hacktricks/generic-methodologies-and-resources/pentesting-methodology.md

175 lines
12 KiB
Markdown
Raw Normal View History

2022-04-28 23:27:22 +00:00
---
description: >-
This is the main page. Here you can find the typical workflow for the
pentesting of a machine
---
2022-04-28 16:01:33 +00:00
2022-04-28 23:27:22 +00:00
# Pentesting Methodology
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2023-01-02 12:00:18 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>
2022-07-21 20:26:09 +00:00
<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\
2022-05-01 16:32:23 +00:00
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
2022-04-30 20:19:32 +00:00
{% embed url="https://go.intigriti.com/hacktricks" %}
2022-05-01 13:25:53 +00:00
## Pentesting Methodology
2022-04-28 16:08:23 +00:00
![](<../.gitbook/assets/p2 (1).png>)
2022-05-01 13:25:53 +00:00
### 0- Physical Attacks
2022-05-01 16:04:05 +00:00
Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](../physical-attacks/escaping-from-gui-applications/).
2022-05-01 13:25:53 +00:00
### 1 - [Discovering hosts inside the network ](pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
**Depending** if the **test** you are perform is an **internal or external test** you may be interested on finding **hosts inside the company network** (internal test) or **finding assets of the company on the internet** (external test).
2020-11-04 10:42:10 +00:00
{% hint style="info" %}
Note that if you are performing an external test, once you manage to obtain access to the internal network of the company you should re-start this guide.
{% endhint %}
2022-05-01 13:25:53 +00:00
### **2-** [**Having Fun with the network**](pentesting-network/) **(Internal)**
2020-11-04 10:42:10 +00:00
**This section only applies if you are performing an internal test.**\
2022-05-01 13:25:53 +00:00
Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting-network/#sniffing).
2022-05-01 13:25:53 +00:00
### 3- [Port Scan - Service discovery](pentesting-network/#scanning-hosts)
2022-05-01 13:25:53 +00:00
The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the[ **basic tools to scan ports of hosts**](pentesting-network/#scanning-hosts).
2022-05-01 13:25:53 +00:00
### **4-** [Searching service version exploits](search-exploits.md)
Once you know which services are running, and maybe their version, you have to **search for known vulnerabilities**. Maybe you get lucky and there is a exploit to give you a shell...
2022-05-01 13:25:53 +00:00
### **5-** Pentesting Services
If there isn't any fancy exploit for any running service, you should look for **common misconfigurations in each service running.**
**Inside this book you will find a guide to pentest the most common services** (and others that aren't so common)**. Please, search in the left index the** _**PENTESTING**_ **section** (the services are ordered by their default ports).
2022-05-01 13:25:53 +00:00
**I want to make a special mention of the** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **part (as it is the most extensive one).**\
Also, a small guide on how to[ **find known vulnerabilities in software**](search-exploits.md) can be found here.
**If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**, you could start by **connecting to the service, fuzzing it and reading the responses** (if any).
2022-05-01 13:25:53 +00:00
#### 5.1 Automatic Tools
There are also several tools that can perform **automatic vulnerabilities assessments**. **I would recommend you to try** [**Legion**](https://github.com/carlospolop/legion)**, which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.**
2022-05-01 13:25:53 +00:00
#### **5.2 Brute-Forcing services**
In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](brute-force.md)**.**
2022-07-21 20:26:09 +00:00
<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\
2022-05-01 16:32:23 +00:00
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
{% embed url="https://go.intigriti.com/hacktricks" %}
2022-05-01 13:25:53 +00:00
### 6- [Phishing](phishing-methodology/)
2020-12-21 17:28:06 +00:00
2021-10-07 23:27:47 +00:00
If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](phishing-methodology/):
2020-12-21 17:28:06 +00:00
2022-05-01 13:25:53 +00:00
### **7-** [**Getting Shell**](shells/)
2022-05-01 13:25:53 +00:00
Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/).
2022-04-05 22:24:52 +00:00
Specially in Windows you could need some help to **avoid antiviruses**: \[Check this page]\(windows/av-bypass.md)**.**
2022-05-01 13:25:53 +00:00
### 8- Inside
If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters:
2022-05-07 19:19:13 +00:00
* [**Linux**](../linux-hardening/useful-linux-commands/)
2023-01-24 14:43:15 +00:00
* [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md)
2022-05-01 13:25:53 +00:00
* [**Winodows (PS)**](../windows-hardening/basic-powershell-for-pentesters/)
2022-05-01 13:25:53 +00:00
### **9 -** [**Exfiltration**](exfiltration.md)
You will probably need to **extract some data from the victim** or even **introduce something** (like privilege escalation scripts). **Here you have a** [**post about common tools that you can use with these purposes**](exfiltration.md)**.**
2022-05-01 13:25:53 +00:00
### **10- Privilege Escalation**
2022-05-01 13:25:53 +00:00
#### **10.1- Local Privesc**
If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**\
2022-05-01 13:25:53 +00:00
Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\
You should also check this pages about how does **Windows work**:
2022-10-04 23:49:59 +00:00
* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md)
2022-05-01 13:25:53 +00:00
* How does [**NTLM works**](../windows-hardening/ntlm/)
* How to [**steal credentials**](broken-reference/) in Windows
2022-05-01 13:25:53 +00:00
* Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/)
**Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
2022-05-01 13:25:53 +00:00
#### **10.2- Domain Privesc**
2022-05-01 13:25:53 +00:00
Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](../windows-hardening/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
2022-05-01 13:25:53 +00:00
### 11 - POST
2022-05-01 13:25:53 +00:00
#### **11**.1 - Looting
Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.\
Find here different ways to [**dump passwords in Windows**](broken-reference/).
2022-05-01 13:25:53 +00:00
#### 11.2 - Persistence
**Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.**\
2022-05-01 13:25:53 +00:00
**Here you can find some** [**persistence tricks on active directory**](../windows-hardening/active-directory-methodology/#persistence)**.**
2020-11-04 10:42:10 +00:00
TODO: Complete persistence Post in Windows & Linux
2022-05-01 13:25:53 +00:00
### 12 - Pivoting
With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** (start the Pentesting Methodology again) inside new networks where your victim is connected.\
In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](tunneling-and-port-forwarding.md).\
2022-05-01 13:25:53 +00:00
You definitely should also check the post about [Active Directory pentesting Methodology](../windows-hardening/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\
Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be very useful to pivot on Windows environments..
2022-05-01 13:25:53 +00:00
### MORE
2022-05-01 13:25:53 +00:00
#### [Android Applications](../mobile-pentesting/android-app-pentesting/)
2022-05-01 13:25:53 +00:00
#### **Exploiting**
2022-05-01 16:17:23 +00:00
* [**Basic Linux Exploiting**](../exploiting/linux-exploiting-basic-esp/)
* [**Basic Windows Exploiting**](../exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
* [**Basic exploiting tools**](../exploiting/tools/)
2022-05-16 08:29:00 +00:00
#### [**Basic Python**](python/)
2022-05-01 13:25:53 +00:00
#### **Crypto tricks**
2022-05-01 16:17:23 +00:00
* [**ECB**](../cryptography/electronic-code-book-ecb.md)
* [**CBC-MAC**](../cryptography/cipher-block-chaining-cbc-mac-priv.md)
* [**Padding Oracle**](../cryptography/padding-oracle-priv.md)
2022-04-28 16:01:33 +00:00
2022-07-21 20:26:09 +00:00
<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\
2022-05-08 22:42:39 +00:00
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2023-01-02 12:00:18 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>