Pentesting Methodologies

Information Gathering

This stage takes place before you have any access to the target network. The goal is to collect as much information as possible about the business: its websites, personnel, technology, and anything else relating to the company that will help you later on. People often choose weak passwords built from facts about themselves, such as a child's name, a year of birth, or the company name with a 5 in place of an S. Gathering this kind of detail about as many users as possible can be incredibly beneficial, because it feeds directly into targeted password guessing and social engineering. Keep the activity inside the agreed scope, and record where each fact came from so the findings can be reproduced.

Tools/Programs:

Social media profiles such as Facebook, Twitter, LinkedIn and Google+
Maltego
Social Engineering
TheHarvester
Metagoofil
Shodan + API
ZoomEye
DNSenum/DNSrecon
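
The substitutions described above (names, years, a 5 for an S) are easy to turn into a targeted wordlist. The script below is an added example, not code from the original page or from any of the tools listed; the OSINT profile (names, employer and years) is constructed for illustration, and the leet table and suffixes are assumptions a tester would tune per engagement. It also shows that a typical "three of four character classes" policy does not stop such passwords.

```python
import itertools

# Common keyboard substitutions seen in user-chosen passwords ("5 instead of an S").
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Constructed OSINT profile for one fictitious user; real input comes from the
# information-gathering tools listed above.
PROFILE = {
    "words": ["Emma", "Liam", "Acme"],   # children's names and employer
    "years": [1985, 2010],               # years of birth found on social media
}


def case_variants(word):
    """lower, Capitalised and UPPER forms of a word."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Every combination of LEET substitutions applied to a word (original included)."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = set()
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for on, i in zip(mask, positions):
            if on:
                chars[i] = LEET[word[i].lower()]
        out.add("".join(chars))
    return out


def year_suffixes(years):
    """'', the full year and the two-digit year for each year in the profile."""
    out = {""}
    for y in years:
        out.add(str(y))
        out.add(str(y)[-2:])
    return out


def build_wordlist(profile, trailers=("", "!", "1", "123")):
    """Combine the profile's words with case, leet, year and trailing-symbol variants."""
    bases = set()
    for word in profile["words"]:
        for cv in case_variants(word):
            bases |= leet_variants(cv)
    years = year_suffixes(profile["years"])
    return sorted(base + year + tr for base in bases for year in years for tr in trailers)


def meets_complexity(pw, min_len=8):
    """A typical 'three of four character classes' policy; such rules do not
    stop predictable passwords built from public facts."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3


if __name__ == "__main__":
    words = build_wordlist(PROFILE)
    policy_ok = [w for w in words if meets_complexity(w)]
    print(f"{len(words)} candidates, {len(policy_ok)} pass a 3-of-4 complexity policy")
    print(policy_ok[:10])
```

Feed the output to whatever password-spraying or offline-cracking tool the engagement allows; the point is that a few hundred candidates derived from public facts cover a surprising share of real passwords, and most of them satisfy the usual complexity policy.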

Network Discovery

Scan the network and map out every device you can find: hosts, servers, domain controllers, printers and network equipment. This is also the point to start Wireshark or tcpdump so you capture traffic and get a better picture of what is actually happening on the network. Remember that on a switched network a passive capture only sees broadcast traffic (ARP requests, DHCP, NetBIOS and the like) plus frames addressed to your own port; unicast traffic between two other machines never reaches you. If you are engaged as a security engineer with access to the infrastructure, ask for a SPAN (mirror) port on the switch so that traffic from the other ports is copied to yours; otherwise you have to fall back on active techniques such as ARP sweeps or ARP spoofing, and the latter is intrusive enough that it should be agreed in advance.

Tools/Programs:

Nmap
Maltego
NetDiscover
SMBClient
Ettercap
Wireshark
TCPDump
Arping
Hping
Xprobe2
TCPflow
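
To make the switched-network limitation above concrete, here is an added example (not code from the original page or from any tool listed) that decodes raw Ethernet/ARP frames and builds an IP-to-MAC host map the way a passive capture would. The frames are constructed in the script: two hosts broadcast ARP requests for a gateway, which answers each with a unicast reply. Modelling a plain access port, only the broadcasting hosts are learned; modelling a SPAN port that receives every frame, the gateway appears too. MAC and IP addresses are made up.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(src_mac, sender_ip, target_ip, op=ARP_REQUEST,
              dst_mac=BROADCAST_MAC, target_mac="00:00:00:00:00:00"):
    """Build a raw Ethernet+ARP frame; used here only to construct sample traffic."""
    eth = ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(src_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame (IPv4 over Ethernet only); None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": mac_str(dst), "op": op, "sender_mac": mac_str(sha),
            "sender_ip": ip_str(spa), "target_ip": ip_str(tpa)}


def switch_delivers(info, listener_mac):
    """A learning switch floods broadcast frames to every port but forwards a
    unicast frame only to the port that owns the destination MAC."""
    return info["dst"] in (BROADCAST_MAC, listener_mac)


def learn_hosts(frames, listener_mac=None):
    """Build an IP -> MAC map from the sender fields of ARP frames.
    listener_mac set: model a plain access port (only frames the switch would deliver count).
    listener_mac None: model a SPAN/mirror port that receives a copy of every frame."""
    hosts = {}
    for frame in frames:
        info = parse_arp(frame)
        if info is None:
            continue
        if listener_mac is not None and not switch_delivers(info, listener_mac):
            continue
        hosts[info["sender_ip"]] = info["sender_mac"]
    return hosts


# Constructed sample traffic: hosts A and B broadcast ARP requests for the gateway,
# the gateway answers each with a unicast reply, plus one non-ARP frame (ignored).
OUR_MAC = "02:00:00:00:00:99"
SAMPLE_FRAMES = [
    build_arp("02:00:00:00:00:10", "10.0.0.10", "10.0.0.1"),
    build_arp("02:00:00:00:00:01", "10.0.0.1", "10.0.0.10", ARP_REPLY,
              dst_mac="02:00:00:00:00:10", target_mac="02:00:00:00:00:10"),
    build_arp("02:00:00:00:00:20", "10.0.0.20", "10.0.0.1"),
    build_arp("02:00:00:00:00:01", "10.0.0.1", "10.0.0.20", ARP_REPLY,
              dst_mac="02:00:00:00:00:20", target_mac="02:00:00:00:00:20"),
    ETH_HDR.pack(mac_bytes(BROADCAST_MAC), mac_bytes(OUR_MAC), 0x0800) + b"\x00" * 28,
]

if __name__ == "__main__":
    print("access port:", learn_hosts(SAMPLE_FRAMES, OUR_MAC))   # A and B only
    print("SPAN port:  ", learn_hosts(SAMPLE_FRAMES))            # gateway as well
```

The gateway never broadcasts in this sample, so from a normal access port it is invisible to passive capture even though it is the busiest device on the segment; a mirror port, or an active ARP sweep with arping or nmap, is what finds it.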

Enumeration

This is where you perform port mapping, service version detection, OS detection, service-specific scans, domain enumeration, local user enumeration, and anything else that tells you what is running on the network. The goal is to find out which machines can be logged on to, what they are serving, which versions of those services are running, and which remote-access services are exposed, for example SSH versus Telnet, since Telnet sends credentials in cleartext.

Tools/Programs:

NMap
NSE (Nmap Scripting Engine)
SCAPY
Cisco Analysis Tools
Wireshark
DNSEnum
smtp-user-enum
snmpwalk

Vulnerability Assessment

Using the services, device software and other information discovered during enumeration, you now have a clearer understanding of how the network functions. Search for known vulnerabilities in those exact versions (vendor advisories, CVE databases, Exploit-DB), or attempt to write your own. If you find an out-of-date service such as Apache, public exploits are often available, but verify that an exploit matches the exact version, platform and configuration before relying on it: version banners can be misleading, and distribution-backported patches are a common cause of false positives.

Tools/Programs:

NMap
ExploitDB
NSE
Metasploit/Armitage + Nexpose
Nessus
Powerfuzzer
Fuzzers
Cisco Analysis Tools
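
The enumeration and vulnerability assessment stages above both start from the same data: which ports are open, what service is behind each, and which version. The script below is an added example (not code from the original page or from nmap itself) that parses the XML nmap writes with -oX after a -sV scan and flags open services that authenticate in cleartext or report a version below a floor. The scan output is constructed for illustration, and the version floors are hypothetical placeholders; on a real engagement they come from the vendor's advisories and CVE records, and a banner match still has to be confirmed before it is reported as exploitable.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout nmap writes with -oX after a -sV scan.
# The hosts, ports and versions are made up for illustration.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/28">
  <host>
    <status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Services whose default authentication sends credentials in cleartext.
CLEARTEXT_AUTH = {"telnet", "ftp", "pop3", "imap", "http"}

# Hypothetical version floors used only to show the comparison; real floors come
# from vendor advisories and CVE records for the exact platform in scope.
VERSION_FLOOR = {"OpenSSH": (8, 0), "Apache httpd": (2, 4, 50)}


def parse_version(text):
    """'2.4.29' -> (2, 4, 29); digit runs only, so '7.4p1' -> (7, 4, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", text or ""))


def parse_nmap(xml_text):
    """Flatten nmap XML into one dict per port."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        ip = next((a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4"), None)
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            records.append({
                "ip": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return records


def assess(records):
    """Flag open ports with cleartext authentication or a version below the floor."""
    findings = []
    for r in records:
        if r["state"] != "open":       # filtered/closed ports are not reachable services
            continue
        if r["service"] in CLEARTEXT_AUTH:
            findings.append((r["ip"], r["port"], "cleartext-auth", r["service"]))
        floor = VERSION_FLOOR.get(r["product"])
        if floor and r["version"] and parse_version(r["version"]) < floor:
            findings.append((r["ip"], r["port"], "outdated", f"{r['product']} {r['version']}"))
    return findings


if __name__ == "__main__":
    for ip, port, kind, detail in assess(parse_nmap(SAMPLE_NMAP_XML)):
        print(f"{ip}:{port:<5} {kind:<15} {detail}")
```

Treat the "outdated" entries as leads for the exploitation stage, not as confirmed vulnerabilities: a tuple comparison on a banner cannot see backported fixes, which is exactly the false positive warned about above.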

Exploitation and Security

Here you confirm which systems are actually exploitable using the vulnerabilities found during scanning and vulnerability assessment; a successful exploit is the proof that a finding is real rather than a scanner guess. Only exploit what the rules of engagement allow, and prefer non-destructive checks against production systems. This is also where you should recommend security updates, software/hardware upgrades, and hardened configurations for routers, switches and firewalls.

Tools/Programs:

NSE
Metasploit/Armitage + Nexpose
Wireshark
Various Servers (Bind9 DNS servers, DHCP servers, SMB Servers etc.)
Yersinia
Tcpreplay

Post Exploitation

At this stage, think about establishing persistence: a backdoor or other access channel you can return to if the original session is lost, for example after a reboot or once the exploited service is patched. Record every artifact you install (host, path, account, scheduled task) so it can be removed at the end of the engagement, and keep the channel itself authenticated and encrypted so you do not leave an open door for anyone else.

Tools/Programs:

SBD (secure bd)
Cryptcat
Backdoor Factory
Meterpreter Persistence
Powersploit
Iodine