PENTESTING METHODOLOGIES
A living reference of penetration testing methodologies across 16 assessment disciplines
This repository is a structured collection of penetration testing methodologies built from real-world assessment experience. Each document provides a disciplined, phase-based approach to a specific testing domain, covering reconnaissance through to exploitation, post-exploitation, and reporting considerations.
These are working documents, not checklists. They are intended to be used alongside assessment experience and adapted to the specific rules of engagement, scope, and target environment of each engagement.
Not a replacement for professional training or certifications. These methodologies complement skills built through platforms like HackTheBox, OSCP, and real-world engagements. They are reference documents for practitioners who already understand the fundamentals.
| # | Methodology | Domain | Assessment Type |
|---|---|---|---|
| 01 | Active Directory | Identity & Access | Internal / Red Team |
| 02 | AWS Configuration Review | Cloud | Cloud Security Review |
| 03 | Android Application Testing | Mobile | Mobile App Pentest |
| 04 | iOS Application Testing | Mobile | Mobile App Pentest |
| 05 | Azure Cloud Review | Cloud | Cloud Security Review |
| 06 | Desktop Breakout Assessment | Physical / Kiosk | Assumed Breach |
| 07 | Docker Penetration Testing | Container | Infrastructure |
| 08 | Firewall Assessment | Network | Infrastructure Review |
| 09 | Google Cloud Review | Cloud | Cloud Security Review |
| 10 | Internal Infrastructure | Network | Internal Pentest |
| 11 | Linux Build Review | OS Hardening | Build Review |
| 12 | Stolen Laptop Assessment | Physical / Endpoint | Assumed Breach |
| 13 | Web Application & API | Web | Web App Pentest |
| 14 | Wi-Fi Penetration Testing | Wireless | Network |
| 15 | Windows Build Review | OS Hardening | Build Review |
| 16 | Password Audit Methodology | OS Hardening | Password Review |
File: Active Directory Methodology.md
Active Directory remains one of the most targeted attack surfaces in enterprise environments. This methodology covers the full kill chain from initial domain enumeration through to domain compromise, structured around real-world attack paths rather than theoretical coverage.
Phases covered:
- Initial enumeration (users, groups, GPOs, trusts, OUs, domain controllers)
- Credential harvesting (LLMNR/NBT-NS poisoning, AS-REP Roasting, Kerberoasting)
- Lateral movement (Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash)
- Privilege escalation (ACL abuse, GenericWrite, WriteDACL, DCSync rights)
- Domain persistence (Golden Ticket, Silver Ticket, skeleton key, AdminSDHolder)
- Trust abuse (inter-domain and inter-forest attacks)
Key tools referenced: BloodHound, SharpHound, Impacket, Rubeus, Mimikatz, CrackMapExec, PowerView, Kerbrute, Responder, ldapdomaindump
Relevant frameworks: MITRE ATT&CK (TA0006 Credential Access, TA0008 Lateral Movement), OWASP Testing Guide
File: Amazon Configuration Methodology.md
Covers AWS cloud security reviews focused on misconfiguration identification, IAM abuse paths, and data exposure risks. Structured for both authenticated reviews (with provided access keys) and assumed-compromise scenarios.
Phases covered:
- IAM enumeration (users, roles, policies, groups, trust relationships)
- Privilege escalation via IAM misconfigurations (PassRole, CreatePolicy, AssumeRole abuse)
- S3 bucket enumeration and access control review (public ACLs, bucket policies)
- EC2 instance metadata service (IMDSv1 still enabled, SSRF to role credential theft; IMDSv2 requires a session token obtained with a PUT request, which most SSRF primitives cannot supply)
- Lambda and API Gateway review
- Secrets Manager and Parameter Store exposure
- CloudTrail, CloudWatch, and GuardDuty coverage assessment
- VPC security group and network ACL review
Key tools referenced: ScoutSuite, Prowler, Pacu, aws-cli, enumerate-iam, cloudsplaining, Trivy
Relevant frameworks: AWS Well-Architected Security Pillar, CIS AWS Foundations Benchmark
File: Android App testing Methodology.md
A structured approach to Android application security testing covering both static and dynamic analysis phases. Covers rooted and non-rooted device testing where applicable.
Phases covered:
- Static analysis (APK extraction, decompilation, manifest review, hardcoded secrets)
- Dynamic analysis (traffic interception, SSL pinning bypass, runtime manipulation)
- Authentication and session management testing
- Data storage review (SharedPreferences, SQLite, external storage, logcat)
- IPC security (Activities, Services, BroadcastReceivers, ContentProviders)
- Binary protections (root detection, emulator detection, anti-tampering)
- Third-party SDK and library review
Key tools referenced: MobSF, APKTool, Jadx, Frida, Objection, adb, Burp Suite, drozer, jadx-gui
Relevant frameworks: OWASP Mobile Application Security Verification Standard (MASVS), OWASP Mobile Top 10
File: Apple IOS Application testing.md
iOS application security methodology covering jailbroken and non-jailbroken device testing approaches, IPA analysis, and runtime inspection.
Phases covered:
- IPA extraction and static analysis (class-dump, binary analysis, plist review)
- Transport security assessment (ATS configuration, SSL pinning bypass)
- Authentication and biometric bypass testing
- Keychain and data storage security review
- Runtime manipulation and method swizzling
- Jailbreak detection bypass techniques
- URL scheme and deep link abuse
- Extension and widget security
Key tools referenced: Frida, Objection, Clutch, MobSF, class-dump, Burp Suite, ipainstaller, Needle, iphonedisk
Relevant frameworks: OWASP MASVS, Apple App Transport Security guidelines
File: Azure Cloud Review Methodology.md
Azure cloud security review methodology covering Entra ID (formerly Azure AD), resource group configurations, RBAC abuse paths, and service-specific misconfigurations.
Phases covered:
- Entra ID enumeration (users, groups, service principals, app registrations, managed identities)
- RBAC and privilege escalation (Owner/Contributor abuse, role assignments, PIM)
- Storage account review (public blob containers, SAS token exposure, shared keys)
- Key Vault access policy review
- Virtual machine and network security group assessment
- App Service and Function App security review
- Conditional Access policy gaps
- Activity log and Defender for Cloud coverage review
Key tools referenced: AzureHound, ROADtools, Stormspotter, az cli, MicroBurst, PowerZure, ScoutSuite
Relevant frameworks: CIS Microsoft Azure Foundations Benchmark, MITRE ATT&CK for Cloud
File: Desktop Breakout Assessment.md
Covers kiosk, thin client, and locked-down desktop breakout assessments, i.e. scenarios where an attacker has physical access to a restricted Windows environment and attempts to escape to a full shell or escalate privileges.
Phases covered:
- Application whitelisting bypass (Living-off-the-Land binaries, LOLBins)
- Dialog box and file browser exploitation (Open/Save As abuse)
- Accessibility feature abuse (Sticky Keys, Narrator, Magnifier replacement)
- Task Manager and process manipulation
- Registry editor and PowerShell access attempts
- URL handler and protocol abuse for code execution
- Printer driver and shortcut tricks
- Kiosk mode escape techniques
Key tools referenced: native Windows LOLBins (mshta, wscript, cscript, msiexec, regsvr32), SysInternals suite
Relevant context: Citrix environments, VDI platforms, point-of-sale terminals, locked workstations
File: Docker Pen testing Methodology.md
Container security methodology covering Docker daemon misconfigurations, container escape paths, image security, and Kubernetes-adjacent risks.
Phases covered:
- Docker daemon exposure (TCP socket, Unix socket permissions)
- Container escape techniques (privileged containers, mounted Docker socket, host PID/network namespaces)
- Image analysis (layer inspection, hardcoded secrets, base image vulnerabilities)
- Registry security (unauthenticated access, image pull/push)
- Docker Compose and stack misconfiguration review
- Container runtime hardening (seccomp, AppArmor, capabilities)
- Secret management in container environments
Key tools referenced: Trivy, Grype, Clair, Dive, docker-bench-security, amicontained, CDK, deepce
Relevant frameworks: CIS Docker Benchmark, NIST SP 800-190
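An added illustration of the container escape phase above (example code written for this README, not taken from the Docker methodology document). From inside a container the two quickest tells are the effective capability mask in /proc/self/status and what has been bind-mounted according to /proc/self/mountinfo, which is what tools like amicontained and deepce read. The functions take file paths so they run the same way against a live container or against copies captured as evidence; `sample_status` and `sample_mountinfo` write constructed inputs, not captures from a real host, and the filename `escape_triage.sh` in the usage comment is just a suggestion.

```sh
#!/bin/sh
# Added example for this README, not code from the methodology document.
# Triage of container-escape indicators from /proc/self/status (CapEff) and
# /proc/self/mountinfo. Capability bit numbers are the kernel's
# (include/uapi/linux/capability.h).

# True if bit $2 is set in the hex mask $1 (the CapEff value).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Print the effective capabilities that give a direct route to the host.
# Docker's default set (CapEff 00000000a80425fb) contains none of them; a
# mask of 0000003fffffffff or 000001ffffffffff means --privileged or
# --cap-add=ALL, and --privileged additionally disables seccomp/AppArmor
# and exposes every host device.
audit_capabilities() {
    mask=$(awk '/^CapEff:/ { print $2 }' "$1")
    [ -n "$mask" ] || { echo "no CapEff line in $1" >&2; return 1; }
    printf '%s\n' \
      '21 CAP_SYS_ADMIN mount host block devices, cgroup release_agent, etc.' \
      '19 CAP_SYS_PTRACE inject into a host process if the host PID namespace is shared' \
      '17 CAP_SYS_RAWIO raw access to devices and memory' \
      '16 CAP_SYS_MODULE load a kernel module' \
      '12 CAP_NET_ADMIN reconfigure networking if the host network namespace is shared' \
      '2 CAP_DAC_READ_SEARCH open_by_handle_at(2) to read any host file' \
    | while read -r bit name why; do
        if has_cap "$mask" "$bit"; then
            printf 'CAP %s (bit %s): %s\n' "$name" "$bit" "$why"
        fi
    done
}

# Print mounts that hand over the host: the Docker socket (control of the
# daemon, so a privileged container is one API call away) and a host root
# filesystem bind-mounted into the container. Field 4 of mountinfo is the
# root of the mount within its filesystem, field 5 the mount point, and the
# filesystem type and source follow the "-" separator.
audit_mounts() {
    awk '{
        root = $4; mp = $5; fstype = ""; src = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i+1); src = $(i+2); break }
        if (mp ~ /docker\.sock$/ || root ~ /docker\.sock$/)
            printf "MOUNT docker socket at %s: full control of the Docker daemon\n", mp
        else if (root == "/" && mp != "/" && fstype ~ /^(ext[234]|xfs|btrfs)$/)
            printf "MOUNT host filesystem %s mounted at %s\n", src, mp
    }' "$1"
}

# Constructed samples (not captured from a real host) so the checks run offline.
sample_status() {   # $1 = CapEff mask to embed, $2 = output path
    printf 'Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t%s\n' "$1" > "$2"
}
sample_mountinfo() {
    cat > "$1" <<'EOF'
1000 999 0:52 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/ABC
1001 1000 0:54 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
1002 1000 8:1 / /host rw,relatime - ext4 /dev/sda1 rw
1003 1000 0:23 /docker.sock /var/run/docker.sock rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,size=404412k
1004 1000 8:1 /home/app /app rw,relatime - ext4 /dev/sda1 rw
EOF
}

# With no arguments, run against the constructed samples. On a live
# container: sh escape_triage.sh /proc/self/status /proc/self/mountinfo
if [ $# -eq 2 ]; then
    audit_capabilities "$1"; audit_mounts "$2"
elif [ $# -eq 0 ]; then
    d=$(mktemp -d)
    sample_status 000001ffffffffff "$d/status"; sample_mountinfo "$d/mountinfo"
    audit_capabilities "$d/status"; audit_mounts "$d/mountinfo"
    rm -rf "$d"
fi
```

The capability check deliberately reports only capabilities with a known escape path rather than everything outside Docker's default set; a bind mount of a single host directory (the `/app` line in the sample) is reported by neither check because it is normal, whereas a host root filesystem at `/host` is not.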
File: Firewall Methodology.md
Methodology for assessing firewall rule sets, perimeter security configurations, and network segmentation effectiveness across enterprise firewall platforms.
Phases covered:
- Firewall rule base review (inbound, outbound, inter-zone)
- Implicit deny and default policy verification
- NAT rule review and exposure mapping
- Rule base optimisation and redundancy analysis
- Management interface exposure (web GUI, SSH, SNMP)
- High availability and failover configuration review
- Logging and alerting configuration assessment
- Vendor-specific hardening checks (Palo Alto, Fortinet, Cisco ASA, Check Point)
Key tools referenced: Nmap, Hping3, Scapy, Firewalk, Nipper
Relevant frameworks: CIS Firewall Security Benchmark, vendor hardening guides
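An added example of the rule base review, implicit deny and redundancy phases above (written for this README, not code from the firewall methodology document). It runs over a CSV export with columns `id,action,src,dst,service`, which is an assumed shape that vendor exports have to be converted into first; the rule base written by `sample_rules` is constructed, not from a real device, and first-match semantics are assumed as on the platforms listed.

```sh
#!/bin/sh
# Added example for this README, not code from the firewall methodology.
# A rule-base review pass over a CSV export with columns
# id,action,src,dst,service (src/dst as CIDR, bare IPv4 or "any"; service
# as proto/port or "any"). Vendor exports need converting to this shape
# first. First-match semantics are assumed.
audit_rulebase() {
    awk -F',' '
    function ip2int(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # 1 if object a (CIDR / bare IP / any) contains every address in object b
    function covers(a, b,   x, y, pa) {
        if (a == "any") return 1
        if (b == "any") return 0
        split(a, x, "/"); split(b, y, "/")
        if (x[2] == "") x[2] = 32
        if (y[2] == "") y[2] = 32
        if (x[2] + 0 > y[2] + 0) return 0          # a is a smaller block than b
        pa = x[2] + 0
        return int(ip2int(x[1]) / 2^(32 - pa)) == int(ip2int(y[1]) / 2^(32 - pa))
    }
    function svc_covers(a, b) { return a == "any" || a == b }
    /^id,/ { next }
    NF == 0 { next }
    {
        n++; id[n] = $1; act[n] = $2; src[n] = $3; dst[n] = $4; svc[n] = $5
        if (act[n] == "allow" && src[n] == "any" && dst[n] == "any" && svc[n] == "any")
            printf "PERMISSIVE rule %s: allow any -> any on any service\n", id[n]
        # A rule is shadowed when an earlier rule already matches everything it
        # matches. Report the first such rule: that is the one handling the traffic.
        for (j = 1; j < n; j++)
            if (covers(src[j], src[n]) && covers(dst[j], dst[n]) && svc_covers(svc[j], svc[n])) {
                printf "SHADOWED rule %s by rule %s (%s/%s)%s\n", id[n], id[j], act[j], act[n],
                    ((act[j] != act[n]) ? " - action conflict, rule never takes effect" : "")
                break
            }
    }
    END {
        if (n == 0) { print "EMPTY rule base"; exit }
        if (!(act[n] == "deny" && src[n] == "any" && dst[n] == "any" && svc[n] == "any"))
            printf "NO-CLEANUP last rule %s is not deny any/any/any: the platform default policy applies, confirm it denies and logs\n", id[n]
    }' "$1"
}

# Constructed rule base (not from a real device) exercising each finding type.
sample_rules() {
    cat > "$1" <<'EOF'
id,action,src,dst,service
1,allow,10.0.0.0/8,10.10.10.5/32,tcp/443
2,allow,any,any,any
3,allow,10.0.1.0/24,10.10.10.5,tcp/443
4,deny,any,any,any
5,allow,192.168.0.0/16,10.10.10.5/32,tcp/443
EOF
}

# Usage: sh rulebase_review.sh rules.csv   (no argument: run the sample)
if [ $# -eq 1 ]; then
    audit_rulebase "$1"
else
    d=$(mktemp -d); sample_rules "$d/rules.csv"; audit_rulebase "$d/rules.csv"; rm -rf "$d"
fi
```

On the sample, rule 2 is the permissive any/any rule, rules 3 and 5 are shadowed (3 by the broader rule 1, 5 by rule 2), rule 4 is a cleanup deny that never fires because rule 2 precedes it, and the rule base does not end in an explicit deny, so the device's default policy decides the remaining traffic. Shadowing by a rule with a different action is the finding to escalate: it means a control someone believes is in place is not.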
File: Google Cloud Review Methodology.md
GCP security review methodology covering IAM hierarchy abuse, service account misconfigurations, and GCP-specific attack paths.
Phases covered:
- IAM enumeration (project, folder, organisation level bindings)
- Service account key exposure and impersonation
- Privilege escalation via IAM (setIamPolicy, actAs, token generation abuse)
- Cloud Storage bucket access review (public access, ACLs, uniform bucket-level access)
- Compute Engine metadata server abuse (IMDS credential theft)
- Cloud Functions and Cloud Run security review
- GKE cluster configuration review
- Secret Manager and KMS key access review
- VPC firewall rule assessment
Key tools referenced: gcloud CLI, ScoutSuite, Forseti, GCPBucketBrute, enumerate-iam, Hayat
Relevant frameworks: CIS Google Cloud Platform Foundation Benchmark
File: Infrastructure Methodology Internal.md
A structured internal network penetration testing methodology covering the full lifecycle from initial network access through to domain compromise and post-exploitation. Suitable for both assumed-breach and full internal assessments.
Phases covered:
- Network discovery and host enumeration
- Service fingerprinting and vulnerability identification
- Credential attacks (default credentials, password spraying, brute force)
- Network protocol abuse (SMB relay, LLMNR/NBT-NS poisoning, IPv6 attacks)
- Exploitation of unpatched services
- Lateral movement across network segments
- Active Directory attacks (where applicable, see AD methodology)
- Pivoting and tunnelling through network boundaries
- Data exfiltration path mapping
Key tools referenced: Nmap, Responder, Metasploit, CrackMapExec, Impacket, mitm6, BloodHound, Nessus
Relevant frameworks: MITRE ATT&CK, PTES (Penetration Testing Execution Standard)
File: Linux Build review Methdology.md
CIS-aligned Linux build review methodology for assessing the security hardening of Linux endpoints and servers. Covers both Debian/Ubuntu and RHEL/CentOS family distributions.
Phases covered:
- OS and kernel version assessment (patch currency)
- User account and authentication hardening (password policy, PAM, sudo configuration)
- SSH configuration review (protocol version, authentication methods, key management)
- File system permissions (SUID/SGID, world-writable files, sensitive file permissions)
- Network configuration (listening services, firewall rules, IP forwarding)
- Cron job and scheduled task review
- Logging and auditing configuration (syslog, auditd)
- Installed package review and unnecessary service identification
- SELinux / AppArmor status
- NFS and Samba configuration review
Key tools referenced: Lynis, OpenSCAP, custom enumeration scripts, bash audit commands
Relevant frameworks: CIS Linux Benchmarks, NCSC Device Security Guidance, DISA STIG
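An added example of three of the checks listed above (SSH configuration, SUID/SGID files, world-writable files), written for this README rather than taken from the Linux build review document. Each check takes paths so it runs identically on a live host, a mounted image, or files collected as evidence. Assumptions: sshd_config uses the plain `Directive value` syntax with no Match blocks, the allow-list of expected SUID binaries is the reviewer's own, and the sshd_config written by `sample_sshd_config` is constructed, not from a real host.

```sh
#!/bin/sh
# Added example for this README, not code from the Linux build review document.
# Three checks from the methodology as functions that take paths, so they run
# the same way on a live host, a mounted image, or collected evidence.

# Report weak sshd settings. Two things reviewers get wrong: (1) for most
# directives sshd uses the FIRST value it reads, so a hardening line added
# at the bottom of the file does nothing; (2) an absent directive takes
# OpenSSH's default, and PasswordAuthentication defaults to yes. Confirm
# the resolved configuration on the host with: sshd -T
audit_sshd_config() {
    cfg="$1"
    # directive;default;regex for a weak value;finding
    printf '%s\n' \
      'permitrootlogin;prohibit-password;^yes$;root login over SSH permitted' \
      'passwordauthentication;yes;^yes$;password authentication enabled' \
      'permitemptypasswords;no;^yes$;empty passwords permitted' \
      'protocol;2;(^|,)1(,|$);SSH protocol 1 enabled' \
      'x11forwarding;no;^yes$;X11 forwarding enabled' \
      'maxauthtries;6;^([7-9]|[1-9][0-9]+)$;MaxAuthTries above 6' \
    | while IFS=';' read -r key dflt weakre text; do
        val=$(awk -v k="$key" 'tolower($1) == k && !seen { print tolower($2); seen = 1 }' "$cfg")
        [ -n "$val" ] || val="$dflt"
        if printf '%s' "$val" | grep -Eq "$weakre"; then
            printf 'WEAK %s=%s: %s\n' "$key" "$val" "$text"
        fi
    done
}

# SUID/SGID files under $1 whose basename is not in the allow-list file $2
# (one basename per line). Anything printed needs a reason to exist and a
# check against known abusable binaries before the exploitation phase.
audit_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
    | while read -r f; do
        grep -qxF "$(basename "$f")" "$2" || printf 'SUID/SGID %s\n' "$f"
    done
}

# World-writable files, and world-writable directories without the sticky
# bit (where any user can delete or replace other users' files).
audit_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sed 's/^/WW-FILE /'
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sed 's/^/WW-DIR /'
}

# Constructed sshd_config (not from a real host) so the check runs offline.
sample_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
Protocol 2,1
MaxAuthTries 10
X11Forwarding no
# "fix" appended at the bottom: sshd keeps the first value, so this is ignored
PermitRootLogin no
EOF
}

# Usage on a host: sh build_review.sh /etc/ssh/sshd_config / allowlist.txt
if [ $# -eq 3 ]; then
    audit_sshd_config "$1"; audit_suid_sgid "$2" "$3"; audit_world_writable "$2"
elif [ $# -eq 0 ]; then
    d=$(mktemp -d); sample_sshd_config "$d/sshd_config"
    audit_sshd_config "$d/sshd_config"; rm -rf "$d"
fi
```

On the sample configuration the check reports root login (first value wins), password authentication (never set, so the default applies), protocol 1 and MaxAuthTries, and nothing for X11Forwarding or PermitEmptyPasswords. The `-xdev` on the find calls keeps the SUID and world-writable scans from wandering into /proc, NFS mounts or a second disk, which is also why an image review should mount each filesystem and scan it separately.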
File: Stolen Laptop Assessment Methdology.md
Simulates the scenario of a corporate laptop being lost or stolen. Tests the effectiveness of endpoint protection controls including full disk encryption, pre-boot authentication, BIOS/UEFI security, and data exposure without authenticated access.
Phases covered:
- Full disk encryption verification (BitLocker, FileVault, VeraCrypt)
- Pre-boot authentication and TPM configuration review
- BIOS/UEFI password and secure boot assessment
- Boot order manipulation testing
- Live OS boot and data recovery attempts
- Memory forensics for credential extraction
- Auto-login and credential caching review
- MDM enforcement and remote wipe capability assessment
- Screensaver and lock screen configuration
Key tools referenced: Kon-Boot, Hiren's Boot CD, live Kali USB, chntpw, volatility, dumpit
Relevant context: GDPR breach impact assessment, insurance assessments, endpoint security validation
File: Web application and & API Methodology Detailed.md
A comprehensive web application and API security testing methodology aligned to OWASP standards. Covers both traditional web applications and modern REST/GraphQL APIs, with depth across all major vulnerability classes.
Phases covered:
- Reconnaissance and application mapping (spidering, JS analysis, endpoint discovery)
- Authentication testing (brute force, account enumeration, MFA bypass, SSO/OAuth flaws)
- Session management (cookie security, session fixation, CSRF)
- Authorisation testing (IDOR, BOLA, privilege escalation, BFLA)
- Injection testing (SQLi, XSS, XXE, SSTI, command injection, LDAP injection)
- Business logic flaw identification
- File upload and content type validation
- API-specific testing (mass assignment, excessive data exposure, rate limiting, BOPLA)
- GraphQL security (introspection abuse, nested queries, batching attacks)
- Infrastructure and configuration review (HTTP headers, TLS, error handling)
Key tools referenced: Burp Suite Pro, ffuf, Nuclei, sqlmap, nikto, Postman, jwt_tool, Arjun, GraphQL Voyager
Relevant frameworks: OWASP Top 10 (Web), OWASP API Security Top 10, OWASP Web Security Testing Guide (WSTG) v4.2
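An added example of the header and cookie checks from the infrastructure and configuration review phase above (written for this README, not code from the web methodology document). It works on a saved response rather than a live target so the finding can be reproduced from the evidence file. The one-year HSTS threshold is a commonly used value to adjust per engagement; the response written by `sample_response` is constructed, not captured from a site, and `headers.sh` in the usage comment is just a suggested filename.

```sh
#!/bin/sh
# Added example for this README, not code from the web methodology.
# Header and cookie checks from the configuration-review phase, run over a
# saved response so they are reproducible from evidence:
#   curl -sS -D resp.txt -o /dev/null https://target/   # then: sh headers.sh resp.txt
# Thresholds (one-year HSTS) are common guidance; adjust to the engagement.

# Print every value of header $2 in response file $1 (case-insensitive,
# CR stripped, stops at the blank line so the body cannot inject headers).
header_value() {
    awk -v h="$2" '
        BEGIN { h = tolower(h) }
        { line = $0; sub(/\r$/, "", line) }
        line == "" { exit }
        {
            i = index(line, ":")
            if (i && tolower(substr(line, 1, i - 1)) == h) {
                v = substr(line, i + 1); sub(/^ +/, "", v); print v
            }
        }' "$1"
}

audit_http_response() {
    r="$1"
    hsts=$(header_value "$r" Strict-Transport-Security)
    if [ -z "$hsts" ]; then
        echo "HEADER Strict-Transport-Security missing"
    else
        age=$(printf '%s' "$hsts" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
        [ "${age:-0}" -ge 31536000 ] || echo "HEADER Strict-Transport-Security max-age=${age:-missing} below one year"
    fi
    [ -n "$(header_value "$r" Content-Security-Policy)" ] || echo "HEADER Content-Security-Policy missing"
    [ "$(header_value "$r" X-Content-Type-Options | tr 'A-Z' 'a-z')" = "nosniff" ] \
        || echo "HEADER X-Content-Type-Options missing or not nosniff"
    server=$(header_value "$r" Server)
    case "$server" in *[0-9].[0-9]*) echo "HEADER Server discloses version: $server" ;; esac
    # One line per Set-Cookie. Attributes are split on ";" so a cookie *named*
    # secure_id is not mistaken for the Secure attribute.
    header_value "$r" Set-Cookie | while read -r c; do
        name=${c%%=*}
        attrs=$(printf '%s' "$c" | tr 'A-Z' 'a-z' | tr ';' '\n' | sed 's/^ *//')
        printf '%s\n' "$attrs" | grep -qx secure   || echo "COOKIE $name lacks Secure"
        printf '%s\n' "$attrs" | grep -qx httponly || echo "COOKIE $name lacks HttpOnly"
        printf '%s\n' "$attrs" | grep -q '^samesite=' || echo "COOKIE $name lacks SameSite"
    done
}

# Constructed response (not captured from a real site) so the check runs offline.
sample_response() {
    cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=86400; includeSubDomains
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict
X-Content-Type-Options: nosniff

<html><body>Set-Cookie: injected=1</body></html>
EOF
}

if [ $# -eq 1 ]; then
    audit_http_response "$1"
else
    d=$(mktemp -d); sample_response "$d/resp.txt"; audit_http_response "$d/resp.txt"; rm -rf "$d"
fi
```

On the sample it reports the short HSTS max-age, the missing CSP, the version in the Server header, and the session cookie's missing Secure and SameSite attributes, while ignoring the `Set-Cookie:` text in the body. A session cookie without Secure is the finding to chase in the session management phase, since it is the one that turns any plaintext request into credential exposure.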
File: Wifi Pentesting Methodology.md
Wireless network security testing methodology covering enterprise (WPA2/3-Enterprise), personal (WPA2-PSK), and legacy protocol assessments. Covers both client-side and infrastructure attacks.
Phases covered:
- Wireless survey and access point enumeration
- WPA2-Personal attacks (PMKID capture, 4-way handshake capture, offline cracking) and WPA3-SAE checks (a captured SAE exchange is not offline-crackable, so test for WPA2 fallback in transition mode instead)
- WPA2/WPA3-Enterprise attacks (EAP downgrade, RADIUS misconfiguration, credential capture)
- Evil Twin / rogue AP attacks
- KARMA attacks and client probing
- Captive portal bypass techniques
- Guest network segmentation testing
- WPS vulnerability assessment (Pixie Dust, brute force)
- Wireless client isolation testing
Key tools referenced: Aircrack-ng suite, Hashcat, Hcxtools, Hcxdumptool, hostapd-wpe, eaphammer, Kismet, Wireshark
Relevant frameworks: WPA3 specification, NCSC Wi-Fi guidance, PCI DSS wireless requirements
File: Windows Build review Methodology.md
CIS-aligned Windows endpoint and server hardening review methodology. Covers Windows 10/11 workstations, Windows Server 2016/2019/2022, and Group Policy configuration assessment.
Phases covered:
- OS and patch currency review
- Account and password policy assessment (local and GPO-applied)
- Audit policy and event logging configuration
- User Rights Assignment and privilege review
- Windows Defender and security feature status (LSASS protection, Credential Guard, ASR rules)
- AppLocker and WDAC policy review
- Remote access and RDP configuration
- Service and scheduled task hardening
- Network configuration (SMB signing, LDAP signing, NTLMv1 status)
- Registry and GPO hardening checks (AutoRun, UAC, WDigest, LSA)
- BitLocker encryption status
- Windows Firewall configuration
Key tools referenced: Lynis for Windows, PingCastle, Group Policy review, custom PowerShell enumeration scripts, Windows_Enumerator_V2.0
Relevant frameworks: CIS Windows Benchmarks, NCSC Device Security Guidance, DISA STIG, NIST 800-171
These methodologies are structured as Markdown documents designed to be used directly in GitHub, Obsidian, or any Markdown-compatible knowledge base.
During an assessment:
1. Open the relevant methodology at the start of the engagement
2. Work through phases sequentially - don't skip enumeration to jump to exploitation
3. Adapt the scope to the rules of engagement - not every check is appropriate for every engagement
4. Document findings as you go - methodology docs pair well with a findings tracker
5. Cross-reference multiple methodologies where disciplines overlap (e.g. Internal Infrastructure + Active Directory for an internal pentest)
Methodology overlap guidance:
| Engagement Type | Primary Methodology | Supplement With |
|---|---|---|
| Internal Pentest | Internal Infrastructure | Active Directory, Wi-Fi |
| Red Team | Active Directory | Internal Infrastructure, Desktop Breakout |
| Cloud Review (AWS) | AWS Configuration | Web App & API (if web-facing) |
| Mobile Pentest | Android / iOS | Web App & API (for backend APIs) |
| Build Review (Windows) | Windows Build Review | Active Directory (if domain-joined) |
| Build Review (Linux) | Linux Build Review | Docker (if containerised) |
| Physical Assessment | Stolen Laptop, Desktop Breakout | Internal Infrastructure |
Each methodology document follows a consistent structure:
1. Overview & Scope
   └─ What this assessment covers, typical engagement context
2. Prerequisites & Setup
   └─ Tools required, access needed, environment setup
3. Phase 1: Reconnaissance / Enumeration
   └─ Passive and active information gathering
4. Phase 2: Vulnerability Identification
   └─ Service-specific checks, configuration review
5. Phase 3: Exploitation
   └─ Attack techniques, proof-of-concept approaches
6. Phase 4: Post-Exploitation / Lateral Movement
   └─ (Where applicable) persistence, pivoting, data access
7. Reporting Considerations
   └─ Key findings to document, evidence to capture, remediation themes
8. Tool Reference
   └─ Consolidated command reference for the engagement
| Framework | Applicable Methodologies |
|---|---|
| MITRE ATT&CK | Active Directory, Internal Infrastructure, Cloud |
| OWASP Top 10 | Web Application & API |
| OWASP API Security Top 10 | Web Application & API |
| OWASP MASVS | Android, iOS |
| CIS Benchmarks | Windows Build Review, Linux Build Review, AWS, Azure, GCP |
| PTES | Internal Infrastructure |
| NCSC Device Security Guidance | Windows & Linux Build Reviews, Stolen Laptop |
| DISA STIG | Windows & Linux Build Reviews |
| PCI DSS | Wi-Fi, Internal Infrastructure |
| NIST SP 800-190 | Docker / Container Security |
If you spot gaps, outdated techniques, or want to add a methodology for a discipline not yet covered, contributions are welcome.
- Fork the repository
- Create a branch: `git checkout -b methodology/your-discipline`
- Follow the existing document structure and formatting
- Submit a Pull Request with a clear description of what's been added or changed
Disciplines not yet covered that would be good additions: Social Engineering, Physical Intrusion, OT/ICS/SCADA, Thick Client Applications, Kubernetes.
All methodologies in this repository are provided for educational purposes and use in authorised security assessments only.
Performing penetration testing activities against systems you do not have explicit written authorisation to test is illegal in the UK under the Computer Misuse Act 1990 and equivalent legislation worldwide. The author accepts no liability for misuse of any techniques or tools referenced in these documents.
Always operate within your rules of engagement. Get it in writing. Stay in scope.
Author: MrWhiskers · Penetration Tester @ Jumpsec
If this has been useful, a star is appreciated.