Methodology
- Recon — This is the one area most people skip over or put the least amount of effort into. Don't. Without question, this is the most important phase. If done correctly, it is possible to gain access to a network without using a single exploit. For example, take a look at the modules available in recon-ng. Some of our favorites are the pwnlist modules and namechk.
- Scanning — Try to be as accurate as possible. If your scanner supports a scan dedicated to PCI, don't use it. PCI scans have a very high false-positive rate. If the project is a Crystal-box or Grey-box test, look into credentialed scanning. It will reduce the false positives, and the scan will run much faster. As an added bonus, it will also dramatically reduce the likelihood of crashing a system. Finally, always review the low- and medium-risk findings. These lower-risk findings may add up and result in significant potential for attack.
- Exploitation — Always explicitly set the TARGET in Metasploit, as it will reduce the likelihood of a target crash and will increase the likelihood of successful exploitation. Get very comfortable with the Social Engineering Toolkit. Learn how to bypass AV; see the reference section below.
- Post-Exploitation — After you have access to a target system, put the exploits away. Dump the passwords, crack the passwords. Get familiar with mimikatz. Get familiar with passing the hash. Get familiar with password spraying. Pivot mercilessly.
- Reporting — Tell a narrative and demonstrate the risk through screenshots and videos. Never, ever, copy and paste results from an automated tool.
Must-Have Tools
Software
- Kali Linux & Backtrack — An incredible collection of pen testing tools integrated together in a fantastic Linux distro. http://www.kali.org/downloads
- Mimikatz — Ever wished to pull clear-text passwords from memory? This tool grants that wish. By Benjamin Delpy. http://blog.gentilkiwi.com/mimikatz
- Metasploit — Open-source exploit environment. Over 600 exploits. By HD Moore & the Metasploit development team. Metasploit.com
- Recon-ng — The world's finest reconnaissance environment. By Tim Tomes. lanmaster53.com
- Nmap — The best port scanner there is, and a whole lot more! By Fyodor and the Nmap development team. nmap.org
- Maltego* — Doing open-source reconnaissance can be hard and lead to a tremendous amount of data and work. Maltego makes it easy. By Paterva. http://www.paterva.com
- Python — If you have to learn one language, learn C++. But C++ is hard. Learn Python first. By Guido van Rossum. http://www.python.org
- The Social Engineering Toolkit — Social engineering attacks, like phishing, made easy. So easy, in fact, that a 10-year-old can use it. By Dave Kennedy. http://www.trustedsec.com/downloads/social-engineer-toolkit
- Anonymizer Universal* — A fast and stable anonymizing proxy. By http://www.anonymizer.com
- FOCA — Automatically pull down files and extract metadata. By Informatica64. http://www.informatica64.com/foca.aspx
- THC-Hydra — The world's best remote password guessing tool. By Van Hauser. http://www.thc.org/thc-hydra
- Ettercap — The world's best ARP cache poisoning and session hijacking tool. By Alberto Ornaghi (ALoR), Marco Valleri (NaGA), Emilio Escobar, and Eric Milam. http://ettercap.github.com/ettercap
- Cain and Abel — Outstanding ARP cache poisoning and password-cracking tool. By Massimiliano Montoro. http://www.oxid.it/cain.html
- John The Ripper — Our favorite general-purpose password-cracking tool. By Solar Designer. http://www.openwall.com/john
- Oclhashcat — Hyper-fast GPU-based password-cracking tool. By Atom and Trac. https://hashcat.net
- ISR-Evilgrade — Intercept and hijack software updates. By infobyte. https://code.google.com/p/isr-evilgrade
- Wireshark — You will spend a tremendous amount of time analyzing packets. Wireshark makes it easy. By Gerald Combs. http://www.wireshark.org
- Netcat — General-purpose networking tool. It does just about everything. By The Hobbit. http://netcat.sourceforge.net
- Scapy — The finest packet crafting tool in the world. By Philippe Biondi. http://www.secdev.org/projects/scapy
Hardware
- Teensy* — Emulate keyboards to take over systems.
- Pwnplug* — Small, portable, powerful covert pen testing platform.
* These tools are available on a commercial (cost) basis.