Checklist 1: network infrastructure

| Category | Test case | Tools | Feature / command |
|---|---|---|---|
| Reconnaissance | Find network range | Angry IP Scanner, Advanced IP Scanner | IP range |
| | Identify access points | nmap, Zenmap, Sparta, Nessus Pro | nmap aggressive scan (-A) |
| | Identify routers/switches/hubs | nmap, Zenmap, Sparta, Nessus Pro | nmap aggressive scan (-A) |
| | Identify subnets | Angry IP Scanner | IP range |
| | Identify VLANs | nmap, Zenmap, Sparta, Nessus Pro | nmap aggressive scan (-A) |
| | Identify active hosts | Angry IP Scanner | IP range |
| | Perform search engine analysis | Google dorks, Shodan, OSINT | Google dorks: filetype:, inurl:, intitle:, site: etc. |
| | Perform whois lookups | whois | whois database |
| | Identify firewalls/honeypots | nmap, Zenmap, Sparta, Nessus Pro | nmap TCP ACK scan (-sA) |
| | Identify intrusion detection systems | nmap, Zenmap, Sparta, Nessus Pro | nmap TCP ACK scan (-sA) |
| | Identify intrusion prevention systems | nmap, Zenmap, Sparta, Nessus Pro | nmap TCP ACK scan (-sA) |
| | Find any hosted websites | nmap, Zenmap, Sparta, Nessus Pro | nmap port scan |
| | Find network protocols | nmap, Zenmap, Sparta, Nessus Pro | nmap port scan |
| | Find network devices | Angry IP Scanner | IP range |
| | Find network services | nmap, Zenmap, Sparta, Nessus Pro | nmap port scan with version detection (-sV) |
| | Find DNS records | nslookup | nslookup (set type=<record type>; ? lists the options) |
| | Find route paths | tracert (Windows) / traceroute (Linux) | tracert <ip address> |
| Foot-printing | Switches/routers/hubs banner grabbing | nmap, Zenmap, Sparta, Nessus Pro | nmap NSE script (--script banner) |
| | Firewall banner grabbing | nmap, Zenmap, Sparta, Nessus Pro | nmap NSE script (--script banner) |
| | IDS/IPS banner grabbing | nmap, Zenmap, Sparta, Nessus Pro | nmap NSE script (--script banner) |
| | Network devices banner grabbing | nmap, Zenmap, Sparta, Nessus Pro | nmap NSE script (--script banner) |
| | Find firewall version | nmap, Zenmap, Sparta, Nessus Pro | nmap -sV |
| | Find IDS version | nmap, Zenmap, Sparta, Nessus Pro | nmap -sV |
| | Find IPS version | nmap, Zenmap, Sparta, Nessus Pro | nmap -sV |
| | Find common running services in the network | nmap, Zenmap, Sparta, Nessus Pro | nmap -sV |
| | Running services information gathering | nmap, Zenmap, Sparta, Nessus Pro | nmap -sV |
| | Find hosted websites platform | nmap, Zenmap, Sparta | nmap -sV |
| | Capture LAN network traffic | Wireshark, tcpdump, bettercap | Wireshark capture on the LAN interface |
| | Capture wireless network traffic | Wireshark, tcpdump, Acrylic Wi-Fi | Wireshark capture on the WLAN interface |
| | Analyse wireless network traffic | Wireshark | Wireshark pcap analysis |
| | Analyse LAN network traffic | Wireshark | Wireshark pcap analysis |
| Scanning | Scan for open ports | nmap, Zenmap | nmap -p- <ip> |
| | Identify vulnerabilities in running services | nmap, OpenVAS | nmap -A --script vuln <ip> |
| | Identify vulnerabilities in network protocols | nmap, OpenVAS | nmap -A --script vuln <ip> |
| | Identify vulnerabilities in switches/routers/hubs | nmap, OpenVAS | nmap -A --script vuln <ip> |
| | Identify vulnerabilities in firewall | nmap, OpenVAS | nmap -A --script vuln <ip> |
| | Identify vulnerabilities in IDS | nmap, OpenVAS | nmap -A --script vuln <ip> |
| | Identify vulnerabilities in IPS | nmap, OpenVAS | nmap -A --script vuln <ip> |
| | Identify critical endpoints | analysis of recon and foot-printing results | deduced from findings |
| | Identify critical servers | analysis of recon and foot-printing results | deduced from findings |
| | Identify critical network devices | analysis of recon and foot-printing results | deduced from findings |
| | Check default credentials of routers/switches/hubs | THC Hydra, Cain & Abel, John the Ripper | hydra -l <user> -P <passlist.txt> <service>://<ip> |
| | Check default credentials of network devices | THC Hydra, Cain & Abel, John the Ripper | hydra -l <user> -P <passlist.txt> <service>://<ip> |
| Enumeration | Enumerate network services | nmap, Zenmap | nmap -A <ip> |
| | Enumerate hostnames | DNSenum, DNSRecon, nmap | nmap -A <ip> |
| | Enumerate user groups | PowerShell | Get-LocalGroup (PowerView Get-NetGroup for domain groups) |
| | Enumerate user accounts | finger | finger @<ip> |
| | Enumerate file paths | DirBuster, dirb | dirb <url> <wordlist> |
| Target mapping | Identify weak points from gathered information | manual analysis | deduced from findings |
| | Identify entry points | manual analysis | deduced from findings |
| | Discover exploits for vulnerable services | Exploit-DB, OSINT | Exploit-DB search |
| | Discover exploits for vulnerable network protocols | Exploit-DB, OSINT | Exploit-DB search |
| | Discover exploits for vulnerable switches/routers/hubs | Exploit-DB, OSINT | Exploit-DB search |
| | Discover exploits for vulnerable firewall | Exploit-DB, OSINT | Exploit-DB search |
| | Discover exploits for vulnerable IDS | Exploit-DB, OSINT | Exploit-DB search |
| | Discover exploits for vulnerable IPS | Exploit-DB, OSINT | Exploit-DB search |
| | Discover payloads for vulnerable services | Exploit-DB, OSINT | Exploit-DB search |
| | Discover payloads for vulnerable network protocols | Exploit-DB, OSINT | Exploit-DB search |
| | Discover payloads for vulnerable switches/routers/hubs | Exploit-DB, OSINT | Exploit-DB search |
| | Discover payloads for vulnerable firewall | Exploit-DB, OSINT | Exploit-DB search |
| | Discover payloads for vulnerable IDS | Exploit-DB, OSINT | Exploit-DB search |
| | Discover payloads for vulnerable IPS | Exploit-DB, OSINT | Exploit-DB search |
| | Discover exposed sensitive information | manual findings | deduced from findings (sensitive information leaks) |
| | Discover exposed sensitive keys | manual findings | deduced from findings (key leaks) |
| | Discover exposed network keys | manual findings | deduced from findings (network key leaks) |
| | Prepare custom exploits for vulnerable services | Metasploit, msfvenom | suitable exploit/payload modules in Metasploit |
| | Prepare custom exploits for vulnerable network protocols | Metasploit, msfvenom | suitable exploit/payload modules in Metasploit |
| | Prepare custom exploits for vulnerable switches/routers/hubs | Metasploit, msfvenom | suitable exploit/payload modules in Metasploit |
| | Prepare custom exploits for vulnerable firewall | Metasploit, msfvenom | suitable exploit/payload modules in Metasploit |
| | Prepare custom exploits for vulnerable IDS | Metasploit, msfvenom | suitable exploit/payload modules in Metasploit |
| | Prepare custom exploits for vulnerable IPS | Metasploit, msfvenom | suitable exploit/payload modules in Metasploit |
| | Prepare custom dictionary list | CeWL, crunch, combinator | cewl -d 2 -m 5 -w docswords.txt <url> |
| | Identify attack surfaces | manual findings | deduced from findings |
| | Identify attack vectors | manual findings | deduced from findings |
| Exploitation | Perform MAC flooding | macof | macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times] |
| | Perform DHCP attacks | DHCPig | pig.py <interface> |
| | Perform MITM attacks | MITMf, bettercap | bettercap <arguments for the test> |
| | Perform DNS spoofing attacks | ettercap | ettercap > MITM > ARP poisoning > Sniff remote connections > Plugins > dns_spoof |
| | Perform ARP spoofing attacks | arp, arpspoof | arpspoof -i <interface> -t <target ip> <gateway ip> |
| | Exploit identified vulnerabilities in services | Metasploit, msfvenom | run or exploit in the matching module |
| | Exploit identified vulnerabilities in network protocols | Metasploit, msfvenom | run or exploit in the matching module |
| | Exploit identified vulnerabilities in switches/routers/hubs | Metasploit, msfvenom | run or exploit in the matching module |
| | Exploit identified vulnerabilities in IDS | Metasploit, msfvenom | run or exploit in the matching module |
| | Exploit identified vulnerabilities in IPS | Metasploit, msfvenom | run or exploit in the matching module |
| | Exploit identified vulnerabilities in communication protocols | Metasploit, msfvenom | run or exploit in the matching module |
| | Exploit IV reuse (WEP) | Cain & Abel, aircrack-ng | aircrack-ng <pcap file> |
| | Perform DoS attack | HULK, hping3, PyLoris | pyloris -t -c <ip/interface> |
| Gaining access | Access network services | netcat, PuTTY, Metasploit | nc <ip> <port> |
| | Check for default/weak credentials | THC Hydra, Cain & Abel, John the Ripper | hydra -l <user> -P <passlist.txt> <service>://<ip> |
| | Perform brute force for user credentials | THC Hydra, Cain & Abel, John the Ripper | hydra -l <user> -P <passlist.txt> <service>://<ip> |
| | Identify root/system admin user on Windows | PowerShell | Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" \| Select-Object Name,FullName,Disabled |
| | Identify root/system admin user on Linux | terminal | check /etc/passwd (UID 0 entries) |
| | Attempt escalation | BeRoot, PrivEsc, traitor, potato | run BeRoot or a potato variant on the target |
| | Brute force root/system admin user password | THC Hydra, Cain & Abel, John the Ripper | hydra -l <user> -P <passlist.txt> <service>://<ip> |
| | Access least-privileged user account | netcat, PuTTY, Metasploit | nc -lvnp <port> (listener for the reverse shell) |
| | Identify vulnerable process | manual finding and analysis | OS commands (ps on Linux) |
| | Perform process injection | DLL hijacking | manual injection |
| | Perform DLL injection | DLL hijacking | parse.py -d <DLL> -f <header file> -b <bumpfile> |
| | Discover user-level available information | manual finding and analysis | check user folders, directories, files |
| | Discover user-level sensitive information | manual finding and analysis | check for passwords and sensitive information |
| | Discover user-level authorizations | manual finding and analysis | check user-level authorizations and permissions |
| | Discover additional internal network services | manual finding and analysis | check intranet services such as printers, scanners, attendance devices, CCTV cameras |
| | Find private keys/access keys | manual finding and analysis | check for SSH keys, private keys, public keys |
| Post-exploitation | Collect vulnerability info of network services | Nessus Pro report, Snipping Tool | screenshots (Snipping Tool) |
| | Collect vulnerability info of network protocols | Nessus Pro report, Snipping Tool | screenshots (Snipping Tool) |
| | Collect vulnerability info of switches/routers/hubs | Nessus Pro report, Snipping Tool | screenshots (Snipping Tool) |
| | Collect vulnerability info of firewalls | Nessus Pro report, Snipping Tool | screenshots (Snipping Tool) |
| | Collect vulnerability info of IDS | Nessus Pro report, Snipping Tool | screenshots (Snipping Tool) |
| | Collect vulnerability info of IPS | Nessus Pro report, Snipping Tool | screenshots (Snipping Tool) |
| | Collect vulnerability info of hosted web servers | Nessus Pro report, Snipping Tool | screenshots (Snipping Tool) |
| | Collect vulnerability info of wireless network | Nessus Pro report, Snipping Tool | screenshots (Snipping Tool) |
| Clearing tracks | Clear event logs | clearev (Metasploit) | run clearev in the Meterpreter session |
| | Delete uploaded payloads | manual deletion | manual deletion |
| | Delete uploaded exploits | manual deletion | manual deletion |
| | Delete temporary files | manual deletion | manual deletion |
| | Delete any rootkits installed | manual deletion | manual deletion |
| | Remove user accounts created | manual deletion | manual deletion of the created accounts |
| | Reconfigure settings to original state | manual reset | manual reconfiguration |

Note on the nmap features: the TCP ACK scan (-sA) only tells whether a port is filtered or unfiltered, which is what makes it useful for identifying firewalls and rule sets; it does not report open ports, services or versions. Service and version information comes from -sV and the banner NSE script, so those are listed for the banner-grabbing and version rows.
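Several rows above (Scan for open ports, Find network services, Enumerate network services, and the hydra rows that consume the results) leave implicit the step of turning nmap output into a target list. The script below is an added example, not part of the original checklist: it parses nmap's grepable output (-oG) and keeps only ports whose state is exactly "open", so that "filtered" ports and "open|filtered" UDP guesses never reach the credential-attack target file. The host names, addresses and ports in the embedded sample are constructed for the example.

```bash
#!/bin/sh
# Added example for the scanning/enumeration rows: parse nmap grepable output (-oG)
# into per-service target lists. Requires only POSIX sh and awk.

# sample_gnmap prints constructed nmap -oG output (hypothetical hosts and ports),
# standing in for: nmap -sV -p- -oG scan.gnmap 10.0.5.0/24
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -p- -oG - 10.0.5.0/24'
    printf 'Host: 10.0.5.1 (gw.lab.example)\tStatus: Up\n'
    printf 'Host: 10.0.5.1 (gw.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 23/open/tcp//telnet//Cisco telnetd/, 161/open|filtered/udp//snmp///\tIgnored State: closed (65532)\n'
    printf 'Host: 10.0.5.20 ()\tStatus: Up\n'
    printf 'Host: 10.0.5.20 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.29/, 445/filtered/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\n'
    printf 'Host: 10.0.5.21 ()\tStatus: Down\n'
    printf '%s\n' '# Nmap done at Mon Jan  1 00:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds'
}

# gnmap_open_services reads -oG output on stdin and prints one line per port
# whose state is exactly "open": "<ip> <port> <proto> <service> <version>".
# "filtered" and "open|filtered" ports are deliberately dropped.
gnmap_open_services() {
    awk '
        /^Host:/ && /Ports:/ {
            ip = $2
            sub(/.*Ports: /, "")                       # keep only the port list
            sub(/[[:space:]]+Ignored State:.*/, "")    # drop the trailing summary, if any
            n = split($0, ports, /, /)
            for (i = 1; i <= n; i++) {
                # each entry is port/state/proto/owner/service/rpc/version/
                split(ports[i], f, "/")
                if (f[2] == "open")
                    printf "%s %s %s %s %s\n", ip, f[1], f[3], f[5], f[7]
            }
        }'
}

# targets_for_service filters that list down to "<ip>:<port>" for one service
# name, which is the per-line form hydra's -M target file accepts.
targets_for_service() {
    gnmap_open_services | awk -v svc="$1" '$4 == svc { print $1 ":" $2 }'
}

# count_open_services returns the number of open ports found (quick sanity check
# against the scan summary before the list is handed to later steps).
count_open_services() {
    gnmap_open_services | wc -l | tr -d ' '
}

# Stand-alone run: show the parsed sample.
sample_gnmap | gnmap_open_services
```

Usage against a real scan: `targets_for_service ssh < scan.gnmap > ssh_targets.txt`, then `hydra -L users.txt -P passlist.txt -M ssh_targets.txt ssh`. Keeping the state check exact is the point: a port nmap reports as open|filtered has not answered at all, and brute-forcing it only burns time and fills the IDS log.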
Checklist 2: hosts and web applications

| Category | Test case | Tools | Feature / command |
|---|---|---|---|
| Reconnaissance | Find network range | Angry IP Scanner | IP range |
| | Identify access points | nmap, Zenmap, Sparta, Nessus Pro | nmap aggressive scan (-A) |
| | Identify routers/switches/hubs | nmap, Zenmap, Sparta, Nessus Pro | nmap aggressive scan (-A) |
| | Identify subnets | Angry IP Scanner | IP range |
| | Identify VLANs | nmap, Zenmap, Sparta, Nessus Pro | nmap aggressive scan (-A) |
| | Identify active hosts | Angry IP Scanner | IP range |
| | Perform search engine queries | Google dorks, Shodan, OSINT | Google dorks: filetype:, inurl:, intitle:, site: etc. |
| | Perform whois lookups | whois | whois database |
| | Identify firewalls | nmap, Zenmap, Sparta, Nessus Pro | nmap TCP ACK scan (-sA) |
| | Identify intrusion detection systems | nmap, Zenmap, Sparta, Nessus Pro | nmap TCP ACK scan (-sA) |
| | Identify intrusion prevention systems | nmap, Zenmap, Sparta, Nessus Pro | nmap TCP ACK scan (-sA) |
| | Find any hosted websites | nmap, Zenmap, Sparta, Nessus Pro | nmap port scan |
| | Find network protocols | nmap, Zenmap, Sparta, Nessus Pro | nmap port scan |
| | Find network devices | Angry IP Scanner | IP range |
| Foot-printing | Find host-based services | nmap, Zenmap, Nessus Pro | nmap -sV |
| | OS fingerprinting | nmap, Zenmap, Nessus Pro | nmap -O (included in -A) |
| | Web server banner grabbing | httprint, httprecon | httprecon: enter the target IP or domain name |
| | CMS fingerprinting | CMSmap, Wappalyzer | Wappalyzer extension |
| | Identify server-side language | Wappalyzer, browser | Wappalyzer extension |
| | Find OS kernel version | nmap, Zenmap, Nessus Pro | nmap -O |
| | Running services fingerprinting | nmap, Zenmap | nmap -sV |
| | Find hosted websites platform | cURL, Wget, Nikto | curl -I <url> (Server and X-Powered-By headers) |
| | Capture network traffic | Wireshark, tcpdump, bettercap | Wireshark capture on the LAN interface |
| | Analyse network traffic | Wireshark | Wireshark pcap analysis |
| | Running services information gathering | Google, DuckDuckGo | search for the identified service banners and versions |
| Scanning | Scan for open ports | nmap, Zenmap, Sparta | nmap -p- <ip> |
| | Scan for open network services | nmap, Zenmap, Sparta | nmap -A <ip> |
| | Scan for open application services | nmap, Zenmap, Sparta | nmap -A <ip> |
| | Identify vulnerabilities in open ports | Nessus Pro, Nexpose, OpenVAS | nmap -A --script vuln <ip> |
| | Identify vulnerabilities in open network services | Nessus Pro, Nexpose, OpenVAS | nmap -A --script vuln <ip> |
| | Identify vulnerabilities in open application services | Nessus Pro, Nexpose, OpenVAS | nmap -A --script vuln <ip> |
| | Identify vulnerabilities in network protocols | Nessus Pro, Nexpose, OpenVAS | nmap -A --script vuln <ip> |
| | Identify vulnerabilities in web server | nmap, httprint, httprecon | httprint -h <host> -s signatures.txt |
| | Identify vulnerabilities in CMS | CMSmap, Wappalyzer | cmsmap.py https://example.com |
| | Identify vulnerabilities in server-side language | Google, DuckDuckGo | search engine |
| | Identify hidden forms/fields | Tamper Data, Burp Suite | manual analysis of each login/form through the proxy |
| | Identify hidden directories | dirb, DirBuster | dirb <url> <wordlist> |
| Enumeration | Enumerate application services | nmap | nmap -A <ip> |
| | Enumerate kernel platform | kernelpop | run kernelpop.py |
| | Enumerate network services | nmap, Zenmap | nmap -A <ip> |
| | Enumerate hostnames | Angry IP Scanner | enter the IP range in the scan range field |
| | Enumerate user groups | PowerShell | Get-LocalGroup (PowerView Get-NetGroup for domain groups) |
| | Enumerate user accounts | finger | finger @<ip> |
| | Enumerate file paths | DirBuster, dirb | dirb <url> <wordlist> |
| Target mapping | Identify weak points from gathered information | manual analysis | deduced from findings |
| | Identify entry points | manual analysis | deduced from findings |
| | Discover exploits for vulnerable network services | Exploit-DB, OSINT | Exploit-DB search |
| | Discover exploits for vulnerable application services | Exploit-DB, OSINT | Exploit-DB search |
| | Discover exploits for vulnerable network protocols | Exploit-DB, OSINT | Exploit-DB search |
| | Discover exploits for vulnerable web server | Exploit-DB, OSINT | Exploit-DB search |
| | Discover exploits for vulnerable CMS | Exploit-DB, OSINT | Exploit-DB search |
| | Discover payloads for vulnerable network services | Exploit-DB, OSINT | Exploit-DB search |
| | Discover payloads for vulnerable application services | Exploit-DB, OSINT | Exploit-DB search |
| | Discover payloads for vulnerable network protocols | Exploit-DB, OSINT | Exploit-DB search |
| | Discover exposed sensitive content | OSINT | deduced from findings |
| | Discover exposed sensitive keys | OSINT | deduced from findings |
| | Discover exposed network keys | OSINT | deduced from findings |
| | Prepare custom exploits for vulnerable network services | Metasploit, msfvenom | related exploit/payload modules in Metasploit |
| | Prepare custom dictionary list | CeWL, crunch, combinator | cewl -d 2 -m 5 -w docswords.txt <url> |
| | Identify attack surface | manual analysis | deduced from findings |
| | Identify attack vectors | manual analysis | deduced from findings |
| Exploitation | Perform kernel exploitation | kernelpop | run kernelpop.py |
| | Perform MAC flooding | macof | macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times] |
| | Perform DHCP attacks | DHCPig | pig.py <interface> |
| | Perform MITM attacks | MITMf, ettercap, bettercap | bettercap <arguments for the test> |
| | Perform DNS spoof attack | ettercap | ettercap > MITM > ARP poisoning > Sniff remote connections > Plugins > dns_spoof |
| | Perform ARP spoofing attacks | arp, arpspoof | arpspoof -i <interface> -t <target ip> <gateway ip> |
| | Perform DoS attack | HULK, hping3, PyLoris | pyloris -t -c <ip/interface> |
| | Test for reverse shell access | netcat, Metasploit | test the one-liners from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet |
| | Exploit identified vulnerabilities in network services | Metasploit, msfvenom | run or exploit in the matching module |
| | Exploit identified vulnerabilities in application services | Metasploit, msfvenom | run or exploit in the matching module |
| | Exploit identified vulnerabilities in network protocols | Metasploit, msfvenom | run or exploit in the matching module |
| Gaining access | Access network services | netcat, PuTTY, Metasploit | nc <ip> <port> |
| | Check for default credentials | THC Hydra, Cain & Abel, John the Ripper | hydra -l <user> -P <passlist.txt> <service>://<ip> |
| | Brute force user credentials | THC Hydra, Cain & Abel, John the Ripper | hydra -l <user> -P <passlist.txt> <service>://<ip> |
| | Access least-privileged user account | netcat, PuTTY, Metasploit | nc -lvnp <port> (listener for the reverse shell) |
| | Identify vulnerable process | manual finding and analysis | OS commands (ps on Linux) |
| | Perform process injection | DLL hijacking | manual injection at the weak point |
| | Perform DLL injection | DLL hijacking | parse.py -d <DLL> -f <header file> -b <bumpfile> |
| | Discover user-level available information | manual finding and analysis | check user folders, directories, files |
| | Discover user-level sensitive content | manual finding and analysis | check for passwords and sensitive information |
| | Discover user-level authorizations | manual finding and analysis | check user-level authorizations and permissions |
| | Discover additional network services (intranet) | manual finding and analysis | check intranet services such as printers, scanners, attendance devices, CCTV cameras |
| | Find network keys | manual finding and analysis | check for SSH keys, private keys, public keys |
| | Identify root/system admin user on Windows | PowerShell | Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" \| Select-Object Name,FullName,Disabled |
| | Identify root/system admin user on Linux | terminal | check /etc/passwd (UID 0 entries) |
| | Attempt escalation | BeRoot, PrivEsc, traitor, potato | manual attempt: run BeRoot or a potato variant on the target |
| | Brute force root/system admin user password | THC Hydra, Cain & Abel, John the Ripper | hydra -l <user> -P <passlist.txt> <service>://<ip> |
| Post-exploitation | Collect vulnerability info of services | Nessus reports, Snipping Tool | screenshots (Snipping Tool) |
| | Collect vulnerability info of network protocols | Nessus reports, Snipping Tool | screenshots (Snipping Tool) |
| | Collect vulnerability info of hosted web servers | Nessus reports, Snipping Tool | screenshots (Snipping Tool) |
| | Collect vulnerability info of wireless network | Nessus reports, Snipping Tool | screenshots (Snipping Tool) |
| Clearing tracks | Clear event logs | clearev (Metasploit) | run clearev in the Meterpreter session |
| | Reconfigure settings to original state | manual reset | manual reconfiguration |
| | Delete uploaded payloads | manual deletion | manual deletion |
| | Delete uploaded exploits | manual deletion | manual deletion |
| | Delete temporary files | manual deletion | manual deletion |
| | Delete any rootkits installed | manual deletion | manual deletion |
| | Remove user accounts created | manual deletion | manual deletion of the created accounts |
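Both checklists reduce "Identify root/system admin user on Linux" to "check /etc/passwd" and "Enumerate user accounts" to finger. The script below is an added example, not part of the original checklist, showing what to actually extract from that file: every UID 0 account (a second one besides root is either a deliberate backdoor or someone else's), accounts with an empty password field, and the accounts with an interactive shell that are worth feeding to the hydra rows. The embedded /etc/passwd is constructed for the example; the account names in it are hypothetical.

```bash
#!/bin/sh
# Added example for the "Identify root/system admin user on Linux" and
# "Enumerate user accounts" rows: read /etc/passwd and pull out the accounts that
# matter for privilege escalation and for the credential attacks. Requires only
# POSIX sh, awk and sed. Each function accepts a file argument or reads stdin.

# sample_passwd prints a constructed /etc/passwd (hypothetical accounts) so the
# example runs offline; on a target run: passwd_report /etc/passwd
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
backup2::1002:1002:Backup operator:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
svc-deploy:x:1003:1003::/opt/deploy:/bin/false
EOF
}

# uid0_accounts lists every account whose UID is 0, i.e. root-equivalent.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$@"; }

# extra_superusers is uid0_accounts minus root itself: any hit here is a planted
# superuser account and should be reported on its own line in the findings.
extra_superusers() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$@"; }

# interactive_accounts lists accounts whose shell allows a login, as
# "<user>:<uid>:<shell>"; these are the usernames worth brute-forcing.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$@"
}

# passwordless_accounts lists accounts with an empty password field: there is no
# hash in /etc/shadow to consult, so login may succeed with no password at all.
passwordless_accounts() { awk -F: '$2 == "" { print $1 }' "$@"; }

# passwd_report prints all findings with a tag in front of each line. The input
# is read once into a variable because stdin can only be consumed once.
passwd_report() {
    data=$(cat "$@")
    printf '%s\n' "$data" | uid0_accounts         | sed 's/^/UID0 /'
    printf '%s\n' "$data" | passwordless_accounts | sed 's/^/NOPASS /'
    printf '%s\n' "$data" | interactive_accounts  | sed 's/^/LOGIN /'
}

# Stand-alone run against the constructed sample.
sample_passwd | passwd_report
```

The UID check is the one that matters most: `/etc/passwd` is world-readable, so it can be read from the least-privileged account the checklist says to obtain first, and a second UID 0 entry tells you both that escalation may already be trivial and that the host may have been compromised before your engagement, which belongs in the report regardless of what else is found.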
S.no Service name
1 SNMP
2 DNS
3 LDAP
4 SMB
5 DFS
6 NTP
7 FTP
8 Active Directory
9 OpenLDAP
10 Novell Directory Services
11 ACL
12 SFTP
13 TFTP
14 Telnet
15 SSH
16 SMTP
17 NetBIOS
18 Kerberos
19 Database services
20 Remote access services
21 VPN services
22 POP3
23 IMAP
24 IRC
25 Printer services
26 Storage services
27 Web services
28 VoIP services
29 Syslog
30 RPC
31 VNC
32 Open system for communication services
33 RTSP (Real Time Streaming Protocol) services