# Pen Testing Cheat Sheet - Black Box PT

## Preamble

- I have a box
- I can turn it on and connect it to my network
- I do not have any login credentials

## Host Scanning

What hosts are up on this network?

```bash
sudo netdiscover -r <ip address range>
```

## Port Scanning

What ports are running, i.e. open, on the hosts on this network?

TCP:

```bash
sudo nmap <target ip> -p-
```

- `-p-` ensures I scan all 65535 TCP ports (by default nmap only scans the 1000 most common ones)

UDP:

```bash
sudo masscan <target ip> -pU:1-65535 --rate=10000
```

- `--rate` is packets per second; lower it on slow or fragile networks
- Treat masscan's UDP results as a quick first pass and confirm interesting ports with nmap `-sU` before spending time on them

## Service Enumeration

### Find out what services and versions run on the ports

```bash
sudo nmap -sV <target ip> -p<list of open ports>
```

- Normal list output on the terminal

```bash
sudo nmap -sV <target ip> -p<list of open ports> -oX <filename>.xml
```

- Output results to an XML file, which can be
  - Read by searchsploit
  - Converted to HTML to include in the report

### Find out what vulnerabilities are available for those services

```bash
searchsploit <search terms like service and version>
```

```bash
searchsploit --nmap <filename>.xml
```

- searchsploit can also be used together with the nmap-generated XML
- However, this does not always give all results, so also search manually with the service name and version

I can also search for vulnerabilities and exploits in msfconsole:

```bash
msfconsole
msf6> search type:auxiliary <search terms like service and version>
msf6> search type:exploit <search terms like service and version>
```

## Exploits

- Choose whether I need a payload or not
- If I need a payload, remember to choose the platform
  - OS, i.e. Linux/Windows/macOS
  - cmd/java/python etc.
- Choose architecture
  - x86
  - x64
- Choose staged or stageless
- Choose shell type
  - meterpreter or not
- Choose connection type
  - Reverse (prioritise reverse)
  - Bind
- Choose protocol
  - tcp
  - http
  - perl (for `cmd/unix` payloads the name carries the interpreter rather than a transport, e.g. `cmd/unix/reverse_perl`)
  - etc.

## Post Exploit

### Privilege Escalation

#### Meterpreter + Suggester

Use the suggester to find potential PrivEsc exploits:

```bash
msf6> search suggester
msf6> use post/multi/recon/local_exploit_suggester
```

- Set SESSION to an active METERPRETER session (a plain shell session is not enough for this module)
- run
- Take note of the suggested exploits and attempt them one at a time; the suggester only runs each exploit's check, so some suggestions will still fail on the real target

#### Manual PrivEsc

- Under Construction

##### SUID

- Under Construction
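Added example for the Port Scanning and Service Enumeration steps above (my own helper script, not something nmap or searchsploit ship): the `-p-` scan produces a list of open ports that then has to be typed into `-sV -p<list>`, and the `-sV` results have to be turned into searchsploit terms. This glue does both from nmap's grepable output, so it assumes the scans are run with `-oG <file>` and that the `Ports:` field follows the `port/state/proto/owner/service/rpc/version` layout. The sample scan file embedded below is constructed, not a real result.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheat sheet.
# Glue for the Port Scanning -> Service Enumeration steps: parse nmap's
# grepable output (-oG) to build the -p<list> argument and searchsploit
# search terms. Assumes the -oG "Ports:" field layout
# port/state/proto/owner/service/rpc/version, tab-separated fields per host.

# Print one "port<TAB>service<TAB>version" line per open port in a -oG file.
gnmap_open_entries() {
    awk -F'\t' '
    /Ports: / {
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
            sub(/^Ports: /, "", $i)
            n = split($i, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")   # f[1]=port f[2]=state f[5]=service f[7]=version
                if (f[2] != "open") continue
                sub(/ \(.*$/, "", f[7])    # drop "(extra info)" so the terms stay searchable
                printf "%s\t%s\t%s\n", f[1], f[5], f[7]
            }
        }
    }' "$1"
}

# Comma-separated open ports, ready for: nmap -sV <target> -p"$(open_ports_from_gnmap scan.gnmap)"
open_ports_from_gnmap() {
    gnmap_open_entries "$1" | cut -f1 | sort -un | paste -s -d ',' -
}

# One "service version" line per open port, ready to paste into searchsploit.
searchsploit_terms_from_gnmap() {
    gnmap_open_entries "$1" | cut -f2,3 | tr '\t' ' '
}

# Constructed sample of -oG output (not a real scan) so the helpers run offline.
write_sample_gnmap() {
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n' > "$1"
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)\n' >> "$1"
}

sample=$(mktemp)
write_sample_gnmap "$sample"
echo "-p$(open_ports_from_gnmap "$sample")"            # -> -p22,80
searchsploit_terms_from_gnmap "$sample" | while IFS= read -r term; do
    echo "searchsploit $term"                            # run for real once the list looks right
done
rm -f "$sample"
```

In use: `sudo nmap <target ip> -p- -oG all.gnmap`, then `sudo nmap -sV <target ip> -p"$(open_ports_from_gnmap all.gnmap)" -oG sv.gnmap`, then `searchsploit_terms_from_gnmap sv.gnmap`. Filtered and closed ports are dropped on purpose; the parenthesised extra info is stripped because searchsploit matches on short product/version strings, not on OS banners.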
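Added example for the Exploits checklist above (my own helper, not part of Metasploit): the choices in that list map onto a fixed naming convention, and this function encodes it so a set of choices becomes a payload name I can look up with `msfvenom -l payloads`. It assumes native payloads for Linux, Windows and macOS only; `cmd/` payloads and other platforms are out of scope.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheat sheet or from Metasploit.
# Turn the Exploits checklist (platform, arch, staged/stageless, shell type,
# connection type, protocol) into the Metasploit payload name that combination
# maps to. Conventions encoded: staged payloads separate shell type and
# connection with "/", stageless ones with "_"; Windows x86 has no arch
# segment; macOS is "osx". Command payloads (cmd/unix/...) are out of scope.
msf_payload_name() {
    local os=$1 arch=$2 staging=$3 shell=$4 conn=$5 proto=$6 base
    case "$os" in
        linux|windows) base=$os ;;
        macos|osx)     base=osx ;;
        *) echo "unsupported OS: $os (expected linux, windows or macos)" >&2; return 1 ;;
    esac
    case "$arch" in
        x86|x64) ;;
        *) echo "unsupported arch: $arch (expected x86 or x64)" >&2; return 1 ;;
    esac
    case "$shell" in
        meterpreter|shell) ;;
        *) echo "shell type must be meterpreter or shell" >&2; return 1 ;;
    esac
    case "$conn" in
        reverse|bind) ;;
        *) echo "connection type must be reverse or bind" >&2; return 1 ;;
    esac
    # Windows x86 payloads omit the architecture segment; everything else carries it.
    [ "$base/$arch" = windows/x86 ] || base="$base/$arch"
    case "$staging" in
        staged)    printf '%s/%s/%s_%s\n' "$base" "$shell" "$conn" "$proto" ;;
        stageless) printf '%s/%s_%s_%s\n' "$base" "$shell" "$conn" "$proto" ;;
        *) echo "staging must be staged or stageless" >&2; return 1 ;;
    esac
}

# Walk the checklist for a typical Linux target and a typical Windows target.
for choice in \
    "linux x64 staged meterpreter reverse tcp" \
    "linux x64 stageless shell reverse tcp" \
    "windows x86 staged meterpreter reverse https" \
    "windows x64 stageless meterpreter bind tcp"; do
    # shellcheck disable=SC2086
    name=$(msf_payload_name $choice)
    echo "$choice -> $name   (confirm: msfvenom -l payloads | grep -F $name)"
done
```

The name is only a candidate: always confirm it with `msfvenom -l payloads | grep -F <name>` before building, since not every combination exists for every platform.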