Repository: initstring/pentest-methodology
Branch: master
Commit: 5a18954a13c8
Files: 9
Total size: 13.4 KB

Directory structure:
gitextract_lgzbl_af/
├── LICENSE
├── README.md
├── devops-cloud.md
├── external.md
├── internal-ad.md
├── osint.md
├── password-audit.md
├── web.md
└── wifi.md

================================================
FILE CONTENTS
================================================

================================================
FILE: LICENSE
================================================
MIT License

Copyright (c) 2022 initstring

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

================================================
FILE: README.md
================================================
# Pentest Methodology

Short checklists to keep your pentests on track. They are:

- Not exhaustive
- Not overly descriptive
- Not a replacement for PTES or OWASP

# Thanks

All of these items are things I picked up here and there, and it would be tough to credit every item.
Here are some people/sources I definitely owe thanks to:

- All of the authors of the listed tools.
- [3xocyte](https://github.com/3xocyte) for his wealth of knowledge in destroying AD environments.

# Current Status

I am not currently working as a pentester! This means it's unlikely I will be updating this project any time soon. Feel free to submit PRs, though; I will happily review and merge when appropriate.

================================================
FILE: devops-cloud.md
================================================
# Devops / Cloud Penetration Test

================================================
FILE: external.md
================================================
# External Penetration Test

## Mapping Attack Surface

### Automated Tools

- [ ] Generate nmap output files (with targets in `targets.txt`):

```sh
# -oA writes .nmap, .gnmap and .xml; the .xml is what Metasploit imports below
nmap -oA nmap-out -sV -p- -vv -iL targets.txt
```

- [ ] For tests with lots of web hosts, grab screenshots with a tool like [gowitness](https://github.com/sensepost/gowitness).
- [ ] Import nmap findings into Metasploit:

```sh
# create a new workspace (pick a name for the engagement)
workspace -a <workspace-name>
# import the file
db_import nmap-out.xml
# view 5060 and 2000 to see if they are legit (they probably are not)
services -p 5060,2000
# delete them
services -p 5060,2000 -d
```

- [ ] Use Metasploit modules for web dir/file enumeration:

```sh
msfconsole
# log everything the scanner prints to a file for review later
spool dir-scanner.txt
use auxiliary/scanner/http/dir_scanner
set DICTIONARY /opt/SecLists/Discovery/Web-Content/common.txt
# -u: only hosts that are up; --rhosts: set RHOSTS from the database
services -u -p 80 --rhosts
set rport 80
set ssl false
run
services -u -p 443 --rhosts
set rport 443
set ssl true
run
# repeat for other web ports (8443, 8080, etc)
```

### Manual Review

- [ ] Identify all URLs that allow logins from Spiderfoot.
- [ ] Review all the discovered URLs from the Metasploit dir scanners.
- [ ] Identify all systems that may provide remote access (Citrix, RDP, VPN, etc).
- [ ] Identify all vendor products that are likely to offer RCE-as-a-feature (Jenkins, Serv-U, etc).
- [ ] Identify all vendor products that may allow you to download a trial version to look for 0-days.

## Obtaining Credentials

### Password Spraying

- [ ] Make damn sure you know the lockout policy you are up against (threshold, observation window and lockout duration).
- [ ] Do you have reliable username enumeration on an endpoint? OWA, Skype, etc.
  - If so, do a fine-tuned first run with usernames from the OSINT phase PLUS as many from the [likely usernames](https://github.com/insidetrust/statistically-likely-usernames) list as you have time for.
- [ ] Spray a service-accounts list like [this one](https://github.com/insidetrust/statistically-likely-usernames/blob/master/service-accounts.txt) with username-as-password.
- [ ] Spray your known-good corporate usernames against common passwords, staying safely below lockout rates:
  - [The classics](https://github.com/insidetrust/statistically-likely-usernames/blob/master/weak-corporate-passwords/english-basic.txt)
  - SeasonYear (Summer2019)
  - MonthYear (March2019)
  - CompanyNumber (Google1)
  - CompanyYear (Google2019)
  - All of the above without a capital first letter and with a `!` at the end (still meets complexity requirements: lowercase, digit and symbol are three character classes).
  - All of the above with a `!` at the end.
  - No luck? Get creative with things like the corporate HQ address, corporate mottos, etc.
- [ ] Still no creds and safe to try more without locking out? Try weak passwords based on company name, location, etc.

## Authenticated Information Gathering

- [ ] Gather all user accounts from:
  - OWA or Office 365 address list
  - portal.azure.com (Azure AD)
  - Lync (the Windows client downloads and caches the GAL locally)
- [ ] Search email inboxes for:
  - "Password" - look for the standard password IT uses for resets
  - "Remote Access" - look for info on connecting to VPN, etc.
  - "Intranet", "Portal", "HelpDesk", etc. - look for sources of internal company info
- [ ] Hang out in company chat rooms in Slack, Skype, etc.
- [ ] Check calendars for dial-in info for board meetings and other sensitive events.
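As an added example (not part of the original checklist, and not the author's tooling), the password-spraying candidates listed under Obtaining Credentials above, generated and budgeted against a lockout policy. It builds the SeasonYear, MonthYear, CompanyNumber and CompanyYear patterns with their lowercase+`!` and `!` variants, drops anything a default AD complexity policy (7+ characters, 3 of 4 character classes) would reject, and chunks the list into rounds that stay under the lockout threshold. The company name `Acme`, the year and the policy values are placeholders; read the real policy from the target first (for example with `net accounts /domain`).

```python
"""Candidate generator and lockout budget for a password spray.

Added example, not part of the original checklist. Company name, years and
policy values below are placeholders, not values from the page.
"""
import calendar
import string

SEASONS = ["Spring", "Summer", "Autumn", "Fall", "Winter"]
MONTHS = [calendar.month_name[m] for m in range(1, 13)]


def base_candidates(company, years, numbers=range(1, 4)):
    """SeasonYear, MonthYear, CompanyYear and CompanyNumber, capitalised."""
    cands = []
    for year in years:
        cands += [f"{s}{year}" for s in SEASONS]
        cands += [f"{m}{year}" for m in MONTHS]
        cands.append(f"{company}{year}")
    cands += [f"{company}{n}" for n in numbers]
    return cands


def with_variants(cands):
    """Each base word, then lowercase first letter + '!', then '!' only."""
    seen, out = set(), []
    for c in cands:
        for variant in (c, c[0].lower() + c[1:] + "!", c + "!"):
            if variant not in seen:
                seen.add(variant)
                out.append(variant)
    return out


def meets_ad_complexity(pw, min_length=7):
    """Default AD policy: at least min_length chars and 3 of 4 classes
    (upper, lower, digit, symbol). The account-name check is skipped."""
    classes = [
        any(ch.isupper() for ch in pw),
        any(ch.islower() for ch in pw),
        any(ch.isdigit() for ch in pw),
        any(ch in string.punctuation for ch in pw),
    ]
    return len(pw) >= min_length and sum(classes) >= 3


def build_spray_list(company, years):
    """Full ordered candidate list with the complexity filter applied."""
    return [p for p in with_variants(base_candidates(company, years))
            if meets_ad_complexity(p)]


def spray_plan(candidates, lockout_threshold, window_minutes, safety_margin=2):
    """Split candidates into rounds of (threshold - margin) guesses per user.

    AD counts bad attempts inside the observation window, so each round must
    wait window_minutes before the next. lockout_threshold == 0 means no
    lockout policy. Thresholds at or below the margin are refused outright:
    spraying there would lock users out.
    """
    if lockout_threshold == 0:
        per_window = max(1, len(candidates))
    elif lockout_threshold <= safety_margin:
        raise ValueError("lockout threshold too low to spray safely")
    else:
        per_window = lockout_threshold - safety_margin
    rounds = [candidates[i:i + per_window]
              for i in range(0, len(candidates), per_window)]
    return {
        "per_window": per_window,
        "rounds": rounds,
        "minutes_to_finish": max(0, len(rounds) - 1) * window_minutes,
    }


if __name__ == "__main__":
    # Placeholder company and policy (5 attempts / 30-minute window).
    words = build_spray_list("Acme", [2019])
    plan = spray_plan(words, lockout_threshold=5, window_minutes=30)
    print(f"{len(words)} candidates, {plan['per_window']} per window, "
          f"{len(plan['rounds'])} rounds, ~{plan['minutes_to_finish']} min")
    for i, rnd in enumerate(plan["rounds"][:3], 1):
        print(f"round {i}: {rnd}")
```

Note that the lowercase variant only survives the complexity filter because of the trailing `!`; `summer2019` on its own is two character classes and is dropped, which is the reason the checklist pairs the lowercase form with the symbol. Short company names make the CompanyNumber pattern fall under the 7-character minimum, so check the filtered list before spraying rather than assuming every pattern produced a candidate.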
- [ ] Check Office 365, SharePoint, Drive, etc. for similar sensitive details.
- [ ] Try additional password spraying with the new accounts and likely passwords you have gathered.

## Breaching the Perimeter

- [ ] Leverage all available remote access services, such as:
  - RDP
  - Citrix
  - VPN
- [ ] Identified any RCE-by-design apps during OSINT? Try the credentials on those.
- [ ] Look for trial versions of any off-the-shelf applications on the perimeter; download them and look for 0-days.

================================================
FILE: internal-ad.md
================================================
# Internal Penetration Test (Active Directory Environments)

## Unauthenticated Information Gathering

### Automated Tools

- [ ] Generate nmap output files (with targets in `targets.txt`):

```sh
# -oA writes .nmap, .gnmap and .xml; the .xml is what Metasploit imports below
nmap -oA nmap-out -sV -p- -vv -iL targets.txt
```

- [ ] For tests with lots of web hosts, grab screenshots with a tool like [gowitness](https://github.com/sensepost/gowitness).
- [ ] Import nmap findings into Metasploit:

```sh
# create a new workspace (pick a name for the engagement)
workspace -a <workspace-name>
# import the file
db_import nmap-out.xml
# view 5060 and 2000 to see if they are legit (they probably are not)
services -p 5060,2000
# delete them
services -p 5060,2000 -d
```

- [ ] Use Metasploit modules for web dir/file enumeration:

```sh
msfconsole
# log everything the scanner prints to a file for review later
spool dir-scanner.txt
use auxiliary/scanner/http/dir_scanner
set DICTIONARY /opt/SecLists/Discovery/Web-Content/common.txt
# -u: only hosts that are up; --rhosts: set RHOSTS from the database
services -u -p 80 --rhosts
set rport 80
set ssl false
run
services -u -p 443 --rhosts
set rport 443
set ssl true
run
# repeat for other web ports (8443, 8080, etc)
```

- [ ] Check for anonymous SMB shares with `auxiliary/scanner/smb/smb_enumshares`.
- [ ] Check for open NFS shares with `auxiliary/scanner/nfs/nfsmount`.
- [ ] Check for anonymous FTP with `auxiliary/scanner/ftp/anonymous`.
- [ ] Create a list of machines that do not require SMB signing (for relaying later on).
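As an added example (not part of the original checklist, and not the author's tooling), the "machines that do not require SMB signing" list built offline from nmap XML rather than from a live negotiation. It assumes a scan such as `nmap -p445 --script smb2-security-mode,smb-security-mode -oX smb.xml -iL targets.txt` and keeps every up host whose SMB service reports signing as optional or disabled, which is the set an NTLM relay can actually land on. `SAMPLE_XML` is constructed for the demo in nmap's XML shape; the function names are this example's own.

```python
"""Build an NTLM-relay target list from nmap XML.

Added example, not part of the original checklist. SAMPLE_XML is a
constructed stand-in for real `nmap -oX` output.
"""
import xml.etree.ElementTree as ET

# nmap scripts that report SMB message-signing state (SMB2/3 and SMBv1).
SCRIPT_IDS = {"smb2-security-mode", "smb-security-mode"}

# Constructed sample: one host requiring signing (not relayable), one SMB2
# host with signing not required, one SMBv1 host with signing disabled,
# and one host that is down (ignored even though it looks relayable).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <hostscript><script id="smb2-security-mode"
      output="3.1.1: Message signing enabled and required"/></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <hostscript><script id="smb2-security-mode"
      output="3.1.1: Message signing enabled but not required"/></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.30" addrtype="ipv4"/>
    <hostscript><script id="smb-security-mode"
      output="message_signing: disabled (dangerous, but default)"/></hostscript>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.40" addrtype="ipv4"/>
    <hostscript><script id="smb2-security-mode"
      output="3.1.1: Message signing enabled but not required"/></hostscript>
  </host>
</nmaprun>
"""


def signing_not_required(output):
    """True when the script output says signing is optional or off.

    smb2-security-mode prints 'enabled but not required' or 'disabled';
    smb-security-mode (SMBv1) prints 'supported' (optional) or 'disabled'.
    'enabled and required' / 'required' fall through to False.
    """
    text = output.lower()
    return "not required" in text or "disabled" in text or "supported" in text


def relayable_hosts(nmap_xml):
    """IPv4 addresses of up hosts where an SMB script reports signing as
    not required. Each host appears at most once, in scan order."""
    targets = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        # iter("script") covers both <hostscript> and per-port <script> entries
        for script in host.iter("script"):
            if (script.get("id") in SCRIPT_IDS
                    and signing_not_required(script.get("output", ""))):
                targets.append(addr.get("addr"))
                break
    return targets


def write_relay_list(targets, path):
    """One IP per line, the target-file shape ntlmrelayx.py -tf accepts."""
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + ("\n" if targets else ""))
    return len(targets)


if __name__ == "__main__":
    found = relayable_hosts(SAMPLE_XML)
    print("relay targets:", found)
    write_relay_list(found, "relay-targets.txt")
```

Hosts that require signing are excluded rather than merely deprioritised: a relay to them fails at session setup, and every failed attempt is a logon event the blue team can see.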
  - `crackmapexec smb targets.txt --gen-relay-list relay-targets.txt`

### Manual Review

- [ ] Identify all URLs that allow logins.
- [ ] Manually review screenshots from all HTTP services.

## Obtaining Credentials

- [ ] Responder attack.
  - First, run in analyze mode (`-A`) to watch the LLMNR/NBT-NS/mDNS traffic without poisoning it. Identify anything that looks like blue-team instrumentation, then add those IPs to `DontRespondTo` in Responder.conf so Responder never answers them.
- [ ] Execute an [IPv6 MITM](https://github.com/fox-it/mitm6) attack.
- [ ] Getting action from standard Responder or mitm6? Use [Impacket](https://github.com/SecureAuthCorp/impacket)'s ntlmrelayx.py to dump the SAM and/or get interactive SMB shells.
- [ ] Start cracking any received challenge/response data.
- [ ] Wireless WPA-Enterprise attacks to gather usernames, hashes, and passwords.
  - [airgeddon](https://github.com/v1s1t0r1sh3r3/airgeddon) is a nice automation tool for hostapd-wpe.
- [ ] Find any printer admin pages? Try default creds and look for LDAP integration.
- [ ] Drop a few USB sticks in the conference rooms (don't push the scope!).
- [ ] Internal password spray:
  - Metasploit's `auxiliary/scanner/smb/smb_login`.
  - [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec).

## Authenticated Information Gathering

- [ ] Manually review scripts in `\\domain_name\netlogon`.
  - Don't just look for passwords - look for references to dev environments, deployment servers, etc.
- [ ] Run the [SharpHound](https://github.com/BloodHoundAD/SharpHound) ingestor and map paths in BloodHound.
- [ ] Enumerate shares with crackmapexec `--shares`.
- [ ] Rummage through shares.
- [ ] Rummage through SharePoint, e-mail, etc.
- [ ] Look for anything related to new accounts and password resets. IT often uses standard passwords for these. If you find one, spray it around.
- [ ] Enumerate and map network connectivity with a tool like [leprechaun](https://blog.vonahi.io/post-exploitation-with-leprechaun/).

## Initial Foothold

- [ ]

## Local Privilege Escalation

- [ ] Try [WindowsEnum](https://github.com/absolomb/WindowsEnum) or a similar script to cover the basics.
- [ ] Use a test machine and watch procmon.exe for vendor 0-days (writable DLL and service paths, etc.).

## Domain Privilege Escalation

- [ ] Get SPNs (Kerberoast - get that GPU humming!).
- [ ] Run [Grouper2](https://github.com/l0ss/Grouper2).
- [ ] Running SQL servers? Try for authenticated SQL/SMB relay with `auxiliary/admin/mssql/mssql_ntlm_stealer`.
- [ ] Leverage existing credentials to get more credentials or passable hashes:
  - crackmapexec `--sam`
  - crackmapexec `--lsa`
  - crackmapexec `-M mimikatz`
  - Windows Task Manager or procdump.exe to dump lsass, then mimikatz or [pypykatz](https://github.com/skelsec/pypykatz) on the dump.
- [ ] Find logged-in users and sessions on boxes you have admin rights to:
  - crackmapexec `--loggedon-users`
  - crackmapexec `--sessions`
- [ ] Review BloodHound paths to DA from:
  - All currently compromised accounts
  - All logged-on users on boxes you have admin rights to

## Objective Hunting

- [ ] Use Impacket's secretsdump.py to access credentials for the specific accounts you need.

================================================
FILE: osint.md
================================================
# General Information Gathering

## Automated Steps

- [ ] Run Spiderfoot with the base domain name and an appropriate level based on your scope.
  - Stick to passive scans pre-engagement.
  - Know that web crawling may hit out-of-scope targets and take a long time.

## Manual Steps

- [ ] Manually review social media sites for interesting info.
  - Twitter, Facebook, YouTube, Instagram, LinkedIn, Glassdoor, Reddit, etc.
- [ ] Manually review the corporate website.
- [ ] Manually search GitHub, GitLab, Stack Overflow, etc. for company and product names.
  - If the company has its own repos, consider running [gitrob](https://github.com/michenriksen/gitrob).

# DNS Enumeration

- [ ] Run [amass](https://github.com/OWASP/Amass) with a config file including API keys and a brute-force strategy.
```sh
amass -d <domain> -config <config-file>
# newer amass releases moved this under a subcommand:
# amass enum -d <domain> -config <config-file>
```

- [ ] Run [theHarvester](https://github.com/laramies/theHarvester):

```sh
./theHarvester.py -d <domain> -b all
```

- [ ] Use [cloud_enum](https://github.com/initstring/cloud_enum) to enumerate public resources on Amazon, Azure, and Google Cloud.

# Username Enumeration

- [ ] Run [linkedin2username](https://github.com/initstring/linkedin2username).
- [ ] Search through your hoard of password dumps.

# Breached Account Reporting

- [ ] Run usernames through [pwned_report](https://github.com/initstring/pentest-tools/blob/master/osint/pwned_report.py).

================================================
FILE: password-audit.md
================================================
# Password Audit

================================================
FILE: web.md
================================================
# Web Application Pentest

## Technology Stack Enumeration

- [ ] [Wappalyzer](https://www.wappalyzer.com/download) helps with basic enumeration.
  - Don't forget to disable the extension when done reviewing!

## Follow a Testing Methodology

- [ ] [OWASP Testing Guide](https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents)
- [ ] [Web Application Hacker's Handbook Checklist](https://gist.github.com/jhaddix/6b777fb004768b388fefadf9175982ab) summarized by jhaddix.

================================================
FILE: wifi.md
================================================
# Wireless Penetration Test

## Information Gathering

- [ ] Perform a full site walkthrough while collecting general info.

```sh
# put the interface into monitor mode (creates wlan0mon)
sudo airmon-ng start wlan0
# write everything seen to log files (wifi-walkthrough-01.csv, .cap, ...)
sudo airodump-ng --write wifi-walkthrough --wps --band abg wlan0mon
```

  - Manually review the airodump output, looking for:
    - A/V equipment broadcasting open or vendor-default networks.
    - Unofficial APs connected to the corporate network.
    - Client authentication attempts (who to evil-AP).

## WPA2-PSK Stuff

- [ ] Grab the handshake and crack it.
- [ ] If cracked, carry out evil-AP / client-side attacks.

## WPA2-Enterprise Stuff

- [ ] [airgeddon](https://github.com/v1s1t0r1sh3r3/airgeddon) automates basic username enumeration and hash theft for enterprise networks.
  - Physically walk through all office areas while conducting attacks.
  - Find areas where employees congregate that are out of range of the corporate APs and try attacks there (lobbies, cafe, etc.).

## Open, Guest-Portal Stuff

- [ ] Check for network isolation:
  - `ip neigh`
  - `netdiscover`
  - `nmap`
  - `masscan`
- [ ] Responder.
- [ ] Evil-AP; force challenge-response with a captive portal.
- [ ] Try to find the admin portal URL. It may be on the same domain name as the captive portal.
  - Log in with default creds.
  - See if it allows you to admin the non-guest networks.

## Additional Client-Side Attacks

- [ ] [EAPHammer](https://github.com/s0lst1c3/eaphammer)