# Pentesting Methodology ## Pentesting Methodology ## Pentesting Methodology ![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Pentesting%20Methodology/Untitled) **0- Physical Attacks** Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](https://book.hacktricks.xyz/hardware-physical-access/physical-attacks) and others about [**escaping from GUI applications**](https://book.hacktricks.xyz/hardware-physical-access/escaping-from-gui-applications). **1 -** [**Discovering hosts inside the network**](https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network#discovering-hosts) **/** [**Discovering Assets of the company**](https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology) **Depending** if the **test** you are perform is an **internal or external test** you may be interested on finding **hosts inside the company network** (internal test) or **finding assets of the company on the internet** (external test). Note that if you are performing an external test, once you manage to obtain access to the internal network of the company you should re-start this guide. **2-** [**Having Fun with the network**](https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network) **(Internal)** **This section only applies if you are performing an internal test.** Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network#sniffing). **3-** [**Port Scan - Service discovery**](https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network#scanning-hosts) The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the [**basic tools to scan ports of hosts**](https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network#scanning-hosts). **4-** [**Searching service version exploits**](https://book.hacktricks.xyz/generic-methodologies-and-resources/search-exploits) Once you know which services are running, and maybe their version, you have to **search for known vulnerabilities**. Maybe you get lucky and there is a exploit to give you a shell... **5-** **Pentesting Services** If there isn't any fancy exploit for any running service, you should look for **common misconfigurations in each service running.** **Inside this book you will find a guide to pentest the most common services** (and others that aren't so common)**. Please, search in the left index the** ***PENTESTING*** **section** (the services are ordered by their default ports). **I want to make a special mention of the** [**Pentesting Web**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web) **part (as it is the most extensive one).** Also, a small guide on how to [**find known vulnerabilities in software**](https://book.hacktricks.xyz/generic-methodologies-and-resources/search-exploits) can be found here. **If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**, you could start by **connecting to the service, fuzzing it and reading the responses** (if any). **5.1 Automatic Tools** There are also several tools that can perform **automatic vulnerabilities assessments**. **I would recommend you to try** [**Legion**](https://github.com/carlospolop/legion)**, which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.** **5.2 Brute-Forcing services** In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force)**.** **6-** [**Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology): **7-** [**Getting Shell**](https://book.hacktricks.xyz/generic-methodologies-and-resources/shells) Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](https://book.hacktricks.xyz/generic-methodologies-and-resources/shells). Specially in Windows you could need some help to **avoid antiviruses**: [**Check this page**](https://book.hacktricks.xyz/windows-hardening/av-bypass)**.**\\ **8- Inside** If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters: [**Linux**](https://book.hacktricks.xyz/linux-hardening/useful-linux-commands) [**Windows (CMD)**](https://book.hacktricks.xyz/windows-hardening/basic-cmd-for-pentesters) [**Winodows (PS)**](https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters) **9 -** [**Exfiltration**](https://book.hacktricks.xyz/generic-methodologies-and-resources/exfiltration) You will probably need to **extract some data from the victim** or even **introduce something** (like privilege escalation scripts). **Here you have a** [**post about common tools that you can use with these purposes**](https://book.hacktricks.xyz/generic-methodologies-and-resources/exfiltration)**.** **10- Privilege Escalation** **10.1- Local Privesc** If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.** Here you can find a **guide to escalate privileges locally in** [**Linux**](https://book.hacktricks.xyz/linux-hardening/privilege-escalation) **and in** [**Windows**](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**.** You should also check this pages about how does **Windows work**: [**Authentication, Credentials, Token privileges and UAC**](https://book.hacktricks.xyz/windows-hardening/authentication-credentials-uac-and-efs) How does [**NTLM works**](https://book.hacktricks.xyz/windows-hardening/ntlm) How to [**steal credentials**](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Pentesting%20Methodology/README/README.md) in Windows Some tricks about [***Active Directory***](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology) **Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) **10.2- Domain Privesc** Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment. **11 - POST** **11.1 - Looting** Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**. Find here different ways to [**dump passwords in Windows**](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Pentesting%20Methodology/README/README.md). **11.2 - Persistence** **Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.Here you can find some** [**persistence tricks on active directory**](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology#persistence)**.** TODO: Complete persistence Post in Windows & Linux **12 - Pivoting** With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** (start the Pentesting Methodology again) inside new networks where your victim is connected. In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding). You definitely should also check the post about [Active Directory pentesting Methodology](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology). There you will find cool tricks to move laterally, escalate privileges and dump credentials. Check also the page about [**NTLM**](https://book.hacktricks.xyz/windows-hardening/ntlm), it could be very useful to pivot on Windows environments.. **MORE** [**Android Applications**](https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting) **Exploiting** [**Basic Linux Exploiting**](https://book.hacktricks.xyz/reversing-and-exploiting/linux-exploiting-basic-esp) [**Basic Windows Exploiting**](https://book.hacktricks.xyz/reversing-and-exploiting/windows-exploiting-basic-guide-oscp-lvl) [**Basic exploiting tools**](https://book.hacktricks.xyz/reversing-and-exploiting/tools) [**Basic Python**](https://book.hacktricks.xyz/generic-methodologies-and-resources/python) **Crypto tricks** [**ECB**](https://book.hacktricks.xyz/crypto-and-stego/electronic-code-book-ecb) [**CBC-MAC**](https://book.hacktricks.xyz/crypto-and-stego/cipher-block-chaining-cbc-mac-priv) [**Padding Oracle**](https://book.hacktricks.xyz/crypto-and-stego/padding-oracle-priv)