Taylor Jolin

Hacker | Musician | Innovator | Dreamer

Category: Education


Pentesting Methodology – Recon

This workflow is in no way associated with any other framework. This is my personal general approach to hacking a machine or network.

Physical Attacks

Do you have physical access to the network or a machine? If so there are a ton of physical attacks that can be waged on a network or machine.

One attack that is fairly easy to do is outlined below. I refer to it as the SETHC Attack. Remember, you need physical access to the machine you are attacking for this hack to work.

  1. First, you need to find an boot disk of some sort. Linux Distro, Hiren’s Boot CD, anything that gives access to the file directory. Once you have your boot disc in order, insert it into the computer and reboot. Enter the Bios’ boot mode and select the media that you wish to boot to (i.e. your boot disc).
  2. Once booted, use the file manager and locate a file called SETHC.EXE. It will be located in C:\Windows\System32\
  3. Make a copy of the file and name it whatever you like.
  4. Find the executable for the CMD Prompt, CMD.EXE, which is also in that folder. Copy it and rename it SETHC.EXE
  5. Reboot the computer and let it boot into Windows.
  6. At the login screen, hit the SHIFT button 5 times and a CMD window will appear.
  7. Type in the following to reset the local administrator account:
    • net user administrator password
    • NOTE: password should be changed to your desired password
  8. Login to the computer with the local admin account.

Host or Asset Discovery

There are two types of tests that can be ran, an internal or external test. An internal test would look for hosts on the internal network whereas an external test would look for assets on the perimeter of the network.

  • Recon – The first thing you should do when approaching any device is to perform a port scan. With the right port scanning tool, you can learn all sorts of information about the host device. I prefer to use NMAP but there are a wealth of others. You can even call NMAP from Metasploit and run it. Once we have a target thoroughly mapped out and we have found all of the information we can, we can then move on to looking for vulnerabilities or known exploits.

In the event that you find multiple hosts on the network, try to do an OS discovery to see what is what and if it may be of any interest later on. One could usually assume that Linux, Mac, and Windows servers have some sort of misconfiguration somewhere. This goes the same for networking appliances such as firewalls, switches, routers, etc…