Penetration Testing Checklist

On this page, you will find the Penetration Testing Checklist. It is by no means exhaustive and will be updated regularly.

Last updated on: 2022-06-07

Table of contents

  1. Open-source intelligence
      • Domain
      • IP address
      • Email address
  2. Enumeration
      • Domain
      • IP address
      • Web content
  3. Vulnerability assessment
      • General
      • Web server
      • Web application
  4. Exploitation
      • General
  5. Reporting
      • General

Open-source intelligence

Penetration Testing Checklist: OSINT – Domain

Whois – retrieve WHOIS records for the domains within scope, either with the whois utility on the Linux command line (whois example.com) or through 3rd-party websites such as who.is. The records reveal the registrar, registration and expiry dates and nameservers, and sometimes registrant contact details, although most registrars have redacted those since GDPR.


Subdomain discovery – find subdomains of the target domain without interacting with it, by querying passive sources such as certificate logs, DNS datasets and search engines. Tools like Amass (amass enum -passive -d example.com) and sublist3r do this; 3rd-party websites like SecurityTrails may also provide historical DNS records.

Google dorking – find relevant information using search engines. A collection of search terms (“dorks”) for this task can be found on Google Hacking Database by Offensive Security. Manual Google searching or automated tools such as pagodo can be used.


Certificate research – find current and historical certificate information, mainly from Certificate Transparency logs; 3rd-party websites such as crt.sh are the preferred way of approach. Every hostname in a certificate's Subject Alternative Names is public, so expired certificates often reveal forgotten subdomains, and searching scan data for hosts that present the target's certificate directly can reveal the original IP addresses behind CDNs.

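The subdomain discovery and certificate research steps above both end up with crt.sh output; the script below is an added example (not code from this page) that parses the JSON crt.sh returns for a wildcard query into in-scope hostnames, keeps track of which ones appear only in expired certificates, and discards look-alike names that merely contain the target domain. The sample JSON is constructed in the shape of a crt.sh response and the fetch_crtsh helper assumes the documented crt.sh URL format; nothing here is queried live.

```python
"""Parse crt.sh JSON results into in-scope hostnames (added example)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone


def fetch_crtsh(domain, timeout=30):
    """Live query: crt.sh serves JSON for a %.domain search. Not used by the offline sample."""
    url = "https://crt.sh/?q=%25." + urllib.parse.quote(domain) + "&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


def parse_crtsh(raw_json, domain, now=None):
    """Return {hostname: {"wildcard": bool, "current": bool}} for names under `domain`.

    name_value holds every SAN entry of a certificate, newline-separated. A name is
    'current' if at least one unexpired certificate lists it. Names that only contain
    the domain as a substring (e.g. example.com.attacker.net) are out of scope.
    """
    # crt.sh timestamps are naive UTC strings such as 2023-01-01T00:00:00
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    domain = domain.lower()
    suffix = "." + domain
    hosts = {}
    for entry in json.loads(raw_json):
        expired = datetime.fromisoformat(entry["not_after"]) < now
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]
            if name != domain and not name.endswith(suffix):
                continue
            rec = hosts.setdefault(name, {"wildcard": False, "current": False})
            rec["wildcard"] = rec["wildcard"] or wildcard
            rec["current"] = rec["current"] or not expired
    return hosts


def historical_only(hosts):
    """Names seen only in expired certificates: forgotten hosts worth resolving first."""
    return sorted(n for n, rec in hosts.items() if not rec["current"])


# Constructed sample in the shape crt.sh returns (not real crt.sh data).
SAMPLE_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2024-01-01T00:00:00"},
    {"common_name": "*.example.com", "name_value": "*.example.com",
     "not_before": "2022-01-01T00:00:00", "not_after": "2022-12-31T00:00:00"},
    {"common_name": "staging.example.com", "name_value": "staging.example.com\nOLD-VPN.example.com",
     "not_before": "2021-06-01T00:00:00", "not_after": "2022-06-01T00:00:00"},
    {"common_name": "example.com.attacker.net", "name_value": "example.com.attacker.net",
     "not_before": "2023-01-01T00:00:00", "not_after": "2024-01-01T00:00:00"},
])
SAMPLE_NOW = datetime(2023, 6, 1)  # fixed "today" so the sample is reproducible

if __name__ == "__main__":
    found = parse_crtsh(SAMPLE_JSON, "example.com", now=SAMPLE_NOW)
    for name, rec in sorted(found.items()):
        print(f"{name:24} wildcard={rec['wildcard']} current={rec['current']}")
    print("historical only:", historical_only(found))
```

With the sample, example.com and www.example.com come back as current, staging.example.com and old-vpn.example.com as historical only, and the attacker.net look-alike is dropped. For a live run, replace SAMPLE_JSON with fetch_crtsh("example.com") and resolve the historical names next; those are the ones most likely to point at forgotten infrastructure.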

Contact discovery – retrieve contact information (such as email addresses) related to a domain. Self-hosted passive OSINT tools such as theHarvester can be used, as well as 3rd party websites like Hunter.


Penetration Testing Checklist: OSINT – IP address

Reverse DNS lookups – find the hostname (PTR record) associated with an IP address, using command-line utilities such as host, dig (dig -x 203.0.113.10), or nslookup. PTR records are set by whoever controls the address range, so they may be missing or name the hosting provider rather than the target.

Specialized search engine search – specialized search engines (such as Shodan or Censys) can be used to find information about IP addresses without actively probing them.

Penetration Testing Checklist: OSINT – Email address

Breach data lookups – websites like Have I Been Pwned can be used to find information about the presence of an email address in public data breaches. Paid 3rd party services like DeHashed and Intelligence X can also provide the data from within the breaches.


Automated tools – automated email passive reconnaissance tools like MOSINT or GHunt can also provide valuable information.


Enumeration

Penetration Testing Checklist: Enumeration – Domain

Subdomain brute-forcing – discover subdomains by resolving candidate names from a wordlist against the target domain. Unlike the passive discovery above, this sends DNS queries that the target's resolvers can log. Tools such as dnsrecon (dnsrecon -d example.com -t brt -D wordlist.txt) can be used for this task.


Virtual host (vhost) brute-forcing – find additional sites served from the same IP address by sending requests with candidate Host headers and flagging the responses that differ from the server's default response. GoBuster (gobuster vhost -u http://target -w wordlist.txt) with SecLists, fuzzdb, or other publicly available wordlists can be used to accomplish this.

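The comparison that vhost brute-forcing relies on is easy to get wrong, so here is an added example (not code from this page or from GoBuster) of the core logic: request a deliberately bogus hostname to capture the server's default response, then report every candidate whose status or body length differs from it. The fake_request responder and its three vhosts are constructed stand-ins so the script runs offline; http_request is the plain-HTTP helper you would pass in against a real target IP.

```python
"""Virtual-host brute force: compare each Host header's response to a baseline (added example)."""
import http.client
import secrets


def http_request(target_ip, host_header, port=80, path="/", timeout=5):
    """Send one plain-HTTP request to the target IP with an arbitrary Host header.
    For HTTPS the TLS SNI would also have to be set to host_header; omitted here."""
    conn = http.client.HTTPConnection(target_ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def fingerprint(status, body):
    # Status plus body length: cheap and robust enough for static default pages.
    # Dynamic pages (timestamps, CSRF tokens) need a length tolerance instead.
    return status, len(body)


def brute_force_vhosts(request, domain, wordlist):
    """request(host_header) -> (status, body). Returns [(vhost, status, length), ...]
    for every candidate whose response differs from a random, non-existent baseline host."""
    bogus = f"{secrets.token_hex(6)}.{domain}"
    baseline = fingerprint(*request(bogus))
    found = []
    for word in wordlist:
        word = word.strip()
        if not word:
            continue
        candidate = f"{word}.{domain}"
        fp = fingerprint(*request(candidate))
        if fp != baseline:
            found.append((candidate, fp[0], fp[1]))
    return found


# Constructed stand-in for a live server: one default site plus three named vhosts.
FAKE_VHOSTS = {
    "www.example.com": (200, b"<html>Public site</html>"),
    "intranet.example.com": (401, b"Authorization Required"),
    "dev.example.com": (200, b"<html>Dev build 0.9.1 - do not share</html>"),
}
DEFAULT_RESPONSE = (200, b"<html>Default site</html>")


def fake_request(host_header):
    return FAKE_VHOSTS.get(host_header.lower(), DEFAULT_RESPONSE)


SAMPLE_WORDLIST = ["www", "mail", "intranet", "vpn", "dev", ""]

if __name__ == "__main__":
    # Live use: brute_force_vhosts(lambda h: http_request("203.0.113.10", h), "example.com", words)
    for vhost, status, length in brute_force_vhosts(fake_request, "example.com", SAMPLE_WORDLIST):
        print(f"{vhost:24} {status} {length} bytes")
```

The 401 on intranet.example.com is the kind of hit that matters: it is a different application behind the same IP, invisible to directory brute-forcing against the default site, and it only shows up because its fingerprint differs from the baseline.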

Zone transfer enumeration – request a full zone transfer (AXFR) from each authoritative nameserver; a misconfigured server that allows transfers to any client reveals every record in the zone. Can be done with tools such as dnsenum, or directly with dig axfr example.com @ns1.example.com.


Penetration Testing Checklist: Enumeration – IP address

Port scanning – discover open ports on a remote host. Some of the commonly used tools to accomplish this task are nmap, masscan, and RustScan; masscan and RustScan are fast for wide sweeps, with nmap used for the detailed follow-up on the ports they find.


Service enumeration/banner grabbing – a technique related to port scanning. Reveals running services and their versions on open ports. Usually done with nmap -sV; without version detection nmap names services from its port table only, so a service on a non-standard port can be mislabeled.


OS detection – detect the operating system a host is running. Also done with nmap (nmap -O, which needs root for raw-socket fingerprinting); the result is a best guess with a stated accuracy, not a fact.


Penetration Testing Checklist: Enumeration – Web content

Directory brute-force – brute-force files and directories on the target web server. Can be done with tools such as ffuf, dirb, or GoBuster.


Spidering – crawling the site and following the links, forms and script references it contains; a more intelligent supplement to directory brute-forcing, since it finds only paths the application actually references, including ones no wordlist would guess. Done with tools called 'spiders', such as GoSpider.


Technology fingerprinting – detect the technologies present on a target website (web server, frameworks, CMS, JavaScript libraries and, where exposed, their versions) from response headers, cookies and page content. Tools like whatweb or the Wappalyzer browser extension automate this.

Vulnerability assessment

Penetration Testing Checklist: Vulnerability assessment – General

Nmap scripts – vulnerability assessment can be done using nmap's NSE scripts, installed under /usr/share/nmap/scripts; for example, nmap -sV --script vuln target runs every script in the vuln category against the detected services.


Metasploit modules – The Metasploit Framework has a large collection of modules to check for specific vulnerabilities.


Vulnerability scanners – these tools try to automatically identify vulnerabilities on a given target. Popular examples are Nessus (commercial, but has a free ‘Essentials’ edition) and OpenVAS (free and open-source).


Manual searching – a manual technique for finding vulnerabilities on targets. Usually done by researching the software versions found during enumeration (for example, a specific WordPress plugin version) against public vulnerability and exploit databases. Exploit-DB and Vulners are a good starting point.


Penetration Testing Checklist: Vulnerability assessment – Web server

Vulnerability scanning – on top of traditional vulnerability scanners, web server-specific scanners like Nikto or Metasploit’s WMAP can be used.


Checking security headers – inspect the response headers on the target to reveal HTTP daemon configuration issues: missing or weak Strict-Transport-Security, Content-Security-Policy, X-Frame-Options and X-Content-Type-Options, and version-disclosing headers such as Server and X-Powered-By. Tools like shcheck automate the process.

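To make the header check concrete, here is an added example (not code from this page or from shcheck) that evaluates a response header set against a small hardening baseline and returns findings, run over a constructed weak header set and a constructed hardened one. The 180-day HSTS threshold is this example's choice; fetch_headers is the live helper for a real URL and is not called offline.

```python
"""Check a set of HTTP response headers against a hardening baseline (added example)."""
import http.client
import re
from urllib.parse import urlsplit

# Minimum HSTS max-age accepted here: 180 days (hstspreload.org requires at least 1 year).
MIN_HSTS_AGE = 180 * 24 * 3600
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def fetch_headers(url, timeout=10):
    """Live helper: GET the URL and return its response headers as a dict (duplicates collapse)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


def check_headers(headers):
    """Return a list of finding strings for the given header dict (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age too short: {hsts}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(f"CSP weakened by unsafe-inline/unsafe-eval: {csp}")

    # CSP frame-ancestors supersedes X-Frame-Options; flag only when neither is present.
    if "frame-ancestors" not in (csp or "") and "x-frame-options" not in h:
        findings.append("no clickjacking protection (X-Frame-Options / CSP frame-ancestors)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    for name in LEAKY_HEADERS:
        if name in h:
            findings.append(f"{name} discloses '{h[name]}'")
    return findings


# Constructed samples (not captured from any real site).
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    # Against a live target: check_headers(fetch_headers("https://target.example/"))
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, check_headers(hdrs) or ["no findings"])
```

Note that a present header is not the same as a useful one: the weak sample has both HSTS and CSP, and still gets flagged because max-age=300 expires before the user's next visit and 'unsafe-inline' gives up most of what CSP is for.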

Testing SSL/TLS configuration – use tools like testssl.sh (testssl.sh https://target) to find SSL/TLS-related weaknesses in web servers that use HTTPS: obsolete protocol versions, weak cipher suites, certificate problems and known protocol vulnerabilities.


Penetration Testing Checklist: Vulnerability assessment – Web application

Web vulnerability scanning – done by using vulnerability scanners built specifically for auditing web applications. Commercial examples are Burp Suite Professional and Acunetix; open-source ones are OWASP ZAP and Skipfish.


Specialized web application vulnerability scanning – CMS-specific tools like joomscan (Joomla) and wpscan (WordPress) know the platform's plugin, theme and version layout and usually find more than a general web vulnerability scanner on those targets.


Exploitation

The exploitation phase is different for every engagement. If traditional approaches do not work, research the CVE entry, source code, vendor advisory, or the type of vulnerability you are trying to exploit.

Penetration Testing Checklist: Exploitation – General

General exploitation frameworks – use pre-made tools and frameworks like Metasploit or Armitage (GUI for Metasploit) to exploit vulnerable targets.


Specialized exploitation frameworks – use tools built for a specific vulnerability class, such as BeEF (browser exploitation via XSS), sqlmap (SQL injection) or commix (command injection).


Manual exploitation – exploitation using manually acquired exploits from repositories like Exploit-DB or Packet Storm. Read the exploit before running it and test it against a lab copy where possible; public exploits routinely need the target version, offsets or callback addresses adjusted.


Reporting

Automated vulnerability assessment tools are often shipped with reporting capabilities, but their output needs verification and prioritisation before it goes into a client report.

Penetration Testing Checklist: Reporting – General

Note taking applications – note taking applications like Notion or CherryTree can export your notes into formats like PDF while retaining their hierarchy.


Open-source reporting frameworks – free and open-source frameworks like Dradis-CE can be used to report your findings with pre-made templates.


Commercial reporting frameworks – notably the Penetration Testing Workshop (PenTest.WS).


Manual reporting – reporting can always be done with office software like Microsoft Word or LibreOffice Writer.

