Penetration Testing Phases
OpenSploit's five-phase penetration testing methodology with automated phase transitions and tool recommendations.
OpenSploit follows a structured penetration testing methodology with five phases. The agent automatically transitions between phases based on findings, though you can override this manually.
Phase Overview
Reconnaissance → Enumeration → Exploitation → Post-Exploitation → Reporting
1. Reconnaissance
Goal: Discover what’s running on the target
The first phase focuses on understanding the attack surface:
- Port scanning (TCP/UDP)
- Service detection and version identification
- OS fingerprinting
- Web technology detection
Key Tools:
- nmap - Port scanning and service detection
- web-fingerprint - Web technology identification
- whatweb - Additional web fingerprinting
Example:
> Perform reconnaissance on 10.10.10.1
Running nmap full port scan...
Found open ports: 22/tcp (SSH), 80/tcp (HTTP), 443/tcp (HTTPS)
Detected OS: Linux (Ubuntu)
Web server: nginx 1.18.0
2. Enumeration
Goal: Gather detailed information about discovered services
With services identified, enumerate them deeply:
- Directory and file discovery
- Vulnerability scanning
- Version-specific CVE research
- Application mapping
Key Tools:
- ffuf/gobuster - Directory bruteforcing
- nikto - Web vulnerability scanning
- nuclei - Template-based scanning
- cve-lookup - CVE research
Example:
> Enumerate the web application on port 80
Running directory scan...
Found: /admin, /api, /uploads, /backup
Running nuclei vulnerability scan...
Found: CVE-2021-XXXXX in detected CMS
3. Exploitation
Goal: Gain initial access to the target
Attempt to exploit discovered vulnerabilities:
- SQL injection testing
- Credential attacks
- Known vulnerability exploitation
- Custom exploit execution
Key Tools:
- sqlmap - SQL injection
- hydra - Credential brute-forcing
- metasploit - Exploitation framework
- exploit-runner - Custom exploits
Example:
> Test the login form for SQL injection
Running sqlmap on /login endpoint...
Vulnerability found: time-based blind SQL injection
Extracting database schema...
Found credentials in users table
4. Post-Exploitation
Goal: Escalate privileges and maintain access
After gaining initial access:
- Privilege escalation
- Credential harvesting
- Lateral movement
- Persistence mechanisms
Key Tools:
- privesc - Privilege escalation enumeration
- ssh - Remote access
- tunnel - Port forwarding and pivoting
- mysql/mongodb - Database access
Example:
> I have SSH access as www-data. Escalate privileges.
Running privilege escalation checks...
Found: SUID binary /usr/bin/find
Exploiting via: find . -exec /bin/sh \; -quit
Gained root access
5. Reporting
Goal: Document findings and generate reports
Aggregate all findings into a professional report:
- Finding categorization by severity
- Evidence collection
- Remediation recommendations
- Multiple output formats
Output Formats:
- Markdown
- HTML
- PDF (planned)
Severity Levels:
- Critical - Immediate exploitation possible
- High - Significant security impact
- Medium - Moderate risk
- Low - Minor issues
- Info - Informational findings
Phase Transitions
OpenSploit automatically transitions phases based on:
| Trigger | Transition |
|---|---|
| Ports/services discovered | Recon → Enumeration |
| Vulnerabilities identified | Enumeration → Exploitation |
| Initial access gained | Exploitation → Post-Exploitation |
| Objectives completed | Any → Reporting |
Phase-Appropriate Tools
Each phase has recommended and discouraged tools:
| Phase | Recommended | Discouraged |
|---|---|---|
| Reconnaissance | nmap, web-fingerprint | sqlmap, metasploit |
| Enumeration | ffuf, nuclei, nikto | exploitation tools |
| Exploitation | sqlmap, hydra | reconnaissance tools |
| Post-Exploitation | privesc, tunnel | scanning tools |
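The two tables above describe a small state machine: findings drive phase transitions, the operator can override them, and each phase has a recommended and a discouraged tool set. The following is an added illustration of that logic, not OpenSploit's own code; the finding kinds (`service`, `vulnerability`, `access`, `objectives-completed`) and the spelled-out tool names behind the table's categories ("exploitation tools", "scanning tools") are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Phase(Enum):
    RECON = "Reconnaissance"
    ENUM = "Enumeration"
    EXPLOIT = "Exploitation"
    POST = "Post-Exploitation"
    REPORT = "Reporting"

# Automatic transitions from the Phase Transitions table: (finding kind, current phase) -> next phase.
TRIGGERS = {("service", Phase.RECON): Phase.ENUM,
            ("vulnerability", Phase.ENUM): Phase.EXPLOIT,
            ("access", Phase.EXPLOIT): Phase.POST}

# (recommended, discouraged) tools per phase; the page's tool categories are spelled out as names here.
TOOLS = {
    Phase.RECON: ({"nmap", "web-fingerprint", "whatweb"}, {"sqlmap", "metasploit"}),
    Phase.ENUM: ({"ffuf", "gobuster", "nikto", "nuclei", "cve-lookup"},
                 {"sqlmap", "hydra", "metasploit", "exploit-runner"}),
    Phase.EXPLOIT: ({"sqlmap", "hydra", "metasploit", "exploit-runner"},
                    {"nmap", "web-fingerprint", "whatweb"}),
    Phase.POST: ({"privesc", "ssh", "tunnel", "mysql", "mongodb"},
                 {"nmap", "ffuf", "gobuster", "nikto", "nuclei"}),
    Phase.REPORT: (set(), set()),
}

@dataclass
class Engagement:
    phase: Phase = Phase.RECON
    findings: list = field(default_factory=list)  # (phase, kind, detail), kept across phases

    def record(self, kind: str, detail: str) -> Phase:
        # Store the finding, then apply the transition it triggers. A finding that does not
        # fit the current phase is kept but moves nothing; "objectives-completed" fires from any phase.
        self.findings.append((self.phase, kind, detail))
        nxt = Phase.REPORT if kind == "objectives-completed" else TRIGGERS.get((kind, self.phase))
        if nxt is not None:
            self.phase = nxt
        return self.phase

    def override(self, phase: Phase) -> Phase:
        # Operator override: force any phase regardless of findings.
        self.phase = phase
        return phase

    def tool_verdict(self, tool: str) -> str:
        # Classify a tool for the current phase: recommended, discouraged or neutral.
        rec, disc = TOOLS[self.phase]
        return "discouraged" if tool in disc else "recommended" if tool in rec else "neutral"
```

Walking an engagement through `record()` with the findings from the examples above reproduces the Recon → Enumeration → Exploitation → Post-Exploitation → Reporting sequence, while `tool_verdict()` flags a tool such as sqlmap as discouraged until the Exploitation phase is reached.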