added default note structures

2026-05-20 14:33:39 -05:00
parent 2c78f26dd2
commit 9ebd95623a
16 changed files with 245 additions and 0 deletions
@@ -0,0 +1,11 @@
#|||ORG_NAME||| #external #attacks
# Directory BruteForcing:
---
# Login Attacks:
---
(continue as needed...)
@@ -0,0 +1 @@
#|||ORG_NAME||| #external #findings
@@ -0,0 +1,32 @@
#|||ORG_NAME||| #external #general
# Scope
(past scope from workbook)
# PPC
Planning call notes:
* methodolgy
* whole month testing window
* start with a vuln scan in nessus pro
* pentesting execution standard framework
* info gathering
* recon
* exlpoitation
* reporting
* primary objective
* reasonable and expected protections are in place
* see if we can get access to the internal network
* if we do get inside
* reach out to the contact and see what they'd want us to know
* questions to ask
* custom objectives
* nope:
* testing main website
* include office 365
* password attacks
* password sprays 3-12 hours
* lock out policy -
* primary contact -
* emergency contact method -
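Review bot: the bullets under "Planning call notes:" read as answers from one particular call ("whole month testing window", "nope:", "include office 365", "password sprays 3-12 hours") rather than blank prompts, so a default template will carry those decisions into every new engagement. Reduce them to empty fields in the style of the "lock out policy -" and "primary contact -" lines. "(past scope from workbook)" should read "paste", as in the other two general templates, and "methodolgy" and "exlpoitation" are misspelled.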
@@ -0,0 +1 @@
#|||ORG_NAME||| #external #host_notes
@@ -0,0 +1,17 @@
#|||ORG_NAME||| #internal #attack
# Persistence via _
(screenshot)
(embed important info from initail_enum here.)
# local privesc:
powerup/sharpup findings:
(screenshot)
# local evasion:
evasion notes:
# Lateral Movement:
lateral movement notes:
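Review bot: "(embed important info from initail_enum here.)" misspells the name of the note it points to, so a search or link on the real name will not match; correct it to the name the enumeration template is actually saved under. The heading "# Persistence via _" is capitalised while "# local privesc:" and "# local evasion:" are not, and only some headings end in a colon; pick one form.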
@@ -0,0 +1,4 @@
#|||ORG_NAME||| #internal #cleanup
- [ ] Breach machine C-temp-fr
- [ ] (continue to add as needed
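Review bot: "Breach machine C-temp-fr" looks like an item left over from a specific engagement, and a default cleanup list needs generic entries instead. The internal templates in this commit already name things that have to be undone afterwards (the persistence section in the attack note, the antivirus and web filter exclusion the client is asked to add in the general note), so list those as checkboxes here. The last line is also missing its closing parenthesis.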
@@ -0,0 +1,34 @@
#|||ORG_NAME||| #internal #general
# SCOPE
(paste scope from workbook)
On the call:
Introductions
Let them know that their primary contact will be the PM and there should be
Go over general attack strategy/procedure.
We will get a beacon payload by the time the test starts
The beacon payload should be executed on a domain joined windows system.
If the system is not domain joined/no domain - let Seth know as this modifies the standard beacon
Select a user based on a department/role that they would like tested (Marketing, Sales, HR, IT)
This can be a test system with a cloned user, but then we don't get keylogging or screen grabs
The beacon is created using Cobalt Strike and communicates over HTTPS
Since Cobalt Strike is very well signatured, remind them that they may need to add an exclusion in antivirus and/or web filter
We will look at local privilege escalation, conduct portscans, password sprays, targeted vulnerability scanning (NOT NESSUS), lateral movement opportunities, and escalating to DOMAIN ADMIN privilege.
Ask if they want a focus on any particular assets. for example, an old time logging system, or remote access system.
Confirm On Prem AD vs NoAD or Azure AD -
Ask if they have any questions or concerns
Do they have a specific contact -
emergency contact method -
Email any follow-up items from the call to the PM
sensitive systems -
secondary objectives -
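Review bot: the line "Let them know that their primary contact will be the PM and there should be" stops mid-sentence, so whoever runs the call does not know what to tell the client; finish it or cut it back to the first clause. "let Seth know" hard-codes one person into a default template and would be better as a role. The exclusion request on the Cobalt Strike line should also get a fill-in field for what was excluded and where, so it can be checked off when the test ends.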
@@ -0,0 +1,15 @@
#|||ORG_NAME||| #internal #enumeration
# important info
| type | info |
| ------------------ | ------------- |
| FQDN | |
| short domain | |
| logon server | |
| initial username | |
| initial hostname | |
| initial ip | |
| logon server ip | |
| azure ad joined | |
| observation window | |
@@ -0,0 +1,12 @@
#|||ORG_NAME||| #internal #l00t/creds
# Passwords:
| system | user | password |
| ------ | ---- | -------- |
# Hahses:
| type | user | hash |
| ---- | ---- | ---- |
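Review bot: this template has a cleartext "password" column and a "hash" column but says nothing about where a filled-in copy may live. Add a line under the tag header stating the handling rule (encrypted storage, kept out of version control, purged at engagement close); the same applies to the SAM and LSASS.EXE dump note. The heading "# Hahses:" is misspelled.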
@@ -0,0 +1,13 @@
#|||ORG_NAME||| #internal #l00t/dumps
# SAM
systemname:
```
```
# LSASS.EXE
systemname:
```
```
@@ -0,0 +1,30 @@
- [ ] useraspass
- [ ] Seasonyear!
- [ ] Service123!
- [ ] admin
- [ ] Admin
- [ ] Admin123!
- [ ] admin123
- [ ] admin1
- [ ] 1234567
- [ ] Seasonyear
- [ ] seasonyear!
- [ ] seasonyear
- [ ] COMPANYYEAR!
- [ ] COMPANYYEAR
- [ ] November2024!
- [ ] September2024!
- [ ] October2024!
- [ ] COMPANYfoundingyear!
- [ ] COMPANYfoundingyear
- [ ] COMPANYstreetnumber!
- [ ] COMPANYstreetnumber
- [ ] Password
- [ ] P@ssw0rd
- [ ] Password1!
- [ ] Password123!
- [ ] Passwordyear!
- [ ] P@55w0rd
- [ ] Service
- [ ] Service!
- [ ] Serviceyear!
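Review bot: this is the only template shown here that does not open with a "#|||ORG_NAME|||" tag line, so it will not be tagged to the engagement like the other notes; add one. "November2024!", "September2024!" and "October2024!" are fixed dates while the rest of the list uses placeholders such as "Seasonyear!", so bring them in line with the placeholder form. The list should also point back to the "lock out policy -" and "observation window" fields so it is not worked through before those are filled in.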
@@ -0,0 +1,5 @@
#|||ORG_NAME||| #Vishing #calls
# todays date
| name | number | job title | number |
| ____ | ______ | _________ | ______ |
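Review bot: the table header has two columns named "number", and the second row uses underscores where the other tables in this commit use a dashed separator ("| ---- | ---- |"), so this will not render as a table. Rename or drop the duplicate column, switch the separator row to dashes, and turn "# todays date" into a placeholder that is obviously meant to be replaced.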
@@ -0,0 +1,7 @@
#|||ORG_NAME||| #Vishing #enumeration
# Main Site Findings:
# Social Media Findings:
# Google Maps Findings:
@@ -0,0 +1,32 @@
#|||ORG_NAME||| #Vishing #general
# Scope
(paste scope from workbook)
Introductions
have they been vished before? -
if yes ask what the purpose of that vishing was, gain a foothold, or other? -
ask the purpose of this test (ex try to get creds, foothold, generally want to see where employes are at) -
four main aspects
1. verbal confirmation and verification of information
2. run commands on the system they're on
3. go to a specific website
4. join a screen sharing session with us
pretexts:
default is third party it.
Vector -
ask for primary contact -
ask preferred method of contact for emergency -
ask for any questions, comments, or concerns.
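Review bot: the "four main aspects" list has no field for recording which of the four the client has approved, unlike the dash-terminated prompts around it. Add an "approved aspects -" line so that running commands and screen sharing are only attempted when the call notes show sign-off. "employes" is misspelled, and "Vector -" needs a word or two on what is expected there.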
@@ -0,0 +1,31 @@
#|||ORG_NAME||| #Vishing #pretext
Hello I'm (name) from (place). I'm helping (linked in it user) from your IT team track down a problem with your computer management system and just need to confirm some information about your computer real quick, is now a bad time to talk?
Great I just need to confirm that my inventory report here is accurate.
Are you currently running Windows 11? y -
Microsoft Office is currently installed, correct? y
When was the last time your computer had a reboot? y
Your primary browser is firfox?
Oh thats strange it seems our report is wrong then... I don't think our program on your computer is checking in correctly... uhhh I want to make sure you're getting all the windows updates we need to be compliant.
Hold the windows key on your keyboard and press the r button. in the box that opens up type cmd.exe and press enter.
This will open a scary black box, but don't worry I'll walk you through what we need here, it'll be pretty easy.
In that box type systemifo all one word and press enter.
Scroll up through that output and find the section that talks about hotfixes, how many are installed?
That doesn't seem like the right number to me, can you read me the last 3 that are listed there?
yeah you're definitely not getting all of the windows updates. This is going to take a bit of troubleshooting to figure out. Would you mind hopping in a Zoom call with me and sharing your screen so I can check a few things? This should only take a couple of minutes.
(open up the services manager and scroll through it, check some program files folders, and run a few commands in cmd to act like I'm troubleshooting.)
Hmmm everything looks ok on this end. I'm going to do some troubleshooting on the server side and see if we can get to the bottom of this. I don't think we'll need anything else from you to fix this, but if that changes I'll let you know. Thank you for your time.
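Review bot: "(name)", "(place)" and "(linked in it user)" do not use the "|||...|||" placeholder form that the tag line uses, so they are easy to miss when the template is filled in for a client; pick one convention. "systemifo" should be "systeminfo" and "firfox" should be "Firefox", and the "y -" / "y" markers after the first three questions are inconsistent. There is also no line for recording the outcome of the call (what was disclosed and at which step it ended), which the report will need.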