7-phase pentest pipeline from passive recon to exploitation.
Install with the open skills CLI (global, non-interactive — available in every Claude Code session):
npx skills add uphiago/recon-skills --skill "pentest-playbook" -g -a claude-code -yOr manually — copy the SKILL.md below into:
~/.claude/skills/pentest-playbook/SKILL.md---
name: pentest-playbook
description: 7-phase pentest pipeline from passive recon to exploitation.
version: 1.1.0
author: uphiago
license: MIT
metadata:
tags: [meta, playbook, pentest, methodology, workflow]
category: meta
related_skills:
- recon-playbook
- port-mass-scan
- cache-attack
- firebase-supabase-attack
- api-noauth-hunt
---
# Pentest Playbook Skill
7-phase master pentest pipeline covering the full lifecycle from passive reconnaissance to exploitation and reporting. Distilled from 100+ targets across government, healthtech, fintech, e-commerce, ISP, and SMB sectors. This is the "meta-playbook" — it tells you what to do at each stage of an engagement and which skills to load for each phase.
## When to Use
- Starting a new pentest engagement with an unknown target.
- You need the canonical workflow for any type of target.
- After surface recon — this playbook tells you what to do next.
- Training — understand the full lifecycle of a professional pentest.
## The 7-Phase Pipeline
| Phase | Name | Focus | Key Skills | Duration |
|-------|------|-------|------------|----------|
| 1 | Passive Recon | OSINT, subdomains, leaks, tech stack | subdomain-enumeration, offensive-osint | 30-60 min |
| 2 | Active Recon | Port scans, live hosts, tech detection | port-mass-scan, port-service-discovery, web2-recon | 30-60 min |
| 3 | Web Enumeration | Sensitive files, .env, CORS, JS secrets | web-enumeration, cors-credential-wordpress, js-secrets-extraction | 20-40 min |
| 4 | Framework Exploit | WordPress, Laravel, Spring, .NET | hunt-wordpress, hunt-laravel, hunt-springboot, hunt-aspnet | 30-60 min |
| 5 | Cloud & Infrastructure | Firebase, Supabase, S3, Cloud Functions | hunt-firebase, hunt-supabase, cloud-iam-deep | 30-60 min |
| 6 | Deep Exploitation | SQLi, SSRF, RCE, ATO, chains | hunt-sqli, hunt-ssrf, cross-attack-chains | 1-4 hours |
| 7 | Report & Remediation | Documentation, PoC, CVSS scoring | report-writing, triage-validation, evidence-hygiene | 1-3 hours |
## Per-Phase Procedure
### Phase 1 — Passive Recon
```bash
# 1. Subdomain enumeration
subfinder -d target.com -silent | tee subs.txt
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' >> subs.txt
# 2. Tech stack detection via response headers
curl -sI "https://target.com" | grep -iE "server|x-powered-by|x-aspnet|x-generator|x-runtime"
# 3. Google dorks
# site:target.com filetype:env DB_PASSWORD
# site:target.com "-----BEGIN RSA PRIVATE KEY-----"
# 4. GitHub code search (SA keys, .env, credentials)
# See google-dorks-catalog skill for full list
```
### Phase 2 — Active Recon
```bash
# 1. Port scan (top 1000 ports)
rustscan -a target.com --ulimit 5000 -g | tee ports.txt
# 2. HTTP probe on alive hosts
cat subs.txt | httpx -silent -status-code -title -tech-detect | tee live.txt
# 3. CORS quick test
curl -skI "https://target.com/wp-json/wp/v2/users" -H "Origin: https://evil.com" | grep -i "access-control"
```
### Phase 3 — Web Enumeration
Run the full `web-enumeration` skill — 200+ sensitive file paths, .env extraction, path traversal bypass, vHost enum.
### Phase 4 — Framework Exploitation
Load the relevant hunt-* skill based on detected framework:
- WordPress: `hunt-wordpress` + `wp-mass-recon`
- Laravel: `hunt-laravel`
- Spring Boot: `hunt-springboot`
- ASP.NET: `hunt-aspnet`
### Phase 5 — Cloud & Infrastructure
- Firebase: `hunt-firebase` (API key → Firestore → Storage)
- Supabase: `hunt-supabase` (anon key → RLS bypass)
- Cloud IAM: `cloud-iam-deep` (SA key → GCP token → IAM policy)
- Docker: `docker-privesc` (if container access)
### Phase 6 — Deep Exploitation
Chain findings using `cross-attack-chains` skill. The 5 confirmed chains (A-E) turn individual Medium/High findings into Critical impact.
### Phase 7 — Report
Use `report-writing` skill for bug bounty or `redteam-report-template` for client deliverables. Apply `triage-validation` 7-question gate before submitting.
## Lateral Pivot Decision Points (Critical Methodology)
**When brute force / direct attacks aren't producing results, DO NOT persist — pivot to lateral discovery.** This is the single most important judgment call in a pentest.
### Pivot Triggers — Know When to Switch Vectors
| Signal | Current Vector | Pivot To |
|--------|---------------|----------|
| 100+ passwords tested, zero hits | Brute force (login) | SSRF, CORS, subdomain enum, API discovery, source leak, open registration, Firebase/Supabase |
| All common creds fail on MySQL/SSH | Database/SSH brute | API discovery (port scan for HTTP services), JS bundle secrets, Firebase config, CORS exfil |
| WAF/403 on every payload | Web exploitation | CDN bypass (origin IP discovery), subdomain enum (staging/dev may lack WAF), API on non-standard ports, HTTP method/header tampering |
| rate limit / captcha / lockout | Auth brute | SameSite bypass, OAuth misconfig, MFA fatigue, password-reset poisoning, SSO token reuse |
| 401/403 on all API endpoints | API exploitation | OPTIONS preflight, method tampering (GET→POST, PUT→PATCH), content-type switching (JSON→XML→form), header injection (X-Forwarded-User, X-Original-URL), JWT alg=none |
| SPA returns same HTML for all paths | Path enumeration | Check API on other ports (8080, 8443, 3000, 5000, 8084), JS bundle route extraction, source maps, Firebase/Supabase, CORS exfil |
| No vulns found on main app | App exploitation | Sister apps (same IP/cert/headers → same code), subdomains, staging/dev instances, mobile APKs, CMS admin panels, forum/community software |
### Lateral Discovery Checklist (run this when stuck)
When a vector isn't paying off, systematically check these BEFORE declaring the target clean:
1. **Ports beyond top-20** — nmap -p- on critical targets, masscan on /24 ranges
2. **Non-standard API ports** — 8080, 8081, 8084, 8443, 3000, 5000, 9090, 9000
3. **Subdomains** — subfinder + crt.sh (staging, dev, admin, api, mail, cpanel, shop)
4. **JS bundle secrets** — Firebase API keys, AWS/GCP credentials, internal endpoints, JWTs
5. **Open registration** — wp-login.php?action=register, /signup, /register endpoints
6. **CORS exfiltration** — ACAO reflection + ACAC:true = browser-readable data from authenticated victims
7. **Firebase / Supabase** — API key in JS → anonymous auth → Firestore/RTDB read
8. **Error logs** — /error_log, /debug.log, /wp-content/debug.log (often 1MB+ of paths, SQL, creds)
9. **Source code leaks** — .git/HEAD, .env, sitemap.xml, robots.txt disallow paths, source maps
10. **Sister-app sweep** — same IP / cert / headers → same vulnerable code template on other paths
### The 3-Attempt Rule
Before spending more than 5 minutes on any SINGLE attack vector:
1. Try the primary approach (e.g., 100 pwds via multicall)
2. Try one lateral pivot (e.g., check open registration)
3. Try one creative alternative (e.g., check CORS, Firebase, JS secrets)
If none worked in 3 distinct attempts, **the vector is low-probability**. Document what was tried and move on. Do NOT cycle back to the same vector with more of the same — find a qualitatively different angle.
### Anti-Pattern: The Brute Force Trap
```
"Let me just try 100 more passwords..."
"Maybe I need a bigger wordlist..."
"Let me try one more round..."
```
🚫 **STOP.** If the first 100 targeted passwords didn't work, the next 10,000 won't either (for real-world passwords). Instead:
- Check if there's ANY authentication at all (CORS no-auth endpoints)
- Check if registration is open (create your own account)
- Check if the auth uses JWTs you can forge (alg=none, weak HMAC)
- Check if there's a different auth path (SSO, OAuth, SAML)
- Move on to a different target entirely
## Pitfalls
- **Don't skip Phase 1.** Many critical findings come from passive recon (source leaks, GitHub SA keys).
- **Don't spend more than 15 min on Phase 2.** Quick filter is enough — save deep probing for Phase 6.
- **OPSEC is not optional.** Use proxy-ns or proxychains + Tor from the start. Never burn your source IP.
- **.env is not always a finding.** Verify content contains actual credentials (DB_, APP_KEY), not just SPA catch-all HTML.
- **Document as you go.** Don't wait until Phase 7 — you'll forget exact commands.
- **Don't brute-force past the pivot trigger.** 100 targeted passwords per vector is the max before lateralizing.
## Verification
- Each phase has a clear exit criterion (e.g., "score >= 6 → escalate to Phase 6").
- Every finding must be reproducible with the exact command.
- All findings must pass the 7-question gate before reporting.
Use when facing 2+ independent tasks that can be worked on without shared state or sequential dependencies
Use when encountering any bug, test failure, or unexpected behavior, before proposing fixes
Use when implementing any feature or bugfix, before writing implementation code