Below is a general methodology for how one would begin a pentest. Do more research on your own to get the technical and legal details that are required:
- Get permission to attack the target in writing. If you don’t receive permission, do NOT proceed.
- Use a search engine to see what comes up for your target. Use passive techniques.
- Run HTTrack to get a copy of the website so you can browse offline. This is not passive, so proceed with caution.
- Use google-fu.
- Run theHarvester on the target to collect email addresses and other company information.
- Review whois.
- Review Netcraft.
- Run host on the IP address.
- Try a zone transfer.
- Run nslookup to get DNS and mail server information.
- Run dig on the IP address.
- Run metagoofil to locate/download .pdf, .doc, .ppt files, etc.
- Put all results in a tool like a mind map.
- Review perimeter devices and endpoints, if they are in scope.
- Do a ping sweep with fping to see what’s alive.
- Run Nmap to see what services are running.
- Try to log in with information you have accumulated.
- Run your tools through proxychains and the Tor browser.
- Use any information found during reconnaissance stage.
- Run Nessus (web interface on port 8834).
- Create a legal scan policy.
- Run a brute-force attack with hydra or medusa.
- If you can remotely log into the network, you win.
- Run Metasploit if you are in.
- Take the results from Nessus and use them to search for exploits and payloads in Metasploit.
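From the defender's side, the brute-force and remote-login steps above are exactly what a log monitor should catch. The following is an added example, not code from the original page: a small Python detector over constructed sshd-style log lines that flags a burst of failed logins from one source and, more importantly, a successful login that follows such a burst. The threshold, window and log format are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd-style log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:02 sshd[102]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:03 sshd[103]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:04 sshd[104]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:05 sshd[105]: Failed password for admin from 203.0.113.7 port 51005 ssh2
2024-03-01T10:00:06 sshd[106]: Accepted password for admin from 203.0.113.7 port 51006 ssh2
2024-03-01T10:05:00 sshd[107]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:05:30 sshd[108]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

# Assumed log line shape: ISO timestamp, sshd tag, result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as tuples: ("burst", ip) when a source reaches `threshold`
    failed logins inside `window`, and ("success_after_burst", ip, user) when a
    login from that source succeeds while the burst is still within the window."""
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not password auth events
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        # Slide the window: keep only failures that are still recent.
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) == threshold:  # alert once per burst
                alerts.append(("burst", ip))
        elif len(failures[ip]) >= threshold:
            # A success right after a burst is the highest-value alert.
            alerts.append(("success_after_burst", ip, m["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

A single failure followed by a success (the second source in the sample) is a normal typo and raises nothing; only a burst at or above the threshold, or a success riding on one, is reported.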