| Phase | Task | Description | Tools | Example command / note |
|---|---|---|---|---|
| Reconnaissance | OSINT gathering | Collect public information | theHarvester, Maltego, Shodan | `theHarvester -d target.com -l 500 -b google` |
| Reconnaissance | Subdomain enumeration | Find subdomains | Sublist3r, Amass, crt.sh | `amass enum -d target.com` |
| Reconnaissance | DNS information | Gather DNS records | dig, nslookup, DNSrecon | `dig any target.com` |
| Reconnaissance | Email harvesting | Find email addresses | theHarvester, Hunter.io | `theHarvester -d target.com -b linkedin` |
| Reconnaissance | Social media intel | Analyze social presence | Social-Analyzer | `social-analyzer --username "target"` |
| Scanning | Network scanning | Discover hosts/services | Nmap, Masscan | `nmap -sS -A -T4 target.com` |
| Scanning | Vulnerability scanning | Identify vulnerabilities | Nessus, OpenVAS, Nexpose | `nmap --script vuln target.com` |
| Scanning | Web application scanning | Find web vulnerabilities | Nikto, OWASP ZAP, Burp Suite | `nikto -h target.com` |
| Scanning | Port scanning | Identify open ports | Nmap, Rustscan | `rustscan -a target.com -- -sV` |
| Scanning | Service enumeration | Identify running services | Nmap scripts | `nmap -sV -sC target.com` |
| Enumeration | Web content discovery | Find hidden content | Gobuster, dirsearch, ffuf | `gobuster dir -u target.com -w wordlist.txt` |
| Enumeration | API enumeration | Discover API endpoints | Swagger-scanner, ffuf | `ffuf -w paths.txt -u target.com/FUZZ` |
| Enumeration | Network shares | Identify accessible shares | enum4linux, smbmap | `enum4linux -a target.com` |
| Enumeration | SNMP enumeration | Gather SNMP information | snmpwalk, onesixtyone | `snmpwalk -v2c -c public target.com` |
| Enumeration | User enumeration | Identify valid users | Kerbrute, smtp-user-enum | `kerbrute userenum -d domain.com userlist.txt` |
| Vulnerability Assessment | CMS scanning | Test CMS vulnerabilities | WPScan, CMSmap, Droopescan | `wpscan --url target.com` |
| Vulnerability Assessment | SSL/TLS testing | Check SSL configuration | SSLyze, testssl.sh | `sslyze target.com:443` |
| Vulnerability Assessment | Password attacks | Test password security | Hydra, Medusa, Hashcat | `hydra -l admin -P passwords.txt target.com http-post-form` |
| Vulnerability Assessment | Misconfigurations | Find security misconfigs | Nuclei, grype | `nuclei -u target.com -t misconfiguration/` |
| Vulnerability Assessment | Default credentials | Check default passwords | Default Cred Scanner | Test common username/password combinations |
| Exploitation | Web exploitation | Exploit web vulnerabilities | Burp Suite, sqlmap | `sqlmap -u "target.com/page?id=1" --dbs` |
| Exploitation | Buffer overflows | Exploit memory corruption | Immunity Debugger, PEDA | Customize exploit code for target |
| Exploitation | Privilege escalation | Gain higher privileges | LinPEAS, WinPEAS | `./linpeas.sh` |
| Exploitation | Lateral movement | Move across network | Mimikatz, CrackMapExec | `crackmapexec smb 192.168.1.0/24` |
| Exploitation | Password cracking | Break password hashes | Hashcat, John the Ripper | `hashcat -m 1000 hash.txt wordlist.txt` |
| Post-Exploitation | Persistence | Maintain access | Empire, Covenant | Create backdoor accounts |
| Post-Exploitation | Data exfiltration | Extract sensitive data | PowerShell scripts, exfil tools | Test DLP controls |
| Post-Exploitation | Pivoting | Use compromised host | Metasploit, chisel | `meterpreter> portfwd add -l 3389 -p 3389 -r target` |
| Post-Exploitation | Covering tracks | Remove evidence | Log manipulation | Clear event logs, remove artifacts |
| Post-Exploitation | Evidence collection | Document findings | Screenshot tools, logs | Document all successful attacks |
| Reporting | Vulnerability validation | Verify findings | Manual testing | Eliminate false positives |
| Reporting | Risk assessment | Rate vulnerability impact | CVSS calculator | Determine risk levels |
| Reporting | Remediation planning | Suggest fixes | Best practice guides | Provide actionable recommendations |
| Reporting | Report writing | Document methodology | Templates, markdown | Include executive summary |
| Reporting | Evidence presentation | Present attack path | Network diagrams | Show attack chains |