├── LICENSE
├── README.md
├── devops-cloud.md
├── external.md
├── internal-ad.md
├── osint.md
├── password-audit.md
├── web.md
└── wifi.md

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 initstring

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Pentest Methodology
Short checklists to keep your pentests on track.

They are:
- Not exhaustive
- Not overly descriptive
- Not a replacement for PTES or OWASP


# Thanks
All of these items are things I picked up here and there, and it would be tough to credit every item. Here are some people/sources I definitely owe thanks to:

- All of the authors of the listed tools.
- [3xocyte](https://github.com/3xocyte) for his wealth of knowledge in destroying AD environments.

# Current Status
I am not currently working as a pentester! This means it's unlikely I will be updating this project any time soon. Feel free to submit PRs, though, I will happily review and merge when appropriate.

--------------------------------------------------------------------------------
/devops-cloud.md:
--------------------------------------------------------------------------------
# Devops / Cloud Penetration Test

--------------------------------------------------------------------------------
/external.md:
--------------------------------------------------------------------------------
# External Penetration Test

## Mapping Attack Surface

### Automated Tools
- [ ] Generate nmap output files (with targets in `targets.txt`):
```sh
nmap -oA nmap-out -sV -p- -vv -iL targets.txt
```
- [ ] For tests with lots of web hosts, grab screenshots with a tool like [gowitness](https://github.com/sensepost/gowitness)
- [ ] Import nmap findings into Metasploit
```sh
# create a new workspace
workspace -a

# import the file
db_import nmap-out.xml

# view 5060 and 2000 to see if they are legit (they probably are not:
# on external scans these are often a firewall or SIP ALG answering for every address)
services -p 5060,2000

# delete them
services -p 5060,2000 -d
```
- [ ] Use Metasploit modules for web dir/file enumeration
```sh
msfconsole
spool dir-scanner.txt
use auxiliary/scanner/http/dir_scanner
set DICTIONARY /opt/SecLists/Discovery/Web-Content/common.txt

# -u keeps only services that are up; --rhosts loads them into RHOSTS
services -u -p 80 --rhosts
set rport 80
set ssl false
run

services -u -p 443 --rhosts
set rport 443
set ssl true
run

# repeat for other web ports (8443, 8080, etc)
```

### Manual Review
- [ ] Identify all URLs that allow logins (from the Spiderfoot results).
- [ ] Review all the discovered URLs from the Metasploit dir scanners.
- [ ] Identify all systems that may provide remote access (Citrix, RDP, VPN, etc).
- [ ] Identify all vendor products that are likely to offer RCE-as-a-feature (Jenkins, Serv-U, etc).
- [ ] Identify all vendor products that may allow you to download a trial version to look for 0-days.

## Obtaining Credentials

### Password Spraying
- [ ] Make damn sure you know the lockout policy you are up against (threshold, observation window, and lockout duration).
- [ ] Do you have reliable username enumeration on an endpoint? OWA, Skype, etc.
  - If so, do a fine-tuned first run with usernames from the OSINT phase PLUS as much of the [likely usernames](https://github.com/insidetrust/statistically-likely-usernames) list as you have time for.
- [ ] Spray a service accounts list like [this one](https://github.com/insidetrust/statistically-likely-usernames/blob/master/service-accounts.txt) with username-as-password.
- [ ] Spray your known-good corporate usernames against common passwords, staying safely below lockout rates.
  - [The classics](https://github.com/insidetrust/statistically-likely-usernames/blob/master/weak-corporate-passwords/english-basic.txt)
  - SeasonYear (Summer2019)
  - MonthYear (March2019)
  - CompanyNumber (Google1)
  - CompanyYear (Google2019)
  - All of the above without a capital first letter, and a `!` at the end (still meets complexity requirements, since lowercase + digit + symbol is three character classes)
  - All of the above with a `!` at the end.
  - No luck? Get creative with things like the corporate HQ address, corporate mottos, etc.
- [ ] Still no creds and safe to try more without locking out? Try weak passwords based on company name, location, etc.
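The spraying steps above reduce to two mechanical jobs: generating the candidate list from the patterns listed, and pacing attempts so nobody gets locked out. The script below is an added example written for this page, not a tool from the original repository. The company name, the date, the `COMPANY_SUFFIXES` digits, the `SAFETY_MARGIN` of two attempts and the lockout numbers used in `EXAMPLE_POLICY` are all constructed assumptions; the complexity rule it applies is the common Windows one (three of four character classes plus a minimum length).

```python
"""Generate password-spray candidates from the checklist patterns and slice
them into rounds that stay under the account lockout threshold.
Added example for this page; not part of the original repository."""
from dataclasses import dataclass
from datetime import date

SEASONS = ("Spring", "Summer", "Autumn", "Fall", "Winter")
MONTHS = ("January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December")
COMPANY_SUFFIXES = (1, 2, 3, 123)   # assumed digits for the CompanyNumber pattern
SAFETY_MARGIN = 2                   # assumed: attempts left over for users' own typos

EXAMPLE_DATE = date(2019, 3, 15)    # constructed engagement date


def base_candidates(company: str, today: date) -> list:
    """SeasonYear, MonthYear and CompanyYear for this year and last, plus
    CompanyNumber, in the capitalised form the checklist lists first."""
    cands = []
    for year in (today.year, today.year - 1):
        cands += [f"{s}{year}" for s in SEASONS]
        cands += [f"{m}{year}" for m in MONTHS]
        cands.append(f"{company}{year}")
    cands += [f"{company}{n}" for n in COMPANY_SUFFIXES]
    return cands


def expand(cands) -> list:
    """Checklist variants: as-is, '!' appended, lowercase with '!' appended.
    Keeps first-seen order and drops duplicates so the spray is deterministic."""
    seen, out = set(), []
    for c in cands:
        for v in (c, c + "!", c.lower() + "!"):
            if v not in seen:
                seen.add(v)
                out.append(v)
    return out


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Windows-style complexity: at least 3 of 4 character classes and a
    minimum length. 'summer2019!' passes; a 7-character 'Google1' does not."""
    classes = sum((any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))
    return len(pw) >= min_len and classes >= 3


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # bad attempts before lockout; 0 means accounts never lock
    observation_min: int  # minutes until the bad-attempt counter resets


EXAMPLE_POLICY = LockoutPolicy(threshold=5, observation_min=30)  # constructed


def spray_rounds(passwords, policy: LockoutPolicy):
    """Split the list into rounds of (threshold - SAFETY_MARGIN) passwords, each
    followed by a wait of one observation window so the counter resets.
    Refuses to plan if the policy leaves no safe budget."""
    if policy.threshold == 0:
        return [(list(passwords), 0)]
    per_round = policy.threshold - SAFETY_MARGIN
    if per_round < 1:
        raise ValueError("lockout threshold too low to spray safely")
    rounds = []
    for i in range(0, len(passwords), per_round):
        chunk = list(passwords[i:i + per_round])
        more_to_come = i + per_round < len(passwords)
        rounds.append((chunk, policy.observation_min if more_to_come else 0))
    return rounds


def build_spray(company: str, today: date, policy: LockoutPolicy, min_len: int = 8):
    """Full pipeline: patterns -> variants -> drop what the policy rejects -> rounds."""
    pws = [p for p in expand(base_candidates(company, today)) if meets_complexity(p, min_len)]
    return spray_rounds(pws, policy)


if __name__ == "__main__":
    for n, (chunk, wait) in enumerate(build_spray("Google", EXAMPLE_DATE, EXAMPLE_POLICY), 1):
        print(f"round {n}: {chunk}  then sleep {wait} min")
```

Each round is one password per user across the whole user list, not one user at a time; the wait between rounds is what keeps the per-account bad-password counter under the threshold. Filtering on complexity first avoids wasting a scarce attempt on a password the domain could never have accepted.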

## Authenticated Information Gathering
- [ ] Gather all user accounts from:
  - OWA or Office365 address list
  - portal.azure.com (Azure AD)
  - Lync (the Windows app will download and cache the GAL locally)
- [ ] Search email inboxes for:
  - "Password" - look for the standard password IT uses for resets
  - "Remote Access" - look for info on connecting to VPN, etc
  - "Intranet", "Portal", "HelpDesk", etc - look for sources of internal company info
- [ ] Hang out in company chat rooms in Slack, Skype, etc.
- [ ] Check calendars for dial-in info for board meetings and other sensitive events.
- [ ] Check Office365, SharePoint, Drive, etc for similar sensitive details.
- [ ] Try additional password spraying with the new accounts and likely passwords you have gathered.

## Breaching the Perimeter

- [ ] Leverage all available remote access services, such as:
  - RDP
  - Citrix
  - VPN
- [ ] Identified any RCE-by-design apps during OSINT? Try the credentials on those.
- [ ] Look for trial versions of any off-the-shelf applications on the perimeter, download them, and find 0-days.
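The Mapping Attack Surface steps above (repeated in internal-ad.md) import `nmap-out.xml` into Metasploit, weed out the suspect 5060/2000 hits, and then run `dir_scanner` once per web port with the right `SSL` setting. The script below does that bookkeeping straight from the nmap XML. It is an added example for this page, not code from the original repository; `SAMPLE_NMAP_XML` is a constructed stand-in for a real `nmap-out.xml`, the addresses in it are documentation ranges, and `WEB_SERVICE_NAMES` and `SUSPECT_PORTS` are assumptions you should adjust per engagement.

```python
"""Build per-port web target groups (and an msfconsole resource script) from
nmap XML, and list the ports the checklist says to verify before trusting.
Added example for this page; not part of the original repository."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample standing in for nmap-out.xml (nmap -sV -oA nmap-out ...).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
<host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="closed"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl" product="nginx"/></port>
<port protocol="tcp" portid="5060"><state state="open"/><service name="sip"/></port>
</ports></host>
<host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="2000"><state state="open"/><service name="cisco-sccp"/></port>
<port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
</ports></host>
</nmaprun>
"""

SUSPECT_PORTS = {5060, 2000}               # assumed: ports that are often ALG/firewall noise
WEB_SERVICE_NAMES = {"http", "https", "http-alt", "https-alt", "http-proxy"}  # assumed


def open_services(xml_text):
    """Return [(ip, port, service_name, is_ssl)] for every open TCP port.
    nmap -sV marks TLS-wrapped services with tunnel="ssl" on <service>."""
    root = ET.fromstring(xml_text)
    out = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open" or port.get("protocol") != "tcp":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            is_ssl = (svc is not None and svc.get("tunnel") == "ssl") or name.startswith("https")
            out.append((ip, int(port.get("portid")), name, is_ssl))
    return out


def web_targets(services):
    """Group web hosts by (port, ssl): each group is one dir_scanner run."""
    groups = defaultdict(list)
    for ip, port, name, is_ssl in services:
        if name in WEB_SERVICE_NAMES or name.startswith("http"):
            groups[(port, is_ssl)].append(ip)
    return {key: sorted(hosts) for key, hosts in groups.items()}


def suspect_services(services, ports=SUSPECT_PORTS):
    """Hits to eyeball by hand before they pollute the Metasploit database."""
    return [(ip, port, name) for ip, port, name, _ in services if port in ports]


def msf_resource_script(groups, dictionary="/opt/SecLists/Discovery/Web-Content/common.txt"):
    """Emit an msfconsole resource script equivalent to the manual steps above."""
    lines = ["spool dir-scanner.txt",
             "use auxiliary/scanner/http/dir_scanner",
             f"set DICTIONARY {dictionary}"]
    for (port, is_ssl), hosts in sorted(groups.items()):
        lines += [f"set RHOSTS {' '.join(hosts)}",
                  f"set RPORT {port}",
                  f"set SSL {'true' if is_ssl else 'false'}",
                  "run"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    svcs = open_services(SAMPLE_NMAP_XML)
    print("verify by hand:", suspect_services(svcs))
    print(msf_resource_script(web_targets(svcs)))
```

Write the script's output to a file and load it with `msfconsole -r dir-scan.rc` (or `resource dir-scan.rc` from the console). Grouping by `(port, ssl)` rather than by port alone matters because a non-TLS listener on 8443 or a TLS one on 8080 would otherwise get the wrong `SSL` setting and silently return nothing.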

--------------------------------------------------------------------------------
/internal-ad.md:
--------------------------------------------------------------------------------
# Internal Penetration Test (Active Directory Environments)

## Unauthenticated Information Gathering

### Automated Tools
- [ ] Generate nmap output files (with targets in `targets.txt`):
```sh
nmap -oA nmap-out -sV -p- -vv -iL targets.txt
```
- [ ] For tests with lots of web hosts, grab screenshots with a tool like [gowitness](https://github.com/sensepost/gowitness)
- [ ] Import nmap findings into Metasploit
```sh
# create a new workspace
workspace -a

# import the file
db_import nmap-out.xml

# view 5060 and 2000 to see if they are legit (they probably are not)
services -p 5060,2000

# delete them
services -p 5060,2000 -d
```
- [ ] Use Metasploit modules for web dir/file enumeration
```sh
msfconsole
spool dir-scanner.txt
use auxiliary/scanner/http/dir_scanner
set DICTIONARY /opt/SecLists/Discovery/Web-Content/common.txt

services -u -p 80 --rhosts
set rport 80
set ssl false
run

services -u -p 443 --rhosts
set rport 443
set ssl true
run

# repeat for other web ports (8443, 8080, etc)
```
- [ ] Check for anonymous SMB shares with `auxiliary/scanner/smb/smb_enumshares`.
- [ ] Check for open NFS shares with `auxiliary/scanner/nfs/nfsmount`.
- [ ] Check for anonymous FTP shares with `auxiliary/scanner/ftp/anonymous`.
- [ ] Create a list of machines that do not require SMB signing (for relaying later on).
  - `crackmapexec smb targets.txt --gen-relay-list relay-targets.txt`

### Manual Review
- [ ] Identify all URLs that allow logins.
- [ ] Manually review screenshots from all HTTP services.


## Obtaining Credentials
- [ ] Responder attack.
  - First, run in analyze mode (`-A`) to watch the wire without poisoning anything. Identify blue-team monitoring hosts (sensors, honeypots) and add their IPs to `DontRespondTo` in Responder.conf so they never receive a poisoned reply.
- [ ] Execute an [IPv6 MITM](https://github.com/fox-it/mitm6) attack.
- [ ] Getting action from standard Responder or mitm6? Use [Impacket](https://github.com/SecureAuthCorp/impacket)'s ntlmrelayx.py to dump the SAM and/or get interactive SMB shells on the hosts from your relay list.
- [ ] Start cracking any received challenge/response data.
- [ ] Wireless WPA-Enterprise attacks to gather usernames, hashes, and passwords.
  - [airgeddon](https://github.com/v1s1t0r1sh3r3/airgeddon) is a nice automation tool for hostapd-wpe.
- [ ] Find any printer admin pages? Try default creds and look for LDAP integration.
- [ ] Drop a few USB sticks in the conference rooms (don't push the scope!).
- [ ] Internal password spray:
  - Metasploit's `auxiliary/scanner/smb/smb_login`.
  - [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec).


## Authenticated Information Gathering
- [ ] Manually review scripts in `\\domain_name\netlogon`
  - Don't just look for passwords - look for references to dev environments, deployment servers, etc.
- [ ] Run the [SharpHound](https://github.com/BloodHoundAD/SharpHound) ingestor and map paths in BloodHound.
- [ ] Enumerate shares with crackmapexec `--shares`
- [ ] Rummage through shares.
- [ ] Rummage through SharePoint, e-mail, etc.
- [ ] Look for anything related to new accounts and password resets. IT often uses standard passwords for these. If you find one, spray it around.
- [ ] Enumerate and map network connectivity with a tool like [leprechaun](https://blog.vonahi.io/post-exploitation-with-leprechaun/).


## Initial Foothold
- [ ]

## Local Privilege Escalation
- [ ] Try [WindowsEnum](https://github.com/absolomb/WindowsEnum) or a similar script to cover the basics.
- [ ] Use a test machine to observe procmon.exe for vendor 0-days (writable DLL and service paths, etc)

## Domain Privilege Escalation
- [ ] Get SPNs (Kerberoast - get that GPU humming!)
- [ ] Run [Grouper2](https://github.com/l0ss/Grouper2)
- [ ] Running SQL servers? Try for authenticated SQL/SMB relay with `auxiliary/admin/mssql/mssql_ntlm_stealer`
- [ ] Leverage existing credentials to get more credentials or passable hashes.
  - crackmapexec `--sam`
  - crackmapexec `--lsa`
  - crackmapexec `-M mimikatz`
  - Windows Task Manager or procdump.exe to dump lsass, then use mimikatz or [pypykatz](https://github.com/skelsec/pypykatz)
- [ ] Find logged-in users and sessions on boxes you have admin rights to.
  - crackmapexec `--loggedon-users`
  - crackmapexec `--sessions`
- [ ] Review BloodHound paths to DA with:
  - All currently compromised accounts
  - All logged-on users on boxes you have admin rights to


## Objective Hunting
- [ ] Use Impacket's secretsdump.py to access credentials for the specific accounts you need.

--------------------------------------------------------------------------------
/osint.md:
--------------------------------------------------------------------------------
# General Information Gathering

## Automated Steps
- [ ] Run Spiderfoot with the base domain name and an appropriate level based on your scope.
  - Stick to passive scans pre-engagement.
  - Know that web crawling may hit out-of-scope targets and take a long time.

## Manual Steps
- [ ] Manually review social media sites for interesting info.
  - Twitter, Facebook, YouTube, Instagram, LinkedIn, Glassdoor, Reddit, etc.
- [ ] Manually review the corporate website.
- [ ] Manually search GitHub, GitLab, Stack Overflow, etc for company and product names.
  - If the company has their own repos, consider running [gitrob](https://github.com/michenriksen/gitrob).

# DNS Enumeration
- [ ] Run [amass](https://github.com/OWASP/Amass) with a config file including API keys and a brute-force strategy.
```
amass -d -config
```
- [ ] Run [theHarvester](https://github.com/laramies/theHarvester)
```
./theHarvester.py -d -b all
```
- [ ] Use [cloud_enum](https://github.com/initstring/cloud_enum) to enumerate public resources on Amazon, Azure, and Google Cloud.

# Username Enumeration
- [ ] Run [linkedin2username](https://github.com/initstring/linkedin2username).
- [ ] Search through your hoard of password dumps.

# Breached Account Reporting
- [ ] Run usernames through [pwned_report](https://github.com/initstring/pentest-tools/blob/master/osint/pwned_report.py)

--------------------------------------------------------------------------------
/password-audit.md:
--------------------------------------------------------------------------------
# Password Audit

--------------------------------------------------------------------------------
/web.md:
--------------------------------------------------------------------------------
# Web Application Pentest

## Technology Stack Enumeration
- [ ] [Wappalyzer](https://www.wappalyzer.com/download) helps with basic enumeration.
  - Don't forget to disable the extension when done reviewing!

## Follow a Testing Methodology
- [ ] [OWASP Testing Guide](https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents)
- [ ] [Web Application Hacker's Handbook Checklist](https://gist.github.com/jhaddix/6b777fb004768b388fefadf9175982ab) summarized by jhaddix.

--------------------------------------------------------------------------------
/wifi.md:
--------------------------------------------------------------------------------
# Wireless Penetration Test

## Information Gathering
- [ ] Perform a full site walkthrough while collecting general info.
```sh
# put interface into monitor mode
sudo airmon-ng start wlan0

# Write info to log files (wifi-walkthrough-01.csv, .cap, etc)
sudo airodump-ng --write wifi-walkthrough --wps --band abg wlan0mon
```
  - Manually review the airodump output, looking for:
    - A/V equipment broadcasting open or vendor-default networks.
    - Unofficial APs connected to the corporate network.
    - Client authentication attempts (candidates for evil-AP)

## WPA2-PSK Stuff
- [ ] Grab the handshake and crack it.
- [ ] If cracked, carry out evil-AP / client-side attacks.

## WPA2-Enterprise Stuff
- [ ] [airgeddon](https://github.com/v1s1t0r1sh3r3/airgeddon) automates basic username enum and hash theft for enterprise networks.
  - Physically walk through all office areas while conducting attacks.
  - Find areas where employees congregate that are out of range of the corporate APs and try attacks there (lobbies, cafe, etc)

## Open, Guest-Portal Stuff
- [ ] Check for network isolation:
  - `ip neigh`
  - `netdiscover`
  - `nmap`
  - `masscan`
- [ ] Responder.
- [ ] Evil-AP, force challenge-response with a captive portal.
- [ ] Try to find the admin portal URL. It may be on the same domain name as the captive portal.
  - Log in with default creds.
  - See if it allows you to admin the non-guest networks.

## Additional Client-Side Attacks
- [ ] [EAPHammer](https://github.com/s0lst1c3/eaphammer)
--------------------------------------------------------------------------------
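The walkthrough step in Information Gathering above leaves you with an airodump-ng CSV to review by hand for open or vendor-default networks, APs broadcasting the corporate ESSID from unexpected hardware, and clients worth targeting with an evil AP. The script below triages that CSV. It is an added example for this page, not code from the original repository. `SAMPLE_CSV` is constructed to mimic airodump-ng's CSV layout (an AP table, a blank line, then a station table whose last column is a comma-separated list of probed ESSIDs); the `DEFAULT_ESSID_PREFIXES` list and the `CORP_ESSID`/`CORP_OUIS` values are assumptions you would replace with what you learned on site.

```python
"""Triage an airodump-ng CSV for the items the walkthrough step says to look for.
Added example for this page; not part of the original repository."""
from collections import namedtuple

AccessPoint = namedtuple("AccessPoint", "bssid channel privacy essid")
Station = namedtuple("Station", "mac bssid probes")

# Assumed: ESSID prefixes that usually mean unconfigured A/V or consumer gear.
DEFAULT_ESSID_PREFIXES = ("DIRECT-", "Crestron", "NETGEAR", "Linksys", "TP-Link")
CORP_ESSID = "CorpWifi"          # assumed corporate network name
CORP_OUIS = ("00:11:22",)        # assumed OUI(s) of the official AP fleet

# Constructed sample in airodump-ng's CSV layout (wifi-walkthrough-01.csv).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2019-03-15 10:00:01, 2019-03-15 10:09:58,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   8, CorpWifi, 
00:11:22:33:44:66, 2019-03-15 10:00:03, 2019-03-15 10:09:50, 11,  54, OPN ,     ,    , -55,       80,        0,   0.  0.  0.  0,  17, Crestron-AirMedia, 
00:11:22:33:44:77, 2019-03-15 10:01:10, 2019-03-15 10:09:40,  1,  54, WPA2, CCMP, PSK, -70,       30,        0,   0.  0.  0.  0,  12, DIRECT-xy-HP, 
DE:AD:BE:EF:00:01, 2019-03-15 10:03:00, 2019-03-15 10:09:45,  6,  54, WPA2, CCMP, PSK, -60,       40,        0,   0.  0.  0.  0,   8, CorpWifi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2019-03-15 10:02:00, 2019-03-15 10:09:00, -50,       20, (not associated) ,CorpWifi,CoffeeShop
AA:BB:CC:DD:EE:02, 2019-03-15 10:02:30, 2019-03-15 10:09:30, -45,      300, 00:11:22:33:44:55,
"""


def parse_airodump_csv(text):
    """Return ([AccessPoint], [Station]). The two tables are told apart by
    their header rows; ESSIDs containing commas are not handled."""
    aps, stations, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "station"
            continue
        if section == "ap":
            f = [x.strip() for x in line.split(",")]
            if len(f) < 14:
                continue
            aps.append(AccessPoint(f[0], int(f[3]), f[5], f[13]))
        elif section == "station":
            # Only the first six commas are delimiters; the rest belong to probes.
            f = [x.strip() for x in line.split(",", 6)]
            probes = [p.strip() for p in f[6].split(",") if p.strip()] if len(f) > 6 else []
            stations.append(Station(f[0], f[5], probes))
    return aps, stations


def triage(aps, stations, corp_essid=CORP_ESSID, corp_ouis=CORP_OUIS):
    """Pick out what the walkthrough checklist asks you to find."""
    corp_bssids = {ap.bssid for ap in aps if ap.essid == corp_essid}
    return {
        # Open networks, frequently A/V kit or forgotten test gear.
        "open": [ap for ap in aps if ap.privacy == "OPN"],
        # Vendor-default names: nobody configured these, so default creds likely survive.
        "default_named": [ap for ap in aps if ap.essid.startswith(DEFAULT_ESSID_PREFIXES)],
        # Corporate ESSID from hardware that is not the official fleet: unofficial AP or a twin.
        "suspect_corp_ssid": [ap for ap in aps if ap.essid == corp_essid
                              and ap.bssid[:8].upper() not in {o.upper() for o in corp_ouis}],
        # Clients shouting for networks will join an evil AP that answers to any of those names.
        "probing": [st for st in stations if st.probes],
        # Clients attached to the corporate ESSID: the pool for evil-AP / hostapd-wpe attacks.
        "corp_clients": [st for st in stations if st.bssid in corp_bssids],
    }


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for key, items in triage(aps, stations).items():
        print(key, [getattr(i, "essid", None) or i.mac for i in items])
```

Point `parse_airodump_csv` at the contents of `wifi-walkthrough-01.csv` from the airodump-ng command above. The `suspect_corp_ssid` check is only a heuristic: a legitimate AP from a second vendor will trip it too, so confirm by channel, signal strength and physical location before reporting it as a rogue.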