From af37040de16ead4d78ba498e0cd088a8f03badcc Mon Sep 17 00:00:00 2001 From: rpriven <74690648+rpriven@users.noreply.github.com> Date: Tue, 15 Apr 2025 00:10:05 -0600 Subject: [PATCH] Create pentesting-methodology.md --- infosec/pentesting-methodology.md | 62 +++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 infosec/pentesting-methodology.md diff --git a/infosec/pentesting-methodology.md b/infosec/pentesting-methodology.md new file mode 100644 index 0000000..586c66b --- /dev/null +++ b/infosec/pentesting-methodology.md 
@@ -0,0 +1,62 @@ +# Penetration Testing Methodology Cheatsheet + +| Phase | Activity | Tools/Commands | Notes | +|-------|----------|----------------|-------| +| **Reconnaissance** |||| +| OSINT gathering | Collect public information | theHarvester, Maltego, Shodan | `theHarvester -d target.com -l 500 -b google` | +| Subdomain enumeration | Find subdomains | Sublist3r, Amass, crt.sh | `amass enum -d target.com` | +| DNS information | Gather DNS records | dig, nslookup, DNSrecon | `dig any target.com` | +| Email harvesting | Find email addresses | theHarvester, Hunter.io | `theHarvester -d target.com -b linkedin` | +| Social media intel | Analyze social presence | Social-Analyzer | `social-analyzer --username "target"` | +| **Scanning** |||| +| Network scanning | Discover hosts/services | Nmap, Masscan | `nmap -sS -A -T4 target.com` | +| Vulnerability scanning | Identify vulnerabilities | Nessus, OpenVAS, Nexpose | `nmap --script vuln target.com` | +| Web application scanning | Find web vulnerabilities | Nikto, OWASP ZAP, Burp Suite | `nikto -h target.com` | +| Port scanning | Identify open ports | Nmap, Rustscan | `rustscan -a target.com -- -sV` | +| Service enumeration | Identify running services | Nmap scripts | `nmap -sV -sC target.com` | +| **Enumeration** |||| +| Web content discovery | Find hidden content | Gobuster, dirsearch, ffuf | `gobuster dir -u target.com -w wordlist.txt` | +| API enumeration | Discover API endpoints | Swagger-scanner, ffuf | `ffuf -w paths.txt -u target.com/FUZZ` | +| Network shares | Identify accessible shares | enum4linux, smbmap | `enum4linux -a target.com` | +| SNMP enumeration | Gather SNMP information | snmpwalk, onesixtyone | `snmpwalk -v2c -c public target.com` | +| User enumeration | Identify valid users | Kerbrute, smtp-user-enum | `kerbrute userenum -d domain.com userlist.txt` | +| **Vulnerability Assessment** |||| +| CMS scanning | Test CMS vulnerabilities | WPScan, CMSmap, Droopescan | `wpscan --url target.com` | +| 
SSL/TLS testing | Check SSL configuration | SSLyze, testssl.sh | `sslyze target.com:443` | +| Password attacks | Test password security | Hydra, Medusa, Hashcat | `hydra -l admin -P passwords.txt target.com http-post-form` | +| Misconfigurations | Find security misconfigs | Nuclei, grype | `nuclei -u target.com -t misconfiguration/` | +| Default credentials | Check default passwords | Default Cred Scanner | Test common username/password combinations | +| **Exploitation** |||| +| Web exploitation | Exploit web vulnerabilities | Burp Suite, sqlmap | `sqlmap -u "target.com/page?id=1" --dbs` | +| Buffer overflows | Exploit memory corruption | Immunity Debugger, PEDA | Customize exploit code for target | +| Privilege escalation | Gain higher privileges | LinPEAS, WinPEAS | `./linpeas.sh` | +| Lateral movement | Move across network | Mimikatz, CrackMapExec | `crackmapexec smb 192.168.1.0/24` | +| Password cracking | Break password hashes | Hashcat, John the Ripper | `hashcat -m 1000 hash.txt wordlist.txt` | +| **Post-Exploitation** |||| +| Persistence | Maintain access | Empire, Covenant | Create backdoor accounts | +| Data exfiltration | Extract sensitive data | PowerShell scripts, exfil tools | Test DLP controls | +| Pivoting | Use compromised host | Metasploit, chisel | `meterpreter> portfwd add -l 3389 -p 3389 -r target` | +| Covering tracks | Remove evidence | Log manipulation | Clear event logs, remove artifacts | +| Evidence collection | Document findings | Screenshot tools, logs | Document all successful attacks | +| **Reporting** |||| +| Vulnerability validation | Verify findings | Manual testing | Eliminate false positives | +| Risk assessment | Rate vulnerability impact | CVSS calculator | Determine risk levels | +| Remediation planning | Suggest fixes | Best practice guides | Provide actionable recommendations | +| Report writing | Document methodology | Templates, markdown | Include executive summary | +| Evidence presentation | Present attack path | Network 
diagrams | Show attack chains | + +## Common Ports & Services + +| Port | Service | Common Vulnerabilities | +|------|---------|------------------------| +| 21 | FTP | Anonymous access, default credentials, cleartext auth | +| 22 | SSH | Weak passwords, outdated versions, key mismanagement | +| 23 | Telnet | Cleartext communications, outdated service | +| 25 | SMTP | Open relay, user enumeration, outdated software | +| 53 | DNS | Zone transfers, cache poisoning, DNSSEC issues | +| 80/443 | HTTP/HTTPS | XSS, SQLi, broken authentication, outdated software | +| 135 | MSRPC | Authentication bypass, RCE vulnerabilities | +| 139/445 | SMB/CIFS | EternalBlue, null sessions, weak permissions | +| 1433/1434 | MSSQL | Weak SA password, excessive privileges | +| 3306 | MySQL | Weak credentials, outdated versions | +| 3389 | RDP | BlueKeep, default/weak credentials |
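Review bot: the **Post-Exploitation** row `| Covering tracks | Remove evidence | Log manipulation | Clear event logs, remove artifacts |` describes an action that is normally out of scope for an authorized engagement: clearing a client's event logs destroys the audit trail their defenders (and the final report) depend on, and most rules of engagement forbid it outright. Suggest rewording the row as cleanup rather than anti-forensics, for example `| Cleanup | Remove test artifacts | Engagement checklist | Remove accounts, tools and files created during testing; never alter client logs |`, and qualifying the `| Persistence | Maintain access | Empire, Covenant | Create backdoor accounts |` row the same way, since every account or implant created during the test must be recorded and removed before close-out. Relatedly, the methodology table opens at **Reconnaissance** with no pre-engagement phase; a row for scoping, written authorization and rules of engagement (permitted targets, time windows, excluded systems, emergency contacts) belongs before it, because every command in the table assumes that authorization already exists. Two smaller accuracy points: the `hydra -l admin -P passwords.txt target.com http-post-form` example is incomplete as written, because the http-post-form module requires a form specification argument (`"/path:POST-body:failure-string"`) after the module name, and `dig any target.com` is an unreliable illustration of DNS gathering since many resolvers and authoritative servers no longer answer ANY queries (RFC 8482), so querying specific record types (`A`, `MX`, `TXT`, `NS`) would be the dependable example. Also, `grype` in the **Misconfigurations** row is a vulnerability scanner for container images and filesystems, not a misconfiguration scanner, so it fits better beside Nessus/OpenVAS in the **Vulnerability scanning** row.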