README.md

Information Gathering and Vulnerability Scanning

DNS lookups
Identify technical contacts
Administrator contacts
Cloud vs. self-hosted
Social media scraping
- Key contacts/job responsibilities
- Job listing/technology stack
Cryptographic flaws
- Secure Sockets Layer (SSL) certificates
- Revocation
Company reputation/security posture
Data
- Password dumps
- File metadata
- Strategic search engine analysis/enumeration
- Website archive/caching
- Public source-code repositories
Open-source intelligence (OSINT)
- Tools
  - Shodan
  - Recon-ng
- Sources
  - Common weakness enumeration (CWE)
  - Common vulnerabilities and exposures (CVE)

Enumeration
- Hosts
- Services
- Domains
- Users
- Uniform resource locators (URLs)
Website reconnaissance
- Crawling websites
- Scraping websites
- Manual inspection of web links
  - robots.txt
Packet crafting
- Scapy
Defense detection
- Load balancer detection
- Web application firewall (WAF) detection
- Antivirus
- Firewall
Tokens
- Scoping
- Issuing
- Revocation
Wardriving
Network traffic
- Capture API requests and responses
- Sniffing
Cloud asset discovery
Third-party hosted services
Detection avoidance

Fingerprinting
- Operating systems (OSs)
- Networks
- Network devices
- Software
Analyze output from:
- DNS lookups
- Crawling websites
- Network traffic
- Address Resolution Protocol (ARP) traffic
- Nmap scans
- Web logs

Considerations of vulnerability scanning
- Time to run scans
- Protocols
- Network topology
- Bandwidth limitations
- Query throttling
- Fragile systems
- Non-traditional assets
Scan identified targets for vulnerabilities
Set scan settings to avoid detection
Scanning methods
- Stealth scan
- Transmission Control Protocol (TCP) connect scan
- Credentialed vs. non-credentialed
Nmap
- Nmap Scripting Engine (NSE) scripts
- Common options
- A
- sV
- sT
- Pn
- O
- sU
- sS
- T 1-5
- script=vuln
- p
Vulnerability testing tools that facilitate automation