thecoderspace/pentesting-checklist.md

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 

Repository files navigation

📌 Penetration Testing Checklist

A structured and practical guide for ethical hackers and security professionals to ensure thorough testing.

📖 Table of Contents

  1. Pre-Engagement
  2. Information Gathering
  3. Vulnerability Analysis
  4. Exploitation
  5. Post-Exploitation & Documentation
  6. Reporting
  7. Remediation & Re-Testing
  8. Specialized Testing Considerations
  9. Additional Resources

1️⃣ Pre-Engagement

  • Secure a Non-Disclosure Agreement (NDA) and signed written authorization from the asset owner before any testing starts.
  • Define scope, rules of engagement, and limitations (testing windows, rate limits, off-limits techniques such as denial of service).
  • Identify in-scope and out-of-scope systems, IP ranges, APIs, applications, and third-party hosted services (which may require their own permission).
  • Set up communication protocols, emergency contacts, and reporting frequency, including how a critical finding is escalated mid-engagement.
  • Assess business risk and the compliance regimes that apply to the target and to handling of its data (e.g., GDPR, HIPAA, PCI DSS).

2️⃣ Information Gathering

🔹 Passive Reconnaissance

  • WHOIS lookup, domain registration details, and subdomain enumeration from passive sources (certificate transparency logs, passive DNS).
  • Open Source Intelligence (OSINT): social media, public forums, job postings, past breaches.
  • DNS record analysis (A/AAAA, MX, NS, TXT/SPF/DMARC) and SSL/TLS certificate inspection (subject alternative names, issuer, expiry).
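Subdomain enumeration from certificate transparency logs produces duplicates, wildcards, mixed case, and hosts that belong to other organizations, so the output has to be normalized and filtered against the agreed scope before anything is scanned. The following is an added example (not code from the original checklist) that does that in Python: the JSON shape mirrors the public JSON output of crt.sh, and the sample entries, in-scope domain, and exclusion list are constructed for illustration.

```python
"""Turn certificate-transparency search results into a deduplicated,
in-scope subdomain list.  Added example; the record shape follows crt.sh's
JSON output (name_value may hold several newline-separated names and
wildcards) and the sample data and scope lists are constructed."""
import json
from typing import List, Optional

# Constructed sample shaped like crt.sh JSON output.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "API.Example.com"},
    {"name_value": "legacy.example.com"},
    {"name_value": "www.example.com"},            # duplicate
    {"name_value": "mail.partner-example.net"},   # another org: out of scope
    {"name_value": "staging.example.com"},
])

IN_SCOPE = ["example.com"]                                  # approved in the ROE
EXCLUDED = ["legacy.example.com", "staging.example.com"]    # explicitly out of scope


def normalize(name: str) -> Optional[str]:
    """Lower-case, strip a leading wildcard label and trailing dot; drop junk."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not name or " " in name:
        return None
    return name


def in_scope(host: str, allowed: List[str], excluded: List[str]) -> bool:
    """In scope if the host equals or sits under an allowed domain and does
    not equal or sit under an excluded name.  The check is label-aware:
    'notexample.com' must not match 'example.com'."""
    def under(h: str, d: str) -> bool:
        return h == d or h.endswith("." + d)
    return (any(under(host, d) for d in allowed)
            and not any(under(host, e) for e in excluded))


def extract_subdomains(ct_json: str, allowed: List[str], excluded: List[str]) -> List[str]:
    """Parse CT results and return the sorted, unique, in-scope host names."""
    names = set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").split("\n"):
            host = normalize(raw)
            if host and in_scope(host, allowed, excluded):
                names.add(host)
    return sorted(names)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CT_JSON, IN_SCOPE, EXCLUDED):
        print(host)
```

The output list is what feeds the active phase; anything dropped by the exclusion list still goes into the engagement notes, because a client is usually interested to learn which forgotten hosts are advertising certificates in their name.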

🔹 Active Reconnaissance

  • Port and service scanning with Nmap or Masscan, within the rate limits agreed in the rules of engagement.
  • Web server scanning and content discovery (Nikto for known server issues; Dirb or Gobuster for directory and file brute forcing).
  • Fingerprint technologies, frameworks, and third-party dependencies, including their versions.

🔹 Social Engineering Opportunities

  • Search for leaked credentials and secrets on GitHub and paste sites; check whether corporate email addresses appear in known breaches (HaveIBeenPwned reports exposure, not the credentials themselves).
  • Assess phishing vectors and employee exposure on LinkedIn, only if social engineering is explicitly in scope.

3️⃣ Vulnerability Analysis

🔹 Automated & Manual Testing

  • Run vulnerability scans (Nessus, OpenVAS, Burp Suite, ZAP).
  • Test for common vulnerabilities:
    • SQL Injection (SQLi)
    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF)
    • Insecure Direct Object References (IDOR)
    • Security Misconfigurations
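For SQL injection, the thing to verify during manual testing is whether user input can change the structure of the query rather than only its values. The block below is an added example (not from the original checklist) that puts the vulnerable pattern next to the parameterized fix using Python's built-in sqlite3; the schema, the single user row, and the plain-text password storage are constructed to keep the demo short (plain-text storage would itself be a finding in a real test).

```python
"""SQL injection: string-built query beside its parameterized fix.
Added example using the standard-library sqlite3 driver; the schema and
user row are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds SQL by string formatting, so quotes in the input become syntax."""
    query = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: values travel separately from the SQL text, so the
    same payload is compared as a literal string and never parsed as SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Classic authentication-bypass payload: closes the password literal and
# appends an always-true condition.
BYPASS_PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both implementations against valid credentials and the payload."""
    conn = make_db()
    return {
        "valid_creds_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "valid_creds_safe": login_safe(conn, "alice", "s3cret"),
        "bypass_vulnerable": login_vulnerable(conn, "alice", BYPASS_PAYLOAD),
        "bypass_safe": login_safe(conn, "alice", BYPASS_PAYLOAD),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

With the payload, the vulnerable query becomes `... AND password = '' OR '1'='1'`, which matches every row; the parameterized version compares the password column against the literal string `' OR '1'='1` and finds nothing. The same distinction applies to ORM query builders: raw string concatenation anywhere in the chain reintroduces the bug.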

🔹 Authentication & Authorization

  • Check for default credentials, weak password policies, and missing account lockout or rate limiting on login endpoints.
  • Test session management: cookie attributes (HttpOnly, Secure, SameSite), token expiration and revocation on logout, session fixation, and session hijacking.

🔹 Infrastructure Security

  • Review firewall and IDS/IPS exposure (what is reachable, what gets blocked) and test WAF bypass techniques.
  • Assess encryption in transit: SSL/TLS protocol versions, cipher suites, certificate validity, and HSTS.

4️⃣ Exploitation

🔹 Initial Access

  • Exploit vulnerabilities using Metasploit, manual payloads.
  • Test weak authentication with credential stuffing and brute force, staying within the lockout thresholds and request rates agreed in the rules of engagement.

🔹 Privilege Escalation

  • Escalate privileges via misconfigured services, kernel exploits.
  • Check SUID/SGID binaries, sudo rules, writable cron jobs and service files, stored credentials, and environment variables.
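SUID/SGID enumeration is the first thing to run on a compromised Linux host, and the raw list is long, so it helps to separate binaries that are known to give a shell when set-UID from the rest. The block below is an added example (not from the original checklist) written in Python so it runs wherever an interpreter is available on the target; the INTERESTING set is a short illustrative subset of abusable binaries (GTFOBins maintains the full list) and is an assumption of this example, not an exhaustive reference.

```python
"""Enumerate set-UID/set-GID regular files and flag the ones known to be
abusable for a shell.  Added example; INTERESTING is an illustrative
subset, not a complete list."""
import os
import stat
from typing import Dict, Iterable, Iterator, List, Tuple

INTERESTING = {"bash", "sh", "find", "vim", "python3", "perl", "nmap", "env", "cp", "less"}
PSEUDO_FS = ("/proc", "/sys", "/dev")   # noisy pseudo-filesystems, skipped


def iter_setid_files(root: str = "/") -> Iterator[Tuple[str, str]]:
    """Yield (path, 'suid' | 'sgid' | 'suid+sgid') for every regular file
    under root with a set-ID bit.  lstat is used so symlinks are not
    followed, and unreadable directories are skipped rather than fatal."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = []
            if st.st_mode & stat.S_ISUID:
                bits.append("suid")
            if st.st_mode & stat.S_ISGID:
                bits.append("sgid")
            if bits:
                yield path, "+".join(bits)


def classify(entries: Iterable[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Split results into 'interesting' (basename on the abusable list) and
    'other'.  Both go into the engagement log; 'interesting' is tried first."""
    out: Dict[str, List[Tuple[str, str]]] = {"interesting": [], "other": []}
    for path, kind in entries:
        bucket = "interesting" if os.path.basename(path) in INTERESTING else "other"
        out[bucket].append((path, kind))
    return out


if __name__ == "__main__":
    result = classify(iter_setid_files("/"))
    for bucket in ("interesting", "other"):
        for path, kind in result[bucket]:
            print(f"[{bucket}] {kind:9} {path}")
```

Anything in the "other" bucket that is not part of the base distribution (custom paths under /opt or /usr/local, vendor agents) deserves a closer look too: a set-UID binary nobody has heard of is exactly where a quick `strings` and a check for relative path lookups pay off.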

🔹 Lateral Movement

  • Pivot through the network using pass-the-hash, RDP, or harvested SSH keys, staying inside the agreed scope as you move.
  • Demonstrate access to sensitive data (DB dumps, credentials, API keys); take only the minimum proof the rules of engagement allow rather than bulk copies, and record where it is stored.

🔹 Security Evasion

  • Test WAF bypass techniques and antivirus evasion.
  • Use custom payloads and stealth techniques only where testing detection capability is in scope; otherwise coordinate with the blue team so findings are not mistaken for a real incident.

5️⃣ Post-Exploitation & Documentation

  • Maintain a detailed log of exploitation steps, findings, and timestamps.
  • Capture screenshots, session logs, network dumps for PoC.
  • Identify persistence mechanisms and test for pre-existing backdoors; before closing the engagement, remove every implant, account, scheduled task, and tool you introduced.
  • Provide clear remediation recommendations.

6️⃣ Reporting

  • Provide a risk rating (e.g., a CVSS base score plus a qualitative severity) and the concrete business impact for each vulnerability.
  • Deliver a technical report for engineers and an executive summary for decision makers.
  • Include mitigation strategies, patching guidelines, and security best practices, ordered by priority.
  • Ensure every finding is actionable: affected asset, reproduction steps, evidence, and a clear recommendation.

7️⃣ Remediation & Re-Testing

  • Verify that every reported vulnerability is fixed after remediation, including variants of the original exploit path rather than only the exact payload used.
  • Conduct re-testing to confirm patches.
  • Provide guidance for ongoing security improvement.

8️⃣ Specialized Testing Considerations

🔹 API Security

  • Test for API vulnerabilities (OWASP API Security Top 10).
  • Identify broken authentication, data exposure, rate-limiting issues.

🔹 Mobile App Security

  • Analyze iOS & Android apps (reverse engineering, static & dynamic analysis).
  • Look for insecure local storage, hard-coded secrets and API keys in the binary, and missing or bypassable certificate pinning.

🔹 Cloud Security

  • Assess AWS, Azure, and GCP configurations for misconfigurations and over-privileged identities (IAM policies, roles, service accounts).
  • Check for public S3 buckets, blob containers, and other exposed cloud storage, both by anonymous access tests and by reviewing bucket and resource policies.
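Anonymous access tests only tell you about the buckets you already know the names of; reviewing the bucket policies themselves catches the rest. The block below is an added example (not code from the original checklist) that parses AWS policy documents and reports every Allow statement open to any principal, distinguishing unconditional grants from ones gated by a Condition block that a human still needs to judge. It inspects JSON only and makes no AWS API calls, so it runs offline on policies retrieved with `aws s3api get-bucket-policy` or lifted from infrastructure-as-code; the three policies, bucket names, account ID, and IP range are constructed samples.

```python
"""Flag S3 bucket-policy statements that grant access to everyone.
Added example; policies below are constructed samples in the real AWS
policy-document format (example bucket names and account ID)."""
import json
from typing import Any, Dict, List


def _as_list(x: Any) -> List[Any]:
    """AWS allows scalars or lists for Principal/Action/Resource/Statement."""
    return x if isinstance(x, list) else [x]


def _principal_is_public(principal: Any) -> bool:
    """'*', {'AWS': '*'} or {'AWS': [..., '*', ...]} all mean anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement open to any principal.  Deny
    statements with Principal '*' are the normal hardening pattern and are
    not reported.  Statements with a Condition are flagged 'conditional'
    rather than dismissed: aws:SourceIp may restrict them, a weak
    StringLike condition may not, so they need manual review."""
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": _as_list(st.get("Action", [])),
            "conditional": "Condition" in st,
        })
    return findings


# Constructed sample policies.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets-bucket/*"}]})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-private-bucket/*"},
        {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-private-bucket/*",
         "Condition": {"StringNotEquals": {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/app"}}}]})

IP_RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-office-bucket",
                                "arn:aws:s3:::example-office-bucket/*"],
                   "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})


if __name__ == "__main__":
    for name, pol in (("public-read", PUBLIC_READ_POLICY),
                      ("private", PRIVATE_POLICY),
                      ("ip-restricted", IP_RESTRICTED_POLICY)):
        print(name, public_statements(pol))
```

A bucket policy is only one of several layers (account-level and bucket-level Block Public Access settings, ACLs, and access points all matter), so treat a clean policy as necessary rather than sufficient, and confirm the effective result with an unauthenticated request against the bucket.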

9️⃣ Additional Resources

📌 OWASP Web Security Testing Guide (WSTG)
📌 NIST Cybersecurity Framework
📌 MITRE ATT&CK Framework
📌 Exploit Database (Offensive Security)
📌 HackTricks – Security Cheatsheets


About

Web Application Pentesting Checklist