
Penetration Testing

penetration-testing ethical-hacking security-assessment red-team
Plain English

A penetration test (pen test) is hiring someone to break into your own systems to find the weaknesses before criminals do. The tester uses the same tools and techniques as real attackers, but with permission and a clear scope. When they finish, they deliver a report listing every vulnerability they found, how severe it is, and how to fix it. Think of it as a fire drill for your security.

Technical Definition

Penetration testing is an authorized, simulated attack on a system, network, or application to evaluate its security posture. Unlike vulnerability scanning (automated, surface-level), pen testing involves manual exploitation, chaining vulnerabilities, and demonstrating real-world impact.

Testing types by knowledge:

Type       | Tester knowledge                                           | Simulates
Black box  | No internal information                                    | External attacker with no insider knowledge
Gray box   | Partial information (credentials, network diagrams)        | Insider threat or compromised employee
White box  | Full access (source code, architecture, admin credentials) | Maximum vulnerability coverage, code review

Methodology (PTES / OWASP):

  1. Reconnaissance: passive (OSINT, DNS, public records) and active (port scanning, service enumeration)
  2. Vulnerability identification: map services to known CVEs, test for misconfigurations
  3. Exploitation: attempt to exploit identified vulnerabilities to gain access
  4. Post-exploitation: privilege escalation, lateral movement, data access, persistence
  5. Reporting: document findings with severity, evidence (screenshots, command output), and remediation guidance

Scope variants:

  • Network pen test: external (internet-facing) or internal (assume attacker is on the LAN)
  • Web application pen test: OWASP Top 10 testing against a specific application
  • Cloud pen test: misconfigurations in AWS/Azure/GCP (IAM policies, S3 buckets, security groups)
  • Red team engagement: multi-week, goal-oriented (e.g., “exfiltrate customer data”), tests detection and response, not just vulnerabilities

Common tools: Nmap (scanning), Burp Suite (web app), Metasploit (exploitation), BloodHound (Active Directory), LinPEAS/WinPEAS (privilege escalation), Responder (credential capture).

Pen test reconnaissance

# Port scanning with nmap
$ nmap -sC -sV -oA scan_results 10.0.0.0/24
PORT     STATE  SERVICE   VERSION
22/tcp   open   ssh       OpenSSH 8.9p1
80/tcp   open   http      nginx 1.24.0
443/tcp  open   ssl/http  nginx 1.24.0
3306/tcp closed mysql
8080/tcp open   http      Apache Tomcat 9.0.65

# Web application scanning with nikto
$ nikto -h https://target.example.com
+ Server: nginx/1.24.0
+ /admin/: Directory indexing found
+ /phpmyadmin/: phpMyAdmin accessible without auth

# Directory enumeration
$ gobuster dir -u https://target.example.com \
  -w /usr/share/wordlists/dirb/common.txt
/admin         (Status: 200)
/backup        (Status: 403)
/.git          (Status: 301)  # Exposed git repo!
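
The reporting step turns raw scan output like the session above into findings. As an added example (not part of the original page), the script below parses the grepable file that `-oA scan_results` also writes (`scan_results.gnmap`) and flags open services missing from an owner-supplied baseline; the `.gnmap` line and the baseline are constructed here to mirror the nmap table shown above.

```python
import re
from collections import namedtuple

# Constructed .gnmap content mirroring the scan above. Each port entry is
# port/state/proto/owner/service/rpcinfo/version/ and nmap swaps "/" for "|"
# inside field values (so ssl/http appears as ssl|http).
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sC -sV -oA scan_results 10.0.0.0/24\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//ssl|http//nginx 1.24.0/, "
    "3306/closed/tcp//mysql///, 8080/open/tcp//http//Apache Tomcat 9.0.65/"
    "\tIgnored State: filtered (995)\n"
)

# Hypothetical baseline: services the owner expects to be reachable. Any open
# service not listed here becomes a candidate finding for the report.
BASELINE = {("10.0.0.5", 22, "tcp"), ("10.0.0.5", 80, "tcp"), ("10.0.0.5", 443, "tcp")}

Service = namedtuple("Service", "host port proto name version")

def parse_gnmap(text):
    """Return the open services recorded in grepable nmap output."""
    services = []
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue  # skip closed/filtered ports and malformed entries
            port, _state, proto, _owner, name, _rpc, version = fields[:7]
            services.append(Service(host, int(port), proto, name.replace("|", "/"), version))
    return services

def unexpected_services(services, baseline):
    """Open services absent from the baseline, i.e. what goes into the findings list."""
    return [s for s in services if (s.host, s.port, s.proto) not in baseline]

if __name__ == "__main__":
    for s in unexpected_services(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"FINDING {s.host}:{s.port}/{s.proto} {s.name} {s.version}")
```
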

In the Wild

Penetration testing is a compliance requirement under PCI-DSS (requirement 11.3), SOC 2, and many regulatory frameworks. Most organizations conduct annual pen tests, with more frequent testing for critical applications. The pen test report is one of the most actionable security documents an organization receives: each finding has a severity, evidence, and fix. Common findings include: default credentials on internal services, SQL injection in web applications, overly permissive AWS IAM policies, exposed .git directories, and trivial privilege escalation via misconfigured sudo. Bug bounty programs (HackerOne, Bugcrowd) provide continuous pen testing from the global security community. For career changers, certifications like OSCP (Offensive Security Certified Professional) and CEH (Certified Ethical Hacker) validate pen testing skills.