Penetration Testing Methodology

Penetration testing Process, Methods and Real world Attacks Collections

Framework and Testing Guide

• OWASP - Open Web Applicaiton Security Project
• PTES- Penetration Testing Execution Standard
• PCI DSS PCI Penetration Testing Guide
• PTF - Penetration Testing Framework
• OSSTMM - Open Source Security Testing Methodology Manual

Pre Engagement

VMware

• vmplayer
• vmware workstation
• vmware esxi

Windows

• windows 7/8/10

Linux

• kali
• Debian
• ubuntu
• Arch
• Gentoo

Wifi Adapter

• Alpha
• TPLink
• Panda
• Detroit DIY

Spectrum Analyser

• Kaltman Creations HF-4060

Open Source Software

• Maltego - Maltego is an interactive data mining tool that renders directed graphs for link analysis.
• Metasploit Framework - collection of remote exploits and post exploitation tools for all platforms
• SET toolkit - designed to perform advanced attacks against the human element.
• theHarvester - gathering e-mail accounts, user names and hostnames/subdomains from different public sources
• mimikat - extract plain or hash of password.
• dig - bind-utils
• THC Hydra - for brute force
• Powersploit - a collection of Microsoft PowerShell modules
• CrackmapExec - post exploitation tools for Active Directory.
• Burpsuite - can use as proxy as well as active scanner
• Empire - powershell framework for remote and post exploitation.
• Nmap - port scanner
• knockpy - subdomain scanner
• netcat - network utility
• nishang - post exploitation powershell Framework

Checklist

• Determination of the type of pentest (Blackbox, Whitebox)
• Key objectives behind this penetration test
• Location address and contact (if it is an onsite job)
• Validation that the Authorization Letter has been signed
• URL of the web application that is in scope and validation that isaccessible
• 2 sets of credentials (normal and admin or a privilege user) and validation that are working
• Determination of the environment (Production or UAT)
• Number of static and dynamic pages
• Testing Boundaries (DoS, Brute force attacks etc.)
• Technologies (PHP, ASP, .NET, IIS, Apache, Operating system etc.)
• Any VPN or port numbers are needed and verify those ahead of time
• Any web services that the site may use.
• Any pages that the client does not want to be tested.
• Any pages that submit emails
• IP address of the tester
• Escalation contact
• 3rd parties that needs to be contacted in advance of the pentest
• Web application firewalls and other IDS in place
• Timeframe of the assessment (dates and hours)
• Diagrams and any kind of documentation
• Validation that a backup has been performed recently on theapplication
• Other client requirements

Intelligence Gathering

Guides

• OSINT Primer 1
• https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Open%20Source%20Intelligence.md
• https://sites.google.com/site/greynetwork2/home/osint-resources
• http://archive.is/sYzcP#selection-62.0-62.1
• https://blog.rapid7.com/2015/02/23/osint-through-sender-policy-framework-spf-records/
• https://www.i-intelligence.eu/open-source-intelligence-tools-and-resources-handbook/
• https://krypt3ia.wordpress.com/2012/01/11/the-subtle-art-of-osint/
• https://www.slideshare.net/SudhanshuChauhan/tools-for-open-source-intelligence-osint-61284325

Tools

• Dnsrecon
• Recon-ng
• Shodan
• theHarvester
• maltego
• google dork
• http://osint.link/
• http://osintframework.com/

Thread Modelling

Guides

• https://www.owasp.org/index.php/Application_Threat_Modeling
• https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-and-risk-management/threat-modeling/#gref

Tools

• OWASP Thread Dragon
• Microsft SDL Thread Modelling tools

Vulnerability Analysis

Automatic Vul scanners

• Accunetix
• OpenVas
• Vega
• Nikto
• Wikto
• w3af
• Xenotix XSS Framework
• Wapiti

Manual Scanner

• nmap
• Metaploit Framework

Guides

• nmap scanning
• Nmap Network Scanning The Official Nmap Project Guide to Network Discovery and Security Scanning
• NSE
• nmap cheat sheet
• Metaploit vulnerable scanning
• hack metasploitable 2

Initial Intrusion

Pubic exploit POCS and payloads techniques

• PowerShell DNS Delivery
• SharpShooter Payload Generation Framework
• Pwning with Responder
• Low Privilege Active Directory Enumeration
• Setting Content MS
• HTA payload encryptor
• Microsoft office Payload in Document Properties
• DDE Payload
• Phishing with GoPhish
• Spear Phishing with SET toolkit
• ms017-010
• CVE-2017-5638
• CVE-2016-6662
• Exploit Database

Web Application

Attacker Vector

• Web Base Attack
• OWASP Top 10 2017
• Attack Vector

Public POCS

• Exploit Database
• PhpMyAdmin LFI
• LIF to RCE
• Java Deserailization Exploit
• Brute forcing JSON Web token
• Exploitation CORS

Reverse Connection

• Reverse Shell CheatSheet

Wifi

• awesome-wifi-security

Post Exploitation

Windows

Password dumping

• TBAL DPAIP Backdoor for local user
• Dumping Domain Password
• Dumping ClearText Creds
• Empire Tips and Trick
• Extract Remote Hash
• Capturing NetNTML

AD

• The worst of both worlds
• pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy
• Beyond LLMNR/NBNS Spoofing
• Gathering AD Data with Powershell
• kerberosting without mimikatz
• Kerberost
• Golden Ticket
• pass-the-ticket
• Gaining Domain Admin Rights
• Attacking Kerberos : kicking the guard dog of hades
• Token Impersonation

Privilege Escalation

• Windows Privilege Escalation Fundamentals by FuzzySecurity
• DLL Hijacking
• Potato
• RottenPotatoNG
• Privilege Escalation Guide

Lateral Movement

• RDP tunneling
• SQL Server Link Crawling
• Lateral Movement WinRM
• CrackeMapExec
• RDP Inception
• RDP Lateral Movement
• Powerview and crackmapExec
• Persistent payload
• port forwarding with netsh
• The Trustpocalypse
• DcShadow Explained
• Domain Trust: Why You Should Care
• A Guide to Attacking Domain Trusts
• Javascript C2

Bypass techniques

• evading autorun
• mimikatz obfuscation
• Putting data in Alternate data streams and how to execute it
• Putting data in Alternate data streams and how to execute it 2
• Leveraging INF-SCT Fetch
• Empire without powershell
• Powershell without powershell
• Exploitation Code Injection Powershell to bypass Constraint mode
• Bypass Constraint Mode with runscripthelper
• InternetExplorer.Application for C2
• We Don't Need Powershell.exe Part 2
• WSH Injection

MISC

• Borrowing Microsoft Code Signing Certificates
• Guide to Attacking Domain Trust

Linux

Privilege Escalation

• Basic Linux Privilge escalation by g0tmi1k
• Exploit Database
• Attack and Defend : Linux Privilege Escalation
• SUID executable
• Guide to Linux Privilege Escaltion
• Labs write up

LDAP

• Understand and Exploit web based LDAP
• Web based LDAP injection

Lateral Movement

• SSH port forwarding
• SSH & meterpreter port forward
• Tunneling & port forwarding

Web Shell

• webshell

Data Exfil

• awesome-red-teaming
• out of band Exploitation

Reporting

• public report
• Dradis Report Framework
• Writing Pentest Report By SANS

All the Tools mentioned here are Open Source or free.