Penetration Tests

Steps and tools used during penetration testing.

Pre-engagement

• For good resources, see:
  • Awesome Hacking (GitHub)
  • Suggested tools (Bug Bounty Forum)
  • Kali Tools (Kali.org)
• For taking notes on ethical hacking: OneNote, WordPress, GitBook, Notion.

Prerequisites

• Contract (client) or form:
  • Project name
  • Project code for timesheet
  • Architecture / Network diagram
  • Components in Scope: environment (dev/QA/prod), server name, IP address, URL, connection string
  • Approval to do the tests
  • Test accounts : 2 users per user profiles, 2 admin users, 1 user for infrastructure scans
  • Test type: Black-box, Gray-box, White-box
• Threat Modeling (optional)
• Machine setup: Kali Linux

Methodologies & Frameworks

• The Open Source Security Testing Methodology Manual (OSSTMM 3)
• NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
• Penetration Testing Execution Standard
• Information System Security Assessment Framework (ISSAF)

Reconnaissance / Passive Information Gathering / OSINT

Gather information about a target without directly interacting with it. Third parties can be used for information gathering. Other definitions include a more permissive approach, like interacting as a normal user would.

• Publicly Available Information
• Search GitHub Repositories
• Search Technical Information

Active Info Gathering / Scanning / Enumeration

• DNS Enumeration
• Live host discovery: Nmap, ping & hping3, SPARTA 
• Open ports *: Nmap, Netcat, traceroute
• Scan with infrastructure scanners: Nessus, OpenVAS, Tenable Security Center, Tsunami
• Look for Shares: \\server_name
• Social Media Enumeration
• Network: IOXIDResolver | Nmap | lbd
• Client Fingerprint (browser and OS)
• Social Engineering

* Investigate each open/filtered port. See details for each ports.

Identify the OS remotely

Ping the target machine.

ping $IP

• TTL ~128 => the OS is likely Windows
• TTL ~ 64, the OS could be Linux, Unix, or MacOS

Forensics Tools

• Vinetto – Thumbs.db viewer
• Exiftool – File metadata

Database enumeration

• Oscanner in Oracle Database

SSL Certificates

• Qualys SSL Labs – Test strength of SSL Certificates
• Mozilla Observatory – SSL Certificates / Response Headers

Exploits / Attacks / Vulnerabilities

Multiple exploits may exist for a vulnerability, for different target OS versions and architectures.

• Search: SearchSploit | GHDB | National Vulnerability Database (NVD)
• Repositories: Exploit DB | SecurityFocus | PacketStorm | Nmap NSE | 0day
• Repositories (not safe): GitHub
• Cross-compiler: Mingw-w64
• Package Python apps into standalone executables: PyInstaller
• CVE
• Databases
• Exploits
• Exploits / Attacks / Vulnerabilities
• Mobile Applications
• Passwords Attacks
• Web Applications & APIs
• Wireless / Wifi Attacks
• Client-side attacks: Microsoft Office Macros | HTML Applications (HTA) | CSV Injection | BeEF | CactusTorch (create infected PDF, .doc, etc.)
• Bypass Antivirus
• Known Exploited Vulnerabilities Catalog
• Denial of Service (DoS): Low Orbit Ion Cannon

Network Attacks

• Man-in-the-middle (MITM)
  • ARP Cache Poisoning / ARP Spoofing
  • Ettercap
  • SSLstrip
• DNS Spoofing Attack: Ettercap
• Spy on traffic / Network Sniffing: Ettercap | Wireshark | Xplico | Port Mirroring

Post-Exploitation

Privilege Escalation

• Privilege escalation: Unix | Windows
• Impersonation privileges exploits: Juicy Potato, PrintSpoofer

Post-Exploitation

• Post-Exploitation: Unix | Windows
• Data Exfiltration

Lateral Movement Techniques

Phases of lateral movement: reconnaissance, credential/privilege gathering, and gaining access to other computers in the network.

• Credentials & Hashes:
  • Credential reuse
  • Dumping hashes with Mimikatz
  • Pass-the-Hash
• Kerberos:
  • Kerberoasting
  • AS-REP Roasting
  • Pass the Ticket
  • Overpass the Hash/Pass the Key
  • MS14-068 (ExploitDB)
• Exploit software or kernel vulnerabilities
• Port Forwarding / Tunneling
• After running BloodHound, if you find privileges like “GenericAll”, “GenericWrite”, “Write”, “WriteProperty”, “Self”, “WriteOwner”, “ForceChangePassword”, “WriteDACL”, see Active Directory ACLs/ACEs Abuse.

Cleanup

• Remove all uploaded files and exploits after a pentest.

Reporting

Bug Bounty Platforms

• Bugcrowd (private bounties at https://bugcrowd.com/company_name)
• HackerOne
• Huntr (for GitHub repositories)
• Open Bug Bounty (formerly XSSposed)
• YesWeHack
• SynAck
• Find security.txt file using gosecuritytxt

### NOT VERIFIED ###
List of Bug Bounty/Crowdsourced Security Platforms:
Detectify - cs.detectify.com
Cobalt - cobalt.io
Zerocopter - www.zerocopter.com
HackenProof - hackenproof.com
Vulnerability Lab - www.vulnerability-lab.com
FireBounty - firebounty.com
BugBounty.jp - bugbounty.jp
AntiHACK - www.antihack.me
Intigriti - www.intigriti.com
SafeHats - safehats.com
RedStorm - www.redstorm.io
Cyber Army ID - www.cyberarmy.id
Yogosha - yogosha.com

Reporting 0-Day

• Zero Day Initiative – Report 0-day vulnerabilities

Severity Scoring

CVSS

• CVSS Calculator
• CVSS examples
• CVSS Specification Document
• CVSS 4.0 Preview (PDF)

DREAD

• https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)

Missing Security Controls

• Calculator
• Conference “The Quest for Better Pentest Reports”
• Git Repository for Missing Security Controls

Reporting Tools

• PwnDoc
• PenText
• Dradis
• Jira – ticket system

Report Templates

Examples

• Offensive Security

• MITRE: CVE IDs And How To Get Them (PDF)
• Writing a Penetration Testing Report (SANS)
• French terms for Information Security