[
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2022 initstring\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "# Pentest Methodology\nShort checklists to keep your pentests on track.\n\nThey are:\n- Not exhaustive\n- Not overly descriptive\n- Not a replacement for PTES or OWASP\n\n\n# Thanks\nAll of these items are things I picked up here and there, and it would be tough to credit every item. Here are some people/sources I definitely owe thanks to:\n\n- All of the authors of the listed tools.\n- [3xocyte](https://github.com/3xocyte) for his wealth of knowledge in destroying AD environments.\n\n# Current Status\nI am not currently working as a pentester! This means it's unlikely I will be updating this project any time soon. Feel free to submit PRs, though, I will happily review and merge when appropriate.\n"
  },
  {
    "path": "devops-cloud.md",
    "content": "# Devops / Cloud Penetration Test\n"
  },
  {
    "path": "external.md",
    "content": "# External Penetration Test\n\n## Mapping Attack Surface\n\n### Automated Tools\n- [ ] Generate nmap output files (with targets in `targets.txt`):\n    ```sh\n    nmap -oA nmap-out -sV -p- -vv -iL targets.txt\n    ```\n- [ ] For tests with lots of web hosts, grab screenshots with a tool like [gowitness](https://github.com/sensepost/gowitness)\n- [ ] Import nmap findings into Metasploit\n    ```sh\n    # create a new workspace\n    workspace -a <target name>\n    \n    # import the file\n    db_import nmap-out.xml\n    \n    # view 5060 and 2000 to see if they are legit (they probably are not)\n    services -p 5060,2000\n    \n    # delete them\n    services -p 5060,2000 -d\n    ```\n- [ ] Use Metasploit modules for web dir/file enumeration\n    ```sh\n    msfconsole\n    spool dir-scanner.txt\n    use auxiliary/scanner/http/dir_scanner\n    set DICTIONARY /opt/SecLists/Discovery/Web-Content/common.txt\n    \n    services -u -p 80 --rhosts\n    set rport 80\n    set ssl false\n    run\n    \n    services -u -p 443 --rhosts\n    set rport 443\n    set ssl true\n    run\n    \n    # repeat for other web ports (8443, 8080, etc)\n    ```\n\n### Manual Review\n- [ ] Identify all URLs that allow logins from Spiderfoot.\n- [ ] Review all the discovered URLs from the Metasploit dir scanners.\n- [ ] Identify all systems that may provide remote access (Citrix, RDP, VPN, etc).\n- [ ] Identify all vendor products that are likely to offer RCE-as-a-feature (Jenkins, Serv-U, etc).\n- [ ] Identify all vendor products that may allow you to download a trial version to look for 0-days.\n\n## Obtaining Credentials\n\n### Password Spraying\n- [ ] Make damn sure you know the lockout policy you are up against.\n- [ ] Do you have reliable username enumeration on an endpoint? OWA, Skype, etc.\n    - If so, do a fine-tuned first run with usernames from the OSINT phase PLUS as much from the [likely usernames](https://github.com/insidetrust/statistically-likely-usernames) as you have time for.\n- [ ] Spray a service accounts list like [this one](https://github.com/insidetrust/statistically-likely-usernames/blob/master/service-accounts.txt) with username-as-password.\n- [ ] Spray your known-good corporate usernames against common passwords, staying safely below lockout rates.\n    - [The classics](https://github.com/insidetrust/statistically-likely-usernames/blob/master/weak-corporate-passwords/english-basic.txt)\n    - SeasonYear (Summer2019)\n    - MonthYear (March2019)\n    - CompanyNumber (Google1)\n    - CompanyYear (Google2019)\n    - ^^ All of the above without a capital first letter, and a `!` at the end (still meets complexity requirements)\n    - ^^ All of the above with a `!` at the end.\n    - No luck? Get creative with things like the corporate HQ address, corporate mottos, etc.\n- [ ] Still no creds and safe to try more without locking out? Try weak passwords based on company name, location, etc.\n\n## Authenticated Information Gathering\n- [ ] Gather all user accounts from:\n    - OWA or Office365 address list\n    - portal.azure.com (Azure AD)\n    - Lync (Windows app will download and cache the GAL locally)\n- [ ] Search email inboxes for:\n    - \"Password\" - look for the standard password IT uses for resets\n    - \"Remote Access\" - look for info on connecting to VPN, etc\n    - \"Intranet\", \"Portal\", \"HelpDesk\", etc - look for sources of internal company info\n- [ ] Hang out in company chat rooms in Slack, Skype, etc.\n- [ ] Check calendars for dial-in info for board meetings and other sensitive events.\n- [ ] Check Office365, Sharepoint, Drive, etc for similar sensitive details.\n- [ ] Try additional password spraying with new accounts and likely passwords you have gathered.\n\n## Breaching the Perimeter\n\n- [ ] Leverage all available remote access services, such as:\n    - RDP\n    - Citrix\n    - VPN\n- [ ] Identified any RCE-by-design apps during OSINT? Try the credentials on those.\n- [ ] Look for trial versions of any off-the-shelf applications on the perimeter, download them, and find 0-days.\n"
  },
  {
    "path": "internal-ad.md",
    "content": "# Internal Penetration Test (Active Directory Environments)\n\n## Unauthenticated Information Gathering\n\n### Automated Tools\n- [ ] Generate nmap output files (with targets in `targets.txt`):\n    ```sh\n    nmap -oA nmap-out -sV -p- -vv -iL targets.txt\n    ```\n- [ ] For tests with lots of web hosts, grab screenshots with a tool like [gowitness](https://github.com/sensepost/gowitness)\n- [ ] Import nmap findings into Metasploit\n    ```sh\n    # create a new workspace\n    workspace -a <target name>\n    \n    # import the file\n    db_import nmap-out.xml\n    \n    # view 5060 and 2000 to see if they are legit (they probably are not)\n    services -p 5060,2000\n    \n    # delete them\n    services -p 5060,2000 -d\n    ```\n- [ ] Use Metasploit modules for web dir/file enumeration\n    ```sh\n    msfconsole\n    spool dir-scanner.txt\n    use auxiliary/scanner/http/dir_scanner\n    set DICTIONARY /opt/SecLists/Discovery/Web-Content/common.txt\n    \n    services -u -p 80 --rhosts\n    set rport 80\n    set ssl false\n    run\n    \n    services -u -p 443 --rhosts\n    set rport 443\n    set ssl true\n    run\n    \n    # repeat for other web ports (8443, 8080, etc)\n    ```\n- [ ] Check for anonymous SMB shares with `auxiliary/scanner/smb/smb_enumshares`.\n- [ ] Check for open NFS shares with `auxiliary/scanner/nfs/nfsmount`.\n- [ ] Check for anonymous FTP shares with `auxiliary/scanner/ftp/anonymous`.\n- [ ] Create a list of machines that are not configured to do SMB signing (for relaying later on).\n    - crackmapexec '--gen-relay-list'\n\n### Manual Review\n- [ ] Identify all URLs that allow logins.\n- [ ] Manually review screenshots from all HTTP services.\n\n\n## Obtaining Credentials\n- [ ] Responder attack.\n    - First, run in analyze mode. Determine blue-teamy stuff and then configure Responder.conf to not respond to those IPs.\n- [ ] Execute an [ipv6 mitm](https://github.com/fox-it/mitm6) attack.\n- [ ] Getting action from standard Responder or mitm6? Use [Impacket](https://github.com/SecureAuthCorp/impacket)'s ntlmrelayx.py to dump SAM and/or get interactive SMB shells.\n- [ ] Start cracking any received challenge/response data.\n- [ ] Wireless WPA-Enterprise attacks to gather usernames, hashes, and passwords.\n    - [airgeddon](https://github.com/v1s1t0r1sh3r3/airgeddon) is a nice automation tool for hostapd-wpe.\n- [ ] Find any printer admin pages? Try default creds and look for LDAP integration.\n- [ ] Drop a few USB sticks in the conference rooms (don't push the scope!).\n- [ ] Internal password spray:\n    - Metasploit's `auxiliary/scanner/smb/smb_login`.\n    - [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec).\n    \n\n## Authenticated Information Gathering\n- [ ] Manually review scripts in `\\\\domain_name\\netlogon`\n    - Don't just look for passwords - look for references to dev environments, deployment servers, etc.\n- [ ] Run the [SharpHound](https://github.com/BloodHoundAD/SharpHound) ingestor and map paths in BloodHound.\n- [ ] Enumerate shares with crackmapexec '--shares'\n- [ ] Rummage through shares.\n- [ ] Rummage through Sharepoint, e-mail, etc.\n    - [ ] Look for anything related to new accounts and password resets. IT often uses standard passwords for these. If you find one, spray it around.\n- [ ] Enumerate and map network connectivity with a tool like [leprechaun](https://blog.vonahi.io/post-exploitation-with-leprechaun/).\n\n\n## Initial Foothold\n- [ ] \n\n## Local Privilege Escalation\n- [ ] Try [WindowsEnum](https://github.com/absolomb/WindowsEnum) or a similar script to cover the basics.\n- [ ] Use a test machine to observe procmon.exe for vendor 0-days (writable DLL and service paths, etc)\n\n## Domain Privilege Escalation\n- [ ] Get SPNs (Kerberoast - get that GPU humming!)\n- [ ] Run [Grouper](https://github.com/l0ss/Grouper2)\n- [ ] Running SQL servers? Try for authenticated SQL/SMB relay with `auxiliary/admin/mssql/mssql_ntlm_stealer`\n- [ ] Leverage existing credentials to get more credentials or passable hashes.\n    - crackmapexec '--sam'\n    - crackmapexec '--lsa'\n    - crackmapexec '-M mimikatz'\n    - Windows Task Manager or procdump.exe to dump lsass and use mimikatz or [pypykatz](https://github.com/skelsec/pypykatz)\n- [ ] Find logged-in users and sessions on boxes you have admin rights to.\n    - crackmapexec '--loggedon-users'\n    - crackmapexec '--sessions'\n- [ ] Review BloodHound paths to DA with:\n    - All currently compromised accounts\n    - All logged-on users on boxes you have admin rights to\n\n\n## Objective Hunting\n- [ ] Use Impacket's secretsdump.py to access credentials for specific accounts you need.\n"
  },
  {
    "path": "osint.md",
    "content": "# General Information Gathering\n\n## Automated Steps\n- [ ] Run Spiderfoot with the base domain name and an appropriate level based on your scope.\n    - Stick to passive scans pre-engagement.\n    - Know that web crawling may hit out-of-scope targets and take a long time.\n\n## Manual Steps\n- [ ] Manually review social media sites for interesting info.\n    - Twitter, Facebook, YouTube, Instagram, LinkedIn, Glassdoor, Reddit, etc.\n- [ ] Manually review the corporate website.\n- [ ] Manually search GitHub, GitLab, StackOverflow, etc for company and product names.\n    - If the company has their own repos, consider running [gitrob](https://github.com/michenriksen/gitrob).\n\n# DNS Enumeration\n- [ ] Run [amass](https://github.com/OWASP/Amass) with a config file including API keys and a brute-force strategy.\n    ```sh\n    amass -d <domain name> -config <config file>\n    ```\n- [ ] Run [theHarvester](https://github.com/laramies/theHarvester)\n    ```sh\n    ./theHarvester.py -d <domain name> -b all\n    ```\n- [ ] Use [cloud_enum](https://github.com/initstring/cloud_enum) to enumerate public resources on Amazon, Azure, and Google Cloud.\n\n# Username Enumeration\n- [ ] Run [linkedin2username](https://github.com/initstring/linkedin2username).\n- [ ] Search through your hoard of password dumps.\n\n# Breached Account Reporting\n- [ ] Run usernames through [pwned_report](https://github.com/initstring/pentest-tools/blob/master/osint/pwned_report.py)\n"
  },
  {
    "path": "password-audit.md",
    "content": "# Password Audit\n"
  },
  {
    "path": "web.md",
    "content": "# Web Application Pentest\n\n## Technology Stack Enumeration\n- [ ] [Wappalyzer](https://www.wappalyzer.com/download) helps with basic enumeration.\n    - Don't forget to disable the extension when done reviewing!\n\n## Follow a Testing Methodology\n- [ ] [OWASP Testing Guide](https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents)\n- [ ] [Web Application Hacker's Handbook Checklist](https://gist.github.com/jhaddix/6b777fb004768b388fefadf9175982ab) summarized by jhaddix.\n"
  },
  {
    "path": "wifi.md",
    "content": "# Wireless Penetration Test\n\n## Information Gathering\n- [ ] Perform a full site walkthrough while collecting general info.\n    ```sh\n    # put the interface into monitor mode\n    sudo airmon-ng start wlan0\n\n    # write info to a log file\n    airodump-ng --write wifi-walkthrough --wps --band abg wlan0mon\n    ```\n- [ ] Manually review the airodump output, looking for:\n    - A/V equipment broadcasting open or vendor-default networks.\n    - Unofficial APs connected to the corporate network.\n    - Client authentication attempts (who to evil-AP)\n\n## WPA2-PSK Stuff\n- [ ] Grab the handshake and crack it.\n- [ ] If cracked, carry out evil-AP / client-side attacks.\n\n## WPA2-Enterprise Stuff\n- [ ] [airgeddon](https://github.com/v1s1t0r1sh3r3/airgeddon) automates basic username enum and hash theft for enterprise networks.\n    - Physically walk through all office areas while conducting attacks.\n    - Find areas where employees congregate that are out of range of the corporate APs and try attacks there (lobbies, cafe, etc)\n\n## Open, Guest-Portal Stuff\n- [ ] Check for network isolation:\n    - `ip neigh`\n    - `netdiscover`\n    - `nmap`\n    - `masscan`\n- [ ] Responder.\n- [ ] Evil-AP, force challenge-response with a captive portal.\n- [ ] Try to find the admin portal URL. It may be on the same domain name as the captive portal.\n    - Log in with default creds.\n    - See if it allows you to admin the non-guest networks.\n\n## Additional Client-Side Attacks\n- [ ] [EAPHammer](https://github.com/s0lst1c3/eaphammer)\n"
  }
]