# Pentesting

{% hint style="danger" %}
This is my general rough process. Each pentest is unique and does not follow a "guide". Some of these tools are loud and will get detected. Make sure YOU understand each tool's use, flags, and more when using it. Some tools may cause unintended harm if used incorrectly.
{% endhint %}

## External

### Standard

* Enumerate open ports and services, typically with nmap
  * Enumerate webpages with [FFUF](/tools/ffuf.md)
  * View any webpages for info and check for default login creds
    * Find info for OWA portals, or run [WPScan](/tools/wpscan.md) if they exist
* Enumerate open ports and services with:
  * [Shodan](https://www.notion.so/th4ntis/shodan.io/)
  * [Fofa](https://en.fofa.info/)
  * [Web-check.xyz](https://www.notion.so/th4ntis/web-check.xyz/)
* Look for users and credentials on [DeHashed-API-Tool](/tools/dehashed-api-tool.md)
* Research vulnerabilities on versions of services and look for PoC
* Enumerate domain with [FastGoogleDorkScan](https://github.com/IvanGlinkin/Fast-Google-Dorks-Scan)
* Enumerate users with [OneDrive User Enum](/tools/onedrive-user-enum.md)
* Password spray (used to be with CredMaster; looking into a new tool, [FlareProx](https://github.com/MrTurvey/flareprox))
* Scan with Nessus

### With Credentials

* See if user can log into Azure environment
  * Enumerate permissions and users within Entra ID using portal.azure and [GraphRunner](/tools/graphrunner.md)
  * Crawl SharePoint for interesting files using [GraphRunner](/tools/graphrunner.md)
* Check other login environments
  * COMPANY.okta.com
  * [m365.cloud.microsoft](http://m365.cloud.microsoft)

## Internal

### Standard

* Enumerate open ports and services, typically with nmap
  * View any webpages for info and check for default login creds
  * Check for FTP Anonymous login
  * Scan for SMB Null Sessions (also using [SMBCrunch](/tools/smbcrunch.md))
* Research vulnerabilities on versions of services and look for PoC
* Check for SMB Signing, typically with [NetExec](/tools/netexec.md)
  * Enumerate hostnames and IPs from this as well
* Poison LLMNR, NBT-NS and mDNS with [Responder](/tools/responder.md)
* Capture SMB relays with Impacket's NTLMRelayX
* Abuse relays using [Proxychains](/tools/proxychains.md), [NetExec](/tools/netexec.md) and other tools to dump SAM hashes, LSA secrets, and network shares.
* Attempt to crack any NTLM or NTLMv2 hashes obtained from [Responder](/tools/responder.md) and [Impacket's NTLMRelayX](/tools/impacket.md)
* Pass NTLM hashes to other machines with [NetExec](/tools/netexec.md)
* Enumerate Users with [Kerbrute](/tools/kerbrute.md)
* Password spray with [NetExec](/tools/netexec.md) or [SMBSpray](/tools/smbspray.md)
* Crawl shares for interesting files using [proxychains](https://github.com/haad/proxychains) and [ManSpider](/tools/manspider.md)
* Scan with Nessus

### With Credentials

* See if user can log into Azure environment
  * Enumerate permissions and users within Entra ID using portal.azure and [GraphRunner](/tools/graphrunner.md)
  * Crawl SharePoint for interesting files using [GraphRunner](/tools/graphrunner.md)
* Crawl internal shares for interesting files using [ManSpider](/tools/manspider.md)
* Run [LDAP Domain Dump](/tools/ldap-domain-dump.md) and [BloodHound](/tools/bloodhoud-azurehound-sharphound.md)
  * Analyze [LDAPDomainDump](https://github.com/dirkjanm/ldapdomaindump) files for
    * passwords in description
    * list of DAs
    * other high value targets
  * Analyze [BloodHound](/tools/bloodhoud-azurehound-sharphound.md) data to find
    * Kerberoastable users
    * Tier Zero users with email
    * Tier Zero computers not owned by Tier Zero
    * Tier Zero accounts that can be delegated
    * Tier Zero AD principals synchronized with Entra ID
    * AS-REP Roastable Tier Zero users (DontReqPreAuth)
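As an added example (not part of this page, ldapdomaindump or BloodHound), a small audit that walks ldapdomaindump-style `domain_users.json` records and flags the findings the list above names (credentials left in the description, direct Domain Admins membership, DontReqPreAuth) so they can be remediated. The record shape (ldap3-style list-valued attributes under `"attributes"`) and the sample records are assumptions.

```python
"""Audit an AD user export for the hygiene issues listed above."""
import json
import re

# userAccountControl bits (Microsoft documented values)
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000   # Kerberos pre-authentication not required (AS-REP roastable)

# Heuristic for credentials left in the description attribute
PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pwd)\b", re.IGNORECASE)

# Constructed sample, shaped like ldapdomaindump's domain_users.json (assumption)
SAMPLE_USERS = json.dumps([
    {"dn": "CN=svc_backup,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["svc_backup"], "userAccountControl": [4194816],
                    "description": ["Backup svc - password: Winter2024!"], "memberOf": []}},
    {"dn": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["jdoe"], "userAccountControl": [512],
                    "description": ["Help desk"],
                    "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]}},
    {"dn": "CN=old_admin,CN=Users,DC=corp,DC=example",
     "attributes": {"sAMAccountName": ["old_admin"], "userAccountControl": [514],
                    "description": ["pwd in vault"], "memberOf": []}},
])


def _first(attrs, name, default=None):
    """ldapdomaindump stores every attribute as a list; return its first value."""
    values = attrs.get(name) or []
    return values[0] if values else default


def _group_cn(dn):
    match = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return match.group(1).lower() if match else ""


def audit_users(json_text):
    """Return {sAMAccountName: [finding, ...]} for accounts that need attention."""
    findings = {}
    for entry in json.loads(json_text):
        attrs = entry.get("attributes", {})
        name = _first(attrs, "sAMAccountName", entry.get("dn", "?"))
        uac = int(_first(attrs, "userAccountControl", 0))
        tags = []
        if PASSWORD_HINT.search(_first(attrs, "description", "") or ""):
            tags.append("password_in_description")
        if uac & DONT_REQ_PREAUTH:
            tags.append("no_preauth")
        if any(_group_cn(g) == "domain admins" for g in attrs.get("memberOf", [])):
            tags.append("domain_admin")   # direct membership only; nested paths need BloodHound
        if uac & ACCOUNTDISABLE:
            tags.append("disabled")       # lower priority, but still worth cleaning up
        if tags:
            findings[name] = tags
    return findings


if __name__ == "__main__":
    for account, tags in audit_users(SAMPLE_USERS).items():
        print(f"{account}: {', '.join(tags)}")
```

Point it at a real export with `audit_users(open("domain_users.json").read())`; the description regex is a heuristic, so review its hits by hand.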
