# CPTS Bulletproof Methodology

**Quick Reference Guide**

- **For:** CPTS Exam Candidates & Penetration Testers
- **Version:** 2.0
- **Last Updated:** May 2026

## How to Use This Methodology

Follow phases sequentially. After EACH new foothold, RESTART from Phase 1 on the new host. The exam tests methodology, not just tools. Understand WHY each step matters.

---

## Phase 0: Setup & Recon Prep

### Tool Checklist

Verify all tools present before starting:

```
# Core tools
nmap, crackmapexec/netexec, smbclient, smbmap, rpcclient, enum4linux, enum4linux-ng
responder, kerbrute, bloodhound/python, sharphound, powerview, rubeus, mimikatz

# Impacket suite
psexec, wmiexec, secretsdump, smbexec, mssqlclient, GetNPUsers, ticketer, ntlmrelayx

# Pivoting & tunneling
evil-winrm, xfreerdp, sshuttle, chisel, socat, proxychains, ssh, plink

# Cracking & fuzzing
hashcat, john, seclists, ffuf, gobuster, nikto, sqlmap

# Payload & shell
msfvenom, msfconsole, nc/ncat, python3 http servers
```

### 6-Layer Enumeration Methodology

1. Internet Presence — domains, subdomains, vHosts, ASN, netblocks, IPs, cloud instances
2. Gateway — firewalls, DMZ, IPS/IDS, EDR, proxies, NAC, VPN, Cloudflare
3. Accessible Services — service type, functionality, config, port, version, interface
4. Processes — PID, processed data, tasks, source, destination
5. Privileges — groups, users, permissions, restrictions, environment
6. OS Setup — OS type, patch level, network config, config files, sensitive files

### Injection Type Quick Reference

| Type | Payloads |
| --- | --- |
| SQL Injection | `'` `,` `;` `--` `/* */` |
| Command Injection | `;` `&&` `\|\|` `\` `` ` `` `$()` |
| LDAP Injection | `*` `(` `)` `&` `\|` |
| Directory Traversal | `../` `..\` `%00` |
| Header Injection | `\n` `\r\n` `\t` `%0d` `%0a` `%09` |

### Workspace Setup

```bash
mkdir -p loot screenshots notes
# Record EVERYTHING: timestamps, commands, output
# Every credential found → save immediately
# Every host compromised → note IP, hostname, user, method
```

## Phase 1: External Recon & Enumeration

### Passive Information Gathering

```
Decision: Do we have a domain name?
├── YES → proceed with DNS/subdomain enum
└── NO  → look for ASN, IP ranges, email addresses
```

**Tools:** viewdns.info, whois, shodan, censys, hunter.io, theHarvester, linkedin2username

**OSINT Sources:** ...
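The Injection Type Quick Reference lists the metacharacters that characterise each injection class. The following helper is an added example, not part of the original guide: it applies that table in the other direction, as a triage filter that maps one URL-decoded parameter value (taken from a web server log, for instance) onto the suspected classes. It operates on a single parameter value rather than a whole query string, since the `&` separators of a query string would trip the LDAP rule on every request. The indicators are deliberately coarse, so hits are leads for review, not verdicts; the SQL comma from the table is left out because it appears in almost every benign value.

```bash
#!/bin/sh
# Added example (not from the original guide): classify one decoded parameter
# value by the metacharacters of the injection quick-reference table.
# Prints the space-separated suspected classes, or "none".
classify_injection() {
    s=$1
    hits=""
    # Literal control characters for the header-injection rule. Command
    # substitution strips trailing newlines, so a sentinel is appended and removed.
    nl=$(printf '\nx'); nl=${nl%x}
    cr=$(printf '\r')
    tab=$(printf '\t')

    # SQL injection: quote, statement terminator, line and block comments
    case $s in *"'"*|*";"*|*"--"*|*"/*"*|*"*/"*) hits="$hits sqli" ;; esac
    # Command injection: separator, chaining operators, escape, subshell forms
    case $s in *";"*|*"&&"*|*"||"*|*"\\"*|*'`'*|*'$('*) hits="$hits cmdi" ;; esac
    # LDAP injection: filter wildcard, grouping and boolean operators
    case $s in *"*"*|*"("*|*")"*|*"&"*|*"|"*) hits="$hits ldapi" ;; esac
    # Directory traversal: parent-directory steps and the null-byte truncator
    case $s in *"../"*|*"..\\"*|*"%00"*) hits="$hits traversal" ;; esac
    # Header injection: raw or percent-encoded CR, LF and tab
    case $s in *"$nl"*|*"$cr"*|*"$tab"*|*"%0d"*|*"%0D"*|*"%0a"*|*"%0A"*|*"%09"*) hits="$hits header" ;; esac

    hits=${hits# }
    printf '%s\n' "${hits:-none}"
}

# Stand-alone usage over a constructed sample, one value per line.
if [ "${1-}" = "--demo" ]; then
    for v in "hello world" "O'Brien" "../../config.ini%00" "10.0.0.1;ls"; do
        printf '%-24s -> %s\n' "$v" "$(classify_injection "$v")"
    done
fi
```

Note how the semicolon is claimed by both the SQL and the command rule, and how a surname with an apostrophe is flagged as `sqli`: the table's characters are necessary for those payloads but nowhere near sufficient evidence on their own, which is exactly why this belongs in log triage and not in a blocking control.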
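The Workspace Setup in Phase 0 creates `loot`, `screenshots` and `notes` and then asks the tester to record everything: timestamps, commands, output, and one note per compromised host. The script below is an added example, not part of the original guide, that makes the recording automatic: `log_cmd` runs a command and appends a UTC timestamp, the exact command line, its output and its exit status to `notes/commands.log`, and `note_host` appends one row with the guide's fields (IP, hostname, user, method) to `notes/hosts.md`. The file names and table layout are this example's own choices.

```bash
#!/bin/sh
# Added example (not from the original guide): the guide's workspace layout plus
# helpers that record commands and compromised hosts as the guide requires.

# Create the layout under <base> (default: current directory). Safe to re-run.
init_workspace() {
    base=${1:-.}
    mkdir -p "$base/loot" "$base/screenshots" "$base/notes"
    if [ ! -s "$base/notes/hosts.md" ]; then
        printf '| Timestamp (UTC) | IP | Hostname | User | Method |\n|---|---|---|---|---|\n' \
            >"$base/notes/hosts.md"
    fi
    : >>"$base/notes/commands.log"
}

# Usage: log_cmd <base> <command> [args...]
# Prints the command's output as usual and preserves its exit status, so it can
# be put in front of any command without changing how the pipeline behaves.
log_cmd() {
    base=$1; shift
    log="$base/notes/commands.log"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Capture stdout and stderr first; a pipe into tee would lose the exit status
    # in POSIX sh, and a failed command is exactly the one worth having on record.
    out=$("$@" 2>&1) && rc=0 || rc=$?
    {
        printf '### %s $ %s\n' "$stamp" "$*"
        printf '%s\n' "$out"
        printf '### exit %s\n\n' "$rc"
    } >>"$log"
    printf '%s\n' "$out"
    return "$rc"
}

# Usage: note_host <base> <ip> <hostname> <user> <method...>
note_host() {
    base=$1; ip=$2; host=$3; user=$4; shift 4
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '| %s | %s | %s | %s | %s |\n' "$stamp" "$ip" "$host" "$user" "$*" \
        >>"$base/notes/hosts.md"
}
```

Source the file from the engagement shell and prefix commands with `log_cmd .`; because the timestamp is written in UTC, the log lines up directly with server-side evidence during the write-up, where timezone mismatches are a common source of confusion.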