Pentesting Methodology
This is the main page. Here you can find the typical workflow for the pentesting of a machine
Last updated
Was this helpful?
This is the main page. Here you can find the typical workflow for the pentesting of a machine
Last updated
Was this helpful?
Do you use Hacktricks every day? Did you find the book very useful? Would you like to receive extra help with cybersecurity questions? Would you like to find more and higher quality content on Hacktricks? so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!
If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the , or follow me on Twitter . If you want to share some tricks with the community you can also submit pull requests to that will be reflected in this book and don't forget to give ⭐ on github to motivate me to continue developing this book.
Depending if the test you are perform is an internal or external test you may be interested on finding hosts inside the company network (internal test) or finding assets of the company on the internet (external test).
Once you know which services are running, and maybe their version, you have to search for known vulnerabilities. Maybe you get lucky and there is a exploit to give you a shell...
If there isn't any fancy exploit for any running service, you should look for common misconfigurations in each service running.
Inside this book you will find a guide to pentest the most common services (and others that aren't so common). Please, search in the left index the PENTESTING section (the services are ordered by their default ports).
If your service is not inside the index, search in Google for other tutorials and let me know if you want me to add it. If you can't find anything in Google, perform your own blind pentesting, you could start by connecting to the service, fuzzing it and reading the responses (if any).
If at this point you haven't found any interesting vulnerability you may need to try some phishing in order to get inside the network. You can read my phishing methodology here:
Specially in Windows you could need some help to avoid antiviruses: **[Check this page](windows/av-bypass.md).**
If you have troubles with the shell, you can find here a small compilation of the most useful commands for pentesters:
TODO: Complete persistence Post in Windows & Linux
Do you have physical access to the machine that you want to attack? You should read some and others about **[escaping from GUI applications**](physical-attacks/escaping-from-gui-applications/).
This section only applies if you are performing an internal test. Before attacking a host maybe you prefer to steal some credentials from the network or sniff some data to learn passively/actively(MitM) what can you find inside the network. You can read .
The first thing to do when looking for vulnerabilities in a host is to know which services are running in which ports. Let's see the.
I want to make a special mention of the part (as it is the most extensive one). Also, a small guide on how to can be found here.
There are also several tools that can perform automatic vulnerabilities assessments. I would recommend you to try , which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.
In some scenarios a Brute-Force could be useful to compromise a service. .
Somehow you should have found some way to execute code in the victim. Then, .
You will probably need to extract some data from the victim or even introduce something (like privilege escalation scripts). Here you have a .
If you are not root/Administrator inside the box, you should find a way to escalate privileges. Here you can find a guide to escalate privileges locally in and in . You should also check this pages about how does Windows work:
How does
How to in Windows
Some tricks about
Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:
Here you can find a . Even if this is just a subsection of a section, this process could be extremely delicate on a Pentesting/Red Team assignment.
Check if you can find more passwords inside the host or if you have access to other machines with the privileges of your user. Find here different ways to .
Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again. Here you can find some .
With the gathered credentials you could have access to other machines, or maybe you need to discover and scan new hosts (start the Pentesting Methodology again) inside new networks where your victim is connected. In this case tunnelling could be necessary. Here you can find . You definitely should also check the post about . There you will find cool tricks to move laterally, escalate privileges and dump credentials. Check also the page about , it could be very useful to pivot on Windows environments..
