Known vulnerabilities

Theory

This step ends the reconnaissance phase. The previous steps were aimed at gaining knowledge about the attack surface

Web server
Content Management System (CMS)
Web Application Firewall (WAF)
JavaScript Frameworks
and other technologies

Known vulnerabilities may then be identified depending on these information.

Practice

Known vulnerabilities can be found from the following resources

exploit-db.com: an online exploit database
searchsploit is a command-line utility that allows to do offline searches through the exploit-db
CVE Details, NVD NIST and MITRE are online CVE (Common Vulnerabilities and Exposures) searches

bash

# search exploits for a technology
searchsploit $technology

# Read an exploit
searchsploit -x $exploit_path

# Copy an exploit to the current directory
searchsploit -m $exploit_path

# Update the searchsploit database
searchsploit -u

When a vulnerability is found, one can research a Proof-Of-Concept (PoC) to try at exploiting the vulnerability. Most public PoCs can be found on GitHub.

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

Known vulnerabilities

Theory

Practice

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

Known vulnerabilities ​

Theory ​

Practice ​

Known vulnerabilities

Theory

Practice