Skip to content

Suggests programs to run against services found during the enumeration phase of a Pentest


Notifications You must be signed in to change notification settings


Folders and files

Last commit message
Last commit date

Latest commit



75 Commits

Repository files navigation



Suggests binaries to run against services found during the enumeration phase of a Pentest


While studying for the Offensive Security Certified Profesional (OSCP) and Offensive Security Web Assessor (OSWA) certifications I found it hard to keep track of which commands to run during the enumeration phase for specific services.

The purpose of this tool is easily keep track of those commands.

Install Instructions

git clone
cd Pentest-Service-Enumeration

Basic Usage

To view basic usage just type:


This will list out the available services and give an example of how to use the program

[Pentest Service Enumeration: 0.0.3]
- Pentest command reference via the cli
Available Services
[*] dns
[*] ftp
[*] hashcat
[*] http
[*] ldap
[*] linpriv
[*] mimikatz
[*] nfs
[*] rpc
[*] searchsploit
[*] smb
[*] smtp
[*] snmp
[*] sql
[*] ssh
[*] sudo
[*] tcpdump
[*] webdav
[*] wfuzz
Return command references for a service
Usage: pse <service-name>

[*] pse ftp
[*] pse wfuzz
[*] pse smb

Help: pse -h

Listing commands for a service

pse <service-name>


List commands to run with smb

# pse smb

connect to remote smb share as null user
[*] smbclient "//$IP/$SHARE_NAME" -U ""
Create a destination mount directory, mount remote share as guest
[*] sudo mkdir /mnt/$IP_$FOLDER; sudo mount -v -t cifs "//$IP/$FOLDER" /mnt/$IP_$FOLDER -o username=guest
Launch a semi-interactive shell
List smb share files using a null user
[*] smbclient -L $IP -U -N
ngrep samba version while connecting via smbclient
[*] export INTERFACE="tun0"; sudo ngrep -i -d $INTERFACE 's.?a.?m.?b.?a.*[[:digit:]]'
Recursive directory listing
[*] smbmap -H $ip -R
Scan IP Address for SMB Pipe Names
[*] pipef -a $IP

List commands to run with wfuzz

# pse wfuzz

[Pentest Service Enumeration: 0.0.3]
Command injection
[*] URL="http://target:80/php/blocklisted.php?ip="; wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 "$URL"
Directory Discovery (medium) - ignore 404, 301
[*] URL="http://target/FUZZ";FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,301 "$URL"
Directory Discovery (medium) - ignore 404, 403, 301
[*] URL="http://target/FUZZ"; FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,403,301 "$URL"
File discovery
[*] URL="http://target/FUZZ";wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt --hc 301,404,403 "$URL"
POST data fuzzing (password cracking)
[*] URL="http://target:80/wp-login.php" wfuzz -c -z file,/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --hc 404 -d "log=admin&pwd=FUZZ" "$URL"
Param value fuzzing (find hidden params)
[*] export URL="http://target:80/index.php?FUZZ=data";wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 404,301 "$URL"
Param value fuzzing (usernames)
[*] URL="http://target:80/index.php?fpv=FUZZ"; wfuzz -c -z file,/usr/share/seclists/Usernames/cirt-default-usernames.txt --hc 404 "$URL"

Adding commands for a service

File Structure

Services are text files located at:


Every command you want to return should be on a separate line in the format:


Example Service

File: $HOME/.pse/nfs


show available nfs mounts:showmount -e $IP
mount a nfs share:export IP=; sudo mkdir -p /mnt/$IP/home && sudo mount -t nfs $IP:/home /mnt/$IP/home


Edit corresponding service file at $HOME/.pse/<filename> (e.g. $HOME/.pse/smb or $HOME/.pse/dns)

If your want to add a new service, create a file at $HOME/.pse/foo

Example: Create documentation for curl

To add curl as a service for pse:

  1. Create file $HOME/.pse/curl
  2. Add one line per command you want saved in format:

Example content for file $HOME/.pse/curl:

Return help content:curl -h
Run curl in verbose mode:curl -v

Now when you run command pse curl:

[Pentest Service Enumeration: 0.0.3]
Return help content
[*] curl -h
Run curl in verbose mode
[*] curl -v


No releases published


No packages published
