Methodology & Mindset
# The Pentest Mindset
# Core Principles
- Enumeration is everything. You cannot exploit what you haven't discovered. Most failures come from insufficient enumeration, not lack of exploit knowledge. When stuck, go back and enumerate more.
- Think in attack chains, not isolated exploits. A low-severity information disclosure + a misconfiguration + a default credential = domain admin. Individual findings may be low-risk; chains are what matter.
- Be methodically thorough. Check every service. Every port. Every parameter. Every HTTP header. Every SMB share. The vulnerability isn't where you're looking — it's in the one place you didn't check.
- Understand before you exploit. Know WHY an exploit works, not just that it does. Understanding the underlying vulnerability lets you adapt when the public PoC doesn't work on your target.
- Document as you go. You will not remember everything. Screenshot, timestamp, and note every finding, every command that worked, and every command that didn't.
# Approaching an Unknown Target
# External Penetration Test
Phase 0: Scope clarification
- What IPs/ranges? What domains? What's off-limits?
- Is social engineering authorized? Physical? Credentialed scan?
- Hours of testing? Contact for critical findings?
Phase 1: Passive reconnaissance
- WHOIS, DNS records, certificate transparency logs
- Subdomain enumeration (crt.sh, subfinder, amass)
- OSINT: job postings (tech stack leaks), public repos, social media
- Shodan/Censys for exposed services
- Google dorking: site:target.com filetype:pdf
Phase 2: Active reconnaissance
- Full TCP port scan on ALL in-scope IPs
- UDP scan on common ports (53, 161, 500, 4500)
- Service version detection on discovered ports
- Web server discovery, VHOST enumeration
- SSL/TLS certificate analysis for additional hostnames
Phase 3: Vulnerability identification
- Service version → CVE lookup (searchsploit, Google)
- Web application testing (manual + automated)
- Default credential testing
- Misconfiguration checks (exposed admin panels, verbose errors)
Phase 4: Exploitation
- Exploit identified vulnerabilities
- Chain low-severity findings into higher impact
- Document failed exploitation attempts (they go in the report too)
Phase 5: Post-exploitation
- Determine value of compromised system
- Check for sensitive data
- Attempt privilege escalation
- Map internal network reachability
Phase 6: Reporting
- Executive summary (business risk, not technical detail)
- Technical findings with CVSS, evidence, and remediation
- Attack narrative showing chained vulnerabilities
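The Phase 0 scope questions (which IPs, which domains, what is off-limits) are worth encoding rather than remembering, so that every target is checked before any scanner sees it. The Python below is an added example, not code from the original page; it assumes the rules of engagement are expressed as CIDRs and domains, treats exclusions as always winning over inclusions, and uses constructed documentation addresses and names.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Scope:
    """Authorised targets as agreed in Phase 0 (rules of engagement)."""
    cidrs: List[str]                                          # in-scope networks, e.g. "203.0.113.0/24"
    domains: List[str]                                        # in-scope domains; subdomains count as in scope
    excluded_cidrs: List[str] = field(default_factory=list)   # off-limits hosts or ranges
    excluded_hosts: List[str] = field(default_factory=list)   # off-limits hostnames (exact match)

    @staticmethod
    def _nets(items):
        return [ipaddress.ip_network(c, strict=False) for c in items]

    def ip_in_scope(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self._nets(self.excluded_cidrs)):
            return False                                      # an exclusion always wins
        return any(addr in n for n in self._nets(self.cidrs))

    def host_in_scope(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        if host in {h.lower() for h in self.excluded_hosts}:
            return False
        return any(host == d.lower() or host.endswith("." + d.lower())
                   for d in self.domains)

    def check(self, target: str) -> bool:
        """Accept an IP or a hostname; anything that is not an IP is treated as a hostname."""
        try:
            ipaddress.ip_address(target)
        except ValueError:
            return self.host_in_scope(target)
        return self.ip_in_scope(target)


def filter_targets(scope: Scope, targets: List[str]) -> Tuple[List[str], List[str]]:
    """Split a candidate list into (authorised, rejected) before any scan is launched."""
    authorised, rejected = [], []
    for t in targets:
        (authorised if scope.check(t) else rejected).append(t)
    return authorised, rejected


# Constructed sample scope using documentation ranges and names, not a real engagement.
SAMPLE_SCOPE = Scope(cidrs=["203.0.113.0/24"], domains=["example.com"],
                     excluded_cidrs=["203.0.113.7/32"], excluded_hosts=["hr.example.com"])
```

Run `filter_targets(SAMPLE_SCOPE, candidates)` over the host list produced by reconnaissance; everything in the rejected list needs a scope conversation with the client before it is touched.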
# Internal Penetration Test / Assume-Breach
Phase 0: Credentialed vs non-credentialed start
- Do you start with user credentials? What level?
- Network access: which VLAN/subnet?
Phase 1: Network discovery
- ARP scan, ping sweep, Responder passive analysis
- Identify domain controllers, file servers, database servers
- Map the network topology
Phase 2: AD enumeration
- BloodHound data collection
- LDAP enumeration (users, groups, computers, trusts)
- SMB share enumeration across all hosts
- Kerberoastable / AS-REP-roastable user identification
- ADCS enumeration
- Identify attack paths to high-value targets
Phase 3: Credential acquisition
- LLMNR/NBT-NS/mDNS poisoning (Responder)
- Password spraying
- Kerberoasting / AS-REP roasting
- Credential hunting on accessible shares and systems
Phase 4: Lateral movement
- Follow BloodHound attack paths
- Use acquired credentials to move to new systems
- Repeat enumeration from each new context
Phase 5: Domain dominance
- Target domain admin or equivalent
- DCSync, Golden Ticket, or similar
- Demonstrate business impact without causing damage
Phase 6: Reporting
- Attack path visualization (BloodHound graph)
- Timeline of compromise
- Remediation prioritized by attack path criticality
# Note-Taking
# What to Record
- Every scan output. Save raw nmap, gobuster, netexec, and BloodHound output as files.
- Credentials discovered. Format: username:password (or user::NTLM: for hashes) with source annotation.
- Attack paths attempted. What you tried, what worked, what didn't. Prevents re-testing the same dead end.
- Timeline. When you ran each scan, when you achieved each milestone.
- Screenshots. Every proof-of-concept. Flags. Sensitive data found. Critical configuration issues.
# Tools
- CherryTree — Hierarchical note-taking, good for organizing by host/service
- Obsidian — Markdown-based, excellent for linking related findings
- Sublime/VS Code — Simple, fast, searchable plaintext
- OneNote — Good for collaborative engagements
- Ghostwriter — Specialized pentest reporting tool
# Dealing with Rabbit Holes
A "rabbit hole" is a lead that seems promising but wastes time without results.
Signs you're in a rabbit hole:
- You've spent 30+ minutes on one technique with no progress
- You're trying increasingly exotic/edge-case exploits
- The vulnerability "should work" but doesn't, and you're guessing why
- You're the first person to attempt this exploit chain
How to escape:
- Set a time limit per technique (30 min for hard, 15 min for easy)
- When time expires, document what you tried and MOVE ON
- Return later with fresh eyes if nothing else works
- Ask: "Is there a simpler attack path I haven't tried?"
Most real-world compromises don't use zero-days. They use:
- Default/weak credentials
- Misconfigurations
- Known CVEs on unpatched systems
- Phishing (if in scope)
- Overly permissive access controls
Start with the simple stuff first.
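The note-taking advice above (record what you tried, what worked and what didn't) and the per-technique time limit from this section fit naturally in one small attempt log. The Python below is an added example, not from the original page; the Attempt and EngagementLog names, the "easy"/"hard" labels, and the sample host and technique names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Time box per technique from the rule of thumb above: 30 min for hard, 15 min for easy.
BUDGET = {"hard": timedelta(minutes=30), "easy": timedelta(minutes=15)}


@dataclass
class Attempt:
    host: str
    technique: str
    difficulty: str                     # "easy" or "hard"
    started: datetime
    ended: Optional[datetime] = None
    outcome: str = "open"               # "worked", "failed" or "open"
    notes: str = ""                     # what was tried and why it stopped

    def overran(self, now: Optional[datetime] = None) -> bool:
        """True once the attempt has exceeded its time box and should be parked."""
        end = self.ended or now or datetime.now()
        return end - self.started > BUDGET[self.difficulty]


@dataclass
class EngagementLog:
    attempts: List[Attempt] = field(default_factory=list)

    def start(self, host: str, technique: str, difficulty: str, at: datetime) -> Attempt:
        a = Attempt(host, technique, difficulty, at)
        self.attempts.append(a)
        return a

    def close(self, a: Attempt, outcome: str, at: datetime, notes: str = "") -> None:
        a.ended, a.outcome, a.notes = at, outcome, notes

    def dead_ends(self, host: str) -> List[str]:
        """Techniques that already failed on a host, so they are not re-tested."""
        return sorted({a.technique for a in self.attempts
                       if a.host == host and a.outcome == "failed"})

    def timeline(self) -> List[str]:
        """Chronological entries for the report's attack narrative."""
        return [f"{a.started:%Y-%m-%d %H:%M} {a.host} {a.technique}: {a.outcome}"
                for a in sorted(self.attempts, key=lambda a: a.started)]


def sample_log() -> EngagementLog:
    """Constructed data for a fictional host; hypothetical, not from a real engagement."""
    log, t0 = EngagementLog(), datetime(2024, 1, 1, 9, 0)
    a = log.start("10.10.10.5", "default credentials on admin panel", "easy", t0)
    log.close(a, "failed", t0 + timedelta(minutes=10), "panel requires MFA")
    log.start("10.10.10.5", "known CVE for reported service version", "hard", a.ended)
    return log
```

Check `overran()` on the open attempt whenever you feel stuck; once it returns True, close the attempt with notes and move on, and consult `dead_ends(host)` before returning to that host later.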
# Time Management
For a typical 40-hour external pentest:
| Activity | Time Allocation |
|---|---|
| Reconnaissance | 4 hours (10%) |
| Enumeration & Scanning | 8 hours (20%) |
| Vulnerability Assessment | 8 hours (20%) |
| Exploitation | 12 hours (30%) |
| Post-Exploitation | 4 hours (10%) |
| Reporting | 4 hours (10%) |
For HTB/CTF machines (typical 2-4 hour solve):
| Activity | Time Allocation |
|---|---|
| Enumeration | 45-60 minutes |
| Foothold | 30-60 minutes |
| Privilege Escalation | 30-60 minutes |
| Note-taking | Throughout |
# Common Beginner Mistakes
- Starting Metasploit before nmap finishes. You don't know what you're attacking yet.
- Copy-pasting exploits without understanding them. When they fail, you can't debug.
- Ignoring UDP. DNS (53), SNMP (161), and other UDP services are often overlooked.
- Not checking for default credentials before running complex exploits.
- Running automated scanners without manual verification. False positives waste time.
- Skipping post-exploitation enumeration. The first shell is rarely the goal.
- Not checking firewall rules. Just because a service is running doesn't mean you can reach it.
- Overlooking internal services listening on localhost. Port forward them.
# The "Try Harder" Mentality (Refined)
The HTB motto "Try Harder" is often misunderstood. It doesn't mean:
- Banging your head against the same technique for 8 hours
- Trying random exploits hoping one sticks
- Guessing credentials endlessly
It means:
- Going back to enumeration when exploitation fails
- Reading the source code, not just scanning it
- Understanding the technology, not just attacking it
- Being thorough: every port, every parameter, every share, every user
- Knowing when to take a break and return with fresh perspective
# Recommended Learning Path
- HTB Starting Point → Tier 0, 1, 2 machines
- HTB Academy → Penetration Tester job role path
- HTB Easy Machines → Build enumeration methodology
- HTB Medium Machines → Develop exploitation and privesc skills
- Pro Labs / Offshore → Multi-machine AD environments
- OSCP → Industry certification
- HTB Hard/Insane → Advanced techniques
# Resources
- HackTricks — Comprehensive pentesting encyclopedia
- PayloadsAllTheThings — Payload collection
- GTFOBins — Linux binary exploitation reference
- LOLBAS — Windows Living-off-the-land binaries
- WADComs — Interactive AD cheatsheet
- revshells.com — Reverse shell generator
- HackTricks Cloud — Cloud pentesting