Pentesting Basics

This post is not in final form yet; the information is subject to change.

Before You Start

1. Getting started

○ Important Notes

Please note that I spent a lot of time making this post, from organizing and writing it to formatting it. Any action to support me would be appreciated, whether it's starring this repo, leaving a comment[1], reacting, or sharing this post/site. All of it matters to me ❤️!

2. Cheat Sheets

Description: used in binary privilege escalation.

Description: this contains everything you need for web.

Description: this is the Swiss Army Knife of cheat sheets; it contains guides for everything from databases and OSs to tools, etc.


Recon

Goal:

Identify the attack surface and decide where to enumerate.

Scope:

Broad, non-destructive discovery.

1. Passive/Active Recon

○ Network Recon

  • Host discovery
  • Port scanning
  • Service identification

○ Web Recon

  • Page source
  • Headers
  • Tech stack
  • robots.txt
  • JS file discovery

○ DNS / OSINT Recon

  • Domains
  • Subdomains
  • Public records

2. Post Recon

○ Output of Recon

  • Target map
  • Services list
  • Technologies
  • Enumeration targets

Enumeration

Goal: Extract detailed, actionable information from each discovered service in order to identify exploitable weaknesses. Enumeration explains how things behave, not just that they exist.

Scope:

  • Targeted and interactive
  • Based strictly on Recon results
  • No exploitation yet (unless unavoidable)

1. Service Enumeration

○ Enumerate

  • Service versions and enabled modules
  • Authentication methods
  • Anonymous or guest access
  • Default or weak configurations

○ Examples

  • SSH: banner information, authentication methods (nmap -sV -sC)
  • FTP: anonymous login, writable directories
  • SMB: available shares, permissions (enum4linux -a)
  • Databases: exposed ports, default credentials. I would recommend seeing this for more info.

2. Web Enumeration

○ Directory and File Enumeration

Look for:

  • Admin panels
  • Backup files
  • Old or test versions
  • Configuration files (use dirb or gobuster)

○ Parameter Enumeration

Identify:

  • GET parameters
  • POST parameters
  • JSON keys
  • Cookies
  • Headers
  • Common web vulnerabilities (IDOR, SQLi, XSS, LFI, CSRF, SSRF, command injection, etc.)

Test:

  • Missing parameters
  • Unexpected values
  • Type changes (integer to string, etc.)

○ Authentication Enumeration

Check for:

  • Username validity leaks
  • Error message differences
  • Password reset flaws
  • Missing or weak rate limits
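The "username validity leaks" and "error message differences" items above, as an added example that is not part of the original post: a login handler that leaks whether an account exists beside a hardened one, plus the comparison an authentication-enumeration check makes. The user store, the salt and every function name here are constructed for this illustration.

```python
# Added example (not from the original post). Shows how differing error
# messages and early returns leak username validity, and what the fixed
# handler looks like. All names and data below are constructed.
import hashlib
import hmac
import secrets

def _hash(salt: bytes, password: str) -> bytes:
    # Constructed toy hash; a real deployment would use a slow KDF.
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = b"constructed-salt"
# Constructed user store: username -> (salt, hash(salt + password)).
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}

def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Leaky: the status code and message reveal whether the user exists."""
    rec = USERS.get(username)
    if rec is None:
        return 404, "No such user"
    salt, stored = rec
    if not hmac.compare_digest(_hash(salt, password), stored):
        return 401, "Wrong password"
    return 200, "Welcome"

# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY = (_SALT, _hash(_SALT, secrets.token_hex(16)))

def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Hardened: same status, same message and same work for known and unknown users."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(salt, password), stored) and username in USERS
    if not ok:
        return 401, "Invalid username or password"
    return 200, "Welcome"

def leaks_username(handler) -> bool:
    """Enumeration check: are responses for a known and an unknown username distinguishable?"""
    known = handler("alice", "not-the-password")
    unknown = handler("nobody", "not-the-password")
    return known != unknown
```

The same comparison applies to password-reset and registration endpoints, and to response timing, which the dummy-record trick above equalizes.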

○ API Enumeration

Enumerate:

  • Versioned endpoints
  • Debug or test routes
  • Unauthenticated endpoints
  • Overly verbose responses

3. User Enumeration

Sources:

  • Login and password reset pages
  • API responses
  • SMB, LDAP, or FTP services

4. Permission Enumeration

Enumerate:

  • Read permissions
  • Write permissions
  • Role boundaries
  • Object ownership issues (IDOR)

5. Enumeration After Initial Access

○ Common findings

Look for:

  • Configuration files
  • Stored credentials
  • Internal services
  • Scheduled tasks
  • Sudo rules
  • SUID binaries

6. Post Enumeration

○ Enumeration Output

By the end of enumeration you should have:

  • Services fully mapped
  • Inputs clearly identified
  • Users discovered
  • Trust assumptions documented
  • Clear exploit candidates

If not, enumerate again (:

○ Enumeration Checklist

  • All services enumerated
  • Hidden endpoints discovered
  • Inputs identified
  • Users enumerated
  • Permissions mapped
  • Errors analyzed

[1] Comments section is down below.

This post is licensed under CC BY 4.0 by the author.