Systematic Penetration Testing: A Methodological Approach to Security Assessment

Introduction: The Art of Methodical Security Assessment

Proficiency in penetration testing transcends tool mastery—it demands a systematic methodology that adapts to each unique target while maintaining consistency in approach. Success comes from understanding not just what tools to use, but when and why to use them, how to chain vulnerabilities, and where to find the right exploits for discovered weaknesses.

This methodology, refined through countless assessments and capture-the-flag challenges, provides a framework that balances thoroughness with efficiency. The key lies not in memorizing commands but in understanding the decision tree that guides your actions at each phase of the assessment.

Foundation: Environmental Preparation and Mindset

Setting Up Your Testing Infrastructure

Before engaging any target, establish a robust testing environment. Use tmux or screen for persistent terminal sessions that survive connection drops. Create structured directories for each engagement—separate folders for scans, exploits, screenshots, and notes. This organization proves invaluable when writing reports or revisiting old assessments.

Consider using specialized distributions like Kali Linux or Parrot OS, but remember that understanding the tools matters more than the distribution. Many professionals maintain custom toolsets on standard Linux distributions, adding tools as needed.

Documentation and Note-Taking

Maintain detailed notes throughout the assessment using tools like CherryTree, Obsidian, or even simple markdown files. Document not just successful attacks but also failed attempts—they often reveal important information about the target's security posture. Screenshots and command outputs should be timestamped and labeled clearly.

Phase 1: Intelligence Gathering and Reconnaissance

The Reconnaissance Mindset

Reconnaissance determines the success of subsequent phases. Rushing through this stage often means missing critical attack vectors. Run background scans while actively exploring—tools like GoBuster or SQLMap can work while you manually investigate services.

Network Mapping Strategy

Start with Nmap for port discovery, but understand its limitations. Use different scan types based on your situation:

• TCP SYN scans (-sS) for stealthy reconnaissance
• TCP Connect scans (-sT) when SYN scans aren't possible
• UDP scans (-sU) for often-overlooked services like SNMP or TFTP
• Version detection (-sV) enables version detection to identify the exact versions of services running, which can be crucial for finding known vulnerabilities.
• Script scans (-sC) performs a script scan using default, often intrusive, scripts to identify common vulnerabilities or information.
• Output --oV for easy parsing later

Generally, you can use the following command:

nmap -sC -sV -oV nmap {TARGET_IP}

Don't rely solely on default ports—services often run on non-standard ports. A full port scan (-p-) reveals these hidden services, though it takes longer.

Service-Specific Enumeration Approaches

Web Applications (Ports 80, 443, 8080, 8443, 3000, 5000)

Web applications offer the largest attack surface. Your approach should be multi-layered:

1. Technology Identification: Use Wappalyzer browser extension or WhatWeb to identify frameworks, programming languages, and server software. This information guides your exploit research.

2. Content Discovery: Deploy GoBuster, Feroxbuster, or Dirsearch with appropriate wordlists:

   • SecLists provides comprehensive wordlists organized by purpose
   • Consider file extensions based on identified technology (.php for PHP, .aspx for ASP.NET, .jsp for Java)
   • Don't forget backup extensions (.bak, .old, .backup, ~)

3. Virtual Host Discovery: Many servers host multiple applications. Use GoBuster's vhost mode or wfuzz to discover subdomains and virtual hosts. Add discovered hosts to /etc/hosts for proper routing.

4. Parameter Fuzzing: Use Arjun or ParamSpider to discover hidden parameters that might be vulnerable to injection attacks.

SMB/NetBIOS (Ports 445, 139)

SMB often exposes sensitive information or provides initial access:

• smbclient for manual share enumeration and file retrieval
• smbmap for automated share discovery and permission testing
• enum4linux for comprehensive SMB enumeration on older systems
• CrackMapExec for modern SMB assessment and exploitation
• Responder for capturing NTLM hashes on the network

Look for configuration files, backup files, or scripts containing credentials. Files like .xml configurations, VPN profiles, or database connection strings often contain plaintext passwords.

Database Services

Direct database access often means game over. Test for:

• MySQL (3306): Default root accounts with no password
• MSSQL (1433): SA account with weak passwords, xp_cmdshell for command execution
• PostgreSQL (5432): Default postgres account
• MongoDB (27017): Often exposed without authentication
• Redis (6379): Frequently misconfigured allowing arbitrary file writes

Other Critical Services

• FTP (21): Check for anonymous access, look for writable directories
• SSH (22): Useful for password spraying if you've found usernames
• Telnet (23): Often has weak or default credentials
• VNC (5900-5906): Sometimes poorly secured with weak passwords
• WinRM (5985/5986): Enables PowerShell remoting with valid credentials

Phase 2: Vulnerability Analysis and Prioritization

Understanding Vulnerability Classes

Different vulnerability types require different approaches and tools:

Injection Vulnerabilities

SQL injection remains prevalent despite being well-understood. When testing:

1. Manual Testing First: Understand the application's behavior with single quotes, comment operators, and boolean conditions
2. SQLMap for Automation: Once you've identified injection points, use SQLMap to automate extraction
3. NoSQL Injection: For MongoDB or similar, test with arrays and operators like $ne, $gt, $regex
4. Command Injection: Test with command separators (;, |, &, ||, &&) and encoding techniques

Resources for injection payloads:

• PayloadsAllTheThings GitHub repository
• HackTricks for technique explanations
• PortSwigger Web Security Academy for learning

Authentication and Session Vulnerabilities

• Default Credentials: Check product documentation and databases like SecLists/Passwords/Default-Credentials
• Password Spraying: Use Hydra, Medusa, or CrackMapExec with common passwords
• Session Fixation/Hijacking: Analyze session token generation and transmission
• Multi-Factor Bypass: Look for backup codes, implementation flaws

File Handling Vulnerabilities

File upload and inclusion vulnerabilities provide reliable shells:

1. Upload Bypass Techniques:

   • Extension manipulation (.php5, .phtml, .php.jpg)
   • MIME type confusion
   • Null byte injection (older systems)
   • Magic byte manipulation

2. Local File Inclusion (LFI):

   • Start with /etc/passwd to confirm vulnerability
   • Check application configuration files
   • Use PHP wrappers (php://filter, data://, expect://)
   • On Windows, try UNC paths for NTLM hash capture

3. Remote File Inclusion (RFI):

   • Less common due to default PHP configurations
   • Test with external URLs if allow_url_include is enabled

Deserialization Attacks

Modern applications frequently suffer from deserialization vulnerabilities:

• Java: Use ysoserial for gadget chain generation
• .NET: Deploy ysoserial.net for ViewState and other attacks
• Python: Pickle deserialization with custom payloads
• Node.js: node-serialize vulnerabilities with function injection
• PHP: unserialize() attacks with magic methods

Finding Exploits and References

Primary Exploit Databases

• Exploit-DB: Comprehensive database with PoC code
• Rapid7 Metasploit: Modules often provide reliable exploits
• GitHub: Search for CVE numbers or product names + "exploit"
• PacketStorm Security: Alternative exploit database
• CVE Details: For understanding vulnerability impact and affected versions

Vulnerability Research Resources

• GTFOBins: Unix binaries that can be exploited for privilege escalation
• LOLBAS: Windows binaries for living-off-the-land techniques
• HackTricks: Comprehensive penetration testing methodology
• PayloadsAllTheThings: Extensive payload collection
• 0day.today: Premium exploit marketplace (use with caution)

Phase 3: Exploitation and Initial Access

Choosing Your Attack Vector

Prioritize attack vectors based on:

1. Reliability: Prefer stable exploits over those that might crash services
2. Stealth: Consider detection likelihood in monitored environments
3. Privilege Level: Target services running as privileged users
4. Persistence Potential: Choose vectors that enable maintaining access

Payload Selection and Delivery

Reverse Shell Considerations

Select reverse shell types based on available interpreters:

• Bash: Most reliable on Linux systems
• Python/Python3: Widely available, easy to encode
• PowerShell: Preferred for Windows targets
• Netcat: When traditional netcat is available
• PHP/ASP/JSP: For web application exploitation

Use revshells.com for quick payload generation across multiple languages.

Establishing Persistence Early

Once you gain initial access:

1. Upload additional tools (chisel for tunneling, linpeas/winpeas for enumeration)
2. Create backup access methods (SSH keys, web shells)
3. Identify quick wins for privilege escalation before deep enumeration

Handling Unstable Shells

Stabilize shells immediately to prevent disconnection:

• Use Python's pty module for pseudo-terminal allocation
• Background the shell and use stty raw -echo for full interactivity
• Consider upgrading to SSH access when possible

Phase 4: Privilege Escalation Mastery

Linux Privilege Escalation Methodology

Automated Enumeration First

Deploy enumeration scripts to quickly identify obvious vectors:

• LinPEAS: Comprehensive enumeration with color-coded findings
• LinEnum: Lighter alternative with good coverage
• Linux Exploit Suggester: Kernel vulnerability identification
• pspy: Monitor processes without root privileges

Manual Verification Second

Automated tools miss context-specific vulnerabilities:

1. SUID/SGID Binaries: Cross-reference with GTFOBins
2. Sudo Permissions: Check sudo -l output against GTFOBins
3. Cron Jobs: Look for writable scripts or missing dependencies
4. Service Configurations: MySQL running as root, Docker socket exposure
5. Kernel Exploits: Use cautiously as they can crash systems

Special Considerations

• Container Escapes: Check capabilities with capsh --print
• Restricted Shells: Bypass using various techniques (vim, less, programming languages)
• Password Reuse: Try discovered passwords for other users
• History Files: Check .bash_history, .mysql_history for credentials

Windows Privilege Escalation Methodology

Information Gathering

• WinPEAS: Automated Windows enumeration
• Seatbelt: Comprehensive security checks
• SharpUp: C# implementation for constrained environments

Common Windows Vectors

1. Service Vulnerabilities:

   • Unquoted service paths
   • Weak service permissions
   • DLL hijacking opportunities

2. Token Impersonation:

   • JuicyPotato/RoguePotato for SeImpersonatePrivilege
   • PrintSpoofer for newer Windows versions

3. Credential Access:

   • SAM/SYSTEM registry hives
   • Cached credentials in memory
   • Saved RDP/VNC passwords

4. Scheduled Tasks: Writable scripts or binaries executed by SYSTEM

Windows Exploit Resources

• Windows-Exploit-Suggester: Identify missing patches
• LOLBAS Project: Living off the land techniques
• Covenant/Empire: C2 frameworks with escalation modules

Phase 5: Post-Exploitation and Persistence

Maintaining Access

Establish multiple persistence mechanisms:

• Linux: Cron jobs, SSH keys, systemd services, shell profile modifications
• Windows: Registry run keys, scheduled tasks, services, WMI event subscriptions

Lateral Movement Strategies

Network Pivoting Tools

• SSH: Native port forwarding capabilities (-L, -R, -D flags)
• Chisel: Cross-platform TCP/UDP tunnel over HTTP
• Socat: Versatile relay tool for complex redirections
• Proxychains: Route tools through SOCKS proxies
• Metasploit: Built-in pivoting through meterpreter

Credential Harvesting

• Mimikatz: Windows credential extraction
• LaZagne: Multi-platform password recovery
• Firefox/Chrome Decrypt: Browser password extraction
• Hashcat/John: Password cracking with appropriate rules

Data Exfiltration Considerations

• Use encrypted channels (SCP, SFTP, HTTPS)
• Consider data volume and network monitoring
• Stage data before exfiltration to minimize detection
• Clean up artifacts after successful exfiltration

Critical Success Factors

Patience and Persistence

Avoid rabbit holes while maintaining thoroughness. Set time limits for each approach, but don't abandon promising vectors too quickly. If stuck, step back and review your notes—often the answer lies in overlooked details from earlier enumeration.

Understanding Over Memorization

Focus on understanding why exploits work rather than memorizing commands. This knowledge enables you to adapt when standard approaches fail and to chain seemingly unrelated vulnerabilities into successful compromises.

Continuous Learning

The security landscape evolves rapidly. Stay current through:

• Security Conferences: DEF CON, Black Hat, BSides recordings
• Online Platforms: HackTheBox, TryHackMe, VulnHub for practice
• Bug Bounty Programs: Real-world experience with modern applications
• Security Blogs: Follow researchers who publish technical write-ups
• CVE Feeds: Monitor new vulnerabilities in common software

Ethical Considerations

Always operate within legal boundaries and with proper authorization. Document your methodology thoroughly for reproducibility and accountability. Consider the potential impact of your actions on production systems and have rollback plans for any changes made during testing.

Conclusion

Successful penetration testing requires more than technical skills—it demands methodology, patience, and continuous adaptation. This systematic approach provides a framework for thorough assessment while maintaining the flexibility to handle unique scenarios.

Remember that tools are merely implements; understanding when and why to use them distinguishes professionals from script kiddies. Each assessment teaches new lessons, and maintaining detailed documentation of both successes and failures builds a personal knowledge base that becomes invaluable over time.

The methodology presented here serves as a foundation, but real expertise comes from practice, failure, and the persistent pursuit of understanding not just how to exploit systems, but why those exploits work. Stay curious, remain ethical, and never stop learning—the field of security assessment rewards those who approach it with discipline and dedication.