Pentest_Notes

🗺️ Master Penetration Testing Methodology Checklist

Domain-agnostic, phase-by-phase penetration testing methodology. Last Updated: 2026-03-27

---

Pre-Engagement

• Define scope (IP ranges, domains, exclusions)
• Obtain signed Rules of Engagement (RoE) / authorization
• Set up note-taking environment (Obsidian, Cherry Tree, or similar)
• Configure tmux logging: prefix + Shift+P
• Verify VPN / network connectivity to target environment
• Prepare tool arsenal (see Tool Readiness Checklist)
• Set up file structure for engagement evidence
• Configure /etc/hosts with known hostnames
• Start tmux session: tmux new -s pentest

---

Phase 1: Reconnaissance / Information Gathering

Passive Reconnaissance

• OSINT on target organization → See 14_OSINT_Passive_Recon.md
• DNS enumeration (passive): dnsrecon -d domain.com
• Subdomain enumeration: subfinder -d domain.com -silent
• Google dorking for exposed files, login pages, sensitive data
• Search for leaked credentials (breach databases, paste sites)
• Harvest emails: theHarvester -d domain.com -l 500 -b google
• Check for exposed Git repos, cloud storage, S3 buckets
• Review website for employee names, tech stack hints, metadata

Active Reconnaissance

• Passive network discovery: netdiscover -i eth1 -r 192.168.x.0/24 -p
• Listen for traffic: sudo tcpdump -i eth1 'dst host <YOUR_IP>'
• Run Responder in analyze mode: responder -I eth1 -A
• Active host discovery: nmap -sn -PE -PM -PP -n --open <SUBNET>
• Ping sweep: fping -asgq <SUBNET>

---

Phase 2: Enumeration

Network Enumeration

• Quick port scan: masscan -p20-25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 <SUBNET>
• Full TCP scan: nmap -p- -v --min-rate 4000 -sV <IP>
• Service version scan: nmap -p <PORTS> -sV -sC <IP>
• UDP scan: sudo nmap -Pn -n -sU --top-ports=100 <IP>
• Identify all services and versions across all targets

Service-Specific Enumeration

• SMB — Null sessions, guest access, share enumeration → See 01_Network_Pentesting.md
• HTTP/HTTPS — Tech stack, directories, subdomains → See 02_Web_Application_Pentesting.md
• DNS — Zone transfers, subdomain brute-force
• LDAP — Anonymous bind, domain enumeration
• RPC — Null sessions, user enumeration
• SNMP — Community string brute-force
• FTP — Anonymous access, file listing
• NFS — Exports, mount and inspect
• SMTP — User enumeration (VRFY, EXPN, RCPT)
• MSSQL/MySQL — Default credentials, command execution
• IPMI — Hash dumping, default credentials

Active Directory Enumeration (if applicable)

• Enumerate users via Kerbrute
• Check for ASREPRoastable users
• Run BloodHound / SharpHound collection
• Enumerate domain trusts
• Enumerate group memberships
• Check ACLs/ACEs
• → See 03_Active_Directory_Pentesting.md

---

Phase 3: Vulnerability Assessment

• Cross-reference service versions with known CVEs
• Run searchsploit <service_name>
• Run cvemap -p <product> -k
• Check Sploitus, Exploit-DB
• Run Nessus / Nuclei / Nikto scans
• Check for default credentials on all services
• Run Burp Suite Pro active scan on web applications
• Check for misconfigurations (SMB signing, LDAP signing, etc.)
• → See Finding Vulnerabilities Checklist

---

Phase 4: Exploitation

• Prioritize exploitation paths by likelihood of success
• Attempt exploitation of identified vulnerabilities
• Web application attacks (SQLi, XSS, LFI/RFI, file upload, SSTI, deserialization)
• Service exploits (SMB, FTP, MSSQL, etc.)
• Password attacks (spraying, brute-force, credential stuffing)
• Client-side attacks if in scope
• Document every exploitation attempt (success and failure)
• Take screenshots of every successful exploit

---

Phase 5: Post-Exploitation

Immediate Actions After Shell

• Stabilize shell (upgrade to full TTY if needed)
• whoami / id — identify current user
• hostname — identify current system
• ipconfig / ip a — check network interfaces
• systeminfo / uname -a — system details
• Check for additional network interfaces (pivot points)
• Check for domain membership
• Screenshot: proof of access

Credential Harvesting

• Search for credentials in files, configs, environment variables
• Dump SAM/LSASS/NTDS (Windows)
• Check /etc/shadow, SSH keys, history files (Linux)
• → See 06_Password_Attacks.md

Privilege Escalation

• Run automated enumeration (LinPEAS / WinPEAS / Seatbelt)
• Check sudo privileges / SUID binaries (Linux)
• Check services, scheduled tasks, registry (Windows)
• → See 04_Privilege_Escalation_Linux.md
• → See 05_Privilege_Escalation_Windows.md

Lateral Movement

• Test credentials across other hosts
• Pass-the-Hash / Pass-the-Ticket
• PSExec / WMI / WinRM / DCOM
• Check for accessible shares
• → See 03_Active_Directory_Pentesting.md

Pivoting

• Identify additional subnets
• Set up tunnels (Ligolo-ng, SSH, Chisel)
• Repeat enumeration from new network position
• → See 07_Pivoting_Tunneling_Port_Forwarding.md

---

Phase 6: Objectives Completion

• Collect all required flags/evidence
• Verify all objectives met per scope
• Ensure sufficient screenshots for every finding
• Document full attack paths

---

Phase 7: Cleanup & Reporting

• Remove uploaded tools and files from targets
• Remove persistence mechanisms (if planted for testing)
• Remove route entries and tunnel configurations
• Write comprehensive report → See 15_Reporting_Documentation.md
• Peer review report
• Submit deliverables

---

Tool Readiness Checklist

Must-Have Tools Installed

Category	Tools
Scanning	Nmap, Masscan, Rustscan
Web	Feroxbuster, Gobuster, Nikto, Nuclei, Burp Suite Pro, SQLMap, wfuzz
AD	BloodHound, SharpHound, RustHound, Kerbrute, Rubeus, Mimikatz, PowerView, BloodyAD, Certipy-AD
Credential	Hashcat, John, Hydra, CrackMapExec/NetExec, Responder
Pivoting	Ligolo-ng, Chisel, SSHuttle
PrivEsc	LinPEAS, WinPEAS, Seatbelt, PowerUp, pspy
Shells	rlwrap, nc/ncat, Metasploit, Sliver, Villain
Enumeration	enum4linux, ldapsearch, rpcclient, snmpwalk, smbclient
Recon	subfinder, theHarvester, httpx, whatweb, Katana
Misc	tmux, Obsidian/CherryTree, Python3, impacket suite

Pre-Engagement Verification

• All tools installed and updated
• Wordlists available (SecLists, rockyou.txt)
• Impacket suite functional
• VPN configuration tested
• Note-taking system ready
• Tmux logging configured
• /etc/hosts template prepared

---

Post-Exploitation Checklist (Consolidated)

Linux Post-Exploitation

• id && whoami && hostname
• ip a && ip route
• cat /etc/passwd && cat /etc/shadow (if readable)
• sudo -l
• find / -perm /4000 2>/dev/null (SUID)
• crontab -l && ls -la /etc/cron*
• env && cat ~/.bash_history
• netstat -tulpn (internal services)
• ps aux (running processes)
• Run LinPEAS: timeout 5m ./linpeas.sh

Windows Post-Exploitation

• whoami /all
• systeminfo
• ipconfig /all
• net user && net localgroup administrators
• cmdkey /list (stored credentials)
• netstat -ano (listening ports)
• tasklist /v (running processes)
• Check C:\Users\* for interesting files
• Run WinPEAS or Seatbelt
• Check PowerShell history: Get-History / (Get-PSReadlineOption).HistorySavePath