Skip to content

Methodology

2. PENETRATION TESTING METHODOLOGY (PTES)

2.1 Penetration Testing Execution Standard (PTES) Framework

Abhavtech follows the industry-standard PTES methodology with 6 distinct phases:

┌─────────────────────────────────────────────────────────────────────────────────┐
│                        PTES 6-PHASE METHODOLOGY                                  │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                  │
│  PHASE 1: PRE-ENGAGEMENT                                                        │
│  ══════════════════════════════════════════════════════════════════════════     │
│  Duration: 1 week before test starts                                            │
│  Objective: Define scope, rules of engagement, obtain legal authorization       │
│                                                                                  │
│  Key Activities:                                                                │
│  ✓ Scope definition (in-scope systems, attack surfaces, prohibited attacks)     │
│  ✓ Rules of Engagement (ROE) document creation                                  │
│  ✓ Legal authorization letter (signed by CISO, Legal, CTO)                      │
│  ✓ Emergency contact escalation path (24x7 phone tree)                          │
│  ✓ Define success criteria (metrics, deliverables, reporting)                   │
│  ✓ Schedule kickoff meeting (Red Team, Blue Team, Network Engineering)          │
│                                                                                  │
│  Deliverables:                                                                  │
│  • Signed Rules of Engagement (ROE) document                                    │
│  • Penetration Testing Authorization Letter                                     │
│  • Scope definition spreadsheet (IP ranges, systems, credentials)               │
│  • Emergency stop procedures document                                           │
│                                                                                  │
│  ┌────────────────────────────────────────────────────────────────────┐         │
│  │  SAMPLE ROE COMPONENTS                                             │         │
│  │  ─────────────────────────────────────────────────────────────     │         │
│  │  • Test Window: Monday 0000 IST - Friday 2359 IST (Week of Jan 15) │         │
│  │  • Attack Sources: Red Team lab (10.200.0.0/24), Internet (external)│        │
│  │  • Permitted Techniques: All except DoS, ransomware, data deletion │         │
│  │  • Credentials Provided: 5 standard user accounts (no admin)       │         │
│  │  • Social Engineering: Email phishing (no phone vishing)            │         │
│  │  • Physical Access: Badge cloning test (HQ only, with security)    │         │
│  │  • Stop Condition: Production service disruption >5 minutes         │         │
│  │  • Daily Debriefs: 1700 IST (Red Team + Blue Team + CISO)          │         │
│  └────────────────────────────────────────────────────────────────────┘         │
│                                                                                  │
│  PHASE 2: INTELLIGENCE GATHERING (Reconnaissance)                               │
│  ══════════════════════════════════════════════════════════════════════════     │
│  Duration: Days 1-3 of test                                                     │
│  Objective: Gather information about target infrastructure                      │
│                                                                                  │
│  Passive Reconnaissance (No Direct Target Contact):                             │
│  ✓ OSINT (Open Source Intelligence) collection                                  │
│    • DNS enumeration (nslookup, dig, dnsdumpster.com)                           │
│    • WHOIS lookups (domain registration, IP ownership)                          │
│    • LinkedIn reconnaissance (employees, roles, org structure)                  │
│    • Google dorking (site:abhavtech.com, inurl:admin, filetype:pdf)             │
│    • Shodan/Censys searches (exposed services, SSL certificates)                │
│    • GitHub/GitLab code searches (leaked credentials, API keys)                 │
│  ✓ Public breach databases (HaveIBeenPwned, DeHashed - password reuse)          │
│  ✓ Social media scraping (employee emails, phone numbers)                       │
│                                                                                  │
│  Active Reconnaissance (Direct Target Interaction):                             │
│  ✓ Network mapping (Nmap, Masscan)                                              │
│    • Port scanning (TCP/UDP, service version detection)                         │
│    • OS fingerprinting (TTL analysis, TCP stack behavior)                       │
│    • Service enumeration (SSH banners, HTTP headers, SNMP walks)                │
│  ✓ Wireless network discovery (Airodump-ng, Kismet)                             │
│  ✓ Email harvesting (TheHarvester, Hunter.io)                                   │
│  ✓ Subdomain enumeration (Amass, Sublist3r, certificate transparency logs)      │
│                                                                                  │
│  Deliverables:                                                                  │
│  • Network map (IP ranges, open ports, services)                                │
│  • Employee database (names, emails, roles, departments)                        │
│  • Technology stack identification (Cisco equipment, software versions)         │
│  • Attack surface analysis (exposed services, potential entry points)           │
│                                                                                  │
│  PHASE 3: VULNERABILITY ANALYSIS                                                │
│  ══════════════════════════════════════════════════════════════════════════     │
│  Duration: Days 3-5 of test                                                     │
│  Objective: Identify exploitable vulnerabilities in discovered systems          │
│                                                                                  │
│  Automated Vulnerability Scanning:                                              │
│  ✓ Nessus Professional (comprehensive vulnerability scanner)                    │
│  ✓ OpenVAS (open-source alternative)                                            │
│  ✓ Qualys/Rapid7 Nexpose (cloud-based scanning)                                 │
│  ✓ Nmap NSE scripts (vulnerability-specific checks)                             │
│                                                                                  │
│  Manual Vulnerability Assessment:                                               │
│  ✓ Configuration review (hardening benchmarks - CIS, NIST)                      │
│    • Cisco IOS/IOS-XE config analysis (weak passwords, old protocols)           │
│    • ISE policy review (weak 802.1X configurations, default certs)              │
│    • FTD rule analysis (overly permissive firewall rules, any/any)              │
│    • vManage security posture (default credentials, API exposure)               │
│  ✓ Web application testing (OWASP Top 10)                                       │
│    • SQL injection (SQLmap)                                                     │
│    • Cross-site scripting (XSS)                                                 │
│    • Authentication bypass                                                      │
│    • Insecure direct object references (IDOR)                                   │
│  ✓ Wireless security testing                                                    │
│    • WPA2/WPA3 encryption strength                                              │
│    • Enterprise authentication (EAP-TLS certificate validation)                 │
│    • Rogue AP detection capabilities                                            │
│                                                                                  │
│  Vulnerability Prioritization:                                                  │
│  • CVSS scoring (Common Vulnerability Scoring System)                           │
│  • Exploitability assessment (public exploits available?)                       │
│  • Business impact analysis (PCI-DSS scope, customer data exposure)             │
│                                                                                  │
│  Deliverables:                                                                  │
│  • Vulnerability report (sorted by severity: Critical/High/Medium/Low)          │
│  • Exploitability matrix (likelihood vs impact)                                 │
│  • Remediation recommendations (patch, config change, compensating controls)    │
│                                                                                  │
│  PHASE 4: EXPLOITATION                                                          │
│  ══════════════════════════════════════════════════════════════════════════     │
│  Duration: Days 5-10 of test                                                    │
│  Objective: Exploit identified vulnerabilities to gain access, prove impact     │
│                                                                                  │
│  Initial Access:                                                                │
│  ✓ External attack vectors:                                                     │
│    • Phishing campaigns (credential harvesting)                                 │
│    • Exploit public-facing web apps (SQL injection, RCE)                        │
│    • VPN attacks (brute force, credential stuffing)                             │
│    • Exploit CVEs in exposed services (unpatched systems)                       │
│  ✓ Internal attack vectors (assumes compromised user):                          │
│    • 802.1X bypass attempts (MAB spoofing, VLAN hopping)                        │
│    • ARP spoofing, LLMNR/NBT-NS poisoning (Responder.py)                        │
│    • SMB relay attacks (ntlmrelayx)                                             │
│                                                                                  │
│  Post-Exploitation:                                                             │
│  ✓ Privilege escalation:                                                        │
│    • Windows: Kernel exploits, token impersonation, UAC bypass                  │
│    • Linux: SUID binaries, kernel exploits, sudo misconfiguration               │
│    • Network devices: SNMP default community strings, Cisco IOS exploits        │
│  ✓ Lateral movement:                                                            │
│    • Pass-the-Hash (Mimikatz, CrackMapExec)                                     │
│    • Kerberoasting (request TGS for service accounts)                           │
│    • RDP/SSH pivot (compromised credentials)                                    │
│    • VLAN hopping (if SGT segmentation fails)                                   │
│  ✓ Persistence:                                                                 │
│    • Registry run keys (Windows)                                                │
│    • Scheduled tasks / cron jobs                                                │
│    • Web shells on compromised servers                                          │
│    • Backdoor user accounts                                                     │
│  ✓ Data exfiltration simulation:                                                │
│    • Locate sensitive data (PCI-DSS cardholder data, PII)                       │
│    • Exfiltrate small sample (proof of concept, no actual breach)               │
│    • Test DLP controls (Umbrella, FTD, Secure Email)                            │
│                                                                                  │
│  Deliverables:                                                                  │
│  • Exploitation report (successful attacks, proof-of-concept screenshots)       │
│  • Privilege escalation paths (attack chains)                                   │
│  • Lateral movement map (compromised systems, pivot points)                     │
│                                                                                  │
│  PHASE 5: POST-EXPLOITATION                                                     │
│  ══════════════════════════════════════════════════════════════════════════     │
│  Duration: Days 10-12 of test                                                   │
│  Objective: Assess full impact, demonstrate business risk, maintain access      │
│                                                                                  │
│  Business Impact Demonstration:                                                 │
│  ✓ Crown jewel access (critical business systems):                              │
│    • ERP systems (SAP, Oracle)                                                  │
│    • CRM databases (Salesforce)                                                 │
│    • Payment processing systems (PCI-DSS in-scope)                              │
│    • Backup systems (Veeam, test recovery data access)                          │
│  ✓ Data classification and exfiltration risk:                                   │
│    • PII (Personally Identifiable Information)                                  │
│    • CHD (Cardholder Data - PCI-DSS)                                            │
│    • PHI (Protected Health Information - HIPAA if applicable)                   │
│    • Trade secrets, intellectual property                                       │
│                                                                                  │
│  Persistence & Command and Control (C2):                                        │
│  ✓ Establish covert channels:                                                   │
│    • DNS tunneling (iodine, dnscat2) - test Umbrella detection                  │
│    • HTTPS C2 beaconing (Cobalt Strike, Metasploit) - test XDR detection        │
│    • ICMP tunneling (ptunnel) - test FTD inspection                             │
│  ✓ Evade detection mechanisms:                                                  │
│    • AMP signature evasion (obfuscation, polymorphism)                          │
│    • FTD IPS bypass (fragmentation, encoding)                                   │
│    • Splunk log evasion (event log tampering, sysmon bypass)                    │
│                                                                                  │
│  Deliverables:                                                                  │
│  • Crown jewel access report (business-critical system compromises)             │
│  • Data exfiltration simulation results (what could be stolen)                  │
│  • Persistence mechanisms report (how attacker maintains access)                │
│  • Detection evasion techniques report (what bypassed security controls)        │
│                                                                                  │
│  PHASE 6: REPORTING                                                             │
│  ══════════════════════════════════════════════════════════════════════════     │
│  Duration: Days 13-14 (post-test)                                               │
│  Objective: Document findings, provide remediation roadmap, present to stakeholders│
│                                                                                  │
│  Report Components:                                                             │
│  ✓ Executive Summary (for CISO, CTO, Board):                                    │
│    • Overall security posture score (0-100)                                     │
│    • Critical findings summary (top 5 risks)                                    │
│    • Business impact (financial, reputational, regulatory)                      │
│    • High-level remediation roadmap (timeline, resources)                       │
│                                                                                  │
│  ✓ Technical Findings (for Security, Network Engineering):                      │
│    • Detailed vulnerability descriptions                                        │
│    • Exploitation procedures (step-by-step)                                     │
│    • Evidence (screenshots, packet captures, log excerpts)                      │
│    • CVSS scores, MITRE ATT&CK technique mapping                                │
│    • Remediation recommendations (technical steps)                              │
│                                                                                  │
│  ✓ Attack Narrative (for all stakeholders):                                     │
│    • Timeline of attack progression                                             │
│    • Attack chain diagram (initial access → lateral movement → data exfiltration)│
│    • Detection gaps identified (where Blue Team missed alerts)                  │
│    • Defense-in-depth analysis (which layers failed/succeeded)                  │
│                                                                                  │
│  ✓ Remediation Roadmap:                                                         │
│    • Prioritized action plan (Critical = 7 days, High = 30 days, etc.)          │
│    • Ownership assignments (Network, Security, IT Ops)                          │
│    • Re-test plan (validate fixes in next test cycle)                           │
│                                                                                  │
│  Deliverables:                                                                  │
│  • Executive summary presentation (PowerPoint, 10-15 slides)                    │
│  • Technical report (PDF, 50-100 pages)                                         │
│  • Remediation tracking spreadsheet (Excel/Google Sheets)                       │
│  • Evidence package (screenshots, PCAPs, logs - encrypted ZIP)                  │
│  • Re-test procedures document                                                  │
│                                                                                  │
└─────────────────────────────────────────────────────────────────────────────────┘

2.2 MITRE ATT&CK Mapping

All penetration test findings are mapped to the MITRE ATT&CK framework to provide standardized taxonomy and improve detection coverage.

Primary Tactics Tested:

Tactic Description Test Coverage
TA0001: Initial Access How attackers gain initial foothold Phishing, VPN exploitation, external web app compromise
TA0002: Execution How attackers run malicious code PowerShell, command-line tools, malware deployment
TA0003: Persistence How attackers maintain access Registry keys, scheduled tasks, backdoor accounts
TA0004: Privilege Escalation How attackers gain higher privileges Kernel exploits, token manipulation, sudo misconfiguration
TA0005: Defense Evasion How attackers avoid detection AMP bypass, log tampering, obfuscation
TA0006: Credential Access How attackers steal credentials Mimikatz, Kerberoasting, password cracking
TA0007: Discovery How attackers learn about environment Network scanning, AD enumeration, service discovery
TA0008: Lateral Movement How attackers move through network Pass-the-Hash, RDP pivoting, SMB exploitation
TA0009: Collection How attackers gather data Database queries, file server access, email harvesting
TA0010: Exfiltration How attackers steal data DNS tunneling, HTTPS upload, cloud storage
TA0011: Command and Control How attackers communicate with compromised systems Cobalt Strike beaconing, DNS C2, HTTPS C2

Detection Coverage Goals:

ATT&CK Tactic Current Detection Rate Target Detection Rate Gap Analysis
Initial Access 75% 90% Need better phishing detection (Secure Email tuning)
Execution 80% 95% PowerShell logging improvements (Event ID 4104)
Persistence 60% 85% Registry monitoring, scheduled task alerts
Privilege Escalation 65% 90% Kernel exploit detection (AMP behavioral)
Defense Evasion 50% 75% Log tampering detection (Splunk correlation)
Credential Access 70% 90% Mimikatz detection (AMP signatures, behavioral)
Discovery 55% 80% Network scanning alerts (NetFlow anomalies)
Lateral Movement 60% 85% Pass-the-Hash detection (Splunk Event ID 4624 type 3)
Collection 40% 70% Data access monitoring (UEBA baselines)
Exfiltration 55% 80% DLP tuning (Umbrella, FTD, Secure Email)
Command and Control 65% 85% C2 beaconing detection (XDR, Umbrella Investigate)