| Flag | Description |
|---|---|
| `-a` | Displays all active TCP connections and the TCP and UDP ports on which the computer is listening. |
| `-n` | Shows network addresses as numbers, avoiding name resolution. |
| `-r` | Displays the kernel routing table. |
| `-s` | Displays per-protocol statistics. |
| `-i` | Shows the state of all configured interfaces. |
| `-p <protocol>` | Shows statistics for the specified protocol (e.g., TCP, UDP). |
To show the networks accessible via the VPN after connecting, use:
| Flag | Description |
|---|---|
| `-sC` | Performs a script scan using the default scripts. |
| `-sV` | Probes open ports to determine service/version information. |
| `-sS` | Performs a stealth SYN scan (stealthy and fast). |
| `-D` | Uses decoys to mask the source IP. |
| `-p <port ranges>` | Scans only the specified ports. |
| `-O` | Enables OS detection. |
| `-S <IP_Address>` | Spoofs the source address. |
| `-oA <basename>` | Outputs scan results in all formats (XML, grepable, etc.). |
| `-v` | Increases the verbosity level; use `-vv` for more detail. |
| `-d` | Increases the debugging level; use `-dd` for even more detail. |
| `-6` | Enables IPv6 scanning. |
| `-A` | Enables OS detection, version detection, script scanning, and traceroute. |
| `-Pn` | Treats all hosts as online (skips host discovery). |
| `--script=banner` | Grabs service banners from open ports. |
- Discover hosts and services (basic scan):
```
nmap <ip>
```
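The `-oA <basename>` flag writes a grepable `<basename>.gnmap` file next to the XML and normal output. The Python below is an added example, not part of the original cheat sheet or of nmap itself: it parses constructed `.gnmap` lines into a per-host inventory and lists the open services that sit on a review list, which is how an authorized scan of your own network becomes an exposure review. The sample lines, the `REVIEW_SERVICES` list and the function names are assumptions.

```python
# Added example (not from the original cheat sheet): parse the grepable
# output (.gnmap) that `nmap -oA <basename>` writes, so a scan of your own
# hosts can be turned into an inventory of exposed services for review.
# SAMPLE_GNMAP is constructed, not real scan output.
import re
from collections import defaultdict

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oA lab 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 161/open/udp//snmp//net-snmp/, 3306/open/tcp//mysql//MySQL 5.7.40/\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# Each entry in the "Ports:" field has seven slash-separated fields:
# port/state/protocol/owner/service/rpc-info/version
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")

# Assumed review list: services a defender usually does not want reachable
# from the vantage point the scan was run from.
REVIEW_SERVICES = {"snmp", "mysql", "telnet", "ftp", "microsoft-ds", "ms-wbt-server"}


def parse_gnmap(text):
    """Return {host: [port records]} for every host line that carries a Ports: field."""
    inventory = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and the "Nmap done" trailer
        host = line.split()[1]
        m = re.search(r"\tPorts: ([^\t]*)", line)
        if not m:
            continue  # "Status: Up" lines carry no port data
        for entry in m.group(1).split(", "):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            rec = dict(zip(PORT_FIELDS, fields[:7]))
            rec["port"] = int(rec["port"])
            inventory[host].append(rec)
    return dict(inventory)


def open_ports(inventory):
    """{host: ['port/proto', ...]} for ports in state open, sorted by port number."""
    return {
        host: sorted(
            (f"{p['port']}/{p['proto']}" for p in ports if p["state"] == "open"),
            key=lambda s: int(s.split("/")[0]),
        )
        for host, ports in inventory.items()
    }


def findings(inventory):
    """Sorted (host, port, service, version) tuples for open services on the review list."""
    out = []
    for host, ports in inventory.items():
        for p in ports:
            if p["state"] == "open" and p["service"] in REVIEW_SERVICES:
                out.append((host, p["port"], p["service"], p["version"]))
    return sorted(out)


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in open_ports(inv).items():
        print(host, ", ".join(ports))
    for f in findings(inv):
        print("REVIEW:", *f)
```

Filtered ports (such as 445 on the first host) are kept in the inventory but never reported as exposed; only `state == "open"` reaches the findings list.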
| Flag | Description |
|---|---|
| `-L` | Retrieves a list of available shares on a remote host. |
| `-N` | Suppresses the password prompt for anonymous access. |
| `-U` | Specifies the network username for authentication. |

- To list shares on a remote host:
```
smbclient -N -L \\\\<ip/domain>
```
- To connect as a guest user:
```
smbclient \\\\<ip/domain>\\<share>
```
- To connect as a specific user:
```
smbclient -U <user> \\\\<ip/domain>\\<share>
```
| Flag | Possible Values | Description |
|---|---|---|
| `-v <value>` | 1 \| 2c \| 3 | Specifies the SNMP version to use |
| `-V` | | Displays the package version number |
| `-c` | public \| private | Sets the community string |
| `-a` | MD5 \| SHA \| SHA-224 \| SHA-256 \| SHA-384 \| SHA-512 | Sets the authentication protocol |
| Flag | Description |
|---|---|
| `-c <path/to/file>` | File with community names to try |
| `-i <input_file>` | File with target hosts |
| `-o <output_file>` | Output log |
| `-p <port>` | Specify the SNMP port |
| `-d` | Enable debug mode for detailed information |

```
onesixtyone -c <path/to/file> <target_ip>
```
| Sub-command | Description |
|---|---|
| `dir` | Runs directory brute-forcing to find hidden files and directories. |
| `dns` | Performs subdomain enumeration by fuzzing the Host header. |
| `fuzz` | General fuzzing mode, replacing the FUZZ keyword in the URL, headers, or request body. |
| `vhost` | Performs virtual host enumeration. |
| Flag | Description |
|---|---|
| `-u <url>` | Specifies the target URL for fuzzing. |
| `-w <wordlist>` | Specifies the wordlist for fuzzing. |
| `-H <header>` | Adds a custom header to the requests. |
| `-X <method>` | Sets the HTTP method (default is GET). |
| `-fs <size>` | Filters out responses of a specific size (e.g., `-fs 0` to exclude empty responses). |
| `-fc <code>` | Filters out responses with a specific HTTP status code (e.g., `-fc 404`). |
| `-fw <words>` | Filters out responses with a specific number of words. |
| `-fl <lines>` | Filters out responses with a specific number of lines. |
| `-t <threads>` | Specifies the number of threads to use (default: 40). |
| `-o <filename>` | Writes the results to the specified file. |
| `--recursion` | Enables recursive directory brute-forcing. |
| `--verbose` | Outputs additional details for each request. |
- Directory brute-forcing:
```
ffuf -u http://<url>/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 0 -t 100
```
- Subdomain discovery:
```
ffuf -u http://<url>/ -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ.<url>" -fc 301
```
- Parameter fuzzing:
```
ffuf -u http://<url>/page.php?FUZZ=test -w /path/to/parameters.txt -fc 404
```
- Recursive directory fuzzing:
```
ffuf -u http://<url>/FUZZ -w /usr/share/wordlists/dirb/common.txt --recursion
```
| Sub-command | Description |
|---|---|
| `dir` | Runs a directory scan on a website. |
| `dns` | Runs a sub-domain scan on a website. |
| `fuzz` | Uses fuzzing mode; replaces the keyword FUZZ in the URL, headers, and request body. |
| `gcs` | Uses GCS bucket enumeration mode. |
| `s3` | Uses AWS S3 bucket enumeration mode. |
| `tftp` | Uses TFTP enumeration mode. |
| `host` | Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter). |
| Flag | Description |
|---|---|
| `--debug` | Enable debug output |
| `--delay <duration>` | Time each thread waits between requests (e.g. `1500ms`) |
| `-o <filename>` | Write the results to a file |
| `--pattern <string>` | File containing replacement patterns |
| `--threads <int>` | Number of concurrent threads (default 10) |
| `--verbose` | Verbose output |
| `--wordlist <string>` | Path to the wordlist. Set to `-` to use STDIN. |
| `--wordlist-offset <int>` | Resume from a given position in the wordlist (defaults to 0) |
| `-x <extension>` | Filter out output by specific extensions |
- To run a directory scan:
```
gobuster dir -u http://<ip/domain>/ -w /usr/share/dirb/wordlists/common.txt
```
- To run a sub-domain scan:
```
gobuster dns -d <domain> -w /usr/share/SecLists/Discovery/DNS/namelist.txt
```
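The directory and vhost brute-force runs shown for ffuf and gobuster leave a distinctive footprint in a web server's access log: one client requesting many distinct paths within a few seconds, most of them answered with 404. The Python below is an added example, not part of the original cheat sheet or of either tool; it runs a sliding-window detector over constructed combined-format log lines so that such a run can be spotted from the defender's side. The window length, the thresholds and the sample log are assumptions to tune per site.

```python
# Added example (not from the original cheat sheet): detect the access-log
# pattern that directory brute-forcing tools such as ffuf and gobuster
# produce: many distinct paths from one client in a short window, mostly 404.
# SAMPLE_LOG is constructed in the common "combined" log format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=60)  # assumption: sliding window length
MIN_DISTINCT_PATHS = 5          # assumption: tune to the site's normal traffic
MIN_404_RATIO = 0.8             # assumption: share of 404s that marks a brute-force run

SAMPLE_LOG = """\
10.0.0.9 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.42 - - [01/Jan/2024:10:01:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "-"
10.0.0.42 - - [01/Jan/2024:10:01:00 +0000] "GET /backup HTTP/1.1" 404 153 "-" "-"
10.0.0.42 - - [01/Jan/2024:10:01:01 +0000] "GET /cgi-bin HTTP/1.1" 404 153 "-" "-"
10.0.0.42 - - [01/Jan/2024:10:01:01 +0000] "GET /config HTTP/1.1" 404 153 "-" "-"
10.0.0.42 - - [01/Jan/2024:10:01:02 +0000] "GET /images HTTP/1.1" 301 0 "-" "-"
10.0.0.42 - - [01/Jan/2024:10:01:02 +0000] "GET /login HTTP/1.1" 404 153 "-" "-"
10.0.0.42 - - [01/Jan/2024:10:01:03 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "-"
"""


def parse_log(text):
    """Yield (ip, timestamp, path, status) for every line matching the combined format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"]))


def detect_bruteforce(text):
    """Return {ip: (distinct_paths, requests, not_found_ratio)} for clients with a
    window that exceeds both thresholds; the widest qualifying window is kept."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in parse_log(text):
        by_ip[ip].append((ts, path, status))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most WINDOW
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            paths = {p for _, p, _ in window}
            ratio = sum(1 for _, _, s in window if s == 404) / len(window)
            if len(paths) >= MIN_DISTINCT_PATHS and ratio >= MIN_404_RATIO:
                if ip not in alerts or len(paths) > alerts[ip][0]:
                    alerts[ip] = (len(paths), len(window), round(ratio, 2))
    return alerts


if __name__ == "__main__":
    for ip, (paths, reqs, ratio) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {paths} distinct paths in {reqs} requests, 404 ratio {ratio}")
```

The detector deliberately ignores the User-Agent header: both tools let the operator replace it with `-H`, so the request pattern is the more durable signal. The `301` for `/images` shows why a pure "all 404" rule is too strict; real runs hit existing directories too.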
| Flag | Description |
|---|---|
| `-u http://<url>/FUZZ` | Target URL, with FUZZ marking where each wordlist entry is inserted. |
| `-w <path/to/wordlist>` | Wordlist to use for fuzzing. |
| `-fs 0` | Filters out empty (zero-size) responses. |
- To grab website banners:
```
curl -IL <domain>
```
- A handy tool that contains much functionality to automate web application enumeration across a network.
- We can also utilize online exploit databases to search for vulnerabilities, like Exploit DB, Rapid7 DB, or Vulnerability Lab.
- To list details about web servers and certificates:
```
whatweb <ip/domain>
```
- To search for public vulnerabilities/exploits for any application:
```
searchsploit openssh 7.2
```
- It is an excellent tool for pentesters.
- It contains many built-in exploits for many public vulnerabilities and provides an easy way to use these exploits against vulnerable targets.
- It has many other features, like:
  - Running reconnaissance scripts to enumerate remote hosts and compromised targets
  - Verification scripts to test the existence of a vulnerability without actually compromising the target
  - Meterpreter, which is a great tool to connect to shells and run commands on the compromised targets
  - Many post-exploitation and pivoting tools
- To run Metasploit:
```
msfconsole
```
- To search for exploits for a vulnerability:
```
search exploit <vulnerability>
```
  Eg: `search exploit eternalblue`

  Tip: Search can apply complex filters, such as `search cve:2009 type:exploit`. See all the filters with `help search`.
- To use an exploit found by searching:
```
use <exploit_name/id>
```
- To show the options available to configure for the current exploit, run:
```
show options
```
  Any option with Required set to `yes` needs to be set for the exploit to work.
- To set the value of a configuration option, use:
```
set <config> <value>
```
  Eg: `set RHOSTS <ip>`
- Once all options are set, to check whether the server is vulnerable:
```
check
```
  Note: Not every exploit in the Metasploit Framework supports the check function.
- To run the exploit, use `run` or `exploit`.
- A free software package for retrieving files using HTTP, HTTPS, FTP, and FTPS, the most widely used Internet protocols.
- It is a non-interactive command-line tool, so it may be called from scripts, cron jobs, terminals without X-Windows support, etc.
```
wget <remote_filepath_url>
```
| Flag | Description |
|---|---|
| `-d <data>` | HTTP POST data |
| `-o <file>` | Write output to the given file |
| `-O` | Write output to a file named as the remote file |
| `-T <file>` | Transfer the local file to the destination |
| `-u <user:password>` | Server user and password |
| `-A <name>` | Send the given User-Agent to the server |

```
curl <remote_file_url> -o <filename>
```
```
scp <source_file_path> <destination_file_path>
```
The remote address will be of the form `user@remotehost:<path>`.
- Encode:
```
base64 <file_path> -w 0
```
- Decode:
```
echo <base64_string> | base64 -d > <filename>
```