12 categories · 55 commands — covering recon, web attacks, exploitation, post-exploitation, and blue team defense.
Enumeration, privilege audit, and system recon commands.
  Find binaries with the SUID bit set, a common privilege escalation vector.
  Reveal loopback-only services that are invisible to external scanners.
  Identify the exact kernel version for matching against legacy exploits (DirtyCOW etc.).
  Locate files writable by any user, common path injection targets.
  Enumerate scheduled tasks that may run writable scripts as root.
  List currently logged-in users and their terminal sessions.

Host discovery, service fingerprinting, and NSE scripts.
  Sweep all ports with version detection and OS fingerprinting.
  Quick sweep of the 100 most common ports for initial triage.
  Discover live hosts across a subnet without port scanning.
  Scan common UDP ports: DNS, SNMP, NTP, TFTP.
  Run NSE vulnerability scripts against open ports.

Auth bypass, union-based extraction, and blind SQLi techniques.
  Classic tautology injection to bypass login forms.
  Determine the number of columns in the current query.
  Enumerate all table names from the information schema.
  True/false inference to extract data character by character.
  Use sleep() delays to infer data when the query produces no visible output.
  Automate extraction of tables and data with sqlmap.

Reflected, stored, and DOM-based XSS and WAF bypass payloads.
  Classic alert() payload to confirm the XSS execution context.
  Exfiltrate session cookies to an attacker-controlled endpoint.
  Use HTML event attributes when <script> tags are filtered.
  Mix uppercase and lowercase to evade case-sensitive WAF rules.
  Use a javascript: URI in href/src attributes in environments with weak or no CSP.
  Inject into document.write() or innerHTML via the URL fragment.

Handlers, session control, and post-exploitation commands.
  Set up a listener to catch incoming reverse shells.
  Scan a subnet for SMB versions and protocol support.
  Core post-exploitation commands inside a Meterpreter session.
  Establish persistence by adding a registry Run key.

HTTP manipulation, origin spoofing, and proxy intercept tricks.
  Spoof internal-IP headers to bypass admin IP whitelists.
  Set the JWT algorithm to "none" to bypass signature verification.
  Force server-side requests to internal endpoints via an open redirect.
  Send duplicate parameters to confuse parsing logic.

Hashcat, John, and credential extraction techniques.
  Crack MD5 hashes using the rockyou.txt wordlist.
  Crack Windows NTLM hashes with John the Ripper.
  Apply transformation rules (append numbers, capitalize) to a wordlist.
  Dump SAM/NTDS hashes remotely using valid credentials.

Move payloads between attacker and target using various protocols.
  Serve files from the attacker machine over HTTP instantly.
  Host an SMB share for Windows file transfers without credentials.
  Encode binary files to base64 and transfer them as text.
  Transfer files directly over raw TCP with netcat.

SUID, sudo, cron, and kernel exploit escalation vectors.
  List commands the current user can run as root via sudo.
  Escape to a root shell via a SUID Python binary.
  Add a new root user if /etc/passwd is writable.
  Place a malicious binary earlier in PATH than the real one.

Display filters for isolating credentials, scans, and tunnels.
  Filter POST requests containing login form data.
  Identify port-scanning activity by its SYN flag pattern.
  Detect data exfiltration via suspicious DNS queries.
  Reassemble and read a full TCP conversation.

Passive intelligence gathering without touching the target.
  Discover subdomains using passive DNS and certificate transparency logs.
  Use Google search operators to find exposed files.
  Find internet-exposed services without scanning the target.
  Harvest email addresses and domains from public sources.

Server hardening, log analysis, and incident response commands.
  Find brute-force SSH attempts in auth logs.
  Immediately block a suspicious IP address.
  Detect files changed in the last 24 hours, useful post-intrusion.
  Run a comprehensive system hardening assessment.