Active Directory penetration testing — BloodHound enumeration, Kerberoasting, AS-REP Roasting, lateral movement, DCSync, Pass-the-Hash, domain privilege escalation. Use when target network has Windows domain controllers.
Cloud security testing — AWS/Azure/GCP asset discovery, S3 public bucket enumeration, SSRF-to-metadata credential theft, IAM abuse, Kubernetes/container escape, secret scanning in repos, and automated misconfiguration auditing for authorized engagements.
Automated CVE and misconfiguration scanning using Nuclei — Project Discovery's template-based vulnerability scanner. Covers 10,000+ CVEs, misconfigurations, exposed panels, default credentials, and more. Combine with nmap for full coverage.
Email security testing — SMTP relay, open relay detection, user enumeration via VRFY/RCPT/EXPN, SPF/DKIM/DMARC auditing, email spoofing tests, IMAP/POP3 brute force, phishing simulation setup, and mail server misconfiguration for authorized engagements.
Exploitation tool reference covering Metasploit Framework (msfconsole, msfvenom), searchsploit (ExploitDB), and on-demand tools (crackmapexec/netexec, impacket, evil-winrm, responder, BeEF, SET). Use during the exploitation phase of a penetration test after vulnerabilities have been identified.
Network analysis, traffic capture, and MITM tool reference. Covers tshark/tcpdump (packet capture), hping3 (packet crafting), netcat/socat (connections), and on-demand tools (bettercap, ettercap, responder). Use for network traffic analysis, protocol inspection, and man-in-the-middle testing.
Passive OSINT (Open-Source Intelligence) gathering — domain enumeration, subdomain discovery, email harvesting, DNS analysis, WHOIS, Shodan queries, infrastructure mapping. Used at the START of every engagement.
Password attack tool reference covering hydra (network brute-forcing), john the ripper (hash cracking), hashcat (GPU-accelerated cracking), and supporting tools (cewl, crunch, hash-identifier). Use during authentication testing and credential attacks in a penetration test.