
CHECKLIST


Last updated 1 year ago

A working/living curated checklist that can be modified as needed for various penetration testing engagements. Please feel free to build, modify and edit this list as you like.


Note taking: OneNote, GoogleDocs, GitBook, notepad++, Joplin, Obsidian
Screen shots: Snipping tool, Greenshot, ShareX (GIF/video creation)
Network Screenshots: Eyewitness, Gowitness, Aquatone


PROJECT LINKS:
DATE RANGE: January 1st 2024 - January 8th, 2024
EXTRA NOTES:


Passive Enumeration

Websites:
☐ Shodan
☐ Maltego
☐ Censys
☐ Zoomeye

DNS:
☐ Wappalyzer
☐ DNS Dumpster
☐ crt-sh
☐ Netcraft


OSINT

Social Media Checks:
☐ Facebook
☐ Twitter
☐ LinkedIn
☐ Reddit
☐ YouTube

Cross-Platform Checks:
☐ Sherlock
☐ WhatsMyName

Email:
☐ phonebook.cz
☐ TheHarvester
☐ GHunt
☐ HaveIbeenPwned
☐ Email Hippo
☐ h8mail

Google Dorks:
☐ info:
☐ define:
☐ insite:
☐ inurl:
☐ filetype:
☐ GHDB
☐ Google Advanced Search

Breaches & Business:
☐ IntelX
☐ DeHashed
☐ LeakCheck
☐ SnusBase
☐ CrunchBase

Images:
☐ Google Image Search
☐ Bing Image Search
☐ Aperisolve


External Enumeration

Major scanners:
☐ Nessus
☐ NMAP
☐ OpenVAS

Directory Searches:
☐ dirsearch
☐ Feroxbuster
☐ Gobuster
☐ Dirbuster

Web:
☐ Burp Suite
☐ OWASP ZAP
☐ SQLmap
☐ Nikto

WAF:
☐ wafw00f
☐ whatwaf

Scans:
☐ Do initial scans require further testing?
☐ Scans exported
☐ VAPT created/modified
☐ Draft report created
☐ Report reviewed
☐ Screenshots and Notes Included?


Internal Enumeration

Basic Setup:
☐ ROE Signed?
☐ Scope checked?
☐ Jumpbox ready?
☐ Connection checks
☐ Folders created
☐ Tools installed/updated
☐ Wireshark/tcpdump setup?

Metasploit:
☐ Updated?
☐ Metasploit DB started?
☐ Capturing output of modules?
☐ Set global variables

DNS:
☐ Sublist3r
☐ Amass
☐ dnsrecon
☐ DNspy
☐ Fierce
☐ dnsenum

Kerberos Abuse/NTLM:
☐ Bloodhound
☐ Responder
☐ Rubeus
☐ Kerbrute

MS-RPRN RPC:
☐ PetitPotam
☐ spoolsample

SMB/SNMP/RPC:
☐ crackmapexec
☐ smbmap
☐ smbclient
☐ onesixtyone
☐ enum4linux
☐ rpcclient
☐ Impacket-rpcdump
☐ Itwasalladream
☐ PRET

Brute-Forcing:
☐ Accounts Sprayed?
☐ Hashes cracked? Mimikatz, John, Hashcat
☐ Usernames/passwords exported to file
☐ Credentials stuffed?
☐ Default credentials checked?

Specific Scans:
☐ Telnet
☐ SSH
☐ FTP
☐ SNMP

Specialized Scans:
☐ log4j-scan
☐ Spring4Shell
☐ IKE-scan
Includes Apache Commons

Fuzzers:
☐ WFuzz
☐ ffuf

Create Lists for:
☐ DC's, Exchange, SQL, FTP, Printers, VOIP, Mail, etc.
☐ Information Disclosures


Post Exploitation/Privesc

Tools:
☐ Peass-ng
☐ LinEnum
☐ Evil-WinRM
☐ GTFO
☐ LOLBAS
☐ LoFP (Living off False Positives)
☐ Linuxprivchecker

Permissions/Information:
☐ System
☐ Services
☐ History
☐ Users
☐ Passwords
☐ Network

Writeable Checks:
☐ /dev/shm
☐ /tmp/
☐ /var/tmp/
☐ /var/spool/vbox
☐ /var/spool/samba

system
hostname
uname -a
cat /proc/version
cat /etc/issue
lscpu

services
ps au
ps aux | grep root
find / -perm -u=s -type f 2>/dev/null   # finds all SUID (s-bit) files
ls -la /etc/cron.daily/

users
whoami
id -u          # 0 means root
id -un
logname
/[moomaddafucka]??/b??/[whatever]ho???
ls -la /home/
ls -l ~/.ssh
cat /etc/passwd | cut -d : -f 1
cat /etc/shadow
cat /etc/group
history
sudo su -

network
ifconfig
ip a
ip route
arp -a
ip neigh
netstat -ano

passwords
grep -rnwi --color=always / -e "PASSWORD=" 2>/dev/null
locate password | more
find / -name '*yourstring*' 2>/dev/null
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null
find . -writable     # files under the current directory writable by the current user
find . ! -writable
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \; 2>/dev/null
find / -path /proc -prune -o -type d -perm -o+w -print 2>/dev/null   # find writable dirs (-print keeps the pruned /proc out of the output)
find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null   # find writable files

check

() bins

Exploit Suggester (Windows/Linux)
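The Writeable Checks and the find commands above list world-writable locations but do not separate the expected sticky-bit directories (/tmp, /var/tmp, /dev/shm) from ones where any user can delete or replace other users' files. The script below is an added example, not part of this checklist: it audits the fixed paths plus every world-writable directory the checklist's find returns and flags those lacking the sticky bit; the path list and the --run flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original checklist: audit the "Writeable Checks"
# locations and any other world-writable directory, and flag those that lack the
# sticky bit (without it any user can delete or replace other users' files).
# The path list and the --run flag are this example's own assumptions.

# Classify one directory from its ls -ld permission string. Prints
# "<path> <perm> <class>" where class is one of:
#   STICKY     world-writable with sticky bit (expected for /tmp, /var/tmp, /dev/shm)
#   NO_STICKY  world-writable without sticky bit: worth a finding
#   NOT_WW     not world-writable
#   MISSING    path is not a directory on this host
classify_dir() {
    d="$1"
    if [ ! -d "$d" ]; then
        echo "$d - MISSING"
        return 0
    fi
    perm=$(ls -ld "${d%/}/" | cut -c1-10)      # e.g. drwxrwxrwt; trailing / follows symlinks
    other_w=$(printf '%s' "$perm" | cut -c9)   # 'w' if others may write
    sticky=$(printf '%s' "$perm" | cut -c10)   # 't' or 'T' if the sticky bit is set
    if [ "$other_w" != "w" ]; then
        class=NOT_WW
    elif [ "$sticky" = "t" ] || [ "$sticky" = "T" ]; then
        class=STICKY
    else
        class=NO_STICKY
    fi
    echo "$d $perm $class"
}

# Walk a tree (default /) with the checklist's find, pruning /proc, and
# classify every world-writable directory it returns.
audit_writable_dirs() {
    root="${1:-/}"
    find "$root" -path /proc -prune -o -type d -perm -o+w -print 2>/dev/null |
    while IFS= read -r d; do
        classify_dir "$d"
    done
}

# Stand-alone use: first the checklist's fixed locations, then a full scan.
if [ "${1:-}" = "--run" ]; then
    for p in /dev/shm /tmp /var/tmp /var/spool/vbox /var/spool/samba; do
        classify_dir "$p"
    done
    audit_writable_dirs /
fi
```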