Key Takeaways
1. Establish a Baseline for Penetration Testing
To accomplish this, you need to have a standard baseline system, tools, and processes.
Repeatable Process. A consistent approach is crucial for effective penetration testing. This involves setting up standardized attacking systems, tools, and methodologies. Having both a Windows and Linux box configured with essential tools allows for consistent testing across different environments.
Virtual Machine Snapshots. Taking snapshots of clean, configured virtual machines (VMs) is a lifesaver. This allows you to quickly revert to a known good state, patch, update tools, and add any additional tools needed for specific engagements. This saves time and ensures consistency across tests.
Hardware and Software. Basic hardware requirements include a laptop with at least 8 GB of RAM, 500 GB of hard drive space (preferably SSD), and an Intel Core i7 quad-core processor. Essential software includes VMware Workstation/Fusion/Player or VirtualBox, and Kali Linux. Commercial tools like Nexpose/Nessus and Burp Suite are highly recommended for professional testing.
2. Master Passive Information Gathering
Start with Passive Discovery, which will search for information about the target, network, clients, and more without ever touching the targeted host.
Non-Intrusive Reconnaissance. Passive discovery involves gathering information about the target without directly interacting with their systems. This is crucial for avoiding detection and gaining initial insights into the target's infrastructure, personnel, and online presence.
Discover Scripts. Tools like Discover-scripts automate various searches, including identifying people within the organization, domains, email addresses, and files. This tool aggregates information from various sources, such as LinkedIn, Google dorks, and WHOIS records, into a single report.
Compromised Lists. Utilizing known credential dumps for password reuse can be highly effective. By parsing through breached databases like the Adobe breach, you can identify email addresses and encrypted passwords associated with the target domain. This information can then be used for password cracking or spear phishing campaigns.
3. Employ Active Scanning Techniques
Active discovery is the process of trying to identify systems, services, and potential vulnerabilities.
System and Service Identification. Active discovery involves directly interacting with the target network to identify systems, services, and potential vulnerabilities. This requires using network scanners like Nmap and vulnerability scanners like Nexpose/Nessus.
Scanning Process. A typical scanning process involves:
- Network Vulnerability Scanning (Nexpose/Nessus)
- Scanning with Nmap
- Scanning with Custom Nmap Scripts
- Screen Capturing with PeepingTom
Nmap Banner Grabbing. Running a customized Nmap OS and service detection scan on common ports (or all 65,535 ports) is essential. Using a banner grabbing script like banner-plus.nse can quickly collect the banners of open ports, providing valuable information about the services running on the target network.
4. Exploit Vulnerabilities with Precision
Once a scanner finds a vulnerability, I will usually go search for a working exploit.
Exploitation Tools. Metasploit is a common tool for exploiting vulnerabilities. It allows you to select an exploit, set options, configure payloads, and run the attack. However, it's crucial to understand how exploits work and be able to modify them if necessary.
Manual Exploitation. Many times, exploits are not available in Metasploit and must be found elsewhere. These exploits may be written in various languages like Python, C++, Ruby, Perl, or Bash. As a penetration tester, you need to be familiar with how to read, edit, modify, and execute these scripts.
Script Validation. Before executing any script, it's crucial to test it first. Some scripts may contain malicious code that can harm the target system. Always validate the shellcode and understand the potential impact of the exploit.
5. Navigate Networks Laterally
This section will be focused on moving through the network and trying to go from becoming a limited user all the way to owning the whole network.
Credential Harvesting. Once on a network, the goal is to move laterally and escalate privileges. This often involves harvesting credentials using tools like Responder.py, WCE (Windows Credential Editor), and Mimikatz.
Responder.py. Responder.py listens for LLMNR and NBT-NS requests and responds to them, capturing NTLM challenge/response hashes. These hashes can then be cracked using John the Ripper or oclHashcat.
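The LLMNR abuse described above can be detected from the defender's side by periodically asking for a canary name that no real host owns: a legitimate network never answers, so any answer is a poisoner. The following is an added example, not code from the book or from Responder.py; it builds a constructed LLMNR query/response pair (LLMNR reuses the DNS message layout on UDP 5355, multicast 224.0.0.252), parses it, and flags a forged answer. The canary name is an assumption.

```python
"""Spot LLMNR poisoning by asking for a canary name nobody legitimately owns."""
import struct

CANARY = "canary-host-7q2"  # constructed name; no real machine should answer for it


def _encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"


def _read_name(buf, off):
    """Decode DNS-style labels starting at off; return (name, offset after the name)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_message(tid, name, answer_ip=None):
    """Constructed sample packet: an A query for name, or a response resolving it."""
    head = struct.pack("!6H", tid, 0x8000 if answer_ip else 0, 1, 1 if answer_ip else 0, 0, 0)
    msg = head + _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if answer_ip:  # answer name is a compression pointer (0xc00c) to the question name
        rdata = bytes(int(o) for o in answer_ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + rdata
    return msg


def parse_llmnr(payload):
    """Decode header, question and A-record answers of an LLMNR message."""
    tid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    qname, off = _read_name(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        if payload[off] & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = ((payload[off] & 0x3F) << 8) | payload[off + 1]
            name, off = _read_name(payload, ptr)[0], off + 2
        else:
            name, off = _read_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        rdata, off = payload[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": tid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "answers": answers}


def is_poisoning(payload, canary=CANARY):
    """True if the packet is a response claiming an address for the canary name."""
    msg = parse_llmnr(payload)
    return msg["is_response"] and any(n.lower() == canary.lower() for n, _ in msg["answers"])
```

In production the query would be sent to the multicast group and `is_poisoning` run on whatever arrives on the socket; the mitigation remains disabling LLMNR and NBT-NS by group policy.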
Group Policy Preferences (GPP). GPPs are extensions for Active Directory that allow administrators to configure settings on domain-joined machines. However, if GPPs are used to push local admin accounts, the usernames and passwords may be stored in a readable format on the domain controller, allowing any domain user to retrieve them.
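A domain admin can audit for this exposure before anyone else finds it. The following is an added example, not from the book: it walks the GPP XML files that live under a domain's Policies share and reports every element carrying a non-empty cpassword attribute, without decrypting anything. The sample XML is constructed and its cpassword value is a placeholder.

```python
"""Audit Group Policy Preference XML under SYSVOL for stored credentials."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample resembling a Groups.xml that pushes a local admin account;
# the cpassword value is a placeholder, not real ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-01-01 10:00:00">
    <Properties action="U" cpassword="PLACEHOLDER_CIPHERTEXT" changeLogon="0"
                noChange="1" neverExpires="1" userName="LocalAdmin"/>
  </User>
</Groups>
"""


def find_cpassword_entries(xml_text, source="<memory>"):
    """Return one finding per element carrying a non-empty cpassword attribute.
    Nothing is decrypted: the audit only needs to know that a credential is
    sitting in SYSVOL, where every authenticated domain user can read it."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:  # attribute absent, or present but blank
            continue
        # The account name sits on the Properties element (userName/accountName)
        # or, for User/Group items, on the enclosing element's name attribute.
        parent = parent_of.get(elem)
        name = (elem.get("userName") or elem.get("accountName")
                or (parent.get("name") if parent is not None else None) or "?")
        findings.append({"source": source, "item": elem.tag,
                         "account": name, "cpassword_len": len(cpw)})
    return findings


def audit_policies_dir(policies_dir):
    """Walk every XML file below a mounted or copied Policies directory."""
    findings = []
    for path in Path(policies_dir).rglob("*.xml"):
        try:
            text = path.read_text(encoding="utf-8-sig")
            findings.extend(find_cpassword_entries(text, str(path)))
        except (OSError, ET.ParseError):
            continue  # unreadable, or not well-formed XML: skip it
    return findings
```

Any hit means the preference item should be deleted and the affected local account's password rotated, since the stored value is recoverable by any domain user.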
6. Master Social Engineering Tactics
If client attacks are in the scope of your tests, social engineering is your “go to” attack.
Doppelganger Domains. Purchasing doppelganger domains (e.g., uscompany.com instead of us.company.com) can be highly effective for capturing sensitive information. By setting up an SMTP server with a catch-all configuration, you can intercept emails sent to the misspelled domain.
Spear Phishing. Spear phishing involves crafting targeted emails to specific individuals or groups within an organization. This requires gathering information about the target, such as their interests, relationships, and communication patterns.
Social Engineering Toolkit (SET). SET is a powerful framework for creating and launching social engineering attacks. It includes modules for cloning websites, creating credential harvesters, and generating malicious payloads.
7. Evade Anti-Virus Detection
My feelings on Anti-Virus (AV) scanners are that they are there to stop the script kiddies.
Signature-Based Detection. Anti-virus (AV) scanners often rely on signature-based detection, which involves identifying known malicious code patterns. To evade AV, it's necessary to modify or obfuscate your payloads to avoid triggering these signatures.
Evade Tool. Tools like Evade can help identify the specific strings or code patterns that trigger AV detection. By splitting the file and scanning each part, you can pinpoint the exact location of the signature.
Python Payloads. Python is a versatile language for creating malicious payloads that can evade AV. Python scripts can be easily obfuscated and converted into executables using tools like py2exe or pyinstaller.
8. Optimize Password Cracking Strategies
This section is where I have collected everything else that assists in penetration testing, but didn’t have a place elsewhere.
Password Cracking Tools. John the Ripper (JtR) and oclHashcat are two powerful tools for cracking password hashes. JtR is a versatile tool that supports a wide range of hashing algorithms, while oclHashcat leverages the power of GPUs for faster cracking.
Wordlists, Rules, and Hashing Algorithms. To optimize password cracking, it's crucial to define wordlists, rules, and hashing algorithms. Wordlists contain common passwords, rules modify the wordlist to generate variations, and hashing algorithms specify the type of hash being cracked.
oclHashcat. oclHashcat is a powerful tool for cracking password hashes using GPUs. It supports a wide range of hashing algorithms and can be used to crack WPA2 and NTLMv2 hashes.
Review Summary
The Hacker Playbook receives mixed reviews, with an overall rating of 3.96/5. Readers appreciate its framework for penetration testing and practical approach, finding it useful for professionals but not beginners. Some praise its comprehensive coverage and valuable tips, while others criticize its shallow depth and overreliance on tool descriptions. The book is commended for its post-exploitation and lateral movement chapters but criticized for outdated information and poor formatting. Many recommend it as a reference guide for experienced pentesters, though some find it lacks detailed explanations of underlying concepts.