Penetration Tests

Steps and tools used during penetration testing.

Pre-engagement

• For good resources, see:
  • Awesome Hacking (GitHub)
  • Suggested tools (Bug Bounty Forum)
  • Kali Tools (Kali.org)
• For taking notes on ethical hacking: OneNote, WordPress, GitBook, Notion.

Prerequisites

• Contract (client) or form:
  • Project name
  • Project code for timesheet
  • Architecture / Network diagram
  • Components in Scope: environment (dev/QA/prod), server name, IP address, URL, connection string
  • Approval to do the tests
  • Test accounts : 2 users per user profiles, 2 admin users, 1 user for infrastructure scans
  • Test type: Black-box, Gray-box, White-box
• Threat Modeling (optional)
• Machine setup: Kali Linux

Methodologies & Frameworks

• The Open Source Security Testing Methodology Manual (OSSTMM 3)
• NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
• Penetration Testing Execution Standard
• Information System Security Assessment Framework (ISSAF)

Reconnaissance / Passive Information Gathering / OSINT

Gather information about a target without directly interacting with it. Third parties can be used for information gathering. Other definitions include a more permissive approach, like interacting as a normal user would.

• Publicly Available Information
• Search GitHub Repositories
• Search Technical Information

Active Info Gathering / Scanning / Enumeration

Active information gathering techniques are used to collect information about a target system or network. These techniques involve actively engaging with the target to elicit information, as opposed to passive techniques that involve observing network traffic or publicly available information. Some examples of active information gathering techniques are port scanning, banner grabbing, network mapping, DNS enumeration, vulnerability scanning.

• DNS Enumeration
• Live host discovery: Nmap, ping & hping3, SPARTA 
• Open ports *: Nmap, Netcat, traceroute
• Scan with infrastructure scanners: Nessus, OpenVAS, Tenable Security Center, Tsunami
• Look for Shares: \\server_name
• Social Media Enumeration
• Network: IOXIDResolver | Nmap | lbd
• Client Fingerprint (browser and OS)
• Social Engineering

* Investigate each open/filtered port. See details for each ports.

Identify the OS remotely

Ping the target machine.

ping $IP

• TTL ~128 => the OS is likely Windows
• TTL ~ 64, the OS could be Linux, Unix, or MacOS

Forensics Tools

• Vinetto – Thumbs.db viewer
• Exiftool – File metadata

Database enumeration

• Oscanner in Oracle Database

SSL Certificates

• Qualys SSL Labs – Test strength of SSL Certificates
• Mozilla Observatory – SSL Certificates / Response Headers

Exploits / Attacks / Vulnerabilities

Multiple exploits may exist for a vulnerability, for different target OS versions and architectures.

• Search: SearchSploit | GHDB | National Vulnerability Database (NVD)
• Repositories: Exploit DB | SecurityFocus | PacketStorm | Nmap NSE | 0day
• Repositories (not safe): GitHub
• Cross-compiler: Mingw-w64
• Package Python apps into standalone executables: PyInstaller
• CVE
• Databases
• Exploits
• Exploits / Attacks / Vulnerabilities
• Mobile Applications
• Passwords Attacks
• Web Applications & APIs
• Wireless / Wifi Attacks
• Client-side attacks: Microsoft Office Macros | HTML Applications (HTA) | CSV Injection | BeEF | CactusTorch (create infected PDF, .doc, etc.)
• Bypass Antivirus
• Known Exploited Vulnerabilities Catalog
• Denial of Service (DoS): Low Orbit Ion Cannon

Network Attacks

• Man-in-the-middle (MITM)
  • ARP Cache Poisoning / ARP Spoofing
  • Ettercap
  • SSLstrip
• DNS Spoofing Attack: Ettercap
• Spy on traffic / Network Sniffing: Ettercap | Wireshark | Xplico | Port Mirroring

Post-Exploitation

Privilege Escalation

• Privilege escalation: Unix | Windows
• Impersonation privileges exploits: Juicy Potato, PrintSpoofer

Post-Exploitation

• Post-Exploitation: Unix | Windows
• Data Exfiltration

Lateral Movement Techniques

Phases of lateral movement: reconnaissance, credential/privilege gathering, and gaining access to other computers in the network.

• Credentials & Hashes:
  • Credential reuse
  • Dumping hashes with Mimikatz
  • Pass-the-Hash
• Kerberos:
  • Kerberoasting
  • AS-REP Roasting
  • Pass the Ticket
  • Overpass the Hash/Pass the Key
  • MS14-068 (ExploitDB)
• Exploit software or kernel vulnerabilities
• Port Forwarding / Tunneling
• After running BloodHound, if you find privileges like “GenericAll”, “GenericWrite”, “Write”, “WriteProperty”, “Self”, “WriteOwner”, “ForceChangePassword”, “WriteDACL”, see Active Directory ACLs/ACEs Abuse.

Cleanup

• Remove all uploaded files and exploits after a pentest.

Reporting

Bug Bounty Platforms

• Bugcrowd (private bounties at https://bugcrowd.com/company_name)
• HackerOne
• Huntr (for GitHub repositories)
• Open Bug Bounty (formerly XSSposed)
• YesWeHack
• SynAck
• Find security.txt file using gosecuritytxt

### NOT VERIFIED ###
List of Bug Bounty/Crowdsourced Security Platforms:
Detectify - cs.detectify.com
Cobalt - cobalt.io
Zerocopter - www.zerocopter.com
HackenProof - hackenproof.com
Vulnerability Lab - www.vulnerability-lab.com
FireBounty - firebounty.com
BugBounty.jp - bugbounty.jp
AntiHACK - www.antihack.me
Intigriti - www.intigriti.com
SafeHats - safehats.com
RedStorm - www.redstorm.io
Cyber Army ID - www.cyberarmy.id
Yogosha - yogosha.com

Reporting 0-Day

• Zero Day Initiative – Report 0-day vulnerabilities

Severity Scoring

CVSS

• CVSS Calculator
• CVSS examples
• CVSS Specification Document
• CVSS 4.0 Preview (PDF)

DREAD

• https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)

Missing Security Controls

• Calculator
• Conference “The Quest for Better Pentest Reports”
• Git Repository for Missing Security Controls

Reporting Tools

• PwnDoc
• PenText
• Dradis
• Jira – ticket system

Report Templates

Examples

• Offensive Security

• MITRE: CVE IDs And How To Get Them (PDF)
• Writing a Penetration Testing Report (SANS)
• French terms for Information Security