# Methodology ## **Pre-engagement (Planning)** **Objective:** Establish clear rules and goals with the client. * **What to do**: Define the scope of the engagement (e.g., which systems or networks are in scope). Agree on legal boundaries and expectations. * **Tools/Techniques**: Legal contracts, Rules of Engagement (RoE) documents. * **Outcome**: Clear understanding of what to test and which attack simulations are permitted. ## **Information Gathering (Reconnaissance)** **Objective:** Collect as much information as possible about the target without interacting with it directly (passive) or by scanning (active). * **What to do**: * **Passive reconnaissance:** Search for open-source information (OSINT) such as domain names, email addresses, and IP ranges. * **Active reconnaissance:** Scan for open ports, services, and vulnerable applications. * **Tools/Techniques**: * **Passive:** Google dorking, WHOIS lookup, Shodan, theHarvester. * **Active:** Nmap, Masscan, banner grabbing. * **MITRE ATT\&CK Mapping**: *Reconnaissance (T1595)*, *Initial Access (T1078)*. ## **Vulnerability Assessment** **Objective**: Identify vulnerabilities within the target systems using automated and manual techniques. * **What to do**: Scan the network and systems for known vulnerabilities, misconfigurations, or weak services. * **Tools/Techniques**: * **Automated Scanners**: Nessus, OpenVAS, Qualys. * **Manual Techniques**: Burp Suite for web applications, Nikto, manual code review, misconfiguration checks (e.g., missing patches, weak encryption). * **Outcome**: A list of vulnerabilities and potential attack vectors. * **MITRE ATT\&CK Mapping**: *Discovery (T1083)*, *Network Service Scanning (T1046)*. ## **Exploitation** **Objective**: Exploit identified vulnerabilities to gain access to the system. * **What to do**: Use the vulnerabilities identified in the previous step to break into the system. * **Tools/Techniques**: * **Exploit Frameworks**: Metasploit, ExploitDB, custom scripts. * **Web Exploits**: SQL Injection, Command Injection, Cross-Site Scripting (XSS), Remote Code Execution (RCE). * **Outcome**: Initial access to the target system. * **MITRE ATT\&CK Mapping**: *Execution (T1203)*, *Exploitation for Client Execution (T1203)*. ## **Post-Exploitation** **Objective**: Gather useful information, maintain persistence, and expand control over the compromised environment. * **What to do**: * **Data Collection**: Extract sensitive data like passwords, tokens, or database content. * **Persistence**: Install backdoors or create new user accounts to maintain access. * **Stealth**: Cover tracks by cleaning up logs or using anti-forensics techniques. * **Tools/Techniques**: * **Password Dumping**: Mimikatz, Windows Credential Manager, hash dumping. * **Maintaining Persistence**: Creating cron jobs, modifying Windows Registry, SSH backdoors. * **Log Manipulation**: Clearing logs or tampering with forensic evidence. * **Outcome**: Expanded control over the compromised system and preparation for further exploitation. * **MITRE ATT\&CK Mapping**: *Persistence (T1547)*, *Collection (T1114)*, *Defense Evasion (T1070)*. ## **Lateral Movement** **Objective**: Move from the initial compromised system to other systems within the network. * **What to do**: Use compromised credentials, session hijacking, or pivoting techniques to access other internal systems. * **Tools/Techniques**: * **Credential Reuse**: Using passwords or tokens obtained from one machine to access others. * **Pivoting**: Use compromised machine as a gateway to explore further systems (Metasploit, proxychains). * **SMB Exploits**: Pass-the-Hash, exploiting SMB/RDP services (e.g., PsExec). * **Outcome**: Gaining control of additional systems in the network. * **MITRE ATT\&CK Mapping**: *Lateral Movement (T1021)*, *Pass-the-Hash (T1550)*, *Exploitation of Remote Services (T1210)*. ## **Privilege Escalation** **Objective**: Gain higher-level privileges, such as root or system administrator, on the compromised machine. * **What to do**: Exploit kernel vulnerabilities, misconfigurations, or use tools to escalate privileges. * **Tools/Techniques**: * **Linux Privilege Escalation**: Exploiting SUID binaries, kernel exploits (e.g., Dirty Cow), checking for weak sudo permissions. * **Windows Privilege Escalation**: Windows UAC bypass, token manipulation, exploiting vulnerable services like **PrintNightmare**. * **Outcome**: Elevated privileges on the compromised system. * **MITRE ATT\&CK Mapping**: *Privilege Escalation (T1068)*, *Exploitation for Privilege Escalation (T1068)*. ## **Proof-of-Concept (PoC)** **Objective**: Demonstrate the potential impact of vulnerabilities by providing clear proof of exploitation. * **What to do**: Provide evidence that proves the exploit works and shows what data or system control was obtained. * **Tools/Techniques**: * **PoC Development**: Write custom exploits or screenshots showing access. * **Documenting Impact**: Collect data (e.g., extracted sensitive files, screenshots of shell access). * **Outcome**: A clear demonstration of the impact for reporting purposes. * **MITRE ATT\&CK Mapping**: *Impact (T1486)*. ## **Post-Engagement** **Objective**: Summarize findings, provide recommendations, and remove any artifacts left during the test. * **What to do**: * **Reporting**: Provide technical and executive reports outlining the vulnerabilities found, exploitation details, and recommendations. * **Cleanup**: Remove backdoors, accounts, or persistence mechanisms installed during the test. * **Tools/Techniques**: Manual system checks, script cleanups, forensic tools. * **Outcome**: The system is restored, and the client receives actionable feedback. * **MITRE ATT\&CK Mapping**: Not directly mapped, but defensive measures are taken based on findings. ## **Differences Between Post-Exploitation, Lateral Movement, and Privilege Escalation** #### **Post-Exploitation**: * **Objective**: After gaining initial access, focus on gathering intelligence, maintaining access, and preparing for further attacks. * **Key Techniques**: * **Data Collection**: Dump credentials, extract sensitive files. * **Persistence**: Create new user accounts, install backdoors (e.g., cron jobs, startup scripts). * **Log Manipulation**: Clean or manipulate logs to avoid detection. #### **Lateral Movement**: * **Objective**: Move through the compromised network to access more systems and expand control. * **Key Techniques**: * **Pivoting**: Use compromised machine as a foothold to explore other systems (e.g., using Metasploit's pivot module). * **Credential Reuse**: Leverage passwords or hashes from one machine to access others. * **Exploiting Remote Services**: Use RDP, SMB, SSH to move to other systems. #### **Privilege Escalation**: * **Objective**: Elevate privileges from a lower-level user (e.g., local user) to an administrator or root. * **Key Techniques**: * **Windows**: UAC bypass, token impersonation (e.g., SeImpersonatePrivilege). * **Linux**: Exploit SUID binaries, weak sudo permissions, kernel exploits (e.g., Dirty Cow). ## Full Workflow Example * **Pre-engagement**: Define rules using engagement contracts. * **Information Gathering**: Use Nmap for network scanning, WHOIS for public information. * **Vulnerability Assessment**: Scan with Nessus, manually validate with Burp Suite. * **Exploitation**: Use Metasploit to exploit an RCE vulnerability. * **Post-Exploitation**: Dump credentials with Mimikatz, install persistence with cron jobs. * **Lateral Movement**: Use compromised credentials for SMB shares, pivot using proxychains. * **Privilege Escalation**: Exploit kernel vulnerabilities on Linux for root access. * **Proof-of-Concept**: Demonstrate access to critical data (e.g., passwords, sensitive files). * **Post-Engagement**: Cleanup backdoors, provide a detailed report.