andrewji8

Penetration Testing Checklist

Not everyone can follow strict requirements; after all, there are too many things to keep in mind. You have to make mistakes to learn the hard lessons, because people are cheap and won't change until they have made mistakes.

Tools

Don't use a plain one-liner webshell (一句话木马); the client side should use encrypted traffic, not a stock China Chopper (中国菜刀).
Don't use Behinder (冰蝎) with its default settings; security vendors already fingerprint it (with the defaults, getting a foothold is hard enough, and it will be found and cleaned out within an hour).
When uploading tools to the server, don't keep their default names (frp, nc, lcx, and so on).
Use the --random-agent option with sqlmap.
Strip the default fingerprints (signatures) from nmap and zmap scans.
Don't trust a tool's verdict blindly: test once with the tool and once by hand.
For sqlmap request-rate problems, use --delay, --safe-url and --safe-freq (contributed by SewellDinG).
Cobalt Strike's default Beacon certificate and traffic signatures are detected if left unchanged.
Use domain fronting with Cobalt Strike to disguise traffic as going to a legitimate (white) domain and hide the real C2 server IP (a Cobalt Strike started with defaults is recognized by devices from every vendor).
For sensitive operations the administrator may notice (such as logging in to a remote desktop), pick a source IP that matches the target's location (some systems show a remote-login warning).
Choose a time zone outside mainland China, and keep working hours consistent with that time zone.
Use a self-hosted DNSlog. Public online DNSlog sites are currently monitored, and a single request to one of their domains is enough to be detected.
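From the defending side, the domain-fronting item above has a well-known tell: the TLS SNI names the "white" domain while the HTTP Host header, visible only after TLS inspection, names the real back end. The following is an added example, not code from the original post, that runs that SNI-vs-Host comparison over a constructed proxy log; the JSON record layout, the hostnames and the two-label "same organisation" heuristic are all assumptions made for the example.

```python
import json

# Constructed sample of a TLS-inspecting proxy log (not real traffic): one JSON record
# per line carrying the SNI the client sent and the Host header seen after decryption.
SAMPLE_PROXY_LOG = """\
{"ts": "2024-01-01T10:00:00Z", "src": "10.0.0.5", "sni": "www.example-cdn.net", "host": "www.example-cdn.net"}
{"ts": "2024-01-01T10:00:01Z", "src": "10.0.0.5", "sni": "www.example-cdn.net", "host": "WWW.example-cdn.net."}
{"ts": "2024-01-01T10:00:02Z", "src": "10.0.0.7", "sni": "cdn.example-whitesite.com", "host": "beacon.example-c2.net"}
{"ts": "2024-01-01T10:00:03Z", "src": "10.0.0.9", "sni": "static.example-whitesite.com", "host": "img.example-whitesite.com"}
{"ts": "2024-01-01T10:00:04Z", "src": "10.0.0.9", "sni": "", "host": "beacon.example-c2.net"}
"""


def normalize_host(name):
    """Lower-case, drop an explicit :port and a trailing dot so cosmetic differences
    (upper case, FQDN dot, Host: example.com:443) do not raise false alerts.
    Assumes hostnames, not bracketed IPv6 literals."""
    name = name.strip().lower()
    if ":" in name:
        name = name.rsplit(":", 1)[0]
    return name.rstrip(".")


def registrable_suffix(name, labels=2):
    """Crude 'same organisation' check using the last two DNS labels.
    A production detector should use the Public Suffix List; this is an assumption
    kept simple for the example."""
    return ".".join(name.split(".")[-labels:])


def find_fronting_candidates(log_text):
    """Return (ts, src, severity, sni, host) for every record where SNI and Host disagree.

    cross-org : SNI and Host belong to different registrable domains (strongest signal)
    same-org  : different names under the same domain (often benign CDN behaviour)
    no-sni    : no SNI at all, so the comparison cannot be made (low-severity flag)
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sni = normalize_host(rec.get("sni", ""))
        host = normalize_host(rec.get("host", ""))
        if not sni:
            hits.append((rec["ts"], rec["src"], "no-sni", sni, host))
            continue
        if sni == host:
            continue
        severity = "same-org" if registrable_suffix(sni) == registrable_suffix(host) else "cross-org"
        hits.append((rec["ts"], rec["src"], severity, sni, host))
    return hits


if __name__ == "__main__":
    for hit in find_fronting_candidates(SAMPLE_PROXY_LOG):
        print(hit)
```

The check only works where the proxy actually terminates TLS and logs both fields; without inspection, SNI alone looks entirely legitimate, which is exactly why the technique is used. The same-org bucket exists so that ordinary CDN edge behaviour can be reviewed at a lower priority instead of being dropped or treated as an incident.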

Security Awareness

The browser on the penetration work machine should hold no personal information, so that nothing can be captured.
Don't casually change administrator or back-end passwords.
Large files should be archived and split before download.
Don't use a domestic VPS (Alibaba Cloud, Tencent Cloud) as the Cobalt Strike C2 server.
Once the penetration project is finished, stop testing.
Don't leave personal identifiers in developed code, and don't build trojans on a personal computer: the binary will embed local paths and the computer name.
Always work inside a virtual machine, never on the physical host.
Snapshot the virtual machine (no need to install antivirus software) and roll back to the snapshot once the project is done.
Configure the router so that only the VPN port (for example 1723) can reach the Internet; then if the VPN drops, Internet access drops with it. Otherwise a VPN disconnect in the middle of a scan exposes the real IP address (project-dependent, usually not needed).
Never open files brought back from the target on an Internet-connected machine; open them on a dedicated offline machine.
Keep the physical penetration machine offline (for storing files and collected information only); route network traffic through a USB network adapter into a gateway virtual machine that provides the anonymous line (project-dependent, usually not needed).
For sites that demand a verification code at registration, use an SMS-receiving platform.
For executive and operations staff mailboxes, if you find a VPN account or the login address of an important system, be cautious when accessing it, especially when you are asked to download a control such as "安全登录控件.exe".
When collecting target information on GitHub, pay special attention to project update times. If a project is quite new, be cautious about accessing it; it may be a honeypot meant to lure attackers into a sandbox.

Others

Keep a stock of domain names that imitate large companies. Normally point them at Google or 8.8.8.8; when needed, resolve them to your own server, and change them back immediately after use. (Registering a domain on the spot, or using one only briefly, wastes a lot of time and may even be flagged by security devices. This comes up often, so prepare domains in advance to build up their reputation.)
Remember every trojan you uploaded and keep its address; be sure to delete it, or hand it over in the report, after the project ends, so that it is not forgotten and later discovered by the defending side, which is hard to explain.
In authorized projects, the crawling process can cause irreversible damage to the website through misoperation (when crawling links, especially while logged in, crawling a delete page will delete data).
When cleaning logs, delete files by overwriting them so the data cannot be recovered, or delete only the log entries with specific IDs.
A team must be united and tolerant, helping each other learn and progress, and must avoid internal conflict; otherwise, even strong individuals end up scattered.
Upgrade all browsers to the latest version and forbid the use of old versions of Google Chrome.
There is a browser plugin called anti-honeypot, but tools are not fully trustworthy: the defending side can disguise a target as a honeypot.
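The log-cleaning item above (removing only selected log entries by ID) is, for the defending side, one of the easier things to detect: most event logs carry monotonically increasing record numbers, so a removed entry leaves a gap, and a rewritten file often ends up with timestamps that run backwards. The following is an added example, not code from the original post, that runs both checks over a constructed log sample; the `id=... ts=...` line format and every value in it are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample of an exported event log (not real data). Record 1004-1006 are
# missing, and record 1008 carries a timestamp earlier than the record before it.
SAMPLE_LOG = """\
id=1001 ts=2024-01-01T09:00:00Z msg=logon user=alice
id=1002 ts=2024-01-01T09:00:05Z msg=service-start name=w3svc
id=1003 ts=2024-01-01T09:01:10Z msg=logon user=bob
id=1007 ts=2024-01-01T09:09:42Z msg=logoff user=bob
id=1008 ts=2024-01-01T09:03:00Z msg=logon user=alice
id=1009 ts=2024-01-01T09:12:00Z msg=logoff user=alice
"""

# Assumed line layout: a numeric record id followed by an ISO-8601 UTC timestamp.
LINE_RE = re.compile(r"^id=(\d+)\s+ts=(\S+)")


def parse_records(log_text):
    """Return [(record_id, timestamp, raw_line), ...] in file order, skipping
    lines that do not match the assumed layout."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rid = int(m.group(1))
        ts = datetime.strptime(m.group(2), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((rid, ts, line))
    return records


def find_id_gaps(records):
    """Report (last_id_before_gap, first_id_after_gap, missing_count) for every
    break in the record-number sequence. Selective deletion by ID shows up here."""
    gaps = []
    for prev, cur in zip(records, records[1:]):
        if cur[0] - prev[0] > 1:
            gaps.append((prev[0], cur[0], cur[0] - prev[0] - 1))
    return gaps


def find_time_regressions(records):
    """Report (prev_id, cur_id) where a record's timestamp is earlier than the one
    before it. Weaker signal than an ID gap (clock changes also cause it), so it is
    reported separately for the analyst to weigh."""
    return [(prev[0], cur[0]) for prev, cur in zip(records, records[1:]) if cur[1] < prev[1]]


def audit(log_text):
    """Run both checks and return their findings keyed by check name."""
    recs = parse_records(log_text)
    return {"gaps": find_id_gaps(recs), "regressions": find_time_regressions(recs)}


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_LOG).items():
        print(check, findings)
```

On the sample this reports one gap of three records between 1003 and 1007 and one regression at 1008. The more useful operational point is that gap detection only works if the log is also shipped off-host as it is written; an ID-gap check run against a file the attacker already had write access to tells you what was removed, not what was rewritten wholesale.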
