0c - Useful cheatsheet for pentesting

  • Tools are only as effective as the operator using them.
  • Have ready-to-use virtual machines of both GNU/Linux and Windows.
  • Use a password manager and strong, unique passwords, preferably
  • Keep pentesting and personal workspaces separate.
  • Document everything and have written legal authorization before doing any target assessment.

Full upgrade & update of the system

sudo apt update -y && sudo apt full-upgrade -y && sudo apt autoremove -y && sudo apt autoclean -y

Installing multiple packages at once

└──╼ $ cat install.list

netcat
radare2
nmap
seclists
tcpdump
hashcat
wireshark
git
gobuster

└──╼ $ sudo apt install -y $(cat install.list)

The unquoted $(...) is split on whitespace, so one package name per line is all the list needs.

Running multiple bash configurations at once on the system

user@user:~$ cat automation_scripts.txt

terminal.sh
tools.sh
GUI.sh
network.sh
vim.sh

user@user:~$ for script in $(cat automation_scripts.txt); do curl -s http://myvps.vps-provider.net/$script | bash; done

Be aware of what this loop does: whatever the server returns is piped straight into bash over plain HTTP, so anyone who can intercept the connection (or who controls the VPS) runs code as your user on your pentesting box. Serve the scripts over HTTPS from a host you control and compare each script with a hash you recorded when you published it before executing it.
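A safer form of that loop, added here as an example (my code, not the page's): each script is downloaded to a file, its SHA-256 is compared with the value you recorded when publishing it, and only then is it run. The base URL https://myvps.vps-provider.net is the page's placeholder with HTTPS substituted; the manifest format (the "<sha256>  <name>" lines that sha256sum prints) is an assumption of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the page: run customization scripts only after
# checking them against a known SHA-256. The base URL is the page's
# placeholder (over HTTPS); the sha256sum-style manifest is my own choice.
set -euo pipefail

# verify_and_run FILE EXPECTED_SHA256
# Executes FILE with bash only if its SHA-256 equals EXPECTED_SHA256.
# On a mismatch nothing is executed and the function returns 1.
verify_and_run() {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "refusing $file: sha256 $actual != $expected" >&2
        return 1
    fi
    bash "$file"
}

# fetch_and_run NAME EXPECTED_SHA256 [BASE_URL]
# Downloads NAME over HTTPS to a temp file and hands it to verify_and_run,
# so a swapped or tampered script is never piped into the shell.
fetch_and_run() {
    local name="$1" expected="$2" base="${3:-https://myvps.vps-provider.net}"
    local tmp rc=0
    tmp=$(mktemp)
    curl -fsSL "$base/$name" -o "$tmp"
    verify_and_run "$tmp" "$expected" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# run_manifest MANIFEST [BASE_URL]
# MANIFEST holds "<sha256>  <name>" lines (what `sha256sum *.sh` prints on
# the publishing side); each listed script is fetched and verified in turn,
# stopping at the first failure.
run_manifest() {
    local manifest="$1" base="${2:-https://myvps.vps-provider.net}"
    local hash name
    while read -r hash name; do
        [ -n "$name" ] || continue          # skip blank lines
        fetch_and_run "$name" "$hash" "$base"
    done < "$manifest"
}

# Offline demonstration with a constructed script: the genuine hash is
# accepted and the script runs; a wrong hash is refused and it does not.
demo_dir=$(mktemp -d)
printf 'echo "vim config applied"\n' > "$demo_dir/vim.sh"
good=$(sha256sum "$demo_dir/vim.sh" | awk '{print $1}')
verify_and_run "$demo_dir/vim.sh" "$good"
verify_and_run "$demo_dir/vim.sh" "$(printf '%064d' 0)" || echo "tampered script rejected"
rm -rf "$demo_dir"
```

Publish the hashes from a machine you trust (`sha256sum *.sh > manifest.txt`) and keep the manifest with your own notes rather than next to the scripts on the VPS, otherwise whoever replaces a script can replace its hash too.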

Example penetration testing project folder structure might look like the following

george@LTP51[/PEN1]$ tree .

.
└── Penetration-Testing
    ├── Pre-Engagement
    │   └── ...
    ├── Network-Pentesting
    │   ├── Linux
    │   │   ├── Information-Gathering
    │   │   │   └── ...
    │   │   ├── Vulnerability-Assessment
    │   │   │   └── ...
    │   │   └── ...
    │   │       └── ...
    │   ├── Windows
    │   │   ├── Information-Gathering
    │   │   │   └── ...
    │   │   └── ...
    │   └── ...
    ├── WebApp-Pentesting
    │   └── ...
    ├── Social-Engineering
    │   └── ...
    ├── ...
    │   └── ...
    ├── Reporting
    │   └── ...
    └── Results
        └── ...

General categories for note-taking during target assessment

  1. Newly discovered information

Take note of every newly discovered vulnerability, target or point of access, IP address, username, password, piece of source code, etc. that you identify and that relates to the penetration testing engagement and process.

  2. Ideas for further tests and processing

You are processing hundreds if not thousands of data streams during a penetration test. Record ideas as they occur; they are often fleeting and easily forgotten later.

  3. Scan results

With such a large amount of information arriving in a short time, one can quickly feel overwhelmed, and it is not easy at first to filter out the most critical pieces. Keeping scan output organized makes it possible to come back to it later.

  4. Logging

Logging is essential both for documentation and for our own protection: if a third party attacks the company during our penetration test and damage occurs, we can prove that the damage did not result from our activities. Tools like script and date help us track executed commands during the test in an organized manner, like so:

script 03-21-2021-0200pm-exploitation.log

This starts recording the terminal session (commands and their output) to 03-21-2021-0200pm-exploitation.log for later review. Type exit on the command line to stop recording.
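An added example (my code, not the page's) that ties the folder structure shown earlier to this logging step: it builds the engagement skeleton from that tree and derives the session log name from date, as the text suggests, before handing the session to script. Assumptions of mine: a Logs/ directory under Penetration-Testing, the YYYY-MM-DD-HHMM-<phase>.log naming, and GNU date's -d "@<epoch>" for the reproducible form of log_name.

```bash
#!/usr/bin/env bash
# Added example, not the page's own code: build the engagement skeleton
# from the tree above and start a `script` log whose name comes from `date`.
# Assumptions: the Logs/ directory and the YYYY-MM-DD-HHMM-<phase>.log naming
# are my conventions; the EPOCH form of log_name relies on GNU date -d "@<epoch>".
set -euo pipefail

# scaffold_engagement ROOT: create the folder tree under ROOT (safe to re-run).
scaffold_engagement() {
    local root="$1" d
    for d in \
        Pre-Engagement \
        Network-Pentesting/Linux/Information-Gathering \
        Network-Pentesting/Linux/Vulnerability-Assessment \
        Network-Pentesting/Windows/Information-Gathering \
        WebApp-Pentesting \
        Social-Engineering \
        Reporting \
        Results \
        Logs; do
        mkdir -p "$root/Penetration-Testing/$d"
    done
    # Client data and credentials land in here: nobody but the tester reads it.
    chmod -R go-rwx "$root/Penetration-Testing"
}

# log_name ROOT PHASE [EPOCH]: print the log path for PHASE, stamped with the
# current UTC time, or with EPOCH (seconds) so the name is reproducible.
log_name() {
    local root="$1" phase="$2" epoch="${3:-}" stamp
    if [ -n "$epoch" ]; then
        stamp=$(date -u -d "@$epoch" +%Y-%m-%d-%H%M)
    else
        stamp=$(date -u +%Y-%m-%d-%H%M)
    fi
    printf '%s/Penetration-Testing/Logs/%s-%s.log\n' "$root" "$stamp" "$phase"
}

# start_log ROOT PHASE: record the current shell session with script(1)
# into a fresh, time-stamped log; type `exit` in the recorded shell to stop.
start_log() {
    local file
    file=$(log_name "$1" "$2")
    echo "recording session to $file"
    script -a "$file"
}

# Demo: scaffold into a scratch directory and show where the exploitation log would go.
demo=$(mktemp -d)
scaffold_engagement "$demo"
log_name "$demo" exploitation
```

Run `start_log /PEN1 exploitation` at the start of each phase; because the name carries the UTC timestamp, logs sort chronologically and can be matched against the client's own logs if an incident during the engagement has to be attributed.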

  5. Screenshots

Screenshots serve as a momentary record and represent proof of results that may not be possible to describe in words.

Under Windows, the Sysinternals suite is a set of portable applications for administering Windows systems (for the most part without requiring installation). The tools can either be downloaded from the Microsoft website or loaded directly from an internet-accessible file share by entering \\live.sysinternals.com\tools into a Windows Explorer window. Note that this fetches executables across the internet over WebDAV (the WebClient service must be running), which is slow, is often blocked by egress filtering, and shows up clearly in proxy and firewall logs.

For example, we can run procdump.exe directly without downloading it to disk like so:

PS C:\Users\George> \\live.sysinternals.com\tools\procdump.exe -accepteula

ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

Monitors a process and writes a dump file when the process exceeds the
specified criteria or has an exception.

Capture Usage:
   procdump.exe [-mm] [-ma] [-mt] [-mp] [-mc <Mask>] [-md <Callback_DLL>] [-mk]
                [-n <Count>]
                [-s <Seconds>]
                [-c|-cl <CPU_Usage> [-u]]
                [-m|-ml <Commit_Usage>]
                [-p|-pl <Counter> <Threshold>]
                [-h]
                [-e [1] [-g] [-b] [-ld] [-ud] [-ct] [-et]]
                [-l]

Process Explorer, also part of the Sysinternals suite, shows which handles and DLLs each running process has opened or loaded.

Windows host enumeration general data

Without a guided structure for enumeration, we will struggle to know whether we have gathered all the information required to reach our goal. It is easy to write off a system as fully patched and not vulnerable to any current CVEs or the latest vulnerabilities; but focusing only on that misses the many human configuration errors that could exist in the environment. This is why taking our time to gather all the information we can on a system or environment should take priority over simply exploiting it.

Renaming all files with a given extension in a folder tree (this is the Perl rename shipped on Debian-based systems, which takes a regex; the util-linux rename takes different arguments). -iname matches the case-insensitive /i in the substitution:

find . -iname "*.old" -exec rename -v 's/\.old$/.new/i' {} \;

PowerShell tools for sysadmins/pentesters

  • AdminToolbox - collection of helpful modules that allow system administrators to perform any number of actions dealing with things like Active Directory, Exchange, Network management, file and storage issues, and more.
  • ActiveDirectory - collection of local and remote administration tools for all things Active Directory. We can manage users, groups, permissions, and much more with it.
  • Empire/Situational Awareness - collection of PowerShell modules and scripts that provide situational awareness on a host and the domain it is a part of. This project is maintained by BC Security as a part of their Empire Framework.
  • Inveigh - a tool built to perform network spoofing and Man-in-the-middle attacks.
  • Bloodhound / SharpHound - allows us to visually map out an Active Directory Environment using graphical analysis tools and data collectors written in C# and PowerShell.

Useful Directories to look for under Windows

  • AppData\ folder: many applications store their config and temporary data here.

  • The user profile folder, e.g. C:\Users\User. SSH and VPN keys and more may be stored here, sometimes as hidden files.

  • Console history is a goldmine, especially with admin access:

    • C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    • Get-Content (Get-PSReadlineOption).HistorySavePath
  • The user's clipboard may hint at something: Get-Clipboard

  • Scheduled tasks.

AD is designed to be backward-compatible, and many features are arguably not “secure by default”. AD is essentially a sizeable read-only database accessible to all users within the domain, regardless of their privilege level. A basic AD user account with no added privileges can enumerate most objects within AD.