// notes/ Report & Methodology
🧠
Pentest Methodology
The end-to-end mental model — how to approach any engagement.
#methodology#process
source · airouboss/oscp-prep-notes-2026 · methodology/pentest-methodology.md ↗Pentest Methodology
Phase 1: Reconnaissance & Enumeration
code
01nmap -sC -sV -oN nmap/initial TARGET02nmap -p- --min-rate 5000 -oN nmap/allports TARGET03nmap -sU --top-ports 200 -oN nmap/udp TARGET- Identify all open ports and services
- Enumerate each service (see
Enumerationchecklist) - Add discovered hostnames to
/etc/hosts - Note OS version, domain name, usernames
Key outputs: Service list, usernames, hostnames, potential attack surface
Phase 2: Initial Access
- Check for default/weak credentials on all services
- Test web apps for SQLi, LFI, RCE, file upload
- Search
searchsploitfor service version exploits - Spray found credentials across all services
- See
Initial-Accesschecklist
Key outputs: Low-privilege shell or valid credentials
Phase 3: Post-Exploitation (Stabilize & Loot)
- Stabilize shell (full TTY / proper connection)
- Grab proof flags
- Enumerate local system:
- Users, groups, privileges
- Network interfaces, routes, ARP
- Running services, listening ports
- Installed software
- Harvest credentials (see
Credential-Chains) - See
Post-Exploitationchecklist
Key outputs: Credentials, network topology, privilege escalation vectors
Phase 4: Privilege Escalation
- Run automated enumeration (winPEAS/linpeas)
- Check for quick wins first:
- Windows: SeImpersonate, saved creds, service misconfigs
- Linux: sudo -l, SUID, writable cron scripts
- Work through
Privesc-Checklist - Reference
Windows-ChainsorLinux-Chainsfor exploitation steps
Key outputs: Root/SYSTEM access, more credentials
Phase 5: Lateral Movement (Network)
- Test all harvested creds on all known hosts
- Set up pivoting tunnel (see
Pivoting-Chains) - Scan internal networks discovered from dual-homed hosts
- Repeat Phase 1-4 on each new host
Key outputs: Access to additional hosts, broader network access
Phase 6: Domain Compromise (AD)
- Follow
AD-Checklistfrom current position - BloodHound → find shortest path to DA
- Common escalation paths:
- Kerberoast → crack → lateral move
- ACL abuse (GenericWrite, ForceChangePassword, WriteDACL)
- ADCS certificate abuse
- Delegation abuse
- MSSQL impersonation chain
- DCSync once you have the rights
- See
AD-Chainsfor specific attack commands
Key outputs: Domain Admin, all domain hashes
Workflow Summary
code
01Recon/Enum ──→ Initial Access ──→ Post-Exploit ──→ Privesc02 │ │03 ▼ ▼04 Loot Creds ──→ Lateral Movement05 │06 ▼07 Domain CompromiseAt every stage: harvest creds → test everywhere → repeat