How to Pentest

15th April 2021

Prep:

I like to break a pentest into a few categories:
Intruder scope: who is able to carry out this attack? The entire Internet (worst) / local area (think Wi-Fi) / targeted (a USB stick dropped in your parking lot, very narrow).
For a first audit I would focus on Internet scope and maybe put a little time into Wi-Fi.

What info can I get from their website? Phone number? HTTPS?
Are email addresses protected from web crawlers? Browse to https://websitename/robots.txt and investigate what it lists.
If documents are public, a tool like FOCA can read their metadata to retrieve email addresses and employee names.
Google the company. Find the CEO's name, Google search them, and look them up on LinkedIn.
https://www.seoptimer.com: enter the website name and note the items in the security section. It doesn't do a good job of finding email addresses.
In the technology section, look for platforms that are easy to compromise, e.g. WordPress, and Google search the platform name plus "vulnerability".
https://www.dnsinspect.com: look for red items, and look for an SPF record.
https://hunter.io: enter the website name and note which other websites the email addresses appear on.
mxtoolbox.com: do an A record search and note the hosting provider.
Look up the MX record to see who hosts their email, and check email health!
linkedin.com: search for names.
dnsdumpster.com: creates a nice visual map of the DNS tree.
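The SPF check above (dnsinspect, mxtoolbox "email health") comes down to reading the domain's TXT records. The following Python is an added example, not part of the original notes, that grades SPF posture from a set of TXT records; the domains and records in SAMPLE_TXT_RECORDS are constructed placeholders, and a real run would feed in the TXT records fetched from DNS for the target domain.

```python
import re

# Constructed sample TXT records for hypothetical domains (placeholders, not
# real lookups). A real check would fetch each domain's TXT records from DNS
# and pass them to assess_spf().
SAMPLE_TXT_RECORDS = {
    "good.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "soft.example": ["v=spf1 include:_spf.example.net ~all"],
    "open.example": ["v=spf1 +all"],
    "none.example": ["google-site-verification=constructed-placeholder"],
    "dup.example":  ["v=spf1 -all", "v=spf1 include:_spf.example.net ~all"],
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIER_GRADE = {"-": "strict", "~": "soft", "?": "neutral", "+": "open"}


def _mechanism(term):
    """Return the bare mechanism name of an SPF term, e.g. '+a:mail.x' -> 'a'."""
    t = term.lstrip("+-~?").lower()
    return re.split(r"[:/=]", t, maxsplit=1)[0]


def assess_spf(txt_records):
    """Grade a domain's SPF posture from its TXT records.

    Returns (grade, reasons) where grade is one of
    missing / invalid / open / neutral / soft / weak / redirect / strict.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing", ["no v=spf1 record: receivers cannot reject spoofed mail"]
    if len(spf) > 1:
        return "invalid", ["multiple v=spf1 records: receivers treat this as permerror"]

    terms = spf[0].split()[1:]
    reasons = []
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_TERMS)
    if lookups > 10:
        return "invalid", [f"{lookups} lookup mechanisms exceeds the limit of 10 (permerror)"]

    all_term = next((t for t in terms if _mechanism(t) == "all"), None)
    if all_term is None:
        if any(_mechanism(t) == "redirect" for t in terms):
            return "redirect", ["policy delegated via redirect=; assess the target domain"]
        return "weak", ["no 'all' mechanism: unlisted senders get a neutral result"]

    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    grade = QUALIFIER_GRADE[qualifier]
    if grade == "open":
        reasons.append("'+all' authorises every sender on the Internet")
    elif grade == "neutral":
        reasons.append("'?all' gives unlisted senders a neutral result, same as no policy")
    elif grade == "soft":
        reasons.append("'~all' only marks spoofed mail as suspicious; prefer '-all' once senders are known")
    return grade, reasons


def assess_all(records_by_domain):
    """Map each domain to its SPF grade."""
    return {d: assess_spf(r)[0] for d, r in records_by_domain.items()}


if __name__ == "__main__":
    for domain, recs in SAMPLE_TXT_RECORDS.items():
        grade, why = assess_spf(recs)
        print(f"{domain:14} {grade:8} {'; '.join(why)}")
```

Anything graded missing, open or neutral goes straight into the report: those domains can be spoofed in phishing mail sent to the client's own staff and customers. A soft grade is worth a recommendation to tighten to -all once the legitimate senders are enumerated; pair it with a DMARC check so receivers actually act on the result.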

https://lookup.icann.org/lookup: enter a domain name and find their DNS registrar.

https://securitytrails.com: requires creating an account, but has lots of information in one spot.

Put a mailinator.com email address into every reset-your-password box to see if the message differs for valid and invalid email addresses.
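What that mailinator test is looking for, shown from the application side: the Python below is an added example, not code from the original notes or from any real product, with a vulnerable reset handler beside a hardened one and a differential check that reproduces the test. The USERS store and the addresses are constructed placeholders.

```python
import secrets

# Constructed user store with placeholder addresses (not real accounts).
USERS = {"alice@example.com": {"id": 1}, "bob@example.com": {"id": 2}}


def reset_vulnerable(email):
    """Reset handler whose reply differs for registered and unknown addresses.

    Anyone feeding addresses into this box learns which ones are real
    accounts; this is exactly what the mailinator check detects.
    """
    if email in USERS:
        return {"status": 200, "body": "Password reset email sent."}
    return {"status": 404, "body": "No account exists for that email address."}


def reset_hardened(email, send_email):
    """Reset handler that answers identically whether or not the account exists.

    The token is generated and the message sent only for real accounts, but
    nothing about that decision reaches the HTTP response.
    """
    if email in USERS:
        token = secrets.token_urlsafe(32)  # single-use; a real app stores it hashed with an expiry
        send_email(email, token)
    return {"status": 200,
            "body": "If an account exists for that address, a reset link has been sent."}


def is_enumerable(handler, known="alice@example.com", unknown="nobody@mailinator.com"):
    """Differential check: does the reply reveal whether an address is registered?"""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    outbox = []
    print("vulnerable enumerable:", is_enumerable(reset_vulnerable))
    print("hardened enumerable:  ",
          is_enumerable(lambda e: reset_hardened(e, lambda addr, tok: outbox.append(addr))))
    print("mails actually sent:  ", outbox)
```

Body and status code are only two of the channels to compare: response time, cookies and redirect targets must match too, so in a real application the mail send is queued rather than done inline, and the endpoint is rate-limited per source so the box cannot be used as a bulk validity oracle even if a small difference remains.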

A tracking pixel sent by email can determine their public IP address.

Internal:

Kali Linux will tell you SSH is started; it LIES.
sudo service ssh start
ip address (Linux) or ipconfig /all (Windows)
DHCP will give you a DNS server, which may also be a domain controller; let's verify:
nmap --script='ldap*' IP-Address-Of-DNS-Server
This should return a bunch of info; if it includes a DN, this is a domain controller:

| ldap-rootdse:
| LDAP Results
|
| domainFunctionality: 6
| forestFunctionality: 6
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=my,DC=domain,DC=com
|

nmap --script=smb2-security-mode target.dns.name.or.IP (or a range of IP addresses)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required

nmap --script='broadcast-wpad*'
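Across a whole range the ldap-rootdse and smb2-security-mode output gets long, so it helps to parse it into findings. The Python below is an added example, not part of the original notes: it reads nmap's normal (-oN style) output for those two scripts and flags domain controllers and hosts where SMB signing is not required. SAMPLE_NMAP_OUTPUT is constructed; the hostnames and addresses are placeholders, not from any real scan.

```python
import re

# Constructed nmap normal-format (-oN style) output for two hypothetical hosts;
# hostnames and addresses are placeholders, not from any real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for dc01.my.domain.com (10.0.0.5)
Host is up (0.0010s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       domainFunctionality: 6
|       forestFunctionality: 6
|       domainControllerFunctionality: 7
|_      rootDomainNamingContext: DC=my,DC=domain,DC=com
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required

Nmap scan report for fs01.my.domain.com (10.0.0.7)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([^)]+)\))?$")


def parse_nmap(text):
    """Collect per-host facts from the ldap-rootdse and smb2-security-mode output."""
    findings, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(2) or m.group(1)  # IP when nmap prints "name (ip)", else the bare target
            findings[host] = {"hostname": m.group(1), "domain_controller": False,
                              "naming_context": None, "smb_signing_required": None}
            continue
        if host is None or not line.startswith("|"):
            continue  # only NSE script output lines are of interest
        body = line.lstrip("|_ ")
        if body.startswith("rootDomainNamingContext:"):
            findings[host]["domain_controller"] = True
            findings[host]["naming_context"] = body.split(":", 1)[1].strip()
        elif body.startswith("Message signing"):
            # "enabled and required" is the only safe state; "not required" or
            # "disabled" both mean clients may connect unsigned.
            findings[host]["smb_signing_required"] = (
                "not required" not in body and "disabled" not in body)
    return findings


def report(findings):
    """Turn parsed facts into the findings a first audit cares about."""
    issues = []
    for ip, f in findings.items():
        if f["domain_controller"]:
            issues.append((ip, f"domain controller for {f['naming_context']}: "
                               "verify it is not reachable from guest/Wi-Fi segments"))
        if f["smb_signing_required"] is False:
            issues.append((ip, "SMB signing not required: enforce "
                               "'Digitally sign communications (always)' via GPO"))
    return issues


if __name__ == "__main__":
    for ip, issue in report(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(f"{ip:12} {issue}")
```

Run the real scan with -oN scan.txt and pass the file contents to parse_nmap(). Hosts reported with signing not required are the ones to raise first: signing is the control that stops SMB traffic from being tampered with on the local segment, and it is enforced by default only on domain controllers.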

Nmap and 12 useful NSE scripts