Contents

Chapter 1

Chapter 1: Engagement Methodology

Authorization is the line between professional testing and unauthorized access. This chapter covers the five-phase methodology and the Rules of Engagement that make every assessment legal, safe, and defensible. Never skip this β€” it is how engagements stay out of courtrooms and incident-response war rooms.

The five phases

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ 1. Pre-      β”‚ β†’ β”‚ 2. Recon     β”‚ β†’ β”‚ 3. Scanning &β”‚ β†’ β”‚ 4. Analysis &β”‚ β†’ β”‚ 5. Reporting β”‚
β”‚  engagement  β”‚   β”‚ (passive/    β”‚   β”‚  enumeration β”‚   β”‚  validation  β”‚   β”‚  & retest    β”‚
β”‚  & scoping   β”‚   β”‚  active OSINTβ”‚   β”‚  (non-       β”‚   β”‚  (manual,    β”‚   β”‚              β”‚
β”‚              β”‚   β”‚  + discovery)β”‚   β”‚  destructive)β”‚   β”‚  evidence)   β”‚   β”‚              β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

This mirrors PTES, OWASP Testing Guide, and NIST SP 800-115. Stay strictly within scope at every phase.

Phase 1 β€” Pre-engagement

The most important phase. Without signed authorization, nothing else matters.

ItemDetail
AuthorizationSigned RoE from someone who owns the targets
ScopeExact IP ranges, hostnames, URLs β€” and explicit out-of-scope list
RulesTesting window, intensity, prohibited actions, emergency contact
DeliverablesReport format, severity scale (CVSS v3.1), timeline

Output: a signed RoE, a machine-readable scope file, and an emergency contact list.

Phase 2 β€” Reconnaissance

Build a map of the attack surface. Prefer passive techniques first.

bash
# Passive: DNS, WHOIS, Certificate Transparency
dig example.com ANY +short
whois example.com

# Active discovery (scope-checked wrapper β€” dry-run first):
python3 src/wrappers/nmap_wrapper.py --scope examples/scope.example.yaml --run

Phase 3 β€” Scanning & enumeration

Enumerate each service for known weaknesses. Non-destructive only.

bash
# Web server checks:
python3 src/wrappers/nikto_wrapper.py -h https://app.example.com

# TLS assessment:
python3 src/wrappers/testssl_wrapper.py --host portal.example.com --port 443

Phase 4 β€” Analysis & validation

Turn scanner output into trustworthy findings. Eliminate false positives manually.

bash
# Score a finding:
python3 src/cvss.py "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
# -> 9.8 (Critical)

Phase 5 β€” Reporting & retest

The report is the product. Every finding must include remediation steps.

bash
python3 src/report_generator.py examples/findings.example.json -o report.md

Rules of Engagement essentials

  • Authorization letter β€” signed and dated before any active testing
  • Scope precision β€” machine-readable scope file so wrappers enforce it
  • Prohibited actions β€” no DoS, no data exfiltration, no persistence
  • Data handling β€” encrypt evidence, agree on retention/destruction

Use RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and example.com hostnames in any public write-ups.

Pre-flight gate checklist

  • [ ] Signed authorization from someone with authority
  • [ ] Hosting provider permission obtained (if relevant)
  • [ ] In-scope and out-of-scope lists in scope file
  • [ ] Testing window and intensity agreed
  • [ ] Emergency contact and abort procedure in place

Run the preflight script as a final guardrail before sending a single active packet:

bash
bash scripts/preflight_scope_check.sh --target 203.0.113.10 --scope examples/scope.example.yaml

Tooling philosophy

This toolkit ships no exploitation code. Wrappers are dry-run by default and refuse to target anything outside your scope file. Validation is manual and minimal β€” the goal is finding and reporting, not weaponizing.

Chapter 2

Chapter 2: Scoping Checklist

A start-to-finish run sheet for a defensive assessment. Work top to bottom; do not advance a phase until its gate is satisfied. Every unchecked box is a risk β€” missing one can turn an engagement into an incident.

Phase 1 β€” Pre-engagement

Gate: signed authorization in hand.

  • [ ] Signed Rules of Engagement obtained (use the template)
  • [ ] Signer confirmed to have authority over the targets
  • [ ] Hosting/cloud provider testing permission obtained
  • [ ] Scope captured as machine-readable YAML file
  • [ ] Out-of-scope assets explicitly listed
  • [ ] Testing window, intensity limits, and notification list agreed
  • [ ] Prohibited actions reviewed with everyone testing
  • [ ] Emergency contact and abort procedure documented
  • [ ] Data-handling, retention, and destruction terms agreed
  • [ ] Secure workspace ready with encrypted evidence storage
bash
# Guardrail β€” verify every target against scope before scanning:
bash scripts/preflight_scope_check.sh --target 203.0.113.10 --scope examples/scope.example.yaml

Phase 2 β€” Reconnaissance

Gate: every discovered target verified to be in scope.

  • [ ] Passive OSINT collected (DNS, WHOIS, certificate transparency)
  • [ ] In-scope hosts confirmed live (dry-run the nmap wrapper first)
  • [ ] Open ports and listening services enumerated
  • [ ] Service/version banners recorded
  • [ ] Asset inventory cross-checked against scope file
bash
# Dry-run first β€” the wrapper prints the exact command:
python3 src/wrappers/nmap_wrapper.py --scope examples/scope.example.yaml

# Add --run and --i-am-authorized to execute:
python3 src/wrappers/nmap_wrapper.py --scope examples/scope.example.yaml --run --i-am-authorized

Phase 3 β€” Scanning & enumeration

Gate: no exploitation; candidate findings only.

  • [ ] Web servers checked for known issues and misconfigurations
  • [ ] TLS/SSL configuration assessed (protocols, ciphers, certificate)
  • [ ] Application endpoints, parameters, and auth flows mapped
  • [ ] Access-control boundaries probed (read-only)
  • [ ] Intensity kept within RoE; production health monitored
  • [ ] Raw tool output saved as timestamped evidence
ScannerTargetWrapper
niktoWeb serverssrc/wrappers/nikto_wrapper.py
testssl.shTLS endpointssrc/wrappers/testssl_wrapper.py
nmapHost discoverysrc/wrappers/nmap_wrapper.py

Phase 4 β€” Analysis & validation

Gate: a validated, de-duplicated, severity-scored findings list.

  • [ ] Each candidate finding manually verified (false positives removed)
  • [ ] Weakness confirmed with minimum non-destructive proof
  • [ ] Impact and likelihood assessed in business context
  • [ ] Every finding scored with CVSS v3.1; full vector recorded
  • [ ] Duplicate or overlapping findings merged
  • [ ] Evidence linked to each finding

Phase 5 β€” Reporting & retest

Gate: report accepted; findings tracked to closure.

  • [ ] Findings entered into the findings JSON file
  • [ ] Report generated from findings data and reviewed
  • [ ] Executive summary written for non-technical readers
  • [ ] Each finding has clear, actionable remediation steps
  • [ ] Critical findings already reported out-of-band (per RoE protocol)
  • [ ] Report delivered securely (encrypted at rest and in transit)
  • [ ] Retest scheduled for remediated findings
  • [ ] Engagement data destroyed per retention terms after acceptance
bash
# Generate report from findings JSON:
python3 src/report_generator.py examples/findings.example.json -o report.md

Daily safety reminders

  • Stay inside scope β€” every host, every hour
  • Dry-run wrappers first; review the printed command before executing
  • Throttle to protect production; stop immediately if something degrades
  • Never download real sensitive data β€” prove access and document instead
  • Protect the report β€” it is a map of weaknesses
Chapter 3
πŸ”’ Available in full product

Chapter 3: Vulnerability Scoring

Chapter 4
πŸ”’ Available in full product

Chapter 4: Reporting Findings

Chapter 5
πŸ”’ Available in full product

Chapter 5: Sample Report

You’ve reached the end of the free preview

Get the full Penetration Testing Toolkit and unlock everything.

All Chapters

Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.

Full Tool Suite

Access all interactive tools with complete data, all workload profiles, and the full scenario library.

Source Files

Downloadable source code, configuration files, and working examples from every chapter.

Lifetime Updates

Free updates for life. Every new chapter, tool, and improvement included.

Buy Now — $49 →
πŸ“¦ Free sample included — download another copy for the full product.
Penetration Testing Toolkit v1.0.0 β€” Free Preview