Tryhackme Notes

notes for jr. penetration tester path

Uploaded by

harshakarebel

Tryhackme notes

Rules of Engagement (ROE)

The ROE is a document that is created at the initial stages of a penetration testing engagement. This document consists of three main sections (explained in the table below), which are ultimately responsible for deciding how the engagement is carried out. The SANS institute has a great example of this document which you can view online here.

Stages of pen testing

NMAP

Port states in nmap


Important nmap cmds
Host discovery cmds
ARP request command (netdiscover):

• netdiscover -r IP

Use a file as input for your list of targets:

• nmap -iL list_of_hosts.txt

List the hosts that Nmap would scan, without scanning them:

• nmap -sL TARGETS

ARP scan without port-scanning (raw packets, so run as root):

• sudo nmap -PR -sn TARGETS

ICMP echo request:

• sudo nmap -PE -sn MACHINE_IP/24

ICMP Timestamp:

• sudo nmap -PP -sn MACHINE_IP/24


Performance enhancing for scans

More nmap scans


Post port scan scans

CVSS - Common Vulnerability Scoring System


VPR- Vulnerability Priority Rating

Exploit-DB
Exploit-DB is a resource that we, as hackers, will find much more helpful
during an assessment. Exploit-DB retains exploits for software and
applications stored under the name, author and version of the software or
application.
Encoders in metasploit
Encoders will allow you to encode the exploit and payload in the hope that a signature-based
antivirus solution may miss them.

Signature-based antivirus and security solutions have a database of known threats. They
detect threats by comparing suspicious files to this database and raise an alert if there is a
match. Thus, encoders have a limited success rate, since antivirus solutions can perform
additional checks beyond simple signature matching.

Evasion in metasploit
While encoders will encode the payload, they should not be considered a
direct attempt to evade antivirus software. On the other hand, "evasion"
modules will try that, with more or less success.

NOPs
NOPs (No OPeration) do nothing, literally. They are represented in the Intel
x86 CPU family with 0x90, following which the CPU will do nothing for one
cycle. They are often used as a buffer to achieve consistent payload sizes.
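As an added illustration (not part of the original notes), a small Python check that flags long runs of 0x90 in a byte buffer, the NOP-sled pattern a heuristic scanner can look for; the sample bytes are constructed, and the threshold name min_len is an assumption.

```python
"""Flag NOP-sled-like runs of 0x90 in raw bytes (added example, not from the notes)."""
from typing import List, Tuple

NOP = 0x90  # single-byte Intel x86 NOP, as described above


def find_nop_runs(data: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of 0x90 at least min_len bytes long.

    min_len is an assumed tuning knob: short runs of 0x90 occur in ordinary
    code (alignment padding), so only long runs are reported.
    """
    runs: List[Tuple[int, int]] = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and data[i] == NOP:
            i += 1
        if i - start >= min_len:
            runs.append((start, i - start))
    return runs


def nop_ratio(data: bytes) -> float:
    """Fraction of the buffer that is 0x90; a crude second heuristic."""
    if not data:
        return 0.0
    return data.count(NOP) / len(data)


# Constructed sample: 8 bytes of ordinary code, a 32-byte NOP sled,
# two more bytes, then a short 4-byte run that should stay below the default threshold.
SAMPLE = b"\x55\x89\xe5\x83\xec\x10\x31\xc0" + b"\x90" * 32 + b"\xcc\xc3" + b"\x90" * 4

if __name__ == "__main__":
    for off, ln in find_nop_runs(SAMPLE):
        print(f"NOP run at offset {off}, length {ln}")
    print(f"NOP ratio: {nop_ratio(SAMPLE):.2f}")
```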

Metasploit exploit rank

Privilege escalation
Post exploitation cmds
PIM AND PAM
Two key concepts are used to assign and manage the access rights of
individuals: Privileged Identity Management (PIM) and Privileged Access
Management (or PAM for short).

Initially, these two concepts can seem to overlap; however, they are different
from one another. PIM is used to translate a user's role within an
organisation into an access role on a system, whereas PAM is the
management of the privileges a system's access role has, amongst other
things.

STRIDE framework for threat modeling:


CSIRT (incident response plan)

OSINT
Some useful OSINT tools:

• wappalyzer
• Wayback machine
• Github
• S3 buckets

Authentication bypass
Subdomain enumeration
Three ways:
• OSINT
• Virtual host
• Brute force

OSINT:

-site:www.domain.com site:*.domain.com

Reset password

HASHING
Useful websites:
https://crackstation.net/

(searching a particular hash such as md5, sha, etc.)

https://www.base64encode.org
(encode and decode base64, base32)

IDOR example

File inclusion
SSRF
XSS
Cookie stealing using netcat and xss
Code injection payloads:

https://github.com/payloadbox/command-injection-payload-list

Burp suite

Intruder attack types


Mail protocol
