Vault-Tec Terminal
Network Reconnaissance

Host Discovery

# Ping sweep
nmap -sn 192.168.1.0/24

# ARP scan
arp-scan -l

# Full TCP port sweep with masscan (hosts that answer are live); masscan is a port scanner, not a ping sweep
masscan -p0-65535 192.168.1.0/24 --rate 1000

# ICMP echo with hping3
hping3 -1 192.168.1.1

DNS Enumeration

# Enumerate DNS records
dnsenum example.com

# Zone transfer attempt
dig axfr example.com @ns1.example.com

# Enumerate subdomains from passive sources (subfinder does not brute-force)
subfinder -d example.com -o subdomains.txt

# Query DNS with nslookup
nslookup -type=NS example.com

OSINT Gathering

# Gather public info
theHarvester -d example.com -b google

# Search LinkedIn
linkedin2username -o usernames.txt example.com

# Search Shodan's existing scan data (no packets sent to the target)
shodan search "org:example.com"

# Fetch WHOIS data
whois example.com

Service Fingerprinting

# Identify service versions and OS with nmap (-O needs raw-socket privileges, i.e. root)
nmap -sV -O 192.168.1.0/24

# Enumerate SNMP
snmpwalk -v2c -c public 192.168.1.1

# Check HTTP headers
curl -I http://example.com

# Use enum4linux for SMB
enum4linux -a 192.168.1.1
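Chaining the host discovery and service fingerprinting scans above usually means parsing nmap's grepable output (`-oG`). The following Python is an added example, not part of this cheatsheet: it parses a constructed `-oG` sample, lists live hosts for the `-sV` stage, and flags open ports missing from an assumed inventory allow-list, which is how a blue team turns the same scan into a drift check.

```python
import ipaddress
import re

# Constructed sample of nmap grepable output (-oG), as "nmap -sn" and
# "nmap -sV" on this page would produce with "-oG -" (not a real capture).
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sV -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)
Host: 192.168.1.7 ()\tStatus: Up
Host: 192.168.1.7 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019/, 161/open|filtered/udp//snmp///
Host: 192.168.1.9 ()\tStatus: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_grepable(text):
    """Return {ip: {"up": bool, "ports": [(port, state, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"up": False, "ports": []})
        for field in fields[1:]:
            if field.startswith("Status:"):
                entry["up"] = field.split(":", 1)[1].strip() == "Up"
            elif field.startswith("Ports:"):
                entry["up"] = True  # only responding hosts get a Ports field
                for m in PORT_RE.finditer(field):
                    port, state, proto, _owner, service, _rpc, version = m.groups()
                    entry["ports"].append((int(port), state, proto, service, version))
    return hosts

def live_hosts(hosts):
    """IPs that answered the sweep, sorted numerically, for the -sV stage."""
    return sorted((ip for ip, e in hosts.items() if e["up"]), key=ipaddress.ip_address)

def unexpected_services(hosts, allowed):
    """Open ports absent from an assumed inventory allow-list {ip: {port, ...}}."""
    findings = []
    for ip, entry in hosts.items():
        for port, state, proto, service, _version in entry["ports"]:
            if state.startswith("open") and port not in allowed.get(ip, set()):
                findings.append((ip, port, proto, service))
    return findings

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    print("live:", live_hosts(scan))
    for f in unexpected_services(scan, {"192.168.1.1": {22, 80}}):
        print("unexpected:", f)
```

Feed `live_hosts()` output to `nmap -sV -oG -` to fingerprint only responding hosts, then diff the result against the allow-list on a schedule.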

Automated Reconnaissance Tools

  • Nmap: nmap -sn <network>
  • Masscan: masscan -p0-65535 <network>
  • dnsrecon: dnsrecon -d example.com
  • Recon-ng: recon-ng -m recon/domains-hosts
  • SpiderFoot: spiderfoot -d example.com