Offensive Security: Penetration Testing

TCP/IP internals, Wireshark packet analysis, Scapy for crafting packets, common protocols (DNS, SMTP, FTP, SMB, LDAP), and how they are exploited.

• Professor Messer: CompTIA Network+ N10-009 (free)coursefree
• Wireshark Official Docsdocfree
• TryHackMe: Pre-Security Pathcoursefree

• Capture and decode an HTTP form submission in Wireshark
• Craft a custom TCP packet with Scapy
• Identify SMB version from packet capture
• DNS zone transfer with dig axfr

Kali Linux setup, directory traversal, file permissions, AD fundamentals (users, groups, GPO, Kerberos), PowerShell for red team, and LOLBAS.

• OffSec: TryHackMe Linux Fundamentalscoursefree
• TryHackMe: Windows Fundamentals (3 rooms)coursefree
• OverTheWire: Bandit + Nataslinkfree

• Privilege escalation via misconfigured SUID
• PowerShell: enumerate local users and groups
• Identify Kerberoastable accounts with GetUserSPNs
• LOLBAS: execute code via certutil

Write reverse shells, port scanners, brute-forcers, payload encoders, and C2 POC scripts. Focus on practical exploit development skills.

• Black Hat Python 2nd Edition (No Starch)coursepaid
• Violent Python (original, free PDF widely available)docfree

• TCP port scanner with threading
• Simple reverse shell with socket + subprocess
• Password brute-forcer for SSH (lab VM only)
• XOR encoder to evade basic AV

Injection (SQL, command, LDAP), XSS (reflected, stored, DOM), CSRF, SSRF, XXE, IDOR, broken auth, and security misconfigurations. All labs in safe environments.

• PortSwigger Web Security Academy (free)coursefree
• OWASP Top 10 2021 (official)docfree
• DVWA: Damn Vulnerable Web Applicationrepofree
• HackTheBox Academy: Bug Bounty Hunter Pathcoursefree

• SQL injection: blind boolean-based extraction
• Stored XSS: steal session cookie
• SSRF: reach internal metadata endpoint
• XXE: read /etc/passwd
• IDOR: access another user's order history
• Complete 25 PortSwigger Web Security labs

Intercept proxy, Repeater, Intruder, Scanner, Decoder, Comparer, Collaborator, and BApp Store extensions. Professional-grade web application testing workflow.

• PortSwigger: Burp Suite Learning Resourcesdocfree
• TCM Security: Web Application Ethical Hacking Coursecoursepaid

• Intercept and modify a JWT token
• Intruder: credential stuffing attack on a lab
• Collaborator: detect out-of-band XXE/SSRF
• Scan a target: triage and report findings

REST and GraphQL API security: BOLA/IDOR, mass assignment, broken function-level auth, JWT attacks, and API fuzzing with ffuf and Postman.

• OWASP API Security Top 10docfree
• HackTheBox Academy: API Attacks Modulecoursefree
• Corey Ball: Hacking APIs (No Starch)coursepaid

• BOLA: access other user resources via API
• Mass assignment: elevate privileges via POST body
• JWT alg=none attack
• GraphQL introspection: map schema and find hidden endpoints

Nmap advanced scanning, service enumeration, Metasploit framework, post-exploitation (Meterpreter), pivoting, port forwarding, and lateral movement.

• TCM Security: Practical Ethical Hacking (PEH)coursepaid
• TryHackMe: Jr Penetration Tester Pathcoursefree
• Hack The Box: Starting Point Labs (free)linkfree

• Nmap: stealth scan, OS detection, service fingerprint
• Exploit EternalBlue with Metasploit (lab VM)
• Meterpreter: dump hashes, screenshot, keylog
• Pivot: reach isolated network via compromised host

Kerberoasting, AS-REP Roasting, Pass-the-Hash, Pass-the-Ticket, DCSync, BloodHound attack paths, and Golden/Silver Ticket attacks.

• TCM Security: Practical Active Directory Pentestingcoursepaid
• TryHackMe: Advanced Active Directory Modulecoursefree
• HackTricks: AD Attacks Cheat Sheetdocfree

• Kerberoasting: extract and crack a service ticket
• BloodHound: find shortest path to Domain Admin
• DCSync: dump all domain hashes
• Golden Ticket: forge a Kerberos TGT

Professional pentest report structure: executive summary, risk ratings (CVSS), findings (description, evidence, PoC, remediation), and client communication.

• TCM Security: Sample Pentest Report (GitHub)repofree
• CVSS v3.1 Calculator (NVD)linkfree
• Serpico: Open-source report generatorrepofree

• Write an executive summary non-technical readers can act on
• CVSS score 3 real findings correctly
• Peer-reviewed report: no technical errors

Offensive Security Certified Professional (OSCP) exam strategy, time management, enumeration methodology, 24-hour lab simulation, and buffer overflow basics.

• Offensive Security: PEN-200 / OSCP Coursecoursepaid
• TJNull: OSCP-like HackTheBox / OffSec machines listlinkfree
• TCM: Buffer Overflow Made Easy (YouTube free)videofree

• Exploit a basic stack buffer overflow
• Complete 10 OSCP-like machines from TJNull list
• 24-hour lab simulation: 3 machines in time
• Pass OSCP exam (target certification)