Authorization is the line between professional testing and unauthorized access. This chapter covers the five-phase methodology and the Rules of Engagement that make every assessment legal, safe, and defensible. Never skip this β it is how engagements stay out of courtrooms and incident-response war rooms.
ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ
β 1. Pre- β β β 2. Recon β β β 3. Scanning &β β β 4. Analysis &β β β 5. Reporting β
β engagement β β (passive/ β β enumeration β β validation β β & retest β
β & scoping β β active OSINTβ β (non- β β (manual, β β β
β β β + discovery)β β destructive)β β evidence) β β β
ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ
This mirrors PTES, OWASP Testing Guide, and NIST SP 800-115. Stay strictly within scope at every phase.
The most important phase. Without signed authorization, nothing else matters.
| Item | Detail |
|---|---|
| Authorization | Signed RoE from someone who owns the targets |
| Scope | Exact IP ranges, hostnames, URLs β and explicit out-of-scope list |
| Rules | Testing window, intensity, prohibited actions, emergency contact |
| Deliverables | Report format, severity scale (CVSS v3.1), timeline |
Output: a signed RoE, a machine-readable scope file, and an emergency contact list.
Build a map of the attack surface. Prefer passive techniques first.
# Passive: DNS, WHOIS, Certificate Transparency
dig example.com ANY +short
whois example.com
# Active discovery (scope-checked wrapper β dry-run first):
python3 src/wrappers/nmap_wrapper.py --scope examples/scope.example.yaml --runEnumerate each service for known weaknesses. Non-destructive only.
# Web server checks:
python3 src/wrappers/nikto_wrapper.py -h https://app.example.com
# TLS assessment:
python3 src/wrappers/testssl_wrapper.py --host portal.example.com --port 443Turn scanner output into trustworthy findings. Eliminate false positives manually.
# Score a finding:
python3 src/cvss.py "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
# -> 9.8 (Critical)The report is the product. Every finding must include remediation steps.
python3 src/report_generator.py examples/findings.example.json -o report.mdUse RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and example.com hostnames in any public write-ups.
Run the preflight script as a final guardrail before sending a single active packet:
bash scripts/preflight_scope_check.sh --target 203.0.113.10 --scope examples/scope.example.yamlThis toolkit ships no exploitation code. Wrappers are dry-run by default and refuse to target anything outside your scope file. Validation is manual and minimal β the goal is finding and reporting, not weaponizing.
A start-to-finish run sheet for a defensive assessment. Work top to bottom; do not advance a phase until its gate is satisfied. Every unchecked box is a risk β missing one can turn an engagement into an incident.
Gate: signed authorization in hand.
# Guardrail β verify every target against scope before scanning:
bash scripts/preflight_scope_check.sh --target 203.0.113.10 --scope examples/scope.example.yamlGate: every discovered target verified to be in scope.
# Dry-run first β the wrapper prints the exact command:
python3 src/wrappers/nmap_wrapper.py --scope examples/scope.example.yaml
# Add --run and --i-am-authorized to execute:
python3 src/wrappers/nmap_wrapper.py --scope examples/scope.example.yaml --run --i-am-authorizedGate: no exploitation; candidate findings only.
| Scanner | Target | Wrapper |
|---|---|---|
| nikto | Web servers | src/wrappers/nikto_wrapper.py |
| testssl.sh | TLS endpoints | src/wrappers/testssl_wrapper.py |
| nmap | Host discovery | src/wrappers/nmap_wrapper.py |
Gate: a validated, de-duplicated, severity-scored findings list.
Gate: report accepted; findings tracked to closure.
# Generate report from findings JSON:
python3 src/report_generator.py examples/findings.example.json -o report.mdGet the full Penetration Testing Toolkit and unlock everything.
Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.
Access all interactive tools with complete data, all workload profiles, and the full scenario library.
Downloadable source code, configuration files, and working examples from every chapter.
Free updates for life. Every new chapter, tool, and improvement included.