
Comprehensive Pentest Reference.

Three-column reference combining a tooling catalog, a vulnerability-class checklist, and a per-service CVE matrix. The most concrete tooling reference in the index.

Default tool per task

  • Port discovery. nmap for accuracy; masscan first when the range is larger than a /22 (more than 1024 addresses) to bound runtime, then nmap -sV only on the hosts that answered.
  • Web content discovery. ffuf with a tuned wordlist (SecLists raft-large-* as the default), katana for routes only reachable through rendered JavaScript, waybackurls for historic paths.
  • Web vuln scan. nuclei with the public template tree, scoped (-tags / -t) to the fingerprinted tech stack. Never run the full tree blind: it is slow, noisy, and most of it cannot apply to the target.
  • Authentication abuse. hydra for service brute-force, kerbrute for AD username enumeration and password spraying, CrackMapExec (or its maintained fork NetExec) for SMB/LDAP/MSSQL. Read the domain password policy before spraying so you stay under the lockout threshold.
  • Web exploitation. Burp Suite for manual work; sqlmap only once an injection has been confirmed by hand, for extraction.
  • Post-exploitation. impacket suite (secretsdump, wmiexec, smbexec) from a Linux operator box; Rubeus for Kerberos abuse and SharpHound for AD path collection on Windows footholds.

Vulnerability classes worth memorizing

OWASP Top 10 covers the highest-volume classes. Classes the Top 10 names only as a broad category, or not at all, yet which recur in real engagements:

  • Untrusted deserialization. Java (ysoserial gadgets), .NET (ysoserial.net), Python pickle, PHP unserialize (phpggc gadget chains). A gadget chain only fires if the matching library is on the classpath, so enumerate dependencies before spraying payloads.
  • SSRF chains. Cloud metadata (169.254.169.254; on AWS, IMDSv2 needs a PUT to fetch a token first, so a GET-only SSRF is not enough, and Azure/GCP require a specific request header), internal Redis, gopher:// for protocol smuggling to services that speak line-oriented protocols.
  • JWT confusion. alg: none; an RS256 token re-signed as HS256 using the server's public key as the HMAC secret; a kid that is a path, so directory traversal points the verifier at a file of known content.
  • Race conditions. Single-packet attack: the server cannot dispatch a request until its full Content-Length body has arrived (RFC 7230 §3.3.3), so withhold the last byte of each of 20-30 requests and release them all in one TCP packet (HTTP/2) or with last-byte sync (HTTP/1.1). Business-logic windows around money movement, coupon redemption and one-time tokens are where it pays.
  • Server-side template injection. Jinja2, Twig, Velocity, FreeMarker. Identify the engine first (error text, whether {{7*7}} or ${7*7} evaluates), then switch to that engine's payload syntax; the syntaxes are not interchangeable.
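Two of the three JWT confusions above, shown as an added example that is not part of the original page and uses only the Python standard library: a verifier that trusts the token header (accepts alg:none, and joins the header's kid onto the key directory with no traversal check) beside one that pins the algorithm and resolves kid only through an allowlist. The RS256-to-HS256 case is the same root bug, trusting the header's alg, and is left out only because it needs an RSA library. The key directory layout, the robots.txt file with known content, and the kid value `app-2024` are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(header: dict, payload: dict, secret: Optional[bytes]) -> str:
    """Build a compact JWT; alg:none tokens carry an empty signature segment."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{h}.{p}."
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def setup_keys() -> str:
    """Constructed layout: <root>/keys/app.key (secret) and <root>/robots.txt (content the attacker knows)."""
    root = tempfile.mkdtemp()
    key_dir = os.path.join(root, "keys")
    os.mkdir(key_dir)
    with open(os.path.join(key_dir, "app.key"), "wb") as f:
        f.write(os.urandom(32))          # real signing secret, unknown to the attacker
    with open(os.path.join(root, "robots.txt"), "wb") as f:
        f.write(b"User-agent: *\n")      # attacker knows these bytes exactly
    return key_dir


def issue(claims: dict, key_dir: str, kid: str = "app-2024") -> str:
    """Legitimate issuer: HS256 with app.key; kid is whatever name the service uses."""
    with open(os.path.join(key_dir, "app.key"), "rb") as f:
        return make_jwt({"alg": "HS256", "typ": "JWT", "kid": kid}, claims, f.read())


def verify_vulnerable(token: str, key_dir: str) -> Optional[dict]:
    """Trusts the header: alg chooses the check, kid is joined onto the key directory unchecked."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":                                   # bug 1: unsigned token accepted
        return json.loads(b64url_decode(p))
    key_path = os.path.join(key_dir, header.get("kid", "app.key"))    # bug 2: kid traversal
    with open(key_path, "rb") as f:
        secret = f.read()
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, b64url_decode(s)) else None


ALLOWED_KIDS = {"app-2024": "app.key"}   # logical name -> file; the token never names a path


def verify_hardened(token: str, key_dir: str) -> Optional[dict]:
    """Pins the algorithm server-side and resolves kid only through the allowlist."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:                   # malformed token, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":     # the server decides the algorithm, not the token
        return None
    key_file = ALLOWED_KIDS.get(header.get("kid"))
    if key_file is None:
        return None
    with open(os.path.join(key_dir, key_file), "rb") as f:
        secret = f.read()
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def forge_alg_none(claims: dict) -> str:
    return make_jwt({"alg": "none", "typ": "JWT"}, claims, None)


def forge_kid_traversal(claims: dict) -> str:
    # ../robots.txt escapes the key directory; the server then HMACs with bytes we know
    return make_jwt({"alg": "HS256", "typ": "JWT", "kid": "../robots.txt"}, claims, b"User-agent: *\n")


if __name__ == "__main__":
    key_dir = setup_keys()
    admin = {"sub": "attacker", "role": "admin"}
    for name, tok in [("alg:none", forge_alg_none(admin)), ("kid traversal", forge_kid_traversal(admin))]:
        print(f"{name:14} vulnerable={verify_vulnerable(tok, key_dir)}  hardened={verify_hardened(tok, key_dir)}")
```

Both forgeries come back as an admin payload from `verify_vulnerable` and as `None` from `verify_hardened`, while a token issued with app.key still verifies in the hardened path. The two fixes are independent: pinning alg kills alg:none and the RS256/HS256 swap, the allowlist kills kid traversal; a verifier needs both.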

Banner → first-look CVE clusters

  • Apache HTTPD 2.4.49 and 2.4.50. CVE-2021-41773 path traversal in 2.4.49; the incomplete fix left CVE-2021-42013 in 2.4.50. Traversal only reaches directories not covered by the default `Require all denied`; it becomes RCE when mod_cgi is enabled and a cgi-bin directory is mapped.
  • Atlassian Confluence Server/Data Center. CVE-2022-26134 unauthenticated OGNL injection in every version up to and including 7.18.0; fixed in 7.18.1 and backported to 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4 and 7.17.4. Confluence Cloud is not affected.
  • Microsoft Exchange. ProxyShell (CVE-2021-34473 + 34523 + 31207) and ProxyNotShell (CVE-2022-41040 SSRF + CVE-2022-41082 RCE); ProxyNotShell needs valid credentials, so it is a post-auth chain.
  • VMware vCenter. Log4Shell (CVE-2021-44228) vectors on builds without the patch or workaround; vSphere Client plugin bugs, CVE-2021-21972 unauthenticated file upload to RCE and CVE-2021-21973 SSRF.
  • Citrix NetScaler ADC/Gateway. CVE-2023-3519 unauthenticated RCE, exploitable only when the appliance is configured as a Gateway (VPN vserver, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
  • Ivanti Connect Secure / Policy Secure. CVE-2023-46805 auth bypass chained with CVE-2024-21887 command injection for unauthenticated RCE.

Rule of thumb: Banner first, exploit second. Confirm the version, confirm the patch level (a distro-tagged banner can hide backported fixes), then choose the chain. Skipping the confirmation step is how testers fire exploits at hardened targets and get detected for nothing.
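The rule in code, as an added example that is not part of the page: a triage pass over nmap -sV style service lines (constructed here) that maps a banner to a first-look cluster only when the exact version is inside the affected set, rather than on a loose "less than" comparison. Two products from the matrix are encoded, Apache 2.4.49/2.4.50 and the Confluence fixed-version floors from Atlassian's advisory for CVE-2022-26134; the `MATCHERS` table is meant to be extended per product. Distribution-tagged banners are flagged for confirmation rather than scored, because distro packages backport fixes without bumping the version string.

```python
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]

# nmap -sV style service lines, constructed for this example
SAMPLE_BANNERS = [
    "80/tcp   open  http      Apache httpd 2.4.49 ((Unix))",
    "443/tcp  open  ssl/http  Apache httpd 2.4.50 ((Unix))",
    "8080/tcp open  http      Apache httpd 2.4.41 ((Ubuntu))",
    "8090/tcp open  http      Atlassian Confluence 7.13.6",
    "8091/tcp open  http      Atlassian Confluence 7.18.1",
    "8092/tcp open  http      Atlassian Confluence 7.12.0",
]

BANNER_RE = re.compile(
    r"^(?P<port>\d+)/tcp\s+open\s+\S+\s+"
    r"(?P<product>Apache httpd|Atlassian Confluence)\s+"
    r"(?P<version>\d+(?:\.\d+)+)(?P<extra>.*)$"
)
DISTRO_RE = re.compile(r"\((Ubuntu|Debian|Red Hat|CentOS|Rocky|AlmaLinux)\)")


def parse_version(s: str) -> Version:
    return tuple(int(x) for x in s.split("."))


def apache_cves(v: Version) -> List[str]:
    # CVE-2021-41773 hit 2.4.49 only; the incomplete fix, CVE-2021-42013, covers 2.4.49 and 2.4.50.
    # Anything else is outside the set, so a "< 2.4.50" rule would over-report.
    if v == (2, 4, 49):
        return ["CVE-2021-41773", "CVE-2021-42013"]
    if v == (2, 4, 50):
        return ["CVE-2021-42013"]
    return []


# Patch floors from the Atlassian advisory for CVE-2022-26134: (major, minor) -> first fixed patch level
CONFLUENCE_FIXED = {(7, 4): 17, (7, 13): 7, (7, 14): 3, (7, 15): 2, (7, 16): 4, (7, 17): 4, (7, 18): 1}


def confluence_cves(v: Version) -> List[str]:
    if v >= (7, 18, 1):
        return []
    floor = CONFLUENCE_FIXED.get(v[:2])
    patch = v[2] if len(v) > 2 else 0
    if floor is not None and patch >= floor:
        return []                      # maintained line, at or above its fix
    return ["CVE-2022-26134"]          # unfixed line (e.g. 7.12.x) or below the floor


MATCHERS: Dict[str, Callable[[Version], List[str]]] = {
    "Apache httpd": apache_cves,
    "Atlassian Confluence": confluence_cves,
}


def triage(lines: List[str]) -> List[dict]:
    """One finding per recognised banner: exact-version CVE hits plus what still needs confirming."""
    findings = []
    for line in lines:
        m = BANNER_RE.match(line)
        if not m:
            continue
        version = parse_version(m["version"])
        cves = MATCHERS[m["product"]](version)
        if DISTRO_RE.search(m["extra"]):
            note = "distro package: version string may hide backported fixes; confirm patch level"
        elif cves:
            note = "upstream version inside the affected set; confirm config, then choose the chain"
        else:
            note = "upstream version outside the affected set"
        findings.append({"port": int(m["port"]), "product": m["product"],
                         "version": m["version"], "cves": cves, "note": note})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_BANNERS):
        print(f"{f['port']:>5}  {f['product']} {f['version']:<8} {', '.join(f['cves']) or '-':<30} {f['note']}")
```

The point of encoding the exact affected set per product is visible on the Confluence lines: 7.13.6 and 7.12.0 are flagged while 7.18.1 is not, even though 7.12.0 is "newer" than the 7.4.17 fix. The note field is the confirmation step from the rule of thumb; nothing in the output is a licence to fire an exploit until the config (mod_cgi, Gateway vserver, and so on) has been checked as well.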
