Testing Methodology

Passive Reconnaissance

This section focuses on the very first part of a penetration test: Passive Reconnaissance. This is where you use all the tools and resources at your disposal to gather up all of the information you can on your target, without interacting with the target in anyway (no scanning).
For more tools and resources on intelligence gathering outside of the below frameworks, please see the OSINT section under Cyber Intelligence.
Note: Many Recon Frameworks have both passive and active reconnaissance capabilities.

Active Recon and Scanning

After your passive reconnaissance phase, the next step is active scanning of your target. This usually involves port scanning and scanning for any vulnerabilities that your target might have, preferably with out them noticing. Active scanning does have direct interaction with your target and does run the risk of being detected. There are ways to subtle scan your target and not draw too much attention. This can include slowing the rate of your scanning or performing them in such a way as to not create a full connection request that would trigger any defensive alerts.
The following section will contain scanning tools and resources such as port scanners, vulnerability scanners, and so much more!


Exploit Research

Attacking your target

After finding your target and enumerating it, its now time for your initial access. This step is usually focused around exploiting a port/service open to you. There are tons of different ways to do this as you can see with the guides and list below. Keep in mind that just because you cannot completely exploit one service does not mean it wont be helpful. Certain services may have interesting intel that might help you exploit something else, such as an open FTP server with anonymous auth, that contains a few docs with valid usernames in it (you will find worse things).
Once you have your initial exploitation, you will essentially attempt a second round of it to escalate your privileges in the target box. Some times that can be done by getting initial access on another trusted box, or even by a service that is running internally on the loopback. Check everything, look everywhere, and dont forget the OSCP catch phrase, "try harder!"
For reference on exploiting specific services please see the Exploitation section.

Payloads and Obfuscation tools

Exploit Development/Buffer Overflow

For details on creating your own exploits, and the dreaded topic of buffer overflows, please see the Exploit Dev section.

Actions on Target

  • Penetration Testing: Post Exploitation - pg.277

Endpoint Enumeration and Harvesting

Network Harvesting and MITM

Privilege Escalation

Active Directory


Offensive Utility

File Transfer

Lateral Movement


Defense Evasion

Password Attacks



Special Targets