Overview
This methodology provides a systematic framework for penetration testing engagements. Whether you are performing an internal or external test, following this structured approach ensures thorough coverage and reproducible results.
The Methodology
Physical Attacks (Step 0)
If you have physical access to the target machine, consider physical attack vectors and escaping from GUI applications before moving to network-based testing.
Discover Hosts / Assets (Step 1)
Depending on whether you are performing an internal or external test:
- Internal test: Find hosts inside the company network.
- External test: Find company assets exposed on the internet using External Recon.
Network Fun (Step 2 — Internal Only)
Before attacking individual hosts, consider stealing credentials from the network or passively/actively sniffing data (MitM). See Pentesting Network.
Port Scan — Service Discovery (Step 3)
The first step when looking for vulnerabilities in a host is knowing which services are running on which ports. Use tools like nmap, masscan, and service fingerprinting.
Search for Service Version Exploits (Step 4)
Once you know which services and versions are running, search for known vulnerabilities. A public exploit may give you a shell directly. See Search Exploits for tools and resources.
Pentest Services (Step 5)
If no public exploit exists, look for common misconfigurations in each running service. This book contains guides for the most common services.
- Automatic tools: Consider Legion for automated vulnerability assessment.
- Brute-force: Use the Brute Force CheatSheet when credentials may be weak.
Phishing (Step 6)
If no interesting vulnerability is found, Phishing can be a powerful way to get inside the network or capture credentials.
Note: Be aware of modern AI-assisted tooling vulnerabilities — for example, CVE-2025-61260 allows code execution via malicious MCP server configurations committed to a repo.
Getting a Shell (Step 7)
Once you have code execution, use Reverse Shells to obtain an interactive shell. On Windows, you may need AV bypass techniques.
Post-Exploitation Commands (Step 8)
With a shell, use these key command references:
- Linux: Useful Linux commands for pentesters
- Windows CMD: Basic CMD commands for pentesters
- Windows PowerShell: Basic PowerShell for pentesters
Exfiltration (Step 9)
Extract data from the victim or introduce scripts (like privilege escalation tools). See Exfiltration for common techniques.
Privilege Escalation (Step 10)
If you are not root/Administrator, escalate your privileges.
- Local PrivEsc: Linux and Windows local privilege escalation guides.
- Domain PrivEsc: Active Directory methodology for escalating privileges and persisting.
- Tool: Use PEASS-ng (Suite PEAS) to enumerate escalation paths.
Post Exploitation (Step 11)
- Looting: Search for more passwords, access to other machines, or dump credentials.
- Persistence: Establish 2–3 different persistence mechanisms so you do not need to re-exploit.
Pivoting (Step 12)
With gathered credentials, gain access to other machines or scan new internal networks. Use Tunneling and Port Forwarding to move laterally.
Key Resource Cards
External Recon
Discover company assets, domains, subdomains, and cloud resources before touching any target.
Pentesting Network
Host discovery, port scanning, sniffing, ARP spoofing, and LAN attacks.
Brute Force CheatSheet
Brute-force techniques for dozens of services, from SSH to databases.
Reverse Shells
Shell generators and techniques for Linux, Windows, and more.
Exfiltration
Transfer files and data out of compromised environments.
Tunneling & Port Forwarding
SSH tunnels, SOCKS proxies, Chisel, Ligolo-ng, and more pivoting tools.
Additional Topics
- Android Applications — Mobile pentesting methodology
- Binary Exploitation — Basic Linux/Windows exploiting and exploitation tools
- Crypto Tricks — ECB, CBC-MAC, Padding Oracle attacks
- Side-Channel Attacks on messaging protocols