Listen to this Post

Introduction:
In the fast-evolving landscape of cybersecurity, understanding the tools and techniques used by adversaries is no longer optional—it’s a core defense requirement. From network reconnaissance to privilege escalation, hands-on knowledge of pentesting commands empowers blue and red teams alike to identify and close security gaps before malicious actors exploit them.
Learning Objectives:
- Master essential Nmap scanning techniques for network discovery and vulnerability detection.
- Execute password hash cracking using Hashcat with real-world attack modes.
- Perform privilege escalation checks on Linux and Windows systems using automated scripts and manual commands.
You Should Know:
1. Network Reconnaissance with Nmap (Linux & Windows)
Nmap remains the gold standard for port scanning and service enumeration. Below are verified commands for stealthy and aggressive scans.
Step‑by‑Step Guide:
- Install Nmap:
Linux: `sudo apt install nmap -y` (Debian/Ubuntu) or `sudo yum install nmap` (RHEL/CentOS)
Windows: Download from https://nmap.org/download.html and add to PATH. - Basic scan: `nmap -sV -sC
` – version detection and default scripts. - Stealth SYN scan: `nmap -sS -Pn -f
` – half-open scan, avoids full TCP handshake. - Aggressive vulnerability scan: `nmap -sV –script=vuln
` – runs NSE vulnerability scripts. - Save output: `nmap -oA scan_results
` – generates .nmap, .gnmap, and .xml.
What it does: Identifies open ports, running services, OS fingerprinting, and potential CVEs. Use for external/internal asset discovery.
2. Password Cracking with Hashcat (Linux/Windows via GPU)
Hashcat leverages GPU power to crack password hashes efficiently. Always use with authorized hashes only.
Step‑by‑Step Guide:
- Install Hashcat:
Linux: `sudo apt install hashcat`
Windows: Download from https://hashcat.net/hashcat/
– Identify hash type: Use `hashcat –example-hashes` to match your hash format (e.g., NTLM = 1000, MD5 = 0).
– Basic dictionary attack: `hashcat -m 1000 -a 0 ntlm_hash.txt rockyou.txt`
(-m mode, `-a` attack type 0 = straight dictionary)
– Brute‑force (mask attack): `hashcat -m 0 -a 3 hash.txt ?l?l?d?d?d` – tries two lowercase letters + three digits.
– Rules‑based attack: `hashcat -m 1000 -a 0 ntlm_hash.txt rockyou.txt -r best64.rule`
Pro tip: Use `–force` if OpenCL errors appear, but ensure hardware compatibility. Monitor GPU temp with `nvidia-smi` (Linux) or GPU-Z (Windows).
3. Web Directory Brute‑Forcing with Gobuster (Linux)
Gobuster is a fast directory/file enumeration tool essential for web application pentesting.
Step‑by‑Step Guide:
- Install: `sudo apt install gobuster` or `go install github.com/OJ/gobuster/v3@latest`
– Basic dir scan: `gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt`
– With extensions: `gobuster dir -u https://target.com -w wordlist.txt -x php,asp,txt,bak`
– DNS subdomain enumeration: `gobuster dns -d target.com -w subdomains.txt`
– VHost brute‑force: `gobuster vhost -u https://target.com -w vhosts.txt –append-domain`Understanding output: Status codes 200 (OK), 301 (redirect), 403 (forbidden), 401 (auth required). Filter with
-s "200,204,301,302".
4. Linux Privilege Escalation Checklist (Manual Commands)
Once you have low‑privilege shell access, use these commands to identify misconfigurations.
Step‑by‑Step Guide:
- Kernel version: `uname -a` – search for known exploits (e.g., Dirty Pipe, Dirty Cow).
- SUID binaries: `find / -perm -4000 -type f 2>/dev/null` – look for
pkexec,sudo,vim,nmap. - Writable cron jobs: `cat /etc/crontab` and check scripts in `/etc/cron.` for world‑writable files.
- Sudo misconfigurations: `sudo -l` – if you can run any command as root without password,
sudo su -. - Path hijacking: `echo $PATH` – if current directory `.` is in PATH, create malicious binaries named after common commands.
Automated helper: Run `linpeas.sh` (download from GitHub) for a full enumeration script.
- Windows Persistence via Registry Run Keys (Admin Access Required)
Establishing persistence ensures access after a reboot. These techniques are monitored by EDR, so use only in authorized labs.
Step‑by‑Step Guide (PowerShell as Administrator):
- Current user run key:
`New-ItemProperty -Path “HKCU:\Software\Microsoft\Windows\CurrentVersion\Run” -Name “Updater” -Value “C:\payload.exe” -PropertyType String`
– Local machine run key (system‑wide):
`New-ItemProperty -Path “HKLM:\Software\Microsoft\Windows\CurrentVersion\Run” -Name “SystemHelper” -Value “C:\backdoor.exe” -PropertyType String`
– Scheduled task:
`schtasks /create /tn “WindowsUpdate” /tr C:\malware.exe /sc daily /st 09:00 /ru SYSTEM`
– WMI event subscription:
`powershell -Command “Register-WmiEvent -Query ‘select from __InstanceModificationEvent within 5 where TargetInstance isa \”Win32_Service\” and TargetInstance.Name=\”W3SVC\”‘ -Action { Start-Process C:\shell.exe }”`Detection: Monitor `Autoruns` from Sysinternals. Blue teams should audit Run keys and scheduled tasks regularly.
- API Security Testing with Postman & Burp Suite
Modern web apps rely heavily on APIs. Broken object‑level authorization (BOLA) and excessive data exposure are common.
Step‑by‑Step Guide:
- Intercept API traffic: Configure Burp Suite as proxy, install CA cert on device, and navigate to the app.
- Enumerate endpoints: Use Postman Collections or `ffuf` with wordlists:
`ffuf -u https://api.target.com/v1/users/FUZZ -w ids.txt -fc 404`
– Test for IDOR: Change user IDs in request parameters (e.g., `GET /api/orders?user_id=123` →456). If you see other users’ orders, it’s vulnerable. - Check rate limiting: Send 100 rapid requests using `Burp Intruder` or Python `requests` – absence of 429 status indicates missing throttling.
- Verify JWT security: Use `jwt_tool` to test for `none` algorithm, weak secrets, or `kid` path traversal.
Mitigation: Implement proper authorization checks on server side, use random UUIDs instead of sequential IDs, and enforce API gateways with rate limiting.
7. Cloud Hardening with AWS CLI (Prevent Misconfigurations)
Misconfigured S3 buckets and IAM roles lead to data breaches. These commands help audit and harden cloud environments.
Step‑by‑Step Guide (AWS CLI configured with read‑only permissions):
- List all S3 buckets: `aws s3 ls` – then check each bucket’s ACL: `aws s3api get-bucket-acl –bucket
`
– Find public buckets: `aws s3api get-bucket-policy-status –bucket` – look for `”IsPublic”: true`
– Enforce bucket encryption: `aws s3api put-bucket-encryption –bucket–server-side-encryption-configuration ‘{“Rules”:[{“ApplyServerSideEncryptionByDefault”:{“SSEAlgorithm”:”AES256″}}]}’`
– Audit IAM users with unused keys:
`aws iam list-users –query ‘Users[].UserName’ –output text | xargs -I {} aws iam list-access-keys –user-name {}`
– Enable CloudTrail in all regions:
`aws cloudtrail create-trail –name SecurityTrail –s3-bucket-name your-log-bucket –is-multi-region-trail`
Red team note: Attempt to pull metadata from EC2: `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/` – exposed IAM credentials lead to privilege escalation.
What Undercode Say:
- Key Takeaway 1: Passive reconnaissance and active scanning must be paired with continuous validation—never trust a single tool’s output without cross‑referencing.
- Key Takeaway 2: Privilege escalation often succeeds because of leftover SUID binaries or writable cron jobs; regular system hardening and automated auditing (e.g., Lynis, OpenSCAP) drastically reduce these vectors.
Analysis: The “Pic of the Day” from Hacking Articles reminds us that cybersecurity is a daily hands‑on discipline. While humorous comments like “reimage the gym after every workout” highlight the impracticality of perfect hygiene, the core truth remains: attackers only need one flaw, defenders need to cover many. Our generated commands represent a baseline—real‑world engagements require adapting these to custom environments, logging every action, and always obtaining proper authorization. The shift toward API and cloud security reflects the modern perimeter; ignoring these areas leaves critical assets exposed.
Prediction:
Within the next 18 months, AI‑driven pentesting assistants will automate 70% of the command‑level work shown above, from Nmap scanning to privilege escalation checks. However, this will increase the demand for human analysts who can interpret context, bypass AI detection mechanisms, and conduct business‑logic abuse testing—areas where generative models still fail. Organizations that fail to integrate continuous, automated red teaming with cloud‑native security posture management (CSPM) will face breach costs exceeding $10M on average. The line between red team and blue team will blur further as purple teaming and breach‑and‑attack simulation (BAS) become mandatory compliance requirements.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Infosec Cybersecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


