Update PEH

syselement · Jul 2, 2024 · 4c28296 · 4c28296
1 parent 76acae8
commit 4c28296
Show file tree

Hide file tree

Showing 12 changed files with 171 additions and 6 deletions.
diff --git a/peh/3-eth-hack/.gitbook/assets/2024-07-02_20-03-06_537.png b/peh/3-eth-hack/.gitbook/assets/2024-07-02_20-03-06_537.png
diff --git a/peh/3-eth-hack/.gitbook/assets/2024-07-02_20-30-23_539.png b/peh/3-eth-hack/.gitbook/assets/2024-07-02_20-30-23_539.png
diff --git a/peh/3-eth-hack/.gitbook/assets/2024-07-02_23-58-39_542.png b/peh/3-eth-hack/.gitbook/assets/2024-07-02_23-58-39_542.png
diff --git a/peh/3-eth-hack/.gitbook/assets/2024-07-03_00-09-39_543.png b/peh/3-eth-hack/.gitbook/assets/2024-07-03_00-09-39_543.png
diff --git a/peh/3-eth-hack/.gitbook/assets/2024-07-03_00-12-42_544.png b/peh/3-eth-hack/.gitbook/assets/2024-07-03_00-12-42_544.png
diff --git a/peh/3-eth-hack/.gitbook/assets/Phases-of-Ethical-Hacking.png b/peh/3-eth-hack/.gitbook/assets/Phases-of-Ethical-Hacking.png
diff --git a/peh/3-eth-hack/README.md b/peh/3-eth-hack/README.md
@@ -1,11 +1,27 @@
 # 3. The Ethical Hacker Methodology
 
+![Phases of Ethical Hacking - InfosecTrain](.gitbook/assets/Phases-of-Ethical-Hacking.png)
+
+**Ethical hacking**, or **penetration testing**, identifies and addresses vulnerabilities in computer systems and networks through a structured process.
+
+The five stages are:
+
+1. **Reconnaissance**: Gathering information about the target using passive techniques like public searches, website browsing and DNS examination to understand the target and find potential entry points.
+2. **Scanning**: Actively probing the target to discover open ports, services and vulnerabilities using tools like port scanners, network mappers and vulnerability scanners to identify exploitable weaknesses.
+3. **Gaining Access**: Exploiting discovered vulnerabilities to gain unauthorized access using methods like password cracking, social engineering and software exploits.
+4. **Maintaining Access**: Ensuring continued access by bypassing security, setting up backdoors and establishing persistent access to mimic a real attacker and assess potential impact.
+5. **Covering Tracks**: Removing traces of activity by deleting logs, modifying files and restoring the system to its original state to remain undetected and to leave no evidence.
+
+> Ethical hacking must always be **authorized**, legal and conducted with strict adherence to **ethical guidelines**, **confidentiality** and necessary **permissions** from system owners.
+>
+> ❗ **Use these techniques responsibly, ethically and with proper authorization for security testing!**
+
 ## Sections
 
-1. Information Gathering
-1. Scanning & Enumeration
-1. Vulnerability Scanning with Nessus
-1. Exploitation Basics
+1. [Information Gathering](recon.md)
+1. [Scanning & Enumeration](enum.md)
+1. [Vulnerability Scanning with Nessus](va.md)
+1. [Exploitation Basics](exploit.md)
 
 ------
 
diff --git a/peh/3-eth-hack/enum.md b/peh/3-eth-hack/enum.md
@@ -0,0 +1 @@
+# Scanning & Enumeration
diff --git a/peh/3-eth-hack/exploit.md b/peh/3-eth-hack/exploit.md
@@ -0,0 +1 @@
+# Exploitation Basics
diff --git a/peh/3-eth-hack/recon.md b/peh/3-eth-hack/recon.md
@@ -0,0 +1,132 @@
+# Information Gathering
+
+## Passive reconnaissance
+
+➡️ **Physical** engagement / **Social** engineering
+
+- **Location** information like
+  - satellite images
+  - drone recon
+  - building layout (badge readers, security, fencing, etc)
+- **Job** information
+  - employees (name, job title, phone number, etc)
+  - pictures (badge photos, desk photos, computer photos, etc)
+
+
+
+➡️ Web / Host Assessment
+
+- target validation
+  - `whois`, `nslookup`, `dnsrecon`
+- finding subdomains
+  - Google, `dig`, `nmap`, `crt.sh`, etc
+- fingerprinting
+  - `nmap`, `wappalyzer`, `netcat`, etc
+- data breaches
+  - HaveIBeenPwned, Breach-Parse, WeLeakInfo
+
+
+
+### Target
+
+> ❗ Always refer to a Bug Bounty program to find valid targets that can be legally tested
+>
+> 🔗 [Bugcrowd](https://bugcrowd.com/engagements)
+>
+> - 🧪  `e.g.` - [Tesla](https://bugcrowd.com/tesla)
+
+- Read the **program details**, follow the terms and stay in scope
+- Following test will be made on the `*.tesla.com` target
+
+---
+
+## Discovering email addresses
+
+- The goal is discovering public email addresses and check if they really exist
+
+➡️ [Hunter.io](https://hunter.io/domain-search) (free registration) - Find email addresses from any company name or website
+
+![Hunter.io](.gitbook/assets/2024-07-02_20-03-06_537.png)
+
+➡️ [Phonebook.cz](https://phonebook.cz/) (free registration) - Phonebook lists all domains, email addresses, or URLs for the given input domain
+
+➡️ [VoilaNorbert](https://www.voilanorbert.com/)
+
+➡️ [Clearbit Connect](https://clearbit.com/resources/tools/connect) (Chrome extension)
+
+➡️ [EmailHippo Email address verifiy](https://tools.emailhippo.com/) - Free email address verification tool
+
+➡️ [Email-checker](https://email-checker.net/)
+
+---
+
+## Breached credentials
+
+➡️ [breach-parse](https://github.com/hmaverickadams/breach-parse) - A tool for parsing breached passwords
+
+- `BreachCompilation` password list (44GB) file comes from breached password dumps
+
+```bash
+breach-parse @tesla.com tesla.txt "~/Downloads/BreachCompilation/data"
+```
+
+**Credential stuffing** and **Password spraying** can be done using the results.
+
+
+
+➡️ [DeHashed.com](https://dehashed.com/) (subscription) - public data search-engine
+
+- Hashed passwords or other data can be found
+- Collect all the data (email, username, IP, address, etc) with the goal to find patterns, that could be related to personal accounts too
+- Investigation to tie the data to other accounts, etc
+- Use tools to try to decrypt the hashed password, like [Hashes.com](https://hashes.com/en/decrypt/hash), Google, etc
+
+![DeHashed.com](.gitbook/assets/2024-07-02_20-30-23_539.png)
+
+---
+
+## Hunting subdomains
+
+Identify subdomains 
+
+➡️ [Sublist3r](https://github.com/aboul3la/Sublist3r) (outdated) - enumerate subdomains of websites using OSINT
+
+```bash
+sudo apt install sublist3r
+```
+
+```bash
+sublist3r -d tesla.com
+
+sublist3r -d tesla.com -t 100 -v
+```
+
+
+
+➡️ [crt.sh](https://crt.sh/) - look for registered certificates and find subdomains or sub-subdomains
+
+![crt.sh](.gitbook/assets/2024-07-02_23-58-39_542.png)
+
+➡️ [amass](https://github.com/owasp-amass/amass) - in-depth attack surface mapping and asset discovery
+
+```bash
+sudo apt install amass
+```
+
+```bash
+amass enum -d tesla.com
+
+amass enum -d syselement.com
+```
+
+![amass enum -d tesla.com](.gitbook/assets/2024-07-03_00-09-39_543.png)
+
+![amass enum -d syselement.com](.gitbook/assets/2024-07-03_00-12-42_544.png)
+
+➡️ [httprobe](https://github.com/tomnomnom/httprobe) - take a list of domains and probe for working (alive) http and https servers
+
+---
+
+## Website technologies
+
+➡️ [BuiltWith.com](https://builtwith.com/) - find out what websites are built with
diff --git a/peh/3-eth-hack/va.md b/peh/3-eth-hack/va.md
@@ -0,0 +1 @@
+# Vulnerability Scanning with Nessus
diff --git a/peh/peh-references.md b/peh/peh-references.md
@@ -61,11 +61,25 @@
 
 ## The Ethical Hacker Methodology
 
-
+- [Phases of Ethical Hacking - InfosecTrain](https://www.infosectrain.com/blog/phases-of-ethical-hacking/)
+- [Bugcrowd](https://bugcrowd.com/engagements)
 
 ### Information Gathering
 
-
+- [Hunter.io](https://hunter.io/domain-search)
+- [Phonebook.cz](https://phonebook.cz/)
+- [Clearbit Connect](https://clearbit.com/resources/tools/connect)
+- [EmailHippo Email address verifiy](https://tools.emailhippo.com/)
+- [Email-checker](https://email-checker.net/)
+- [breach-parse](https://github.com/hmaverickadams/breach-parse)
+- [DeHashed.com](https://dehashed.com/)
+- [Hashes.com](https://hashes.com/en/decrypt/hash)
+- [Sublist3r](https://github.com/aboul3la/Sublist3r)
+- [crt.sh](https://crt.sh/)
+- [amass](https://github.com/owasp-amass/amass)
+- [httprobe](https://github.com/tomnomnom/httprobe)
+- [BuiltWith.com](https://builtwith.com/)
+- 
 
 ### Scanning & Enumeration