Methodology
Usually penetration testing are having a structure, with which hackers are working. So here I'll try to explain shortly about each part of engagement.
Pre-engagement (Planning)
Objective: Establish clear rules and goals with the client.
What to do: Define the scope of the engagement (e.g., which systems or networks are in scope). Agree on legal boundaries and expectations.
Tools/Techniques: Legal contracts, Rules of Engagement (RoE) documents.
Outcome: Clear understanding of what to test and which attack simulations are permitted.
Information Gathering (Reconnaissance)
Objective: Collect as much information as possible about the target without interacting with it directly (passive) or by scanning (active).
What to do:
Passive reconnaissance: Search for open-source information (OSINT) such as domain names, email addresses, and IP ranges.
Active reconnaissance: Scan for open ports, services, and vulnerable applications.
Tools/Techniques:
Passive: Google dorking, WHOIS lookup, Shodan, theHarvester.
Active: Nmap, Masscan, banner grabbing.
MITRE ATT&CK Mapping: Reconnaissance (T1595), Initial Access (T1078).
Vulnerability Assessment
Objective: Identify vulnerabilities within the target systems using automated and manual techniques.
What to do: Scan the network and systems for known vulnerabilities, misconfigurations, or weak services.
Tools/Techniques:
Automated Scanners: Nessus, OpenVAS, Qualys.
Manual Techniques: Burp Suite for web applications, Nikto, manual code review, misconfiguration checks (e.g., missing patches, weak encryption).
Outcome: A list of vulnerabilities and potential attack vectors.
MITRE ATT&CK Mapping: Discovery (T1083), Network Service Scanning (T1046).
Exploitation
Objective: Exploit identified vulnerabilities to gain access to the system.
What to do: Use the vulnerabilities identified in the previous step to break into the system.
Tools/Techniques:
Exploit Frameworks: Metasploit, ExploitDB, custom scripts.
Web Exploits: SQL Injection, Command Injection, Cross-Site Scripting (XSS), Remote Code Execution (RCE).
Outcome: Initial access to the target system.
MITRE ATT&CK Mapping: Execution (T1203), Exploitation for Client Execution (T1203).
Post-Exploitation
Objective: Gather useful information, maintain persistence, and expand control over the compromised environment.
What to do:
Data Collection: Extract sensitive data like passwords, tokens, or database content.
Persistence: Install backdoors or create new user accounts to maintain access.
Stealth: Cover tracks by cleaning up logs or using anti-forensics techniques.
Tools/Techniques:
Password Dumping: Mimikatz, Windows Credential Manager, hash dumping.
Maintaining Persistence: Creating cron jobs, modifying Windows Registry, SSH backdoors.
Log Manipulation: Clearing logs or tampering with forensic evidence.
Outcome: Expanded control over the compromised system and preparation for further exploitation.
MITRE ATT&CK Mapping: Persistence (T1547), Collection (T1114), Defense Evasion (T1070).
Lateral Movement
Objective: Move from the initial compromised system to other systems within the network.
What to do: Use compromised credentials, session hijacking, or pivoting techniques to access other internal systems.
Tools/Techniques:
Credential Reuse: Using passwords or tokens obtained from one machine to access others.
Pivoting: Use compromised machine as a gateway to explore further systems (Metasploit, proxychains).
SMB Exploits: Pass-the-Hash, exploiting SMB/RDP services (e.g., PsExec).
Outcome: Gaining control of additional systems in the network.
MITRE ATT&CK Mapping: Lateral Movement (T1021), Pass-the-Hash (T1550), Exploitation of Remote Services (T1210).
Privilege Escalation
Objective: Gain higher-level privileges, such as root or system administrator, on the compromised machine.
What to do: Exploit kernel vulnerabilities, misconfigurations, or use tools to escalate privileges.
Tools/Techniques:
Linux Privilege Escalation: Exploiting SUID binaries, kernel exploits (e.g., Dirty Cow), checking for weak sudo permissions.
Windows Privilege Escalation: Windows UAC bypass, token manipulation, exploiting vulnerable services like PrintNightmare.
Outcome: Elevated privileges on the compromised system.
MITRE ATT&CK Mapping: Privilege Escalation (T1068), Exploitation for Privilege Escalation (T1068).
Proof-of-Concept (PoC)
Objective: Demonstrate the potential impact of vulnerabilities by providing clear proof of exploitation.
What to do: Provide evidence that proves the exploit works and shows what data or system control was obtained.
Tools/Techniques:
PoC Development: Write custom exploits or screenshots showing access.
Documenting Impact: Collect data (e.g., extracted sensitive files, screenshots of shell access).
Outcome: A clear demonstration of the impact for reporting purposes.
MITRE ATT&CK Mapping: Impact (T1486).
Post-Engagement
Objective: Summarize findings, provide recommendations, and remove any artifacts left during the test.
What to do:
Reporting: Provide technical and executive reports outlining the vulnerabilities found, exploitation details, and recommendations.
Cleanup: Remove backdoors, accounts, or persistence mechanisms installed during the test.
Tools/Techniques: Manual system checks, script cleanups, forensic tools.
Outcome: The system is restored, and the client receives actionable feedback.
MITRE ATT&CK Mapping: Not directly mapped, but defensive measures are taken based on findings.
Differences Between Post-Exploitation, Lateral Movement, and Privilege Escalation
Post-Exploitation:
Objective: After gaining initial access, focus on gathering intelligence, maintaining access, and preparing for further attacks.
Key Techniques:
Data Collection: Dump credentials, extract sensitive files.
Persistence: Create new user accounts, install backdoors (e.g., cron jobs, startup scripts).
Log Manipulation: Clean or manipulate logs to avoid detection.
Lateral Movement:
Objective: Move through the compromised network to access more systems and expand control.
Key Techniques:
Pivoting: Use compromised machine as a foothold to explore other systems (e.g., using Metasploit's pivot module).
Credential Reuse: Leverage passwords or hashes from one machine to access others.
Exploiting Remote Services: Use RDP, SMB, SSH to move to other systems.
Privilege Escalation:
Objective: Elevate privileges from a lower-level user (e.g., local user) to an administrator or root.
Key Techniques:
Windows: UAC bypass, token impersonation (e.g., SeImpersonatePrivilege).
Linux: Exploit SUID binaries, weak sudo permissions, kernel exploits (e.g., Dirty Cow).
Full Workflow Example
Pre-engagement: Define rules using engagement contracts.
Information Gathering: Use Nmap for network scanning, WHOIS for public information.
Vulnerability Assessment: Scan with Nessus, manually validate with Burp Suite.
Exploitation: Use Metasploit to exploit an RCE vulnerability.
Post-Exploitation: Dump credentials with Mimikatz, install persistence with cron jobs.
Lateral Movement: Use compromised credentials for SMB shares, pivot using proxychains.
Privilege Escalation: Exploit kernel vulnerabilities on Linux for root access.
Proof-of-Concept: Demonstrate access to critical data (e.g., passwords, sensitive files).
Post-Engagement: Cleanup backdoors, provide a detailed report.