Penetration Testing Tools Cheat Sheet

Penetration testing tools cheat sheet, a quick reference high level overview for typical penetration testing engagements. Designed as a quick reference cheat sheet providing a high level overview of the typical commands you would run when performing a penetration test. For more in depth information I’d recommend the man file for the tool or a more specific pen testing cheat sheet.

Site and other tools from:


Package any app for any Linux desktop, server, cloud or device.

A ‘snap’ is a universal Linux package

Snaps work on any distribution or device. Snaps are faster to install, easier to create, safer to run, and they update automatically and transactionally so your app is always fresh and never broken.

The public collection of snaps includes the latest and best apps from GitHub and beyond, so you have the whole world of Linux apps at your fingertips. Take the tour below to experience ‘hello world’ as a snap, or jump to the developer guide to create your own snaps.


netdata real-time performance monitoring for Linux

Netdata is a real-time performance monitoring solution.

Unlike other solutions that are only capable of presenting statistics of past performance, netdata is designed to be perfect for real-time performance troubleshooting.

Netdata is a linux daemon you run, which collects data in realtime (per second) and presents a web site to view and analyze them. The presentation is also real-time and full of interactive charts that precisely render all collected values.

Netdata has been designed to be installed on every system, without disrupting the applications running on it:

  • It will just use some spare CPU cycles (check Performance).
  • It will use the memory you want it have (check Memory Requirements).
  • Once started and while running, it does not use any disk I/O, apart its logging (check Log Files). Of course it saves its DB to disk when it exits and loads it back when it starts.
  • You can use it to monitor all your systems and applications. It will run on Linux PCs, servers or embedded devices.

Out of the box, it comes with plugins that collect key system metrics and metrics of popular applications.

Available here:

Midnight Commander file size format

When dealing with large files in MC, I have difficulties counting the digits to get the order of magnitude of the file size (hundreds of MB, or tens of GB, etc.). Sometimes, I use the trick to press insert key, which highlights the file and shows the file size in a nicely formatted way (i.e. 123,456,789), which makes it a thousand times more readable.

You can modify the configuration:

You can adjust the displayed digits with the column size option, see the “Listing mode” section in the manual. The file to edit is ~/.config/mc/panels.ini.

To list the file sizes as K, M or G use a narrow size column using the user_format key:

[New Left Panel]
user_format=half type name mark size:4 space mtime

Cherrytree Note Taking / Organiser

Cherrytree is a hierarchical note taking application, featuring rich text and syntax highlighting, storing data in a single xml or sqlite file.


  • rich text (foreground color, background color, bold, italic, underline, strikethrough, small, h1, h2, h3, subscript, superscript, monospace)
  • syntax highlighting supporting several programming languages
  • images handling: insertion in the text, edit (resize/rotate), save as png file
  • embedded files handling: insertion in the text, save to disk
  • multi-level lists handling (bulleted, numbered, to-do and switch between them, multiline with shift+enter)
  • simple tables handling (cells with plain text), cut/copy/paste row, import/export as csv file
  • codeboxes handling: boxes of plain text (optionally with syntax highlighting) into rich text, import/export as text file
  • alignment of text, images, tables and codeboxes (left/center/right/fill)
    hyperlinks associated to text and images (links to webpages, links to nodes/nodes + anchors, links to files, links to folders)
  • spell check (using pygtkspellcheck and pyenchant)
  • intra application copy/paste: supported single images, single codeboxes, single tables and a compound selection of rich text, images, codeboxes and tables
  • cross application copy/paste (tested with libreoffice and gmail): supported single images, single codeboxes, single tables and a compound selection of rich text, images, codeboxes and tables
  • copying a list of files from the file manager and pasting in cherrytree will create a list of links to files, images are recognized and inserted in the text
  • print & save as pdf file of a selection / node / node and subnodes / the whole tree
  • export to html of a selection / node / node and subnodes / the whole tree
  • export to plain text of a selection / node / node and subnodes / the whole tree
  • toc generation for a node / node and subnodes / the whole tree, based on headers h1, h2 and h3
  • find a node, find in selected node, find in selected node and subnodes, find in all nodes
  • replace in nodes names, replace in selected node, replace in selected node and subnodes, replace in all nodes
  • iteration of the latest find, iteration of the latest replace, iteration of the latest applied text formatting
  • import from html file, import from folder of html files
  • import from plain text file, import from folder of plain text files
  • import from basket, cherrytree, epim html, gnote, keepnote, keynote, knowit, mempad, notecase, rednotebook, tomboy, treepad lite, tuxcards, zim
  • export to cherrytree file of a selection / node / node and subnodes / the whole tree
  • password protection (using – NOTE: while a cherrytree password protected document is opened, an unprotected copy is extracted to a temporary folder of the filesystem; this copy is removed when you close cherrytree
  • tree nodes drag and drop

Download and details:

Docker Cheat Sheet

With Docker, developers can build any app in any language using any toolchain. “Dockerized” apps are completely portable and can run anywhere – colleagues’ OS X and Windows laptops, QA servers running Ubuntu in the cloud, and production data center VMs running Red Hat.

Developers can get going quickly by starting with one of the 13,000+ apps available on Docker Hub. Docker manages and tracks changes and dependencies, making it easier for sysadmins to understand how the apps that developers build work. And with Docker Hub, developers can automate their build pipeline and share artifacts with collaborators through public or private repositories.

Docker helps developers build and ship higher-quality applications, faster.” — What is Docker

Useful Docker Commands:

HTTP Evader – Automate Firewall Evasion Tests

If you are behind a firewall (today often known marketed as IPS, NGFW or UTM) which claims to protect you from malware you might want to verify these claims. HTTP Evader provides you with a way to automatically test how your firewall deals with situations where the malware hides in rare or invalid responses from the web server. Lots of highly praised firewalls fail to detect malware in this cases, which means they fail to protect you properly. Please note that this is not about bypassing web application firewalls (WAF) which protect a web server but about bypassing firewalls which should protect the client (browser). It is also not about bypassing URL filters.

The following tests try to transfer the EICAR test virus to you using differently shaped responses of the web server. This official test virus should be detected by any antivirus solution but does not do any harm.

To find out if you are vulnerable simply point your browser to the HTTP Evader test site. Before you report any problems to your firewall vendor please read the section about false positives and verify that the detected evasion is really possible.

400+ Free Resources for DevOps & Sysadmins

In 2014 Google indexed 200 Terabytes of data (1 T of data is equal to 1024 GB, to give you some perspective). And, it’s estimated that Google’s 200 TB is just .004% of the entire internet. Basically the internet is a big place with unlimited information.

So in an effort to decrease searching and increase developing, Morpheus Data published this massive list of free resources for DevOps engineers and System Admins, or really anyone wanting to build something useful out of the internet.

All these resources are free, or offer some kind of free/trial tier. You can use any/all of these tools personally, as a company, or even suggest improvements (in the comments). It’s up to you.

If you find this list useful, please share it with your DevOps/SysAdmin friends on your favorite social network, or visit Morpheus Data to learn how you can 4x your application deployment.


ls-httpd utility for WebServer Logs is very handy.

ls-httpd type count|time [log_file]
  • ls-httpd url 1000
    will find top URLs in the last 1000 access log entries
  • ls-httpd ip 1000
    will find top IPs in the last 1000 access log entries
  • ls-httpd agent 1000
    will find top user agents in the last 1000 access log entries
  • ls-httpd url 17:
    will find top URLs from 17:00:00 to 17:59:59
  • ls-httpd url 17:2
    will find top URLs from 17:20:00 to 17:29:59
  • ls-httpd url 17
    will find top URLs in the last 17 access log entries 🙂

Reference and Download: