Penetration Testing Checklist
On this page, you will find the Penetration Testing Checklist. It is by no means exhaustive and is to be regularly updated.
Last updated on: 2022-06-07
Table of contents
- Open-source intelligence
- Vulnerability assessment
Penetration Testing Checklist: OSINT – Domain
Whois – retrieve WHOIS records for domains within scope. Can be done with the whois utility on the Linux command line or by using 3rd party websites (who.is). Can reveal useful information about the domain registrant.
Subdomain discovery – find all subdomains for the target domain without interacting with it. Can be done with tools like Amass and sublist3r. 3rd party websites like SecurityTrails may provide relevant historical information.
Google dorking – find relevant information using search engines. A collection of search terms (“dorks”) for this task can be found on Google Hacking Database by Offensive Security. Manual Google searching or automated tools such as pagodo can be used.
Certificate research – find current and historical certificate information. Often useful in revealing the original IP addresses behind CDNs. 3rd party websites are the preferred way of approach (crt.sh).
Contact discovery – retrieve contact information (such as email addresses) related to a domain. Self-hosted passive OSINT tools such as theHarvester can be used, as well as 3rd party websites like Hunter.
Penetration Testing Checklist: OSINT – IP address
Reverse DNS lookups – find domains associated with the IP address. Command-line utilities such as host, dig, or nslookup can be used.
Penetration Testing Checklist: OSINT – Email address
Breach data lookups – websites like Have I Been Pwned can be used to find information about the presence of an email address in public data breaches. Paid 3rd party services like DeHashed and Intelligence X can also provide the data from within the breaches.
Penetration Testing Checklist: Enumeration – Domain
Subdomain brute-forcing – discover subdomains by fuzzing the target domain. Tools such as dnsrecon can be used for this task.
Zone transfer enumeration – abuse zone transfer vulnerability on misconfigured domains to reveal additional DNS records. Can be done with tools such as dnsenum.
Penetration Testing Checklist: Enumeration – IP address
Service enumeration/banner grabbing – a technique related to port scanning. Reveals running services and their versions on open ports. Usually done with nmap.
OS detection – detect the operating system a host is running. Also done with nmap.
Penetration Testing Checklist: Enumeration – Web content
Spider scraping – a more intelligent alternative (or supplement) to traditional directory brute-forcing. Done with tools called ‘spiders’, such as GoSpider.
Technology fingerprinting – a technique used to detect technologies present on a target website. A tool like whatweb automates this.
Penetration Testing Checklist: Vulnerability assessment – General
Nmap scripts – vulnerability assessment can be done using nmap’s NSE scripts. They can be found at
Metasploit modules – The Metasploit Framework has a large collection of modules to check for specific vulnerabilities.
Vulnerability scanners – these tools try to automatically identify vulnerabilities on a given target. Popular examples are Nessus (commercial, but has a free ‘Essentials’ edition) and OpenVAS (free and open-source).
Manual searching – a manual technique for finding vulnerabilities on targets. Usually done by researching known software versions (for example, a specific WordPress plugin version). Exploit-DB and Vulners websites are a good starting point.
Penetration Testing Checklist: Vulnerability assessment – Web server
Checking security headers – make sure to inspect security headers on the target to reveal HTTP daemon configuration issues. Tools like shcheck automate the process.
Testing SSL/TLS configuration – use tools like testssl.sh to find SSL/TLS-related vulnerabilities in web servers that use HTTPS.
Penetration Testing Checklist: Vulnerability assessment – Web application
Web vulnerability scanning – done by using vulnerability scanners built specifically for auditing web applications. Commercial examples are Burp Suite and Acunetix, open-source – OWASP Zap and SkipFish.
The exploitation phase is different for every engagement. If traditional approaches do not work, research the CVE entry, source code, vendor advisory, or the type of vulnerability you are trying to exploit.
Penetration Testing Checklist: Exploitation – General
Automated vulnerability assessment tools are often shipped with reporting capabilities.
Penetration Testing Checklist: Reporting – General
Note taking applications – note taking applications like Notion or CherryTree can export your notes into formats like PDF while retaining their hierarchy.
Open-source reporting frameworks – free and open-source frameworks like Dradis-CE can be used to report your findings with pre-made templates.
Commercial reporting frameworks – notably the Penetration Testing Workshop.