This chapter covers the core penetration testing methodology, which is the structured approach used by professional testers to simulate attacks. Understanding this methodology is critical for the PT0-002 exam because it underpins the entire planning and scoping phase (Objective 1.1) and appears in roughly 10-15% of exam questions. You will learn the standard phases—from pre-engagement through reporting—and how each phase maps to real-world testing activities.
Imagine a team of bank robbers planning a heist. They start with Passive Reconnaissance: casing the bank from across the street, noting guard patrols, camera positions, and safe models using binoculars (like scanning LinkedIn for employee roles or Shodan for exposed services). Next is Active Reconnaissance: they walk past the bank, maybe test a door handle, or pretend to be a customer to ask about vault hours (like port scanning or banner grabbing). Then comes Exploitation: they breach a side door using a copied key (a known vulnerability) or pick the lock (zero-day). Post-Exploitation: inside, they find the vault key in the manager's office (lateral movement, privilege escalation) and crack the safe (data exfiltration). Finally, they cover tracks: wipe the security footage (clear logs) and leave a fake note blaming a rival gang (false flag). Each phase has specific tools and techniques; skipping a step or rushing increases risk. The best teams follow a structured methodology—just like pen testers follow the PTES or NIST SP 800-115—to ensure nothing is missed and the operation is repeatable.
What is a Penetration Testing Methodology?
A penetration testing methodology is a standardized, repeatable process that guides a tester from initial scoping through final reporting. It ensures completeness, consistency, and defensibility of results. The exam expects you to know both the general phases and specific frameworks like PTES (Penetration Testing Execution Standard), OWASP Testing Guide, and NIST SP 800-115. The methodology is not a linear checklist; it involves iterative loops, especially between exploitation and post-exploitation.
Why a Formal Methodology Exists
Without a methodology, tests become ad-hoc, missing critical vulnerabilities or wasting time on irrelevant attacks. A formal methodology provides:

- Defensibility: If a client is hacked after your test, you can show exactly what you did and didn't do.
- Repeatability: Different testers on the same scope will produce comparable results.
- Legal Protection: The signed Rules of Engagement (RoE) are part of the methodology; violating scope can lead to lawsuits.
- Efficiency: Phases prevent jumping to exploitation before proper reconnaissance.
The Standard Phases (PTES)
#### 1. Pre-Engagement Interactions

This is the contractual phase. Activities include:

- Scoping: Define IP ranges, URLs, applications, and exclusions. The client may restrict critical systems.
- Rules of Engagement (RoE): Specify testing times (e.g., 9 PM – 5 AM), allowed techniques (no social engineering), and communication channels.
- Legal Agreement: Signed contract including liability waivers and data handling.
- Kickoff Meeting: Align expectations, share contacts, and confirm scope.

#### 2. Intelligence Gathering (Reconnaissance)

Divided into passive and active:

- Passive Recon: No direct interaction with the target. Sources: WHOIS and DNS records (whois, nslookup), search engines (Google dorking), social media (LinkedIn employees), job postings (tech stack), Shodan (exposed services), and public breach databases.
- Active Recon: Direct interaction. Tools: Nmap (port scanning), Nessus (vulnerability scanning), banner grabbing (Netcat), and service enumeration (enum4linux for SMB).

#### 3. Threat Modeling

Identify assets, threats, and attack vectors. Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) or DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability). This phase prioritizes targets: a web server with a public IP is higher risk than an internal printer.

#### 4. Vulnerability Analysis

Combine automated scanning with manual verification. Tools like Nessus, OpenVAS, or Qualys produce false positives; manual testing confirms. Common vulnerability types:

- Missing patches (e.g., MS17-010 EternalBlue)
- Misconfigurations (default credentials, open SMB shares)
- Weak encryption (SSLv3, RC4)
- Business logic flaws (e.g., changing a price parameter)

#### 5. Exploitation

Gain unauthorized access using discovered vulnerabilities. This phase includes:

- Authentication bypass: SQL injection, password spraying
- Remote code execution: Buffer overflows, deserialization attacks
- Social engineering: Phishing emails to capture credentials
- Physical access: USB drops (BadUSB)

#### 6. Post-Exploitation

After initial access, the tester:

- Maintains access: Install backdoors (Metasploit persistence modules), create admin accounts.
- Lateral movement: Use compromised host to pivot to other systems (Pass-the-Hash, PsExec).
- Privilege escalation: From user to admin (kernel exploits, token manipulation).
- Data exfiltration: Extract sensitive data (e.g., database dumps, files).
- Persistence: Ensure access survives reboots (scheduled tasks, services).

#### 7. Reporting

Deliver a report with:

- Executive Summary: Non-technical overview for management.
- Technical Details: IPs, vulnerabilities, exploitation steps, commands used.
- Risk Ratings: CVSS scores (e.g., 9.8 critical for RCE).
- Remediation Steps: Specific patches, config changes.
- Raw Data: Logs, screenshots, tool outputs.
Key Components and Values
Scope Creep: The biggest risk. If a tester finds a vulnerability outside scope, they must stop and notify the client.
Authorization Letter: Signed document authorizing the test, often with a specific date range.
NDA: Non-disclosure agreement for sensitive data encountered.
Escalation Path: Pre-defined contact for critical findings (e.g., a remote code execution on production).
Testing Window: Often after hours to avoid disruption; some tests are continuous (red team).
Configuration and Verification Commands
While methodology itself isn't configured, tools are. Example Nmap command for active recon:
```
nmap -sV -sC -p- -T4 -oA recon_target 192.168.1.0/24
```

- -sV: Version detection
- -sC: Default scripts
- -p-: All ports
- -T4: Aggressive timing template
- -oA: Output in all formats
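The -oA switch above also writes a greppable .gnmap file, which is the easiest one to turn into an attack-surface map for the threat-modeling step. The following is an added Python example, not code from the page; the sample .gnmap lines, host names and the port-to-check mapping are constructed for illustration.

```python
"""Parse Nmap greppable output (.gnmap, written by -oA/-oG) into an attack-surface map.

Added example, not from the original page. SAMPLE_GNMAP is constructed to resemble
the greppable format; the hosts, services and versions in it are made up.
"""
import re
from collections import defaultdict

# Constructed sample: one "Status" line and one "Ports" line per live host.
# Fields in a port entry are port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -sC -p- -T4 -oA recon_target 192.168.1.0/24
Host: 192.168.1.10 (fs01.corp.example)\tStatus: Up
Host: 192.168.1.10 (fs01.corp.example)\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds//Windows Server 2012 R2 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (65532)
Host: 192.168.1.20 (web01.corp.example)\tStatus: Up
Host: 192.168.1.20 (web01.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/open/tcp//ssl|http//Apache httpd 2.4.41/\tIgnored State: closed (65532)
# Nmap done at ... -- 256 IP addresses (2 hosts up) scanned
"""

# port / state / proto / (owner empty) / service / (rpcinfo empty) / version /
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")

def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and Status-only lines carry no port data
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open":
                hosts[ip].append((int(port), proto, service, version.strip()))
    return dict(hosts)

# Exposures the threat-modeling phase prioritises, paired with the verification a
# tester performs next. This mapping is an assumption for the example, not Nmap's.
PRIORITY_PORTS = {
    445: "SMB exposed: confirm SMBv1 is disabled and MS17-010 is patched",
    3389: "RDP exposed: confirm NLA is enforced and access is limited to trusted networks",
    21: "FTP exposed: check for anonymous login and cleartext credentials",
}

def prioritise(hosts):
    """Return [(ip, port, note)] for high-interest exposures, ordered by host then port."""
    findings = [
        (ip, port, PRIORITY_PORTS[port])
        for ip, ports in hosts.items()
        for port, _proto, _service, _version in ports
        if port in PRIORITY_PORTS
    ]
    return sorted(findings)

if __name__ == "__main__":
    surface = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in surface.items():
        print(ip, [f"{p}/{pr} {s} {v}" for p, pr, s, v in ports])
    for ip, port, note in prioritise(surface):
        print(f"[!] {ip}:{port} {note}")
```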
Verification of methodology steps is done through checklists. Many firms use a Master Test Plan (MTP) that tracks each phase with sign-offs.
Interaction with Related Technologies
SIEM: During a test, the client's SIEM may alert on your scans. The RoE should specify if you must avoid detection (stealth) or allow alerts.
WAF: Web application firewalls may block your SQL injection attempts. You may need to adjust payloads or test from whitelisted IPs.
EDR: Endpoint detection may flag your Metasploit payload. You may need to use custom executables or process injection.
Frameworks Compared
| Framework | Focus | Key Feature |
|-----------|-------|-------------|
| PTES | General pentest | 7 phases, detailed |
| OWASP | Web apps | Top 10, testing guide |
| NIST SP 800-115 | Technical guide | 4 phases: planning, discovery, attack, reporting |
| OSSTMM | Security metrics | RA vs. SA (Remote vs. Physical) |
| ISSAF | Peer-reviewed | 7 domains, detailed checklists |
The exam expects you to know that PTES is the most comprehensive for network pentests, while OWASP is for web applications.
Common Mistakes and Exam Traps
Skipping Pre-Engagement: Many candidates think testing starts with scanning. The exam emphasizes that legal agreements must come first.
Confusing Passive and Active Recon: Passive uses no direct interaction (e.g., whois). Active does (e.g., Nmap).
Threat Modeling vs. Vulnerability Analysis: Threat modeling identifies potential threats; vulnerability analysis finds actual weaknesses.
Post-Exploitation vs. Exfiltration: Post-exploitation includes lateral movement and persistence; exfiltration is just one part.
Reporting Phase: Often rushed in practice, but the exam tests that a good report includes both executive summary and technical details.
Pre-Engagement and Scoping
This initial phase involves meeting with the client to define the scope, rules of engagement, and legal boundaries. The tester must obtain signed authorization, including an NDA and a statement of work. Key deliverables: IP ranges to test (e.g., 10.0.0.0/24), excluded systems (e.g., production database), testing window (e.g., 10 PM – 6 AM), and allowed techniques (e.g., no social engineering). The exam tests that you understand the importance of a clear scope to avoid legal liability. A common mistake is assuming all systems in the network are in scope; the client may have critical systems off-limits.
Intelligence Gathering (Recon)
Recon is divided into passive and active. Passive recon uses public sources: WHOIS, DNS lookups, Google dorking, Shodan, and social media. Active recon involves direct interaction: Nmap port scans, banner grabs, and service enumeration. The goal is to map the attack surface—identify open ports, running services, OS versions, and potential vulnerabilities. For example, a scan might reveal port 445 open (SMB) on a Windows server, suggesting a potential EternalBlue exploit. The exam tests that passive recon must be done first to avoid alerting the target. A trap: candidates may confuse OSINT (passive) with scanning (active).
Threat Modeling & Analysis
In this phase, the tester identifies valuable assets (e.g., customer database, admin credentials) and maps potential attack vectors. Use frameworks like STRIDE to categorize threats. For example, a web application might be vulnerable to SQL injection (tampering) and XSS (information disclosure). The output is a prioritized list of threats based on likelihood and impact. The exam tests that threat modeling happens before vulnerability scanning to focus efforts. A common wrong answer is to skip this phase and go straight to scanning, which wastes time on low-risk issues.
Vulnerability Scanning & Verification
Automated scanners like Nessus or OpenVAS are used to identify known vulnerabilities. However, false positives are common, so manual verification is essential. For example, if a scanner reports a critical Apache Struts vulnerability, the tester must confirm by attempting exploitation or checking the version manually. The exam tests that you know to verify findings before reporting. A trap: candidates may think automated scanning alone is sufficient; the exam emphasizes manual verification to avoid false positives.
Exploitation & Post-Exploitation
Exploitation involves using verified vulnerabilities to gain access. Tools like Metasploit, Burp Suite, or custom scripts are used. For example, exploiting a SQL injection to dump credentials. Post-exploitation includes maintaining access (e.g., installing a backdoor), lateral movement (e.g., Pass-the-Hash), and privilege escalation (e.g., kernel exploit). The goal is to demonstrate the maximum impact. The exam tests that post-exploitation is iterative—each new system may lead to further exploitation. A common mistake is to stop after initial access; the exam expects you to continue until the objective is met (e.g., domain admin).
Reporting & Debrief
The final phase produces a professional report detailing findings, exploitation steps, risk ratings (CVSS), and remediation recommendations. The report must include an executive summary for management and a technical section for IT staff. A debrief meeting presents the findings and answers questions. The exam tests that the report includes both the 'what' (vulnerabilities) and 'how' (exploitation steps) for reproducibility. A trap: candidates may omit the executive summary or fail to provide clear remediation steps—both are required for a complete report.
In a typical enterprise engagement, the methodology begins with a kickoff meeting where the client provides a list of IP ranges and explains that the testing must not disrupt business operations. For example, a financial institution may restrict testing to a non-production environment that mirrors production. The tester documents these constraints in the Rules of Engagement (RoE). During recon, the tester uses Shodan to find exposed RDP ports and then uses Nmap to scan those IPs. They discover a Windows Server 2012 running an outdated version of SMB (v1). Using Metasploit, they exploit MS17-010 (EternalBlue) to gain SYSTEM access. Post-exploitation, they dump hashes and use Pass-the-Hash to access a domain controller. They then install a persistent backdoor via a scheduled task.

The client's SOC may detect the malicious activity; the RoE should have pre-arranged a 'calling card' (e.g., a specific user agent) to distinguish the test from real attacks. A common production issue is when a tester accidentally crashes a service—this is why the RoE includes a 'stop on red' clause: if a critical alert triggers, testing halts immediately.

Another scenario involves a web application pentest for a SaaS provider. The tester uses OWASP ZAP to crawl the application and finds a SQL injection in the login form. They exploit it to extract the user database. The client requests that no data be exfiltrated; the tester must prove impact without actually copying data—by using screenshots or showing that data can be read.

Misconfiguration often occurs when the tester forgets to exclude certain IPs and scans a third-party vendor's system, causing a breach of contract. To avoid this, testers use scope validation scripts that compare scan targets against allowed ranges.
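A scope validation script of the kind just mentioned, as an added Python example that is not the page's own code: it checks each candidate target against the RoE allow-list and exclusions (the values from the Pre-Engagement section) and refuses to run outside the testing window. The RoE dictionary, the excluded host and the preflight gate are constructed assumptions for the example.

```python
"""Scope validation before a scan: targets must sit inside the RoE in-scope ranges,
must not touch an excluded system, and the scan must start inside the testing window.

Added example, not from the original page. ROE values are constructed to mirror the
chapter's sample scope (10.0.0.0/24, an excluded production host, a 10 PM - 6 AM window).
"""
import ipaddress
from datetime import datetime, time

ROE = {
    "in_scope": ["10.0.0.0/24"],
    "excluded": ["10.0.0.50"],            # constructed: the production database host
    "window": (time(22, 0), time(6, 0)),  # 10 PM - 6 AM, crosses midnight
}

def _networks(cidrs):
    """Parse IPs/CIDRs into network objects; a bare IP becomes a /32 (or /128)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def in_window(now, window):
    """True if the wall-clock time is inside the testing window; handles windows that
    cross midnight, i.e. start > end."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def validate_targets(targets, roe):
    """Split candidate targets (IPs or CIDRs) into allowed and rejected lists.

    A target is allowed only if every address in it lies inside an in-scope range and
    none of it overlaps an excluded address. A whole /24 that contains an excluded
    host is rejected so the tester must carve it up rather than hit the exclusion."""
    allowed_nets = _networks(roe["in_scope"])
    excluded_nets = _networks(roe["excluded"])
    allowed, rejected = [], []
    for target in targets:
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            rejected.append((target, "not an IP address or CIDR"))
            continue
        if not any(net.subnet_of(a) for a in allowed_nets if a.version == net.version):
            rejected.append((target, "outside in-scope ranges"))
        elif any(net.overlaps(e) for e in excluded_nets if e.version == net.version):
            rejected.append((target, "overlaps an excluded system"))
        else:
            allowed.append(target)
    return allowed, rejected

def preflight(targets, roe, now):
    """Gate the scan: any out-of-scope target or an out-of-window start aborts the run,
    so a typo in the target list never reaches a third party's system."""
    if not in_window(now, roe["window"]):
        return False, "outside testing window"
    allowed, rejected = validate_targets(targets, roe)
    if rejected:
        return False, "; ".join(f"{t}: {why}" for t, why in rejected)
    return True, allowed

if __name__ == "__main__":
    print(preflight(["10.0.0.10", "10.0.0.0/24", "10.0.1.7"], ROE, datetime.now()))
```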
The PT0-002 exam tests the penetration testing methodology under Objective 1.1 (Planning and Scoping) and also in later objectives as a cross-cutting concept. Specifically, you must know the seven phases of PTES: Pre-Engagement, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post-Exploitation, and Reporting. The exam will present scenarios where you must identify which phase is being described.

Common wrong answers include confusing 'Threat Modeling' with 'Vulnerability Analysis'—threat modeling identifies potential threats, while vulnerability analysis finds actual weaknesses. Another trap is thinking that 'Post-Exploitation' only includes data exfiltration; in reality, it includes lateral movement, privilege escalation, and persistence. The exam loves to test the order: you cannot do exploitation before reconnaissance and vulnerability analysis. A specific value to memorize: the CVSS score range is 0.0 to 10.0, with 9.0-10.0 considered Critical. The exam may ask which phase involves signing the NDA—that's Pre-Engagement.

Edge cases: if a tester finds a vulnerability outside scope, they must stop and inform the client; they cannot exploit it without authorization. Another edge: in a red team engagement, the methodology may skip some phases (e.g., no reporting until the end) but still follows a structured approach.

To eliminate wrong answers, focus on the action: if the question mentions 'scanning IPs,' it's active reconnaissance or vulnerability analysis. If it mentions 'interviewing staff,' it's pre-engagement. For reporting, remember that an executive summary is non-technical and a technical report includes commands and screenshots.
The seven phases of PTES are: Pre-Engagement, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post-Exploitation, and Reporting.
Passive reconnaissance must be performed before active reconnaissance to avoid alerting the target.
Threat modeling identifies potential threats; vulnerability analysis identifies actual vulnerabilities.
Post-exploitation includes lateral movement, privilege escalation, persistence, and data exfiltration.
The reporting phase must include an executive summary and technical details with remediation steps.
CVSS scores range from 0.0 to 10.0; 9.0-10.0 is Critical.
Scope creep is a major risk; testers must not test systems outside the agreed scope.
Rules of Engagement (RoE) define testing times, allowed techniques, and communication channels.
These come up on the exam all the time. Here's how to tell them apart.
PTES (Penetration Testing Execution Standard)
General-purpose methodology for network, web, and mobile.
Seven phases: Pre-Engagement through Reporting.
Includes threat modeling and post-exploitation.
Best for infrastructure and network pentests.
Emphasizes legal and scoping heavily.
OWASP Testing Guide
Focused exclusively on web applications.
Based on OWASP Top 10 vulnerabilities.
Phases: Information Gathering, Configuration Management, Authentication, etc.
Best for web application security testing.
Includes specific testing techniques for each vulnerability class.
Passive Reconnaissance
No direct interaction with target systems.
Uses public sources: WHOIS, Google, Shodan.
Cannot be detected by the target.
Provides initial footprint (IPs, domains, employee names).
Lower risk of triggering alarms.
Active Reconnaissance
Direct interaction: port scans, banner grabs.
Uses tools: Nmap, Nessus, Netcat.
Can be detected by IDS/IPS and logged.
Provides detailed service and OS information.
Higher risk; requires authorization.
Mistake
Penetration testing is just running automated tools.
Correct
While tools are used, a proper pentest involves manual verification, threat modeling, and creativity. Automated scans produce false positives and miss business logic flaws. The methodology emphasizes manual analysis in every phase.
Mistake
The methodology is linear; you complete one phase and move to the next.
Correct
In practice, phases are iterative. For example, during post-exploitation, you may discover a new network segment that requires additional reconnaissance and exploitation. The methodology allows loops.
Mistake
Passive reconnaissance is optional if you have time constraints.
Correct
Passive recon is critical to avoid alerting the target. Skipping it may result in detection before exploitation begins. The exam tests that passive recon must be performed first.
Mistake
Threat modeling is the same as vulnerability scanning.
Correct
Threat modeling identifies potential threats (e.g., 'an attacker could exploit weak authentication') while vulnerability scanning finds actual vulnerabilities (e.g., 'default admin password'). They are distinct phases.
Mistake
The reporting phase only includes a list of vulnerabilities.
Correct
A pentest report must include an executive summary, technical details, risk ratings, and remediation steps. It should also include the methodology used and limitations. The exam tests that reports are comprehensive.
The first step is Pre-Engagement, which includes scoping, rules of engagement, and legal agreements. Without signed authorization, testing is illegal. The exam tests that you know this phase comes before any technical activity.
Passive reconnaissance gathers information without directly interacting with the target, such as using WHOIS or social media. Active reconnaissance involves direct interaction, like port scanning. Passive recon is done first to avoid detection.
Threat Modeling. STRIDE helps categorize threats (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). This phase identifies potential attack vectors.
A pentest report should include an executive summary (non-technical), technical details (vulnerabilities, exploitation steps, commands), risk ratings (CVSS), and remediation recommendations. It must be clear and actionable.
No. If a tester discovers a vulnerability outside the agreed scope, they must stop and inform the client. Exploiting it without authorization is illegal and violates the rules of engagement.
Post-exploitation aims to demonstrate the full impact of a breach. It includes maintaining access, lateral movement, privilege escalation, and data exfiltration. It shows how far an attacker could go after initial access.
OWASP is specifically for web applications and focuses on the OWASP Top 10 vulnerabilities. PTES is a general methodology for all types of pentests (network, web, mobile). OWASP has phases like Information Gathering and Authentication Testing, while PTES includes Pre-Engagement and Threat Modeling.