# Quick Pentest Reference
## Purpose

Rapid-access command references for common penetration testing tasks: directory busting, DNS enumeration, host discovery, service scanning, and password brute forcing. This skill serves as a quick reference for CTFs and penetration testing engagements.
## Prerequisites

### Required Tools

- Nmap, Gobuster, FFUF
- Hydra, Nikto
- dig, nslookup, host
- SecLists wordlists
- dnsrecon, dnsenum, fierce, netdiscover, arp-scan (used in later phases)

### Installation

```bash
sudo apt update
sudo apt install nmap gobuster ffuf hydra nikto dnsutils
sudo apt install seclists
# Tools used in later phases (package names as on Kali)
sudo apt install dnsrecon dnsenum fierce netdiscover arp-scan
```
## Core Workflow

### Phase 1: Directory Busting

Discover hidden directories and files:

#### Gobuster Directory Scan

```bash
# Basic directory scan
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt
# With extensions
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html
# With status codes (gobuster 3.1+ refuses -s unless the default status blacklist is cleared with -b "")
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,301,302 -b ""
```

#### FFUF Directory Scan

```bash
# Basic scan
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# With file extensions
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.txt,.html
# Filter by response size (hide responses of exactly 4242 bytes, e.g. the catch-all page)
ffuf -u http://10.10.10.10/FUZZ -w wordlist.txt -fs 4242
# Filter by status code
ffuf -u http://10.10.10.10/FUZZ -w wordlist.txt -fc 404
```
### Phase 2: VHOST Enumeration

Discover virtual hosts and subdomains:

#### Gobuster VHOST Scan

```bash
gobuster vhost -u http://example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```

#### FFUF VHOST Scan

```bash
ffuf -u http://example.com -H "Host: FUZZ.example.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Filter false positives by size (replace 0 with the size of the server's default response)
ffuf -u http://example.com -H "Host: FUZZ.example.com" -w wordlist.txt -fs 0
```
### Phase 3: Digital Certificate Reconnaissance

Passive subdomain discovery via certificate transparency logs:

#### crt.sh Command Line

```bash
# Query crt.sh via curl (%25 is the URL-encoded % wildcard, so this matches *.example.com)
# name_value may hold several newline-separated names per certificate; jq -r prints each on its own line
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
```
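The jq pipeline above works, but it also keeps wildcard entries, mixed-case duplicates and lookalike domains that happen to end in the same string. The following Python script is an added example (not part of the original reference or of crt.sh) that parses a saved crt.sh JSON body and handles those cases; `SAMPLE_CRTSH_JSON` is a constructed sample in the shape crt.sh returns for `output=json`, so it runs offline.

```python
"""Parse a crt.sh JSON response into a deduplicated list of hostnames.

Added example, not part of the original reference. Assumes the JSON shape
crt.sh returns for ?output=json: a list of objects whose "name_value" field
holds one or more newline-separated hostnames, some with a leading "*.".
The sample below is constructed to mimic that shape; no network is used.
"""
import json

# Constructed sample of a crt.sh response for q=%25.example.com&output=json.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=Example CA",
     "name_value": "Mail.Example.com"},
    {"issuer_name": "C=US, O=Example CA",
     "name_value": "mail.example.com\nvpn.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "notexample.com"},
])


def parse_crtsh(raw_json: str, domain: str, keep_wildcards: bool = False) -> list[str]:
    """Return sorted, unique hostnames under `domain` from a crt.sh JSON body.

    - splits multi-name entries (name_value is newline-separated),
    - lower-cases names (DNS names are case-insensitive),
    - drops lookalikes that merely end in the same string (notexample.com),
    - drops "*." wildcard entries unless keep_wildcards is set.
    """
    domain = domain.lower().strip(".")
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            is_wildcard = name.startswith("*.")
            if is_wildcard and not keep_wildcards:
                continue
            # Accept the apex itself or a real subdomain (dot boundary).
            bare = name[2:] if is_wildcard else name
            if bare != domain and not bare.endswith("." + domain):
                continue
            names.add(name)
    return sorted(names)


if __name__ == "__main__":
    # Same result as: curl ... | jq -r '.[].name_value' | sort -u, minus the noise.
    for host in parse_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

To use it on live data, save the curl output to a file and pass its contents to `parse_crtsh` together with the domain you are scoped to; wildcard certificates are reported only when `keep_wildcards=True`, since `*.example.com` is a hint about certificate practice rather than a resolvable host.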
### Phase 4: DNS Enumeration

Query DNS records for intelligence:

#### DNS Record Types

| Type | Purpose |
|---|---|
| A | IPv4 address |
| AAAA | IPv6 address |
| MX | Mail servers |
| NS | Name servers |
| TXT | Text records |
| CNAME | Canonical name |
| SOA | Start of authority |

#### Dig Commands

```bash
# A record
dig example.com A
# All records (many resolvers answer ANY with a minimal HINFO response per RFC 8482; query types individually if so)
dig example.com ANY
# MX records
dig example.com MX
# Name servers
dig example.com NS
# TXT records (SPF, DKIM)
dig example.com TXT
# Reverse lookup
dig -x 192.168.1.1
# Use specific DNS server
dig @8.8.8.8 example.com
```
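When several record types are queried in a row, the raw dig output is tedious to read back. The script below is an added example (not part of the original reference or of dig) that parses the ANSWER SECTION of dig's presentation format into records grouped by the types in the table above. `SAMPLE_DIG_OUTPUT` is constructed sample data using documentation addresses, not a real query result.

```python
"""Group the ANSWER SECTION of dig output by record type.

Added example, not part of the original reference. Parses the presentation
format dig prints (owner, TTL, class, type, rdata). The dig output below is
constructed sample data; 192.0.2.0/24 and 2001:db8::/32 are documentation
ranges, not real hosts.
"""
from collections import defaultdict

# Constructed sample of `dig example.com ANY` output.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> example.com ANY
;; QUESTION SECTION:
;example.com.\t\t\tIN\tANY

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.10
example.com.\t3600\tIN\tAAAA\t2001:db8::10
example.com.\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tNS\tns2.example.com.
example.com.\t300\tIN\tTXT\t"v=spf1 -all"
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600

;; Query time: 12 msec
"""


def parse_dig_answers(output: str) -> dict[str, list[tuple[str, int, str]]]:
    """Return {record_type: [(owner, ttl, rdata), ...]} from dig output.

    Only the ANSWER SECTION is read. Comment lines (starting with ';') and
    blank lines are skipped; any other ';;' section header ends the answers.
    Each record line is: <owner> <ttl> <class> <type> <rdata...>
    """
    records = defaultdict(list)
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
            continue
        if not in_answer or not line.strip() or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, ttl, _cls, rtype, rdata = parts
        records[rtype].append((owner.rstrip("."), int(ttl), rdata.strip()))
    return dict(records)


def mail_exchangers(records: dict[str, list[tuple[str, int, str]]]) -> list[str]:
    """MX hosts ordered by preference (lowest value first)."""
    mx = []
    for _owner, _ttl, rdata in records.get("MX", []):
        pref, host = rdata.split(None, 1)
        mx.append((int(pref), host.rstrip(".")))
    return [host for _pref, host in sorted(mx)]


if __name__ == "__main__":
    recs = parse_dig_answers(SAMPLE_DIG_OUTPUT)
    for rtype, entries in sorted(recs.items()):
        for owner, ttl, rdata in entries:
            print(f"{rtype:5} {owner:20} ttl={ttl:<5} {rdata}")
    print("MX hosts:", mail_exchangers(recs))
```

Feed it real output with `dig example.com ANY > out.txt` and `parse_dig_answers(open("out.txt").read())`; because the parser keys on the `;; ANSWER SECTION:` header, it works unchanged for single-type queries such as `dig example.com MX`.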
#### Host Command

```bash
# Basic lookup
host example.com
# Specific record type
host -t MX example.com
host -t NS example.com
# Verbose output
host -a example.com
```

#### Nslookup

```bash
# Interactive mode
nslookup
> server 8.8.8.8
> set type=MX
> example.com
# Direct queries
nslookup example.com
nslookup -type=MX example.com
nslookup -type=NS example.com
```
### Phase 5: Zone Transfer

Attempt a DNS zone transfer (AXFR) against each authoritative name server; a correctly configured server refuses it, so a success is itself a finding:

```bash
# Dig zone transfer
dig @ns1.example.com example.com AXFR
# Host zone transfer
host -l example.com ns1.example.com
# Nslookup zone transfer (the ls subcommand exists only in the Windows nslookup; use dig or host on Linux)
nslookup
> server ns1.example.com
> ls -d example.com
```
### Phase 6: Automated DNS Tools

#### DNSRecon

```bash
# Standard enumeration
dnsrecon -d example.com
# Zone transfer attempt
dnsrecon -d example.com -t axfr
# Brute force subdomains
dnsrecon -d example.com -t brt -D /usr/share/wordlists/subdomains.txt
```

#### DNSenum

```bash
# Full enumeration
dnsenum example.com
# With wordlist
dnsenum --enum example.com -f /usr/share/wordlists/subdomains.txt
```

#### Fierce

```bash
# Subdomain enumeration
fierce --domain example.com
# With wordlist
fierce --domain example.com --subdomain-file wordlist.txt
```
### Phase 7: Host Discovery

Identify live hosts on the network (netdiscover, arp-scan and Nmap's ARP/SYN/ICMP probes all need raw sockets, hence sudo):

#### Netdiscover

```bash
# Active scan
sudo netdiscover -i eth0
# Passive mode
sudo netdiscover -p -i eth0
# Specific range
sudo netdiscover -r 192.168.1.0/24
```

#### ARP Scan

```bash
# Local network
sudo arp-scan -l
# Specific interface
sudo arp-scan -I eth0 -l
# Specific range
sudo arp-scan 192.168.1.0/24
```

#### Nmap Host Discovery

```bash
# Ping sweep
sudo nmap -sn 192.168.1.0/24
# ARP ping (local network)
sudo nmap -sn -PR 192.168.1.0/24
# ICMP echo ping
sudo nmap -sn -PE 192.168.1.0/24
# TCP SYN ping
sudo nmap -sn -PS 192.168.1.0/24
# UDP ping
sudo nmap -sn -PU 192.168.1.0/24
# ICMP timestamp request
sudo nmap -sn -PP 192.168.1.0/24
# ICMP address mask request (an alternative when only echo requests are filtered)
sudo nmap -sn -PM 192.168.1.0/24
```
### Phase 8: Service and OS Discovery

Enumerate ports, services, and operating systems (SYN, UDP and OS scans need root):

#### Nmap Service Scans

```bash
# SYN scan with version detection
sudo nmap -sS -sV 192.168.1.1
# Full TCP scan with OS detection
sudo nmap -T4 -p- -A 192.168.1.1
# UDP scan
sudo nmap -sU -T4 192.168.1.1
# Top 1000 ports
sudo nmap -sS -sV --top-ports 1000 192.168.1.1
# All ports aggressive
sudo nmap -sS -sV -sC -O -p- 192.168.1.1
# Banner grabbing
nmap --script=banner 192.168.1.1
# Subnet scan
nmap 192.168.1.0/24
```

#### Nikto Web Scanner

```bash
# Basic scan
nikto -h http://192.168.1.1
# With SSL
nikto -h https://192.168.1.1 -ssl
# Save output (nikto's HTML format name is htm, not html)
nikto -h http://192.168.1.1 -o nikto_report.html -Format htm
```
### Phase 9: Password Brute Force

Attack authentication services:

#### Hydra

```bash
# SSH brute force
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1
# FTP brute force
hydra -L users.txt -P passwords.txt ftp://192.168.1.1
# HTTP POST form (last field is the string that marks a failed login)
hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid"
# HTTP Basic Auth
hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/
# RDP brute force
hydra -l administrator -P passwords.txt rdp://192.168.1.1
# SMB brute force
hydra -L users.txt -P passwords.txt smb://192.168.1.1
```
### Phase 10: Post Exploitation

Actions after gaining access:

#### Windows Credential Dumping

```text
# Meterpreter
meterpreter> hashdump
meterpreter> getsystem
meterpreter> load kiwi
meterpreter> creds_all
# Mimikatz
mimikatz# sekurlsa::logonpasswords
mimikatz# lsadump::sam
```

#### Linux Privilege Escalation

```bash
# Check sudo permissions
sudo -l
# Find SUID binaries
find / -perm -4000 2>/dev/null
# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*
# LinPEAS enumeration
./linpeas.sh
```
## Quick Reference

### Essential Wordlists

| Path | Purpose |
|---|---|
| /usr/share/wordlists/dirb/common.txt | Common directories |
| /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | Medium directory list |
| /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt | Subdomains |
| /usr/share/wordlists/rockyou.txt | Passwords |

### Command Quick Reference

| Task | Command |
|---|---|
| Directory bust | gobuster dir -u URL -w wordlist |
| VHOST enum | ffuf -H "Host: FUZZ.domain" -u URL -w wordlist |
| DNS lookup | dig domain.com ANY |
| Zone transfer | dig @ns.domain.com domain.com AXFR |
| Host discovery | nmap -sn 192.168.1.0/24 |
| Port scan | nmap -sS -sV -p- target |
| Brute force | hydra -l user -P list service://target |
## Constraints and Limitations

### Authorization

- Only test systems you own or have permission to test
- Document all testing activities
- Stay within scope

### Tool Limitations

- Some scans may trigger IDS/IPS
- Rate limiting may block aggressive scans
- Firewalls may block certain techniques

## Troubleshooting

### Scans Returning No Results

Solutions:

- Verify the target is reachable
- Try different scanning techniques
- Check for firewall blocks
- Use slower scan rates