Practical Network Penetration Tester


engagement types (external, internal, webapp, wireless, physical, mobile)

ftp (21) # tcp
ssh (22) # tcp
telnet (23) # tcp
smtp (25) # tcp
dns (53) # tcp/udp
http (80) # tcp
https (443) # tcp
dhcp (67 / 68) # udp
pop3 (110) # tcp
imap (143) # tcp
snmp (161) # udp
rdp (3389) # tcp
ntp (123) # udp
smb (445) # tcp
ftps (990) # tcp
tftp (69) # udp
ldap (389) # tcp/udp
mysql (3306) # tcp

passive recon:

location: satellite imagery, building layout, badge readers, break areas, security, fencing

job: employees (name, title, job, phone, manager), pictures (badges, desks)


difference between bind and reverse shells? bind shell: we connect to the victim || reverse shell: the victim connects to us

-lvnp
-l # listen for inbound connections
-v # verbosity (repeat for more)
-n # numeric-only IPs (no DNS)
-p # port

-e /bin/sh
-e # execute the given program once connected
/bin/sh # shell to use

difference between staged and non-staged payloads?