Checklists

Source: External-Pentest-Checklist

LibreOffice can be used instead if you don’t have Excel or prefer not to use it.

Excel tabs

  1. To Do’s
  2. Scope
  3. Targets
  4. Password Spraying
  5. Breached Accounts
  6. Login Portals
  7. Findings & Strengths

To Do’s

| To Do’s | Status | Comments |
|---|---|---|
| Ensure ROE is signed by client | Outstanding | |
| Add IPs in scope to Scope tab | Outstanding | |
| Verify customer scope | Outstanding | |
| Send kickoff email | Outstanding | |
| Conduct vulnerability scanning with Nessus | Outstanding | |
| Identify e-mails/users/passwords in breach databases (Dehashed, breach-parse, etc.) | Outstanding | |
| Identify employees & email address format (LinkedIn, phonebook.cz, Clearbit, hunter.io, etc.) | Outstanding | |
| Identify client’s website(s) and search for any data useful to the assessment (job postings, system information, password policy, etc.) | Outstanding | |
| Attempt to enumerate any accounts on portals, password reset functions, etc. | Outstanding | |
| Run web app scans, if necessary | Outstanding | |
| Conduct manual testing and exploitation on targets | Outstanding | |
| Validate vulnerabilities reported by scanning tools | Outstanding | |
| Conduct password spraying, guessing and brute force on login portals | Outstanding | |
| Escalate access from external to internal | Outstanding | |
| Validate that previous year’s findings have been resolved | Outstanding | |
| Cleanup | Outstanding | |

Scope

| IP Range | Comments |
|---|---|
| 192.168.66.0/24 | |

Targets

| Host IP | URL | Status | Open Port | Comments/Findings |
|---|---|---|---|---|
| 192.168.66.21 | domain.com/admin | Compromised | 8080 | Password easy to guess |

Password Spraying

| Site | Account List | Passwords Tried |
|---|---|---|
| domain.com/portal | See usernames.txt | See passwords.txt |

Breached Accounts

| Users | Password from Breach |
|---|---|
| Zomby | H4x0r$Un173 |
| Admin | 123456789 |

Login Portals

| Login Pages | Comments |
|---|---|
| domain.com | No credentials |
| domains.com | Found credentials |

Findings & Strengths

| Finding/Issue | System/IP | Name | Screenshot | Comment |
|---|---|---|---|---|

| Strengths | System/IP | Name | Screenshot | Comment |
|---|---|---|---|---|