rorymbyrne / CTFMethod

quick and dirty notes

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CTFMethod

quick and dirty notes

######################### Recon ######################### Identify Box Owner Look up their github - found Look up their Twitter - found Look up their LinkedIn - not found Look at HTB to find other boxes they have made ######################## Enumeration ######################### TCP Scan common ports (-f or no port specification) Scan all ports (-p- or -p 0-65535) Connect Scan - Optional UDP Scan common ports Optional - Scan all ports (-p- or -p 0-65535) Manually Check (mainly because they are easy to forget/miss) SNMP DNS TFTP ######################### Service Fingerprinting ######################### Identify Services (sV) Nmap Common Vulns (-sC) Identify Operating Systems Identify IPS/IDS/WAF/CDN/Security Technology Look for common weaknesses and known vulnerabilities (research) Search exploitdb from nmap output - optional ######################### HTTP Discovery Manually Review Site Check HTTP resonses Check METHODs Check Comments Check Site Legitimate Functionality Look for common files e.g. robots.txt, security.txt, sitemap.xml Check TLS Config (For flaws but also host header record leakage) Use the site through proxy (BURP) Crawl the site (BURP) Force Browser/Content Discovery (WFUZZ, DIRBUSTER, BURP PRO) Forced browse with custom content lists based on the target app etc. NIKTO NESSUS OWASP ZAP Known Unpatched Applicaiton Vulnerabilities Depenancy Vulnerabilities Content Security Policy Header Discovery Common Web Vulnerabilities XSS Injection SQL NOSQL Command Injection (OS) LDAP Injection
Path Traversal Security Misconfigurations Insecure File Upload Insecure Direct Oject Refrences (IDOR) Broken Authentication Session Tokens Cookie Manipulation/tampering XML Exernal Entities (XXE) Insecure Deserialisation JSON ######################### Priviledge Escalation ######################### ######################### Active Directory ######################### Group Policy Preferences Passwords Kerberoating ASREP Roasting Responer/LLMNR Poisoning WPAD Poisoning Pass the Hash Golden Ticket Silver Ticket Insecure Delegation Permissions Abusing Trusts Passwords in active directory metadata (e.g. Descriptions) Weak/Easily Guessable Passwords Weak or Missing Account Lockout settings Misconfigured ACL/DACL Directory Replication MIMIKATZ/IMPACKET PowerSploit/PowerUp SharpHound/Bloodhound PingCastle ######################### Microsoft Exchange ######################### Insecure Permissions Known Exploits ######################### Windows Server/Client ######################### Unquoted Service Paths Windows Installer Always Install Elevated Insure Credential Storage SYSPREP Answer Files Autologon Registry Keys VNC TeamViewer Excel Files Zip Files TXT Files Insecure Service/File Permissions ######################### Linux ######################### Kernel Exploits Insecure Custom Binary Insecure Linux Capabilities Insecure CRON Jobs CRON Path Vulnerabiltiies CRON Wildcards CRON File Overwrite Insecure Scripted Jobs Insecure SUID (Set User ID) Configuration Docker/Container Escapes Insecure Credentials Application Configurations Log Files/Debug Logs Insecure SSH Keys (id_rsa & id_rsa.pub) Insecure backups Transmission of Credentials in Clear Text Packet Capture to retrieve HTTP/TELNET/FTP credentials Binary Exploitation Buffer Overflow ROP ######################### Cloud Services ######################### Azure AD Connect Office 365 Azure AD AWS Insecure S3 Buckets Networking Insecure Management Interfaces DHCP Poisoning IPV4 MITM IPV6 MITM SMB Relay ######################### Common Protocols ######################### SMTP FTP SMB LDAP TELNET SSH TFTP SNMP Intel AMT/VPRO DELL iDRAC HP ILO WINRM NFS IMPAP POP3

ezoic increase your site revenue

About

quick and dirty notes