- This document should be signed, and keep a copy of it.
- Scan the IPs to verify that we are not attacking another company.
- Subdomains (amass, assetfinder, DNSRecon, Subfinder)
- Use Google Dorking:
  - site:domain.com -www
  - site:domain.com
  - site:*.domain.com
- First thing to do before starting the main part:
  - OpenVAS
  - Nessus - https://www.tenable.com/products/nessus
- Do some research on the naming convention for email addresses (e.g. firstname.lastname)
  - Phonebook.cz - https://phonebook.cz/
- Scrape the company's LinkedIn with tools to combine the two conventions.
  - LinkedIn2Username - https://github.com/initstring/linkedin2username
  - LinkedInt - https://github.com/vysecurity/LinkedInt
- Check login form or password reset forms for user enumeration.
- CredMaster - https://github.com/knavesec/CredMaster
- TrevorSpray - https://github.com/blacklanternsecurity/TREVORspray
- Password strategy: currentSeason + currentYear + SpecialChar + location + address + companyname
- Password Spray
  - msf: scanner owa_login
  - Check the OWA version
  - Burp Suite Intruder
  - FFuF
  - Wfuzz
  - ike-scan
- In Office, for instance, we can look for other accounts.
- If portal.azure.com is available, find other accounts.
- Password spray with previously found passwords.
- Bypass MFA
- No MFA
- Recommend guidelines: NIST, OWASP
- Unpatched software or services that need an update.
- SecLists
- Cirt
- Weak ciphers
- Test the SSL Certificate
- Verbose error messages
- Verbose stack trace
- mDNS
- Server Version, languages, response headers etc.
- Broken authentication findings such as an "Invalid Username" message.
- Apache default pages
- IIS default page
- ike-scan
- RDP
- Telnet
- Geo blocking not in place
  - Limits attack surface
  - Depends on the location of the client's customers
- Brute-Force Attacks
- Nmap
- Nessus
- Web Enum
- Have I Been Pwned
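Added example, not part of this checklist: a defender-side detector for the password-spray pattern listed above, run over a constructed authentication log (the log format, usernames and IPs are assumptions). It puts the spray rule next to the classic brute-force rule so it is clear why a lockout threshold alone does not catch a spray.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (assumed format): "<ISO timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2024-03-04T09:00:01 203.0.113.7 alice.smith FAIL
2024-03-04T09:00:03 203.0.113.7 bob.jones FAIL
2024-03-04T09:00:05 203.0.113.7 carol.white FAIL
2024-03-04T09:00:07 203.0.113.7 dave.brown FAIL
2024-03-04T09:00:09 203.0.113.7 erin.black SUCCESS
2024-03-04T09:05:00 198.51.100.9 alice.smith FAIL
2024-03-04T09:05:02 198.51.100.9 alice.smith FAIL
2024-03-04T09:05:04 198.51.100.9 alice.smith FAIL
2024-03-04T09:05:06 198.51.100.9 alice.smith FAIL
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that try MANY accounts a FEW times each inside `window`:
    the inverse of the lockout rule (one account, many tries) a spray stays under."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            per_user = defaultdict(int)
            for _, user, _ in span:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # accounts the spray got into: reset and review those first
                hits = sorted({u for _, u, r in span if r == "SUCCESS"})
                alerts[ip] = {"users": len(per_user), "compromised": hits}
                break
    return alerts

def detect_brute_force(events, threshold=4):
    """Classic rule: one source, one account, `threshold`+ failures."""
    fails = defaultdict(int)
    for _, ip, user, result in events:
        if result == "FAIL":
            fails[(ip, user)] += 1
    return {k: n for k, n in fails.items() if n >= threshold}
```

Run both detectors over the same parsed events: the spraying source trips only `detect_spray`, the single-account hammering trips only `detect_brute_force`.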