Here is the list of concepts you need to learn to become an awesome penetration testing security engineer.

Mindset and Methodology:

  • Attacker mindset — thinking like an adversary, not a defender
  • Structured methodology vs ad-hoc testing
  • Cyber Kill Chain (Lockheed Martin)
    • Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives
  • MITRE ATT&CK Framework
    • Tactics (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, Impact)
    • Techniques and Sub-techniques
    • Using ATT&CK to structure engagements and report findings
  • PTES (Penetration Testing Execution Standard)
  • OWASP Testing Guide (for web application testing)
  • Legal and ethical boundaries
    • Rules of Engagement (RoE)
    • Scope definition and staying in scope
    • Authorization (written sign-off before testing)
    • Responsible disclosure
  • Types of assessments
    • Black box, grey box, white box testing
    • Internal vs external penetration tests
    • Red team operations vs penetration tests vs vulnerability assessments
    • Physical penetration testing
    • Social engineering assessments
  • CVSS (Common Vulnerability Scoring System)
    • Base metrics (AV, AC, PR, UI, S, C, I, A)
    • Temporal and environmental metrics
    • CVSS v3.1 vs CVSS v4.0
  • CVE and CWE understanding
    • How CVEs are assigned and what they tell you
    • Using CVEs to identify exploitable vulnerabilities in scope

Reconnaissance:

  • Passive Reconnaissance (OSINT)
    • Google Dorking (site:, filetype:, inurl:, intitle:, cache:)
    • Shodan, Censys, FOFA (internet-facing asset discovery)
    • WHOIS and domain registration history
    • DNS enumeration (A, MX, NS, TXT, CNAME, PTR records)
      • Tools: dig, nslookup, dnsx, amass, subfinder
    • Certificate transparency logs (crt.sh) for subdomain discovery
    • LinkedIn and social media OSINT (employee names, tech stack)
    • Job postings as intelligence (reveals internal technologies)
    • Wayback Machine (archived content, exposed endpoints, old credentials)
    • GitHub and GitLab OSINT (exposed source code, secrets, internal infrastructure)
      • GitLeaks, truffleHog for secret scanning in repos
    • Email harvesting (theHarvester, Hunter.io)
    • Breach data lookup (HaveIBeenPwned, Dehashed)
    • Maltego for link analysis
  • Active Reconnaissance
    • Network scanning (Nmap — host discovery, port scanning, service detection, OS fingerprinting)
      • Common Nmap flags: -sS, -sV, -sC, -O, -p-, -A, --script
    • Service enumeration (banner grabbing, version identification)
    • Web application fingerprinting (Wappalyzer, whatweb)
    • Directory and file enumeration (gobuster, ffuf, dirsearch)
    • Virtual host enumeration (vhost fuzzing)
    • API endpoint discovery
    • Vulnerability scanning (Nessus, OpenVAS, Nuclei)
    • Nikto (web server misconfiguration scanning)

Network Penetration Testing:

  • Network security reconnaissance
    • Host discovery (ping sweep, ARP scan)
    • Port scanning techniques (SYN scan, UDP scan, stealth scans)
    • Service and version detection
    • OS fingerprinting
  • Network exploitation
    • Exploiting weak network services (FTP anonymous login, Telnet, SNMP community strings)
    • SMB attacks
      • EternalBlue (MS17-010)
      • SMB relay attacks (Responder + ntlmrelayx)
      • Pass-the-Hash via SMB
    • Man-in-the-Middle on LAN
      • ARP spoofing (arpspoof, Bettercap)
      • LLMNR/NBT-NS poisoning (Responder)
      • IPv6 DNS takeover (mitm6)
    • Network service exploitation (ProxyLogon, ProxyShell, Log4Shell, PrintNightmare)
  • Wireless Penetration Testing
    • WPA2 handshake capture and offline cracking (aircrack-ng, hashcat)
    • PMKID attack
    • WPA2-Enterprise (PEAP) credential capture
    • Evil twin attack setup
    • Bluetooth and BLE testing basics
  • VPN and Remote Access Testing
    • VPN gateway enumeration
    • Testing for IKEv1 aggressive mode weaknesses
    • Identifying SSL-VPN vulnerabilities (Pulse Secure, Fortinet, Citrix CVEs)

Active Directory Penetration Testing:

  • AD enumeration
    • BloodHound / SharpHound for attack path mapping
    • ldapdomaindump
    • enum4linux, enum4linux-ng
    • PowerView (Get-NetUser, Get-NetGroup, Get-NetComputer, Find-LocalAdminAccess)
    • ADRecon
  • AD attack techniques
    • Kerberoasting (requesting TGS for SPNs → offline crack → hashcat)
    • AS-REP Roasting (accounts without pre-auth required → request AS-REP → offline crack)
    • Pass-the-Hash (using NTLM hash without cracking)
    • Pass-the-Ticket (using stolen Kerberos TGT or TGS)
    • Overpass-the-Hash (convert NTLM hash to Kerberos TGT)
    • NTLM relay attacks (ntlmrelayx, Responder)
    • DCSync (mimicking DC replication to dump all hashes — requires DS-Replication-Get-Changes-All)
    • Golden Ticket (forging TGTs using the KRBTGT hash)
    • Silver Ticket (forging TGS using a service account hash)
    • Skeleton Key (patching LSASS to allow any password)
    • AdminSDHolder abuse
    • ACL/ACE-based privilege escalation (WriteDACL, GenericAll, ForceChangePassword, AddMember)
    • Domain trust abuse (inter-forest attacks, SID history injection)
    • GPO abuse for code execution
    • Print spooler abuse (PrinterBug)
    • Shadow credentials attack (msDS-KeyCredentialLink)
  • Credential dumping
    • Mimikatz (sekurlsa::logonpasswords, lsadump::sam, lsadump::dcsync)
    • LSASS memory dumping (Task Manager, ProcDump, comsvcs.dll)
    • SAM and SYSTEM hive extraction (reg save)
    • secretsdump.py (Impacket)
    • Credential Manager and browser credential extraction
  • Lateral movement
    • WMI execution (wmiexec.py)
    • WinRM / Evil-WinRM
    • PsExec and SMBexec (Impacket)
    • RDP lateral movement (xfreerdp, Remote Desktop hijacking)
    • DCOM execution
    • Token impersonation (Incognito, Meterpreter's getsystem)

Web Application Penetration Testing:

  • OWASP Testing Guide methodology
  • Manual testing with Burp Suite
    • Intercepting and modifying requests
    • Intruder for automated fuzzing (brute force, parameter fuzzing)
    • Repeater for manual exploitation
    • Collaborator for out-of-band testing (SSRF, blind XXE, blind XSS)
    • Scanner for automated vulnerability discovery
    • Extensions (ActiveScan++, Autorize, JWT Editor, Param Miner)
  • Testing for OWASP Top 10 (see appsec-engineer.md for full list)
  • API testing
    • Enumerating API endpoints (wordlists, Swagger/OpenAPI spec review)
    • BOLA/IDOR testing (changing user IDs in requests)
    • JWT manipulation (alg=none, weak secret brute force, RS256 to HS256)
    • Rate limiting bypass techniques
    • GraphQL introspection and exploitation
  • Authentication testing
    • Username enumeration
    • Brute force and credential stuffing
    • Password reset flaws
    • MFA bypass techniques
  • Authorization testing
    • Horizontal privilege escalation (IDOR)
    • Vertical privilege escalation (accessing admin functions as regular user)
    • Forced browsing
  • Business logic testing
    • Price manipulation
    • Workflow bypass
    • Race conditions
  • File upload vulnerabilities
    • Bypassing MIME type and extension filters
    • Uploading web shells
  • XXE (XML External Entity) injection exploitation
  • SSRF exploitation (internal service access, cloud metadata endpoints)
  • Template injection (SSTI) detection and exploitation
  • SQL injection exploitation
    • Manual SQLi
    • sqlmap (automated SQLi)
  • Subdomain takeover

Cloud Penetration Testing:

  • AWS penetration testing
    • Initial access via exposed access keys (GitHub, metadata endpoint, SSRF)
    • IAM enumeration (get-account-authorization-details, enumerate-iam)
    • IAM privilege escalation (iam:AttachUserPolicy, iam:PassRole, iam:CreateLoginProfile)
    • S3 bucket enumeration and access (aws s3 ls, s3scanner)
    • EC2 instance metadata service (IMDSv1 vs IMDSv2 and SSRF to 169.254.169.254)
    • Lambda exploitation
    • ECS/EKS escape and privilege escalation
    • Tools: Pacu (AWS exploitation framework), CloudMapper, ScoutSuite, Prowler
  • Azure penetration testing
    • Azure AD enumeration (AADInternals, ROADtools)
    • Managed Identity abuse
    • Azure RBAC escalation
    • Azure Key Vault access
    • Tools: PowerZure, MicroBurst
  • GCP penetration testing
    • Service account key abuse
    • Metadata server access (169.254.169.254 / metadata.google.internal)
    • GCS bucket enumeration (GCPBucketBrute)
    • Tools: GCP Scanner, GCPwn

Exploitation:

  • Vulnerability research
    • Searching exploit databases (Exploit-DB, Packet Storm, NVD)
    • CVE → PoC mapping and exploitation
    • Adapting public exploits to target environments
  • Metasploit Framework
    • Module types (exploit, auxiliary, post, payload, encoder, evasion)
    • Meterpreter (shell interaction, privilege escalation, lateral movement, persistence)
    • MSFvenom for payload generation
    • Msfconsole workflow (search, use, set, run/exploit)
  • Manual exploitation
    • Stack-based buffer overflows (x86 — finding offsets, controlling EIP, shellcode)
    • Return-Oriented Programming (ROP) basics
    • Format string vulnerabilities
    • Use-after-free
  • Payload generation and delivery
    • MSFvenom payload types (staged vs stageless, reverse vs bind shells)
    • Custom payload encoding and obfuscation
    • PowerShell one-liner delivery
    • Macro-based delivery (VBA macros — for authorized social engineering tests)
    • HTA and JavaScript-based payloads
  • C2 (Command and Control) frameworks
    • Metasploit / Meterpreter
    • Cobalt Strike (concepts and Beacon payloads)
    • Sliver (open source)
    • Havoc C2 (open source)
    • Brute Ratel (concepts)
    • HTTP, HTTPS, DNS tunneling for C2 communication
  • Post-Exploitation
    • Situational awareness (whoami, systeminfo, net commands, ipconfig/ifconfig)
    • Persistence mechanisms
      • Windows: Registry run keys, scheduled tasks, services, WMI subscriptions, DLL hijacking
      • Linux: cron jobs, .bashrc, init scripts, systemd services, SUID backdoors
    • Defense evasion
      • AMSI bypass
      • ETW (Event Tracing for Windows) patching
      • AV/EDR evasion (process injection, reflective DLL loading, custom loaders)
      • LOLBins (Living-off-the-Land Binaries) — certutil, regsvr32, mshta, wscript, bitsadmin
    • Data collection (credentials, sensitive files, emails, browser data)
    • Exfiltration techniques (DNS tunneling, HTTPS, cloud storage)
    • Pivoting and tunneling
      • SSH tunneling (local, remote, dynamic)
      • Proxychains
      • Chisel (HTTP tunneling)
      • Ligolo-ng (reverse tunneling)
      • SOCKS proxies via Meterpreter

Social Engineering:

  • Phishing (email-based)
    • Spear phishing (targeted)
    • Pretexting
    • Credential harvesting pages (GoPhish, Evilginx)
    • MFA bypass via adversary-in-the-middle (AiTM) phishing (Evilginx2)
  • Vishing (voice phishing)
  • Smishing (SMS phishing)
  • Physical social engineering
    • Pretexting scenarios (IT support impersonation, vendor impersonation)
    • Badge cloning (HID proximity card cloning)
    • USB drop attacks
  • Social engineering assessment metrics and reporting

Vulnerability Management:

  • Vulnerability lifecycle (discovery → triage → remediation → verification → closure)
  • Vulnerability risk scoring
    • CVSS v3.1 / v4.0
    • EPSS (Exploit Prediction Scoring System)
    • Qualitative risk scoring (likelihood × impact)
  • Vulnerability scanning vs penetration testing differences
  • Remediation prioritization (threat intel, business criticality, exploitability)
  • Retesting and verification of fixes

Reverse Engineering (Basics for Pentesting):

  • Understanding PE (Portable Executable) structure
  • Static analysis of binaries (strings, imports, Ghidra)
  • Dynamic analysis (x64dbg, Process Monitor)
  • Identifying hardcoded credentials and API keys in binaries
  • Unpacking common packers (UPX)
  • Decompiling .NET applications (dnSpy, ILSpy)
  • Analyzing scripts and obfuscated code (PowerShell, VBScript, JavaScript)

Report Writing:

  • Red Team Report Writing
    • Executive Summary (for non-technical leadership)
    • Technical narrative (attack chain walkthrough)
    • Findings section
      • Finding title
      • Severity rating (Critical/High/Medium/Low/Informational)
      • Description (what the vulnerability is)
      • Evidence (screenshots, payloads, command output)
      • Impact (what an attacker could do)
      • Recommendation (specific, actionable remediation)
    • Appendices (raw tool output, scope, methodology)
  • Report quality standards
    • Reproducible findings with exact steps
    • Clear distinction between confirmed exploited and theoretically vulnerable
    • Avoiding FUD (Fear, Uncertainty, Doubt) — be precise
  • Debriefing clients (verbal walkthrough of findings)
  • Remediation retesting reporting
  • Writing CVSS scores for findings

Purple and Orange Teaming:

  • Purple Team
    • Combining red team attacks with blue team detection in real time
    • Structured exercises to improve detection coverage
    • Using MITRE ATT&CK for collaborative testing
    • Attack-detect-improve loop
    • Tools: Atomic Red Team, Caldera, Vectr (purple team tracking)
  • Orange Team
    • Developers + security working together on offensive security
    • Developer education through live attack demonstrations
    • Secure coding improvements driven by pentesting findings
  • Adversary emulation vs adversary simulation

Specialized Testing Areas:

  • IoT penetration testing
    • Firmware extraction and analysis (binwalk)
    • Default credential testing
    • Hardware debugging (UART, JTAG)
    • RF analysis (replay attacks on wireless protocols)
  • Mobile penetration testing
    • Android (adb, APK decompilation with jadx, Frida for runtime manipulation)
    • iOS (jailbreak-based testing, Objection, Frida)
    • OWASP Mobile Top 10
  • OT/ICS (Operational Technology) penetration testing basics
    • Modbus, DNP3, Profinet protocol awareness
    • Importance of safety — testing in isolation or with strict rules of engagement
    • Shodan for ICS discovery

Tools:

Platforms for Practice:

Books:

Relevant Certifications:

  • OSCP (Offensive Security Certified Professional) — industry gold standard for pentesting
  • OSEP (Offensive Security Experienced Penetration Tester) — advanced evasion and AD
  • OSWE (Offensive Security Web Expert) — advanced web app exploitation
  • CRTP (Certified Red Team Professional — Altered Security) — Active Directory focused
  • CRTE (Certified Red Team Expert — Altered Security)
  • PNPT (Practical Network Penetration Tester — TCM Security)
  • CEH (Certified Ethical Hacker — EC-Council)
  • GPEN (GIAC Penetration Tester)
  • GWAPT (GIAC Web Application Penetration Tester)
  • OSED (Offensive Security Exploit Developer) — exploit development