| name | pentest-playbook |
| description | 7-phase pentest pipeline from passive recon to exploitation. |
| version | 1.1.0 |
| author | uphiago |
| license | MIT |
| metadata | {"tags":["meta","playbook","pentest","methodology","workflow"],"category":"meta","related_skills":["recon-playbook","port-mass-scan","cache-attack","firebase-supabase-attack","api-noauth-hunt"]} |
Pentest Playbook Skill
7-phase master pentest pipeline covering the full lifecycle from passive reconnaissance to exploitation and reporting. Distilled from 100+ targets across government, healthtech, fintech, e-commerce, ISP, and SMB sectors. This is the "meta-playbook" — it tells you what to do at each stage of an engagement and which skills to load for each phase.
When to Use
- Starting a new pentest engagement with an unknown target.
- You need the canonical workflow for any type of target.
- After surface recon — this playbook tells you what to do next.
- Training — understand the full lifecycle of a professional pentest.
The 7-Phase Pipeline
| Phase | Name | Focus | Key Skills | Duration |
|---|
| 1 | Passive Recon | OSINT, subdomains, leaks, tech stack | subdomain-enumeration, offensive-osint | 30-60 min |
| 2 | Active Recon | Port scans, live hosts, tech detection | port-mass-scan, port-service-discovery, web2-recon | 30-60 min |
| 3 | Web Enumeration | Sensitive files, .env, CORS, JS secrets | web-enumeration, cors-credential-wordpress, js-secrets-extraction | 20-40 min |
| 4 | Framework Exploit | WordPress, Laravel, Spring, .NET | hunt-wordpress, hunt-laravel, hunt-springboot, hunt-aspnet | 30-60 min |
| 5 | Cloud & Infrastructure | Firebase, Supabase, S3, Cloud Functions | hunt-firebase, hunt-supabase, cloud-iam-deep | 30-60 min |
| 6 | Deep Exploitation | SQLi, SSRF, RCE, ATO, chains | hunt-sqli, hunt-ssrf, cross-attack-chains | 1-4 hours |
| 7 | Report & Remediation | Documentation, PoC, CVSS scoring | report-writing, triage-validation, evidence-hygiene | 1-3 hours |
Per-Phase Procedure
Phase 1 — Passive Recon
subfinder -d target.com -silent | tee subs.txt
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' >> subs.txt
curl -sI "https://target.com" | grep -iE "server|x-powered-by|x-aspnet|x-generator|x-runtime"
Phase 2 — Active Recon
rustscan -a target.com --ulimit 5000 -g | tee ports.txt
cat subs.txt | httpx -silent -status-code -title -tech-detect | tee live.txt
curl -skI "https://target.com/wp-json/wp/v2/users" -H "Origin: https://evil.com" | grep -i "access-control"
Phase 3 — Web Enumeration
Run the full web-enumeration skill — 200+ sensitive file paths, .env extraction, path traversal bypass, vHost enum.
Phase 4 — Framework Exploitation
Load the relevant hunt-* skill based on detected framework:
- WordPress:
hunt-wordpress + wp-mass-recon
- Laravel:
hunt-laravel
- Spring Boot:
hunt-springboot
- ASP.NET:
hunt-aspnet
Phase 5 — Cloud & Infrastructure
- Firebase:
hunt-firebase (API key → Firestore → Storage)
- Supabase:
hunt-supabase (anon key → RLS bypass)
- Cloud IAM:
cloud-iam-deep (SA key → GCP token → IAM policy)
- Docker:
docker-privesc (if container access)
Phase 6 — Deep Exploitation
Chain findings using cross-attack-chains skill. The 5 confirmed chains (A-E) turn individual Medium/High findings into Critical impact.
Phase 7 — Report
Use report-writing skill for bug bounty or redteam-report-template for client deliverables. Apply triage-validation 7-question gate before submitting.
Lateral Pivot Decision Points (Critical Methodology)
When brute force / direct attacks aren't producing results, DO NOT persist — pivot to lateral discovery. This is the single most important judgment call in a pentest.
Pivot Triggers — Know When to Switch Vectors
| Signal | Current Vector | Pivot To |
|---|
| 100+ passwords tested, zero hits | Brute force (login) | SSRF, CORS, subdomain enum, API discovery, source leak, open registration, Firebase/Supabase |
| All common creds fail on MySQL/SSH | Database/SSH brute | API discovery (port scan for HTTP services), JS bundle secrets, Firebase config, CORS exfil |
| WAF/403 on every payload | Web exploitation | CDN bypass (origin IP discovery), subdomain enum (staging/dev may lack WAF), API on non-standard ports, HTTP method/header tampering |
| rate limit / captcha / lockout | Auth brute | SameSite bypass, OAuth misconfig, MFA fatigue, password-reset poisoning, SSO token reuse |
| 401/403 on all API endpoints | API exploitation | OPTIONS preflight, method tampering (GET→POST, PUT→PATCH), content-type switching (JSON→XML→form), header injection (X-Forwarded-User, X-Original-URL), JWT alg=none |
| SPA returns same HTML for all paths | Path enumeration | Check API on other ports (8080, 8443, 3000, 5000, 8084), JS bundle route extraction, source maps, Firebase/Supabase, CORS exfil |
| No vulns found on main app | App exploitation | Sister apps (same IP/cert/headers → same code), subdomains, staging/dev instances, mobile APKs, CMS admin panels, forum/community software |
Lateral Discovery Checklist (run this when stuck)
When a vector isn't paying off, systematically check these BEFORE declaring the target clean:
- Ports beyond top-20 — nmap -p- on critical targets, masscan on /24 ranges
- Non-standard API ports — 8080, 8081, 8084, 8443, 3000, 5000, 9090, 9000
- Subdomains — subfinder + crt.sh (staging, dev, admin, api, mail, cpanel, shop)
- JS bundle secrets — Firebase API keys, AWS/GCP credentials, internal endpoints, JWTs
- Open registration — wp-login.php?action=register, /signup, /register endpoints
- CORS exfiltration — ACAO reflection + ACAC:true = browser-readable data from authenticated victims
- Firebase / Supabase — API key in JS → anonymous auth → Firestore/RTDB read
- Error logs — /error_log, /debug.log, /wp-content/debug.log (often 1MB+ of paths, SQL, creds)
- Source code leaks — .git/HEAD, .env, sitemap.xml, robots.txt disallow paths, source maps
- Sister-app sweep — same IP / cert / headers → same vulnerable code template on other paths
The 3-Attempt Rule
Before spending more than 5 minutes on any SINGLE attack vector:
- Try the primary approach (e.g., 100 pwds via multicall)
- Try one lateral pivot (e.g., check open registration)
- Try one creative alternative (e.g., check CORS, Firebase, JS secrets)
If none worked in 3 distinct attempts, the vector is low-probability. Document what was tried and move on. Do NOT cycle back to the same vector with more of the same — find a qualitatively different angle.
Anti-Pattern: The Brute Force Trap
"Let me just try 100 more passwords..."
"Maybe I need a bigger wordlist..."
"Let me try one more round..."
🚫 STOP. If the first 100 targeted passwords didn't work, the next 10,000 won't either (for real-world passwords). Instead:
- Check if there's ANY authentication at all (CORS no-auth endpoints)
- Check if registration is open (create your own account)
- Check if the auth uses JWTs you can forge (alg=none, weak HMAC)
- Check if there's a different auth path (SSO, OAuth, SAML)
- Move on to a different target entirely
Pitfalls
- Don't skip Phase 1. Many critical findings come from passive recon (source leaks, GitHub SA keys).
- Don't spend more than 15 min on Phase 2. Quick filter is enough — save deep probing for Phase 6.
- OPSEC is not optional. Use proxy-ns or proxychains + Tor from the start. Never burn your source IP.
- .env is not always a finding. Verify content contains actual credentials (DB_, APP_KEY), not just SPA catch-all HTML.
- Document as you go. Don't wait until Phase 7 — you'll forget exact commands.
- Don't brute-force past the pivot trigger. 100 targeted passwords per vector is the max before lateralizing.
Verification
- Each phase has a clear exit criterion (e.g., "score >= 6 → escalate to Phase 6").
- Every finding must be reproducible with the exact command.
- All findings must pass the 7-question gate before reporting.