Offensive Security Resources

A comprehensive offensive security reference built for penetration testers and red teamers.


About This Book

This is a hands-on reference designed to be open during engagements, lab work, and exams. Every page follows the same principle: give you the exact command to run, explain why you're running it, and show what the output looks like so you know you're on the right track.

Who it's for:

  • Pentesters preparing for OSCP, OSEP, or similar certifications
  • Red teamers who need a quick-reference during engagements
  • Students working through HackTheBox, Proving Grounds, or TryHackMe
  • Anyone who wants a structured methodology instead of scattered notes

What it covers:

  • Full attack chain from initial nmap scan to domain admin
  • Common applications with default creds and known exploit paths
  • Port-specific enumeration guides
  • Linux and Windows privilege escalation
  • Active Directory attacks including BloodHound, delegation, and ticket forging
  • Supporting topics: file transfers, shell escapes, payload generation, password cracking, steganography, and persistence

How to Navigate

Start with the Methodology Flowchart. It's the first section in the sidebar and acts as a master decision tree for the entire book. When you're stuck, go back to the flowchart.

Use search. Press S or click the magnifying glass to search across all pages. Search for a port number, tool name, CVE, or technique and you'll find the relevant page instantly.

Follow the sidebar order. The book is structured as a sequential methodology. The sidebar flows from reconnaissance at the top through post-exploitation at the bottom. During an engagement, you'll generally work top to bottom.

The Quick Reference table below links directly to the most common needs:

| Need | Go To |
|---|---|
| I don't know where to start | Methodology Flowchart |
| Initial port scan commands | Recon & Scanning |
| Enumerate a specific port | Port Enumeration |
| Web app testing | Web Attacks |
| Exploit a known application | Common Applications |
| Generate a payload or shell | Payload Generation |
| Transfer files to target | File Transfers |
| Crack a hash | Password Attacks |
| Linux root | Linux PrivEsc |
| Windows SYSTEM | Windows PrivEsc |
| Domain compromise | Active Directory |
| Reach internal net | Pivoting |
| Escape a restricted shell | Restricted Shell Escapes |
| Compile an exploit | Compiling Exploits |
| Hidden data in files | Steganography |
| Maintain access | Persistence |
| Time management | Decision Trees |

Keyboard shortcuts:

  • S — Open search
  • ← / → — Previous / next page
  • T — Toggle sidebar

Page Format

Every technique in this book follows the same structure so you can scan pages quickly:

````markdown
### Technique Name

Description — why you'd use this and when it applies

```bash
the exact command to copy and paste
```

<details>
<summary>Example Output</summary>

What you should expect to see when it works,
so you know you're on the right track.

</details>
````

  • Title tells you what the technique does
  • Description tells you why and when to use it
  • Command block is copy-paste ready (replace $IP with the target, $LHOST with your attack box)
  • Example Output (expandable) shows what success looks like

Variables used throughout the book:

| Variable | Meaning |
|---|---|
| $IP | Target IP address |
| $LHOST | Your attacker IP address |
| $DOMAIN | Target domain name |
| $DC_IP | Domain Controller IP |
| $SUBNET | Target subnet in CIDR form (e.g., 10.10.10.0/24) |

Tools You'll Need

This book assumes a Kali Linux attack box. Most tools below come pre-installed. Install anything missing before your engagement or exam.

Core tools (pre-installed on Kali):

| Tool | Used For |
|---|---|
| nmap | Port scanning and service detection |
| gobuster | Directory and vhost brute forcing |
| nikto | Web vulnerability scanner |
| hydra | Online brute force (SSH, FTP, HTTP, etc.) |
| john | Hash cracking |
| hashcat | GPU hash cracking |
| searchsploit | Exploit database search |
| msfvenom | Payload generation |
| netcat (nc) | Reverse shells, file transfers |
| curl / wget | HTTP requests and file downloads |
| enum4linux | SMB/RPC enumeration |
| smbclient / smbmap | SMB share access |
| impacket (full suite) | psexec, secretsdump, ntlmrelayx, mssqlclient, etc. (Kali installs them as impacket-psexec, impacket-secretsdump, ...) |
| crackmapexec / netexec (nxc) | Network-wide credential spraying. CrackMapExec is no longer maintained; current Kali ships its fork NetExec, whose nxc command keeps the same syntax |
| rpcclient | RPC enumeration |
| ldapsearch | LDAP queries |
| sqlmap | Automated SQL injection (automated exploitation tools such as sqlmap are not permitted on the OSCP exam) |
| tcpdump | Packet capture |
| chisel | TCP tunneling without SSH |
| ligolo-ng | Advanced pivoting |

Install separately:

```bash
# BloodHound + Neo4j
sudo apt install bloodhound neo4j -y

# Stego tools: steghide, binwalk and exiftool are in the Kali repos
sudo apt install steghide binwalk exiftool -y
# zsteg is a Ruby gem, not an apt package
sudo gem install zsteg
# stegseek is not in the Kali repos: install the .deb from its releases page
# https://github.com/RickdeJager/stegseek/releases

# wpscan
sudo apt install wpscan -y

# mingw (cross-compile for Windows)
sudo apt install mingw-w64 -y

# Python dependencies. The PyPI package "bloodhound" is BloodHound.py, the
# Python collector (bloodhound-python) used from Linux instead of SharpHound.
# Kali's system Python is PEP 668 managed, hence --break-system-packages;
# "pipx install bloodhound" / "pipx install impacket" keeps them isolated
# from the apt-installed python3-impacket instead.
pip install bloodhound impacket --break-system-packages

# Ligolo-ng (download the proxy and agent binaries from GitHub releases)
# https://github.com/nicocha30/ligolo-ng/releases
```

Upload to target (keep these ready):

| Tool | Purpose | Get It |
|---|---|---|
| linpeas.sh | Linux privilege escalation scanner | github.com/carlospolop/PEASS-ng |
| winpeas.exe | Windows privilege escalation scanner | github.com/carlospolop/PEASS-ng |
| SharpHound.exe | BloodHound data collector | github.com/BloodHoundAD/SharpHound |
| PowerUp.ps1 | Windows privesc checker | github.com/PowerShellMafia/PowerSploit |
| Rubeus.exe | Kerberos abuse toolkit | github.com/GhostPack/Rubeus |
| Seatbelt.exe | Windows host survey | github.com/GhostPack/Seatbelt |
| chisel | TCP tunnel client | github.com/jpillora/chisel |
| pspy | Monitor Linux processes without root | github.com/DominicBreuker/pspy |
| nc.exe | Netcat for Windows | Pre-compiled in Kali: /usr/share/windows-resources/binaries/ |

Pre-exam setup checklist:

□ Kali updated: sudo apt update && sudo apt full-upgrade (full-upgrade is the upgrade path Kali documents, since plain upgrade holds back packages whose dependencies changed)
□ All tools above installed and tested
□ linpeas/winpeas/SharpHound downloaded to ~/tools/
□ Reverse shell one-liners saved in a cheat sheet
□ VPN connection tested
□ Screenshot tool ready (Flameshot recommended)
□ Note-taking app open (CherryTree, Obsidian, or this book)
□ Terminal multiplexer running (tmux)

Built by Jashid Sany for penetration testing and red team engagements.