practical-methodolody.md

File metadata and controls

135 lines (111 loc) · 3.28 KB

Starting

  • Create a directory for the project/task
  • Use this directory to save everything related to the project at hand
  • Use the script command to log the whole terminal session to a file named dayMonthYear-dirname (type exit to stop logging and flush the file)
mkdir pentest.target.company.com
cd pentest.target.company.com
script "$(date +%d%m%Y)-$(basename "$PWD")"
  • Save your findings with screenshots in a document or system

Nmap

Nmap SYN scan of the top 100 ports with 20 random decoys, showing only open ports (decoys and -sS send raw packets, so run as root)

nmap -D RND:20 --open -sS --top-ports 100 -oN nmap-open-ports target.company.com

All 65535 ports at up to 60k pkts/s with no decoys (fast but noisy; on a lossy link a --min-rate this high drops packets and misses ports, so confirm interesting results with a slower scan). Written to a different file so it does not overwrite the first scan.

nmap -p- --min-rate=60000 --open -sS -oN nmap-all-ports target.company.com

Map host

Map directories.

gobuster dir -u https://target.company.com -w /usr/share/wordlists/big.txt -t 100 -e --no-error -r -o gobuster-out

-t 100    -> 100 threads
-e        -> show extended/full URLs
-r        -> follow redirects
-o <file> -> save output

Browse to the found paths/URLs to see what they look like.

Brute force FTP

hydra -v -t10 -l user01 -P passwords.txt -s 2121 ftp://target.company.com

-v             -> verbose
-t10           -> 10 threads
-l <login>     -> single login to test (or -L <file> for a list of logins)
-P <pass file> -> wordlist
-s <port>      -> tcp port

Brute force the login form

hydra -v -t10 -l user01 -P passwords.txt target.company.com https-post-form "/login.php:username=^USER^&password=^PASS^:F=Invalid"

The path, the field names and the failure string after F= must be taken from the real form (capture one login request in the browser or Burp and copy them); hydra substitutes ^USER^ and ^PASS^ for each attempt and counts a response that does not contain the F= string as a success.

Map WAFs

wafw00f -v https://target.company.com
nuclei -u https://target.company.com

Map technologies

Check sitemap.xml and robots.txt, and look the site up in the Wayback Machine for old paths and content.

whatweb

nc -v -C target.company.com 80
OPTIONS /lfjdaljfkda HTTP/1.0<enter><enter>

-C -> send CRLF as the line ending (HTTP requires it); the empty second line terminates the request. Compare the Allow header and error page against a valid path.

Map application

Tags and entry points

html-tool

echo https://target.company.com/ | html-tool comments
echo https://target.company.com/ | html-tool tags script
echo https://target.company.com/ | html-tool tags title
echo https://target.company.com/ | html-tool attribs src
echo https://target.company.com/ | html-tool attribs src href
echo https://target.company.com/ | html-tool attribs src href | grep -i '\.js'
echo https://target.company.com/ | html-tool attribs src href | grep -i '\.xml'
echo https://target.company.com/ | html-tool attribs src href | grep -i '\.php'

Source files

getjs

getJS --complete --url https://target.company.com
cat urls.txt | getJS

Fuzzing

Use common file extensions and parameter names to bruteforce the app

gobuster dir -u https://target.company.com -w /usr/share/wordlists/dirb/big.txt -e -t 100 -r --no-error -o found_files.txt -x py,bkp,old,txt,xml

grep 200  found_files.txt

cat <<EOF > lista.txt
page
url
pg
file
files
arquivo
id
EOF

for PARAM in $(cat lista.txt); do curl -s -o /dev/null -w "%{http_code} %{size_download} ${PARAM}\n" "http://target.company.com/download.php?${PARAM}=download.php"; done

wfuzz

cp /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt paramlist.txt
wfuzz -c -w paramlist.txt "https://target.company.com/download.php?FUZZ=download.php"

-c        -> color
-w <file> -> wordlist payload (shorthand for -z file,<file>)
--hh <n>  -> hide responses of <n> chars, i.e. the size of the baseline response, so only deviations are listed
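The curl loop and the wfuzz run above both rely on the same idea: a parameter name the application recognises changes the response, so compare every probe against a baseline instead of reading raw output. The following script is an added example (not from the original cheat sheet) that does this in POSIX sh; the hostname, path, the value sent, the wordlist file and the baseline name zzqxnotaparam are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet. Probes candidate GET
# parameter names against one endpoint and reports only those whose response
# differs from a baseline. Hostname, path, value and wordlist are assumptions.

# Fetch a cheap response signature: "<status> <body bytes>".
fetch_sig() {
    curl -s -o /dev/null -w '%{http_code} %{size_download}' "$1"
}

# Build the probe URL. Names from a wordlist are plain words and the value is
# fixed by the caller, so no further encoding is done here.
probe_url() {
    # $1 base URL without query string, $2 parameter name, $3 value
    printf '%s?%s=%s' "$1" "$2" "$3"
}

# Decision logic kept separate from the network calls so it can be tested
# offline: a candidate is interesting when its signature differs from baseline.
deviates() {
    # $1 baseline signature, $2 candidate signature
    [ "$1" != "$2" ]
}

# Walk the wordlist and print "<status> <bytes>\t<param>" for each deviation.
fuzz_params() {
    # $1 base URL, $2 wordlist file, $3 value to send with every name
    # Baseline: a name the application should not recognise (assumption).
    base=$(fetch_sig "$(probe_url "$1" zzqxnotaparam "$3")")
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        sig=$(fetch_sig "$(probe_url "$1" "$name" "$3")")
        if deviates "$base" "$sig"; then
            printf '%s\t%s\n' "$sig" "$name"
        fi
    done < "$2"
}

# Usage: sh fuzz-params.sh https://target.company.com/download.php paramlist.txt download.php
# With no arguments the script only defines the functions.
if [ "$#" -eq 3 ]; then
    fuzz_params "$1" "$2" "$3"
fi
```

Status code plus body length is a deliberately crude signature: it is enough for static error pages, but a page that embeds a timestamp or a CSRF token will change size on every request and make everything "deviate". In that case replace fetch_sig with something that strips the volatile part before measuring, or probe the same baseline twice and discard parameters whose difference is no larger than the baseline's own jitter.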

SQLi

Use arithmetic, e.g.:

https://target.company.com/product.php?id=10
https://target.company.com/product.php?id=10-2
https://target.company.com/product.php?id=10%2B2

If id=10-2 renders the product with id 8 and id=10%2B2 the one with id 12, the parameter reaches the database unquoted and is evaluated there. Send + as %2B: a bare + in a query string is decoded as a space, so id=10+2 arrives as "10 2" and tells you nothing.
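The arithmetic check is easy to misjudge by eye, because the page for id=8 may look almost like the one for id=10. The script below is an added example (not from the original cheat sheet) that makes the comparison explicit: it fetches the page for id=10, a control value id=11 that must differ, and the expression id=12-2, and reports whether the expression was computed server-side. The hostname, the path and the three probe values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet. Checks whether a numeric
# parameter is evaluated by the database by comparing the page for id=10 with
# the pages for a control value (id=11) and an arithmetic expression (id=12-2).
# Hostname, path and probe values are assumptions.

# Percent-encode the characters that matter in a query string. A literal '+'
# is decoded as a space by the server, so 10+2 must travel as 10%2B2.
encode_expr() {
    printf '%s' "$1" | sed 's/%/%25/g; s/+/%2B/g; s/ /%20/g'
}

# Response signature: POSIX cksum of the body, so identical pages match exactly.
fetch_sig() {
    curl -s "$1" | cksum
}

# Pure verdict so the logic can be tested offline.
#   evaluated     : 12-2 rendered the same page as 10 while 11 differs, so the
#                   expression reached the database and was computed.
#   not-evaluated : 12-2 produced something else (error page, literal lookup).
#   inconclusive  : 10 and 11 look the same, so the page does not depend on id
#                   and this probe cannot say anything.
sqli_arith_verdict() {
    # $1 sig(id=10)  $2 sig(id=11)  $3 sig(id=12-2)
    if [ "$1" = "$2" ]; then
        echo inconclusive
    elif [ "$3" = "$1" ]; then
        echo evaluated
    else
        echo not-evaluated
    fi
}

probe_arith() {
    # $1 URL prefix up to and including "id=", e.g.
    #    https://target.company.com/product.php?id=
    sqli_arith_verdict \
        "$(fetch_sig "$1$(encode_expr 10)")" \
        "$(fetch_sig "$1$(encode_expr 11)")" \
        "$(fetch_sig "$1$(encode_expr 12-2)")"
}

# Usage: sh sqli-arith.sh 'https://target.company.com/product.php?id='
# With no arguments the script only defines the functions.
if [ "$#" -eq 1 ]; then
    probe_arith "$1"
fi
```

An "evaluated" verdict is a strong signal but not proof: compare 12-2 with 8%2B2 as well, and for string-typed ids try the database's concatenation form instead of arithmetic. Exact body matching breaks on pages that embed nonces or timestamps; strip those with sed before cksum, or fall back to comparing sizes as the fuzzing section does.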

sqlmap

hash-identifier

hashcat

Google

john