
What Is Penetration Testing?
Penetration testing (pentesting) is the authorized simulation of cyberattacks against computer systems to evaluate their security. Unlike vulnerability scanning (which is automated), pentesting involves human creativity, lateral thinking, and the ability to chain multiple low-severity findings into a critical exploit path.
Think of it this way: a vulnerability scanner finds that a door is unlocked. A penetration tester opens the door, walks through the building, finds the safe, and demonstrates that the company's crown jewels are accessible—then writes a report explaining how to fix it.
Types of Penetration Tests
| Type | Knowledge Given | Simulates | Best For |
|---|---|---|---|
| Black Box | No information | External attacker with no inside knowledge | Realistic attack simulation |
| Gray Box | Partial info (credentials, network maps) | Compromised insider or partner | Most common, efficient |
| White Box | Full access (source code, architecture) | Insider threat, thorough audit | Finding deep logic flaws |

| Scope | Target | Examples |
|---|---|---|
| Network | Infrastructure, servers, firewalls | Internal/external network assessment |
| Web Application | Websites, APIs, web services | OWASP Top 10, business logic |
| Mobile | iOS/Android applications | Data storage, API communication |
| Cloud | AWS/Azure/GCP infrastructure | IAM misconfig, storage exposure |
| Social Engineering | People and processes | Phishing campaigns, physical access |
| Red Team | Entire organization | Full-scope, multi-vector attack simulation |
The Penetration Testing Methodology
Most pentesters follow a structured methodology based on frameworks like PTES (Penetration Testing Execution Standard) or OWASP Testing Guide:
```text
Penetration Testing Phases:

┌─────────────────────────────────────────────┐
│ Phase 1: Reconnaissance (Passive & Active) │
│ ├─ OSINT: Company info, employee names │
│ ├─ DNS enumeration, subdomain discovery │
│ ├─ Technology fingerprinting │
│ └─ Network scanning and service detection │
├─────────────────────────────────────────────┤
│ Phase 2: Vulnerability Analysis │
│ ├─ Automated scanning (Nessus, Nuclei) │
│ ├─ Manual testing (business logic) │
│ ├─ Source code review (if white box) │
│ └─ Configuration analysis │
├─────────────────────────────────────────────┤
│ Phase 3: Exploitation │
│ ├─ Exploit known vulnerabilities │
│ ├─ Chain multiple findings │
│ ├─ Bypass security controls │
│ └─ Demonstrate business impact │
├─────────────────────────────────────────────┤
│ Phase 4: Post-Exploitation │
│ ├─ Privilege escalation │
│ ├─ Lateral movement │
│ ├─ Data access and exfiltration proof │
│ ├─ Persistence (if in scope) │
│ └─ Pivot to other network segments │
├─────────────────────────────────────────────┤
│ Phase 5: Reporting │
│ ├─ Executive summary │
│ ├─ Technical findings with evidence │
│ ├─ Risk ratings (CVSS, business impact) │
│ ├─ Remediation recommendations │
│ └─ Retest verification │
└─────────────────────────────────────────────┘
```

Essential Pentesting Tools
Reconnaissance
```bash
# Subdomain enumeration with Subfinder
subfinder -d target.com -o subdomains.txt

# Port scanning with Nmap
nmap -sC -sV -O -oA scan_results target.com
# -sC: default scripts    -sV: version detection
# -O: OS detection        -oA: output all formats

# Comprehensive web recon with httpx
cat subdomains.txt | httpx -sc -title -tech-detect -o live_hosts.txt

# Directory brute-forcing with Feroxbuster
feroxbuster -u https://target.com -w /usr/share/wordlists/dirb/common.txt
```

Web Application Testing
```bash
# Burp Suite is the industry standard (GUI tool)
# But for CLI-based testing:

# SQLMap — automated SQL injection detection
sqlmap -u "https://target.com/search?q=test" --batch --dbs

# Nuclei — template-based vulnerability scanner
nuclei -u https://target.com -t cves/ -t vulnerabilities/ -severity critical,high

# ffuf — fast web fuzzer
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403
```

Exploitation and Post-Exploitation
```bash
# Metasploit Framework — exploitation platform
msfconsole
msf6 > search eternalblue
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS target_ip
msf6 > exploit

# Impacket — Windows protocol attack tools
# Pass-the-hash attack
impacket-psexec administrator@target_ip -hashes :ntlm_hash

# CrackMapExec — Active Directory lateral movement
crackmapexec smb 192.168.1.0/24 -u admin -p password --shares

# BloodHound — Active Directory attack path visualization
bloodhound-python -u user -p password -d domain.local -c all
```

A Real-World Pentest Example: Web Application
Here's a simplified walkthrough of how a web application pentest might unfold:
```text
Target: https://app.example.com (e-commerce platform)
Scope: Web application + API endpoints
Type: Gray box (given test credentials)

Step 1: Reconnaissance
├─ Technology: Next.js frontend, Django REST API
├─ Subdomains: api.example.com, staging.example.com
├─ Staging has default credentials (admin:admin) → Finding #1
└─ API documentation exposed at /api/docs → Finding #2

Step 2: Vulnerability Analysis
├─ IDOR on /api/orders/{id} — can view any user's orders → Finding #3 (High)
├─ No rate limiting on /api/auth/login → Finding #4 (Medium)
├─ JWT token doesn't expire for 30 days → Finding #5 (Medium)
└─ Reflected XSS in search parameter → Finding #6 (Medium)

Step 3: Exploitation (chaining findings)
├─ Use IDOR to enumerate all orders (PII exposure)
├─ Find admin user's email from order data
├─ Brute-force admin login (no rate limiting)
├─ Access admin panel with admin credentials
├─ Admin panel allows file upload without validation
└─ Upload web shell → Remote Code Execution → Finding #7 (Critical)

Step 4: Post-Exploitation
├─ Read database credentials from environment variables
├─ Access production database (200K customer records)
├─ Demonstrate data access (screenshot, not exfiltrate)
└─ Document the full attack chain

Step 5: Report
├─ Critical: RCE via admin panel file upload + weak auth
├─ High: IDOR exposing all customer orders
├─ Medium: Missing rate limiting, long-lived JWT, XSS
├─ Low: Staging environment exposed, API docs public
└─ Recommendations for each finding with priority
```

CVSS Scoring: How Vulnerabilities Are Rated
The Common Vulnerability Scoring System rates findings from 0.0 to 10.0:
| Score | Severity | Example |
|---|---|---|
| 9.0-10.0 | Critical | Remote Code Execution, SQL injection with data access |
| 7.0-8.9 | High | IDOR with PII exposure, privilege escalation |
| 4.0-6.9 | Medium | XSS, CSRF, missing rate limiting |
| 0.1-3.9 | Low | Information disclosure, verbose errors |
| 0.0 | None | Informational findings |
Bug Bounty Programs
Bug bounties allow anyone to find and report vulnerabilities for rewards:
| Platform | Notable Programs | Typical Rewards |
|---|---|---|
| HackerOne | US DoD, GitHub, Shopify | $500-$100K+ |
| Bugcrowd | Tesla, Mastercard, Atlassian | $500-$50K+ |
| Intigriti | European focus, Nokia, ING | €500-€50K+ |
| Direct programs | Google ($500-$250K+), Apple ($5K-$1M), Microsoft ($500-$250K) | Varies |
Certifications for Penetration Testers
| Certification | Provider | Focus | Difficulty |
|---|---|---|---|
| OSCP | OffSec | Practical exploitation, 24-hour exam | Hard (industry gold standard) |
| OSWE | OffSec | Web application exploitation | Hard |
| OSEP | OffSec | Advanced evasion, Active Directory | Very Hard |
| eJPT | INE | Entry-level pentesting | Entry |
| PNPT | TCM Security | Practical, OSINT to report | Intermediate |
| CRTP | Pentester Academy | Active Directory attacks | Intermediate |
| CEH | EC-Council | Broad security knowledge | Entry-Intermediate |
| GPEN | SANS/GIAC | Network penetration testing | Intermediate |
The OSCP (Offensive Security Certified Professional) remains the most respected hands-on certification. The 24-hour practical exam requires exploiting multiple machines in a simulated network.
Legal and Ethical Considerations
Penetration testing without authorization is illegal in most jurisdictions. Before any engagement:
- Written authorization: Signed scope document (Rules of Engagement)
- Scope boundaries: Exactly which systems/IPs are in scope
- Testing windows: When testing is allowed
- Emergency contacts: Who to call if something breaks
- Data handling: How to handle sensitive data discovered during testing
- Legal protections: Liability clauses protecting the tester
Ethical hackers follow the principle: find vulnerabilities, report them, help fix them. The goal is always to make systems more secure, never to cause harm.
Sources: OWASP Testing Guide, PTES Standard, HackerOne Hacktivity


