Testing Methodology

Search…
Testing Methodology
Passive Reconnaissance
This section focuses on the very first part of a penetration test: Passive Reconnaissance. This is where you use all the tools and resources at your disposal to gather up all of the information you can on your target, without interacting with the target in anyway (no scanning).
For more tools and resources on intelligence gathering outside of the below frameworks, please see the OSINT section under Cyber Intelligence.
OSINT
Recon Frameworks
Mapping the Site
Note: Many Recon Frameworks have both passive and active reconnaissance capabilities.
​https://tryhackme.com/room/passiverecon​
​https://tryhackme.com/room/redteamrecon​
Penetration Testing: Information Gathering - pg.113
Active Recon and Scanning
After your passive reconnaissance phase, the next step is active scanning of your target. This usually involves port scanning and scanning for any vulnerabilities that your target might have, preferably with out them noticing. Active scanning does have direct interaction with your target and does run the risk of being detected. There are ways to subtle scan your target and not draw too much attention. This can include slowing the rate of your scanning or performing them in such a way as to not create a full connection request that would trigger any defensive alerts.
The following section will contain scanning tools and resources such as port scanners, vulnerability scanners, and so much more!
​https://tryhackme.com/room/activerecon​
Scanning/Active-Recon
Exploitation
Exploit Research
Exploit Research
Attacking your target
After finding your target and enumerating it, its now time for your initial access. This step is usually focused around exploiting a port/service open to you. There are tons of different ways to do this as you can see with the guides and list below. 
Keep in mind that just because you cannot completely exploit one service does not mean it wont be helpful. Certain services may have interesting intel that might help you exploit something else, such as an open FTP server with anonymous auth, that contains a few docs with valid usernames in it (you will find worse things).
Once you have your initial exploitation, you will essentially attempt a second round of it to escalate your privileges in the target box. Some times that can be done by getting initial access on another trusted box, or even by a service that is running internally on the loopback. Check everything, look everywhere, and dont forget the OSCP catch phrase, "try harder!"
For reference on exploiting specific services please see the Exploitation section.
Exploitation
Payloads and Obfuscation tools
Payloads and Obfuscation
Exploit Development/Buffer Overflow
For details on creating your own exploits, and the dreaded topic of buffer overflows, please see the Exploit Dev section.
Exploit Dev/Buffer Overflow
Actions on Target
Penetration Testing: Post Exploitation - pg.277
Endpoint Enumeration and Harvesting
Enumeration and Harvesting
Network Harvesting and MITM
Network Attacks /Harvesting/MITM
Privilege Escalation
Privilege Escalation
Active Directory
Active Directory
Persistence
Persistence
Offensive Utility
File Transfer
File Transfer
Lateral Movement
Lateral Movement
Pivot/Proxy/Tunnel/Redirect
Pivot/Proxy/Tunnel/Redirect
Defense Evasion
Defense Evasion
Password Attacks
Password Attacks
Cloud
Cloud
Containers
Containers
Special Targets
Special Targets
​
Red - Offensive Operations
Scanning/Active-Recon
Last modified 3mo ago