Penetration testing (also called pen testing) is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit. Below is a quick cheat sheet of the phases of a penetration test and the commands commonly used in each.
1) Reconnaissance:
Normally no active tests are performed against targets in this phase; Google is your friend. You try to learn all you can about potential organizations/targets from publicly available sources. Reconnaissance generally takes place in two parts, i.e. active and passive reconnaissance.
In active reconnaissance, you interact directly with the target system to gain information.
In passive reconnaissance, you do not connect directly to the target system at all.
2) Scanning:
This phase involves identifying live targets on a network and their open ports.
nmap -sS 192.168.1.1-255    # TCP SYN port scan (requires root)
nmap -sn -PR 192.168.1.0/24  # ARP ping sweep, no port scan (hosts on the local segment only)
netdiscover -r 10.0.0.0/24 -i eth0
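Scan output is only useful once it is triaged into "which hosts answered, and which ports are open on each". The following is an added example, not code from the original cheat sheet: a small parser for nmap's grepable output format (`-oG`), run over a constructed sample so it works offline. The sample hosts, hostnames and service strings are made up for the example.

```python
import ipaddress
import re

# Constructed sample of nmap grepable output (-oG); not output from a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample) as: nmap -sS -oG - 192.168.1.0/24
Host: 192.168.1.10 (gw.lab.example)\tStatus: Up
Host: 192.168.1.10 (gw.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.23 ()\tStatus: Up
Host: 192.168.1.23 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
Host: 192.168.1.50 ()\tStatus: Down
# Nmap done at (constructed sample) -- 256 IP addresses (2 hosts up) scanned
"""

# "Host: <ip> (<hostname>)" followed by tab-separated fields such as "Status: Up" or "Ports: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Parse -oG text into {ip: {"hostname": str, "up": bool, "ports": [...]}}.

    Each port is a tuple (port, proto, state, service, version). Grepable output
    repeats the host on a Status line and a Ports line, so results are merged per IP.
    """
    hosts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "up": False, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                entry["up"] = True  # a Ports line only exists for hosts that answered
                for item in value.split(", "):
                    parts = item.split("/")
                    # Field layout per entry: port/state/proto/owner/service/rpcinfo/version/
                    if len(parts) < 7:
                        continue
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    entry["ports"].append((int(port), proto, state, service, version))
    return hosts


def live_hosts(hosts):
    """IPs that answered, sorted numerically rather than as strings."""
    return sorted((ip for ip, h in hosts.items() if h["up"]), key=ipaddress.ip_address)


def open_ports(hosts):
    """{ip: [(port, service, version), ...]} restricted to open ports on live hosts."""
    return {
        ip: [(p, svc, ver) for (p, _proto, state, svc, ver) in h["ports"] if state == "open"]
        for ip, h in hosts.items()
        if h["up"]
    }


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("live hosts:", live_hosts(scan))
    for ip, ports in open_ports(scan).items():
        for port, svc, ver in ports:
            print(f"{ip}:{port} {svc} {ver}".rstrip())
```

Feed it real output with `nmap -oG scan.gnmap ...` and `parse_gnmap(open("scan.gnmap").read())`; the `open_ports` result is exactly the input the enumeration phase needs.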
3) Enumeration/OS fingerprinting:
Learn more about the applications listening behind the discovered open ports. This involves sending packets to the open ports and analyzing the responses sent back by the services. The OS can often be determined from these responses as well.
nmap with the -sV (service/version detection) and/or -O (OS detection) options
amap -Abqv 10.0.0.1 80   # application mapping with banners, quiet and verbose
amap -B 10.0.0.1 80      # banner grabbing only
xprobe2 -p tcp:445:open 10.0.0.1   # OS fingerprinting, telling xprobe2 that tcp/445 is known open
httprint for webserver enumeration
Metasploit's smb_version module (auxiliary/scanner/smb/smb_version) if port 445 or 139 is open
nmap --script smb-os-discovery 10.0.0.1
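The mechanism behind amap, httprint and the like is simple: connect, read what the service volunteers (SSH and SMTP speak first), send a protocol probe if it stays silent (HTTP waits for a request), and match the bytes against a signature table. The block below is an added example, not code from the original page or from any of the tools listed: a minimal banner grabber with a constructed three-entry fingerprint table, exercised against a throwaway loopback listener so it runs offline. The banners and patterns are made up for the example and are nowhere near a real signature database.

```python
import re
import socket
import threading

# Constructed fingerprint patterns for the example; not any tool's signature database.
FINGERPRINTS = [
    ("ssh", re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)")),
    ("smtp", re.compile(rb"^220[ -](?P<host>\S+).*(?:SMTP|ESMTP)", re.I)),
    ("http", re.compile(rb"^HTTP/[\d.]+ \d{3}.*?\r\nServer: (?P<server>[^\r\n]+)", re.I | re.S)),
]
HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def grab_banner(host, port, timeout=1.0, probe=HTTP_PROBE):
    """Read whatever the service volunteers; if it stays silent, send a probe.

    Every read is bounded by `timeout`, so a silent or hung port costs at most
    two timeouts instead of stalling the whole enumeration run.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
        if not data and probe:
            s.sendall(probe)
            try:
                data = s.recv(4096)
            except socket.timeout:
                data = b""
    return data


def classify(banner):
    """Map a banner to (service, details) via FINGERPRINTS; ("unknown", {}) if nothing matches."""
    for name, rx in FINGERPRINTS:
        m = rx.match(banner)
        if m:
            return name, {k: v.decode(errors="replace") for k, v in m.groupdict().items()}
    return "unknown", {}


def serve_once(response, wait_for_request=False):
    """Throwaway loopback listener standing in for a real service: answers one client and exits."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:  # HTTP-style service: speaks only after a request
                conn.settimeout(5)
                conn.recv(4096)
            conn.sendall(response)
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def identify_local(response, wait_for_request=False):
    """Run grab_banner + classify against a loopback listener that replies with `response`."""
    port, t = serve_once(response, wait_for_request)
    result = classify(grab_banner("127.0.0.1", port))
    t.join(5)
    return result


if __name__ == "__main__":
    print(identify_local(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"))
    print(identify_local(b"HTTP/1.0 200 OK\r\nServer: examplehttpd/1.2\r\n\r\n", wait_for_request=True))
```

Against a real host you would call `classify(grab_banner(ip, port))` for each open port from the scanning phase; the "unknown" result is the interesting one in practice, since it marks services whose protocol you have not yet accounted for.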
4) Vulnerability Research:
After identifying the OS and its applications (and in some cases their versions), you will want to research those applications for potential vulnerabilities and security bypasses. Some resources that you can use to research vulnerabilities are:
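Whatever resource you research in, the step that goes wrong most often is deciding whether the version you enumerated actually falls inside an advisory's affected range, because version strings do not compare like plain strings ("2.4.9" sorts above "2.4.53" lexically). The following is an added example, not from the original page: a version key that compares numerically, with a constructed table of placeholder advisories for fictional products (the identifiers `ADV-PLACEHOLDER-*`, the product names and the ranges are all made up for the example).

```python
import re
from typing import NamedTuple


def version_key(version):
    """Turn '2.4.52', '8.9p1' or '1.0.2k' into a tuple that compares numerically.

    Digit runs become ints and letter runs stay strings; each element is tagged
    (0 for int, 1 for str) so Python never compares an int with a str directly.
    """
    return tuple(
        (0, int(p)) if p.isdigit() else (1, p)
        for p in re.findall(r"\d+|[A-Za-z]+", version)
    )


class Advisory(NamedTuple):
    ident: str       # placeholder identifier for the example, not a real CVE
    product: str
    introduced: str  # first affected version (inclusive)
    fixed_in: str    # first fixed version (exclusive)


# Constructed placeholder advisories for fictional products; the ranges are made up.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "examplehttpd", "2.4.0", "2.4.53"),
    Advisory("ADV-PLACEHOLDER-2", "demossh", "8.0", "8.9"),
]


def is_affected(version, adv):
    """introduced <= version < fixed_in, compared component by component."""
    v = version_key(version)
    return version_key(adv.introduced) <= v < version_key(adv.fixed_in)


def lexical_is_affected(version, adv):
    """The mistake to avoid: plain string comparison misses '2.4.9' for a '< 2.4.53' range."""
    return adv.introduced <= version < adv.fixed_in


def match_services(services, advisories=ADVISORIES):
    """services: iterable of (product, version) from enumeration -> [(product, version, ident)]."""
    hits = []
    for product, version in services:
        for adv in advisories:
            if adv.product.lower() == product.lower() and is_affected(version, adv):
                hits.append((product, version, adv.ident))
    return hits


if __name__ == "__main__":
    # Constructed enumeration results for the fictional products above.
    found = [("examplehttpd", "2.4.9"), ("DemoSSH", "8.9p1"), ("other", "1.0")]
    for hit in match_services(found):
        print("affected:", hit)
```

Note how "8.9p1" is correctly treated as at or above the fixed version "8.9", because a longer tuple with an equal prefix sorts higher; real advisory data also carries distribution backports, which this simple range check cannot see.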
5) Exploitation:
After finding potential vulnerabilities and exploits in your research phase, you will want to attempt these exploits against the vulnerable apps. In some cases you will be required to compile and/or modify the exploit code to get things working or simply to suit your needs. Some tools that aid in the exploitation phase are:
6) Maintaining Access:
After you have successfully exploited a target, you will want to ensure that access to the remote vulnerable host will be quick and easy. You may be required to open a port in the firewall or just turn that darn thing off. Some tools that can be used here are:
7) Clearing Tracks:
This step basically involves clearing traces of your activity on the vulnerable machine, including uploaded files and any events that may have been logged to the event viewer that could indicate the machine has been compromised. Rootkits can also help hide your uploaded files, your open ports, running services, etc. These are very difficult to detect and mitigate.
These are just guidelines that we've collected from various resources. The majority of pentesters out there tend to follow guidelines similar to those we've outlined. There are many more tools that can be utilized in each phase, but that was not the purpose of this article. It is important to have an idea of the overall phases that one may encounter in real life and why each is important. We did not go into much depth, but each phase has its value. It is very important to know your tools, to practice using them and to know when to use them, as your experience can be the deciding factor in whether you get in or whether you serve yourself a serving of fail.