Lesson Notes

Pentesting Methodology

Module 6: Ethical Hacking Phases. Crypto in recon (cipher suite enum).

Module 6: Pentesting Methodology — Comprehensive Theory Guide

A penetration test must follow a clear methodology so that testing is repeatable, stays within scope, and is legally and contractually authorized. Ad hoc probing without structure leads to missed findings, scope creep, or legal exposure. The common phases are Reconnaissance, Scanning, Gaining Access, Maintaining Access (and Pivoting, if in scope), Post-Exploitation, and Reporting. This lesson explains each phase and shows where cryptography assessment fits: during reconnaissance and scanning you enumerate the TLS versions and cipher suites each service offers (e.g. nmap --script ssl-enum-ciphers, testssl.sh) so that weak crypto is identified before application or exploit work begins. Test only targets for which you hold explicit written authorization, and keep that authorization (scope, dates, contacts) with the engagement records.

Reconnaissance: Information Gathering

Reconnaissance is the phase where you gather information about the target before attacking it. Sources include public DNS (subdomains, MX/TXT records), search engines, job postings (technologies in use), social media, Certificate Transparency logs (a certificate's subject alternative names often reveal hostnames), and data the target's own servers hand out (TLS certificates, HTTP response headers, service banners). The goal is a picture of the organization's internet-facing technology footprint, which decides what you scan and test next. Passive recon (third-party sources only, no traffic to the target) carries little risk; anything that touches the target, including fetching its certificate or a port scan, is active recon and must be inside the authorized scope. Document everything: it feeds the report and every later phase.

Scanning: Ports, Services, and Vulnerabilities

Scanning turns the target list into a map of open ports, services, and versions. Use Nmap for port discovery (SYN scan with -sS, or a connect scan with -sT where raw sockets are unavailable) and version detection (-sV). Run vulnerability scanners (e.g. Nessus, OpenVAS) if they are in scope. For web applications, use Nikto and Dirb for automated discovery and map the application manually in Burp. Crypto assessment belongs here: for every HTTPS or TLS-wrapped service (443, 8443, 636 for LDAPS, 993/995 for IMAPS/POP3S, and any port that -sV reports as ssl/...), run nmap --script ssl-enum-ciphers -p <port> or testssl.sh to list the supported protocol versions and cipher suites. ssl-enum-ciphers grades each suite A to F and reports a "least strength" per service, which is a quick sort key across hosts. Flag SSLv2/SSLv3, TLS 1.0/1.1, and weak suites: NULL (no encryption), export-grade, anonymous key exchange (no server authentication), RC4, and DES/3DES (64-bit block, SWEET32). Also note certificate problems the same scans surface (expired, self-signed, SHA-1 signed, RSA keys under 2048 bits). Record open ports, versions, and weak crypto with the exact suite names; this drives prioritization for the next phase.
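An added example, written for these notes rather than taken from Nmap or testssl.sh: a Python script that parses ssl-enum-ciphers text output and turns it into severity-ranked findings with the exact suite names as evidence, which is the form the report needs. The scan text embedded in it is constructed to mimic the script's output format, and the policy tables (which protocols and suite-name patterns count as weak, and at what severity) are assumptions to adjust per engagement, not Nmap's own grading.

```python
"""Triage Nmap ssl-enum-ciphers output into report-ready crypto findings.
Added example for these notes, not code from Nmap or testssl.sh. SAMPLE_SCAN is
constructed by hand in the shape the NSE script prints; the policy tables below
are an assumed triage policy for this example, not Nmap's grading."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: one host still offering TLS 1.0 with RC4 and 3DES beside TLS 1.2.
SAMPLE_SCAN = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: C
"""

# Assumed policy: protocols to flag with a severity, and (pattern over the IANA
# suite name, finding title, severity) rules for weak suites; first match wins.
DEPRECATED_PROTOCOLS = {"SSLv2": "High", "SSLv3": "High", "TLSv1.0": "Medium", "TLSv1.1": "Medium"}
WEAK_CIPHER_RULES = [
    (re.compile(r"_NULL_"), "NULL cipher suites (no encryption)", "High"),
    (re.compile(r"_anon_", re.IGNORECASE), "Anonymous key exchange (no server authentication)", "High"),
    (re.compile(r"EXPORT"), "Export-grade cipher suites", "High"),
    (re.compile(r"_RC4_"), "RC4 cipher suites (RFC 7465)", "Medium"),
    (re.compile(r"_3?DES_"), "DES/3DES cipher suites (64-bit block, SWEET32)", "Medium"),
]
SEVERITY_ORDER = ["High", "Medium", "Low"]
PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3]):$")
CIPHER_RE = re.compile(r"^(?P<name>(?:TLS|SSL)_[A-Za-z0-9_]+)(?:\s+\([^)]*\))?\s+-\s+(?P<grade>[A-F])$")


@dataclass
class Finding:
    title: str
    severity: str
    evidence: list[str]  # exact suite names, so the client can verify the fix with the same scan
    remediation: str


def parse_ssl_enum_ciphers(text: str) -> dict[str, list[tuple[str, str]]]:
    """Return {protocol: [(cipher_suite, nmap_grade), ...]} from the script's text output."""
    protocols: dict[str, list[tuple[str, str]]] = {}
    current, in_ciphers = None, False
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # strip the NSE "|   " / "|_  " margin
        if m := PROTO_RE.match(line):
            current, in_ciphers = m.group(1), False
            protocols.setdefault(current, [])
        elif line.endswith(":"):  # ciphers:, compressors:, warnings:, ...
            in_ciphers = line == "ciphers:"
        elif in_ciphers and current and (m := CIPHER_RE.match(line)):
            protocols[current].append((m.group("name"), m.group("grade")))
    return protocols


def triage(protocols: dict[str, list[tuple[str, str]]]) -> list[Finding]:
    """Apply the policy tables: one finding per deprecated protocol, one per weak suite family."""
    findings: list[Finding] = []
    for proto, ciphers in protocols.items():
        if severity := DEPRECATED_PROTOCOLS.get(proto):
            findings.append(Finding(
                title=f"Deprecated protocol {proto} enabled",
                severity=severity,
                evidence=[f"{proto}: {name} (grade {grade})" for name, grade in ciphers],
                remediation=f"Disable {proto}; offer TLS 1.2 and TLS 1.3 only.",
            ))
    by_rule: dict[tuple[str, str], list[str]] = {}
    for proto, ciphers in protocols.items():
        for name, grade in ciphers:
            for pattern, title, severity in WEAK_CIPHER_RULES:
                if pattern.search(name):
                    by_rule.setdefault((title, severity), []).append(f"{name} via {proto} (grade {grade})")
                    break
    for (title, severity), evidence in by_rule.items():
        findings.append(Finding(title, severity, evidence, "Remove these suites from the server "
                                "cipher list; prefer ECDHE key exchange with AES-GCM or ChaCha20-Poly1305."))
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f.severity))  # stable: keeps discovery order
    return findings


def format_findings(findings: list[Finding]) -> str:
    """Render the evidence/remediation block that goes into the findings section of the report."""
    out = []
    for f in findings:
        out.append(f"[{f.severity}] {f.title}")
        out.extend(f"    - {e}" for e in f.evidence)
        out.append(f"    Remediation: {f.remediation}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_findings(triage(parse_ssl_enum_ciphers(SAMPLE_SCAN))))
```

To use it on a real engagement, save the normal Nmap output (-oN) of a scan run with --script ssl-enum-ciphers and pass the file contents to parse_ssl_enum_ciphers instead of SAMPLE_SCAN; the parser only keys on the protocol headers and the "ciphers:" block, so extra sections such as warnings or compressors are ignored. Keep the raw scan file as the appendix evidence and let the script produce the findings text. Requires Python 3.8 or later.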

Gaining Access, Maintaining Access, and Post-Exploitation

Gaining Access: exploit the vulnerabilities identified during scanning (a known CVE for a service version, SQL injection, a misconfiguration) using Metasploit, custom exploits, or manual techniques, always within scope. Weak TLS is usually reported rather than exploited: downgrading or breaking a session requires a man-in-the-middle position, and the enumeration output already proves the exposure. Maintaining Access: if the scope includes persistence or pivoting, establish it (an encrypted C2 channel, an SSH tunnel, additional credentials) and record exactly what was installed and where. Post-Exploitation: document what was accessed and which data or systems were at risk, and collect evidence (screenshots, hashes, configs) for the report. Clean up: remove shells, backdoors, and test accounts unless the client explicitly asks to retain them, and list anything retained in the report. Every action must be documented and within the agreed scope.

Reporting and the Role of Crypto Findings

The report should contain an executive summary, scope, methodology, findings (each with severity, evidence, and remediation), and appendices (e.g. raw scan output). Crypto findings (deprecated protocols, weak cipher suites) are typically medium severity, rising to high when the service offers NULL, export-grade, or anonymous suites or SSLv2/SSLv3, because those allow passive decryption or downgrade and MITM rather than merely weakening the session. Remediation is a configuration change: disable the weak protocols and suites on the server, since patching alone does not remove them. Include the exact cipher-suite names and the Nmap or testssl output so the client can verify the fix with the same tool. A clear methodology and thorough reporting make the test defensible and valuable. Next: exploitation with Metasploit, including its SSL/TLS-related modules.

Key Takeaway for Lesson 21

Follow the methodology: recon → scanning (including TLS version and cipher suite enumeration) → gain access → maintain access (if in scope) → post-exploitation → report. Include crypto assessment in the recon and scanning phases and document every weak TLS configuration, with exact cipher names, in the report. Test only authorized targets. Next: Metasploit and SSL/TLS-related exploitation.