Penetration Testing Guide & Checklist

Adapted from: https://github.com/iAnonymous3000/awesome-pentest-checklist

Overview

A comprehensive guide for ethical penetration testing, meticulously designed to cover all phases of a penetration test. This step-by-step checklist ensures thorough coverage from preparation to reporting, ideal for both novice and experienced testers.

Steps


1. Pre-Engagement

  • Secure a Non-Disclosure Agreement (NDA): Example NDA Template: NDA Template by LegalTemplates

  • Obtain formal, written authorization for testing.

  • Ensure legal compliance with all relevant laws and regulations (e.g., GDPR, HIPAA).

  • Obtain appropriate insurance coverage (e.g., professional liability insurance).

  • Establish additional confidentiality agreements if necessary.

Scope Definition

  • Collect comprehensive client and system information.

  • Define the scope and rules of engagement clearly:

    • Identify in-scope and out-of-scope systems and applications.

    • Confirm any limitations or constraints (e.g., testing windows, sensitive systems).

  • Agree on acceptable testing methodologies and tools.

  • Establish safe testing periods to minimize business impact.

  • Identify third-party systems and obtain necessary permissions.

  • Example Scoping Document: Scoping Template by SANS Institute
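The scope items above are only useful if every target the team touches is checked against them before any scanning starts. The following script is an added example, not part of the original checklist or the linked SANS template; it assumes a small hypothetical scope definition (in-scope and excluded networks, an authorized domain, and an explicitly excluded host) and decides for each candidate target whether it may be tested, handling the easy-to-miss cases: an exclusion inside an authorized range, and look-alike hostnames such as `notexample.com` that must not match `example.com`.

```python
import ipaddress
from dataclasses import dataclass

# Constructed scope definition for illustration (assumed format, not from the original page).
SCOPE = {
    "in_scope_networks": ["10.10.0.0/16", "192.0.2.0/24"],
    "out_of_scope_networks": ["10.10.5.0/24"],        # e.g. a sensitive production segment
    "in_scope_domains": ["example.com"],               # authorization covers subdomains too
    "out_of_scope_hosts": ["payments.example.com"],    # explicitly excluded by the client
}


@dataclass
class ScopeDecision:
    target: str
    allowed: bool
    reason: str


def _norm_host(name: str) -> str:
    return name.lower().rstrip(".")


def _under_domain(host: str, domain: str) -> bool:
    # Exact match or a real subdomain; "notexample.com" must not match "example.com".
    host, domain = _norm_host(host), _norm_host(domain)
    return host == domain or host.endswith("." + domain)


def check_target(target: str, scope: dict = SCOPE) -> ScopeDecision:
    """Decide whether a single IP or hostname is inside the agreed scope."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        # Exclusions win over inclusions: an excluded /24 inside an authorized /16 stays off-limits.
        for net in scope["out_of_scope_networks"]:
            if ip in ipaddress.ip_network(net):
                return ScopeDecision(target, False, f"inside excluded network {net}")
        for net in scope["in_scope_networks"]:
            if ip in ipaddress.ip_network(net):
                return ScopeDecision(target, True, f"inside authorized network {net}")
        return ScopeDecision(target, False, "not inside any authorized network")

    for host in scope["out_of_scope_hosts"]:
        if _norm_host(target) == _norm_host(host):
            return ScopeDecision(target, False, "explicitly excluded host")
    for domain in scope["in_scope_domains"]:
        if _under_domain(target, domain):
            return ScopeDecision(target, True, f"under authorized domain {domain}")
    return ScopeDecision(target, False, "not under any authorized domain")


def filter_targets(targets, scope: dict = SCOPE):
    """Split a candidate target list into (allowed, rejected) decisions."""
    allowed, rejected = [], []
    for t in targets:
        decision = check_target(t, scope)
        (allowed if decision.allowed else rejected).append(decision)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed candidate list mixing in-scope, excluded and unrelated targets.
    candidates = ["10.10.1.1", "10.10.5.7", "www.example.com",
                  "notexample.com", "payments.example.com", "198.51.100.1"]
    ok, bad = filter_targets(candidates)
    for d in ok + bad:
        print(f"{'ALLOW' if d.allowed else 'REJECT':6} {d.target:24} {d.reason}")
```

Run the scope check on the final target list before scanners are launched, and keep the scope definition in version control alongside the rules of engagement so that changes during the engagement are traceable.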

Communication and Planning

  • Set specific, measurable success criteria.

  • Establish emergency contact and response protocols.

  • Define data handling and storage protocols:

    • Agree on how sensitive data will be stored, transmitted, and destroyed.

  • Agree on communication channels and reporting frequency with the client:

    • Set up regular check-ins and progress updates.

  • Clarify testing schedule and time frame.

  • Ensure the penetration testing team has the necessary skills and certifications.


2. Information Gathering

Passive Reconnaissance

  • Perform WHOIS lookups and analyze domain registration information. Tool: WHOIS Lookup by ICANN

  • Conduct DNS analysis and enumerate subdomains. Tool: Sublist3r

  • Undertake passive information gathering (e.g., Shodan, Censys). Tool: Shodan

  • Utilize Open Source Intelligence (OSINT) techniques:

    • Gather information from social media, public forums, and past breaches. Tool: Maltego

    • Review job postings for insights into technologies and systems used.

    • Examine code repositories (e.g., GitHub) for exposed code or credentials. Tool: GitHub Search

  • Analyze SSL/TLS certificates for issuer details and expiration dates. Tool: SSL Labs

  • Perform Google dorking to find potentially sensitive information. Guide: Google Dorking Cheat Sheet

Active Reconnaissance

  • Conduct network and application scans (e.g., Nmap, Nessus). Tool: Nmap

  • Identify and enumerate all subdomains. Tool: Amass

  • Perform web crawling for hidden or dynamic content. Tool: Burp Suite

  • Map network topology and identify network devices. Tool: Netdiscover

  • Identify technologies, platforms, and frameworks used in applications. Tool: Wappalyzer

  • Search for common vulnerabilities (e.g., default credentials, unpatched systems). Tool: OpenVAS

  • Check for information leakage via metadata, HTML comments, etc. Tool: Metagoofil

Social Engineering Opportunities

  • Assess opportunities and methods for social engineering.


3. Vulnerability Analysis

Automated Scanning

  • Validate and prioritize findings from automated scans. Tool: Nessus

  • Test for known vulnerabilities and possible exploits. Tool: OpenVAS

  • Use vulnerability assessment tools to identify potential issues. Tool: Qualys

Manual Testing

Network and Infrastructure

  • Test for security misconfigurations in network devices (firewalls, routers). Tool: Nessus

  • Evaluate encryption and cryptographic practices, including SSL/TLS configurations. Tool: SSL Labs

  • Assess APIs for vulnerabilities such as improper authentication. Tool: Postman

  • Assess logging and monitoring controls for effectiveness. Tool: Splunk

  • Examine third-party components and libraries for vulnerabilities. Tool: Dependency-Check

IoT Device Testing

  • Firmware analysis for vulnerabilities. Tool: Binwalk

  • Assess communication protocol security (e.g., MQTT, CoAP). Tool: Wireshark

  • Perform hardware security testing (e.g., JTAG, UART interfaces). Tool: JTAGulator

  • Evaluate over-the-air (OTA) update security. Tool: Firmware Analysis Toolkit

  • Check default configuration and hardcoded credentials. Tool: RouterSploit

  • Assess RF communication security (e.g., Bluetooth, Zigbee). Tool: Ubertooth

  • Review physical security controls.

Container Security

  • Analyze Docker security configurations. Tool: Docker Bench for Security

  • Assess Kubernetes cluster security. Tool: Kube-bench

  • Perform container image scanning for vulnerabilities. Tool: Clair

  • Implement runtime security monitoring. Tool: Falco

  • Review service mesh configurations. Tool: Istio

  • Evaluate container orchestration security. Tool: Kubescape

  • Secure container registries. Tool: Harbor
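Several of the container items above (Docker configuration review, image scanning, registry hygiene) start with the image build definition. As an added example that is not part of the original checklist and not the code of Docker Bench, Clair or any other tool named here, the following script audits a Dockerfile for a handful of common weaknesses: an unpinned base image, secrets baked into `ENV`, remote scripts piped into a shell, `ADD` from a URL, an exposed SSH port, and no non-root `USER`. Both Dockerfiles are constructed samples; the check names and thresholds are the author's own assumptions.

```python
import re

# Constructed weak Dockerfile (illustrative only).
WEAK_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
RUN curl -sSL https://example.invalid/install.sh | sh
ADD https://example.invalid/app.tar.gz /opt/
COPY . /app
WORKDIR /app
RUN pip install \\
    -r requirements.txt
EXPOSE 22
CMD ["python", "app.py"]
"""

# Constructed hardened counterpart.
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
COPY --chown=app:app . /app
WORKDIR /app
RUN pip install --no-cache-dir -r requirements.txt
USER app
CMD ["python", "app.py"]
"""

SECRET_ENV = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)\w*\s*=", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b")


def parse_dockerfile(text):
    """Return (INSTRUCTION, arguments) pairs, joining backslash continuations and skipping comments."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        inst, _, args = buf.partition(" ")
        instructions.append((inst.upper(), args.strip()))
        buf = ""
    return instructions


def audit_dockerfile(text):
    """Return a list of (instruction, message) findings; empty list means no issue detected."""
    findings = []
    last_user = None
    for inst, args in parse_dockerfile(text):
        if inst == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]   # drop --platform=...
            image = tokens[0]
            if image != "scratch" and (":" not in image or image.endswith(":latest")):
                findings.append(("FROM", "base image not pinned to a tag or digest"))
        elif inst == "USER":
            last_user = args
        elif inst == "ENV" and SECRET_ENV.search(args):
            findings.append(("ENV", "secret-looking value baked into an image layer"))
        elif inst == "RUN" and PIPE_TO_SHELL.search(args):
            findings.append(("RUN", "remote script piped straight into a shell"))
        elif inst == "ADD" and re.match(r"https?://", args):
            findings.append(("ADD", "remote URL fetched with ADD; copy a verified artifact instead"))
        elif inst == "EXPOSE":
            ports = [p.split("/")[0] for p in args.split()]
            if "22" in ports:
                findings.append(("EXPOSE", "SSH port exposed from the container"))
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append(("USER", "container runs as root (no non-root USER set)"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {name} ==")
        for inst, msg in audit_dockerfile(text) or [("-", "no findings")]:
            print(f"  {inst:7} {msg}")
```

A linter like this complements, rather than replaces, an image scanner: it catches build-time hygiene problems that no CVE database will report, while tools such as Clair cover known vulnerabilities in the packages the image contains.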

CI/CD Pipeline Security

Cloud Infrastructure

  • Conduct cloud configuration reviews. Tool: Prowler

  • Assess Identity and Access Management (IAM) policies. Tool: CloudSploit

  • Secure storage services (e.g., S3 buckets, Blob storage). Tool: S3Scanner

  • Review network security groups and firewall settings. Tool: Scout Suite

  • Evaluate serverless function security. Tool: Serverless Framework

  • Test for misconfigurations in cloud environments. Tool: CloudMapper

  • Assess cloud-specific vulnerabilities and exploits. Tool: Pacu
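The storage and misconfiguration items above most often come down to one question: does a resource policy grant access to anonymous or wildcard principals? The script below is an added example, not part of the original checklist and not the code of S3Scanner, Scout Suite or CloudMapper; it evaluates a constructed S3 bucket policy and flags `Allow` statements with a wildcard principal, distinguishing truly public grants from wildcard principals that are scoped by a condition key such as `aws:PrincipalOrgID` (the list of keys treated as restricting is the author's assumption). The account ID used is the AWS documentation example account, and the bucket names are made up.

```python
import json

# Constructed sample bucket policy (illustrative; not from any real account).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AdminWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/Deployer"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgWide", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]
})

# Condition keys that tie a wildcard principal to a known identity or origin (assumed list).
RESTRICTING_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce", "aws:userid",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _has_restricting_condition(stmt) -> bool:
    for _operator, key_values in stmt.get("Condition", {}).items():
        if any(key.lower() in RESTRICTING_KEYS for key in key_values):
            return True
    return False


def audit_bucket_policy(policy_json: str):
    """Return (Sid, severity, message) findings for a bucket policy document."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue                       # Deny statements only narrow access
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        wildcard_action = any(a in ("s3:*", "*") for a in actions)
        write_action = any(a.startswith(("s3:put", "s3:delete")) for a in actions)
        if "NotPrincipal" in stmt:
            findings.append((sid, "high", "Allow with NotPrincipal grants everyone except the listed principals"))
        if _principal_is_anonymous(stmt.get("Principal")):
            if _has_restricting_condition(stmt):
                findings.append((sid, "info", "wildcard principal scoped by a condition; verify its values"))
            else:
                severity = "critical" if (wildcard_action or write_action) else "high"
                findings.append((sid, severity, "public access: " + ", ".join(actions)))
        elif wildcard_action:
            findings.append((sid, "medium", "wildcard action granted; apply least privilege"))
    return findings


if __name__ == "__main__":
    for sid, severity, message in audit_bucket_policy(SAMPLE_POLICY):
        print(f"[{severity:8}] {sid}: {message}")
```

A bucket policy is only one of the layers that decide exposure; the account and bucket Block Public Access settings and any legacy ACLs must be reviewed alongside it, and the same principal analysis applies to other resource policies such as SQS queues and KMS keys.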

OWASP Testing Guide

A comprehensive guide to testing the security of web applications. OWASP Testing Guide

NIST SP 800-115

Technical Guide to Information Security Testing and Assessment. NIST SP 800-115

Cloud Penetration Testing Resources

Mobile Security Testing

  • OWASP Mobile Security Testing Guide: a detailed guide for testing the security of mobile applications. OWASP MSTG

Compliance and Standards

  • Verify adherence to industry standards (e.g., OWASP Top Ten, NIST). Reference: OWASP Top Ten

  • Assess compliance with the organization's security policies and procedures.

  • Map findings to compliance requirements (e.g., PCI DSS, ISO 27001). Reference: PCI DSS Requirements


4. Exploitation

Initial Access

  • Attempt to gain initial access through:

    • Phishing campaigns (with explicit permission). Tool: GoPhish

    • Exploiting known vulnerabilities. Tool: Metasploit

    • Using default or weak credentials. Tool: Hydra

  • Utilize exploit frameworks (e.g., Metasploit) responsibly and within scope. Tool: Metasploit

Privilege Escalation

Lateral Movement

  • Explore lateral movement within the network. Tool: CrackMapExec

  • Attempt to access other systems and resources. Tool: Mimikatz

Security Evasion

  • Attempt to bypass security controls like WAF, 2FA, etc. Tool: WAFW00F

  • Try to evade detection by security solutions (e.g., antivirus, IDS/IPS). Tool: Veil-Evasion

  • Use custom or zero-day exploits cautiously and with explicit permission. Tool: Exploit-DB

Documentation

  • Document each step of the exploitation process meticulously.

  • Maintain detailed logs of all actions for accountability and analysis.

  • Ensure all exploitation steps are reproducible and verifiable.


5. Post-Exploitation

Impact Analysis

  • Identify and access critical data stores.

  • Analyze the potential business and technical impacts of exploited vulnerabilities.

  • Evaluate the likelihood of real-world exploitation based on findings.

Persistence and Cleanup

  • Implement strategies for maintaining access, if necessary and authorized. Tool: Empire

  • Remove all tools, scripts, and artifacts used during testing.

  • Ensure no backdoors, test accounts, or persistence mechanisms remain.

  • Verify that systems are restored to their pre-testing state.

  • Confirm that no sensitive data was altered or left exposed.

Data Handling

  • Adhere to secure data handling and processing procedures.

  • Check for clear-text credentials and sensitive data in memory. Tool: Mimikatz

  • Simulate data exfiltration, if within the agreed scope. Tool: Dnscat2

Documentation

  • Document all system alterations comprehensively.


6. Reporting

Report Preparation

  • Create a detailed technical report documenting tools, techniques, and procedures used.

  • Include evidence such as screenshots and logs.

  • Provide clear, actionable remediation recommendations.

  • Assign risk ratings to all identified vulnerabilities.

  • Follow industry-standard reporting formats (e.g., PTES, NIST guidelines). Reference: PTES Reporting

  • Include a detailed methodology section explaining the testing approach.

  • Provide references to relevant industry standards and best practices.

Executive Summary

  • Prepare an executive summary for stakeholder review.

  • Include both technical details and high-level overviews for different audiences.

Classification and Security

  • Ensure the report is classified appropriately and sensitive data is secured.

  • Offer a prioritized action plan with clear timelines for remediation.

Client Communication

  • Conduct a read-out meeting with the client to discuss key findings.

  • Suggest a timeline for follow-up assessments or retesting.


7. Remediation Verification

Retesting

  • Allow a designated period for the client to remediate identified issues.

  • Conduct retests to verify the effectiveness of fixes.

  • Update the report with verification results and any new findings.

  • Validate that security controls are now functioning as intended.

Unresolved Issues

  • Document any unresolved security issues.

  • Recommend strategies for ongoing monitoring and improvement.

Continuous Improvement

  • Assist in identifying root causes to prevent future vulnerabilities.

  • Recommend improvements to policies, procedures, and security practices.

  • Propose integrating security into the software development lifecycle.

  • Advise on the need for security awareness and training programs.

  • Propose a schedule for regular future security audits.

  • Provide guidance on implementing a vulnerability management program.
