security-cheatsheets/infosec/pentesting-methodology.md
2025-04-15 00:10:05 -06:00


# Penetration Testing Methodology Cheatsheet
| Phase | Activity | Tools/Commands | Notes |
|-------|----------|----------------|-------|
| **Reconnaissance** ||||
| OSINT gathering | Collect public information | theHarvester, Maltego, Shodan | `theHarvester -d target.com -l 500 -b google` |
| Subdomain enumeration | Find subdomains | Sublist3r, Amass, crt.sh | `amass enum -d target.com` |
| DNS information | Gather DNS records | dig, nslookup, DNSrecon | `dig any target.com` |
| Email harvesting | Find email addresses | theHarvester, Hunter.io | `theHarvester -d target.com -b linkedin` |
| Social media intel | Analyze social presence | Social-Analyzer | `social-analyzer --username "target"` |
| **Scanning** ||||
| Network scanning | Discover hosts/services | Nmap, Masscan | `nmap -sS -A -T4 target.com` |
| Vulnerability scanning | Identify vulnerabilities | Nessus, OpenVAS, Nexpose | `nmap --script vuln target.com` |
| Web application scanning | Find web vulnerabilities | Nikto, OWASP ZAP, Burp Suite | `nikto -h target.com` |
| Port scanning | Identify open ports | Nmap, Rustscan | `rustscan -a target.com -- -sV` |
| Service enumeration | Identify running services | Nmap scripts | `nmap -sV -sC target.com` |
| **Enumeration** ||||
| Web content discovery | Find hidden content | Gobuster, dirsearch, ffuf | `gobuster dir -u target.com -w wordlist.txt` |
| API enumeration | Discover API endpoints | Swagger-scanner, ffuf | `ffuf -w paths.txt -u http://target.com/FUZZ` (ffuf requires the URL scheme) |
| Network shares | Identify accessible shares | enum4linux, smbmap | `enum4linux -a target.com` |
| SNMP enumeration | Gather SNMP information | snmpwalk, onesixtyone | `snmpwalk -v2c -c public target.com` |
| User enumeration | Identify valid users | Kerbrute, smtp-user-enum | `kerbrute userenum -d domain.com userlist.txt` |
| **Vulnerability Assessment** ||||
| CMS scanning | Test CMS vulnerabilities | WPScan, CMSmap, Droopescan | `wpscan --url target.com` |
| SSL/TLS testing | Check SSL configuration | SSLyze, testssl.sh | `sslyze target.com:443` |
| Password attacks | Test password security | Hydra, Medusa, Hashcat | `hydra -l admin -P passwords.txt target.com http-post-form` |
| Misconfigurations | Find security misconfigs | Nuclei, grype | `nuclei -u target.com -t misconfiguration/` |
| Default credentials | Check default passwords | Default Cred Scanner | Test common username/password combinations |
| **Exploitation** ||||
| Web exploitation | Exploit web vulnerabilities | Burp Suite, sqlmap | `sqlmap -u "target.com/page?id=1" --dbs` |
| Buffer overflows | Exploit memory corruption | Immunity Debugger, PEDA | Customize exploit code for target |
| Privilege escalation | Gain higher privileges | LinPEAS, WinPEAS | `./linpeas.sh` |
| Lateral movement | Move across network | Mimikatz, CrackMapExec | `crackmapexec smb 192.168.1.0/24` |
| Password cracking | Break password hashes | Hashcat, John the Ripper | `hashcat -m 1000 hash.txt wordlist.txt` |
| **Post-Exploitation** ||||
| Persistence | Maintain access | Empire, Covenant | Create backdoor accounts |
| Data exfiltration | Extract sensitive data | PowerShell scripts, exfil tools | Test DLP controls |
| Pivoting | Use compromised host | Metasploit, chisel | `meterpreter> portfwd add -l 3389 -p 3389 -r target` |
| Covering tracks | Remove evidence | Log manipulation | Clear event logs, remove artifacts |
| Evidence collection | Document findings | Screenshot tools, logs | Document all successful attacks |
| **Reporting** ||||
| Vulnerability validation | Verify findings | Manual testing | Eliminate false positives |
| Risk assessment | Rate vulnerability impact | CVSS calculator | Determine risk levels |
| Remediation planning | Suggest fixes | Best practice guides | Provide actionable recommendations |
| Report writing | Document methodology | Templates, markdown | Include executive summary |
| Evidence presentation | Present attack path | Network diagrams | Show attack chains |

## Common Ports & Services
| Port | Service | Common Vulnerabilities |
|------|---------|------------------------|
| 21 | FTP | Anonymous access, default credentials, cleartext auth |
| 22 | SSH | Weak passwords, outdated versions, key mismanagement |
| 23 | Telnet | Cleartext communications, outdated service |
| 25 | SMTP | Open relay, user enumeration, outdated software |
| 53 | DNS | Zone transfers, cache poisoning, DNSSEC issues |
| 80/443 | HTTP/HTTPS | XSS, SQLi, broken authentication, outdated software |
| 135 | MSRPC | Authentication bypass, RCE vulnerabilities |
| 139/445 | SMB/CIFS | EternalBlue, null sessions, weak permissions |
| 1433/1434 | MSSQL | Weak SA password, excessive privileges |
| 3306 | MySQL | Weak credentials, outdated versions |
| 3389 | RDP | BlueKeep, default/weak credentials |