Penetration Testing Guidelines - JimKnee-Champ/Ethical-Hacking-Journal GitHub Wiki

Definition of a pentest: "A legal and authorized attempt to locate and successfully exploit computer systems for the purpose of making those systems more secure"

Vulnerability Assessment is an analysis of the system, whereas a pentest is an active test of the system.

A pentest needs to be handled securely and with formal authorization for it to be legal and "white-hat." The purpose is to shore up vulnerabilities, not to exploit the system for its own sake.

Three stages to any cyber attack: find targets, analyze them for vulnerabilities, and then exploit the vulnerabilities.

Relevant information to gather:
- Network info: IP addresses and ranges
- Domain info: domains and subdomains
- Server names and server IPs
- What applications are being run
- What security tools are used: firewalls, endpoint protection
- People: addresses, names, permissions, jobs, development status
- Partners of the business

Active vs passive recon:
- Active: direct interaction with the target. The target might be able to record us doing this.
- Passive: collecting information without engaging the target directly, relying on the internet and public knowledge. Tools like the Wayback Machine let you visit an archived version of a website without leaving any traces on the target.
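What "the target might be able to record us" looks like from the target's side, as an added example that is not part of the original wiki: a small parser for web-server access logs (Combined Log Format assumed) that flags a client producing a burst of 404 responses, the footprint that direct probing of a site leaves behind while passive recon leaves none. The log lines, the IP addresses and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Combined Log Format). 203.0.113.10
# requests many non-existent paths within seconds; 198.51.100.7 is a
# normal visitor who hits one missing page.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 200 42 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /test/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /dev/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /contact HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(text):
    """Yield (ip, timestamp, path, status) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])

def flag_probing_clients(text, min_404=4, window_seconds=60):
    """Return {ip: total_404s} for clients that produced at least min_404
    'not found' responses inside any window_seconds span. The thresholds
    are assumed starting points, not tuned values."""
    stamps_by_ip = defaultdict(list)
    for ip, ts, _path, status in parse_log(text):
        if status == 404:
            stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_404:
                flagged[ip] = len(stamps)
                break
    return flagged
```

Running `flag_probing_clients(SAMPLE_LOG)` flags only 203.0.113.10; the single 404 from the ordinary visitor stays below the threshold.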

Domain whois: organizations must register domain names, and the registration records often include email addresses.

Google hacking: gather information about a site through Google search operators without visiting the website itself, so your traffic is never recorded by the target.

Ex: `site:domain terms`. Shodan.io, a search engine for internet-connected devices, is another passive source.

Passive recon tools:
- theHarvester: queries multiple search engines
- Netcraft: provides technical reports on websites
- Metagoofil: metadata analysis of publicly available files