DiscordHackTheBoxTryHackMeGitHub

Methodology

Usually penetration testing are having a structure, with which hackers are working. So here I'll try to explain shortly about each part of engagement.

Pre-engagement (Planning)

Objective: Establish clear rules and goals with the client.

  • What to do: Define the scope of the engagement (e.g., which systems or networks are in scope). Agree on legal boundaries and expectations.

  • Tools/Techniques: Legal contracts, Rules of Engagement (RoE) documents.

  • Outcome: Clear understanding of what to test and which attack simulations are permitted.

Information Gathering (Reconnaissance)

Objective: Collect as much information as possible about the target without interacting with it directly (passive) or by scanning (active).

  • What to do:

    • Passive reconnaissance: Search for open-source information (OSINT) such as domain names, email addresses, and IP ranges.

    • Active reconnaissance: Scan for open ports, services, and vulnerable applications.

  • Tools/Techniques:

    • Passive: Google dorking, WHOIS lookup, Shodan, theHarvester.

    • Active: Nmap, Masscan, banner grabbing.

  • MITRE ATT&CK Mapping: Reconnaissance (T1595), Initial Access (T1078).

Vulnerability Assessment

Objective: Identify vulnerabilities within the target systems using automated and manual techniques.

  • What to do: Scan the network and systems for known vulnerabilities, misconfigurations, or weak services.

  • Tools/Techniques:

    • Automated Scanners: Nessus, OpenVAS, Qualys.

    • Manual Techniques: Burp Suite for web applications, Nikto, manual code review, misconfiguration checks (e.g., missing patches, weak encryption).

  • Outcome: A list of vulnerabilities and potential attack vectors.

  • MITRE ATT&CK Mapping: Discovery (T1083), Network Service Scanning (T1046).

Exploitation

Objective: Exploit identified vulnerabilities to gain access to the system.

  • What to do: Use the vulnerabilities identified in the previous step to break into the system.

  • Tools/Techniques:

    • Exploit Frameworks: Metasploit, ExploitDB, custom scripts.

    • Web Exploits: SQL Injection, Command Injection, Cross-Site Scripting (XSS), Remote Code Execution (RCE).

  • Outcome: Initial access to the target system.

  • MITRE ATT&CK Mapping: Execution (T1203), Exploitation for Client Execution (T1203).

Post-Exploitation

Objective: Gather useful information, maintain persistence, and expand control over the compromised environment.

  • What to do:

    • Data Collection: Extract sensitive data like passwords, tokens, or database content.

    • Persistence: Install backdoors or create new user accounts to maintain access.

    • Stealth: Cover tracks by cleaning up logs or using anti-forensics techniques.

  • Tools/Techniques:

    • Password Dumping: Mimikatz, Windows Credential Manager, hash dumping.

    • Maintaining Persistence: Creating cron jobs, modifying Windows Registry, SSH backdoors.

    • Log Manipulation: Clearing logs or tampering with forensic evidence.

  • Outcome: Expanded control over the compromised system and preparation for further exploitation.

  • MITRE ATT&CK Mapping: Persistence (T1547), Collection (T1114), Defense Evasion (T1070).

Lateral Movement

Objective: Move from the initial compromised system to other systems within the network.

  • What to do: Use compromised credentials, session hijacking, or pivoting techniques to access other internal systems.

  • Tools/Techniques:

    • Credential Reuse: Using passwords or tokens obtained from one machine to access others.

    • Pivoting: Use compromised machine as a gateway to explore further systems (Metasploit, proxychains).

    • SMB Exploits: Pass-the-Hash, exploiting SMB/RDP services (e.g., PsExec).

  • Outcome: Gaining control of additional systems in the network.

  • MITRE ATT&CK Mapping: Lateral Movement (T1021), Pass-the-Hash (T1550), Exploitation of Remote Services (T1210).

Privilege Escalation

Objective: Gain higher-level privileges, such as root or system administrator, on the compromised machine.

  • What to do: Exploit kernel vulnerabilities, misconfigurations, or use tools to escalate privileges.

  • Tools/Techniques:

    • Linux Privilege Escalation: Exploiting SUID binaries, kernel exploits (e.g., Dirty Cow), checking for weak sudo permissions.

    • Windows Privilege Escalation: Windows UAC bypass, token manipulation, exploiting vulnerable services like PrintNightmare.

  • Outcome: Elevated privileges on the compromised system.

  • MITRE ATT&CK Mapping: Privilege Escalation (T1068), Exploitation for Privilege Escalation (T1068).

Proof-of-Concept (PoC)

Objective: Demonstrate the potential impact of vulnerabilities by providing clear proof of exploitation.

  • What to do: Provide evidence that proves the exploit works and shows what data or system control was obtained.

  • Tools/Techniques:

    • PoC Development: Write custom exploits or screenshots showing access.

    • Documenting Impact: Collect data (e.g., extracted sensitive files, screenshots of shell access).

  • Outcome: A clear demonstration of the impact for reporting purposes.

  • MITRE ATT&CK Mapping: Impact (T1486).

Post-Engagement

Objective: Summarize findings, provide recommendations, and remove any artifacts left during the test.

  • What to do:

    • Reporting: Provide technical and executive reports outlining the vulnerabilities found, exploitation details, and recommendations.

    • Cleanup: Remove backdoors, accounts, or persistence mechanisms installed during the test.

  • Tools/Techniques: Manual system checks, script cleanups, forensic tools.

  • Outcome: The system is restored, and the client receives actionable feedback.

  • MITRE ATT&CK Mapping: Not directly mapped, but defensive measures are taken based on findings.

Differences Between Post-Exploitation, Lateral Movement, and Privilege Escalation

Post-Exploitation:

  • Objective: After gaining initial access, focus on gathering intelligence, maintaining access, and preparing for further attacks.

  • Key Techniques:

    • Data Collection: Dump credentials, extract sensitive files.

    • Persistence: Create new user accounts, install backdoors (e.g., cron jobs, startup scripts).

    • Log Manipulation: Clean or manipulate logs to avoid detection.

Lateral Movement:

  • Objective: Move through the compromised network to access more systems and expand control.

  • Key Techniques:

    • Pivoting: Use compromised machine as a foothold to explore other systems (e.g., using Metasploit's pivot module).

    • Credential Reuse: Leverage passwords or hashes from one machine to access others.

    • Exploiting Remote Services: Use RDP, SMB, SSH to move to other systems.

Privilege Escalation:

  • Objective: Elevate privileges from a lower-level user (e.g., local user) to an administrator or root.

  • Key Techniques:

    • Windows: UAC bypass, token impersonation (e.g., SeImpersonatePrivilege).

    • Linux: Exploit SUID binaries, weak sudo permissions, kernel exploits (e.g., Dirty Cow).

Full Workflow Example

  • Pre-engagement: Define rules using engagement contracts.

  • Information Gathering: Use Nmap for network scanning, WHOIS for public information.

  • Vulnerability Assessment: Scan with Nessus, manually validate with Burp Suite.

  • Exploitation: Use Metasploit to exploit an RCE vulnerability.

  • Post-Exploitation: Dump credentials with Mimikatz, install persistence with cron jobs.

  • Lateral Movement: Use compromised credentials for SMB shares, pivot using proxychains.

  • Privilege Escalation: Exploit kernel vulnerabilities on Linux for root access.

  • Proof-of-Concept: Demonstrate access to critical data (e.g., passwords, sensitive files).

  • Post-Engagement: Cleanup backdoors, provide a detailed report.

PreviousCertificatesNextProtocols

Last updated