Advanced Pentest & Offensive

Pentest methodology — recon, enum, exploit, post-exploit, report

A penetration test is a structured, authorized process to find vulnerabilities before real attackers do. Without methodology, a test becomes random guessing — with methodology, it produces traceable, actionable evidence.

Phase 1 — Reconnaissance (Recon)

Gather information about the target before any direct interaction.

Passive recon (no direct contact with target):
  - WHOIS, DNS, TLS certificates (crt.sh)
  - Shodan / Censys — internet-exposed assets
  - LinkedIn — technologies, employees, vendors
  - Google dorks — indexed sensitive files

Active recon (direct interaction with target):
  - DNS enumeration: zone transfer, subdomain brute force
  - Initial port scan to map attack surface
  - Ping sweep for host discovery

Phase 2 — Enumeration (Enum)

Detailed extraction of information from identified services.

Goals:
  - Exact service versions (Apache 2.4.49, OpenSSH 7.2)
  - Valid users exposed (SMTP VRFY, SMB null session)
  - Network shares, web directories, accessible databases
  - Default configurations left in place (default credentials, admin endpoints)

Phase 3 — Exploitation (Exploit)

Leveraging discovered vulnerabilities to gain access — always within authorized scope.

Exploitation types:
  - Public CVE with available exploit
  - Weak or default credentials
  - Misconfiguration (e.g., upload endpoint without auth)
  - Injection (SQLi, command injection, SSTI)

Typical flow:
  Vulnerability identified
    → research exploit (ExploitDB, Metasploit, GitHub)
    → adapt to target environment
    → controlled execution
    → confirm access

Phase 4 — Post-Exploitation (Post-Exploit)

Simulate what a real attacker would do after initial access.

Post-exploitation activities:
  - Privilege escalation (local → root/SYSTEM)
  - Persistence: cron job, service, SSH key
  - Credential harvesting: hash dumps, plaintext in files
  - Pivoting: use compromised host as a jump point to internal networks
  - Simulated exfiltration: demonstrate access to sensitive data
  - Evidence cleanup (in a real pentest, log everything before cleaning)

Phase 5 — Report

The most valuable deliverable for the client. Without a report, the pentest has no impact.

Minimum structure:
  1. Executive summary — overall risk in business language
  2. Scope and methodology
  3. Vulnerabilities — by severity (Critical → Informational)
     - Description, evidence (screenshot/log), CVSS, step-by-step reproduction
  4. Remediation recommendations — concrete and prioritized
  5. Conclusion and next steps

Engagement types

Black box:  pentester receives no prior information — simulates external attacker
Grey box:   receives credentials or partial diagram — simulates insider or successful phishing
White box:  full access to code, infrastructure, credentials — maximum coverage, fewer surprises

Scope checklist (before starting)

[ ] Rules of Engagement signed
[ ] Authorized IPs and domains listed
[ ] Time window defined
[ ] Client emergency contact
[ ] What is off-limits (e.g., DoS, production systems)
[ ] Evidence storage location agreed upon
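The checklist above is easiest to enforce mechanically: the following is an added example (not part of the original page) of a small scope gate that takes the agreed Rules of Engagement as data and refuses a target that is outside the authorized ranges or domains, explicitly off-limits, or outside the time window. All CIDRs, domains, hosts and dates are constructed placeholders, and `check_target` / `ROE` are names chosen here.

```python
import ipaddress
from datetime import datetime

# Constructed Rules-of-Engagement scope for illustration only (not a real client).
ROE = {
    "cidrs": ["203.0.113.0/24", "198.51.100.0/25"],   # authorized IP ranges
    "domains": ["example.com"],                        # apex plus all subdomains
    "excluded_hosts": ["203.0.113.10"],                # e.g. a production DB host
    "window": ("2024-06-03T08:00:00+00:00", "2024-06-07T18:00:00+00:00"),
}


def _in_cidrs(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def _in_domains(name, domains):
    # Match the apex exactly or as a proper subdomain; "evilexample.com" must not match.
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def in_window(now_iso, roe=ROE):
    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    return start <= datetime.fromisoformat(now_iso) <= end


def check_target(target, now_iso, roe=ROE):
    """Return (allowed, reason) for one host; run before any active testing."""
    if not in_window(now_iso, roe):
        return False, "outside agreed time window"
    try:
        ipaddress.ip_address(target)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        if target in roe["excluded_hosts"]:
            return False, "explicitly off-limits"
        if not _in_cidrs(target, roe["cidrs"]):
            return False, "IP not in authorized ranges"
        return True, "in scope"
    if not _in_domains(target, roe["domains"]):
        return False, "domain not authorized"
    return True, "in scope"


if __name__ == "__main__":
    for host in ["203.0.113.5", "203.0.113.10", "api.example.com", "example.org"]:
        print(host, check_target(host, "2024-06-04T12:00:00+00:00"))
```

Keeping the scope in a data file that is committed alongside the evidence makes every scan log traceable back to a signed authorization.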

Methodology is not bureaucracy — it is what separates professional pentesting from illegal intrusion.