Check List
My thought process and general guidelines to approach a target
Web (80/443)
Fingerprint Web Server
Apache/Nginx/IIS Server Headers
Etag Headers Information Leakage
Source Code (HTTP/JS/CSS) Comments
Burp Suite Map → Engagement Tools → Find Comments/Scripts
egrep -r '<!--|[^:]/[/*][^/]' --include='*.html' --include='*.js' .
(the [^:] keeps the // in http:// out of the matches)
Metafiles (robots.txt, sitemap.xml, .htaccess, aspnet_client)
Old, Backup and Forgotten Files (Wayback URLs)
Finding Hidden Parameters
Technology Stack
CMS & Services
Default Credentials & Paths
Version Number
Identify Entry Point
Directory Brute-forcing
DNS Subdomain Brute-forcing
Virtual Host Brute-forcing
Configuration
HTTP Methods
Security Headers
Cipher Suites
HTTP Request Smuggling
HTTP Strict Transport Security (HSTS header, 80 -> 443 Redirection)
RIA Cross Domain Policy (crossdomain.xml, clientaccesspolicy.xml)
Subdomain Takeover
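Added example (not code from the original checklist): a Python audit of a raw HTTP response head covering the fingerprinting and configuration items above, Server/X-Powered-By version strings, Apache's inode-leaking ETag format, missing security headers, a weak HSTS policy and risky methods in Allow. The sample response is constructed to look like a default legacy Apache/PHP host; the header baseline is an assumed one, adjust it per engagement.

```python
"""Audit an HTTP response head for fingerprint and configuration findings.
Added example; SAMPLE_RESPONSE is constructed, not captured from a real host."""
import re

# Constructed sample (assumed values, not a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "ETag: \"1a2b3c-5d4-5f8e1c2a3b4c5\"\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE,PUT\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers whose absence is reported (assumed baseline).
EXPECTED_HEADERS = {
    "content-security-policy": "no Content-Security-Policy (XSS/clickjacking mitigation missing)",
    "x-frame-options": "no X-Frame-Options (or CSP frame-ancestors): clickjacking",
    "x-content-type-options": "no X-Content-Type-Options: nosniff",
    "referrer-policy": "no Referrer-Policy",
    "strict-transport-security": "no HSTS header",
}
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT", "PATCH"}
ONE_YEAR = 31536000


def parse_headers(raw):
    """Return (status_line, {lower-case name: value}) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_etag(etag):
    """Apache's default FileETag (INode MTime Size) produces three hex fields;
    the inode field leaks filesystem detail. Returns the decoded fields or None."""
    value = (etag or "").strip()
    if value.startswith("W/"):
        value = value[2:]
    parts = value.strip('"').split("-")
    if len(parts) == 3 and all(re.fullmatch(r"[0-9a-f]+", p) for p in parts):
        inode, size, mtime = (int(p, 16) for p in parts)
        return {"inode": inode, "size": size, "mtime": mtime}
    return None


def audit_hsts(value):
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return ["HSTS present but has no max-age"]
    if int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age %s is under one year" % m.group(1))
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def audit_response(raw):
    """Return a list of human-readable findings for one response."""
    _status, h = parse_headers(raw)
    findings = []
    for banner in ("server", "x-powered-by", "x-aspnet-version"):
        if banner in h and re.search(r"\d", h[banner]):
            findings.append("version disclosed in %s: %s" % (banner, h[banner]))
    etag = audit_etag(h.get("etag"))
    if etag:
        findings.append("ETag leaks inode %d (size %d bytes)" % (etag["inode"], etag["size"]))
    for name, msg in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(msg)
    if "strict-transport-security" in h:
        findings.extend(audit_hsts(h["strict-transport-security"]))
    if "allow" in h:
        allowed = {m.strip().upper() for m in h["allow"].split(",")}
        risky = sorted(allowed & RISKY_METHODS)
        if risky:
            findings.append("risky methods advertised in Allow: " + ", ".join(risky))
    return findings


if __name__ == "__main__":
    for f in audit_response(SAMPLE_RESPONSE):
        print("-", f)
```

Feed it the head of a real response (e.g. the bytes from `curl -si` or an OPTIONS request) instead of SAMPLE_RESPONSE; the Allow check only fires if the server answers OPTIONS, so still test TRACE and PUT directly.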
Authentication Management
Account Takeover
Weak Lockout Policy
Weak Password Policy
Weak Security Question
Weak Password Change Functionality
Remember Password Functionality
Multi-Factor Authentication
Browser Cache Weakness
Rate Limiting Controls
Authorization Management
IDOR
Directory Traversal, File Inclusion
OAuth & OIDC Testing / SAML Testing
Session Management
Cookies Attributes
Session Hijacking
Session Fixation
Session Puzzling
Session Timeout
CSRF
Logout Functionality
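Added example (not code from the original checklist): a Python check of Set-Cookie values for the cookie attribute items above, Secure, HttpOnly, SameSite, over-broad Domain, persistent session cookies and the __Host-/__Secure- prefix rules. The cookie names and values are constructed.

```python
"""Audit Set-Cookie headers for session-cookie weaknesses.
Added example; all cookie values below are constructed, not captured."""

# Names treated as session identifiers (assumed list, extend per target).
SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "session", "sessionid", "sid"}


def parse_set_cookie(header):
    """Return (name, value, {attribute-lower: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return (cookie name, list of findings)."""
    name, value, attrs = parse_set_cookie(header)
    lname = name.lower()
    is_session = lname in SESSION_NAMES or lname.startswith(("__host-", "__secure-"))
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure (sent over plaintext HTTP)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly (readable by script: XSS -> session hijacking)")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("no SameSite (set Lax or Strict explicitly)")
    elif samesite == "none":
        findings.append("SameSite=None (sent cross-site; CSRF tokens must carry the load)")
    if "domain" in attrs:
        findings.append("Domain=%s (shared with every subdomain)" % attrs["domain"])
    if is_session and ("expires" in attrs or "max-age" in attrs):
        findings.append("persistent session cookie (survives browser close)")
    if lname.startswith("__host-") and (
            "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"):
        findings.append("__Host- rules violated (needs Secure, Path=/, no Domain): browser rejects it")
    elif lname.startswith("__secure-") and "secure" not in attrs:
        findings.append("__Secure- prefix without Secure: browser rejects it")
    if is_session and len(value) < 16:
        findings.append("short session identifier (check entropy)")
    return name, findings


if __name__ == "__main__":
    for hdr in (
        "PHPSESSID=5f3a9c2e7b1d4e6f8a0b; Path=/",
        "__Host-session=9d2f6c1e4b7a8e3f0c5d; Path=/; Secure; HttpOnly; SameSite=Strict",
    ):
        print(audit_cookie(hdr))
```

Run it over every Set-Cookie the application emits after login, after logout (the session cookie should be cleared, not reissued with the same value, which also covers the fixation check) and after a password change.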
Input Validation
SQLi, Reflected XSS, Stored XSS
SSTI, XXE, XPATH, LDAP, OS Command Injection
HTTP Verb Tampering
HTTP Parameter Pollution
Prototype Pollution
Host Header Injection, CRLF Injection
Server-Side Request Forgery (SSRF)
Client Side Testing
DOM-XSS, Clickjacking, CORS
Business Logic
File Uploads
Workflow Circumvention
Error Handling
Verbose Error Information Exposure
Stack Traces
Miscellaneous
Log Poisoning
Web Cache Poisoning
Web Cache Deception
Insecure Deserialization
GraphQL
FTP (21)
Banner Grabbing
Anonymous Authentication
Hydra Brute Forcing
vsFTPd 2.3.4 Backdoor
SSH (22)
Banner Grabbing
Weak Ciphers & Algos
Hydra Brute Forcing
Telnet (23)
Vulnerability Check
Hydra Brute Forcing
SMTP (25)
Username Enumeration
Email Information Disclosure
DNS (53)
Cache Snooping Remote Information Disclosure
Spoofed Request Amplification DDoS
Recursive Query Cache Poisoning
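Added example (not code from the original checklist): a Python implementation of the cache snooping probe above. It builds a query with the RD (recursion desired) bit cleared, so a resolver can only answer from cache; a non-authoritative answer means some client resolved the name recently, REFUSED means non-recursive queries are blocked, and an empty reply means not cached. The response bytes are constructed with the same encoder, not captured; the amplification ratio helper is there for the DDoS item.

```python
"""DNS cache snooping query builder and response classifier.
Added example; responses are constructed locally, not captured from a resolver."""
import struct

QTYPE_A, QCLASS_IN = 1, 1
RCODE_REFUSED = 5


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_query(name, txid=0x1337, qtype=QTYPE_A, rd=False):
    """RD=False is the snooping case: the resolver may only answer from cache."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def skip_name(data, offset):
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer, 2 bytes
            return offset + 2
        offset += 1 + length


def parse_response(data):
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    offset = 12
    for _ in range(qd):
        offset = skip_name(data, offset) + 4      # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        offset = skip_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from(">HHIH", data, offset)
        offset += 10
        answers.append((rtype, ttl, data[offset:offset + rdlen]))
        offset += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x80),
            "aa": bool(flags & 0x400), "answers": answers}


def build_response(query, a_records, rcode=0, ra=True):
    """Constructed reply echoing the question; a_records is [(ttl, dotted IPv4)]."""
    txid = struct.unpack_from(">H", query)[0]
    flags = 0x8000 | (0x80 if ra else 0) | rcode       # QR=1, RA, RCODE
    header = struct.pack(">HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    rrs = b""
    for ttl, ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + query[12:] + rrs


def snoop_verdict(response):
    r = parse_response(response)
    if r["rcode"] == RCODE_REFUSED:
        return "refused: non-recursive queries not permitted"
    if r["answers"] and r["aa"]:
        return "authoritative answer: server hosts the zone, not a cache hit"
    if r["answers"]:
        ttl = min(t for _, t, _ in r["answers"])
        return "cached (remaining TTL %ds): a client resolved this recently" % ttl
    return "not cached"


def amplification_factor(query, response):
    """Bytes returned per byte sent; open resolvers with large ANY/TXT answers are the reflectors."""
    return round(len(response) / len(query), 2)


if __name__ == "__main__":
    q = build_query("example.com")
    print(snoop_verdict(build_response(q, [(300, "93.184.216.34")])))
```

Against a live resolver, send build_query(name) over UDP/53 with a socket and pass the datagram to snoop_verdict; query names the target's users would plausibly visit, and only target resolvers you are authorised to test.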
Kerberos (88)
Domain User Enumeration
MS14-068 Vulnerabilities
Tools
Kerbrute
Rubeus
MSRPC (135/593)
NULL & Authenticated Session
Enumeration
Domain Information Query
User Queries
Group Queries
Privileges
SID Lookup
LSA Query
Tools
rpcclient
rpcinfo
rpcdump
NetBIOS (137/138/139)
Enumeration
Computers
Shares
Policies
Passwords
Tools
nbtstat
nbtscan
nmblookup
SMB (139/445)
Open Shares
SMB NULL Session Authentication (Anonymous)
SMB Signing Disabled
Relay Attack
SMB Version & Protocols
MS17-010 Vulnerabilities
User Enumeration
Tools
smbclient
smbmap
enum4linux
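Added example (not code from the original checklist): a Python decoder for the SecurityMode field of an SMB2 NEGOTIATE response, which is what the "SMB Signing Disabled" and relay checks come down to. If SMB2_NEGOTIATE_SIGNING_REQUIRED (0x02) is clear, relayed NTLM authentication is accepted by that host. The packets are constructed with struct, not captured, and only the fields needed for the check are populated.

```python
"""Decode SMB2 NEGOTIATE response SecurityMode to detect signing not enforced.
Added example; the responses are constructed, not captured."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x01
SIGNING_ENABLED = 0x01     # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x02    # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def build_negotiate_response(security_mode, dialect):
    """Constructed server reply: 64-byte SMB2 header followed by the NEGOTIATE body."""
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize, SecurityMode, DialectRevision, NegotiateContextCount, ServerGuid,
    # Capabilities, MaxTransact/Read/Write, SystemTime, ServerStartTime,
    # SecurityBufferOffset/Length, NegotiateContextOffset
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0)
    return header + body


def parse_negotiate_response(packet):
    if len(packet) < 70 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    command, = struct.unpack_from("<H", packet, 12)
    flags, = struct.unpack_from("<I", packet, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", packet, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def relay_candidate(info):
    """True when signing is not required: a relayed NTLM session will be accepted."""
    return not info["signing_required"]


if __name__ == "__main__":
    # Typical workstation (signing enabled, not required) vs. a domain controller (required).
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        info = parse_negotiate_response(build_negotiate_response(mode, 0x0311))
        print(info, "relay candidate:", relay_candidate(info))
```

On a live target the same field arrives after the client's multi-protocol negotiate (what `nmap --script smb2-security-mode` or CrackMapExec's `--gen-relay-list` do); for SMB1-only hosts the equivalent is the SecurityMode byte of the SMB_COM_NEGOTIATE response, where bit 0x08 means signing required.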
SNMP (161)
Agent Default Community Name
Public
Private
Community
Enumeration
Interfaces
Netstat
Processes
Services
Shares
Software
Users
Tools
snmpwalk
snmpbulkwalk
snmpenum
snmp-test
onesixtyone
LDAP (389)
Anonymous Bind
Tools
ldapsearch
ldapdomaindump
windapsearch
MSSQL (1433)
MYSQL (3306)
RDP (3389)
Network Level Authentication (NLA) Disabled
Terminal Services Encryption Level is Medium or Low
Terminal Services Encryption Level is not FIPS-140 Compliant
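Added example (not code from the original checklist): a Python probe for the NLA item. The client's X.224 Connection Request carries an RDP_NEG_REQ; asking for PROTOCOL_SSL only (TLS without CredSSP) makes a server that enforces NLA answer with RDP_NEG_FAILURE code HYBRID_REQUIRED_BY_SERVER, while a server without NLA confirms TLS and lets an unauthenticated client reach the login screen. Server replies are constructed, not captured. The encryption level items are negotiated later in the MCS Connect Response and are not parsed here.

```python
"""RDP NLA detection via X.224 connection negotiation (MS-RDPBCGR 2.2.1.1/2.2.1.2).
Added example; the Connection Confirm frames are constructed, not captured."""
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x8
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 5
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT + X.224 CR-TPDU + RDP_NEG_REQ asking for the given protocols."""
    neg = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # LI counts the bytes after itself: code(1)+dst-ref(2)+src-ref(2)+class(1)+neg(8)
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xE0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def build_connection_confirm(neg_type, value):
    """Constructed server CC-TPDU carrying RDP_NEG_RSP (selectedProtocol) or RDP_NEG_FAILURE (code)."""
    neg = struct.pack("<BBHI", neg_type, 0, 8, value)
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xD0, 0, 0x1234, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a TPKT frame")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li < 14:
        # No negotiation payload: legacy server that only speaks standard RDP security
        return {"type": "response", "selected_protocol": PROTOCOL_RDP}
    neg_type, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"type": "response", "selected_protocol": value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"type": "failure", "failure_code": value,
                "reason": FAILURE_CODES.get(value, "unknown")}
    raise ValueError("unexpected negotiation type %d" % neg_type)


def nla_enforced(confirm_to_ssl_only_request):
    """Interpret the reply to build_connection_request(PROTOCOL_SSL)."""
    info = parse_connection_confirm(confirm_to_ssl_only_request)
    return info["type"] == "failure" and info["failure_code"] == HYBRID_REQUIRED_BY_SERVER


if __name__ == "__main__":
    print(build_connection_request(PROTOCOL_SSL).hex())
    print("NLA enforced:", nla_enforced(build_connection_confirm(TYPE_RDP_NEG_FAILURE, 5)))
    print("NLA enforced:", nla_enforced(build_connection_confirm(TYPE_RDP_NEG_RSP, PROTOCOL_SSL)))
```

Live use is one TCP exchange on 3389: sendall(build_connection_request(PROTOCOL_SSL)), recv the 19-byte reply, pass it to nla_enforced. A reply selecting PROTOCOL_SSL (or a failure other than code 5) means the login screen is reachable without credentials, which is what the BlueKeep and credential-guessing items below depend on.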
WinRM (5985)
Active Directory
No Credentials
LLMNR Poisoning or SMB Relay
Coerce NTLM Authentication with PetitPotam
Enumerate AD Users via SMB NULL sessions or LDAP Anonymous Binds
linkedin2username -> Password Spraying
With Credentials
Lay-of-the-Land - BloodHound, PowerView
Credentials Spraying - CrackMapExec, Evil-WinRM, PSExec, SMBExec, WMIExec
Kerberos Attacks
DACL & GPO Abuse
Active Directory Certificate Services (AD CS)
Hunt for Juicy Data
.txt
.vmdk
web.config
Public Exploits
PrintNightmare, ZeroLogon, AutoBlue, BlueKeep