Penetration Testing Checklist

This penetration test plan outlines various services, protocols, and vulnerabilities to test across multiple ports and services including HTTP(S), SMTP, MySQL, NTP, IKE, DNS, SMB, and MS-SQL. For each one, it lists specific tests to perform such as checking for invalid SSL certificates, default credentials, vulnerabilities like Heartbleed, and enumeration techniques. It also provides a risk level assessment for each test from low to high risk and notes on findings or limitations. The goal is to conduct a thorough assessment of security weaknesses by testing for common issues and exploiting known vulnerabilities across the full network and system surfaces.

Uploaded by

HARI HARAN K R

Network Penetration Test Plan - Latest

| Test Page | Threats | Test Name | Risk | Status | Note |
|---|---|---|---|---|---|
| tcp/80, tcp/8080 (http) | Dangerous HTTP method? | DELETE, PUT etc.? | medium | | |
| | | TRACE? | low | | |
| | Sensitive content stored on the web server | Access sensitive content stored in files and directories on the web server | medium | | |
| | WebDAV is enabled | Write/delete sensitive content to/from the web root directory | high | | |
| | FrontPage extensions are enabled | Conduct remote authoring of web pages using IIS FrontPage extensions | high | | |
| | SQL Injection | Access and modify content on the web server using malicious queries | high | | |
| | Cross-Site Scripting | Execute malicious script in a client browser | high | | |
| | Internal IP on website | Gather information about internal IP addresses | info | | |
| | Metadata on website | Search for and find sensitive metadata inside static files stored on the website | medium | | |
| | Sniff cleartext usernames and passwords | Use Wireshark to sniff cleartext traffic | medium | | |
| | Check for directory listing | Use Dirb, Nikto, Nmap scripts | low | | Risk is based on the details we retrieve |
| | Apache Tomcat default credential check | Default login check with username and password | high | | try "tomcat" |
| 443/tcp, 8443/tcp (https) | Include the test cases of port 80 | Try all the test cases that are related to 443/tcp | na | | |
| | Check for invalid SSL certificate | Is the SSL certificate expired? | medium | | |
| | | Does the SSL certificate have a public key of 1024 bits or less? | low | | |
| | | Does the SSL certificate use an X.509 SHA-1 signature? | low | | |
| | | Is the SSL certificate self-signed? | low | | |
| | | Does the SSL certificate have a wildcard domain? | info | | |
| | Try all SSL/TLS related vulnerabilities | Check whether TLS 1.0, SSLv3 and SSLv2 are supported | low | | |
| | | Check for weak/medium ciphers | medium | | |
| | | Check for Sweet32 | low | | |
| | | Check for POODLE | medium | | |
| | | Check for BEAST | low | | |
| | | Check for CRIME | low | | |
| | | Check for FREAK | low | | |
| | | Check for Logjam | low | | |
| | | Check for DROWN | low | | |
| | | Check for RC4 ciphers | low | | |
| | | Check for BREACH | low | | |
| | | Check for Renegotiation | low | | |
| | | Check for ROBOT | medium | | |
| | | Check for CCS injection | medium | | |
| | | Check for Heartbleed | high | | |
| 25/tcp (SMTP) | Try all SSL/TLS related vulnerabilities | The same 15 SSL/TLS checks as for 443/tcp, with the same risk ratings (Heartbleed high; weak/medium ciphers, POODLE, ROBOT and CCS injection medium; all others low) | low to high | | |
| | Check for invalid SSL certificate | The same 5 certificate checks as for 443/tcp, with the same risk ratings (expired medium; key of 1024 bits or less, SHA-1 and self-signed low; wildcard info) | info to medium | | |
| tcp/3306 (my-sql) | Sniff cleartext usernames/passwords | Cleartext usernames and passwords | medium | | |
| | Do user enumeration | Is user enumeration possible? | info | | |
| | Test for default username/password | Using default username/password? | high | | |
| | Check for version | Vulnerable version? | medium | | |
| udp/123 (NTP) | NTP Server | NTP info can be used for exploiting known vulnerabilities | info | | |
| udp/500 (IKE) | Test using aggressive mode | Pre-shared key? | low | | |
| udp/53 (DNS) | DNS Recursion | Can the DNS server be brought down by creating large numbers of DNS queries? | medium | | |
| | DNS Zone Transfer | Obtain a list of all the hosts on the remote internal network by performing a zone transfer | medium | | |
| | DNS cache | DNS cache snooping against a DNS server | low | | |
| | DNS service on random port | Is the DNS service running on a different port? | low | | |
| tcp/3389 (ms-wbt-server) | Terminal service multiple vulnerabilities | Terminal Services Encryption Level is Medium or Low | low | | |
| | | Terminal Services doesn't use Network Level Authentication (NLA) only | low | | |
| | | Terminal Services Encryption Level is not FIPS-140 compliant | low | | |
| | Include the test cases of the HTTPS/SSL service (tcp/443) | Try all the test cases of HTTP/SSL | medium | | |
| tcp/1433 (ms-sql) | Microsoft SQL Server Enumeration | Microsoft SQL Server Configuration Enumerator | medium | | |
| | | Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration | medium | | |
| | | Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration | medium | | |
| | | Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration | medium | | |
| | | Microsoft SQL Server Escalate Db_Owner | high | | |
| | | Microsoft SQL Server SQLi Escalate Db_Owner | medium | | |
| | | Microsoft SQL Server Escalate EXECUTE AS | medium | | |
| | | Microsoft SQL Server SQLi Escalate Execute AS | medium | | |
| | | Microsoft SQL Server xp_cmdshell Command Execution | medium | | |
| | | Microsoft SQL Server Find and Sample Data | medium | | |
| | | Microsoft SQL Server Interesting Data Finder | medium | | |
| | | Microsoft SQL Server SQLi NTLM Stealer | high | | |
| | | Microsoft SQL Server Generic Query | medium | | |
| | User enumeration | Valid-user enumeration against the MS-SQL server | high | | |
| 445,137,138,139 (SMB) | Attempts to detect if a Microsoft SMBv1 server is vulnerable to | Run smb-vuln-ms17-010.nse nmap script | high | | |
| | Detects Microsoft Windows systems vulnerable to denial of service | Run smb-vuln-cve2009-3103.nse nmap script | high | | |
| | Tests whether target machines are vulnerable to ms10-061 Print | Run smb-vuln-ms10-061 nmap script | high | | |
| | Check for RRAS Memory Corruption vulnerability | Run smb-vuln-ms06-025 nmap script | high | | |
| | Check for Windows DNS RPC Interface Could Allow Remote Code Execution | Run smb-vuln-ms07-029 nmap script | high | | |
| | Check for Microsoft Windows system vulnerable to remote code execution | Run smb-vuln-ms08-067 nmap script | high | | |
| | Check for SMB remote memory corruption vulnerability | Run smb-vuln-ms10-054 nmap script | high | | |
| | Check for SMB null session and signing disabled | Check smb-enum-sessions.nse and smb-security-mode nmap scripts | medium | | |
| | Check for nbstat information | Run nbstat.nse nmap script | info | | |
| | Check for OS discovery | Run smb-os-discovery.nse nmap script | info | | |
| | Enumerate SMB shares | Use smbclient or Nmap script | low | | |
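The "Dangerous HTTP method?" and "WebDAV is enabled" rows above are most useful to a defender as a log review: a PUT, DELETE, TRACE or WebDAV request only shows the method is actually enabled when the server did not refuse it with 405/501. The following is an added example, not part of the plan, that scans combined-format access logs for those methods and tags each with the plan's own risk rating; the log lines, the regex and the `REFUSED` status set are constructed assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Risk ratings taken from the plan's rows: PUT/DELETE medium, TRACE low,
# WebDAV authoring methods high (the "WebDAV is enabled" row).
METHOD_RISK = {
    "PUT": "medium", "DELETE": "medium", "TRACE": "low",
    "PROPFIND": "high", "PROPPATCH": "high", "MKCOL": "high",
    "COPY": "high", "MOVE": "high", "LOCK": "high", "UNLOCK": "high",
}
# Statuses that mean the server refused the method outright (assumption);
# anything else means the method is routed and therefore enabled.
REFUSED = {"405", "501"}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_dangerous_methods(lines):
    """Count hits per (method, plan risk, enabled?) over an iterable of log lines."""
    findings = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in METHOD_RISK:
            continue
        enabled = rec["status"] not in REFUSED
        findings[(rec["method"], METHOD_RISK[rec["method"]], enabled)] += 1
    return findings

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "PUT /upload/test.txt HTTP/1.1" 201 0 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "DELETE /upload/test.txt HTTP/1.1" 405 0 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "TRACE / HTTP/1.1" 200 128 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 944 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 944 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for (method, risk, enabled), n in sorted(find_dangerous_methods(SAMPLE_LOG).items()):
        print(f"{method:<9} risk={risk:<6} {'ENABLED' if enabled else 'refused':<8} hits={n}")
```

Only the ENABLED rows are findings in the plan's sense; a refused DELETE confirms the method is blocked and can be recorded in the Status column as closed.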
