Penetration Testing Methodology

┬┐Por Que?

In an effort to increase my penetration testing skills and move some of my notes from my OSCP attempts, I am going to put it all here so I can recall it during my future attempts. This will be nothing game-breaking, but rather my own views on what is important during different phases of a pentest. This post is going to be very link-heavy as I refer back to certain resources over and over in my experiences

Sven couldn’t figure out how to ping the gateway, but through determination, he failed very tired

What is this ‘pentest’ you speak of?

A penetration test is a test of a system’s security and it gives the system owner a view of the vulnerabilities that an attacker might be able to take advantage of. Since I am very happy to not be in any sort of educational program at this time, I will link to the Wikipedia definition for a penetration test… But in all reality, they have some good links at the bottom of the page. The party that is conducting the pentest should have the system owner’s best interest in mind. Both parties should protect themselves by ensure that the scope of the test is clearly defined and what, if anything, is completely out of scope.

There are essentially two types of pentests, but you may hear people referring to them by different names or combinations of names. The first is the external pentest. This test is run from outside the network, with (hopefully) no prior knowledge of the network. The attacker’s computer is not on the network at all, but the goal is to gain access to the network while identifying vulnerabilities. The other type of pentest is an internal pentest, which is set up with the attacker’s computer is already on the network. This could be simulating an insider threat or former employee or anything of that nature.

Once the administrative lines are drawn and the contract is solidified, the test can begin. A couple of important items that I have learned… screenshot as much as possible! The client will appreciate the recreation of an exploit without having to watch over your shoulder. This will also give them evidence that they can take to their security team in order to get the vulnerabilities patched. Another tip is to document everything. If you are able to work your way through a vulnerability and are able to exploit it, but cannot explain to the client how it happened, that information is going to be of little to no use to either party.

Hacker words… OSCP… penetration test


Planning and Recon – This phase is first in the methodology and should be used to gather information on your target both on system and off. You should be preparing your tools and note taking process. Some of the most commonly used tools during this phase:

# Useful tools/commands for recon
theharvester -d <target_ip> -l 500 -b all

Scanning – The pentesting team will conduct service enumeration, network mapping, and generally gathering any type of information that they can on the system. Based strictly on the scope, this can include live host identification and OS and application fingerprinting. Depending on your terrain, this set of tools could vary widely, but I will outline some of the resources that I find valuable for the Scanning Phase below:

# Other commands that are helpful
nmap --top-ports 10 --open --dns-server <target_ip> -oA nmap/top10_all_hosts

Exploitation – Once you have identified the vulnerabilities on the system, you can start to attempt to exploit them. These could be vulnerabilities in software running or the OS, if it is missing patches. There are some great tools for throwing exploits at systems, but you should remember that the frameworks and toolsets out there are not all-inclusive. I will outline some of the well-known tools that I have run in my experience.

“I’ll just launch a Hail Mary attack and hack this fool” – @hackerbaby

Post Exploitation – After you have gained initial access, there are many things that you could pivot into based on the scope of your test and what the client wants. You could ensure that you have persistence, gather credentials, try to identify if there is a DC that you can target, or you might just look around and try to move around laterally while gathering important data. Every customer is going to have a different goals for their test and the pentest team needs to keep that in mind.

Reporting – Reporting is, to many people’s dismay, the most important part of the penetration test. Clearly and effectively communicating the vulnerabilities and the possible result of allowing them to remain on the system is the main reason the customer has trusted you with this test. Like I said in a previous paragraph, screenshots are super helpful, take as many as you can. Charts and data representations that can be abstracted from the report are also helpful as they can be used to communicate large amounts of data to the customer quickly and effectively.

Additional Resources:

Leave a Reply

Your email address will not be published. Required fields are marked *