I maintain this knowledge base on a CherryTree database that I use during engagements.
Online Practice labs ,Test and Advancing your skills in cyber security.
Depending on your role in Infosec structure, you may assist in the following tasks.
- Initial Engagement with Stakeholders.
- Draw up and sign the legal agreements, MSA's and NDA's.
- Scope the Statement of work and the Rules of engagement with Stakeholders, Business Owners and 3rd party hosting providers.
- Before engaging in the security assessment PenTest milestone, confirm the approval to start the PenTest.
- Document all PenTest activities and findings and keep a detailed risk register during the pentest phase.
- Present Detailed Pentest Report with sufficient evidence to discount any false positive or doubt in stakeholders
- Remedial post assessment engagement, tracking and retesting
- InfoSec & Frameworks - CIA, NIST, STRIDE, COBIT, PDCA, AGILE, TOGAF, OODA, SIPOC, & ITDRP
- URL References - source of Information Security i used to compile my Penetration Testing Methodology
- Wordlists sources
- Python Programming
- PowerShell
- Linux Commands
- JavaScript
- Command and Control / C2 / C&C / Cloud Services
- Bash Scripts
- Go Coding
- Installations
- C++/CPP Coding
- VisualBasic Code
Target + Vulnerability + Exploit = Compromise
Information gathering before going into enumeration phase.
Get understanding of the target, it's services and systems.
- Scanning
- netdiscover
- nmap
- network discovery
- UDP scans
- List Target Ports
- no response ICMP
- full ignore
- external scan
- all exploit scripts
- nmap grepper
- Fingerprint & Banner
- help
- autorecon
- port knocking
- wget
- wordpress scan
- masscan
- packet sniffing
- wireshark
- wireshark filters
- dhcp traffic
- device models & OS
- Windows User Account
- String Search
- OSI Models
- SShdump
- tcpdump
- OSI Model Layers
- network challenges
- tshark
- wireshark
- OSINT
- maltego
- Google Dork
- shodan
- Collections
- WayBack Machines Web Archives
- Google Cached
- Netcraft
- bug bounty hunting
- TheHarvester
- whois
- Human Manual Task to gather information
Most important phase, rigorous enumeration of all recond services and ports. The idea is to collect as much interesting information as possible about the target and it's services. Exploitation or attacks are only possible once you can find an exploit in the target services or ports. Your eyes are the best tools, read carefully.
- 21 FTP
- 22 SSH
- login with private key
- ShellShock
- SSH directo to bin/sh
- SSH local port Forwarding
- nmap
- OpenSSH private key
- 23 Telnet
- 25 SMTP
- nmap
- hunter online
- connect
- python
- 53 DNS
- DIG DNS
- brute
- host enum
- dnsenum
- nmap dns
- 80/443 HTTP
- wfuzz
- gobuster
- dirb
- dirsearch
- wordpress
- nikto
- CEWL
- wget
- curl
- Browsing
- wappalyzer
- httpOnly False
- javascript
- back ticks
- login page
- robots.txt
- domain names
- source code & Dev Tools
- whatweb
- owasp-zap
- skipfish
- uniscan
- 88 Kerberost
- GetNPUsers
- kerbrute
- GetUserSPNs
- 110 POP3
- pop3 alt port
- 111 NFS
- 123 NTP
- 135 RPC
- 139/445 SMB
- nmap smb
- msfconsole
- crackmapexec smb
- smbclient
- smbclient null
- smbpasswd
- mount smb
- enum shares
- smbget
- smbmap
- rpcclient
- rpclient help
- enum printers
- bash query RID
- enum4linux
- 143 IMAP
- 161 SNMP
- 389/3269 LDAP
- 554 RTSP
- 593 RPC over HTTP
- 631 Printers
- 636 LDAP
- 1056 Trojan / Virus
- 1433 SQL
- SQLMAP
- 1521 Oracle
- 2049 NFS
- show mount
- 3268 GlobalCat
- 3306 MYSQL
- msfconsole
- SQLMAP
- mysql with creds
- 3389 RDP
- xfreerdo
- remmina
- 4386 HQK
- 5060 SIP
- 5601 Kibana
- 5666 NRPE (Nagios)
- 5901 VNC
- 5985 WinRM
- crackmapexec winrm
- Evil-WinRM
- 6379 REDIS
- 6667 irc
- 6699 napster
- 8080 Web Servers
- HttpFileServer HFS
- Jenkins/Jetty
- 8291 MikroTik
- 8443 NetGear
- 8500 FMTP Coldfusion
- 8834 nessus
- 9191 Printer PaperCut
- 9256 Achat
- 9389 AD Web
- 11211 memcached
- 13327 CrossFire
- 50000 Jetty
Once all possible services have been enumerated with, or without credentials, then attempt to establishing a basic low privilege shell as a user or service account. Once thorough enumeration of services and ports completed, aim too obtain a low level user and or service account shell by exploiting it. Getting a FootHold on the target.
- Default Credentials
- Hosting
- samba smbd
- SMBserver
- python2 HTTP
- python3 http
- FTP hosting
- PHP
- File transfer
- PowerShell
- CURL
- certutil
- wget
- ftp file transfers
- smbclient
- scp
- netcat
- VBscript
- Payloads
- exiftool
- PayloadsAllTheThings
- msfvenom
- Windows 32bit
- Windows 64bit
- Linux
- Mobile
- XSS Payloads
- SQL Injections Input
- Windows Commands
- Compilers & Debuggers
- dnSpy
- gcc
- gcc mingw w64
- gcc help
- Immunity Debugger
- fpm compiler
- Visual Studio Code
- minGW
- jDoodle
- Connect Shells
- NC
- NetCat Windows
- Python
- pwncat
- socat
- bash shell
- PowerShell Reverse Shell
- PowerCat
- Cracking
- identify hash
- hashid
- Active Crack
- hydra
- ssh
- ftp
- pop3
- http-post-form
- http-get
- medusa
- wordpress
- crackmapexec
- Python brute force
- hydra
- Offline Cracking
- hashcat GPU host
- md5
- NTLM
- NTLMv2
- Kerberos
- sha512 1800
- bcrypt 3200
- sha2-256 1400
- SHA-1
- sha1(pass:salt)
- hmac-sha1
- base64
- VNC reg decryt
- John
- keepass db
- shadow.bak
- zip2john
- ssh2john
- netNTLMv2
- Raw-MD5
- pgp & asc
- Raw-SHA256
- responder logs
- John GPU host
- sha512 dynamic
- Gost Hash
- BASH brute force
- Burp Suite Decoder
- Python scripts
- fcrackzip
- gpp-decrypt
- hex crack xxd
- hashcat GPU host
- Online Websites Decrypt Services
- identify hash
- Metasploit
- metasploit help
- msfconsole
- msf Reconnaissance
- smtp
- smb metasploit
- wordpress login
- msf Exploitation
- reverse_tcp
- multi/handler 1 line
- libreNMS
- msfconsole psexec
- bluekeep
- HFS HttpFileServer
- webmin
- TomCat
- ms17-010 eternalblue
- wordpress 5 core
- nostromo
- smb_login brute
- add custom module
- Struts
- msf post exploitation
- background msf
- privelege escalation
- exploit-suggest
- looting
- persistence
- Metasploit PowerShell
- msf pivoting
- metasploit help
- AV Bypass
- Exploits & Low Shell
- Exploiting
- ftp
- Example FTP Script
- telnet 21
- ProFTPd exploit
- ftp upload sh
- ssh
- login using priv&pub key
- custom port and noprofile
- ssh-keygen
- ssh port forwarding
- ssh log poisoning
- SSH Tunnels
- LFI / RFI
- LFI wordlist
- ColdFusion
- win.ini
- LFI example5
- lfi domain search
- php parameter
- php filter LFI
- Kibana Logs
- RCE
- umbracp webapp
- curl upload
- curl command injection
- openEMR
- Drupal 7
- tomcat9
- moodle rce
- RCE BlogEngine
- dvwa
- icecast
- Jenkins
- SMB
- smbmap
- smbclient
- crackmapexec
- mount smb
- CMS
- CMS Made Simple
- WordPress
- Fuel CMS
- joomla CMS
- Gila CMS
- Cuppa CMS
- bolt CMS
- JsonPickle Exploitation
- Arbitrary File upload
- Impacket MSSQLclient
- VHD Hyper-V
- ntp
- OpenSSL heartbleed
- REDIS
- Shellshock HTTP
- phpMyAdmin
- nginx
- jserv Apache
- blind back tick
- node.js
- ${ifs}
- .htpasswd
- MSSQL cmdshell
- file uploads
- client side
- Extensions
- Magic Numbers
- Challenge
- RCE & overwrite
- Bypass Client side filter
- ftp
- Linux Reverse Shell
- bash
- python reverse shell
- full interactive shells
- NetCat
- HTTP force Browsing
- php excution
- Kernel OS
- Windows Reverse Shell
- Evil-WinRm
- Kerberoasting
- PowerShell
- iis aspx
- psexec.py
- coldfusion
- MSSQL cmdshell
- Rejetto HTTP file server
- Windows Kernel Exploits
- Windows REG
- Jenkins
- Exploiting
- Buffer Overflow - Windows
- fuzz - pattern - EIP - JMP ESP - bad characters - NOP sled - Payload
- Buffer Overflow - Linux
- fuzz - pattern - EIP - JMP ESP - bad characters - NOP sled - Payload
- Extractions!
- Reversing
- r2
- r2 debug
- ghidra
- source code
- html
- web request
- user agent
- referer
- drop down+1
- javascript
- edit HTML
- curl post
- image size
- r2
- Crypto
- base 16 32 64
- rot13
- base58
- XOR operation
- Vigenere Cipher
- Cistercian Monks Numrals
- Numbers > Dec > Hex > Ascii
- CyberChef
- fernet
- Integrity Check Files
- volatility
- RSA Chinese Remainder
- Chiffre de Bacon
- old mobile keyboard
- Stego
- binwalk
- zsteg
- steghide
- stegCracker
- exiftool
- pngcheck
- jsteg
- multimon-ng
- stegSNOW
- Homoglyphs
- binary image
- steg_brute.py
- stegsolve.jar
- hexdump
- QR codes
- reverse image search
- forensics
- usbrip
- Microsoft Docs
- volatility
- packet capture
- WireShark
- readpst
- VHD
- web archives
- Mobile
- mobile backup
- apk
- OSINT
- phishing emails
- username locations
- WayBack Machine
- sherlock
- Reversing
We gained low shell, with limited permissions. Privilege Escalation next to more elevated rights on target or gain full access as root administrator.
-
Windows
- Enumerate to privilege escalate
- Windows cmds
- winPEAS
- SherLock
- Watson
- JAWS
- Windows Exploit Suggester
- seatbelt
- SharpUp
- rpcclient
- PowerShell Enum
- Registry
- icacls
- SysInternals
- PowerUp
- Privilege Escalation Windows
- dnscmd
- evil-winrm
- CapCom.sys
- Port Forwarding
- socat tunnel
- plink putty
- SSH Tunnel forwarding
- Windows SubSystem Linux
- Windows Privileges
- hot patato
- Potato Impersonation
- SeImpersonatePrivilege
- Alternate Stream
- PowerShell Stream
- smb allinfo
- runAS
- Services
- Service escalate registry
- Service Escalate Executable
- Service Unquoted Service Path
- Service Binary Path
- StartUp Apps
- Windows Kernel Exploits
- psExec.py PrivEsc
- User Account Control (UAC)
- Enumerate to privilege escalate
-
Linux
- Enumerate inside Linux Shell
- Linux Enum Commands
- System Enum
- ps
- cron jobs
- scheduled cron jobs
- User Enum
- history
- enum4linux
- Network Enum
- netstat
- tcpdump
- ss
- find weak perm
- SUID
- password hunting
- System Enum
- LinPEAS
- LinEnum
- pspy
- Linux Exploit Suggester
- Linux Priv Checker
- Access MDB
- Capabilities
- Linux Enum Commands
- Linux Priv Esc to increase rights in low shell
- Weka File Perm
- Kernel Exploits
- Stored Passwords
- sudo
- shell escaping
- intended function
- LD_Preload
- pwfeedback
- systemctl
- dpkg
- perl scripts
- zip
- Python Lib HiJack
- SSH Keys
- psexec
- PenTestMonkeys
- Full Interactive Shell
- SUID
- Shared Object Injection
- Symlinks
- Envrionment Variables
- sysinfo
- Statuscheck
- logrotate
- Capabilities PrivEsc
- Schedule Cron Jobs
- NFS Root Squashing
- Docker
- Lxd Privilege Escalation
- lxc/lxd privesc
- Enumerate inside Linux Shell
The section is based on the OWASP Top 10 Web Application Security Testing Guide. Following the OWASP Top 10 Web Application Testing Attack Guide and their CheckList of Test Cases as guide through Web App Pentests engagements.
- OWASP Web Application Testing Attack Guide v4 - PDF
- OWASP Testing Checklist v4 - Microsoft EXCEL
- OWASP Testing Checklist - Google Sheet
- Info Recon(INFO)
- Tools & Methods
- gobuster
- unshorten tiny URL
- directory Brute Force
- robots.txt
- cookies
- DNS
- dirb
- Burp Suite
- curl
- Fingerprint Web Server-INFO002
- Fingerprint Web App-INFO009
- Tools & Methods
- Configuration (CONFIG)
- Sensitive Information-CONFIG004
- Admin Interfaces-CONFIG005
- Identity (IDENT)
- User Registration-IDENT002
- Authentication (AUTHN)
- account lock-AUTHN003
- Weak password policy-AUTHN007
- Weak password change reset-AUTHN009
- Authorization (AUTHZ)
- IDOR-AUTHZ004
- Session (SESS)
- Session Manage Schema SESS001
- Input Validation (INPVAL)
- reflected XSS-INPVAL001
- SQL Injection-INPVAL005
- SQLMAP
- SQLi Payloads
- UNION Attacks
- XSS-INPVAL009
- Code Injection-INPVAL012
- Server-side template injection
- Splitting/Smuggling-INPVAL016
- Error Handling (ERR)
- Weak Cryptography (CRYPST)
- Padding Oracle CRYPST002
- Business Logic (BUSLOGIC)
- Work Flows-BUSLOGIC006
- Client Side (Client)
- DOM Cross site scripting-CLIENT001
- Resouce Manipulation CLIENT006
- CORS CLIENT007
- ClickJacking CLIENT009
Certain systems require more specialized methods and lead to high value targets, for example Databases, eMail, Directory services, WiFi, and Network Pivoting. These systems have very detailed and specific attack methods, and tools to enumerate and exploit.
- Active Directory
- LLMNR Poison
- HashCat
- SMB Relay
- msfconsole
- impacket psexec
- IPv6 Attack
- PowerView
- BloodHound
- AD Attack POST Compromise
- Printers
- DNS
- Pivoting Networks
- SQL
- mysql
- mySQL commands
- Microsoft SQL
- postgreSQL
- RogueSQL MIM
- SQLite
- mysql
- Oracle
- Wireless
- aircrack-ng
- Introduction
- Executive Summary
- Findings
- Risk Matrix
- Recommendations
- Remediation
Once the security assessment is complete the value to the stakeholders are in the detailed and quality findings presented, recommendations and remediation reported.