Internal Pentest

Scan

Host && Port Scanning

  • -n flag to save time by skipping DNS resolution.

  • -f fragments packets as FW evasion; if there is no FW/IDS in the way, remove it.

  • Also check FW evasion

# Ping discovery, Top 20, fragment packets, no DNS resolution (-oA needs a basename; it writes <BASENAME>.nmap/.gnmap/.xml)
sudo nmap -v --top-ports 20 X.X.X.0/24 -f -n --open -oA <BASENAME>
# Ping discovery, Top 200, fragment packets, no DNS resolution, service version
sudo nmap -v --top-ports 200 X.X.X.0/24 -f -n -sV --open -oA <BASENAME>
# Top 1000, fragment packets, no DNS resolution, service version, treat all hosts as alive (no ping)
sudo nmap -v --top-ports 1000 X.X.X.0/24 -f -n -sV -Pn --open -oA <BASENAME>

Web detection

# httpx
cat ip.txt | httpx -silent -random-agent -status-code -timeout 15 -title -web-server -tech-detect -o httpx.txt
cat ip.txt | httpx -silent -ports <UNCOMMON.PORTS> -random-agent -status-code -timeout 15 -title -web-server -tech-detect -o httpx_uncommon.txt
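The ip.txt fed to httpx above can be built from the .gnmap file that the nmap -oA runs write, and the uncommon web ports for the second httpx run can be read from the same file. The script below is an added example (not part of these notes): it parses the greppable format with awk over a constructed sample and assumes only POSIX sh, awk, sort and paste.

```shell
#!/bin/sh
# Constructed sample of nmap greppable output (what "-oA <BASENAME>" writes to <BASENAME>.gnmap).
# Illustrative data only, not from a real scan. Fields in the Ports list are
# port/state/proto/owner/service/rpc/version/ and entries are separated by ", ".
SAMPLE_GNMAP=$(printf '%s\n' \
  '# Nmap 7.94 scan initiated (constructed sample)' \
  'Host: 10.0.0.5 ()	Status: Up' \
  'Host: 10.0.0.5 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 8443/open/tcp//ssl|https-alt//	Ignored State: closed (997)' \
  'Host: 10.0.0.9 ()	Ports: 445/open/tcp//microsoft-ds//, 8080/open/tcp//http-proxy//	Ignored State: filtered (998)' \
  'Host: 10.0.0.12 ()	Ports: 80/open/tcp//http//Apache httpd 2.4/, 445/filtered/tcp//microsoft-ds//	Ignored State: closed (998)' \
  '# Nmap done at (constructed sample)')

# Print each host once if it has at least one OPEN port whose nmap service name looks like
# HTTP/HTTPS (http, https, http-proxy, https-alt, ssl|http ...). Reads a .gnmap on stdin.
gnmap_web_hosts() {
  awk '
    /^Host: / && /Ports: / {
      ip = $2                                   # "Host: <ip> (<name>)" -> second field is the IP
      sub(/.*Ports: /, "")                      # keep only the port list
      sub(/Ignored State:.*/, "")               # drop the trailing summary field
      n = split($0, entries, ", ")
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open" && f[5] ~ /^(ssl[|])?https?/ && !seen[ip]++)
          print ip
      }
    }'
}

# Print the open HTTP-like ports other than 80/443 seen anywhere in the scan as a
# comma-separated list, i.e. the value to give httpx -ports. Reads a .gnmap on stdin.
gnmap_uncommon_web_ports() {
  awk '
    /^Host: / && /Ports: / {
      sub(/.*Ports: /, "")
      sub(/Ignored State:.*/, "")
      n = split($0, entries, ", ")
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open" && f[5] ~ /^(ssl[|])?https?/ && f[1] != "80" && f[1] != "443")
          ports[f[1]] = 1
      }
    }
    END { for (p in ports) print p }' | sort -n | paste -sd, -
}

# Real use: gnmap_web_hosts < <BASENAME>.gnmap > ip.txt ; gnmap_uncommon_web_ports < <BASENAME>.gnmap
printf '%s\n' "$SAMPLE_GNMAP" | gnmap_web_hosts
printf '%s\n' "$SAMPLE_GNMAP" | gnmap_uncommon_web_ports
```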

Enum

Check AD section too

AD no credentials

AD with credentials

  • Enum AD AIO

  • windapsearch

  • ldap

  • rpcclient

  • cme

Attacks

LLMNR & NBT-NS Poisoning (Responder)

  • Find privileged user credentials to reuse on other hosts.

  • Set SMB and HTTP to Off in /usr/share/responder/Responder.conf.

  • MultiRelay reuses the captured hashes against a specific host while Responder is running.

Kerberos

Dumps

AMSI Bypass

Common Exploits

PrivEsc

Local Privilege Escalation

Extra

Oneliners

Native commands

AV Bypasses
