
Pentest Workbench

Comprehensive offensive security workflow for bug bounty, vulnerability assessment, penetration testing, and exploitation. Use when performing security testi...

Author: mamuaminuhubclawhub

Quick Start

  1. Define scope — target, rules of engagement, goals
  2. Recon — passive OSINT, network enumeration
  3. Identify — find vulnerabilities, misconfigs, weak points
  4. Exploit — leverage findings with appropriate technique
  5. Document — record steps, evidence, impact, remediation

Core Workflow

Phase 1: Recon & Enumeration

  • Network discovery: Use nmap, masscan, rustscan for port discovery
  • Passive OSINT: Subdomain enum, WHOIS, Shodan, Censys, Google dorking
  • Web recon: Dirbuster, ffuf, Burp Suite crawler
  • For vulnerable targets: Netcat manual command probing first

Tools from linked repos:

  • netstalking-osint — automated OSINT recon workflows
  • Pentest-Tools (40+ categories) — scanner/framework discovery, network_enum

Phase 2: Vulnerability Analysis

  • Web: WPScan for WordPress, sqlmap for SQLi, Burp for auth bypass
  • Network: nmap NSE scripts, Metasploit, searchsploit
  • Binary: IDA/Ghidra for RE, checksec for mitigations
  • Config reviews: weak permissions, default creds, exposed secrets

Phase 3: Exploitation

Buffer Overflow (vulnserver pattern):

  1. Send oversized input to identify crash point
  2. Control EIP with offset measurement
  3. Find stable jump (JMP ESP / call esp)
  4. Generate shellcode (msfvenom / custom)
  5. Execute with proper alignment

Web:

  • SQLi → sqlmap or manual union/boolean
  • XSS → BeEF/XSS Hunter
  • RCE → reverse shell via pentest-tools

Privesc (GTFOBins):

# Check sudo/suid binaries
sudo -l
find / -perm -4000 2>/dev/null

# Shell escape from restricted editor
:!/bin/bash
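The `find / -perm -4000` check above is just as useful on the defending side: compare what the host actually has against a known-good baseline and flag anything GTFOBins would turn into a shell. The script below is an added example and is not part of the Pentest Workbench skill; the baseline set, the shell-escape basename list and the `find` output it parses are all constructed for illustration, not taken from a real host.

```python
"""Added example (not part of the skill): audit the output of
`find / -perm -4000` against a baseline and flag GTFOBins-style
shell-escape candidates. All data below is constructed."""
from typing import Iterable, List, Tuple

# Constructed baseline of SUID binaries normally present on a Debian-like host.
# A real baseline should be taken from a known-good image; this is an assumption.
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/gpasswd",
}

# Subset of programs whose SUID bit yields a trivial shell escape (see GTFOBins).
SHELL_ESCAPE_BASENAMES = {
    "vim", "vi", "find", "bash", "sh", "python3", "perl", "less", "more",
    "nmap", "awk", "env", "cp", "tar", "nano",
}


def audit_suid(find_output: Iterable[str],
               baseline=EXPECTED_SUID) -> Tuple[List[str], List[str]]:
    """Classify each path printed by `find / -perm -4000`.

    Returns (unexpected, escapes): paths missing from the baseline, and the
    subset of those whose program name is a known shell-escape primitive.
    """
    unexpected, escapes = [], []
    for line in find_output:
        path = line.strip()
        if not path or path in baseline:
            continue
        unexpected.append(path)
        # "vim.basic" -> "vim": strip the Debian-style alternative suffix.
        name = path.rsplit("/", 1)[-1].split(".")[0]
        if name in SHELL_ESCAPE_BASENAMES:
            escapes.append(path)
    return unexpected, escapes


# Constructed sample output in the format `find` prints (no real host involved).
SAMPLE_FIND_OUTPUT = """\
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/vim.basic
/usr/bin/find
/opt/backup/runbackup
/usr/bin/mount
"""


def run_sample() -> Tuple[List[str], List[str]]:
    """Run the audit over the constructed sample."""
    return audit_suid(SAMPLE_FIND_OUTPUT.splitlines())


if __name__ == "__main__":
    unexpected, escapes = run_sample()
    for p in unexpected:
        tag = "SHELL-ESCAPE" if p in escapes else "REVIEW"
        print(f"{tag:13} {p}")
```

Anything tagged SHELL-ESCAPE is an immediate `chmod u-s` candidate; anything tagged REVIEW (a custom binary such as the constructed `/opt/backup/runbackup`) needs a look at what it executes before deciding. Feed the real `find` output into `audit_suid` via stdin or a file instead of the constructed sample.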

AD Attacks (Pentest-Tools):

  • Kerberoasting, AS-REP roasting, SMB relay
  • BloodHound/SharpHound enum → Golden/DFSRM
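Each of the AD techniques listed above leaves a characteristic trace, and Kerberoasting is the cleanest to spot: a single user account requesting RC4-encrypted service tickets (event 4769, `TicketEncryptionType` 0x17) for many distinct SPNs in a short window. The detector below is an added example, not part of the skill or any linked tool; it assumes a simple `key=value` rendering of 4769 events and the six events it runs on are constructed, not real logs.

```python
"""Added example (not part of the skill): flag Kerberoasting-like bursts in
Windows Security event 4769 records. The events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

RC4_HMAC = "0x17"          # TicketEncryptionType used by roasting tools
MACHINE_SUFFIX = "$"       # machine accounts are not roastable targets


def parse_4769(line: str) -> dict:
    """Parse one constructed 'key=value' line into a dict (assumed format)."""
    record = dict(token.partition("=")[::2] for token in line.split())
    record["ts"] = datetime.fromisoformat(record["ts"])
    return record


def detect_kerberoasting(events: Iterable[dict],
                         window: timedelta = timedelta(minutes=5),
                         min_services: int = 3) -> Dict[str, List[str]]:
    """Return {account: sorted SPNs} for every account that requested RC4
    service tickets for >= min_services distinct services within `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e.get("EventID") != "4769" or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith(MACHINE_SUFFIX) or svc == "krbtgt":
            continue  # machine accounts and the TGS itself do not matter here
        by_account[e["TargetUserName"]].append((e["ts"], svc))

    alerts = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window from each request
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts[account] = sorted(services)
                break
    return alerts


# Constructed sample: jdoe pulls three RC4 tickets in two seconds (plus one for
# a machine account); asmith makes ordinary, spread-out requests.
SAMPLE_EVENTS = [
    "ts=2024-05-01T09:00:01 EventID=4769 TargetUserName=jdoe ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "ts=2024-05-01T09:00:02 EventID=4769 TargetUserName=jdoe ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "ts=2024-05-01T09:00:02 EventID=4769 TargetUserName=jdoe ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "ts=2024-05-01T09:00:03 EventID=4769 TargetUserName=jdoe ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.0.0.5",
    "ts=2024-05-01T09:10:00 EventID=4769 TargetUserName=asmith ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.9",
    "ts=2024-05-01T09:30:00 EventID=4769 TargetUserName=asmith ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.9",
]


def run_sample() -> Dict[str, List[str]]:
    """Run the detector over the constructed events."""
    return detect_kerberoasting(parse_4769(l) for l in SAMPLE_EVENTS)


if __name__ == "__main__":
    for account, spns in run_sample().items():
        print(f"ALERT {account}: RC4 TGS requests for {', '.join(spns)}")
```

The RC4 filter is what keeps the false-positive rate low: modern domains issue AES tickets by default, so a user-initiated burst of RC4 requests for service accounts stands out. The mitigation follows from the same data: long random passwords (or gMSAs) for accounts with SPNs, and AES-only encryption types on those accounts.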

Phase 4: Post-Exploitation

  • Cowrie honeypot: analyze attacker sessions for TTPs
  • Privilege escalation: kernel exploits, sudo abuse, service misconfigs
  • Persistence: scheduled tasks, services, SSH keys
  • Lateral movement: PsExec, WMI, SMB, Pass-the-Hash

Phase 5: Documentation

  • Steps reproducible by another tester
  • Evidence: screenshots, packet captures, log output
  • Impact: CVSS score, business risk
  • Remediation: specific, actionable fixes

Key References

  • Binary exploitation: See references/buffer-overflow.md (vulnserver anatomy, exploit dev)
  • Privesc: See references/privesc.md (GTFOBins/LOLBAS, Linux/Windows escalation)
  • Tool inventory: See references/tools-inventory.md (all linked tools catalogued)
  • pwn.college: CTF exercises for memory corruption, ROP, kernel fundamentals

Exploit Dev (vulnserver)

Vulnserver runs on port 9999. Vulnerable commands:

| Command | Trigger Function | Buffer Size | Overflow Offset |
|---------|------------------|-------------|-----------------|
| TRUN | Function3 | 2000 | ~2003 (EIP at ~2007) |
| GMON | Function3 | 2000 | Similar to TRUN |
| KSTET | Function2 | 60 | ~64 |
| GTER | Function1 | 140 | ~144 |
| LTER | Function3 | 2000 | Via transformation |
| HTER | Function4 | 1000 | Hex-encoded |

Key insight: essfunc.dll EssentialFunc10-14 also use strcpy into small buffers (140, 60, 2000, 2000, 1000).

Exploit strategy:

  1. Find offset with pattern_create / mona.py
  2. Confirm EIP control
  3. Locate or craft a ROP chain if ASLR/DEP present
  4. Generate alphanumeric shellcode if bad chars restrict ASCII
  5. Use egghunter if space is small

Tool Quick Ref

| Tool | Purpose | Key Command |
|------|---------|-------------|
| nmap | Port enum | nmap -sCV -p- -T4 target |
| Burp Suite | Web testing | Proxy, Repeater, Intruder |
| sqlmap | SQL injection | sqlmap -r req.txt --batch |
| msfvenom | Shellcode gen | msfvenom -p linux/x64/shell_tcp LHOST=x R |
| CrackMapExec | AD attacks | cme smb target -u user -p pass |
| Evil-WinRM | Remote shell | evil-winrm -i target -u user -p pass |

Mindset

  • Methodical > flashy — good recon beats brute force
  • Always document as you go — screenshot everything
  • Understand the payload — not just "it works"
  • Think like a defender — what would stop this attack?