Pentesting

External

Standard

  • Enumerate open ports and services, typically with nmap

    • Enumerate webpages with FFUF

    • View any webpages for info and check for default login creds

      • Find info on OWA portals, or run WPScan if WordPress sites exist

  • Enumerate open ports and services with:

  • Look for users and credentials on DeHashed-API-Tool

  • Research vulnerabilities on versions of services and look for PoC

  • Enumerate domain with FastGoogleDorkScan

  • Enumerate users with OneDrive User Enum

  • Password spray (used to be done with CredMaster; looking into a new tool, FlareProx)

  • Scan with Nessus

With Credentials

  • See if user can log into Azure environment

    • Enumerate permissions and users within Entra ID using portal.azure and GraphRunner

    • Crawl SharePoint for interesting files using GraphRunner

  • Check other login environments

Internal

Standard

  • Enumerate open ports and services, typically with nmap

    • View any webpages for info and check for default login creds

    • Check for FTP Anonymous login

    • Scan for SMB Null Sessions (also using SMBCrunch)

  • Research vulnerabilities on versions of services and look for PoC

  • Check for SMB Signing, typically with NetExec

    • Enumerate hostnames and IPs from this as well

  • Poison LLMNR, NBT-NS and MDNS with Responder

  • Capture SMB relays with Impacket's ntlmrelayx

  • Abuse relays using proxychains, NetExec and other tools to dump SAM hashes, LSA hashes and network shares

  • Attempt to crack any NTLM or NTLMv2 hashes obtained from Responder and Impacket's ntlmrelayx

  • Pass NTLM hashes to other machines with NetExec

  • Enumerate Users with Kerbrute

  • Password spray with NetExec or SMBSpray

  • Crawl shares for interesting files using proxychains and ManSpider

  • Scan with Nessus

With Credentials

  • See if user can log into Azure environment

    • Enumerate permissions and users within Entra ID using portal.azure and GraphRunner

    • Crawl SharePoint for interesting files using GraphRunner

  • Crawl internal shares for interesting files using ManSpider

  • Run ldapdomaindump and BloodHound

    • Analyze the ldapdomaindump output for:

      • passwords in description

      • list of DAs

      • other high value targets

    • Analyze BloodHound data to find:

      • Kerberoastable users

      • Tier Zero users with email

      • Tier Zero computers not owned by Tier Zero

      • Tier Zero accounts that can be delegated

      • Tier Zero AD principals synchronized with Entra ID

      • AS-REP Roastable Tier Zero users (DontReqPreAuth)
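As an added example (not part of this checklist, and not ldapdomaindump's or BloodHound's own code), a small Python audit that runs over a constructed sample in the layout ldapdomaindump writes to domain_users.json and flags the items above so they can be reviewed and remediated: accounts with DONT_REQ_PREAUTH set (AS-REP roastable), accounts carrying an SPN (Kerberoastable), password hints in the description field, and Domain Admins members. The JSON layout, account names and values are assumptions.

```python
import json
import re

# Constructed sample in the layout ldapdomaindump writes to domain_users.json
# (a list of entries with "dn" and "attributes"; attribute values are lists).
# Layout details, account names and values are assumptions, not a real dump.
SAMPLE_USERS_JSON = json.dumps([
    {"dn": "CN=alice,CN=Users,DC=corp,DC=local",
     "attributes": {"sAMAccountName": ["alice"], "userAccountControl": [512],
                    "description": ["Helpdesk - temp password Welcome123!"],
                    "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"]}},
    {"dn": "CN=svc_backup,CN=Users,DC=corp,DC=local",
     "attributes": {"sAMAccountName": ["svc_backup"], "userAccountControl": [4194816],
                    "servicePrincipalName": ["backup/srv01.corp.local"]}},
    {"dn": "CN=bob,CN=Users,DC=corp,DC=local",
     "attributes": {"sAMAccountName": ["bob"], "userAccountControl": [512],
                    "description": ["Finance analyst"]}},
])

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: Kerberos pre-auth not required
PASSWORD_HINT = re.compile(r"pass|pwd", re.IGNORECASE)  # crude hint, review by hand
DA_GROUP = re.compile(r"^CN=Domain Admins,", re.IGNORECASE)


def first(attrs, name, default=None):
    """ldapdomaindump stores every attribute as a list; return its first value."""
    values = attrs.get(name) or []
    return values[0] if values else default


def audit_users(users_json):
    """Return {sAMAccountName: [finding, ...]} for the weaknesses the checklist lists."""
    findings = {}
    for entry in json.loads(users_json):
        attrs = entry["attributes"]
        name = first(attrs, "sAMAccountName", entry["dn"])
        uac = int(first(attrs, "userAccountControl", 0))
        hits = []
        if uac & DONT_REQ_PREAUTH:
            hits.append("AS-REP roastable (DONT_REQ_PREAUTH set)")
        if attrs.get("servicePrincipalName"):
            hits.append("Kerberoastable (has SPN)")
        if PASSWORD_HINT.search(first(attrs, "description", "")):
            hits.append("possible password in description")
        if any(DA_GROUP.match(g) for g in attrs.get("memberOf", [])):
            hits.append("member of Domain Admins")
        if hits:
            findings[name] = hits
    return findings
```

Point `audit_users` at the contents of a real domain_users.json to produce the same per-account findings; the description check is only a keyword hint and needs manual confirmation.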
