Overview
The best way to stop an attacker is to think like one. This by-example guide teaches offensive security techniques through annotated tool output and attack scenarios — built for software engineers who want to understand what their code looks like from the attacker's side.
Ethical Use Notice: All examples are for authorized penetration testing, CTF competitions, lab environments, and defensive understanding only. Never apply offensive techniques against systems without explicit written authorization.
Why Software Engineers Need This
You write APIs, authentication systems, file upload handlers, and database queries. Each one is a potential attack surface. When you understand how attackers exploit these systems — the exact commands, tool output, and thought process — you write more defensively from day one.
This track uses only legal, lab-based environments (HackTheBox, TryHackMe, local VMs). You do not need a security certification or prior penetration testing experience. You need a terminal, curiosity, and a legal lab environment.
What Is Red Team By-Example Learning?
Red team by-example learning is a technique-first approach where you learn through annotated tool output, scripts, and adversary playbooks rather than abstract theory. Each example shows:
- What it does — annotated tool output documenting each step of the attack chain
- Why it works — the vulnerability or misconfiguration being exploited and the underlying mechanism
- When to use it — which phase of an engagement this technique applies to
- Detection surface — what artifacts the technique leaves for defenders to catch
Learning Progression
| Level | Engineer Context | What You Learn |
|---|---|---|
| Beginner | "I want to understand recon and scanning" | Passive OSINT, nmap, service enumeration, basic web scanning |
| Intermediate | "I want to understand exploitation" | SQLi, XSS, shell access, privilege escalation, lateral movement |
| Advanced | "I want to understand APT-level techniques" | AV evasion, C2, AD attacks, full-chain scenarios |
Start at Beginner even if you are an experienced engineer. The recon and enumeration examples build mental models that the exploitation examples depend on.
Coverage
What Is Covered
- Reconnaissance — passive OSINT, active scanning, service enumeration, network mapping
- Initial access — exploitation of common vulnerabilities, phishing simulation, credential attacks
- Execution and persistence — shell payloads, scheduled tasks, startup persistence mechanisms
- Privilege escalation — local privilege escalation on Linux and Windows
- Lateral movement — credential reuse, pass-the-hash, pivoting techniques
- Exfiltration simulation — data staging, covert channel basics
- Post-exploitation — situational awareness, credential dumping, living-off-the-land binaries
What Is Not Covered
- Defensive detection and response (see Blue Team by Example)
- Strategic risk management and governance (see CISO by Example)
- General IT security hardening (see IT Security by Example)
Prerequisites
- Comfort with a Linux terminal (you can run commands and read output)
- Basic understanding of HTTP, TCP ports, and DNS (you know what a web server is)
- Access to a legal lab: HackTheBox, TryHackMe, or a local VM
No security certification or prior penetration testing experience required.
Structure of Each Example
Every example follows a consistent five-part format:
- What This Covers — the technique and its place in the attack chain (2-3 sentences)
- Scenario — lab environment, authorized engagement context, and assumed access level
- Annotated Tool Output or Script — commands and output with inline comments explaining each step, what it reveals, and what a defender would see
- Key Takeaway — the core offensive insight and its defensive implication (1-2 sentences)
- Why It Matters — production relevance for attackers and defenders (50-100 words)
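To make the five-part format concrete, here is a short worked example in that shape. It is an added illustration written for this overview, not one of the track's own numbered examples, and it uses a constructed robots.txt body in place of one fetched from a target; the hostname lab.example is an assumption. It covers the same ground as Example 14 (robots.txt recon): each Disallow entry is a path the site owner asked crawlers to avoid, which makes it a ready-made wordlist for the directory brute-forcing that follows.

```bash
#!/usr/bin/env bash
# What This Covers: turning robots.txt into a list of candidate hidden paths.
# Scenario (constructed): authorized lab target; the robots.txt body below is a
# stand-in for what `curl -s http://lab.example/robots.txt` would return.
set -eu

# Constructed sample robots.txt, not fetched from any real host.
ROBOTS_SAMPLE='User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /api/v1/internal   # internal-only, do not index
Allow: /public/
Sitemap: https://lab.example/sitemap.xml

User-agent: Googlebot
Disallow: /staging/
'

# Annotated Script: read a robots.txt body on stdin and print every Disallow
# path, one per line. Comments are stripped first, matching is case-insensitive
# (the directive is not case-sensitive in practice), trailing whitespace is
# removed, bare "/" or empty entries are dropped because they name nothing
# specific, and duplicates across User-agent blocks are collapsed.
extract_disallow() {
  sed -e 's/#.*$//' \
    | grep -i '^[[:space:]]*disallow:' \
    | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -v '^/*$' \
    | sort -u
}

# Number of candidate paths found (0 when the file hides nothing).
count_disallow() {
  extract_disallow | grep -c . || true
}

main() {
  echo "[*] Paths the site asked crawlers to avoid:"
  printf '%s' "$ROBOTS_SAMPLE" | extract_disallow | sed 's/^/    /'
  echo "[*] $(printf '%s' "$ROBOTS_SAMPLE" | count_disallow) candidate path(s) to feed into directory brute-forcing"
  # Key Takeaway: robots.txt is advisory. It tells well-behaved crawlers where not
  # to go and enforces nothing, so every entry is a hint about an unlinked or
  # sensitive location rather than a control.
  # Detection surface: one GET /robots.txt looks like any crawler; the burst of
  # follow-up requests to each listed path from a single source is what a
  # defender can actually alert on.
}

main
```

In a real engagement the only change is the input: pipe the output of curl into extract_disallow instead of the constructed sample, then hand the resulting list to gobuster as a wordlist before falling back to a generic one.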
Examples by Level
Beginner (Examples 1–28)
- Example 1: Passive DNS Recon — whois, dig, and host
- Example 2: OSINT with theHarvester
- Example 3: Google Dorking
- Example 4: Shodan Recon
- Example 5: Active Host Discovery with nmap
- Example 6: TCP SYN Scan
- Example 7: Service Version Detection
- Example 8: OS Fingerprinting
- Example 9: Aggressive Scan
- Example 10: NSE Script Scanning
- Example 11: UDP Scan
- Example 12: Banner Grabbing with netcat
- Example 13: Web Server Enumeration with curl
- Example 14: robots.txt and sitemap.xml Recon
- Example 15: Directory Brute-Forcing with gobuster
- Example 16: Subdomain Enumeration with gobuster
- Example 17: Virtual Host Discovery
- Example 18: SMB Enumeration
- Example 19: FTP Anonymous Login Check
- Example 20: SSH Audit
- Example 21: HTTP Method Enumeration
- Example 22: Nikto Web Scan
- Example 23: Searchsploit
- Example 24: CVE Lookup for a Discovered Service Version
- Example 25: Metasploit Basic Usage
- Example 26: Hydra Brute-Force
- Example 27: Password Spraying Concept
- Example 28: Screenshot Capture with EyeWitness
Intermediate (Examples 29–57)
- Example 29: Exploiting EternalBlue with Metasploit
- Example 30: Manual SQL Injection
- Example 31: XSS Session Cookie Theft
- Example 32: Command Injection
- Example 33: File Inclusion Exploitation
- Example 34: Unrestricted File Upload
- Example 35: Default Credentials Exploitation
- Example 36: Password Cracking with hashcat
- Example 37: Generating a Reverse Shell with msfvenom
- Example 38: Catching a Reverse Shell with netcat
- Example 39: Stabilizing a Shell
- Example 40: Linux Privesc — SUID Binary Abuse
- Example 41: Linux Privesc — sudo Misconfiguration
- Example 42: Linux Privesc — Cron Job Abuse
- Example 43: Linux Privesc — PATH Hijacking
- Example 44: Linux Privesc — Kernel Exploit Identification
- Example 45: Windows Privesc — Unquoted Service Path
- Example 46: Windows Privesc — Weak Service Permissions
- Example 47: Credential Dumping with Mimikatz
- Example 48: Pass-the-Hash Attack
- Example 49: Kerberoasting
- Example 50: AS-REP Roasting
- Example 51: BloodHound Data Collection
- Example 52: Pivoting with SSH Port Forwarding
- Example 53: Pivoting with Chisel
- Example 54: SMB Lateral Movement
- Example 55: WMI Lateral Movement
- Example 56: Post-Exploitation Situational Awareness
- Example 57: Living Off the Land
Advanced (Examples 58–85)
- Example 58: Custom Shellcode Generation
- Example 59: AV Evasion — XOR Obfuscation
- Example 60: Process Injection
- Example 61: Reflective DLL Injection
- Example 62: AMSI Bypass
- Example 63: ETW Patching
- Example 64: Token Impersonation
- Example 65: DCSync Attack
- Example 66: Golden Ticket Attack
- Example 67: Silver Ticket Attack
- Example 68: Skeleton Key Attack
- Example 69: LSASS Dump
- Example 70: Credential Access via DPAPI
- Example 71: C2 Framework Basics — Sliver
- Example 72: DNS C2 Exfiltration
- Example 73: HTTPS C2 Traffic Blending
- Example 74: Persistence via Registry Run Key
- Example 75: Persistence via Scheduled Task
- Example 76: Persistence via WMI Subscription
- Example 77: Data Staging and Exfiltration
- Example 78: Cloud Credential Theft — AWS IMDS
- Example 79: SSRF to Metadata Service
- Example 80: OAuth 2.0 Token Theft
- Example 81: ADCS ESC1 Abuse
- Example 82: Kerberos Delegation Abuse
- Example 83: Full-Chain Attack Scenario
- Example 84: Red Team Reporting
- Example 85: Purple Team Debrief
Last updated May 20, 2026