.claude/skills/pentesting/SKILL.md
Pentesting arsenal with the Shannon pipeline: queue-driven, proof-based, 5 parallel phases

Install with: `npx skillsauth add gonzalezpazmonica/pm-workspace pentesting` (works with Claude Code, Cursor, and Windsurf).
Reference: checklists.md

- Recon: nmap, dig, whois, subfinder, amass, gobuster, ffuf, whatweb, crt.sh, testssl.sh
- Web: SQLi (error/blind/time/UNION), XSS (reflected/stored/DOM), SSTI, XXE, SSRF, CSRF, CMDi, path traversal, file upload, deserialization, business logic
- Auth: brute force, JWT (none/key-confusion/claim-tamper), OAuth abuse, SAML, session fixation
- AuthZ: IDOR, BOLA/BFLA, priv escalation (H/V), forced browsing, mass assignment
- API: REST param pollution, GraphQL introspection/DoS, gRPC reflection, WebSocket, rate limit bypass
- Infra: nmap NSE, mitmproxy, scapy, Redis/Mongo/ES/MySQL, TLS audit
- Container: Docker socket escape, privileged mode, K8s RBAC/etcd/pod escape, Helm injection
- Cloud: AWS IMDS/S3/IAM, Azure MI/SAS/RBAC, GCP metadata/SA keys
- Crypto: MD5/SHA1/ECB detection, padding oracle, hardcoded keys, PRNG prediction

```sh
# apt: nmap dnsutils whois nikto dirb tcpdump netcat socat openssl jq
# pip: sqlmap wfuzz mitmproxy scapy requests beautifulsoup4 pyjwt pycryptodome httpx
```
```markdown
# Pentest Report — {sistema}
**Date:** {fecha} | **Environment:** {env} | **Scope:** {desc}
## Executive Summary
Risk: {level} | Proven findings: C:{n} H:{n} M:{n} L:{n}
Discarded (no L3 proof): {n}
## Proven Findings (L3 only, with evidence)
## Attack Chains (diagrams of successful chains)
## Failed Attempts (L1/L2, for transparency, not counted as findings)
## Remediation Roadmap (P0-P3)
## Positive Findings (controls that worked)
```
- DEV: ✅ everything. Aggressive fuzzing, exploits, brute force, controlled DoS. ⚠️ Do not destroy data without a backup.
- PRE: ✅ OWASP, moderate fuzzing. ❌ No brute force, no DoS, no third-party data.
- PROD: ✅ Passive only (headers, TLS, DNS, auth test). ❌ No exploits, no fuzzing. Everything reversible.

Reference: checklists.md

- Web: headers, TLS, cookies, CORS, auth, authz, input validation, upload, errors, rate limit, business logic
- API: auth, authz/endpoint, validation, mass assignment, rate limit, pagination, content-type, versioning, docs
- Infra: ports, versions, creds, SSH, firewall, DNS, email security, certs
- Cloud: non-root, no privileged, pinned images, RBAC, network policies, secrets, IAM, storage
| Tactic | Techniques |
|--------|------------|
| Reconnaissance | Active scanning, open websites |
| Initial Access | Exploit public app, valid accounts |
| Execution | Command interpreter, exploitation |
| Persistence | Account manipulation, scheduled task |
| Priv Escalation | Exploitation, token manipulation |
| Credential Access | Brute force, credential dumping |
| Lateral Movement | Remote services, exploitation |
| Exfiltration | Over C2, web service, alt protocol |

| Factor | Weight | Values |
|--------|--------|--------|
| Attack Vector | 0.3 | Network(1.0) Adjacent(0.7) Local(0.5) Physical(0.2) |
| Complexity | 0.2 | Low(1.0) High(0.5) |
| Privileges | 0.2 | None(1.0) Low(0.6) High(0.3) |
| Impact | 0.3 | High(1.0) Medium(0.6) Low(0.3) |

| Category | Question | Controls |
|----------|----------|----------|
| Spoofing | Impersonate? | Auth, MFA, tokens |
| Tampering | Modify? | Integrity, HMAC |
| Repudiation | Deny? | Audit logs |
| Info Disclosure | Access? | Encryption, ACL |
| DoS | Take down? | Rate limiting, WAF |
| Elevation | Escalate? | RBAC, least privilege |
Each 03-vuln-{clase}.json file contains:

```json
{"vulnerabilities": [
  {"id": "INJ-001", "endpoint": "/api/search", "parameter": "q",
   "type": "sqli_error", "sink": "SQL query string interpolation",
   "source_file": "app.py:42", "confidence": "high",
   "suggested_payload": "' OR '1'='1", "notes": "No parameterized query"}
]}
```

Required fields: id, endpoint, parameter, type, confidence.
If confidence is below medium, exploitation is not attempted.
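The two rules above (required fields, confidence gate) are the contract between the analysis phase and the exploitation queue, so a small validator makes them concrete. The following is an added example, not code from the skill or the pm-workspace repository: it loads a findings file, rejects entries missing a required field, and holds back anything below the "medium" threshold. The ordering low < medium < high and the sample findings are assumptions constructed for this example; the page only names "medium" as the cut-off.

```python
"""Validator for 03-vuln-{class}.json finding files (added example).

Checks the required fields the skill lists and applies its confidence gate:
findings below "medium" are held and never reach the exploitation queue.
"""
import json

REQUIRED_FIELDS = ("id", "endpoint", "parameter", "type", "confidence")

# Assumed ordering of confidence levels; the page only states the threshold.
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}
MIN_CONFIDENCE = "medium"


def validate_finding(finding: dict) -> list:
    """Return a list of problems; an empty list means the finding is well-formed."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in finding or finding[field] in (None, ""):
            problems.append(f"missing required field: {field}")
    conf = finding.get("confidence")
    if conf is not None and conf not in CONFIDENCE_RANK:
        problems.append(f"unknown confidence level: {conf!r}")
    return problems


def eligible_for_exploitation(finding: dict) -> bool:
    """Confidence gate: only findings at or above MIN_CONFIDENCE proceed."""
    rank = CONFIDENCE_RANK.get(finding.get("confidence"), -1)
    return rank >= CONFIDENCE_RANK[MIN_CONFIDENCE]


def triage(raw_json: str) -> dict:
    """Split a findings file into queue / held / rejected buckets.

    queue    -> well-formed and confident enough to hand to the next phase
    held     -> well-formed but below the confidence threshold
    rejected -> malformed, with the list of problems for the analyst
    """
    data = json.loads(raw_json)
    result = {"queue": [], "held": [], "rejected": []}
    for finding in data.get("vulnerabilities", []):
        problems = validate_finding(finding)
        if problems:
            result["rejected"].append((finding.get("id", "<no id>"), problems))
        elif eligible_for_exploitation(finding):
            result["queue"].append(finding["id"])
        else:
            result["held"].append(finding["id"])
    return result


# Constructed sample file (not real output): one high-confidence finding,
# one low-confidence finding that must be held, one missing "parameter".
SAMPLE_FILE = json.dumps({"vulnerabilities": [
    {"id": "INJ-001", "endpoint": "/api/search", "parameter": "q",
     "type": "sqli_error", "confidence": "high"},
    {"id": "INJ-002", "endpoint": "/api/items", "parameter": "sort",
     "type": "sqli_blind", "confidence": "low"},
    {"id": "INJ-003", "endpoint": "/api/login", "type": "sqli_error",
     "confidence": "high"},
]})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FILE), indent=2))
```

Run it on a real 03-vuln-*.json by replacing SAMPLE_FILE with the file's contents; the rejected bucket is what the analysis phase should fix before the queue is consumed.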