Penetration Testing Checklist

Table of Contents

1. Checklist
   • Reconnaissance
   • Scanning
   • Gaining Access
   • Maintaining Access
   • Covering Tracks
   • Reporting
2. Resources

Checklist

1. Reconnaissance

• Identify target: determine the IP address or the URL of the target system.

• Domain name research: use tools like WHOIS and DNS lookup to gather information about the domain.

• Network Enumeration: identify other systems in the same network.

• Identify technologies: determine the technologies used by the target system.

• Email harvesting: collect email addresses associated with the domain.

• Social media footprint: check the target's presence on social media platforms.

• Check for subdomains: use tools like Sublist3r2 or theHarvester to find subdomains associated with the target.

• Identify users: use OSINT (open source intelligence) to identify users associated with the target system.

• Physical location: if relevant, determine the physical location of the server.

• Network Topology: map out the network topology, understand how the internal systems are interconnected.

• Identify security measures: identify any security measures in place, this could include firewalls and intrusion detection systems.

2. Scanning

• Port Scanning: identify open ports on a target system.

• Network Scanning: identify active devices on a network.

• Vulnerability Scanning: use tools like Nessus or OpenVAS to identify known vulnerabilities in the system.

• Banner Grabbing: identify the services running on open ports.

• Scan for IP addresses: identify all IP addresses associated with the target system.

• Operating system detection: identify the operating system on a target machine.

• Service detection: determine the services running on a target system.

• Version detection: determine the versions of the services running on a target system.

• Web App Scanning: if the target system is running web application, use tools like OWASP ZAP or Burp Suite to perform more detailed scan.

3. Gaining Access

• Exploitation: use the vulnerabilities identified during the scanning phase to exploit the target system.

• Password cracking: if the system is protected by passwords, use tools like John The Ripper or Hydra for cracking.

• Privilege escalation: once access is gained, try to escalate privileges to gain more control over the system.

• Social Engineering: use the information gathered during the reconnaissance phase to trick users into revealing sensitive information.

• Session hijacking: if the target system uses sessions, try to hijack an active session to gain access.

• Spoofing: try to impersonate another users or device to gain access.

• Man-in-the-middle attack: intercept and alter communication between two parties without their knowledge.

• Denial of service: although not always applicable, sometimes a Denial of Service (DoS) can be used to exploit a vulnerability in the system.

4. Maintaining Access

• Install backdoors: once access is gained, install backdoors to ensure future access to the system.

• Create privileged accounts: create accounts with elevated privileges for future use.

• Rootkits: install rootkits to maintain control over the system.

• Disable security controls: disable any security controls that could detect your presence.

• Schedule tasks: schedule tasks or jobs that will re-establish your connection at a later time.

• Data exfiltration: set up methods to exfiltrate data from the target system.

• Connect to C&C server: establish connection to a Command and Control (C&C) server for remote control.

5. Covering Tracks

• Clear logs: remove or alter log files that could indicate your activities on the system.

• Hide files: if you've created or altered any files, make sure they're hidden or blend in with other files.

• Remove tools: any tools or software you installed on the system should be thoroughly removed.

• Terminate sessions: ensure that all connections to the target are properly terminated.

• Clear command history: if you've used a command line interface, make sure to clear the command history.

• Reset modified settings: if you've changed any settings on the target system, reset them to their original state.

• Use steganography: if you need to leave information on the target, consider using steganography to hide it.

• Use anti-forensics techniques: use techniques to thwart forensic analysis, such as file wiping.

6. Reporting

• Executive Summary: provide a high-level overview of the test, its objectives, and methodologies used.

• Scope: clearly define the scope of the penetration test, including the system that were tested.

• Findings: detail each vulnerability that was discovered, its severity, and the potential impact on the system.

• Evidence: provide evidence to support your findings, this could include screenshots, logs, or other relevant data.

• Recommendations: provide recommendations for mitigating each of the vulnerabilities found.

• Methodology: describe the methodology used during the penetration test.

• Conclusion: summarize the overall state of the system's security and any next steps that should be taken.

• Appendices: include any additional information that supports the report.

---

Resources

• Payloads (https://github.com/swisskyrepo/PayloadsAllTheThings)
• Sublist3r2 (https://github.com/RoninNakomoto/Sublist3r2)
• theHarvester (https://github.com/laramies/theHarvester)
• SecLists (https://github.com/danielmiessler/SecLists)
• Hydra (https://github.com/vanhauser-thc/thc-hydra)
• Nessus (https://www.tenable.com/products/nessus)
• John (https://github.com/openwall/john-packages)
• WHOIS Lookup (https://whois.domaintools.com)
• Metasploit (https://www.metasploit.com/)
• Burp Suite (https://portswigger.net/burp)
• HackTricks (https://book.hacktricks.xyz/)
• DNS Lookup (https://www.nslookup.io/)
• OWASP ZAP (https://www.zaproxy.org/)
• OpenVAS (https://www.openvas.org/)
• Nmap (https://nmap.org/)