---
description: >-
This is the main page. Here you can find the typical workflow for the
pentesting of a machine
---
# Pentesting Methodology
![](.gitbook/assets/portada-2.png)
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
## 0- Physical Attacks
Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](physical-attacks/escaping-from-gui-applications/).
## 1- [Discovering hosts inside the network ](pentesting/pentesting-network/#discovering-hosts)
## **2-** [**Having Fun with the network**](pentesting/pentesting-network/)
Before attacking a host, you may prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively \(MitM\)** what you can find inside the network. You can read [**Pentesting Network**](pentesting/pentesting-network/#sniffing).
## 3- [Port Scan - Service discovery](pentesting/pentesting-network/#scanning-hosts)
The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** on which ports. Let's see the [**basic tools to scan ports of hosts**](pentesting/pentesting-network/#scanning-hosts).
## **4-** [Searching service version exploits](search-exploits.md)
Once you know which services are running, and maybe their version, you have to **search for known vulnerabilities**. Maybe you get lucky and there is an exploit to give you a shell...
## **5-** Pentesting Services
If there isn't any fancy exploit for any running service, you should look for **common misconfigurations in each service running.**
**Inside this book you will find a guide to pentest the most common services** \(and others that aren't so common\)**. Please, search in the left index the** _**PENTESTING**_ **section** \(the services are ordered by their default ports\).
**I want to make a special mention of the** [**Pentesting Web**](pentesting/pentesting-web/) **part \(as it is the most extensive one\).**
Also, a small guide on how to [**find known vulnerabilities in software**](search-exploits.md) can be found here.
**If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**: you could start by **connecting to the service, fuzzing it and reading the responses** \(if any\).
### 5.1 Automatic Tools
There are also several tools that can perform **automatic vulnerability assessments**. **I would recommend you to try** [**Legion**](https://github.com/carlospolop/legion)**, which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.**
### **5.2 Brute-Forcing services**
In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](brute-force.md)**.**
## **6-** [**Getting Shell**](shells/shells/)
Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/shells/).
Especially in Windows you may need some help to **avoid antiviruses**: [**Check this page**](windows/av-bypass.md)**.**
## 7- Inside
If you have trouble with the shell, you can find here a small **compilation of the most useful commands** for pentesters:
* [**Linux**](linux-unix/useful-linux-commands/)
* [**Windows \(CMD\)**](windows/basic-cmd-for-pentesters.md)
* [**Windows \(PS\)**](windows/basic-powershell-for-pentesters/)
## **8 -** [**Exfiltration**](exfiltration.md)
You will probably need to **extract some data from the victim** or even **introduce something** \(like privilege escalation scripts\). **Here you have a** [**post about common tools that you can use with these purposes**](exfiltration.md)**.**
## **9- Privilege Escalation**
### **9.1- Local Privesc**
If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**
Here you can find a **guide to escalate privileges locally in** [**Linux**](linux-unix/privilege-escalation/) **and in** [**Windows**](windows/windows-local-privilege-escalation/)**.**
You should also check these pages about how **Windows works**:
* [**Authentication, Credentials, Token privileges and UAC**](windows/authentication-credentials-uac-and-efs.md)
* How [**NTLM works**](windows/ntlm/)
* How to [**steal credentials**](windows/stealing-credentials/) in Windows
* Some tricks about [_**Active Directory**_](windows/active-directory-methodology/)

**Don't forget to check out the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
### **9.2- Domain Privesc**
Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](windows/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
## 10 - POST
### 10.1 - Looting
Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.
Find here different ways to [**dump passwords in Windows**](windows/stealing-credentials/).
### 10.2 - Persistence
**Use 2 or 3 different types of persistence mechanisms so you won't need to exploit the system again.**
**Here you can find some** [**persistence tricks on active directory**](windows/active-directory-methodology/#persistence)**.**
TODO: Complete persistence post in Windows & Linux
## 11 - Pivoting
With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** \(start the Pentesting Methodology again\) inside new networks where your victim is connected.
In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](tunneling-and-port-forwarding.md).
You definitely should also check the post about [Active Directory pentesting Methodology](windows/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.
Also check the page about [**NTLM**](windows/ntlm/); it could be very useful for pivoting in Windows environments.
## MORE
### [Android Applications](mobile-apps-pentesting/android-app-pentesting/)
### **Exploiting**
* [**Basic Linux Exploiting**](exploiting/linux-exploiting-basic-esp/)
* [**Basic Windows Exploiting**](exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
* [**Basic exploiting tools**](exploiting/tools/)
### [**Basic Python**](misc/basic-python/)
### **Crypto tricks**
* [**ECB**](crypto/electronic-code-book-ecb.md)
* [**CBC-MAC**](crypto/cipher-block-chaining-cbc-mac-priv.md)
* [**Padding Oracle**](crypto/padding-oracle-priv.md)
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%281%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)