# Penetration Testing Guide & Checklist

Adapted from: <https://github.com/iAnonymous3000/awesome-pentest-checklist>

### Overview

A comprehensive guide for ethical penetration testing, meticulously designed to cover all phases of a penetration test. This step-by-step checklist ensures thorough coverage from preparation to reporting, ideal for both novice and experienced testers.

### Steps

1. [**Pre-Engagement**](#id-1.-pre-engagement)
2. [**Information Gathering**](#id-2.-information-gathering)
3. [**Vulnerability Analysis**](#id-3.-vulnerability-analysis)
4. [**Exploitation**](#id-4.-exploitation)
5. [**Post-Exploitation**](#id-5.-post-exploitation)
6. [**Reporting**](#id-6.-reporting)
7. [**Remediation Verification**](#id-7.-remediation-verification)

***

### 1. Pre-Engagement

#### Legal and Compliance

* **Secure a Non-Disclosure Agreement (NDA):**\
  Example NDA Template: [NDA Template by LegalTemplates](https://www.legaltemplates.net/form/non-disclosure-agreement/)
* Obtain formal, written authorization for testing.
* Ensure legal compliance with all relevant laws and regulations (e.g., GDPR, HIPAA).
* Obtain appropriate insurance coverage (e.g., professional liability insurance).
* Establish additional confidentiality agreements if necessary.

#### Scope Definition

* Collect comprehensive client and system information.
* Define the scope and rules of engagement clearly:
  * Identify in-scope and out-of-scope systems and applications.
  * Confirm any limitations or constraints (e.g., testing windows, sensitive systems).
* Agree on acceptable testing methodologies and tools.
* Establish safe testing periods to minimize business impact.
* Identify third-party systems and obtain necessary permissions.
* **Example Scoping Document:** [Scoping Template by SANS Institute](https://www.sans.org/white-papers/33343/)

#### Communication and Planning

* Set specific, measurable success criteria.
* Establish emergency contact and response protocols.
* Define data handling and storage protocols:
  * Agree on how sensitive data will be stored, transmitted, and destroyed.
* Agree on communication channels and reporting frequency with the client:
  * Set up regular check-ins and progress updates.
* Clarify testing schedule and time frame.
* Ensure the penetration testing team has the necessary skills and certifications.

***

### 2. Information Gathering

#### Passive Reconnaissance

* Perform WHOIS lookups and analyze domain registration information.\
  **Tool:** [WHOIS Lookup by ICANN](https://whois.icann.org/)
* Conduct DNS analysis and enumerate subdomains.\
  **Tool:** [Sublist3r](https://github.com/aboul3la/Sublist3r)
* Undertake passive information gathering (e.g., Shodan, Censys).\
  **Tool:** [Shodan](https://www.shodan.io/)
* Utilize Open Source Intelligence (OSINT) techniques:
  * Gather information from social media, public forums, and past breaches.\
    **Tool:** [Maltego](https://www.maltego.com/)
  * Review job postings for insights into technologies and systems used.
  * Examine code repositories (e.g., GitHub) for exposed code or credentials.\
    **Tool:** [GitHub Search](https://github.com/search)
* Analyze SSL/TLS certificates for issuer details and expiration dates.\
  **Tool:** [SSL Labs](https://www.ssllabs.com/ssltest/)
* Perform Google dorking to find potentially sensitive information.\
  **Guide:** [Google Dorking Cheat Sheet](https://www.exploit-db.com/google-hacking-database)

#### Active Reconnaissance

* Conduct network and application scans (e.g., Nmap, Nessus).\
  **Tool:** [Nmap](https://nmap.org/)
* Identify and enumerate all subdomains.\
  **Tool:** [Amass](https://github.com/OWASP/Amass)
* Perform web crawling for hidden or dynamic content.\
  **Tool:** [Burp Suite](https://portswigger.net/burp)
* Map network topology and identify network devices.\
  **Tool:** [Netdiscover](https://github.com/alexxy/netdiscover)
* Identify technologies, platforms, and frameworks used in applications.\
  **Tool:** [Wappalyzer](https://www.wappalyzer.com/)
* Search for common vulnerabilities (e.g., default credentials, unpatched systems).\
  **Tool:** [OpenVAS](https://www.openvas.org/)
* Check for information leakage via metadata, HTML comments, etc.\
  **Tool:** [Metagoofil](https://github.com/laramies/metagoofil)

#### Social Engineering Opportunities

* Assess opportunities and methods for social engineering:
  * Monitor social media platforms for company-related disclosures.\
    **Tool:** [Social-Engineer Toolkit (SET)](https://github.com/trustedsec/social-engineer-toolkit)
  * Gather employee and organizational information from public sources.\
    **Tool:** [LinkedIn](https://www.linkedin.com/)

***

### 3. Vulnerability Analysis

#### Automated Scanning

* Validate and prioritize findings from automated scans.\
  **Tool:** [Nessus](https://www.tenable.com/products/nessus)
* Test for known vulnerabilities and possible exploits.\
  **Tool:** [OpenVAS](https://www.openvas.org/)
* Use vulnerability assessment tools to identify potential issues.\
  **Tool:** [Qualys](https://www.qualys.com/)

#### Manual Testing

* Analyze applications for common flaws:
  * SQL Injection (SQLi)\
    **Example:** [SQLi Cheat Sheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
  * Cross-Site Scripting (XSS)\
    **Example:** [XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
  * Cross-Site Request Forgery (CSRF)\
    **Example:** [CSRF Example](https://owasp.org/www-community/attacks/csrf)
  * Insecure Direct Object References (IDOR)\
    **Example:** [IDOR Example](https://portswigger.net/web-security/access-control/idor)
  * Insecure deserialization\
    **Example:** [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
* Conduct fuzz testing to discover new vulnerabilities.\
  **Tool:** [AFL (American Fuzzy Lop)](https://github.com/google/AFL)
* Review server and application configurations for misconfigurations.\
  **Tool:** [Lynis](https://cisofy.com/lynis/)
* Perform manual code reviews where feasible.\
  **Guide:** [OWASP Code Review Guide](https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf)
* Assess authentication and authorization mechanisms.\
  **Tool:** [Burp Suite](https://portswigger.net/burp)
* Check for sensitive data exposure (e.g., in URLs, API responses).\
  **Tool:** [ZAP (Zed Attack Proxy)](https://www.zaproxy.org/)
* Examine session management for weaknesses like session fixation.\
  **Guide:** [Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)

#### Network and Infrastructure

* Test for security misconfigurations in network devices (firewalls, routers).\
  **Tool:** [Nessus](https://www.tenable.com/products/nessus)
* Evaluate encryption and cryptographic practices, including SSL/TLS configurations.\
  **Tool:** [SSL Labs](https://www.ssllabs.com/ssltest/)
* Assess APIs for vulnerabilities such as improper authentication.\
  **Tool:** [Postman](https://www.postman.com/)
* Assess logging and monitoring controls for effectiveness.\
  **Tool:** [Splunk](https://www.splunk.com/)
* Examine third-party components and libraries for vulnerabilities.\
  **Tool:** [Dependency-Check](https://owasp.org/www-project-dependency-check/)

#### IoT Device Testing

* Analyze firmware for vulnerabilities.\
  **Tool:** [Binwalk](https://github.com/ReFirmLabs/binwalk)
* Assess communication protocol security (e.g., MQTT, CoAP).\
  **Tool:** [Wireshark](https://www.wireshark.org/)
* Perform hardware security testing (e.g., JTAG, UART interfaces).\
  **Tool:** [JTAGulator](https://www.jtagulator.com/)
* Evaluate over-the-air (OTA) update security.\
  **Tool:** [Firmware Analysis Toolkit](https://github.com/attify/firmware-analysis-toolkit)
* Check default configuration and hardcoded credentials.\
  **Tool:** [RouterSploit](https://github.com/threat9/routersploit)
* Assess RF communication security (e.g., Bluetooth, Zigbee).\
  **Tool:** [Ubertooth](https://github.com/greatscottgadgets/ubertooth)
* Review physical security controls.

#### Container Security

* Analyze Docker security configurations.\
  **Tool:** [Docker Bench for Security](https://github.com/docker/docker-bench-security)
* Assess Kubernetes cluster security.\
  **Tool:** [Kube-bench](https://github.com/aquasecurity/kube-bench)
* Perform container image scanning for vulnerabilities.\
  **Tool:** [Clair](https://github.com/quay/clair)
* Implement runtime security monitoring.\
  **Tool:** [Falco](https://falco.org/)
* Review service mesh configurations.\
  **Tool:** [Istio](https://istio.io/)
* Evaluate container orchestration security.\
  **Tool:** [Kubescape](https://github.com/kubescape/kubescape)
* Secure container registries.\
  **Tool:** [Harbor](https://goharbor.io/)

#### CI/CD Pipeline Security

* Secure source code management systems.\
  **Tool:** [GitGuardian](https://www.gitguardian.com/)
* Assess build pipeline security.\
  **Tool:** [Jenkins](https://www.jenkins.io/)
* Protect artifact repositories.\
  **Tool:** [Nexus Repository Manager](https://www.sonatype.com/nexus-repository-oss)
* Secure deployment processes.\
  **Tool:** [Argo CD](https://argoproj.github.io/argo-cd/)
* Evaluate Infrastructure as Code (IaC) security.\
  **Tool:** [Checkov](https://www.checkov.io/)
* Implement secrets management best practices.\
  **Tool:** [HashiCorp Vault](https://www.vaultproject.io/)
* Enforce pipeline access controls.\
  **Tool:** [Open Policy Agent (OPA)](https://www.openpolicyagent.org/)

#### Cloud Infrastructure

* Conduct cloud configuration reviews.\
  **Tool:** [Prowler](https://github.com/prowler-cloud/prowler)
* Assess Identity and Access Management (IAM) policies.\
  **Tool:** [CloudSploit](https://cloudsploit.com/)
* Secure storage services (e.g., S3 buckets, Blob storage).\
  **Tool:** [S3Scanner](https://github.com/sa7mon/S3Scanner)
* Review network security groups and firewall settings.\
  **Tool:** [Scout Suite](https://github.com/nccgroup/ScoutSuite)
* Evaluate serverless function security.\
  **Tool:** [Serverless Framework](https://www.serverless.com/)
* Test for misconfigurations in cloud environments.\
  **Tool:** [CloudMapper](https://github.com/duo-labs/cloudmapper)
* Assess cloud-specific vulnerabilities and exploits.\
  **Tool:** [Pacu](https://github.com/RhinoSecurityLabs/pacu)

#### OWASP Testing Guide

A comprehensive guide to testing the security of web applications.\
[OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)

#### NIST SP 800-115

Technical Guide to Information Security Testing and Assessment.\
[NIST SP 800-115](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf)

#### Cloud Penetration Testing Resources

* **AWS Penetration Testing Guidelines**\
  [AWS Penetration Testing Guidelines](https://aws.amazon.com/security/penetration-testing/)
* **Azure Penetration Testing**\
  [Microsoft Cloud Penetration Testing Rules of Engagement](https://docs.microsoft.com/en-us/azure/security/fundamentals/pen-testing)
* **Google Cloud Platform (GCP) Penetration Testing**\
  [GCP Penetration Testing Guidelines](https://cloud.google.com/security/penetration-testing)

#### Mobile Security Testing

* **OWASP Mobile Security Testing Guide**\
  A detailed guide for testing mobile applications' security.\
  [OWASP MSTG](https://owasp.org/www-project-mobile-security-testing-guide/)

#### Compliance and Standards

* Verify adherence to industry standards (e.g., OWASP Top Ten, NIST).\
  **Reference:** [OWASP Top Ten](https://owasp.org/www-project-top-ten/)
* Assess compliance with the organization's security policies and procedures.
* Map findings to compliance requirements (e.g., PCI DSS, ISO 27001).\
  **Reference:** [PCI DSS Requirements](https://www.pcisecuritystandards.org/document_library)

***

### 4. Exploitation

#### Initial Access

* Attempt to gain initial access through:
  * Phishing campaigns (with explicit permission).\
    **Tool:** [GoPhish](https://getgophish.com/)
  * Exploiting known vulnerabilities.\
    **Tool:** [Metasploit](https://www.metasploit.com/)
  * Using default or weak credentials.\
    **Tool:** [Hydra](https://github.com/vanhauser-thc/thc-hydra)
* Utilize exploit frameworks (e.g., Metasploit) responsibly and within scope.\
  **Tool:** [Metasploit](https://www.metasploit.com/)

#### Privilege Escalation

* Perform privilege escalation on compromised systems.\
  **Tool:** [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
* Exploit application logic flaws and business logic vulnerabilities.\
  **Example:** [Privilege Escalation Techniques](https://book.hacktricks.xyz/linux-unix/privilege-escalation)

#### Lateral Movement

* Explore lateral movement within the network.\
  **Tool:** [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
* Attempt to access other systems and resources.\
  **Tool:** [Mimikatz](https://github.com/gentilkiwi/mimikatz)

#### Security Evasion

* Attempt to bypass security controls like WAF, 2FA, etc.\
  **Tool:** [WAFW00F](https://github.com/EnableSecurity/wafw00f)
* Try to evade detection by security solutions (e.g., antivirus, IDS/IPS).\
  **Tool:** [Veil-Evasion](https://github.com/Veil-Framework/Veil-Evasion)
* Use custom or zero-day exploits cautiously and with explicit permission.\
  **Tool:** [Exploit-DB](https://www.exploit-db.com/)

#### Documentation

* Document each step of the exploitation process meticulously.
* Maintain detailed logs of all actions for accountability and analysis.
* Ensure all exploitation steps are reproducible and verifiable.

***

### 5. Post-Exploitation

#### Impact Analysis

* Identify and access critical data stores.
* Analyze the potential business and technical impacts of exploited vulnerabilities.
* Evaluate the likelihood of real-world exploitation based on findings.

#### Persistence and Cleanup

* Implement strategies for maintaining access, if necessary and authorized.\
  **Tool:** [Empire](https://github.com/EmpireProject/Empire)
* Remove all tools, scripts, and artifacts used during testing.
* Ensure no backdoors, test accounts, or persistence mechanisms remain.
* Verify that systems are restored to their pre-testing state.
* Confirm that no sensitive data was altered or left exposed.

#### Data Handling

* Adhere to secure data handling and processing procedures.
* Check for clear-text credentials and sensitive data in memory.\
  **Tool:** [Mimikatz](https://github.com/gentilkiwi/mimikatz)
* Simulate data exfiltration, if within the agreed scope.\
  **Tool:** [Dnscat2](https://github.com/iagox86/dnscat2)

#### Documentation

* Document all system alterations comprehensively.

***

### 6. Reporting

#### Report Preparation

* Create a detailed technical report documenting tools, techniques, and procedures used.
* Include evidence such as screenshots and logs.
* Provide clear, actionable remediation recommendations.
* Assign risk ratings to all identified vulnerabilities.
* Follow industry-standard reporting formats (e.g., PTES, NIST guidelines).\
  **Reference:** [PTES Reporting](http://www.pentest-standard.org/index.php/Reporting)
* Include a detailed methodology section explaining the testing approach.
* Provide references to relevant industry standards and best practices.

#### Executive Summary

* Prepare an executive summary for stakeholder review.
* Include both technical details and high-level overviews for different audiences.

#### Classification and Security

* Ensure the report is classified appropriately and sensitive data is secured.
* Offer a prioritized action plan with clear timelines for remediation.

#### Client Communication

* Conduct a read-out meeting with the client to discuss key findings.
* Suggest a timeline for follow-up assessments or retesting.

***

### 7. Remediation Verification

#### Retesting

* Allow a designated period for the client to remediate identified issues.
* Conduct retests to verify the effectiveness of fixes.
* Update the report with verification results and any new findings.
* Validate that security controls are now functioning as intended.

#### Unresolved Issues

* Document any unresolved security issues.
* Recommend strategies for ongoing monitoring and improvement.

#### Continuous Improvement

* Assist in identifying root causes to prevent future vulnerabilities.
* Recommend improvements to policies, procedures, and security practices.
* Propose integrating security into the software development lifecycle.
* Advise on the need for security awareness and training programs.
* Propose a schedule for regular future security audits.
* Provide guidance on implementing a vulnerability management program.


