--- description: >- This is the main page. Here you can find the typical workflow for the pentesting of a machine --- # Pentesting Methodology ![](<.gitbook/assets/portada 2.png>) {% hint style="warning" %} Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** LinPEAS, WinPEAS and MacPEAS aren’t enough for you? **Welcome The PEASS Family**, a limited collection of exclusive **NFTs** of our favourite PEASS in disguise, designed by my team. **Go get your favourite and make it yours!** And if you are a PEASS & Hacktricks enthusiast, you can get your hands now on our [**custom swag**](https://peass.creator-spring.com) **and show how much you like our projects!** You can also, **join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts**, or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book. {% endhint %} ## 0- Physical Attacks Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](physical-attacks/escaping-from-gui-applications/). ## 1 - [Discovering hosts inside the network ](pentesting/pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/) **Depending** if the **test** you are perform is an **internal or external test** you may be interested on finding **hosts inside the company network** (internal test) or **finding assets of the company on the internet** (external test). {% hint style="info" %} Note that if you are performing an external test, once you manage to obtain access to the internal network of the company you should re-start this guide. {% endhint %} ## **2-** [**Having Fun with the network**](pentesting/pentesting-network/) **(Internal)** **This section only applies if you are performing an internal test.**\ Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting/pentesting-network/#sniffing). ## 3- [Port Scan - Service discovery](pentesting/pentesting-network/#scanning-hosts) The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the[ **basic tools to scan ports of hosts**](pentesting/pentesting-network/#scanning-hosts). ## **4-** [Searching service version exploits](search-exploits.md) Once you know which services are running, and maybe their version, you have to **search for known vulnerabilities**. Maybe you get lucky and there is a exploit to give you a shell... ## **5-** Pentesting Services If there isn't any fancy exploit for any running service, you should look for **common misconfigurations in each service running.** **Inside this book you will find a guide to pentest the most common services** (and others that aren't so common)**. Please, search in the left index the** _**PENTESTING**_ **section** (the services are ordered by their default ports). **I want to make a special mention of the** [**Pentesting Web**](pentesting/pentesting-web/) **part (as it is the most extensive one).**\ Also, a small guide on how to[ **find known vulnerabilities in software**](search-exploits.md) can be found here. **If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**, you could start by **connecting to the service, fuzzing it and reading the responses** (if any). ### 5.1 Automatic Tools There are also several tools that can perform **automatic vulnerabilities assessments**. **I would recommend you to try** [**Legion**](https://github.com/carlospolop/legion)**, which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.** ### **5.2 Brute-Forcing services** In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](brute-force.md)**.** ## 6- [Phishing](phishing-methodology/) If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](phishing-methodology/): ## **7-** [**Getting Shell**](shells/shells/) Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/shells/). Specially in Windows you could need some help to **avoid antiviruses**: **\*\*\[Check this page]\(windows/av-bypass.md)**.\*\* ## 8- Inside If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters: * [**Linux**](linux-unix/useful-linux-commands/) * [**Windows (CMD)**](windows/basic-cmd-for-pentesters.md) * [**Winodows (PS)**](windows/basic-powershell-for-pentesters/) ## **9 -** [**Exfiltration**](exfiltration.md) You will probably need to **extract some data from the victim** or even **introduce something** (like privilege escalation scripts). **Here you have a** [**post about common tools that you can use with these purposes**](exfiltration.md)**.** ## **10- Privilege Escalation** ### **10.1- Local Privesc** If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**\ Here you can find a **guide to escalate privileges locally in** [**Linux**](linux-unix/privilege-escalation/) **and in** [**Windows**](windows/windows-local-privilege-escalation/)**.**\ You should also check this pages about how does **Windows work**: * [**Authentication, Credentials, Token privileges and UAC**](windows/authentication-credentials-uac-and-efs.md) * How does [**NTLM works**](windows/ntlm/) * How to [**steal credentials**](windows/stealing-credentials/) in Windows * Some tricks about [_**Active Directory**_](windows/active-directory-methodology/) **Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) ### **10.2- Domain Privesc** Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](windows/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment. ## 11 - POST ### **11**.1 - Looting Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.\ Find here different ways to [**dump passwords in Windows**](windows/stealing-credentials/). ### 11.2 - Persistence **Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.**\ **Here you can find some** [**persistence tricks on active directory**](windows/active-directory-methodology/#persistence)**.** TODO: Complete persistence Post in Windows & Linux ## 12 - Pivoting With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** (start the Pentesting Methodology again) inside new networks where your victim is connected.\ In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](tunneling-and-port-forwarding.md).\ You definitely should also check the post about [Active Directory pentesting Methodology](windows/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\ Check also the page about [**NTLM**](windows/ntlm/), it could be very useful to pivot on Windows environments.. ## MORE ### [Android Applications](mobile-apps-pentesting/android-app-pentesting/) ### **Exploiting** * [**Basic Linux Exploiting**](exploiting/linux-exploiting-basic-esp/) * [**Basic Windows Exploiting**](exploiting/windows-exploiting-basic-guide-oscp-lvl.md) * [**Basic exploiting tools**](exploiting/tools/) ### [**Basic Python**](misc/basic-python/) ### **Crypto tricks** * [**ECB**](cryptography/electronic-code-book-ecb.md) * [**CBC-MAC**](cryptography/cipher-block-chaining-cbc-mac-priv.md) * [**Padding Oracle**](cryptography/padding-oracle-priv.md)