From 9ebd95623a6ab646b7ced3236ca2e06ad1eda7b4 Mon Sep 17 00:00:00 2001 
From: pyro Date: Wed, 20 May 2026 14:33:39 -0500 Subject: [PATCH] added default note structures --- note_templates/external_pentest/attacks.md | 11 ++++++ note_templates/external_pentest/findings.md | 1 + note_templates/external_pentest/general.md | 32 +++++++++++++++++ note_templates/external_pentest/host_notes.md | 1 + note_templates/internal_pentest/attacks.md | 17 ++++++++++ note_templates/internal_pentest/cleanup.md | 4 +++ note_templates/internal_pentest/findings.md | 0 note_templates/internal_pentest/general.md | 34 +++++++++++++++++++ .../internal_pentest/initial_enum.md | 15 ++++++++ note_templates/internal_pentest/l00t/creds.md | 12 +++++++ note_templates/internal_pentest/l00t/dumps.md | 13 +++++++ .../internal_pentest/password_spray.md | 30 ++++++++++++++++ note_templates/vishing/calls.md | 5 +++ note_templates/vishing/enumeration.md | 7 ++++ note_templates/vishing/general.md | 32 +++++++++++++++++ note_templates/vishing/pretext.md | 31 +++++++++++++++++ 16 files changed, 245 insertions(+) create mode 100644 note_templates/external_pentest/attacks.md create mode 100644 note_templates/external_pentest/findings.md create mode 100644 note_templates/external_pentest/general.md create mode 100644 note_templates/external_pentest/host_notes.md create mode 100644 note_templates/internal_pentest/attacks.md create mode 100644 note_templates/internal_pentest/cleanup.md create mode 100644 note_templates/internal_pentest/findings.md create mode 100644 note_templates/internal_pentest/general.md create mode 100644 note_templates/internal_pentest/initial_enum.md create mode 100644 note_templates/internal_pentest/l00t/creds.md create mode 100644 note_templates/internal_pentest/l00t/dumps.md create mode 100644 note_templates/internal_pentest/password_spray.md create mode 100644 note_templates/vishing/calls.md create mode 100644 note_templates/vishing/enumeration.md create mode 100644 note_templates/vishing/general.md create mode 100644 note_templates/vishing/pretext.md 
diff --git a/note_templates/external_pentest/attacks.md b/note_templates/external_pentest/attacks.md
new file mode 100644
index 0000000..9912dbc
--- /dev/null
+++ b/note_templates/external_pentest/attacks.md
@@ -0,0 +1,11 @@
+#|||ORG_NAME||| #external #attacks
+
+# Directory BruteForcing:
+
+---
+
+# Login Attacks:
+
+---
+
+(continue as needed...)
diff --git a/note_templates/external_pentest/findings.md b/note_templates/external_pentest/findings.md
new file mode 100644
index 0000000..ac2cd3a
--- /dev/null
+++ b/note_templates/external_pentest/findings.md
@@ -0,0 +1 @@
+#|||ORG_NAME||| #external #findings
diff --git a/note_templates/external_pentest/general.md b/note_templates/external_pentest/general.md
new file mode 100644
index 0000000..5154d5b
--- /dev/null
+++ b/note_templates/external_pentest/general.md
@@ -0,0 +1,32 @@
+#|||ORG_NAME||| #external #general
+
+# Scope
+
+(past scope from workbook)
+
+# PPC
+
+Planning call notes:
+* methodolgy
+* whole month testing window
+* start with a vuln scan in nessus pro
+* pentesting execution standard framework
+* info gathering
+* recon
+* exlpoitation
+* reporting
+* primary objective
+ * reasonable and expected protections are in place
+ * see if we can get access to the internal network
+ * if we do get inside
+ * reach out to the contact and see what they'd want us to know
+* questions to ask
+* custom objectives
+ * nope:
+* testing main website
+* include office 365
+* password attacks
+ * password sprays 3-12 hours
+ * lock out policy -
+* primary contact -
+* emergency contact method -
diff --git a/note_templates/external_pentest/host_notes.md b/note_templates/external_pentest/host_notes.md
new file mode 100644
index 0000000..c0c20cc
--- /dev/null
+++ b/note_templates/external_pentest/host_notes.md
@@ -0,0 +1 @@
+#|||ORG_NAME||| #external #host_notes
diff --git a/note_templates/internal_pentest/attacks.md b/note_templates/internal_pentest/attacks.md
new file mode 100644
index 0000000..4022559
--- /dev/null
+++ b/note_templates/internal_pentest/attacks.md
@@ -0,0 +1,17 @@
+#|||ORG_NAME||| #internal #attack
+
+# Persistence via _
+(screenshot)
+
+(embed important info from initail_enum here.)
+
+# local privesc:
+powerup/sharpup findings:
+
+(screenshot)
+
+# local evasion:
+evasion notes:
+
+# Lateral Movement:
+lateral movement notes:
diff --git a/note_templates/internal_pentest/cleanup.md b/note_templates/internal_pentest/cleanup.md
new file mode 100644
index 0000000..f33b178
--- /dev/null
+++ b/note_templates/internal_pentest/cleanup.md
@@ -0,0 +1,4 @@
+#|||ORG_NAME||| #internal #cleanup
+
+- [ ] Breach machine C-temp-fr
+- [ ] (continue to add as needed
diff --git a/note_templates/internal_pentest/findings.md b/note_templates/internal_pentest/findings.md
new file mode 100644
index 0000000..e69de29
diff --git a/note_templates/internal_pentest/general.md b/note_templates/internal_pentest/general.md
new file mode 100644
index 0000000..34a1316
--- /dev/null
+++ b/note_templates/internal_pentest/general.md
@@ -0,0 +1,34 @@
+#|||ORG_NAME||| #internal #general
+
+# SCOPE
+(paste scope from workbook)
+
+On the call:
+
+Introductions
+ Let them know that their primary contact will be the PM and there should be
+
+Go over general attack strategy/procedure.
+ We will get a beacon payload by the time the test starts
+ The beacon payload should be executed on a domain joined windows system.
+ If the system is not domain joined/no domain - let Seth know as this modifies the standard beacon
+ Select a user based on a department/role that they would like tested (Marketing, Sales, HR, IT)
+ This can be a test system with a cloned user, but then we don't get keylogging or screen grabs
+ The beacon is created using Cobalt Strike and communicates over HTTPS
+ Since Cobalt Strike is very well signatured, remind them that they may need to add an exclusion in antivirus and/or web filter
+ We will look at local privilege escalation, conduct portscans, password sprays, targeted vulnerability scanning (NOT NESSUS), lateral movement opportunities, and escalating to DOMAIN ADMIN privilege.
+ Ask if they want a focus on any particular assets. for example, an old time logging system, or remote access system.
+
+Confirm On Prem AD vs NoAD or Azure AD -
+
+Ask if they have any questions or concerns
+
+Do they have a specific contact -
+
+emergency contact method -
+
+Email any follow-up items from the call to the PM
+
+sensitive systems -
+
+secondary objectives -
diff --git a/note_templates/internal_pentest/initial_enum.md b/note_templates/internal_pentest/initial_enum.md
new file mode 100644
index 0000000..6912417
--- /dev/null
+++ b/note_templates/internal_pentest/initial_enum.md
@@ -0,0 +1,15 @@
+#|||ORG_NAME||| #internal #enumeration
+
+# important info
+
+| type | info |
+| ------------------ | ------------- |
+| FQDN | |
+| short domain | |
+| logon server | |
+| initial username | |
+| initial hostname | |
+| initial ip | |
+| logon server ip | |
+| azure ad joined | |
+| observation window | |
diff --git a/note_templates/internal_pentest/l00t/creds.md b/note_templates/internal_pentest/l00t/creds.md
new file mode 100644
index 0000000..206a591
--- /dev/null
+++ b/note_templates/internal_pentest/l00t/creds.md
@@ -0,0 +1,12 @@
+#|||ORG_NAME||| #internal #l00t/creds
+
+# Passwords:
+
+| system | user | password |
+| ------ | ---- | -------- |
+
+
+# Hahses:
+
+| type | user | hash |
+| ---- | ---- | ---- |
diff --git a/note_templates/internal_pentest/l00t/dumps.md b/note_templates/internal_pentest/l00t/dumps.md
new file mode 100644
index 0000000..af058be
--- /dev/null
+++ b/note_templates/internal_pentest/l00t/dumps.md
@@ -0,0 +1,13 @@
+#|||ORG_NAME||| #internal #l00t/dumps
+
+# SAM
+
+systemname:
+```
+```
+
+# LSASS.EXE
+
+systemname:
+```
+```
diff --git a/note_templates/internal_pentest/password_spray.md b/note_templates/internal_pentest/password_spray.md
new file mode 100644
index 0000000..93dad66
--- /dev/null
+++ b/note_templates/internal_pentest/password_spray.md
@@ -0,0 +1,30 @@
+- [ ] useraspass
+- [ ] Seasonyear!
+- [ ] Service123!
+- [ ] admin
+- [ ] Admin
+- [ ] Admin123!
+- [ ] admin123
+- [ ] admin1
+- [ ] 1234567
+- [ ] Seasonyear
+- [ ] seasonyear!
+- [ ] seasonyear
+- [ ] COMPANYYEAR!
+- [ ] COMPANYYEAR
+- [ ] November2024!
+- [ ] September2024!
+- [ ] October2024!
+- [ ] COMPANYfoundingyear!
+- [ ] COMPANYfoundingyear
+- [ ] COMPANYstreetnumber!
+- [ ] COMPANYstreetnumber
+- [ ] Password
+- [ ] P@ssw0rd
+- [ ] Password1!
+- [ ] Password123!
+- [ ] Passwordyear!
+- [ ] P@55w0rd
+- [ ] Service
+- [ ] Service!
+- [ ] Serviceyear!
diff --git a/note_templates/vishing/calls.md b/note_templates/vishing/calls.md
new file mode 100644
index 0000000..aa0d751
--- /dev/null
+++ b/note_templates/vishing/calls.md
@@ -0,0 +1,5 @@
+#|||ORG_NAME||| #Vishing #calls
+
+# todays date
+| name | number | job title | number |
+| ____ | ______ | _________ | ______ |
diff --git a/note_templates/vishing/enumeration.md b/note_templates/vishing/enumeration.md
new file mode 100644
index 0000000..69e206d
--- /dev/null
+++ b/note_templates/vishing/enumeration.md
@@ -0,0 +1,7 @@
+#|||ORG_NAME||| #Vishing #enumeration
+
+# Main Site Findings:
+
+# Social Media Findings:
+
+# Google Maps Findings:
diff --git a/note_templates/vishing/general.md b/note_templates/vishing/general.md
new file mode 100644
index 0000000..070c73d
--- /dev/null
+++ b/note_templates/vishing/general.md
@@ -0,0 +1,32 @@
+#|||ORG_NAME||| #Vishing #general
+
+
+# Scope
+(paste scope from workbook)
+
+
+Introductions
+
+have they been vished before? -
+
+if yes ask what the purpose of that vishing was, gain a foothold, or other? -
+
+ask the purpose of this test (ex try to get creds, foothold, generally want to see where employes are at) -
+
+four main aspects
+1. verbal confirmation and verification of information
+2. run commands on the system they're on
+3. go to a specific website
+4. join a screen sharing session with us
+
+pretexts:
+default is third party it.
+
+
+Vector -
+
+ask for primary contact -
+
+ask preferred method of contact for emergency -
+
+ask for any questions, comments, or concerns.
diff --git a/note_templates/vishing/pretext.md b/note_templates/vishing/pretext.md
new file mode 100644
index 0000000..2e6d769
--- /dev/null
+++ b/note_templates/vishing/pretext.md
@@ -0,0 +1,31 @@
+#|||ORG_NAME||| #Vishing #pretext
+
+Hello I'm (name) from (place). I'm helping (linked in it user) from your IT team track down a problem with your computer management system and just need to confirm some information about your computer real quick, is now a bad time to talk?
+
+Great I just need to confirm that my inventory report here is accurate.
+
+Are you currently running Windows 11? y -
+
+Microsoft Office is currently installed, correct? y
+
+When was the last time your computer had a reboot? y
+
+Your primary browser is firfox?
+
+Oh thats strange it seems our report is wrong then... I don't think our program on your computer is checking in correctly... uhhh I want to make sure you're getting all the windows updates we need to be compliant.
+
+Hold the windows key on your keyboard and press the r button. in the box that opens up type cmd.exe and press enter.
+
+This will open a scary black box, but don't worry I'll walk you through what we need here, it'll be pretty easy.
+
+In that box type systemifo all one word and press enter.
+
+Scroll up through that output and find the section that talks about hotfixes, how many are installed?
+
+That doesn't seem like the right number to me, can you read me the last 3 that are listed there?
+
+yeah you're definitely not getting all of the windows updates. This is going to take a bit of troubleshooting to figure out. Would you mind hopping in a Zoom call with me and sharing your screen so I can check a few things? This should only take a couple of minutes.
+
+(open up the services manager and scroll through it, check some program files folders, and run a few commands in cmd to act like I'm troubleshooting.)
+
+Hmmm everything looks ok on this end. I'm going to do some troubleshooting on the server side and see if we can get to the bottom of this. I don't think we'll need anything else from you to fix this, but if that changes I'll let you know. Thank you for your time.