Assessment Methodologies
Locate endpoints on a network:
Identify vulnerabilities in services:
Scan services & versions with nmap.
searchsploit (to search for exploits & vulnerabilities)
nmap scripts: locate /usr/share/nmap/scripts | grep <service> (lists the NSE scripts written for that service; run one with nmap --script <name> -p <port> IPobj)
msf: run db_nmap first so the hosts and services land in the database, then analyze (suggests modules for the stored hosts) and vulns (lists the recorded vulnerabilities). The old db_autopwn command has been removed from current Metasploit.
Identify the OS of an objective:
nmap -O
rpcclient -U "" -N IPobj -> srvinfo (null session over SMB; srvinfo prints the OS version when the server allows anonymous access)
smb-os-discovery (script nmap)
enum4linux -O IPobj
enum4linux -S IPobj
nc IPobj 22 (the SSH banner often names the distribution, e.g. an OpenSSH build string ending in Ubuntu or Debian)
Identify open ports & services from an objective
nmap -sS -p- -n -Pn --open IPobj
nmap -sV -p 21,22,etc -n -Pn --open IPobj
metasploit (search portscan or db_nmap)
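The two nmap commands above are normally chained: the full-range SYN scan finds the open ports, and only those ports are handed to the slower version scan. The following script is an added example, not part of the original notes. It assumes nmap is installed, that it runs as root (required for -sS), and that the target argument is a placeholder like IPobj; the gnmap sample in the test is constructed.

```shell
#!/bin/sh
# Added example: two-stage nmap workflow (SYN scan all ports, then version scan only the open ones).
# Assumes nmap is available and the script runs as root; the target is a placeholder.

# Read an nmap grepable (-oG) file and print the open TCP ports as a
# comma-separated list, ready for nmap -p.
# Grepable line format:
#   Host: 10.0.0.5 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (65534)
open_ports_from_gnmap() {
    grep -h 'Ports:' "$1" \
        | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep '/open/tcp/' \
        | cut -d/ -f1 \
        | sort -n -u \
        | paste -sd, -
}

# Full workflow: stage 1 discovers ports, stage 2 fingerprints services on them.
scan_target() {
    target="$1"
    out="scan_${target}"
    # Stage 1: all 65535 TCP ports, no DNS, no ping, only open ports kept.
    nmap -sS -p- -n -Pn --open -oG "${out}.gnmap" "$target" >/dev/null
    ports="$(open_ports_from_gnmap "${out}.gnmap")"
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open ports: $ports"
    # Stage 2: version detection restricted to the ports found above; -oA keeps
    # normal, grepable and XML output for later use (e.g. searchsploit --nmap file.xml).
    nmap -sV -p "$ports" -n -Pn -oA "${out}_versions" "$target"
}

# Usage: ./scan.sh IPobj
if [ -n "${1:-}" ]; then
    scan_target "$1"
fi
```

Keeping the -oG file around is worthwhile: the parser above can be rerun against it later, and the XML from -oA feeds tools that consume nmap output directly.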
Extract information from Open Source Platforms:
In the webpage.
robots.txt (hidden directories of the web server)
Source code (it may be hidden things)
sitemap.xml / sitemaps.xml (lists the site's URLs for search-engine crawlers, so it can reveal pages that are not linked from the visible site)
whois xpage.com (extracts registration data for the domain or IP range: when it was registered, who owns it, which hosting company or registrar it went through; CIDR = network range; OrgName = name of the organization)
Netcraft.com > services > internet data mining > internet research tools (combine whois, if there are SSL or TLS, the web technologies of the website, the name servers)
dnsrecon -d xpage.com (identify the records of a particular domain; NS = name server addresses; MX = mail service address (the “postman”); A=IPv4 address; AAAA=IPv6 address; TXT=txtrecord)
dnsdumpster.com
sublist3r -d xpage.com (search for subdomains using OSINT)
Compile technical information from open sources:
The web page itself may contain information.
whatweb -a=1 xpage.com (enumerates web technologies; -a=1 is the stealthy aggression level, which only inspects the pages it is given)
wafw00f xpage.com (detects a web application firewall in front of the site; add -a to test for every known WAF instead of stopping at the first match)
Collect e-mail addresses from public sources:
The web page itself may contain information.
theHarvester -d xpage.com -b google,linkedin,yahoo,dnsdumpster,duckduckgo,crtsh (searches for e-mail addresses via OSINT; the addresses found can then be looked up in leaked-password databases, because users often reuse passwords)
Evaluate information & criticality or impact of vulnerabilities:
Nessus or OpenVAS
exploit-db or searchsploit
Search in google “service version CVE”
SCAP scan & STIG Viewer (scan the host and evaluate the vulnerabilities it has) (the best)