Hackzzz - The Notebook
External Pentesting

Last updated 1 year ago

ROE (Rules of Engagement)

  • This document should be signed, and a copy of it kept on file.

Verify Scope

  1. Scan the in-scope IPs and verify they belong to the client, so that we are not attacking another company.

  2. Enumerate subdomains (amass, assetfinder, DNSRecon, Subfinder).

Use Google Dorking:

  • site:domain.com -www

  • site:domain.com

  • site:*.domain.com

Vulnerability Scan

The first thing to do before starting the main part of the engagement.

  • OpenVAS

  • Nessus

External OSINT

Breach Creds

Identifying Emails & Employees

  • Research the company's email naming convention (e.g. firstname.lastname).

  • Scrape the company's LinkedIn with tools and combine the employee names with the naming convention to build a list of addresses.

Enumerating valid accounts

  • Check the login form and password reset forms for user enumeration.

Attacking

Attacking Login Portals

  • Password Strategy: currentSeason + currentYear + SpecialChar + location + address + companyname

OWA (Outlook Web Access)

  • Password Spray

  • msf: auxiliary/scanner/http/owa_login

  • Check the OWA Version

Other Portals

  • Burpsuite Intruder

  • FFuF

  • Wfuzz

Bypassing MFA

  • ike-scan

Escalating Privileges

  • In Office, for instance, we can look for other accounts.

  • If portal.azure.com is reachable, look for other accounts there.

  • Password spray with the passwords found so far.

Common Findings

Insufficient Auth Controls

  • Bypass MFA

  • No MFA

Weak Password Policy

  • Recommend following published guidelines (NIST, OWASP).

Insufficient Patching

  • Unpatched software or services that need an update.

Default Credentials

  • SecLists

  • CIRT.net default password list

Insufficient Encryption

  • Weak ciphers

  • Test the SSL Certificate
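
An added example (not part of the original notes) of how to score what a server negotiates for the "Insufficient Encryption" finding: it handshakes with Python's default context, then flags deprecated protocol versions, weak cipher names and an expired or soon-expiring certificate. The thresholds and marker lists are assumptions for this example.

```python
import ssl
import socket
import time

# Assumed thresholds for this example, based on common hardening guidance.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")
EXPIRY_WARN_DAYS = 30


def assess(protocol, cipher, not_after, now=None):
    """Score one observed TLS session and return a list of finding strings.

    protocol/cipher are as returned by SSLSocket.version() and cipher()[0];
    not_after is the certificate's notAfter string ('Jan  1 00:00:00 2024 GMT');
    now is a Unix timestamp (defaults to the current time).
    """
    now = time.time() if now is None else now
    findings = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol negotiated: {protocol}")
    if any(m.lower() in cipher.lower() for m in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher negotiated: {cipher}")
    # ssl.cert_time_to_seconds parses the notAfter format the ssl module emits.
    days_left = int(ssl.cert_time_to_seconds(not_after) - now) // 86400
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def probe(host, port=443, timeout=5):
    """Handshake with the default (hardened) context; return what was negotiated.

    A handshake failure here is itself a finding: the server offers nothing the
    default context accepts. This scores only the one session that was negotiated;
    enumerating every cipher a server supports needs a dedicated scanner.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    proto, ciph, exp = probe(host)
    print(host, proto, ciph, exp, assess(proto, ciph, exp) or "no findings")
```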

Information Disclosure

  • Verbose error messages

  • Verbose stack trace

  • mDNS

  • Server version, languages, response headers, etc.

Username Enum

  • Broken authentication findings such as a login error that says "Invalid Username".

Default Pages

  • Apache default pages

  • IIS default page

IKE Aggressive Mode

  • ike-scan

Unexpected Open Ports

  • RDP

  • Telnet

Insufficient Traffic Blocking

  • Geo-blocking not in place

  • Geo-blocking limits the attack surface

  • Whether it applies depends on where the client's customers are located

Undetected Malicious Activity

  • Brute-Force Attacks

  • Nmap

  • Nessus

  • Web enumeration

Historically Compromised Accounts

  • Have I been Pwned

Tools and links

  • Nessus - https://www.tenable.com/products/nessus

  • breach-parse - https://github.com/hmaverickadams/breach-parse

  • Dehashed - https://dehashed.com/

  • Have I Been Pwned - https://haveibeenpwned.com/

  • Phonebook.cz - https://phonebook.cz/

  • LinkedIn2Username - https://github.com/initstring/linkedin2username

  • LinkedInt - https://github.com/vysecurity/LinkedInt

  • CredMaster - https://github.com/knavesec/CredMaster

  • TrevorSpray - https://github.com/blacklanternsecurity/TREVORspray