(01)// Recon
INTERMEDIATElinuxmacos
Nmap — Full TCP port scan with version detection
Scans all 65535 TCP ports with service version detection and default scripts. -oA saves output in all three formats.
nmaptcpversion-detectionscripts
// arsenal
// arsenal
// arsenal
Commands, techniques, and playbooks battle-tested and searchable. Curated entries for recon, exploitation, forensics, reverse engineering, DFIR, and CTF.
// 60 entries
Scans all 65535 TCP ports with service version detection and default scripts. -oA saves output in all three formats.
Scans the 20 most common UDP ports. UDP is slow — be patient.
SYN scan (half-open, less noisy) with OS fingerprinting. Requires root.
Brute-forces directories and files. -x adds extension fuzzing.
Discovers virtual hosts by fuzzing the Host header. Filter by word count to remove false positives.
Identifies CMS, frameworks, server software, headers. -a 3 is aggressive mode.
Lists SMB shares without authentication (null session).
Full SMB/LDAP enumeration: users, groups, shares, password policy, OS info.
Walks the full SNMP MIB tree using the default community string "public".
Queries LDAP anonymously for all objects. Replace dc values with target domain.
Simple banner grab. Connect to a port and read whatever the service sends.
Automated Linux privilege escalation enumeration. Checks SUID, cron, writable paths, sudo, capabilities.
Lists commands the current user can run with sudo. Check GTFOBins for each result.
Finds all SUID binaries on the system. Cross-reference each with GTFOBins.
Checks system cron jobs and finds writable shell scripts that may be executed by root cron.
Automated Windows privilege escalation enumeration. Checks services, registry, credentials, tokens.
Lists current user token privileges. SeImpersonatePrivilege = likely path to SYSTEM.
Automatically detects and exploits SQL injection. --dbs enumerates databases. --batch skips prompts.
Decodes JWT header and payload without signature verification.
Tests for Local File Inclusion via path traversal to read /etc/passwd.
Adds or overrides X-Forwarded-For header to simulate localhost access for IP-restricted endpoints.
Identifies the true file type regardless of extension. ELF, PE, scripts, archives.
Extracts all printable strings of 8+ chars. Often reveals hardcoded credentials, URLs, C2 addresses.
Reports enabled security mitigations: ASLR, NX, PIE, stack canaries, RELRO.
Runs Ghidra analysis without the GUI. Useful for scripting bulk analysis.
Opens binary in radare2 with full analysis (-A runs aaa). Start here for interactive disassembly.
Opens binary in GDB with pwndbg plugin for enhanced output. Essential for dynamic analysis.
Intercepts and logs all library function calls (malloc, strcmp, printf, etc.) as the program runs.
Intercepts system calls. Filter with -e to focus on specific calls like file opens and network.
Static analysis of PE (Windows) executables. Shows suspicious imports, strings, entropy, digital signature.
Identifies packers, compilers, cryptors used on PE files. Tells you if unpacking is needed.
Extracts full metadata from images, PDFs, Office files, audio, video. Second form strips it all.
Installs FLARE-VM — the complete Windows malware analysis environment with 100+ tools.
Identifies capabilities of a PE binary using rules mapped to MITRE ATT&CK and MBC.
Identifies OS version and build from a Windows memory dump.
Lists all running processes at time of memory capture. pstree shows parent-child relationships.
Extracts network connections present in memory at time of capture.
Identifies and extracts embedded files (ZIP, gzip, ELF, PNG, etc.) from any binary or firmware.
File carving tool that recovers files from disk images based on headers and footers.
Extracts data hidden in JPEG/BMP/WAV files using steghide embedding.
Detects LSB (Least Significant Bit) steganography in PNG and BMP files.
GUI tool to analyze image bit planes, color channels, and LSB visually.
Visualizes audio files as spectrograms. Hidden images or text often visible in frequency domain.
Cracks hashes using dictionary attack. -m specifies hash type (0=MD5, 1000=NTLM, 1800=sha512crypt).
Combines passwd and shadow files then cracks with wordlist.
Use CyberChef Magic operation to auto-detect and decode unknown encoding chains.
Collects Active Directory relationship data for BloodHound graph analysis.
Requests Kerberos service tickets for accounts with SPNs. Cracks offline to get plaintext passwords.
Collects key forensic artifacts from a live Windows system using KAPE triage collection.
PowerShell: retrieves Windows Security logon events (Event ID 4624). Shows who logged in and when.
Filters captured traffic to show only HTTP POST requests, useful for credential harvesting in DFIR/CTF.
Extracts all HTTP transferred files (images, scripts, executables) from a PCAP capture.
Python3 reverse shell one-liner. Start a netcat listener before executing on target.
Upgrades a raw netcat shell to a fully interactive TTY with tab completion, Ctrl+C, and clear.
Downloads and executes a PowerShell script entirely in memory without writing to disk.
Shodan searches for internet-exposed services. Useful for recon on target organizations.
Gathers emails, subdomains, IPs, and employee names from public sources.
Standard first-five-commands methodology for any unknown file in CTF forensics/misc challenges.
Quick reference for visually identifying common encoding schemes in CTF challenges.
GTFOBins documents how to abuse Unix binaries for privilege escalation, reverse shells, and file reads.