FILE: materi-09.module

Penetration Testing Methodology

A structured way to conduct a pentest: reconnaissance, scanning, exploitation, post-exploitation.

RUNTIME: 30m LEVEL: advanced STATUS: ACTIVE
terminal -- root@cyber

    root@cyber:~ # nmap -sV target.com
    Starting Nmap scan...
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    80/tcp   open   http
    443/tcp  open   https
    root@cyber:~ #
    [+] Scan completed - 3 open ports detected

1. What Is a Pentest

A simulated attack against a system, carried out with permission. Goal: find vulnerabilities before real attackers do. Phases: planning, recon, scanning, exploitation, post-exploitation, reporting. A written, signed contract is mandatory.

2. Phase 1 Reconnaissance

Gather information about the target without interacting with it directly (passive) or while leaving a minimal trace (active). Tools: theHarvester, Maltego, Shodan, Google Dorks. Find: subdomains, email addresses, employees, tech stack.

3. Phase 2 Scanning

Identify services and vulnerabilities. Port scanning (nmap). Service version detection. Vulnerability scanning (Nessus, OpenVAS). Web app scanning (Burp, OWASP ZAP). Validate findings manually.
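
As an added example (not part of the original module), the script below parses the port table from an nmap scan and compares it against a list of approved services, producing the short list of items that need manual validation. The sample scan text, the version strings and the APPROVED baseline are constructed assumptions.

```python
import re

# Constructed sample in nmap's normal output format, mirroring the ports
# shown in this module's terminal (version strings are made up).
SAMPLE_SCAN = """\
Nmap scan report for target.com
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 8.9p1
80/tcp   open     http     nginx 1.18.0
443/tcp  open     https    nginx 1.18.0
3306/tcp filtered mysql
"""

# Assumed baseline: services the system owner has approved as exposed.
APPROVED = {(22, "tcp"), (443, "tcp"), (8443, "tcp")}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Return one dict per row of the nmap port table."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return rows

def review(rows, approved):
    """Return (findings to validate, approved open services, approved but not open)."""
    findings, expected = [], []
    for r in rows:
        if r["state"] != "open":
            continue  # only rows reported as open count as exposed services
        key = (r["port"], r["proto"])
        (expected if key in approved else findings).append(r)
    open_keys = {(r["port"], r["proto"]) for r in rows if r["state"] == "open"}
    return findings, expected, sorted(approved - open_keys)

if __name__ == "__main__":
    findings, expected, missing = review(parse_ports(SAMPLE_SCAN), APPROVED)
    for r in findings:
        print(f"VALIDATE {r['port']}/{r['proto']} {r['service']} {r['version'] or '(no version)'}")
    print(f"{len(expected)} approved open, {len(findings)} to validate, not seen: {missing}")
```

Each VALIDATE line is a candidate finding only; confirm it by hand before it goes into the report.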

4. Phase 3 Exploitation

Use the vulnerabilities found to gain access. The Metasploit framework is popular. Custom exploits for specific targets. Goal: gain an initial foothold. Avoid damaging production data.

5. Phase 4 Post-Exploitation

After gaining access: privilege escalation, persistence, lateral movement, data exfiltration. Document every step. Tools: Mimikatz, BloodHound, Cobalt Strike. The most sensitive phase.

Practical Mission

  1. Perform recon on a domain you own
  2. Learn Metasploit using Metasploitable as the target
  3. Run nmap and analyze the output
  4. Set up HackTheBox Academy
  5. Write a one-page sample pentest report

Recap Module