Main Page

From wiki.exploitpedia.org

exploitpedia.org is a Penetration Testing and Red Team operations wiki



exploitpedia.org is a wiki dedicated to knowledge, techniques and tools for professional penetration testing, offensive security and ethical hacking, and everything related to them. It is based on standards such as PTES, CEH and OSSTMM, among others.


DISCLAIMER: This is a site dedicated to professional penetration testing. It is illegal to perform any action against any host without prior consent; testing is only allowed against your own infrastructure or during a professional customer engagement with prior written consent. Also note that, even when those requirements are met, you must notify Microsoft Azure or Amazon AWS beforehand if you intend to perform security testing on their platforms.



MODULE I: Infrastructure penetration testing

  • PHASE I: Reconnaissance
      • Passive reconnaissance
      • Active reconnaissance
  • PHASE II: Scanning
  • PHASE III: Enumeration
  • PHASE IV: Exploitation
      • Password cracking
      • Brute forcing
      • SQL Exploitation
      • msfvenom payloads
      • Network infrastructure
  • PHASE V: Post exploitation
      • Shells
      • Droppers
      • Privilege Escalation
      • Data exfiltration
      • Meterpreter
      • Sniffers
      • PowerShell frameworks
      • Password dumping
      • RATs
      • Escape environments
  • PHASE VI: Covering Tracks
  • PHASE VII: Lateral Movement
      • PTH: Pass the hash
      • PTT: Pass the ticket
      • Pivoting
      • Tunneling
      • RDP

MODULE II: Web application penetration testing

MODULE III: Mobile penetration testing

Links


SecDevOps / Cloud Security

  • DEFECT DOJO: Security program and vulnerability management tool. Features: imports XML output from nmap, nikto, burp, qualys, nessus, ...; integrates with Jira; generates reports.

Frameworks

  • Metasploit: The world's most used penetration testing framework
  • PTF: Python script designed for Debian/Ubuntu/ArchLinux based distributions that turns them into a familiar penetration testing distribution.
  • Faradaysec: An integrated multi-user pentest environment that maps and leverages all the knowledge you generate in real time.
  • Armitage: Cyber attack management for Metasploit
  • Cobalt Strike: Adversary simulation and red team operations
  • OWTF: OWASP Offensive Web Testing Framework
  • PentestBox: An open-source, pre-configured, portable penetration testing environment for the Windows operating system
  • ISF: Industrial Control System (ICS) Exploitation Framework based on Python

Calculators

Paper Frameworks

  • MITRE CAPEC: Common Attack Pattern Enumeration and Classification. Catalogues attack patterns in a hierarchy (Category -> Meta -> Standard). E.g., for a DoS attack: (C) Abuse Existing Functionality (210) -> (M) Flooding (125) -> (S) UDP Flood (486) [CVE-2003-0760]
  • OWASP ASVS 4.0: OWASP Application Security Verification Standard

Test/Lab environments

  • HTB: Online platform with penetration testing labs (similar to the OSCP labs)
  • DVWA: Damn Vulnerable Web Application
  • Kevgir: Multi-vulnerable virtual machine
  • WebGoat: A deliberately insecure web application
  • Metasploitable 2: The Metasploitable login is "msfadmin"; the password is also "msfadmin".
  • Metasploitable 3: A VM built from the ground up with a large number of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit.

Other tools


Contribute

The best way to contribute is to spread the word, or to help improve the content and quality of the wiki. Get an account and register with your email; that's it.