TCM's Pentesting Playlist

All notes were taken while watching TCM's (The Cyber Mentor's) playlist: https://www.youtube.com/watch?v=ChdUC32lsYQ&list=PLLKT__MCUeiwBa7d7F_vN1GUwz_2TmVQj&index=4

Episode 4: 5 Phases of Hacking & Passive OSINT

  • hunter.io - finds email addresses associated with a company's domain

  • haveibeenpwned - checks whether an email address appears in known breaches

Using AI and Deep learning to generate passwords

The Harvester (Red Team)

The Harvester is a tool written in Python. With it you can gather emails, subdomains, hosts, employee names, open ports and banners from public sources such as search engines, PGP key servers and the SHODAN database. It is useful for anyone who needs to know what an attacker can see about their organization from the outside.

theharvester -d [domain name] -b [search engine name | all] [options] [parameters]
  • -d: Domain to search or company name.

  • -b: Data source: baidu, bing, bingapi, dogpile, google, googleCSE, googleplus, google-profiles, linkedin, pgp, twitter, vhost, yahoo, all.

  • -s: Start in result number X (default: 0).

  • -v: Verify hostname via DNS resolution and also search for virtual hosts.

  • -f: Save the results into an HTML and XML file (both).

  • -n: Perform DNS reverse query on all ranges discovered.

  • -c: Perform DNS brute force for the domain name.

  • -t: Perform DNS TLD expansion discovery.

  • -e: Use this DNS server.

  • -l: Limit the number of results to work with (bing pages through results 20 at a time, google 100 at a time, and pgp doesn't use this option).

  • -h: Use SHODAN database to query discovered hosts.

>>theharvester -d tesla.com -l 500 -b google
-d is the domain to search
-l limits the number of results
-b is the data source (search engine or database)

Bluto

Bluto is a Python-based tool for DNS recon (name servers, IP addresses), DNS zone transfer testing (a successful transfer reveals more subdomains), DNS wildcard checks, DNS brute forcing, e-mail enumeration and more. Bluto also enumerates email addresses for the target domain, currently using the Bing and Google search engines plus data gathered from the Email Hunter service and LinkedIn. https://haveibeenpwned.com/ is then used to identify whether any of those email addresses have been compromised.

crt.sh

Search certificate transparency logs to identify subdomains (search for %.tesla.com; % is the wildcard)

Episode 5: Scanning Tools & Tactics

Nmap, Nessus, Burpsuite essentials, metasploit

TCP 3-way handshake - used when reliability is needed (SYN, SYN/ACK, ACK)

UDP is connectionless - when speed is needed

Nmap

  • by default Nmap scans only the top 1000 ports; scan the full TCP range (all 65535 ports) so nothing is missed

  • use -T0 through -T5 to set the timing template: lower for stealth or thoroughness, higher for speed (faster scans might miss something)

TCM's default scan

  • -A is the aggressive option: OS detection, version detection, script scan and traceroute, as much information as possible

  • -p- scans all 65535 TCP ports

## TCM DEFAULT SCAN
nmap -T4 -A -p- <IP Address>

## FIRST SCAN BRIEF
nmap -T4 -p- <IP Address>
## FOLLOW WITH STRONGER NARROW SCAN
nmap -T4 -A -p <ports found above, comma-separated> <IP Address>
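The two-step scan above, as an added example that is not from TCM's video: a POSIX shell script that reads the first scan's grepable output (-oG) to pick out the open TCP ports and hands them to the narrower -A scan. The host 10.0.0.5 and the sample output are constructed, not from a real scan.

```shell
#!/bin/sh
# Added example: automate "broad scan first, then -A on what turned up".
# nmap -oG writes one "Host:" line per target whose "Ports:" field lists
# entries as NUMBER/STATE/PROTO//SERVICE///, separated by ", ".

# Print the open TCP ports from an -oG file as a comma-separated list,
# ready to pass to nmap -p. Prints nothing if no open TCP port was found.
extract_open_ports() {
    # $1: path to a file written with nmap -oG
    awk '
        index($0, "Ports: ") {
            s = substr($0, index($0, "Ports: ") + 7)
            if (index(s, "Ignored State")) s = substr(s, 1, index(s, "Ignored State") - 1)
            n = split(s, entries, ", *")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                if (f[2] == "open" && f[3] == "tcp") print f[1]
            }
        }' "$1" | sort -n -u | paste -s -d, -
}

# The two-stage scan from the notes. Not invoked below; run it yourself as:
#   two_stage_scan 10.0.0.5
two_stage_scan() {
    target="$1"
    out="first_scan_$target.gnmap"
    nmap -T4 -p- -oG "$out" "$target" > /dev/null
    ports=$(extract_open_ports "$out")
    [ -n "$ports" ] || { echo "no open TCP ports found on $target" >&2; return 1; }
    nmap -T4 -A -p "$ports" "$target"
}

# Constructed sample of -oG output (not a real host) so the parser can be
# exercised offline without running nmap.
SAMPLE_GNMAP=$(mktemp)
{
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (65531)\n'
} > "$SAMPLE_GNMAP"

extract_open_ports "$SAMPLE_GNMAP"   # prints: 22,80,8080
```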

stopped at https://www.youtube.com/watch?v=t9aAhuG0LkE&list=PLLKT__MCUeiwBa7d7F_vN1GUwz_2TmVQj&index=5

at 34:27
