"Tools are the subtlest of traps. We become reliant upon them and in their absence we are vulnerable, weak, defenseless."
- Pre-engagement
- Intelligence Gathering (Reconnaissance)
- Scanning
- Exploitation
- Post Exploitation
- Reporting
- TPLink Adapter
- VMware
- Virtualbox
- QEMU/KVM
- Windows 10 VM
- Kali/Blackarch/ParrotOS VM
- Maltego - interactive data mining tool that renders directed graphs for link analysis.
- Metasploit Framework - collection of remote exploits and post-exploitation tools for all platforms.
- SET (Social-Engineer Toolkit) - designed to perform advanced attacks against the human element.
- theHarvester - gathers e-mail accounts, user names and hostnames/subdomains from public sources.
- mimikatz - extracts plaintext passwords and password hashes from Windows memory.
- dig - DNS lookup utility (bind-utils package).
- THC Hydra - network login brute-forcer.
- PowerSploit - collection of Microsoft PowerShell modules for post exploitation.
- CrackMapExec - post-exploitation tool for Active Directory networks.
- Burp Suite - HTTP intercepting proxy that also works as an active scanner.
- Empire - PowerShell framework for remote and post exploitation.
- Nmap - port scanner.
- knockpy - subdomain scanner.
- netcat - network utility.
- nishang - post-exploitation PowerShell framework.
(more on https://github.com/FenrirSec/fenrir-tools)
- Determination of the type of pentest (Blackbox, Whitebox)
- Key objectives behind this penetration test
- Location address and contact (if it is an onsite job)
- Validation that the Authorization Letter has been signed
- URL of the web application that is in scope and validation that it is accessible
- 2 sets of credentials (normal and admin or a privileged user) and validation that they are working
- Determination of the environment (Production or UAT)
- Number of static and dynamic pages
- Testing Boundaries (DoS, Brute force attacks etc.)
- Technologies (PHP, ASP, .NET, IIS, Apache, Operating system etc.)
- Any VPN or port numbers that are needed, verified ahead of time
- Any web services that the site may use.
- Any pages that the client does not want to be tested.
- Any pages that submit emails
- IP address of the tester
- Escalation contact
- 3rd parties that need to be contacted in advance of the pentest
- Web application firewalls and other IDS in place
- Timeframe of the assessment (dates and hours)
- Diagrams and any kind of documentation
- Validation that a backup has been performed recently on the application
- Other client requirements
- whois enumeration
- prips on Linux for IP range generation
- ip search on Bing (ip:{IP})
- Domain profiling
- SubDomain Enumeration
- Sublist3r
- Amass
- https://urlscan.io/
- Spidering + Local Copy
- Certificate transparency enumeration - https://securitytrails.com/list/apex_domain/fenrir.agency
- WaybackMachine Archives
- Google -> cache:https://fenrir.pro
- Google -> jobs fenrir.pro
- Emails : hunter.io (Have a look at the email sources also)
- HaveIBeenPwned -> Check breachcompilations
- IntelX.io (all the necessary tools)
- Visiting the website behind Tor/VPN
- Wappalyzer
- Traffic Analysis
- alexa
- similarweb
- semrush
- https://osint.link/
- shodan.io
- censys.io
- https://tools.kali.org/information-gathering/metagoofil
- public files (https://intelx.io/tools?tab=file), site:drive.google.com "target"
- Check Facebook, Twitter "target leaks" "target security" on Twitter
- https://www.searchftps.net/
- https://publicwww.com/
- https://www.thingful.net
- https://buckets.grayhatwarfare.com/
- wigle.net
- https://www.social-searcher.com/search-users/?ntw=&q6=lp1eu
- Acunetix
- OpenVAS
- Vega
- Nikto
- Wikto
- w3af
- Xenotix XSS Framework
- Wapiti
- https://github.com/projectdiscovery/httpx (HTTP)
- nmap
- Metasploit Framework
- testssl.sh
- sslscan
- https://wadcoms.github.io/
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
- https://book.hacktricks.xyz/windows-hardening/basic-cmd-for-pentesters#domain-info
- List of world-writable directories on Windows: https://gist.github.com/mattifestation/5f9de750470c9e0e1f9c9c33f0ec3e56
- Write enumeration scripts with ADSI: https://dev-2null.github.io/Easy-Domain-Enumeration-with-ADSI/
- https://jxy-s.github.io/herpaderping/
- https://www.exploit-db.com/
- https://gchq.github.io/CyberChef/
- http://blog.safebuff.com/2016/06/19/Reverse-shell-Cheat-Sheet/
- https://book.hacktricks.xyz/
- https://github.com/mlgualtieri/NTLMRawUnhide
- https://github.com/r3nt0n/bopscrk (Password Dictionaries Generation)
- https://wordlists.assetnote.io/
- CeWL
- Account creation
- Account activation
- Login
- Account modification
- Phone number verification
- Password reset
- https://medium.com/@parasarora06/automating-xss-identification-with-dalfox-paramspider-e14283bb7916
- https://github.com/s0md3v/Arjun (Parameters enumeration for API routes)
- https://www.infosecmatter.com/powershell-commands-for-pentesters/
- Windows Sysinternals (mount the live share: net use Z: https://live.sysinternals.com)
- Pwdump7
- TBAL DPAPI backdoor for local user
- Dumping Domain Password
- Dumping ClearText Creds
- Empire Tips and Trick
- Extract Remote Hash
- Capturing NetNTLM
- The worst of both worlds
- pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy
- Beyond LLMNR/NBNS Spoofing
- Gathering AD Data with Powershell
- Kerberoasting without mimikatz
- Kerberoast
- Golden Ticket
- pass-the-ticket
- Gaining Domain Admin Rights
- Attacking Kerberos: Kicking the Guard Dog of Hades
- Token Impersonation
- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
- Windows Privilege Escalation Fundamentals by FuzzySecurity
- DLL Hijacking
- Potato
- RottenPotatoNG
- Privilege Escalation Guide
- Lateral Movement
- RDP tunneling
- SQL Server Link Crawling
- Lateral Movement WinRM
- CrackMapExec
- RDP Inception
- RDP Lateral Movement
- PowerView and CrackMapExec
- Persistent payload
- port forwarding with netsh
- The Trustpocalypse
- DcShadow Explained
- Domain Trust: Why You Should Care
- A Guide to Attacking Domain Trusts
- Javascript C2
- evading autorun
- mimikatz obfuscation
- Putting data in Alternate data streams and how to execute it
- Leveraging INF-SCT Fetch
- Empire without powershell
- Powershell without powershell
- Exploitation Code Injection
- PowerShell to bypass Constrained Language Mode
- Bypass Constrained Language Mode with runscripthelper
- InternetExplorer.Application for C2
- We Don't Need Powershell.exe Part 2
- WSH Injection
- Borrowing Microsoft Code Signing Certificates
- Guide to Attacking Domain Trust
- Basic Linux Privilege Escalation by g0tmi1k
- Exploit Database
- Attack and Defend: Linux Privilege Escalation
- SUID executables
- Guide to Linux Privilege Escalation
- LDAP
- Understand and Exploit web based LDAP
- Web based LDAP injection
- Lateral Movement
- SSH port forwarding
- SSH & meterpreter port forward
- Tunneling & port forwarding
- webshell
- p0wny
- awesome-red-teaming
- out of band Exploitation
- https://www.sans.org/reading-room/whitepapers/bestprac/writing-penetration-testing-report-33343
- https://github.com/juliocesarfort/public-pentesting-reports
- https://resources.infosecinstitute.com/kali-reporting-tools/#gref
- https://github.com/kyawthiha7/pentest-methodology
- http://www.pentest-standard.org/index.php/Pre-engagement
- https://www.owasp.org/index.php/Penetration_testing_methodologies
- https://resources.infosecinstitute.com/penetration-testing-methodologies-and-standards/
- https://www.pentestpeople.com/penetration-testing-methodology/