Penetration Testing Guide & Checklist
Digubah dari: https://github.com/iAnonymous3000/awesome-pentest-checklist
Overview
A comprehensive guide for ethical penetration testing, meticulously designed to cover all phases of a penetration test. This step-by-step checklist ensures thorough coverage from preparation to reporting, ideal for both novice and experienced testers.
Step
1. Pre-Engagement
Legal and Compliance
Secure a Non-Disclosure Agreement (NDA): Example NDA Template: NDA Template by LegalTemplates
Obtain formal, written authorization for testing.
Ensure legal compliance with all relevant laws and regulations (e.g., GDPR, HIPAA).
Obtain appropriate insurance coverage (e.g., professional liability insurance).
Establish additional confidentiality agreements if necessary.
Scope Definition
Collect comprehensive client and system information.
Define the scope and rules of engagement clearly:
Identify in-scope and out-of-scope systems and applications.
Confirm any limitations or constraints (e.g., testing windows, sensitive systems).
Agree on acceptable testing methodologies and tools.
Establish safe testing periods to minimize business impact.
Identify third-party systems and obtain necessary permissions.
Example Scoping Document: Scoping Template by SANS Institute
Communication and Planning
Set specific, measurable success criteria.
Establish emergency contact and response protocols.
Define data handling and storage protocols:
Agree on how sensitive data will be stored, transmitted, and destroyed.
Agree on communication channels and reporting frequency with the client:
Set up regular check-ins and progress updates.
Clarify testing schedule and time frame.
Ensure the penetration testing team has the necessary skills and certifications.
2. Information Gathering
Passive Reconnaissance
Perform WHOIS lookups and analyze domain registration information. Tool: WHOIS Lookup by ICANN
Conduct DNS analysis and enumerate subdomains. Tool: Sublist3r
Undertake passive information gathering (e.g., Shodan, Censys). Tool: Shodan
Utilize Open Source Intelligence (OSINT) techniques:
Gather information from social media, public forums, and past breaches. Tool: Maltego
Review job postings for insights into technologies and systems used.
Examine code repositories (e.g., GitHub) for exposed code or credentials. Tool: GitHub Search
Analyze SSL/TLS certificates for issuer details and expiration dates. Tool: SSL Labs
Perform Google dorking to find potentially sensitive information. Guide: Google Dorking Cheat Sheet
Active Reconnaissance
Conduct network and application scans (e.g., Nmap, Nessus). Tool: Nmap
Identify and enumerate all subdomains. Tool: Amass
Perform web crawling for hidden or dynamic content. Tool: Burp Suite
Map network topology and identify network devices. Tool: Netdiscover
Identify technologies, platforms, and frameworks used in applications. Tool: Wappalyzer
Search for common vulnerabilities (e.g., default credentials, unpatched systems). Tool: OpenVAS
Check for information leakage via metadata, HTML comments, etc. Tool: Metagoofil
Social Engineering Opportunities
Assess opportunities and methods for social engineering:
Monitor social media platforms for company-related disclosures. Tool: Social-Engineer Toolkit (SET)
Gather employee and organizational information from public sources. Tool: LinkedIn
3. Vulnerability Analysis
Automated Scanning
Validate and prioritize findings from automated scans. Tool: Nessus
Test for known vulnerabilities and possible exploits. Tool: OpenVAS
Use vulnerability assessment tools to identify potential issues. Tool: Qualys
Manual Testing
Analyze applications for common flaws:
SQL Injection (SQLi) Example: SQLi Cheat Sheet
Cross-Site Scripting (XSS) Example: XSS Cheat Sheet
Cross-Site Request Forgery (CSRF) Example: CSRF Example
Insecure Direct Object References (IDOR) Example: IDOR Example
Insecure deserialization Example: Deserialization Cheat Sheet
Conduct fuzz testing to discover new vulnerabilities. Tool: AFL (American Fuzzy Lop)
Review server and application configurations for misconfigurations. Tool: Lynis
Perform manual code reviews where feasible. Guide: OWASP Code Review Guide
Assess authentication and authorization mechanisms. Tool: Burp Suite
Check for sensitive data exposure (e.g., in URLs, API responses). Tool: ZAP (Zed Attack Proxy)
Examine session management for weaknesses like session fixation. Guide: Session Management Cheat Sheet
Network and Infrastructure
Test for security misconfigurations in network devices (firewalls, routers). Tool: Nessus
Evaluate encryption and cryptographic practices, including SSL/TLS configurations. Tool: SSL Labs
Assess APIs for vulnerabilities such as improper authentication. Tool: Postman
Assess logging and monitoring controls for effectiveness. Tool: Splunk
Examine third-party components and libraries for vulnerabilities. Tool: Dependency-Check
IoT Device Testing
Firmware analysis for vulnerabilities. Tool: Binwalk
Assess communication protocol security (e.g., MQTT, CoAP). Tool: Wireshark
Perform hardware security testing (e.g., JTAG, UART interfaces). Tool: JTAGulator
Evaluate over-the-air (OTA) update security. Tool: Firmware Analysis Toolkit
Check default configuration and hardcoded credentials. Tool: RouterSploit
Assess RF communication security (e.g., Bluetooth, Zigbee). Tool: Ubertooth
Review physical security controls.
Container Security
Analyze Docker security configurations. Tool: Docker Bench for Security
Assess Kubernetes cluster security. Tool: Kube-bench
Perform container image scanning for vulnerabilities. Tool: Clair
Implement runtime security monitoring. Tool: Falco
Review service mesh configurations. Tool: Istio
Evaluate container orchestration security. Tool: Kubescape
Secure container registries. Tool: Harbor
CI/CD Pipeline Security
Secure source code management systems. Tool: GitGuardian
Assess build pipeline security. Tool: Jenkins
Protect artifact repositories. Tool: Nexus Repository Manager
Secure deployment processes. Tool: Argo CD
Evaluate Infrastructure as Code (IaC) security. Tool: Checkov
Implement secrets management best practices. Tool: HashiCorp Vault
Enforce pipeline access controls. Tool: Open Policy Agent (OPA)
Cloud Infrastructure
Conduct cloud configuration reviews. Tool: Prowler
Assess Identity and Access Management (IAM) policies. Tool: CloudSploit
Secure storage services (e.g., S3 buckets, Blob storage). Tool: S3Scanner
Review network security groups and firewall settings. Tool: Scout Suite
Evaluate serverless function security. Tool: Serverless Framework
Test for misconfigurations in cloud environments. Tool: CloudMapper
Assess cloud-specific vulnerabilities and exploits. Tool: Pacu
OWASP Testing Guide
A comprehensive guide to testing the security of web applications. OWASP Testing Guide
NIST SP 800-115
Technical Guide to Information Security Testing and Assessment. NIST SP 800-115
Cloud Penetration Testing Resources
AWS Penetration Testing Guidelines AWS Penetration Testing Guidelines
Azure Penetration Testing Microsoft Cloud Penetration Testing Rules of Engagement
Google Cloud Platform (GCP) Penetration Testing GCP Penetration Testing Guidelines
Mobile Security Testing
OWASP Mobile Security Testing Guide A detailed guide for testing mobile applications' security. OWASP MSTG
Compliance and Standards
Verify adherence to industry standards (e.g., OWASP Top Ten, NIST). Reference: OWASP Top Ten
Assess compliance with the organization's security policies and procedures.
Map findings to compliance requirements (e.g., PCI DSS, ISO 27001). Reference: PCI DSS Requirements
4. Exploitation
Initial Access
Attempt to gain initial access through:
Phishing campaigns (with explicit permission). Tool: GoPhish
Exploiting known vulnerabilities. Tool: Metasploit
Using default or weak credentials. Tool: Hydra
Utilize exploit frameworks (e.g., Metasploit) responsibly and within scope. Tool: Metasploit
Privilege Escalation
Perform privilege escalation on compromised systems. Tool: LinPEAS
Exploit application logic flaws and business logic vulnerabilities. Example: Privilege Escalation Techniques
Lateral Movement
Explore lateral movements within the network. Tool: CrackMapExec
Attempt to access other systems and resources. Tool: Mimikatz
Security Evasion
Attempt to bypass security controls like WAF, 2FA, etc. Tool: WAFW00F
Try to evade detection by security solutions (e.g., antivirus, IDS/IPS). Tool: Veil-Evasion
Use custom or zero-day exploits cautiously and with explicit permission. Tool: Exploit-DB
Documentation
Document each step of the exploitation process meticulously.
Maintain detailed logs of all actions for accountability and analysis.
Ensure all exploitation steps are reproducible and verifiable.
5. Post-Exploitation
Impact Analysis
Identify and access critical data stores.
Analyze the potential business and technical impacts of exploited vulnerabilities.
Evaluate the likelihood of real-world exploitation based on findings.
Persistence and Cleanup
Implement strategies for maintaining access, if necessary and authorized. Tool: Empire
Remove all tools, scripts, and artifacts used during testing.
Ensure no backdoors, test accounts, or persistence mechanisms remain.
Verify that systems are restored to their pre-testing state.
Confirm that no sensitive data was altered or left exposed.
Data Handling
Adhere to secure data handling and processing procedures.
Check for clear-text credentials and sensitive data in memory. Tool: Mimikatz
Simulate data exfiltration, if within the agreed scope. Tool: Dnscat2
Documentation
Document all system alterations comprehensively.
6. Reporting
Report Preparation
Create a detailed technical report documenting tools, techniques, and procedures used.
Include evidence such as screenshots and logs.
Provide clear, actionable remediation recommendations.
Assign risk ratings to all identified vulnerabilities.
Follow industry-standard reporting formats (e.g., PTES, NIST guidelines). Reference: PTES Reporting
Include a detailed methodology section explaining the testing approach.
Provide references to relevant industry standards and best practices.
Executive Summary
Prepare an executive summary for stakeholder review.
Include both technical details and high-level overviews for different audiences.
Classification and Security
Ensure the report is classified appropriately and sensitive data is secured.
Offer a prioritized action plan with clear timelines for remediation.
Client Communication
Conduct a read-out meeting with the client to discuss key findings.
Suggest a timeline for follow-up assessments or retesting.
7. Remediation Verification
Retesting
Allow a designated period for the client to remediate identified issues.
Conduct retests to verify the effectiveness of fixes.
Update the report with verification results and any new findings.
Validate that security controls are now functioning as intended.
Unresolved Issues
Document any unresolved security issues.
Recommend strategies for ongoing monitoring and improvement.
Continuous Improvement
Assist in identifying root causes to prevent future vulnerabilities.
Recommend improvements to policies, procedures, and security practices.
Propose integrating security into the software development lifecycle.
Advise on the need for security awareness and training programs.
Propose a schedule for regular future security audits.
Provide guidance on implementing a vulnerability management program.
Last updated