Vulnerability Assessment & Penetration Testing: Complete Framework

VAPT Fundamentals and Methodology

The industry treats vulnerability assessment and penetration testing as distinct phases, but in practice, they bleed into each other. A scanner finds a potential SQL injection, but manual verification confirms the exploitability. The methodology isn't linear; it's iterative. The kill chain starts with reconnaissance and ends with persistence, but the testing cycle loops back continuously.

Defining the Attack Surface

Your attack surface isn't just external IPs. It's every API endpoint, subdomain, and forgotten S3 bucket. Start with a simple nmap scan to map the perimeter.

nmap -sV -sC -p- --min-rate 1000 -oA initial_scan 10.0.0.0/24

This command performs a full port scan with service detection and default scripts. The output file initial_scan contains raw data for later analysis. The real work begins when you correlate this with asset inventory.

The Testing Lifecycle

The lifecycle isn't a waterfall. It's a feedback loop. Recon feeds scanning, scanning feeds exploitation, and exploitation informs better recon. The critical mistake is treating this as a one-time audit. A penetration test is a snapshot; continuous monitoring is the movie.

Reconnaissance and Asset Discovery

Passive reconnaissance is about gathering intelligence without touching the target. Active reconnaissance is where you start making noise. The goal is to build a complete map of the target's digital footprint.

Passive Intelligence Gathering

Start with OSINT. Use tools like theHarvester to find emails, subdomains, and hosts.

theHarvester -d example.com -b google -l 500

This queries Google for example.com related data. The output is messy, but it reveals the initial attack surface. For subdomain enumeration, use a combination of tools. The subdomain discovery tool on RaSEC automates this by querying multiple sources and certificate transparency logs.

Active Enumeration and Mapping

Once you have a list of live hosts, map the network. Use masscan for speed and nmap for depth.

masscan -p1-65535 --rate 10000 10.0.0.0/24 -oL live_hosts.txt

This scans all ports on the /24 subnet at 10,000 packets per second. The output live_hosts.txt is a list of IPs with open ports. Now, you can run targeted nmap scans on these hosts.

nmap -sV -sC -p- -iL live_hosts.txt -oA detailed_scan

The -iL flag reads the list of live hosts from the file. This is where you find the forgotten admin panel on port 8080 or the legacy FTP server.

Vulnerability Scanning Phase

Automated scanners are a starting point, not the end. They generate noise, but they also find low-hanging fruit. The key is to tune them and manually verify findings.

Automated Scanning with Context

Run a vulnerability scanner, but feed it the context from your reconnaissance. Don't just scan the root domain; scan every subdomain and IP you discovered.

nikto -h https://subdomain.example.com -Tuning x

Nikto is a web server scanner that checks for outdated software and common misconfigurations. The -Tuning x flag excludes dangerous tests. For a more comprehensive scan, integrate the RaSEC URL Analysis tool to analyze the scanner's output and prioritize findings based on exploitability.

Manual Verification and False Positives

Scanners love to flag potential XSS and SQLi. But are they real? Manually verify each finding. For SQLi, use sqlmap to confirm.

sqlmap -u "https://example.com/page?id=1" --batch --dbs

This automates the SQL injection testing and dumps the database names if vulnerable. If the scanner flags a potential RCE, don't just trust it. Use a proof-of-concept to confirm.

Web Application Penetration Testing

Web apps are the primary target for most attackers. The OWASP Top 10 is a starting point, but real-world attacks are more nuanced.

Injection Attacks and Parameter Fuzzing

SQL injection is still prevalent. Test every parameter with a payload that breaks the query structure.

sqlmap -u "https://example.com/search?q=test" --level=5 --risk=3

This tests all parameters with the highest risk and level. For blind SQLi, use the out-of-band helper to confirm data exfiltration via DNS or HTTP callbacks.

Cross-Site Scripting (XSS) Testing

XSS is about injecting scripts into web pages. Test for reflected, stored, and DOM-based XSS.

echo "alert(1)" | xxd -p

This converts the payload to hex for URL encoding. Use the payload generator to create obfuscated payloads that bypass WAFs. Test every input field and URL parameter.

Advanced Exploitation Techniques

Once you have a vulnerability, you need to exploit it. This is where manual testing shines. Automated tools can't chain exploits or adapt to defenses.

Buffer Overflows and Memory Corruption

Buffer overflows are less common in modern apps but still exist in legacy systems. The exploit involves overwriting the return address on the stack.

// Simple buffer overflow example
#include
#include

int main(int argc, char *argv[]) {
char buffer[256];
strcpy(buffer, argv[1]); // No bounds checking
return 0;
}

Compile with gcc -fno-stack-protector -z execstack -o vuln vuln.c. The exploit sends \x41 * 268 to overwrite EIP and jump to shellcode. This is a classic example; real-world exploits require calculating offsets and bypassing ASLR.

Authentication Bypass and Session Hijacking

MFA is common, but it doesn't stop token theft. If you can steal a session cookie, you bypass MFA entirely.

curl -H "Cookie: session=stolen_token" https://example.com/dashboard

Test for session fixation, insecure cookie attributes, and token leakage in logs. Use the AI security chat to analyze session management code for weaknesses.

Post-Exploitation and Lateral Movement

Gaining initial access is just the beginning. The goal is to escalate privileges and move laterally across the network.

Privilege Escalation on Linux and Windows

On Linux, check for misconfigured sudo rights and SUID binaries.

find / -perm -4000 -type f 2>/dev/null

This lists all SUID binaries. If you find a binary like find, you can exploit it to gain root. On Windows, use tools like WinPEAS to find misconfigurations. The privilege escalation pathfinder automates this process by mapping potential paths based on system configuration.

Lateral Movement and Persistence

Once you have a foothold, move laterally. Use tools like Impacket for SMB and RPC attacks.

impacket-smbexec example.com/admin:password@target_ip

This executes commands on the target via SMB. For persistence, create a scheduled task or a service.

schtasks /create /tn "Update" /tr "C:\malware.exe" /sc minute /mo 5

This creates a task that runs malware every 5 minutes. Test your defenses against these techniques.

Network Infrastructure Testing

Network devices are often overlooked. Routers, switches, and firewalls can be entry points.

Firewall and Router Enumeration

Test for open management interfaces and default credentials.

nmap -p 22,23,80,443,8080 --script http-title,ssh-hostkey 10.0.0.1

This scans common management ports and retrieves titles and SSH hostkeys. If you find a router with default credentials, you can reconfigure it to redirect traffic.

VPN and Remote Access Testing

VPNs are critical for remote access. Test for weak encryption and authentication.

ike-scan -M --id=myid 10.0.0.1

This scans for IKE (IPsec) endpoints. If the VPN uses weak encryption, you can decrypt traffic. Always test for CVEs like CVE-2024-24955 (Check Point VPN vulnerability).

Social Engineering Attack Prevention

Social engineering is the weakest link. Technical controls can't stop a user from giving away credentials.

Phishing Simulation and Training

Run phishing simulations to test user awareness. Use tools like Gophish to send fake emails.

gophish --config config.json

This launches the Gophish server. Track click rates and credential submissions. The goal isn't to punish but to train.

Technical Controls Against Social Engineering

Implement DMARC, SPF, and DKIM to prevent email spoofing.

dig +short TXT example.com._dmarc

This checks the DMARC record. If it's missing, emails can be spoofed. Use email filtering to block malicious attachments and links.

Cloud Security Assessment

Cloud environments are dynamic. Traditional scanning doesn't work well here.

Misconfiguration Scanning

Cloud misconfigurations are common. Use tools like Prowler for AWS.

prowler -c check_aws_s3_bucket_public

This checks if S3 buckets are publicly accessible. For Azure, use ScoutSuite.

scout aws --report-dir ./reports

These tools generate reports on misconfigurations. Manually verify critical findings.

Container and Kubernetes Security

Containers introduce new attack vectors. Scan images for vulnerabilities.

trivy image nginx:latest

This scans the nginx image for known CVEs. For Kubernetes, use kube-hunter.

kube-hunter --remote https://k8s.example.com

This hunts for vulnerabilities in the Kubernetes cluster.

Reporting and Remediation

A penetration test is useless without actionable reporting. Reports should be technical and prioritized.

Structuring the Report

Start with an executive summary, but dive deep into technical details. Include proof-of-concept code and remediation steps.

## Description
The `q` parameter is vulnerable to SQL injection.
## Proof of Concept
```bash
sqlmap -u "https://example.com/search?q=test" --dbs

Remediation

Use parameterized queries.

### Prioritizing Findings
Use CVSS scores, but also consider exploitability and business impact. A critical vulnerability in a non-critical system may be lower priority than a medium vulnerability in a payment system.

## Continuous Security Monitoring

Penetration testing is a snapshot. Continuous monitoring is the future.

### Integrating with SIEM and SOAR
Feed vulnerability data into your SIEM. Use the [RaSEC platform features](/features) to automate scanning and alerting.

```bash
curl -X POST https://api.rasec.com/vuln/scan -H "Authorization: Bearer $TOKEN" -d '{"target": "example.com"}'

This triggers a scan via the RaSEC API. Integrate with Splunk or ELK for correlation.

Threat Intelligence and CVE Updates

Stay updated on new CVEs. Use the security blog for the latest threat intelligence. Automate vulnerability scanning for new CVEs.

nmap --script vulners -p 443 example.com

This scans for known vulnerabilities using the vulners script database.

Compliance and Standards

Compliance isn't security, but it drives security initiatives.

Mapping to Frameworks

Map your findings to NIST, ISO 27001, or PCI DSS. Use the documentation to integrate compliance checks into your workflow.

grep -i "pci" report.md

This searches the report for PCI-related findings. Automate compliance reporting with RaSEC.

Auditing and Evidence Collection

Collect evidence for auditors. Use screenshots, logs, and code snippets.

tcpdump -i eth0 -w capture.pcap

This captures network traffic for analysis. Store evidence securely and timestamp it.

Toolchain and Platform Integration

A cohesive toolchain is essential for efficient VAPT.

Building a Custom Toolchain

Integrate open-source and commercial tools. Use RaSEC as the central platform.

nmap -sV -oX - example.com | rasec-cli upload --type nmap

This uploads nmap XML output to RaSEC for analysis.

Automation and Scripting

Automate repetitive tasks. Use Python for custom scripts.

import requests
response = requests.get("https://example.com")
if "admin" in response.text:
print("Potential admin panel found")

This simple script checks for admin panels. Scale this with RaSEC's API.

Conclusion

Vulnerability assessment and penetration testing are not one-time events. They are continuous processes that require technical depth, manual verification, and integration with modern toolchains. Use RaSEC to automate, but never rely solely on automation. The attacker's advantage is speed; your defense is depth.