hayabusa wrote: Note - that methodology is for learning. I wouldn't necessarily 'fire all cannons', as MaXe pointed out, in a full, REAL pentest (I might, but it depends on the circumstance.)
I agree that I shouldn't limit myself to a single methodology, but I do use an internal methodology to avoid missing items / attack vectors when I have 100 or more items to test for.
It may sound extreme, but we (the company I work for) try to cover all possible attack vectors, so we don't go as deep as would otherwise be possible, but the attack surface is limited quite a lot (if the customer remediates all the flaws identified), when all of the services are up to date and configured in line with security best practice. Well, it's just my point of view from a "corporate point of view". (It is, after all, much more fun to study a service, fuzz it locally and try to develop an exploit for it.)
I don't use a methodology as the only option though. I usually poke around manually while running the scanners (which must be run anyway, and which usually find all the low-hanging fruit), and after that (the automated scans and manual poking around) I go through the methodology (i.e. checklists) to see if I missed anything, as I sometimes encounter technology I haven't been exposed to yet, for which there usually is an (internal) methodology.
When it comes to web applications I don't use a methodology though, as even though some attacks can be quite advanced, it's a lot easier to keep the entire methodology of web application pentesting in mind than with network pentesting, where everything from routing to exploitation of services must be done.
Of course, it depends on how "deep" the client permits you to go, as I am often not allowed to use Social Engineering attacks (meaning all client-side attacks are not allowed, unfortunately), plus intentional DoS attacks too (which don't add any value to the business if you do them on their production equipment during business hours, even though it shouldn't be possible to DoS them with a single computer).
I just try to cover as much as possible by using methodologies when I am unsure whether I tested everything humanly possible. (I should begin to script some of the work I do though, as a lot of the items from the methodology I use could be scripted and save a lot of time.) And yeah, I still agree with hayabusa of course.