Network Security VAPT Checklist

KIRAN KUMAR K

A structured and professional step-by-step guide to performing a Network Security Vulnerability Assessment and Penetration Testing (VAPT) efficiently.


Step 1: Identify Live Hosts

Tools:

  • ping
  • hping
  • nmap

Commands:

ping <Target-IP>
hping3 -1 <Target-IP>
nmap -sn <Target-IP-Range>

Step 2: Identify OS Type

Tools:

  • nmap
  • Xprobe2
  • Banner grabbing using telnet, nc (netcat)

Commands:

nmap -O <Target-IP>
xprobe2 -v -p tcp:80:open <Target-IP>
telnet <Target-IP> 80
nc -v <Target-IP> 80

Step 3: Perform Port Scanning

Tools:

  • nmap

Commands:

Full SYN Scan with Service Detection:

nmap -Pn -sS -sV -v <Target-IP> -oG nmap_grepable_SYN -oN nmap_normal_SYN

Top 1000 UDP Scan:

nmap -Pn --top-ports=1000 -sU -sV -v <Target-IP> -oG nmap_grepable_UDP -oN nmap_normal_UDP

Full Port Scan with Weak Algo & Cipher Detection:

nmap -Pn -A -T4 -vv -p- --script ssh2-enum-algos,ssl-enum-ciphers <Target-IP>

Step 4: Use Nessus for Vulnerability Scanning

Checklist before Scanning:

✔ Disable DoS Scans
✔ Enable TCP & UDP Scanning
✔ Ensure Plugins are Updated

Run the scan using Nessus GUI.


Step 5: Scan Specific Ports with Nmap

Example: If Port 22 (SSH) is open

nmap -Pn -sS -p22 --script=ssh* -v <Target-IP>

Step 6: SSL Security Audit

Tools:

  • testssl.sh
  • sslyze

Commands:

testssl.sh <Target-IP>
sslyze --regular <Target-IP>

Check for:

✔ Self-signed Certificates
✔ Weak Hashing Algorithms
✔ SSL v2/v3 Detection
✔ RC4 & CBC Ciphers
✔ Logjam & Sweet32 Issues
✔ POODLE, Heartbleed, BEAST Vulnerabilities


Step 7: Check for Default Credentials

  1. Identify running services from Nmap/Nessus reports.
  2. Look up the vendor's documented default username & password.
  3. Try logging in.

Examples:

  • Cisco: admin:admin
  • Apache Tomcat: admin:tomcat

Step 8: Common Port-Specific Tests

DNS (53/UDP):

dig @<Target-IP> any example.com
dnsenum --enum example.com

✔ Check for Zone Transfers
✔ Bruteforce Subdomains
✔ Check for Open Recursion (DNS Amplification exposure)

SMTP (25/TCP):

echo VRFY root | nc -v <Target-IP> 25
nmap -Pn -sS -p25 --script=smtp* -v <Target-IP>

✔ Check Open Relay
✔ Email Spoofing
✔ Username Enumeration

SNMP (161/UDP):

snmpwalk -c public -v2c <Target-IP>
nmap -Pn -sU -p161 --script=snmp* <Target-IP>

✔ Default Community Strings (public/private)
✔ Extract Usernames, Hostnames
✔ Banner Grabbing

SSH (22/TCP):

nmap -Pn -sS -p22 --script=ssh* -v <Target-IP>

✔ Check for SSHv1 Support
✔ Weak Ciphers & HMAC Algorithms
✔ Bruteforce using Hydra & Medusa

SMB (445,137,139/TCP):

nmap -Pn -sS -p445 --script=smb* -v <Target-IP>

✔ Check Samba Service Version
✔ Check for EternalBlue (MS17-010) Exploit
✔ Extract SMB Users

FTP (21/TCP):

nmap -Pn -sS -p21 --script=ftp* -v <Target-IP>

✔ Anonymous Login Enabled?
✔ Banner Grabbing
✔ Bruteforce using Hydra

Telnet (23/TCP):

nmap -Pn -sS -p23 --script=telnet* -v <Target-IP>

✔ Check for Weak Authentication
✔ Bruteforce Passwords
✔ Banner Grabbing

SQL Server (1433,1434,3306/TCP):

nmap -Pn -sS -p1433,1434,3306 --script=ms-sql*,mysql* -v <Target-IP>

✔ Banner Grabbing
✔ Default Credentials (root:root)
✔ Bruteforce using SQLPing, SQLRecon

RDP (3389/TCP):

nmap -Pn -sS -p3389 --script=rdp* -v <Target-IP>

✔ Identify Active Users
✔ Check for RDP Encryption Issues
✔ Test for Weak Credentials

Oracle DB (1521/TCP):

nmap -Pn -sS -p1521 --script=oracle* -v <Target-IP>

✔ SID Enumeration
✔ Weak Authentication Check
✔ Bruteforce Accounts
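
To carry the open ports from the Step 3 grepable output (-oG) straight into the port-specific tests of Step 8 without retyping them, here is an added Python example (not part of the original checklist): it parses nmap's grepable format, keeps only open ports, and emits the matching Step 8 style nmap line. The PORT_SCRIPTS table is my own mapping derived from Step 8 (the dns* and mysql* globs are my additions), and SAMPLE is constructed, not real scan output.

```python
from typing import Dict, List, Tuple
# Port/protocol -> NSE script glob, from the Step 8 commands. dns* and mysql*
# are my own additions (Step 8 uses dig/dnsenum for DNS and ms-sql* for SQL).
PORT_SCRIPTS: Dict[Tuple[int, str], str] = {
    (53, "udp"): "dns*", (25, "tcp"): "smtp*", (161, "udp"): "snmp*",
    (22, "tcp"): "ssh*", (445, "tcp"): "smb*", (21, "tcp"): "ftp*",
    (23, "tcp"): "telnet*", (1433, "tcp"): "ms-sql*", (3306, "tcp"): "mysql*",
    (3389, "tcp"): "rdp*", (1521, "tcp"): "oracle*",
}

def parse_grepable(text: str) -> List[Dict[str, object]]:
    # Returns one record per OPEN port found in nmap -oG (grepable) output.
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." header/footer comment lines
        # tab-separated "Key: value" fields: Host, Status|Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        host = fields["Host"].split(" ", 1)[0]
        for entry in fields["Ports"].split(", "):
            # port/state/proto/owner/service/rpcinfo/version/ -- nmap rewrites
            # any '/' inside the version text as '|', so 7 fields is safe
            parts = entry.split("/", 6)
            if len(parts) != 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts
            if state == "open":
                findings.append({"host": host, "port": int(port), "proto": proto,
                                 "service": service, "version": version.rstrip("/")})
    return findings

def followup_commands(findings: List[Dict[str, object]]) -> List[str]:
    # Builds the Step 8 style nmap line for each open port with a known script set.
    cmds = []
    for f in findings:
        scripts = PORT_SCRIPTS.get((f["port"], f["proto"]))
        if scripts:
            scan = "-sS" if f["proto"] == "tcp" else "-sU"
            cmds.append(f"nmap -Pn {scan} -p{f['port']} --script={scripts} -v {f['host']}")
    return cmds

# Constructed sample of nmap_grepable_SYN (not real scan output).
SAMPLE = (
    "# Nmap 7.94 scan initiated as: nmap -Pn -sS -sV -v 10.0.0.5 -oG nmap_grepable_SYN\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 (protocol 2.0)/, "
    "25/filtered/tcp//smtp///, 445/open/tcp//microsoft-ds//Samba smbd 4.x/, "
    "3306/open/tcp//mysql//MySQL 5.7.42/\tIgnored State: closed (996)\n"
)
```

Point it at the real nmap_grepable_SYN and nmap_grepable_UDP files from Step 3 and the filtered port 25 entry above shows why only "open" states are kept.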


Step 9: Useful Links for VAPT Tools

🔹 Nessus: https://www.tenable.com/products/nessus
🔹 testssl.sh: https://github.com/drwetter/testssl.sh
🔹 Nikto: https://cirt.net/Nikto2
🔹 Nmap: https://nmap.org/
🔹 John The Ripper: https://www.openwall.com/john/
🔹 masscan: https://github.com/robertdavidgraham/masscan
🔹 DNSdumpster: https://dnsdumpster.com/
🔹 Kali Linux: https://www.kali.org/downloads/


Final Notes

Ensuring robust network security through a structured VAPT process helps identify and mitigate vulnerabilities before exploitation. This checklist streamlines assessments, enhances security, and ensures compliance. Regular testing is key to staying ahead of cyber threats.
