Methodology

Penetration tests usually follow a structured sequence of phases that testers work through in order. Here I'll briefly explain each part of an engagement.

1. Pre-Engagement

Objective: Establish clear goals, scope, and boundaries with the client.

Activities:

  • Define scope: systems, networks, and applications included.

  • Set legal boundaries, expectations, and success criteria.

  • Draft and sign a Rules of Engagement (RoE) document.

Tools & Techniques: Legal contracts, RoE agreements.

Outcome: A shared understanding of what will be tested and how.
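A practical way to enforce the scope agreed in the RoE is to check every candidate target against the inclusion and exclusion lists before any active work starts. The following is an added example, not code from the original page; the scope entries and target values are constructed placeholders, and explicit exclusions are assumed to take precedence over inclusions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample RoE scope (hypothetical values, not from any real engagement).
IN_SCOPE = ["10.10.0.0/16", "203.0.113.0/24", "app.example.test"]
OUT_OF_SCOPE = ["10.10.5.0/24", "203.0.113.7"]  # exclusions win over inclusions


def _parse_scope(entries):
    """Split scope entries into IP networks and bare hostnames."""
    nets, hosts = [], set()
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.add(entry.lower())
    return nets, hosts


def _normalise_target(target):
    """Accept a bare IP, a hostname, or a URL; return (ip or None, hostname or None)."""
    if "://" in target:
        target = urlparse(target).hostname or ""
    try:
        return ipaddress.ip_address(target), None
    except ValueError:
        return None, target.lower()


def in_scope(target, include=IN_SCOPE, exclude=OUT_OF_SCOPE):
    """True only if the target matches an inclusion and no exclusion."""
    inc_nets, inc_hosts = _parse_scope(include)
    exc_nets, exc_hosts = _parse_scope(exclude)
    ip, host = _normalise_target(target)
    if ip is not None:
        if any(ip in net for net in exc_nets):
            return False
        return any(ip in net for net in inc_nets)
    return host in inc_hosts and host not in exc_hosts


def filter_targets(targets, include=IN_SCOPE, exclude=OUT_OF_SCOPE):
    """Partition a candidate list into (allowed, rejected) before scanning."""
    allowed = [t for t in targets if in_scope(t, include, exclude)]
    rejected = [t for t in targets if t not in allowed]
    return allowed, rejected


if __name__ == "__main__":
    candidates = ["10.10.1.5", "10.10.5.20", "203.0.113.7",
                  "https://app.example.test/login", "198.51.100.9"]
    print(filter_targets(candidates))
```

Anything landing in the rejected list should be raised with the client before testing continues, rather than silently dropped.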


2. Information Gathering

Objective: Collect intelligence about the target.

Activities:

  • Passive reconnaissance: Gather open-source intelligence (domain names, IP ranges, email addresses).

  • Active reconnaissance: Perform scans to discover open ports, services, and potential weaknesses.

Tools & Techniques:

  • Passive: WHOIS, Shodan, theHarvester, Google search operators.

  • Active: Nmap, Masscan, banner grabbing.

MITRE ATT&CK Mapping: Reconnaissance (T1595), Initial Access (T1078).


3. Vulnerability Assessment

Objective: Identify potential vulnerabilities and misconfigurations.

Activities:

  • Run automated vulnerability scans.

  • Perform manual validation for accuracy.

  • Check for missing patches, weak encryption, or insecure coding practices.

Tools & Techniques: Nessus, OpenVAS, Qualys, Burp Suite, Nikto, manual code review.

Outcome: A prioritized list of vulnerabilities and potential attack vectors.

MITRE ATT&CK Mapping: Discovery (T1083), Network Service Scanning (T1046).


4. Exploitation

Objective: Validate vulnerabilities by exploiting them to gain access.

Activities:

  • Execute exploits against identified weaknesses.

  • Attempt to bypass security controls.

Tools & Techniques: Metasploit, ExploitDB, custom scripts, SQL injection, XSS, RCE.

Outcome: Initial access to the target system.

MITRE ATT&CK Mapping: Execution (T1203), Exploitation for Client Execution (T1203).


5. Post-Exploitation

Objective: Assess the value of compromised systems and maintain access.

Activities:

  • Extract sensitive data (credentials, tokens, files).

  • Establish persistence for continued access.

  • Cover tracks by cleaning or manipulating logs.

Tools & Techniques: Mimikatz, Windows Credential Manager, cron jobs, registry modifications, SSH backdoors.

Outcome: Maintained access and intelligence on the compromised environment.

MITRE ATT&CK Mapping: Persistence (T1547), Collection (T1114), Defense Evasion (T1070).


6. Lateral Movement

Objective: Expand control across the target environment.

Activities:

  • Use harvested credentials or tokens to access other systems.

  • Pivot through compromised hosts.

  • Exploit remote services (SMB, RDP, SSH).

Tools & Techniques: Proxychains, Metasploit pivoting, Pass-the-Hash, PsExec.

Outcome: Compromise of additional systems.

MITRE ATT&CK Mapping: Lateral Movement (T1021), Pass-the-Hash (T1550), Exploitation of Remote Services (T1210).


7. Privilege Escalation

Objective: Obtain administrative or root-level privileges.

Activities:

  • Exploit misconfigurations or kernel vulnerabilities.

  • Abuse permission weaknesses.

Tools & Techniques:

  • Linux: SUID exploits, kernel exploits (e.g., Dirty Cow), weak sudo permissions.

  • Windows: UAC bypass, token manipulation, vulnerable service exploits (e.g., PrintNightmare).

Outcome: Elevated privileges on the compromised system.

MITRE ATT&CK Mapping: Privilege Escalation (T1068), Exploitation for Privilege Escalation (T1068).


8. Proof of Concept (PoC)

Objective: Demonstrate the real-world impact of vulnerabilities.

Activities:

  • Provide evidence of successful exploitation.

  • Show access to sensitive data or system control.

Tools & Techniques: Custom exploits, screenshots, data extraction.

Outcome: Documented proof of exploitation impact.

MITRE ATT&CK Mapping: Impact (T1486).


9. Post-Engagement

Objective: Deliver results and restore the environment.

Activities:

  • Prepare detailed technical and executive reports.

  • Provide recommendations for remediation.

  • Remove all artifacts, backdoors, and persistence mechanisms.

Tools & Techniques: Manual cleanup, forensic validation, reporting frameworks.

Outcome: Systems restored and client equipped with actionable remediation guidance.


Key Differences: Post-Exploitation vs. Lateral Movement vs. Privilege Escalation

  • Post-Exploitation: Focuses on data collection, persistence, and stealth within a single compromised system.

  • Lateral Movement: Expands access by moving across the network using compromised credentials or pivoting.

  • Privilege Escalation: Elevates privileges on the current system to gain more control.


End-to-End Workflow Example

  1. Pre-Engagement: Define scope and rules with contracts and RoE.

  2. Information Gathering: WHOIS lookups, Nmap scans.

  3. Vulnerability Assessment: Automated scan with Nessus, validate with Burp Suite.

  4. Exploitation: Gain access via an RCE exploit using Metasploit.

  5. Post-Exploitation: Dump credentials with Mimikatz, set persistence with cron jobs.

  6. Lateral Movement: Pivot into SMB shares with proxychains.

  7. Privilege Escalation: Exploit kernel vulnerability for root access.

  8. Proof of Concept: Document access to sensitive files.

  9. Post-Engagement: Remove persistence, deliver report with recommendations.
