In this how to I am going to describe how to do a serious pentest in a short time span (two weeks).
The reason I write this is since I think a lot of people really "don't get" it.
A lot of people #even professionals# are completely dependent on third-party tools, a lot of "pentest" companies use Nessus, import this to the MSF launch a bunch of exploits.
Get some shells and call it quits. And if metasploit fails a lot of people just leave it be.

Therefor I feel smug enough to tell everybody how to do it proper in a short time span, just two weeks.
First we determine the parts of a pentest, these are:
 - Legal
 - Reconisance
 - Attack
 - Maintaining Access
 - Reporting
 
All of them are important. And remember, NEVER do something before the previous step is completed.

First you need to get legal in order. Best way of doing this is get a lawyer to do all of this.
And don't even show your face or let them hear your voice. You're going to need these to con the CEO, CISO and Secratary.
Get everything in writing, put the original in your safe and make copies to always have with you when you are 'on the job' this is so you can actually escape if you get caught.
If you don't have this contract on you might have a very nasty evening with law officials.
Consult with your lawyer if it's required you'll need to inform local law enforcement in the area where you are doing this attack.
I assume the contract and initial payment is made on Monday #day 0#. 

Reconisance
 [[  Will be added if people are interested in this  ]]
 
Attack
 [[  Will be added if people are interested in this  ]]
 [[
    Here I'll go on about a serious attack factor. More so than Nessus->MSF->Shell.
    I'll examine the attack factors in this part, these are.
    User -> Social Engineer your way in.
    Application -> 0day attack, and 0day development in a short time span.
    Network -> Gaining access and escalate
    Physical -> Lock pick, look at video cameras
 ]]
 
Maintaining Access
 [[  Will be added if people are interested in this  ]]
 
Reporting
 [[  Will be added if people are interested in this  ]]
 

I've just written the first part of this as I need to get my echo stroked before I finish this write-up.
I hope people are interested in a writeup like this, and if so. I'll gladly finish this write-up.

 - Stolas

Stolas,

i think that your thread would be very interesting in all of its steps. I'm not a professional pen tester but i'm very interested to understand ad to know how a serious pen tester works.. specially the reporting methods/standards

I think that your thread would be very interesting in all of its steps.

Thanks thats exactly what I wanted to hear. You've stroked my Ego.
I'll continue writing this with atleast one more part. (w00tw00t), I've contacted WeVeg about adding two hands.

Cheers,
 - Stolas

Great job, Stolas. This is a really nice way for learning&teaching.Many thanks for the time you're dedicating on it.
We're waiting for the sequel^^

joker__

This topic is well covered in the pentest community and doesn't need another kind of 'interpretation'!

-from an technical point of view, the right place would be: PTES, http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
-from an methodology point of view, the right place would be: OSSTMM, http://www.isecom.org/research/osstmm.html
..and of course, real skills on all OSI-layers (so don't try to be the l33t tester in everything, impossible - be smart and use other folks skillset!)


The most key part always missing in most pentest activities (and mentioned thousand times in the community):
-serious documentation & reporting which is readable by the average it-folks!

...BTW: I really miss that dradis framework (http://dradisframework.org/) is not installed by default in blackbox! This is one of the best documentation tool
you can find for distributed pentest teams (simple, fast & flexible)


...so long, zerohat
old'school security guy...