I like to break a pentest into a few categories:
Intruder Scope: who is able to do this attack? Entire Internet (worst) / Local Area (think Wifi) / Targeted (USB stick dropped in your parking lot, very narrow)
For a first audit I would focus on the Internet scope and maybe put a little time into Wifi.
What info can I get from their website? phone #? HTTPS?
Are email addresses protected from web crawlers? Browse to https://websitename/robots.txt and investigate what it lists.
If documents are public, a tool like FOCA can read their metadata to retrieve email addresses and employee names.
Google search the company. Find their CEO's name, Google search that too, and look them up on LinkedIn.
https://www.seoptimer.com: enter the website name and note the items in the security section. It doesn't do a good job of finding email addresses.
In the technology section, look for platforms that are frequently compromised, e.g. WordPress, and Google search the platform name + vulnerability.
https://www.dnsinspect.com: look for red items and check for an SPF record.
https://hunter.io: enter the website name and note which other websites the email addresses appear on.
mxtoolbox.com: do an A record search and note the hosting provider.
Look up the MX record to see who hosts their email, and check email health!
linkedin.com: search for names.
dnsdumpster.com creates a nice visual map of the DNS tree.
https://lookup.icann.org/lookup: enter a domain name to find their DNS registrar.
https://securitytrails.com requires creating an account but has lots of information in one spot.
Put a mailinator.com email address into every reset-your-password box to see if the message differs for valid and invalid email addresses.
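That reset-box check works because many sites word the response differently for known and unknown addresses. Added Python example (not from the original notes): a leaky handler next to a uniform one, plus the self-check a site owner can run against their own handler before a tester does. The user table is a constructed stand-in for a real account store, and the send callback stands in for the mailer.

```python
"""Password-reset responses that do and do not reveal whether an address exists.

Added example, not from the original notes. USERS is a constructed
in-memory account store; send() stands in for the real mailer.
"""
import secrets

USERS = {"alice@example.com", "bob@example.com"}  # constructed sample accounts
GENERIC = "If that address is registered, a reset link has been sent."


def reset_leaky(email):
    """Vulnerable form: the wording tells the caller whether the account exists."""
    if email.lower() in USERS:
        return "A reset link has been sent to your email."
    return "No account found for that email address."


def reset_uniform(email, send=lambda addr, token: None):
    """Hardened form: identical message either way; only real accounts get mail."""
    # Generate the token on every request so the two paths do similar work
    # and the response time does not become the new enumeration oracle.
    token = secrets.token_urlsafe(32)
    if email.lower() in USERS:
        send(email.lower(), token)
    return GENERIC


def responses_differ(handler):
    """Self-check: does the handler answer a real and an unknown address differently?"""
    known = handler("alice@example.com")
    unknown = handler("nobody@mailinator.com")  # throwaway address, as in the note above
    return known != unknown


if __name__ == "__main__":
    print("leaky handler enumerable:", responses_differ(reset_leaky))
    print("uniform handler enumerable:", responses_differ(reset_uniform))
```

Run the same self-check against sign-up and login forms too; "that email is already registered" leaks exactly the same information as the reset box.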
A tracking pixel sent by email can reveal their public IP address.
Kali Linux will tell you SSH is started. It LIES:
sudo service ssh start
ip address (Linux) or ipconfig /all (Windows)
DHCP will give you a DNS server, which may also be a domain controller; let's verify:
nmap --script "ldap*" IP-Address-Of-DNS-Server
This should return a bunch of info; if it includes a DN, this is a domain controller:
| LDAP Results
| domainFunctionality: 6
| forestFunctionality: 6
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=my,DC=domain,DC=com
nmap --script=smb2-security-mode target.dns.name.or.IP (or a range of IP addresses)
|_ Message signing enabled but not required
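Added Python example (not from the original notes) that turns that smb2-security-mode output into a remediation list: it parses nmap's normal output for each host's "Message signing" verdict and lists the hosts where signing is not required. The scan text is constructed to look like nmap output, and the hosts and addresses are fictional.

```python
"""List hosts where SMB signing is not enforced, from nmap smb2-security-mode output.

Added example, not from the original notes. SAMPLE_SCAN is constructed
to resemble nmap's normal output; hosts and addresses are fictional.
"""
import re

SAMPLE_SCAN = """\
Nmap scan report for fs01.corp.example (10.0.0.5)
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for dc01.corp.example (10.0.0.10)
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.23
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing disabled
"""

# "Nmap scan report for host (ip)" or just "... for ip" when no reverse DNS.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
# Script output lines start with "| " or "|_ "; capture the verdict text.
SIGNING_RE = re.compile(r"^\|_?\s+Message signing (.+?)\s*$")


def parse_signing(scan_text):
    """Map each host (hostname or IP) to its smb2-security-mode verdict."""
    results = {}
    host = None
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = SIGNING_RE.match(line)
        if m and host:
            results[host] = m.group(1)
    return results


def hosts_needing_signing(scan_text):
    """Hosts whose signing state is anything other than 'enabled and required'."""
    verdicts = parse_signing(scan_text)
    return sorted(h for h, v in verdicts.items() if v != "enabled and required")


if __name__ == "__main__":
    for host in hosts_needing_signing(SAMPLE_SCAN):
        print(f"{host}: {parse_signing(SAMPLE_SCAN)[host]}")
```

Hosts on the list are the ones to fix with the "Microsoft network server: Digitally sign communications (always)" policy (RequireSecuritySignature = 1 under the LanmanServer\Parameters key); re-run the same nmap scan afterwards and the list should be empty.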
Nmap and 12 useful NSE scripts