Check List

My thought process and general guidelines to approach a target

Web (80/443)

Fingerprint Web Server
- Apache/Nginx/IIS Server Headers
- Etag Headers Information Leakage
- Source Code (HTTP/JS/CSS) Comments
  - Burp Suite Map → Engagement Tools → Find Comments/Scripts egrep -r '|[^:]/[/*][^/]' .html/.js
- Metafiles (robots.txt, sitemap.xml, .htaccess, aspnet_client)
- Old, Backup and Forgotten Files (Wayback URLs)
- Finding Hidden Parameters
Technology Stack
- CMS & Services
  - Default Credentials & Paths
  - Version Number
Identify Entry Point
- Directory Brute-forcing
- DNS Subdomain Brute-forcing
- Virtual Host Brute-forcing
Configuration
- HTTP Methods
- Security Headers
- Cipher Suites
- HTTP Request Smuggling
- HTTP Strict Transport Security (80 -> 443 Redirection)
- RIA Cross Domain Policy (crossdomain.xml, clientaccesspolicy.xml)
- Subdomain Takeover
Authentication Management
- Account Takeover
- Weak Lockout Policy
- Weak Password Policy
- Weak Security Question
- Weak Password Change Functionality
- Remember Password Functionality
- Multi-Factor Authentication
- Browser Cache Weakness
- Rate Limiting Controls
Authorization Management
- IDOR
- Directory Traversal, File Inclusion
- OAuth & OIDC Testing / SAML Testing
Session Management
- Cookies Attributes
- Session Hijacking
- Session Fixation
- Session Puzzling
- Session Timeout
- CSRF
- Logout Functionality
Input Validation
- SQLi, Reflected XSS, Stored XSS
- SSTI, XXE, XPATH, LDAP, OS Command Injection
- HTTP Verb Tampering
- HTTP Parameter Pollution
- Prototype Pollution
- Host Header Injection (CRLF)
- Server-Side Request Forgery (SSRF)
Client Side Testing
- DOM-XSS, Clickjacking, CORS
Business Logic
- File Uploads
- Workflow Circumvention
Error Handling
- Verbose Error Information Exposure
- Stack Traces
Miscellaneous
- Log Poisoning
- Web Cache Poisoning
- Web Cache Deception
- Insecure Deserialization
- GraphQL

FTP (21)

Banner Grabbing
Anonymous Authentication
Hydra Brute Forcing
vsFTPd Backdoor

SSH (22)

Banner Grabbing
Weak Ciphers & Algos
Hydra Brute Forcing

Telnet (23)

Vulnerability Check
Hydra Brute Forcing

SMTP (25)

Username Enumeration
Email Information Disclosure

DNS (53)

Cache Snooping Remote Information Disclosure
Spoofed Request Amplification DDoS
Recursive Query Cache Poisoning

Kerberos (88)

Domain User Enumeration
MS14-068 Vulnerabilities
Tools
- Kerbrute
- Rubeus

MSRPC (135/593)

NULL & Authenticated Session
Enumeration
- Domain Information Query
- User Queries
- Group Queries
- Privileges
- SID Lookup
- LSA Query
Tools
- rpcclient
- rpcinfo
- rpcdump

NetBIOS (137/138/139)

Enumeration
- Computers
- Shares
- Policies
- Passwords
Tools
- nbtstat
- nbtscan
- nmblookup

SMB (139/445)

Open Shares
- SMB NULL Session Authentication (Anonymous)
SMB Signing Disabled
- Relay Attack
SMB Version & Protocols
MS17-010 Vulnerabilities
User Enumeration
Tools
- smbclient
- smbmap
- enum4linux

SNMP (161)

Agent Default Community Name
- Public
- Private
- Community
Enumeration
- Interfaces
- Netstat
- Processes
- Services
- Shares
- Software
- Users
Tools
- snmpwalk
- snmpbulkwalk
- snmpenum
- snmp-test
- onesixtyone

LDAP (389)

Anonymous Bind
Tools
- ldapsearch
- ldapdomaindump
- windapsearch

MSSQL (1433)

MYSQL (3306)

RDP (3389)

Network Level Authentication (NLA) Disabled
Terminal Services Encryption Level is Medium or Low
Terminal Services Encryption Level is not FIPS-140 Compliant

WinRM (5985)

Active Directory

No Credentials
- LLMNR Poisoning or SMB Relay
- Coerce NTLM Authentication with PetitPotam
- Enumerate AD Users via SMB NULL sessions or LDAP Anonymous Binds
- linkedin2username -> Password Spraying
With Credentials
- Lay-of-the-Land - BloodHound, PowerView
- Credentials Spraying - CrackMapExec, Evil-WinRM, PSExec, SMBExec, WMIExec
- Kerberos Attacks
- DACL & GPO Abuse
- Active Directory Certificate Services (AD CS)
- Hunt for Juicy Data
  - .txt
  - .vmdk
  - web.config
Public Exploits
- PrintNightmare, ZeroLogon, AutoBlue, BlueKeep