Skip to main content

How to Organize Your Tools by Pentest Stages


How to Organize Your Tools by Pentest Stages


In this tut i will give you steps for hacking ... steps how hacking work and how to find everything about victim .. in every steps i have mention soft which we need to used in kali linux ... you can learn about their work from this website or from other....

I like to organize tools based on the phases of a pentest. Then, in each directory, I will symlink to the tool itself (if it's a tool I don't use often), unless I built the tool from source in that directory. With tools installed via Homebrew or from a .pkg, it can help to maintain a copy of the readme file in the directory with the tool named something like $toolname.readme. This will help with more obscure tools, and it can also help by giving you a place to note things about the tool.

Phase 1: Reconnaissance

This is the information gathering stage, and can be either active or passive. The whole purpose of this phase is to learn—the more information you can gather on a target before the actual attack, the better.
Some examples of important information:
  • What is the target?
  • How do they operate?
  • What IP ranges do they have allocated?
  • What do they do for mail?
  • What do their DNS records show?
  • What subdomains do they have?
  • What's going on in their company?
  • Who works there?
  • How do they assign login names?
  • What's their password policy?
  • What do their networks look like?
  • Are any of the people who work there vulnerable to social engineering?
  • What are there valuable assets?
  • Where do they store valuable assets?
All of these are important questions, and it's just the tip of the iceberg. The more information you have going into the attack, the better off you are. Of course, the more information you gather, the more time you will have to spend analyzing it—unless you are working with a team, in which case you can divide the efforts. I keep OSINT (open-source intelligence) gathering tools here, as well as active recon tools. Some examples of tools that you might find in my ~/pentest/recon directory are:
Depending on how unwieldy the directory becomes, I might divide the tools into two categories: active and passive. Active recon tools actually send packets to the target, where as passive tools gather information without interacting with the target system(s).

Phase 2: Scanning & Enumeration

If we did Phase 1 properly, we should have a wealth of information, IP addresses, employee names and e-mail addresses, etc. The next phase is to begin scanning.
Not all of the information gathered will be fruitful, so we have to narrow down and hone into certain targets. We examine perimeter and internal network devices looking for weaknesses, and learn more about the systems they have in place, as well as the services those systems are running. We see what ports are open, look for firewalls, locate vulnerabilities, and detect operating systems.
Some examples of tools that fit this category:
  • Nmap
  • Nikto
  • WPScan
You'll notice that I've included Nmap in both Phase 1 and 2—there will be some intersection of tools in these phases.

Phase 3: Gaining Access

In this phase, we put the previous steps' information to use. We will have lots of data on our targets and some ideas on which hosts we'll be focusing on. We've researched out-of-date services and checked for vulnerabilities. We might launch a social engineering campaign and target some known vulnerable services on a host.
Some examples of tools that fit this category:
  • THC Hydra
  • Nmap
  • Armitage
  • Metasploit
  • SET (Social Engineering Toolkit)
Once again, Nmap make our list due to its scripting engine; it's a highly flexible tool. I included a brute-force tool even though we don't really want to be brute-forcing due to time constraints. Of course, it doesn't hurt to run brute-force in the background throughout the test, providing you can afford that level of noise on the target system.

Phase 4: Maintaining Access

Once we've compromised something, we want to maintain access to gather even more information. Stealth will play a roll here since we don't want to be discovered acting on the target host(s). This phase involves privilege escalation, RATs (remote access tools), root kits, etc. The goal is to be able to access the system whenever we want.
Some tools that might be in the maintaining access folder:
  • Metasploit
  • Shellter
  • Webshells
Metasploit makes the list again here, though really, it could be included in every phase of this list.

Phase 5: Covering Your Tracks

This can cover a wide variety of tools and actions. We want to alter (possibly corrupt) log files, delete any files we're not using on the system, clear our history, hide our maintaining access tools, etc. We don't want to leave any trace that we were there.
Making mistakes on a contracted pentest is just bad business. If you are accessing a system illegally, it can be even worse. Equation group actually messed up covering their tracks and their custom tools were put up for sale on the web. We'll want to keep our infected hosts to a minimum, use varied malware, and try to stay one step ahead of potential incident responders.
We could use Metasploit or ClearLogs to clear event logs, or we can just delete them with a simple text editor. We could also erase our commands history and shred the history file. For more information, make sure to check out the following guide.

Stay Organized

If we keep our tools organized, it will be easier to conduct a pentest in a reasonable amount of time. It is extremely important to be able to quickly evaluate what we need to use and when. In some cases, when attacks haven't been added to a tool yet, it maybe important to maintain a separate PoC folder, though many of these can be quickly located on the Exploit Database. By keeping our tools associated to phases, we're also able to transition through phases in a smooth fashion.