Penetration Testing Methodology, Part 1/6 — Recon

Daniel Holdsworth
Dec 29, 2017

In this series of articles we will be going through the methodology, techniques and tools used when conducting a penetration test.

Rather than making these articles a concise and regimented list of the definitive ways in which you are to conduct a test, I will keep them more of an informal chat between friends: I will discuss the 6 phases, what they mean, how you conduct them, and what readily available tools you can use for each phase.

6 Phases of a Pen Test

  1. Reconnaissance
  2. Scanning and Enumeration
  3. Gaining Access
  4. Escalation of Privileges
  5. Maintaining Access
  6. Covering Your Tracks

Whilst I know all these steps can at first seem daunting, be confident in the fact that the internet has a huge wealth of information and knowledge on all these steps and there are (more than likely) hundreds of different ways you can approach and successfully complete a penetration test.

This first article will focus on the very first, and what I consider the most enjoyable phase of the methodology, Reconnaissance.

A huge portion of your penetration testing time will be spent on this first critical part of the test, so if you take anything away from this series, make sure it's this part.

Reconnaissance is the systematic approach where you attempt to locate and gather information on your target; others may refer to this part as ‘foot-printing’.

The techniques involved in foot-printing include social engineering (great fun), internet research and ‘dumpster diving’.

So what are we looking for?

Well, the important things would be contact names within the organization, email addresses (which we could later use for phishing, whaling, or spear phishing), phone numbers of important figures within the company (can be used for vishing), systems used within the company such as Windows or Linux, and finally job postings or CVs.

You may think that job postings would be a strange one to go for but the information held within can be an absolute goldmine!
If you were to go looking for a new job as a network admin, for instance, you would need to know what systems the company uses, right? And if the company needed specific systems skills, they would need to put those systems on their job posting. All this information that the company is posting out there on the internet can help you when it comes to later finding, or creating, specific exploits in order to gain access or maintain a footing on the system.

CVs work in a very similar way: if someone had worked at SuperHacker Inc in the past, then that individual will more than likely list the work that they did at that company in their CV. This pretty much always includes information on the systems they used, and usually what size of network they were looking after, whether or not it incorporated virtualization, and whether they had to set up multiple DMZs and HIPSs. All extremely valuable information to the pen tester.

So remember when I said I would also cover the free-to-use and open source tools that you can use for this phase? Well, here are just a few of the tools you can use; I will go through each one in minor detail.


Nslookup is an awesome tool to use when using Kali and is used to resolve a fully qualified domain name into an IP address. For instance, if you were to type ‘nslookup’, the basic use of nslookup would return the IP address ‘’.

Nslookup has a lot more capabilities that we won't go through in this small introduction to reconnaissance; more information can easily be found online.


Traceroute is a great tool for seeing where your ‘ping’ goes before it hits the system you are actually trying to ping. It displays the path between you and your target and is great for showing any firewalls and routers that it hits on the way, allowing for greater situational awareness on your target.

One thing that makes it great is what is called Time-To-Live (TTL). To put it simply, your first three packets will only have a TTL value of 1, the next three will have 2, and so on until you hit your target; this allows you to see how many ‘hops’ the packets took before they hit the target.

If the first packet hits the target then you will just receive the time that it took to hit the target system.

When it comes to time taken, this in itself can tell you some small details about the target:

ISDN Line — 40–50 ms

Cellular Modem — 50–150 ms

Satellite Modem — 650–750 ms

Fiber — 5–40 ms

Cable Modem — 15–100 ms

As with the other tools, there is a ton of information out there and traceroute has a lot more to offer than the small details I have covered.
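The TTL behaviour described above, as an added example (not code from the original article): an offline model that sends three probes per TTL over a constructed path, shows a device that silently drops expired probes as `*`, and checks a round-trip time against the latency ranges quoted above. The addresses, timings and function names are assumptions made for illustration; no packets are sent.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    addr: str             # constructed address from a documentation range
    rtt_ms: float         # constructed round-trip time to this device
    replies: bool = True  # False: drops expired probes silently (filtering device)

# Constructed path: two routers, one silent firewall, then the target.
PATH = [Hop("192.0.2.1", 1.2), Hop("198.51.100.7", 9.8),
        Hop("198.51.100.254", 14.0, replies=False), Hop("203.0.113.10", 22.5)]

# Rough latency ranges quoted in the article, in milliseconds.
LINK_RTT_MS = {"ISDN": (40, 50), "Cellular": (50, 150), "Satellite": (650, 750),
               "Fiber": (5, 40), "Cable": (15, 100)}

def send_probe(path, ttl):
    """Follow one probe: each router decrements TTL and answers when it hits 0."""
    for hop in path[:-1]:
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", hop) if hop.replies else ("timeout", None)
    return ("reached", path[-1])  # TTL outlived every router: the target answers

def traceroute(path, max_ttl=30, probes=3):
    """One row per TTL: (ttl, responder or '*', rtt list); stops at the target."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        results = [send_probe(path, ttl) for _ in range(probes)]
        status, hop = results[0]  # the model is deterministic, so probes agree
        if hop is None:
            rows.append((ttl, "*", []))
        else:
            rows.append((ttl, hop.addr, [hop.rtt_ms] * probes))
        if status == "reached":
            break
    return rows

def candidate_links(rtt_ms):
    """Link types whose quoted range contains rtt_ms; the ranges overlap."""
    return sorted(n for n, (lo, hi) in LINK_RTT_MS.items() if lo <= rtt_ms <= hi)

if __name__ == "__main__":
    for ttl, addr, rtts in traceroute(PATH):
        print(ttl, addr, rtts)
    print("22.5 ms fits:", candidate_links(22.5))
```

Because the quoted ranges overlap, a single round-trip time usually matches more than one link type, so treat it as a hint rather than an identification.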


Ping doesn’t need too much covering but we’ll cover it nonetheless.

Ping is used to check the connectivity between two devices and is mainly used in troubleshooting.

When ping is run on a Linux system it pings until the user stops it, but as for Mac or Windows systems there are some good commands that you will need to know.

ping -c 10 — will ping 10 times then stop

ping -6 — will ping only IPv6 addresses


Whois provides information on the owner of the domain itself, such as server addresses, phone numbers, the owner's name and the owner's addresses.

The best use for this tool in my opinion is to carry this information across to social engineering as more often than not, the domain owner is the admin of the site, therefore he/she will be a prime person to target.

The results of this tool can also provide you with internet and domain service providers which will come in handy if you want to phish the above individual and it will make the email look more credible.
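Seen from the domain owner's side, the same lookup tells you what your own record gives away. The following added example (not part of the original article) parses WHOIS-style `Key: Value` output and lists the contact fields that publish a person's details instead of a redaction or a role mailbox. The sample record is constructed for a hypothetical domain, and the redaction and role-address patterns are assumed heuristics, not a standard.

```python
import re

# Constructed WHOIS output for a hypothetical domain; not a real record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Registrant Name: Jane Admin
Registrant Organization: Example Widgets Ltd
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone: +1.5555550100
Registrant Email: jane.admin@example.test
Admin Email: Please query the RDDS service of the Registrar
Tech Email: hostmaster@example.test
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
>>> Last update of WHOIS database: (constructed) <<<
"""

CONTACT_ROLES = ("registrant", "admin", "tech", "billing")
PERSONAL_ATTRS = ("name", "street", "phone", "fax", "email")
# Assumed heuristics: values that indicate redaction, and shared role mailboxes.
REDACTED = re.compile(r"redacted|privacy|please query|not disclosed", re.I)
ROLE_MAILBOX = re.compile(r"^(hostmaster|postmaster|abuse|admin|noc|domains?)@", re.I)

def parse_whois(text):
    """Parse 'Key: Value' lines into (key, value) pairs, keeping repeated keys."""
    pairs = []
    for line in text.splitlines():
        if line.lstrip().startswith(("%", "#", ">>>")):
            continue  # server comments and footer lines
        key, sep, value = line.partition(":")
        if sep and value.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs

def exposed_contacts(pairs):
    """Contact fields that name a person rather than a redaction or role address."""
    findings = []
    for key, value in pairs:
        words = key.lower().split()
        if len(words) < 2 or words[0] not in CONTACT_ROLES:
            continue
        if words[-1] not in PERSONAL_ATTRS:
            continue
        if REDACTED.search(value) or ROLE_MAILBOX.match(value):
            continue
        findings.append((key, value))
    return findings

if __name__ == "__main__":
    for key, value in exposed_contacts(parse_whois(SAMPLE_WHOIS)):
        print(f"exposed: {key} = {value}")
```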


Google is the most obvious but sometimes most effective tool, and one that can feed you information to utilize in the other tools. It is the best source for finding information on a company and can give you all the open source information that you could wish for.

There is a lot of information out there on ‘google hacking’ which will explain the best ways to search for companies and actually return something that has worth, such as adding a filetype to the end of your search: adding xls or pdf to the end of a company name will return all pdf and xls files related to that company, as long as they exist on the internet.

While getting a pdf or xls file from the company may not seem like much, the information contained within could help you greatly. Also don’t forget the stages to come, having a pdf from a company in your possession would easily become a weapon once malware has been added to the document and it has been spat back out to the company in a phishing attack.

Social Media

Social media is an absolute gold mine for information and a great way to launch spear phishing campaigns against personal targets at the targeted company.

With Facebook, LinkedIn, Twitter, Pinterest, Tumblr and many more out there, all you need to launch a successful attack is a small bit of personal information about a target, such as a salon that they use to get their nails done. This information can easily be used to craft a genuine-looking email about an offer on a manicure with a malicious link added.

Other information you can gather from these sites is as follows:

Facebook — Birthdays, family members, home addresses

LinkedIn — Employment history and skills

Twitter — Controversial (?) personal views

Google+ — Pattern of life, friend circle

This tool is such a huge topic, and the internet is a treasure trove for this information, there are also some great books out there that focus solely on this exploit.

Now that we have gone through some techniques and tools to get started, it's time to put all this information together in order to successfully move forward in the test.

At this stage you should have collected a vast amount of information such as:

  • Names
  • Phone numbers
  • Email addresses
  • Target systems
  • Rough target network strength (how long the TTL test took determines how ‘thick’ the network is to get to the target system)
  • Server addresses
  • Mail server addresses
  • Legit documents

All of this information can be used to craft legitimate-looking phishing and vishing attacks, as you can drop real employee names and imitate the company email style to appear more genuine.

Hopefully you take away some valuable information from this first part of the penetration testing basics series. As I stated at the start, this will be a very informal, short and to-the-point series that in no way will make you an expert, but it will give you the general overview needed to know where to start.

Coming soon Part 2: Scanning and Enumeration


@dvlp.r on instagram