bmt 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/lib/bmt/version.rb +1 -1
  3. data/lib/data/0.1/methodologies/active_directory.json +426 -0
  4. data/lib/data/0.1/methodologies/internal_network.json +454 -0
  5. data/lib/data/0.1/methodologies/website_testing.json +398 -206
  6. data/lib/data/0.1/schema.json +4 -4
  7. metadata +5 -3
data/lib/data/0.1/methodologies/internal_network.json ADDED
@@ -0,0 +1,454 @@
1
+ {
2
+ "metadata": {
3
+ "title": "Internal Network Penetration Testing Methodology",
4
+ "release_date": "2025-08-19T00:00:00+00:00",
5
+ "description": "A checklist for assessing internal network infrastructure and associated services",
6
+ "vrt_version": "1.17"
7
+ },
8
+ "content": {
9
+ "steps": [
10
+ {
11
+ "key": "recon_enum",
12
+ "title": "Reconnaissance & Enumeration",
13
+ "description": "Conduct network reconnaissance and enumerate active services and hosts",
14
+ "type": "checklist",
15
+ "items": [
16
+ {
17
+ "key": "host_service_discovery",
18
+ "title": "Host and Service Discovery",
19
+ "caption": "",
20
+ "description": "Conduct port scanning to identify live hosts and accessible (TCP & UDP) services.",
21
+ "tools": "Nmap, Zenmap"
22
+ },
23
+ {
24
+ "key": "vuln_assessment",
25
+ "title": "Vulnerability Assessment",
26
+ "caption": "",
27
+ "description": "Conduct vulnerability scanning against in-scope hosts.",
28
+ "tools": "Nessus, nmap"
29
+ },
30
+ {
31
+ "key": "dns_enum",
32
+ "title": "DNS Enumeration",
33
+ "caption": "",
34
+ "description": "Identify DNS servers, enumerate the available DNS records and attempt a zone transfer.",
35
+ "tools": "Fierce, dig, nslookup, dnsenum, sublist3r"
36
+ },
37
+ {
38
+ "key": "legacy_unencrypted_services",
39
+ "title": "Legacy & Unencrypted Services",
40
+ "caption": "",
41
+ "description": "Identify any legacy and unencrypted services (e.g telnet, FTP etc.) that are present in the network.",
42
+ "tools": "Nmap, zenmap"
43
+ },
44
+ {
45
+ "key": "unpatched_software_cve",
46
+ "title": "Unpatched Software & CVEs",
47
+ "caption": "",
48
+ "description": "Identify the use of outdated and unpatched software in use throughout the network. Assess which publicly disclosed vulnerabilities impact these software versions.",
49
+ "tools": "Nmap, Zenmap"
50
+ },
51
+ {
52
+ "key": "outdated_unsupported_os",
53
+ "title": "Outdated and Unsupported Operating Systems",
54
+ "caption": "",
55
+ "description": "Identify hosts using outdated and end-of-life operating systems.",
56
+ "tools": "Nessus, nmap"
57
+ },
58
+ {
59
+ "key": "traffic_poisoning",
60
+ "title": "Traffic Poisoning",
61
+ "caption": "",
62
+ "description": "Analyse traffic and send spoofed responses to hostname resolution queries (e.g LLMNR, NBT-NS, MDNS) with the aim of capturing hashes or relaying authentication to target systems.",
63
+ "tools": "Responder, Inveigh"
64
+ },
65
+ {
66
+ "key": "shares",
67
+ "title": "Share Enumeration",
68
+ "caption": "",
69
+ "description": "Identify insecure network shares that are accessible to unauthenticated users. Search these shares for the presence of sensitive data (e.g credentials, configuration files, customer data).",
70
+ "tools": "Crackmapexec, NetExec, SMBMap, SMBClient, enum4linux, nmap"
71
+ }
72
+ ]
73
+ },
74
+ {
75
+ "key": "microsoft_protocols",
76
+ "title": "Microsoft Protocols",
77
+ "description": "Assess vulnerabilities and misconfigurations in Microsoft protocols and services",
78
+ "type": "checklist",
79
+ "items": [
80
+ {
81
+ "key": "null_sessions_guest_access",
82
+ "title": "Null Sessions & Guest Access",
83
+ "caption": "",
84
+ "description": "Identify SMB & MSRPC services which support null sessions and/or guest access. If supported, leverage this access to enumerate useful information (e.g users, groups, password policy, shares etc.).",
85
+ "tools": "NetExec, enum4linux, rpcclient"
86
+ },
87
+ {
88
+ "key": "smb_signing",
89
+ "title": "SMB Signing",
90
+ "caption": "",
91
+ "description": "Identify hosts for which SMB signing is either disabled or enabled but not required.",
92
+ "tools": "nmap smb2-security-mode, NetExec gen-relay-list"
93
+ },
94
+ {
95
+ "key": "ldap_signing_channel_binding",
96
+ "title": "Microsoft LDAP Signing & Channel Binding",
97
+ "caption": "",
98
+ "description": "Identify LDAP servers configured to not require/enforce LDAP signing and channel binding.",
99
+ "tools": "NetExec ldap-checker, LdapRelayScan"
100
+ },
101
+ {
102
+ "key": "ldap_anonymous_bind",
103
+ "title": "Microsoft LDAP Anonymous Bind",
104
+ "caption": "",
105
+ "description": "Discern whether the LDAP server(s) supports anonymous binds.",
106
+ "tools": "Ldapsearch"
107
+ }
108
+ ]
109
+ },
110
+ {
111
+ "key": "file_transfer_management_protocols",
112
+ "title": "File Transfer & Management Protocols",
113
+ "description": "Identify and assess the security of file transfer and management protocols used across the network",
114
+ "type": "checklist",
115
+ "items": [
116
+ {
117
+ "key": "tftp",
118
+ "title": "TFTP (Trivial File Transfer Protocol)",
119
+ "caption": "",
120
+ "description": "Attempt to brute-force files from available TFTP servers. For any enumerated files, search for the presence of sensitive data (e.g credentials, configuration data). Fingerprint the TFTP software version and assess whether it is impacted by known vulnerabilities. ",
121
+ "tools": "tftp, nmap tftp-enum, metasploit tftpbrute"
122
+ },
123
+ {
124
+ "key": "ftp_anon_login",
125
+ "title": "FTP (File Transfer Protocol): Anonymous Login and Weak Credentials",
126
+ "caption": "",
127
+ "description": "Identify FTP servers supporting anonymous login or weak/default credentials.",
128
+ "tools": "FTP, nmap"
129
+ },
130
+ {
131
+ "key": "ftp_common_vulns",
132
+ "title": "FTP (File Transfer Protocol): Common Vulnerabilities",
133
+ "caption": "",
134
+ "description": "Fingerprint the FTP server(s) and assess whether the software version is impacted by known vulnerabilities.",
135
+ "tools": "Nmap, netcat"
136
+ },
137
+ {
138
+ "key": "nfs_enum",
139
+ "title": "NFS (Network File System)",
140
+ "caption": "",
141
+ "description": "Identify NFS servers and the versions in use. Attempt to enumerate and mount available NFS shares and search for the presence of exposed sensitive data (e.g home folders, SSH keys, configuration files, credentials).",
142
+ "tools": "showmount, nmap, mount"
143
+ },
144
+ {
145
+ "key": "ssh_enum",
146
+ "title": "SSH (Secure Shell): Protocol & Software Versions",
147
+ "caption": "",
148
+ "description": "Identify SSH servers and fingerprint both the protocol version and software versions in use. When banner grabbing, note any SSH servers displaying SSH-1.0 or SSH-1.99, indicating support for the insecure and obsolete SSH-1. Assess whether software versions are impacted by known vulnerabilities.",
149
+ "tools": "Nmap, ssh, netcat"
150
+ },
151
+ {
152
+ "key": "ssh_algos",
153
+ "title": "SSH (Secure Shell): Algorithms & Ciphers",
154
+ "caption": "",
155
+ "description": "Check whether SSH servers support insecure key-exchange, host-key, encryption or message authentication code algorithms.",
156
+ "tools": "Nmap ssh2-enum-algos, ssh-audit"
157
+ },
158
+ {
159
+ "key": "ssh_auth_methods",
160
+ "title": "SSH (Secure Shell): Supported Authentication Methods",
161
+ "caption": "",
162
+ "description": "Assess whether SSH servers support password-based authentication and permit root login.",
163
+ "tools": "Nmap ssh-auth-methods, ssh-audit"
164
+ },
165
+ {
166
+ "key": "snmp_enum",
167
+ "title": "SNMP (Simple Network Management Protocol)",
168
+ "caption": "",
169
+ "description": "Identify SNMP servers and assess whether insecure and unencrypted versions (e.g v1/2c) are in use. Test for default community strings or weak passwords which could allow read or write access. Leverage any access gained to retrieve sensitive or useful data present in the MIB.",
170
+ "tools": "snmpwalk, metasploit snmp_enum, nmap"
171
+ }
172
+ ]
173
+ },
174
+ {
175
+ "key": "remote_access_protocols",
176
+ "title": "Remote Access Protocols",
177
+ "description": "Identify remote access services and assess their configurations",
178
+ "type": "checklist",
179
+ "items": [
180
+ {
181
+ "key": "rdp_enum",
182
+ "title": "RDP (Remote Desktop Protocol)",
183
+ "caption": "",
184
+ "description": "Identify accessible RDP services and analyse for weaknesses in the configuration by determining the security layer and encryption levels supported.",
185
+ "tools": "Nmap rdp-enum-encryption, rdp-sec-check, NetExec --nla-screenshot"
186
+ },
187
+ {
188
+ "key": "vnc_enum",
189
+ "title": "VNC (Virtual Network Computing)",
190
+ "caption": "",
191
+ "description": "Identify VNC servers and assess the configuration for weaknesses (e.g 'None' authentication method enabled), use of default/weak credentials, and unpatched vulnerabilities.",
192
+ "tools": "Nmap, metasploit, vncviewer"
193
+ },
194
+ {
195
+ "key": "x11_enum",
196
+ "title": "X11 (X Windows)",
197
+ "caption": "",
198
+ "description": "Identify X11 servers and assess the configuration for weaknesses (e.g ‘Open’ access) and software version related vulnerabilities.",
199
+ "tools": "Nmap x11-access, metasploit open_x11, xephyr, xwd, xwininfo"
200
+ }
201
+ ]
202
+ },
203
+ {
204
+ "key": "mail_protocols",
205
+ "title": "Mail Protocols",
206
+ "description": "Assess mail servers for misconfigurations and common vulnerabilities",
207
+ "type": "checklist",
208
+ "items": [
209
+ {
210
+ "key": "smtp_fingerprint",
211
+ "title": "SMTP (Simple Mail Transfer Protocol): Fingerprinting & Encryption",
212
+ "caption": "",
213
+ "description": "Fingerprint the software version to identify unpatched vulnerabilities and assess whether the service supports unencrypted connections.",
214
+ "tools": "Nmap, netcat"
215
+ },
216
+ {
217
+ "key": "smtp_user_enum",
218
+ "title": "SMTP (Simple Mail Transfer Protocol): User Enumeration",
219
+ "caption": "",
220
+ "description": "Assess whether SMTP server(s) are vulnerable to user enumeration.",
221
+ "tools": "smtp-user-enum, nmap smtp-enum-users, metasploit smtp_enum"
222
+ },
223
+ {
224
+ "key": "smtp_relay",
225
+ "title": "SMTP (Simple Mail Transfer Protocol): Open Relay",
226
+ "caption": "",
227
+ "description": "Assess whether SMTP server(s) are vulnerable to open relay.",
228
+ "tools": "nmap smtp-open-relay, metasploit smtp_relay"
229
+ },
230
+ {
231
+ "key": "imap_enum",
232
+ "title": "IMAP (Internet Message Access Protocol): Fingerprinting & Encryption",
233
+ "caption": "",
234
+ "description": "Fingerprint the software version to identify unpatched vulnerabilities and assess whether the service supports unencrypted connections.",
235
+ "tools": "nmap"
236
+ },
237
+ {
238
+ "key": "pop3_enum",
239
+ "title": "POP3 (Post Office Protocol): Fingerprinting & Encryption",
240
+ "caption": "",
241
+ "description": "Fingerprint the software version to identify unpatched vulnerabilities and assess whether the service supports unencrypted connections.",
242
+ "tools": "nmap"
243
+ }
244
+ ]
245
+ },
246
+ {
247
+ "key": "databases",
248
+ "title": "Databases",
249
+ "description": "Identify, fingerprint, and assess database services for vulnerabilities, misconfigurations, and weak credentials",
250
+ "type": "checklist",
251
+ "items": [
252
+ {
253
+ "key": "mysql_enum",
254
+ "title": "MySQL: Fingerprinting",
255
+ "caption": "",
256
+ "description": "Identify the version of MySQL in use to discover whether it is impacted by known vulnerabilities.",
257
+ "tools": "CVE Database, ExploitDB, Metasploit"
258
+ },
259
+ {
260
+ "key": "mysql_default_creds",
261
+ "title": "MySQL: Default Credentials",
262
+ "caption": "",
263
+ "description": "Determine whether you can gain access to the MySQL server(s) using default or weak credentials (e.g root:<blank>, anonymous:<blank>).",
264
+ "tools": "Mysql, metasploit, nmap"
265
+ },
266
+ {
267
+ "key": "mysql_abuse",
268
+ "title": "MySQL: Abusing Access",
269
+ "caption": "",
270
+ "description": "If you are able to gain access to the MySQL server, leverage this access to explore the schema and database entries and dump user hashes. Assess the privileges available to the user and abuse dangerous functions such as the FILE privilege to retrieve sensitive data and attempt command execution on the underlying host (e.g via the into outfile and load_file commands).",
271
+ "tools": "Mysql, metasploit"
272
+ },
273
+ {
274
+ "key": "mssql_enum",
275
+ "title": "MSSQL: Fingerprinting",
276
+ "caption": "",
277
+ "description": "Identify the version of MSSQL in use to discover whether it is impacted by known vulnerabilities.",
278
+ "tools": "CVE Database, ExploitDB, Metasploit"
279
+ },
280
+ {
281
+ "key": "mssql_default_creds",
282
+ "title": "MSSQL: Default Credentials",
283
+ "caption": "",
284
+ "description": "Determine whether you can gain access to the MSSQL server(s) using default or weak credentials (e.g sa:sa).",
285
+ "tools": "impacket-mssqlclient, metasploit, nmap"
286
+ },
287
+ {
288
+ "key": "mssql_abuse",
289
+ "title": "MSSQL: Abusing Access",
290
+ "caption": "",
291
+ "description": "If you are able to gain access to the MSSQL server, leverage this access to explore the schema and database entries and dump user hashes. Probe for enabled stored procedures which could be abused for further compromise such as executing commands on the underlying host (e.g xp_cmdshell) or capturing the service account hash (e.g xp_subdirs or xp_dirtree). Assess misconfigurations that could allow you to escalate privileges in the database (for example via impersonation or linked servers).",
292
+ "tools": "impacket-mssqlclient, sqsh, metasploit"
293
+ },
294
+ {
295
+ "key": "postgresql_enum",
296
+ "title": "PostgreSQL: Fingerprinting",
297
+ "caption": "",
298
+ "description": "Identify the version of PostgreSQL in use to discover whether it is impacted by known vulnerabilities.",
299
+ "tools": "CVE Database, ExploitDB, Metasploit"
300
+ },
301
+ {
302
+ "key": "postgresql_default_creds",
303
+ "title": "PostgreSQL: Default Credentials",
304
+ "caption": "",
305
+ "description": "Determine whether you can gain access to the PostgreSQL server(s) using default or weak credentials (e.g postgres:postgres).",
306
+ "tools": "psql, metasploit, nmap"
307
+ },
308
+ {
309
+ "key": "postgresql_abuse",
310
+ "title": "PostgreSQL: Abusing Access",
311
+ "caption": "",
312
+ "description": "If you are able to gain access to the PostgreSQL server, leverage this access to explore the schema and database entries and dump user hashes. If you have sufficient privileges, attempt to retrieve files from the server and gain command execution on the underlying host.",
313
+ "tools": "psql, metasploit"
314
+ },
315
+ {
316
+ "key": "oracle_enum",
317
+ "title": "Oracle DB: Fingerprinting & Enumeration",
318
+ "caption": "",
319
+ "description": "Identify the version in use to discover whether it is impacted by known vulnerabilities. Attempt to enumerate the TNS listener version, TNS listener password (if enabled), and oracle service identifier (SID).",
320
+ "tools": "tnscmd10g, oscanner, odat, metasploit, nmap, hydra"
321
+ },
322
+ {
323
+ "key": "oracle_default_creds",
324
+ "title": "Oracle DB: Default Credentials",
325
+ "caption": "",
326
+ "description": "Determine whether you can gain access to OracleDB using default or weak credentials (e.g ANONYMOUS:ANONYMOUS, DBSNMP:DBSNMP, SCOTT:TIGER, SYS:CHANGE_ON_INSTALL and more).",
327
+ "tools": "Metasploit oracle_login, Nmap oracle-brute"
328
+ },
329
+ {
330
+ "key": "oracle_abuse",
331
+ "title": "Oracle DB: Abusing Access",
332
+ "caption": "",
333
+ "description": "If you are able to gain access to the Oracle DB, leverage this access to explore the schema and database entries, attempt to elevate privileges, read or write files, and gain command execution (e.g via java procedures or DBMS_SCHEDULER).",
334
+ "tools": "sqlplus, odat, metasploit"
335
+ },
336
+ {
337
+ "key": "redis_login",
338
+ "title": "Redis: Anonymous Access or Weak Credentials",
339
+ "caption": "",
340
+ "description": "Assess the configuration of the Redis DB to determine whether it can be accessed unauthenticated (default) or with weak credentials. As Redis uses a plain-text based protocol, you can also sniff network traffic for credentials or other sensitive data travelling to and from it.",
341
+ "tools": "netcat, redis-cli, metasploit redis_login, nmap redis-brute, hydra"
342
+ },
343
+ {
344
+ "key": "redis_abuse",
345
+ "title": "Redis: Abusing Access",
346
+ "caption": "",
347
+ "description": "If you are able to gain access to the Redis database, leverage this access to read keys and attempt to gain command execution on the underlying host (e.g via web shell, writing to SSH authorized_keys, manipulating crontab, loading redis modules etc.).",
348
+ "tools": "redis-cli, redis-dump, netcat"
349
+ }
350
+ ]
351
+ },
352
+ {
353
+ "key": "web_applications",
354
+ "title": "Web Applications",
355
+ "description": "Discover and analyze internal web applications for vulnerabilities",
356
+ "type": "checklist",
357
+ "items": [
358
+ {
359
+ "key": "internal_webapps",
360
+ "title": "Internal Web Applications",
361
+ "caption": "",
362
+ "description": "Identify any web applications present in the internal network. For third-party systems (e.g not developed by the client), consult vendor documentation to examine whether default credentials are in use. For client-managed systems (e.g those created and owned by the client), probe these applications for exploitable vulnerabilities and baseline configuration weaknesses (e.g HTTP security headers, exposed software versions, patching etc.). As this is an internal infrastructure assessment, focus on exploitable vulnerabilities which could lead to extending compromise on the underlying host(s).",
363
+ "tools": "BurpSuite, SQLMap, nuclei"
364
+ },
365
+ {
366
+ "key": "phpmyadmin",
367
+ "title": "PHPMyAdmin",
368
+ "caption": "",
369
+ "description": "If PHPMyAdmin is identified, determine whether default (e.g root:<blank>, root:password) or weak credentials are used. Fingerprint the version of PHPMyAdmin and assess whether it is impacted by known vulnerabilities. In particular, historical versions of PHPMyAdmin are impacted by a variety of both unauthenticated and authenticated RCE vulnerabilities.",
370
+ "tools": "Metasploit, hydra"
371
+ },
372
+ {
373
+ "key": "webmin",
374
+ "title": "Webmin",
375
+ "caption": "",
376
+ "description": "If a Webmin control panel is identified, fingerprint the version and research publicly disclosed vulnerabilities which may impact that version. In particular, historical versions of Webmin are impacted by a number of authenticated RCE vulnerabilities.",
377
+ "tools": "Searchsploit, ExploitDB"
378
+ },
379
+ {
380
+ "key": "tomcat",
381
+ "title": "Apache Tomcat",
382
+ "caption": "",
383
+ "description": "If Apache Tomcat is identified, locate the manager login page (e.g /manager/html) and determine whether default credentials (e.g admin:admin, tomcat:tomcat, admin:s3cr3t and more) are in use. If access is achieved, attempt to gain command execution on the host by creating and uploading a JSP webshell.",
384
+ "tools": "metasploit tomcat_mgr_login, hydra, msfvenom"
385
+ },
386
+ {
387
+ "key": "jenkins",
388
+ "title": "Jenkins",
389
+ "caption": "",
390
+ "description": "If Jenkins is identified, perform enumeration to examine which pages can be viewed and which commands can be executed without authentication. Attempt to brute force weak credentials. If access is achieved, attempt to gain code execution on the server (e.g via building projects, executing a groovy script, or reverse shell).",
391
+ "tools": "Metasploit jenkins_enum, jenkins_command, jenkins_login, jenkins_script_console"
392
+ }
393
+ ]
394
+ },
395
+ {
396
+ "key": "baseboard_management_controllers",
397
+ "title": "Baseboard Management Controllers",
398
+ "description": "Assess baseboard management controllers for vulnerabilities, weak credentials, and data exposure",
399
+ "type": "checklist",
400
+ "items": [
401
+ {
402
+ "key": "ipmi",
403
+ "title": "IPMI (Intelligent Platform Management Interface)",
404
+ "caption": "",
405
+ "description": "Enumerate which IPMI version and forms of authentication are supported. If IPMI v2.0 is supported, attempt to exploit common vulnerabilities for this version (e.g password hash retrieval and cipher zero authentication bypass). Check for anonymous access being enabled or consult product documentation for default credentials and assess whether these are still in use. Fingerprint and research the particular make and version in use for unpatched vulnerabilities.",
406
+ "tools": "metasploit ipmi_dumphashes, ipmi_cipher_zero, ipmitool, hashcat"
407
+ }
408
+ ]
409
+ },
410
+ {
411
+ "key": "printers",
412
+ "title": "Printers",
413
+ "description": "Discover and assess MultiFunction Printers (MFPs) for vulnerabilities, weak credentials, and data exposure",
414
+ "type": "checklist",
415
+ "items": [
416
+ {
417
+ "key": "printer_enum",
418
+ "title": "Printers: Discovery",
419
+ "caption": "",
420
+ "description": "Discover MultiFunction Printers (MFPs) present in the local network and determine the languages supported.",
421
+ "tools": "PRET"
422
+ },
423
+ {
424
+ "key": "printer_file_system",
425
+ "title": "Printers: File System Access",
426
+ "caption": "",
427
+ "description": "Access the file system of the printer and examine any stored faxes and print jobs for the presence of sensitive data. Research the make and model for path traversal vulnerabilities which allow breakout from the sandboxed directory (e.g 0:/). Explore the file system for sensitive data such as service credentials used for network integration by the printer.",
428
+ "tools": "PRET"
429
+ },
430
+ {
431
+ "key": "printer_portal",
432
+ "title": "Printers: Web Based Management Portal",
433
+ "caption": "",
434
+ "description": "If the printer has an accessible embedded web server, consult vendor documentation for default credentials and attempt to gain access. If access is achieved, hunt around for sensitive data including stored print jobs, user address books, and credentials used by the printer to connect to external services (e.g FTP, SMB, SMTP). Additionally, if the printer is configured to support LDAP integration, explore the possibility of retrieving credentials via an LDAP Pass-Back Attack.",
435
+ "tools": "PRET"
436
+ }
437
+ ]
438
+ },
439
+ {
440
+ "key": "upload_logs",
441
+ "title": "Upload logs",
442
+ "description": "This should include output from port scans and vulnerability assessments.",
443
+ "type": "large_upload"
444
+ },
445
+ {
446
+ "key": "executive_summary",
447
+ "title": "Executive summary",
448
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
449
+ "type": "executive_summary"
450
+ }
451
+ ]
452
+ }
453
+ }
454
+