rattis wrote:Hi and welcome to the forum.
So what tools and methodology did you use on your project? how did you track the data? what was your favorite part, and what was your least favorite parts of the project?
Thank you so much for your comment.
Well, I use ISSAF methodology in my Penetration Testing projects (OSSTMM is newer and alot better but I haven't fully studied it, I'm gonna use it later after studying) but ISSAF handles my job very well, so I'm happy with that.
About the tools, I pretty much use all of common tools. I use Kali and Samurai as a platform, Nmap for active info gathering, OpenVAS for finding vulns, Metasploit and Searchsploit for exploitation, brupsuite. w3af and temper and acunetix for web application pentest, and you can guess the rest i think, Hydra, john the ripper, nessus, and so on....
I think the most important part in a pentest is Information gathering, Because we can find alot sensitve data without even using any hacking skills, and i always dedicate more time for this phase, For example it's great to search the company's name in job finding websites, because if their IT dept wants to hire someone, then we can somehow guess which services they are running. i also try to find employees in social network like Facebook or LinkedIn, because i may want to perform a social engineering attack against them later in order get data out of them. I've also created a virtual Linux based mediawiki server on vmware to archive all of the obtained information from this phase.
My favorite part of any pentesting project, is exploitation. It makes me so happy when an exploit runs successfully! But again in order to exploit a services we need to have a whole bunch of correct and useful information from previous phases.
Again Thank so much for your comment my friend.
"This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked
to them, may never hear from them again... I know you all...