Information Security
Penetration Testing Methodology
APT29 (Cozy Bear) spent 9 months conducting reconnaissance before the SolarWinds Orion build server was compromised in 2019. The attackers identified the build pipeline as the highest-leverage target: one backdoor in the build process propagated SUNBURST malware to 18,000 customer organizations. The methodology was the same as a professional pentest - recon, scan, exploit, persist - except without authorization and with far more patience than most engagements allow.
- **SolarWinds 2020**: APT29 used months of passive recon to identify the build pipeline as a single point of failure. Methodical reconnaissance determined the attack's 18,000-organization blast radius.
- **Google Project Zero**: structured exploitation methodology with 90-day disclosure policy. Found 376 zero-days across 2022-2023 with documented minimum-impact PoCs and remediation guidance.
- **Stripe Bug Bounty**: researchers follow structured pentest methodology - recon via public docs, scan via API fuzzing, exploit with minimum data exposure. Reports must include exact reproduction steps and environment details to qualify for rewards.
Reconnaissance: Passive and Active
Reconnaissance gathers intelligence about the target before any direct interaction. Passive recon uses public sources (OSINT) without touching target infrastructure: DNS records via crt.sh, LinkedIn employee enumeration, GitHub leaked credentials, Shodan-indexed services. Active recon sends packets to target systems: DNS zone transfer, subdomain brute-force with subfinder or amass.
APT29 (Cozy Bear) spent 9 months in reconnaissance before the SolarWinds build server compromise was detected. The recon phase identified the build pipeline as the highest-leverage target - one compromise propagated malicious updates to 18,000 customers. Patient, thorough recon determines the quality of subsequent attack phases.
Why does passive reconnaissance precede active scanning in a professional pentest?
Scanning: Service Enumeration and Vulnerability Discovery
Scanning systematically identifies open ports, service versions, and known vulnerabilities. nmap performs host discovery and port scanning; nikto targets web applications for misconfigurations; nuclei runs template-based checks against thousands of CVEs. Scanning should be scoped strictly to authorized IP ranges.
Scanning without written authorization is illegal in most jurisdictions regardless of intent. Even scanning IP ranges adjacent to an authorized target can violate the Computer Fraud and Abuse Act (CFAA) or equivalent laws. Always verify the exact scope in the Statement of Work before running any scans.
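A scope gate is the cheapest way to make the "verify the exact scope before running any scans" rule mechanical rather than a matter of memory. The following Python is an added example, not code from the original page: it parses a constructed stand-in for the Statement of Work's scope appendix (the CIDR values, comment syntax and the `!` exclusion marker are assumptions of this example, not a standard format) and splits candidate targets into authorized and rejected lists before a single packet is sent. The rejected list deliberately includes an address one host past the end of an authorized /26, the "adjacent range" case the paragraph warns about.

```python
"""Scope gate for a scanning run: every target must fall inside the IP ranges
authorized in the Statement of Work, and never inside an explicit exclusion.

Added example, not part of the original page. The scope text below is
constructed sample data; real engagements take it verbatim from the signed SoW.
"""
import ipaddress
from typing import Iterable

# Constructed stand-in for the scope appendix of a Statement of Work.
# '#' starts a comment, '!' marks an exclusion, bare addresses are /32 hosts.
SOW_SCOPE_TEXT = """
# In scope
203.0.113.0/26
198.51.100.40
# Out of scope (explicit exclusions win over in-scope ranges)
!203.0.113.10
"""


def parse_scope(text: str):
    """Return (allowed, excluded) lists of ip_network objects.

    Malformed lines raise ValueError so a typo in the scope file stops the
    run instead of silently widening or narrowing it.
    """
    allowed, excluded = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            excluded.append(ipaddress.ip_network(line[1:].strip(), strict=False))
        else:
            allowed.append(ipaddress.ip_network(line, strict=False))
    return allowed, excluded


def in_scope(target: str, allowed, excluded) -> bool:
    """True only if target is inside some allowed range and in no excluded range."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in allowed)


def filter_targets(targets: Iterable[str], scope_text: str = SOW_SCOPE_TEXT):
    """Split candidate targets into (authorized, rejected) before any packet is sent."""
    allowed, excluded = parse_scope(scope_text)
    authorized, rejected = [], []
    for t in targets:
        (authorized if in_scope(t, allowed, excluded) else rejected).append(t)
    return authorized, rejected


if __name__ == "__main__":
    # 203.0.113.70 sits just past the /26 (which ends at .63): the "adjacent
    # server" case. 203.0.113.10 is inside the /26 but explicitly excluded.
    candidates = ["203.0.113.5", "203.0.113.10", "203.0.113.70", "198.51.100.40"]
    ok, bad = filter_targets(candidates)
    print("authorized:", ok)
    print("rejected:  ", bad)
```

Feed the authorized list, and only that list, to the scanner; the rejected list is worth keeping in the engagement notes, because a target the client expected to be covered but that fell outside the written scope is a scoping conversation to have before the test, not after.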
What does `nmap -sS` do differently from `nmap -sT`?
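From the defender's side, the relevant difference between a half-open scan and a full-connect scan is where it shows up: a SYN that is never followed by a completed handshake never reaches the listening service, so application accept logs stay empty, while network-layer flow telemetry records it either way. The following Python is an added example, not from the original page: it runs a simple distinct-ports-per-source detector over constructed flow records (the field layout and the `syn_only`/`established`/`rst` state names are assumptions of this example, not any particular sensor's schema) and contrasts what flow telemetry flags with what an application log would have seen.

```python
"""Port-scan detector over network flow records.

Added example, not from the original page. The flow lines below are
constructed: a half-open sweep from 203.0.113.9 that never completes a TCP
handshake, a full-connect sweep from 203.0.113.22, and ordinary traffic from
198.51.100.7. Field names are assumptions, not a specific sensor's schema.
"""
from collections import defaultdict

# Constructed flow log: ts (epoch seconds), src, dst, dport, tcp_state.
# tcp_state is "syn_only" (SYN seen, handshake never finished),
# "established" (full 3-way handshake) or "rst" (responder refused).
FLOW_LOG = """\
1700000000,203.0.113.9,198.51.100.40,22,syn_only
1700000000,203.0.113.9,198.51.100.40,80,syn_only
1700000001,203.0.113.9,198.51.100.40,443,syn_only
1700000001,203.0.113.9,198.51.100.40,3306,rst
1700000002,203.0.113.9,198.51.100.40,8080,rst
1700000002,203.0.113.9,198.51.100.40,8443,syn_only
1700000010,203.0.113.22,198.51.100.40,22,established
1700000010,203.0.113.22,198.51.100.40,80,established
1700000011,203.0.113.22,198.51.100.40,443,established
1700000011,203.0.113.22,198.51.100.40,3306,rst
1700000012,203.0.113.22,198.51.100.40,8080,rst
1700000012,203.0.113.22,198.51.100.40,8443,established
1700000100,198.51.100.7,198.51.100.40,443,established
1700000160,198.51.100.7,198.51.100.40,443,established
"""


def parse_flows(text):
    """Turn the CSV-style flow log into (ts, src, dst, dport, state) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, state = line.split(",")
        flows.append((int(ts), src, dst, int(dport), state))
    return flows


def scanners(flows, window=60, min_ports=5):
    """Return {src: distinct (dst, port) pairs probed} for sources that touched
    at least min_ports distinct pairs within any `window`-second span.

    The handshake state is deliberately ignored: a SYN that is never completed
    is still a flow record at the network layer.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport, _state in flows:
        by_src[src].append((ts, (dst, dport)))
    found = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide the window
                lo += 1
            distinct = {pair for _, pair in events[lo:hi + 1]}
            if len(distinct) >= min_ports:
                found[src] = max(len(distinct), found.get(src, 0))
    return found


def visible_in_app_logs(flows):
    """Sources an application-level accept log would record: only flows that
    completed the handshake ever reach the listening service."""
    return sorted({src for _, src, _, _, state in flows if state == "established"})


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("flagged by flow telemetry:", scanners(flows))
    print("seen by application logs: ", visible_in_app_logs(flows))
```

Both sweeps are flagged by the flow-based detector, but only the full-connect source appears in the application-log view; the half-open sweep is invisible there. The thresholds (`window`, `min_ports`) are tuning knobs, not fixed values, and a real deployment would baseline them per network segment.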
Exploitation: Minimum-Impact Approach
Exploitation demonstrates impact without causing damage. The professional standard is minimum viable exploitation: confirm the vulnerability exists and document the impact, then stop. Avoid destructive payloads, data exfiltration beyond proof-of-concept, and lateral movement outside the authorized scope.
The PTES (Penetration Testing Execution Standard) and OWASP Testing Guide both emphasize documentation of exploitation evidence at each step. Courts and insurance companies require a chain of evidence showing scope compliance. Screenshots, timestamps, and packet captures form the audit trail.
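An audit trail is only useful if it can be shown not to have been edited after the fact. The following Python is an added example and is not code from the original page, PTES or the OWASP Testing Guide: it keeps a hash-chained log of evidence artifacts (a screenshot, a packet capture, command output), recording for each one a timestamp, the target it was collected against and the SHA-256 of the artifact bytes, with every entry bound to the one before it so that altering or deleting an entry breaks verification. The artifact bytes, targets and timestamps are constructed placeholders.

```python
"""Tamper-evident evidence log for exploitation steps.

Added example, not part of the original page or of PTES/OWASP. Each entry
binds an artifact's SHA-256 to a timestamp, a target and the previous entry's
hash, so a later edit or deletion anywhere in the chain is detectable.
The artifact bytes below are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone


class EvidenceLog:
    def __init__(self):
        self.entries = []

    def record(self, step, target, artifact_name, artifact_bytes, when=None):
        """Append one entry and return its hash. `when` is injectable so runs are
        reproducible; production use takes the UTC wall clock."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "timestamp": when,
            "step": step,
            "target": target,
            "artifact": artifact_name,
            "artifact_sha256": hashlib.sha256(artifact_bytes).hexdigest(),
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    @staticmethod
    def _hash_entry(entry):
        # Hash a canonical JSON form of every field except entry_hash itself.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()

    def verify(self):
        """Return (ok, first_bad_seq). Recomputes every hash and checks the chain."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False, i
            if self._hash_entry(entry) != entry["entry_hash"]:
                return False, i
            prev = entry["entry_hash"]
        return True, None


def demo():
    """Record two constructed artifacts, then show that rewriting the target on
    the second entry after the fact is caught by verify()."""
    log = EvidenceLog()
    log.record("scan", "203.0.113.5", "nmap-203.0.113.5.txt",
               b"constructed scan output", when="2024-05-01T09:00:00+00:00")
    log.record("poc", "203.0.113.5", "rce-whoami.png",
               b"constructed screenshot bytes", when="2024-05-01T09:42:10+00:00")
    ok_before, _ = log.verify()
    log.entries[1]["target"] = "203.0.113.70"   # simulated after-the-fact edit
    ok_after, bad_seq = log.verify()
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

Storing the artifact hashes rather than the artifacts keeps the log small and lets it be handed to the client alongside the files; anyone holding both can recompute the chain. Timestamping the head hash with an external service, or simply emailing it to the client at the end of each testing day, pins the chain to a point in time.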
During a pentest, a tester finds a remote code execution vulnerability. What is the correct next step?
Reporting: Executive Summary and Technical Findings
A pentest report serves two audiences: executives need to understand business risk without technical detail; engineers need precise reproduction steps and remediation guidance. The report structure: executive summary (1-2 pages), risk rating summary, detailed findings with CVSS scores, reproduction steps, and remediation recommendations.
CVSS (Common Vulnerability Scoring System) provides a standardized 0-10 severity score. CVSS Base Score measures inherent severity; CVSS Environmental Score adjusts for the specific deployment context. A critical CVSS 10.0 vulnerability on an isolated test server may have lower organizational risk than a CVSS 6.0 finding on a public payment endpoint.
Why does a professional pentest report include an executive summary alongside technical findings?
Summary
- **Recon phases**: passive (crt.sh, Shodan, GitHub - no target contact) before active (subfinder, nmap - direct target interaction). Patient recon determines attack quality.
- **Scanning** identifies open services and known CVEs. `nmap -sS` avoids completing TCP handshakes, reducing log footprint. Always verify scope before scanning.
- **Minimum viable exploitation**: demonstrate impact with benign payloads (whoami, ping callback). No exfiltration, no persistence, no lateral movement beyond scope.
- **Reporting** serves two audiences: executive summary (business risk) and technical findings (CVSS, reproduction steps, remediation). CVSS Environmental Score adjusts for deployment context.
Related Topics
Penetration testing methodology connects to both specific vulnerabilities and operational security:
- SQL Injection — SQLi is a primary exploitation target during web application assessments; sqlmap automates detection and PoC generation within scope.
- Tools: Nmap, Burp, Metasploit — Practical tool usage for each pentest phase: nmap for scanning, Burp for web exploitation, Metasploit for network exploitation.
- Red Team vs Blue Team — Pentest methodology is the foundation of red team operations; blue team uses pentest reports to prioritize defensive improvements.
Questions for Reflection
- A scan reveals an unpatched Log4Shell on an out-of-scope server adjacent to your target. What do you do?
- Why does passive recon using Shodan not require authorization when scanning the target directly does?
- How does CVSS Environmental Score change the remediation priority of a finding compared to the base score alone?