External Penetration Testing Checklist

🔍 OSINT & Reconnaissance

Domain Intelligence

  • WHOIS lookup (registrar, dates, contacts)
  • DNS enumeration (A, MX, TXT, NS records)
  • Subdomain enumeration
  • Historical DNS data (SecurityTrails)
  • Certificate transparency logs
  • ASN and IP range identification
  • Reverse DNS lookups

# DNS enumeration
dig target.com ANY        # many resolvers refuse ANY (RFC 8482); query A, MX, TXT, NS individually if so
dnsrecon -d target.com
subfinder -d target.com -o subs.txt
amass enum -d target.com -o amass.txt

# Certificate transparency
curl "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u

Email Intelligence

  • Email format discovery
  • Employee email harvesting
  • Breach data analysis (HIBP)
  • Email security records (SPF, DKIM, DMARC)
  • Hunter.io / Phonebook.cz

Social Media OSINT

  • LinkedIn employee enumeration
  • GitHub repositories
  • Twitter/X presence
  • Job postings (tech stack hints)
  • Public documents (metadata)

Google Dorking

site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com "password" OR "credentials"
site:pastebin.com "target.com"
site:github.com "target.com" password

🌐 Infrastructure Scanning

Port Scanning

# Fast scan
nmap -sS -p- --min-rate=1000 -oA full_tcp target.com

# Service detection
nmap -sV -sC -p PORTS -oA services target.com

# UDP scan
nmap -sU --top-ports 100 -oA udp target.com

# Masscan for large ranges
masscan -p1-65535 --rate=1000 -oL masscan.txt RANGE
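The full TCP scan above produces full_tcp.gnmap, and the PORTS placeholder in the service-detection command is normally filled from it. This added helper (not part of the original checklist) parses the grepable format, builds that port list per host, and maps the open ports onto the Service Enumeration categories listed below; the scan output is a constructed sample, not real data.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable output (full_tcp.gnmap); not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- --min-rate=1000 -oA full_tcp target.com
Host: 203.0.113.10 (target.com)\tStatus: Up
Host: 203.0.113.10 (target.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 203.0.113.11 (mail.target.com)\tPorts: 25/open/tcp//smtp//Postfix/, 587/open/tcp//submission///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65532)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Each Ports: entry is port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")

# Service Enumeration categories from the checklist, keyed by well-known port
CHECKLIST_BUCKETS = {
    "web": {80, 443, 8080, 8443}, "mail": {25, 465, 587, 993}, "dns": {53},
    "ftp": {21}, "ssh": {22}, "rdp": {3389}, "smb": {445},
}

def parse_gnmap(text):
    """Return {host: [(port, proto, state), ...]} from every 'Ports:' line."""
    result = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            m = PORT_RE.match(entry.strip())
            if m:
                result[host].append((int(m.group(1)), m.group(3), m.group(2)))
    return dict(result)

def open_tcp_ports(parsed, host):
    """Sorted open TCP ports for one host (filtered/closed entries are dropped)."""
    return sorted(p for p, proto, state in parsed.get(host, []) if proto == "tcp" and state == "open")

def port_spec(parsed, host):
    """Comma list for 'nmap -sV -sC -p PORTS', or None if nothing is open."""
    ports = open_tcp_ports(parsed, host)
    return ",".join(map(str, ports)) if ports else None

def enumeration_buckets(parsed, host):
    """Which checklist service categories apply to this host."""
    ports = set(open_tcp_ports(parsed, host))
    return sorted(name for name, known in CHECKLIST_BUCKETS.items() if ports & known)
```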

Service Enumeration

  • Web servers (80, 443, 8080, 8443)
  • Mail servers (25, 465, 587, 993)
  • DNS servers (53)
  • FTP (21)
  • SSH (22)
  • RDP (3389)
  • SMB (445)
  • VPN endpoints

Web Application Discovery

# Find live hosts
httpx -l subs.txt -o live_hosts.txt -status-code -title

# Screenshot all hosts
gowitness file -f live_hosts.txt -P screenshots/

# Technology detection
whatweb -i live_hosts.txt -a 3

🔓 Vulnerability Assessment

Automated Scanning

  • Nuclei templates scan
  • Nikto web scanning
  • Nessus/OpenVAS vulnerability scan
  • SSL/TLS assessment

# Nuclei scan
nuclei -l live_hosts.txt -t cves/ -t exposures/ -t vulnerabilities/ -o nuclei.txt

# SSL testing
testssl.sh https://target.com

# Nikto
nikto -h https://target.com -output nikto.txt

Manual Testing

  • Default credentials check
  • Exposed admin panels
  • Sensitive file exposure (.git, .env, backup)
  • Directory traversal
  • Information disclosure

🔐 Authentication Attacks

Password Spraying

# Office 365
spray -microsoft 365 -u users.txt -p "Summer2024!" -t 1

# Web applications
hydra -L users.txt -P passwords.txt target.com http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"

Credential Testing

  • Password spray common passwords
  • Test default credentials
  • Check leaked credentials
  • Brute force (if allowed)

VPN/Remote Access

  • VPN gateway enumeration
  • Test VPN credentials
  • Certificate-based auth bypass
  • Check for CVEs

📧 Email Security

Mail Server Testing

  • Open relay testing
  • User enumeration (VRFY, RCPT TO)
  • SPF configuration check
  • DKIM validation
  • DMARC policy review

# SMTP user enumeration
smtp-user-enum -M VRFY -U users.txt -t mail.target.com

# SPF check
dig txt target.com | grep spf

# DMARC check
dig txt _dmarc.target.com
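The SPF and DMARC checks above only fetch the records; deciding whether they are weak is done by hand. This added example (not part of the original checklist) assesses the fetched strings: it flags a permissive or missing "all" mechanism, more than ten lookup-causing terms, a monitoring-only p=none policy, and a missing rua address. The records are constructed samples, not real DNS data.

```python
import re

# Constructed sample records as 'dig txt' would return them; not real DNS data.
SAMPLE_RECORDS = {
    "target.com": {
        "spf": "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@target.com",
    },
    "legacy.target.com": {"spf": "v=spf1 a mx +all", "dmarc": None},
}

# SPF terms that cost one of the ten permitted DNS lookups (RFC 7208 s4.6.4)
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)")

def assess_spf(spf):
    """Findings for an SPF record string (None means no record published)."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["SPF: no record, any host may claim to send for this domain"]
    terms = spf.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    findings = []
    if all_term is None:
        findings.append("SPF: no 'all' mechanism, unlisted senders are not rejected")
    elif all_term in ("all", "+all"):
        findings.append("SPF: '+all' authorises every sender, spoofing is trivial")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral and provides no protection")
    elif all_term == "~all":
        findings.append("SPF: '~all' softfail, enforcement depends on DMARC")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def assess_dmarc(dmarc):
    """Findings for a DMARC record string (None means no _dmarc record)."""
    if not dmarc:
        return ["DMARC: no record, receivers will not enforce alignment"]
    tags = dict(p.strip().split("=", 1) for p in dmarc.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, aggregate reports are not collected")
    return findings

def assess_domain(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return assess_spf(records.get("spf")) + assess_dmarc(records.get("dmarc"))
```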

Phishing Assessment

  • Domain spoofing potential
  • Lookalike domain check
  • Email gateway bypass
  • Attachment handling

☁️ Cloud Infrastructure

Cloud Detection

  • Identify cloud providers
  • S3 bucket enumeration
  • Azure blob storage
  • GCP bucket search

# S3 bucket enumeration
aws s3 ls s3://target-bucket/ --no-sign-request

# Azure blob (URL must be quoted: an unquoted & backgrounds the command and drops comp=list)
curl "https://TARGET.blob.core.windows.net/CONTAINER?restype=container&comp=list"

# Cloud enum tools
cloud_enum -k target -k target.com

CDN/WAF Detection

  • Identify CDN provider
  • WAF fingerprinting
  • Origin IP discovery
  • Bypass techniques

🕷️ Web Application Testing

Common Vulnerabilities

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • XML External Entity (XXE)
  • Remote Code Execution
  • File inclusion (LFI/RFI)
  • Insecure deserialization

API Security

  • API endpoint discovery
  • Authentication bypass
  • IDOR vulnerabilities
  • Rate limiting
  • Mass assignment

CMS-Specific

# WordPress
wpscan --url https://target.com -e u,vp,vt

# Joomla
joomscan -u https://target.com

# Drupal
droopescan scan drupal -u https://target.com

📊 Severity Classification

Vulnerability        CVSS Range   Priority
RCE                  9.0-10.0     Critical
SQLi (Data breach)   8.0-9.9      Critical
Auth bypass          7.0-8.9      High
SSRF (internal)      6.0-8.0      High
XSS (Stored)         5.0-6.9      Medium
Info disclosure      3.0-4.9      Low
Missing headers      0.1-2.9      Info

🛠️ Essential Tools

Category       Tools
Recon          Amass, Subfinder, httpx
Scanning       Nmap, Masscan, Nuclei
Web            Burp Suite, ffuf, sqlmap
OSINT          theHarvester, Maltego
Exploitation   Metasploit, SearchSploit
Reporting      Dradis, Faraday

Quick Setup

# Install essential tools
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install github.com/ffuf/ffuf/v2@latest

📋 Report Template

Executive Summary

  • Scope and objectives
  • Critical findings summary
  • Risk rating overview
  • Recommendations priority

Technical Findings

  • Vulnerability description
  • Affected assets
  • CVSS score and vector
  • Proof of concept
  • Remediation steps

Appendices

  • Full tool outputs
  • Screenshots
  • Timeline
  • Methodology reference

Last updated: 2024