How to Pentest


I like to break a pentest into a few categories:
Intruder scope: who is able to carry out this attack? Entire Internet (worst) / local area (think Wi-Fi) / targeted (USB stick dropped in your parking lot; very narrow).
For a first audit I would focus on Internet scope and maybe put a little time into Wi-Fi.

What info can I get from their website? Phone number? HTTPS?
Are email addresses protected from web crawlers? Browse to https://websitename/robots.txt and investigate.
If documents are public, a tool like FOCA can read their metadata to retrieve email addresses and employee names.
Google search them. Find their CEO's name. Google search them. LinkedIn them.
Enter the website name; note the items in the security section. Doesn't do a good job of finding email addresses.
In the technology section, look for platforms that are easy to compromise, e.g. WordPress. Google search the platforms + vulnerability.
Look for red items.
Look for an SPF record.
Enter the website name; note which other websites this email appears on.
A record search; note the hosting provider.
Look up the MX record: who hosts their email? Check email health!
Search for names.
Creates a nice visual map of the DNS tree.
Enter a domain name and find their DNS registrar.
Requires creating an account, but lots of information in one spot.
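The SPF check mentioned above, worked through as an added example (this is my code, not part of the original notes or any tool they refer to). It rates a domain's SPF record by its terminal "all" qualifier and counts lookup-costing terms against the RFC 7208 limit of 10. The domain names and TXT strings in SAMPLE_RECORDS are constructed, and the `dig TXT` invocation in the comment is just one assumed way to fetch the real record.

```python
import re

# Constructed sample TXT records for made-up domains (not real DNS data). In
# practice the string comes from a TXT lookup, e.g. `dig TXT <domain>` (assumed
# invocation; any resolver that returns the TXT record works).
SAMPLE_RECORDS = {
    "example-hard.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.test -all",
    "example-soft.test": "v=spf1 include:_spf.mail-provider.test ~all",
    "example-open.test": "v=spf1 +all",
    "example-none.test": "",
}

# Terms that cost a DNS lookup under RFC 7208's limit of 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_terms(txt):
    """Return the SPF terms after 'v=spf1', or None if the TXT isn't an SPF record."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return None
    return txt.split()[1:]


def term_name(term):
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    body = term.lstrip("+-~?")
    return re.split(r"[:=/]", body, maxsplit=1)[0].lower()


def count_lookups(txt):
    """Count lookup-costing terms at the top level only (real evaluators also
    recurse into each include, so this is a lower bound)."""
    terms = spf_terms(txt) or []
    return sum(1 for t in terms if term_name(t) in LOOKUP_TERMS)


def assess_spf(txt):
    """Rate an SPF record by its terminal 'all' qualifier.
    Returns (rating, reason) with rating in
    {'missing', 'incomplete', 'weak', 'soft', 'hard'}."""
    terms = spf_terms(txt)
    if terms is None:
        return "missing", "no v=spf1 record: receivers cannot reject spoofed senders"
    qualifier = None
    for t in terms:
        if term_name(t) == "all":
            qualifier = t[0] if t[0] in "+-~?" else "+"   # bare 'all' means '+all'
    if qualifier is None:
        return "incomplete", "no 'all' term: unlisted senders evaluate to neutral"
    if qualifier in "+?":
        return "weak", f"'{qualifier}all' lets any host send as this domain"
    if qualifier == "~":
        return "soft", "'~all' softfails unlisted senders; many receivers still deliver"
    return "hard", "'-all' fails unlisted senders"


def check_domain(domain, records=SAMPLE_RECORDS):
    """Combine the two checks into one finding for a domain."""
    txt = records.get(domain, "")
    rating, reason = assess_spf(txt)
    lookups = count_lookups(txt)
    return {"domain": domain, "rating": rating, "reason": reason,
            "lookups": lookups, "exceeds_lookup_limit": lookups > 10}


if __name__ == "__main__":
    for d in SAMPLE_RECORDS:
        print(check_domain(d))
```

A "weak" or "missing" rating is the thing to report in the email-health part of the audit; "soft" is worth noting too, since receivers treat "~all" inconsistently. The lookup count here only covers the top-level record, so a real evaluator that recurses into each include can still exceed the limit where this check does not.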

Put an email address into every reset-your-password box to see if the message is different for valid and invalid email addresses.
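As an added example (my code, not from the original notes), here is the reset form's leaky behaviour next to the hardened version, plus the comparison check the note describes. The user store, the OUTBOX list and the queue_reset_email hook are constructed stand-ins for a real account database and mail queue.

```python
import secrets

# Constructed user store and outbox (no real accounts, no real mail is sent).
USERS = {"alice@example.test": 1, "bob@example.test": 2}
OUTBOX = []   # stands in for the mail queue; hypothetical, for the demo only


def queue_reset_email(email, token):
    """Hypothetical mail-queue hook: record what would be sent."""
    OUTBOX.append((email, token))


def reset_leaky(email, users=USERS):
    """Vulnerable: both the status code and the wording reveal whether the
    address is registered, which is exactly what the check above hunts for."""
    if email in users:
        token = secrets.token_urlsafe(32)
        queue_reset_email(email, token)
        return 200, "A reset link has been sent to your address."
    return 404, "No account exists for that email address."


def reset_uniform(email, users=USERS):
    """Hardened: identical status and message either way. The token is generated
    unconditionally so the two paths do similar work, and the only difference
    (whether mail is queued) is not visible to the requester."""
    token = secrets.token_urlsafe(32)
    if email in users:
        queue_reset_email(email, token)
    return 200, "If that address is registered, a reset link has been sent."


def responses_differ(handler, valid_email, invalid_email):
    """The audit check from the notes: submit a known-good and a known-bad
    address and compare what comes back. True means the form enumerates users."""
    return handler(valid_email) != handler(invalid_email)


if __name__ == "__main__":
    for h in (reset_leaky, reset_uniform):
        print(h.__name__, "enumerates users:",
              responses_differ(h, "alice@example.test", "nobody@example.test"))
```

When comparing, look at the status code and any redirect as well as the text; response time and rate limiting are separate channels that this check does not cover.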

A tracking pixel sent by email can determine their public IP address.


Kali Linux will tell you SSH is started, it LIES
sudo service ssh start
ip address (Linux) or ipconfig /all (Windows)
DHCP will give you a DNS server; it may also be a domain controller, let's verify:
nmap --script=ldap* IP-Address-Of-DNS-Server
This should return a bunch of info; if it includes a DN, this is a domain controller:

| ldap-rootdse:
| LDAP Results
| domainFunctionality: 6
| forestFunctionality: 6
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=my,DC=domain,DC=com

nmap --script=smb2-security-mode IP-Address (or a range of IP addresses)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
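Added example (my code, not from the notes or from Nmap): a small triage script that reads nmap's normal output for the two NSE scripts above and turns them into findings, i.e. "this host is a domain controller" from ldap-rootdse and "SMB signing not required" from smb2-security-mode. The SAMPLE_NMAP_OUTPUT text is constructed, modelled on the snippets in the notes, with made-up 10.0.0.x addresses.

```python
import re

# Constructed nmap "normal" output, modelled on the snippets in the notes above.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host script results:
| ldap-rootdse:
| LDAP Results
|   domainFunctionality: 6
|   forestFunctionality: 6
|   domainControllerFunctionality: 7
|   rootDomainNamingContext: DC=my,DC=domain,DC=com
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.9
Host script results:
| smb2-security-mode:
|   3.11:
|_    Message signing enabled and required
"""


def split_hosts(text):
    """Yield (ip, block) for each 'Nmap scan report for' section."""
    parts = re.split(r"^Nmap scan report for (\S+).*$", text, flags=re.M)
    # re.split yields ['', ip1, body1, ip2, body2, ...]
    for i in range(1, len(parts), 2):
        yield parts[i], parts[i + 1]


def script_sections(block):
    """Map NSE script id -> its output lines with the '| ' / '|_ ' prefix stripped.
    A top-level script header is '| <id>:' with exactly one space after the bar;
    nested keys such as '|   2.02:' are indented further and stay in the body."""
    sections, current = {}, None
    for line in block.splitlines():
        if not line.startswith("|"):
            continue
        m = re.match(r"^\|_?\s(\S+):\s*$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line.lstrip("|_").strip())
    return sections


def dn_to_domain(dn):
    """'DC=my,DC=domain,DC=com' -> 'my.domain.com'."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p.split("=", 1)[1] for p in parts if p.upper().startswith("DC="))


def triage(text):
    """Return a list of (ip, finding, detail) tuples worth putting in the report."""
    findings = []
    for ip, block in split_hosts(text):
        sections = script_sections(block)
        for line in sections.get("ldap-rootdse", []):
            key, _, value = line.partition(":")
            if key.strip() == "rootDomainNamingContext" and "DC=" in value:
                findings.append((ip, "domain-controller", dn_to_domain(value)))
        for line in sections.get("smb2-security-mode", []):
            low = line.lower()
            if low.startswith("message signing"):
                if "not required" in low:
                    findings.append((ip, "smb-signing-not-required", line))
                elif "disabled" in low:
                    findings.append((ip, "smb-signing-disabled", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_OUTPUT):
        print(*f)
```

"Message signing enabled but not required" is the finding to flag: on domain controllers it should be "enabled and required", and the fix is the "Microsoft network server: Digitally sign communications (always)" policy on the server side. Feed the script the saved normal output (nmap -oN) rather than grepping by hand once the range is more than a handful of hosts.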

nmap --script=broadcast-wpad*

Nmap and 12 useful NSE scripts