Note: Check-lists and cheat-sheets :)
- SMB-Checklist
- Win32 Offensive Cheatsheet
- Regexp Security Cheatsheet
- Cheat-Sheet - Active-Directory
- Security Testing of Thick Client Application
- OWASP Cheat Sheet Series
- OSSTMM
- MindMaps
- EasyG and all the connected tools
- Burp Suite and all the extensions
- Kali Linux + install.sh since it has everything you need
See The Bug Hunter's Methodology v4.0 - Recon Edition by @jhaddix #NahamCon2020!
- Integrations
- Application Libraries (usually JavaScript)
- Application: Custom Code or COTS
- Application Framework
- Web Hosting Software (Default creds, Web server misconfigurations, web exploits)
- Open Ports and Services (Default creds on services, service level exploits)
- Identify technologies
  - Look for response headers, use `curl -I www.domain.com`
  - Use Wappalyzer, WhatWeb, BuiltWith
  - Check for CVEs
- Portscanning: use nmap, also for possible hidden web ports
  - SMB: `nmap -vvv -p 139,445 --script=smb*`
- Check errors / cause an error
  - Search for possible disclosures in the responses
  - Try to cause an error with a wrong / non-existent HTTP method
- Search for `.js` files, they may reveal infos about libraries and / or plugins used
- Check available HTTP methods
  - Use `OPTIONS` and `HEAD`
  - Pay attention if dangerous methods are enabled, like `PUT`, `DELETE`, `CONNECT` and `TRACE`
  - HTTP verb tampering
- Test for SSL
  - Check ciphers
    - testssl.sh
    - `nmap -sV --script ssl-enum-ciphers -p 443`
    - SSL Server Test (Powered by Qualys SSL Labs)
  - Check if HSTS is set (`Strict-Transport-Security`)
    - sslstrip
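The two checks above (which HTTP methods the server advertises, and whether HSTS is set with a sane `max-age`) can be scripted against a saved response. The following is an added example, not code from this repo or from EasyG: it parses a raw HTTP response as printed by `curl -I`, flags the dangerous methods named above in the `Allow` header, reports a missing or short `Strict-Transport-Security`, and notes a version-revealing `Server` header. The two sample responses and the `ExampleHTTPd` server name are constructed for the demo and do not come from any real host.

```python
"""Audit a raw HTTP response for dangerous methods, HSTS and version disclosure."""
import re

DANGEROUS_METHODS = {"PUT", "DELETE", "CONNECT", "TRACE"}
ONE_YEAR = 31536000  # seconds; a common minimum for an HSTS max-age

# Constructed sample responses (not captured from any real host), shaped like
# what `curl -I -X OPTIONS https://host/` prints. "ExampleHTTPd" is made up.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd/1.2.3\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "Allow: PUT, DELETE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return {lowercased-name: value}; repeated headers are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def allowed_methods(headers):
    """Methods advertised in Allow, upper-cased and de-duplicated."""
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def hsts_max_age(value):
    """max-age in seconds from an HSTS header value, or None if absent/malformed."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_response(raw):
    """Return the advertised methods and a list of human-readable findings."""
    headers = parse_headers(raw)
    methods = allowed_methods(headers)
    findings = []
    for method in sorted(methods & DANGEROUS_METHODS):
        findings.append(f"dangerous method enabled: {method}")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: no Strict-Transport-Security header")
    else:
        age = hsts_max_age(hsts)
        if age is None:
            findings.append("HSTS malformed: no max-age directive")
        elif age < ONE_YEAR:
            findings.append(f"HSTS max-age too short: {age}s (< {ONE_YEAR}s)")
    server = headers.get("server", "")
    if re.search(r"/\d", server):  # "Product/1.2.3" style version string
        findings.append(f"Server header discloses a version: {server}")
    return {"methods": sorted(methods), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_response(raw)
        print(f"[{label}] methods: {', '.join(result['methods'])}")
        for finding in result["findings"] or ["no findings"]:
            print(f"  - {finding}")
```

Feed it the output of `curl -I -X OPTIONS` against a host you are authorised to test; on the hardened sample it reports nothing, on the weak one it lists `PUT`, `DELETE` and `TRACE`, the missing HSTS header and the versioned `Server` banner.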
- Metafiles Leakage
  - Look for infos in `robots.txt`, `.svn`, `.DS_STORE`, `README.md`, `.env`
- Enumerate inputs and functionalities
  - Be sure to have noted every possible input, especially the riskier ones
- Look at the source code
  - Search for interesting content, like comments
- Directory Research
  - Check for possible backup files (`.old`), log files, and other files like `.php` or `.asp`, even for source disclosure
  - Search for possible hidden / supposed-to-be protected paths
  - Use various lists
    - SecLists, FuzzDB, PayloadAllTheThings
    - Custom: cewl
- Dorking
  - Google, GitHub, Shodan
- Defining the Scope
- Check if the target is valid
- Setup the environment
- Information gathering
- Passive Information Gathering (OSINT)
- Active Information Gathering
- Service enumeration
- Cycle
- Penetration
- Initial Foothold
- Privilege Escalation
- Lateral Movement
- Maintaining access (Trojans)
- House keeping
- Cleaning up rootkits
- Covering tracks
- See: Post Exploitation - The Penetration Testing Execution Standard
- Results
- Reporting / Analysis
- Lessons Learned / Remediation
- XSS
- CSRF
- Authorization issues
- IDOR
- Run EasyG assetenum
- Select the interesting targets
- Pass the subdomains to Burp Suite
- Open them in Firefox
- Check for mobile/desktop applications
- If there are any other non-web applications, use Apkleak and Source2Url (even if OoS)
- If every asset is in scope
- If IPs are in scope: `cat ip.txt | dnsx -ptr -resp-only`
- Recon
- Explore the app, test every functionality (eventually, search for documentation)
- Crawl with Burp Suite
- Collect endpoints with BurpJSLinkFinder
- Content Discovery, use tools, Google Dorking and GitHub Dorking
- Check the Testing layers
- See the technologies, search for CVEs
- Look for PII Disclosure
- If you find redacted documents
  - Try to copy and paste the obscured text
  - Try to convert the PDF, for example with pdftotext
- Parameters
- Look for reflections
- Use ParamSpider
- Redirection
- Check for Open Redirects
- Authentication
- See Authentication vulnerabilities
- Account Section
- HTTP Request Smuggling in login panels
- CSRF for every auth user action
- Password Reset Broken Logic / Poisoning
- Upload Functions
- Email functions, check if you can send emails from the target
- Spoofing
- HTML Injection
- XSS
- Feedback functions
- Look for Blind XSS
- Broken Access Control, IDOR & co
- Content Types
- Look for multipart-forms
- Look for content type XML
- Look for content type json
- APIs
- Methods
- API Security Checklist
- Errors
- Change POST to GET
- OWASP Cheat Sheet Series, check also
- Look at the index of this repo and see if you've missed anything interesting