eJPT Notes:

Pen-testing Cycle:

Information Gathering:

General List

- WHOIS
- DNS Information
- Check live hosts by their IP
- Check if one or more websites are using the same IP
- Services running on the network
- Open ports
- OS running on hosts or servers

- Checking Items:
        - Emails
        - Phone numbers
        - websites
        - Addresses
        - Social Media: LinkedIn, Facebook, Twitter, CrunchBase

Whois:
    - Use the whois command on Linux and OSX to find general information about a domain
        Ex: whois www.apple.com

    - For Windows, use Sysinternals Whois

Web Application:

- Domain
- Sub Domain
- Page (website crawling)
- Technologies 
- Languages
- Frameworks and Content Management Systems
- Web Application Testing

Fingerprinting & Scanning

OS Fingerprinting:

    - Fingerprinting the OS helps narrow down the range of vulnerabilities and
        exploitation techniques to consider
    - Finding an approximate version of the OS
    - Level of patching

Port Scanning:

    - Open ports
    - Type of services on the ports
    - Knowing the running service lets you infer:
        - The OS
        - The role of the IP address (server IP or client IP)
        - The type of server: database, web, email

General Items

    - Routers
    - Firewalls
    - Hosts
    - Services 
    - Printers
    - Ports

You can perform the fingerprinting passively (by analyzing a pcap file stored from Wireshark) or actively using p0f

Port status:

  • If the packets come back flagged with RST, the port is closed

  • If the packets completed the handshake and an RST flag was then sent, the port is open

  • Every TCP connection (full handshake) is logged on the system and can be detected

  • TCP SYN is a stealthy way to scan the ports: send SYN packets to the target and analyze the results

    The TCP-SYN scan sends a SYN packet to the target; if it gets an RST back, the port is closed.

    If the packets are returned with the ACK flag set, the port is open. In this case the scanner sends an RST packet to force-close the connection and not complete the handshake.

  • Since there was NO complete handshake, no logs were recorded on the system.
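
The SYN scan logic above, modelled from both sides as an added example (not from the original notes; it sends no packets): classify_port() applies the scanner's rule for reading replies, and syn_scan_sources() is the defender's counterpart, since a half-open scan leaves no application log but packet-level records (firewall, NetFlow, pcap) still show one source sending SYNs to many ports without ever completing a handshake. The packet records are constructed sample data.

```python
from collections import defaultdict


def classify_port(reply_flags):
    """Map the flags of the reply to a probe SYN to a port state (nmap's terms)."""
    if reply_flags is None:
        return "filtered"     # no reply at all: something dropped the probe
    if "S" in reply_flags and "A" in reply_flags:
        return "open"         # SYN/ACK: a daemon is listening; scanner answers with RST
    if "R" in reply_flags:
        return "closed"       # RST: nothing listening on that port
    return "unknown"


def syn_scan_sources(packets, min_ports=10):
    """Return {source: sorted ports} for sources that sent SYNs to at least
    min_ports distinct ports and never completed a handshake (no bare ACK)."""
    syn_ports = defaultdict(set)
    completed = set()
    for src, _dst, dport, flags in packets:
        if flags == "S":
            syn_ports[src].add(dport)
        elif flags == "A":            # third handshake packet: a real client
            completed.add(src)
    return {src: sorted(ports) for src, ports in syn_ports.items()
            if src not in completed and len(ports) >= min_ports}


# Constructed records: (source, destination, destination port, flags sent by source)
SAMPLE_PACKETS = (
    [("10.0.0.5", "10.0.0.20", p, "S") for p in range(20, 45)]      # scanner: SYN to 25 ports
    + [("10.0.0.5", "10.0.0.20", 22, "R"),
       ("10.0.0.5", "10.0.0.20", 80, "R")]                           # RST after each SYN/ACK
    + [("10.0.0.9", "10.0.0.20", 80, "S"),
       ("10.0.0.9", "10.0.0.20", 80, "A")]                           # normal web client
)

if __name__ == "__main__":
    print(classify_port("SA"), classify_port("RA"), classify_port(None))
    print(syn_scan_sources(SAMPLE_PACKETS))
```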

Daemon:

A daemon is a service running on a server on a specific port. Port scanning helps discover daemon services on the network.

When port scanning, if the daemon is not running, or is running on a different port, the TCP packets come back with the RST flag

Figuring out the scope of addresses:

  • A 16-bit netmask means 65536 hosts

  • To determine which IP addresses are assigned to hosts, use a ping sweep

  • Ping Sweep Tool: fping is a Linux tool

          Ex: fping -a -g IPRANGE

          -a for returning live hosts
          -g for performing ping sweeps instead of regular pings
          EX:
              fping -a -g 10.54.12/24
      - On a LAN fping also reports offline hosts despite the option -a; to weed out offline hosts
         while performing the ping sweep, send the error output to /dev/null

      EX: fping -a -g 192.136.82.0 192.168.82.66 2> /dev/null
    

Tools:

  • p0f
  • Nmap
  • Zenmap [Nmap GUI]

Vulnerability Assessment:

- Can be done manually or automatically using automated tools
- Tools include scanners and fuzzers

Exploitation:

 is the last stage, after gathering information and enumerating the systems multiple times
