Offensive Security Attack Phases and Frameworks

Although I am a security student, I am not a security expert. Please read my general disclaimer. Written for CSEC 202 (Spring 2022).


All information on this page is from other websites, and the sources are provided. The information on this post will be updated occasionally (e.g., broken link).

Furthermore, the information aforementioned is for educational purposes. The acknowledgement that a tool exists does not mean that it is legal to use in all locations with all devices or networks. To be safe, do not use any of the tools or attacks in this list unless you have explicit permission from the companies and individuals involved. Lastly, the acknowledgement of these tools and techniques does not imply my endorsement, ability, or usage of the tools and techniques. Please read my Legal Disclaimer.

Testing Types

Source: N-able Types of Penetration Techniques and Methods

| Name | Black Box | White Box | Grey Box |
|---|---|---|---|
| Attack style | Brute-force; trial and error | Testing specific parts of the system | White and black box hybrid |
| Common labor | Automated | Manual | Automated + manual |
| Attacker knowledge of infrastructure | Nothing | All-knowing (i.e., access to the source code and software architecture) | Partial knowledge (i.e., receive software code, but not system architecture details) |
| Notes | Most closely mimics a real-world scenario | Sophisticated tools (i.e., debugging and code analyzers) | |

Source: Redlegg Blog’s Pen Testing: Internal vs External and Why Both Are Important

  • Internal: Identifies how far an attacker can laterally move through a network (aka within the organization) once an external breach has occurred.
  • External: Attacker assesses the externally facing assets for an organization.
  • Others: Blind testing, double-blind, and targeted testing.


Source: Pratum’s Internal Penetration Testing vs External Penetration Testing: Why You Need Both

| Name | Internal / External | Definition |
|---|---|---|
| Checking Public Information for Leakages | E | Online lists publicize which companies have been hacked; check those sources to see if the company’s name appears. |
| Foot-printing/Banner Grabbing | E | Gathering information from a system in order to launch attacks against it. |
| IDS/IPS | I, E | Examines whether Intrusion Detection Systems and Intrusion Prevention Systems are doing their job of analyzing network traffic and packets for known cyberattack signatures. |
| Manual Testing of Identified Vulnerabilities | E | Attacker exploits vulnerabilities that are widely known in the hacking community. This is a key step, considering that an estimated 60% of breaches involve vulnerabilities for which patches are available. |
| Open Source Intelligence (OSINT) reconnaissance | E | Looking for clues in social media, websites, etc. |
| Compliance-based Testing (e.g., PCI and HIPAA) | E | Many frameworks have specific requirements organizations must meet to achieve compliance. |
| Segmentation Testing | E | Checks if networks are properly separated to keep an attack from pivoting from one to the other. |
| Social Engineering | I, E | About 80% of all breaches gain access through social engineering, so security tests should include phishing (bogus emails) and vishing (bogus phone calls). |
| System/Service/Port Scanning for Vulnerabilities | E | Automated network tests that look for open ports, services, and systems. |

Internal things to examine include WiFi networks, physical access, mobile devices, HVAC, cameras, and firewalls.

Attack Phases

Attack phases are the phases of a penetration test, while the Mandiant Attack Lifecycle details the phases of a malicious attack. They are very similar.

Source: N-Able’s Types of Penetration Techniques and Methods

  1. Planning for penetration testing
    • Goal: Understand scope, client logistics, and objectives.
    • Usually involves speaking directly with the client
  2. Reconnaissance and information gathering
    • General Reconnaissance (recon)
      • Gather information about end users, systems, and applications
      • Used for precision
    • Active recon → directly probing a system
    • Passive recon → info on the internet without direct interaction with the target system
      • Usually OSINT (e.g., search engine queries, domain name searches, internet foot-printing, social engineering, and looking up tax records to find personal information).
  3. Scanning and discovery
    • Goal: discover how the target system responds to various intrusion attempts
    • Usually involves automated tools for initial vulnerability scanning
    • Approach types:
      • Static analysis → inspects an app’s code, attempting to predict how it will react to an incursion.
      • Dynamic analysis → examines an app’s code as it runs, providing a real-time view of how it performs.
    • Other aspects attackers discover include network systems, servers, and devices, as well as network hosts.
  4. Attack and gaining access
    • Goal: see how far the attacker can get into an IT environment without detection in a controlled environment
    • Scope determines the limits of the test (e.g., protect PI and other sensitive data)
    • Example attacks: may take control of a device to extract data; cross-site scripting; SQL injection; physical attacks.
  5. Maintaining access and penetration
    • Goal: stealthily expand access and maintain presence by expanding permissions and finding user data
    • Already compromised target
  6. Risk analysis, assessment, and reporting
    • Goal: update the clients.
    • The last phase of the engagement.
    • Once the attacker is caught or the timeline is complete, a final report is generated.
    • Report provides:
      • Testing summary
      • How the attacker infiltrated systems and processes
      • All vulnerability details and suggestions for security fixes.
      • How the attacker cleaned up after the stress test, an examination of the limit at which the system or software or hardware breaks (Fran Na Jaya).
      • The estimated value of the compromised systems (i.e., how much would an incursion cost financially?)

Mandiant Attack Lifecycle

Attack phases are the phases of a penetration test, while the Mandiant Attack Lifecycle details the phases of a malicious attack. They are very similar.

Sources: Mandiant

A fellow RITSEC member, Shannon McHale, and I presented on this topic:

Tooling by Stages

The tooling section will be expanded upon at a later date to include descriptions of the tools and download links.

Source: Mandiant

Initial Compromise

  • Phishing

Establishing Foothold

  • Amadey
  • AndroMut
  • FlawedAmmy
  • Metasploit
  • RMS
  • ServHelper

Escalate Privilege

Internal Reconnaissance

Move Laterally

  • Metasploit
  • Meterpreter. Learn the basics here.
  • PuTTY
  • Remote Desktop Protocol (RDP)

Maintain Presence

  • Amadey
  • Appshim
  • FlawedAmmy
  • Metasploit
  • ServHelper
  • ScheduledTasks

Complete Mission

  • CLOP
  • MBRKiller
  • Compress data using WinRAR
  • Data theft for later use in extortion
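
For defenders, the stage lists above can drive triage: tag endpoint telemetry with the lifecycle stage it suggests, then rank hosts by the furthest stage observed. The following is an added example, not code from the original post or from Mandiant; the command-line patterns, host names, and sample events are constructed assumptions, and only the dual-use entries in the lists (PuTTY, RDP, ScheduledTasks, Appshim, WinRAR) are covered.

```python
import re
from collections import defaultdict

# Lifecycle stages in the order the page lists them.
STAGES = ["Initial Compromise", "Establishing Foothold", "Escalate Privilege",
          "Internal Reconnaissance", "Move Laterally", "Maintain Presence",
          "Complete Mission"]

# Assumed command-line patterns for the dual-use entries in the page's lists.
# Illustrative only; tune against your own telemetry before alerting on them.
RULES = [
    ("Move Laterally", "PuTTY", re.compile(r"\b(putty|plink)\.exe\b", re.I)),
    ("Move Laterally", "RDP", re.compile(r"\bmstsc\.exe\b", re.I)),
    ("Maintain Presence", "ScheduledTasks",
     re.compile(r"\bschtasks(\.exe)?\s.*/create\b", re.I)),
    ("Maintain Presence", "Appshim", re.compile(r"\bsdbinst\.exe\b", re.I)),
    ("Complete Mission", "WinRAR",
     re.compile(r"\b(rar|winrar)\.exe\"?\s+a\s", re.I)),
]

def tag_events(events):
    """Yield (host, timestamp, stage, tool) for each event matching a rule."""
    for host, ts, cmdline in events:
        for stage, tool, pattern in RULES:
            if pattern.search(cmdline):
                yield host, ts, stage, tool

def furthest_stage(events):
    """Return {host: (latest lifecycle stage seen, sorted tools seen)}."""
    seen = defaultdict(lambda: (-1, set()))
    for host, _ts, stage, tool in tag_events(events):
        idx, tools = seen[host]
        seen[host] = (max(idx, STAGES.index(stage)), tools | {tool})
    return {h: (STAGES[i], sorted(t)) for h, (i, t) in seen.items()}

# Constructed process-creation events: (host, timestamp, command line).
SAMPLE = [
    ("ws-014", "2022-03-01T09:12:03Z", r"C:\Windows\System32\mstsc.exe /v:fs-02"),
    ("fs-02", "2022-03-01T09:20:41Z",
     r'schtasks.exe /Create /SC DAILY /TN "Updater" /TR C:\Users\Public\u.exe'),
    ("fs-02", "2022-03-01T11:05:10Z",
     r'"C:\Program Files\WinRAR\Rar.exe" a -r C:\Temp\out.rar D:\Shares\Finance'),
    ("ws-020", "2022-03-01T11:30:00Z", r"C:\Windows\System32\notepad.exe report.txt"),
]

if __name__ == "__main__":
    for host, (stage, tools) in sorted(furthest_stage(SAMPLE).items()):
        print(f"{host}: furthest stage = {stage}; indicators = {', '.join(tools)}")
```

A host that shows persistence followed by archive creation (fs-02 in the sample) sorts ahead of one that only shows an RDP client launch, which on its own is usually routine administration.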

Written by Olivia Gallucci

Olivia is an honors student at the Rochester Institute of Technology. She writes about security, open source software, and professional development.