Skip to content

grenierdev/Pentest-Cheatsheet

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

External

You'll cycle back here to move laterally in the subnet.

Subnet, Hosts, vHosts

Host scan for targets; crawl website to find domains and subdomains; brute force subdomain lookup and vhost; inspect SSL certificate for subdomain; retrieve WHOIS information for a domain.

Don't forget that subdomain also have subdomains!

Take notes of patterns in names or IPs.

Ports and Services

Port scan first; service scan found ports; banner grab the port without fingerprint match.

Don't forget only connect-scan work over tunnels!

Take notes of patterns and versions of ports and services. Sysadmin tend to reuse same software and configuration.

Domain

Encountered LDAP or Active Directory, launch enum4linux you might find users and objects.

Take notes of domains, users, groups, policies.

Infosec

Navigate website for employees, authors, contact data, interesting notes; CeWL to generate word list specific to a website.


Internal

Connectivity and Firewall

Capture Ping, HTTP request, SMB connect, FTP connect, Responder, or any other port with Bash, NC or Powershell.

Show firewall status and it's rules; create new rule for your reverse/bind shell.

Don't forget sysadmin are lasy-ass and usually configures firewall port both-direction for running services. Meaning that if port 3306 is open inbound, it probably open for outbound connection too.

Take notes of connectivity and firewall rules.

whoami

Where are you?, Who are you? What are your permissions? What can you access? What can you manipulate?

...whoami, id, passwd, sudoers, groups, sudo -l, SUID, GUID

Take notes of your privilege and retrieve your password if you can.

Users, Groups

Who's there with you, what are the level of security

Take notes of other users, their permissions and their password if you can retrieve them.

Running Processes, Services, CRONs and VMs

What's running on the system that you could abuse

OS stuff, pspy, docker, lxc, hyper-v


Interactive keyboard

Got you hand on some credential? Try to connect to all the services

...SSH, rdesktop, xfreerdp, evil-winrm, impacket-smbexec, chisel, NC, Invoke-PowerShellTcp, Web shell, impacket-smbserver

About

Collection of commands and link for my pentesting journey

Resources

Stars

Watchers

Forks

Contributors

Languages