**Tools of the Trade:**
- [[Nmap]]
- [[Metasploit]]
- [[dnsmap]]
- [[dmitry]]
- [[Enum4Linux]]
- [[Hydra]]
- [[Hashcat]]
- [[Medusa]]
- [[Nessus]]
- [[Shodan]]
- [[Searchsploit]]
- [[Veil]]
- [[https://www.exploit-db.com/]]
- [[https://viewdns.info/]]
- [[https://leakpeek.com/]]
- [[https://osintframework.com/]]
- [[Cherrytree]] for documentation

# Stages

## Scanning (Information Gathering)

Information gathering about the target.

## Enumeration (Vulnerability Assessment)

Investigate the target more deeply to assess potential vulnerabilities. Look for:
- [[Entry Points]] that can be accessed via [[Attack Vectors]] on a target's [[Attack Surface]]
- Avoid [[Rabbit Holes]]

## Exploitation (Gain Access)

- Exploit - the door through which you enter
- [[Payload]] - the component that lets you interact with the environment once you are in

Without a payload you will not be able to interact with the target.

Types of shell:
- Reverse Shell
  - The target connects back to the attacker
  - Firewalls tend not to block outgoing ports, which makes this the more versatile option
- Bind Shell
  - The payload opens a listening port on the target machine, and the attacker connects to the target through that port

![[exploitation_shell_explanation.png]]

## Steps

1. Scan and document the target machine using nmap
2. Use searchsploit to look for exploits that can be run both inside and outside of msfconsole
3. msfconsole:
   1. search

```
# scan and document the target machine using nmap
nmap / db_nmap
# use searchsploit to look for exploits that can be run inside and outside of msfconsole
# use msfconsole to search
```

## [[Post Exploitation]] (Privilege Escalation, Maintaining Access, Cover Tracks)

## Reporting

## Format

- Black Box - simulates an external attack with no insider knowledge
- White Box - full knowledge of the target box
- Grey Box - partial knowledge, with some insider information
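The two shell types described under Exploitation leave opposite traces on the compromised host: a reverse shell shows up as an unexpected outbound connection, a bind shell as an unexpected new listener. The following is an added example (not from these notes or any tool listed above) of a detector that runs over a constructed, simplified socket-event log; the log format, host names, IPs and the per-host baselines are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log (assumed format, not a real tool's output):
#   <host> <event> <local_ip>:<local_port> <remote_ip>:<remote_port>
# LISTEN  = a socket was opened to accept inbound connections
# CONNECT = a process on the host made an outbound connection
SAMPLE_LOG = """\
web01 LISTEN 10.0.0.5:443 0.0.0.0:0
web01 CONNECT 10.0.0.5:51522 10.0.0.9:5432
web01 CONNECT 10.0.0.5:51523 203.0.113.77:4444
web01 LISTEN 10.0.0.5:4444 0.0.0.0:0
"""

# Assumed per-host baselines: ports a host is expected to listen on,
# and remote ports it is allowed to reach outside the internal networks.
EXPECTED_LISTEN = {"web01": {443}}
EGRESS_ALLOW = {"web01": set()}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

@dataclass
class Finding:
    host: str
    kind: str    # "reverse-shell-pattern" or "bind-shell-pattern"
    detail: str

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def classify(line, expected_listen=EXPECTED_LISTEN, egress_allow=EGRESS_ALLOW):
    """Return a Finding for one log line, or None if it matches the baseline."""
    host, event, local, remote = line.split()
    lport = int(local.rsplit(":", 1)[1])
    rip, rport = remote.rsplit(":", 1)
    if event == "LISTEN" and lport not in expected_listen.get(host, set()):
        # Bind-shell pattern: a listener the baseline does not know about.
        return Finding(host, "bind-shell-pattern", f"unexpected listener on {lport}")
    if event == "CONNECT" and not is_internal(rip) \
            and int(rport) not in egress_allow.get(host, set()):
        # Reverse-shell pattern: the host initiates a connection outward.
        return Finding(host, "reverse-shell-pattern", f"outbound to {rip}:{rport}")
    return None

def scan_log(text, expected_listen=EXPECTED_LISTEN, egress_allow=EGRESS_ALLOW):
    """Run classify() over every non-empty line and collect the findings."""
    return [f for f in (classify(l, expected_listen, egress_allow)
                        for l in text.splitlines() if l.strip()) if f]
```

Tightening EGRESS_ALLOW and EXPECTED_LISTEN to what each host really needs is what makes the outbound leg of a reverse shell stand out, which is the flip side of the "firewalls rarely block outgoing ports" observation above.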