Use Whois , Nslookup , and theHarvester to find domain ownership, IP ranges, and employee emails without touching the target's servers. Active Recon: Use Nmap to discover open ports and services.
This is the "hacking" phase where you bypass security controls.
Using the compromised machine to attack other systems on the internal network that weren't previously accessible. 6. Reporting
High-level risks for non-technical stakeholders.
Step-by-step reproduction of the exploit.
Actionable advice on how to patch the vulnerabilities.
The most important part for a professional. A good report includes: