The first step will be to agree on the proper process for penetration testing and on the tools to be used. From there, we will generate a template for making a request and build the process that should follow.

Process

Method 1

  • Template request is submitted
  • Request is validated by us
  • System is tested using tools
  • Results from testing are placed into results template
  • Results template provided to requester

Method 2: Web Apps

  • Request is submitted. NOTE: For security reasons the requester should add a comment on the root index file showing ownership of the site and requesting the pentest.
  • Initial Recon
    • Whois records
    • robots.txt
    • Structure of the site and how it works
    • Search for hidden subdomains (http://code.google.com/p/dnsmap/)
    • Search for hidden directories
  • Fuzz and create a vulnerabilities log.
  • Attempt to create a proof of concept exploit.
  • Write down the result(s) and include the proof(s) of concept.
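
One way to automate the ownership check from the first step of Method 2 before any testing starts, as an added example that is not part of the original page. The comment format, the per-request token issued when the request is validated, and the names `ownership_confirmed`, `SAMPLE_INDEX` and `SAMPLE_TOKEN` are assumptions; the sample HTML is constructed.

```python
import hmac
import re
from html.parser import HTMLParser

# Assumed comment format (the page does not define one):
#   <!-- pentest-request id=REQ-0001 token=<hex> owner=<contact> -->
PATTERN = re.compile(
    r"^\s*pentest-request\s+id=(?P<id>[\w-]+)"
    r"\s+token=(?P<token>[0-9a-f]{32,})\s+owner=(?P<owner>\S+)\s*$"
)


class _CommentCollector(HTMLParser):
    """Collects real HTML comments. Text inside <script>/<style> is
    delivered as data, so a look-alike string there is not counted."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def ownership_confirmed(index_html, request_id, expected_token):
    """Return the owner contact if the root index file carries a comment
    matching this request's id and token, otherwise None."""
    parser = _CommentCollector()
    parser.feed(index_html)
    parser.close()
    for comment in parser.comments:
        m = PATTERN.match(comment)
        if not m or m.group("id") != request_id:
            continue
        # Constant-time comparison of the token issued for this request.
        if hmac.compare_digest(m.group("token"), expected_token):
            return m.group("owner")
    return None


# Constructed sample input, not taken from a real site.
SAMPLE_TOKEN = "9f2c4e6a8b0d1f3357799bbddff00112"
SAMPLE_INDEX = """<!DOCTYPE html>
<!-- pentest-request id=REQ-0042 token=9f2c4e6a8b0d1f3357799bbddff00112 owner=webmaster@example.org -->
<html><head><title>Example</title></head>
<body><p>Hello</p></body></html>
"""
```

A request whose index file does not return an owner from this check should not proceed to the recon step.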

Tools

  • nmap and zenmap.
  • Nessus and Metasploit.

Web App Pentesting

Fuzzing string: <|’\0%00 || Please contribute to this string. :)

  • Firefox
    • Firebug
    • A JavaScript deobfuscator.
    • NoScript
    • RefControl
    • TamperData
    • User Agent Switcher
    • Web Developer
    • WorldIP