Share
## https://sploitus.com/exploit?id=E834820B-9821-5C48-ADF1-0663BF7FA8E7
# Penetration Testing Framework

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![Security](https://img.shields.io/badge/Security-Pentesting-red.svg)](https://owasp.org/)
[![PTES](https://img.shields.io/badge/Methodology-PTES-blue.svg)](http://www.pentest-standard.org/)
[![OWASP](https://img.shields.io/badge/OWASP-WSTG-orange.svg)](https://owasp.org/www-project-web-security-testing-guide/)
[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/)
[![Made with Bash](https://img.shields.io/badge/Made%20with-Bash-1f425f.svg)](https://www.gnu.org/software/bash/)

A modular penetration testing framework providing scripts, methodologies, and documentation for security assessments across OSINT, network reconnaissance, exploitation, and web application testing phases.

## Overview

This framework provides a structured approach to penetration testing with reusable scripts, detailed methodology documentation, and practical examples. It follows industry-standard methodologies including PTES, NIST SP 800-115, and OWASP WSTG.

**Note**: All examples use anonymized data. IP addresses, domain names, and credentials shown are either fictional or from intentionally vulnerable applications (OWASP Juice Shop).

## Project Structure

```
.
โ”œโ”€โ”€ osint/                    # Passive reconnaissance (OSINT)
โ”‚   โ”œโ”€โ”€ scripts/              # Automation scripts for OSINT
โ”‚   โ”œโ”€โ”€ wordlists/            # Generated wordlists from reconnaissance
โ”‚   โ””โ”€โ”€ README.md             # OSINT methodology documentation
โ”‚
โ”œโ”€โ”€ active-recon/             # Active reconnaissance phase
โ”‚   โ”œโ”€โ”€ scripts/              # Network scanning and enumeration scripts
โ”‚   โ”œโ”€โ”€ examples/             # Sample outputs and reports
โ”‚   โ””โ”€โ”€ README.md             # Active recon methodology
โ”‚
โ”œโ”€โ”€ exploitation/             # Controlled exploitation phase
โ”‚   โ”œโ”€โ”€ elasticsearch/        # Elasticsearch security assessment
โ”‚   โ”œโ”€โ”€ scripts/              # Exploitation PoC scripts
โ”‚   โ””โ”€โ”€ README.md             # Exploitation methodology
โ”‚
โ”œโ”€โ”€ juice-shop/               # Grey box web application testing
โ”‚   โ”œโ”€โ”€ vulnerabilities/      # Detailed vulnerability writeups
โ”‚   โ”œโ”€โ”€ http-requests/        # HTTP request examples (Burp-style)
โ”‚   โ””โ”€โ”€ README.md             # Web app testing methodology
โ”‚
โ”œโ”€โ”€ docs/                     # Additional documentation
โ”‚   โ”œโ”€โ”€ METHODOLOGY.md        # Full testing methodology
โ”‚   โ”œโ”€โ”€ ATTACK_SURFACE.md     # Attack surface mapping template
โ”‚   โ””โ”€โ”€ REMEDIATION.md        # Remediation planning guide
โ”‚
โ”œโ”€โ”€ DISCLAIMER.md             # Legal disclaimer
โ”œโ”€โ”€ LICENSE                   # MIT License
โ””โ”€โ”€ README.md                 # This file
```

## Methodologies & Frameworks

- **PTES** (Penetration Testing Execution Standard)
- **NIST SP 800-115** (Technical Guide to Information Security Testing)
- **OWASP WSTG** (Web Security Testing Guide)
- **OWASP Top 10 2021**

## Phases Covered

### 1. Passive Reconnaissance (OSINT)
- Google Dorks automation
- Wayback Machine analysis
- Certificate Transparency (CT) log enumeration
- Shodan/Censys queries
- LinkedIn username enumeration

### 2. Active Reconnaissance
- Host discovery (nmap, arp-scan)
- Service enumeration
- Banner grabbing
- Middleware probing (Redis, Elasticsearch)

### 3. Controlled Exploitation
- Elasticsearch CVE-2015-1427, CVE-2015-5531
- AJP Ghostcat (CVE-2020-1938)
- Jenkins CLI vulnerabilities
- ActiveMQ CVE-2023-46604, CVE-2016-3088
- Weak credential discovery

### 4. Web Application Testing (Grey Box)
- Authentication bypass (SQL Injection)
- Broken Access Control (IDOR/BOLA)
- Cross-Site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
- Insecure Direct Object References
- JWT session management flaws
- File upload vulnerabilities
- Mass assignment / privilege escalation

## Key Findings Summary

| Category | Critical | High | Medium | Low |
|----------|----------|------|--------|-----|
| Infrastructure | 5 | 7 | 3 | 1 |
| Web Application | 2 | 9 | 4 | 1 |
| **Total** | **7** | **16** | **7** | **2** |

## Tools Used

### Reconnaissance
- nmap, masscan
- Burp Suite
- curl, wget
- Shodan, Censys
- crt.sh, Wayback Machine

### Exploitation
- Nuclei
- Custom Python/Bash scripts
- Native clients (redis-cli, mysql, curl)

### Web Testing
- Burp Suite (Proxy, Repeater, Intruder)
- Browser DevTools
- Custom HTTP requests

## Features

- **Modular Architecture**: Independent modules for each testing phase
- **Reusable Scripts**: Production-ready Bash scripts with error handling
- **Comprehensive Documentation**: Detailed methodology guides and templates
- **Practical Examples**: Real-world vulnerability writeups and HTTP requests
- **Standards Compliant**: Follows PTES, NIST SP 800-115, OWASP WSTG
- **Remediation Guidance**: Prioritized fix recommendations with code examples

## Quick Start

```bash
# Clone the repository
git clone https://github.com/LaurentGiovannoni/penetration-testing-framework.git
cd penetration-testing-framework

# Make scripts executable
chmod +x osint/scripts/*.sh
chmod +x active-recon/scripts/*.sh
chmod +x exploitation/scripts/*.sh
chmod +x exploitation/elasticsearch/*.sh

# Run OSINT on a target domain
./osint/scripts/ct_enum.sh example.com

# Run active reconnaissance
./active-recon/scripts/port_scan.sh 192.168.1.0/24 quick

# Check Elasticsearch security
./exploitation/elasticsearch/es_check.sh 192.168.1.10:9200
```

## Disclaimer

This framework is for **authorized security testing and educational purposes only**.

- Only use on systems you own or have explicit written permission to test
- The authors are not responsible for misuse or damage caused by this framework
- All examples use intentionally vulnerable applications (OWASP Juice Shop) or fictional data

See [DISCLAIMER.md](DISCLAIMER.md) for full legal notice.

## Author

**Laurent Giovannoni**

- GitHub: [@LaurentGiovannoni](https://github.com/LaurentGiovannoni)

## Contributing

Contributions are welcome! Feel free to:
- Submit bug reports and feature requests via [Issues](../../issues)
- Fork the repository and submit Pull Requests
- Improve documentation or add new modules

## License

This project is licensed under the MIT License - see [LICENSE](LICENSE) for details.

---

**References**:
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [PTES Standard](http://www.pentest-standard.org/)
- [NIST SP 800-115](https://csrc.nist.gov/publications/detail/sp/800-115/final)
- [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/)