Hands-on technical labs with step-by-step instructions. Organised by learning path from beginner to expert.
Set up your Kali VM, configure tools, and prepare your hacking lab environment.
Host discovery, port scanning, service detection, OS fingerprinting, and NSE scripts.
Capture, filter, and dissect network traffic to understand protocols.
Netcat as a network Swiss army knife β listeners, file transfer, reverse shells.
Socket programming, subprocess, file I/O, and building basic automation tools.
Build a DNS reconnaissance tool from scratch in Python.
Move files between machines using HTTP, FTP, SCP, SMB, and base64 encoding.
End-to-end passive recon on a target: DNS, WHOIS, Shodan, theHarvester.
Banner grabbing and service enumeration across FTP, SSH, SMTP, SMB, and HTTP.
Online password attacks against SSH, FTP, HTTP forms, and RDP with Hydra.
Crack NTLM, SHA1, and bcrypt hashes offline using hashcat and John the Ripper.
msfconsole, searching modules, setting options, running exploits, and Meterpreter.
Bash, Python, PHP, PowerShell, and Meterpreter reverse shells with netcat handlers.
Linux and Windows privesc fundamentals using linpeas, winpeas, and manual methods.
Pass-the-Hash, credential dumping with Mimikatz, and password spray techniques.
Intercept, modify, and replay HTTP requests using Burp Suite Community Edition.
Directory busting, technology fingerprinting, and web attack surface mapping.
Fast directory, parameter, and vhost fuzzing with ffuf and SecLists.
Error-based, union-based, and basic SQLi with manual exploitation.
Second-order SQLi, stored procedures, and WAF bypass techniques.
Boolean-based and time-based blind SQLi with sqlmap and manual methods.
MongoDB operator injection, authentication bypass, and data extraction.
OS command injection via semicolons, pipes, and backticks with filter bypass.
Exploit XML XPath and LDAP directory injection vulnerabilities.
Reflected, stored, and DOM-based XSS with cookie theft and keylogger payloads.
XSS chaining, CSP bypass, CSRF token theft, and SameSite attribute bypass.
Session fixation, prediction, and authentication logic flaws.
2FA bypass, brute force protection bypass, and credential stuffing.
IDOR via predictable IDs, GUIDs, and horizontal vs vertical privilege escalation.
Bypass extension filters, MIME type checks, and upload webshells.
Path traversal, null byte injection, PHP wrappers, and remote file inclusion.
alg:none bypass, RS256βHS256 confusion, JWT cracking, and OAuth code theft.
Internal service access, cloud metadata exploitation, and SSRF filter bypasses.
Detect and exploit Jinja2, Twig, and Freemarker SSTI for RCE.
CL.TE and TE.CL desync attacks to bypass front-end security controls.
Java, PHP, and Python deserialization gadget chains for RCE.
CORS, caching, host header injection, and HTTP/2 downgrade attacks.
Advanced SSRF chains, XXE, and server-side prototype pollution.
XXE external entity injection, blind XXE via OOB, and mass IDOR testing.
Enumerate dangling DNS, claim GitHub Pages and S3 buckets, exploit cookie scope.
REST API enumeration, BOLA, mass assignment, and API-specific fuzzing.
Introspection abuse, batching attacks, and GraphQL injection.
Unpack obfuscated JS, extract hidden endpoints, and reverse client-side logic.
Prototype pollution, web cache poisoning, and client-side path traversal.
Code review-driven RCE finding in PHP, Python, and Java web applications.
WPScan, plugin CVEs, theme RCE, XML-RPC abuse, and brute force.
Enumerate SMB shares, null sessions, and users with enum4linux and smbclient.
AD enumeration with net commands, PowerShell, and LDAP queries.
ldapsearch, windapsearch, and manual LDAP queries to map AD structure.
PowerView functions for enumerating users, groups, ACLs, and SPNs.
SharpHound collection, BloodHound graph analysis, and finding attack paths.
Kerberoasting, ASREPRoasting, Pass-the-Ticket, and Golden/Silver tickets.
Responder, NTLMrelayx, and relay chains for credential capture and relay.
Services, tokens, registry, DLL hijacking, and AlwaysInstallElevated.
SID history injection, foreign principal abuse, and cross-forest attacks.
GenericAll, WriteDACL, GenericWrite, and AddMember for privesc.
ESC1βESC8 ADCS misconfigurations for certificate-based domain compromise.
CME for SMB enumeration, credential testing, and lateral movement.
PSExec, WMI, WinRM, DCOM, and token impersonation for lateral movement.
Linked server abuse, MSSQL xp_cmdshell, Exchange privilege escalation.
WMI for persistence, lateral movement, and stealthy code execution.
Full attack chain from external foothold to domain admin in a lab network.
Deploy and operate the Sliver C2 framework for red team engagements.
AMSI bypass, PowerShell logging bypass, and process injection methods.
AppLocker rule bypass via trusted paths, DLL side-loading, and COM objects.
Proxychains, SSH tunneling, Chisel, and Ligolo for network pivoting.
Build process compromise, dependency confusion, and package hijacking.
Work a realistic alert queue: classify, investigate, and escalate findings.
Write SPL queries, build dashboards, and create detection rules in Splunk.
Key event IDs for logon, process creation, lateral movement, and privilege use.
Hypothesis-driven hunting in Elastic/Kibana using KQL and EQL.
Write YARA malware signatures and Sigma detection rules for SIEM platforms.
Snort/Suricata rule writing, tuning, and evasion-aware detection.
UEBA concepts, detecting insider threats, and anomalous account activity.
Detect DLL injection, process hollowing, and reflective injection in EDR logs.
Disk acquisition, filesystem timeline, log analysis, and bash history forensics.
Analyse infected memory dumps: find malware, C2 IPs, injected code, and creds.
Analyse malicious Office documents, PDFs, and macros with olevba and remnux.
Attack and detect common Windows attack patterns in a paired lab environment.
Classic stack overflow: control EIP/RIP, find bad chars, and deliver shellcode.
Full 32-bit Windows stack overflow with mona.py and custom shellcode.
Structured Exception Handler overflow exploitation with POP/POP/RET chains.
Egghunter technique for small buffer spaces and custom shellcode writing.
Dynamic binary analysis with WinDBG, setting breakpoints, and inspecting memory.
Bypass NX/DEP with ROP gadget chains, ret2libc, and ASLR defeat via info leaks.
Heap spray, use-after-free, and Windows heap internals for exploitation.
AFL++, libFuzzer, and coverage-guided fuzzing to discover binary vulnerabilities.
Read stack memory, leak canaries, and perform arbitrary writes with %n.
ptrace-based injection, LD_PRELOAD abuse, and /proc/mem manipulation.
Monitor mode, packet capture, deauth attacks, and WPA2 handshake cracking.
Capture 4-way handshake and crack with hashcat GPU-accelerated wordlists.
IV collection and statistical WEP key recovery with aircrack-ng.
Dragonblood side-channel attacks and WPA3 transition mode weaknesses.
Reaver and Bully WPS PIN brute force against vulnerable routers.
hostapd-wpe captive portal, SSL strip, and credential capture via rogue AP.
MAC spoofing, DNS tunnelling, and other captive portal evasion techniques.
BLE scanning, GATT attribute enumeration, and Bluetooth relay attacks.
APK decompilation, manifest review, jadx, and secret extraction.
Frida hooking, SSL unpinning, and runtime method tracing on Android.
Analyse an Android malware sample: C2 extraction, permissions, and indicators.
Enumerate AWS with compromised keys: IAM, S3, EC2, Lambda, and Secrets Manager.
Socket abuse, privileged mode, CAP_SYS_ADMIN cgroup escape, and runc CVE.
IP addressing, CIDR notation, and subnet calculation practice.
Configure VLANs, trunk ports, and inter-VLAN routing on Cisco switches.
STP operation, root bridge election, and port states.
Configure and verify EIGRP routing including neighbour adjacency and metrics.
OSPF areas, DR/BDR election, and route summarisation.
Standard, extended, and named ACLs for network traffic filtering.
Configure static NAT, dynamic NAT, and PAT overload.
Static route configuration, floating routes, and troubleshooting.
Configure port security, sticky MAC addresses, and violation modes.
IPv6 addressing, EUI-64, SLAAC, and dual-stack configuration.
Cisco IOS DHCP server and relay agent configuration.
Direct and indirect prompt injection to hijack LLM behaviour and extract data.
Jailbreaks, content filter bypass, and adversarial inputs against AI systems.
Craft adversarial examples to evade image classifiers and NLP security models.
Use LLMs to speed up recon, payload generation, and vulnerability analysis.
Backdoor injection in training data and model supply chain attacks.