How to start

Hi,
I recently joined HTB to put into practice what I'm supposed to know. I have doubts about how you conduct pentests here. I know each case is different, but I am more interested in the tools you usually use to start. NMAP, then OpenVAS? Jump directly to Metasploit? None of the above? I guess all the successes come from distros like Kali or Parrot. Windows is not needed or not desired. Is that right? Thanks for your help.

Thank you

Hack The Box
Always happy to help you. If I help you, don't forget to give me respect on my profile. Click on my badge for this.

Comments

  • Disclaimer: I'm not working as a pentester, just an enthusiastic HTB player

    I did it the hard way: installed Parrot on a dedicated machine and started solving the available easy boxes, figuring out what I need to use on the way. I don't really like Metasploit, to be honest, because it's "magic". I prefer to use / write scripts I understand so I can learn. Windows definitely helps when you're hacking Windows boxes. I made a conscious decision to work only from Linux until it becomes literally impossible, and a lot of times this has caused me extra problems I needed to solve.

  • Also Disclaimer: I am not a pentester and I don't play the part of one in movies.

    Most of my HTB time is in Kali, simply because it's what I am used to.

    Generally I start with NMAP, sometimes masscan, but I don't find that faster against a single IP. I've seen some write-ups which talk about Legion but I haven't tried it yet.

    Once Nmap tells me what ports are open, then it's down to enumerating the port.

    For example, if it looks like a webserver I use dirb/dirbuster/gobuster/nikto and open it in Firefox/Burp to see if anything interesting appears.

    If SMB is open, different tools (smbclient, rpcclient, crackmapexec, etc.).

    I don't have any issue with using MSF, but I find it isn't that helpful on most HTB boxes.

  • Thanks a lot. You bring me some light :)

  • Thank you all for sharing your experiences, these are very helpful and I appreciate them.
