Pentesting Methodology

External Recon Methodology

About the author

Tunneling and Port Forwarding

Brute Force - CheatSheet

Search Exploits

Shells

Shells (Linux, Windows, MSFVenom)

Linux/Unix

Checklist - Linux Privilege Escalation

Linux Privilege Escalation

Useful Linux Commands

Linux Environment Variables

Windows

Checklist - Local Windows Privilege Escalation

Windows Local Privilege Escalation

DPAPI - Extracting Passwords

SeImpersonate from High To System

ACLs - DACLs/SACLs/ACEs

From High Integrity to SYSTEM with Name Pipes

Integrity Levels

Leaked Handle Exploitation

Named Pipe Client Impersonation

Privilege Escalation Abusing Tokens

Privilege Escalation with Autoruns

SeDebug + SeImpersonate copy token

Windows C Payloads

Active Directory Methodology

Stealing Credentials

Authentication, Credentials, UAC and EFS

Basic CMD for Pentesters

Basic PowerShell for Pentesters

Mobile Apps Pentesting

Android APK Checklist

Android Applications Pentesting

Pentesting

Pentesting Network

Pentesting JDWP - Java Debug Wire Protocol

Pentesting Printers

7/tcp/udp - Pentesting Echo

21 - Pentesting FTP

22 - Pentesting SSH/SFTP

23 - Pentesting Telnet

25,465,587 - Pentesting SMTP/s

43 - Pentesting WHOIS

53 - Pentesting DNS

69/UDP TFTP/Bittorrent-tracker

79 - Pentesting Finger

80,443 - Pentesting Web Methodology

88tcp/udp - Pentesting Kerberos

110,995 - Pentesting POP

111/TCP/UDP - Pentesting Portmapper

113 - Pentesting Ident

123/udp - Pentesting NTP

135, 593 - Pentesting MSRPC

137,138,139 - Pentesting NetBios

139,445 - Pentesting SMB

143,993 - Pentesting IMAP

161,162,10161,10162/udp - Pentesting SNMP

194,6667,6660-7000 - Pentesting IRC

264 - Pentesting Check Point FireWall-1

389, 636, 3268, 3269 - Pentesting LDAP

500/udp - Pentesting IPsec/IKE VPN

502 - Pentesting Modbus

512 - Pentesting Rexec

513 - Pentesting Rlogin

514 - Pentesting Rsh

515 - Pentesting Line Printer Daemon (LPD)

548 - Pentesting Apple Filing Protocol (AFP)

554,8554 - Pentesting RTSP

623/UDP/TCP - IPMI

631 - Internet Printing Protocol(IPP)

873 - Pentesting Rsync

1026 - Pentesting Rusersd

1098/1099 - Pentesting Java RMI

1433 - Pentesting MSSQL - Microsoft SQL Server

1521,1522-1529 - Pentesting Oracle TNS Listener

1723 - Pentesting PPTP

1883 - Pentesting MQTT (Mosquitto)

2049 - Pentesting NFS Service

2301,2381 - Pentesting Compaq/HP Insight Manager

3260 - Pentesting ISCSI

3299 - Pentesting SAPRouter

3306 - Pentesting Mysql

3389 - Pentesting RDP

3632 - Pentesting distcc

4369 - Pentesting Erlang Port Mapper Daemon (epmd)

5353/UDP Multicast DNS (mDNS)

5432,5433 - Pentesting Postgresql

5671,5672 - Pentesting AMQP

5800,5801,5900,5901 - Pentesting VNC

5984,6984 - Pentesting CouchDB

5985,5986 - Pentesting WinRM

6000 - Pentesting X11

6379 - Pentesting Redis

8009 - Pentesting Apache JServ Protocol (AJP)

9042/9160 - Pentesting Cassandra

9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)

9200 - Pentesting Elasticsearch

10000 - Pentesting Network Data Management Protocol (ndmp)

11211 - Pentesting Memcache

15672 - Pentesting RabbitMQ Management

27017,27018 - Pentesting MongoDB

44818/UDP/TCP - Pentesting EthernetIP

47808/udp - Pentesting BACNet

50030,50060,50070,50075,50090 - Pentesting Hadoop

Pentesting Web

Abusing hop-by-hop headers

Bypass Payment Process

Cache Poisoning and Cache Deception

Client Side Template Injection (CSTI)

Command Injection

Content Security Policy (CSP) Bypass

Cookies Hacking

CORS - Misconfigurations & Bypass

CRLF (%0D%0A) Injection

Cross-site WebSocket hijacking (CSWSH)

CSRF (Cross Site Request Forgery)

Dangling Markup - HTML scriptless injection

Deserialization

Email Header Injection

File Inclusion/Path traversal

HTTP Request Smuggling / HTTP Desync Attack

JWT Vulnerabilities (Json Web Tokens)

NoSQL injection

OAuth to Account takeover

Parameter Pollution

Rate Limit Bypass

SSRF (Server Side Request Forgery)

SSTI (Server Side Template Injection)

Domain/Subdomain takeover

Unicode Normalization vulnerability

Web Tool - WFuzz

XPATH injection

XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)

XXE - XEE - XML External Entity

XSS (Cross Site Scripting)

XSSI (Cross-Site Script Inclusion)

Physical attacks

Physical Attacks

Escaping from KIOSKs

Exploiting

Linux Exploiting (Basic) (SPA)

Exploiting Tools

Windows Exploiting (Basic Guide - OSCP lvl)

Forensics

Malware Analysis

Memory dump analysis

Volatility - Examples

Basic Forensics (ESP)

Crypto

Electronic Code Book (ECB)

Cipher Block Chaining CBC-MAC

RC4 - Encrypt&Decrypt

Crypto CTFs Tricks

BACKDOORS

Stego

Esoteric languages

MISC

Other Big References

TODO

Other Web Tricks

Interesting HTTP

Emails Vulnerabilities

Cloud security review

Android Forensics

6881/udp - Pentesting BitTorrent

1911 - Pentesting fox

Online Platforms with API

Phising Documents

Reset/Forgoten Password Bypass

Stealing Sensitive Information Disclosure from a Web

Powered by GitBook

JAWS

​
Start
iex(New-Object net.WebClient).downloadstring("https://raw.githubusercontent.com/411Hall/JAWS
/master/jaws-enum.ps1")
Info recopilation
It does not only check for privilege escalation missconfiguration, but it also gathers information about the current situation.
Users & groups
Network (interfaces, arp, ports, firewall (lot of output), hosts)
Processes
Scheduled Tasks (lot of output)
Services (lot of output)
Installed Software, Program folders
Patches
Drives
Last modified files
Checks
Files and folders with Full Control
Unquoted Service Paths
Potentially interesting files
System files with password
Stored credentials

Integrity Levels

Last updated 7 months ago

Contents

Info recopilation