\documentclass[10pt,a4paper]{article} % Packages \usepackage{fancyhdr} % For header and footer \usepackage{multicol} % Allows multicols in tables \usepackage{tabularx} % Intelligent column widths \usepackage{tabulary} % Used in header and footer \usepackage{hhline} % Border under tables \usepackage{graphicx} % For images \usepackage{xcolor} % For hex colours %\usepackage[utf8x]{inputenc} % For unicode character support \usepackage[T1]{fontenc} % Without this we get weird character replacements \usepackage{colortbl} % For coloured tables \usepackage{setspace} % For line height \usepackage{lastpage} % Needed for total page number \usepackage{seqsplit} % Splits long words. %\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely. \usepackage[normalem]{ulem} % For underlining links % Most of the following are not required for the majority % of cheat sheets but are needed for some symbol support. \usepackage{amsmath} % Symbols \usepackage{MnSymbol} % Symbols \usepackage{wasysym} % Symbols %\usepackage[english,german,french,spanish,italian]{babel} % Languages % Document Info \author{blacklist\_} \pdfinfo{ /Title (web-application-pentesting.pdf) /Creator (Cheatography) /Author (blacklist\_) /Subject (Web Application PenTesting Cheat Sheet) } % Lengths and widths \addtolength{\textwidth}{6cm} \addtolength{\textheight}{-1cm} \addtolength{\hoffset}{-3cm} \addtolength{\voffset}{-2cm} \setlength{\tabcolsep}{0.2cm} % Space between columns \setlength{\headsep}{-12pt} % Reduce space between header and content \setlength{\headheight}{85pt} % If less, LaTeX automatically increases it \renewcommand{\footrulewidth}{0pt} % Remove footer line \renewcommand{\headrulewidth}{0pt} % Remove header line \renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit % This two commands together give roughly % the right line height in the tables \renewcommand{\arraystretch}{1.3} \onehalfspacing % Commands 
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour \newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols \newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns \newcommand{\tn}{\tabularnewline} % Required as custom column type in use % Font and Colours \definecolor{HeadBackground}{HTML}{333333} \definecolor{FootBackground}{HTML}{666666} \definecolor{TextColor}{HTML}{333333} \definecolor{DarkBackground}{HTML}{FF2800} \definecolor{LightBackground}{HTML}{FFF1EF} \renewcommand{\familydefault}{\sfdefault} \color{TextColor} % Header and Footer \pagestyle{fancy} \fancyhead{} % Set header to blank \fancyfoot{} % Set footer to blank \fancyhead[L]{ \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{C} \SetRowColor{DarkBackground} \vspace{-7pt} {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}} } \end{tabulary} \columnbreak \begin{tabulary}{11cm}{L} \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Web Application PenTesting Cheat Sheet}}}} \\ \normalsize{by \textcolor{DarkBackground}{blacklist\_} via \textcolor{DarkBackground}{\uline{cheatography.com/121658/cs/24003/}}} \end{tabulary} \end{multicols}} \fancyfoot[L]{ \footnotesize \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{LL} \SetRowColor{FootBackground} \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\ \vspace{-2pt}blacklist\_ \\ \uline{cheatography.com/blacklist} \\ \end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\ \vspace{-2pt}Not Yet Published.\\ Updated 9th October, 2020.\\ Page {\thepage} of \pageref{LastPage}. 
\end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\ \SetRowColor{white} \vspace{-5pt} %\includegraphics[width=48px,height=48px]{dave.jpeg} Measure your website readability!\\ www.readability-score.com \end{tabulary} \end{multicols}} \begin{document} \raggedright \raggedcolumns % Set font size to small. Switch to any value % from this page to resize cheat sheet text: % www.emerson.emory.edu/services/latex/latex_169.html \footnotesize % Small font. \begin{multicols*}{2} \begin{tabularx}{8.4cm}{x{2.72 cm} x{5.28 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Notes}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{References} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} Bug bounty cheatsheet & \{\{fa-bolt\}\} \seqsplit{https://m0chan.github.io/2019/12/17/Bug-Bounty-Cheetsheet.html} \tn % Row Count 4 (+ 3) % Row 2 \SetRowColor{LightBackground} Hacktricks cheatsheet & \{\{fa-bolt\}\} \seqsplit{https://book.hacktricks.xyz/bug-bounties-methodology} \tn % Row Count 7 (+ 3) % Row 3 \SetRowColor{white} Tools introduction & \{\{fa-bolt\}\} \seqsplit{https://medium.com/@hakluke} \tn % Row Count 9 (+ 2) % Row 4 \SetRowColor{LightBackground} Learn & \{\{fa-bolt\}\} Understand concept from youtube \{\{nl\}\}\{\{fa-bolt\}\} Read reports on the web, medium, hackerone, twitter, reddit etc.. 
\tn
% Row Count 14 (+ 5)
% Row 5
\SetRowColor{white}
Practice & \{\{fa-bolt\}\} Docker websploit \{\{nl\}\}\{\{fa-bolt\}\} PortSwigger Academy \tn
% Row Count 17 (+ 3)
% Row 6
\SetRowColor{LightBackground}
& \seqsplit{https://portswigger.net/web-security} \tn
% Row Count 19 (+ 2)
% Row 7
\SetRowColor{white}
Resources & \{\{fa-bolt\}\} Pentester Lab free VM \{\{nl\}\}\{\{fa-bolt\}\} \{\{link="https://www.offensity.com/de/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/"\}\}Another bug-hunting-methodology \{\{/link\}\} \{\{nl\}\}\{\{fa-bolt\}\} \{\{link="https://omespino.com/fastreconGG-bugswat2019.pdf"\}\}Another bug-hunting-methodology 2 \{\{/link\}\} \tn
% Row Count 32 (+ 13)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{x{4.08 cm} x{3.92 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Checklist}} \tn
% Row 0
\SetRowColor{LightBackground}
Understand the flow of the application & Exploit it | 1 Recon - 2 Checklist \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{} \tn
% Row Count 2 (+ 0)
% Row 2
\SetRowColor{LightBackground}
Password reset & \{\{fa-bolt\}\} Change host header \tn
% Row Count 4 (+ 2)
% Row 3
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{No rate limit} \tn
% Row Count 5 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{x{2.48 cm} x{5.52 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Bug Hunting Methodology}} \tn
% Row 0
\SetRowColor{LightBackground}
Jason Haddix & \{\{fa-bolt\}\} \{\{link="https://docs.google.com/presentation/d/1ph71Dhu6iBHJB3xkevEFnw15tggS5c\_zGbbh0ya4HdA/edit\#slide=id.g89b65a088d\_4\_83"\}\}Bug-Hunter-Methodology\{\{/link\}\} \tn
% Row Count 7 (+ 7)
% Row 1
\SetRowColor{white}
Approaching target & \{\{fa-bolt\}\}
\{\{link="https://medium.com/bugbountywriteup/recon-everything-48aafbb8987"\}\}Recon APT28\{\{/link\}\} \tn % Row Count 11 (+ 4) % Row 2 \SetRowColor{LightBackground} Oneforall & \{\{fa-bolt\}\} \{\{link="https://paper.seebug.org/1053/"\}\}Tool Guide\{\{/link\}\} \{\{nl\}\} \{\{fa-bolt\}\} \{\{link="https://www.daehee.com/oneforall/"\}\}Approach\{\{/link\}\} \tn % Row Count 17 (+ 6) % Row 3 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{Amass} \tn % Row Count 18 (+ 1) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{Nuclei} \tn % Row Count 19 (+ 1) % Row 5 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{Lazyrecon} \tn % Row Count 20 (+ 1) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{Burpsuite} \tn % Row Count 21 (+ 1) % Row 7 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{Ffuf} \tn % Row Count 22 (+ 1) % Row 8 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{WaybackURL} \tn % Row Count 23 (+ 1) % Row 9 \SetRowColor{white} Burp & \{\{fa-bolt\}\} Goto Scope and click use advanced scope control\{\{nl\}\}\{\{fa-bolt\}\} Now we can enter a "term" instead of a domain name \{\{nl\}\}\{\{fa-bolt\}\} Click on add and inside host field enter only the target name like office \{\{nl\}\}\{\{fa-bolt\}\} Pop-up will come up Click no as we still want stuff outside of this term \{\{nl\}\}\{\{fa-bolt\}\} Go back to Sitemap and open menu \{\{nl\}\}\{\{fa-bolt\}\} Click on first option: Show only in scope items \{\{nl\}\}\{\{fa-bolt\}\} Now you can see only those URL with only that term \{\{nl\}\}\{\{fa-bolt\}\} Select all relevant domains or open more and Click on Scan, So that we can crawl all these URLs \{\{nl\}\}\{\{fa-bolt\}\} Menu: Scan details: Select crawl option and you can see a list of URLs/Domains to scan \{\{nl\}\}\{\{fa-bolt\}\} Scan configuration: Click on select from Library and select Fastest \{\{nl\}\}\{\{fa-bolt\}\} Again select from library and select never stop crawl due to application errors 
\{\{nl\}\}\{\{fa-bolt\}\} Apply those 2 and proceed ahead \{\{nl\}\}\{\{fa-bolt\}\} Go to Resource pool: Click on create new resource pool, assign it a name \{\{nl\}\}\{\{fa-bolt\}\} Click on Maximum concurrent requests: 50 \{\{nl\}\}\{\{fa-bolt\}\} Done. Burp has started scanning the target to find more subdomains and maybe root domains. Use the dashboard to track the progress \tn
% Row Count 70 (+ 47)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak
\begin{tabularx}{8.4cm}{x{2.48 cm} x{5.52 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Bug Hunting Methodology (cont)}} \tn
% Row 10
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{Tools for Automation} \tn
% Row Count 1 (+ 1)
% Row 11
\SetRowColor{white}
XSS & \{\{fa-bolt\}\} XSS Hunter \tn
% Row Count 2 (+ 1)
% Row 12
\SetRowColor{LightBackground}
SSRF & \{\{fa-bolt\}\} Ssrf-Tool \{\{fa-bolt\}\} Hacktricks \tn
% Row Count 4 (+ 2)
% Row 13
\SetRowColor{white}
SQL & \{\{fa-bolt\}\} SQLMAP \tn
% Row Count 5 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{\{\{fa-bolt\}\}Checklist \& Tools \{\{link="https://naglinagli.github.io/BugBounty/?s=09\#test-tokens-for-predictability"\}\}Test Cases that can be performed \& Number of Tools that can be used for this methodology\{\{/link\}\}} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{SQL Injection}} \tn
% Row 0
\SetRowColor{LightBackground}
Second order SQL Injection & \{\{fa-bolt\}\} Using this vulnerability we can change the password of the particular username \{\{nl\}\}\{\{fa-bolt\}\} For example ' -{}- and create a new account blacklist' -{}- \{\{nl\}\}\{\{fa-bolt\}\} ' is Single quote.
Used to delineate a query with an unmatched quote \tn
% Row Count 13 (+ 13)
% Row 1
\SetRowColor{white}
\{\{link="http://hwang.cisdept.cpp.edu/swanew/Text/SQL-Injection.htm"\}\}SQL injection\{\{/link\}\} \{\{nl\}\}\{\{fa-bolt\}\} \{\{link="https://www.youtube.com/watch?v=PY13FNXT\_Dk"\}\}second-order-sql\{\{/link\}\} & \{\{fa-bolt\}\} What happens is there is a query like \{\{nl\}\}\{\{fa-bolt\}\} UPDATE users set password="new pass" where username="blacklist ' -{}-" and password="this is for current password" \{\{nl\}\}\{\{fa-bolt\}\} Now when I use this query, everything after -{}- becomes just a comment, which has no use now, and it will directly change the password of the old user \tn
% Row Count 30 (+ 17)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Tips \& Tricks}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{Twitter} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
With great flexibility comes great power of messing things up & Having flexibility in web app development also means having facility in creating insecure code \tn
% Row Count 7 (+ 6)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{x{3.92 cm} x{4.08 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{SSRF}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{SSRF} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
1) What it is (concept) & \{\{fa-bolt\}\} In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources.
\{\{nl\}\} \{\{fa-bolt\}\} The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases or perform POST requests towards internal services which are not intended to be exposed. \tn
% Row Count 28 (+ 27)
% Row 2
\SetRowColor{LightBackground}
2) Where it can be (where to look for) & \{\{fa-bolt\}\} SSRF exists when the server, as part of one of its features, fetches data or queries an internal or external resource. The key is that this request includes a value that the attacker can manipulate, potentially allowing the attacker to completely change the request being performed by the server. \tn
% Row Count 44 (+ 16)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak
\begin{tabularx}{8.4cm}{x{3.92 cm} x{4.08 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{SSRF (cont)}} \tn
% Row 3
\SetRowColor{LightBackground}
3) Goal & \{\{fa-bolt\}\} The user will need to modify the URL.
\tn
% Row Count 3 (+ 3)
% Row 4
\SetRowColor{white}
4) Automation Tool & \{\{fa-bolt\}\} Hunt RMX (Burp extension) \{\{nl\}\}\{\{fa-bolt\}\} Ssrfmap \tn
% Row Count 7 (+ 4)
% Row 5
\SetRowColor{LightBackground}
SSRF Detector & \{\{fa-bolt\}\} \{\{link="https://github.com/ethicalhackingplayground/ssrf-tool"\}\}Detect-ssrf\{\{/link\}\} \tn
% Row Count 12 (+ 5)
% Row 6
\SetRowColor{white}
Tips & \{\{fa-bolt\}\} The more endpoints you find, the more scope you have \tn
% Row Count 16 (+ 4)
% Row 7
\SetRowColor{LightBackground}
Tips & \{\{fa-bolt\}\} If you find a subdomain running and identify the service running, e.g. JIRA, then you already know its endpoints and can try them \tn
% Row Count 23 (+ 7)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{\{\{link="https://github.com/jdonsec/AllThingsSSRF"\}\}AllThingsSSRF\{\{/link\}\} \newline \newline \{\{link="https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/"\}\}SSRF\_Guide\{\{/link\}\} \newline \newline \{\{link="https://github.com/hahwul/WebHackersWeapons"\}\}WebHackersWeapons\{\{/link\}\}} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain APT-28}} \tn
% Row 0
\SetRowColor{LightBackground}
Cyber Kill Chain & \{\{fa-bolt\}\} Phases of Pentesting: Recon and Information gathering is a very important phase. A good penetration tester spends 90\% of his time widening the attack surface because he knows this is what it's all about. The rest is just a matter of using the correct tools and techniques \tn
% Row Count 14 (+ 14)
% Row 1
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{1. Reconnaissance | Information Gathering} \tn
% Row Count 15 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{2.
Footprinting | Scanning} \tn
% Row Count 16 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{3. Vulnerability Assessment | Vulnerability identification and analysis} \tn
% Row Count 18 (+ 2)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{4. Gaining Access | Exploitation} \tn
% Row Count 19 (+ 1)
% Row 5
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{5. Maintaining Access | Post exploitation} \tn
% Row Count 20 (+ 1)
% Row 6
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{6. Clearing Tracks} \tn
% Row Count 21 (+ 1)
% Row 7
\SetRowColor{white}
\mymulticolumn{2}{x{8.4cm}}{7. Reporting | Re-Testing} \tn
% Row Count 22 (+ 1)
% Row 8
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{\{\{fa-bolt\}\} Penetration Testing - It's a process where each next step is dependent on the previous step; the goal is to test each and every vulnerability without overloading the client infrastructure} \tn
% Row Count 26 (+ 4)
% Row 9
\SetRowColor{white}
{\bf{Professional Penetration Testing Process}} & \{\{fa-steam\}\} E I F V E R \tn
% Row Count 29 (+ 3)
% Row 10
\SetRowColor{LightBackground}
\{\{fa-bolt\}\} Engagement | RoE & \{\{fa-steam\}\} Details about the penetration test are established \{\{nl\}\}\{\{fa-steam\}\} Quotation: It is in terms of price and an estimate of the time required to perform your job. It depends upon whether the test is for a network, a web application or the whole organization, and also depends upon the {\bf{type of engagement}} - black, white, gray - and complexity \{\{nl\}\}\{\{fa-steam\}\} Proposal Submittal: Write the proposal keeping in mind the client's needs and infrastructure. It should include an understanding of the client requirement and the Approach \& Methodology that will be used, like automated scans or manual testing, or onsite testing. Also it should include the Risks \& Benefits, and the value that the pentest will bring to the organization.
{\bf{Finally, the Proposal}} should include the Scope of Engagement \{\{nl\}\}\{\{fa-steam\}\} Staying in Scope: Always verify that it is client property and that you have written permission to conduct an assessment on it, so that you don't break the law, as some countries have rules and regulations that you need to comply with. \{\{nl\}\}\{\{fa-steam\}\} Incident Handling: It is a procedure or set of instructions that needs to be executed by both the parties involved on how to proceed when an incident occurs. Or have an Emergency contact number that might help in incident handling for the client infrastructure. \{\{nl\}\}\{\{fa-steam\}\} Once an emergency contact is set, it is worth adding a statement to the {\bf{Rules Of Engagement}} \{\{nl\}\}\{\{fa-steam\}\} Legal Work: Organizations want you to sign an NDA \seqsplit{(Non-Disclosure-Agreement)}. Moreover, as Security Laws vary from country to country you might need to hire a Lawyer. Thus confidentiality must remain, and data cannot be sold to a third party, must be encrypted and kept private. \{\{nl\}\}\{\{fa-steam\}\} Finally, the {\bf{RoE}} is a document that will define the scope of engagement and put on paper what the Pentester is authorized to do and when; this includes the time window for your tests and your contacts in the client organization. And if something goes wrong there should be a client contact with whom you can coordinate activities or communicate \tn
% Row Count 133 (+ 104)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain APT-28 (cont)}} \tn
% Row 11
\SetRowColor{LightBackground}
\{\{fa-bolt\}\} Information Gathering | Reconnaissance & \{\{fa-steam\}\} Most crucial stage for success. During this stage, the pentester is an investigator who wants to harvest information about the client organization.
Also don't engage before the dates, as the client should not miss a real attack vector. The RoE states whether social engineering is allowed. \{\{nl\}\}\{\{fa-steam\}\} Understanding the Business is an important part as it helps you to understand what is important for your client. \tn
% Row Count 21 (+ 21)
% Row 12
\SetRowColor{white}
\{\{fa-bolt\}\} Footprinting \& Scanning & \{\{fa-steam\}\} \tn
% Row Count 23 (+ 2)
% Row 13
\SetRowColor{LightBackground}
\{\{fa-bolt\}\} Vulnerability Assessment & \{\{fa-steam\}\} Vulnerability identification and analysis \{\{nl\}\}\{\{fa-steam\}\} Manual or Automated \tn
% Row Count 28 (+ 5)
% Row 14
\SetRowColor{white}
\{\{fa-bolt\}\} Exploitation (Gaining Access) | Post exploitation (Maintaining Access) | Clearing Tracks & \{\{fa-steam\}\} Gaining Access \& Maintaining Access \& Clearing Tracks \{\{nl\}\}\{\{fa-steam\}\} \tn
% Row Count 33 (+ 5)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cyber Kill Chain APT-28 (cont)}} \tn
% Row 15
\SetRowColor{LightBackground}
\{\{fa-bolt\}\} Reporting & \{\{fa-steam\}\} Consultancy: This might be required by the Organization after delivering the report as they might need further clarification or help regarding the Pentester's Findings. After consultancy a pentester should keep the report encrypted or, better yet, destroy it. \tn
% Row Count 14 (+ 14)
% Row 16
\SetRowColor{white}
\{\{fa-bolt\}\} Finally, Information Gathering \& Fingerprinting is very important to ensure you make your {\bf{Target Wider}} & \{\{fa-steam\}\} Widening the Attack Surface. Sticking to the process is the real secret for an effective pentest.
For example, highly motivated \& experienced hackers spend most of their time investigating their victims and gathering information about them using as many sources as possible; this helps them launch highly targeted attacks that do not trigger alarms in the victim's defense system. \{\{nl\}\}\{\{fa-steam\}\} A successful and stealthy attack is made possible by a deep understanding of the target, which comes from a thorough information gathering phase \tn
% Row Count 42 (+ 28)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Web Fundamentals}} \tn
% Row 0
\SetRowColor{LightBackground}
Pentesting Career & \{\{fa-bolt\}\} Ability to exploit web applications and find vulnerabilities in web servers and services \tn
% Row Count 6 (+ 6)
% Row 1
\SetRowColor{white}
Protocol & \{\{fa-bolt\}\} HTTP is used to transfer web pages and data from server to client and vice-versa \tn
% Row Count 11 (+ 5)
% Row 2
\SetRowColor{LightBackground}
HTTP (request \& response) & \{\{fa-bolt\}\} The client, usually a web browser, connects to a web server, e.g. Apache HTTP Server or MS IIS \tn
% Row Count 17 (+ 6)
% Row 3
\SetRowColor{white}
HTTP working & \{\{fa-bolt\}\} Works on Top of the TCP Protocol \{\{nl\}\}\{\{fa-bolt\}\} First a TCP connection is established. Then the client sends its request and waits for the response.
The server processes the request and sends back the response along with a Status Code and Data \tn
% Row Count 30 (+ 13)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Web Fundamentals (cont)}} \tn
% Row 4
\SetRowColor{LightBackground}
Client \{\{nl\}\}\{\{fa-bolt\}\} SYN \{\{nl\}\}\{\{fa-bolt\}\} ACK GET /html \{\{nl\}\}\{\{fa-bolt\}\} Close Connection & Server \{\{nl\}\}\{\{fa-bolt\}\} SYN ACK \{\{nl\}\}\{\{fa-bolt\}\} HTML response \tn
% Row Count 5 (+ 5)
% Row 5
\SetRowColor{white}
Format of HTTP Headers & \{\{fa-bolt\}\} Headers \textbackslash{}r \textbackslash{}n \{\{nl\}\}\{\{fa-bolt\}\} \textbackslash{}r \textbackslash{}n \{\{nl\}\}\{\{fa-bolt\}\} To end lines in HTTP, use the \textbackslash{}r (Carriage Return) \& \textbackslash{}n (New Line) characters \{\{nl\}\}\{\{fa-bolt\}\} Message Body \{\{nl\}\}\{\{fa-bolt\}\} Header\_name : Header\_value \tn
% Row Count 16 (+ 11)
% Row 6
\SetRowColor{LightBackground}
HTTP Request Example & \{\{fa-bolt\}\} Request Method \{\{fa-bolt\}\} / PATH, the PATH tells the server which resource the browser is asking for, and there is a Protocol version that tells the server how to communicate with the browser \tn
% Row Count 27 (+ 11)
% Row 7
\SetRowColor{white}
Method header & \{\{fa-bolt\}\} GET - Used to retrieve, 200 code, returns XML or JSON \{\{nl\}\}\{\{fa-bolt\}\} POST - Used to send a content body, i.e. Parameters and Data \{\{nl\}\}\{\{fa-bolt\}\} PUT - Update Capabilities \{\{nl\}\}\{\{fa-bolt\}\} DELETE - Delete a resource identified by a URI \tn
% Row Count 40 (+ 13)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Web Fundamentals (cont)}} \tn
% Row 8
\SetRowColor{LightBackground}
Host header & \{\{fa-bolt\}\} The HOST header field specifies the internet hostname and
port number of the resource being requested \{\{nl\}\}\{\{fa-bolt\}\} A web server can host multiple websites. This header field tells the server which site the client is asking for \{\{nl\}\}\{\{fa-bolt\}\} The HOST value is obtained from the URI of the resource \tn
% Row Count 16 (+ 16)
% Row 9
\SetRowColor{white}
User-Agent header & \{\{fa-bolt\}\} Tells the server which client software is issuing the requests; a client could be Firefox, Google, Edge or a mobile app \{\{nl\}\}\{\{fa-bolt\}\} Also reveals the operating system version to the server \tn
% Row Count 27 (+ 11)
% Row 10
\SetRowColor{LightBackground}
Accept header & \{\{fa-bolt\}\} The browser sends the Accept Header field to specify which document type it is expecting in the Response \{\{nl\}\}\{\{fa-bolt\}\} text/html \tn
% Row Count 35 (+ 8)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Web Fundamentals (cont)}} \tn
% Row 11
\SetRowColor{LightBackground}
Accept-Language header & \{\{fa-bolt\}\} Similarly, the browser can ask for a specific language in the response \tn
% Row Count 5 (+ 5)
% Row 12
\SetRowColor{white}
Accept-Encoding header & \{\{fa-bolt\}\} The browser tells the server which types of compression it accepts, e.g. gzip \& deflate \tn
% Row Count 9 (+ 4)
% Row 13
\SetRowColor{LightBackground}
Connection header & \{\{fa-bolt\}\} The Connection header field allows the sender to specify options that are desired for that particular connection \{\{nl\}\}\{\{fa-bolt\}\} e.g. Connection: keep-alive - future communications with the server will reuse the current connection \tn
% Row Count 21 (+ 12)
% Row 14
\SetRowColor{white}
HTTP Response & \{\{fa-bolt\}\} When the server receives a request, it processes it and sends back an HTTP response to the client. The response has its own header format.
Along with Page Content \tn
% Row Count 30 (+ 9)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Web Fundamentals (cont)}} \tn
% Row 15
\SetRowColor{LightBackground}
Status line & \{\{fa-bolt\}\} Status code along with Protocol version \tn
% Row Count 3 (+ 3)
% Row 16
\SetRowColor{white}
Date & \{\{fa-bolt\}\} Date represents the date and time at which the message was originated \tn
% Row Count 8 (+ 5)
% Row 17
\SetRowColor{LightBackground}
Cache-Control header & \{\{fa-bolt\}\} The server informs the client about cached content. Using cached content saves bandwidth as it prevents the client from re-requesting unmodified content. \tn
% Row Count 17 (+ 9)
% Row 18
\SetRowColor{white}
Content-Type & \{\{fa-bolt\}\} Lets the client know how to interpret the body of the message, e.g. text/html; charset=UTF-8 \tn
% Row Count 23 (+ 6)
% Row 19
\SetRowColor{LightBackground}
Content-Encoding & \{\{fa-bolt\}\} It extends Content-Type; if gzip, then the message body is compressed with gzip \tn
% Row Count 28 (+ 5)
% Row 20
\SetRowColor{white}
Server header & \{\{fa-bolt\}\} The Server header field identifies the server software that generated the content \{\{nl\}\}\{\{fa-bolt\}\} Very useful field during a Pentest to identify the software running on the Web server \tn
% Row Count 38 (+ 10)
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak
\begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Web Fundamentals (cont)}} \tn
% Row 21
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{Content-Length} \tn
% Row Count 1 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{\{\{link="https://cheatography.com/kstep/cheat-sheets/http-status-codes/"\}\}Status Codes\{\{/link\}\}} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} % That's all folks \end{multicols*} \end{document}