CMSmap

CMSmap: Enumerating WordPress, Joomla, and Drupal Like a Pro

When you’re testing a Content Management System (CMS) like WordPress, Joomla, or Drupal, your recon needs to go deeper than default credentials and login forms. This is where CMSmap comes in. It’s a Python-based scanner designed specifically for enumerating and testing known vulnerabilities in popular CMS […]

xfreerdp

XFreeRDP: Access with and without Passwords

xfreerdp is a powerful, flexible Remote Desktop Protocol (RDP) client for Linux that supports both password-based and Pass-the-Hash authentication. It’s a go-to tool when you’ve popped Windows credentials during an internal engagement. Basic Syntax Example: Domain User Authentication When authenticating as a domain user: Example: Alternatively: Pass-the-Hash (PtH) with

AD – Exam Guide

PHASE 1: Enumeration (Pre-Auth)

🔹 1. CrackMapExec (CME) Use it for: Scanning AD networks, checking creds, listing shares, Kerberoastable users, sessions, etc. Syntax:
🔹 2. Kerbrute Use it for: AS-REP roasting (pre-auth user discovery) and user enumeration. Syntax:
🔹 3. Impacket GetNPUsers.py Use it for: Dumping AS-REP roastable hashes. Syntax:
🔹 4. BloodHoundPython Use it for: Headless BloodHound

BloodHound – Python

What is BloodHound-python?

BloodHound-python is a Python-based ingestor for BloodHound. It’s designed to run on Linux systems, perfect for red teamers or pentesters working from Kali or similar. Unlike SharpHound (which is written in C# and runs on Windows), BloodHound-python can be used remotely without needing to drop binaries on the target — great for

SSH

Mastering SSH: Keys, Tunnels, and Pivoting

SSH (Secure Shell) is a foundational protocol for managing and accessing remote systems. For pentesters, it’s not just about logging in — it’s a powerful tool for pivoting, tunneling, and stealthy movement across networks. This post covers everything you need to know about SSH during an engagement: finding keys,

MS-SQL Syntax

Basic MSSQL Navigation & Enumeration

🔹 List all databases
🔹 List all tables in current database
🔹 List all columns in a table
🔹 Switch database

User & Role Enumeration

🔹 Current user and privileges
🔹 List all SQL Server logins
🔹 List users in current DB
🔹 List server roles

Querying Data

🔹 Select

finger

Exploiting the Finger Service (Port 79) on Linux: A Pentester’s Guide

The Finger protocol, once a staple of early Unix systems, is now a mostly forgotten relic. But when you do encounter it on a target, port 79 can offer surprisingly useful enumeration data — and sometimes even lead to privilege escalation or lateral movement.

nmblookup

Nmblookup: NetBIOS Name Resolution in Action

When you’re dealing with older Windows environments or internal networks, NetBIOS name resolution can still be in play. One lightweight tool for this is nmblookup, which lets you perform NetBIOS queries to identify hosts, workgroups, and domain names—especially when DNS isn’t available or reliable. This post breaks down: What

enum4linux

Enum4linux: SMB Enumeration for Pentesters

When you come across an SMB service on a target, enum4linux is one of your go-to tools for fast and detailed enumeration. It’s basically a wrapper around smbclient, rpcclient, net, and nmblookup, automating the dirty work of probing Windows shares and services. This post will cover: What is enum4linux? enum4linux

SMTP

Understanding and Exploiting SMTP: A Pentester’s Guide

Category: Exploiting Services
Author: Offensive Cyber Professional
Focus: Enumeration → Exploitation → Post-Exploitation

Overview: What is SMTP?

SMTP (Simple Mail Transfer Protocol) is the protocol used to send emails across networks. It operates over TCP port 25 (and sometimes 587 or 465 for submission and encrypted channels). While it’s essential
