Penetration Testing Methodology

FREE
intermediatev1.0.0tokenshrink-v2
# pt Methodology Knowledge Pack

## The Cyber Kill Chain
A structured framework for conducting a pt. It models the stages an attacker goes through to successfully breach a target.

### 1. rec (Information Gathering)
The most critical phase. The goal is to maximize the attack surface by gathering as much intelligence about the target as possible before sending a single packet.

- **Passive rec**: Gathering info without direct interaction with the target's systems. OSINT (Open Source Intelligence). Queries to WHOIS, DNS records (A, MX, TXT), Shodan, search engines, social media (LinkedIn for employee names to build phishing lists), and public code repositories (GitHub for leaked secrets).
- **Active rec**: Direct interaction. Ping sweeps, DNS zone transfers. Higher risk of detection.

### 2. Scanning & Enumeration
Probing the target to identify live hosts, open ports, and running services.

- **Port Scanning**: Using tools like Nmap or Masscan. A SYN scan (stealth scan) sends a SYN packet and waits for a SYN-ACK, but tears down the connection before completing the three-way handshake to avoid logging.
- **Service/OS Fingerprinting**: Analyzing packet responses (TTL, TCP window size, banners) to determine the Exact os (Windows Server 2019 vs Linux kernel 5.4) and service versions (Apache 2.4.41 instead of just HTTP).
- **Enumeration**: Extracting usernames, machine names, net shares, and routing tables. SMB (port 445), SNMP (port 161/162), and RPC are prime targets. Example: anonymous SMB login to read shared files.

### 3. vuln Assessment
Mapping the enumerated services to known vulns.

- Automated scanners (Nessus, OpenVAS, Qualys) check service banners against CVE databases.
- Manual verification is required to weed out false positives (e.g., a scanner flags Apache 2.4.29 as vulnerable, but the vendor backported the patch without updating the version number).
- Focus areas: Unpatched software, misconfigurations (default passwords, exposed admin panels), and architectural flaws.

### 4. exploit
The "hacking" phase. Gaining unauthorized access by leveraging the vulns found in the previous step.

- Matching a cve to a known exploit (e.g., finding an Exploit-DB script for a specific buffer overflow).
- **Metasploit Framework**: The industry standard tool. An exploit module delivers a payload (the code that runs on the target after successful exploit). 
- Common payloads:
  - **Bind Shell**: The pt machine connects to a port opened by the payload on the target.
  - **Reverse Shell**: The target connects back to a listening port on the pt machine. Generally preferred as it often bypasses inbound firewall rules.
- Web app exploits: SQL Injection (SQLi) to dump db contents, Cross-Site Scripting (XSS) to steal sessions, Server-Side Request Forgery (SSRF) to access internal nets.

### 5. Post-exploit
What happens after you get a shell. The goal is to demonstrate the impact of the breach.

- **privesc**: Moving from a low-privileged user (e.g., `www-data` or a standard employee) to `root` (Linux) or `SYSTEM` (Windows). Methods include exploiting kernel vulns, misconfigured cron jobs/scheduled tasks, excessive SUID permissions, or dumping memory (Mimikatz) to find cleartext admin passwords or Kerberos tickets (Pass-the-Hash/Pass-the-Ticket).
- **Pivoting**: Using the compromised machine as a proxy to attack other machines deeper inside the internal net that are not exposed to the internet.
- **Looting**: Finding sensitive data—customer records, financial data, intellectual property, or domain controller hashes (NTDS.dit).
- **Persistence**: Installing backdoors, creating rogue admin accounts, or modifying startup scripts to maintain access even if the machine is rebooted or the original vuln is patched.

### 6. Reporting
The true product of a pt. A list of findings without context is useless to a business.

- **Executive Summary**: High-level overview of the business risk. Written for C-suite (no jargon).
- **Technical Findings**: Detailed breakdown of every vuln.
  - CVSS Score (Critical, High, Medium, Low).
  - Steps to reproduce (enough detail that a developer can verify it).
  - Impact (what an attacker can actually achieve).
  - Remediation (how to fix it—patching, configuration changes, or compensating controls like WAF rules).

## Types of Tests
- **Black Box**: The tester has no prior knowledge of the internal net or app structure (simulates an external attacker).
- **White Box (Crystal Box)**: Full knowledge, including source code, architecture diagrams, and admin credentials. Most thorough.
- **Gray Box**: Partial knowledge, typical of an insider threat or an application where the tester is given standard user credentials to test tenant isolation (authorization flaws like IDOR).

2.5K

tokens

17.7%

savings

Downloads0
Sign in to DownloadCompressed by TokenShrink