**Slide 1: Penetration Testing Process**

- **Phases of Penetration Testing**:
  - Pre-engagement (1)
    - Agreement on rules of engagement, scope, and objectives.
  - Intelligence gathering (2)
    - Passive reconnaissance: information collected without interacting with the target.
      - Tools: search engines, social media, DNSdumpster, etc.
    - Active reconnaissance: information collected by interacting with the target.
      - Tools: Nmap, Zenmap, Wireshark, etc.
  - Threat modeling (3)
    - Identifying potential threats and vulnerabilities in the target system.
  - Vulnerability scanning (4)
    - Automated testing to identify vulnerabilities in the target system.
    - Tools: Nessus, OpenVAS, etc.
  - Exploitation (5)
    - Using exploits to gain unauthorized access to the target system.
    - Tools: Metasploit, Burp Suite, etc.
  - Post-exploitation (6)
    - Maintaining access to the target system and gathering sensitive information.
    - Tools: Mimikatz, BloodHound, etc.

**Slide 2: Public Exploits**

- **Finding reliable exploits**:
  - SecLists ()
  - Exploit-DB ()
- **Offline exploit DB in Kali**:
  - `searchsploit` command:

```
searchsploit
```

**Slide 3: Compiling Exploits**

- **Cross-compiling for Windows**:
  - Use `gcc` with specific flags to compile for Windows.

```
# On Kali, the gcc that targets Windows is the mingw-w64 cross-compiler;
# the host's own gcc cannot link Windows libraries such as wininet.
x86_64-w64-mingw32-gcc -o exploit.exe exploit.c -m64 -lwininet
```

- **Lab Activity**: Fix and compile `646.c` to exploit SLMail on the Windows 7 lab machine.

**Slide 4: Penetration Testing Execution Standard (PTES)**

- **Phases of PTES**:
  - Pre-engagement
  - Intelligence gathering
  - Threat modeling
  - Vulnerability scanning
  - Exploitation
  - Post-exploitation
  - Reporting

**Slide 5: Post-Exploitation**

- **Goals of post-exploitation**:
  - Determine the value of the compromised machine.
  - Maintain control for later use.
  - Identify and document sensitive data.
  - Set up access methods for later use.
**Slide 6: Infrastructure Analysis**

| Category | Information to gather |
| --- | --- |
| Network information | Configuration, interfaces, routing, DNS servers, ARP entries, proxy servers, listening services, neighbour discovery protocols, wireless keys |
| Pillaging | Startup items, login items, security services, file and print shares, databases, source code management systems, virtualisation, messaging systems, backup systems |
| Documents | Spreadsheets, word documents, databases, password files |
| History | Command history, USB activity, web history, patching history, log files, bookmarks |
| Monitoring | Key logging, screen capture, webcam access, network traffic capture |

**Slide 7: Escalation and Persistence**

- **Privilege escalation techniques**:
  - Exploit a higher privileged process.
  - Inject into a higher privileged DLL.
  - Overwrite a higher privileged executable file.
  - Trojan, rootkits, backdoor account/service.
- **Persistence techniques**:
  - Reverse shell to a single IP.
  - Backdoor service that survives reboot.

**Slide 8: Moving Things Around**

- **Uploading/downloading files**:
  - Use FTP with Kali acting as an FTP server.
- **Privilege escalation example**:
  - `useradd.c` exploit for the Windows 7 lab machine.

**Exercise**: Complete the lab activity on privilege escalation using `useradd.c` and verify high privilege access.
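As an added example (not part of the slides), the Python below turns the XML output of Nmap, the active-reconnaissance tool named on Slide 1, into the listening-service inventory that Slide 6 calls for, and then compares it with an approved baseline so that unexpected listeners stand out; the XML sample, the 10.0.0.5 address, the product strings and the baseline are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML (-oX), trimmed to the elements used below;
# the address, ports and product strings are made up for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.5" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/>
<service name="smtp" product="SLMail" version="5.5"/></port>
<port protocol="tcp" portid="110"><state state="open" reason="syn-ack"/>
<service name="pop3" product="SLMail" version="5.5"/></port>
<port protocol="tcp" portid="135"><state state="filtered" reason="no-response"/>
<service name="msrpc"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
<service name="ms-wbt-server"/></port>
</ports></host></nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {ip: [service dicts]} with only 'open' ports on hosts that are up."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data worth inventorying
        ip = host.find("address").get("addr")
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not listening services
            svc = port.find("service")  # missing when -sV was not run
            meta = svc.attrib if svc is not None else {}
            services.append({"port": int(port.get("portid")),
                             "proto": port.get("protocol"),
                             "service": meta.get("name", ""),
                             "product": meta.get("product", ""),
                             "version": meta.get("version", "")})
        inventory[ip] = services
    return inventory

def unexpected_services(inventory, baseline):
    """Return (ip, port, proto) for open ports absent from the approved baseline,
    where baseline maps ip -> set of (port, proto) pairs expected to listen."""
    findings = []
    for ip, services in inventory.items():
        allowed = baseline.get(ip, set())
        findings += [(ip, s["port"], s["proto"]) for s in services
                     if (s["port"], s["proto"]) not in allowed]
    return findings
```

Feed it a real `nmap -sV -oX scan.xml` file instead of the sample and the same two functions give you the per-host listener list and the set of services nobody approved.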