Penetration Testing Methodology
Overview
A penetration test is a structured, authorized simulation of an attack against an organization's systems. This methodology covers the end-to-end workflow for infrastructure penetration testing, from pre-engagement scoping through final reporting. Each phase has defined objectives, activities, and deliverables.
Pre-Engagement
Scoping
Define the boundaries before any testing begins:
- Target scope — IP ranges, domains, hostnames, and any exclusions
- Test type — black-box (no prior knowledge), grey-box (partial knowledge, e.g., credentials), or white-box (full access, source code)
- Rules of engagement — testing hours, restricted actions (e.g., no DoS, no social engineering), escalation contacts, emergency procedures
- Authorization — signed scope document and Rules of Engagement (RoE); never test without written authorization
Objectives
Agree on what success looks like:
- Identify vulnerabilities and demonstrate impact
- Test detection and response capabilities
- Validate specific compliance requirements
- Assess specific attack paths (e.g., "can an external attacker reach the database?")
Deliverables
- Scope document and signed authorization
- Emergency contact list
- Testing schedule communicated to the client
Reconnaissance
Gather information about the target environment without direct interaction (passive) and with controlled interaction (active).
Passive Reconnaissance
- OSINT on domains, employees, and infrastructure
- DNS records (A/AAAA, MX, NS, TXT; SPF and DMARC policies are published as TXT records and reveal how easily the domain can be spoofed)
- Certificate transparency logs
- Public code repositories, paste sites, breach databases
- Job postings (reveal technology stack)
Active Reconnaissance
- Port scanning and service enumeration
- Banner grabbing and version detection
- Web application fingerprinting
- DNS zone transfer attempts
- SNMP enumeration (community strings)
Key Tools
# Nmap — port scanning and service detection
# https://nmap.org/
# -p- scans all 65535 TCP ports, -sV/-sC add version detection and default scripts,
# -oA writes normal, XML and grepable (scan.gnmap) output. --min-rate 5000 is fast
# but noisy and can miss ports on lossy links; reduce it if results look incomplete.
nmap -sV -sC -p- --min-rate 5000 -oA scan <target>
# DNS enumeration
# Many servers answer ANY with a minimal response (RFC 8482); if so, query A, MX, NS and TXT individually.
dig any <domain>
# Zone transfer; "Transfer failed." is the expected (correct) answer from a hardened server.
dig axfr @<nameserver> <domain>
# Web fingerprinting
whatweb http://<target>
Phase Output
- Complete list of live hosts, open ports, and running services
- Identified technologies, versions, and potential attack surface
- Target prioritization based on exposed services
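The phase output listed above can be produced mechanically from the grepable file that `-oA scan` writes (`scan.gnmap`). The following shell snippet is an added example, not part of the original page or of Nmap: it lists live hosts and open ports per host and ranks them by service so the tester starts with the most promising targets. The `.gnmap` content is constructed (real files separate the `Host:`/`Ports:` fields with tabs, which the parser also accepts), and the tier lists are this example's own assumptions about which services usually yield a foothold fastest.

```shell
#!/bin/sh
# Added example: turn nmap grepable output (scan.gnmap from "-oA scan") into a
# prioritised target list. The sample below is constructed, not a real scan.

SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sV -sC -p- --min-rate 5000 -oA scan 10.0.0.0/29
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, 8080/filtered/tcp//http-proxy///  Ignored State: closed (65532)
Host: 10.0.0.6 ()  Status: Up
Host: 10.0.0.6 ()  Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet//Linux telnetd/, 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/  Ignored State: filtered (65532)
# Nmap done -- 8 IP addresses (2 hosts up) scanned'

# live_hosts [file...]: one IP per line for every host nmap reported as up
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }' "$@" | sort -u
}

# parse_gnmap [file...]: one line per OPEN port:
#   host<TAB>port/proto<TAB>service<TAB>version
parse_gnmap() {
  awk '
    /^Host:/ && /Ports:/ {
      host = $2                                   # "Host: 10.0.0.5 ()" -> 10.0.0.5
      sub(/^.*Ports: /, "")                       # keep only the port list
      sub(/[ \t]+(Ignored State|OS|Seq Index|IP ID Seq):.*$/, "")
      n = split($0, entry, /\/, /)                # entries are separated by "/, "
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")                   # port/state/proto/owner/service/rpc/version
        if (f[2] == "open")
          printf "%s\t%s/%s\t%s\t%s\n", host, f[1], f[3], f[5], f[7]
      }
    }' "$@"
}

# prioritize: prefix each parsed line with a tier (1 = look here first) and sort.
# The tier lists are this example's assumptions; tune them per engagement.
prioritize() {
  awk -F'\t' -v OFS='\t' '
    BEGIN {
      n = split("ftp telnet microsoft-ds netbios-ssn ms-wbt-server vnc snmp mysql ms-sql-s postgresql redis", high, " ")
      for (i = 1; i <= n; i++) tier[high[i]] = 1   # cleartext/legacy admin and data services
      n = split("ssh http https ldap smtp", mid, " ")
      for (i = 1; i <= n; i++) tier[mid[i]] = 2    # common, usually better hardened
    }
    { lvl = ($3 in tier) ? tier[$3] : 3; print lvl, $0 }
  ' | sort -k1,1n -k2,2
}

# Run on the constructed sample. On an engagement: parse_gnmap scan.gnmap | prioritize
echo "live hosts:"
printf '%s\n' "$SAMPLE_GNMAP" | live_hosts
echo "targets (tier, host, port, service, version):"
printf '%s\n' "$SAMPLE_GNMAP" | parse_gnmap | prioritize
```

The tier table deliberately ranks cleartext and file-sharing services above SSH and HTTP; adjust it to the objectives agreed in pre-engagement, and treat "filtered" ports as unknown rather than closed.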
Vulnerability Analysis
Analyze discovered services for known and unknown vulnerabilities.
Approach
- Automated scanning — run vulnerability scanners against discovered services to identify known CVEs and misconfigurations
- Manual verification — confirm scanner findings to eliminate false positives; test for logic flaws that scanners miss
- Research — search exploit databases and vendor advisories for vulnerabilities matching identified software versions
Areas to Assess
- Network services — outdated software, default credentials, misconfigurations
- Web applications — OWASP Top 10: injection, broken auth, XSS, SSRF, insecure deserialization, etc.
- Authentication — weak passwords, password reuse, missing MFA, brute-force protections
- Encryption — weak TLS versions or cipher suites, cleartext protocols, expired certificates
- Patch levels — missing security patches on OS and applications
Phase Output
- Vulnerability findings with severity ratings
- Verified vs. unverified vulnerability list
- Prioritized list of exploitation targets
Exploitation
Attempt to exploit identified vulnerabilities to demonstrate real-world impact. Every exploitation attempt must stay within scope and within the agreed Rules of Engagement; an exploit that risks disrupting a production service needs explicit client approval before it is run.
Exploitation Workflow
- Select target — prioritize by impact and likelihood of success
- Prepare exploit — adapt public exploits to the target environment, or develop custom exploits where needed
- Execute — run the exploit with appropriate precautions: prefer non-destructive payloads and proof-of-concept checks, rehearse against a replica where one exists, and stop at the first evidence that proves the finding
- Document — capture screenshots, command output, and timestamps
- Stabilize — if a shell is obtained, upgrade to an interactive session and verify stability before proceeding
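The "Document" step is easiest when logging is automatic rather than something the tester remembers to do after each command. Below is an added example, not code from the original page: a shell wrapper that runs a command, saves its output with a header (UTC time, operator, target, command line), records the exit code, and appends a SHA-256 of each record to a checksum file so the evidence can be shown not to have changed between the test and the report. The directory layout, header fields and the `ev`/`verify_evidence` names are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original page): wrap every command run against a
# target so its output, UTC timestamp, exit code and a hash of the record are
# kept for the report.

EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"
TARGET="${TARGET:-unset}"              # set per host, e.g. TARGET=10.0.0.6
OPERATOR="${OPERATOR:-$(id -un)}"

# hash_file <path>: SHA-256 with whichever tool the tester's box has
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# ev <command...>: run a command, show its output and record it in a numbered
# log with a header and trailer; returns the command's own exit code.
ev() {
  mkdir -p "$EVIDENCE_DIR"
  seq_no=$(( $(find "$EVIDENCE_DIR" -name '*.log' | wc -l) + 1 ))
  log="$EVIDENCE_DIR/$(printf '%04d' "$seq_no")-$(date -u +%Y%m%dT%H%M%SZ).log"
  printf 'timestamp: %s\noperator: %s\ntarget: %s\ncommand: %s\n%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$OPERATOR" "$TARGET" "$*" '---' > "$log"
  out=$(mktemp)
  "$@" > "$out" 2>&1                  # capture stdout+stderr, keep the real exit code
  rc=$?
  tee -a "$log" < "$out"               # show it to the tester and append to the record
  rm -f "$out"
  printf '%s\nexit_code: %s\nfinished: %s\n' '---' "$rc" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
  printf '%s  %s\n' "$(hash_file "$log")" "$(basename "$log")" >> "$EVIDENCE_DIR/SHA256SUMS"
  return "$rc"
}

# verify_evidence: recompute every hash in SHA256SUMS; fails on any edited or missing record
verify_evidence() {
  while read -r sum name; do
    [ "$(hash_file "$EVIDENCE_DIR/$name")" = "$sum" ] || { echo "MISMATCH: $name"; return 1; }
  done < "$EVIDENCE_DIR/SHA256SUMS"
  echo "all evidence records verify"
}

# Demo with a harmless local command. Real use: TARGET=10.0.0.6 ev nmap -sV 10.0.0.6
ev uname -a
verify_evidence
```

Screenshots still need to be taken by hand; name them with the same sequence number as the log they belong to so the report can pair the two.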
Common Exploitation Categories
- Service exploits — CVE-based attacks against vulnerable services
- Web attacks — SQL injection, file upload, SSRF, deserialization
- Credential attacks — password spraying, brute-force, default creds
- Client-side — phishing (if in scope), malicious documents
- Misconfigurations — anonymous access, writable shares, open relays
Phase Output
- Documented proof of each successful exploitation
- Initial access footholds with timestamps
- Evidence screenshots and command logs
Post-Exploitation
After gaining initial access, assess the true impact by enumerating the compromised environment, escalating privileges, and moving laterally.
Activities
- Local enumeration — users, groups, privileges, installed software, network connections, running processes, scheduled tasks
- Privilege escalation — exploit misconfigurations or vulnerabilities to elevate from standard user to administrator/root
- Credential harvesting — extract passwords, hashes, tokens, and keys from memory, files, the registry, and databases
- Lateral movement — use harvested credentials to access other systems (WinRM, PsExec, SSH, RDP, SMB)
- Data access — identify and document access to sensitive data (PII, financial, intellectual property, credentials)
- Persistence — demonstrate the ability to maintain access (document the mechanism but clean it up afterwards)
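linPEAS covers the Linux side of the enumeration and privilege-escalation steps above, but it helps to know what a few of its core checks actually do, both to verify its output and to work on a box where you cannot drop a large script. The shell functions below are an added example, not part of the original page or of PEASS-ng: they look for SUID/SGID binaries, world-writable cron files, weak permissions on /etc/passwd and /etc/shadow, file capabilities and password-less sudo rules. The optional root-directory parameter is this example's addition so the checks can be tried against a constructed tree; on a target you call them with no argument.

```shell
#!/bin/sh
# Added example (not from the original page): a readable subset of the checks
# linPEAS automates, one function per check. Each takes an optional root
# directory (default "/") so it can be tested against a constructed tree.

# SUID/SGID binaries: anything outside the distro's standard set is a candidate
enum_suid() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable files in cron locations: edit one and it runs as root on schedule
enum_writable_cron() {
  root=${1:-}
  set --
  for d in "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.hourly" \
           "$root/etc/cron.daily" "$root/etc/cron.weekly" "$root/var/spool/cron"; do
    [ -e "$d" ] && set -- "$@" "$d"
  done
  [ $# -gt 0 ] || return 0
  find "$@" -type f -perm -0002 2>/dev/null | sort
}

# Credential files that must never be writable (or, for shadow, readable) by an
# ordinary user. Note: run as root, -w/-r are always true; run this as the low-priv user.
enum_sensitive_perms() {
  root=${1:-}
  [ -w "$root/etc/passwd" ] && echo "WRITABLE: $root/etc/passwd (append a uid-0 user with a known hash)"
  [ -w "$root/etc/shadow" ] && echo "WRITABLE: $root/etc/shadow (replace root's hash)"
  [ -r "$root/etc/shadow" ] && echo "READABLE: $root/etc/shadow (crack hashes offline)"
  return 0
}

# File capabilities: cap_setuid on an interpreter is equivalent to root
enum_caps() {
  command -v getcap >/dev/null 2>&1 || { echo "getcap not installed"; return 0; }
  getcap -r "${1:-/}" 2>/dev/null | sort
}

# sudo rules for the current user: NOPASSWD entries and permitted binaries
enum_sudo() {
  sudo -n -l 2>/dev/null || echo "no password-less sudo rules (or sudo unavailable)"
}

enum_all() {
  root=${1:-}
  echo "== SUID/SGID binaries";                     enum_suid "$root"
  echo "== world-writable cron files";              enum_writable_cron "$root"
  echo "== /etc/passwd and /etc/shadow permissions"; enum_sensitive_perms "$root"
  echo "== file capabilities";                      enum_caps "$root"
  echo "== sudo rules";                             enum_sudo
}

# On a target: sh enum.sh --run   (or source the file and call the functions you need)
case "${1:-}" in --run) enum_all ;; esac
```

Compare the SUID list against a clean install of the same distribution; the interesting entries are the ones that are not on it, plus known escalation candidates (GTFOBins covers the standard binaries).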
Key Tools
# Linux enumeration
# https://github.com/peass-ng/PEASS-ng
./linpeas.sh
# Windows enumeration
# https://github.com/peass-ng/PEASS-ng
.\winPEASx64.exe
Phase Output
- Escalation path documentation (user → admin/root)
- Lateral movement map showing compromised systems
- Inventory of accessed sensitive data
- Evidence of demonstrated business impact
Reporting
The report is the primary deliverable and must clearly communicate findings, risk, and remediation guidance to both technical and executive audiences.
Report Structure
- Executive summary — non-technical overview of scope, key findings, overall risk posture, and strategic recommendations (1-2 pages)
- Methodology — brief description of testing approach and tools used
- Findings — each vulnerability documented with:
  - Title and severity (Critical, High, Medium, Low, Informational)
  - Description of the vulnerability
  - Affected systems/URLs
  - Steps to reproduce
  - Evidence (screenshots, command output)
  - Impact statement
  - Remediation recommendation
- Attack narrative — chronological walkthrough of the most significant attack path from initial access to objective completion
- Appendices — full scan output, raw data, and supplementary evidence
Severity Ratings
Use CVSS or a consistent internal scale:
| Severity | Description |
|---|---|
| Critical | Immediate exploitation leads to full system compromise, data breach, or business disruption |
| High | Exploitation likely with significant impact; requires prompt remediation |
| Medium | Exploitation possible with moderate impact; remediate within normal patch cycle |
| Low | Minor issue with limited impact; address when convenient |
| Informational | Best practice recommendation; no direct exploitation path |
Phase Output
- Technical report with all findings and evidence
- Executive summary for management
- Remediation roadmap prioritized by severity
Cleanup
After testing is complete and before the engagement closes:
- Remove all tools, shells, and backdoors deployed during testing
- Delete any files uploaded to target systems
- Remove any user accounts created during testing
- Revert configuration changes made during testing
- Document any artifacts that could not be removed and notify the client
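Cleanup is far more reliable when each artifact is recorded at the moment it is created, together with the command that undoes it, and removal is then replayed newest-first (later artifacts often depend on earlier ones, for example a file inside a directory you created). The script below is an added example, not part of the original page: the manifest format, the `local` transport and the report layout are this example's conventions, and `run_on` is a stub you would replace with ssh, WinRM or whatever transport you actually used on the engagement.

```shell
#!/bin/sh
# Added example (not from the original page): keep a manifest of every artifact
# created on a target and replay the undo commands at the end of the engagement,
# producing a report of anything that could not be removed.

MANIFEST="${MANIFEST:-./artifacts.manifest}"
REPORT="${REPORT:-./cleanup-report.txt}"

# track <host> <undo-command>: call this the moment you create something.
#   track 10.0.0.6 "rm -f /tmp/linpeas.sh"
#   track 10.0.0.6 "userdel -r pentest_svc"
#   track 10.0.0.6 "crontab -r -u www-data"
track() {
  printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$MANIFEST"
}

# run_on <host> <command>: how undo commands reach a host. Only "local" is
# implemented here (assumption); add ssh/WinRM cases for real targets.
run_on() {
  case "$1" in
    local) sh -c "$2" ;;
    *) echo "no transport configured for host $1" >&2; return 1 ;;
  esac
}

# cleanup: undo entries newest-first, write a report, return 1 if anything is left
cleanup() {
  [ -f "$MANIFEST" ] || { echo "no manifest, nothing to clean"; return 0; }
  : > "$REPORT"
  # reverse the manifest portably (tail -r is not POSIX): number, sort descending, strip
  awk '{ print NR "\t" $0 }' "$MANIFEST" | sort -k1,1nr | cut -f2- |
  while IFS="$(printf '\t')" read -r ts host undo; do
    # </dev/null so an undo command (ssh!) cannot swallow the rest of the manifest
    if err=$(run_on "$host" "$undo" 2>&1 < /dev/null); then
      printf 'REMOVED\t%s\t%s\t(created %s)\n' "$host" "$undo" "$ts" >> "$REPORT"
    else
      printf 'FAILED\t%s\t%s\t%s\n' "$host" "$undo" "$err" >> "$REPORT"
    fi
  done
  failed=$(awk '/^FAILED/ { n++ } END { print n + 0 }' "$REPORT")
  echo "cleanup report in $REPORT: $failed item(s) could not be removed; disclose them to the client"
  [ "$failed" -eq 0 ]
}

# Demo with throwaway local artifacts (constructed). On an engagement, track()
# is called as each file, account or scheduled task is created on the target.
demo=$(mktemp)
track local "rm -f $demo"
track local "rmdir /nonexistent-dir-for-demo"
if cleanup; then echo "environment clean"; else echo "leftovers remain, see $REPORT"; fi
cat "$REPORT"
```

The FAILED lines of the report are exactly the list the last bullet above asks you to hand to the client, with the error text explaining why removal did not work.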