// notes/ Report & Methodology
🧠

Pentest Methodology

The end-to-end mental model — how to approach any engagement.

#methodology#process
source · airouboss/oscp-prep-notes-2026 · methodology/pentest-methodology.md

Pentest Methodology

Phase 1: Reconnaissance & Enumeration

code
01nmap -sC -sV -oN nmap/initial TARGET
02nmap -p- --min-rate 5000 -oN nmap/allports TARGET
03nmap -sU --top-ports 200 -oN nmap/udp TARGET
  • Identify all open ports and services
  • Enumerate each service (see Enumeration checklist)
  • Add discovered hostnames to /etc/hosts
  • Note OS version, domain name, usernames

Key outputs: Service list, usernames, hostnames, potential attack surface


Phase 2: Initial Access

  • Check for default/weak credentials on all services
  • Test web apps for SQLi, LFI, RCE, file upload
  • Search searchsploit for service version exploits
  • Spray found credentials across all services
  • See Initial-Access checklist

Key outputs: Low-privilege shell or valid credentials


Phase 3: Post-Exploitation (Stabilize & Loot)

  • Stabilize shell (full TTY / proper connection)
  • Grab proof flags
  • Enumerate local system:
    • Users, groups, privileges
    • Network interfaces, routes, ARP
    • Running services, listening ports
    • Installed software
  • Harvest credentials (see Credential-Chains)
  • See Post-Exploitation checklist

Key outputs: Credentials, network topology, privilege escalation vectors


Phase 4: Privilege Escalation

  • Run automated enumeration (winPEAS/linpeas)
  • Check for quick wins first:
    • Windows: SeImpersonate, saved creds, service misconfigs
    • Linux: sudo -l, SUID, writable cron scripts
  • Work through Privesc-Checklist
  • Reference Windows-Chains or Linux-Chains for exploitation steps

Key outputs: Root/SYSTEM access, more credentials


Phase 5: Lateral Movement (Network)

  • Test all harvested creds on all known hosts
  • Set up pivoting tunnel (see Pivoting-Chains)
  • Scan internal networks discovered from dual-homed hosts
  • Repeat Phase 1-4 on each new host

Key outputs: Access to additional hosts, broader network access


Phase 6: Domain Compromise (AD)

  • Follow AD-Checklist from current position
  • BloodHound → find shortest path to DA
  • Common escalation paths:
    1. Kerberoast → crack → lateral move
    2. ACL abuse (GenericWrite, ForceChangePassword, WriteDACL)
    3. ADCS certificate abuse
    4. Delegation abuse
    5. MSSQL impersonation chain
  • DCSync once you have the rights
  • See AD-Chains for specific attack commands

Key outputs: Domain Admin, all domain hashes


Workflow Summary

code
01Recon/Enum ──→ Initial Access ──→ Post-Exploit ──→ Privesc
02 │ │
03 ▼ ▼
04 Loot Creds ──→ Lateral Movement
05
06
07 Domain Compromise

At every stage: harvest creds → test everywhere → repeat