Commit 9baebd4

Merge pull request #1 from dsopas/dev
Large update that should be in the master version
2 parents dfc33c9 + 0a45d6e commit 9baebd4

5 files changed (+28 / -24 lines)

5 files changed

+28
-24
lines changed

README.md

Lines changed: 12 additions & 9 deletions
@@ -1,23 +1,26 @@
11
# Security Assessment Mindset
2-
by David Sopas [@dsopas](https://twitter.com/dsopas)
2+
3+
![Cool image from Char49](https://char49.com/labs/wp-content/uploads/2018/03/mindset.jpg)
34

45
## Why
5-
I did this to help me on my all-around security assessments (pentest, bug bounty, red-team) and to keep my work organized.
6+
I did this to help me on my security assessments (pentest, bug bounty, red-team, kung) and to keep my work well organized.
67

78
Each time I finished a task, I marked it with a check icon using [XMind](https://www.xmind.net/). If you don't have this tool, print the image version and use your pencil to mark it as done.
89

9-
Included in this mindset is [WAHH Methodology](http://mdsec.net/wahh/tasks.html) and [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist).
10+
Included in this mindset is [WAHH Methodology](http://mdsec.net/wahh/tasks.html), [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist) and [IOT PenTesting Guide](https://www.gitbook.com/book/adi0x901/iot-pentesting-guide/details) from [@adi1391](https://twitter.com/adi1391).
1011

11-
On some particular tasks you have notes (only in XMind format) that provide name of some tools you might use for that particular task.
12+
On some particular tasks you have notes (only in XMind format) that provide the name of some tools or links you might use for that particular task.
1213

1314
## Formats
14-
If you don't have XMind software, I exported the PNG and the Freemind version. If you need other format, please let me know so I can start exporting it in future versions.
15+
If you don't have XMind software, I exported the PNG, Freemind and OPML versions. If you need other format, please let me know so I can start exporting it in future versions.
1516

16-
## Contribute
17-
New tasks, tools, typos and other things you think it would help this mindset, add a new issue on Github for discussion and validation. This is open to all the infosec community so let us all keep things rolling.
17+
## How to contribute
18+
New tasks, tools, typos and other things you think it would help this mindmap, please **Add a new issue on dev branch** on this repo for discussion and validation. Remember that tis is open to ALL infosec community so let us all keep things rolling :thumbsup:. Any question, feel free to ping me at [Twitter](https://www.twitter.com/dsopas).
1819

1920
## To do
2021
- Mobile applications mindmap (iOS and Android)
21-
- Networking mindmap (currently working on this)
22+
- Networking mindmap (work in progress)
2223
- Wifi mindmap
23-
- IoT mindmap
24+
- IoT mindmap (work in progress)
25+
- Add "Thanks" section for shout people who helped in this project
26+
- Improve font style and colors
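Review bot: the new line 6 adds a stray word to the list of assessment types ("pentest, bug bounty, red-team, kung"); either drop "kung" or spell out what it stands for, since a reader cannot tell what kind of engagement it refers to. In the "How to contribute" paragraph (line 18), "Add a new issue on dev branch" does not match how the repo is used: GitHub issues are not scoped to a branch, and this merge itself came in as a pull request from `dsopas/dev`, so say "open an issue for discussion, and send pull requests against the `dev` branch". Typos in the same hunk: "tis is open to ALL infosec community" should read "this is open to the whole infosec community", "things you think it would help" should be "things you think would help", "Included in this mindset is X, Y and Z" should be "are", and in the to-do list "Add "Thanks" section for shout people" should be "to shout out to people". Minor: "IOT PenTesting Guide" is usually written "IoT", and the banner image is hotlinked from char49.com, so consider committing it to the repo so the README does not break if that URL moves.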

assessment-mindset.mm

Lines changed: 15 additions & 15 deletions

assessment-mindset.opml

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
<?xml version="1.0" encoding="UTF-8" standalone="no"?><opml version="2.0"><head><title>Target</title><owername>dsopas</owername><producer>XMind</producer><xmind-version>3.7.7</xmind-version></head><body><outline text="Target"><outline text="Infrastructure"><outline text="Web"><outline text="Top Level Domain"><outline text="target.com"><outline text="List of IPs"/></outline></outline><outline text="List subdomains"><outline text="subbrute"/><outline text="Sublist3r"/><outline text="Cloudflare Enumeration Tool"/></outline><outline text="Recon and Mapping"><outline text="Brute-force Files and Directories"><outline text="gobuster"/><outline text="dirsearch"/><outline text="DirBuster"/></outline><outline text="Public vulnerabilities, leaks or attacks"/><outline text="Google Hacking Database"><outline text="exploit-db.com" type="link" url="https://www.exploit-db.com/google-hacking-database/"/></outline><outline text="Discover new endpoints from JS files"><outline text="JSParser"/></outline><outline text="CDN misconfigurations"><outline text="bucket_finder"/><outline text="lazys3"/><outline text="teh_s3_bucketeers"/></outline><outline text="Meta Data gathering"><outline text="Documents and Images"><outline text="Foca"/><outline text="recon-ng (metacrawler)"/></outline></outline><outline text="Certificate search"><outline text="crt.sh"/></outline><outline text="Emails"><outline text="Gather Addresses"><outline text="TheHarvester"/><outline text="Maltego"/></outline><outline text="Verify Address"><outline text="hunter.io"/><outline text="Facebook"/><outline text="haveibeenpwned.com" type="link" url="https://haveibeenpwned.com/"/><outline text="Search engines"/></outline></outline><outline text="Wayback Machine"><outline text="archive.org" type="link" url="http://archive.org/web/"/></outline><outline text="Socal Media Profiles"><outline text="Facebook"/><outline text="Twitter"/><outline text="Linkedin"/></outline><outline text="Technology Profile"><outline 
text="builtwith.com" type="link" url="https://builtwith.com/"/><outline text="wappalyzer.com" type="link" url="https://www.wappalyzer.com"/><outline text="w3techs.com" type="link" url="https://w3techs.com/sites"/><outline text="toolbar.netcraft.com" type="link" url="https://toolbar.netcraft.com/site_report"/><outline text="whatcms.org" type="link" url="https://whatcms.org"/></outline><outline text="Other domains"><outline text="Reverse Whois"><outline text="viewdns.info"/></outline><outline text="Nerdydata with Analytics UA"><outline text="nerdydata.com" type="link" url="https://nerdydata.com/search"/></outline><outline text="Reverse IP Domain"><outline text="yougetsignal.com" type="link" url="https://www.yougetsignal.com/tools/web-sites-on-web-server/"/></outline></outline></outline><outline text="Test"><outline text="Client-side Controls"><outline text="Test Transmission of Data via the Client"/><outline text="Test Client-side Control Over User Input"/><outline text="Test Thick-client Components"/></outline><outline text="Access Controls"><outline text="Understand the Access Control Requirements"/><outline text="Testing with Multiple Accounts"/><outline text="Testing with Limited Access"/><outline text="Test for Insecure Access Control Methods"/></outline><outline text="Logic Flaws"><outline text="Identify the Key Attack Surface"/><outline text="Test Multistage Processes"/><outline text="Test Handling of Incomplete Input"/><outline text="Test Trust Boundaries"/><outline text="Test Transaction Logic"/></outline><outline text="Authentication Mechanism"><outline text="Understand the Mechanism"/><outline text="Test Password Quality"/><outline text="Test for Username Enumeration"><outline text="Forgot Password"><outline text="Message output"/><outline text="Timing requests"/></outline><outline text="Signup page"/><outline text="Change username"/></outline><outline text="Test Resilience to Password Guessing"/><outline text="Test Any Account Recovery Function"/><outline 
text="Test Any Remember Me Function"/><outline text="Test Any Impersonation Function"/><outline text="Test Username Uniqueness"><outline text="Test for company internal domains"/></outline><outline text="Test Predictability of Auto-Generated Credentials"/><outline text="Test for Unsafe Transmission of Credentials"/><outline text="Test for Logic Flaws"/><outline text="Exploit Any Vulnerabilities to Gain Unauthorized Access"/></outline><outline text="Session Management Mechanism"><outline text="Understand the Mechanism"/><outline text="Test Tokens for Meaning"/><outline text="Test Tokens for Predictability"/><outline text="Check for Insecure Transmission of Tokens"/><outline text="Check for Disclosure of Tokens in Logs"/><outline text="Check Mapping of Tokens to Sessions"/><outline text="Test Session Termination"/><outline text="Check for Session Fixation"/><outline text="Check for CSRF"/><outline text="Check for Cookie Scope"/></outline><outline text="Web Server Vulnerabilities"><outline text="Test for Default Credentials"/><outline text="Test for Default Content"/><outline text="Test for Dangerous HTTP Methods"/><outline text="Test for Proxy Functionality"/><outline text="Test for Virtual Hosting Misconfiguration"/><outline text="Test for Web Server Software bugs"/></outline><outline text="Input-based Vulnerabilities"><outline text="Fuzz all Request Parameters"/><outline text="Test for SQL Injection"><outline text="sqlmap"/></outline><outline text="Test for XSS and Other Response Injection"><outline text="TPLMap"/><outline text="XSS Hunter"/><outline text="XSSSniper"/></outline><outline text="Test for OS Command Injection"><outline text="Commix"/></outline><outline text="Test for Path Traversal"><outline text="dotdotpwn"/><outline text="Panoptic"/></outline><outline text="Test for Script Injection"/><outline text="Test for File Inclusion"><outline text="fimap"/><outline text="LFISuite"/></outline><outline text="Test for XXE"><outline text="XXEinjector"/><outline 
text="oxml_xxe"/><outline text="xxe.sh" type="link" url="http://www.xxe.sh"/></outline><outline text="Test for DOM based attacks"/><outline text="Test for Race Conditions"/><outline text="Test for Object Injection"/><outline text="Test for HTML Injection"/></outline><outline text="Misc Check"><outline text="Check for Frame Injection"><outline text="savanttools.com" type="link" url="http://savanttools.com/test-frame"/></outline><outline text="Check for Local Privacy Vulnerabilities"/><outline text="Follow up any information leakage"/><outline text="Tabnabbing"/></outline><outline text="SSL and Security headers testing"><outline text="observatory.mozilla.org" type="link" url="observatory.mozilla.org"/></outline><outline text="API"><outline text="Authentication"><outline text="Check for Basic Auth"/><outline text="Test &quot;Max Retry&quot; and jail features in Login"/><outline text="Check sensitive data without encryption"/></outline><outline text="JWT"><outline text="Test JWT secret brute-forcing"><outline text="jwt_tool"/></outline><outline text="Test if algorithm could be changed"><outline text="jwt.io"/></outline><outline text="Test token expiration time (TTL, RTTL)"/><outline text="Test if sensitive data is in the JWT"><outline text="jwt.io"/></outline></outline><outline text="OAuth"><outline text="Test redirect_uri for open redirects"/><outline text="Test the existence of response_type=token"/><outline text="Test CSRF"/></outline><outline text="Access"><outline text="Test brute-force attacks"/><outline text="Find http requests"/><outline text="Test lack of HSTS header"/></outline><outline text="Input"><outline text="Test different HTTP methods (GET, POST, PUT, DELETE, PATCH)"/><outline text="Test different content-types"/><outline text="Test for common vulnerabilities (XSS, SQL Injection, RCE, XXE, etc)"/><outline text="Test for URL sensitive data (password, tokens, api keys)"/></outline><outline text="Processing"><outline text="Check if all endpoints are 
protected behind authentication"/><outline text="Check if resource ID is used in the URL (eg: /user/348974/orders)"/><outline text="Test for Debug on"/></outline><outline text="Output"><outline text="Check for X-Content-Type-Options: nosniff"/><outline text="Check for X-Frame-Options: deny"/><outline text="Check for Content-Security-Policy: default-src 'none'"/><outline text="Check for fingerprinting headers (X-Powered-by, Server, X-AspNet-Version)"/><outline text="Check for content-type forcing"/><outline text="Check for return sensitive data"/></outline></outline><outline text="Subdomain Takeover"><outline text="HostileSubBruteforcer"/></outline><outline text="CMS"><outline text="Wordpress"><outline text="wpscan"/><outline text="WPSeku"/></outline><outline text="Joomla!"><outline text="joomScan"/><outline text="joomlavs"/></outline><outline text="Drupal"><outline text="droopescan"/></outline><outline text="Sharepoint"/></outline></outline><outline text="Proxy Tools"><outline text="OWASP ZAP" type="link" url="https://github.com/zaproxy/zaproxy"/><outline text="Burp CE" type="link" url="https://portswigger.net/burp/communitydownload"/><outline text="Fiddler" type="link" url="https://www.telerik.com/fiddler"/></outline><outline text="Automated Scanning Tools"><outline text="Nikto"/><outline text="Wapiti"/><outline text="w3af"/></outline></outline><outline text="Network"><outline text="Discovery"><outline text="Enumerate DNS records"><outline text="nmap"/><outline text="hping3"/></outline><outline text="Mail Servers"/><outline text="Whois" type="link" url="http://whois.domaintools.com/"/><outline text="Traceroute" type="link" url="http://www.monitis.com/traceroute/"/><outline text="Reverse IP"/></outline><outline text="Port Scanning"><outline text="Tools:&#10;&#10;- nmap&#10;&#10;Online:&#10;&#10;- netcraft&#10;- shodan&#10;- HTTPRecon" type="note"/><outline text="Banner Grabbing"><outline text="Services running"><outline text="Test for common/default 
passwords"/><outline text="Test for open vulnerabilities"/><outline text="Brute-force possible services"><outline text="Tools:&#10;&#10;- Brutus&#10;- THC-Hydra/XHydra&#10;- Ncrack&#10;- Patator" type="note"/></outline></outline></outline><outline text="OS Fingerprinting"><outline text="Test for open vulnerabilities"/></outline></outline><outline text="Automated Scanning Tools"><outline text="OpenVAS"/></outline><outline text="Exploit Tools"><outline text="Metasploit"/><outline text="Evilgrade"/></outline><outline text="DNS Zone Transfer"/><outline text="SSL Checks"><outline text="Heartbleed"/><outline text="POODLE"/><outline text="DROWN"/></outline><outline text="TLS ROBOT"/><outline text="Bash ShellShock"/><outline text="Sniffing"><outline text="Wireshark"/><outline text="Dsniff"/><outline text="Bettercap"/></outline></outline><outline text="Mobile Application"><outline text="iOS"/><outline text="Android"/></outline></outline><outline text="Internet of Things"><outline text="Recon"><outline text="External"><outline text="fccid.io"><outline text="Does it reveal details about the target?"/><outline text="Identify chipsets being used"/><outline text="Identify exposed interfaces"/><outline text="Check for internal and external pictures"/><outline text="Test cases on the device"/><outline text="Find on which frequency is being used"/></outline><outline text="Identify ports and interfaces"/><outline text="Check voltage and power consumption"/></outline><outline text="Internal"><outline text="Identify chips"/><outline text="Identify other components"/><outline text="Copper tracing"/></outline><outline text="Identify the pinouts for the Serial interface"><outline text="Multimeter"/><outline text="Logic analyzer"/><outline text="JTAGulator"/></outline></outline><outline text="Testing"><outline text="Connect to the Serial interface"><outline text="Identify the baudrate"/><outline text="Shell"><outline text="Authenticated"><outline text="Dump the firmware"/><outline 
text="Modify values on the device and see if it persists"/><outline text="Control the device via Shell"/><outline text="Does shell have root privileges?"/></outline><outline text="Unauthenticated"><outline text="Can you brute-force the password?"/><outline text="Is the password hidden in the firmware?"/><outline text="Bootloader manipulation attacks"/></outline></outline></outline><outline text="Analyze firmware"><outline text="Is the firmware encrypted?"><outline text="What kind of encryption is being used?"><outline text="hexdump"/><outline text="strings"/><outline text="binwalk"/></outline></outline><outline text="Extracting components from the firmware"><outline text="Extract the file system"><outline text="binwalk"/></outline><outline text="Find hardcoded credentials"><outline text="API keys"/><outline text="Private certificates"/><outline text="Backdoor"/><outline text="Config files"/></outline></outline><outline text="Emulating the firmware"><outline text="Identify the architecture"/><outline text="Emulate the firmware"><outline text="Qemu"/><outline text="Chroot"/><outline text="FAT"/></outline><outline text="Perform analysis and exploitation via emulation"/></outline><outline text="Reverse Engineering firmware binaries"><outline text="Test for command injection bugs"><outline text="IDA analysis"/><outline text="Web files"/></outline><outline text="Identify buffer overflows and other binary vulns and exploitation"/></outline><outline text="Automated Scanning Tools"><outline text="Firmwalker"/></outline></outline><outline text="Communication with Mobile and Web applications"><outline text="Reverse Engineer the Mobile Application"><outline text="Search for ports being used"/><outline text="Search for hardcoded firmware download URLs"/><outline text="Identify command messaging format"/><outline text="Search for hardcoded SSIDs"/><outline text="Search for hardcoded encryption keys"/></outline><outline text="Intercept the traffic"><outline text="Search and 
Analyze the traffic between devices"/></outline><outline text="MQTT"><outline text="What topic are being used?"/><outline text="Is the communication going over secure channel?"/><outline text="Can you subscribe to any topic?"/><outline text="Can you publish to the topics?"/><outline text="Is there authentication being used?"/></outline><outline text="CoAP"><outline text="Is the implementation secure?"/></outline></outline><outline text="Radio Security"><outline text="Identify spikes in the frequency used when data is being transferred"><outline text="GQRX"/></outline><outline text="Bluetooth Low Energy"><outline text="Scan for devices"><outline text="BLEAH"/><outline text="hcitool"/><outline text="Blue Hydra"/></outline><outline text="Try to sniff the communication"><outline text="Ubertooth"/><outline text="Adafruit BLE Sniffer"/></outline><outline text="Identify the handles being read and written"><outline text="BLEAH"/></outline><outline text="Can you write handles?"><outline text="gatttool"/></outline><outline text="Are replay attacks possible?"><outline text="BTLEJuice"/></outline><outline text="Is the communication encrypted?"><outline text="Yes"><outline text="Did you caputred the inital key exchange communication?"/><outline text="Can you decrypt the communication by brute-forcing?"/></outline><outline text="No"><outline text="Is sensitive information being passed in clear text?"/></outline></outline></outline><outline text="ZigBee"/></outline></outline></outline><outline text="Logical"><outline text="Founded"><outline text="Date"/></outline><outline text="Competitors"/><outline text="Case Studies"/><outline text="Employees"><outline text="Linkedin"/></outline><outline text="Funding Rounds"/><outline text="Stackshare"/><outline text="Job Positions"><outline text="Indeed"/><outline text="Linkedin"/><outline text="Monster"/></outline><outline text="Public legal records" type="link" url="http://publicrecords.netronline.com"/><outline text="OpenSecrets" 
type="link" url="https://www.opensecrets.org/"/><outline text="Partners"/><outline text="Investors"/><outline text="Misc"><outline text="Phone Lookup" type="link" url="http://illmob.org/bookmark.html"/><outline text="License Plate Lookup" type="link" url="http://illmob.org/bookmark.html"/><outline text="Search People"><outline text="Tools:&#10;&#10;- https://www.truepeoplesearch.com&#10;- https://www.familytreenow.com&#10;- http://www.mooseroots.com &#10;- https://www.advancedbackgroundchecks.com&#10;- http://www.peekyou.com" type="note"/></outline></outline></outline><outline text="Physical"><outline text="Offices"/><outline text="Datacenter Locations"/><outline text="Third-Party Service Providers"/></outline></outline></body></opml>
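Review bot: the observatory.mozilla.org node under "SSL and Security headers testing" is the only `type="link"` node whose `url` has no scheme (`url="observatory.mozilla.org"`), so a client that opens link nodes will treat it as a relative path; change it to `https://observatory.mozilla.org/` to match every other link in the file. Several nodes that name a site carry no `url` at all (crt.sh, hunter.io, viewdns.info, fccid.io, jwt.io); if they are meant to be clickable they need `type="link"` and a `url`, otherwise leave them as plain tool names consistently. Spelling inside the outline text: "Socal Media Profiles" should be "Social Media Profiles", "Did you caputred the inital key exchange communication?" should be "Did you capture the initial key exchange?", and "What topic are being used?" should be "What topics are being used?". Two "Misc" links (Phone Lookup, License Plate Lookup) point at the same illmob.org bookmark page rather than a lookup service; if that page is just a bookmark list, say so in the node text. Lastly, this file is an XMind export (the head element is spelled `owername`, where OPML 2.0 uses `ownerName`; harmless, but a sign it is generated), so the README should say that the .opml, .mm and .png are regenerated from the .xmind source and should not be hand-edited.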

assessment-mindset.png

289 KB

assessment_mindset.xmind

10.3 MB
