Pen-Testing Comps
Friday, 19 January 2024

+ How's it going?

+ Monday, Wednesday, and beyond
- Generating ideas, lots and lots of ideas
- This is up to you
- Jeff & mostly Mike as tech resources
- Jeff as explanation resource
    (e.g., what's up with that bash -c thing?)

+ Publicly available exploits
- Apache 2.4.50 example, unfinished
- searchsploit
- searchsploit -m
- exploit-db.com
- how to install this hated version? (I haven't figured it out yet)

+ Is there a way to simulate a person?
- phishing
- XSS
- ...stuff that requires fooling a person...

+ How to find cool stuff
- ...

+ Using #ideas channel
- ...

+ Pentesting methodologies
- hacker-focused: book.hacktricks.xyz
- more industry-oriented
    OWASP
    OSSTMM
    NIST
    PTES
    ISSAF
    MITRE ATT&CK

https://book.hacktricks.xyz/pentesting-methodology
https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies
https://www.isecom.org/OSSTMM.3.pdf
NIST Special Publication 800-115
http://www.pentest-standard.org/index.php/Main_Page
Information System Security Assessment Framework (ISSAF)