Penetration Testing Tools19 min read0 views

Network Penetration Testing Methodology: A Professional Framework

A structured framework for conducting network penetration tests used by professional security teams. We break down the 7-phase methodology (scoping through reporting), explain which tools fit each phase, and share the documentation templates that turn raw findings into actionable client reports.

Ugbeda Preacher

Ugbeda Preacher

Security Tools Reviewer · June 25, 2026

Network Penetration Testing Methodology: A Professional Framework

Key Takeaways

  • Professional pen tests follow a structured 7-phase methodology: Pre-engagement → Reconnaissance → Scanning → Vulnerability Assessment → Exploitation → Post-Exploitation → Reporting
  • The scoping and rules of engagement (ROE) document is the most important deliverable before testing begins — it defines what you can test, when, and what happens if something breaks
  • Reconnaissance should take 30-40% of your total testing time — the more you know about the target before attacking, the higher your success rate during exploitation
  • Every finding needs a CVSS score, business impact explanation, proof-of-concept screenshot, and specific remediation steps — vague findings get ignored by clients
  • The three industry-standard frameworks are PTES (Penetration Testing Execution Standard), OSSTMM (Open Source Security Testing Methodology Manual), and NIST SP 800-115 — most teams blend elements from all three

A penetration test without a methodology is just random hacking. Professional pen testers follow a structured framework that ensures nothing gets missed, findings are reproducible, and clients get reports they can actually use to fix things.

This guide covers the complete network penetration testing methodology used by security firms worldwide. Whether you are preparing for your first professional engagement or building a career in offensive security, this framework gives you the step-by-step process from initial client conversation to final report delivery.

Industry Standard Frameworks

Three major frameworks guide professional penetration testing. Most security teams take elements from all three:

FrameworkFull NameBest ForKey Strength
PTESPenetration Testing Execution StandardGeneral pen testingMost detailed phase-by-phase guidance, widely adopted
OSSTMMOpen Source Security Testing Methodology ManualCompliance-driven testsQuantitative risk scoring (RAV), audit-ready documentation
NIST SP 800-115Technical Guide to Information Security TestingGovernment/regulatoryOfficially recognized by US government agencies
OWASP Testing GuideOpen Web Application Security ProjectWeb applications onlyMost comprehensive web-specific testing checklist
CRESTCouncil of Registered Ethical Security TestersUK/internationalAccreditation body with standardized exam requirements

Our recommendation: Use PTES as your primary structure. It covers the entire engagement lifecycle and is the framework referenced in most pen testing certifications (OSCP, PNPT, CEH).

The 7 Phases of a Network Penetration Test

Phase 1: Pre-Engagement (Scoping)

This happens before any testing. You and the client agree on exactly what will be tested and how. This phase produces the two most important documents of the entire engagement:

DocumentWhat It ContainsWhy It Matters
Statement of Work (SOW)Scope, timeline, cost, deliverables, testing windows, emergency contactsLegal contract — protects both you and the client
Rules of Engagement (ROE)Allowed/forbidden techniques, IP ranges in scope, testing hours, escalation proceduresKeeps you out of legal trouble and prevents accidental damage

Key scoping questions to ask the client:

  • How many IP addresses or hosts are in scope? (External? Internal? Both?)
  • Are there any systems that absolutely cannot be tested? (Production databases, medical devices, etc.)
  • What testing hours are allowed? (Business hours only? After hours? Weekends?)
  • Is social engineering in scope? (Phishing? Physical access attempts?)
  • Who do we contact if we accidentally cause an outage?
  • What is the expected timeline and report delivery date?
  • Has the network been pen tested before? Can we see the previous report?

Phase 2: Reconnaissance (Information Gathering)

This is where you learn everything possible about the target before touching it with scanning tools. Good recon separates amateur testers from professionals. Spend 30-40% of your total engagement time here.

Recon TypeWhat You DoToolsWhat You Find
Passive (OSINT)Gather info without touching the targetShodan, Google Dorks, Maltego, LinkedIn, WHOISSubdomains, employee names, tech stack, email format, leaked credentials
ActiveInteract directly with target systemsNmap, Amass, DNS zone transfers, Banner grabbingOpen ports, running services, OS versions, network topology

Critical OSINT sources most beginners overlook:

  • Certificate Transparency logs — crt.sh reveals all SSL certificates issued for a domain, exposing subdomains the client forgot about
  • Wayback Machine — web.archive.org shows old versions of the target website, often with configuration files or admin pages that still exist
  • GitHub/GitLab — employees accidentally commit API keys, database passwords, and internal documentation to public repos
  • Job listings — a job posting for a "Senior FortiGate Admin" tells you they use Fortinet firewalls
  • Shodan/Censys — shows internet-facing services, default credentials, and known vulnerabilities without scanning the target yourself

Phase 3: Scanning

Now you actively probe the target. The goal is to map every open port, identify every running service, and build a complete picture of the attack surface.

Scan TypeToolCommand ExamplePurpose
Port DiscoveryNmapnmap -sS -p- -T4 targetFind all 65,535 ports (not just common ones)
Service DetectionNmapnmap -sV -sC -p [ports] targetIdentify software and version on each port
OS DetectionNmapnmap -O targetIdentify operating system (Windows vs Linux vs router)
Web DirectoryGobustergobuster dir -u target -w wordlistFind hidden pages, admin panels, backup files
DNS EnumerationDNSrecondnsrecon -d target.comFind subdomains, mail servers, DNS misconfigs
SMB EnumerationEnum4linuxenum4linux -a targetWindows shares, users, policies, domain info
SNMP Walkingsnmpwalksnmpwalk -v2c -c public targetNetwork device configs, interfaces, routing tables
Network Pen Test Methodology: 7 Phases with Time Allocation 1. PRE-ENGAGE Scope & ROE SOW contract Emergency plan 5-10% 2. RECON OSINT gathering Passive intel Target mapping 30-40% ★ 3. SCANNING Port discovery Service detection DNS/SMB enum 10-15% 4. VULN ASSESS Nessus/OpenVAS Manual testing Prioritize targets 10-15% 5. EXPLOIT Metasploit/manual Gain access Prove impact 10-15% 6. POST-EXPLOIT Priv escalation Lateral movement Data access proof 5-10% 7. REPORTING Exec summary Detailed findings Remediation steps 15-20% Vulnerability Scan ≠ Penetration Test Vuln Scan: Automated → List of potential issues → No exploitation Pen Test: Human tester → Verified exploits → Proven impact Vuln Scan: $500-2,000 → Hours to run Pen Test: $5,000-100,000+ → Days to weeks Key: Pen tests PROVE exploitation. Scans only SUGGEST risk. Top Pen Test Certifications OSCP — Gold standard, 24hr practical exam PNPT — Includes report writing, practical GPEN — Enterprise-focused, GIAC family PenTest+ — Entry-level, CompTIA CEH — Widely recognized, more theoretical
Professional pen tests follow these 7 phases in order. Reconnaissance gets the most time because better recon leads to better exploitation results.

Phase 4: Vulnerability Assessment

Now you analyze your scanning results to identify real vulnerabilities worth exploiting. This is where you separate actual risks from false positives.

Assessment MethodToolStrengthWeakness
Automated scanningNessus, OpenVAS, QualysFast, identifies thousands of known CVEsHigh false positive rate (20-40%), cannot find logic flaws
Manual testingBurp Suite, curl, custom scriptsFinds complex chained vulnerabilitiesSlower, requires expertise, easy to miss simple issues
Credential testingHydra, CrackMapExec, MedusaFinds default/weak passwords on network servicesAccount lockout risk if not careful

Prioritization framework: Not every vulnerability is worth exploiting during a time-limited engagement. Focus on vulnerabilities that are: (1) remotely exploitable, (2) have public exploit code available, (3) affect critical systems, and (4) are likely to give you elevated access. A critical SQL injection on the main web server matters more than a medium-severity information disclosure on a print server.

Phase 5: Exploitation

This is the phase most people think of as "hacking." You use the vulnerabilities found in Phase 4 to gain unauthorized access. But exploitation in a professional test is very different from what you see in movies:

  • Document every step. Before running an exploit, screenshot your terminal. After it succeeds, screenshot the result. You need proof for the report.
  • Minimize impact. Never run a destructive exploit. Never delete data. Never modify production configurations. If an exploit crashes a service, stop and notify the client immediately.
  • Chain vulnerabilities. Individual medium-severity findings can combine into critical ones. A weak password + privilege escalation + network access = complete domain compromise. This chaining is what makes human pen testers more valuable than automated scanners.

Common exploitation paths on corporate networks:

Attack PathInitial AccessEscalationImpact
Password sprayingGuess common passwords across many accountsFind admin account with the same passwordDomain admin access
Unpatched serviceExploit known CVE (e.g., EternalBlue)Meterpreter → hashdump → pass-the-hashFull network control
Default credentialsLogin to network device (router, switch, printer) with admin/adminModify routing, capture trafficMan-in-the-middle on all traffic
Responder/LLMNRCapture NetNTLM hashes from broadcast trafficCrack hashes → relay to other systemsLateral movement across the network
Web app to internalSQLi or file upload on public-facing web appPivot from DMZ to internal networkAccess internal systems from the internet

Phase 6: Post-Exploitation

After gaining initial access, you demonstrate the real business impact of the vulnerability. This phase answers the client's most important question: "So what? What can an attacker actually do?"

  • Privilege escalation: Can you go from a regular user to admin/root? Use LinPEAS (Linux) or WinPEAS (Windows) to find escalation paths.
  • Lateral movement: Can you access other systems? Use CrackMapExec, PsExec, or SSH with stolen credentials to move through the network.
  • Data access: Can you reach sensitive data? Show that you can access customer databases, financial records, or intellectual property (screenshot the access, never exfiltrate real data).
  • Persistence: Could a real attacker maintain access? Describe (but do not actually implement) persistence mechanisms like scheduled tasks, registry keys, or authorized_keys additions.

Phase 7: Reporting

The report is the actual product of a penetration test. A brilliant exploitation means nothing if the report is unclear. Here is what every finding needs:

Report ElementWhat to IncludeWhy It Matters
Finding TitleClear, descriptive name (not CVE numbers)"Default Admin Credentials on Core Switch" is better than "CVE-XXXX"
SeverityCVSS v3.1 score + Critical/High/Medium/Low/InfoHelps the client prioritize fixes
DescriptionWhat the vulnerability is in plain EnglishNon-technical stakeholders need to understand the risk
Business ImpactWhat an attacker could do with this vulnerability"Could lead to complete network compromise" motivates action
Proof of ConceptScreenshots and commands showing the exploit workedProves the finding is real, not theoretical
RemediationSpecific steps to fix the issue"Change the password" is not enough — specify complexity, rotation, MFA
ReferencesCVE IDs, vendor advisories, CWE numbersHelps the client research the issue further
Professional Pen Test Report Structure Executive Summary 1-2 pages • Overall risk level • Top 3-5 findings • Business language • No technical jargon AUDIENCE: C-Suite, Board, Non-technical ★ Most important section Methodology 2-4 pages • Scope (IPs, dates) • Tools used • Testing approach • Limitations noted AUDIENCE: Security team, Auditors Detailed Findings 20-60 pages • CVSS severity score • Proof-of-concept • Business impact • Fix instructions AUDIENCE: IT teams, Sysadmins, Devs ★ Biggest section Appendices 5-20 pages • Raw scan outputs • Full Nmap results • Nessus exports • Supporting evidence AUDIENCE: Technical verification A professional report is 30-80 pages. The executive summary is what drives budget decisions. Detailed findings drive actual fixes.
Each section of the report serves a different audience. The executive summary is short but drives the most business decisions.

Severity Ratings: How to Score Findings

Use CVSS v3.1 (Common Vulnerability Scoring System) to assign consistent severity ratings. Here is a quick reference:

CVSS ScoreSeverityExampleExpected Fix Timeline
9.0 - 10.0CriticalRemote code execution on public-facing server, default admin on domain controllerImmediate (24-48 hours)
7.0 - 8.9HighSQL injection on authenticated page, privilege escalation, weak domain passwordsWithin 1 week
4.0 - 6.9MediumCross-site scripting, information disclosure, outdated softwareWithin 30 days
0.1 - 3.9LowMissing HTTP headers, verbose error messages, cookie flagsWithin 90 days
0.0InformationalServer banner disclosure, open ports that are expectedAt client discretion

Internal vs External Testing: Key Differences

AspectExternal TestInternal Test
PerspectiveInternet attacker with no insider knowledgeMalicious insider or attacker who breached the perimeter
ScopePublic-facing IPs, web apps, mail servers, VPNInternal network, Active Directory, file shares, printers
Common findingsOutdated web servers, weak SSL, exposed admin panelsWeak AD passwords, LLMNR poisoning, SMB signing disabled
Typical duration1-2 weeks1-3 weeks
Usual resultHarder to break in (perimeter is usually strong)Easier to escalate (internal networks are usually softer)
Key toolsNmap, Burp Suite, Nuclei, ffufCrackMapExec, Responder, BloodHound, Mimikatz

Documentation Tips That Save Hours

  • Use CherryTree or Obsidian. Create a tree structure: Target → Service → Finding. Paste every command and output as you go.
  • Screenshot everything. Use Flameshot on Kali for easy annotated screenshots. Capture BEFORE and AFTER states for each exploit.
  • Timestamp your notes. When the client asks "when did you run that scan?", you need to know the exact time.
  • Save all raw tool outputs. Redirect everything to files: nmap -sV target -oA scan_results. You will reference these when writing the report.
  • Write finding summaries immediately after exploitation. Do not wait until the end of the engagement — you will forget important details.

A structured methodology transforms penetration testing from guesswork into a repeatable, professional service. Follow these 7 phases, document everything, and deliver reports that actually help clients fix their security — that is what separates a professional pen tester from someone who just runs tools.

Frequently Asked Questions

A typical external network pen test takes 1-2 weeks. An internal test takes 1-3 weeks. A comprehensive test (external + internal + wireless + social engineering) takes 3-6 weeks. The timeline depends on the scope — testing 10 IP addresses is very different from testing 10,000. Most of the time is spent on reconnaissance and documentation, not exploitation.

Ugbeda Preacher

Ugbeda Preacher

Security Tools Reviewer

Pen Testing & Tool Reviews

Ugbeda is a certified ethical hacker (CEH, OSCP) and security tools specialist with five years of hands-on penetration testing experience. He brings a rigorous, no-nonsense approach to testing and reviewing security products, cutting through marketing hype to deliver honest, real-world assessments. His reviews help security teams and IT professionals choose the right tools for their specific environments.

You Might Also Like

Free Newsletter

Stay Ahead of Cyber Threats

Get weekly cybersecurity insights and practical tips. No spam, just actionable advice to keep you safe.