Detect a container + check capabilities for escape
John the Ripper — Password Cracking
John the Ripper — versatile password cracker with hash extraction helpers for common file formats.
Exploitation
23 cmds
Basic Cracking
Auto-detect hash and crack with default wordlist
Dictionary attack with rockyou
Dictionary + mangling rules
Crack NTLM hashes specifically
Crack Linux SHA512crypt shadow hashes
Crack bcrypt hashes
Show cracked passwords
List all supported hash formats
Hash Extraction Tools (John suite)
Combine passwd+shadow for cracking
Crack password-protected ZIP
Crack password-protected RAR
Crack PDF password
Crack SSH private key passphrase
Crack Office document password
Crack KeePass database
Crack 7-Zip archive password
Advanced Options
Brute force with incremental mode
Brute force digits only
Mask attack pattern
Use 4 CPU cores in parallel
Custom pot file path
Resume interrupted session
Name the cracking session
Volatility — Memory Forensics
Volatility 3 framework for memory forensics — process analysis, credential extraction, and malware investigation.
Forensics
23 cmds
Core Analysis
Get OS info from Windows memory dump
Get kernel banner from Linux dump
List running processes (Windows)
Process tree (parent-child relationships)
Scan for process structures (finds hidden procs)
Show command line args for each process
List DLLs loaded by process 1234
List handles for process 1234
Network & Connections
Network connections and sockets
Scan for network artifacts (more complete)
Credentials & Hashes
Dump NTLM password hashes from memory
Dump LSA secrets from memory
Dump cached domain credentials
Registry & Files
List registry hives in memory
Read registry autorun key
Scan for file objects in memory
Extract file from process memory
Malware Analysis
Find injected code / memory anomalies
Dump suspicious memory regions to disk
Detect process hollowing
Virtual address descriptor info for process
Dump full process memory map
Search strings within process memory
SQL Injection — Manual Payloads
Hand-built SQL injection payloads — auth bypass, UNION extraction, schema enum, error/blind/time-based, stacked-query RCE and WAF bypasses across MySQL, MSSQL, PostgreSQL and Oracle.
Web Pentest
38 cmds
Detection & Auth Bypass
Classic always-true authentication bypass
Comment out the rest of the query
Log in as a known user, comment the password check
Break out of a double-quote + parenthesis context
MySQL hash-comment variant
URL-friendly always-true
UNION-Based Extraction
Find the column count (increment until it errors)
Match the column count with NULLs
Identify which columns are reflected
Leak DB version (MySQL/MSSQL)
Dump credentials
Concatenate all creds into one row (MySQL)
Schema Enumeration
List all tables
List columns of a table
List databases (MySQL)
Oracle version banner
List tables (PostgreSQL)
Error-Based
MySQL error-based leak (extractvalue)
MySQL error-based leak (updatexml)
MSSQL error-based type-cast leak
PostgreSQL error-based cast leak
Blind — Boolean & Time
Boolean TRUE baseline
Boolean FALSE baseline (diff the responses)
Extract data one character at a time
MySQL time-based delay
MySQL conditional time delay
MSSQL time-based delay
PostgreSQL time-based delay
Stacked Queries & RCE
Enable xp_cmdshell on MSSQL
Run an OS command via MSSQL
PostgreSQL command exec via COPY TO PROGRAM
MySQL write a webshell (needs FILE priv + writable path)
WAF / Filter Bypass
MySQL versioned-comment keyword bypass
Mixed-case keyword bypass
Inline comments instead of spaces
Tab (%09) used as whitespace
ALL keyword to dodge "UNION SELECT" signatures
Double URL-encoded ' OR 1=1
GraphQL Attacks
GraphQL security testing — endpoint discovery and engine fingerprinting, introspection (and recovery when disabled), IDOR/authz via nodes & mutations, batching rate-limit bypass, DoS and injection.
Web Pentest
17 cmds
Discovery
Confirm a GraphQL endpoint
Hunt the endpoint + any exposed IDE
Fingerprint the GraphQL engine
Introspection
Full introspection — dump the schema
List all queries and mutations
Inspect a specific type's fields
Recover the schema even when introspection is disabled
Authz / IDOR
IDOR via a node argument
Authz bypass / mass assignment via a mutation
Relay global-id IDOR (base64 of type:id)
Rate-Limit Bypass (Batching)
Alias many attempts in ONE request to beat rate limits
Array/JSON batching — send many operations at once
DoS
Deeply nested / circular query to exhaust resources
Active Directory Certificate Services enumeration and abuse with Certipy v5 — ESC1 through ESC16, NTLM relay to AD CS (ESC8/ESC11), shadow credentials, and golden certificates.
Active Directory
36 cmds
Enumeration & Discovery
Enumerate CAs, templates and ACLs — dumps JSON/TXT report
Show only vulnerable templates (ESC findings) on stdout
Only enabled AND vulnerable templates (real attack surface)
Pass-the-hash enum + BloodHound output for graphing
Force both text and JSON output of the AD CS layout
ESC1 — SAN Impersonation
Request a cert for the template, supplying Administrator UPN in the SAN
Add both UPN and DNS SAN (impersonate a machine/DC)
Embed target SID (required when StrongCertificateBindingEnforcement is on)
ESC2 / ESC3 — Any-Purpose & Enrollment Agent
ESC2 — Any-Purpose EKU template: request, then auth as anyone
AWS IMDSv2 — PUT here first to get a session token
GCP token (needs header Metadata-Flavor: Google)
Azure IMDS (needs header Metadata: true)
IP Encoding Bypass
127.0.0.1 as a decimal integer
127.0.0.1 in hexadecimal
127.0.0.1 in octal
Short-form loopback
IPv4-mapped IPv6 address
Public DNS name that resolves to 127.0.0.1
Parser Confusion & Redirect
Everything before @ is userinfo; real host is 127.0.0.1
Fragment confuses naive host parsers
Backslash parser inconsistency
Open redirect to bypass allow-lists
Suffix trick against weak allow-list checks
Protocol Smuggling
Read local files when file:// is permitted
Leak process environment (secrets) on Linux
Talk to Memcached via dict://
Smuggle a Redis command via gopher (RCE primitives)
Smuggle SMTP via gopher
Blind SSRF & Parser-Driven
OOB interaction (interactsh / Burp Collaborator) for blind SSRF
Hit your own listener to confirm an outbound request
SVG→PDF/PNG renderer SSRF
XXE-driven SSRF via an external entity
FFUF — Fast Web Fuzzer
FFUF (Fuzz Faster U Fool) — high-speed web fuzzer for directories, parameters, subdomains, and more.
Web Pentest
25 cmds
Directory & File Fuzzing
Basic directory fuzzing
Fuzz with multiple file extensions
Match specific response codes
Filter out 404 responses
Filter by response size
Filter by word count in response
Set 100 concurrent threads
Recursive directory fuzzing
Subdomain & VHost Fuzzing
Subdomain enumeration
Virtual host (vhost) fuzzing
Vhost fuzzing filtering by size
Parameter & Value Fuzzing
Fuzz GET parameter names
Fuzz GET parameter values (IDOR)
POST parameter fuzzing (username enum)
Password brute force via POST
Fuzz with authentication cookie
Authentication & Headers
Fuzz with Bearer token
Fuzz with session cookie
Set cookies via -b flag
Proxy through Burp Suite
Output & Advanced
Save output as JSON
Save output as HTML report
Auto-calibrate filter (smart baseline)
Limit requests per second
Multi-wordlist fuzzing with named positions
Nuclei — Fast Vulnerability Scanner
Nuclei is a fast, template-based vulnerability scanner for web apps, networks, and cloud infrastructure.
Web Pentest
20 cmds
Basic Scanning
Scan single target with all templates
Scan list of targets from file
Scan with custom template directory
Save results to file
Save results as JSON
Update all templates to latest
Template Filtering
Run only exposure templates
Run only CVE templates
Run only 2023 CVE templates
Run vulnerability templates
Run misconfig templates
Run templates with specific tags
Only run critical and high severity templates
Exclude DoS templates (safe mode)
Proxy, Auth & Speed
Route through Burp proxy
Add custom header (auth)
Set 50 concurrent requests
Limit to 100 requests/second
Set 10 second timeout
Full pipeline: subdomains → live hosts → CVE scan
Command Injection
OS command injection — separators and substitution, blind/time-based detection, OOB exfiltration, space/keyword/WAF bypasses, reverse shells and Windows command injection.
Web Pentest
29 cmds
Separators
Chain a second command (semicolon)
Pipe into the injected command
Run only if the first command fails
Background separator (also Windows)
Run if the first command succeeds
Backtick command substitution
Modern command substitution
URL-encoded newline as a separator
Blind / Time-Based
Confirm blind injection via a delay (Unix)
Time delay via substitution
Unix delay via ping
Windows delay via ping
Out-of-Band Exfil
Exfil command output via an HTTP callback
DNS exfil of command output
POST a file to your listener
Base64 the output to survive URL/DNS rules
Space & Keyword Bypass
${IFS} substitutes for a blocked space
Brace expansion avoids spaces
Input redirection instead of a space
Empty quotes break keyword matching
Glob wildcards avoid literal binary names
Base64-decode then execute
Reverse Shells
Bash reverse shell
Netcat reverse shell
Netcat (no -e) FIFO reverse shell
Windows
Windows command separator
Download + execute a payload (certutil)
Run an encoded PowerShell command
PowerShell download-cradle
NoSQL Injection
NoSQL injection (MongoDB-focused) — authentication bypass with operators, query operator injection, blind regex extraction, server-side $where JavaScript injection, JSON vs form delivery, and NoSQLMap/ffuf tooling.
Web Pentest
23 cmds
Authentication Bypass
Operator injection — "not equal to null" matches any password
Log in as the first user when both fields are bypassed
Greater-than-empty matches any set password
Form/URL-encoded operator injection
Regex-match the username, bypass the password
Query Operator Injection
Match anything that is not null
Range operators to match populated fields
Match any value from a list
Filter on field presence
Wildcard regex match
Blind Extraction (Regex Oracle)
Confirm the first character, then iterate the alphabet
Character-by-character extraction of a secret field
Boolean oracle drives blind NoSQLi
JavaScript Injection ($where)
Run server-side JavaScript inside the query
Time-based blind via $where
Break out of a string into the $where JS context
Arbitrary JS predicate
Encoding & Delivery
Send real operator objects (not strings) in a JSON body
Express/PHP parse bracket params into nested operators
Operator injection through query-string bracket notation
Tooling
Automated MongoDB / NoSQL injection + enumeration
Fuzz operator names into bracket parameters
Manual operator injection in Repeater
Insecure Deserialization
Insecure deserialization across languages — stream fingerprinting, Java ysoserial gadget chains, PHP phpggc + manual objects, Python pickle/PyYAML, .NET ysoserial.net (ViewState/BinaryFormatter), Ruby Marshal and Node node-serialize.
Web Pentest
22 cmds
Detection & Magic Bytes
Java serialized object signature
PHP serialized object / array
Python pickle stream
.NET BinaryFormatter stream
Ruby Marshal data
Java — ysoserial
Detect deserialization with a dependency-free DNS callback
Generate a CommonsCollections RCE gadget
BeanUtils gadget (common on Jenkins / Spring apps)
Spring gadget chain
PHP — phpggc & Manual
List every available PHP gadget chain
Generate a Laravel RCE gadget chain
Monolog gadget, base64 output
Hand-craft an object to hit a __wakeup/__destruct gadget
Trigger object instantiation via the phar:// wrapper
Python — pickle / PyYAML
Build a base64 pickle RCE payload via __reduce__
PyYAML RCE via unsafe load / full_load
PyYAML RCE that returns command output
.NET — ysoserial.net
Generate a BinaryFormatter RCE payload
Forge a malicious ASP.NET ViewState (leaked machineKey)
Abuse polymorphic type handling in Json.NET
Ruby / Node
Ruby 2.x–3.x universal deserialization RCE gadget
node-serialize RCE via an IIFE function
API Security — OWASP API Top 10
REST API penetration testing mapped to the OWASP API Security Top 10 — endpoint/spec discovery, BOLA/BFLA, broken auth, mass assignment & data exposure, resource consumption, SSRF, CORS/misconfig, shadow versions and tooling.
Web Pentest
25 cmds
Recon & Discovery
Hunt API docs that map the entire attack surface
Brute API routes — 401/403 still reveal hidden endpoints
Kiterunner — content discovery tuned for API routes
Crawl and extract API endpoints from JavaScript
Version & shadow-API discovery (API9)
API1 / API5 — BOLA & BFLA
API1 BOLA — read/modify others' objects by changing IDs
API5 BFLA — invoke admin-only functions
Automate authorization testing across the whole API
API2 — Broken Authentication
API2 — brute/stuff when login isn't throttled
Brute the login endpoint
Token and key weaknesses
Account takeover via a weak reset flow
API3 — Mass Assignment & Data Exposure
API3 BOPLA — inject privileged fields the API binds blindly
Excessive data exposure — the server over-returns
Object property-level authorization bypass
API4 — Resource Consumption
API4 — melt the DB/memory with huge page sizes
Cost & DoS via unbounded operations
Parser resource exhaustion
API7 / API8 / API9 — SSRF, Misconfig, Inventory
API7 SSRF via URL-accepting fields
API8 — permissive CORS leaking authenticated data
API8 misconfiguration probes
API9 — deprecated/shadow versions skip new controls
Tooling
Automated API misconfig/exposure checks
Discover hidden JSON parameters
Build the request corpus to fuzz
ADB — Android Debug Bridge
ADB (Android Debug Bridge) for device interaction, app analysis, and Android penetration testing.
Mobile Pentest
30 cmds
Connection & Setup
List connected devices/emulators
Connect to device over network (TCP/IP mode)
Enable ADB over TCP/IP on port 5555
Connect to specific device by ID
Restart ADB daemon as root
Wait for device to come online
Shell & Commands
Open interactive shell on device
Check current user on device
List all installed packages
List only third-party apps
Get APK path for package
Full package info (perms, activities, etc.)
Activity stack info
Launch specific app activity
Send deeplink intent
Get device model
Get Android SDK version
File Operations
Pull app data directory (needs root)
Pull file from SD card
Push file to device
List app data directory
Read shared preferences
Read SQLite database
APK Extraction & Logging
Extract installed APK from device
Install APK to device
Uninstall package
View app-specific logcat logs
Filter logcat by tag
Save full logcat to file
Take screenshot from device
Frida — Dynamic Instrumentation & Hooking
Frida dynamic instrumentation toolkit for hooking, bypassing, and analyzing mobile and desktop apps.
Mobile Pentest
24 cmds
Setup & Connection
Install Frida CLI tools
List connected devices
List processes on USB device
List processes on remote device
Start frida-server on device (run on device via adb shell)
Deploy and start frida-server on Android
Attach & Spawn
Attach to running app with script (USB)
Spawn (launch) app with script from start
Attach via remote Frida server
Attach interactively (REPL mode)
Trace all calls to open() function
Trace iOS NSURLSession network calls
Common Hook Scripts
Bypass SSL pinning (Conscrypt TrustManager)
Bypass root detection — override isRooted()
Hook Android Activity lifecycle
Hook native libc open() calls
Hook crypto function and log decrypted output
objection (Frida wrapper)
Launch objection REPL against app
Disable SSL pinning (inside objection)
Bypass root detection (inside objection)
List all loaded classes
List methods of a class
Hook all methods in a class
Dump app memory
SQLMap — SQL Injection Automation
SQLMap automates detection and exploitation of SQL injection vulnerabilities across all major databases.
Web Pentest
28 cmds
Basic Detection
Test GET parameter for SQLi
Enumerate databases
List tables in a database
List columns in a table
Dump specific columns
Dump all databases
POST Requests & Forms
Test POST parameters
Test from saved Burp request file
Test specific POST parameter
POST with authentication cookie
Authentication & Session
Inject with session cookie
Inject with Bearer token
HTTP Basic authentication
Techniques & Evasion
All techniques: Boolean, Error, Union, Stacked, Time
Time-based blind only
Use tamper script for WAF bypass
Chain multiple tamper scripts
Random User-Agent to avoid detection
Slow down requests (IDS evasion)
Route through Burp proxy
Max level & risk (most aggressive)
OS & Privilege Escalation
Get current DB user, database, hostname
Check if current user is DBA
Read local file (MySQL FILE priv)
Write webshell to server
Interactive OS shell via SQLi
Execute single OS command
Dump DB user password hashes
BloodHound — Active Directory Attack Path Analysis
BloodHound maps Active Directory attack paths using graph theory to find privilege escalation routes.
Active Directory
19 cmds
Data Collection (SharpHound / BloodHound.py)
Python collector — collect all data
Collect and auto-zip for import
Collect DC info only (faster, stealthier)
Use TCP DNS with custom resolver
SharpHound Windows binary — collect all
SharpHound collect + zip output
Session loop collection for 2 hours
BloodHound collection via NetExec
BloodHound Cypher Queries (Neo4j)
Find all DA/admin users
Shortest path to Domain Admins from any user
Shortest path from specific user to DA
Find all Kerberoastable users
Find AS-REP Roastable users
Find computers with unconstrained delegation
Find enabled users not logged in 90+ days
Find all admin groups
Setup & Launch
Start Neo4j then BloodHound GUI
Start Neo4j in foreground
Install bloodhound-python collector
NetExec (CrackMapExec) — AD Lateral Movement
NetExec (nxc) — the Swiss Army knife for Windows/AD lateral movement, credential spraying, and post-exploitation.
Active Directory
53 cmds
SMB Enumeration & Auth
Discover SMB hosts on subnet
Test SMB credentials
SMB pass-the-hash
Spray credentials across subnet
Credential spray with lists
Enumerate SMB shares
List active SMB sessions
Enumerate domain users via SMB
Enumerate domain groups
Get password policy
RID brute force to enumerate users/groups
List logged-on users (hunt where admins are sitting)
Authenticate with a LOCAL account instead of domain
Null-session enumeration (no creds)
List domain computer objects
Find hosts with SMB signing OFF (relay target list)
WPScan is a WordPress security scanner for finding vulnerabilities, weak passwords, and exposed files.
Web Pentest
19 cmds
Basic Scanning
Basic WordPress scan
Full enumeration (plugins, themes, users)
Enumerate users only
Enumerate plugins only
Enumerate themes only
Enumerate only vulnerable plugins
Enumerate only vulnerable themes
Enumerate ALL plugins (aggressive, slow)
Password Attacks
Brute force admin password
Brute force multiple users
Enumerate users then brute force
Brute force with 20 threads
Advanced Options
Use WPScan API token for vuln data
Route through Burp proxy
Aggressive detection (more requests)
Save output as JSON report
Bypass HTTP basic auth
Scan as authenticated user
Randomize User-Agent per request
Pivoting & Tunneling
Pivot into internal networks — Ligolo-ng, Chisel, SSH local/remote/dynamic forwards & ProxyJump, proxychains, Metasploit autoroute/socks, socat/netcat relays and native Windows netsh/plink forwarding.
Network Pentest
25 cmds
Ligolo-ng
Start the Ligolo-ng proxy on your attack box
Run the agent on the pivot (Linux or agent.exe)
Route the internal subnet through the ligolo interface
Pick the agent session and start the tunnel
Reverse port-forward to catch shells from internal hosts
Chisel
Start the Chisel server (reverse mode) on the attacker
Reverse SOCKS proxy from the pivot back to you
Reverse single-port forward (e.g. RDP)
Local forward to an internal host through the pivot
SSH Tunneling
Dynamic SOCKS proxy through SSH
Local port forward to an internal service
Reverse forward — expose a pivot-local service to you
ProxyJump straight to an internal host
proxychains (use the SOCKS)
Point proxychains at your SOCKS tunnel
TCP-connect scan through the proxy (no SYN over SOCKS)
Run AD tooling across the internal subnet
RDP through the tunnel
Metasploit / Meterpreter
Add a Meterpreter route to the internal subnet
Forward an internal port to your localhost
Expose the routes as a SOCKS proxy for proxychains
socat / netcat Relays
Simple TCP relay through a Linux pivot
Netcat relay without -e
Windows-Side Forwarding
Native Windows port forward — nothing to upload
SSH reverse tunnel from Windows (plink)
Run the Chisel client on Windows
Coercion & mitm6 — Forced Authentication
Force machine accounts to authenticate to you and relay it — PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, Coercer and mitm6, paired with ntlmrelayx / Certipy relay (RBCD, Shadow Credentials, ESC8).
Active Directory
20 cmds
mitm6 — IPv6 DNS Takeover
Spoof DHCPv6 to become the network's IPv6 DNS server (WPAD/auth capture)
Only answer FQDN queries for the target domain — quieter, less breakage
Restrict spoofing to a single victim host (targeted)
Relay the IPv6/WPAD-captured machine auth to LDAPS → configure RBCD
Relay → add a new computer account (then use it for RBCD)
PetitPotam — MS-EFSRPC
Unauthenticated EFSRPC coercion (unpatched DCs) — listener then target
Abuse the Print Spooler RPC to coerce the target to auth to your listener
Alternative SpoolSample/PrinterBug trigger
Check whether the MS-RPRN (Spooler) interface is exposed first
DFSCoerce / ShadowCoerce
MS-DFSNM coercion — works even when the Spooler is disabled
MS-FSRVP (VSS) coercion — another no-Spooler path
Coercer — All-in-One
Enumerate which coercion methods/pipes the target actually exposes
Fire every available coercion method at the target at once
Trigger one specific RPC method only
Relay Combos (where the coerced auth goes)
Relay coerced machine auth to LDAPS → grant RBCD over the victim computer
Relay → add Shadow Credentials (msDS-KeyCredentialLink) on the DC
ESC8 — relay coerced DC$ auth to AD CS web enrollment to mint a DC cert
Relay to SMB and stash the session in a SOCKS proxy for reuse
XXE — XML External Entity
XML External Entity attacks — local file read, SSRF, PHP filter/expect wrappers, blind & error-based out-of-band exfiltration via external DTDs, XInclude, SVG/Office documents and entity-expansion DoS.
Web Pentest
15 cmds
Basic File Read
Read a local file via an external entity
Windows local file read
Directory listing on some Java parsers
SSRF via XXE
Reach cloud metadata through XXE
Hit an internal-only service
PHP Wrappers
Base64-wrap to read files with special chars (PHP)
Read application PHP source code
Command exec if the PHP expect wrapper is enabled
Blind / Out-of-Band
Load an external DTD for out-of-band exfil
External DTD that exfiltrates a file over HTTP
Leak file contents inside a parser error message
Other Vectors
XInclude — works when you cannot control the DOCTYPE
XXE through an uploaded SVG
XXE via Office Open XML documents
Billion Laughs entity-expansion DoS
IDOR & Broken Access Control
Insecure Direct Object Reference and broken access control — ID tampering, mass assignment, verb abuse, encoded references, BFLA function-level access and Autorize/Arjun tooling.
Web Pentest
19 cmds
Finding IDOR
Increment/decrement object IDs to reach others' data
Tamper an ID in the query string
Compare the self route with a direct-ID route
Fuzz IDs and flag 200 responses
Parameter & Body Tampering
Swap the user id in a JSON body
Mass assignment — add privileged fields the API trusts
Duplicate parameter — some parsers honour the last (or first)
Wrap the id in an array to bypass type checks
HTTP Verb / Method
Write or modify via an unprotected verb
Smuggle a privileged method past verb-based rules
Indirect / Encoded References
Decode, change, then re-encode object references
Change the subject when the API trusts the token id
Guess hashed identifiers derived from sequential values