added default note structures

2026-05-20 14:33:39 -05:00
parent 2c78f26dd2
commit 9ebd95623a
16 changed files with 245 additions and 0 deletions
@@ -0,0 +1,11 @@
+#|||ORG_NAME||| #external #attacks
+
+# Directory BruteForcing:
+
+---
+
+# Login Attacks:
+
+---
+
+(continue as needed...)
@@ -0,0 +1 @@
+#|||ORG_NAME||| #external #findings
@@ -0,0 +1,32 @@
+#|||ORG_NAME||| #external #general
+
+# Scope
+
+(past scope from workbook)
+
+# PPC
+
+Planning call notes:
+* methodolgy
+* whole month testing window
+* start with a vuln scan in nessus pro
+* pentesting execution standard framework
+* info gathering
+* recon
+* exlpoitation
+* reporting 
+* primary objective
+    * reasonable and expected protections are in place
+    * see if we can get access to the internal network
+        * if we do get inside 
+            * reach out to the contact and see what they'd want us to know
+* questions to ask
+* custom objectives
+    * nope: 
+* testing main website
+* include office 365 
+* password attacks
+    * password sprays 3-12 hours
+    * lock out policy - 
+* primary contact - 
+* emergency contact method -
@@ -0,0 +1 @@
+#|||ORG_NAME||| #external #host_notes
@@ -0,0 +1,17 @@
+#|||ORG_NAME||| #internal #attack
+
+# Persistence via _
+(screenshot)
+
+(embed important info from initail_enum here.)
+
+# local privesc:
+powerup/sharpup findings:
+
+(screenshot)
+
+# local evasion:
+evasion notes:
+
+# Lateral Movement:
+lateral movement notes:
@@ -0,0 +1,4 @@
+#|||ORG_NAME||| #internal #cleanup
+
+- [ ] Breach machine C-temp-fr
+- [ ] (continue to add as needed
@@ -0,0 +1,34 @@
+#|||ORG_NAME||| #internal #general
+
+# SCOPE
+(paste scope from workbook)
+
+On the call: 
+
+Introductions 
+    Let them know that their primary contact will be the PM and there should be 
+
+Go over general attack strategy/procedure. 
+    We will get a beacon payload by the time the test starts 
+        The beacon payload should be executed on a domain joined windows system. 
+            If the system is not domain joined/no domain - let Seth know as this modifies the standard beacon 
+        Select a user based on a department/role that they would like tested (Marketing, Sales, HR, IT) 
+            This can be a test system with a cloned user, but then we don't get keylogging or screen grabs 
+        The beacon is created using Cobalt Strike and communicates over HTTPS 
+        Since Cobalt Strike is very well signatured, remind them that they may need to add an exclusion in antivirus and/or web filter 
+    We will look at local privilege escalation, conduct portscans, password sprays, targeted vulnerability scanning (NOT NESSUS), lateral movement opportunities, and escalating to DOMAIN ADMIN privilege.  
+    Ask if they want a focus on any particular assets. for example, an old time logging system, or remote access system. 
+
+Confirm On Prem AD vs NoAD or Azure AD - 
+
+Ask if they have any questions or concerns 
+
+Do they have a specific contact - 
+
+emergency contact method - 
+
+Email any follow-up items from the call to the PM 
+
+sensitive systems - 
+
+secondary objectives -
@@ -0,0 +1,15 @@
+#|||ORG_NAME||| #internal #enumeration
+
+# important info
+
+| type               | info          |
+| ------------------ | ------------- |
+| FQDN               |               |
+| short domain       |               |
+| logon server       |               |
+| initial username   |               |
+| initial hostname   |               |
+| initial ip         |               |
+| logon server ip    |               |
+| azure ad joined    |               |
+| observation window |               |
@@ -0,0 +1,12 @@
+#|||ORG_NAME||| #internal #l00t/creds
+
+# Passwords:
+
+| system | user | password |
+| ------ | ---- | -------- |
+
+
+# Hahses:
+
+| type | user | hash |
+| ---- | ---- | ---- |
@@ -0,0 +1,13 @@
+#|||ORG_NAME||| #internal #l00t/dumps
+
+# SAM
+
+systemname:
+```
+```
+
+# LSASS.EXE
+
+systemname: 
+```
+```
@@ -0,0 +1,30 @@
+- [ ] useraspass
+- [ ] Seasonyear!
+- [ ] Service123!
+- [ ] admin
+- [ ] Admin
+- [ ] Admin123!
+- [ ] admin123
+- [ ] admin1
+- [ ] 1234567
+- [ ] Seasonyear
+- [ ] seasonyear!
+- [ ] seasonyear
+- [ ] COMPANYYEAR!
+- [ ] COMPANYYEAR
+- [ ] November2024!
+- [ ] September2024!
+- [ ] October2024!
+- [ ] COMPANYfoundingyear!
+- [ ] COMPANYfoundingyear
+- [ ] COMPANYstreetnumber!
+- [ ] COMPANYstreetnumber
+- [ ] Password
+- [ ] P@ssw0rd
+- [ ] Password1!
+- [ ] Password123!
+- [ ] Passwordyear!
+- [ ] P@55w0rd
+- [ ] Service
+- [ ] Service!
+- [ ] Serviceyear!
@@ -0,0 +1,5 @@
+#|||ORG_NAME||| #Vishing #calls
+
+# todays date
+| name | number | job title | number |
+| ____ | ______ | _________ | ______ |
@@ -0,0 +1,7 @@
+#|||ORG_NAME||| #Vishing #enumeration
+
+# Main Site Findings:
+
+# Social Media Findings:
+
+# Google Maps Findings:
@@ -0,0 +1,32 @@
+#|||ORG_NAME||| #Vishing #general
+
+
+# Scope
+(paste scope from workbook)
+
+
+Introductions
+
+have they been vished before? - 
+
+if yes ask what the purpose of that vishing was, gain a foothold, or other? - 
+
+ask the purpose of this test (ex try to get creds, foothold, generally want to see where employes are at) - 
+
+four main aspects
+1. verbal confirmation and verification of information
+2. run commands on the system they're on
+3. go to a specific website
+4. join a screen sharing session with us
+
+pretexts:
+default is third party it.
+
+
+Vector - 
+
+ask for primary contact - 
+
+ask preferred method of contact for emergency - 
+
+ask for any questions, comments, or concerns.
@@ -0,0 +1,31 @@
+#|||ORG_NAME||| #Vishing #pretext
+
+Hello I'm (name) from (place). I'm helping (linked in it user) from your IT team track down a problem with your computer management system and just need to confirm some information about your computer real quick, is now a bad time to talk?
+
+Great I just need to confirm that my inventory report here is accurate.
+
+Are you currently running Windows 11? y - 
+
+Microsoft Office is currently installed, correct? y
+
+When was the last time your computer had a reboot? y
+
+Your primary browser is firfox? 
+
+Oh thats strange it seems our report is wrong then... I don't think our program on your computer is checking in correctly... uhhh I want to make sure you're getting all the windows updates we need to be compliant.
+
+Hold the windows key on your keyboard and press the r button. in the box that opens up type cmd.exe and press enter.
+
+This will open a scary black box, but don't worry I'll walk you through what we need here, it'll be pretty easy.
+
+In that box type systemifo all one word and press enter.
+
+Scroll up through that output and find the section that talks about hotfixes, how many are installed?
+
+That doesn't seem like the right number to me, can you read me the last 3 that are listed there?
+
+yeah you're definitely not getting all of the windows updates. This is going to take a bit of troubleshooting to figure out. Would you mind hopping in a Zoom call with me and sharing your screen so I can check a few things? This should only take a couple of minutes.
+
+(open up the services manager and scroll through it, check some program files folders, and run a few commands in cmd to act like I'm troubleshooting.)
+
+Hmmm everything looks ok on this end. I'm going to do some troubleshooting on the server side and see if we can get to the bottom of this. I don't think we'll need anything else from you to fix this, but if that changes I'll let you know.  Thank you for your time.