External Penetration Test Process/Checklist

Some of these items apply only to web application penetration testing.
  • [ ] Inventory Company's External Infrastructure
  • [ ] Create Topological Map of Network
  • [ ] Identify IP Addresses of the Target
  • [ ] Locate the network routes that lead to the target servers
  • [ ] Trace the TCP traffic path to the destination
  • [ ] Trace the UDP traffic path to the destination
  • [ ] Identify the physical location of the target servers
  • [ ] Examine the use of IPv6 at the remote location
  • [ ] Look up the domain registry (WHOIS) for IP information
  • [ ] Find IP block (netblock and ASN) information about the target
  • [ ] List Open Ports
  • [ ] List closed ports
  • [ ] List filtered ports (no reply or ICMP unreachable), which may hide firewalled services
  • [ ] Port scan every port (1-65535, TCP and UDP) on the target's network
  • [ ] Use SYN scan on the target and analyze the response.
  • [ ] Use connect scan on the target and analyze the response.
  • [ ] Use Xmas scan on the target and analyze the response.
  • [ ] Use FIN scan on the target and analyze the response.
  • [ ] Use null scan on the target and analyze the response (FIN, Xmas and null results are only meaningful against RFC 793-compliant stacks; Windows and many embedded stacks answer RST on every port, open or closed).
  • [ ] Examine TCP sequence number prediction
  • [ ] Examine the use of standard and nonstandard protocols.
  • [ ] Examine IP ID sequence number prediction
  • [ ] Examine the system uptime of the target
  • [ ] Examine the operating system used by different targets
  • [ ] Examine the patches applied to the operating system
  • [ ] Enumerate the DNS records of the domain and test for DNS hijacking (e.g. dangling records that point at resources no longer under the target's control)
  • [ ] List the programming languages, frameworks and application software behind the applications on the target server
  • [ ] Look for error messages and custom error pages
  • [ ] Guess different subdomain names and analyze different responses
  • [ ] Attempt session hijacking
  • [ ] Examine cookies generated by the server
  • [ ] Examine the Access Control used by the Web Server
  • [ ] Brute-force URL parameters and session tokens (check token length, entropy and predictability)
  • [ ] Check for directory consistency and page-naming syntax of the Web pages.
  • [ ] Look for sensitive information in the Web page source code.
  • [ ] Submit overlong input in fields to test for buffer overflows.
  • [ ] Submit out-of-range values in input fields.
  • [ ] Attempt escape-character injection
  • [ ] Try Cross-Site Scripting techniques.
  • [ ] Record and replay the traffic to the target Web Server and note the response
  • [ ] Try various SQL-injection techniques
  • [ ] Examine hidden fields
  • [ ] Examine Server-Side Includes (SSI)
  • [ ] Examine e-commerce and payment gateways handled by the Web Server
  • [ ] Examine welcome, error, and debug messages.
  • [ ] Probe the server through SMTP mail bouncing.
  • [ ] Grab the banner of the HTTP server
  • [ ] Grab the banner of the SMTP server
  • [ ] Grab the banner of the POP3 server.
  • [ ] Grab the banner of the FTP server.
  • [ ] Identify the Web Extensions used on the server
  • [ ] Try to use an HTTPS tunnel to encapsulate traffic.
  • [ ] OS Fingerprint Target Servers
  • [ ] Check for ICMP responses (Type 3 Destination Unreachable, Code 3 Port Unreachable)
  • [ ] Check for ICMP responses (Type 8 Echo Request)
  • [ ] Check for ICMP responses (Type 13 Timestamp Request)
  • [ ] Check for ICMP responses (Type 15 Information Request)
  • [ ] Check for ICMP responses (Type 17 Address Mask Request)
  • [ ] Check for ICMP Responses from broadcast address.
  • [ ] Port scan DNS servers (TCP/UDP 53)
  • [ ] Port scan TFTP servers (UDP 69)
  • [ ] Test for NTP ports (UDP 123)
  • [ ] Test for SNMP ports (UDP 161 and 162)
  • [ ] Test for Telnet ports (Port 23)
  • [ ] Test for LDAP ports (Port 389; LDAPS on 636)
  • [ ] Test for MSRPC, NetBIOS and SMB ports (Ports 135, 137-139 and 445)
  • [ ] Test for SQL Server ports (TCP 1433 and UDP 1434)
  • [ ] Test for Citrix ICA ports (Port 1494)
  • [ ] Test for Oracle ports (Port 1521)
  • [ ] Test for NFS ports (Port 2049, with portmapper on 111)
  • [ ] Test for RDP ports (Port 3389)
  • [ ] Test for Sybase ports (Port 5000)
  • [ ] Test for SIP ports (Port 5060; SIP over TLS on 5061)
  • [ ] Test for VNC ports (Ports 5800 and 5900)
  • [ ] Test for X11 ports (Port 6000)
  • [ ] Test for FTP ports (Port 21 for control, 20 for active-mode data)
  • [ ] Test for web server ports (Port 80)
  • [ ] Test for SSL/TLS server ports (Port 443)
  • [ ] Test for Kerberos and AD ports (TCP/UDP 88)
  • [ ] Test for SSH server ports (Port 22)
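As an added example (not part of the original checklist), the Python script below ties the port-scanning items (SYN, connect, Xmas, FIN and null scans; open, closed and filtered port lists) to the service port list above. It builds one nmap command line per scan type over the listed ports, parses nmap's grepable (-oG) output into open/closed/filtered lists with the checklist service names, and cross-checks the SYN and FIN results per host so a stack that answers RST on every port is flagged instead of being misread as "all ports closed". The port table, the scans/ output directory, the 192.0.2.0/28 target and the embedded sample scan output are constructed assumptions.

```python
import re
import shlex

# Checklist services with their customary ports (assumption: standard IANA
# assignments; adjust to the engagement's scope and to what the scans find).
CHECKLIST_PORTS = {
    ("tcp", 20): "ftp-data", ("tcp", 21): "ftp", ("tcp", 22): "ssh", ("tcp", 23): "telnet",
    ("tcp", 25): "smtp", ("tcp", 53): "dns", ("tcp", 80): "http", ("tcp", 88): "kerberos",
    ("tcp", 110): "pop3", ("tcp", 135): "msrpc", ("tcp", 139): "netbios-ssn",
    ("tcp", 389): "ldap", ("tcp", 443): "https", ("tcp", 445): "smb", ("tcp", 1433): "mssql",
    ("tcp", 1494): "citrix-ica", ("tcp", 1521): "oracle", ("tcp", 2049): "nfs",
    ("tcp", 3389): "rdp", ("tcp", 5000): "sybase", ("tcp", 5060): "sip", ("tcp", 5800): "vnc-http",
    ("tcp", 5900): "vnc", ("tcp", 6000): "x11",
    ("udp", 53): "dns", ("udp", 69): "tftp", ("udp", 88): "kerberos", ("udp", 123): "ntp",
    ("udp", 137): "netbios-ns", ("udp", 138): "netbios-dgm", ("udp", 161): "snmp",
    ("udp", 162): "snmp-trap", ("udp", 1434): "mssql-browser", ("udp", 5060): "sip",
}
SCAN_TYPES = {"syn": "-sS", "connect": "-sT", "xmas": "-sX", "fin": "-sF", "null": "-sN"}


def scan_commands(target: str, outdir: str = "scans") -> dict:
    """One nmap command line per checklist scan type over the checklist's TCP
    ports, plus a UDP run. -sS/-sX/-sF/-sN and -sU need raw-socket privileges;
    the -oG file each run writes is what parse_grepable() consumes."""
    tcp = ",".join(str(p) for proto, p in sorted(CHECKLIST_PORTS) if proto == "tcp")
    udp = ",".join(str(p) for proto, p in sorted(CHECKLIST_PORTS) if proto == "udp")
    cmds = {name: "nmap %s -Pn -p %s -oG %s/%s.gnmap %s" % (flag, tcp, outdir, name, shlex.quote(target))
            for name, flag in SCAN_TYPES.items()}
    cmds["udp"] = "nmap -sU -Pn -p %s -oG %s/udp.gnmap %s" % (udp, outdir, shlex.quote(target))
    return cmds


# port/state/protocol/owner/service/rpc-info/version/ as nmap -oG writes each port
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text: str) -> dict:
    """nmap -oG text -> {host: {"open": [(port, proto, service, version), ...],
    "closed": [...], "filtered": [...], "open|filtered": [...],
    "ignored": (state, count)}}. Service names come from the checklist table."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        entry = hosts.setdefault(line.split()[1], {})
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            name = CHECKLIST_PORTS.get((proto, int(port)), service or "unknown")
            entry.setdefault(state, []).append((int(port), proto, name, version))
        m = re.search(r"Ignored State: ([\w|]+) \((\d+)\)", line)  # state nmap collapsed
        if m:
            entry["ignored"] = (m.group(1), int(m.group(2)))
    return hosts


def tcp_stack_hint(syn: dict, fin: dict) -> dict:
    """Cross-check SYN and FIN results. An RFC 793 stack ignores a FIN to an open
    port (nmap reports open|filtered) and RSTs a closed one; Windows and many
    embedded stacks RST every port, so every SYN-open port comes back 'closed'
    under FIN: the FIN/NULL/Xmas runs then say nothing about ports but a lot about the OS."""
    hints = {}
    for host, res in syn.items():
        syn_open = {p for p, proto, _, _ in res.get("open", []) if proto == "tcp"}
        if not syn_open:
            continue
        fin_silent = {p for p, _, _, _ in fin.get(host, {}).get("open|filtered", [])}
        if syn_open & fin_silent:
            hints[host] = "RFC 793 behaviour: FIN results consistent with SYN scan"
        else:
            hints[host] = "RST on open ports: non-RFC stack (Windows-like); discard FIN/NULL/Xmas port states"
    return hints


# Constructed sample output in nmap's grepable layout (not from a real scan).
SAMPLE_SYN = """# Nmap 7.94 scan initiated as: nmap -sS -Pn -oG scans/syn.gnmap 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.24/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (21)
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 1494/closed/tcp//citrix-ica///\tIgnored State: filtered (21)
"""
SAMPLE_FIN = """Host: 192.0.2.10 ()\tPorts: 22/open|filtered/tcp//ssh///, 80/open|filtered/tcp//http///, 3389/open|filtered/tcp//ms-wbt-server///\tIgnored State: closed (21)
Host: 192.0.2.20 ()\tPorts: 445/closed/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///, 1494/closed/tcp//citrix-ica///\tIgnored State: open|filtered (21)
"""

if __name__ == "__main__":
    for name, cmd in scan_commands("192.0.2.0/28").items():
        print(name, "->", cmd)
    syn, fin = parse_grepable(SAMPLE_SYN), parse_grepable(SAMPLE_FIN)
    for host, res in syn.items():
        print(host, res)
    print(tcp_stack_hint(syn, fin))
```

In the sample, 192.0.2.10 behaves like an RFC 793 stack (its SYN-open ports stay silent under FIN), while 192.0.2.20 RSTs every port it does not firewall, so its FIN results are useful only as an OS hint. Swap in real -oG files for the SAMPLE_* strings and keep the SYN and FIN runs over the same port list so the comparison is meaningful.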
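The ICMP checks above (echo, timestamp, information and address mask requests, and Type 3 Code 3 port unreachable), as an added example that is not part of the original checklist: a Python script that builds each request type with a correct RFC 1071 checksum, sends it from a raw socket and classifies the reply as answered, unreachable (with the port-unreachable code called out), bad checksum or no reply. Which request types a host answers is itself a fingerprint (most modern stacks ignore types 15 and 17 and many ignore 13), and a timestamp reply also exposes the target's clock. The placeholder target 192.0.2.1, the identifier 0x1234 and the 2-second timeout are assumptions; sending needs root or CAP_NET_RAW.

```python
import socket
import struct
import time

# Checklist request types and the reply type each should draw (RFC 792; the
# address mask pair is from RFC 950). Type 3 is Destination Unreachable and
# code 3 within it is Port Unreachable.
ECHO_REQUEST, TIMESTAMP_REQUEST, INFO_REQUEST, MASK_REQUEST = 8, 13, 15, 17
REPLY_FOR = {ECHO_REQUEST: 0, TIMESTAMP_REQUEST: 14, INFO_REQUEST: 16, MASK_REQUEST: 18}
DEST_UNREACH, PORT_UNREACH_CODE = 3, 3
IDENT = 0x1234  # assumption: fixed identifier used to match replies to our probes


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. A message whose checksum
    field is already filled in sums to 0, which is how replies are validated."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_probe(icmp_type: int, ident: int = IDENT, seq: int = 1) -> bytes:
    """Request of the given type with a valid checksum. Timestamp requests carry
    originate/receive/transmit fields (ms since midnight UTC), mask requests a
    zeroed 32-bit mask; echo and information requests need no body here."""
    if icmp_type == TIMESTAMP_REQUEST:
        t = time.gmtime()
        originate = (t.tm_hour * 3600 + t.tm_min * 60 + t.tm_sec) * 1000
        body = struct.pack("!III", originate, 0, 0)
    elif icmp_type == MASK_REQUEST:
        body = struct.pack("!I", 0)
    elif icmp_type in (ECHO_REQUEST, INFO_REQUEST):
        body = b""
    else:
        raise ValueError("unsupported ICMP request type %d" % icmp_type)
    unsummed = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + body
    return unsummed[:2] + struct.pack("!H", icmp_checksum(unsummed)) + unsummed[4:]


def parse_reply(datagram: bytes, request_type: int) -> dict:
    """Classify one raw IPv4 datagram (IP header included, as SOCK_RAW delivers it)."""
    ihl = (datagram[0] & 0x0F) * 4
    icmp = datagram[ihl:]
    if len(icmp) < 8:
        return {"status": "short"}
    if icmp_checksum(icmp) != 0:
        return {"status": "bad-checksum"}
    itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    info = {"type": itype, "code": code, "id": ident, "seq": seq}
    if itype == REPLY_FOR.get(request_type):
        info["status"] = "answered"
        if itype == 14 and len(icmp) >= 20:
            # Receive/transmit stamps come from the target's clock: useful for
            # clock-skew and uptime work, and a hint about the OS family.
            info["timestamps"] = struct.unpack("!III", icmp[8:20])
        elif itype == 18 and len(icmp) >= 12:
            info["mask"] = socket.inet_ntoa(icmp[8:12])
    elif itype == DEST_UNREACH:
        info["status"] = "unreachable" + (" (port)" if code == PORT_UNREACH_CODE else "")
    else:
        info["status"] = "other"
    return info


def probe(host: str, icmp_type: int, timeout: float = 2.0) -> dict:
    """Send one request and wait for a reply carrying our identifier, or for an
    unreachable message. A raw ICMP socket sees every ICMP message the host
    receives, so unrelated traffic is skipped rather than misreported."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(icmp_type), (host, 0))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                datagram, _ = s.recvfrom(1500)
            except socket.timeout:
                break
            info = parse_reply(datagram, icmp_type)
            if info.get("id") == IDENT or info.get("status", "").startswith("unreachable"):
                return info
    return {"status": "no-reply"}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # assumption: TEST-NET-1 placeholder
    for t in (ECHO_REQUEST, TIMESTAMP_REQUEST, INFO_REQUEST, MASK_REQUEST):
        print("type %2d -> %s" % (t, probe(target, t)))
```

Record the pattern of answered and silent types per host next to the OS fingerprinting result; a host that answers timestamp requests but not address mask requests, for instance, narrows the candidate OS families, and the timestamp values feed the uptime check.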