Hacktricks-skills pentesting-methodology

Use this skill whenever you need to perform penetration testing, security assessments, vulnerability research, or red team operations. This covers the complete pentesting workflow from reconnaissance through privilege escalation and pivoting. Make sure to use this skill when the user mentions pentesting, security testing, vulnerability assessment, network scanning, privilege escalation, or any security-related attack methodology, even if they don't explicitly ask for a 'pentesting methodology'.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/generic-methodologies-and-resources/pentesting-methodology/SKILL.MD

source content

Pentesting Methodology

A comprehensive guide for conducting penetration tests and security assessments. This skill provides a structured approach to security testing from initial reconnaissance through post-exploitation.

⚠️ Ethical Considerations

Always ensure you have explicit authorization before performing any security testing. This methodology should only be used:

On systems you own or have written permission to test
In authorized penetration testing engagements
In controlled lab environments for learning
During bug bounty programs within scope

Methodology Overview

Follow this structured approach for comprehensive security assessments:

Phase 0: Physical Access Assessment

If you have physical access to target systems:

Review physical attack vectors (USB drops, keyloggers, hardware implants)
Consider GUI escape techniques for locked workstations
Document physical security controls and bypass opportunities

Phase 1: Asset Discovery

Internal Tests:

Discover hosts within the network using ARP scanning, Nmap, and network enumeration
Map network topology and identify critical infrastructure

External Tests:

Enumerate company assets on the internet (domains, subdomains, cloud resources)
Use OSINT tools to gather publicly available information
Once internal access is gained, restart from Phase 1 for internal discovery

Phase 2: Network Intelligence (Internal Only)

Before targeting specific hosts:

Passive reconnaissance: Sniff network traffic to understand protocols and data flows
Active reconnaissance: Perform MITM attacks to intercept credentials and sessions
Credential harvesting: Capture NTLM hashes, Kerberos tickets, or plaintext credentials
Document network protocols, services, and potential attack surfaces

Phase 3: Port Scanning & Service Discovery

Essential scanning workflow:

Initial scan: Quick port scan to identify open ports
Service enumeration: Identify running services and versions
Deep scan: Comprehensive scan with version detection and script scanning
Documentation: Record all findings with timestamps

Recommended tools:

Nmap for comprehensive scanning
Masscan for rapid port discovery
Rustscan for fast initial sweeps

Phase 4: Vulnerability Research

For each discovered service:

Version identification: Determine exact service versions
CVE lookup: Search for known vulnerabilities (Exploit-DB, NVD, GitHub)
Exploit availability: Check for public exploits or proof-of-concepts
Risk assessment: Prioritize based on severity and exploitability

Resources:

Exploit-DB for public exploits
NVD for CVE information
GitHub for custom exploits and tools
Vendor security advisories

Phase 5: Service-Specific Testing

When no direct exploits exist:

Test for common misconfigurations
Check for default credentials
Test for authentication bypasses
Look for information disclosure
Attempt parameter tampering

Web applications (highest priority):

SQL injection testing
XSS vulnerability assessment
Authentication/authorization testing
File upload vulnerabilities
Business logic flaws

Common services to test:

SSH, RDP, VNC (remote access)
SMB, NFS (file sharing)
HTTP/HTTPS (web services)
Database services (MySQL, PostgreSQL, MongoDB)
Mail services (SMTP, IMAP, POP3)

Automated tools:

Legion for automated vulnerability assessment
Nessus/OpenVAS for vulnerability scanning
Custom scripts for service-specific testing

Brute-force considerations:

Use wordlists appropriate to the service
Implement rate limiting to avoid detection
Document all attempts for reporting
Consider credential stuffing if hashes are available

Phase 6: Social Engineering

When technical vectors fail:

Phishing campaigns (email, SMS, voice)
Credential harvesting pages
Malicious document delivery
Business email compromise scenarios

Important: Only use social engineering with explicit authorization and within legal boundaries.

Phase 7: Initial Access

Once a vulnerability is identified:

Exploit development: Adapt or write exploits as needed
Payload delivery: Choose appropriate payload (reverse shell, bind shell, web shell)
Shell establishment: Gain initial interactive access
Stabilization: Upgrade to stable shell if needed

Reverse shell considerations:

Choose appropriate language (bash, python, netcat, powershell)
Consider firewall/AV evasion
Use encrypted channels when possible
Have backup access methods ready

Windows-specific:

AV evasion techniques for payloads
Use encoded or obfuscated commands
Consider living-off-the-land binaries (LOLBins)

Phase 8: Post-Access Enumeration

Linux systems:

User enumeration (
```
/etc/passwd
```
,
```
last
```
,
```
w
```
)
Privilege escalation paths (SUID binaries, cron jobs, capabilities)
Network connections and listening services
Installed software and versions
Scheduled tasks and startup scripts

Windows systems:

User and group enumeration
Service and process analysis
Registry persistence locations
Scheduled tasks and startup items
Credential storage locations
Active Directory information (if domain-joined)

Phase 9: Data Exfiltration

Data extraction methods:

Direct file transfer (SCP, FTP, HTTP)
Encrypted channels (DNS tunneling, HTTPS)
Steganography for covert channels
Compression and encoding for large datasets

Data to prioritize:

Credentials and password hashes
Sensitive documents and databases
Configuration files with secrets
Source code and intellectual property
Network topology information

Phase 10: Privilege Escalation

Local Privilege Escalation:

Linux:

Kernel exploits (check kernel version)
SUID/SGID binary abuse
Capability exploitation
Cron job manipulation
Service misconfigurations
Use PEAS (Privilege Escalation Awesome Scripts) for enumeration

Windows:

Service exploitation
Token manipulation
UAC bypass techniques
Unquoted service paths
Weak service permissions
Use WinPEAS for enumeration

Domain Privilege Escalation:

Active Directory enumeration
Trust relationship exploitation
Kerberos attacks (AS-REP roasting, Golden Ticket)
Lateral movement techniques
Credential dumping (Mimikatz, secretsdump)
GPO abuse and manipulation

Phase 11: Post-Exploitation

Looting:

Search for additional credentials
Check for access to other systems
Dump password hashes and cached credentials
Look for configuration files with secrets
Identify high-value targets

Persistence:

Implement 2-3 different persistence mechanisms
Windows: Scheduled tasks, services, registry run keys, WMI subscriptions
Linux: Cron jobs, systemd services, bashrc modifications
Active Directory: GPO modifications, ACL changes, DC shadowing
Document all persistence for cleanup

Phase 12: Pivoting

Network pivoting:

SSH tunneling for port forwarding
SOCKS proxies for network access
Meterpreter pivoting (if using Metasploit)
Chisel/SSHuttle for advanced tunneling

Lateral movement:

Use harvested credentials on other systems
Pass-the-hash/Pass-the-ticket attacks
WMI/WinRM for Windows lateral movement
SSH key abuse for Linux environments

When pivoting:

Restart methodology from Phase 1 for new networks
Document network topology changes
Update asset inventory
Consider new attack vectors

Specialized Testing Areas

Mobile Application Testing

Android application security assessment
APK analysis and decompilation
Runtime analysis and hooking
API security testing

Binary Exploitation

Stack-based buffer overflows
Format string vulnerabilities
Return-oriented programming (ROP)
Windows-specific exploitation techniques

Cryptographic Analysis

ECB mode vulnerabilities
CBC-MAC weaknesses
Padding oracle attacks
Weak key generation and usage

Documentation & Reporting

During the engagement:

Document all findings with timestamps
Capture screenshots and logs
Record commands and outputs
Track progress through methodology phases

Final report should include:

Executive summary for management
Technical findings with severity ratings
Proof-of-concept evidence
Remediation recommendations
Risk assessment and prioritization

Tools Reference

Reconnaissance:

Nmap, Masscan, Rustscan
Subfinder, Amass, Assetfinder
Shodan, Censys for external assets

Vulnerability Assessment:

Legion, Nessus, OpenVAS
Nikto, WPScan for web applications
Burp Suite for web testing

Exploitation:

Metasploit Framework
Custom exploit development
Exploit-DB search tools

Post-Exploitation:

PEAS/WinPEAS for enumeration
Mimikatz for credential access
BloodHound for AD analysis
Empire/Cobalt Strike for C2

Pivoting:

SSH tunneling
Chisel, SSHuttle
Proxychains for routing

Safety Reminders

Authorization: Never test without written permission
Scope: Stay within agreed boundaries
Timing: Avoid production impact during business hours
Data handling: Protect any sensitive data discovered
Cleanup: Remove all persistence and access methods
Reporting: Document everything for the client

When to Use This Skill

Use this methodology when:

Planning a penetration test engagement
Conducting security assessments
Learning penetration testing techniques
Developing security testing procedures
Creating bug bounty testing strategies
Performing authorized red team operations
Documenting security testing processes

This skill provides the framework - adapt specific techniques to your target environment and engagement scope.