Planning the Engagement
2.1 Scope Definition
- In-scope systems/applications/networks
- Out-of-scope items
2.2 Legal & Regulatory Compliance
- Follow applicable laws (e.g. HIPAA)
- Meet industry-specific regulations
2.3 Rules of Engagement (RoE)
- Permitted vs. prohibited activities
- Testing windows (e.g. off-peak only)
2.4 Non-Disclosure Agreement (NDA)
- Confidentiality of findings and sensitive info
2.5 Statement of Work (SOW)
- Tasks, timelines, deliverables (e.g. 4-week vulnerability assessment)
2.6 Communication & Escalation Paths
- Primary contacts for status updates
- Immediate reporting for critical issues
2.7 Client Risk Tolerance & Business Impact
- Agreed acceptable downtime vs. test depth
Reconnaissance
3.1 Passive Reconnaissance
- WHOIS, ARIN, Maltego, Recon-ng
- Public sources: corporate website, job postings
3.2 Active Reconnaissance
- Network scans (Nmap)
- Banner grabbing, DNS enumeration (dig/nslookup)
- Shodan for internet-connected devices
3.3 Documentation & Stealth
- Record every finding (dates, commands, outputs)
- Use proxies/timing to avoid detection
Attacks & Exploits
4.1 Prioritizing Targets
- Focus on high-value assets & critical CVEs
4.2 Automated Frameworks
- Metasploit for exploit development/execution
4.3 Password Attacks
- Brute-force/dictionary with Hydra, John the Ripper
4.4 Phishing Attacks
- Craft spoofed emails to harvest credentials
4.5 Web Application Attacks
- SQL Injection (sqlmap)
- XSS (steal sessions via injected scripts)
4.6 Documentation
- Detail tools, commands, outputs, screenshots
Post-Exploitation
5.1 Persistence
- Create admin accounts; scheduled tasks/cron jobs
5.2 Privilege Escalation
- Local exploits; Mimikatz for in-memory creds
5.3 Lateral Movement
- PsExec (Windows), SSH (Linux)
5.4 Data Gathering & Exfiltration
- Harvest files/databases; covert channels (DNS tunneling)
5.5 Cleanup & Stealth Best Practices
- Remove tools, clear logs, delete test accounts
Reporting
6.1 Executive Summary
- Non-technical overview of risks & impacts
6.2 Scope & Methodology
6.3 Findings
- Detailed vulnerability descriptions with supporting evidence
- Severity ratings (CVSS)
6.4 Recommendations
- Actionable fixes (patch versions, code reviews)
6.5 Overall Security Posture
- High-level strengths & weaknesses
6.6 Limitations & Assumptions
- Testing constraints (off-limits systems, time windows)
6.7 Call to Action
- Next steps: remediation priorities, retest, continuous monitoring