Scanning: This phase involves identifying live targets and their open ports on a network.
- unicornscan 10.0.0.1
- nmap -sS 192.168.1.1-255 (SYN scan, requires root); nmap -sn -PR 192.168.1.0/24 (ARP ping sweep for live hosts, no port scan)
- netdiscover -r 10.0.0.0/24 -i eth0
- nmap with the -sV (service/version detection) and/or -O (OS fingerprinting) options
- amap -Abqv 10.0.0.1 80; amap -B 10.0.0.1 80
- xprobe2 -p tcp:445:open
- httprint for webserver enumeration
- metasploit auxiliary/scanner/smb/smb_version module if port 445 or 139 is open
- nmap --script smb-os-discovery
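The scanning commands above produce banners and OS guesses that the next phase has to turn into something you can look up. As an added example that is not part of the original post, the following Python parses nmap's XML output (`-oX`) and builds "product version" search strings for exploit-db, securityfocus and friends; the XML is a constructed sample of what `nmap -sS -sV -O -oX` emits for a hypothetical host, not a real scan, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sS -sV -O -oX scan.xml 10.0.0.1` output.
# Host, services and versions are hypothetical; only the elements used below are kept.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 10.0.0.1">
  <host>
    <status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8" extrainfo="(Ubuntu)"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered"/>
        <service name="http-proxy"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.9 - 2.6.33" accuracy="96"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of up hosts, each with address, best OS match and OPEN services only."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap did not see as live
        addr_el = host.find("address[@addrtype='ipv4']")
        osmatch = host.find("os/osmatch")  # nmap lists the most likely match first
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not research targets
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "services": services,
        })
    return hosts


def is_exact_version(version):
    """nmap often reports a range ("3.X - 4.X"); those need a second look (e.g. smb_version)
    before you can search for a specific advisory."""
    return bool(version) and "X" not in version and " - " not in version


def research_queries(hosts):
    """Build sorted, de-duplicated (query, exact) pairs to feed into exploit databases."""
    queries = set()
    for h in hosts:
        for s in h["services"]:
            if not s["product"]:
                continue  # no product banner: nothing to look up yet
            query = f"{s['product']} {s['version']}" if s["version"] else s["product"]
            queries.add((query, is_exact_version(s["version"])))
    return sorted(queries)


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in found:
        print(f"{h['addr']} os={h['os']}")
        for s in h["services"]:
            print(f"  {s['port']}/{s['proto']} {s['name']} {s['product']} {s['version']}")
    for query, exact in research_queries(found):
        print(("search: " if exact else "verify version first: ") + query)
```

Queries flagged as inexact are the ones to resolve with a more specific probe (the smb_version module or smb-os-discovery script for the Samba case) before spending time in the exploit archives.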
Research: After identifying the OS and its applications (and in some cases their versions), you will want to research each of them for potential vulnerabilities and security bypasses. Some resources that you can use to research vulnerabilities are:
- www.securityfocus.com
- www.exploit-db.com
- www.secunia.com
- www.google.ca
Exploitation: Once research turns up a candidate vulnerability, these tools deliver the exploit (or a client-side / social-engineering attack) against the target.
- metasploit
- www.exploit-db.com or a local copy of their archive as found in BackTrack 4
- local copy of the milw0rm exploits archive
- fasttrack
- milw0rm
- SET, i.e, social engineering toolkit
Maintaining access: After a successful exploit, these tools give you a persistent or reusable way back into the compromised host.
- netcat
- cryptcat
- mirkov
- guptachar (see blogpost)
- metsvc (meterpreter)
- rootkits
These are just guidelines that I've learnt from various resources. The majority of pentesters out there tend to follow similar guidelines to those that I've outlined. There are many more tools that can be utilized in each phase, but that was not the purpose of this blog. It is important to have an idea of the overall phases that one may encounter in real life and why each is important. I did not go into much depth, but each phase has its value. It is very important to know your tools, to practice using them and to know when to use them, as your experience can be the deciding factor in whether you get in or whether you serve yourself a serving of fail.