Penetrating Testing/Assessment Workflow & other fun infosec stuff
https://github.com/jivoi/pentest
My feeble attempt to organize (in a somewhat logical fashion) the vast amount of information, tools, resources, tip and tricks surrounding penetration testing, vulnerability assessment, and information security as a whole*
- Reconnaissance
- Passive/Semi-Passive
- Tools
- Discover - https://github.com/leebaird/discover
- Third Party Resources
- Locate Target Range
- ARIN - https://www.arin.net/
- Fingerprint Domain/Website
- Extended Network Information
- Central Ops - https://centralops.net/co/DomainDossier.aspx
- Robtex - https://www.robtex.net/
- Metasploit Scanning
- auxiliary/scanner/*
- portscan/tcp
- http/http_version
- http/tomcat_enum
- http/trace_axd
- Google - site: filetype:axd OR inurl:trace.axd
- auxiliary/scanner/*
- Shodan - https://www.shodan.io/
- Censys - https://www.censys.io/
- Zoomeye - https://www.zoomeye.org
- Netcraft - https://www.netcraft.com/
- DNS Enumeration/Information
- DNSdumpster - https://dnsdumpster.com/
- Subli3ster - https://github.com/aboul3la/Sublist3r
- Extended Network Information
- Social Media
- Locate Target Range
- Command Line Recon
- Network Information
- nslookup
- dig
- Security Mechanisms
- Halberd - Identify HTTP load balancers
- Metadata
- exiftool
- strings
- strings -e b (big endian) OR -e l (little endian)
- Just-Metadata
- Network Information
- People Search
- Yahoo People Search - http://itools.com/tool/yahoo-people-search
- Switchboard - http://www.switchboard.com/person
- Google Finance - https://www.google.com/finance
- Zaba - http://www.zabasearch.com/
- Tools
- Active
- Command Line Recon Tools
- General Recon
- Recon-NG - https://bitbucket.org/LaNMaSteR53/recon-ng
- Automated with https://github.com/jhaddix/domain
- Domain/Subdomain Enumeration/Information
- Fierce - https://github.com/mschwager/fierce
- Subli3ster - https://github.com/aboul3la/Sublist3r
- EyeWitness - https://github.com/ChrisTruncer/EyeWitness
- Altdns - https://github.com/infosec-au/altdns
- Brute force subdomain list - https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/sorted_knock_dnsrecon_fierce_recon-ng.txt
- Recon-NG - https://bitbucket.org/LaNMaSteR53/recon-ng
- Nmap
- nmap -Pn -sSU -sV --top-ports 20
- Create Custom Worldlist
- Tools
- WPS (Wi-Fi) Information Gathering
- Viper - Automating Various Pentesting Tasks
- pyFOCA - Python version of FOCA
- truffleHog - https://github.com/dxa4481/truffleHog
- Discover - https://github.com/leebaird/discover
- General Recon
- GUI
- FOCA - https://www.elevenpaths.com/labstools/foca/index.html
- EvilFOCA - https://github.com/ElevenPaths/EvilFOCA
- Maltego - http://sectools.org/tool/maltego/
- Dirbuster - http://sectools.org/tool/dirbuster/
- FOCA - https://www.elevenpaths.com/labstools/foca/index.html
- Command Line Recon Tools
- Google Searching
- site:"target name" jobs,careers,openings,etc
- intitle:"index of "
- Keyword
- .bash_history
- etc/shadow
- finances.xls(x)
- htpasswd
- inurl:maillog
- Keyword
- site:.edu filetype:.bak OR
- Keyword
- *.conf
- *.backup
- Keyword
- Phishing
- Important: Immediately pivot from initial host
- Frameworks
- Gophish - https://github.com/gophish/gophish
- Phishing Frenzy - https://www.phishingfrenzy.com/
- King Phisher - https://github.com/securestate/king-phisher
- FiercePhish - https://github.com/Raikia/FiercePhish
- Empire - https://enigma0x3.net/2016/03/15/phishing-with-empire/
- Initial Access Techniques
- Malicious Office XLS macros
- Tools for Internal Use
- Basic AUTH credential harvesting - https://github.com/ryhanson/phishery
- Passive/Semi-Passive
- Enumeration
- Internal
- Scanning
- Map Internal Network
- Command Line Tools
- arp -a
- ip neigh show
- smbtree -NS 2>/dev/null
- nbtscan -r <current_IPrange>
- netdiscover -r <current_IPrange>
- nmap -n -Pn -T5 -sS <current_IPrange>
- nmap NSE scripts
- NFS
- SMB
- nmap NSE scripts
- SMB
- Find Routers - https://github.com/pentestmonkey/gateway-finder
- Command Line Tools
- Map Internal Network
- Pivoting
- SSH Proxy Tunneling with Proxychain
- Scanning
- External
- Scanning
- Nmap
- Masscan - https://github.com/robertdavidgraham/masscan
- Unicornscan - http://sectools.org/tool/unicornscan/
- OneTwoPunch
- Combines nmap and unicorn scan https://github.com/superkojiman/onetwopunch/blob/master/onetwopunch.sh
- Scanning
- Internal
- Exploitation
- External
- Attack Windows
- Attack Linux
- Attack Web Applications
- Full Attack Frameworks
- Offensive Web Testing Framework - https://owtf.github.io/
- Web2attack - https://github.com/santatic/web2attack
- EaST - Exploits And Security Tool Framework
- Attack WAF
- WAFNinja - https://github.com/khalilbijjou/WAFNinja
- My Guide: http://pastebin.com/bUrGCYxE
- Steal HTTP/S Session Cookies
- XSS Scanner
- xsscrapy - https://github.com/DanMcInerney/xsscrapy
- XSS/Bypass Techniques
- Beat XSS Filters
- XSS Cheatsheet
- WAF Bypass
- Attack BASIC Auth
- Burp - http://www.smeegesec.com/2012/02/attacking-basic-authentication-with.html
- Ncrack (supports multiple protocols) - https://nmap.org/ncrack/
- Methodologies - https://blog.zsec.uk/ltr101-methodologies/
- Full Attack Frameworks
- Attack OWA/Exchange
- Malicious Outlook Rules - https://silentbreaksecurity.com/malicious-outlook-rules/
- Ruler - Abuse Exchange services - https://github.com/sensepost/ruler
- MailSniper - Search users mailbox - http://www.blackhillsinfosec.com/?p=5296
- Web Vulnerability Scanners
- Burp - https://portswigger.net/burp/
- Author's Guide: http://pastebin.com/nNHYP9Jd
- Wapiti http://wapiti.sourceforge.net/
- w3af - http://w3af.org/
- Nikto -https://cirt.net/Nikto2
- Burp - https://portswigger.net/burp/
- Command Line Tools
- Wireless Exploitation
- AirVentriloquest - Aircrack patch for WPA/2 packet injection
- Fluxion - MiTM WPA/2 Networks
- Internal
- LAN Attacks
- Attack Windows
- Attack Active Directory
- Blood Hound - https://github.com/adaptivethreat/BloodHound
- CrackMapExec - https://github.com/byt3bl33d3r/CrackMapExec
- EmPyre - http://www.rvrsh3ll.net/blog/empyre/empyre-engaging-active-directory/
- Red Teaming AD (PDF)
- Attack SQL Server
- PowerUpSQL - https://github.com/NetSPI/PowerUpSQL
- Python
- Command Line (Python Interpreter)
- Scapy advanced network attacks
- Local Python Server
- Serve Shells/Exploits
- Python -M SimpleHTTPServer
- Serve Shells/Exploits
- Python TTY Reverse Shell IPv6
- Metasploit In-Memory Python Interpreter
- Command Line (Python Interpreter)
- Attack Tools
- Responder - https://github.com/SpiderLabs/Responder
- Impacket - https://github.com/CoreSecurity/impacket
- SMBExec - https://github.com/pentestgeek/smbexec
- SMBSpider - https://github.com/altjx/ipwn#user-content-smbspider
- Basic AUTH credential harvesting - https://github.com/ryhanson/phishery
- WCE - http://www.ampliasecurity.com/research/windows-credentials-editor/
- Metasploit In-Memory Python Interpreter
- Packet Crafting
- Powershell
- PsExec
- Attack Active Directory
- Privilege Escalation
- Windows
- NTLM Relay/NBNS Spoofing - https://foxglovesecurity.com/2016/01/16/hot-potato/
- Linux/Unix
- Various exploits - https://github.com/FuzzySecurity/Unix-PrivEsc
- LinEnum- https://github.com/rebootuser/LinEnum
- Unix-privesc-check - http://pentestmonkey.net/tools/audit/unix-privesc-check
- Priv Esc/Enumeration - https://www.rebootuser.com/?p=1623
- Linux_Exploit_Suggester - https://github.com/PenturaLabs/Linux_Exploit_Suggester
- Windows
- Attack Windows
- Bypass AV/IDS/App Whitelisting/UAC
- Egressing Bluecoat with CobaltStrike
- Beaconpire
- Bypass App Whitelisting
- "Fileless" UAC Bypass
- Download/Execute Code via Command Line
- Reverse Shells
- Attack Routers
- Router Exploitation Framework - https://github.com/reverse-shell/routersploit
- Using Burp - https://www.cybrary.it/0p3n/pentesting-routers-1-dictionary-attack-burp-suite/
- LAN Attacks
- Find Exploits
- Web
- Exploit-db - https://www.exploit-db.com/
- From command line: https://www.exploit-db.com/searchsploit/
- Packet Storm - https://packetstormsecurity.com/files/tags/exploit
- SecurityFocus - http://www.securityfocus.com/bid
- EaST Framework Exploits - http://eastexploits.com/
- SecList - http://seclist.us/category/exploits
- Exploit-db - https://www.exploit-db.com/
- NMap
- Scan systems with NMap, parse output to: CVE's, CWE's and DPE's
- Import, manage, and search with a local MongoDB instance
- Web
- External
- Post-Exploitation
- Attack Linux
- Command Line Password Sniffing
- Tcpdump
- https://neverendingsecurity.wordpress.com/2015/03/14/tcpdump-tutorial-sniffing-and-analysing-packets-from-the-commandline/
- tcpdump -i eth0 port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep –i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=||name=|name:|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-
- Ngrep
- ngrep -q -W byline "GET|POST HTTP"
- Dsniff - https://github.com/tecknicaltom/dsniff
- Netsh Trace (Windows only) - https://isc.sans.edu/diary/19409
- Network Authentication Cracking Tool - https://nmap.org/ncrack/
- Tcpdump
- Command Line Password Sniffing
- Attack Windows
- Stealing/Cracking Passwords/Hashes
- Steal
- WCE -http://www.ampliasecurity.com/research/windows-credentials-editor/
- Extract Hashes from AD - https://blog.didierstevens.com/2016/07/13/
- Network Authentication Cracking Tool - https://nmap.org/ncrack/
- pysecdump - https://github.com/pentestmonkey/pysecdump
- Windows Creds - https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
- Network Password Recovery - http://www.nirsoft.net/utils/network_password_recovery.html
- Crack
- Windows Password Audit - https://blog.joelj.org/windows-password-audit-with-kali-linux/
- pysecdump - https://blog.didierstevens.com/2016/07/30/video-ntds-dit-extract-hashes-with-secretsdump-py/
- Hashcat - https://samsclass.info/123/proj10/px16-hashcat-win.htm
- Network Authentication Cracking Tool - https://nmap.org/ncrack/
- Steal
- Stealing/Cracking Passwords/Hashes
- Attack Mac
- Attack Specific Software/Tools
- Password/Hash Cracking
- Wordlists
- Password/Hash Cracking
- Guides
- Build Cracking Rig
- Cracking 12 Character Passwords
- Tools
- PACK (crack/obtain stats/) - https://thesprawl.org/projects/pack/
- Hashcat - https://hashcat.net/hashcat/
- Windows Password Audit - https://blog.joelj.org/windows-password-audit-with-kali-linux/
- pysecdump - https://blog.didierstevens.com/2016/07/30/video-ntds-dit-extract-hashes-with-secretsdump-py/
- GPU Cracking
- Web Services
- CrackStation - https://crackstation.net/
- HashKiller - https://forum.hashkiller.co.uk/default.aspx
- Guides
- Attack Frameworks/Tools
- PowerSploit - https://github.com/PowerShellMafia/PowerSploit
- Empire - http://www.powershellempire.com/
- Armitage - http://www.fastandeasyhacking.com/manual
- Pwnd(dot)sh - https://github.com/SafeBreach-Labs/pwndsh
- CrackMapExec
- Privilege Escalation - Excellent Wiki - http://pwnwiki.io/#!index.md
- Windows
- Wiki - http://pwnwiki.io/#!privesc/windows/index.md
- SMB
- Relay Attacks/Spoofing
- RDP
- Various techniques/commands
- Linux/Unix
- Various exploits - https://github.com/FuzzySecurity/Unix-PrivEsc
- Wiki - http://pwnwiki.io/#!privesc/linux/index.md
- LinEnum- https://github.com/rebootuser/LinEnum
- Unix-privesc-check - http://pentestmonkey.net/tools/audit/unix-privesc-check
- Priv Esc/Enumeration - https://www.rebootuser.com/?p=1623
- Basic Linux Privilege Escalation
- Linux_Exploit_Suggester
- Various techniques/commands
- Windows
- Attack Linux
- Exfiltration
- Detection Capabilities
- Egress-Assess
- Outbound Port Detection (find unfiltered outbound connections)
- Network Exfiltration
- DNS
- dnsteal - https://github.com/m57/dnsteal
- DNS
- Detection Capabilities
- Learning Resources
- Blogs
- Mubix - https://room362.com/
- OJ's Perspective - http://buffered.io/
- Carnal0wnage - http://carnal0wnage.attackresearch.com/
- Corelan - https://www.corelan.be/
- Daniel Miessler https://danielmiessler.com/information-security/
- NetSec Addict - http://netsec.ws/
- SecList - http://seclist.us/
- Notepad - https://bobloblaw.gitbooks.io/security/content/
- Getting Started
- OSCP Info
- Video Series/Channels
- LiveOverflow - https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w
- Pentestit - https://www.youtube.com/user/PentestITLab/videos
- Hacking Labs/VMs
- Vulnerable Windows Environment - http://www.crowdfunder.co.uk/rastalabs
- Web Apps
- Find more here
- Specific Topic Learning
- Web Application Security
- Solid Methodology - http://blog.zsec.uk/ltr101-method-to-madness/
- Introduction (left hand side) - http://securityidiots.com/index.html
- XSS
- Start here - http://brutelogic.com.br/blog/xss101/
- Practice XSS - https://xss-game.appspot.com/level1
- SQLi (SQL Injection)
- Various Web Exploits - https://google-gruyere.appspot.com/part1
- Scripting/Coding
- Python
- Exploit Development/Exploitation
- Modern Binary Exploitation - https://github.com/RPISEC/MBE
- https://www.peerlyst.com/posts/the-best-resources-for-learning-exploit-development
- Crypto
- Malware Analysis/Reversing
- Start Here - https://github.com/tylerph3/awesome-reversing
- University Course - https://github.com/RPISEC/Malware
- Ray's World - http://rayseyfarth.com/
- Amanda - http://amanda.secured.org/how-to-start-reverse-engineering-malware/
- Practice Phishing
- Web Application Security
- Free University Courses
- Challenges
- SANS Holiday Hack Challenge - https://holidayhackchallenge.com/2016/
- Before 2014 - https://pen-testing.sans.org/holiday-challenge/2014
- PCAP Challenges
- SANS Holiday Hack Challenge - https://holidayhackchallenge.com/2016/
- Fun Reading List
- Blogs
- Repos/Collection of Tools
- Large Toolset - https://awesomehacking.org/
- Large repo (many topics)
- Penetration Testing Tools
- Python
- Intro - https://github.com/PacktPublishing/Python-Journey-from-Novice-to-Expert
- Penetration Testing Tools - https://github.com/dloss/python-pentest-tools
- Python Forensics - https://github.com/PacktPublishing/Learning-Python-for-Forensics
- Reverse Engineering - https://github.com/tylerph3/awesome-reversing
- Complete Courses/Videos/Guides/Books
- Existing Full Guides (fantastic!)
- Pentest Wiki - https://github.com/nixawk/pentest-wiki
- Awesome Pentest - https://github.com/enaqx/awesome-pentest
- CTF
- Attack
- IPv6
- Windows
- Zero to Domain
- Network Fingerprinting and Exploitation -
- Linux
- Network Fingerprinting and Exploitation -
- Courses
- Metasploit Unleashed - https://www.offensive-security.com/metasploit-unleashed/
- Pen Testing - https://www.cybrary.it/course/advanced-penetration-testing/
- Videos
- Advanced Threat Tactics
- Books
- Advanced Penetration Testing for Highly Secured Environments
- LARGE (!) PDF - https://news.asis.io/sites/default/files/%E2%80%8Cbook.pdf
- Multiple pentesting books - http://www.arthur-training.com/Downloads/ITT/
- Advanced Penetration Testing for Highly Secured Environments
- How-To
- Evil Access Point - https://www.sensepost.com/blog/2013/rogue-access-points-a-how-to/
- DNS Phishing in Public Hotspots - https://www.exploit-db.com/docs/20875.pdf
- Various topics - https://bobloblaw.gitbooks.io/security/content/
- Misc. Resources
- Lectures/VMs/Videos (tons) - http://www.arthur-training.com/Downloads/
- Existing Full Guides (fantastic!)
- Cheatsheets
- Various Pentesting Tools
- Powershell
- Python
- Netcat
- Tcpdump
- Collections of Cheatsheets
- Detection/Remediation/Defending
- Detecting Meterpreter
- Detecting Backdoors
- Detecting Malicious VBA Macros
Good job!