eJPTv2 Full Cheatsheet
Assessment Methodologies

Last updated 2 years ago

Locate endpoints on a network:

Identify vulnerabilities in services:

Scan services & versions with nmap.

searchsploit (to search for exploits & vulnerabilities)

nmap scripts: locate /usr/share/nmap/scripts | grep service

msf: run db_nmap first, then db_autopwn or the analyze command, and then vulns to list the detected vulnerabilities

Identify the OS of an objective:

nmap -O

rpcclient -U "" -N IPobj -> srvinfo

smb-os-discovery (script nmap)

enum4linux -O IPobj

enum4linux -S IPobj

nc IPobj 22 (the SSH banner often reveals the O.S.)

Identify open ports & services from an objective

nmap -sS -p- -n -Pn --open IPobj

nmap -sV -p 21,22,etc -n -Pn --open IPobj

metasploit (search portscan or db_nmap)
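The two nmap commands above are a two-stage workflow: a full port sweep first, then a version scan restricted to the ports found open. As an added example (not part of the original cheatsheet), this Python snippet parses nmap's grepable output (-oG) from the first stage and builds the -p list for the second; the scan output embedded below is a constructed sample, not real scan data.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap -sS -p- -n -Pn --open -oG -` output (not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sS -p- -n -Pn --open -oG - 10.0.0.0/30
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65533)
# Nmap done at Mon Jan  1 12:00:05 2024 -- 2 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# Matches a "Host: <ip> (<name>)\tPorts: <entries>\t..." line and captures ip + entries.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_open_ports(gnmap_text: str) -> Dict[str, List[int]]:
    """Return {host: [open TCP ports]} from grepable (-oG) nmap output.

    Each entry in the Ports field has the form
    port/state/protocol/owner/service/rpcinfo/version/ ; only entries whose
    state is 'open' are kept, so a scan run without --open (which also lists
    filtered ports) does not pollute the follow-up -sV port list.
    """
    result: Dict[str, List[int]] = {}
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no port data
        host, ports_field = m.group(1), m.group(2)
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open" and proto == "tcp":
                result.setdefault(host, []).append(int(port))
    return {h: sorted(set(p)) for h, p in result.items()}


def service_scan_args(gnmap_text: str) -> Dict[str, str]:
    """Build the comma-separated -p value for `nmap -sV -p <ports> -n -Pn --open <host>`."""
    return {h: ",".join(str(p) for p in ports)
            for h, ports in parse_open_ports(gnmap_text).items()}


if __name__ == "__main__":
    for host, ports in service_scan_args(SAMPLE_GNMAP).items():
        print(f"nmap -sV -p {ports} -n -Pn --open {host}")
```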

Extract information from Open Source Platforms:

In the webpage itself:

robots.txt (may reveal hidden directories of the web server)

Source code (it may contain hidden things, e.g. comments or paths)

Sitemap.xml/sitemaps.xml (lists the site's pages so they can be indexed)

whois xwebpage (extracts information about the website: when it was registered, who owns it, which hosting company it was registered through; CIDR = network range; OrgName = name of the organization)

Netcraft.com > services > internet data mining > internet research tools (combines whois, whether SSL/TLS is in use, the web technologies of the website, and the name servers)

dnsrecon -d xpage.com (identifies the records of a particular domain; NS = name server addresses; MX = mail server address (the "postman"); A = IPv4 address; AAAA = IPv6 address; TXT = text record)

dnsdumpster.com

sublist3r -d xpage.com (search for subdomains using OSINT)

Compile technical information from open sources:

The webpage itself may contain information.

whatweb -a 1 xpage.com (enumerates technologies using a stealthy aggression level)

wafw00f xpage.com (can add the -a parameter)

Collect email addresses from public sources:

The webpage itself may contain information.

theHarvester -d xpage.com -b google,linkedin,yahoo,dnsdumpster,duckduckgo,crtsh (searches for emails via OSINT; the emails found can be checked against leaked-password databases like those below, because users sometimes reuse passwords).

Evaluate information & criticality or impact of vulnerabilities:

Nessus or OpenVAS

exploit-db or searchsploit

Search in google “service version CVE”

SCAP scan & STIG Viewer (scan the PC and evaluate the vulnerabilities it has).

(the best)

NATIONAL VULNERABILITIES DATABASE
HaveIbeenPwned
BreachDirectory
MITRE SEARCH CVE LIST