Some of these items are only used for Web Application Penetration Testing
- [ ] Inventory Company's External Infrastructure
- [ ] Create Topological Map of Network
- [ ] Identify IP Addresses of the Target
- [ ] Locate the traffic routes that go to the servers
- [ ] Trace the TCP traffic Path to the destination
- [ ] Trace the UDP traffic Path to the destination
- [ ] Identify the physical location of the target servers
- [ ] Examine the use of IPv6 at the remote location
- [ ] Look up the domain registry for IP information
- [ ] Find IP block information about the target
- [ ] List Open Ports
- [ ] List Closed Ports
- [ ] List Suspicious Ports that may be stealth ports
- [ ] Port scan every port on the target's network
- [ ] Use SYN scan on the target and analyze the response.
- [ ] Use connect scan on the target and analyze the response.
- [ ] Use Xmas scan on the target and analyze the response.
- [ ] Use FIN scan on the target and analyze the response.
- [ ] Use null scan on the target and analyze the response.
- [ ] Examine TCP sequence number prediction
- [ ] Examine the use of standard and nonstandard protocols.
- [ ] Examine IP ID sequence number prediction
- [ ] Examine the system uptime of the target
- [ ] Examine the operating system used by different targets
- [ ] Examine the patches applied to the operating system
- [ ] Locate the DNS record of the domain and attempt DNS Hijacking
- [ ] List programming languages and application software used to create various programs on the target server
- [ ] Look for errors and custom web pages
- [ ] Guess different subdomain names and analyze different responses
- [ ] Hijack sessions
- [ ] Examine cookies generated by the server
- [ ] Examine the Access Control used by the Web Server
- [ ] Brute-force URL injection and session tokens
- [ ] Check for directory consistency and page-naming syntax of the Web pages.
- [ ] Look for sensitive information in the Web page source code.
- [ ] Try buffer overflow attempts in input fields.
- [ ] Look for invalid ranges in input fields.
- [ ] Attempt escape-character injection
- [ ] Try Cross-Site Scripting techniques.
- [ ] Record and replay the traffic to the target Web Server and note the response
- [ ] Try various SQL-injection techniques
- [ ] Examine hidden fields
- [ ] Examine Server-Side Includes (SSI)
- [ ] Examine e-commerce and payment gateways handled by the Web Server
- [ ] Examine welcome, error, and debug messages.
- [ ] Probe the server through SMTP mail bouncing.
- [ ] Grab the banners of HTTP Server
- [ ] Grab the banners of SMTP Server
- [ ] Grab the banners of POP3 Servers.
- [ ] Grab the banners of FTP Servers.
- [ ] Identify the Web Extensions used on the server
- [ ] Try to use an HTTPS tunnel to encapsulate traffic.
- [ ] OS Fingerprint Target Servers
- [ ] Check for ICMP Responses (Type 3 Port Unreachable)
- [ ] Check for ICMP Responses (Type 8 Echo Request)
- [ ] Check for ICMP Responses (Type 13 Time-Stamp Request)
- [ ] Check for ICMP Responses (Type 15 Information Request)
- [ ] Check for ICMP Responses (Type 17 Subnet Address Mask Request)
- [ ] Check for ICMP Responses from broadcast address.
- [ ] Port Scan DNS Server (TCP/UDP 53)
- [ ] Port Scan TFTP Servers (Port 69)
- [ ] Test for NTP Ports (Port 123)
- [ ] Test for SNMP Ports (Ports 161 and 162)
- [ ] Test for Telnet Ports (Port 23)
- [ ] Test for LDAP Ports (Port 389)
- [ ] Test for NetBIOS Ports (Ports 135-139 and 445)
- [ ] Test for SQL Server Ports (Ports 1433 and 1434)
- [ ] Test for Citrix Ports (Port 1495)
- [ ] Test for Oracle Ports (Port 1521)
- [ ] Test for NFS Ports (Port 2049)
- [ ] Test for RDP Ports (Port 3389)
- [ ] Test for Sybase Ports (Port 5000)
- [ ] Test for SIP Ports (Port 5060)
- [ ] Test for VNC Ports (Ports 5800 and 5900)
- [ ] Test for X11 Ports (Port 6000)
- [ ] Test for FTP Ports (Port 20)
- [ ] Test for Web Server Ports (Port 80)
- [ ] Test for SSL Server Ports (Port 443)
- [ ] Test for Kerberos and AD Ports (TCP/UDP Port 88)
- [ ] Test for SSH Server Ports (Port 22)