Mini Penetration Testing Framework

2026 Edition

The Essential Penetration Testing Framework

A practical, no-nonsense guide to planning and executing professional penetration tests. Modern tools, modern targets, zero fluff.

This guide defines a mini penetration testing framework and provides the essential knowledge and tooling to deliver a professional engagement. No exotic tools, no unnecessary complexity — only what you actually need in the field. The framework is structured in six phases and has been updated to reflect the current threat landscape: cloud-native infrastructure, Active Directory dominance, API-first applications, IPv6 dual-stack networks, and Layer 2 attack surfaces that most testers still overlook.

Who this is for: Entry to mid-level penetration testers, OSCP/OSCP+ candidates, and security engineers transitioning into offensive work. If you are delivering pentest engagements professionally or preparing for your first one, this is your operational baseline.

Phase 1

Planning Your Penetration Test

Before touching a single tool, define what you are delivering. Security testing is a product — you sell it, scope it, and package the output for a client who needs to act on it. Planning failures cascade into every subsequent phase.

Types of Security Testing

Understand the distinctions because they affect scope, pricing, legal exposure, and client expectations:

Type | Proof of Concept | What You Deliver
--- | --- | ---
Penetration Test | Yes — you exploit and demonstrate real impact | Evidence of compromise: data extraction, lateral movement, privilege escalation chains
Vulnerability Assessment | No — you assess and report potential risk | Qualified risk statements, remediation priorities, no active exploitation
Security Audit | No — passive, policy-driven | Compliance gap analysis against frameworks (PCI DSS, ISO 27001, SOC 2, NIST CSF)
Red Team Engagement | Yes — goal-oriented, adversary simulation | Objective-based assessment mapped to MITRE ATT&CK
Purple Team Exercise | Collaborative — attack + detect together | Joint exercise with the blue team to test and improve detection and response capabilities

PoC-oriented methods dominate modern engagements because they translate technical findings into business risk that stakeholders actually understand. A CVSS 9.8 means nothing to a CFO — showing them you extracted the customer database in 4 steps does.

Legal Considerations

You must understand the legal framework before you test. What has changed is jurisdictional complexity — cloud infrastructure means your packets may traverse multiple legal jurisdictions in a single engagement.

  • United States: Computer Fraud and Abuse Act (CFAA) — see Van Buren v. United States, 2021 Supreme Court ruling that narrowed "exceeds authorized access"
  • United Kingdom: Computer Misuse Act 1990 (amended 2015) — Section 3A added offenses for supplying tools for computer misuse
  • European Union: NIS2 Directive (effective October 2024) — cybersecurity obligations and incident reporting across member states
  • Germany: StGB §202a-d — notably strict; accessing data "not intended for you" is sufficient for prosecution
  • Canada: Criminal Code Section 342.1 — unauthorized use of computer
  • General: Budapest Convention on Cybercrime — the international baseline treaty

Non-negotiable: Get a signed Rules of Engagement (RoE) and authorization letter before any testing begins. The RoE must specify: exact scope (IPs, domains, cloud accounts), testing window, permitted techniques, emergency contact procedures, and data handling requirements. If the client's infrastructure uses a third-party cloud provider (AWS, Azure, GCP), check whether the provider requires separate notification.

Engagement Models

Model | Attacker Knowledge | Realism | Cost
--- | --- | --- | ---
Black Box | Zero prior knowledge | Most realistic external attacker simulation | Higher (more recon time)
Grey Box | Partial info (credentials, network diagrams, API docs) | Simulates an insider or compromised user | Medium
White Box / Crystal Box | Full access: source code, architecture, credentials | Maximum coverage, deeper findings | Most efficient use of time

Technical Categories of Testing

  1. Network Services Testing (internal and external perimeter)
  2. Web Application Testing (aligned with OWASP Testing Guide v5)
  3. API Testing (REST, GraphQL, gRPC, WebSocket)
  4. Cloud Infrastructure Testing (AWS, Azure, GCP misconfigurations)
  5. Active Directory / Identity Testing
  6. Mobile Application Testing (Android/iOS)
  7. Wireless Testing (Wi-Fi, Bluetooth, RFID/NFC)
  8. Client-Side / Social Engineering Testing
  9. Container / Kubernetes Testing
  10. Physical Security Testing
  11. Layer 2 / Network Infrastructure Testing (VLAN hopping, broadcast analysis, ARP-level attacks)

Hardening Your Pentest Machine

Your testing platform is an offensive weapon loaded with client data. Treat it accordingly:

  • Full disk encryption (LUKS on Linux, BitLocker with TPM + PIN)
  • MFA for all logins — hardware key preferred (YubiKey / FIDO2)
  • Dedicated testing OS — Kali Linux or Parrot Security, separate from your daily driver
  • Minimal attack surface — disable unnecessary services, firewall inbound connections
  • Encrypted comms — GPG/PGP for file transfer, WireGuard or OpenVPN for tunnel access
  • Update before every engagement: sudo apt update && sudo apt full-upgrade
  • Sanitize between engagements — wipe all client data, rotate credentials, destroy VMs
  • Harden C2 infrastructure — Cobalt Strike, Mythic, or Sliver servers need to be locked down as aggressively as the client's production systems

OPSEC reminder: Your pentest laptop, C2 servers, and VPS nodes are targets too. Threat actors actively hunt for pentest infrastructure — credential-stuffed VPS panels, exposed Cobalt Strike teamservers, and unsecured Burp Collaborator instances are found in the wild regularly.


Phase 2

Scoping

Scoping is where engagements succeed or fail. A poorly scoped test leads to missed targets, scope creep, and disputes over deliverables. Be precise.

Scoping Checklist

  1. Agree on engagement type and model (black/grey/white box)
  2. Agree on technical category (web app, network, cloud, AD, etc.)
  3. Define man-days and team composition from both sides
  4. Identify team leads and emergency contacts: sysadmin, network admin, cloud admin, SOC/IR lead, application owner, firewall/WAF admin
  5. Define testing windows — business hours only? After-hours permitted?
  6. Document everything — RoE signed by authorized personnel on both sides

Technical Scope Definition

  • Target domain names and subdomains (wildcard *.target.com or explicit list?)
  • IPv4 and IPv6 ranges — dual-stack networks are now the norm
  • Cloud account IDs (AWS account numbers, Azure subscription IDs, GCP project IDs)
  • Specific applications and API endpoints
  • Network devices in scope (switches, routers, firewalls, load balancers)
  • VLAN segmentation scope — are you testing VLAN isolation and Layer 2 controls?
  • PoC boundaries: Is DoS permitted? Destructive exploits? Data exfiltration (real vs. simulated)?
  • Exclusions — production databases, critical medical devices, SCADA/ICS systems unless explicitly in scope

Cloud scoping note: AWS allows pentesting against most services without prior approval. Azure requires no notification for most tests. GCP follows similar guidelines. Always verify current provider policies before testing — DoS testing against cloud infrastructure almost always requires separate authorization from the provider.


Phase 3

Reconnaissance

Reconnaissance is intelligence gathering. The quality of your recon directly determines the quality of your exploitation. You are building a target profile covering people, technology, and infrastructure.

What You Are Looking For

People & Organization

  • Employee names, roles, email formats (firstname.lastname@corp.com vs. flastname@corp.com)
  • Org chart structure — department mapping
  • Career postings — technology stack revealed in job descriptions
  • Social media profiles — LinkedIn, GitHub, personal blogs
  • Conference talks and published research by employees
  • Credential leaks — breach databases (ethical and legal boundaries apply)

Technical Infrastructure

  • Domain names, subdomains, DNS records (A, AAAA, MX, NS, TXT, SPF, DKIM, DMARC, SRV)
  • IPv4 and IPv6 address ranges (ARIN, RIPE, APNIC whois + BGP data)
  • ASN ownership and BGP prefix analysis
  • Cloud infrastructure fingerprinting (S3 buckets, Azure blobs, CloudFront distributions)
  • SSL/TLS certificate transparency logs — exposed subdomains, internal hostnames
  • Public code repositories — GitHub, GitLab (leaked credentials, API keys)
  • Exposed services on Shodan, Censys, and Fofa
  • Web technology fingerprinting (Wappalyzer, whatweb)

Reconnaissance Tooling — 2026

Task | Tools
--- | ---
Subdomain enumeration | subfinder, amass, assetfinder, knockpy, dnsrecon
DNS analysis | dnsx, massdns, dig, fierce
Certificate transparency | crt.sh, certspotter, ctfr
Cloud asset discovery | cloud_enum, S3Scanner, grayhatwarfare.com
GitHub/code recon | trufflehog, gitleaks, gitdorker
OSINT frameworks | theHarvester, SpiderFoot, recon-ng, Maltego
Email / people enumeration | theHarvester, hunter.io, phonebook.cz
Metadata extraction | exiftool, FOCA, metagoofil
Credential leak checking | dehashed, haveibeenpwned API
Search engine dorking | Google Dorks, Shodan Dorks, Censys queries
Whois / IP / ASN | whois, bgp.he.net, RIPE/ARIN, ipinfo.io
IPv6-specific recon | dnsx (AAAA records), ping6, thc-ipv6
Internet-wide scan data | Shodan, Censys, Fofa, ZoomEye

Tracerouting: IPv4, IPv6, and Protocol Variants

# Standard ICMP traceroute (IPv4)
traceroute -I target.com
# TCP traceroute on port 443 (bypasses ICMP-blocking firewalls)
tcptraceroute target.com 443
# UDP traceroute
traceroute -U target.com
# IPv6 ICMP traceroute
traceroute6 target.com
# IPv6 TCP traceroute
tcptraceroute -6 target.com 443
# MTR for continuous path analysis
mtr --report target.com
mtr -6 --report target.com

ICMP Refresher: What Responses Tell You

ICMP Response | What It Means To You
--- | ---
Echo Reply (Type 0) | Host is alive and responding to ICMP
Destination Host Unreachable (Type 3, Code 1) | Last-hop router cannot reach the host
Destination Port Unreachable (Type 3, Code 3) | UDP port is closed — this is how UDP scanning works
Network Administratively Prohibited (Type 3, Code 9) | Firewall explicitly blocking — confirmed filtering device
Host Administratively Prohibited (Type 3, Code 10) | Host-level firewall blocking — confirms host exists behind a filter
Communication Administratively Prohibited (Type 3, Code 13) | Firewall dropping traffic with explicit deny response
TTL Exceeded in Transit (Type 11, Code 0) | Used in tracerouting — reveals intermediate hops
Fragment Reassembly Timeout (Type 11, Code 1) | Useful for detecting fragmentation-based IDS evasion behavior

IPv6 note: ICMPv6 is mandatory in IPv6. It handles NDP (Neighbor Discovery Protocol), which replaces ARP. ICMPv6 filtering is more nuanced — aggressive filtering breaks IPv6 networking. NDP solicitation/advertisement messages, Router Advertisement (RA), and MLD messages may leak topology information that would be filtered in IPv4.


Phase 4

Scanning

Scanning is active probing — you are now touching the target infrastructure. Configure tools to target IP addresses, not domain names (to avoid load balancers and CDN endpoints masking real infrastructure).

Scanning Fundamentals

  • Run a packet capture during scanning — tcpdump or Wireshark in the background
  • For large scopes: use representative IP sampling by network segment
  • For small scopes: extend port ranges for better coverage
  • Always scan both IPv4 and IPv6 — many organizations have IPv6 enabled with zero security controls

TCP/UDP Protocol Refresher

Flag | Purpose | Scanning Relevance
--- | --- | ---
SYN | Initiate connection | SYN scan — the default and most common
ACK | Acknowledge received data | ACK scan — firewall rule mapping
RST | Reset / abort connection | Response indicator — closed ports send RST
FIN | Graceful close | FIN scan — evasion technique against non-stateful firewalls
PSH | Push buffered data | Used in Xmas scan combination
URG | Urgent data pointer | Used in Xmas scan combination

Core Scanning Tools — 2026

Tool | Primary Use
--- | ---
nmap | The standard. Port scanning, service detection, OS fingerprinting, NSE scripts.
masscan | High-speed port scanning for large IP ranges. Follow up with nmap for detail.
naabu | Fast port scanner from ProjectDiscovery. Good integration with other PD tools.
rustscan | Ultra-fast port scanner that pipes results into nmap automatically.
hping3 | Custom packets — TCP/UDP/ICMP. Firewall testing, idle scan, custom flag combinations.
tcpdump / Wireshark | Packet capture during scanning — mandatory for evidence and debugging.

Nmap Command Patterns

# Discovery: TCP SYN ping + ICMP echo
nmap -sn -PE -PS80,443,8080 -PA3389,22 --reason -oA discovery target_range
# IPv6 discovery
nmap -6 -sn -PE --reason -oA discovery_v6 target_v6_range
# Full TCP SYN scan — top 1000 ports, service versions
nmap -sS -sV --reason -n -Pn -oA tcp_syn target_ip
# UDP scan — top 100 ports
nmap -sU --top-ports 100 --reason -n -Pn -oA udp_scan target_ip
# Aggressive service + OS detection + default scripts
nmap -sS -sV -O -sC --reason -n -Pn -oA full_scan target_ip
# All 65535 TCP ports (small scopes / high-value targets)
nmap -sS -p- --reason -n -Pn -oA all_ports target_ip
# NSE vulnerability scanning
nmap --script vuln --reason -n -Pn -oA vuln_scan target_ip
# IPv6 full scan
nmap -6 -sS -sV -O --reason -n -Pn -oA full_v6 target_v6
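Every command above writes a .gnmap file via -oA. As an added example (not from the original guide), this Python turns that greppable output into the per-host port inventory the report appendix needs; the .gnmap excerpt is constructed but follows nmap's documented port/state/proto/owner/service/rpc/version field layout.

```python
"""Parse nmap greppable output (.gnmap from -oA / -oG) into a host/port inventory."""
import re
from collections import defaultdict

# One "Ports:" entry. nmap replaces "/" inside version strings with "|",
# so the seven slash-separated fields can be matched directly.
PORT_ENTRY = re.compile(
    r"(\d+)/([a-z|]+)/([a-z]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [record, ...]} with one dict per port entry."""
    inventory = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # "# Nmap ..." comment and timing lines
        fields = line.split("\t")
        ip = fields[0].split()[1]          # "Host: 10.0.0.20 ()" -> "10.0.0.20"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                   # "Status: Up" / "Ignored State: ..."
            for port, state, proto, _owner, service, _rpc, version in PORT_ENTRY.findall(field):
                inventory[ip].append({"port": int(port), "proto": proto, "state": state,
                                      "service": service, "version": version})
    return dict(inventory)


def open_ports(inventory):
    """{ip: sorted confirmed-open port numbers}: the per-host summary for the report."""
    return {ip: sorted(r["port"] for r in recs if r["state"] == "open")
            for ip, recs in inventory.items()}


def hosts_with_open_port(inventory, port, proto="tcp"):
    """Hosts exposing one service, e.g. every host with 445/tcp confirmed open.
    'open|filtered' (typical for UDP) is deliberately not counted as open."""
    return sorted(ip for ip, recs in inventory.items()
                  if any(r["port"] == port and r["proto"] == proto and r["state"] == "open"
                         for r in recs))


# Constructed sample: two hosts, one of them with a UDP open|filtered entry.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -sS -sV --reason -n -Pn -oA tcp_syn 10.0.0.20-21
Host: 10.0.0.20 ()\tStatus: Up
Host: 10.0.0.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6p1/, 80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//http//nginx 1.24.0/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 10.0.0.21 ()\tStatus: Up
Host: 10.0.0.21 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds///, 161/open|filtered/udp//snmp///\tIgnored State: filtered (997)
# Nmap done (constructed sample) -- 2 IP addresses (2 hosts up) scanned
"""

if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in open_ports(inv).items():
        print(ip, ports)
    print("445/tcp open on:", hosts_with_open_port(inv, 445))
```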

Scan Types: Packet Flow Reference

TCP SYN Scan (Half-Open)

Scanner ──SYN──────────────► Target
Scanner ◄──SYN/ACK────────── Target   [Port OPEN]
Scanner ──RST──────────────► Target   [Connection torn down]

Scanner ──SYN──────────────► Target
Scanner ◄──RST────────────── Target   [Port CLOSED]

Scanner ──SYN──────────────► Target
... timeout ...                        [Port FILTERED]

TCP ACK Scan (Firewall Mapping)

Scanner ──ACK──────────────► Target
Scanner ◄──RST────────────── Target   [Port UNFILTERED]

Scanner ──ACK──────────────► Target
... timeout / ICMP error ...           [Port FILTERED]

UDP Scan

Scanner ──UDP──────────────► Target
Scanner ◄──ICMP Port Unreach── Target [Port CLOSED]

Scanner ──UDP──────────────► Target
... timeout ...                        [Port OPEN|FILTERED]

Scanner ──UDP──────────────► Target
Scanner ◄──UDP Response───── Target   [Port OPEN]

TCP NULL / FIN / Xmas Scans (Evasion)

# FIN scan
Scanner ──FIN──────────────► Target
Scanner ◄──RST────────────── Target   [Port CLOSED]
... timeout ...                        [Port OPEN|FILTERED]

# Xmas scan: FIN+URG+PSH
Scanner ──FIN,URG,PSH──────► Target
Scanner ◄──RST────────────── Target   [Port CLOSED]
... timeout ...                        [Port OPEN|FILTERED]

NOTE: Most effective against Linux/Unix/BSD targets. Modern Windows stacks send RST regardless of port state.
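The flag table and the packet flows above are exactly what a defender's detection logic keys on. This added example (not from the original guide) classifies client-to-server probes by their flag set (SYN, ACK, FIN, Xmas, NULL), counts half-open handshakes that the scanner aborts with RST, and raises an alert for any source that probes many distinct ports; the packet records are constructed, and a real deployment would feed them from a capture or a connection log.

```python
"""Classify TCP probe types from capture records and flag port-scan activity."""
from collections import defaultdict

# Probe signatures from the flag table. Flag letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST.
PROBE_SIGNATURES = {
    frozenset("S"): "SYN",      # half-open scan probe
    frozenset("A"): "ACK",      # firewall-mapping probe
    frozenset("F"): "FIN",      # FIN scan
    frozenset("FPU"): "XMAS",   # FIN+URG+PSH
    frozenset(): "NULL",        # no flags at all
}


def classify_probe(flags):
    """Map a client->server flag string to a probe type, or None for ordinary traffic."""
    return PROBE_SIGNATURES.get(frozenset(flags))


def detect_scans(packets, port_threshold=10):
    """packets: iterable of (src, dst, sport, dport, flags) in capture order.

    Returns (alerts, half_open): alerts maps (src, probe type) -> sorted distinct
    destination ports for sources at or above the threshold; half_open counts
    SYN -> SYN/ACK -> RST exchanges, the signature of a half-open SYN scan.
    Segments of completed handshakes are ignored so pure ACKs in live
    connections are not mistaken for ACK probes."""
    probes = defaultdict(set)   # (src, probe type) -> destination ports seen
    pending = {}                # client 4-tuple -> "syn" | "synack"
    established = set()         # completed handshakes, keyed by client 4-tuple
    half_open = 0
    for src, dst, sport, dport, flags in packets:
        fl = frozenset(flags)
        key = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if key in established or reverse in established:
            continue
        if fl == frozenset("SA"):                 # server answering a pending SYN
            if pending.get(reverse) == "syn":
                pending[reverse] = "synack"
            continue
        state = pending.get(key)
        if fl == frozenset("R") and state == "synack":
            half_open += 1                        # scanner tore the handshake down
            del pending[key]
            continue
        if fl == frozenset("A") and state == "synack":
            del pending[key]                      # legitimate connect() completed
            established.add(key)
            continue
        probe = classify_probe(flags)
        if probe is None:
            continue                              # RST/ACK replies, data segments, ...
        if probe == "SYN":
            pending[key] = "syn"
        probes[(src, probe)].add(dport)
    alerts = {k: sorted(v) for k, v in probes.items() if len(v) >= port_threshold}
    return alerts, half_open


def build_sample_capture():
    """Constructed records: one SYN scanner, one legitimate client, one Xmas scanner."""
    target, pkts = "10.0.0.20", []
    open_ports = {22, 80, 443}
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]):
        sport = 40000 + i
        pkts.append(("10.0.0.5", target, sport, p, "S"))
        if p in open_ports:
            pkts.append((target, "10.0.0.5", p, sport, "SA"))
            pkts.append(("10.0.0.5", target, sport, p, "R"))
        else:
            pkts.append((target, "10.0.0.5", p, sport, "RA"))
    pkts += [("10.0.0.7", target, 50001, 443, "S"),      # full handshake, then data
             (target, "10.0.0.7", 443, 50001, "SA"),
             ("10.0.0.7", target, 50001, 443, "A"),
             ("10.0.0.7", target, 50001, 443, "PA")]
    for i, p in enumerate(range(1, 13)):                  # Xmas probes on 12 ports
        pkts.append(("10.0.0.9", target, 41000 + i, p, "FPU"))
    return pkts


if __name__ == "__main__":
    alerts, half_open = detect_scans(build_sample_capture())
    for (src, probe), ports in alerts.items():
        print(f"{src}: {probe} scan across {len(ports)} ports")
    print("half-open handshakes:", half_open)
```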

TCP Idle Scan (Zombie Scan)

# Step 1: Probe zombie's IP ID
Scanner ──SYN/ACK──────────► Zombie
Scanner ◄──RST (IP ID=N)──── Zombie

# Step 2: Send forged SYN from zombie's IP to target
Scanner ──SYN [src=Zombie]──► Target

# If target port OPEN — zombie's IP ID increments by 2
# If target port CLOSED — zombie's IP ID increments by 1

Idle scan caveat: Finding a suitable zombie (globally incrementing IP ID, low traffic) is increasingly difficult. Most modern OS stacks randomize IP IDs. Documented for completeness — rarely viable in modern environments.

Version and OS Detection

# Service version detection
nmap -sV --version-intensity 5 target_ip
# OS fingerprinting
nmap -O --osscan-guess target_ip
# Manual banner grabbing
echo "" | ncat -v target_ip port
curl -I -k https://target.com

Network Internals

Layer 2 Attacks, VLAN Hopping, and Broadcast Analysis

Layer 2 attacks operate below the IP layer — your client's firewall rules, IDS signatures, and SIEM alerts are largely blind to them. If you are doing an internal pentest and not testing Layer 2 controls, you are leaving critical attack surface untested.

VLAN Hopping

Switch Spoofing (DTP)

If a switch port is configured to auto-negotiate trunking via DTP, an attacker can craft DTP frames to form a trunk link, gaining access to all VLANs on that trunk.

# Yersinia — DTP spoofing to enable trunking
yersinia dtp -attack 1 -interface eth0
# Or craft DTP frames with Scapy / frogger.sh

Double Tagging (802.1Q)

Exploits the fact that switches strip only the outer 802.1Q tag. Send frames with two headers — the switch strips the outer tag and forwards the inner-tagged frame to the target VLAN.

# Double-tagging with Scapy
from scapy.all import *
pkt = Ether(dst="ff:ff:ff:ff:ff:ff") / \
      Dot1Q(vlan=1) / \
      Dot1Q(vlan=100) / \
      IP(dst="192.168.100.1") / \
      ICMP()
sendp(pkt, iface="eth0")

Limitation: Double tagging is unidirectional — you can send frames into the target VLAN but cannot receive responses. Only works when the attacker is on the native VLAN. Use as a PoC to demonstrate VLAN segmentation failure.

What to Check

  • DTP enabled on access ports — should be switchport mode access with switchport nonegotiate
  • Native VLAN on trunks matching a user VLAN — native VLAN should be unused (e.g., VLAN 999)
  • Unused ports active in default VLAN — should be shut down or placed in a quarantine VLAN
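The three checks above can be run against a running-config export before (or instead of) sending a single frame. This added example (not from the original guide) audits Cisco IOS-style interface stanzas for DTP left enabled, access ports missing switchport nonegotiate, trunks whose native VLAN is VLAN 1 or a user VLAN, and active ports still sitting in the default VLAN; the config text is constructed, and the assumption that a port with no switchport mode line defaults to DTP dynamic mode is platform-dependent.

```python
"""Audit switch interface config for the Layer 2 weaknesses listed above."""


def parse_interfaces(config_text):
    """Return {interface name: [stripped commands in its stanza]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None            # "!" or any top-level line ends the stanza
    return interfaces


def _last_word(cmds, prefix, default):
    """Last token of the first command starting with prefix, e.g. '999' from
    'switchport trunk native vlan 999'; default when the command is absent."""
    for c in cmds:
        if c.startswith(prefix):
            return c.split()[-1]
    return default


def audit_switch_config(config_text, user_vlans):
    """Return [(interface, finding code)] for every non-shutdown port."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        if "shutdown" in cmds:
            continue                                   # disabled port: no exposure
        # Assumption: no explicit mode means DTP dynamic (platform-dependent default).
        mode = _last_word(cmds, "switchport mode ", "dynamic")
        nonegotiate = "switchport nonegotiate" in cmds
        if mode in ("dynamic", "desirable", "auto"):
            findings.append((name, "DTP_ENABLED"))      # can be negotiated into a trunk
        elif mode == "access" and not nonegotiate:
            findings.append((name, "NO_NONEGOTIATE"))   # still answers DTP frames
        if mode == "trunk":
            native = int(_last_word(cmds, "switchport trunk native vlan ", "1"))
            if native == 1 or native in user_vlans:
                findings.append((name, "NATIVE_VLAN_IN_USE"))   # double-tagging precondition
        else:
            access_vlan = int(_last_word(cmds, "switchport access vlan ", "1"))
            if access_vlan == 1:
                findings.append((name, "ACTIVE_IN_DEFAULT_VLAN"))  # shut down or quarantine
    return findings


# Constructed config excerpt: one clean trunk, one clean access port, three weak ports.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/2
 description User port
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 switchport mode access
!
interface GigabitEthernet1/0/5
 shutdown
!
interface GigabitEthernet1/0/6
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
"""

if __name__ == "__main__":
    for iface, code in audit_switch_config(SAMPLE_CONFIG, user_vlans={10, 20, 30}):
        print(f"{iface}: {code}")
```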

ARP-Level Attacks

# ARP spoofing with arpspoof
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t victim_ip gateway_ip
arpspoof -i eth0 -t gateway_ip victim_ip
# Bettercap — modern MitM framework
sudo bettercap -iface eth0
# In console:
net.probe on
set arp.spoof.targets victim_ip
arp.spoof on
net.sniff on
# Local network ARP discovery
arp-scan --localnet --interface=eth0

Broadcast Analysis

Passive sniffing of broadcast and multicast traffic is nearly undetectable and leaks operational intelligence: protocols in use, device types, misconfigured services, and segmentation failures.

# Capture broadcast traffic
tcpdump -i eth0 -n broadcast or multicast -w broadcast.pcap
# Wireshark display filters
arp.opcode == 1          # ARP requests — who is looking for what?
bootp.option.dhcp == 1   # DHCP discovery (field is dhcp.option.dhcp in Wireshark 3.0+)
nbns                     # NetBIOS name queries
mdns                     # mDNS / Bonjour
llmnr                    # LLMNR (Windows — poisoning target)
ssdp                     # UPnP / SSDP
stp                      # Spanning Tree — network topology
cdp or lldp              # CDP/LLDP — switch/router discovery

Key intel: LLMNR and NBT-NS broadcasts are the bread and butter of internal pentests. Poison these with Responder to capture NTLMv2 hashes. CDP/LLDP frames leak switch model, IOS/firmware version, management VLAN, and IP addresses — gold for lateral movement planning.
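From the defender's side, the same capture answers the question "which hosts still speak LLMNR and NBT-NS?", i.e. which ones need LLMNR disabled by policy and NetBIOS over TCP/IP turned off before anyone can poison them. This added example (not from the original guide) reads tcpdump -n text output and builds that inventory per protocol; the log lines are constructed but follow tcpdump's -n output format.

```python
"""Inventory hosts emitting name-resolution and discovery broadcasts from tcpdump -n lines."""
import re
from collections import defaultdict

# Destination ports of the broadcast/multicast protocols in the filter list above.
PORT_PROTO = {5355: "LLMNR", 137: "NBT-NS", 5353: "mDNS", 1900: "SSDP", 67: "DHCP"}

# "<ts> IP 192.168.1.10.52000 > 224.0.0.252.5355: UDP, length 22"
# "<ts> IP6 fe80::1ff:fe23:4567:890a.5355 > ff02::1:3.5355: UDP, length 22"
IP_LINE = re.compile(r"^\S+ IP6? (\S+)\.(\d+) > (\S+)\.(\d+): ")
# "<ts> ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28"
ARP_LINE = re.compile(r"^\S+ ARP, Request who-has \S+ tell (\S+),")


def inventory_broadcasters(lines):
    """Return {protocol: sorted source hosts} for the protocols in PORT_PROTO plus ARP."""
    seen = defaultdict(set)
    for line in lines:
        m = IP_LINE.match(line)
        if m:
            src, dport = m.group(1), int(m.group(4))
            proto = PORT_PROTO.get(dport)
            if proto:                       # anything else (e.g. TCP data) is ignored
                seen[proto].add(src)
            continue
        m = ARP_LINE.match(line)
        if m:
            seen["ARP"].add(m.group(1))
    return {proto: sorted(hosts) for proto, hosts in seen.items()}


def hardening_targets(inventory):
    """Hosts still using LLMNR or NBT-NS: the ones to fix before they get poisoned."""
    return sorted(set(inventory.get("LLMNR", [])) | set(inventory.get("NBT-NS", [])))


# Constructed lines in tcpdump -n format (not a real capture).
SAMPLE_TCPDUMP = [
    "10:00:01.000001 IP 192.168.1.10.52000 > 224.0.0.252.5355: UDP, length 22",
    "10:00:01.100000 IP 192.168.1.10.137 > 192.168.1.255.137: UDP, length 50",
    "10:00:02.000000 IP 192.168.1.11.5353 > 224.0.0.251.5353: UDP, length 80",
    "10:00:02.500000 IP 192.168.1.12.49152 > 239.255.255.250.1900: UDP, length 133",
    "10:00:03.000000 IP6 fe80::1ff:fe23:4567:890a.5355 > ff02::1:3.5355: UDP, length 22",
    "10:00:03.200000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28",
    "10:00:04.000000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300",
    "10:00:05.000000 IP 192.168.1.10.443 > 192.168.1.20.50000: Flags [P.], seq 1:100, ack 1, length 99",
]

if __name__ == "__main__":
    inv = inventory_broadcasters(SAMPLE_TCPDUMP)
    for proto, hosts in inv.items():
        print(f"{proto}: {', '.join(hosts)}")
    print("disable LLMNR/NetBIOS on:", hardening_targets(inv))
```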

IPv6-Specific Layer 2 Attacks

# Router Advertisement spoofing — announce yourself as IPv6 router
fake_router6 eth0 fe80::1/64
# Neighbor Advertisement spoofing (IPv6 equivalent of ARP spoofing)
parasite6 -l eth0
# IPv6 host discovery via multicast
ping6 -c 3 ff02::1%eth0   # All nodes on link-local
ping6 -c 3 ff02::2%eth0   # All routers on link-local

Why this matters: Many networks have IPv6 enabled by default (Windows enables it out of the box) with zero IPv6 security controls — no RA Guard, no DHCPv6 snooping, no IPv6 ACLs. An attacker can inject a rogue Router Advertisement and become the default IPv6 gateway even in networks that "don't use IPv6." Use mitm6 combined with ntlmrelayx for the full attack chain.

Layer 2 Toolkit Summary

Tool | Purpose
--- | ---
yersinia | DTP, STP, DHCP, CDP, 802.1Q, HSRP, VTP attacks — the Layer 2 Swiss army knife
bettercap | Modern MitM framework — ARP spoof, DNS spoof, HTTPS proxy, credential capture
Responder | LLMNR/NBT-NS/mDNS poisoner + credential capture — essential for AD pentests
mitm6 | IPv6 RA spoofing + DHCPv6 for NTLM relay attacks
thc-ipv6 | IPv6 attack toolkit — RA spoofing, NDP attacks, alive scanning
arp-scan | Fast ARP-based local network discovery
Scapy | Packet crafting in Python — build any Layer 2/3/4 attack
macchanger | MAC address spoofing — bypass port security, NAC

Evasion

Detecting and Bypassing Honeypots

Modern defensive environments deploy honeypots and deception technology (Thinkst Canary, Attivo, Illusive Networks) to detect lateral movement. Walking into a honeypot alerts the blue team and burns your access.

Indicators of Honeypots

Network-Level Indicators

  • Too many open ports: A host with 20+ services (SSH, RDP, SMB, HTTP, FTP, Telnet, SNMP) is suspicious — real servers have a purpose
  • Perfect banners: Exact matches to known vulnerable versions without configuration drift
  • Virtual MAC addresses: VMware/VirtualBox/KVM MAC prefixes on what should be physical infrastructure — check with arp-scan
  • Inconsistent TTL values: Different TTLs from hosts in the same subnet
  • No DNS/AD presence: Hosts in ARP tables but not in DNS, DHCP leases, or AD computer objects

Service-Level Indicators

  • Fake file shares: SMB shares named "Passwords", "HR_Data", "CEO_Files" — real shares have boring names
  • Credential traps: Services that accept any credential — test with intentionally wrong creds first
  • Limited command emulation: Cowrie SSH honeypots fail on deep system queries (cat /proc/cpuinfo, lsmod, dmesg)

# Check ARP for virtual MAC prefixes
arp-scan --localnet | grep -i "vmware\|virtualbox\|qemu\|xen"
# Timing analysis across hosts
for port in 22 80 443 3389; do
  hping3 -S -p $port -c 3 target_ip 2>&1 | grep "rtt"
done
# DNS consistency check
nslookup target_ip
dig -x target_ip

Operational discipline: Before exploiting any host, cross-reference against: AD computer objects, DNS records, DHCP leases, observed network traffic patterns, and asset inventories (if white/grey box). A host that appears in none of these registries is either a honeypot or a rogue device — both are worth reporting, neither is worth burning access on.


Phase 5

Exploitation

Exploitation comes down to three categories, unchanged since the original framework:

  1. Misconfiguration exploitation — default credentials, missing authentication, excessive privileges, insecure protocols
  2. Credential exploitation — weak passwords, credential reuse, hash cracking, relay attacks
  3. Vulnerability exploitation — unpatched software, zero-days, logic flaws

Exploit Categories

Category | Examples | Modern Context
--- | --- | ---
Server-side | RCE in web servers, SMB, RDP | ProxyShell/ProxyNotShell, Log4Shell, MOVEit, Citrix Bleed, ConnectWise ScreenConnect
Client-side | Browser exploits, malicious docs | HTML smuggling, OneNote/PDF lures, macro-enabled docs (increasingly blocked by default)
Web application | SQLi, XSS, SSRF, IDOR, auth bypass | API-first attacks (BOLA, BFLA), GraphQL injection, JWT manipulation, SSRF to cloud metadata
Local privilege escalation | Kernel exploits, service misconfigs | PrintNightmare, PetitPotam, KrbRelayUp, DirtyPipe, GameOver(lay), misconfigured sudo/SUID
Active Directory | Kerberoasting, AS-REP, DCSync | ADCS abuse (ESC1-ESC13), RBCD, Shadow Credentials, noPac
Cloud | SSRF to metadata, IAM misconfig | IMDSv1 exploitation, over-permissioned IAM roles, public S3/blob storage

Memory Protection Mechanisms

  • ASLR: Randomizes base addresses of executables, libraries, heap, and stack. Bypasses: info leaks, partial overwrites, brute force on 32-bit.
  • DEP/NX: Marks memory regions as non-executable. Bypassed via ROP (Return-Oriented Programming) and variants.
  • Stack Canaries: Random values before return addresses. Bypasses: info leaks, fork-based brute force, non-stack overflows.
  • CFI: Validates indirect calls/jumps target valid function entries. Windows CET, Linux CET — newer and harder to bypass.
  • SafeSEH / SEHOP: Validate SEH chain integrity — they have largely defeated classic SEH overwrite techniques.

Exploitation Tooling — 2026

Tool | Purpose
--- | ---
Metasploit Framework | Exploit framework. Use check before firing. Understand exit functions (thread, process, seh).
Cobalt Strike | Commercial C2. Industry standard for red teams. Malleable C2 profiles for evasion.
Sliver | Open-source C2 by BishopFox. Supports mutual TLS, WireGuard, HTTP(S), DNS C2.
Mythic | Open-source C2 platform. Modular agent architecture, web UI.
NetExec / CrackMapExec | Swiss army knife for AD/SMB/WinRM/LDAP/MSSQL — credential spraying, execution, enumeration.
Impacket | Python protocol toolkit — psexec.py, ntlmrelayx.py, secretsdump.py
BloodHound CE | AD attack path mapping. Visualize paths from compromised accounts to Domain Admin.
Certipy | ADCS abuse — ESC1 through ESC13 attack paths.
Rubeus | Kerberos abuse: Kerberoasting, AS-REP roasting, ticket manipulation, delegation attacks.
Responder | LLMNR/NBT-NS/mDNS poisoning + credential capture. Pair with ntlmrelayx.
Burp Suite Pro | Web application testing. Extensions: ActiveScan++, Autorize, JWT Editor, Param Miner.
Nuclei | Template-based vulnerability scanner. Massive community template library.

Active Directory Attack Path

Initial Access (phishing, cred spray, or exploit)
        │
        ▼
Credential Capture (Responder, Kerberoast, LSASS dump)
        │
        ▼
Lateral Movement (pass-the-hash, WMI, PsExec, WinRM)
        │
        ▼
Privilege Escalation (ACL abuse, ADCS, delegation attacks)
        │
        ▼
Domain Dominance (DCSync, Golden Ticket, Shadow Credentials)

# Kerberoasting
GetUserSPNs.py domain/user:password -dc-ip dc_ip -request -outputfile kerberoast.txt
# AS-REP Roasting
GetNPUsers.py domain/ -dc-ip dc_ip -usersfile users.txt -format hashcat
# ADCS — find vulnerable certificate templates
certipy find -u user@domain.com -p password -dc-ip dc_ip -vulnerable
# Pass-the-Hash
crackmapexec smb target_ip -u admin -H ntlm_hash
# DCSync — extract all domain hashes (requires DA or equivalent)
secretsdump.py domain/da_user:password@dc_ip
# Password spraying (respect lockout policy)
kerbrute passwordspray -d domain.com users.txt 'Spring2026!' --dc dc_ip
# Hashcat cracking
hashcat -m 1000 hashes.txt rockyou.txt    # NTLM
hashcat -m 13100 hashes.txt rockyou.txt   # Kerberoast TGS-REP
hashcat -m 18200 hashes.txt rockyou.txt   # AS-REP
hashcat -m 5600 hashes.txt rockyou.txt    # NTLMv2 (from Responder)

Critical: Never fire an exploit at a production system without understanding what it does. Stick to Metasploit modules rated "Great" or "Excellent." Always use the check command first when available. Never lock out accounts — determine the lockout policy before any credential attacks.


Phase 6

Deliverables

The report is the product. Everything you did is meaningless if the client cannot understand it, act on it, and use it to improve their security posture.

Report Structure

  1. Statement of Confidentiality — NDA/confidentiality agreement reference
  2. Executive Summary — 1-2 pages max. Written for non-technical leadership. Business risk narrative, not vulnerability counts.
  3. Scope and Methodology — what was tested, what was excluded, methodology followed (PTES, OWASP, NIST SP 800-115)
  4. Attack Narrative — chronological story: initial access → lateral movement → privilege escalation → objective achieved
  5. Findings Summary — table of all findings with severity ratings (CVSS v4.0), sorted by risk
  6. Detailed Findings — each finding includes:
    • Title and severity rating
    • Affected asset(s)
    • Technical description
    • Proof of concept (screenshots, sanitized command output)
    • Business impact assessment
    • Remediation recommendation (specific, actionable, prioritized)
    • Reference (CVE, CWE, OWASP category)
  7. Remediation Roadmap — immediate (critical/high), short-term (30 days), medium-term (90 days)
  8. Positive Findings — what the client is doing right. Controls that worked. Defenses that blocked you.
  9. Tools and Techniques Used — mapped to MITRE ATT&CK techniques where applicable
  10. Appendices — raw scan output, full screenshots, evidence, IP/port inventories

Reporting tooling: Maintain a real-time evidence log during the engagement — timestamps, commands, screenshots. Tools: Obsidian, CherryTree, SysReptor, Ghostwriter by SpecterOps. Commercial platforms: PlexTrac, AttackForge.

Map to MITRE ATT&CK

Map your findings and techniques to MITRE ATT&CK. This provides a common language between your report and the client's SOC/IR team and helps them understand which TTPs their controls failed to detect.


Reference

Quick Reference: Frameworks and Standards

Framework | Use
--- | ---
PTES | End-to-end pentest methodology
OWASP Testing Guide v5 | Web application testing methodology
OWASP API Security Top 10 | API-specific vulnerabilities
MITRE ATT&CK | Adversary TTP mapping
NIST SP 800-115 | Technical guide to information security testing
OSSTMM | Open-source security testing methodology
CVSS v4.0 | Vulnerability severity scoring (supersedes v3.1)
CWE | Common Weakness Enumeration — vulnerability classification
