Infrastructure27 items

Infrastructure Pentest Checklist

A comprehensive checklist for internal and external infrastructure penetration testing. Covers network enumeration, service exploitation, privilege escalation, and lateral movement techniques for enterprise environments.

NIST SP 800-115PTESOSSTMMCIS Controls

Progress: 0 of 27 items

Define IP ranges, subnets, and network segments in scopeinfo

Document all CIDR blocks, VLANs, and specific hosts included in the assessment.

Confirm rules of engagement for destructive testing

Clarify whether denial-of-service, exploit execution, and credential dumping are permitted.

Obtain network diagrams and asset inventories

Review provided documentation about network topology and critical systems.

Set up VPN or physical access for internal testing

Verify connectivity to all in-scope network segments from the testing position.

Coordinate testing windows to avoid business impact

Schedule intensive scans and exploitation attempts during agreed maintenance windows.

Perform comprehensive port scanning on all in-scope hostsinfo

Run Nmap TCP/UDP scans with service version detection and OS fingerprinting.

Commands

nmap -sS -sV -O -T4 -p- -oA tcp_full target.com

nmap -sU --top-ports 200 -T4 -oA udp_top target.com

rustscan -a target.com --ulimit 5000 -- -sV -sC

References

Nmap Reference Guide

Enumerate running services and banner informationlow

Identify service versions, default pages, and protocol-specific information.

Commands

nmap -sV -sC -p <ports> target.com -oA services

Identify network infrastructure devices (routers, switches, firewalls)medium

Map network devices and check for management interfaces accessible from the testing position.

Enumerate DNS records and zone transfersmedium

Attempt AXFR zone transfers and enumerate internal hostnames through DNS.

Commands

dig AXFR @ns1.target.com target.com

dnsrecon -d target.com -t axfr

fierce --domain target.com

References

OWASP WSTG - Test Network Infrastructure Configuration

Identify SNMP-accessible devices and extract community stringshigh

Test for default and weak SNMP community strings on discovered devices.

Commands

onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.0.0.0/24

snmpwalk -v2c -c public 10.0.0.5

Scan for network shares (SMB, NFS) and accessible resourceshigh

Enumerate SMB shares, NFS exports, and FTP directories for sensitive data exposure.

Commands

crackmapexec smb 10.0.0.0/24 --shares

smbclient -L //10.0.0.5 -N

showmount -e 10.0.0.5

Run vulnerability scanners against discovered hostshigh

Use Nessus, OpenVAS, or Qualys to identify known vulnerabilities and misconfigurations.

Commands

nmap --script vuln -p- target.com

nuclei -u https://target.com -severity high,critical

References

NIST SP 800-115 - Technical Guide to Information Security Testing

Check for missing patches on operating systems and servicescritical

Identify unpatched systems vulnerable to known exploits like EternalBlue or PrintNightmare.

Commands

nmap -p 445 --script smb-vuln-ms17-010 10.0.0.0/24

nmap -p 1433,3389,445 --script vuln 10.0.0.0/24

Evidence to capture

scanner output (Nessus/Nmap NSE) showing the CVE ID and affected host, plus a successful exploitation proof or vulnerability check confirmation.

Test for default and weak credentials on all servicescritical

Check SSH, RDP, database, and management console logins for default or easily guessable passwords.

Commands

hydra -L users.txt -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt ssh://10.0.0.5

crackmapexec smb 10.0.0.0/24 -u users.txt -p passwords.txt

Assess SSL/TLS configurations across all encrypted servicesmedium

Test for weak ciphers, expired certificates, and protocol downgrade vulnerabilities.

Commands

testssl.sh https://target.com:443

sslyze --regular target.com

References

OWASP TLS Cipher String Cheat Sheet

Check for unencrypted protocols transmitting sensitive datahigh

Identify FTP, Telnet, HTTP, and LDAP (non-TLS) services handling credentials or sensitive information.

Commands

nmap -p 21,23,80,389,143,110 -sV 10.0.0.0/24

Exploit identified vulnerabilities to gain initial accesscritical

Use Metasploit, manual exploits, or credential attacks to compromise target systems.

Evidence to capture

screenshot of an interactive shell or session on the compromised host with command output (e.g. `whoami`, `hostname`, `id`).

References

MITRE ATT&CK - Initial Access (TA0001)

Perform local privilege escalation on compromised hostscritical

Escalate from standard user to root/SYSTEM using kernel exploits, misconfigurations, or credential reuse.

Commands

linpeas.sh

winpeas.exe

BloodHound.py

Evidence to capture

before/after `whoami` output demonstrating escalation from low-privilege user to root or SYSTEM, plus the technique used.

References

MITRE ATT&CK - Privilege Escalation (TA0004)

Attempt lateral movement to adjacent network segmentscritical

Use harvested credentials, pass-the-hash, or network pivoting to access additional systems.

Commands

crackmapexec smb 10.0.0.0/24 -u Administrator -H <ntlm_hash>

evil-winrm -i 10.0.0.5 -u user -H <ntlm_hash>

References

MITRE ATT&CK - Lateral Movement (TA0008)

Extract and crack password hashes from compromised systemshigh

Dump SAM/NTDS.dit, /etc/shadow, or application database hashes for offline cracking.

Commands

secretsdump.py -just-dc DOMAIN/Administrator@10.0.0.5

hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

References

MITRE ATT&CK - OS Credential Dumping (T1003)

Test network segmentation and firewall rule effectivenesshigh

Verify that segmentation prevents unauthorized traffic between network zones.

Commands

nmap -sS -Pn -p- --max-retries 1 <segmented_target>

Assess data exfiltration paths from critical systemshigh

Test whether sensitive data can be extracted via DNS, HTTP, or other covert channels.

References

MITRE ATT&CK - Exfiltration (TA0010)

Create network attack path diagrams

Visualize the chain of compromises from initial access to domain or critical asset compromise.

Document all compromised hosts and harvested credentials

Provide a complete list of systems accessed and credentials obtained during testing.

Provide prioritized remediation plan based on attack paths

Rank fixes by their effectiveness at breaking the most critical attack chains.

Include network segmentation improvement recommendations

Recommend firewall rules, VLAN changes, and micro-segmentation strategies.

Remove all implants, shells, and testing artifacts

Thoroughly clean up all persistence mechanisms and tools deployed during the assessment.

Related Vulnerabilities

Security Misconfiguration

medium

Identification and Authentication Failures

high

Cryptographic Failures

high

Industries Using This Checklist

Financial Services & Banking

Government & Public Sector

Manufacturing & OT

Infrastructure Pentest Checklist

Pre-Engagement

Reconnaissance

Vulnerability Assessment

Exploitation & Post-Exploitation

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy