Vous êtes sur la page 1sur 4

External Penetration Testing Plan

1. Inventory company's external infrastructure

2. Create topographical map of network
3.Identify the IP address of the targets
4. locate the traffic routes that go to the web servers.
5. Trace the TCP traffic path to the destination.
6. Trace the UDP traffic path to the destinations.
7. Identify the physical location of the target servers.
8. Examine the use of IPv6 at the remote location.
9. Look up the domain registry for the IP information.
10. Find the block information about the target.
11. Locate the ISP servicing the client.
12. List open ports.
13. List closed ports.
14. List suspicious ports that may be stealth ports.
15. Port scan every port on the target network.
16. Use SYN scan on the target and analyze the response.
17. Use connect scan on the target and analyze the response.
18. Use Xmas scan on the target and analyze the response.
19. Use FIN scan on the target and analyze the response.
20. Use Null scan on the target and analyze the response.
21. Firewalk the routers gateway.
22. Examine TCP sequence number prediction.
23. Examine the use of standard and nonstandard protocols.
24. Examine IP ID sequence number prediction
25. Examine the system uptime of the target.
26. Examine the operating systems used by different targets.
27. Examine the patches applied to the system.
28. Locate the DNS record of the domain and attempt DNS hijacking
29. Download applications from the company's Web site and reverse engineer the
binary code.
30. List programming languages and application software used to create various
programs on the target server.
31. Look for errors and custom Web pages.
32. Guess different sub domain names and analyze different responses.
33. Hijack sessions
34. Examine cookies generated by the server.
35. Examine the access controls used by the WE [application server].
36. Brute force URL injections and session tokens.
37. Check the directory consistency and page-naming syntax of the Web pages.
38. Look for sensitive information in the webpage source code.
39. Attempt URL encoding on the Web pages.
40. try buffer overflow attempts in the input fields.
41. look for invalid ranges in the input fields.
42. Attempt escape character injections
43. try cross-scripting(XSS) techniques
44. Record and replay the traffic to the target Web server and note the response.
45. try various SQL - injection techniques.
46. Examine hidden fields.
47. Examine server-side includes (SSL)
48. Examine e-commerce and payment gateways handled by the Web server.
49. Examine welcome, error and debug messages.
50. probe the server through SMTP mail bouncing.
51. Grab the banners of the HTTP servers.
52. Grab the banners of the SMTP servers.
53. Grab the banners of the POP3 servers.
54. Grab the banners of the FTP servers.
55. Identify the Web extensions used on the server.
56. try to use HTTPS tunnel to encapsulate traffic.
57. OS fingerprint target computers.
58. Check for ICMP responses (Type 3 port unreachable).
59. Check for ICMP responses (Type 8 echo request).
60. Check for ICMP responses (Type 13 time-stamp request).
61. Check for ICMP responses (Type 15 information request).
62. Check for ICMP responses (Type 17 subnet address mask request).
63. Check for ICMP responses from broadcast address.
64. Port scan DNS servers (TCP/UDP 53).
65. Port scan TFTP servers (port 69).
66. Test for NTP ports (port 123).
67. Test for SNMP ports (ports 161 and 162)
68. Test for Telnet ports (port23)
69. Test for LDAP ports (port 389)
70. Test for NetBIOS ports (port 135-139 and 445)
71. Test SQL server ports (ports 1433 and 1434)
72. Test for Citrix ports (port 1495)
73. Test for Oracle ports (port 1521)
74. Test for NFS ports (ports 2049).
75. Test for compaq HP inside manager ports (ports 2301 and 2381).
76. Test for remote desktop ports (port 3389).
77. Test for Sybase ports (port 5000).
78. Test for SIP ports (ports 5060).
79. Test for VNC ports (ports 5800 and 5900).
80. Test for X11 ports (port 6000).
81. Test for JetDirect ports (ports 9100).
82. Port Scan FTP data (port 20)
83. Port scan Web servers (port 80)
84. Port scan SSL servers (port 443)
85. Port scan Kerberos and active Directory (TCP/UDP 88).
86. Port scan SSH servers (port 22)

Source: https://avatarpointsecurity.wordpress.com/2013/02/22/external-