In cybersecurity, penetration tests (pentests) play a crucial role. They let organizations find and fix vulnerabilities in their systems before malicious attackers can exploit them. An effective pentest mimics the actions of an external or internal attacker, attempting to access and exploit systems in a controlled manner so that their security can be improved. Tools are used throughout these assessments, but excessive dependence on them is dangerous: a tester who only knows how to run scanners misses exactly what the scanners miss.
"Tools are the subtlest of traps. We become reliant upon them and in their absence we are vulnerable, weak, defenseless."
To avoid this trap, it is essential to follow a defined, structured methodology. The penetration test described here is carried out in six steps, each of which matters; the diagram below maps them.
```mermaid
graph TD
subgraph Steps
L1["Step 1"]
L2["Step 2"]
L3["Step 3"]
L4["Step 4"]
L5["Step 5"]
L6["Step 6"]
end
A[Pre-engagement]
B[Intelligence Gathering]
C[Scanning]
D[Exploitation]
E[Post Exploitation]
F[Reporting]
L1 -.-> A
L2 -.-> B
L3 -.-> C
L4 -.-> D
L5 -.-> E
L6 -.-> F
```
In the pre-engagement phase, before the audit starts, the documentation that defines its legal context and frames it must be completed. This means producing a scoping document for the test that records the audit perimeter, the duration, the type of audit, the mission order, the written audit authorization, the auditors' quotation, the non-disclosure agreement (NDA), and so on. Without the signed authorization, the "test" is legally indistinguishable from an attack.
A thorough pre-engagement checklist ensures that no critical element is overlooked. It covers technical aspects such as the type of pentest, the key objectives and the testing boundaries, as well as administrative and logistical details such as contacts, whether a VPN is needed, the web services the site relies on, and any client-specific requirements. Working through it prepares a pentest that is effective, aligned with the client's needs, and legally covered. The kit and tooling below are the baseline to have ready before the engagement; the checklist follows.
- TP-Link wireless adapter
- VMware
- VirtualBox
- QEMU/KVM
- Windows 10 VM
- Kali/BlackArch/ParrotOS VM
- Maltego - interactive data-mining tool that renders directed graphs for link analysis
- Metasploit Framework - collection of remote exploits and post-exploitation modules for all platforms
- SET (Social-Engineer Toolkit) - designed to perform advanced attacks against the human element
- theHarvester - gathers e-mail addresses, user names and hostnames/subdomains from public sources
- mimikatz - extracts plaintext passwords and password hashes from Windows memory
- dig - DNS lookup utility (bind-utils package)
- THC Hydra - network login brute-forcer
- PowerSploit - collection of offensive Microsoft PowerShell modules
- CrackMapExec - post-exploitation tool for Active Directory networks
- Burp Suite - usable as an intercepting proxy as well as an active scanner
- Empire - PowerShell framework for remote access and post-exploitation
- Nmap - port scanner
- knockpy - subdomain scanner
- netcat - network utility
- nishang - post-exploitation PowerShell framework
- Determination of the type of pentest (Blackbox, Whitebox)
- Key objectives behind this penetration test
- Location address and contact (if it is an onsite job)
- Validation that the Authorization Letter has been signed
- URL of the web application that is in scope and validation that it is accessible (e.g. with Hurl)
- 2 sets of credentials (a normal user and an admin or otherwise privileged user) and validation that both work
- Determination of the environment (Production or UAT)
- Number of static and dynamic pages
- Testing Boundaries (DoS, Brute force attacks etc.)
- Technologies (PHP, ASP, .NET, IIS, Apache, Operating system etc.)
- Any VPN access or port numbers that are needed, verified ahead of time
- Any web services that the site may use.
- Any pages that the client does not want to be tested.
- Any pages that submit emails
- IP address of the tester
- Escalation contact
- 3rd parties (hosting providers, MSSPs) that need to be notified in advance of the pentest
- Web application firewalls and other IDS in place
- Timeframe of the assessment (dates and hours)
- Diagrams and any kind of documentation
- Validation that a backup of the application has been performed recently
- Other client requirements
In this phase, the pentester gathers as much information as possible about the target, ideally without touching it (passive reconnaissance). This includes domain registration details, IP ranges, certificates, leaked credentials and any public-facing information that can be leveraged in later stages. The goal is to map the target's digital footprint and identify potential entry points before any packet is sent to it.
- whois enumeration
- prips on Linux for IP range generation
- ip search on Bing (ip:{IP})
- Domain profiling
- SubDomain Enumeration
- Sublist3r
- Amass
- urlscan
- Spidering + Local Copy
- Certificate Transparency enumeration (SecurityTrails, crt.sh)
- WaybackMachine archives
- Google -> cache
- Google -> jobs
- Emails: hunter (have a look at the email sources as well)
- HaveIBeenPwned -> check breach compilations
- IntelX (all the necessary tools)
- Visiting the website behind Tor/VPN
- Wappalyzer
- Traffic Analysis
- alexa
- similarweb
- semrush
- osint
- shodan
- censys
- kali
- public files, site:drive.google.com "target"
- Check Facebook, Twitter "target leaks" "target security" on Twitter
- searchftps
- publicwww
- thingful
- grayhatwarfare
- wigle
- social-searcher
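As an added example (not part of the original page), the two items in the list above that are most worth scripting, prips-style IP range expansion and Certificate Transparency enumeration, in one Python file. The crt.sh JSON is a constructed sample in the shape the real `https://crt.sh/?q=%25.example.com&output=json` endpoint returns, so the script runs offline; `example.com` is the assumed scope.

```python
"""Passive-recon helpers: prips-style IP range expansion and crt.sh parsing.
Added example, not code from the page. CRTSH_SAMPLE is constructed."""
import ipaddress
import json
import re

# Constructed sample of crt.sh JSON for q=%.example.com, trimmed to the fields
# used here. Real rows carry more fields (id, entry_timestamp, not_before, ...).
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "mail.example.com",
     "name_value": "MAIL.EXAMPLE.COM\nautodiscover.example.com"},
    # A certificate that merely mentions the target string in another org's SANs:
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "cdn.example-partner.net",
     "name_value": "cdn.example-partner.net\nexample.com.evil-lookalike.org"},
])


def expand_ranges(ranges):
    """Expand CIDR blocks and 'start-end' ranges into individual host IPs, like prips.

    CIDR blocks use .hosts(), which drops network and broadcast addresses for
    prefixes shorter than /31, so the list is directly usable as a scan target list."""
    hosts = []
    for item in ranges:
        if "-" in item:
            start, end = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            cur = start
            while cur <= end:
                hosts.append(str(cur))
                cur += 1
        else:
            net = ipaddress.ip_network(item, strict=False)
            hosts.extend(str(h) for h in net.hosts())
    return hosts


def subdomains_from_crtsh(raw_json, scope_domain):
    """Sorted set of in-scope hostnames from crt.sh output.

    - splits newline-separated multi-SAN name_value fields
    - lowercases and strips wildcard prefixes ("*.dev.example.com" -> "dev.example.com")
    - keeps only names equal to, or ending in, ".<scope>", which discards
      lookalikes such as example.com.evil-lookalike.org that a naive
      substring match would wrongly put in scope."""
    scope = scope_domain.lower()
    found = set()
    for row in json.loads(raw_json):
        for name in row.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if not name or not re.fullmatch(r"[a-z0-9.-]+", name):
                continue
            if name == scope or name.endswith("." + scope):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    print("\n".join(expand_ranges(["10.0.0.0/30", "10.0.0.8-10.0.0.10"])))
    print("\n".join(subdomains_from_crtsh(CRTSH_SAMPLE, "example.com")))
```

Everything CT enumeration returns is still unverified: resolve each name and check that the resolved address lies inside the authorized perimeter before it goes into the scanning list.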
During the scanning phase, the pentester uses automated tools to identify open ports, active services, and vulnerabilities that could be exploited. This step is crucial for developing a detailed understanding of the target environment's security posture.
- Acunetix
- OpenVas
- Vega
- Nikto
- Wikto
- w3af
- Xenotix XSS Framework
- Wapiti
- HTTP
- nmap
- Metasploit Framework
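Added example, not from the page: turning nmap's XML output (`nmap -sV -oX scan.xml <target>`) into a list of open ports and flagging services that deserve a closer look, which is the step between "the scanner ran" and "we understand the target's posture". The XML below is a constructed single-host sample in nmap's real output format; the triage list of sensitive services is an assumption for illustration.

```python
"""Parse nmap -oX output into open-port records and triage them.
Added example, not code from the page or from nmap. NMAP_XML is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX scan.xml 10.0.0.5` (one host, four ports).
NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5" start="1700000000" version="7.94">
<host starttime="1700000000" endtime="1700000030">
<status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.com" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.6" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
  <service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
  <service name="mysql" product="MySQL" version="5.7.31" method="probed" conf="10"/></port>
</ports>
</host>
<runstats><finished time="1700000030" elapsed="30.0"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# Assumed triage list: services that rarely belong on a network-reachable
# interface and should be reported whenever they are found open.
SENSITIVE_SERVICES = {"mysql", "ms-sql-s", "postgresql", "redis", "mongodb", "telnet", "vnc"}


def parse_nmap_xml(xml_text):
    """One record per open port on each host that is up.

    The stdlib parser is acceptable here because the XML is our own scan
    output, not attacker-controlled input."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    records = []
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k, d="": svc.get(k, d)) if svc is not None else (lambda k, d="": d)
            records.append({
                "host": addr, "hostname": hostname,
                "proto": port.get("protocol"), "port": int(port.get("portid")),
                "service": get("name"), "product": get("product"),
                "version": get("version"), "conf": int(get("conf", "0")),
            })
    return records


def triage(records):
    """Flag open sensitive services; for everything else with a version string,
    note it for lookup in exploit-db / vulnerability feeds."""
    notes = []
    for r in records:
        where = f'{r["host"]}:{r["port"]}'
        if r["service"] in SENSITIVE_SERVICES:
            notes.append(f'{where} {r["service"]} exposed ({r["product"]} {r["version"]})')
        elif r["product"] and r["version"]:
            notes.append(f'{where} look up {r["product"]} {r["version"]}')
    return notes


if __name__ == "__main__":
    recs = parse_nmap_xml(NMAP_XML)
    for r in recs:
        print(f'{r["host"]}\t{r["proto"]}/{r["port"]}\t{r["service"]}\t{r["product"]} {r["version"]}')
    print("\n".join(triage(recs)))
```

The `conf` attribute is worth keeping: a service identified by `method="table"` (port-number guess) with a low confidence is not evidence of what is really listening, and a filtered port such as 445 here is a firewall observation, not an open service.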
The exploitation stage involves actively exploiting the identified vulnerabilities to gain unauthorized access or to escalate privileges within the system, staying inside the testing boundaries agreed in pre-engagement. The techniques used here mimic those a real attacker would employ, which is what makes the assessment of the system's defenses realistic.
- List of world-writable directories on Windows
- Write enumeration scripts with ADSI
- exploit-db
- CyberChef
- Reverse-shell-Cheat-Sheet
- hacktricks
- NTLMRawUnhide
- Password Dictionaries Generation
- Assetnote Wordlists
- CewL
- Account creation
- Account activation
- Login
- Account modification
- Phone number verification
- Password reset
- Automating xss
- Parameters enumeration for API routes
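Added example for the password dictionary generation item above (CewL, Assetnote wordlists): a CewL-style wordlist built from the target's own page text, extended with the years mentioned on the page and a small set of mangling rules. This is not code from the page or from CewL; `PAGE_TEXT` is a constructed stand-in for what `cewl` would spider from the target site, and the suffix list is an assumption.

```python
"""CewL-style wordlist generation with simple mangling rules.
Added example, not code from the page or from CewL. PAGE_TEXT is constructed."""
import re
from itertools import product

# Constructed sample standing in for the text cewl would spider from the target.
PAGE_TEXT = """
Welcome to Contoso Logistics! Founded in 1998 in Rotterdam, Contoso moves
freight across Europe. Our warehouse management system FreightMaster was
launched in 2019. Contact the Contoso helpdesk for support.
"""

# Assumed leet substitutions and common suffixes; tune them per engagement.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("!", "1", "123")


def extract_words(text, min_len=5):
    """Unique words of at least min_len letters, in order of first appearance (cewl -m)."""
    words = []
    for w in re.findall(r"[A-Za-z]{%d,}" % min_len, text):
        w = w.lower()
        if w not in words:
            words.append(w)
    return words


def extract_years(text):
    """Four-digit years on the page: founding and launch years end up in passwords."""
    return sorted(set(re.findall(r"\b(?:19|20)\d{2}\b", text)))


def mangle(word, years=(), suffixes=SUFFIXES):
    """Expand one base word the way a small hashcat rule set would:
    case variants, leet variants, and each of those followed by a year or suffix."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    out = set(bases)
    for base, tail in product(bases, tuple(years) + tuple(suffixes)):
        out.add(base + tail)
    return sorted(out)


def build_wordlist(text, min_len=5):
    """Full candidate list: every page word, mangled with the years found on the same page."""
    years = extract_years(text)
    out = set()
    for w in extract_words(text, min_len):
        out.update(mangle(w, years))
    return sorted(out)


if __name__ == "__main__":
    wl = build_wordlist(PAGE_TEXT)
    print(f"{len(wl)} candidates, e.g. {wl[:5]}")
```

Keep the output targeted: a few thousand site-specific candidates, tried against the account lockout threshold recorded under testing boundaries, find more than a generic multi-gigabyte list while staying inside what the client authorized.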
Once access is gained, the post-exploitation phase aims to determine the potential damage and data exposure that could follow. It involves exploring the compromised system to understand the depth of access obtained, extracting sensitive data (credentials above all, since they drive lateral movement), and assessing whether long-term access could be maintained for further exploitation.
- PowerShell Commands for Pentesters
- Windows Sysinternals: `net use Z: https://live.sysinternals.com` maps the live Sysinternals share as drive Z: through the WebDAV client, so the tools can be run without first copying them to the host
- Pwdump7
- TBAL: a DPAPI backdoor for local users
- Dumping Domain Passwords
- Dumping Clear-Text Creds
- Empire Tips and Tricks
- Extract Remote Hash
- Capturing NetNTLM
- The worst of both worlds
- Pass-the-Hash is Dead: Long Live LocalAccountTokenFilterPolicy
- Beyond LLMNR/NBNS Spoofing
- Gathering AD Data with PowerShell
- Kerberoasting without Mimikatz
- Kerberoast
- Golden Ticket
- pass-the-ticket
- Gaining Domain Admin Rights
- Attacking Kerberos : kicking the guard dog of hades
- Token Impersonation
- PEASS - Privilege Escalation Awesome Scripts SUITE
- Windows Privilege Escalation Fundamentals by FuzzySecurity
- DLL Hijacking
- Potato
- RottenPotatoNG
- Privilege Escalation Guide
- Lateral Movement
- RDP tunneling
- SQL Server Link Crawling
- Lateral Movement WinRM
- CrackMapExec
- RDP Inception
- RDP Lateral Movement
- Powerview and crackmapExec
- Persistent payload
- port forwarding with netsh
- The Trustpocalypse
- DCShadow Explained
- Domain Trust: Why You Should Care
- A Guide to Attacking Domain Trusts
- Javascript C2
- evading autorun
- mimikatz obfuscation
- Putting data in Alternate data streams and how to execute it
- Leveraging INF-SCT Fetch
- Empire without powershell
- Powershell without powershell
- Exploitation Code Injection
- Powershell to bypass Constraint mode
- Bypass Constraint Mode with runscripthelper
- InternetExplorer.Application for C2
- We Don't Need Powershell.exe Part 2
- WSH Injection
- Borrowing Microsoft Code Signing Certificates
- Basic Linux Privilege Escalation by g0tmi1k
- Exploit Database
- Attack and Defend : Linux Privilege Escalation
- SUID executable
- Guide to Linux Privilege Escalation
- LDAP
- Understand and Exploit web based LDAP
- Web based LDAP injection
- Lateral Movement
- SSH port forwarding
- SSH & meterpreter port forward
- Tunneling & port forwarding
- webshell
- p0wny
- awesome-red-teaming
- Out-of-band exploitation
The final phase of the pentest involves compiling all findings, methodologies, and evidence into a comprehensive report. This report is crucial for the client as it provides detailed insights into the vulnerabilities identified, the methods used by the pentesters, and concrete recommendations for enhancing system security.
At the end of the mission, a comprehensive deliverable will be provided, encapsulating all aspects of the audit performed. This structured document will allow for a clear understanding of the vulnerabilities discovered as well as recommendations for remediation.
- Notes document: a `notes.md` file, formatted in Markdown according to GitHub's formatting guidelines, detailing each audit phase with the information discovered and its sources.
- Screenshot folder: all screenshots from the tests conducted, including those that did not result in a finding.
- Scripts folder: all scripts and payloads used during the pentest, including offensive scripts developed for the audit.
- Tool outputs folder: the output files from the scanning tools and scripts used, giving a technical record of the tests conducted.
The deliverable is prepared as an archive, preferably in 7-Zip format, encrypted with AES-256 (the strongest mode 7-Zip offers; there is no AES-512) and with header encryption enabled so that file names are not readable without the passphrase. It is organised in clearly named folders for easy navigation and delivered either as that encrypted archive or through a secure, private online sharing space, with the passphrase sent over a separate channel from the archive itself.
- `report.pdf`: the main document containing all detailed notes from the audit.
- `screenshots/`: folder containing the screenshots.
- `scripts/`: folder containing the scripts used.
- `scripts_output/`: folder containing the outputs of tools.
This reporting structure not only highlights the vulnerabilities and actions taken but also ensures traceability and clarity in the audit processes for future audits or compliance checks.