Penetration Testing

This Process Street penetration testing checklist is engineered to give a documentation process for staff carrying out penetration testing on either their own networks and services or those of a client. 

Penetration testing is a method of locating vulnerabilities of information systems by playing the character of a cracker. The goal of the tester is to enter into a system and then burrow in as deep as possible. The deeper the tester can embed themselves and the more permanent their access can be, the more damage they can cause. A thorough pen-test aims to reveal these weaknesses so they can be closed as quickly as possible without having a real cracker expose them. 

This Process Street template aims to follow a standard pen-testing process, however, if there are further steps you wish to add or remove you are free to do so. You can simply add this template to your account and click to edit the template. The template is fully editable in order to meet the specific needs of your company. 

Throughout the template you will notice form fields where you can enter information as you run the checklist. All data entered into these form fields is stored in the template overview tab in a spreadsheet format. This data can then be exported as a CSV if you wish to keep an internal backup. You can add or remove form fields from the process in order to change the kind of data you're collecting.

If you want to hear a little more about penetration testing, check out the video below:

Use the form fields provided to record the details of the checklist.

Use the form field below to outline the different methods to be employed during this test. 

This will help to define what has been tested and what wasn't. 

For an in-depth analysis of the different methods available, watch the video below.

Use the form field below to record the different networks and domain names relevant to your exploration. 

A static analysis uses a program to perform a non-runtime assessment of a program's code. 

This provides an initial non-hands-on approach to find vulnerabilities when starting your research. 

Record your notes on the static analysis below or watch the video for inspiration.  

A dynamic analysis is similar to a static analysis except it takes place while the program is running. 

A dynamic test will monitor system memory, functional behavior, response time, and overall performance of the system.

Though static analysis is in ways a more thorough approach, dynamic analysis is capable of exposing a subtle flaw or vulnerability too complicated for static analysis alone to reveal and can also be the more expedient method of testing.

Use the form field below to record your notes.

Whether you find vulnerabilities through your phishing approaches or within your static or dynamic approaches, the first step is to document these potential avenues to exploit.

These weaknesses will have to be addressed in future. Record them now even if they do not lead to a major security breach as the test continues.  

At this step, begin to try to exploit these weaknesses to see what information can be gleaned. 

Use the form field below to record notes on what can or cannot be accessed at this moment in time.

Another key area to test is how embedded you can become within the network. 

Are you able to establish long term access?

Are you able to retain access unnoticed?

Use the form field below to record your attempts at long term exploitation.

Once you have completed your penetration testing, compile your full report and upload it in the form field below.

Use the email widget below to send this report to the relevant people. 

You can use the variables options to enter information into the email automatically. 

• Conducting a Penetration Test on an Organization - SANS Institute
• What is Penetration Testing - Incapsula
• The Penetration Testing Execution Standard - Pentest-Standard
• Chapter 4: Pen-Testing Process - Gray Hat Hacking [PDF]
• 10 Steps to Managing a Successful Network Penetration Test - CSO Online

• Privileged Password Management
• Network Administrator Daily Tasks
• Network Security Audit Checklist
• Firewall Audit Checklist
• VPN Configuration
• Apache Server Setup
• Email Server Security
• Penetration Testing
• Inventory Management Process
• Network Security Management
• Client Data Backup Best Practices
• Computer Maintenance Guide
• Server Setup Process
• Virtual Private Server Setup
• IT Support Process
• Helpdesk Management
• Server Maintenance
• Server Security
• Information Security Incident Response
• SQL Server Audit Checklist