Pentesting

April 22, 2026 · View on GitHub

Penetration testing tricks, cheat sheets and offensive tools
by @kmkz · boffsec-services.com · @kmkz_security


Interactive Kill Chain Map

-> Kill Chain Map

Full offensive kill chain -- Initial Access, Persistence, Lateral Movement, Post-Exploitation,
Defense Evasion and Payload Delivery -- with commands. Open in browser, no dependencies.


Cheat Sheets

Pentest-Cheat-Sheet

General pentesting methodology and field-tested commands.

SectionCoverage
Shell obtainingNetcat, hping3, SNMP, man GTFObin
SQL InjectionUNION-based, blind, sqlmap (Tor + WAF bypass)
FirewalkTCP source port fixation, nmap firewalk script
WirelessWPA/WPA2, PMKID attack (clientless), hashcat cracking
MSF modulesPost-exploitation, credential gathering, pivoting
Windows BoFGadget finding (mona), EIP control, shellcode delivery
Brute-forceRDP (ncrack), SSH (hydra), .htaccess (medusa)
Web attacksXSS, LFI->RCE, webshell, stored XSS via exiftool
Hash captureImpacket fake SMB server, whois exfiltration
AD reconManual TTP - nltest, net group, EntraID/Azure check
LolbinsGTFO/LOLBAS refs, sxstrace NTLM hash exfil

Payload-Delivery-Cheat-Sheet

Windows payload delivery techniques for initial access.

SectionCoverage
File transferxxd hex dump/restore, bitsadmin, PowerShell wget
DDE / CSV injectionWord, Excel, Outlook, Chrome via DDEAUTO
Base64 droppersUnicode encoding, exe-to-b64, in-memory decode
AMSI bypassNon-patched Win10, updated Win10 (SetValue NULL)
PS deliveryIEX webclient, COM objects (IE, Msxml2, WinHttp), DNS TXT
XSL executionWMIC /format for AppLocker bypass
Proxy-aware AWL bypasscertutil dropper + msbuild indirect exec

Post-Exploitation-Cheat-Sheet

Post-exploitation, pivoting and lateral movement techniques.

Defenses-Evasion-Cheat-Sheet

Defense evasion, AV/EDR bypass and logging suppression techniques.


AV Evasion

Scripts and techniques to bypass antivirus and EDR solutions.

-> AV_Evasion/

FileDescription
AMSI-Bypass.ps1AMSI bypass via PowerShell reflection

Payload Delivery - Hardware

FileDescription
RubberDucky-howtoRubber Ducky setup and payload writing guide
DuckyPayloads/Ready-to-use Rubber Ducky payloads

Tools

FileLanguageDescription
Intelx_LeakFinder.pyPythonLeak hunting via IntelX API
preg_rep_webshell.phpPHPWebshell using preg_replace /e flag

Repository structure

Pentesting/
    killchain-map.html
    CheatSheets/
        Pentest-Cheat-Sheet
        Post-Exploitation-Cheat-Sheet
        Payload-Delivery-Cheat-Sheet
        Defenses-Evasion-Cheat-Sheet
    AV_Evasion/
    DuckyPayloads/
    Hardware/
        RubberDucky-howto
    Tools/
        AMSI-Bypass.ps1
        Intelx_LeakFinder.py
        preg_rep_webshell.php
    README.md


For professional engagements: boffsec-services.com