Uncategorized

Hashcat

Hashcat: GPU Cracking at Scale

Hashcat is the world’s fastest password recovery tool. Designed for brute-force and rule-based attacks, it leverages your GPU to crack passwords faster than any CPU-based tool can dream of. When you need to process massive hash dumps or custom password formats at scale, Hashcat is the go-to weapon. In this […]


John The Ripper

John the Ripper: John the Ripper (or just “John”) is a legendary password cracker. It’s smart, flexible, and built for real-world hash cracking — from Linux password files to Windows NTLM hashes and beyond. This post covers everything you need to know to use John effectively during pentests: how to identify hash types, load them,


Hydra

Hydra: Brute Force Hacking Like a Pro

Hydra is a fast and flexible login cracker. It’s one of the most essential tools in a pentester’s arsenal when credentials are unknown and brute-forcing is on the table. Whether you’re testing SSH, HTTP forms, or even RDP, Hydra gets the job done with speed and precision. In


printf for payloads

printf for Payloads: When it comes to crafting precise payloads or writing malicious scripts on-the-fly, one tool stands above echo in both control and reliability — the mighty printf. It’s clean, it’s predictable, and it doesn’t flinch at escape characters or strange input. As pentesters, we often find ourselves needing to generate scripts, inject payloads,


LinPEAS

LinPEAS: Automating Linux Privilege Escalation Enumeration

Once you’ve landed on a Linux machine during a penetration test, your goal is simple: escalate privileges. Whether you’re stuck in a restricted shell or sitting as a low-privileged user, your mission is to become root. That’s where LinPEAS comes in.

What Is LinPEAS?

LinPEAS is part of the


PowerShell Remoting

PowerShell Remoting for Pentesters

Introduction

PowerShell Remoting is like RDP without the GUI. It lets administrators (and attackers) run commands on remote systems over the network using the WinRM service. If you’ve got valid credentials and the right access, PowerShell Remoting becomes a stealthy, native post-exploitation tool — no implants, no noise, and no third-party

