Below is a general methodology for how one would begin a pentest.  Do more research on your own to get the technical and legal details each step requires:

  • Get written permission to attack the target, stating the exact scope (hosts, networks, domains) and the test window.  If you don’t receive permission, do NOT proceed.
  • Use a search engine to see what comes up for your target.  This is passive reconnaissance: nothing you do touches the target’s systems.
  • Run HTTrack to get a copy of the website so you can browse it offline.  This is not passive (every request hits the target’s web server and lands in its logs), so proceed with caution.
  • Use Google-fu (operators such as site:, filetype: and inurl:) to find exposed files and pages.
  • Run theHarvester against the target domain to collect email addresses, subdomains and other company information.
  • Review the whois record (registrant, contacts, name servers, netblocks).
  • Review Netcraft for hosting history and server technology.
  • Run host on the IP address (and on the hostname) for forward and reverse lookups.
  • Try a zone transfer (dig axfr) against each of the target’s name servers; a misconfigured server hands you every record in the zone.
  • Run nslookup to get DNS and mail server (MX) information.
  • Run dig on the IP address.
  • Run metagoofil to locate and download .pdf, .doc, .ppt and similar files; their metadata often leaks usernames, software versions and internal paths.
  • Put all results in a mind-mapping tool.
  • Review perimeter devices and endpoints, if they are in scope.
  • Do a ping sweep with fping to see what is alive.
  • Run Nmap to see what services (and which versions) are running.
  • Try to log in with the information you have accumulated.
  • Run your tools through proxychains and use the Tor browser.
  • Use any information found during the reconnaissance stage.
  • Run Nessus (web interface on port 8834).
  • Create a scan policy that stays inside the authorized scope (and consider safe checks on production systems).
  • Run a brute-force attack with hydra or medusa against the login services Nmap found, throttled low enough that you do not lock out accounts.
  • If you can remotely log into the network, you WIN.
  • Run Metasploit once you are in.
  • Take the service versions and findings from Nessus and use them to search for matching exploits and payloads in Metasploit.
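The steps from the ping sweep onward are easier to keep honest if the scan output is triaged by a script that refuses to carry out-of-scope hosts forward.  The example below is added here and is not part of the original notes: it parses a constructed Nmap grepable (-oG) snippet, drops every host outside an assumed authorized range, builds the hydra commands for services hydra has a module for, and collects the version strings you would feed to searchsploit or Metasploit’s search.  The scope CIDR, wordlist file names and the scan output are all assumptions made for the example.

```python
"""Triage Nmap -oG output against the authorized scope and derive next steps.

Added example, not code from the original notes. The scan text, the scope
range and the wordlist names below are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the written authorization covers only this range (step 1).
AUTHORIZED_SCOPE = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample, shaped like: nmap -sV -oG - 10.0.5.0/24
# Note the third host answers but sits outside the authorized range.
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG - 10.0.5.0/24
Host: 10.0.5.10 ()\tStatus: Up
Host: 10.0.5.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.5.11 ()\tStatus: Up
Host: 10.0.5.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 3306/open/tcp//mysql//MySQL 5.7.33/
Host: 10.0.6.20 ()\tStatus: Up
Host: 10.0.6.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/
# Nmap done at Mon Jan  1 10:05:00 2024 -- 256 IP addresses (3 hosts up) scanned
"""

# Nmap service names mapped to hydra module names for the brute-force step.
BRUTE_FORCE_MODULES = {"ssh": "ssh", "ftp": "ftp", "mysql": "mysql",
                       "telnet": "telnet", "smb": "smb", "rdp": "rdp"}

# One -oG port entry: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def in_scope(ip):
    """True only if the address falls inside an authorized network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_SCOPE)


def parse_grepable(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        # The Ports: field ends at the next tab-separated field (e.g. Ignored State:).
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                hosts[ip].append((int(port), proto, service, version.strip()))
    return dict(hosts)


def triage(text):
    """Split discovered hosts into in-scope targets and out-of-scope hosts to leave alone."""
    targets, excluded = {}, []
    for ip, ports in parse_grepable(text).items():
        if in_scope(ip):
            targets[ip] = ports
        else:
            excluded.append(ip)
    return targets, sorted(excluded)


def brute_force_commands(targets, userlist="users.txt", passlist="passwords.txt"):
    """One hydra command per in-scope service hydra can attack.

    -t 4 keeps the task count low so the login service is not hammered and
    accounts are less likely to be locked out by the attempt."""
    cmds = []
    for ip, ports in sorted(targets.items()):
        for port, _proto, service, _version in ports:
            module = BRUTE_FORCE_MODULES.get(service)
            if module:
                cmds.append(f"hydra -L {userlist} -P {passlist} -t 4 -s {port} {ip} {module}")
    return cmds


def search_terms(targets):
    """Service/version strings to look up in searchsploit or Metasploit's search."""
    return sorted({v for ports in targets.values() for _, _, _, v in ports if v})


if __name__ == "__main__":
    in_scope_hosts, out_of_scope = triage(NMAP_GREPABLE)
    print("skipping out-of-scope hosts:", out_of_scope)
    for cmd in brute_force_commands(in_scope_hosts):
        print(cmd)
    print("exploit search terms:", search_terms(in_scope_hosts))
```

The script never launches hydra itself; it only prints the commands, so the out-of-scope host (10.0.6.20 here) can be confirmed as excluded before anything noisy runs.  Feed the printed version strings to searchsploit or to search in msfconsole rather than searching by port number alone.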