Blackbox Network Penetration Testing Process (PTES Based)

---

Objective:

Find vulnerabilities and attack vectors, exploit them and develop a thoughtful retrospective with compelling evidence.

Causes of vulnerabilities:

– Design and development errors – Poor system configuration – Human errors (specific or architectural)

High Level Process:

• Organization Profiling
  • Creating profiled passwords
  • Understanding organization relationships
  • User information
  • Looking for past breaches and compromised passwords
• Data Collection
  • Ports, services, operating systems
  • URL fuzzing and crawling
  • DNS maps
• Automated Vulnerability Analysis
  • OpenVAS system scanning & report generation
  • OWASP ZAP and Nikto web application scanning & report generation
  • Metasploit Framework
• Manual Vulnerability Analysis
  • Analyzing returned custom errors
  • Analyzing web schemas
  • Google dorking
• Automated Exploitation
  • CVE exploitation
• Manual Exploitation
  • Creating maliciously crafted packets and responses
  • Profiled password brute-forcing
• Data Rollup and Data Point Correlation
  • Reporting prep
  • Custom and Deep Manual Exploits
• Report Delivery
  • List of systems, scopes, vulnerabilities, successful attacks/breaches, remediation recommendation

Engineering Process: (DRAFT v2)

MS1 (Day 1-3)

Organization Profiling

• DNS Scanning
  • TheHarvester theharvester -d <DOMAIN> -b all -v -n -\-t -l 500
  • Mxtoolbox
  • Robtex
  • Dnsmap dnsmap <DOMAIN> -w usr/share/wordlists/gvit_subdomain_wordlist.txt -r results.txt

Email Address Scanning

• Hunter
• Maltego CE

Password Profiling

• Based on intelligence gathered from Maltego CE, mostly emails and names

DNS/IP Dorking

• Google dorking - pentest-tools
  • Directory listing vulnerabilities
  • Configuration files exposed
  • Database files exposed
  • Log files exposed
  • Backup and old files
  • Login pages
  • SQL errors
  • Publicly exposed documents
  • phpinfo()
• SiteDigger
  • https://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

SSL/TLS Analysis

• tlssled
• sslscan for quick scan (this is also called from tlssled)
• ssllabs.com (requires host to have a domain name)

User Breach Lookup

• Hacked-DB Script (available on GVIT github)
• Have I been pwned (https://haveibeenpwned.com/)

User Password Lookup

• Using internal password database
• Dropbox Hack Search (Grab SHA1 Hash and decipher with HashCat)

Host Identification

• Shodan
• ARIN

Vulnerability Scanning

• OpenVAS
• Nexpose
• Legion
• NetSparker - Premium product, not open source
• Nikto
• DirBuster
• OWASP ZAP
• Asafaweb

MS2 (Day 3-5)

• Dradis Import
• Password Bruteforcing - Hydra (can be called from Sparta)
• Exploitation Research
  • https://www.exploit-db.com/
  • http://www.securityfocus.com/
  • https://cxsecurity.com/
  • http://0day.today
  • http://siph0n.net/
  • https://minotr.net/
  • https://www.threatcrowd.org/
  • https://metadefender.opswat.com/threat-intelligence-feeds
  • https://www.threatminer.org/
  • http://data.netlab.360.com/
  • https://talosintelligence.com
  • https://cymon.io/
• Exploitation via Metasploit Framework, custom scripts depending on vulnerabilities discovered
• Web exploitation via manual testing based on vulnerabilities discovered by NetSparker, OWASP ZAP, Nexpose, and OpenVAS. Useful beginner's guide for cross site scripting: https://xss-game.appspot.com
• sqlninja (for SQL injection)
• Internal exploitation
  • DHCPig (DHCP exhaustion)
  • Wifite (wireless attacks)
  • Aircrack-ng suite
  • Kismet for passive wireless discovery
  • Yersinia (Layer 2 exploitation)
  • WireShark Traffic Sniffing
  • NTLM relaying to capture hashes and pass the hash
  • MITM attacks with Ettercap, mitmf, hunt-tool, and more if it's within the RoE

MS3 (Day 5-8)

• Create Maltego Maps (company intelligence & systems topology)
• Screenshot Data Roll Up
• Exploit Data Roll Up
• MS4 (Day 8-12)
• Generate Dradis Report (soon to be Spearhead)
• Word Document Customizations
  • Add in any additional screenshots and scale & crop as necessary
  • Check for proper language usage (Third-Person-Formal & Past Tense)
  • Look for and correct any non-sequiturs
  • Check for soft returns, spacing and correct font (Lato)
  • Ensure issue titles are all using Title Case
  • Ensure all fields contain proper entries (No n/a or empty fields)
  • Simplify summary, insight and mitigation fields wherever possible
  • Format tables, lists or other data collections in clean easy to read tables with alternating colors
  • Insert page breaks where needed to ensure good flow of report
  • Check “Affected Hosts” for duplicates and trailing commas
  • Insert comments for any incomplete items
• Proof Read and Review