

High-value penetration testing involves modeling the techniques used by real-world computer attackers to find vulnerabilities, and, under controlled
circumstances, to exploit those flaws in a professional, safe manner according to a carefully designed scope and rules of engagement. This process
helps to determine business risk and potential impact of attacks, all with the goal of helping the organization improve its security stance.
Here are tips for each phase of penetration testing to help you provide higher business value in your work.

PLANNING AND RECON

Discuss black-box versus crystal/white-box testing while building your rules of engagement, noting that crystal-box testing often provides more detailed results, is safer, and delivers better business value.

Discuss with target system personnel the particularly sensitive information they have in their environment (such as PII) and how you can measure access to it without actually downloading it. Consider going after generic sample records planted to demonstrate your access instead of the actual sensitive data.

Carefully consider all interactions with third-party servers and searches to ensure you do not divulge sensitive information about the target or violate a non-disclosure arrangement by using them. You may want to consider using the TOR network to obscure your relationship with the target organization.

Look for common office documents posted on target websites by using Google searches for:
site:<TargetDomain> ext:doc | ext:docx | ext:xls | ext:xlsx | ext:pdf

Use the Shodan search engine's "net:" directive to look for unusual or interesting devices in the target network address ranges. Also, use unique footer information (such as a common copyright notice on target web pages) to find additional pages via Shodan using the "html:" directive.

Make sure you get written permission to test any third parties that own or operate target systems (MSSPs, cloud providers, ISPs, shared hosting environments, border routers, DNS servers, etc.).

Remember to check social networking sites (especially LinkedIn, Facebook, and Twitter) to learn about target personnel and the technologies they use.

Keep your skills fresh by setting aside an hour or two per week to participate in Capture the Flag competitions, including the free SANS Holiday Hack Challenge and the numerous other free CTFs.

REPORTING

Don't wait for the end of your penetration test to write the report. Instead, write the report as you test, setting aside time each day to write one to three pages. Not only will you produce a better report, your pen test itself will also be better.

Include screenshots in your report to illustrate findings clearly. Annotate screenshots with arrows and circles pointing out the important aspects of the illustration.

To add extra value to your recommendations, consider including steps an operations person can take to verify that a recommended fix is in place, such as a command to check for the presence of a patch. For some findings, this can be hard to do, so in those cases recommend that the given issue be retested.

Write for the proper audience in each section: The Executive Summary should be for the decision-makers who are allocating resources. Findings should be written from a technical perspective, informed by business issues. Recommendations should take into account the operations team and their processes.

SCOPING AND COMMUNICATION

Use a template to guide a voice conversation to identify the scope and rules of engagement.

Double-check that all IP addresses included in the scope belong to the target organization and aren't a mistake. Use whois lookups and traceroute to check that the addresses make sense and actually belong to the target organization.

Conduct a daily debriefing call with target system personnel to exchange ideas and lessons learned. If daily is too frequent, consider calls two or three times per week.

In LinkedIn, look for long-term IT and InfoSec employees to see which technologies they are familiar with, including firewalls, development environments, and more.

SCANNING

Identify targets by IP address (IPv4 and IPv6 if you have it), domain name, and (if you have it) MAC address (especially for compromised client machines using DHCP).

Run a sniffer such as tcpdump while you are scanning a target so you can continually verify that your scanner is still running appropriately.

While open ports such as TCP 445 often indicate a Windows machine, this is not always the case. The target could be a Samba daemon or another SMB-based target.

Verify discovered vulnerability findings by researching how to check the issue manually or through a bash, PowerShell, Nmap Scripting Engine (NSE) script, or other script.

Try to identify false positives by running a different tool to corroborate a finding.

Put vulnerabilities that you have identified in the context of how critical the asset is, as this helps you assign priority and assess risk.

If you are using a virtual machine for your attacks, configure it for bridged networking to avoid filling up NAT tables and to ensure reverse shell connections can come back to you.
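The two scanning tips above ("verify findings" and "corroborate with a different tool") can be made mechanical. The following is an added example, not code from the SANS poster: it parses Nmap greppable (-oG) output and compares every "open" TCP port against a second tool's observations, so that ports backed by only one tool go on a manual-verification list instead of straight into the report. The -oG text is a constructed sample, and the second tool's results are a hypothetical list of (host, port, TCP-flags) tuples of the kind a Scapy SYN probe returns ("SA" for SYN/ACK, i.e. open; "RA" for RST/ACK, i.e. closed).

```python
"""Corroborate Nmap "open" findings with a second tool before reporting them.

Added example, not code from the SANS poster. Parses `nmap -oG` output and
labels each open TCP port as corroborated, contradicted, or unconfirmed
based on a second tool's results (hypothetical SYN-probe tuples below).
"""
import re
from collections import defaultdict

# Constructed sample of `nmap -oG -` output (two hosts up, one down).
NMAP_GREPPABLE = """\
# Nmap 7.70 scan initiated Mon Jan  1 00:00:00 2018 as: nmap -sS -p 22,80,139,445,3389 -oG - 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (0)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done at Mon Jan  1 00:00:05 2018 -- 8 IP addresses (2 hosts up) scanned in 5.01 seconds
"""

# Hypothetical second-tool results: (host, port, TCP flags seen in the reply).
SYN_PROBE_RESULTS = [
    ("10.0.0.1", 22, "SA"),
    ("10.0.0.1", 80, "SA"),
    ("10.0.0.1", 445, "RA"),   # disagrees with Nmap: re-check by hand
    ("10.0.0.2", 80, "SA"),
]                               # 10.0.0.2:445 never probed -> unconfirmed

# One -oG port entry looks like: 22/open/tcp//ssh///
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)//")


def parse_nmap_greppable(text):
    """Return {host: {(port, proto): (state, service)}} from -oG output."""
    results = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field, if any.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            results[host][(int(port), proto)] = (state, service)
    return dict(results)


def corroborate(nmap_results, probe_results):
    """Label each Nmap open TCP port: corroborated, contradicted, or unconfirmed."""
    seen = {(host, port): flags for host, port, flags in probe_results}
    verdicts = {}
    for host, ports in nmap_results.items():
        for (port, proto), (state, _service) in ports.items():
            if proto != "tcp" or state != "open":
                continue
            flags = seen.get((host, port))
            if flags is None:
                verdicts[(host, port)] = "unconfirmed"
            elif "S" in flags and "A" in flags and "R" not in flags:
                verdicts[(host, port)] = "corroborated"
            else:
                verdicts[(host, port)] = "contradicted"
    return verdicts


def example():
    """Run the sample; anything not corroborated goes on the manual-check list."""
    return corroborate(parse_nmap_greppable(NMAP_GREPPABLE), SYN_PROBE_RESULTS)


if __name__ == "__main__":
    for (host, port), verdict in sorted(example().items()):
        print("%s:%d %s" % (host, port, verdict))
```

On the sample, 10.0.0.1:445 is contradicted (Nmap says open, the SYN probe saw RST/ACK) and 10.0.0.2:445 is unconfirmed; both should be checked by hand or with an NSE script before they appear as findings.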


EXPLOITATION

Set up a command or script that checks the availability of the target service every few seconds while you are attacking it. That way, if you do crash it, you'll notice quickly and can work with target system personnel to get it restarted.

Build your payloads so that they make a reverse connection back to you, increasing the chance you'll get through a firewall that allows outbound connections.

For your payloads, use a protocol that is likely allowed outbound from the target environment, such as HTTPS (with a proxy-aware payload like those available in PowerShell Empire, Metasploit, and the Veil Framework) or DNS (such as the DNScat tool).

When creating payloads that evade anti-malware tools, do NOT submit your sample to online scanning sites to check for evasion, as that may defeat your payload as new signature updates are distributed.

To lower the chance of crashing target systems and services, once you gain admin-level credentials and SMB access to them, use psexec or similar Windows features (WMIC, sc, etc.) to cause them to run code, instead of a buffer overflow or related exploit.

If your exploit fails, read the output of your exploitation tool carefully to see where it errors out. Also, run a sniffer such as tcpdump to see how far along it gets in making a connection, sending the exploit, and loading the stager and stage. If your stager worked but your stage couldn't be loaded, your anti-virus evasion tactics may be failing.

POST-EXPLOITATION

When you gain access to a target machine, don't use it to scan for more targets yet, as that might get you detected prematurely. Instead, plunder it for information about other potential targets based on network activity:
DNS cache (Windows): c:\> ipconfig /displaydns
ARP cache: arp -a
Established TCP connections: netstat -na
Routing table: netstat -nr

When you get on a Windows box, look for ESTABLISHED TCP connections to ports 445 (SMB) and 3389 (RDP), as these other systems may be excellent systems to pivot to, provided they are in scope:
c:\> netstat -na | find "EST" | find ":445"
c:\> netstat -na | find "EST" | find ":3389"

When you gain access to a target, if a sniffer is installed on the machine (like tcpdump or Wireshark's tshark tool), run it to look for network traffic to identify other possible target machines, as well as cleartext protocols containing sensitive or useful information.

Even without root, system, or admin privileges on a target machine, you can still usually perform very useful post-exploitation activities, including getting a list of users, determining installed (and possibly vulnerable) software, and pivoting through the system.

While they can be very useful for management demonstrations, be careful turning on video cameras and capturing audio from compromised target machines. Conduct that level of invasive access only with written permission, and have it reviewed by your legal team to ensure compliance with local laws.

PASSWORD ATTACKS

Create a word list fine-tuned to the target organization based on words from its website.

Create a word list fine-tuned for users based on their social networking profiles.

Remember, passwords can be gathered using a variety of techniques, including automated guessing, cracking, sniffing, and keystroke logging.

For password guessing, always consider the account lockout policy and try to avoid it by using password spraying techniques (a large number of accounts and targets with a small number of passwords).

As soon as you get hashes from targets, start a password cracker to try to determine the passwords. Don't let any time go by until you start cracking the hashes you've gotten.

When you successfully crack a password using word-mangling rules, add that password to your dictionary for further password attacks on that penetration test. That way, if you encounter the same password in a different hash format, you won't have to wait for word-mangling to re-discover that password.

Sometimes you don't need a password for authentication because simply using the hash can get the job done, as with pass-the-hash attacks against Windows and SMB targets, and with hashes of passwords stored in cookies for some websites.

If you have a compatible GPU on your system, consider using a GPU-based password cracking tool, such as Hashcat, as you'll get 20 to 100 times the performance.
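The post-exploitation tip above ("plunder the host for other targets, don't scan yet") is easy to do by hand on one box and tedious on twenty. The following is an added example, not code from the SANS poster: it parses the text that `netstat -na` and `arp -a` print on a Windows host, keeps only ESTABLISHED sessions to SMB (445) and RDP (3389), joins them with the ARP cache to recover MAC addresses, and drops anything outside the engagement scope. Both command outputs are constructed samples, and the IN_SCOPE ranges are a hypothetical rules-of-engagement value.

```python
"""Harvest pivot candidates from a compromised Windows host's own network state.

Added example, not code from the SANS poster. Parses constructed samples of
`netstat -na` and `arp -a` output; IN_SCOPE is a hypothetical RoE value.
"""
import ipaddress
import re

# Constructed sample of `netstat -na` on a Windows host (abridged).
NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.10.5.20:49712       10.10.5.7:445          ESTABLISHED
  TCP    10.10.5.20:49801       10.10.9.15:3389        ESTABLISHED
  TCP    10.10.5.20:49822       203.0.113.9:443        ESTABLISHED
  TCP    10.10.5.20:49830       10.10.5.7:445          TIME_WAIT
  TCP    10.10.5.20:49844       10.10.5.31:3389        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

# Constructed sample of `arp -a` on the same host.
ARP_OUTPUT = """\

Interface: 10.10.5.20 --- 0xb
  Internet Address      Physical Address      Type
  10.10.5.1             00-50-56-aa-bb-01     dynamic
  10.10.5.7             00-50-56-aa-bb-07     dynamic
  10.10.5.31            00-50-56-aa-bb-1f     dynamic
  10.10.5.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

PIVOT_PORTS = {445: "SMB", 3389: "RDP"}
# Hypothetical in-scope ranges from the rules of engagement.
IN_SCOPE = [ipaddress.ip_network(n) for n in ("10.10.5.0/24", "10.10.9.0/24")]

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$", re.M)
ARP_RE = re.compile(
    r"^\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(?P<type>\w+)", re.M | re.I)


def split_endpoint(endpoint):
    """'10.0.0.1:445' -> ('10.0.0.1', 445); '[::1]:445' -> ('::1', 445)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def in_scope(ip):
    return any(ipaddress.ip_address(ip) in net for net in IN_SCOPE)


def pivot_candidates(netstat_text):
    """Remote hosts with ESTABLISHED SMB/RDP sessions from this box, in scope only."""
    found = {}
    for m in NETSTAT_RE.finditer(netstat_text):
        if m["state"] != "ESTABLISHED":
            continue
        host, port = split_endpoint(m["remote"])
        if port in PIVOT_PORTS and in_scope(host):
            found.setdefault(host, set()).add(PIVOT_PORTS[port])
    return found


def arp_neighbors(arp_text):
    """Dynamic ARP entries: hosts that recently exchanged traffic with this box."""
    return {m["ip"]: m["mac"] for m in ARP_RE.finditer(arp_text)
            if m["type"].lower() == "dynamic" and in_scope(m["ip"])}


def report():
    """Merge both views: pivot candidates plus the MAC where the ARP cache knows it."""
    pivots = pivot_candidates(NETSTAT_OUTPUT)
    macs = arp_neighbors(ARP_OUTPUT)
    return {h: {"services": sorted(s), "mac": macs.get(h)} for h, s in pivots.items()}


if __name__ == "__main__":
    for host, info in sorted(report().items()):
        print(host, info)
```

The 203.0.113.9:443 session is ignored twice over: it is not an SMB/RDP port and it is outside the hypothetical scope. The MAC address recovered for 10.10.5.7 is the kind of identifier the scanning tips recommend recording for DHCP clients whose IP may change.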
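Three of the password tips above chain together: a word list tuned to the target's own website, word-mangling rules on top of it, and feeding every cracked password straight back into the dictionary so the same password in a different hash format falls on the first pass with no mangling at all. The following is an added example, not code from the SANS poster, that runs that chain end to end. To keep it offline it uses unsalted MD5 and SHA-1 through hashlib instead of NTLM/NetNTLMv2 in Hashcat or John; the web page excerpt and the "captured" hashes are constructed for the example (the hashes are derived here from fictional, deliberately weak plaintexts so the run is self-checking).

```python
"""Targeted word list, mangling rules, and cracked-password feedback.

Added example, not code from the SANS poster. SITE_TEXT, the hash formats
(MD5/SHA-1 via hashlib) and the captured hashes are all constructed.
"""
import hashlib
import re

# Constructed excerpt of a target's public website.
SITE_TEXT = """
Welcome to Acme Widgets! Acme has built the world's finest Widget
since 1987. Our Roadrunner product line ships from Phoenix and our
Coyote support team is here to help.
"""


def site_wordlist(text, min_len=4):
    """Unique lower-cased words from page text, ordered by first appearance."""
    seen, words = set(), []
    for w in re.findall(r"[A-Za-z]{%d,}" % min_len, text):
        lw = w.lower()
        if lw not in seen:
            seen.add(lw)
            words.append(lw)
    return words


def mangle(word):
    """A few common rules: case, year/number suffixes, leetspeak."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2018", "1987"):
        yield word + suffix
        yield word.capitalize() + suffix
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0")
    yield leet
    yield leet.capitalize()


HASHERS = {"md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
           "sha1": lambda s: hashlib.sha1(s.encode()).hexdigest()}

# Constructed "captured" hashes, derived from fictional plaintexts so the
# example checks itself. "Tr0ub4dor&3" is there to show an uncracked leftover.
CAPTURED_MD5 = [HASHERS["md5"](p) for p in
                ("Roadrunner2018", "c0y0t3", "Phoenix1987", "Tr0ub4dor&3")]
CAPTURED_SHA1 = [HASHERS["sha1"](p) for p in
                 ("Roadrunner2018", "c0y0t3", "Phoenix1987", "acme")]


def crack(hashes, fmt, dictionary, use_rules=True):
    """Return {hash: plaintext} for hashes of format `fmt` hit by the dictionary."""
    h = HASHERS[fmt]
    targets = set(hashes)
    found = {}
    for word in dictionary:
        candidates = mangle(word) if use_rules else (word,)
        for cand in candidates:
            digest = h(cand)
            if digest in targets:
                found[digest] = cand
                targets.discard(digest)
        if not targets:
            break
    return found


def run_campaign(md5_hashes, sha1_hashes):
    """Crack MD5 with rules, feed results forward, then crack SHA-1 with no rules."""
    dictionary = site_wordlist(SITE_TEXT)
    first = crack(md5_hashes, "md5", dictionary, use_rules=True)
    # Feedback: every cracked password goes to the front of the dictionary.
    dictionary = list(first.values()) + dictionary
    second = crack(sha1_hashes, "sha1", dictionary, use_rules=False)
    return first, second


if __name__ == "__main__":
    first, second = run_campaign(CAPTURED_MD5, CAPTURED_SHA1)
    print("MD5 pass (with rules):", sorted(first.values()))
    print("SHA-1 pass (no rules):", sorted(second.values()))
```

The second pass finds the three reused passwords plus the plain site word "acme" without ever running a rule, which is the point of the feedback step; the fourth MD5 hash stays uncracked because no rule produces it, the case where a GPU cracker and a larger rule set earn their keep.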
Rules of Engagement

- Penetration testing team contact information
- Target organization contact information
- "Daily debriefing" frequency
- "Daily debriefing" time/location
- Start date of penetration test
- End date of penetration test
- Times when the testing occurs
- Will test be announced to target personnel?
- Will target organization shun IP addresses of attack systems?
- Does target organization's network have automatic shunning capabilities that might disrupt access in unforeseen ways (i.e., create a denial-of-service condition), and if so, what steps will be taken to mitigate the risk?
- Would the shunning of attack systems conclude the test, and if not, what steps will be taken to continue if systems get shunned and what approval (if any) will be required?
- What are the IP addresses of the penetration testing team's attack systems?
- Is this a "black box" test?
- What is the policy regarding viewing data (including potentially sensitive/confidential data) on compromised hosts?
- Will target personnel observe the testing team?

Scoping

- What are the target organization's biggest security concerns? (Examples include disclosure of sensitive information, interruption of production processing, embarrassment due to website defacement, etc.)
- What specific hosts, network address ranges, or applications should be tested?
- What specific hosts, network address ranges, or applications should explicitly NOT be tested?
- List any third parties that own systems or networks that are in scope as well as which systems they own (written permission must have been obtained in advance by the target organization).
- Will the test be performed against a live production environment or a test environment?
- Which of the following testing techniques will the penetration test include: ping sweep of network ranges? Port scan of target hosts? Vulnerability scan of targets? Penetration into targets? Application-level manipulation? Client-side reverse engineering? Physical penetration attempts? Social engineering of people? Other?
- Will the penetration test include internal network testing? If so, how will access be obtained?
- Are client/end-user systems included in scope? If so, how many client systems will be targeted?
- Is social engineering allowed? If so, how may it be used?
- Are denial-of-service attacks allowed?
- Are dangerous checks/exploits allowed?
PENT-PSTR-SANS18-BP-V1

NMAP CHEAT SHEET

Base Syntax
# nmap [ScanType] [Options] {targets}

Target Specification
IPv4 address
IPv6 address: AABB:CCDD::FF%eth0
Host name
IP address range: 192.168.0-255.0-255
CIDR block
Use file with list of targets: -iL <filename>

Target Ports
No port range specified: scans the 1,000 most popular ports
-F  Scan 100 most popular ports
-p<port1>-<port2>  Port range
-p<port1>,<port2>,...  Port list
-pU:53,U:110,T:20-445  Mix TCP and UDP
-r  Scan linearly (do not randomize ports)
--top-ports <n>  Scan n most popular ports
-p-65535  Leaving off the initial port makes Nmap scan start at port 1
-p0-  Leaving off the end port makes Nmap scan up to port 65535
-p-  Leaving off start and end port makes Nmap scan ports 1-65535

Scan Types
-sn  Probe only (host discovery, not port scan)
-sS  SYN Scan
-sT  TCP Connect Scan
-sU  UDP Scan
-sV  Version Scan
-O  OS Detection
--scanflags  Set custom list of TCP flags using URGACKPSHRSTSYNFIN in any order

Probing Options
-Pn  Don't probe (assume all hosts are up)
-PB  Default probe (TCP 80, 445 & ICMP)
-PS<portlist>  Check whether targets are up by probing TCP ports
-PE  Use ICMP Echo Request
-PP  Use ICMP Timestamp Request
-PM  Use ICMP Netmask Request

Aggregate Timing Options
-T0  Paranoid: Very slow, used for IDS evasion
-T1  Sneaky: Quite slow, used for IDS evasion
-T2  Polite: Slows down to consume less bandwidth, runs ~10 times slower than default
-T3  Normal: Default, a dynamic timing model based on target responsiveness
-T4  Aggressive: Assumes a fast and reliable network and may overwhelm targets
-T5  Insane: Very aggressive; will likely overwhelm targets or miss open ports

Fine-Grained Timing Options
--min-hostgroup/max-hostgroup <size>  Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>  Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>  Specifies probe round trip time
--max-retries <tries>  Caps number of port scan probe retransmissions
--host-timeout <time>  Give up on target after this long
--scan-delay/--max-scan-delay <time>  Adjust delay between probes
--min-rate <number>  Send packets no slower than <number> per second
--max-rate <number>  Send packets no faster than <number> per second

Scripting Engine
-sC  Run default scripts
--script=<ScriptName>|<ScriptCategory>|<ScriptDir>...  Run individual or groups of scripts
--script-args=<Name1=Value1,...>  Use the list of script arguments
--script-updatedb  Update script database

Output Formats
-oN  Standard Nmap output
-oG  Greppable format
-oX  XML format
-oA <basename>  Generate Nmap, Greppable, and XML output files using basename for files

Misc Options
-n  Disable reverse IP address lookups
-6  Use IPv6 only
-A  Use several features, including OS Detection, Version Detection, Script Scanning (default), and traceroute
--reason  Display reason Nmap thinks port is open, closed, or filtered

SANS PENETRATION TESTING AND ETHICAL HACKING COURSES
SEC460 Enterprise Threat and Vulnerability Assessment
SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling
SEC542 Web App Penetration Testing and Ethical Hacking (GWAPT; OnDemand)
SEC550 Active Defense, Offensive Countermeasures and Cyber Deception
SEC560 Network Penetration Testing and Ethical Hacking (GPEN; OnDemand)
SEC561 Immersive Hands-on Hacking Techniques
SEC562 CyberCity Hands-on Kinetic Cyber Range Exercise (CyberCity is available for private training only)
SEC564 Red Team Operations and Threat Emulation
SEC567 Social Engineering for Penetration Testers
SEC573 Automating Information Security with Python (GPYC; OnDemand)
SEC575 Mobile Device Security and Ethical Hacking (GMOB; OnDemand)
SEC580 Metasploit Kung Fu for Enterprise Pen Testing
SEC617 Wireless Penetration Testing and Ethical Hacking (GAWN)
SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques (OnDemand)
SEC660 Advanced Penetration Testing, Exploit Writing, and Ethical Hacking (GXPN; OnDemand)
SEC760 Advanced Exploit Development for Penetration Testers

GIAC certifications: GCIH Certified Incident Handler; GWAPT Web Application Penetration Tester; GPEN Penetration Tester; GPYC Python Coder; GMOB Mobile Device Security Analyst; GAWN Assessing and Auditing Wireless Networks; GXPN Exploit Researcher & Advanced Penetration Tester.
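The Nmap target syntax above (CIDR blocks and octet ranges such as 192.168.0-255.0-255) expands to far more addresses than the string suggests, which is how out-of-scope hosts end up in a scan despite the "explicitly NOT tested" line in the scoping worksheet. The following is an added example, not code from the SANS poster or from Nmap: it expands a target specification the way Nmap does for IPv4 (octet lists and ranges, CIDR) and checks every resulting address against the permitted ranges and the exclusion list before a scan line is ever run. The in-scope and excluded ranges are hypothetical engagement values; host names are deliberately rejected because they must be resolved and verified with whois/traceroute as the scoping tips describe.

```python
"""Expand Nmap-style target specs and check them against the engagement scope.

Added example, not code from the SANS poster or from Nmap. Supports IPv4
octet ranges/lists (192.168.0-255.0-255, 10.0.1,5.1) and CIDR blocks;
the in-scope and excluded ranges in example() are hypothetical.
"""
import ipaddress
import itertools


def _octet_values(field):
    """'0-255' -> 0..255; '1,5,9' -> [1, 5, 9]; '-' -> 0..255; '7' -> [7]."""
    values = []
    for part in field.split(","):
        if "-" in part:
            lo, _, hi = part.partition("-")
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else 255
            if not 0 <= lo <= hi <= 255:
                raise ValueError("bad octet range: %r" % part)
            values.extend(range(lo, hi + 1))
        else:
            n = int(part)
            if not 0 <= n <= 255:
                raise ValueError("bad octet: %r" % part)
            values.append(n)
    return values


def expand_target(spec):
    """Yield ipaddress objects for one target spec; host names are rejected."""
    if "/" in spec:
        yield from ipaddress.ip_network(spec, strict=False)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("unsupported target spec (resolve host names first): %r" % spec)
    for combo in itertools.product(*(_octet_values(o) for o in octets)):
        yield ipaddress.IPv4Address(".".join(map(str, combo)))


def check_scope(specs, in_scope, excluded):
    """Return (allowed, out_of_scope, excluded_hits) address lists for the specs."""
    allowed_nets = [ipaddress.ip_network(n, strict=False) for n in in_scope]
    excluded_nets = [ipaddress.ip_network(n, strict=False) for n in excluded]
    allowed, outside, hits = [], [], []
    for spec in specs:
        for ip in expand_target(spec):
            if any(ip in n for n in excluded_nets):
                hits.append(ip)          # explicitly NOT to be tested
            elif any(ip in n for n in allowed_nets):
                allowed.append(ip)
            else:
                outside.append(ip)       # nobody authorized this address
    return allowed, outside, hits


def example():
    """Hypothetical engagement: a /24 in scope, one host excluded, one spec typo'd."""
    return check_scope(["10.20.3.0/30", "10.20.3.250-255", "10.20.4.1"],
                       in_scope=["10.20.3.0/24"], excluded=["10.20.3.254/32"])


if __name__ == "__main__":
    allowed, outside, hits = example()
    print("allowed:", len(allowed), "out of scope:", [str(i) for i in outside],
          "excluded:", [str(i) for i in hits])
```

Anything in the out-of-scope or excluded lists means the scan line is wrong, not the rules of engagement; fix the specification (or get the scope amended in writing) before running Nmap.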

POWERSHELL ESSENTIALS

Syntax
Cmdlets are small scripts that follow a dash-separated verb-noun convention such as "Get-Process".

Similar verbs with different actions:
- New-  Creates a new resource
- Set-  Modifies an existing resource
- Get-  Retrieves an existing resource
- Read-  Gets information from a source, such as a file
- Find-  Used to look for an object
- Search-  Used to create a reference to a resource
- Start-  (asynchronous) begin an operation, such as starting a process
- Invoke-  (synchronous) perform an operation such as running a command

Each verb-noun named cmdlet may have many parameters to control cmdlet functionality.

Objects: The output of most cmdlets are objects that can be passed to other cmdlets and further acted upon. This becomes important in pipelining cmdlets.

5 PowerShell Essentials (concept / what it does / a handy alias)
- Get-Help [cmdlet] -examples / Shows help & examples / Help [cmdlet] -examples
- Get-Command *[string]* / Shows a list of commands / gcm
- Get-Member / Shows properties & methods / [cmdlet] | gm
- ForEach-Object { $_ } / Takes each item on the pipeline and handles it as $_ / [cmdlet] | % { [cmdlet] $_ }
- Select-String / Searches for strings in files or output, like grep / sls -path [file] -pattern [string]

Finding Cmdlets
To get a list of all available cmdlets:
PS C:\> Get-Command
Get-Command supports filtering. To filter cmdlets on the verb Set:
PS C:\> Get-Command Set*
PS C:\> Get-Command -Verb Set
Or on the noun "Process":
PS C:\> Get-Command *Process
PS C:\> Get-Command -Noun Process

Getting Help
To get help with help:
PS C:\> Get-Help
To read cmdlet self-documentation:
PS C:\> Get-Help <cmdlet>
Detailed help:
PS C:\> Get-Help <cmdlet> -detailed
Usage examples:
PS C:\> Get-Help <cmdlet> -examples
Full (everything) help:
PS C:\> Get-Help <cmdlet> -full
Online help (if available):
PS C:\> Get-Help <cmdlet> -online

Pipelining, Loops, and Variables
Piping cmdlet output to another cmdlet:
PS C:\> Get-Process | Format-List -property name
ForEach-Object in the pipeline (alias %):
PS C:\> ls *.txt | ForEach-Object {cat $_}
Where-Object condition (alias where or ?):
PS C:\> Get-Process | Where-Object {$_.Name -eq "notepad"}
Generating ranges of numbers and looping:
PS C:\> 1..10
PS C:\> 1..10 | % {echo "Hello!"}
Creating and listing variables:
PS C:\> $tmol = 42
PS C:\> ls variable:
Examples of passing cmdlet output down the pipeline:
PS C:\> dir | group extension
PS C:\> Get-Service dhcp | Stop-Service -PassThru | Set-Service -StartupType Disabled

Efficient PowerShell
Cmdlet aliases: aliases provide short references to long commands.
To list available aliases (alias alias):
PS C:\> Get-Alias
To expand an alias into a full name:
PS C:\> alias <unknown alias>
PS C:\> alias gcm
Tab completion:
PS C:\> get-child<TAB>
PS C:\> Get-ChildItem
Parameter shortening:
PS C:\> ls -recurse is equivalent to:
PS C:\> ls -r

SCAPY BASICS

To list supported layers:
>>> ls()
Scapy works with layers. Layers are individual functions linked together with the "/" character to construct packets. Some key layers are: arp, ip, ipv6, tcp, udp, icmp.
To view layer fields, use ls(layer):
>>> ls(IPv6)
>>> ls(TCP)
To list available commands:
>>> lsc()
Some key commands for interacting with packets: rdpcap, send, sr, sniff, wrpcap
To get help with a command, use help(command):
>>> help(rdpcap)

Basic Packet Crafting / Viewing
To build a basic TCP/IP packet with "data" as the payload:
>>> packet = IP(dst="<TargetIP>")/TCP(dport=22)/"data"
Note: Scapy allows the user to craft all the way down to the Ether() (Data Link) layer, but will use default values for the data link layer if it's omitted when using the send() or sr() functions. To correctly pass traffic, layers should be ordered from lowest to highest from left to right (e.g., Ether -> IP -> TCP).
To get a packet summary:
>>> packet.summary()
To get more packet details:
>>> packet.show()

Sniffing and pcaps
To sniff using Berkeley Packet Filters:
>>> packets = sniff(filter="host <TargetIP>")
Sniffing using counts:
>>> packets = sniff(count=100)
Reading packets from a pcap:
>>> packets = rdpcap("filename.pcap")
Writing packets to a pcap:
>>> wrpcap("filename.pcap", packets)

Sending Packets
Creating and sending a packet:
>>> packet = IP(dst="<TargetIP>")/TCP(dport=80, flags="S")
Send a packet, or a list of packets, without a custom Ether layer:
>>> send(packet)
Send function options:
filter = <Berkeley Packet Filter>
retry = <retry count for unanswered packets>
timeout = <number of seconds to wait before giving up>
iface = <interface to send and receive>
>>> packets = sr(packet, retry=5, timeout=1.5, iface="eth0", filter="host <TargetIP> and port 80")

Receiving and Analyzing Packets
Received packets can be stored in a variable when using a send/receive function such as sr(), srp(), sr1(), or srp1(). sr() and srp() return a tuple of (answered, unanswered):
>>> packet = IP(dst="<TargetIP>")/TCP(dport=(0,1024))
>>> ans, unans = sr(packet)
Received 1086 packets, got 1024 answers, remaining 0 packets
"ans" will store the answered packets:
>>> ans
<Results: TCP:1024 UDP:0 ICMP:0 Other:0>
To see a summary of the responses:
>>> ans.summary()
IP / TCP > S ==> IP / TCP > SA / Padding
Note: this is the output from port 139 (netbios_ssn). Notice how this port was open and responded with a SYN-ACK.
To view a specific pair of sent/replied packets:
>>> ans[15]
To view the first packet in the pair (the packet Scapy sent):
>>> ans[15][0]
<IP frag=0 proto=tcp dst= |<TCP dport=netstat flags=S |>>
To view the response from the distant end:
>>> ans[15][1]
<IP version=4L ihl=5L tos=0x0 len=40 id=16355 flags=DF frag=0L ttl=128 proto=tcp chksum=0x368c src= dst= options=[] |<TCP sport=netstat dport=ftp_data seq=0 ack=1 dataofs=5L reserved=0L flags=RA window=0 chksum=0x2b4c urgptr=0 |<Padding load='\x00\x00\x00\x00\x00\x00' |>>>
To view the TCP flags in the response packet (RA = RST/ACK, so port 15/netstat is closed):
>>> ans[15][1].sprintf("%TCP.flags%")
'RA'

METASPLOIT

Metasploit Console Basics (msfconsole)
msf > search [criteria]
Specify an exploit to use:
msf > use exploit/[ExploitPath]
Specify a payload to use:
msf > set PAYLOAD [PayloadPath]
Show options for the current modules:
msf > show options
Set options:
msf > set [Option] [Value]
Start the exploit:
msf > exploit

Managing Sessions
Run the exploit expecting a single session that is immediately backgrounded:
msf > exploit -z
Run the exploit in the background, so that msfconsole can still be used while the exploit is running:
msf > exploit -j
List all current jobs (usually exploit listeners):
msf > jobs -l
Kill a job:
msf > jobs -k [JobID]

Post Modules from Meterpreter
With an available Meterpreter session, post modules can be run on the target machine.
Run post modules from Meterpreter:
meterpreter > run post/multi/gather/env
Run post modules on a backgrounded session:
msf > use post/windows/gather/hashdump
msf > show options
msf > set SESSION 1
msf > run

Useful Auxiliary Modules
TCP port scanner:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS <targets>
msf > run
DNS enumeration:
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run
FTP server:
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run
Create a socks4 proxy on the local machine that allows external tools to use Metasploit's routing:
msf > use auxiliary/server/socks4
msf > run

Meterpreter Base Commands
? / help: Display a summary of commands
exit / quit: Exit the Meterpreter session
sysinfo: Show the system name and OS type
shutdown / reboot: Self-explanatory
cd: Change directory
lcd: Change directory on the local (attacker's) machine
pwd / getwd: Display current working directory
ls: Show the contents of the directory
cat: Display the contents of a file on screen
download / upload: Move files to/from the target machine
mkdir / rmdir: Make / remove directory
edit: Open a file in the default editor (typically vi)
getpid: Display the process ID that Meterpreter is running inside
getuid: Display the user ID that Meterpreter is running with
ps: Display process list
kill: Terminate a process given its process ID
execute: Run a given program with the privileges of the process the Meterpreter is loaded in
migrate: Jump to a given destination process ID
- Target process must have same or lesser privileges
- Target process may be a more stable process
- Once inside a process, you can access any files that process has a lock on
ipconfig: Show network interface information
portfwd: Forward packets through TCP session
route: Manage/view the exploited system's routing table

SLINGSHOT
The Slingshot Linux distribution is used for a variety of different SANS Penetration Testing courses. Slingshot's tool arsenal has been thoroughly tested to ensure excellent results in course labs and in penetration testing projects. Slingshot includes the following tools: the Metasploit Framework and a collaboration tool for it, the tcpdump sniffer, the Ettercap man-in-the-middle tool, the Nessus vulnerability scanner, the Nikto web scanner, ExifTool for metadata analysis, the Veil-Evasion anti-virus evasion tool, the Nmap port scanner, the Hydra password guesser, and PowerShell Empire.

SANS: The Most Trusted Source for Information Security Training, Certification, and Research. @SANSPenTest @SANSInstitute
(The binary string printed along the bottom of the poster is ASCII for: holidayhackchallenge.com)