Before a single packet is sent, the engagement must be legally authorized and operationally defined. Scope creep, unauthorized access, and ambiguous rules of engagement are the leading causes of failed engagements — and legal exposure.
- Target IP ranges, domains, and ASNs
- In-scope vs out-of-scope systems
- Acceptable attack techniques
- Testing windows and blackout periods
- Point of contact and escalation path
- Signed Statement of Work (SoW)
- Rules of Engagement (RoE) document
- Get-out-of-jail letter (signed by client)
- Communication and reporting schedule
- Emergency stop procedure
Passive reconnaissance gathers intelligence about the target without directly touching their infrastructure. The goal is to build a complete profile — employees, technologies, exposed services, partner relationships — before any active scanning begins.
- Employee names, titles, email formats
- Technology stack (job postings, headers)
- Exposed subdomains and certificate records
- ASN and IP range ownership
- GitHub repos and leaked credentials
- Shodan, Censys — internet-exposed services
- theHarvester — emails and subdomains
- Amass — DNS enumeration
- LinkedIn, GitHub, WHOIS
- crt.sh — certificate transparency logs
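Certificate transparency is the quickest passive win, but raw crt.sh output needs cleaning before it becomes a target list: one entry can carry several newline-separated names, wildcards are common, case and trailing dots vary, and look-alike domains that merely contain the scope string must not slip in. The following is an added example (not code from the original page) that parses a crt.sh JSON response into in-scope hostnames and flags names whose newest certificate has long expired; the JSON is a constructed sample in the shape `https://crt.sh/?q=%25.example.com&output=json` returns, and example.com is a placeholder scope domain.

```python
"""Parse a crt.sh JSON response into in-scope hostnames for passive recon.

Added example, not code from the original page. SAMPLE_CRTSH_JSON is a
constructed sample in the shape crt.sh returns for
https://crt.sh/?q=%25.example.com&output=json; example.com is a placeholder
scope domain.
"""
import json

# Constructed sample: real responses have many more entries and fields.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nvpn.example.com\nMAIL.Example.com.",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-30T23:59:59"},
    {"common_name": "dev-old.example.com",
     "name_value": "dev-old.example.com",
     "not_before": "2021-02-01T00:00:00", "not_after": "2021-05-02T23:59:59"},
    {"common_name": "examplecorp.net",
     "name_value": "examplecorp.net\nlogin.example.com.phish-host.net",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
])


def parse_crtsh(crtsh_json, scope_domain):
    """Return (in_scope, wildcards, out_of_scope).

    in_scope maps hostname -> latest not_after seen for it, so stale names
    can be spotted. Matching is on a full label boundary, so
    'login.example.com.phish-host.net' is NOT treated as in scope.
    """
    scope = scope_domain.lower().strip(".")
    in_scope, wildcards, out_of_scope = {}, set(), set()
    for entry in json.loads(crtsh_json):
        not_after = entry.get("not_after", "")
        # name_value holds every SAN of the certificate, newline-separated
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                name = name[2:]          # record the zone the wildcard covers
                wildcards.add(name)
            if name == scope or name.endswith("." + scope):
                if not_after > in_scope.get(name, ""):
                    in_scope[name] = not_after
            else:
                out_of_scope.add(name)
    return in_scope, sorted(wildcards), sorted(out_of_scope)


def hostnames(crtsh_json, scope_domain):
    """Sorted, de-duplicated in-scope hostnames ready for DNS resolution."""
    return sorted(parse_crtsh(crtsh_json, scope_domain)[0])


def stale_hostnames(crtsh_json, scope_domain, cutoff_iso):
    """Hosts whose newest certificate expired before cutoff (ISO-8601 string).

    These are often forgotten systems: still worth resolving and probing, but
    flag them separately rather than assuming they are live.
    """
    in_scope, _, _ = parse_crtsh(crtsh_json, scope_domain)
    return sorted(h for h, seen in in_scope.items() if seen < cutoff_iso)


if __name__ == "__main__":
    live, wild, outside = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("in scope:", sorted(live))
    print("wildcard zones:", wild)
    print("not in scope (check before touching):", outside)
    print("stale:", stale_hostnames(SAMPLE_CRTSH_JSON, "example.com", "2023-01-01"))
```

The out-of-scope set is worth keeping rather than discarding: a related brand domain may belong to the client and can be added to scope through the POC, but never by the tester alone.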
Active scanning directly interacts with target systems to enumerate open ports, running services, software versions, and potential vulnerabilities. This phase generates network traffic and may trigger IDS/IPS alerts — stealth tuning matters.
- Port scan all in-scope ranges
- Service and version fingerprinting
- OS detection and banner grabbing
- Web application discovery (vhosts, dirs)
- Vulnerability scanning against findings
- Nmap — port scanning and service enum
- Masscan — high-speed port discovery
- Nikto — web server misconfiguration
- Feroxbuster / gobuster — directory brute
- Nuclei — templated vuln scanning
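A common staging pattern is a fast Masscan sweep followed by quiet, targeted Nmap service scans of only the ports that answered. The following is an added example (not code from the original page) that parses Masscan list output, drops anything outside the signed scope before it reaches the next stage, and builds one per-host Nmap command; the Masscan file is a constructed sample in the format `masscan -oL` writes (imagined as the result of `masscan -p1-65535 --rate 1000 -oL masscan.txt 203.0.113.0/24`), and the addresses are documentation ranges used as placeholders.

```python
"""Turn masscan's list output into scoped, per-host Nmap follow-up scans.

Added example, not from the original page. SAMPLE_MASSCAN is a constructed
file in the format `masscan -oL` writes; the addresses are documentation
ranges used as placeholders.
"""
import ipaddress

SAMPLE_MASSCAN = """\
#masscan
open tcp 443 203.0.113.10 1700000000
open tcp 22 203.0.113.10 1700000001
open tcp 8443 203.0.113.25 1700000002
open tcp 443 198.51.100.7 1700000003
# end
"""

IN_SCOPE = ["203.0.113.0/24"]   # from the signed SoW / RoE (placeholder)


def parse_masscan_list(text):
    """Map each IP to a sorted list of (proto, port) pairs masscan found open."""
    hosts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "open":
            continue
        _state, proto, port, ip = parts[:4]
        hosts.setdefault(ip, set()).add((proto, int(port)))
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def split_by_scope(hosts, scope_cidrs):
    """Separate discovered hosts into in-scope and out-of-scope dicts.

    masscan reports anything that answered (a typo in the target list, a
    shared range); the out-of-scope set must never feed the next stage.
    """
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    inside, outside = {}, {}
    for ip, ports in hosts.items():
        addr = ipaddress.ip_address(ip)
        target = inside if any(addr in n for n in nets) else outside
        target[ip] = ports
    return inside, outside


def nmap_commands(hosts, timing="-T2"):
    """One service/version scan per host, limited to ports already seen open.

    -Pn skips host discovery (masscan already showed the host is up) and the
    explicit -p list keeps the follow-up quiet; timing defaults to -T2 for
    the same reason. -oA writes nmap_<ip>.nmap/.gnmap/.xml for the report.
    """
    cmds = []
    for ip, ports in sorted(hosts.items(),
                            key=lambda kv: ipaddress.ip_address(kv[0])):
        tcp = ",".join(str(p) for proto, p in ports if proto == "tcp")
        if tcp:
            cmds.append(f"nmap -Pn -sV -sC {timing} -p {tcp} -oA nmap_{ip} {ip}")
    return cmds


if __name__ == "__main__":
    found = parse_masscan_list(SAMPLE_MASSCAN)
    inside, outside = split_by_scope(found, IN_SCOPE)
    for ip in outside:
        print(f"SKIPPING {ip}: not in scope")
    for cmd in nmap_commands(inside):
        print(cmd)
```

Run the generated commands one at a time, or feed them to a scheduler spread across the testing window; the per-host port list is what keeps the second stage far below the noise of a full-range sweep.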
Use -T2 --randomize-hosts on Nmap for slower, less detectable sweeps. Consider timing against the client's monitoring maturity.
The goal is to obtain the first foothold — a shell, session, or credential that grants access to the internal environment. Initial access vectors range from technical exploitation to social engineering to abusing legitimate services.
- Phishing / spearphishing with AiTM proxy
- Exploitation of exposed web services
- Password spraying on OWA, VPN, O365
- Vulnerable public-facing application (RCE)
- Supply chain or third-party access
- Deploy implant / agent on foothold host
- Verify egress and C2 connectivity
- Stage persistence before proceeding
- Document access method and timestamp
- Notify client POC if required by RoE
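Password spraying is the initial-access vector most likely to cause the kind of failure the pre-engagement section warns about: a few careless rounds can lock out every account in the company. The following is an added example (not code from the original page) of a lockout-aware spray planner: it builds usernames from the email format learned during recon and splits the password list into rounds that stay under the lockout threshold, spacing them by the observation window. The threshold and window values are assumed placeholders and must come from the client's policy (or a cautious default); the planner produces the cadence only, the actual attempts go through whatever tool the RoE permits.

```python
"""Lockout-aware password spray planner.

Added example, not from the original page. Plans the cadence only; the
lockout threshold and observation window are assumed values that should
come from the client's policy or from a cautious default.
"""


def build_usernames(people, fmt):
    """Build candidate usernames from the email format learned during recon.

    fmt uses {first}, {last}, {f} (first initial) and {l} (last initial),
    e.g. "{first}.{last}" or "{f}{last}".
    """
    names = []
    for first, last in people:
        names.append(fmt.format(first=first.lower(), last=last.lower(),
                                f=first[0].lower(), l=last[0].lower()))
    return names


def spray_rounds(passwords, lockout_threshold, window_minutes,
                 round_duration_min=5, safety_margin=2):
    """Split passwords into rounds that stay under the lockout threshold.

    Each round tries at most (threshold - margin) passwords per user. The gap
    between round starts is the observation window plus the time a round
    takes, because Windows resets the bad-password counter window_minutes
    after the LAST failed attempt, not after the first.
    """
    per_round = lockout_threshold - safety_margin
    if per_round < 1:
        raise ValueError("threshold too low to spray safely; confirm the policy")
    gap = window_minutes + round_duration_min
    rounds = []
    for n, start in enumerate(range(0, len(passwords), per_round)):
        rounds.append({"round": n + 1,
                       "start_offset_min": n * gap,
                       "passwords": passwords[start:start + per_round]})
    return rounds


def total_duration_min(rounds, round_duration_min=5):
    """Wall-clock time the full spray needs, to check against the testing window."""
    if not rounds:
        return 0
    return rounds[-1]["start_offset_min"] + round_duration_min


if __name__ == "__main__":
    # Constructed sample people list and seasonal password candidates.
    users = build_usernames([("Ada", "Lovelace"), ("Alan", "Turing")], "{first}.{last}")
    plan = spray_rounds(["Winter2024!", "Spring2024!", "Welcome1", "Company123", "Password1"],
                        lockout_threshold=5, window_minutes=30)
    for r in plan:
        print(f"t+{r['start_offset_min']:>3} min: {len(users)} users x {r['passwords']}")
    print("total minutes:", total_duration_min(plan))
```

If the lockout policy is unknown, spray one password per round until the POC confirms it; a locked-out executive is an emergency-stop event, not a finding.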
With a foothold established, the focus shifts to understanding the local host, harvesting credentials, and identifying what internal access is available. Don't rush to move laterally — thorough post-ex on the initial host often yields the fastest path to objectives.
- Current user context and group memberships
- Running processes and installed software
- Network connections and listening ports
- Saved credentials, browser data, config files
- Scheduled tasks and startup items
- LSASS dump (Mimikatz, ProcDump + offline)
- SAM / NTDS.dit extraction
- Browser credential stores
- Windows credential manager
- Config files and environment variables
Lateral movement is the process of expanding access from the initial foothold to other systems in the environment. In Active Directory environments this often means moving toward Domain Controller access — the crown jewel of an AD compromise.
- Pass-the-Hash (PtH) with NTLM hash
- Pass-the-Ticket (PtT) with Kerberos TGT
- Kerberoasting — SPN ticket cracking
- AS-REP Roasting — accounts with Kerberos pre-authentication disabled
- DCSync — replicating credentials from a DC (requires the Replicating Directory Changes rights, normally held only by DA/DC accounts)
- PSExec, WMI, WinRM remote execution
- RDP with harvested credentials
- SMB share exploitation
- DCOM lateral movement
- SSH key pivoting on Linux hosts
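Before requesting any tickets, triage the directory: Kerberoasting only pays off against enabled user accounts with an SPN (machine accounts and krbtgt have long random passwords that will not crack), and AS-REP roasting needs the DONT_REQ_PREAUTH bit set. The following is an added example (not code from the original page) that applies those checks to LDAP user records and ranks the hits with privileged accounts first; the records are a constructed sample, and the corp.example domain and account names are placeholders.

```python
"""Triage AD user objects for Kerberoasting / AS-REP roasting.

Added example, not from the original page. SAMPLE_LDAP is a constructed
sample of the attributes you would pull over LDAP (sAMAccountName,
userAccountControl, servicePrincipalName, memberOf); corp.example and the
account names are placeholders.
"""

# userAccountControl bits (Microsoft-documented values)
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_REQ_PREAUTH = 0x400000

PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators")

SAMPLE_LDAP = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 66048,        # 0x10200: normal, pwd never expires
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "svc_backup", "userAccountControl": 4260352,   # 0x410200: pre-auth not required
     "servicePrincipalName": [], "memberOf": []},
    {"sAMAccountName": "old_admin", "userAccountControl": 514,        # 0x202: disabled
     "servicePrincipalName": ["HTTP/intranet.corp.example"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "WS01$", "userAccountControl": 4096,           # 0x1000: machine account
     "servicePrincipalName": ["HOST/ws01.corp.example"], "memberOf": []},
    {"sAMAccountName": "krbtgt", "userAccountControl": 514,
     "servicePrincipalName": ["kadmin/changepw"], "memberOf": []},
]


def is_enabled(entry):
    return not entry["userAccountControl"] & UF_ACCOUNTDISABLE


def is_machine(entry):
    uac = entry["userAccountControl"]
    return (entry["sAMAccountName"].endswith("$")
            or bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)))


def is_privileged(entry):
    # memberOf holds DNs; the first RDN is the group's CN
    groups = {dn.split(",")[0][3:] for dn in entry.get("memberOf", [])}
    return any(g in groups for g in PRIVILEGED_GROUPS)


def kerberoastable(entries):
    """Enabled user accounts with an SPN; machine accounts and krbtgt excluded."""
    return sorted(e["sAMAccountName"] for e in entries
                  if is_enabled(e) and e.get("servicePrincipalName")
                  and not is_machine(e)
                  and e["sAMAccountName"].lower() != "krbtgt")


def asrep_roastable(entries):
    """Enabled accounts with DONT_REQ_PREAUTH: an AS-REP can be requested
    for them with no credentials and cracked offline."""
    return sorted(e["sAMAccountName"] for e in entries
                  if is_enabled(e) and e["userAccountControl"] & UF_DONT_REQ_PREAUTH)


def roasting_targets(entries):
    """Combined list of (name, technique, privileged), privileged first."""
    by_name = {e["sAMAccountName"]: e for e in entries}
    targets = [(n, "kerberoast", is_privileged(by_name[n])) for n in kerberoastable(entries)]
    targets += [(n, "asrep", is_privileged(by_name[n])) for n in asrep_roastable(entries)]
    return sorted(targets, key=lambda t: (not t[2], t[0]))


if __name__ == "__main__":
    for name, technique, priv in roasting_targets(SAMPLE_LDAP):
        print(f"{name:<12} {technique:<10} {'PRIVILEGED' if priv else ''}")
```

Requesting a TGS for every SPN in the domain is noisy (one event 4769 with RC4 encryption per ticket); ranking first means you can ask for the two or three tickets that matter and stop.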
Reaching the engagement's defined objectives — whether that's domain admin, access to sensitive data, proof of exfiltration capability, or demonstrating a specific impact scenario. Document everything; this becomes the core of the technical report.
- Domain Admin / Enterprise Admin access
- Sensitive data access (PII, IP, financials)
- Demonstrate exfiltration capability
- Deploy ransomware simulation payload
- Access crown jewel system (defined in RoE)
- Screenshot of access with timestamp
- Hash of any sensitive data accessed (don't exfil real PII)
- Command history and tool output logs
- Network capture of C2 traffic (if relevant)
- Proof of impact screenshots for exec report
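Proving access to sensitive data without taking it means recording what is needed to identify the file and show impact, and nothing else. The following is an added example (not code from the original page) that produces such a record: SHA-256 and size of the file as found, its column names and row count, and a timestamp, with a check that no cell value has leaked into the record. SAMPLE_EXPORT is a constructed CSV standing in for a file found on a target; the host, path and operator names are placeholders.

```python
"""Record proof of access to sensitive data without exfiltrating it.

Added example, not from the original page. SAMPLE_EXPORT is a constructed
CSV standing in for a file found on a target; host, path and operator are
placeholders.
"""
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

SAMPLE_EXPORT = (
    "employee_id,full_name,ssn,salary\n"
    "1001,Ada Lovelace,123-45-6789,98000\n"
    "1002,Alan Turing,987-65-4321,102000\n"
    "1003,Grace Hopper,555-12-3456,120000\n"
).encode()


def evidence_record(host, path, data, operator, timestamp_utc=None):
    """Return a report-ready record: hash, size and shape of the data, no contents.

    The SHA-256 lets the client confirm later exactly which file was reached;
    column names and row count show impact; no field value leaves the host.
    """
    if timestamp_utc is None:
        timestamp_utc = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    text = data.decode("utf-8", errors="replace")
    reader = csv.reader(io.StringIO(text))
    header = next(reader, [])
    row_count = sum(1 for row in reader if row)
    return {
        "timestamp_utc": timestamp_utc,
        "host": host,
        "path": path,
        "operator": operator,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size_bytes": len(data),
        "columns": header,
        "row_count": row_count,
    }


def contains_field_values(record, data):
    """Sanity check before the record goes into the report: True if any data
    cell appears in it. The hash is excluded from the comparison because short
    numeric cells can legitimately occur inside a hex digest."""
    blob = json.dumps({k: v for k, v in record.items() if k != "sha256"})
    text = data.decode("utf-8", errors="replace")
    for row in list(csv.reader(io.StringIO(text)))[1:]:
        for cell in row:
            if cell and cell in blob:
                return True
    return False


if __name__ == "__main__":
    rec = evidence_record("FS01", r"\\FS01\HR\payroll_export.csv", SAMPLE_EXPORT, "tester-1")
    assert not contains_field_values(rec, SAMPLE_EXPORT)
    print(json.dumps(rec, indent=2))
```

Pair the record with the timestamped screenshot of the directory listing; together they prove access and impact while leaving the client's data where it was.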
The report is the primary deliverable — it's what the client pays for. A technically brilliant engagement with a poor report has diminished value. Clean up all artifacts and persistence mechanisms before submitting, and walk the client through findings in a debrief call.
- Remove all implants and agents
- Delete created user accounts and backdoors
- Remove modified scheduled tasks and services
- Restore changed registry keys
- Confirm cleanup with client POC
- Executive summary (non-technical)
- Attack narrative and timeline
- Technical findings with CVSS scores
- Evidence and proof-of-concept
- Remediation guidance per finding