Once the PenTest-er has gathered information about the target and identified potential vulnerabilities, the next step is to decide which ones to focus on first. This prioritization is based on the goals of the PenTest and the network devices that have been discovered.
After deciding which network resources to target, the PenTest-er will use the information collected earlier to carry out exploits against the target machines.
<aside>
Mission Objectives
- Evaluate EOL Software and Systems
- Exploit Default Configurations with Responder
- Execute Scripts to Automate Tasks
</aside>
1. Prepare and Prioritize Attacks
Randomly launching exploits is the mark of an amateur. A professional tester prioritizes attacks based on the objective and the Rules of Engagement.
- Exploit Selection: Choosing the "Weapon of Choice" based on the specific version of the service discovered (e.g., choosing a specific Metasploit module for an outdated Apache server).
- Risk Assessment: Evaluating the potential impact of an exploit. Will it crash the service? Will it trigger an alarm in the SOC?
- Prioritization Logic:
  - High Probability / High Impact: Critical vulnerabilities like unauthenticated Remote Code Execution (RCE).
  - Low Hanging Fruit: Default credentials on management interfaces or open shares.
- Attack Chaining: Planning how one minor exploit (e.g., gaining a low-level user shell) can lead to a major one (e.g., Privilege Escalation).
2. Scripting Automation
Manual testing doesn't scale. Scripting allows a tester to perform tasks across hundreds of machines simultaneously or modify tools to fit a specific environment.
- Bash Scripting: The "Glue" of the Linux command line. Used for chaining tools (e.g., taking a list of IPs from Nmap and automatically running a custom curl command against each).
- Python for PenTest-ing: The industry standard for custom exploit development. Used for creating "PoC" (Proof of Concept) scripts, interacting with APIs, and manipulating network packets via libraries like Scapy.
- PowerShell & WMI: Essential for Windows environments. Used for "living off the land"—utilizing built-in Windows tools to move laterally or extract credentials without bringing in external malware.
- Automation Use-Cases:
  - Log Parsing: Quickly extracting usernames from thousands of lines of text.
  - Credential Brute-forcing: Customizing a script to try common passwords against a login portal.
  - Cleanup: Automating the removal of shells and temporary files after the test is complete.
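The two sections above (prioritizing by discovered service version and EOL status, and scripting the parsing of Nmap output instead of reading it by hand) can be tied together in one short triage script. This is an added example written for these notes, not tooling from the original page: it parses the `nmap -oG` grepable format, and the EOL product list, the high-impact service set and the probability/impact weights are illustrative assumptions, not an authoritative rating.

```python
# Added example: rank open services from Nmap grepable output for triage.
import re

# Constructed sample of `nmap -oG` output (not from a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated
Host: 10.0.0.5 (files.example.test)\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2008 R2/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 10.0.0.9 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//Apache httpd 2.2.34/\tIgnored State: closed (998)
Host: 10.0.0.12 ()\tStatus: Down
"""

# Assumed EOL products for the demo; a real engagement would use vendor EOL data.
EOL_PRODUCTS = ("Windows Server 2008", "Apache httpd 2.2")
# Assumed: remote-admin and file-sharing services count as high impact.
HIGH_IMPACT = {"microsoft-ds", "ms-wbt-server", "ssh"}

# Grepable port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return (host, port, service, version) for every open port in -oG output."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # header, comment, or down host
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, _proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                findings.append((host, int(port), service, version.strip()))
    return findings


def score(finding):
    """Probability x impact: EOL software raises probability, admin services raise impact."""
    _host, _port, service, version = finding
    probability = 3 if any(version.startswith(p) for p in EOL_PRODUCTS) else 1
    impact = 3 if service in HIGH_IMPACT else 1
    return probability * impact


def prioritize(text):
    """Findings as (score, host, port, service, version), highest score first."""
    ranked = [(score(f),) + f for f in parse_gnmap(text)]
    return sorted(ranked, key=lambda r: (-r[0], r[1], r[2]))


if __name__ == "__main__":
    for row in prioritize(SAMPLE_GNMAP):
        print(row)
```

The top-ranked row is the EOL SMB host, which is exactly the High Probability / High Impact case the notes describe; swap in real EOL data and the weights your Rules of Engagement call for.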