Offensive Security Wiki
My personal wiki for offensive security.
Penetration testing, red teaming, vulnerability research, exploit development. Field notes, CVE deep-dives, and reference material I build up over time.
The four pillars
The disciplines this wiki covers. Each pillar links to its landing page.
Penetration Testing
Scoped, time-boxed assessments. Methodology, engagement types, reporting.
Red Teaming
Adversary emulation, full kill-chain. Stealth-first, OPSEC discipline.
Vulnerability Research
Code review, fuzzing, patch diffing — finding bugs nobody else has reported.
Exploit Development
Bug → primitive → reliable exploit. Mitigation-aware, version-portable.
Foundations & operator tradecraft
What you need to read, do, and use during an engagement — kill-chain stages, TTPs, runbooks, tools.
Concepts
kill chain · ATT&CK · OPSEC · kerberoasting · LSASS dumping · DLL hijacking · EDR silencing
Techniques
recon · initial access · priv-esc · lateral movement · persistence · ROP · UAF
Tools
nmap · Burp · Ghidra · Cobalt Strike · BloodHound · mimikatz · impacket
Resources
Windows exploitation research
CVE deep-dives plus the kernel-mode and user-mode internals exercised by them. Start with the Windows research overview.
CVEs
CVE-2025-29824 (CLFS UAF) · CVE-2024-38063 (TCP/IP) · CVE-2024-30085 (cldflt) · SIGRed · CimFS
Kernel-mode exploitation
architecture · CLFS · cldflt · IORING · WNF · kernel streaming · mitigations
User-mode exploitation
Wi-Fi protocol research
The Wi-Fi research canon — from Pixie Dust WPS (2014) and KRACK (2017) through Dragonblood, FragAttacks, Framing Frames / MacStealer, TunnelCrack, SSID Confusion, PEAP/IWD bypass, MFP deauthentication, into the 2026 AirSnitch client-isolation work, and out into the ARP-over-GTK bridge-bypass primitive. The recurring theme: security-relevant decisions placed in unauthenticated framing fields, and defences placed at the wrong architectural layer.
Attacks
KRACK · Dragonblood · FragAttacks · Framing Frames · TunnelCrack · SSID Confusion · PEAP/IWD bypass · MFP deauth · Pixie Dust · abusing GTK · ARP over GTK · ARP spoofing · port stealing · gateway bouncing · broadcast reflection · rogue AP
Defenses
group-key randomization · MACsec · VLANs · spoofing prevention · DAI · endpoint ARP hardening
Devices
tested devices — a digest of Tables I–III: which routers fail which tests.
Wi-Fi concepts
ARP · 802.11 standards · frequency bands · frame types · beacons · probes / PNL · key hierarchy · handshakes · SAE / Dragonfly · CCMP / GCMP · RSN IE · WPA versions · MFP / 802.11w · 802.1X · EAP · EAP-TLS · PEAP / TTLS · WEP · WPS · OWE · 802.11r FT · 802.11k+v · WNM / ANQP · DPP · Wi-Fi Direct / TDLS · Passpoint · client isolation · captive portals · monitor mode & injection
Source material
One provenance page per raw source file that fed the wiki — title, filename, status, excerpt. Raw text stays offline; this catalogue tracks what's been distilled into wiki pages and what's still pending.
