Physical attacks
Mobile Apps Pentesting

Pentesting Methodology

This is the main page. Here you can find the typical workflow for the pentesting of a machine

Do you have physical access to the machine that you want to attack? You should read some tricks that can be very useful.

Before attacking a host maybe you prefer to steal some credentials from the network or sniff some data to learn passively/actively(MitM) what can you find inside the network. You can read Pentesting Network.

The first thing to do when looking for vulnerabilities in a host is to know which services are running in which ports. Let's see the basic tools to scan ports of hosts.

Once you know which services are running, and maybe their version, you have to search for known vulnerabilities. Maybe you get lucky and there is a exploit to give you a shell...

5- Pentesting Services

If there isn't any fancy exploit for any running service, you should look for common misconfigurations in each service running.

Inside this book you will find a guide to pentest the most common services. Please, search in the index (the services are ordered by their default ports).

I want to make a special mention of the Pentesting Web part (as it is the most extensive one).

If your service is not inside the index, search in Google for other tutorials and let me know if you want me to add it. If you can't find anything in Google, perform your own blind pentesting, you could start by connecting to the service, fuzzing it and reading the responses (if any).

5.1 Automatic Tools

There are also several tools that can perform automatic vulnerabilities assessments. You can find tutorials for some of them here. I would recommend you to try Legion, which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.

Somehow you should have found some way to execute code in the victim. Then, a list of possible tools inside the system that you can use to get a reverse shell would be very useful.

Specially in Windows you could need some help to avoid antiviruses: Check this page.

7- Shell Access

If you have troubles with the shell, you can find here a small compilation of the most useful commands for pentesters:

You will probably need to extract some data from the victim or even introduce something (like privilege escalation scripts). Here you have a post about common tools that you can use with this purposes.

9- Privilege Escalation

If you are not root/Administrator inside the box, you should find a way to escalate privileges.

Here you can find a guide to escalate privileges locally in Linux and in Windows.

You should also check this pages about how does Windows work:

Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths: Suite PEAS

10 - POST

10.1 - Looting

Check if you can find more passwords inside the host or if you have access to other machines with the privileges of your user.

10.2 - Persistence

Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.

TODO: Persistence Post

11 - Pivoting

With the gathered credentials you could have access to other machines, or maybe you need to discover and scan new hosts (start the pentesting methodology again) inside new networks where your victim is connected. Check this guide with common tools that you can use to pivot between network.

You should also check the page about NTLM, Active Directory and Kerberos pentesting.



Crypto tricks