com um clique
pentest-playbook
7-phase pentest pipeline from passive recon to exploitation.
Instalar com Codex ou Claude Copie este prompt, cole no Codex, Claude ou outro assistente e deixe que ele revise a página da skill e instale para você.
Menu
7-phase pentest pipeline from passive recon to exploitation.
Instalar com Codex ou Claude Copie este prompt, cole no Codex, Claude ou outro assistente e deixe que ele revise a página da skill e instale para você.
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
4-phase pipeline for max findings per minute across batches.
| name | pentest-playbook |
| description | 7-phase pentest pipeline from passive recon to exploitation. |
| version | 1.1.0 |
| author | uphiago |
| license | MIT |
| metadata | {"tags":["meta","playbook","pentest","methodology","workflow"],"category":"meta","related_skills":["recon-playbook","port-mass-scan","cache-attack","firebase-supabase-attack","api-noauth-hunt"]} |
7-phase master pentest pipeline covering the full lifecycle from passive reconnaissance to exploitation and reporting. Distilled from 100+ targets across government, healthtech, fintech, e-commerce, ISP, and SMB sectors. This is the "meta-playbook" — it tells you what to do at each stage of an engagement and which skills to load for each phase.
| Phase | Name | Focus | Key Skills | Duration |
|---|---|---|---|---|
| 1 | Passive Recon | OSINT, subdomains, leaks, tech stack | subdomain-enumeration, offensive-osint | 30-60 min |
| 2 | Active Recon | Port scans, live hosts, tech detection | port-mass-scan, port-service-discovery, web2-recon | 30-60 min |
| 3 | Web Enumeration | Sensitive files, .env, CORS, JS secrets | web-enumeration, cors-credential-wordpress, js-secrets-extraction | 20-40 min |
| 4 | Framework Exploit | WordPress, Laravel, Spring, .NET | hunt-wordpress, hunt-laravel, hunt-springboot, hunt-aspnet | 30-60 min |
| 5 | Cloud & Infrastructure | Firebase, Supabase, S3, Cloud Functions | hunt-firebase, hunt-supabase, cloud-iam-deep | 30-60 min |
| 6 | Deep Exploitation | SQLi, SSRF, RCE, ATO, chains | hunt-sqli, hunt-ssrf, cross-attack-chains | 1-4 hours |
| 7 | Report & Remediation | Documentation, PoC, CVSS scoring | report-writing, triage-validation, evidence-hygiene | 1-3 hours |
# 1. Subdomain enumeration
subfinder -d target.com -silent | tee subs.txt
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' >> subs.txt
# 2. Tech stack detection via response headers
curl -sI "https://target.com" | grep -iE "server|x-powered-by|x-aspnet|x-generator|x-runtime"
# 3. Google dorks
# site:target.com filetype:env DB_PASSWORD
# site:target.com "-----BEGIN RSA PRIVATE KEY-----"
# 4. GitHub code search (SA keys, .env, credentials)
# See google-dorks-catalog skill for full list
# 1. Port scan (top 1000 ports)
rustscan -a target.com --ulimit 5000 -g | tee ports.txt
# 2. HTTP probe on alive hosts
cat subs.txt | httpx -silent -status-code -title -tech-detect | tee live.txt
# 3. CORS quick test
curl -skI "https://target.com/wp-json/wp/v2/users" -H "Origin: https://evil.com" | grep -i "access-control"
Run the full web-enumeration skill — 200+ sensitive file paths, .env extraction, path traversal bypass, vHost enum.
Load the relevant hunt-* skill based on detected framework:
hunt-wordpress + wp-mass-reconhunt-laravelhunt-springboothunt-aspnethunt-firebase (API key → Firestore → Storage)hunt-supabase (anon key → RLS bypass)cloud-iam-deep (SA key → GCP token → IAM policy)docker-privesc (if container access)Chain findings using cross-attack-chains skill. The 5 confirmed chains (A-E) turn individual Medium/High findings into Critical impact.
Use report-writing skill for bug bounty or redteam-report-template for client deliverables. Apply triage-validation 7-question gate before submitting.
When brute force / direct attacks aren't producing results, DO NOT persist — pivot to lateral discovery. This is the single most important judgment call in a pentest.
| Signal | Current Vector | Pivot To |
|---|---|---|
| 100+ passwords tested, zero hits | Brute force (login) | SSRF, CORS, subdomain enum, API discovery, source leak, open registration, Firebase/Supabase |
| All common creds fail on MySQL/SSH | Database/SSH brute | API discovery (port scan for HTTP services), JS bundle secrets, Firebase config, CORS exfil |
| WAF/403 on every payload | Web exploitation | CDN bypass (origin IP discovery), subdomain enum (staging/dev may lack WAF), API on non-standard ports, HTTP method/header tampering |
| rate limit / captcha / lockout | Auth brute | SameSite bypass, OAuth misconfig, MFA fatigue, password-reset poisoning, SSO token reuse |
| 401/403 on all API endpoints | API exploitation | OPTIONS preflight, method tampering (GET→POST, PUT→PATCH), content-type switching (JSON→XML→form), header injection (X-Forwarded-User, X-Original-URL), JWT alg=none |
| SPA returns same HTML for all paths | Path enumeration | Check API on other ports (8080, 8443, 3000, 5000, 8084), JS bundle route extraction, source maps, Firebase/Supabase, CORS exfil |
| No vulns found on main app | App exploitation | Sister apps (same IP/cert/headers → same code), subdomains, staging/dev instances, mobile APKs, CMS admin panels, forum/community software |
When a vector isn't paying off, systematically check these BEFORE declaring the target clean:
Before spending more than 5 minutes on any SINGLE attack vector:
If none worked in 3 distinct attempts, the vector is low-probability. Document what was tried and move on. Do NOT cycle back to the same vector with more of the same — find a qualitatively different angle.
"Let me just try 100 more passwords..."
"Maybe I need a bigger wordlist..."
"Let me try one more round..."
🚫 STOP. If the first 100 targeted passwords didn't work, the next 10,000 won't either (for real-world passwords). Instead: