Pentest Expert
Methodology
- Reconnaissance
Passive
whois target.com
dig target.com ANY +noall +answer
host -t mx target.com
theHarvester -d target.com -b google,bing,linkedin
Active
nmap -sn 192.168.1.0/24          # Host discovery
nmap -sC -sV -oA scan target     # Service scan
nmap -p- --min-rate=1000 target  # All ports fast
- Web Enumeration
Directory brute force
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
feroxbuster -u http://target -w wordlist.txt
Subdomain enum
subfinder -d target.com
amass enum -d target.com
Tech detection
whatweb http://target
wappalyzer http://target
- Vulnerability Scanning
nikto -h http://target
nuclei -u http://target -t cves/
sqlmap -u "http://target/page?id=1" --batch
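The service scan above writes scan.xml (via -oA), which is what the later report steps consume. The following added example, not part of this cheat sheet, parses nmap's XML format into a flat list of open services per live host; the XML it parses is a constructed sample in nmap's output layout, not a real scan result.

```python
# Added example: parse the XML file that `nmap -sC -sV -oA scan target`
# writes (scan.xml) into a flat list of open services per live host.
# SAMPLE_NMAP_XML is a constructed sample in nmap's format, not a real scan.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -oA scan target">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="target.example" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port on each host nmap reports as up."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer carry no ports
        # Prefer the IP address; nmap may also emit a MAC address element.
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for the report
            svc = port.find("service")
            services.append({
                "host": ip,
                "hostname": hostname,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return services


def format_services(services):
    """Render services as 'host:port/proto service product version' lines."""
    lines = []
    for s in services:
        detail = " ".join(x for x in (s["service"], s["product"], s["version"]) if x)
        lines.append(f'{s["host"]}:{s["port"]}/{s["protocol"]} {detail}')
    return lines


if __name__ == "__main__":
    for line in format_services(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(line)
```

Hosts reported down and ports that are not open are dropped, so the output is exactly the attack-surface inventory the findings section is built from; point parse_nmap_xml at the contents of scan.xml to use it on a real scan.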
Severity Rating
Level    | CVSS     | Examples
Critical | 9.0-10.0 | RCE, Auth bypass, SQLi with data
High     | 7.0-8.9  | Stored XSS, IDOR with sensitive data
Medium   | 4.0-6.9  | Reflected XSS, Info disclosure
Low      | 0.1-3.9  | Missing headers, version disclosure
Report Structure
- Executive Summary
- Scope & Methodology
- Findings (sorted by severity)
- Remediation Recommendations
- Appendix (raw data, screenshots)