The Recon Scout
Lvl 1 · MappingLearn to see everything before you touch anything.
- Scan
Nmap- Subdomains
Amass / crt.sh- Web probe
httpx- Content
- ffuf
- OSINT
- Recon-ng
▲ Field upgradeAdd Shodan to find exposed services without scanning.
Field Manual · Offensive Security
The offensive counterpart to the defense manual. You can't protect a system you don't know how to break — so this walks the attacker's kill chain, from recon to report. Everything here is for authorized testing, CTFs and your own lab.
Orientation
Read this first. The difference between a penetration tester and a criminal is not skill — it's permission.
This guide is for education and authorized security testing only. Ethical hacking is legal when — and only when — you have explicit, written permission from the owner of the system you are testing, or when you are working entirely inside systems you own.
Practising these techniques is legal on: your own machines and networks; intentionally vulnerable lab targets (VulnHub, HackTheBox, TryHackMe, PortSwigger Web Security Academy, OWASP Juice Shop, Metasploitable, DVWA); sanctioned CTF competitions; and paid penetration-testing engagements covered by a signed scope and rules-of-engagement document.
Running any of this against a system you do not own or are not contracted to test — even "just to look" — is a crime in most countries (Computer Fraud and Abuse Act in the US, Computer Misuse Act in the UK, and equivalents elsewhere). No scope, no test. The author and tompearl.com accept no liability for misuse; you alone are responsible for staying inside the law.
Scope — exactly which hosts, IPs, domains and apps are in bounds, and which are explicitly out.
Authorization — a signed engagement letter / rules-of-engagement document with dates and a get-out-of-jail contact.
Rules — allowed hours, whether social engineering or DoS is permitted, and how to stop if you cause an outage.
If you can't point to written permission for a target, it is not a target. Spin up a lab instead — you'll learn more and sleep better.
Unlearn
Beliefs that get beginners caught, burned, or stuck. Drop these now.
“A VPN or Tor makes what I'm doing legal.”
Anonymity is not authorization. Hiding your source IP doesn't change whether you had permission — it just changes how the sentencing reads.
“Real hacking is dropping zero-days like in the movies.”
Almost every real compromise is a stolen password, an unpatched box, or a misconfiguration. Boring beats clever.
“Automated scanners will find everything.”
Scanners find the obvious. Chained logic flaws, business-logic abuse and access-control gaps need a human brain.
“Getting a shell is the goal.”
The goal is a clear, reproducible report that lets the defenders fix it. A shell nobody can act on is worthless.
“Louder and faster is better.”
Aggressive scans crash fragile systems and get you blocked. Understand the target before you hammer it.
Kill chain · Phase 1
Map the attack surface before you throw a single packet. Most of the work happens here.
What it achieves
Turns a company name into a list of domains, subdomains, IP ranges, exposed services, technologies and people — the raw material every later phase depends on. A thorough map is worth more than a fast exploit.
Host: header. The default page is rarely the interesting one.Kill chain · Phase 2
From "these hosts exist" to "these exact services, versions and doors are open".
What it achieves
Identifies open ports, running services and their versions, then digs into each service for shares, users, endpoints and default credentials. Enumeration is where engagements are won — spend the time.
Kill chain · Web apps
Where most real-world bug bounties and breaches live. Learn the OWASP Top 10 by breaking it in a lab.
What it achieves
Turns a login form or search box into data theft, account takeover or code execution. The classics — injection, broken access control, and authentication flaws — still dominate real findings.
... WHERE user='$u' falls to ' OR '1'='1. Learn why parameterized queries kill it./api/invoice?id=1001. Try id=1002. If it returns someone else's invoice, that's a critical finding — no exploit tooling needed.http://169.254.169.254/latest/meta-data/ → cloud credentials → game over.PortSwigger's Web Security Academy is free, world-class, and legal to hammer as hard as you like. Pair it with OWASP Juice Shop and DVWA running locally.
Kill chain · Credentials
Stolen and weak credentials remain the single most common way in. Know how they fall.
What it achieves
Converts captured hashes or a login prompt into working credentials — then reuses them everywhere. Credential reuse is what turns one weak password into full domain compromise.
Kill chain · Phase 3
Turning a known weakness into a foothold — carefully, and inside scope.
What it achieves
Gets you your first code execution or session on a target. The professional's rule: understand what an exploit does before you run it, so you don't crash a production system you were hired to protect.
Kill chain · Phase 4
From a low-privilege foothold to root / SYSTEM / domain admin.
What it achieves
Takes the limited shell you landed and turns it into full control of the host, by abusing misconfigurations the sysadmin never noticed. Enumeration wins here just like everywhere else.
sudo -l first. If you can run even vi or find as root, GTFOBins gives you the one-liner to a root shell.whoami /priv — SeImpersonate is a classic win via "potato" attacks).Kill chain · Phase 5
Proving business impact — carefully, and only as far as scope allows.
The actual deliverable
The report is the product. A brilliant exploit nobody can understand or fix is a failure.
Title & severity (with CVSS or a clear risk rating), a plain-English impact statement, step-by-step reproduction with evidence, the affected assets, and a concrete remediation the team can actually act on.
TL;DR
The non-negotiables of a professional, legal test.
Pick your class
New to the field? Grab a starter kit for the path you're learning — every tool in it lives in the Toolbox below.
Learn to see everything before you touch anything.
Nmap
Amass / crt.sh
httpx▲ Field upgradeAdd Shodan to find exposed services without scanning.
Bug bounties and web pentests start here.
Burp Suite
sqlmap
Nuclei
PortSwigger Academy▲ Field upgradeRead every request in Burp by hand — automation misses logic flaws.
Internal networks and Active Directory.
Metasploit
BloodHound
hashcat▲ Field upgradePractice the full chain on HackTheBox Pro Labs before any real internal.
Zero risk, all reps. Start your whole journey here.
Kali Linux
VulnHub
TryHackMe
HackTheBox▲ Field upgradeWork OWASP Top 10 end-to-end before touching anything live.
Arsenal
The standard, mostly free / open-source offensive toolkit — most ship with Kali Linux. Each note says what phase it serves. Lab and authorized targets only.
Recon & enumeration
NmapThe standard port scanner and service/version fingerprinter, with a huge scripting engine.
ScanningVisitThese tools are neutral — the same scanner defends and attacks. What makes their use legal is authorization for that specific target. Against your own lab: go wild. Against anything else without written scope: it's an offence, full stop. See the rules of engagement.
Web application
Burp SuiteThe web pentester's core proxy — intercept, modify and replay requests. Free Community edition to start.
WebVisit
sqlmapAutomated detection and exploitation of SQL injection — study its output to learn the technique.
WebVisit
NucleiTemplate-based scanner for known vulnerabilities and misconfigurations at scale.
Scanning · WebVisitExploitation & C2
MetasploitThe exploitation framework — modules, payloads and post-exploitation, ideal for learning how exploits work.
ExploitationVisit
msfvenomPayload generator bundled with Metasploit for crafting reverse shells and stagers.
ExploitationVisit
Exploit-DB / searchsploitArchive of public exploits; read the code before you ever run one.
ExploitationVisitPasswords & credentials
Privilege escalation & AD
Enumerates local privilege-escalation paths on Linux and Windows automatically.
Priv-escVisit
BloodHoundGraphs Active Directory attack paths so you can see the route to domain admin.
Priv-esc · ADVisit
ImpacketPython toolkit for Windows/AD protocols — the backbone of pass-the-hash, Kerberoasting and lateral movement.
Post-exploit · ADVisitReference of trusted binaries abusable for privesc — essential lookup, not a tool.
Priv-escVisitPlatform & distro
Kali LinuxThe pentesting distro with hundreds of these tools pre-installed. Run it in a VM.
PlatformVisit
Parrot Security OSAlternative security distro, lighter than Kali with a similar toolset.
PlatformVisit
WiresharkPacket analyzer for understanding protocols and spotting cleartext credentials.
AnalysisVisit
Kill chain · People
Social engineering
The human layer — the most reliable way in, and the most sensitive to test. Only ever with explicit sign-off.
What it achieves
Bypasses every technical control by convincing a person to hand over access. Because it targets real people, it demands the strictest authorization and the most care.
Extra rules for the human layer
Social engineering must be explicitly named in the scope, target roles rather than individuals where possible, and never involve real harm, threats, or handling of anyone's genuine personal data beyond what the test requires. When in doubt, leave it out.