Git Repositories
2 repos
Production-grade RTSP security assessment tool: vendor presets for 20+ camera manufacturers (Hikvision, Dahua, Axis, Hanwha, Uniview), multiple path testing, wordlist directories, config files, parallel workers, and a scriptable CLI. Authorized use only.
Security testing toolkit: Personal Password Generator (PPG) for custom wordlist creation, phone number generators, and Base64 credential pairs. Designed for authorized password testing and red team credential validation workflows.
Network Reconnaissance
10 articles
Host discovery, port scanning modes, timing templates, and output formats. Nmap fundamentals for structured network reconnaissance.
Service version detection, OS fingerprinting, banner grabbing, and interpreting ambiguous scan results with confidence.
Fragmentation, decoys, idle scans, timing manipulation, and techniques for scanning through firewalls and IDS/IPS in authorized engagements.
Nmap Scripting Engine: vulnerability detection scripts, service-specific probes, brute-force scripts, and writing custom NSE scripts.
Practical overview of the core recon toolkit: which tools to use at each stage, how to chain their output, and when to switch between passive and active methods.
Shodan search operators, filters, and dork patterns for discovering exposed services, industrial systems, IoT devices, and misconfigured infrastructure.
Using Censys for internet-wide asset discovery: certificate transparency, protocol fingerprinting, and building exposure maps for authorized assessments.
Email, subdomain, IP, and employee enumeration with theHarvester — configuring data sources, interpreting results, and feeding output into the attack workflow.
SpiderFoot OSINT automation: module selection, scan configuration, correlation of cross-source findings, and integrating results into a target profile.
Amass for subdomain enumeration and attack surface mapping: passive and active modes, DNS brute-forcing, graph output, and integrating with other recon tools.
Web Application Testing
10 articles
Passive and active recon for web targets: technology fingerprinting, directory enumeration, subdomain discovery, and building an attack surface map before touching the app.
Automated and manual scanning: Nikto, Burp Scanner, ZAP active scan, and manual verification of findings — separating signal from noise in web vulnerability reports.
Burp Scanner configuration, crawl scope, active scan tuning, issue types, confidence levels, and building a structured pentest report from scanner findings.
Using Burp Intruder and Repeater for form-based login brute force, session token analysis, and parameter manipulation in web authentication flows.
Full ZAP workflow: spider, active scanner, fuzzer, AJAX spider, and HUD mode. Setting up ZAP as an intercepting proxy for authenticated application testing.
SQLMap fundamentals: detection modes, database enumeration, data extraction, and the wizard for quick assessments against SQL-injectable endpoints.
Advanced SQLMap: tamper scripts, custom headers, crawling, POST injection, OS command execution, file read/write, and evading WAF detection.
Nikto scan configuration, plugin selection, evasion options, and interpreting output for common web server misconfigurations and outdated software.
Directory and file brute-forcing with DirBuster: wordlist selection, threading, extension bruteforcing, and interpreting 200/301/403 response patterns.
Attacker-perspective walkthrough of OWASP Top 10 vulnerabilities — understanding each class to test for them effectively and build detection coverage.
Password Attacks & Credential Testing
15 articles
Hydra fundamentals and advanced options: protocol selection, wordlist configuration, rate limiting, and service-specific setup for HTTP, FTP, SSH, SMB, and more.
Hashcat attack modes, GPU optimization, rule files, combinator attacks, and hash type selection — from hash identification to cracked output.
John the Ripper across all major attack modes: wordlist, incremental, single, and external. Rule-based mutations, format detection, and cracking complex hashes.
Comprehensive format reference: identifying which --format flag matches which hash type across Windows, Linux, application, and archive hash families.
Using the *2john family (office2john, pdf2john, zip2john, ssh2john, keepass2john) to extract crackable hashes from protected files for John the Ripper.
PPG walkthrough: generating target-specific wordlists from known personal details — the strongest attack vector against security-aware users who use "personalized" passwords.
Consolidated guide covering all major password cracking scenarios in authorized testing: archives, documents, web logins, remote access protocols, and IP cameras.
WPA/WPA2 capture and offline cracking with Aircrack-ng: monitor mode, deauth injection, 4-way handshake capture, and dictionary/brute-force attacks.
Authorized RDP credential testing: Crowbar for protocol-correct RDP brute-force, PPG for personalized wordlist generation, and rate-limiting considerations.
SSH credential testing via Metasploit's auxiliary scanner module: target configuration, wordlist setup, threading, and post-exploitation access after successful login.
Telnet credential testing and exploitation: default credential attacks, session hijacking risks, and why Telnet remains a viable target in industrial and legacy environments.
Using the RTSP Brute Force Tool for authorized IP camera security assessment: vendor presets, path enumeration, credential testing, and stream access verification.
ZIP archive password recovery: zip2john hash extraction, dictionary and brute-force attack modes, encryption type detection, and authorized recovery scenarios.
PDF owner and user password recovery: pdf2john extraction, encryption version detection, and attack strategy selection for different PDF security levels.
DOC, DOCX, PPT password recovery: office2john/msoffice2john extraction, encryption strength detection, and efficient cracking for both legacy and modern Office formats.
Exploitation & Post-Exploitation
6 articles
Essential PT tool selection: which tools to have, why, and how they fit together across reconnaissance, exploitation, credential testing, and post-exploitation phases.
Metasploit Framework fundamentals: msfconsole navigation, workspace management, database integration, payload types, and the exploit lifecycle from search to shell.
Auxiliary module reference: scanners, fuzzers, credential testers, and enumeration modules — how to select, configure, and run auxiliary modules effectively.
Exploit module deep dive: RHOST/LHOST configuration, payload selection, session types, post-exploitation modules, and pivoting through Meterpreter.
FTP attack vectors: anonymous login, credential brute-force, banner grabbing, directory traversal, and using FTP for post-exploitation file transfer and persistence.
Sublist3r for passive subdomain discovery: multi-source aggregation, integration with brute-force modes, and feeding results into the attack surface map.
Advanced Attack Techniques
5 articles — AD, ADCS, Kubernetes, Cloud
Full AD attack chain: Kerberoasting, AS-REP roasting, ACL abuse, Pass-the-Hash, Pass-the-Ticket, LSASS credential dumping, and DCSync — step-by-step walkthrough.
Complete ESC8 exploitation guide: ADCS misconfiguration discovery, Web Enrollment abuse, certificate request, and leveraging the certificate for domain admin access.
WhatWeb for technology fingerprinting: CMS detection, server identification, framework recognition, and building target technology profiles for vulnerability mapping.
Manual K8s PT from zero knowledge: cluster discovery, API server enumeration, RBAC misconfiguration exploitation, container escape, and lateral movement across namespaces.
GCP attack chain: IAM misconfiguration discovery, service account key abuse, privilege escalation, compute instance access, and data exfiltration from Cloud Storage.
Security Reference
2 articles
Practical hardening checklist covering SSH lockdown, firewall rules, fail2ban, auditd, unattended upgrades, and service minimization — all open-source tooling.
Wireshark-driven analysis: protocol anomaly detection, C2 pattern identification, DNS tunneling indicators, and SSL/TLS fingerprinting in captured traffic.