CHECKLIST

A working/living curated checklist that can be modified as needed for various penetration testing engagements. Please feel free to build, modify and edit this list as you like.

---

Note taking: OneNote, GoogleDocs, GitBook, notepad++, Joplin, Obsidian Screen shots: Snipping tool, Greenshot, ShareX (GIF/video creation) Network Screenshots: Eyewitness, Gowitness, Aquatone

---

PROJECT LINKS: DATE RANGE: January 1st 2024 - January 8th, 2024 EXTRA NOTES:

---

Passive Enumeration

---

Passive Enumeration	Task Completion
Websites:
Shodan	☐
Maltego	☐
Censys	☐
Zoomeye	☐
DNS:
Wappalyzer	☐
DNS Dumpster	☐
crt-sh	☐
Netcraft	☐

---

OSINT

---

OSINT	Task Completion
Social Media Checks:
Facebook	☐
Twitter	☐
LinkedIn	☐
Reddit	☐
YouTube	☐
Cross-Platform Checks:
Sherlock	☐
WhatsMyName	☐
Email:
phonebook.cz	☐
TheHarvester	☐
GHunt	☐
HaveIbeenPwned	☐
Email Hippo	☐
h8mail	☐
Google Dorks:
info:	☐
define:	☐
insite:	☐
inurl	☐
filetype:	☐
GHDB check	☐
Google Advanced Search	☐
Breaches & Business:
IntelX	☐
DeHashed	☐
LeakCheck	☐
SnusBase	☐
CrunchBase	☐
Images:
Google Image Search	☐
Bing Image Search	☐
Aperisolve	☐

External Enumeration

---

External Enumeration	Task Completion
Major scanners:	☐
Nessus	☐
NMAP	☐
OpenVAS	☐
Directory Searches:
dirsearch	☐
Feroxbuster	☐
Gobuster	☐
Dirbuster	☐
Web:	☐
Burp Suite	☐
OWASP ZAP	☐
SQLmap	☐
Nikto	☐
WAF:	☐
wafw00f	☐
whatwaf	☐
Scans:	☐
Do initial scans require further testing?	☐
Scans exported	☐
VAPT created/modified	☐
Draft report created	☐
Report reviewed	☐
Screenshots and Notes Included?	☐

---

Internal Enumeration

---

Internal Enumeration	Task Completion
Basic Setup:	☐
ROE Signed?	☐
Scope checked?	☐
Jumpbox ready?	☐
Connection checks	☐
Folders created	☐
Tools installed/updated	☐
Wireshark/tcpdump setup?	☐
Metasploit:
Updated?	☐
Metasploit DB started?	☐
Capturing output of modules?	☐
Set global variables	☐
DNS:	☐
Sublist3r	☐
Amass	☐
dnsrecon	☐
DNspy	☐
Fierce	☐
dnsenum	☐
Kerberos Abuse/NTLM:	☐
Bloodhound	☐
Responder	☐
Rubeus	☐
Kerbrute	☐
MS-RPRN RPC:	☐
PetitPotam	☐
spoolsample	☐
SMB/SNMP/RPC:	☐
crackmapexec	☐
smbclient	☐
smbmap	☐
onesixtyone	☐
enum4linux	☐
rpcclient	☐
Impacket-rpcdump	☐
Brute-Forcing:	☐
Accounts Sprayed?	☐
Hashes cracked? Mimikatz, John, Hashcat	☐
Usernames/passwords exported to file	☐
Credentials stuffed?	☐
Default credentials checked?	☐
Specific Scans:	☐
Telnet	☐
SSH	☐
FTP	☐
SNMP	☐
Specialized Scans:	☐
Itwasalladream	☐
PRET	☐
log4j-scan Includes Apache Commons	☐
Spring4Shell	☐
IKE-scan	☐
Fuzzers:	☐
WFuzz	☐
ffuf	☐
Create Lists for:	☐
DC's, Exchange, SQL, FTP, Printers, VOIP, Mail, etc..	☐
Information Disclosures	☐

---

Post Exploitation/Privesc

---

Post Exploitation	Task Completion
Tools:	☐
Peass-ng	☐
LinEnum	☐
Evil-WinRM	☐
GTFO (LOLBAS) bins	☐
LoFP (Living off False Positives)	☐
Linuxprivchecker	☐
Exploit Suggester (Windows/Linux)	☐
Permissions/Information:	☐
System	☐
Services	☐
History	☐
Users	☐
Passwords	☐
Network	☐
Writeable Checks:	☐
/dev/shm	☐
/tmp/	☐
/var/tmp/	☐
/var/spool/vbox	☐
/var/spool/samba	☐

hostname | uname -a  
cat /proc/version | cat /etc/issue | lscpu 

services
ps au | ps aux | grep root
find / -perm -u=s -type f 2>/dev/null #(finds all perms with s)
ls -la /etc/cron.daily/

whoami | id -u  (for 0 response) | id -un | logname 
/[moomaddafucka]??/b??/[whatever]ho???
ls -la /home/ | ls -l ~/.ssh
cat /etc/passwd | cut -d : -f 1 | cat /etc/shadow | cat /etc/group
history | sudo su -  

network: ifconfig | ip a | ip route | arp a | ip neigh | netstat -ano

passwords
grep --color=auto -rnw '/' -ie "PASSWORD=" --color==always 2> /dev/null
locate password | more
find / -name '*yourtstring*' 
find / -name authorized_keys
find / -name id_rsa 2> /dev/null
find . -writable (For all files under the current directory that are writable by the current user)
find . ! -writable
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

find/ -path /proc -prune -o -type d -perm -o+w 2>/dev/null #find writable dirs
find/ -path /proc -prune -o -type f -perm -o+w 2>/dev/null #find writable files