
Pentest+ notes

Tools:

cheat sheet

https://highon.coffee/blog/penetration-testing-tools-cheat-sheet

Scanners

  • Nikto
  • OpenVAS
  • sqlmap
  • Nessus
  • Nmap

OSINT

  • WHOIS
  • Nslookup
  • FOCA
  • theHarvester
  • Shodan
  • Maltego
  • Recon-ng
  • Censys

Remote Access Tools

  • Secure Shell (SSH)
  • Ncat
  • Netcat
  • Proxychains

Credential Testing Tools

  • Hashcat
  • Medusa
  • Hydra
  • CeWL
  • John the Ripper
  • Cain and Abel
  • Mimikatz
  • Patator
  • DirBuster
  • W3AF

Wireless

  • Aircrack-ng
  • Kismet
  • WiFite

Networking Tools

  • Wireshark
  • Hping

Debuggers

  • OllyDbg
  • Immunity Debugger
  • GDB
  • WinDbg
  • IDA

Web Proxies

  • OWASP ZAP
  • Burp Suite

Mobile Tools

  • Drozer
  • APKX
  • APK Studio

Software Assurance

  • FindBugs/find-sec-bugs
  • Peach
  • AFL
  • SonarQube
  • YASCA

Social Engineering Tools

  • SET (Social-Engineer Toolkit)
  • BeEF (Browser Exploitation Framework)

Miscellaneous Tools

  • SearchSploit
  • PowerSploit
  • Responder
  • Impacket
  • Empire
  • Metasploit Framework

four phases:

  • Planning and Scoping
  • Information Gathering and Vulnerability Identification
  • Attacking and Exploiting
  • Reporting and Communicating Results

Penetration Testing Execution Standard:

rules of engagement (RoE)

  • timeline
  • locations, systems, applications, or other potential targets
  • Data handling requirements
  • target behaviors
  • resources committed to the test
  • Legal concerns
  • communications
  • particular events
  • Who is permitted to engage

api documents:

  • XML: Web Services Description Language (WSDL)
  • Web Application Description Language (WADL)
  • SOAP
  • reference: Swagger, a suite of API developer tools. https://petstore.swagger.io
  • SOW: statement of work. define project-specific activities, deliverables, and timelines
  • SOOs: statements of objectives
  • PWSs: performance work statements
  • MSA: master services agreement. The terms that will govern future agreements.
  • NDAs: nondisclosure agreements
  • CAs: confidentiality agreements

compliance:

proper signing authority

  • The ISO (information security officer) or the sponsor may hold it.

Disclaimers

  • Point-in-time assessment
  • Comprehensiveness

NAC

  • NETWORK ACCESS CONTROL

Scope creep

  • additional items are added to the scope of an assessment

Certificate pinning

  • associates a host with an X.509 certificate (or a public key) and then uses that association to make a trust decision.
  • pinning list, called a pinset.

CERT

  • Computer Emergency Response Team
  • <https://www.us-cert.gov>, <https://www.sei.cmu.edu/our-work/cybersecurity-center-development/national-csirts/index.cfm>

MITRE

ISC

metadata scanning tools

  • ExifTool
  • FOCA, Fingerprinting Organizations with Collected Archives

DNS

historical view of the domain registration information

  • domainhistory.net
  • whoismind.com

host google.com

zone transfer

  • host -t axfr domain.name dns-server
  • dig axfr @target.nameserver.com domain.name
  • nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p53 <hosts>

Routes

  • traceroute (or tracert on Windows): tracert www.netflix.com
  • tracert showing * * * : the hop did not answer the probe (possibly a timeout) but traffic is still going through; such hosts do not respond to probes yet route traffic properly.
  • BGP looking glasses: http://www.bgp4.as/looking-glasses, allow for route inspection.

Data

theHarvester

  • gather emails, domain information, hostnames, employee names, and open ports and banners
  • using search engines and Maltego

Recon-ng

  • OSINT

common ports

  • 20 TCP, UDP FTP data
  • 21 TCP, UDP FTP control
  • 22 TCP, UDP SSH
  • 23 TCP, UDP Telnet
  • 25 TCP, UDP SMTP (email)
  • 53 UDP DNS
  • 67 TCP, UDP DHCP server
  • 68 TCP, UDP DHCP client
  • 69 TCP, UDP TFTP
  • 80 TCP, UDP HTTP
  • 88 TCP, UDP Kerberos
  • 110 TCP, UDP POP3
  • 123 TCP, UDP NTP
  • 135 TCP, UDP Microsoft EPMAP
  • 136-139 TCP, UDP NetBIOS
  • 143 TCP IMAP
  • 161 UDP SNMP
  • 162 TCP, UDP SNMP traps
  • 389 TCP, UDP LDAP
  • 443 TCP, UDP HTTPS
  • 445 TCP Microsoft AD and SMB
  • 500 TCP, UDP ISAKMP, IKE
  • 515 TCP LPD print services
  • 1433 TCP Microsoft SQL Server
  • 1434 TCP, UDP Microsoft SQL Monitor
  • 1521 TCP Oracle database listener
  • 1812, 1813 TCP, UDP RADIUS

Kismet additional features:

  • find hidden SSIDs
  • passive association of wireless clients and access points
  • tools help to decrypt encrypted traffic

SNMP sweep

  • network topology map and device discovery
  • need correct community string

packet crafting

  • Hping is popular. create custom packets easily.
  • send SYN packets: hping -S -V targetsite.com -p 8080 (-S sets the SYN flag, -V gives verbose output)
  • alternatives: Scapy, Yersinia, and even Netcat.

Enumeration

users: SMB and SNMP are the most common sources; email-based user enumeration is also used.

email: theHarvester, Metasploit

  • msf> use auxiliary/gather/search_email_collector
  • purchase commercial email address lists

group

expired certificates

  • indicators of improper maintenance

port scan

  • Hping: hping example.com -V --scan 1-1024
  • Netcat: nc -zv example.com 1-2014
  • Telnet: Telnet to each port, looking for a blank screen

scan

security requirements of PCI DSS and FISMA

FISMA

Government agencies face a regulatory requirement to conduct vulnerability scans

vulnerability scan tools

  • Nessus and QualysGuard, commercial products
  • OpenVAS, open-source solution

Virtualization and Container

  • Virtualization: virtual machines share the physical hardware resources.
  • Containers: share the host OS.

first test:

  • NDA: nondisclosure agreement
  • SOW: statement of work
  • MSA: master services agreement
  • An authenticated (credentialed) scan provides the most detailed view of the system.
  • ln -sf /dev/null ~/.bash_history: links bash history to /dev/null so no history is kept
  • Nmap scans the 1,000 most common ports for both TCP and UDP by default.
  • VLAN hopping: one technique is the double-tagging attack.
  • determine if running in a VM: run wmic baseboard get manufacturer,product

Security Content Automation Protocol (SCAP)

  • Common Configuration Enumeration (CCE)
  • Common Platform Enumeration (CPE), provides standardized nomenclature for product names and versions.
  • Common Vulnerabilities and Exposures (CVE)
  • Common Vulnerability Scoring System (CVSS): measures and describes the severity of security vulnerabilities.
  • Extensible Configuration Checklist Description Format (XCCDF)
  • Open Vulnerability and Assessment Language (OVAL)

MOUs & SLAs

  • Memorandums of understanding (MOUs)
  • service-level agreements (SLAs)

Asset inventory

used by white-box penetration testers to identify the systems present on a network prior to conducting vulnerability scans.

PCI DSS

minimum frequency scan Quarterly

IoT device

most likely to be disrupted during a vulnerability scan

Risk Appetite

Organization's willingness to tolerate risk within the environment.

Scan schedules most determined by

  • organization's risk appetite
  • regulatory requirements
  • technical constraints
  • business constraints
  • licensing limitations

vulnerability management life cycle

Detection, Remediation, Testing

Continuous monitoring

incorporates information from agents running on the target servers

Potential Impact

  • low: limited
  • moderate: serious
  • high: severe or catastrophic

SOW

guidance on how to handle situations where they discover critical vulnerabilities.

Analyzing Vulnerability Scans

This post is licensed under CC BY 4.0 by the author.