🏭 Penetration Testing Fundamentals
A penetration test is a simulated, authorized attack against a target system to identify exploitable vulnerabilities. It differs fundamentally from a vulnerability scan (an automated tool that flags known CVEs) and from a red team exercise (a long-duration, objectives-based adversary simulation).
| Pentest Type | Knowledge Level | Coverage | Cost | Use Case |
|---|---|---|---|---|
| Black Box | None — simulates external attacker | Lower — time limited by discovery | Lower | External attack surface, pre-launch check |
| Grey Box | Partial — credentials, some docs | Medium | Medium | Most common; simulates authenticated attacker |
| White Box | Full — source code, architecture docs | Highest | Higher | Deep dive, compliance requirements, code review |
Legal Authorization Is Mandatory
Penetration testing without written authorization is illegal under the Computer Fraud and Abuse Act (US), Computer Misuse Act (UK), and equivalent laws worldwide. Always obtain a signed Rules of Engagement (RoE) document that defines: in-scope systems (IP ranges, domains), out-of-scope systems, allowed testing methods, contact information for emergency stop, and test window dates.
PTES Phases (Penetration Testing Execution Standard)
- 1. Pre-Engagement — scope definition, rules of engagement, legal authorization, timeline, communication plan.
- 2. Intelligence Gathering — OSINT, passive and active reconnaissance to build target profile.
- 3. Threat Modeling — identify most likely attack paths given the target's profile and value.
- 4. Vulnerability Analysis — map discovered information to potential vulnerabilities; prioritize for exploitation.
- 5. Exploitation — attempt to exploit identified vulnerabilities to establish access or demonstrate impact.
- 6. Post-Exploitation — demonstrate business impact: data access, lateral movement, persistence, privilege escalation.
- 7. Reporting — document findings with severity ratings, evidence, and remediation guidance.
🔎 Reconnaissance & Enumeration
Passive Reconnaissance (OSINT)
- theHarvester — harvests emails, subdomains, hosts, employee names from public sources (Google, Bing, LinkedIn, Shodan).
- Maltego — visual link analysis tool. Maps relationships between domains, IPs, emails, people. Powerful for target profiling.
- Shodan — search engine for internet-connected devices. Find exposed services, open ports, and vulnerable software versions without touching the target.
- Censys — similar to Shodan; strong TLS certificate data for subdomain discovery.
- WHOIS / RDAP — domain registration data, IP ownership, ASN information.
- GitHub — search for hardcoded credentials, API keys, internal infrastructure details in public repos.
- LinkedIn — employee enumeration, technology stack from job postings, organizational structure.
Active Reconnaissance
- nmap — the standard port scanner. OS fingerprinting (-O), service/version detection (-sV), NSE scripting engine (-sC, --script).
- Gobuster / ffuf — directory and file enumeration via wordlist brute force. Find hidden paths, backup files, admin panels.
- Nikto — web server scanner. Checks for dangerous files, outdated software, security misconfigurations.
- Scout Suite — multi-cloud security auditing tool. Scans AWS, Azure, GCP for misconfigurations.
- Prowler — AWS security best practice assessment. Maps findings to CIS Benchmark and compliance frameworks.
```bash
# nmap scan examples

# Fast TCP scan — -F limits the scan to the 100 most common ports (default is the top 1000)
nmap -T4 -F target.com

# Full TCP scan with service/version detection and default NSE scripts
nmap -sV -sC -p- -T4 target.com

# UDP scan (slower but finds DNS, SNMP, TFTP)
nmap -sU -T4 --top-ports 200 target.com

# OS fingerprinting (requires root/admin)
nmap -O target.com

# NSE vulnerability scripts
nmap --script vuln target.com

# Stealth SYN scan (half-open, less noisy)
nmap -sS -T2 target.com

# Output formats for reporting — -oA writes normal (.nmap), XML (.xml) and grepable (.gnmap) files
nmap -sV -p- -oA scan_results target.com
```
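The `-oA` output above is what usually feeds the report. As an added example (not from the original page and not part of nmap itself), the following parses nmap's XML output into a findings list of open ports and renders it as a table for the appendix; the XML document embedded here is a constructed, abbreviated sample of the real `nmaprun` format.

```python
"""Parse nmap XML output (-oX / -oA) into a findings list for the pentest report.
Added example, not from the original page; the XML below is a constructed sample."""
import xml.etree.ElementTree as ET

# Constructed sample of the nmap XML format, trimmed to the elements used here.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -p- -oA scan_results target.example">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="target.example" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port: host, hostname, proto, port, service, version.
    Hosts that are not up and ports that are not open are skipped, because only
    open services are reportable attack surface."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        hn_el = host.find("hostnames/hostname")
        hostname = hn_el.get("name") if hn_el is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            version = ""
            service = ""
            if svc is not None:
                service = svc.get("name", "")
                # product and version are optional; join whichever are present
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            findings.append({
                "host": addr,
                "hostname": hostname,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": service,
                "version": version,
            })
    return findings


def to_markdown_table(findings):
    """Render the findings as a markdown table for the report appendix."""
    lines = ["| Host | Port | Service | Version |", "|---|---|---|---|"]
    for f in findings:
        lines.append(
            f"| {f['host']} ({f['hostname']}) | {f['port']}/{f['proto']} "
            f"| {f['service']} | {f['version']} |"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown_table(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Filtered ports are dropped on purpose: they are worth a sentence in the methodology section, but they are not findings.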
⚡ Exploitation Techniques
Metasploit Framework
- The most widely used exploitation framework. Modules for hundreds of known CVEs.
- Modules — exploit (delivers payload), auxiliary (scan, brute force, fuzz), post (post-exploitation), payload (shellcode, stagers).
- Meterpreter — advanced in-memory payload. File system access, privilege escalation, persistence, network pivoting — all without writing to disk.
- msfvenom — standalone payload generator. Creates executables, scripts, and shellcode for client-side attacks.
- Use responsibly and only against authorized targets — Metasploit activity is logged and detected by modern EDR solutions.
Web & Password Attacks
- SQLmap — automates SQL injection detection and exploitation. Supports union, blind, time-based, and out-of-band techniques. Can dump databases, read/write files.
- Hashcat — GPU-accelerated password cracker. Handles bcrypt, NTLM, MD5, SHA-1, and hundreds of other formats. RockYou wordlist + rules is highly effective against weak passwords.
- John the Ripper — CPU-based cracker; useful for diverse formats and rule-based attacks.
- Credential stuffing — automated login attempts with breached credentials using tools like Snipr, Storm, or custom scripts with residential proxies.
Post-Exploitation & Stealth
- Privilege escalation — SUID/SGID abuse, sudo misconfigurations, kernel exploits, scheduled tasks, DLL hijacking on Windows.
- Lateral movement — Pass-the-Hash (Windows NTLM), Pass-the-Ticket (Kerberos), SSH key reuse, credential pivoting.
- Living off the land (LOTL) — use built-in OS tools (PowerShell, WMI, certutil, net.exe) to avoid EDR detection. Minimizes attacker-created artifacts.
- Document all post-exploitation steps — the pentest report needs to show actual business impact, not just technical access.
🌐 Web Application Pentesting
Web application pentesting requires a systematic methodology. The OWASP Testing Guide (OTG) provides a comprehensive framework covering authentication, authorization, session management, input validation, and business logic testing.
Burp Suite Workflow
- Configure browser to proxy through Burp (127.0.0.1:8080). Import Burp CA certificate for HTTPS interception.
- Walk through application normally while Burp captures traffic — builds a sitemap of all endpoints.
- Use Repeater to manually probe each endpoint for injection, auth bypass, IDOR.
- Use Intruder for fuzzing parameter values, brute forcing, or enumerating user IDs.
- Run passive scan and active scan against the captured sitemap.
- Use Autorize extension to test access control by replaying requests with different roles/tokens.
Business Logic & Auth Testing
- Business logic flaws — price manipulation (negative quantities, zero-value items), workflow bypass (skip payment step), race conditions (double-spend), privilege assumption.
- Authentication bypass — SQL injection in login, forced browsing to authenticated pages, token prediction, password reset flaws (predictable tokens, user enumeration).
- File upload vulnerabilities — upload PHP/JSP/ASP webshells disguised as images. Test MIME type validation, extension filtering, and server-side execution.
- JWT attacks — alg:none, weak secret brute force (hashcat), kid injection, JWK injection.
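The `alg:none` item above comes down to one verifier mistake: letting the token's own header decide how it is verified. As an added example (not from the original page, using only the standard library), the following shows an HS256 verifier that trusts the header next to one that pins the algorithm server-side, plus a `demo()` that reports what each accepts for a forged token. The key, claims and the `demo` helper are constructed for illustration.

```python
"""JWT HS256 verification: a verifier that trusts the token's header (the alg:none
flaw) beside one that pins the algorithm. Added example, not from the original
page; key and claims are constructed."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (the server's normal path)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_trusting_header(token: str, key: bytes):
    """VULNERABLE: the token chooses its own algorithm, so 'none' skips the check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_pinned(token: str, key: bytes):
    """HARDENED: the server decides the algorithm; anything else is rejected before
    the signature is even computed, and malformed input returns None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None


def demo(key: bytes):
    """Constructed forged token: alg set to none, elevated claims, empty signature.
    Returns (what the vulnerable verifier accepts, what the pinned verifier accepts)."""
    forged = ".".join([
        b64url_encode(b'{"alg":"none","typ":"JWT"}'),
        b64url_encode(b'{"sub":"alice","role":"admin"}'),
        "",
    ])
    return verify_trusting_header(forged, key), verify_pinned(forged, key)


if __name__ == "__main__":
    print(demo(b"constructed-test-key"))
```

The same pinning principle covers the other JWT items in the list: a verifier that only ever uses its own configured key and algorithm has nothing for a `kid` or embedded JWK value to redirect.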
Advanced Web Testing
- GraphQL introspection — query the schema to enumerate all types, queries, mutations. Introspection should be disabled in production.
- GraphQL depth/complexity attacks — deeply nested or batch queries can cause DoS if no depth limit or complexity analysis is enforced.
- CORS testing — reflect arbitrary Origin header with credentials; test null origin; check for localhost origin acceptance.
- API endpoint enumeration — fuzz REST paths with ffuf/Gobuster, check Swagger/OpenAPI endpoints, examine JavaScript bundles for hardcoded API paths.
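For the depth/complexity point above, the mitigation is a check that runs before the query executes. As an added example (not from the original page or any GraphQL library), the following measures the selection-set nesting depth of a raw query string and rejects anything over a limit; it skips braces inside string literals and `#` comments so those cannot hide or fake nesting. The limit of 5 and the sample queries are constructed.

```python
"""GraphQL query depth check: reject over-nested queries before execution.
Added example, not from the original page; MAX_DEPTH and the samples are constructed."""

MAX_DEPTH = 5  # assumed policy value; tune to the deepest legitimate query


def query_depth(query: str) -> int:
    """Maximum nesting depth of selection sets, counting the outermost '{' as 1.
    Braces inside ordinary string literals and '#' comments are ignored."""
    depth = max_depth = 0
    in_string = in_comment = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_comment:
            if ch == "\n":
                in_comment = False
        elif in_string:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == "#":
            in_comment = True
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth


def accept_query(query: str, limit: int = MAX_DEPTH) -> bool:
    """Gate to run before handing the query to the executor."""
    return query_depth(query) <= limit


# Constructed samples
SHALLOW = "{ user(id: 1) { name email } }"
DEEP = "{ user { friends { friends { friends { friends { friends { name } } } } } } }"
STRINGY = '{ search(term: "{{{ not nesting") { id } }'
COMMENTED = "# { { { comment braces\n{ viewer { id } }"

if __name__ == "__main__":
    for q in (SHALLOW, DEEP, STRINGY, COMMENTED):
        print(query_depth(q), accept_query(q))
```

Depth alone does not bound cost for wide or aliased queries; production servers pair this with a complexity score per field, but the depth gate is the cheapest first line and stops the recursive-relationship case the list describes.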
Automated Scanners Miss 60–70% of Web Vulnerabilities
DAST tools are excellent at finding injection and misconfiguration but consistently miss business logic flaws, multi-step authentication bypasses, and second-order vulnerabilities. A scanner cannot understand that a user's account balance should never be negative, or that a discount code should only be used once. Manual testing by an experienced tester is essential for any application that processes sensitive data or financial transactions.
📄 Reporting & Remediation
Pentest Report Structure
- Executive Summary — 1–2 pages for non-technical leadership. Overall risk posture, critical findings count, top 3 business risks. No technical jargon.
- Methodology — scope, dates, testing approach, tools used, limitations.
- Technical Findings — one page per finding: title, severity (CVSS), description, steps to reproduce, evidence (screenshots, request/response), impact, remediation.
- Risk Summary — findings matrix by severity, overall risk rating.
- Appendices — full scan output, raw evidence, tool configurations.
CVSS Scoring
- CVSS v3.1 scores range from 0.0–10.0: Critical (9.0–10.0), High (7.0–8.9), Medium (4.0–6.9), Low (0.1–3.9).
- Base score components: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality/Integrity/Availability impact.
- Temporal score adjusts for exploit maturity and remediation status.
- Environmental score adjusts for your specific environment and asset criticality.
- CVSS is a starting point — business context may justify rating a "Medium" CVSS as "Critical" for your specific asset.
Remediation Tracking & Retest
- Every finding needs an owner, remediation guidance, and SLA (critical: fix in 7 days, high: 30 days, medium: 90 days).
- Include a retest — verify that the fix actually addresses the vulnerability and didn't introduce a regression.
- Track findings to closure in a ticketing system; don't let pentest findings disappear into a PDF.
- Bug bounty programs (HackerOne, Bugcrowd) provide continuous testing by the security community — an ongoing pentest at variable cost, paid per valid finding.
A Finding With No Remediation Path Is a Wasted Finding
Pentest reports are only valuable if they drive remediation. Every finding must include actionable, specific remediation guidance — not just "fix the SQL injection." Include the specific code pattern to change, the library or framework function to use instead, and a code example. Vague remediation ("sanitize user input") results in developers guessing and often re-introducing the same vulnerability in a slightly different form.