Using SOCKS Proxy vs. Port Forwarding: A Pentester’s Guide When performing internal penetration testing, gaining a foothold is just the beginning. The next step is pivoting — finding a way to explore deeper into restricted networks. Two powerful techniques for this are SOCKS proxying and port forwarding. Both serve different purposes, and knowing when to […]
Port 135: The RPC Goldmine for Pentesters In many internal pentests, port 135 (MSRPC) is quietly open — sitting there like an unassuming door. But to those who understand it, that door leads to the inner workings of Windows systems. This post walks you through how to identify, enumerate, exploit, and abuse everything behind port
Exploiting WinRM: A Guide for Pentesters Table of Contents 1. What is WinRM? Windows Remote Management (WinRM) is Microsoft’s implementation of the WS-Management protocol — a SOAP-based protocol used for remote management. It’s commonly used to run PowerShell commands or scripts remotely, making it a prime target for lateral movement. Think of it like SSH
Linux Lateral Movement for Pentesters Once you’ve compromised a Linux system, lateral movement allows you to pivot across the internal network, access new machines, and expand your foothold. This guide focuses on the essential tools and techniques used to move laterally in Linux environments during a penetration test. What Is Lateral Movement? Lateral movement in
Linux Lateral Movement Read More »
Windows Lateral Movement for Pentesters When you’ve compromised one machine in an Active Directory environment, the next logical step is to move laterally — hopping from system to system using valid credentials or tokens. In this post, we’ll focus purely on lateral movement techniques and the tools that help make it happen. We’ll cover: What
Windows Lateral-Movement Read More »
Exploiting MSSQL as a Pentester Overview Microsoft SQL Server (MSSQL) is a high-value target in many environments. It often runs with high privileges, contains sensitive data, and—if misconfigured—can lead to full system compromise. This guide walks you through everything you need to know about exploiting MSSQL from enumeration to post-exploitation. Scanning Start by identifying MSSQL
Windows Privileges: Understanding Windows privileges is crucial when targeting local escalation, persistence, and impersonation on Windows systems. This guide breaks down the core privileges in Windows, how they affect security, and how pentesters can abuse them to move from user to SYSTEM — or better. What Are Windows Privileges? Privileges are specific rights assigned to
Windows Privileges Read More »
Windows Access Tokens: Access tokens are at the core of how Windows manages identity and permissions. As a pentester, understanding how these tokens work — and more importantly, how to abuse them — gives you powerful tools for privilege escalation, lateral movement, and persistence. This guide breaks down all the important Windows access tokens, how
Windows Access Tokens Read More »
What Is Evil-WinRM? Evil-WinRM (Evil Windows Remote Management) is a PowerShell Remoting shell that allows authenticated users to interact with a remote Windows machine over the WinRM protocol. Think of it like a remote PowerShell shell on steroids — fast, reliable, and custom-built for red team operations. When Should You Use Evil-WinRM? Use Evil-WinRM when:
What is CrackMapExec? CrackMapExec, or CME, is a post-exploitation tool that lets you interact with SMB, WinRM, RDP, LDAP, and more, across large networks — all while managing and reusing credentials. Think of it as Metasploit’s quiet, more surgical cousin for internal Windows environments. It was built to help pentesters and red teamers enumerate, attack,
