FREE RESOURCE — NO CERT NEEDED

The Complete
Hacker's Methodology
From Recon to Root

Every phase. Every technique. Real tools. Zero fluff.

This is my actual study map — the same framework I used to go from zero to building real offensive security skills with no certs. 6 phases, 100+ techniques, all the tools that actually matter.

01 / RECONNAISSANCE 02 / ENUMERATION 03 / EXPLOITATION 04 / POST-EXPLOITATION 05 / LATERAL MOVEMENT 06 / PERSISTENCE

Get the full methodology — free.

Drop your email. The complete guide unlocks instantly on this page. No waiting. No PDF to download. Just the knowledge.

  • All 6 attack phases with real techniques and tools
  • 100+ offensive techniques mapped to MITRE ATT&CK
  • Key tools for each phase: Nmap, BloodHound, Mimikatz, and more
  • AD attack paths: Kerberoasting, DCSync, PetitPotam, Golden Tickets
  • Built from real grind — not recycled Medium posts
CHECK YOUR INBOX

We sent a confirmation link to . Click it to unlock the full methodology.

Don't see it? Check spam / promotions.

ACCESS GRANTED

Scroll down. The full methodology is yours.

PHASE 01
RECONNAISSANCE
OSINT Google Dorks GitHub Dorks Subdomain Enum Port Scanning ████████ ████████ ████
PHASE 02
ENUMERATION
FTP(21) SSH(22) SMB(445) MSSQL AD Enum ████████ ██████ ███████
PHASE 03
EXPLOITATION
SQLi XSS LFI/RFI SSTI ████████ ██████ ███████ ████
PHASE 04
POST-EXPLOITATION
SUID/GUID Sudo Abuse ████████ ██████ ███████ ████
PHASE 05
LATERAL MOVEMENT
Pass-the-Hash ████████ ██████ ███████ ████
PHASE 06
PERSISTENCE
████████ ██████ ███████ ████ ████████
✓   ACCESS GRANTED

The Complete Hacker's Methodology

Compiled from real notes, real labs, real failures. Built for people who actually do the work.
Bookmark this page. Reference it every session.

PHASE 01 RECONNAISSANCE 9 TECHNIQUES
// PASSIVE RECON
OSINT
MaltegoSpiderFoottheHarvester — email, employee, and infrastructure discovery from public sources
Google Dorking
site:filetype:inurl:intitle: — search engine operators to expose sensitive files and paths
GitHub Dorking
GitDorkertruffleHoggitleaks — find leaked API keys, creds, and source code
Subdomain Enumeration
amasssubfinderdnsxcrt.sh — passive subdomain discovery + takeover checks
IMINT / GEOINT
Google MapsShodanCensys — physical location, IP metadata, and satellite imagery analysis
Email Analysis
Email HeadersHunter.ioPhonebook.cz — analyze sender infrastructure, find employee emails
// ACTIVE RECON
Port Scanning
nmap -sV -sCmasscanrustscan — discover open ports, services, and versions
Network Scanning
nmap -snnetdiscoverarp-scan — live host discovery and network topology mapping
Cloud Info Gathering
cloud_enumS3ScannerGrayhatWarfare — exposed S3 buckets, Azure blobs, GCP storage
PHASE 02 ENUMERATION 15+ SERVICES
// SERVICE ENUMERATION
FTP (21)
nmap --script ftp-*anonymous login check — dangerous settings: anonymous access, writable dirs
SSH (22)
ssh-audithydra — key auth, weak ciphers, user enumeration via timing
SMTP (25/465/587)
VRFY / EXPNsmtp-user-enum — open relay check, user enumeration
SMB (139/445)
smbclientsmbmapenum4linux-ngrpcclient — null sessions, share listing, user enum
SNMP (161/162)
snmpwalkonesixtyonesnmpcheck — community string brute force, MIB dumping
MSSQL (1433)
impacket-mssqlclientsqsh — xp_cmdshell, linked servers, credential access
MySQL (3306)
mysql -u -pSQLMap — LOAD_FILE, INTO OUTFILE, schema enumeration
RDP (3389)
rdesktopxfreerdpnmap rdp-* — BlueKeep check, NLA enforcement, session hijacking
WinRM (5985/5986)
evil-winrmcrackmapexec — PowerShell remoting, lateral movement vector
// WEB ENUMERATION
Directory Fuzzing
ffufgobusterferoxbuster — discover hidden paths, backup files, admin panels
Subdomain / VHost Fuzzing
ffuf -H "Host: FUZZ"virtual host enumeration — find internal apps on shared hosts
Application Fingerprinting
WPScanjoomscanWappalyzer — CMS, framework, plugin version detection
Parameter Fuzzing
Arjunx8ffuf — find hidden GET/POST parameters for injection
// ACTIVE DIRECTORY ENUMERATION
User Enumeration
kerbruteenum4linuxnet user /domain — enumerate domain users without credentials
BloodHound
SharpHoundbloodhound-python — map AD attack paths, find shortest path to DA
PowerView
Get-DomainUserGet-DomainGroupFind-LocalAdminAccess — AD object enumeration from PowerShell
ACL Enumeration
BloodHound edgesdsaclsGet-ObjectAcl — find misconfigured permissions (WriteDACL, GenericAll)
PHASE 03 EXPLOITATION 30+ TECHNIQUES
// WEB APP ATTACKS
SQL Injection
SQLMapmanual UNIONboolean-blindtime-based — auth bypass, data dump, OS command via xp_cmdshell
XSS
ReflectedStoredDOM-basedXSSHunter — session hijacking, phishing via HTML injection
LFI / RFI
../etc/passwdphp://filterdata:// — read files, log poisoning → RCE, proc/self/environ
File Upload Attacks
MIME bypassdouble extensionnull byte — upload webshells, bypass extension filters
SSTI
{{7*7}} checkJinja2 RCEtplmap — server-side template injection to RCE on Flask/Django
XXE
ENTITY injectionSSRF via XXEBlind OOB — read local files, internal SSRF via XML parsers
IDOR
Burp Suiteparameter tampering — access other users' data by manipulating IDs
Command Injection
; | && ||filter bypassIFS bypass — inject OS commands through unsanitized input fields
SSRF
169.254.169.254gopher://Redis SSRF — access internal cloud metadata, internal services
CSRF
missing token checkSameSite bypass — force authenticated actions on behalf of victim
// ACTIVE DIRECTORY ATTACKS
Kerberoasting
GetUserSPNs.pyRubeushashcat -m 13100 — request TGS for SPN accounts, crack offline
AS-REP Roasting
GetNPUsers.pyRubeus asreproast — target accounts with no pre-auth required
DCSync
Mimikatz lsadump::dcsyncsecretsdump.py — dump all domain hashes by mimicking DC replication
Golden Tickets
Mimikatz kerberos::goldenkrbtgt hash — forge TGTs for any account, persistent domain access
PetitPotam
PetitPotam.pyntlmrelayxADCS — coerce DC auth, relay to ADCS, get DC cert
PrintNightmare
CVE-2021-1675SharpPrintNightmare — Print Spooler RCE → SYSTEM on unpatched DCs
ACL Abuse
GenericAllWriteDACLForceChangePassword — abuse misconfigured ACEs to take over accounts
Password Spraying
kerbruteCrackMapExecSpray — single password against many users, avoid lockout
// BINARY EXPLOITATION
Stack Buffer Overflow (32-bit)
EIP overwritemona.pymsf pattern_create — control EIP, find bad chars, jump to shellcode
ret2libc / ROP Chaining
ROPgadgetpwntoolsropper — bypass NX/DEP, chain gadgets, call system()
SEH Overflow
!mona sehpop pop ret — structured exception handler overwrite technique
PHASE 04 POST-EXPLOITATION 20+ TECHNIQUES
// LINUX PRIVILEGE ESCALATION
SUID / GUID Abuse
find / -perm -4000GTFOBins — exploit SUID binaries to escalate to root
Sudo Abuse
sudo -lLD_PRELOADLD_LIBRARY_PATH — exploit allowed sudo commands and env hijacking
Cronjob Abuse
crontab -l/etc/cron*pspy — hijack scheduled scripts running as root
Linux Capabilities
getcap -r / 2>/dev/nullcap_setuid — abuse kernel capabilities set on binaries
Docker Group
docker run -v /:/mntbreakout techniques — mount host filesystem via docker socket
PATH Abuse
echo $PATHwritable dir in PATH — drop malicious binary in writable PATH location
Credential Hunting
grep -r password~/.bash_historyproc/*/environ — find creds in files, memory, bash history
// WINDOWS PRIVILEGE ESCALATION
SeImpersonate
PrintSpooferJuicyPotatoGodPotato — impersonate SYSTEM from service account
Token Manipulation
Mimikatz token::elevateIncognito — steal and impersonate tokens from other processes
AlwaysInstallElevated
reg query HKCU\...\Installermsfvenom .msi — install MSI packages as SYSTEM
Unquoted Service Path
wmic service getPowerUp.ps1 — place malicious binary in unquoted path location
Credential Dumping
Mimikatz sekurlsa::logonpasswordssecretsdumpprocdump LSASS — dump plaintext creds and hashes from memory
SAM / LSA / NTDS
reg save HKLM\SAMesentutlvssadmin shadow — dump local and domain hashes from registry/disk
PHASE 05 LATERAL MOVEMENT 12 TECHNIQUES
Pass-the-Hash
impacket-wmiexeccrackmapexecevil-winrm — authenticate with NTLM hash, no plaintext password needed
WinRM Lateral Movement
evil-winrm -i IP -u user -p pass — remote PowerShell sessions to other machines
WMI Lateral Movement
wmiexec.pyInvoke-WMIMethod — execute commands remotely via WMI (stealthy)
PsExec
impacket-psexecSysinternals PsExec — interactive SYSTEM shell on remote host via SMB
RDP Hijacking
tscontscon SESSION_ID /dest:DEST — take over disconnected RDP sessions without creds
DCOM Lateral Movement
MMC20.ApplicationShellWindowsShellBrowserWindow — execute code via COM objects remotely
SMB Relaying
ntlmrelayx.pyResponderSMB signing OFF — relay captured NTLM auth to other machines
SSH Tunneling
ssh -L / -R / -Dchiselligolo-ng — pivot through firewalls via SSH port forwarding
NetNTLMv2 Relay
Responderntlmrelayxhashcat -m 5600 — capture and relay/crack NTLMv2 hashes
PHASE 06 PERSISTENCE & EXFILTRATION 15 TECHNIQUES
// PERSISTENCE
Scheduled Tasks
schtasks /createWMI Event Subscription — run malicious payload on schedule or trigger
DLL Hijacking / Proxying
Process MonitorProcmon filter: NAME NOT FOUND — replace DLL searched-but-missing by a legit app
COM Hijacking
HKCU\Software\Classes\CLSIDProcess Monitor — override COM object lookup in user-writable registry hive
Registry Autorun
HKCU\...\RunHKLM\...\Run — add entry to run payload on every login
WMI Event Subscription
__EventFilterCommandLineEventConsumer — trigger payload on system events, survives reboot
PowerShell Profile
$PROFILEMicrosoft.PowerShell_profile.ps1 — execute code whenever PowerShell is launched
Backdooring AdminSDHolder
AdminSDHolder ACESDProp propagation — persistence on privileged AD accounts via ACL inheritance
Golden Ticket (AD Persistence)
krbtgt hashMimikatz kerberos::golden — forge valid TGTs indefinitely even after password change
// EXFILTRATION
DNS Exfiltration
Invoke-PowerClouddnscat2iodine — tunnel data out via DNS queries, bypasses egress filters
HTTP/S Forwarding
iptables redirectorssocatnginx relay — chain traffic through redirectors to hide C2 origin
File Transfer (Linux)
wget / curlbase64 encodeSCPPython HTTP server — move files in and out of target environment
Nmap
Port scanning, service detection, NSE scripts
Metasploit
Exploit framework, payloads, post modules
Mimikatz
Credential dumping, pass-the-hash, golden tickets
BloodHound
AD attack path mapping, privilege escalation paths
Responder
LLMNR/NBT-NS poisoning, hash capture
impacket
PsExec, secretsdump, GetSPNs, relay attacks
CrackMapExec
Mass enumeration, spray, lateral movement
Burp Suite
Web app testing, intercepting proxy, scanner
ffuf / gobuster
Directory/subdomain/parameter fuzzing
SQLMap
Automated SQL injection detection and exploitation
Cobalt Strike
C2 framework, Beacon payloads, teamserver
PowerShell Empire
Post-exploitation framework, PowerShell C2
SpiderFoot
Automated OSINT, attack surface mapping
Rubeus
Kerberos abuse, ticket manipulation, roasting
hashcat / JtR
Password cracking, hash recovery
pwntools
Binary exploitation, CTF framework, ROP
Want the full technical notes behind this methodology? I publish cybersecurity articles on Substack — breaking down each of these techniques the way I actually learned them.
READ THE SUBSTACK → VIEW FULL GITBOOK
// CYBERSECURITY
Bro to Bro book
Bro to Bro
A teen's way into cybersecurity
Stuck and don't know where to start? This is the peer-to-peer guide for teens looking for a way in — how to build your life and transition into a cybersecurity career from zero. Real talk, no gatekeeping.
READ FREE →
// CODING FOR KIDS & EDUCATORS
// FOLLOW THE BUILD