Nmap
Basic Nmap Syntax
nmap [options] <ip address or subnet>
Options
-sS // Stealth (SYN) Scan
-sP // Ping Scan (older alias of -sn)
-sV // Version Scan
-p // Ports
-O // Operating System
-T1-T5 // Scan Speed Settings
-A // Aggressive Scan
-v // Verbose
-oA // Output All Formats
-sU // UDP Scan
Ping Scan
nmap -sP <ip address>
Version Scan
nmap -sV <ip address>
Full TCP Port Scan
nmap -p- -sV -sS -T4 <Target>
UDP Scan
nmap -sU <Target>
Aggressive Scan
nmap -sS -A -T4 <Target>
Operating System Scan
nmap -O <Target>
All Port Scan
nmap -sS -p- -T4 <Target>
Scanning specific Ports or Port Range
nmap -p<port number(s)> [options] <Target>
nmap -p <port start number>-<port end number> [options] <target>
Examples: nmap -sS -p 22,80,443,8080 example.com, nmap -p 1-65535 example.com
Nmap Scan from a File
nmap -iL <file.txt>
Nmap Scripting Engine
nmap --script=<NSE script name> <Targets>
Useful NSE Scripts
- smb-enum*
- smb-ls
- smb-mbenum
- smb-os-discovery
- smb-s*
- smb-vuln*
- smbv2*
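-oA writes normal, XML and grepable (.gnmap) output. The Python script below is an added example, not part of this cheatsheet: it parses the grepable format into a host-to-open-ports inventory and diffs it against an allow-list of expected ports, which is the check to run after scanning your own range to catch services that should not be exposed. The scan lines, addresses, service banners and baseline are all constructed for the example.

```python
"""Parse Nmap grepable output (.gnmap, written by -oA or -oG) into an
inventory of open ports and diff it against an expected baseline.
Added example, not part of the cheatsheet; the sample below is
constructed to mimic -oG output and is not a real scan."""
import re

# Constructed sample of -oG output: one "Host:" line per field group,
# fields separated by tabs, port entries separated by ", ".
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sV -p- -oA lab 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, 80/open/tcp//http//nginx 1.22/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)
Host: 192.0.2.11 (db.lab)\tStatus: Up
Host: 192.0.2.11 (db.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, 3306/open/tcp//mysql//MySQL 8.0/\tIgnored State: closed (65533)
# Nmap done at Mon Jan  1 10:05:00 2024 -- 8 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

# Each port entry is port/state/protocol/owner/service/rpc_info/version/
# (a version string containing "/" would break this simple split).
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: {port: (proto, service, version)}} for open ports only."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and footer comments
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        inventory.setdefault(ip, {})
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                inventory[ip][int(port)] = (proto, service, version.strip())
    return inventory


def unexpected_ports(inventory, baseline):
    """Ports open now that the baseline (ip -> set of allowed ports) does not list."""
    findings = {}
    for ip, ports in inventory.items():
        extra = set(ports) - baseline.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    # Constructed allow-list: 192.0.2.11 is only supposed to expose SSH.
    baseline = {"192.0.2.10": {22, 80}, "192.0.2.11": {22}}
    for ip, ports in unexpected_ports(inv, baseline).items():
        for port in ports:
            proto, service, version = inv[ip][port]
            print(f"{ip}: unexpected {port}/{proto} ({service} {version})")
```

Filtered ports are deliberately excluded from the inventory; only state `open` counts, so a baseline diff reports real exposure rather than firewall noise.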
netcat
Basic Syntax
nc [options] <host> <ports>
Common Flags
-l # listen mode (server)
-p <port> # specify port for some builds when listening
-u # use UDP instead of TCP
-z # zero-I/O mode (port scan)
-v # verbose
-w <sec> # timeout for connects/reads
-e <prog> # execute program after connect (dangerous / not recommended on public pages)
-N # shutdown socket after EOF on some builds
--ssl # use SSL/TLS (ncat-specific)
Listen as a simple TCP server
- Single Connection
nc -l <port>
- Listening to Multiple Connections
while true; do nc -l <port>; done # loops to accept sequential connections
Receive a file (server)
nc -l 9001 > received.bin
Send a file (client)
nc <receiver-ip> 9001 < file-to-send.bin
curl
Quick reference (most-used flags)
-I — fetch headers only (HEAD).
-i — include headers with body.
-L — follow redirects.
-o <file> — save body to <file>.
-O — save using remote filename.
-s — silent (no progress). -S show errors when used with -s.
-v — verbose / debug.
-H — add header, e.g., -H "Content-Type: application/json".
-d, --data-binary — POST data.
-X — override request method (GET/POST/PUT/DELETE).
-u user:pass — basic auth.
-k — disable TLS certificate verification (insecure).
--cert <cert> --key <key> — client certificate auth.
-b, -c — cookie input & cookie jar.
-x — proxy.
--limit-rate — throttle transfer rate.
-C - — resume download.
--max-time / --connect-timeout — timeouts.
--http2, --http3 — request HTTP/2/3.
Nikto
Traceroute
Gobuster
Most-used flags (cheatsheet)
-u <url> — target URL (for dir/vhost)
-d <domain> — target domain (for dns)
-w <wordlist> — path to wordlist (required)
-t <threads> — number of concurrent workers (default varies)
-x <ext1,ext2,...> — append extensions (e.g., php,html,txt) for dir mode
-s <codes> — show only responses with these status codes (comma list)
-o <file> — write output to file
-e — show full URL/expanded results (include full path in output)
-k — skip TLS cert verification (ignore HTTPS cert issues)
-a <agent> — set custom User-Agent header
-p <proxy> — use HTTP proxy (e.g., http://127.0.0.1:8080)
-H <header> — send custom header (e.g., cookie, auth) — repeatable in many builds
-q — quiet mode (minimal output)
(If you see any flag error on your host, run gobuster --help — different versions add/remove flags.)
Dirb
Syntax
dirb <url> <wordlist> [options]
Common Flags
-r # don't search recursively (dirb descends into found directories by default)
-R # interactive recursion (asks before descending into each directory)
-o <file> # write output to file
-N <code> # ignore responses with this HTTP status code
-S # silent mode: don't print each tested word
-X <ext> # append extensions to each word (e.g., .php,.html); -x <file> reads the extensions from a file
-a <agent> # set User-Agent
-p <proxy> # proxy (http://127.0.0.1:8080)
-H <header> # add a custom HTTP header (e.g., a Referer or Cookie)
Directory Brute forcing
dirb <url> <wordlist> -o <output file>
Using Extensions
dirb <url> <wordlist> -X .php,.html
Using Proxy
dirb <url> <wordlist> -p <proxy>
Example: dirb https://dev.local /usr/share/wordlists/dirb/big.txt -p http://127.0.0.1:8080
Wfuzz
Syntax
wfuzz [options] -w <wordlist> <url>
# use FUZZ placeholder(s) in URL, headers, or body
Common Flags
-w <wordlist> // wordlist
-c // colorized output
-t <threads> // concurrent threads
--hc <codes> // hide responses with these status codes
--sc <codes> // show only these status codes
--hl <lines> // hide responses with this many lines (--hw <words> and --hh <chars> filter by word and character count)
-H "Header: FUZZ" // fuzz header values
-d "param=FUZZ" // fuzz POST data
--hs <regex> // hide responses whose body matches the regex
--follow // follow redirects
-p <ip:port:type> // proxy, e.g. -p 127.0.0.1:8080:HTTP to go through Burp
Quick Commands
# dir fuzzing
wfuzz -c -w /usr/share/wordlists/dirb/common.txt http://example.com/FUZZ
# parameter fuzzing
wfuzz -c -w params.txt -d "id=FUZZ" -H "Cookie: session=abcd" http://example.com/item
# file extension testing
wfuzz -c -w words.txt -u http://site/FUZZ.php --hc 404
Wpscan
Syntax
wpscan --url <target> [options]
Common Flags
--enumerate p,t,u,vt // p=plugins, t=themes, u=users, vp=vulnerable plugins, vt=vulnerable themes
--api-token <token> // WPScan API token for vulnerability data (can also be set in ~/.wpscan/scan.yml)
--plugins-detection <mode> // mixed (default), passive, or aggressive
--proxy http://127.0.0.1:8080
--random-user-agent (--rua)
--user-agent <agent>
--disable-tls-checks
-o <file> // output file
-f, --format [cli,cli-no-colour,json] // output format
-t, --max-threads <n> // parallel requests
Quick Commands
# Enumerate plugins/themes/users
wpscan --url https://example.com --enumerate p,t,u --api-token YOUR_TOKEN -o wpscan-out.txt
# Passive plugin enumeration
wpscan --url https://example.com --enumerate p --plugins-detection passive
# Use proxy
wpscan --url https://example.com --enumerate p --proxy http://127.0.0.1:8080
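Gobuster, dirb, wfuzz and wpscan all leave the same footprint on the server side: one client producing a burst of 404s against guessed paths, sometimes with a tool name in the User-Agent, sometimes with a browser-like one (--random-user-agent). The Python script below is an added example, not part of this cheatsheet or of any of those tools: it runs over Apache/nginx combined-format access log lines and flags a client either by a scanner User-Agent or by too many 404s inside a sliding window. The log lines, client addresses, paths and thresholds are constructed for the example.

```python
"""Flag web content brute-forcing (gobuster, dirb, wfuzz, wpscan style)
in access logs. Added example, not part of the cheatsheet; the log lines,
addresses and paths are constructed in Apache/nginx 'combined' format."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a normal browser, a gobuster run that announces itself,
# and a plugin-path sweep hiding behind a generic User-Agent.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /old HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.9 - - [01/Jan/2024:10:00:06 +0000] "GET /login HTTP/1.1" 200 1042 "-" "gobuster/3.6"
192.0.2.77 - - [01/Jan/2024:10:00:10 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible)"
192.0.2.77 - - [01/Jan/2024:10:00:20 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible)"
192.0.2.77 - - [01/Jan/2024:10:00:30 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible)"
192.0.2.77 - - [01/Jan/2024:10:00:40 +0000] "GET /wp-content/plugins/plugin-d/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible)"
192.0.2.77 - - [01/Jan/2024:10:00:50 +0000] "GET /wp-content/plugins/plugin-e/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible)"
"""

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Default User-Agents of the tools on this page (trivially changed by the operator,
# which is why the rate rule below exists as well).
SCANNER_UA = re.compile(r"gobuster|dirb|wfuzz|wpscan", re.I)


def parse_line(line):
    """Return a dict of the fields we need, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text, window_seconds=60, threshold=5):
    """Return {ip: sorted list of reasons} for clients that look like content brute-forcing."""
    reasons = defaultdict(set)
    recent_404 = defaultdict(deque)  # per-client timestamps of 404s inside the window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if SCANNER_UA.search(rec["ua"]):
            reasons[ip].add("scanner user-agent: " + rec["ua"])
        if rec["status"] == 404:
            q = recent_404[ip]
            q.append(rec["ts"])
            while (q[-1] - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop 404s that fell out of the sliding window
            if len(q) >= threshold:
                reasons[ip].add(f"{threshold}+ 404s within {window_seconds}s")
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in detect(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Tune `threshold` and `window_seconds` to the site: a single stray 404 from a real browser (the favicon miss above) must stay below the threshold, while a wordlist run hits it within seconds. The 192.0.2.77 client shows why the User-Agent match alone is not enough; it is only caught by the 404 rate.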