Prep:<\/p>\n\n\n\n
I like to break a pentest into a few categories:
Intruder Scope: who is able to do this attack? Entire Internet (worst) \/ Local Area (think Wifi) \/ Targeted (USB stick dropped in your parking lot, very narrow)
For a first audit i would focus on Internet scope and maybe put a little time into Wifi.<\/p>\n\n\n\n
What info can I get from their website? phone #? HTTPS? https:\/\/lookup.icann.org\/lookup enter a domain name and find their DNS registrar<\/p>\n\n\n\n https:\/\/securitytrails.com requires creating an account but lots of information in 1 spot<\/p>\n\n\n\n put a mailinator.com email address into every reset-your-password box to see if the message is different for valid\/invalid email addresses.<\/p>\n\n\n\n tracing pixel send by email can determine their public ip address<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n Internal:<\/p>\n\n\n\n Kali Linux will tell you SSH is started, it LIES | ldap-rootdse: nmap –script=broadcast-wpad*<\/p>\n\n\n\n <\/p>\n\n\n\n
are Email addresses protected from webcrawlers? browse to Https:\/\/websitename\/robots.txt investigate
if documents are public, a tool like FOCA <\/a>can read the metadata to retrieve email addresses and employee names
Google search them. Find their CEO name. Google search them. Linked-in them.
https:\/\/www.seoptimer.com enter the website name, note item in the security section. doesn’t do a good job of finding email addresses.
in the technology section; look for platforms that are easy to compromise ie WordPress. google search the platforms + vulnerability
https:\/\/www.dnsinspect.com look for red items, look for an SPF record
https:\/\/hunter.io enter website name, note which other websites this email appears on
mxtoolbox.com<\/strong> a record search, note hosting provider
lookup MX record, who hosts their email, check email health<\/strong>!
linkedin.com search for names
dnsdumpster.com creates a nice visual map of DNS tree<\/p>\n\n\n\n
sudo service ssh start
ip address (linux) or ipconfig \/all (windows)
DHCP will give you a DNS server, may also be a domain controller, lets verify
nmap –script=ldap* IP-Addresss-Of-Dns-Server
this should return a bunch of info, if it includes a DN, this is a domain controller<\/p>\n\n\n\n
| LDAP Results
|
| domainFunctionality: 6
| forestFunctionality: 6
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=my,DC=domain,DC=com
|<\/p>\n\n\n\n
nmap –script=smb2-security-mode target.dns.name.or.IP (or a range of ip addresses)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required<\/span><\/strong><\/p>\n\n\n\nNmap and 12 useful NSE scripts<\/a><\/blockquote>