Your Ultimate Penetration Testing Reference Guide
130+ Cheatsheets • 70+ Port References • OSCP Focused • Copy-Paste Ready
Workflow: RECON → ENUMERATE → EXPLOIT → PRIV ESC → LATERAL. Each stage maps to the sections below:

- RECON (Scanning): 1.Scanning
- ENUMERATE (Ports/Web): Port Files, 7.Web-Exploit
- EXPLOIT (CVE/Web): 2.CVE-Exploit, 3.AD-Exploit
- PRIV ESC (Linux/Win): 4.Privilege-Escalation
- LATERAL (Movement): 5.Lateral-Movement
| Emergency | Checklists | Tools |
|---|---|---|
| Emergency Commands | Pentest Checklist | Tools Index |
| Reverse Shells | OSCP Exam Guide | Variable Setup |
| File Transfer | Web Analysis | Wordlist Guide |
All commands in this cheatsheet use these standardized variables. Set them before running commands.

```bash
export rhost="192.168.1.100"   # Remote/Target IP
export lhost="10.10.14.5"      # Local/Attacker IP
export lport="4444"            # Listener port
export domain="corp.local"     # AD domain name
```

| Variable | Description | Example |
|---|---|---|
| $rhost | Remote/Target host IP | 192.168.1.100 |
| $lhost | Local/Attacker IP | 10.10.14.5 |
| $lport | Local listener port | 4444 |
| $rport | Remote target port | 80 |
| $domain | AD domain name | corp.local |
| $user | Username | admin |
| $pass | Password | Password123 |
| $wordlist | Wordlist path | /usr/share/wordlists/rockyou.txt |
| $target | OSCP exam target | Same as $rhost |
## 1.Scanning
- Port Scanning Guide - Nmap, Masscan, Rustscan
| Port | Service | File |
|---|---|---|
| 7 | Echo | 7-echo.md |
| 21 | FTP | 21-ftp.md |
| 22 | SSH | 22-ssh.md |
| 23 | Telnet | 23-telnet.md |
| 25 | SMTP | 25-smtp.md |
| 43 | WHOIS | 43-whois.md |
| 49 | TACACS+ | 49-tacacs.md |
| 53 | DNS | 53-dns.md |
| 69 | TFTP | 69-tftp.md |
| 79 | Finger | 79-finger.md |
| 80, 443 | HTTP/HTTPS | 80-443-http.md |
| 88 | Kerberos | 88-kerberos.md |
| 110, 995 | POP3 | 110-995-pop3.md |
| 111 | RPC | 111-rpc.md |
| 113 | Ident | 113-ident.md |
| 123 | NTP | 123-ntp.md |
| 135, 593 | MSRPC | 135-593-msrpc.md |
| 139, 445 | SMB | 139-445-smb.md |
| 143, 993 | IMAP | 143-993-imap.md |
| 161, 162 | SNMP | 161-162-snmp.md |
| 194, 6667 | IRC | 194-6667-irc.md |
| 389, 636, 3268, 3269 | LDAP | 389-636-3268-3269-ldap.md |
| 500 | IPsec/IKE | 500-ipsec.md |
| 512-514 | R-Services | 512-514-rservices.md |
| 515 | LPD | 515-lpd.md |
| 548 | AFP | 548-afp.md |
| 554 | RTSP | 554-rtsp.md |
| 623 | IPMI | 623-ipmi.md |
| 631 | IPP/CUPS | 631-ipp-cups.md |
| 873 | Rsync | 873-rsync.md |
| 1080 | SOCKS Proxy | 1080-socks.md |
| 1099 | Java RMI | 1099-java-rmi.md |
| 1414 | IBM MQ | 1414-ibmmq.md |
| 1433 | MSSQL | 1433-mssql.md |
| 1521 | Oracle | 1521-oracle.md |
| 1723 | PPTP VPN | 1723-pptp.md |
| 2049 | NFS | 2049-nfs.md |
| 2375, 2376 | Docker | 2375-2376-docker.md |
| 3128 | Squid Proxy | 3128-squid.md |
| 3260 | iSCSI | 3260-iscsi.md |
| 3306 | MySQL | 3306-mysql.md |
| 3389 | RDP | 3389-rdp.md |
| 3632 | distcc | 3632-distcc.md |
| 3690 | SVN | 3690-svn.md |
| 4222 | NATS | 4222-nats.md |
| 4369 | Erlang EPMD | 4369-epmd.md |
| 4786 | Cisco Smart Install | 4786-cisco-smart-install.md |
| 5000 | Docker Registry | 5000-docker-registry.md |
| 5353 | mDNS | 5353-mdns.md |
| 5432, 5433 | PostgreSQL | 5432-5433-postgresql.md |
| 5555 | ADB | 5555-adb.md |
| 5601 | Kibana | 5601-kibana.md |
| 5672 | AMQP/RabbitMQ | 5672-amqp.md |
| 5900 | VNC | 5900-vnc.md |
| 5984 | CouchDB | 5984-couchdb.md |
| 5985 | WinRM | 5985-winrm.md |
| 6000 | X11 | 6000-x11.md |
| 6379 | Redis | 6379-redis.md |
| 8000, 5005 | JDWP | 8000-jdwp.md |
| 8009 | AJP | 8009-ajp.md |
| 8086 | InfluxDB | 8086-influxdb.md |
| 8089 | Splunk | 8089-splunk.md |
| 9000 | FastCGI | 9000-fastcgi.md |
| 9042, 9160 | Cassandra | 9042-9160-cassandra.md |
| 9100 | JetDirect | 9100-jetdirect.md |
| 9200 | Elasticsearch | 9200-elasticsearch.md |
| 10000 | NDMP | 10000-ndmp.md |
| 11211 | Memcache | 11211-memcache.md |
| 15672 | RabbitMQ Mgmt | 15672-rabbitmq-mgmt.md |
| 27017 | MongoDB | 27017-mongodb.md |
| Port | Protocol | File |
|---|---|---|
| 102 | S7comm (Siemens) | 102-s7comm.md |
| 502 | Modbus | 502-modbus.md |
| 1883 | MQTT | 1883-mqtt.md |
| 4840 | OPC UA | 4840-opcua.md |
| 20000 | DNP3 | 20000-dnp3.md |
| 44818 | EtherNet/IP | 44818-ethernetip.md |
| 47808 | BACnet | 47808-bacnet.md |
## 2.CVE-Exploit
- CVE Exploit - Shellshock, Sambacry, Drupalgeddon2, Log4Shell, Ghostcat, and more
- Buffer Overflow - Pattern creation, Offset calculation, JMP ESP gadgets, Shellcode generation, Exploit development
## 3.AD-Exploit
- AD Exploitation - PowerView, BloodHound, ASREPRoast, Kerberoasting, DCSync, Golden/Silver Tickets, AD CS, NTLM Relay, Responder, AMSI Bypass
- Password Attacks - hashcat, John, Hydra, Kerbrute, mimikatz, NetExec
- Kerberos Attacks - ASREPRoast, Kerberoasting, Golden/Silver Tickets, DCSync, Constrained Delegation
- NTLM Relay & Responder - Responder setup, NTLM Relay attacks, Pass-the-Hash, Authentication Coercion
- AD CS Attacks - Certipy, ESC1-ESC15, PassTheCert, PKINIT, Golden Certificate
- Shadow Credentials - pyWhisker, Whisker, msDS-KeyCredentialLink, PKINIT Auth
- Kerberos Delegation - Constrained Delegation, RBCD, S4U Attack Chain
- AD Enumeration Tools - bloodyAD, adPEAS, NetExec, Invoke-ADEnum, ADRecon
## 4.Privilege-Escalation
- Privilege Escalation Windows - Potato exploits, PowerUp, winPEAS, DLL Hijacking, Credential Storage Exploitation
- Privilege Escalation Linux - SUDO, SUID, Capabilities, Cron, Kernel exploits, Docker escape
- GTFOBins Linux - SUDO escapes, SUID exploits, Capabilities, File Read/Write, Reverse Shells
- LOLBAS Windows - File Download, Code Execution, UAC Bypass, ADS, AWL Bypass
- Potato Exploits - JuicyPotato, PrintSpoofer, RoguePotato, SweetPotato, GodPotato
- Windows PrivEsc Tools - RunasCs, Seatbelt, SharpUp, PrivescCheck, Watson
## 5.Lateral-Movement
- Lateral Movement - PsExec, WMI, WinRM, DCOM, Pass-the-Hash, Pass-the-Ticket
- Pivoting & Tunneling - SSH Port Forwarding, Proxychains, Ligolo-ng, Chisel, sshuttle, Metasploit Pivoting
- Ligolo-ng Complete Guide - Single-hop & multi-hop pivoting, tunnel setup, routing, troubleshooting
- Persistence Techniques - Registry, Scheduled Tasks, Services, Cron, SSH Keys, Systemd
## 6.OS-Command
- Windows Commands - PowerShell, cmd, file transfer, enumeration
- Linux Commands - File transfer, shell upgrading, networking, utilities
- Reverse Shell - Bash, Python, PHP, PowerShell, Netcat, Msfvenom, Shell Stabilization
- Wordlist Guide - SecLists, Password/Username Wordlists, Service-Specific Lists, Custom Generation
## 7.Web-Exploit
- Web Application Analysis - DNS, Subdomain, VHost, Directory Enumeration, Technology Fingerprinting, LFI, XSS, SSTI, SQLi, XXE
- SQL Injection - SQLi, SQLMap, Union, Blind, MSSQL, MySQL, PostgreSQL
- Cross-Site Scripting (XSS) - Reflected, Stored, DOM-Based, Cookie Stealing
- File Inclusion (LFI/RFI) - Path Traversal, PHP Wrappers, Log Poisoning
- Command Injection - OS Command Injection, Bypass Techniques
- SSRF - Server-Side Request Forgery, Cloud Metadata
- SSTI - Server-Side Template Injection, Jinja2, Twig, Freemarker
- XXE - XML External Entity, OOB, Blind XXE
- File Upload - Bypass Filters, Web Shells, Polyglot Files
- HTTP Request Smuggling - CL.TE, TE.CL, Cache Poisoning, Request Hijacking
- IDOR & Access Control - Insecure Direct Object Reference, Broken Access Control
- CSRF - Cross-Site Request Forgery, Token Bypass
- Insecure Deserialization - PHP, Java (ysoserial), Python Pickle, .NET
- Git Hacking - Exposed .git, GitDumper, Secret Extraction
- NoSQL Injection - MongoDB, CouchDB, Authentication Bypass, Blind Injection
- JWT Attacks - Algorithm Confusion, None Algorithm, Key Confusion, JWK/JKU Injection
- Race Condition - Limit Overrun, TOCTOU, Turbo Intruder, Single-Packet Attack
- Prototype Pollution - Server/Client-Side, RCE Gadgets, XSS Gadgets
- OAuth Vulnerabilities - redirect_uri Bypass, Token Theft, CSRF, Scope Manipulation
- WebSocket Attacks - CSWSH, Message Manipulation, SQLi/XSS via WebSocket
- Mass Assignment - Parameter Pollution, Hidden Field Abuse, Auto-Binding
## 8.C2-Framework
- Sliver - Installation, Implant Generation, Listeners, Session Management, Armory Extensions
## 9.OSCP-Exam
- OSCP Exam Guide - Exam Structure, Passing Scenarios, Allowed/Restricted Tools, Screenshot Requirements, Report Submission, Exam Tips, AD Set Step-by-Step Methodology
- Lab Walkthrough Examples - Real attack chains: HTB Forest, OSCP Independent Challenge, AD Set attacks
- Exam Tips & Tricks - Pre-exam prep, enumeration strategy, privilege escalation methodology, time management, report writing
## 10.Mobile-Security
- Android Pentesting - APK Decompilation, apktool, jadx, APK Signing, ADB Commands, Frida SSL Pinning Bypass
## 11.Defensive-Security
- Network Forensics - tshark, Wireshark, tcpdump, PCAP Analysis, DNS/HTTP/TLS Analysis, Exfiltration Detection
- SOC Analysis - YARA Rules, File Hash Analysis, Data Decoding, Log Analysis, Threat Intelligence
| Tool | Description | Primary Use Case |
|---|---|---|
| Evil-WinRM | WinRM shell | Interactive remote shell |
| NetExec | Network attack tool | Authentication and exploitation |
| BloodHound | AD reconnaissance | Domain mapping |
| Rubeus | Kerberos toolkit | Ticket manipulation |
| Mimikatz | Credential extractor | Password and hash dumping |
| PowerView | AD enumeration | Domain reconnaissance |
| Impacket | Network protocols | SMB, Kerberos, WMI attacks |
| Certipy | AD CS attacks | Certificate abuse |
| pyWhisker | Shadow Credentials | msDS-KeyCredentialLink abuse |
| PKINITtools | PKINIT authentication | Certificate-based auth |
| bloodyAD | AD privilege escalation | RBCD, ACL abuse |
| adPEAS | AD enumeration | PowerShell AD scanner |
| RunasCs | Credential execution | Run as different user |
| Seatbelt | Host reconnaissance | Windows enumeration |
| SharpUp | Privilege escalation | Privesc checker (C#) |
| LinPEAS/winPEAS | Privilege escalation | Enumeration scripts |
| PrintSpoofer | Token impersonation | SeImpersonate privesc |
| GodPotato | Token impersonation | Universal Potato exploit |
| Chisel/Ligolo-ng | Tunneling | Port forwarding and pivoting |
| xfreerdp3 | RDP client | Remote Desktop connection |
| SQLMap | SQL Injection | Automated SQLi exploitation |
| FFuF | Web fuzzer | Directory/parameter fuzzing |
| tplmap | SSTI exploitation | Template injection automation |
| Gopherus | SSRF exploitation | Generate gopher payloads |
| jwt_tool | JWT attacks | JWT manipulation and cracking |
| Turbo Intruder | Race conditions | Burp extension for parallel requests |
| Arjun | Parameter discovery | Hidden parameter finder |
| wscat | WebSocket client | WebSocket testing |
If you find this repository helpful, please consider giving it a star!
Contributions are welcome! Feel free to submit a Pull Request.
Educational Purpose Only: This repository is intended for educational and authorized penetration testing purposes only. Always obtain proper authorization before testing any systems you do not own. The author is not responsible for any misuse of the information provided.

Made with ❤️ for the InfoSec Community
