CHECKLIST

A working/living curated checklist that can be modified as needed for various penetration testing engagements. Please feel free to build, modify and edit this list as you like.

Note taking: OneNote, GoogleDocs, GitBook, notepad++, Joplin, Obsidian Screen shots: Snipping tool, Greenshot, ShareX (GIF/video creation) Network Screenshots: Eyewitness, Gowitness, Aquatone

PROJECT LINKS: DATE RANGE: January 1st 2024 - January 8th, 2024 EXTRA NOTES:

Passive Enumeration

Passive Enumeration
Task Completion

Websites:

Shodan

Maltego

Censys

Zoomeye

DNS:

Wappalyzer

DNS Dumpster

crt-sh

Netcraft

OSINT

OSINT
Task Completion

Social Media Checks:

Facebook

Twitter

LinkedIn

Reddit

YouTube

Cross-Platform Checks:

Sherlock

WhatsMyName

Email:

phonebook.cz

TheHarvester

GHunt

HaveIbeenPwned

Email Hippo

h8mail

Google Dorks:

info:

define:

insite:

inurl

filetype:

GHDB check

Google Advanced Search

Breaches & Business:

IntelX

DeHashed

LeakCheck

SnusBase

CrunchBase

Images:

Google Image Search

Bing Image Search

Aperisolve

External Enumeration

External Enumeration
Task Completion

Major scanners:

Nessus

NMAP

OpenVAS

Directory Searches:

dirsearch

Feroxbuster

Gobuster

Dirbuster

Web:

Burp Suite

OWASP ZAP

SQLmap

Nikto

WAF:

wafw00f

whatwaf

Scans:

Do initial scans require further testing?

Scans exported

VAPT created/modified

Draft report created

Report reviewed

Screenshots and Notes Included?

Internal Enumeration

Internal Enumeration
Task Completion

Basic Setup:

ROE Signed?

Scope checked?

Jumpbox ready?

Connection checks

Folders created

Tools installed/updated

Wireshark/tcpdump setup?

Metasploit:

Updated?

Metasploit DB started?

Capturing output of modules?

Set global variables

DNS:

Sublist3r

Amass

dnsrecon

DNspy

Fierce

dnsenum

Kerberos Abuse/NTLM:

Bloodhound

Responder

Rubeus

Kerbrute

MS-RPRN RPC:

PetitPotam

spoolsample

SMB/SNMP/RPC:

crackmapexec

smbclient

smbmap

onesixtyone

enum4linux

rpcclient

Impacket-rpcdump

Brute-Forcing:

Accounts Sprayed?

Hashes cracked? Mimikatz, John, Hashcat

Usernames/passwords exported to file

Credentials stuffed?

Default credentials checked?

Specific Scans:

Telnet

SSH

FTP

SNMP

Specialized Scans:

Itwasalladream

PRET

log4j-scan

Includes Apache Commons

Spring4Shell

IKE-scan

Fuzzers:

WFuzz

ffuf

Create Lists for:

DC's, Exchange, SQL, FTP, Printers, VOIP, Mail, etc..

Information Disclosures

Post Exploitation/Privesc

Post Exploitation
Task Completion

Tools:

Peass-ng

LinEnum

Evil-WinRM

GTFO (LOLBAS) bins

LoFP (Living off False Positives)

Linuxprivchecker

Exploit Suggester (Windows/Linux)

Permissions/Information:

System

Services

History

Users

Passwords

Network

Writeable Checks:

/dev/shm

/tmp/

/var/tmp/

/var/spool/vbox

/var/spool/samba

hostname | uname -a  
cat /proc/version | cat /etc/issue | lscpu 

services
ps au | ps aux | grep root
find / -perm -u=s -type f 2>/dev/null #(finds all perms with s)
ls -la /etc/cron.daily/

whoami | id -u  (for 0 response) | id -un | logname 
/[moomaddafucka]??/b??/[whatever]ho???
ls -la /home/ | ls -l ~/.ssh
cat /etc/passwd | cut -d : -f 1 | cat /etc/shadow | cat /etc/group
history | sudo su -  

network: ifconfig | ip a | ip route | arp a | ip neigh | netstat -ano

passwords
grep --color=auto -rnw '/' -ie "PASSWORD=" --color==always 2> /dev/null
locate password | more
find / -name '*yourtstring*' 
find / -name authorized_keys
find / -name id_rsa 2> /dev/null
find . -writable (For all files under the current directory that are writable by the current user)
find . ! -writable
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

find/ -path /proc -prune -o -type d -perm -o+w 2>/dev/null #find writable dirs
find/ -path /proc -prune -o -type f -perm -o+w 2>/dev/null #find writable files

PreviousPENTESTINGNextREPORTING

Last updated