59 changes: 56 additions & 3 deletions src/generic-methodologies-and-resources/pentesting-methodology.md
Expand Up @@ -20,19 +20,55 @@ Do you have **physical access** to the machine that you want to attack? You shou
> [!TIP]
> Note that if you are performing an external test, once you manage to obtain access to the internal network of the company you should re-start this guide.

#### 1.1 Continuous External Asset Discovery

The public attack surface now spans SaaS tenants, ephemeral cloud services and unmanaged shadow IT. Keep a rolling inventory that merges CT logs, BGP/ASN data and cloud provider APIs:

- Use **Amass/Subfinder** (with `-all -recursive -config`) to pull domains from CT, passive DNS and WHOIS, then immediately probe them with `httpx`/`katana` to understand HTTP fingerprints, tech stacks and historical redirects.
- Pull ASN allocations via `amass intel -org "Target" -asn -whois` or `metabigor net --org "Target"` to enrich the IP space monitored by `masscan`/`zmap`.
- Track **SaaS & cloud identities**: tools like `cloudlist`/`samlurl` enumerate assets behind identity providers, while ProjectDiscovery Cloud’s **Credential Monitoring** feed surfaces malware-stealer leaks you can rapidly convert into credential stuffing or password spraying opportunities to test the client’s exposure.

Example workflow:

```bash
amass enum -d target.com -src -ip -brute -w resolvers.txt -o amass.txt
subfinder -dL roots.txt -recursive -all -timeout 20 -o subs.txt
httpx -l subs.txt -sc -td -title -ip -tech-detect -http2 -c 300 -o web-surface.txt
```

Feed every new hostname or IP into your target tracker (Trello, ReconFTW sheet, etc.) so later phases automatically inherit fresh scope items.

### **2-** [**Having Fun with the network**](pentesting-network/index.html) **(Internal)**

**This section only applies if you are performing an internal test.**\
Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting-network/index.html#sniffing).

Leverage dual-stack tooling: run `responder -I eth0 -wrf` on IPv4 broadcast domains, combine it with `mitm6 -d target.corp` to forge IPv6 RAs and harvest NTLMv2, and keep a lightweight `pcapkit`/`termshark` capture rolling to bookmark protocols worth replaying. If EDR aggressively watches ARP poisoning, pivot to `Inveigh-Relay` or DHCP rogue techniques within the same guideline.

### **3-** [**Port Scan - Service discovery**](pentesting-network/index.html#scanning-hosts)

The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the[ **basic tools to scan ports of hosts**](pentesting-network/index.html#scanning-hosts).

Modern workflows chain **fast stateless scanners** with deep probes:

```bash
rustscan -b 8192 -a 10.0.8.0/24 --ulimit 6000 -- -sV -Pn -oA corp-wide
naabu -list hosts.txt -p - -rate 100000 -exclude-cdn -c 1000 -stats
nmap -sCV -p $(cat corp-wide.gnmap | awk -F "/" '/open/ {print $1}' | paste -sd ",") target
```

`rustscan`/`naabu` quickly return live TCP surfaces (and even IPv6). Pipe those ports into `nmap`, `smap`, `httpx` or `ike-scan` depending on the protocol family to keep timelines tight even on /16 scopes.

### **4-** [Searching service version exploits](../generic-hacking/search-exploits.md)

Once you know which services are running, and maybe their version, you have to **search for known vulnerabilities**. Maybe you get lucky and there is a exploit to give you a shell...

Automate intelligence ingest:

- Mirror **CISA KEV**, vendor advisories and Github Security Advisory feeds, and tag findings with service banners from your scans.
- Convert timely disclosures into scanner tasks. For instance, when a CVE drops, pull the matching Nuclei template/Exploit-DB PoC and run `nuclei -id cve-2025-1974 -l alive.txt -rl 50 -c 150 -bs 25` so every host is re-tested automatically.
- Maintain a “known good” exploit arsenal (public PoCs, custom scripts) inside your notes repo and link them to the service/port entry.

### **5-** Pentesting Services

If there isn't any fancy exploit for any running service, you should look for **common misconfigurations in each service running.**
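Review bot: two of the added command blocks in this hunk will not do what the surrounding prose says. In the 1.1 "Example workflow", `amass enum ... -w resolvers.txt` passes the resolver list as the brute-force wordlist (`-w` is the wordlist flag in `amass enum`); resolvers are supplied with `-r`/`-rf`, so either rename the file or switch the flag. In the section 3 block, `awk -F "/" '/open/ {print $1}'` over `corp-wide.gnmap` emits the leading `Host: 10.0.8.x () Ports: 22` field rather than bare port numbers, and it merges ports found across the whole 10.0.8.0/24 range into a single scan of `target`; the port list needs to be extracted per host (or taken from the `.xml`/`.nmap` output) before being handed to `nmap -p`. Smaller points: the bullet on line 30 attributes `-all -recursive -config` to "Amass/Subfinder" but only subfinder accepts `-all` and `-recursive`; the `httpx` line lists `-td` and `-tech-detect`, which are the same flag; "CT logs" and "KEV" should be expanded on first use; and "Github" should read "GitHub".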
Expand All @@ -44,18 +80,26 @@ Also, a small guide on how to[ **find known vulnerabilities in software**](../ge

**If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**, you could start by **connecting to the service, fuzzing it and reading the responses** (if any).

Build per-service **checklists** tied to your asset inventory (e.g. if HTTP stack shows Azure Front Door headers, branch into Azure-specific fingerprinting). Keeping methodology templates in Obsidian/Notion means you can instantly assign the right test depth per host.

#### 5.1 Automatic Tools

There are also several tools that can perform **automatic vulnerabilities assessments**. **I would recommend you to try** [**Legion**](https://github.com/carlospolop/legion)**, which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.**

Augment it with **Nuclei**, `autorecon2`, `xael-connected` or the ProjectDiscovery cloud platform to continuously rescan high-value assets—2024 alone added thousands of community templates covering Atlassian, GitLab, Palo Alto, Ivanti and more, so schedule template updates alongside your scan cadence to catch newly weaponized CVEs quickly.

#### **5.2 Brute-Forcing services**

In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](../generic-hacking/brute-force.md)**.**

Blend credential sources: combine harvested passwords, stealer logs, default creds and browser-based leaks into targeted sprays (`kerbrute userenum`, `hydra -L users -P leaks.txt rdp://`). Always consider smart throttling (`-t 4 --delay 1.2`) to stay under lockout policies while still exercising weak password hygiene tests the customer approved.

### 6- [Phishing](phishing-methodology/index.html)

If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](phishing-methodology/index.html):

Adversary-in-the-middle kits keep evolving. The **Tycoon 2FA** kit (updated March 2024) now rotates JavaScript and HTML on every deployment to blind signature-based filters, sells ready-made Microsoft 365/Gmail portals, and collects session cookies to bypass MFA instantly. Pair your lures with adversarial SEO, QR codes or Teams message pretexts, and always rehearse MFA-prompt and device-enrollment abuse flows so you know exactly which detections to expect.

### **7-** [**Getting Shell**](../generic-hacking/reverse-shells/index.html)

Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](../generic-hacking/reverse-shells/index.html).
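Review bot: the throttling example in 5.2, `-t 4 --delay 1.2`, does not belong to a single tool: `hydra` takes `-t` for tasks but has no `--delay` option (its inter-connection wait is `-W`), while `kerbrute`'s `--delay` is an integer number of milliseconds, so `1.2` would be rejected by both. State which tool each flag applies to, and complete the `hydra ... rdp://` example with a target placeholder or drop it. In 5.1, `autorecon2` and `xael-connected` are not linked anywhere and I cannot match them to a published project; add links or remove them, and back the "2024 alone added thousands of community templates" claim with a reference in the new References section. The em-dash on line 88 should be a plain sentence break to match the rest of the file.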
Expand All @@ -70,6 +114,8 @@ If you have troubles with the shell, you can find here a small **compilation of
- [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md)
- [**Windows (PS)**](../windows-hardening/basic-powershell-for-pentesters/index.html)

Maintain **execution journals** (history exports, transcript logging, Beacon logs) so you can replay exact steps whenever a shell dies or needs to be replicated with less noisy tooling.

### **9-** [**Exfiltration**](../generic-hacking/exfiltration.md)

You will probably need to **extract some data from the victim** or even **introduce something** (like privilege escalation scripts). **Here you have a** [**post about common tools that you can use with these purposes**](../generic-hacking/exfiltration.md)**.**
Expand All @@ -89,6 +135,8 @@ You should also check this pages about how does **Windows work**:

**Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)

Keep tabs on monthly LPE drops (kernel race conditions, container escapes, Azure Arc agents, VMware Tools). Building a local `privesc-matrix.md` that maps OS build numbers to exploit reliability saves time when shells are fragile.

#### **10.2- Domain Privesc**

Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](../windows-hardening/active-directory-methodology/index.html). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
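Review bot: the added paragraph in 10.1 uses "LPE" without expanding it (the section heading and existing text say "Privilege Escalation"), and "monthly LPE drops" is an unsourced generalisation; either cite the feeds the reader is meant to watch or soften it to "regularly". The examples in parentheses (Azure Arc agents, VMware Tools) refer to specific past advisories, so link them or they will read as unexplained name-dropping in a few months.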
Expand All @@ -114,6 +162,10 @@ In this case tunnelling could be necessary. Here you can find [**a post talking
You definitely should also check the post about [Active Directory pentesting Methodology](../windows-hardening/active-directory-methodology/index.html). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\
Check also the page about [**NTLM**](../windows-hardening/ntlm/index.html), it could be very useful to pivot on Windows environments..

#### 12.1 Modern Tunnelling Tips

Lightweight VPN-style agents such as **Ligolo-ng 0.8** remove most SOCKS/proxychains pain: create interfaces directly from the console (`interface_create --name corp`), spawn listeners on pivot hosts, then `tunnel_start --tun corp` to stream traffic from any subnet the agent can reach. For multi-hop situations, daisy-chain Ligolo listeners or mix with `chisel`/`ssh -J` and keep small scripts that rebuild every tunnel fast when defenders reset routes.

### MORE

#### [Android Applications](../mobile-pentesting/android-app-pentesting/index.html)
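Review bot: the new 12.1 subsection pins "Ligolo-ng 0.8" in prose, which will go stale quickly; refer to the project by name and link its repository or release notes in the References section instead of hard-coding a version. The subsection also duplicates the intent of the tunnelling post linked in the context lines just above it, so a one-line cross-reference to that existing page would be better than a parallel description. Minor: `ssh -J` deserves its name (ProxyJump) so readers can find the documentation.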
Expand All @@ -132,8 +184,9 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/index.html), it c
- [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md)
- [**Padding Oracle**](../crypto-and-stego/padding-oracle-priv.md)

## References

{{#include ../banners/hacktricks-training.md}}


- [ProjectDiscovery - Introducing Credential Monitoring](https://projectdiscovery.io/blog/leaked-credential-monitoring)
- [Proofpoint - Tycoon 2FA Phishing Kit Being Used to Bypass MFA](https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass)

{{#include ../banners/hacktricks-training.md}}
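Review bot: the new `## References` heading is separated from its two list items by the `{{#include ../banners/hacktricks-training.md}}` line, and the same include now appears twice (once after the heading and once at the end of the file). The intended layout is heading, blank line, list items, then a single banner include as the last line; please remove the stray include so the banner is not rendered twice. Also consider adding entries here for the sources this PR leans on elsewhere (the Nuclei template referenced as `cve-2025-1974` in section 4 and the Ligolo-ng release notes in 12.1), since those are the only other external claims without a citation.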