Taylor Jolin


Pentesting Methodology – Host & Asset Discovery


Please note before reading: this is my personal way of doing things and, like the last post, it is more of a brain dump for those interested. Anyway…

Once inside the target, you will want to conduct host or asset discovery. This process should be pretty self-explanatory. It can take a while, so be patient. If you are doing an on-site pentest, time is not on your side. If you are doing a remote pentest, again… be patient.

With that, there are two types of asset discovery tests that can be run: an internal or an external test. An internal test looks for hosts on the internal network, whereas an external test looks for assets on the perimeter of the network. The standard techniques for this are port scanning and ping sweeps.

With the right port scanning tool, you can learn all sorts of information about the network and about host devices. I prefer to use Nmap, but there are a wealth of others. You can even call Nmap from within Metasploit and run it there. Once we have a target thoroughly mapped out and have found all of the information we can, we can move on to looking for vulnerabilities or known exploits.

In the event that you find multiple hosts on the network, try to do OS discovery to see what is what and whether a host may be of interest later on. One can usually assume that Linux, Mac, and Windows servers have some sort of misconfiguration somewhere. The same goes for networking appliances such as firewalls, switches, routers, etc…
