| Step | Description | Tools |
|------|-------------|-------|
| 1. Enumerate and Scan | Identify live hosts and open ports on the subdomains. | Nmap, Masscan |
| 2. Fingerprinting | Determine the technology stack (web server, frameworks, etc.) used by the target applications. | Wappalyzer, BuiltWith |
| 3. Vulnerability Scanning | Scan the services and applications running on the subdomains to identify known vulnerabilities. | Nessus, OpenVAS, Burp Suite |
| 4. Manual Analysis and Verification | Manually verify potential vulnerabilities to reduce false positives. | Manual testing, Custom scripts |
| 5. Exploitation | Attempt to exploit identified vulnerabilities to gain further access or information. | Metasploit, Custom exploits, SQLMap |
| 6. Post-exploitation | Explore the compromised system to gain more access or data, establish persistence, and escalate privileges. | Mimikatz, PowerShell Empire |
| 7. Reporting | Document findings, including the impact of discovered vulnerabilities, and recommend mitigation strategies. | Custom report templates, Markdown, LaTeX |