🔧 Top 10 Techniques in Modern Penetration Testing (with Real-World Context)
By James K. Bishop, vCISO | Founder, Stage Four Security
Pen testers use a blend of creativity and consistency to probe environments. While every engagement is different, some techniques are used again and again—because they work. This post highlights the top 10 methods we see in the field, why they’re effective, and how defenders can stay ahead of them.
🔟 1. Subdomain Takeover
Scenario: DNS records still point to services (e.g., Azure Blob, GitHub Pages) that no longer exist.
Risk: Attackers can register the orphaned resource and hijack traffic or serve malicious content.
Tools: Subjack, Amass, Nuclei
Mitigation: Audit DNS zones regularly and remove stale records.
9️⃣ 2. Password Spraying
Scenario: Test weak passwords across many users to avoid lockout thresholds.
Risk: Especially effective on external-facing login portals (VPNs, OWA, Okta).
Tools: Hydra, CrackMapExec, Burp Intruder
Mitigation: MFA enforcement, user lockout policies, and alerting on failed logins.
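A minimal version of that failed-login alerting, as an added example that is not from the original post: it keys on distinct accounts per source inside a sliding window, which is what separates a spray from one user mistyping their own password. The log format and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One auth event per line; this format is constructed for the example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.7 tries five accounts once each (a spray);
# 198.51.100.9 is one user failing repeatedly, then succeeding (not a spray).
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth FAIL user=alice src=203.0.113.7
2024-05-01T09:00:04 auth FAIL user=bob src=203.0.113.7
2024-05-01T09:00:07 auth FAIL user=carol src=203.0.113.7
2024-05-01T09:00:10 auth FAIL user=dave src=203.0.113.7
2024-05-01T09:00:13 auth FAIL user=erin src=203.0.113.7
2024-05-01T09:01:00 auth FAIL user=grace src=198.51.100.9
2024-05-01T09:01:05 auth FAIL user=grace src=198.51.100.9
2024-05-01T09:01:10 auth FAIL user=grace src=198.51.100.9
2024-05-01T09:01:15 auth OK user=grace src=198.51.100.9
"""

def parse_events(lines):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def detect_spray(lines, window_seconds=1800, min_users=5):
    """Return {src: sorted users} for each source whose failures hit at least
    min_users distinct accounts within some window_seconds-long interval."""
    window = timedelta(seconds=window_seconds)
    fails = defaultdict(list)  # src -> [(ts, user)]
    for ts, result, user, src in parse_events(lines):
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts
```

Tune `window_seconds` and `min_users` to the portal's normal traffic; a real deployment would also correlate across sources, since sprays are often spread over many IPs to stay under per-source thresholds.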
8️⃣ 3. Kerberoasting (Windows Environments)
Scenario: Dump service account ticket hashes and crack offline.
Risk: Privileged accounts are often exposed via misconfigured SPNs.
Tools: Rubeus, Impacket, Hashcat
Mitigation: Use strong service account passwords and monitor for ticket anomalies.
7️⃣ 4. LLMNR/NBT-NS Spoofing
Scenario: Trick Windows systems into handing over NTLM hashes via local name resolution.
Risk: Can capture and relay hashes to escalate privileges.
Tools: Responder, ntlmrelayx
Mitigation: Disable LLMNR and NBT-NS; enforce SMB signing.
6️⃣ 5. Misconfigured Cloud Storage
Scenario: S3 buckets or Azure Blobs exposed with public access permissions.
Risk: Sensitive data leaks, secrets exposure, ransomware prep.
Tools: S3Scanner, CloudSploit, ScoutSuite
Mitigation: Block public access by default, use org policies, and scan for exposures.
5️⃣ 6. Local File Inclusion (LFI)
Scenario: User-supplied file paths let attackers read arbitrary server files.
Risk: Credential theft, config disclosure, code execution (when chained).
Tools: Burp Suite, custom fuzzers, SecLists
Mitigation: Validate and sanitize input; use allowlists for file access.
4️⃣ 7. SSRF (Server-Side Request Forgery)
Scenario: External input forces a server to make internal requests (e.g., to metadata endpoints).
Risk: Credential theft, lateral movement, internal service discovery.
Tools: Burp Collaborator, SSRFmap, custom payloads
Mitigation: Block access to internal resources; validate all outbound requests.
3️⃣ 8. API Enumeration & Exploitation
Scenario: Guessable endpoints, missing auth checks, or improper data exposure via APIs.
Risk: Data theft, privilege escalation, business logic abuse.
Tools: Postman, Burp, Swagger-to-Nuclei, OWASP ZAP
Mitigation: Enforce authentication, validate input/output, use schema validation.
2️⃣ 9. Active Directory Delegation Abuse
Scenario: Abusing unconstrained or resource-based delegation for lateral movement.
Risk: Privilege escalation to domain admin.
Tools: BloodHound, PowerView, Certify
Mitigation: Audit delegation settings and disable where not needed.
1️⃣ 10. Phishing & Payload Delivery
Scenario: Sending payloads or lures via email, Slack, or shared platforms.
Risk: Initial access, credential theft, malware deployment.
Tools: Gophish, Evilginx, custom payloads (macro, HTA, LNK)
Mitigation: Train users, filter attachments, and monitor beacon behavior with EDR.
📣 Final Thought
Pen testers don’t need zero-days—they need visibility and weak configurations. These 10 techniques show how ordinary flaws become extraordinary risks. If you see these methods in reports, treat them as a warning—and a roadmap for defense.
Need help testing your environment or building internal red/purple team capabilities? Let’s talk.
