# Penetration Testing Guide & Checklist

Adapted from: <https://github.com/iAnonymous3000/awesome-pentest-checklist>

### Overview

A comprehensive guide for ethical penetration testing, meticulously designed to cover all phases of a penetration test. This step-by-step checklist ensures thorough coverage from preparation to reporting, ideal for both novice and experienced testers.

### Steps

1. [**Pre-Engagement**](#id-1.-pre-engagement)
2. [**Information Gathering**](#id-2.-information-gathering)
3. [**Vulnerability Analysis**](#id-3.-vulnerability-analysis)
4. [**Exploitation**](#id-4.-exploitation)
5. [**Post-Exploitation**](#id-5.-post-exploitation)
6. [**Reporting**](#id-6.-reporting)
7. [**Remediation Verification**](#id-7.-remediation-verification)

***

### 1. Pre-Engagement

#### Legal and Compliance

* **Secure a Non-Disclosure Agreement (NDA):**\
  Example NDA Template: [NDA Template by LegalTemplates](https://www.legaltemplates.net/form/non-disclosure-agreement/)
* Obtain formal, written authorization for testing.
* Ensure legal compliance with all relevant laws and regulations (e.g., GDPR, HIPAA).
* Obtain appropriate insurance coverage (e.g., professional liability insurance).
* Establish additional confidentiality agreements if necessary.

#### Scope Definition

* Collect comprehensive client and system information.
* Define the scope and rules of engagement clearly:
  * Identify in-scope and out-of-scope systems and applications.
  * Confirm any limitations or constraints (e.g., testing windows, sensitive systems).
* Agree on acceptable testing methodologies and tools.
* Establish safe testing periods to minimize business impact.
* Identify third-party systems and obtain necessary permissions.
* **Example Scoping Document:** [Scoping Template by SANS Institute](https://www.sans.org/white-papers/33343/)
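As an added example (not part of the original checklist), a small Python rules-of-engagement checker that refuses any target not explicitly authorized, with out-of-scope carve-outs taking precedence over in-scope ranges; the CIDRs and domain names are constructed sample values, not from any real engagement.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RulesOfEngagement:
    """Scope as agreed in writing with the client (constructed sample values below)."""
    in_scope_cidrs: list = field(default_factory=list)
    in_scope_domains: list = field(default_factory=list)   # "*.example.test" covers subdomains
    excluded_cidrs: list = field(default_factory=list)     # exclusions always win
    excluded_domains: list = field(default_factory=list)

def _domain_matches(target: str, pattern: str) -> bool:
    # Case-insensitive match; a "*." pattern matches the base domain and any subdomain of it.
    target, pattern = target.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return target == base or target.endswith("." + base)
    return target == pattern

def _ip_in_any(ip, cidrs) -> bool:
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def is_in_scope(target: str, roe: RulesOfEngagement) -> bool:
    """Return True only if target is explicitly authorized and not carved out."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None                      # not an IP literal, treat as a hostname
    if ip is not None:
        if _ip_in_any(ip, roe.excluded_cidrs):
            return False
        return _ip_in_any(ip, roe.in_scope_cidrs)
    if any(_domain_matches(target, p) for p in roe.excluded_domains):
        return False
    return any(_domain_matches(target, p) for p in roe.in_scope_domains)

def filter_targets(targets, roe):
    """Split a candidate target list into (allowed, rejected) before any scanning starts."""
    allowed = [t for t in targets if is_in_scope(t, roe)]
    rejected = [t for t in targets if t not in allowed]
    return allowed, rejected

# Constructed sample rules of engagement, not from any real client.
SAMPLE_ROE = RulesOfEngagement(
    in_scope_cidrs=["203.0.113.0/24"],
    in_scope_domains=["*.example.test"],
    excluded_cidrs=["203.0.113.250/32"],      # e.g. a production database host carved out
    excluded_domains=["payroll.example.test"],
)
```

Run `filter_targets` over the candidate list produced by reconnaissance and feed only the `allowed` half to any scanner; anything in `rejected` goes back to the client for a scope clarification rather than being tested.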

#### Communication and Planning

* Set specific, measurable success criteria.
* Establish emergency contact and response protocols.
* Define data handling and storage protocols:
  * Agree on how sensitive data will be stored, transmitted, and destroyed.
* Agree on communication channels and reporting frequency with the client:
  * Set up regular check-ins and progress updates.
* Clarify testing schedule and time frame.
* Ensure the penetration testing team has the necessary skills and certifications.

***

### 2. Information Gathering

#### Passive Reconnaissance

* Perform WHOIS lookups and analyze domain registration information.\
  **Tool:** [WHOIS Lookup by ICANN](https://whois.icann.org/)
* Conduct DNS analysis and enumerate subdomains.\
  **Tool:** [Sublist3r](https://github.com/aboul3la/Sublist3r)
* Undertake passive information gathering (e.g., Shodan, Censys).\
  **Tool:** [Shodan](https://www.shodan.io/)
* Utilize Open Source Intelligence (OSINT) techniques:
  * Gather information from social media, public forums, and past breaches.\
    **Tool:** [Maltego](https://www.maltego.com/)
  * Review job postings for insights into technologies and systems used.
  * Examine code repositories (e.g., GitHub) for exposed code or credentials.\
    **Tool:** [GitHub Search](https://github.com/search)
* Analyze SSL/TLS certificates for issuer details and expiration dates.\
  **Tool:** [SSL Labs](https://www.ssllabs.com/ssltest/)
* Perform Google dorking to find potentially sensitive information.\
  **Guide:** [Google Dorking Cheat Sheet](https://www.exploit-db.com/google-hacking-database)

#### Active Reconnaissance

* Conduct network and application scans (e.g., Nmap, Nessus).\
  **Tool:** [Nmap](https://nmap.org/)
* Identify and enumerate all subdomains.\
  **Tool:** [Amass](https://github.com/OWASP/Amass)
* Perform web crawling for hidden or dynamic content.\
  **Tool:** [Burp Suite](https://portswigger.net/burp)
* Map network topology and identify network devices.\
  **Tool:** [Netdiscover](https://github.com/alexxy/netdiscover)
* Identify technologies, platforms, and frameworks used in applications.\
  **Tool:** [Wappalyzer](https://www.wappalyzer.com/)
* Search for common vulnerabilities (e.g., default credentials, unpatched systems).\
  **Tool:** [OpenVAS](https://www.openvas.org/)
* Check for information leakage via metadata, HTML comments, etc.\
  **Tool:** [Metagoofil](https://github.com/laramies/metagoofil)

#### Social Engineering Opportunities

* Assess opportunities and methods for social engineering:
  * Monitor social media platforms for company-related disclosures.\
    **Tool:** [Social-Engineer Toolkit (SET)](https://github.com/trustedsec/social-engineer-toolkit)
  * Gather employee and organizational information from public sources.\
    **Tool:** [LinkedIn](https://www.linkedin.com/)

***

### 3. Vulnerability Analysis

#### Automated Scanning

* Validate and prioritize findings from automated scans.\
  **Tool:** [Nessus](https://www.tenable.com/products/nessus)
* Test for known vulnerabilities and possible exploits.\
  **Tool:** [OpenVAS](https://www.openvas.org/)
* Use vulnerability assessment tools to identify potential issues.\
  **Tool:** [Qualys](https://www.qualys.com/)

#### Manual Testing

* Analyze applications for common flaws:
  * SQL Injection (SQLi)\
    **Example:** [SQLi Cheat Sheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
  * Cross-Site Scripting (XSS)\
    **Example:** [XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
  * Cross-Site Request Forgery (CSRF)\
    **Example:** [CSRF Example](https://owasp.org/www-community/attacks/csrf)
  * Insecure Direct Object References (IDOR)\
    **Example:** [IDOR Example](https://portswigger.net/web-security/access-control/idor)
  * Insecure deserialization\
    **Example:** [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
* Conduct fuzz testing to discover new vulnerabilities.\
  **Tool:** [AFL (American Fuzzy Lop)](https://github.com/google/AFL)
* Review server and application configurations for misconfigurations.\
  **Tool:** [Lynis](https://cisofy.com/lynis/)
* Perform manual code reviews where feasible.\
  **Guide:** [OWASP Code Review Guide](https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf)
* Assess authentication and authorization mechanisms.\
  **Tool:** [Burp Suite](https://portswigger.net/burp)
* Check for sensitive data exposure (e.g., in URLs, API responses).\
  **Tool:** [ZAP (Zed Attack Proxy)](https://www.zaproxy.org/)
* Examine session management for weaknesses like session fixation.\
  **Guide:** [Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)

#### Network and Infrastructure

* Test for security misconfigurations in network devices (firewalls, routers).\
  **Tool:** [Nessus](https://www.tenable.com/products/nessus)
* Evaluate encryption and cryptographic practices, including SSL/TLS configurations.\
  **Tool:** [SSL Labs](https://www.ssllabs.com/ssltest/)
* Assess APIs for vulnerabilities such as improper authentication.\
  **Tool:** [Postman](https://www.postman.com/)
* Assess logging and monitoring controls for effectiveness.\
  **Tool:** [Splunk](https://www.splunk.com/)
* Examine third-party components and libraries for vulnerabilities.\
  **Tool:** [Dependency-Check](https://owasp.org/www-project-dependency-check/)

#### IoT Device Testing

* Firmware analysis for vulnerabilities.\
  **Tool:** [Binwalk](https://github.com/ReFirmLabs/binwalk)
* Assess communication protocol security (e.g., MQTT, CoAP).\
  **Tool:** [Wireshark](https://www.wireshark.org/)
* Perform hardware security testing (e.g., JTAG, UART interfaces).\
  **Tool:** [JTAGulator](https://www.jtagulator.com/)
* Evaluate over-the-air (OTA) update security.\
  **Tool:** [Firmware Analysis Toolkit](https://github.com/attify/firmware-analysis-toolkit)
* Check default configuration and hardcoded credentials.\
  **Tool:** [RouterSploit](https://github.com/threat9/routersploit)
* Assess RF communication security (e.g., Bluetooth, Zigbee).\
  **Tool:** [Ubertooth](https://github.com/greatscottgadgets/ubertooth)
* Review physical security controls.

#### Container Security

* Analyze Docker security configurations.\
  **Tool:** [Docker Bench for Security](https://github.com/docker/docker-bench-security)
* Assess Kubernetes cluster security.\
  **Tool:** [Kube-bench](https://github.com/aquasecurity/kube-bench)
* Perform container image scanning for vulnerabilities.\
  **Tool:** [Clair](https://github.com/quay/clair)
* Implement runtime security monitoring.\
  **Tool:** [Falco](https://falco.org/)
* Review service mesh configurations.\
  **Tool:** [Istio](https://istio.io/)
* Evaluate container orchestration security.\
  **Tool:** [Kubescape](https://github.com/kubescape/kubescape)
* Secure container registries.\
  **Tool:** [Harbor](https://goharbor.io/)

#### CI/CD Pipeline Security

* Secure source code management systems.\
  **Tool:** [GitGuardian](https://www.gitguardian.com/)
* Assess build pipeline security.\
  **Tool:** [Jenkins](https://www.jenkins.io/)
* Protect artifact repositories.\
  **Tool:** [Nexus Repository Manager](https://www.sonatype.com/nexus-repository-oss)
* Secure deployment processes.\
  **Tool:** [Argo CD](https://argoproj.github.io/argo-cd/)
* Evaluate Infrastructure as Code (IaC) security.\
  **Tool:** [Checkov](https://www.checkov.io/)
* Implement secrets management best practices.\
  **Tool:** [HashiCorp Vault](https://www.vaultproject.io/)
* Enforce pipeline access controls.\
  **Tool:** [Open Policy Agent (OPA)](https://www.openpolicyagent.org/)

#### Cloud Infrastructure

* Conduct cloud configuration reviews.\
  **Tool:** [Prowler](https://github.com/prowler-cloud/prowler)
* Assess Identity and Access Management (IAM) policies.\
  **Tool:** [CloudSploit](https://cloudsploit.com/)
* Secure storage services (e.g., S3 buckets, Blob storage).\
  **Tool:** [S3Scanner](https://github.com/sa7mon/S3Scanner)
* Review network security groups and firewall settings.\
  **Tool:** [Scout Suite](https://github.com/nccgroup/ScoutSuite)
* Evaluate serverless function security.\
  **Tool:** [Serverless Framework](https://www.serverless.com/)
* Test for misconfigurations in cloud environments.\
  **Tool:** [CloudMapper](https://github.com/duo-labs/cloudmapper)
* Assess cloud-specific vulnerabilities and exploits.\
  **Tool:** [Pacu](https://github.com/RhinoSecurityLabs/pacu)

#### OWASP Testing Guide

A comprehensive guide to testing the security of web applications.\
[OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)

#### NIST SP 800-115

Technical Guide to Information Security Testing and Assessment.\
[NIST SP 800-115](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf)

#### Cloud Penetration Testing Resources

* **AWS Penetration Testing Guidelines**\
  [AWS Penetration Testing Guidelines](https://aws.amazon.com/security/penetration-testing/)
* **Azure Penetration Testing**\
  [Microsoft Cloud Penetration Testing Rules of Engagement](https://docs.microsoft.com/en-us/azure/security/fundamentals/pen-testing)
* **Google Cloud Platform (GCP) Penetration Testing**\
  [GCP Penetration Testing Guidelines](https://cloud.google.com/security/penetration-testing)

#### Mobile Security Testing

* **OWASP Mobile Security Testing Guide**\
  A detailed guide for testing mobile applications' security.\
  [OWASP MSTG](https://owasp.org/www-project-mobile-security-testing-guide/)

#### Compliance and Standards

* Verify adherence to industry standards (e.g., OWASP Top Ten, NIST).\
  **Reference:** [OWASP Top Ten](https://owasp.org/www-project-top-ten/)
* Assess compliance with the organization's security policies and procedures.
* Map findings to compliance requirements (e.g., PCI DSS, ISO 27001).\
  **Reference:** [PCI DSS Requirements](https://www.pcisecuritystandards.org/document_library)

***

### 4. Exploitation

#### Initial Access

* Attempt to gain initial access through:
  * Phishing campaigns (with explicit permission).\
    **Tool:** [GoPhish](https://getgophish.com/)
  * Exploiting known vulnerabilities.\
    **Tool:** [Metasploit](https://www.metasploit.com/)
  * Using default or weak credentials.\
    **Tool:** [Hydra](https://github.com/vanhauser-thc/thc-hydra)
* Utilize exploit frameworks (e.g., Metasploit) responsibly and within scope.\
  **Tool:** [Metasploit](https://www.metasploit.com/)

#### Privilege Escalation

* Perform privilege escalation on compromised systems.\
  **Tool:** [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
* Exploit application logic flaws and business logic vulnerabilities.\
  **Example:** [Privilege Escalation Techniques](https://book.hacktricks.xyz/linux-unix/privilege-escalation)

#### Lateral Movement

* Explore lateral movement within the network.\
  **Tool:** [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
* Attempt to access other systems and resources.\
  **Tool:** [Mimikatz](https://github.com/gentilkiwi/mimikatz)

#### Security Evasion

* Attempt to bypass security controls like WAF, 2FA, etc.\
  **Tool:** [WAFW00F](https://github.com/EnableSecurity/wafw00f)
* Try to evade detection by security solutions (e.g., antivirus, IDS/IPS).\
  **Tool:** [Veil-Evasion](https://github.com/Veil-Framework/Veil-Evasion)
* Use custom or zero-day exploits cautiously and with explicit permission.\
  **Tool:** [Exploit-DB](https://www.exploit-db.com/)

#### Documentation

* Document each step of the exploitation process meticulously.
* Maintain detailed logs of all actions for accountability and analysis.
* Ensure all exploitation steps are reproducible and verifiable.

***

### 5. Post-Exploitation

#### Impact Analysis

* Identify and access critical data stores.
* Analyze the potential business and technical impacts of exploited vulnerabilities.
* Evaluate the likelihood of real-world exploitation based on findings.

#### Persistence and Cleanup

* Implement strategies for maintaining access, if necessary and authorized.\
  **Tool:** [Empire](https://github.com/EmpireProject/Empire)
* Remove all tools, scripts, and artifacts used during testing.
* Ensure no backdoors, test accounts, or persistence mechanisms remain.
* Verify that systems are restored to their pre-testing state.
* Confirm that no sensitive data was altered or left exposed.

#### Data Handling

* Adhere to secure data handling and processing procedures.
* Check for clear-text credentials and sensitive data in memory.\
  **Tool:** [Mimikatz](https://github.com/gentilkiwi/mimikatz)
* Simulate data exfiltration, if within the agreed scope.\
  **Tool:** [Dnscat2](https://github.com/iagox86/dnscat2)

#### Documentation

* Document all system alterations comprehensively.

***

### 6. Reporting

#### Report Preparation

* Create a detailed technical report documenting tools, techniques, and procedures used.
* Include evidence such as screenshots and logs.
* Provide clear, actionable remediation recommendations.
* Assign risk ratings to all identified vulnerabilities.
* Follow industry-standard reporting formats (e.g., PTES, NIST guidelines).\
  **Reference:** [PTES Reporting](http://www.pentest-standard.org/index.php/Reporting)
* Include a detailed methodology section explaining the testing approach.
* Provide references to relevant industry standards and best practices.

#### Executive Summary

* Prepare an executive summary for stakeholder review.
* Include both technical details and high-level overviews for different audiences.

#### Classification and Security

* Ensure the report is classified appropriately and sensitive data is secured.
* Offer a prioritized action plan with clear timelines for remediation.

#### Client Communication

* Conduct a read-out meeting with the client to discuss key findings.
* Suggest a timeline for follow-up assessments or retesting.

***

### 7. Remediation Verification

#### Retesting

* Allow a designated period for the client to remediate identified issues.
* Conduct retests to verify the effectiveness of fixes.
* Update the report with verification results and any new findings.
* Validate that security controls are now functioning as intended.

#### Unresolved Issues

* Document any unresolved security issues.
* Recommend strategies for ongoing monitoring and improvement.

#### Continuous Improvement

* Assist in identifying root causes to prevent future vulnerabilities.
* Recommend improvements to policies, procedures, and security practices.
* Propose integrating security into the software development lifecycle.
* Advise on the need for security awareness and training programs.
* Propose a schedule for regular future security audits.
* Provide guidance on implementing a vulnerability management program.
