
Penetration Testing Guide: A Step-by-Step Playbook from OSINT to Post-Exploit

February 21, 2026 · 15 min read · VefaSec Editorial

A professional pentest is not a matter of stitching a few tool outputs together; it demands a methodical flow, a repeatable checklist and evidence-based reporting. This playbook walks through the steps the VefaSec pentest team applies.

OSINT and Passive Reconnaissance

Before any direct interaction with the target, public sources are mined for information: WHOIS, certificate transparency logs, Shodan/Censys, GitHub code, the Wayback Machine and LinkedIn staff lists. Amass and Subfinder are the industry standard for subdomain discovery.

The OSINT phase typically reveals around 70% of what you need to know about the organization: technology stack, cloud provider, security investment level and potential phishing targets. This intelligence is critical for narrowing the attack surface in subsequent steps.

Active Reconnaissance: Port Scanning and Service Fingerprinting

Nmap performs TCP SYN scans followed by service/version detection and default scripts (-sC) to pull version information from critical services. Masscan handles fast sweeps across large IP ranges. Naabu, a modern Go-based alternative, integrates smoothly with subdomain discovery.

For web services, Httpx checks live hosts, then Aquatone or Gowitness captures screenshots; Nuclei runs template-based vulnerability scans. This pipeline can cover 1000+ subdomains within 10 minutes.

Web Application Testing: OWASP WSTG

OWASP WSTG (Web Security Testing Guide) delivers systematic testing via 100+ test scenarios. It contains a detailed checklist for authentication bypass, authorization flaws, input validation, business logic, client-side flaws and API testing.

Burp Suite Pro covers manual testing and active scanning; extensions (Autorize, JWT Editor, Param Miner) unlock deep analysis. Every finding is verified manually and PoC (proof-of-concept) steps are documented.

Exploit Validation and Post-Exploitation

Once a vulnerability is detected, is it actually exploitable? We prove it by building a PoC. Metasploit modules, public exploit code or custom Python/Go scripts are tested in a safe sandbox.

The post-exploitation phase covers privilege escalation, lateral movement, credential dumping, sensitive data access and persistence. Mapping each technique to the MITRE ATT&CK framework lifts report quality to the industry standard.

Reporting and Free Retest

A pentest report is not just a findings list; it must include an executive summary, technical appendix, CVSS 4.0 scoring, priority-sorted remediation and business impact analysis. VefaSec reports run 30–80 pages with screenshots and step-by-step exploitation for each finding.

A free retest after remediation is built into the process; fixed issues are re-verified and the report is updated with a 'fixed' tag. You leave with a defensible evidence package for internal audits and client conversations.

Talk to VefaSec about your project or audit needs.

Our Diyarbakır-based team delivers end-to-end software development, penetration testing and cybersecurity advisory to enterprise clients. The discovery call is free and non-binding.
