Pre-Engagement Interaction: Understand the scope of the test and permitted attacks, establish communication protocols, and ensure the necessary permissions are in place.
Reconnaissance (Scanning & Enumeration): Gather as much pertinent information as possible by probing the following:
External Pentest (everything probed must be in scope):
Domain and subdomains
External IP address ranges
Systems - websites, email, ticketing, ERPs, etc.
Exposed data from past breaches (e.g. leaked credentials)
Internal Pentest (everything probed must be in scope):
IP address ranges, systems, devices, etc.
Exposed data from past breaches
Understand the network structure - gateways, DHCP servers, DNS servers, VLANs, etc.
Identify the core operating systems in use and their respective versions.
Identify open ports and the services running on them.
Cloud Pentests (everything probed must be in scope):
Domains and subdomains
IP address ranges
Exposed data from past breaches
Attempt to 'map' the flow of information between systems.
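The "open ports and the services running on them" item above, as an added example that is not part of the original notes: a TCP connect scan with banner grabbing. It assumes the host and ports are in scope, that a full handshake is acceptable (connect scans are noisy and show up in service logs, unlike SYN scans), and that whatever a service sends unprompted is its banner. The fake listeners are constructed targets so the scanner can be exercised offline against 127.0.0.1.

```python
"""TCP connect scan with banner grabbing (added example; not code from the
original notes). Assumes the target is in scope and that a full TCP handshake
per port is acceptable for the engagement."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Optional

# Ports used when none are given (a small constructed list, not exhaustive).
DEFAULT_PORTS = [21, 22, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080]


def probe_port(host: str, port: int, timeout: float = 0.5) -> Optional[Dict]:
    """Complete a TCP handshake to host:port and read up to 128 banner bytes.

    Returns None when the connection is refused or times out (closed or
    filtered), otherwise {"port": port, "banner": text}. The banner is "" for
    services that wait for the client to speak first (e.g. HTTP).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                banner = sock.recv(128)
            except (socket.timeout, ConnectionResetError):
                banner = b""
    except OSError:  # ConnectionRefusedError and socket.timeout are OSErrors
        return None
    return {"port": port, "banner": banner.decode("ascii", "replace").strip()}


def scan_host(host: str, ports: Iterable[int] = DEFAULT_PORTS, workers: int = 32) -> List[Dict]:
    """Probe the ports concurrently; return the open ones sorted by port number."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p), ports))
    return sorted((r for r in results if r is not None), key=lambda r: r["port"])


def start_fake_service(banner: bytes) -> int:
    """Start a throwaway listener on 127.0.0.1 that sends `banner` and hangs up.

    Constructed target for offline use only; returns the ephemeral port the OS
    assigned. A daemon thread serves connections until the process exits.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(8)

    def serve() -> None:
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


def free_port() -> int:
    """Pick an ephemeral port that is currently closed (bind, read it, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    http_port = start_fake_service(b"")  # HTTP-style service: waits for the client
    for finding in scan_host("127.0.0.1", [ssh_port, http_port, free_port()]):
        print(f"{finding['port']}/tcp open  banner={finding['banner']!r}")
```

Banner text is attacker-controlled input from the scanner's point of view: it is decoded with replacement rather than trusted, and a real report should record the raw bytes alongside any version guess derived from them.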
Gaining Access (Exploitation): Focus on gaining unauthorized access to the target system or network by exploiting the vulnerabilities discovered during the scanning stage. Techniques such as password cracking and exploiting software vulnerabilities may be used to access the target system.
Post-Compromise Scanning & Exploitation: Rescan the compromised systems for the following:
System information
Network configurations - additional networks, internal services and ports, WiFi passwords, etc.
Shell (terminal) history.
Shared folders.
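The post-compromise checklist above (system information, network configuration, shell history, shared folders) as an added example on a Linux target; this is not code from the original notes. It reads the usual artefacts: /etc/os-release and /proc/version, LISTEN sockets from /proc/net/tcp, per-user history files, and NFS/Samba share definitions. Every reader takes a `root` path so the whole thing can run offline against a constructed fake filesystem (the sample files and the credential regex are assumptions, not data from any real host); on a compromised box you would call enumerate_host("/").

```python
"""Post-compromise host enumeration on a Linux target (added example; not code from
the original notes). Each reader takes a `root` so it can run against a constructed
fake filesystem offline; on a real host call enumerate_host("/")."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Heuristic for credential-bearing history lines (an assumption; tune per target).
SECRET_RE = re.compile(r"passw(or)?d|\s-p\S|token|secret|sshpass", re.IGNORECASE)

def _read(root: str, rel: str) -> str:
    """Return a file's text, or '' when it is missing or unreadable (skip quietly)."""
    try:
        return (Path(root) / rel).read_text(errors="replace")
    except OSError:
        return ""

def system_info(root: str = "/") -> Dict[str, str]:
    """Distribution fields from /etc/os-release plus the kernel string and hostname."""
    info = {}
    for line in _read(root, "etc/os-release").splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip().strip('"')
    info["kernel"] = _read(root, "proc/version").strip()
    info["hostname"] = _read(root, "etc/hostname").strip()
    return info

def listening_ports(root: str = "/") -> List[int]:
    """Local TCP ports in LISTEN state (st == 0A) from /proc/net/tcp (hex ip:port)."""
    ports = set()
    for line in _read(root, "proc/net/tcp").splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return sorted(ports)

def shell_history(root: str = "/") -> Dict[str, List[str]]:
    """Credential-looking lines from each user's shell history, keyed by file path."""
    homes = [Path(root) / "root", *sorted((Path(root) / "home").glob("*"))]
    hits = {}
    for home in homes:
        for name in (".bash_history", ".zsh_history", ".python_history"):
            flagged = [l for l in _read(str(home), name).splitlines() if SECRET_RE.search(l)]
            if flagged:
                hits[str(home / name)] = flagged
    return hits

def shared_folders(root: str = "/") -> Dict[str, List[str]]:
    """Paths exported over NFS (/etc/exports) and shared via Samba (smb.conf)."""
    shares = {"nfs": [], "smb": []}
    for line in _read(root, "etc/exports").splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            shares["nfs"].append(parts[0])
    section = None
    for line in _read(root, "etc/samba/smb.conf").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and section.lower() != "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "path":
                shares["smb"].append(f"{section}: {value}")
    return shares

def enumerate_host(root: str = "/") -> Dict:
    """Collect everything above into one structure for the report."""
    return {"system": system_info(root), "listening": listening_ports(root),
            "history": shell_history(root), "shares": shared_folders(root)}

def build_sample_target(base: str) -> str:
    """Write a constructed mini filesystem (fake data, not from any real host) under base."""
    files = {
        "etc/os-release": 'NAME="Ubuntu"\nVERSION_ID="22.04"\n',
        "proc/version": "Linux version 5.15.0-101-generic (buildd@lcy02) #111-Ubuntu SMP\n",
        "etc/hostname": "app-server-01\n",
        "proc/net/tcp": (
            "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid\n"
            "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0\n"
            "   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000 106\n"
            "   2: 0A0A1405:B2E4 0A0A1405:01BB 01 00000000:00000000 00:00000000 00000000 1000\n"
        ),
        "root/.bash_history": "ls -la\nmysql -u root -pSup3rS3cret appdb\ncat /etc/shadow\n",
        "home/deploy/.bash_history": "export API_TOKEN=abc123\ngit pull\n",
        "etc/exports": "/srv/share 10.10.20.0/24(rw,no_root_squash)\n# /old 10.0.0.0/8(ro)\n",
        "etc/samba/smb.conf": "[global]\n   workgroup = CORP\n[backups]\n   path = /srv/backups\n",
    }
    for rel, content in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return base

def demo() -> Dict:
    """Run the enumeration against the constructed sample target in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return enumerate_host(build_sample_target(tmp))
```

Reading /proc/net/tcp directly rather than shelling out to ss or netstat avoids depending on tools that may be missing or trojaned on the target, and the 0A (LISTEN) filter plus hex decoding is the same parsing those tools do. The history regex is deliberately loose: missing a credential costs more than reviewing a few false positives by hand.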
Privilege Escalation: If the initial compromise did not grant system administrator or root access, focus on gaining high-level access within the system.
Maintaining Access (Red Teaming)*: After compromising the system (bypassing its security controls), set up backdoors or remote access tools to establish persistent access. The objective is to mimic the actions of a real attacker and assess the potential impact of a successful compromise. Record every persistence mechanism planted so it can be removed at the end of the engagement.
Covering Tracks (Red Teaming)*: Remove traces of the compromise from the target system or network. The goal is to test whether the activity can remain undetected, as a real intrusion would try to. Do this only where the rules of engagement call for it, and log every artefact removed or left behind so the client can verify the clean-up; the evidence of what was done belongs in the report, not on the target.
Reporting: Generate a report covering the above phases - IP addresses, open ports and services, weak passwords, exposed breach data, application and network vulnerabilities, privilege escalation paths, system configurations, etc.