A Complete Guide to Penetration Testing

 

June 7th, 2026

Penetration Testing

A penetration test is an authorized, simulated cyberattack against an organization's systems, networks, or applications to identify and exploit security vulnerabilities. Unlike a malicious attack, it is conducted ethically and legally by professionals who have explicit permission from the system owner to find weaknesses before a real adversary does. The ultimate purpose is not just to "break in" but to help organizations understand their specific weaknesses so they can be remediated. Successfully exploiting a vulnerability provides proof of impact, demonstrating to stakeholders exactly how an attacker could compromise sensitive data. When conducting a penetration test, there are many important considerations, tools, and techniques to be familiar with. This guide will help decipher the noise around penetration testing and help you carry out penetration tests of your own.

Engagement Management

Pre-engagement activities establish the foundation for legality, scope, communication, and alignment for the entire penetration test. Before carrying out a penetration test, the scope of the test must be defined and agreed upon. The scope defines exactly what is included in and excluded from testing, to prevent accidental overreach, the interruption of business operations, and the exposure of sensitive data. The Rules of Engagement (RoE) document defines the dos and don’ts: it specifies any excluded test cases (attack types), the communication channels for emergencies and reporting, and the testing window. Target selection is the part of penetration testing where testers identify which systems and assets to attack. They use specific identifiers such as IP addresses, open ports, domains, URLs, the presence of vulnerabilities on a system, and the type of data it stores to determine prime testing targets, and they use assessment types tailored to specific technologies such as web applications, networks (infrastructure), mobile platforms, cloud environments, APIs, and wireless infrastructure.

An important consideration for penetration testing within cloud environments is that security there is split: the cloud provider is responsible for the security of the cloud (i.e. facilities and physical infrastructure), and the customer is responsible for security in the cloud (i.e. data security, permissions, configurations, and patching). The penetration tester must stay within the authorized scope and not compromise assets deemed off limits, or the assets of the cloud provider and its other customers.

There are many legal documents and agreements that every penetration tester must be aware of:

  • Authorization Letter: Is the legal foundation of the test; without it, testing is considered illegal access of computer resources. Testers must also be aware of mandatory reporting requirements for specific discoveries (i.e. criminal activity) and the personal legal risks of accidental service outages or liability.

  • NDA: Bars the penetration tester from disclosing confidential client information discovered during the test.

  • MSA: Establishes the overarching legal and operational framework for the entire vendor relationship.

  • SoW: Is a project-specific document that details the exact technical testing boundaries, timelines, and pricing for a single engagement.

  • ToS: Outlines the conditions for using specific services or platforms.

Effective collaboration and communication between the testers and the client are essential to ensuring technical findings are understood by all stakeholders and that critical issues are handled promptly. Findings should be validated by a peer review process to ensure technical accuracy, followed by root cause analysis that explains why a vulnerability exists; this helps articulate to the client the risk the vulnerability poses, based on its severity and potential impact, so that the client can prioritize its remediation. Clients should be given a Business Impact Analysis report which translates technical flaws into business consequences like fines and reputational damage. Stakeholder alignment is essential and ensures technical teams and executives agree on goals and ideal results, and an escalation path must be created to provide testers with predefined contacts for when systems crash or sensitive data is found.

Now let's go over the testing frameworks and methodologies you need to know before carrying out penetration tests:

  • PTES: The Penetration Testing Execution Standard defines the 7 distinct phases of a penetration test. They are pre-engagement interactions, intelligence gathering (DNS enumeration, Network mapping), threat modeling (Identifying relevant attack scenarios and business assets), vulnerability analysis (Identify security flaws), exploitation (Exploiting validated vulnerabilities), post exploitation (Establish persistence or pivot), and reporting (Disclose all findings and provide remediation strategies).

  • OSSTMM: Is a scientific, peer-reviewed methodology for measuring operational security across different areas like human security, physical security, wireless security, telecommunications, and data networks. It focuses on empirical, measurable data derived from controlled interactions instead of arbitrary vulnerability scans.

  • CREST: Is a global accreditation body emphasizing the legal and professional qualities of penetration tests.

  • MITRE ATT&CK: A knowledge base of real-world Tactics, Techniques, and Procedures (TTPs) used for threat simulation and test inspiration.

  • OWASP Top 10 / MASVS: Industry standard lists of the most prevalent and critical risks for web and mobile applications.

  • Purdue Model: A framework for securing ICS through network segmentation.

  • STRIDE: Used for categorizing different types of threats. Stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

  • DREAD: Used for risk scoring based on a threat's level of potential damage, reproducibility, exploitability, affected users, and discoverability.

After testing has concluded, it is time to deliver the penetration testing report and offer remediation recommendations. The penetration test report should include an executive summary to serve as a high-level overview for non-technical stakeholders with a focus on the business risks and impact, a methodology section that explains the tools and techniques used, detailed technical findings with evidence of impacted systems and severity, an attack narrative that outlines a step-by-step story of how the attacker chained vulnerabilities together to reach their goal, risk scoring of vulnerabilities (Low, Medium, High, Critical), and a section declaring all limitations and assumptions made in regards to constraints placed on the test by the client. Finally, the tester provides action guidance for remediation including technical (i.e. system hardening), administrative (i.e. stronger security policies), operational (i.e. mandatory vacations and time-of-day restrictions), and physical controls (i.e. CCTV surveillance).

Reconnaissance and Enumeration

Reconnaissance and enumeration are foundational penetration testing concepts used to map a target environment, identify attack surfaces, and discover vulnerable entry points before launching an exploit. Information gathering, or reconnaissance, is the foundational phase of a penetration test in which a tester collects data about the target to identify potential attack paths. Active reconnaissance is an intelligence technique in which the tester directly interacts with target systems to gather detailed data. While yielding more results, it carries a higher risk of detection by security controls. Passive reconnaissance is the practice of gathering intelligence without direct interaction with the target’s infrastructure. It is stealthy and difficult to detect because it relies on third-party sources (i.e. thoroughly examining an organization’s and its employees’ social media for attack vectors). Open-source intelligence (OSINT) is the collection of publicly available information. Penetration testers perform OSINT to scope out the target, looking through social media pages, job boards, code repositories, and more to discover leaked credentials, cryptographic flaws, and the use of unpatched systems.

Other important reconnaissance practices include:

  • Network Reconnaissance: The process of identifying live hosts and the services they expose to build an attack surface map with tools like Nmap and Zenmap.

  • Protocol Scanning: Identifying open ports and the protocols running on them with TCP scans (uses the TCP three-way handshake to establish connections; SYN scans are a stealthier alternative that identify open ports without completing the connection) and UDP scans (Slower and less reliable; relies on ICMP “Port unreachable” message).

  • Network Sniffing: Capturing and analyzing network packets in transit to identify plaintext credentials or misconfigurations (Common in ICS, OT, Modbus, and MQTT).

  • Banner Grabbing: Connecting to a service to collect metadata, such as software type, version, and OS which is essential for identifying known vulnerabilities.

  • HTML scraping: Analyzing a website's source code to find hidden developer comments, internal scripts, or technology identifiers.

  • Certificate Transparency (CT) Logs: Public, append-only records of issued certificates that can be used to discover hidden subdomains (i.e. dev and staging environments) and certificate issuance patterns.

  • Google Dorking: Using advanced parameters and operators like “intitle:” or “filetype:” to find indexed content not intended for public view, such as admin panels or config files.

Enumeration is the extraction and documentation of detailed information and identifiers from discovered systems to aid in finding specific exploitable weaknesses. Enumeration techniques include:

  • OS fingerprinting: Determining the target’s operating system based on TCP/IP stack behaviors, TTL values, and response timing.

  • Service Discovery: Mapping open ports to the specific services and versions running on them.

  • Protocol enumeration: Analyzing specific protocol behaviors, like SNMP community strings (a shared password used to authenticate SNMP communication between management systems and network devices), to extract device details.

  • DNS enumeration: Attempting zone transfers (AXFR) to leak entire DNS zones, or brute forcing to find hidden subdomains. AXFR presents a major information disclosure risk if misconfigured, as it can allow unauthorized users to request the entire DNS zone, mapping an organization's hidden infrastructure, internal IPs, and subdomains.

  • Directory enumeration: Brute-forcing web paths (e.g., /admin, /backup) using tools like Gobuster and wordlists.

  • Host Discovery: Identifying live systems with ping, ICMP, ARP scans or TCP SYN probes to determine attack surface.

  • Share enumeration: Identifying accessible shared folders on a network, via SMB. SMB is a Windows communication protocol used to share files, printers, and serial ports across a local network.

  • Email enumeration: Identifying valid addresses for phishing using SMTP commands (VRFY, EXPN) or OSINT tools like theHarvester (scans public search engines for leaked emails) and Hunter.io (calculates likely email patterns).

  • Wireless network enumeration: Mapping access points, encryption methods, and rogue SSIDs via wardriving or signal analysis.

  • Permissions enumeration: Identifying which users, groups, and service accounts hold which access rights on discovered systems, shares, and objects.

  • Secrets enumeration: Searching for hardcoded credentials, API keys, and session tokens in configurations or repositories, often using TruffleHog.

  • Attack Path Mapping: Visualizing relationships (i.e. in Active Directory) to find the most efficient path to a target, often using BloodHound.

  • WAF enumeration: Identifying a Web Application Firewall and attempting to find the origin address to bypass its filtering.

  • Web Crawling: Automatically mapping a site’s structure by following links to find unlinked content, often using Spiders.

  • Manual enumeration: Inspecting metadata like robots.txt (which lists restricted paths) and sitemaps, or identifying vulnerable platform plugins.

It can be hard to keep up with which enumeration and reconnaissance tools do what, so here is a comprehensive list to help you make informed decisions when selecting the right tool for gathering intelligence on your targets:

  • Wayback Machine: Provides historical snapshots of websites to find removed data.

  • Maltego: A visual tool for mapping relationships between people, domains, and IP addresses.

  • Recon-ng: A CLI framework for automated OSINT collection.

  • Shodan: Shodan (hacker's search engine) continuously scans for publicly accessible devices, collecting metadata, banners and configuration details.

  • SpiderFoot: Automates OSINT collection across hundreds of public sources.

  • WHOIS: Retrieves domain registration details like owners and nameservers.

  • nslookup/dig: CLI utilities for manual DNS record queries.

  • Censys.io: Censys (real-time, comprehensive intelligence on internet-connected devices, services, and hosts) performs daily internet-wide scans of all IPv4 space and ports to create structured data sets.

  • Hunter.io: Focuses on finding and verifying company email address patterns.

  • DNSdumpster: A passive reconnaissance tool that provides visual DNS maps (reveals subdomains, MX records, IP addresses, misconfigurations and mapping DNS relationships).

  • Amass: Uses active and passive techniques for deep subdomain discovery (certificate analysis, recursive subdomain discovery, and brute forcing to uncover hidden assets).

  • Nmap: A network scanning tool used to discover hosts, identify open ports, detect running services, determine operating systems, and find potential vulnerabilities on a network. It helps penetration testers map a network and understand what systems and services are exposed before attempting further testing.

    Common Commands & Flags:

    • nmap <IP> → Basic scan of the most common ports.

    • nmap -p 80,443 <IP> → Scan specific ports.

    • nmap -p- <IP> → Scan all 65,535 TCP ports.

    • nmap -sS <IP> → SYN (stealth) scan; identifies open ports without completing the TCP handshake.

    • nmap -sT <IP> → Full TCP connect scan.

    • nmap -sU <IP> → UDP scan.

    • nmap -sV <IP> → Service/version detection.

    • nmap -O <IP> → Operating system detection.

    • nmap -A <IP> → Aggressive scan (OS detection, version detection, scripts, and traceroute).

    • nmap -Pn <IP> → Skip host discovery and assume the target is online.

    • nmap --script vuln <IP> → Run vulnerability detection scripts.

    • nmap -oN results.txt <IP> → Save results to a normal text file.

  • theHarvester: Collects emails, subdomains, and IP addresses from public sources.

  • WiGLE.net: An online database that aggregates Wi-Fi network data submitted by wardrivers worldwide. It supplies crowdsourced, geolocated visualization data that reveals SSID reuse across locations, for prioritizing targets for onsite work.

  • InSSIDer: Provides radio frequency (RF) situational awareness by displaying SSIDs/BSSIDs (the technical term for your Wi-Fi network's name), channel use, signal strength, channel bonding, and Dynamic Frequency Selection (DFS) behavior.

  • OSINTframework.com: A directory of tools organized by data category.

  • Wireshark/tcpdump: Packet analyzers used to inspect traffic and identify plaintext credentials.

  • Aircrack-ng: A wireless network security testing suite used to assess the security of Wi-Fi networks. It captures wireless traffic, monitors wireless networks, deauthenticates clients, and attempts to crack Wi-Fi passwords (typically WPA/WPA2) for authorized security testing.

    • airmon-ng: Enables monitor mode on a wireless adapter.

    • airodump-ng: Captures wireless traffic, clients, and WPA/WPA2 handshakes.

    • aireplay-ng: Generates traffic or sends deauthentication packets.

    • aircrack-ng: Attempts to crack captured Wi-Fi handshakes using a wordlist.

  • Scapy: Python-based interactive packet manipulation library that allows cybersecurity professionals to craft, sniff, dissect, and send network packets.

Scripting

Scripting allows penetration testers to automate repetitive tasks and parse large datasets. Testers can use scripts for information gathering by automating the collection of data from multiple sources, and for data manipulation tasks by transforming raw tool output into structured formats for analysis. Common languages for scripting are Python (“def function():” & “print()”), PowerShell (“$var” & “Verb-Noun”), Bash (“echo”, “$var”, & “grep”), Ruby (“end” & “def function”), and JavaScript (“console.log()” & “{};”). Libraries, functions, and classes are useful for utilizing pre-written code (libraries like Scapy) and reusable blocks (functions/classes) to build scalable and modular tools.
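
As an added example of the data manipulation task described above (not code from the original article), the following Python script parses the normal-format output that nmap -sV -oN results.txt writes into structured records; the scan text it works on is constructed for illustration.

```python
"""Parse Nmap normal (-oN) output into structured records.

Added example, not the article's code. It assumes the normal-output layout
produced by `nmap -sV -oN results.txt <target>`; SAMPLE_OUTPUT is constructed.
"""
import json
import re

# Constructed sample: what a -sV scan of two lab hosts writes to results.txt.
SAMPLE_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jun  3 12:00:00 2024 as: nmap -sV -oN results.txt 10.0.0.0/30
Nmap scan report for web01.lab.example (10.0.0.1)
Host is up (0.0012s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.52 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.52 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.0.0.2
Host is up (0.0030s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE  SERVICE       VERSION
445/tcp  open   microsoft-ds  Windows Server 2019 Standard 17763 microsoft-ds
3389/tcp closed ms-wbt-server

Nmap done: 4 IP addresses (2 hosts up) scanned in 9.21 seconds
"""

# "Nmap scan report for host (ip)" when reverse DNS resolved, else just the ip.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?$")
# "22/tcp  open  ssh  OpenSSH ..." ; the version column is optional.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text):
    """Return {ip: [{"port", "proto", "state", "service", "version"}, ...]}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            hosts.setdefault(current, [])
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append({
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                "version": (version or "").strip(),
            })
    return hosts


def open_services(parsed):
    """Flatten to sorted (ip, port, service, version) tuples for open ports only."""
    return sorted(
        (ip, rec["port"], rec["service"], rec["version"])
        for ip, recs in parsed.items()
        for rec in recs
        if rec["state"] == "open"
    )


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_OUTPUT)
    print(json.dumps(parsed, indent=2))
    for ip, port, service, version in open_services(parsed):
        print(f"{ip}:{port} {service} {version}")
```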

Vulnerability Discovery and Analysis

Vulnerability discovery and analysis are the proactive process of identifying security weaknesses across multiple technology domains before an attacker can exploit them. Penetration testers must select the appropriate scanning technique based on the target type and the goals of the engagement. Container scans are a critical aspect of security because they identify outdated packages, vulnerable libraries, and exploitable CVEs. A popular method for container scans is the sidecar scan, which invokes a secondary container (the “sidecar”) to monitor and analyze the primary workload. Trivy and Grype are the popular scanning tools for container images: Trivy is a broad security tool that identifies vulnerabilities, secrets, and misconfigurations, while Grype is a narrower scanner focused on vulnerability and CVE scanning. Application scanning is a critical step in securing applications before release, before pushing changes, and for maintaining an application's security posture. Dynamic application security testing (DAST) evaluates an application from an external perspective while it is running, sending crafted inputs to test its behavior, identify weaknesses, and determine where it fails to properly defend itself against malicious or unexpected input. Static application security testing (SAST) evaluates the application's source code, bytecode, and configuration from an internal perspective, without executing it. Interactive application security testing (IAST) combines elements of both SAST and DAST, simulating attacker behavior like DAST while providing the internal visibility and contextual insight typically associated with SAST.

DAST, SAST, and IAST are not the only important types of security testing a penetration tester should be comfortable performing. Other important security testing concepts include:

  • Authenticated Scans: The scanner uses credentials to login before testing, providing deeper visibility into the internal patch status and local configuration.

  • Unauthenticated Scans: Simulates an external attacker’s perspective to identify exposed services and vulnerable versions visible from the outside.

  • Secrets Scanning: Dedicated tools to search for hardcoded API keys, passwords, session tokens stored improperly in code or repositories.

  • Mobile Scans: Involves using SAST to decompile APK/IPA packages to find hardcoded secrets and DAST to use proxies to observe insecure API calls and permission flaws.

  • Host-Based Scans: Examines individual systems for missing patches, weak local permissions, and misconfigured services.

  • Network Scans: TCP scans that use handshake logic (such as SYN scans) and UDP scans are used for discovery; stealth techniques such as NULL, Xmas, or fragmented scans are used to evade detection by IDS/IPS systems.

  • Software Composition Analysis (SCA): Inventories third-party libraries and dependencies to check against known vulnerability databases.

  • IaC Scans: Scans infrastructure as code templates (e.g., Terraform) to identify insecure defaults like public S3 buckets or permissive security groups before deployment.

  • ICS Vulnerability Assessment: ICS environments are fragile, so traditional aggressive scanning can cause physical disruption or outages. Testers circumvent this obstacle by performing manual assessments (manual configuration reviews and low-impact assessments to ensure safety) and port mirroring (a passive monitoring technique where traffic is copied from a switch port to an analyzer, allowing the tester to identify unauthorized commands without interfering with live processes).
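
As an added example (not the article's code, and not how Trivy or Grype work internally), the following Python script checks a constructed Terraform fragment for the two insecure defaults named in the IaC Scans item, a public S3 bucket ACL and a security group open to 0.0.0.0/0, and shows the weak settings beside the corrected ones. It parses only the simple Terraform subset used in the sample, not full HCL.

```python
"""Flag two insecure IaC defaults in a Terraform fragment: public S3 bucket
ACLs and security group ingress open to the whole internet.

Added example, not the article's code. Handles only the constructed subset
below (resource blocks, nested blocks, key = value lines), not full HCL.
"""
import re

# Constructed fragment with both weak settings present.
WEAK_TF = """\
resource "aws_s3_bucket" "reports" {
  bucket = "acme-pentest-reports"
}

resource "aws_s3_bucket_acl" "reports" {
  bucket = aws_s3_bucket.reports.id
  acl    = "public-read"
}

resource "aws_security_group" "mgmt" {
  name = "mgmt"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
"""

# The same resources with the settings corrected.
FIXED_TF = """\
resource "aws_s3_bucket_acl" "reports" {
  bucket = aws_s3_bucket.reports.id
  acl    = "private"
}

resource "aws_security_group" "mgmt" {
  name = "mgmt"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.20.0.0/24"]
  }
}
"""

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{\s*$')
BLOCK_RE = re.compile(r'^\s*([a-z_]+)\s*=?\s*\{\s*$')   # nested block, e.g. ingress {
KV_RE = re.compile(r'^\s*([a-z_]+)\s*=\s*(.+?)\s*$')
PUBLIC_ACLS = {"public-read", "public-read-write"}


def check_block(block, resource):
    """Return findings for one closed block as (line, resource, message)."""
    kind, attrs, line = block["kind"], block["attrs"], block["line"]
    acl = attrs.get("acl", "").strip('"')
    if kind == "aws_s3_bucket_acl" and acl in PUBLIC_ACLS:
        return [(line, resource, f"bucket ACL '{acl}' grants public access")]
    if kind == "ingress" and "0.0.0.0/0" in attrs.get("cidr_blocks", ""):
        ports = f"{attrs.get('from_port', '?')}-{attrs.get('to_port', '?')}"
        return [(line, resource, f"ingress open to the internet on ports {ports}")]
    return []


def scan_terraform(text):
    """Track open blocks line by line and evaluate each block's attributes
    when its closing brace is reached."""
    findings, stack, resource = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RESOURCE_RE.match(line)
        if m:
            resource = f"{m.group(1)}.{m.group(2)}"
            stack.append({"kind": m.group(1), "attrs": {}, "line": lineno})
            continue
        m = BLOCK_RE.match(line)
        if m:
            stack.append({"kind": m.group(1), "attrs": {}, "line": lineno})
            continue
        if line.strip() == "}" and stack:
            findings.extend(check_block(stack.pop(), resource))
            if not stack:
                resource = None
            continue
        m = KV_RE.match(line)
        if m and stack:
            stack[-1]["attrs"][m.group(1)] = m.group(2)
    return findings


if __name__ == "__main__":
    for label, tf in (("weak", WEAK_TF), ("fixed", FIXED_TF)):
        print(f"{label}: {scan_terraform(tf) or 'no findings'}")
```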

Now that we have gone over the many different vulnerability discovery and analysis methodologies, the following are the tools that are commonly used to identify, analyze, and validate vulnerabilities across networks, systems, applications, and wireless environments during security assessments and penetration tests:

  • Nikto: A specialized web server scanner for finding dangerous files and misconfigurations.

  • Greenbone/OpenVAS & Tenable Nessus: Enterprise-grade vulnerability scanners used for comprehensive network and host assessments.

  • TruffleHog: Scans Git repositories for leaked secrets and API keys.

  • BloodHound: Uses graph theory to visualize and map Active Directory attack paths, such as hidden privilege escalation chains.

  • PowerSploit: A collection of PowerShell modules used for post-exploitation tasks like credential harvesting.

  • Grype & Trivy: Used for scanning container images and filesystems for exploitable packages and secrets.

  • Kube-hunter: Specifically hunts for vulnerabilities in Kubernetes clusters, such as exposed API servers or insecure RBAC.

After discovering vulnerabilities, testers must validate findings by identifying true positives, false positives, false negatives, and ensuring scans were complete and properly configured. Vulnerabilities are then prioritized using metrics such as CVE (unique vulnerability identifier), CVSS (vulnerability severity score), and EPSS (predicts the likelihood of a vulnerability being exploited), while any public exploit code is vetted in a controlled lab environment before it is used on client systems. Testers may also use custom scripts to automate validation and confirm the accuracy of scan results.

In regard to physical security, penetration testers must evaluate whether social norms and physical barriers can be bypassed to gain internal network access. Penetration testers must determine an organization's susceptibility to tailgating (i.e. an attacker slipping through a secure door behind an authorized individual), site surveys, USB drops (planting a USB with a malicious payload in the workplace), badge cloning, and lock picking (frequently included in OSSTMM).

Attacks and Exploits

Penetration testers must be familiar with a wide range of attack techniques, exploits, and tools commonly used in offensive security operations to effectively plan and conduct penetration tests. However, before they can start actively testing a client’s systems, thorough planning, preparation, and prioritization must take place. For effective target prioritization, the ethical hacker must identify attack paths that stay within the bounds of the RoE, high-value assets that, if compromised, would yield the greatest impact (based on CVSS and EPSS), EOL systems, running services on open ports, weak encryption, and defensive capabilities. After high-value assets have been identified and prioritized, capability selection must take place, which includes both tool selection and exploit selection and customization. Testers must choose the tools and exploits best suited for the target environment; exploit customization is useful for vetting public exploits, modifying them to be more effective against specific versions, and bypassing defensive filters. Other considerations for preparing penetration tests include documentation, dependencies, and scope limitations. Testers must maintain a chronological record of the attack path, often supported by high-level diagrams, to help non-technical stakeholders understand the business impact. They should also consider system dependencies and service interconnections to avoid unintended outages during testing. Testers must strictly adhere to the authorization letter, as testing outside the approved scope can result in legal liability. Finally, they should clearly identify and label sensitive systems, such as those containing PII, to ensure they are handled appropriately throughout the engagement.

Network attacks exploit infrastructure level weaknesses to intercept data or gain unauthorized access. The following are all different types of network attacks that a penetration tester should know while evaluating the security posture of a client’s network:

  • Default credentials: Exploiting documented vendor logins (e.g. admin/admin) to gain administrative control over systems that have not had their default credentials changed.

  • On-Path Attack: Positioning the attacker between two hosts to intercept or manipulate traffic (aka “Man-in-the-Middle”).

  • Certificate Services: Targeting weak PKI infrastructure to forge certificates and impersonate trusted services.

  • Misconfigured Services Exploitation: Abusing services with excessive permissions or exposed directories to leak data.

  • Multihomed Hosts: Compromising a system with multiple network interfaces to bridge isolated networks that are meant to be segmented.

  • Relay attack: Intercepting an authentication attempt, like NTLM, and forwarding it to another host to gain access without knowing the password.

  • VLAN Hopping: Bypassing Layer 2 segmentation through switch spoofing (impersonating a trunk port) or double tagging (Double tagging occurs when an attacker embeds two VLAN tags within a single packet. The outer VLAN tag is rejected, allowing the packet to be forwarded based on the inner, targeted, VLAN tag to the destination).

  • Share Enumeration: Identifying and documenting accessible shared folders on a network via SMB. SMB is a Windows communication protocol used to share files, printers, and serial ports across a local network.

  • Packet Crafting: Manually creating network packets to test firewall rules or trigger specific protocol responses.

The following are all different tools that specialize in carrying out network attacks that penetration testers should familiarize themselves with before testing a client’s network:

  • Metasploit: A modular framework for exploit execution and payload delivery.

  • Netcat: The “Swiss army knife” for creating reverse shells and transferring files for data exfiltration.

  • Nmap & NSE: Used for port scanning and automated vulnerability checks via scripts.

  • Impacket & Responder: Impacket is a collection of Python classes for interacting with network protocols such as SMB, MSRPC, and LDAP, and for performing relay attacks, while Responder poisons name resolution protocols to capture NTLM hashes.

  • CrackMapExec (CME): An automation tool for lateral movement and credential testing. It is a post-exploitation tool that streamlines attacks by automating credential validation, enumeration, and remote command execution.

  • Wireshark: Is a passive packet capture and protocol analyzer that provides granular visibility into network communications and can uncover hostnames, services, protocol versions, cleartext credentials, application payloads, and behavior indicators.

  • tcpdump: Is a lightweight command-line packet capture tool that provides detailed visibility into network traffic for penetration testers and administrators. Packet analysis can reveal active protocols, device communications, unencrypted data, misconfigurations, and open services.

  • msfvenom: Is a standalone payload generator and encoder that is part of the Metasploit framework.

  • Hydra: A fast, parallelized login cracker for online brute-force attacks that tries every password from a wordlist.

Authentication attacks target the mechanisms used to verify user identity within an application or system. The following are all different types of authentication attacks that a penetration tester should know while evaluating the security posture of a client’s authentication controls:

  • MFA Fatigue: Overwhelming a victim with push notifications until they accidentally approve one.

  • Credential Passing:

    • Pass-the-Hash: Is a credential theft technique in which an attacker obtains a user’s password hash (a cryptographic representation of the password) and uses it directly for authentication. Because many authentication protocols accept hashes as proof of identity, the attacker can log in as the user without ever knowing the actual plaintext password, effectively bypassing traditional login protections.

    • Pass-the-Ticket: An advanced credential theft technique that targets Kerberos, the primary authentication protocol used in Active Directory (AD). In a PtT attack, an attacker captures, manipulates, or creates a valid Kerberos ticket (such as a Ticket Granting Ticket or service ticket) and reuses it to authenticate as the compromised user. By leveraging the stolen or crafted ticket, the attacker can access network resources without needing the user’s plaintext password, effectively bypassing normal authentication controls.

    • Pass-the-Token: Is an attack technique in which an adversary captures and reuses valid authentication tokens—such as JSON Web Tokens (JWTs) or session tokens—to impersonate a legitimate user. By leveraging the stolen token, the attacker can access systems and resources without needing the user’s credentials, effectively bypassing the authentication process as long as the token remains valid.

  • Kerberos Attacks: Kerberoasting (offline cracking of service account tickets) and forging Golden Tickets (domain-wide persistence).

  • LDAP Injection: Manipulating directory queries to bypass authentication or to extract user objects.

  • Guessing Attacks:

    • Dictionary Attacks: Using wordlists of common passwords.

    • Brute-Force: Exhaustive attempts of each possible character combination.

    • Password Spraying: Testing one common password against many accounts to avoid lockouts.

    • Credential Stuffing: Using leaked credentials from one site against another.

  • SSO Attacks: Exploiting weak signature validation in SAML or token manipulation in OIDC.
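
The following is an added example (not the article's code) of detection logic for two of the guessing attacks listed above: it runs over constructed failed-logon records and labels a source as password spraying (many accounts, about one attempt each) or brute force (one account, many attempts). The log format, field names, and thresholds are assumptions.

```python
"""Distinguish password spraying from brute force in failed-logon records.

Added example, not the article's code. The log format, field names and the
thresholds are assumptions; SAMPLE_LOG is constructed, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: 203.0.113.7 tries one guess against many accounts,
# 198.51.100.9 hammers a single account, 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2024-06-03T09:00:01Z logon-failure src=203.0.113.7 user=alice
2024-06-03T09:00:03Z logon-failure src=203.0.113.7 user=bob
2024-06-03T09:00:05Z logon-failure src=203.0.113.7 user=carol
2024-06-03T09:00:07Z logon-failure src=203.0.113.7 user=dave
2024-06-03T09:00:09Z logon-failure src=203.0.113.7 user=erin
2024-06-03T09:00:11Z logon-failure src=203.0.113.7 user=frank
2024-06-03T09:01:00Z logon-failure src=198.51.100.9 user=svc-backup
2024-06-03T09:01:01Z logon-failure src=198.51.100.9 user=svc-backup
2024-06-03T09:01:02Z logon-failure src=198.51.100.9 user=svc-backup
2024-06-03T09:01:03Z logon-failure src=198.51.100.9 user=svc-backup
2024-06-03T09:01:04Z logon-failure src=198.51.100.9 user=svc-backup
2024-06-03T09:01:05Z logon-failure src=198.51.100.9 user=svc-backup
2024-06-03T09:01:06Z logon-failure src=198.51.100.9 user=svc-backup
2024-06-03T09:01:07Z logon-failure src=198.51.100.9 user=svc-backup
2024-06-03T09:05:00Z logon-failure src=192.0.2.44 user=grace
2024-06-03T09:05:30Z logon-success src=192.0.2.44 user=grace
"""

LINE_RE = re.compile(r"^(\S+) (logon-failure|logon-success) src=(\S+) user=(\S+)$")


def parse_events(text):
    """Return (timestamp, outcome, src_ip, user) tuples, skipping unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_users=5, brute_attempts=6):
    """Label a source IP when its failures inside any sliding window fit a pattern:
    password-spraying = at least spray_users distinct accounts, under 2 tries each
    brute-force       = a single account, at least brute_attempts tries
    """
    failures = defaultdict(list)
    for ts, outcome, src, user in events:
        if outcome == "logon-failure":
            failures[src].append((ts, user))
    labels = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - start <= window]
            distinct = set(in_window)
            if len(distinct) >= spray_users and len(in_window) < 2 * len(distinct):
                labels[src] = "password-spraying"
                break
            if len(distinct) == 1 and len(in_window) >= brute_attempts:
                labels[src] = "brute-force"
                break
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {label}")
```

A lockout-based control would catch the brute-force source but not the spraying one, which is why the spraying rule keys on distinct accounts per source rather than attempts per account.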

The following are all different tools that specialize in carrying out authentication attacks that penetration testers should familiarize themselves with before testing a client’s authentication controls:

  • Hashcat & John the Ripper: Are industry standards for offline password cracking using GPUs or CPUs.

  • BloodHound: A graph-based tool for visualizing and discovering AD attack paths.

  • Burp Suite: Used to intercept and manipulate web-based authentication traffic.

Host-based attacks target vulnerabilities within individual operating systems and endpoints, often allowing an attacker to gain elevated privileges, maintain persistence, or pivot to other systems on the network. The following are common host-based attack techniques that penetration testers should understand when evaluating the security posture of a client's endpoints:

  • Privilege Escalation:

    • Vertical: Gaining higher level access.

    • Horizontal: Accessing another user’s resources at the same privilege level.

  • Credential Dumping: Extracting authentication material (like hashes or tickets) from memory, often via LSASS.

  • Circumventing Security Tools: Disabling endpoint protections like Windows Defender or modifying the registry of a host to weaken defenses.

  • Persistence & Evasion:

    • Payload Obfuscation: Used to conceal malicious code so it can evade detection and execute successfully. PowerShell is often leveraged to create and encode obfuscated payloads, while tools like PsExec and Evil-WinRM are used to deliver and execute those payloads on remote Windows systems. Evil-WinRM further complicates detection by transmitting payloads over an encrypted channel. Additionally, PowerShell can encode payloads using techniques such as Base64 encoding to enhance obfuscation.

    • Process Hollowing: A legitimate process is launched in a suspended state, after which its memory is replaced with malicious code. This makes detection more difficult because the process appears to be trusted and legitimate.

    • Log Tampering: When an attacker deletes, manipulates, or destroys log data to obfuscate or hide their activity.

  • Escapes: When an attacker breaks out of a restricted shell into a full shell. Restricted shells include containers, shared hosting CLI environments, hardened user accounts, and educational lab systems. A common escape vector is abusing legitimate text editors like Vim that allow command execution and shell spawning.

  • Configuration Abuse: Exploiting unquoted service paths to execute a malicious binary with elevated privileges when a service starts. Unquoted service paths are common and dangerous misconfigurations in Windows environments. They occur when the executable path for a Windows service contains spaces but is not enclosed in quotation marks, so Windows interprets the path from left to right and tries each space-delimited prefix as a possible executable before reaching the intended one.
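To make the left-to-right lookup concrete, here is an added audit helper (not code from the original guide; function names are assumptions and the ImagePath values are constructed) that lists the files Windows would try before the real executable of an unquoted service path, and shows the quoting that remediates it. A defender can check that none of the listed parent directories are writable by ordinary users.

```python
"""Audit Windows service ImagePath values for unquoted paths containing spaces (added example)."""

# Constructed sample values in the form read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (not a real registry export).
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -service',
    "WeakSvc": r"C:\Program Files\Weak Vendor\Weak App\weak.exe -service",
    "SysSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def split_exe_and_args(image_path):
    """For an unquoted ImagePath, return (exe, args): the executable ends at the
    first space-delimited prefix that ends in .exe."""
    parts = image_path.split(" ")
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            return prefix, image_path[len(prefix):]
    return image_path, ""


def lookup_candidates(image_path):
    """Return, in order, the files Windows would attempt to run before reaching the
    intended executable of an unquoted path. Empty when the path is quoted or has
    no spaces. Each entry is a location whose parent directory must not be writable
    by low-privileged users."""
    if image_path.startswith('"'):
        return []
    exe, _ = split_exe_and_args(image_path)
    if " " not in exe:
        return []
    parts = exe.split(" ")
    # Every proper prefix is tried as <prefix>.exe before the full path.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quote_image_path(image_path):
    """Remediation: wrap only the executable portion in quotes, keeping its arguments."""
    if image_path.startswith('"'):
        return image_path
    exe, args = split_exe_and_args(image_path)
    return f'"{exe}"{args}'


def audit_services(services):
    """Return {service_name: candidate_paths} for every service with an unquoted, space-containing path."""
    findings = {}
    for name, path in services.items():
        candidates = lookup_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings
```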

The following are all different tools that specialize in carrying out host-based attacks that penetration testers should familiarize themselves with before testing a client’s endpoints:

  • Mimikatz & Rubeus: Rubeus is a powerful tool for credential manipulation that focuses on Kerberos ticket operations, enabling attackers to request, extract, forge, and reuse tickets for techniques such as Pass-the-Ticket and privilege escalation within Active Directory environments. Mimikatz is a post-exploitation tool used to extract credentials, plaintext passwords, and NTLM hashes from the Security Account Manager (SAM) database and system memory. Attackers commonly use it to perform techniques such as Pass-the-Hash.

  • Seatbelt: An enumeration utility designed to automate the discovery of misconfigurations and privilege escalation vectors on Windows.

  • PsExec: A legitimate Windows binary abused for remote command execution and exploiting unquoted service paths.

  • Evil-WinRM: An open-source post-exploitation shell widely used by penetration testers and red teams to interact with and control compromised Windows systems. It leverages the built-in Windows Remote Management (WinRM) protocol, allowing operators to execute commands. It suits Living off the Land attacks because it blends in with standard management traffic. It allows operators to load local scripts, DLLs, and executables directly into the target’s memory to avoid triggering antivirus.

  • LOLBins: Living Off the Land Binaries allow the penetration tester to download a malicious binary using built-in Windows functionality, reducing the likelihood of triggering endpoint detection tools and blending in with normal activity.

Web application attacks focus on flaws in web code and logic, often categorized by the OWASP Top 10. The following are common web application attack techniques that penetration testers should understand when evaluating the security posture of a client’s web applications:

  • Injection Attacks:

    • SQL Injection: Inserting SQL statements to dump databases or bypass logins.

    • Command Injection: When an application takes user supplied data and passes it directly to a shell or command interpreter without proper handling.

    • Cross-Site Scripting (XSS): XSS is a client-side code injection vulnerability that allows an attacker to run malicious code in a victim’s browser.

      • The Injection: An attacker finds a way to introduce malicious code into a website—usually by exploiting a vulnerability where the site accepts user input (like a comment, search bar, or profile update) and displays it without proper sanitization.

      • The Execution: When another user loads that web page, the malicious script runs automatically within their browser session.

      • Reflected XSS: Occurs when the malicious script is executed after the user clicks a crafted URL or loads malicious input. An attacker creates a URL containing a malicious JavaScript payload (e.g., in a search parameter or error message). The attacker sends this link to a victim, often via a phishing email or message.

      • Persistent XSS: Payload is saved on the server and served to multiple users.

      • DOM XSS: The DOM (Document Object Model) is the page structure the browser builds client side. The payload is executed entirely in the browser via client-side JavaScript.

  • Request Forgeries:

    • SSRF: The attacker finds a server-side feature that fetches or processes a URL, input, or webhook (e.g., a "Profile Picture Import" or a "Webpage Preview" tool). The attacker modifies the input to target an internal or unauthorized address (e.g., http://localhost/admin or cloud metadata services). The vulnerable server executes the request and retrieves the data, unknowingly handing over sensitive information to the attacker.

    • CSRF: You are logged into bank.com with an active session, an attacker gets you to click a link, and the fake web page invisibly triggers a request to bank.com (for example through a hidden image tag). Because your browser is still authenticated with bank.com, it automatically includes your active session cookie with the image request. The bank processes the transfer, thinking you authorized it.

  • File Access:

    • Directory Traversal: The goal of directory traversal is to leave the current directory to gain access to another directory and access to sensitive data (e.g. The web document root directory in webservers at .../var/www and the shadow file in Linux at …/etc/shadow which contains hashed passwords).

    • LFI: Local file inclusion, performed by using directory traversal to gain access to sensitive system files (like password files or configuration details) or by uploading a malicious file and forcing the server to read or execute it locally.

    • RFI: Remote file inclusion performed by using a malicious executable or URL. E.g. the attacker replaces the file path with a URL pointing to their own server. The application reaches out over the network, fetches the attacker's malicious code (like a PHP webshell), and executes it.

  • Logic & Session Attacks:

    • IDOR: Exploiting web applications that expose internal object identifiers in the URL or as an API request parameter.

    • Session Hijacking: Stealing or fixing session identifiers to impersonate users.

    • Deserialization Attacks: Occur when an application accepts attacker-controlled serialized data, in a structured form like JSON or XML, and blindly converts it back into a usable object in memory.

  • Exploiting Modern Web Flaws: An API abuse vector can arise when JWT signatures are not properly validated, requests are not adequately constrained and sanitized, and authentication is not correctly enforced.
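The directory traversal and LFI items above both come down to one server-side mistake: joining user input onto a document root without checking where the result lands. As an added example (not code from the original guide; function names are assumptions and the document root is a constructed temporary directory), the snippet below shows the naive concatenation beside a hardened resolver that canonicalises the path and verifies it is still inside the root:

```python
"""Safe file-serving helper that rejects directory traversal (added example)."""
import os
import tempfile


def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir; raise ValueError if it escapes the base.

    realpath() normalises '..' segments and resolves symlinks, so the containment
    check runs against the path the OS would actually open."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, so drop leading separators.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes document root: {user_path!r}")
    return candidate


def is_contained(base_dir, user_path):
    """Boolean form of the check, convenient inside request handlers."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


def vulnerable_read(base_dir, user_path):
    """The naive pattern: concatenating user input straight onto the document root."""
    with open(base_dir + "/" + user_path, "rb") as fh:
        return fh.read()


def hardened_read(base_dir, user_path):
    """Same feature, routed through safe_join."""
    with open(safe_join(base_dir, user_path), "rb") as fh:
        return fh.read()


def demo():
    """Build a constructed document root in a temp dir and exercise both readers."""
    root = tempfile.mkdtemp()
    www = os.path.join(root, "www")
    os.makedirs(www)
    with open(os.path.join(www, "index.html"), "w") as fh:
        fh.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as fh:   # sits outside the web root
        fh.write("outside")

    results = {"normal": hardened_read(www, "index.html").decode()}
    results["vulnerable_leak"] = vulnerable_read(www, "../secret.txt").decode()
    try:
        hardened_read(www, "../secret.txt")
        results["hardened"] = "leaked"
    except ValueError:
        results["hardened"] = "blocked"
    return results
```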

The following are all different tools that specialize in carrying out web attacks that penetration testers should familiarize themselves with before testing a client’s web applications:

  • Burp Suite & OWASP ZAP: Essential proxies for intercepting and manipulating web traffic.

  • sqlmap: An automated tool for discovering and exploiting SQL injection.

  • Gobuster/Dirbuster: Used for directory and file brute-forcing to find hidden paths.

  • TruffleHog: Scans web assets and repositories for leaked API keys and secrets.

Cloud attacks exploit the unique architecture and shared-responsibility model of cloud environments, often focusing on misconfigurations rather than software flaws. The following are common cloud-based attack techniques that penetration testers should understand when evaluating the security posture of a client's cloud environment:

  • Metadata Service Attacks: Attackers use Server-Side Request Forgery (SSRF) to force a cloud instance to query its own internal metadata service (typically at 169.254.169.254) to extract temporary IAM credentials and configuration details.

  • IAM Misconfigurations: Overly permissive policies or wildcard permissions allow for rapid privilege escalation. Exposed access keys in code or logs enable direct API authentication and resource enumeration.

  • Resource Misconfigurations:

    • Exposed Storage Buckets: Publicly accessible S3 buckets or similar containers often leak sensitive PII and corporate data.

    • Network Controls: Poor segmentation and permissive firewall rules allow attackers to move laterally after gaining an initial foothold.

  • Image and Artifact Tampering: The act of modifying virtual machine images, container images, or software artifacts to insert vulnerabilities, backdoors, or malicious code.

  • Supply Chain Attacks: When an attacker compromises a trusted vendor, dependency, or upstream service provider to gain access to an organization’s systems and data.

  • Container and Workload Attacks:

    • Container Escape: Occurs when an attacker who has compromised a container breaks out of it and gains access to the host or other containers.

    • Trust Relationship Abuse: Occurs when an attacker leverages links or permissions between systems, domains, or cloud services (e.g., federated identity and overly broad OAuth permissions) to move laterally.
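The SSRF item in the web section and the metadata service item above share one mitigation: a server-side fetch feature must validate the destination before connecting, and it must validate the resolved address, not just the hostname. As an added example (not code from the original guide; function names are assumptions and the resolver table is constructed so it runs offline), this validator refuses loopback, link-local, private and IPv4-mapped addresses as well as the well-known metadata endpoint:

```python
"""Validate outbound URLs for a server-side fetch feature to block SSRF (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Well-known cloud metadata endpoints; the IP is on the page, the hostname is GCP's alias.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}
ALLOWED_SCHEMES = {"http", "https"}


def is_disallowed_ip(ip):
    """True for loopback, link-local (covers 169.254.169.254), private, multicast,
    reserved and unspecified addresses. IPv4-mapped IPv6 is unwrapped first so
    ::ffff:169.254.169.254 cannot slip past the IPv4 checks."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url, resolver):
    """Return (ok, reason). `resolver(host) -> [ip_str, ...]` is injected so the
    decision is made on the addresses a host resolves to and the check is testable offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() in METADATA_HOSTS:
        return False, "cloud metadata endpoint"
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        resolved = resolver(host)
        if not resolved:
            return False, "host does not resolve"
        addrs = [ipaddress.ip_address(a) for a in resolved]
    for ip in addrs:
        if is_disallowed_ip(ip):
            return False, f"resolves to internal address {ip}"
    return True, "ok"


# Constructed stand-in for DNS (not real records).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "internal.corp.example": ["10.0.0.5"],
    "rebind.attacker.example": ["169.254.169.254"],   # public name pointing at the metadata IP
}


def fake_resolver(host):
    return FAKE_DNS.get(host.lower(), [])
```

In a real service the address that passed the check must also be the one actually connected to (pin it and do not follow redirects), otherwise a later DNS answer or an HTTP redirect can sidestep the validation.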

The following are all different tools that specialize in carrying out cloud-based attacks that penetration testers should familiarize themselves with before testing a client’s cloud environment:

  • Pacu: An AWS exploitation framework designed to automate multi-step attack chains across cloud environments.

  • ScoutSuite: A multi-cloud security auditing tool for finding misconfigurations. It pulls configuration data via the providers' APIs and presents a highly detailed view of the attack surface, identifying issues like exposed dashboards, open ports, insecure API server settings, and known CVEs.

  • Prowler: AWS focused (recently multi-cloud) Cloud Security Posture Management (CSPM) and compliance auditing. Prowler checks your infrastructure against a vast array of industry benchmarks like CIS, NIST, SOC2, HIPAA, and PCI-DSS.

  • Kube-hunter: Specifically hunts for vulnerabilities and misconfigurations in Kubernetes clusters (Kubernetes automates the deployment, scaling, and management of containerized applications).

Wireless attacks exploit the shared radio medium to intercept traffic, recover credentials, or manipulate client behavior. The following are common wireless attack techniques that penetration testers should understand when evaluating the security posture of a client's wireless environment:

  • Wardriving and Warwalking: Scanning for and discovering wireless networks while driving and on foot respectively.

  • Access Point Attacks:

    • Evil Twin: A rogue AP that clones a legitimate SSID to trick clients into connecting.

    • Captive Portal: A fake “gateway” on a rogue AP used to harvest credentials or session tokens from unsuspecting users.

  • Protocol and Signal Exploitation:

    • Deauthentication: Deauthentication attacks are a form of denial-of-service (DoS) attack that target wireless clients by exploiting deauthentication frames. These frames are legitimate management frames used in Wi‑Fi networks to end a client’s connection to an access point (AP). Attackers abuse this mechanism by sending forged deauthentication frames, forcing clients to disconnect from the network. This forces the client to reconnect, during which the authentication handshake packets are generated. An attacker can then capture this handshake and use it for offline decryption or password‑cracking attempts.

    • WPS PIN Attack: Wi‑Fi Protected Setup (WPS) is designed for convenience but introduces significant security risks. It allows devices to connect quickly using a PIN, but this PIN is vulnerable because it is effectively split into two parts (the first 4 digits and the next 3, with the final digit as a checksum). This design allows attackers to brute‑force the PIN in smaller segments, verifying each part as correct or incorrect. Once successful, they can gain network access. The most effective mitigation is to disable WPS, even though many users keep it enabled for ease of use.

    • Protocol Fuzzing: A technique used to uncover weaknesses in wireless implementations by sending malformed or unexpected data to Wi-Fi devices and observing how they react. Scapy can generate malformed or unusual frame values to test a device’s ability to safely handle errors and unexpected input. There are three main categories of Wi-Fi frames:

      • Management Frames: Responsible for establishing and maintaining connections (like gate agents and announcements in an airport).

      • Control Frames: Coordinate transmissions between devices (like runway signals and air traffic controllers in an airport).

      • Data Frames: Carry the actual payload information through the air (like passengers and luggage moving through the system in an airport).
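Because deauthentication is a management frame that is never authenticated in WPA2 without Protected Management Frames, the defensive signal is the rate and addressing of those frames rather than their content. As an added example (not code from the original guide; names are assumptions and the frame metadata is constructed), this is the kind of check a wireless IDS applies: count deauthentication frames per transmitter in a sliding window and note how many were broadcast to every client at once.

```python
"""Flag deauthentication floods from 802.11 management-frame metadata (added example)."""
from collections import defaultdict

# 802.11 frame type 0 = management; subtypes used here.
MGMT, BEACON, DEAUTH = 0, 8, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample frames as (time_ms, frame_type, subtype, transmitter, receiver, reason_code).
# Forged deauths spoof the AP's BSSID as transmitter, so the AP address is what gets counted.
AP = "aa:bb:cc:00:00:01"
SAMPLE_FRAMES = [(0, MGMT, BEACON, AP, BROADCAST, None)]
SAMPLE_FRAMES += [(100 + i * 50, MGMT, DEAUTH, AP, BROADCAST, 7) for i in range(40)]  # 40 in 2 s
SAMPLE_FRAMES += [(5000, MGMT, DEAUTH, AP, "11:22:33:44:55:66", 3)]                  # one normal deauth


def peak_deauth_rate(frames, window_ms=1000):
    """Return {transmitter: (peak deauths in any window_ms window, broadcast deauth count)}."""
    per_src = defaultdict(list)
    broadcast = defaultdict(int)
    for t, ftype, subtype, src, dst, _reason in sorted(frames, key=lambda f: f[0]):
        if ftype != MGMT or subtype != DEAUTH:
            continue
        per_src[src].append(t)
        if dst == BROADCAST:
            broadcast[src] += 1

    result = {}
    for src, times in per_src.items():
        peak, start = 0, 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside window_ms.
            while times[end] - times[start] > window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        result[src] = (peak, broadcast[src])
    return result


def find_floods(frames, window_ms=1000, threshold=10):
    """Transmitters at or above `threshold` deauths per window. A large broadcast count is a
    strong corroborating signal: a real AP rarely deauthenticates every client at once."""
    return {src: stats for src, stats in peak_deauth_rate(frames, window_ms).items()
            if stats[0] >= threshold}
```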

The following are all different tools that specialize in carrying out wireless attacks that penetration testers should familiarize themselves with before testing a client’s wireless environment:

  • Aircrack-ng: A wireless network security testing suite used to assess the security of Wi-Fi networks. It captures wireless traffic, monitors wireless networks, deauthenticates clients, and attempts to crack Wi-Fi passwords (typically WPA/WPA2) for authorized security testing.

    • airmon-ng: Enables monitor mode on a wireless adapter.

    • airodump-ng: Captures wireless traffic, clients, and WPA/WPA2 handshakes.

    • aireplay-ng: Generates traffic or sends deauthentication packets.

    • aircrack-ng: Attempts to crack captured Wi-Fi handshakes using a wordlist.

  • Kismet: Originally known as a wardriving tool, Kismet is a packet sniffer, network detector, and wireless intrusion detection system (WIDS). It operates entirely passively, collecting packets and data traffic from the air without actively participating in or connecting to the networks.

  • InSSIDer: Provides radio frequency (RF) situational awareness by displaying SSIDs/BSSIDs (the SSID being the technical term for your Wi-Fi network's name), channel use, signal strength, channel bonding, and Dynamic Frequency Selection (DFS) behavior.

  • WiGLE.net: An online database that aggregates Wi-Fi network data submitted by wardrivers worldwide. It supplies crowdsourced and geolocated visualization data to reveal SSID reuse across locations for prioritizing targets for onsite work.

Social engineering attacks rely on psychological manipulation to shortcut technical defenses. The following are common social engineering attack techniques that penetration testers should understand when evaluating the security posture of a client's human firewall:

  • Psychological Levers: Attackers use Authority (impersonating power), Urgency (scarcity of time), Social Proof (following others), and Fear to increase compliance.

  • Specialized Phishing Techniques:

    • Spearphishing: Targeted attacks based on a victim’s role and permissions.

    • Whaling: Targeting high-level executives.

    • Vishing/Smishing: Using voice calls or SMS to exploit the informal nature of mobile communications.

  • Physical & Remote Methods:

    • Tailgating & Piggybacking: Following authorized personnel into secure areas either with or without their knowledge.

    • Watering Hole: Compromising or creating a “trusted” website a specific group naturally visits.

    • Dumpster Diving: Searching for discarded documents, diagrams, or hardware that leak sensitive information.

The following are all different tools that specialize in carrying out social engineering attacks that penetration testers should familiarize themselves with before testing a client’s human firewall:

  • Gophish: A framework for designing, conducting, and tracking phishing campaigns.

  • Evilginx: An Adversary-in-the-Middle (AiTM) phishing framework that bypasses Multi-Factor Authentication (MFA). Instead of simply stealing a password, it acts as a reverse proxy between the victim and the legitimate website, relaying the victim's connection to the real site in real time while intercepting both login credentials and the valid session cookies issued after MFA. The victim interacts with the actual website's content, completely unaware that their traffic is passing through the attacker's server.

  • BeEF: The Browser Exploitation Framework is an open-source browser-focused security testing platform used to evaluate client-side attack exposure. A “hooked” browser refers to a browser that has executed BeEF’s hook script, establishing a persistent communication channel back to the testing framework. This enables controlled security assessments such as browser fingerprinting, session analysis, social engineering simulations, and demonstrations of how trusted browser sessions may be abused in real-world attack scenarios.

Attacks against specialized systems include attacks that target non-traditional computing environments like mobile, industrial, or AI platforms. The following are common techniques for attacks against specialized systems that penetration testers should understand when evaluating the security posture of a client's specialized systems:

  • Mobile Attacks: Focus on Jailbreaking (iOS) or Rooting (Android) to bypass sandboxing. Attackers exploit Permission abuse or information disclosure in sideloaded apps.

    • Tools:

      • MobSF: An automated mobile application assessment platform that performs static and dynamic analysis to identify insecure code, misconfigurations, hardcoded secrets, weak permissions, and runtime security issues in Android and iOS apps.

      • Frida: A dynamic runtime instrumentation toolkit that allows security researchers to inject scripts into live applications to observe, intercept, and modify function calls, memory usage, and application behavior in real time.

      • Drozer: An Android security assessment framework focused on Inter-Process Communication (IPC), enabling testers to identify exposed components, misconfigured permissions, and insecure app interactions that could allow unauthorized access or privilege abuse.

  • Operational Technology: Targets Industrial Control Systems using protocols like Modbus and CAN bus. Both are widely used industrial communication protocols, but they serve entirely different purposes: Modbus is typically used for supervisory control and data logging (acting as a "question and answer" system), while CAN bus is designed for high-speed, real-time control (acting as a broadcasting system). Attacks often involve register manipulation or replay attacks because these protocols frequently lack authentication.

  • AI Attacks:

    • Prompt Injection: Crafting malicious inputs to make an AI reveal sensitive data or ignore its safety rules.

    • Model Manipulation: Altering training data or parameters to create hidden backdoors.

  • Short-Range Wireless: NFC/RFID cloning is used to impersonate access badges.

  • Bluejacking: Is the act of sending unexpected messages, contacts, or business cards to another Bluetooth-enabled device nearby.

  • Bluetooth spamming: Involves sending repeated unsolicited files, messages, or connection requests to multiple nearby devices.

To wrap up this section, let’s talk about scripting for automating attacks. Scripting and Automation allows for repeatable, scalable attack chains that reduce human error. The following are common tools and techniques for automating attacks against a client's systems:

  • PowerShell Frameworks:

    • PowerSploit: A collection of modules for in-memory execution, credential harvesting, and privilege escalation.

    • PowerView: Automates AD reconnaissance, mapping users, groups, and trust relationships.

    • PowerUpSQL: Specifically designed to discover and exploit misconfigurations in SQL Server environments.

  • Python Libraries:

    • Impacket: A collection of Python classes for interacting with network protocols such as SMB, MSRPC, and LDAP, frequently used for NTLM relay attacks.

    • Scapy: A Python library that allows penetration testers to craft packets at the IP, TCP, UDP, and application levels.

  • Breach and Attack Simulation (BAS):

    • Caldera: Automates realistic adversary emulation using the MITRE ATT&CK framework to simulate attacker behaviors and test defensive capabilities.

    • Infection Monkey: Simulates self-propagating malware and lateral movement to evaluate network segmentation, credential security, and overall resilience.

    • Atomic Red Team: Delivers lightweight, modular tests mapped to individual MITRE ATT&CK techniques for validating detection and response controls.

Post-exploitation and Lateral Movement

Persistence refers to techniques used to maintain long-term, reliable access to a compromised environment, allowing an attacker to survive reboots, credential resets, and patching.

  • Scheduled Tasks and Cron Jobs: These are built-in operating system schedulers (for Windows and Linux respectively) used to repeatedly execute a payload at fixed intervals or specific times.

  • Service Creation: Attackers create or modify long-running processes that start at boot, which often run with elevated privileges and blend into background activity.

  • Reverse vs. Bind Shell: A reverse shell involves the compromised host initiating an outbound connection TO the attacker, often bypassing firewall rules. A bind shell has the victim open a listening port for the attacker to connect to, which is useful when outbound traffic is restricted.

  • Accounts and Credentials: Creating new local or domain accounts provides an access path independent of the originally compromised user. Valid credentials can be obtained through credential dumping, keylogging, or phishing.

  • Registry Keys: In Windows, adding payload references to startup registry keys (HKCU or HKLM) ensures a program executes whenever a user logs in or the system starts.

  • Command and Control (C2): These provide a remote management layer to coordinate agents. Examples include Empire (in-memory PowerShell/Python), Covenant (.NET-based "Grunts"), and Mythic (modular, cross-platform framework).

  • Backdoors: Hidden access mechanisms such as web shells (scripts for remote web-server administration), Trojans (malicious code disguised as legitimate software), and rootkits (kernel-level tools that hide processes and files).

  • Browser extensions: Malicious extensions can read/modify website content to steal credentials or manipulate traffic.

  • Tampering with Security Controls: This involves degrading or disabling firewalls, antivirus, logging services, and other security controls to prevent the detection of persistence artifacts.

Lateral movement is the process of moving from an initial foothold to other systems of the same permissions level to identify high-value assets and escalate privileges.

  • Pivoting: Using a host as a gateway or relay to access internal network segments that are otherwise unreachable. This includes network pivoting (e.g., SSH tunneling) and application-level pivoting (e.g., routing traffic through a Metasploit session).

  • Relay creation: Forwarding captured authentication attempts (like NTLM) to another system to gain access without needing to crack the password.

  • Enumeration for Movement: Identifying lateral targets through service discovery (mapping open ports like SMB, RDP, and HTTP), network traffic discovery (inspecting authentication flows with Wireshark/tcpdump), and credential dumping (extracting stored material via Mimikatz).

  • High-Value Protocols:

    • SMB: Port 445 is used for share enumeration and relay attacks.

    • RDP (Port 3389) and VNC: Provide graphical remote control.

    • Cleartext Protocols: Telnet and FTP expose credentials in plaintext.

    • Management Protocols: LDAP (directory queries), RPC/DCOM (remote components), WMI (remote command execution), and WinRM (PowerShell-based management).

    • Printer Protocols: LPD, JetDirect (Port 9100), and SNMP can be abused if misconfigured or using default community strings.

  • Tools and LOLBins: Attackers use Living Off the Land Binaries (legitimate signed tools like certutil.exe, powershell.exe, or bitsadmin.exe) to blend into normal activity. Key exploitation tools include CrackMapExec (AD automation), Impacket (relays), Netcat (shells/listeners), sshuttle/Proxychains (pivoting), Metasploit, PsExec, and Mimikatz.

Exfiltration is the covert removal of data from a compromised environment while attempting to avoid detection.

  • File Encryption and Compression: Used to package and disguise data so it blends into legitimate traffic.

  • Covert Channels: Mechanisms for hiding communications within trusted protocols.

    • Steganography: Concealing data inside media files (images/audio/video).

    • DNS: Encoding data inside subdomain queries.

    • ICMP: Embedding data in ping request/reply payloads.

    • HTTPS: Hiding traffic within encrypted web communications.

  • Abusing Trusted Services: Moving data via email, cloud storage (e.g. Dropbox), cross-account cloud permissions, or public storage sites (e.g. Pastebin).

  • Alternate Data Streams (ADS): A feature of NTFS that allows attackers to hide data inside a file’s attributes without changing its visible size or content.

  • Virtual Drive Mounting: Storing stolen data inside VHD files, which may be overlooked as benign files.
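The DNS covert channel above works by packing data into subdomain labels, which gives defenders a usable tell: labels that are long and high-entropy, repeated many times by one client against one zone. As an added example (not code from the original guide; function names and thresholds are assumptions and the query log is constructed), this detector scores the leftmost label of each query and only reports a client that sends several distinct encoded-looking names under the same zone, so a single long CDN hostname does not trigger it.

```python
"""Heuristic detection of DNS-based exfiltration in resolver query logs (added example)."""
import math
from collections import defaultdict

# Constructed sample query log: (timestamp, client_ip, queried_name). Not real traffic.
SAMPLE_QUERIES = [
    ("10:00:01", "10.1.1.20", "www.example.com"),
    ("10:00:02", "10.1.1.20", "mail.example.com"),
    ("10:00:03", "10.1.1.20", "d1a2b3c4d5e6f7a8b9c0d1e2.cdn.example"),   # lone long label: benign
    ("10:00:04", "10.1.1.31", "kxrr4uqlm7zxy2pgvbcdw8ohnt3s1ija.t.exfil-example.net"),
    ("10:00:05", "10.1.1.31", "q9f2vlp0uhs5nxg6wybz3crdj8mteak4.t.exfil-example.net"),
    ("10:00:06", "10.1.1.31", "yb7mpzx4nqtw9sgl2hjf0rvc3uie1dka.t.exfil-example.net"),
    ("10:00:07", "10.1.1.31", "hdn1g5tqlv3zsc9y7xmrb2wk0puaf4je.t.exfil-example.net"),
]


def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores higher than dictionary words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname, labels=2):
    """Crude registrable-domain extraction: the last `labels` labels (no public-suffix list offline)."""
    return ".".join(qname.lower().split(".")[-labels:])


def is_encoded_label(qname, min_len=24, min_entropy=3.5):
    """True when the leftmost label looks like encoded data rather than a hostname."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_dns_exfil(queries, min_unique=3):
    """Return {(client, zone): n} for clients that sent >= min_unique distinct
    encoded-looking names under one zone. Requiring several unique names per zone
    separates a tunnel (new data in every query) from a single odd-looking hostname."""
    seen = defaultdict(set)
    for _ts, client, qname in queries:
        if is_encoded_label(qname):
            seen[(client, registered_zone(qname))].add(qname.lower())
    return {key: len(names) for key, names in seen.items() if len(names) >= min_unique}
```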

Cleanup and Restoration Activities

The final phase ensures the environment returns to its original baseline and that no residual risk remains from the penetration test.

  • Remove Persistence Mechanisms: Deleting all malicious scheduled tasks, cron jobs, services, and registry keys.

  • Revert Configuration Changes: Removing temporary firewall rules, restoring security settings that were weakened for testing, and reverting modified DNS or logging configurations.

  • Remove Tester-Created Credentials: Deleting local and domain accounts and explicitly revoking API keys and tokens.

  • Remove Tools: Deleting all executables, scripts, and persistent agents from the target systems.

  • Spin Down Infrastructure: Terminating all cloud virtual machines, containers, and networking resources used during the engagement.

  • Preserve Artifacts: Securing logs, screenshots, and evidence generated during the test to support defensible reporting.

Cheat sheet: Tool and Technique Definitions

  • WiFi-Pumpkin: Used to create rogue access points to lure users and capture their credentials.

  • DLL Hijacking and Injection: A DLL is a file used by Windows programs that contains shared code, functions, or resources. DLL Hijacking happens when Windows loads a malicious DLL instead of the legitimate one. DLL Injection is when a DLL is forcibly loaded into another running process.

  • Host discovery: ICMP echo requests are commonly used to identify live hosts on a network segment prior to deeper scanning.

  • Service Discovery: Focuses on identifying running services and open ports after hosts have already been identified.

  • Responder: Poisons name resolution protocols to capture NTLM hashes.

  • Hydra: A fast, parallelized login cracker for online brute-force attacks, it tries all passwords from a wordlist.

  • ldapsearch: A command used to query LDAP directories.

  • BloodHound: Collects and analyzes Active Directory objects, permissions, and relationships to graphically identify potential privilege escalation and lateral movement paths, such as ACL misconfigurations or nested group memberships leading to high-value targets.

  • SpiderFoot: Has customizable modules that allow it to pull data from over 100 public sources automatically, making it highly efficient for gathering a wide range of information without manual effort.

  • Maltego: Excels at creating visual graphs that display the connections and relationships between various entities, such as IP addresses, domains, email addresses, and other OSINT information.

  • crontab -e: Allows the tester to edit scheduled tasks that can be configured to execute malicious processes at defined intervals or during system startup, providing a reliable persistence mechanism.

  • Shell upgrade: When running an exploit, sometimes you don't receive a fully interactive shell in return. If you receive a "dumb shell", you can use Python to spawn a pty. A pty is a pseudo-terminal utility that is built into Python and only works on Linux systems. From here, you can attempt a privilege escalation using su and other commands on the system.

  • Relay attack: Involves intercepting and forwarding communications between two parties in real time rather than storing and retransmitting previously captured data.

  • Downgrade attack: It forces a system to use weaker encryption or protocols, such as older SSL/TLS versions, rather than reusing captured authentication traffic.

  • Fragmentation attack: Targets weaknesses in packet handling, such as WEP fragmentation, to recover encryption material.

  • getfacl: Retrieves extended ACL entries that may grant additional user or group permissions beyond the traditional rwx model. Used for enumerating permissions.

  • ls -l: Displays standard Unix permission bits, ownership, and group information. Used for enumerating permissions.

  • Pastebin: A widely used public text storage and sharing service that allows users to upload plain text snippets and retrieve them via a URL, making it attractive for covert text-based data exfiltration.

  • Karma attack: A variant of the evil twin attack. A karma attack exploits the behavior of a wireless client trying to connect to its preferred network list, which contains the SSIDs of access points the device has connected to in the past. When a wireless device is looking to connect to the internet, it first beacons to determine whether any of these previously connected networks are within range. This allows an attacker to answer the request, so the user connects to the attacker's evil twin instead. At this point the attacker is on-path between the wireless client and the internet, which is useful for many different exploits.

  • Shodan: Identifies publicly reachable systems (unregistered exposed hosts) based on observed SSL certificates, even if they are not listed in DNS records.

  • Mask attack: Targets specific patterns in passwords.

  • ProxyChains: is a command-line tool, used in pivoting operations, that enables pen testers to mask their identity and/or source IP address by sending messages through intermediary or proxy servers.

  • Side-channel attack: When the tester attempts to infer sensitive information by observing physical characteristics of shared resources, such as CPU cache timing and execution patterns, which is the defining behavior of side-channel analysis in multi-tenant environments.

  • Covenant framework: Creates an agent called a "Grunt". Grunts allow penetration testers to maintain control over the target machine, execute commands, and perform further post-exploitation activities.

  • Rainbow table attacks: A rainbow table attack uses precomputed hash values mapped to possible plaintext passwords, significantly reducing the time required to crack hashes such as NTLM. Instead of calculating each hash during the attack, the attacker compares captured hashes against the precomputed table.

  • Dirbuster: Uses brute force to expose directories and file names on web and application servers.

— Ben Skinner
