Penetration Testing Guide & Checklist

Digubah dari: https://github.com/iAnonymous3000/awesome-pentest-checklist

Overview

A comprehensive guide for ethical penetration testing, meticulously designed to cover all phases of a penetration test. This step-by-step checklist ensures thorough coverage from preparation to reporting, ideal for both novice and experienced testers.

Step

1. Pre-Engagement

2. Information Gathering

3. Vulnerability Analysis

4. Exploitation

5. Post-Exploitation

6. Reporting

7. Remediation Verification

1. Pre-Engagement

Legal and Compliance

• Secure a Non-Disclosure Agreement (NDA): Example NDA Template: NDA Template by LegalTemplates

• Obtain formal, written authorization for testing.

• Ensure legal compliance with all relevant laws and regulations (e.g., GDPR, HIPAA).

• Obtain appropriate insurance coverage (e.g., professional liability insurance).

• Establish additional confidentiality agreements if necessary.

Scope Definition

• Collect comprehensive client and system information.

• Define the scope and rules of engagement clearly:

  • Identify in-scope and out-of-scope systems and applications.

  • Confirm any limitations or constraints (e.g., testing windows, sensitive systems).

• Agree on acceptable testing methodologies and tools.

• Establish safe testing periods to minimize business impact.

• Identify third-party systems and obtain necessary permissions.

• Example Scoping Document: Scoping Template by SANS Institute

Communication and Planning

• Set specific, measurable success criteria.

• Establish emergency contact and response protocols.

• Define data handling and storage protocols:

  • Agree on how sensitive data will be stored, transmitted, and destroyed.

• Agree on communication channels and reporting frequency with the client:

  • Set up regular check-ins and progress updates.

• Clarify testing schedule and time frame.

• Ensure the penetration testing team has the necessary skills and certifications.

2. Information Gathering

Passive Reconnaissance

• Perform WHOIS lookups and analyze domain registration information. Tool: WHOIS Lookup by ICANN

• Conduct DNS analysis and enumerate subdomains. Tool: Sublist3r

• Undertake passive information gathering (e.g., Shodan, Censys). Tool: Shodan

• Utilize Open Source Intelligence (OSINT) techniques:

  • Gather information from social media, public forums, and past breaches. Tool: Maltego

  • Review job postings for insights into technologies and systems used.

  • Examine code repositories (e.g., GitHub) for exposed code or credentials. Tool: GitHub Search

• Analyze SSL/TLS certificates for issuer details and expiration dates. Tool: SSL Labs

• Perform Google dorking to find potentially sensitive information. Guide: Google Dorking Cheat Sheet

Active Reconnaissance

• Conduct network and application scans (e.g., Nmap, Nessus). Tool: Nmap

• Identify and enumerate all subdomains. Tool: Amass

• Perform web crawling for hidden or dynamic content. Tool: Burp Suite

• Map network topology and identify network devices. Tool: Netdiscover

• Identify technologies, platforms, and frameworks used in applications. Tool: Wappalyzer

• Search for common vulnerabilities (e.g., default credentials, unpatched systems). Tool: OpenVAS

• Check for information leakage via metadata, HTML comments, etc. Tool: Metagoofil

Social Engineering Opportunities

• Assess opportunities and methods for social engineering:

  • Monitor social media platforms for company-related disclosures. Tool: Social-Engineer Toolkit (SET)

  • Gather employee and organizational information from public sources. Tool: LinkedIn

3. Vulnerability Analysis

Automated Scanning

• Validate and prioritize findings from automated scans. Tool: Nessus

• Test for known vulnerabilities and possible exploits. Tool: OpenVAS

• Use vulnerability assessment tools to identify potential issues. Tool: Qualys

Manual Testing

• Analyze applications for common flaws:

  • SQL Injection (SQLi) Example: SQLi Cheat Sheet

  • Cross-Site Scripting (XSS) Example: XSS Cheat Sheet

  • Cross-Site Request Forgery (CSRF) Example: CSRF Example

  • Insecure Direct Object References (IDOR) Example: IDOR Example

  • Insecure deserialization Example: Deserialization Cheat Sheet

• Conduct fuzz testing to discover new vulnerabilities. Tool: AFL (American Fuzzy Lop)

• Review server and application configurations for misconfigurations. Tool: Lynis

• Perform manual code reviews where feasible. Guide: OWASP Code Review Guide

• Assess authentication and authorization mechanisms. Tool: Burp Suite

• Check for sensitive data exposure (e.g., in URLs, API responses). Tool: ZAP (Zed Attack Proxy)

• Examine session management for weaknesses like session fixation. Guide: Session Management Cheat Sheet

Network and Infrastructure

• Test for security misconfigurations in network devices (firewalls, routers). Tool: Nessus

• Evaluate encryption and cryptographic practices, including SSL/TLS configurations. Tool: SSL Labs

• Assess APIs for vulnerabilities such as improper authentication. Tool: Postman

• Assess logging and monitoring controls for effectiveness. Tool: Splunk

• Examine third-party components and libraries for vulnerabilities. Tool: Dependency-Check

IoT Device Testing

• Firmware analysis for vulnerabilities. Tool: Binwalk

• Assess communication protocol security (e.g., MQTT, CoAP). Tool: Wireshark

• Perform hardware security testing (e.g., JTAG, UART interfaces). Tool: JTAGulator

• Evaluate over-the-air (OTA) update security. Tool: Firmware Analysis Toolkit

• Check default configuration and hardcoded credentials. Tool: RouterSploit

• Assess RF communication security (e.g., Bluetooth, Zigbee). Tool: Ubertooth

• Review physical security controls.

Container Security

• Analyze Docker security configurations. Tool: Docker Bench for Security

• Assess Kubernetes cluster security. Tool: Kube-bench

• Perform container image scanning for vulnerabilities. Tool: Clair

• Implement runtime security monitoring. Tool: Falco

• Review service mesh configurations. Tool: Istio

• Evaluate container orchestration security. Tool: Kubescape

• Secure container registries. Tool: Harbor

CI/CD Pipeline Security

• Secure source code management systems. Tool: GitGuardian

• Assess build pipeline security. Tool: Jenkins

• Protect artifact repositories. Tool: Nexus Repository Manager

• Secure deployment processes. Tool: Argo CD

• Evaluate Infrastructure as Code (IaC) security. Tool: Checkov

• Implement secrets management best practices. Tool: HashiCorp Vault

• Enforce pipeline access controls. Tool: Open Policy Agent (OPA)

Cloud Infrastructure

• Conduct cloud configuration reviews. Tool: Prowler

• Assess Identity and Access Management (IAM) policies. Tool: CloudSploit

• Secure storage services (e.g., S3 buckets, Blob storage). Tool: S3Scanner

• Review network security groups and firewall settings. Tool: Scout Suite

• Evaluate serverless function security. Tool: Serverless Framework

• Test for misconfigurations in cloud environments. Tool: CloudMapper

• Assess cloud-specific vulnerabilities and exploits. Tool: Pacu

OWASP Testing Guide

A comprehensive guide to testing the security of web applications. OWASP Testing Guide

NIST SP 800-115

Technical Guide to Information Security Testing and Assessment. NIST SP 800-115

Cloud Penetration Testing Resources

• AWS Penetration Testing Guidelines AWS Penetration Testing Guidelines

• Azure Penetration Testing Microsoft Cloud Penetration Testing Rules of Engagement

• Google Cloud Platform (GCP) Penetration Testing GCP Penetration Testing Guidelines

Mobile Security Testing

• OWASP Mobile Security Testing Guide A detailed guide for testing mobile applications' security. OWASP MSTG

Compliance and Standards

• Verify adherence to industry standards (e.g., OWASP Top Ten, NIST). Reference: OWASP Top Ten

• Assess compliance with the organization's security policies and procedures.

• Map findings to compliance requirements (e.g., PCI DSS, ISO 27001). Reference: PCI DSS Requirements

4. Exploitation

Initial Access

• Attempt to gain initial access through:

  • Phishing campaigns (with explicit permission). Tool: GoPhish

  • Exploiting known vulnerabilities. Tool: Metasploit

  • Using default or weak credentials. Tool: Hydra

• Utilize exploit frameworks (e.g., Metasploit) responsibly and within scope. Tool: Metasploit

Privilege Escalation

• Perform privilege escalation on compromised systems. Tool: LinPEAS

• Exploit application logic flaws and business logic vulnerabilities. Example: Privilege Escalation Techniques

Lateral Movement

• Explore lateral movements within the network. Tool: CrackMapExec

• Attempt to access other systems and resources. Tool: Mimikatz

Security Evasion

• Attempt to bypass security controls like WAF, 2FA, etc. Tool: WAFW00F

• Try to evade detection by security solutions (e.g., antivirus, IDS/IPS). Tool: Veil-Evasion

• Use custom or zero-day exploits cautiously and with explicit permission. Tool: Exploit-DB

Documentation

• Document each step of the exploitation process meticulously.

• Maintain detailed logs of all actions for accountability and analysis.

• Ensure all exploitation steps are reproducible and verifiable.

5. Post-Exploitation

Impact Analysis

• Identify and access critical data stores.

• Analyze the potential business and technical impacts of exploited vulnerabilities.

• Evaluate the likelihood of real-world exploitation based on findings.

Persistence and Cleanup

• Implement strategies for maintaining access, if necessary and authorized. Tool: Empire

• Remove all tools, scripts, and artifacts used during testing.

• Ensure no backdoors, test accounts, or persistence mechanisms remain.

• Verify that systems are restored to their pre-testing state.

• Confirm that no sensitive data was altered or left exposed.

Data Handling

• Adhere to secure data handling and processing procedures.

• Check for clear-text credentials and sensitive data in memory. Tool: Mimikatz

• Simulate data exfiltration, if within the agreed scope. Tool: Dnscat2

Documentation

• Document all system alterations comprehensively.

6. Reporting

Report Preparation

• Create a detailed technical report documenting tools, techniques, and procedures used.

• Include evidence such as screenshots and logs.

• Provide clear, actionable remediation recommendations.

• Assign risk ratings to all identified vulnerabilities.

• Follow industry-standard reporting formats (e.g., PTES, NIST guidelines). Reference: PTES Reporting

• Include a detailed methodology section explaining the testing approach.

• Provide references to relevant industry standards and best practices.

Executive Summary

• Prepare an executive summary for stakeholder review.

• Include both technical details and high-level overviews for different audiences.

Classification and Security

• Ensure the report is classified appropriately and sensitive data is secured.

• Offer a prioritized action plan with clear timelines for remediation.

Client Communication

• Conduct a read-out meeting with the client to discuss key findings.

• Suggest a timeline for follow-up assessments or retesting.

7. Remediation Verification

Retesting

• Allow a designated period for the client to remediate identified issues.

• Conduct retests to verify the effectiveness of fixes.

• Update the report with verification results and any new findings.

• Validate that security controls are now functioning as intended.

Unresolved Issues

• Document any unresolved security issues.

• Recommend strategies for ongoing monitoring and improvement.

Continuous Improvement

• Assist in identifying root causes to prevent future vulnerabilities.

• Recommend improvements to policies, procedures, and security practices.

• Propose integrating security into the software development lifecycle.

• Advise on the need for security awareness and training programs.

• Propose a schedule for regular future security audits.

• Provide guidance on implementing a vulnerability management program.