1. Recon

Full TCP scan first to avoid missing unusual ports, then a targeted service scan on what’s open. Don’t run slow scripts against all 65535 ports.

# Fast full TCP
nmap -p- --min-rate 5000 -T4 <IP> -oN nmap/full.txt

# Service + script scan on open ports
nmap -sV -sC -p <ports> <IP> -oN nmap/targeted.txt
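The fast full-port sweep above is also what a defender sees first. As an added educator example (not part of the original page), the script below shows the detection side of step 1: it groups connection records by source/destination pair and raises an alert when one pair touches more than a threshold of distinct destination ports inside a sliding time window. The record format (timestamp, src, dst, dst_port) and the sample traffic are constructed assumptions; in practice the tuples would come from firewall, NetFlow or Zeek conn logs.

```python
"""Detect a full-TCP port sweep in connection records (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def make_sample_records():
    """Constructed sample records: (time, src, dst, dst_port).

    One host sweeps 300 distinct ports on a target in about six seconds
    (what `nmap -p- --min-rate 5000` looks like from the wire); a second
    host talks to three normal services over an hour.
    """
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp
    records = []
    for i in range(300):
        records.append((t0 + timedelta(milliseconds=20 * i), "10.0.0.5", "10.0.0.20", 1 + i))
    for minute in range(60):
        for port in (22, 80, 443):
            records.append((t0 + timedelta(minutes=minute), "10.0.0.7", "10.0.0.20", port))
    return records


def detect_port_sweeps(records, window=timedelta(seconds=60), min_ports=100):
    """Return one alert per (src, dst) pair that contacts at least `min_ports`
    distinct destination ports within any interval of length `window`.

    A sliding window over the time-sorted events keeps a Counter of the ports
    currently inside the window, so the distinct-port count is len(counter).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()  # by timestamp, then port
        in_window = Counter()
        left = 0
        for ts, port in events:
            in_window[port] += 1
            # Drop events that fell out of the window ending at `ts`.
            while events[left][0] < ts - window:
                old_port = events[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) >= min_ports:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(in_window),
                    "window_start": events[left][0].isoformat(),
                    "window_end": ts.isoformat(),
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_port_sweeps(make_sample_records()):
        print(f"port sweep: {alert['src']} -> {alert['dst']} "
              f"({alert['distinct_ports']} ports between "
              f"{alert['window_start']} and {alert['window_end']})")
```

The threshold and window are deliberately coarse: a vulnerability scanner or a busy load balancer can legitimately exceed them, so the alert is a triage signal to be correlated with the source's role, not an automatic block.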
2. Enumeration

Check every service found. Don’t skip anything: the foothold is almost always in a service you’d dismiss.
  • Web → directory bust, vhost, tech stack
  • SMB → null session, shares, users
  • LDAP → anonymous bind
  • RPC → null auth
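The SMB null session and guest access that this step enumerates come from a handful of smb.conf settings. As an added example (not the page's or Samba's own tooling), the script below audits a config for them and shows the weak configuration beside its hardened form. Both configs are constructed samples; the parameter semantics follow the smb.conf man page: `restrict anonymous = 2` refuses all anonymous connections, `map to guest = Never` stops failed logins from becoming guest sessions, and `guest ok = yes` exposes a share without credentials. The parser is a deliberately minimal stand-in for `testparm`.

```python
"""Audit smb.conf for null-session and guest-access settings (added example)."""

# Constructed sample: permissive settings that allow null sessions and guest shares.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   restrict anonymous = 0

[public]
   path = /srv/public
   guest ok = yes
   browseable = yes
"""

# Constructed sample: the same server with anonymous access closed off.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Never
   restrict anonymous = 2

[public]
   path = /srv/public
   guest ok = no
   browseable = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with lower-cased
    section and key names; '#' and ';' comment lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return human-readable findings for settings that permit anonymous access."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    # Samba's default is 0: user and group lists are returned to anonymous
    # (null-session) callers; only level 2 refuses anonymous connections.
    if g.get("restrict anonymous", "0") != "2":
        findings.append("[global] restrict anonymous < 2: anonymous (null-session) "
                        "connections are accepted")

    # Any value other than Never turns a failed login into a guest session.
    map_to_guest = g.get("map to guest", "Never")
    if map_to_guest.lower() != "never":
        findings.append(f"[global] map to guest = {map_to_guest}: failed logins "
                        "become guest sessions")

    # Per-share guest access is readable without any credentials at all.
    for name, share in conf.items():
        if name == "global":
            continue
        if share.get("guest ok", "no").lower() in TRUE_VALUES:
            findings.append(f"[{name}] guest ok = yes: share is accessible "
                            "without credentials")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{label}: {audit_smb_conf(conf) or 'no findings'}")
```

The same review applies to the LDAP bullet: on OpenLDAP the equivalent control is `disallow bind_anon` in slapd's configuration, and on Active Directory anonymous binds are governed by the dSHeuristics attribute; in both cases the check is to confirm that an unauthenticated bind returns nothing beyond the rootDSE.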
3. Foothold

Find the vulnerability, exploit it, get a shell. Stabilize the shell immediately before doing anything else.

# Stabilize a raw netcat shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z → stty raw -echo; fg → export TERM=xterm
4. Post Exploitation

Orient yourself before escalating: understand the user, host, and network position.
whoami && id && hostname
ip a && ss -tlnp
grep -v nologin /etc/passwd

Look for credentials in configs, history files, and environment variables.
5. Privesc

Run automated enumeration for breadth, then manually verify the interesting findings: automated tools flag a lot of noise.

# Linux
./linpeas.sh | tee /tmp/linpeas.txt

# Windows
.\winPEAS.exe | Out-File C:\Temp\winpeas.txt