Last Updated: November 2025 | Version: 3.0 | Status: Production Ready - 2026 Enhanced
[!] DISCLAIMER: This playbook is for authorized security testing only. Unauthorized access to computer systems is illegal.
- Start with Reconnaissance: Always begin with passive recon (OSINT, subdomain enum)
- Understand the Target: Know the tech stack before attacking
- OPSEC First: Stealth > Speed. Prefer techniques marked QUIET
- Document Everything: Take screenshots, save outputs, maintain detailed notes
- Legal Framework: ALWAYS have written authorization before testing
1. Reconnaissance (OSINT, Passive Scanning)
↓
2. Active Scanning (Port Scans, Service Detection)
↓
3. Initial Access (Exploit, Phishing, Password Spray)
↓
4. Persistence (Backdoors, Scheduled Tasks, Golden Tickets)
↓
5. Privilege Escalation (Lateral Movement, Credential Dumping)
↓
6. Domain Dominance / Full Compromise
↓
7. Data Exfiltration (if in scope)
↓
8. Clean Up & Report Writing
- Reconnaissance & OSINT - Subdomain enum, DNS, port scanning, web recon, OSINT
- OSINT (Open Source Intelligence) - People search, social media, breach databases, dark web
- Initial Access - Phishing, password spraying, vulnerability scanning, payloads
- Discovery - Active enumeration, service detection, network mapping
- Vulnerability Analysis - Nessus, OpenVAS, Nmap NSE, web app scanning, risk assessment
- Exploitation - Payload generation, shell types, exploit development, Metasploit
- Privilege Escalation
- Credential Access - Password dumping, cracking, Mimikatz, hash attacks
- Password Attacks - Hydra, Hashcat, John, Kerberoasting, password spraying, wordlists
- Persistence - Backdoors, scheduled tasks, registry, startup folders
- Lateral Movement - Pass-the-hash, WMI, PSExec, remote exploitation
- Defense Evasion - AV bypass, EDR evasion, obfuscation
- Collection - Data gathering, screen capture, keylogging
- Command & Control - C2 frameworks, tunneling, pivoting
- Exfiltration - Data exfiltration techniques
- Cloud Security - AWS, Azure, GCP exploitation
- Active Directory - Kerberos, BloodHound, domain dominance
- Web Application Testing - SQLi, XSS, authentication bypass
- Network Attacks - MitM, protocol attacks, wireless
- Container Security - Docker, Kubernetes, container escapes, registry attacks
- Mobile Security - Android/iOS testing, Frida, APK analysis, SSL pinning bypass
- Wireless Security - WiFi hacking, Bluetooth, RF attacks, SDR
- IoT & Embedded Security - Hardware analysis, UART/JTAG, firmware extraction, RF/SDR
- ICS/SCADA Security - Modbus, DNP3, PLC testing, OPC UA, industrial protocols
- Social Engineering - Phishing frameworks, pretexting, vishing, USB drops
- Physical Security - Lock picking, badge cloning, RFID/NFC, surveillance
- Identity Attack Library - OAuth, OIDC, SAML exploitation
- PKI and Certificate Attacks - Certificate abuse, ACME exploitation
- DNS Attack Suite - DNS rebinding, cache poisoning, DNSSEC bypass
- API & GraphQL Attacks - API abuse, GraphQL exploitation
- Serverless Exploitation - Lambda, Cloud Functions abuse
- Observability Abuse - Prometheus, Grafana, ELK exploitation
- CI/CD Pipeline Poisoning - Jenkins, GitLab, GitHub Actions
- Dependency Supply Chain - npm, PyPI, typosquatting
- Container Registry Attacks - Docker, OCI exploitation
- Binary Exploitation - ROP chains, buffer overflows, format strings
- Fuzzing Workflows - AFL++, LibFuzzer, coverage-guided fuzzing
- Reverse Engineering - IDA, Ghidra, Frida, unpacking
- Hardware & Firmware Attacks - JTAG, UART, UEFI exploitation
- TPM & HSM Abuse - BitLocker, CloudHSM exploitation
- Side Channel Attacks - Spectre, Meltdown, cache timing
- Telephony & VoIP Attacks - SIP, voicemail, SMS gateway
- Physical Security - BadUSB, RFID, lock picking, red team ops
- Mobile Backend Exploitation - API abuse, deep links
- Blockchain & Smart Contracts - Reentrancy, oracle manipulation
- Database Attacks - NoSQL injection, ORM abuse
- Forensic Artifacts - Evidence collection, timeline creation
- Lab Automation - Vagrant, Docker, Terraform labs
- Test Harnesses & CI - Automated payload testing
- Tool Arsenal - Complete tool list with installation and usage
- Automation & Scripting - PowerShell, Python, Bash automation for pentesting
- Incident Response - IR procedures, forensics, malware analysis
- Threat Hunting & Purple Team - Hunt methodologies, MITRE ATT&CK, adversary emulation, detection engineering
- Reporting & Debriefing - Professional pentest reports, debriefing process, attestation letters, client training
- Reporting - Professional pentest report writing, templates, compliance mapping
- Checklists & Guides - Pre-engagement, during, post-engagement checklists
- Learning Resources - HTB, THM, books, blogs, certifications
- Legal & Ethics - Scope, authorization, responsible disclosure
- Start with Reconnaissance
- Practice Web Application Testing
- Learn Initial Access techniques
- Study Privilege Escalation for Windows & Linux
- Master Active Directory attacks
- Learn Lateral Movement techniques
- Practice Defense Evasion
- Explore Cloud Security
- Deep dive into Binary Exploitation
- Study Supply Chain Attacks
- Master Hardware Attacks
- Learn Advanced Evasion techniques
# Quick subdomain enumeration
subfinder -d target.com -all -recursive | httpx -silent
# Fast port scan
rustscan -a target.com -- -sV -sC
# Directory bruteforce
feroxbuster -u https://target.com -w wordlist.txt -x php,html,txt
# Vulnerability scanning
nuclei -l urls.txt -tags cve,rce,sqli -severity critical,high
# Password spraying
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123!'
# Mimikatz credential dump
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
[+] 19,900+ lines of battle-tested commands
[+] Copy-paste ready - Works in real engagements
[+] 2026 Edition - Latest techniques and tools
[+] Complete coverage - Recon to post-exploitation
[+] Advanced topics - Supply chain, hardware, blockchain
[+] Real-world focus - Practical, not theoretical
[+] Organized structure - Easy navigation and reference
- Total Commands: 5,000+
- Tools Covered: 300+
- Attack Techniques: 200+
- Code Examples: 1,000+
- Real CVEs: 100+
This playbook is maintained by the security community. To contribute:
- Fork the repository
- Add your techniques to appropriate doc files
- Test commands in a lab environment
- Submit a pull request with detailed description
- Include references and credits
- v3.0 (Nov 2025) - Reorganized into modular structure, added 23 advanced attack topics
- v2.5 (Oct 2025) - Added AI/ML security, advanced EDR evasion, supply chain attacks
- v2.0 (2025) - Enhanced cloud security, Kubernetes, wireless, social engineering
- v1.0 (2024) - Initial release
This playbook is intended ONLY for:
- [+] Authorized security testing with written permission
- [+] Educational purposes in controlled lab environments
- [+] Security research to improve defensive capabilities
- [+] Professional penetration testing engagements
[x] Unauthorized access to computer systems is illegal. The author assumes no liability for misuse of this information. Always obtain explicit written authorization before testing any systems you do not own.
Special thanks to the security community, open-source tool developers, and researchers who make this knowledge possible:
- @harmj0y (Will Schroeder) - PowerView, Rubeus
- @gentilkiwi (Benjamin Delpy) - Mimikatz
- @byt3bl33d3r - CrackMapExec, DeathStar
- @SecureAuthCorp - Impacket suite
- @projectdiscovery - Nuclei, httpx, subfinder
- @tomnomnom - ffuf, waybackurls, httprobe
- And countless others contributing to infosec
- GitHub Issues: Report bugs or request features
- Discussions: Share techniques and ask questions
- Twitter: Follow @RicheByte for updates
Stay safe, stay legal, stay ethical.
Happy (ethical) hacking!
Last Updated: November 11, 2025
Version: 3.0-2026-ULTIMATE-EDITION
License: Educational Use Only - Authorized Security Testing
GitHub: github.com/RicheByte/pentester-playbook