pirate.moo's pentest checklist

A working/living curated checklist that can be modified as needed for various penetration testing engagements. Please feel free to build, modify and edit this list as you like.

---

Note taking: OneNote, GoogleDocs, GitBook, notepad++, Joplin, Obsidian
Screen shots: Snipping tool, Greenshot, ShareX (GIF/video creation)
Network Screenshots: Eyewitness, Gowitness, Aquatone

---

PROJECT LINKS:
DATE RANGE: October 28st 2022 - November 28, 2022
EXTRA NOTES:

---

Passive Enumeration

---

Passive Enumeration	Task Completion
Websites:
Shodan	☐
Maltego	☐
Censys	☐
Zoomeye	☐
DNS:
Wappalyzer	☐
DNS Dumpster	☐
crt-sh	☐
Netcraft	☐

---

OSINT

---

OSINT	Task Completion
Social Media Checks:
Facebook	☐
Twitter	☐
LinkedIn	☐
Reddit	☐
YouTube	☐
Cross-Platform Checks:
Sherlock	☐
WhatsMyName	☐
Email:
phonebook.cz	☐
TheHarvester	☐
GHunt	☐
HaveIbeenPwned	☐
Email Hippo	☐
h8mail	☐
Google Dorks:
info:	☐
define:	☐
insite:	☐
inurl	☐
filetype:	☐
GHDB check	☐
Google Advanced Search	☐
Breaches & Business:
IntelX	☐
DeHashed	☐
LeakCheck	☐
SnusBase	☐
CrunchBase	☐
Images:
Google Image Search	☐
Bing Image Search	☐
Aperisolve	☐

---

External Enumeration

---

External Enumeration	Task Completion
Major scanners:	☐
Nessus	☐
NMAP	☐
OpenVAS	☐
Directory Searches:
dirsearch	☐
Feroxbuster	☐
Gobuster	☐
Dirbuster	☐
Web:	☐
Burp Suite	☐
OWASP ZAP	☐
SQLmap	☐
Nikto	☐
WAF:	☐
wafw00f	☐
whatwaf	☐
Scans:	☐
Do initial scans require further testing?	☐
Scans exported	☐
VAPT created/modified	☐
Draft report created	☐
Report reviewed	☐
Screenshots and Notes Included?	☐

---

Internal Enumeration

---

Internal Enumeration	Task Completion
Basic Setup:	☐
ROE Signed?	☐
Jumpbox ready?	☐
Connection checks	☐
Folders created	☐
Tools installed/updated	☐
Wireshark/tcpdump setup?	☐
Metasploit:	☐
Updated?	☐
Metasploit DB started?	☐
Capturing output of modules?	☐
Set global variables	☐
DNS:	☐
Sublist3r	☐
Amass	☐
dnsrecon	☐
DNspy	☐
Fierce	☐
dnsenum	☐
Kerberos Abuse/NTLM:	☐
Bloodhound	☐
Responder	☐
Rubeus	☐
Kerbrute	☐
MS-RPRN RPC:	☐
PetitPotam	☐
spoolsample	☐
SMB/SNMP/RPC:	☐
crackmapexec	☐
smbclient	☐
smbmap	☐
onesixtyone	☐
enum4linux	☐
rpcclient	☐
Impacket-rpcdump	☐
Brute-Forcing:	☐
Accounts Sprayed?	☐
Hashes cracked? Mimikatz, John, Hashcat	☐
Usernames/passwords exported to file	☐
Credentials stuffed?	☐
Default credentials checked?	☐
Specific Scans:	☐
Telnet	☐
SSH	☐
FTP	☐
SNMP	☐
Specialized Scans:	☐
Itwasalladream	☐
PRET	☐
log4j-scan Includes Apache Commons	☐
Spring4Shell	☐
IKE-scan	☐
Fuzzers:	☐
WFuzz	☐
ffuf	☐
Create Lists for:	☐
DC's, Exchange, SQL, FTP, Printers, VOIP, Mail, etc..	☐
Information Disclosures:	☐
Login Portals	☐
IIS	☐
VOIP	☐
Printers	☐

---

Post Exploitation/Privesc

---

Post Exploitation	Task Completion
Tools:	☐
Peass-ng	☐
LinEnum	☐
Evil-WinRM	☐
GTFO (LOLBAS) bins	☐
Linuxprivchecker	☐
Exploit Suggester (Windows/Linux)	☐
Permissions/Information:	☐
System	☐
Services	☐
History	☐
Users	☐
Passwords	☐
Network	☐
Writeable Checks:	☐
/dev/shm	☐
/tmp/	☐
/var/tmp/	☐
/var/spool/vbox	☐
/var/spool/samba	☐

---

Please feel free to hit me up on Mastodon @apiratemoo if you have any questions, comments or concerns. You are free to use/edit/improve this list as you wish.

Happy Hacking 😄