Cheat Sheets

FFUF (Fuzz Faster U Fool) is a fast and flexible web fuzzer that helps penetration testers and security researchers discover directories, files, parameters, and more. Basic Syntax ffuf -c -w path/to/wordlist -u https://target_url/FUZZ Examples # Filter responses with a content size of 4242 bytes ffuf -w /path/to/vhost/wordlist -u https://target_url/ -H "Host: FUZZ" -fs 4242 # Filter responses with a 401 status code ffuf -w /path/to/values.txt -u https://target_url/script.php?valid_name=FUZZ -fc 401 # Filter 401 responses and fuzz passwords in a POST request ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target_url/login.php -fc 401 Common Flags -c: Enable colorized output. -maxtime: Set the maximum runtime for the process in seconds. -p: Set a delay between requests (e.g., 0.1 seconds). -v: Verbose output. -t: Number of threads (default is 40). -mc: Match specific HTTP status codes (e.g., 200, 301, 403, or all). -fc: Filter out responses by HTTP status codes. -w: Specify the wordlist path. -u: Define the target URL. -s: Enable silent mode. -recursion: Enable recursive fuzzing. -r: Follow redirects. -o: Output results to a file. -of: Specify output format (e.g., json, html, csv, all). -b: Include cookies in the request. Examples # Match all responses, filter 42-byte answers, output colored and verbose ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v # Fuzz host headers and show only status 200 responses ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200 # Fuzz the `name` field in a POST request with JSON data, filter responses containing "error" ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \ -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error" # Use two wordlists for parameter and value fuzzing, match responses containing "VAL" ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c Tips and Tricks Interactive Mode: Press Enter while FFUF is running to access interactive features, such as reconfiguring filters or saving the state. Multiple Payloads: Use the FUZZ keyword multiple times in a URL (e.g., https://example.org/path/FUZZ/another_path/FUZZ). Variables in URLs: Specify payload locations using variables (e.g., https://example.org/path/{var1}/another_path/{var2}).

🛠️ Hydra Cheat Sheet 💡 Hydra is a powerful password-cracking tool for brute-forcing authentication protocols. It supports various protocols and is highly customizable for complex scenarios. 📌 1. Basic Syntax hydra [options] <IP/Target> <protocol> Examples: Brute-force SSH login with a single username and password list: hydra -l admin -P passwords.txt 192.168.1.10 ssh Brute-force HTTP POST login form: hydra -l admin -P passwords.txt 192.168.1.10 http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid login" 📌 2. Common Flags Flag Description -h Display help menu. -l <user> Single username/login. -L <file> Wordlist for usernames. -p <pass> Single password. -P <file> Wordlist for passwords. -s <port> Specify target port. -f Stop after finding valid credentials. -R Restore previous session. -t <num> Number of parallel threads (default: 16). -V Verbose output (show each attempt). -I Ignore an existing restore file. -u Loop usernames with each password attempt. -w <sec> Wait seconds between retries. -o <file> Write found credentials to a file. 📌 3. Supported Protocols Hydra supports a wide range of protocols, including: ...

🛠️ Nmap Cheat Sheet 🚀 Introduction This cheat sheet provides a quick reference for Nmap, including syntax, common flags, output formats, and advanced scripts for SMB and SSH enumeration. 📌 1. Basic Syntax # Standard scan nmap <target IP> # Stealth scan with verbose output and no ping sudo nmap -sS -Pn -v 10.10.10.10 # Aggressive scan with version detection sudo nmap -A -sS -Pn 10.10.10.10 # Full port scan with OS detection and vulnerability scripts sudo nmap -sV -sT -O -p- -vv --script vulners 10.10.10.10 📌 2. Common Flags Flag Description -p <PORT> Scan specific port -p- Scan all ports (1-65535) -sT TCP Connect scan -sU UDP scan -sV Detect services and versions -Pn Disable host discovery (no ping) -sS SYN “Stealth” scan -oA Output in all formats -sn Host discovery only (no port scan) -A Enable OS detection and version scan -O OS detection -v, -vv, -vvv Verbose output (levels) --script=vuln Run vulnerability detection scripts --script=vulners Run detailed vulnerability checks --script=http-enum Enumerate web server endpoints 📌 3. Output Formats Flag Description -oN Normal text output -oX XML output -oG Greppable output -oA Output in all three formats Example: ...

Basic Commands Start with the essentials to get a lay of the land: help: Display a list of available commands (your lifeline when you’re lost). sysinfo: Get basic system information, including OS and hostname (think of it as a “who am I dealing with?”). ps: List running processes. kill <PID>: Terminate a process by its PID (because some processes just need to “go away”). migrate <PID>: Move Meterpreter to a different process to stay under the radar. rev2self: Revert privileges to the original user (a “reset button” for when things get weird). File System Commands For poking around the file system: ...

smbclient is a command-line tool that allows you to interact with SMB (Server Message Block) file shares. Whether you’re uploading files, listing directories, or troubleshooting network shares, this tool is your go-to for SMB. Basic Usage To connect to an SMB file share, use the following syntax: smbclient //server/share [options] Replace server with the hostname or IP address of the server hosting the file share. Replace share with the name of the file share. Once connected, you will be prompted for credentials. After successful authentication, a command prompt will allow you to interact with the share. ...