Skip to content
Home
Penetration Testing Guide: Methodology, Tools, and Techniques

Penetration Testing Guide: Methodology, Tools, and Techniques

Cybersecurity Cybersecurity 8 min read 1532 words Beginner ExcellentWiki Editorial Team

Penetration testing — pentesting — is the practice of simulating cyber attacks against systems, networks, and applications to identify vulnerabilities before malicious actors can exploit them. Unlike vulnerability scanning, which automates the discovery of known vulnerabilities, pentesting involves manual, creative, and methodical testing that mimics real attack techniques.

The Pentesting Methodology

Planning and Scope

Every pentest begins with a clear scope definition. What systems are in scope? What testing methods are allowed? Are there any systems that must not be tested? The rules of engagement document defines these parameters and protects both the tester and the client.

This phase also includes obtaining written authorization. Never perform penetration testing without explicit permission — unauthorized testing is illegal, even if you find vulnerabilities. The authorization should specify testing windows, escalation contacts, and data handling procedures.

Reconnaissance

Reconnaissance gathers information about the target before any active testing begins.

Passive Reconnaissance

Passive recon uses publicly available information without interacting with the target’s systems. Techniques include:

  • OSINT (Open Source Intelligence): Collecting information from search engines, social media, job postings, and public documents
  • DNS enumeration: Querying DNS records to discover subdomains, mail servers, and name servers using tools like dig and nslookup
  • WHOIS lookups: Finding domain registration details
  • Shodan and Censys: Searching for exposed devices and services
  • Certificate transparency logs: Finding subdomains through SSL certificate logs

Active Reconnaissance

Active recon involves direct interaction with the target:

# DNS zone transfer attempt
dig axfr @ns1.target.com target.com

# Subdomain enumeration
gobuster dns -d target.com -w subdomains.txt

# Port scanning with Nmap
nmap -sV -sC -O -p- target.com

Scanning and Enumeration

Once you have initial information, scanning reveals more detail about the attack surface.

Port Scanning

Nmap is the industry standard for port scanning. Different scan types reveal different information:

# Stealth SYN scan
nmap -sS -p 1-10000 target.com

# Service version detection
nmap -sV --version-intensity 5 target.com

# Full scan with scripts
nmap -sT -sC -A -p- target.com

Service Enumeration

Each open port represents a potential entry point. Enumerate services thoroughly:

  • Web services (80, 443): Directory busting, parameter discovery, technology fingerprinting
  • SSH (22): Version detection, brute force testing
  • Databases (3306, 5432, 27017): Default credentials, exposed instances
  • SMB (445): Share enumeration, null session testing
  • RDP (3389): BlueKeep vulnerability, credential testing
# Web directory enumeration
gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# SMB enumeration
smbclient -L //target.com
enum4linux target.com

Vulnerability Analysis

Analyze the gathered information to identify vulnerabilities. This involves correlating service versions with known vulnerabilities (CVEs), testing for common misconfigurations, and manually probing for logic flaws.

Common vulnerability categories include:

  • Injection flaws: SQL injection, command injection, LDAP injection
  • Broken authentication: Weak passwords, session fixation, missing MFA
  • Sensitive data exposure: Unencrypted data, weak cryptography
  • XML External Entities (XXE): Parsing XML from untrusted sources
  • Broken access control: Privilege escalation, IDOR
  • Security misconfiguration: Default credentials, unnecessary services

Exploitation

Exploitation is the phase where you attempt to gain unauthorized access by leveraging identified vulnerabilities. The goal varies by test type — sometimes it is demonstrating proof of concept, other times it is gaining a foothold for deeper testing.

# Metasploit example
msfconsole
use exploit/multi/http/struts2_content_type_ognl
set RHOSTS target.com
set TARGETURI /struts2-showcase/
check
exploit

For web applications, manual exploitation often involves crafting payloads:

POST /login HTTP/1.1
Content-Type: application/json

{
  "username": "admin' OR '1'='1",
  "password": "admin' OR '1'='1"
---

Post-Exploitation

After gaining access, the post-exploitation phase involves:

  • Privilege escalation: Moving from a low-privileged account to root or administrator
  • Persistence: Maintaining access through backdoors or scheduled tasks
  • Lateral movement: Pivoting to other systems on the network
  • Data exfiltration: Demonstrating impact by extracting sensitive data
# Linux privilege escalation check
./linpeas.sh

# Windows privilege escalation check
.\winPEAS.exe

# Dump password hashes (Linux)
cat /etc/shadow
unshadow /etc/passwd /etc/shadow > hashes.txt
john --wordlist=rockyou.txt hashes.txt

Reporting

The report is the most important deliverable of a penetration test. It should include:

  • Executive summary: Non-technical overview for management
  • Technical findings: Detailed descriptions of each vulnerability, including steps to reproduce
  • Risk ratings: Severity classification (Critical, High, Medium, Low)
  • Remediation guidance: Clear, actionable steps to fix each issue

Essential Pentesting Tools

| Category | Tools | |

Penetration Testing Methodology

Penetration testing follows a structured methodology to ensure comprehensive coverage and reproducible results:

Reconnaissance

Gather information about the target before any testing. Passive reconnaissance uses public sources — DNS records, WHOIS data, job postings, social media, search engines. Active reconnaissance involves direct interaction — port scanning, service enumeration, and banner grabbing.

# Passive recon
dig example.com ANY
whois example.com
theHarvester -d example.com -b google

# Active recon
nmap -sV -sC -O example.com
gobuster dns -d example.com -w subdomains.txt

Vulnerability Analysis

Identify and verify vulnerabilities using automated scanners and manual techniques. Cross-reference findings with CVE databases and exploit databases. Prioritize based on CVSS scores, exploitability, and business impact.

Exploitation

Attempt to exploit identified vulnerabilities to gain access. Move from low-privilege access to higher privileges through lateral movement, privilege escalation, and credential harvesting. Document each successful exploitation step for the final report.

Post-Exploitation

Once access is gained, assess the potential impact. Can you access sensitive data? Can you move laterally to other systems? Can you maintain persistence? How long would it take the blue team to detect you?

Reporting

The final report is the most important deliverable. Include executive summary (non-technical), technical findings with reproduction steps, risk ratings, and remediation recommendations. Screenshots and proof-of-concept code add credibility and help the remediation team validate fixes.

Legal and Ethical Considerations

Never test systems without explicit written authorization. Use a formal rules of engagement document that defines scope, exclusions, testing windows, and communication protocols. Penetration testing without authorization is illegal in most jurisdictions.

FAQ

What is the CIA triad? Confidentiality (data accessible only to authorized parties), Integrity (data not tampered with), Availability (systems accessible when needed). These three principles form the foundation of all cybersecurity practices.

How do I start a career in cybersecurity? Learn networking, operating systems, and basic security concepts. Set up a home lab. Earn entry-level certifications like CompTIA Security+. Build hands-on skills through CTF challenges and bug bounty programs.

What is the difference between a vulnerability and an exploit? A vulnerability is a weakness in a system that could be exploited. An exploit is code or technique that takes advantage of a vulnerability to cause unintended behavior.

How often should I change my passwords? Current guidance recommends strong, unique passwords for each account and a password manager. Change passwords immediately if you suspect compromise rather than on a fixed schedule.

What is multi-factor authentication? MFA requires two or more verification factors — typically something you know (password), something you have (phone), and something you are (fingerprint). It dramatically reduces account takeover risk.

Penetration Testing Methodology

Penetration testing follows a structured methodology to ensure comprehensive coverage and reproducible results:

Reconnaissance

Gather information about the target before any testing. Passive reconnaissance uses public sources — DNS records, WHOIS data, job postings, social media, search engines. Active reconnaissance involves direct interaction — port scanning, service enumeration, and banner grabbing.

# Passive recon
dig example.com ANY
whois example.com
theHarvester -d example.com -b google

# Active recon
nmap -sV -sC -O example.com
gobuster dns -d example.com -w subdomains.txt

Vulnerability Analysis

Identify and verify vulnerabilities using automated scanners and manual techniques. Cross-reference findings with CVE databases and exploit databases. Prioritize based on CVSS scores, exploitability, and business impact.

Exploitation

Attempt to exploit identified vulnerabilities to gain access. Move from low-privilege access to higher privileges through lateral movement, privilege escalation, and credential harvesting. Document each successful exploitation step for the final report.

Post-Exploitation

Once access is gained, assess the potential impact. Can you access sensitive data? Can you move laterally to other systems? Can you maintain persistence? How long would it take the blue team to detect you?

Reporting

The final report is the most important deliverable. Include executive summary (non-technical), technical findings with reproduction steps, risk ratings, and remediation recommendations. Screenshots and proof-of-concept code add credibility and help the remediation team validate fixes.

Legal and Ethical Considerations

Never test systems without explicit written authorization. Use a formal rules of engagement document that defines scope, exclusions, testing windows, and communication protocols. Penetration testing without authorization is illegal in most jurisdictions.

———-|——-| | Reconnaissance | Nmap, Masscan, Shodan, theHarvester, Recon-ng | | Web testing | Burp Suite, OWASP ZAP, Dirb, Gobuster, SQLmap | | Exploitation | Metasploit, Empire, Cobalt Strike, Exploit-DB | | Password attacks | John the Ripper, Hashcat, Hydra, Medusa | | Wireless | Aircrack-ng, Reaver, Kismet | | Reverse engineering | Ghidra, IDA Pro, Radare2 | | Post-exploitation | Mimikatz, BloodHound, PowerSploit |

Legal and Ethical Considerations

Penetration testing requires strict adherence to legal and ethical standards. Always obtain written authorization before testing. Stay within the defined scope. Never access or modify data beyond what is necessary. Follow responsible disclosure if you discover vulnerabilities outside the test scope. Consider obtaining certifications like OSCP, GPEN, or PNPT to validate your skills.

Continuous Learning

The security landscape evolves rapidly. Stay current by following security research, participating in bug bounty programs, practicing on platforms like Hack The Box and TryHackMe, and attending security conferences. The best pentesters combine technical skill with creativity and persistence.

For a comprehensive overview, read our article on Cloud Security Architecture.

For a comprehensive overview, read our article on Cloud Security Guide.

Section: Cybersecurity 1532 words 8 min read Beginner 756 articles in section Report inaccuracy Back to top