Penetration Testing

Penetration Testing is a security assessment methodology that simulates real attacks to identify vulnerabilities before they can be exploited by malicious attackers.

Pentesting Methodologies

OWASP Testing Guide

Comprehensive framework for security testing of web applications, covering everything from information gathering to business logic testing.

PTES (Penetration Testing Execution Standard)

Methodology structured into 7 phases: pre-engagement, information gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting.

OSSTMM

Open Source Security Testing Methodology Manual - a scientific methodology for security testing across various channels (human, physical, wireless, telecommunications, and networks).

Phases of Penetration Testing

1. Reconnaissance

  • Passive: Information gathering without direct interaction (OSINT, DNS, WHOIS)
  • Active: Network scanning, service enumeration, technology identification
  • Tools: Nmap, Recon-ng, theHarvester, Shodan, Maltego

2. Scanning & Enumeration

  • Port scanning and service fingerprinting
  • Automated vulnerability scanning
  • Enumeration of users, shares, and services
  • Tools: Nessus, OpenVAS, Nikto, enum4linux

3. Gaining Access (Exploitation)

  • Exploitation of identified vulnerabilities
  • SQL Injection, XSS, Command Injection
  • Buffer Overflow, privilege escalation
  • Tools: Metasploit, Burp Suite, SQLmap, Cobalt Strike

4. Maintaining Access (Post-Exploitation)

  • Installation of backdoors and persistence mechanisms
  • Privilege escalation (horizontal and vertical)
  • Pivoting and lateral movement
  • Data exfiltration

5. Covering Tracks

  • Cleanup of logs and evidence
  • Demonstration of evasion techniques
  • Documentation of the activities performed

Types of Pentesting

Black Box

The tester has no prior knowledge of the target. Simulates a realistic external attack.

White Box

The tester has complete knowledge (source code, architecture, credentials). Enables deeper analysis.

Gray Box

Partial knowledge of the system. Simulates an attack from an insider or privileged user.

Essential Tools

Frameworks and Distributions

  • Kali Linux: Complete distribution with 600+ tools
  • Parrot OS: Alternative focused on privacy and forensics
  • Metasploit Framework: Exploitation and exploit development suite

Web Application Testing

  • Burp Suite: Intercepting proxy and web scanner
  • OWASP ZAP: Open-source automated scanner
  • SQLmap: Automated SQL injection tool
  • Nikto: Web vulnerability scanner

Network Penetration

  • Nmap: Network scanner and service detection
  • Wireshark: Network traffic analysis
  • Responder: LLMNR/NBT-NS/MDNS poisoning
  • Impacket: Python suite for network protocols

Password Cracking

  • John the Ripper: Classic password cracker
  • Hashcat: GPU-accelerated cracker
  • Hydra: Brute force for network services
  • CrackMapExec: Post-exploitation in Windows environments

Common Attack Vectors

Web Applications

  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • XML External Entity (XXE)
  • Insecure Deserialization

Network & Infrastructure

  • Man-in-the-Middle (MitM)
  • ARP Spoofing and DNS Poisoning
  • SMB Relay attacks
  • Kerberoasting
  • Pass-the-Hash/Pass-the-Ticket

Social Engineering

  • Phishing campaigns
  • Vishing (voice phishing)
  • Physical intrusion testing
  • USB drop attacks

Pentesting Report

A quality report should include:

  • Executive Summary: High-level overview for management
  • Methodology: Approach and scope of the test
  • Identified Vulnerabilities: Classified by severity (CVSS)
  • Technical Exploitation: Technical details with screenshots and PoCs
  • Recommendations: Prioritized remediation measures
  • Appendices: Logs, scripts, technical evidence

Professional Certifications

  • OSCP: Offensive Security Certified Professional
  • CEH: Certified Ethical Hacker
  • GPEN: GIAC Penetration Tester
  • CRTP: Certified Red Team Professional
  • PNPT: Practical Network Penetration Tester

Legal and Ethical Aspects

  • Always obtain written authorization (RoE - Rules of Engagement)
  • Clearly define scope and limitations
  • Respect privacy and data protection laws
  • Do not cause damage to the tested systems
  • Maintain confidentiality of the information discovered
  • Follow a professional code of ethics (EC-Council, SANS)

Penetration Testing is an essential discipline for validating an organization's security posture. It combines deep technical knowledge, structured methodology, and creative thinking to simulate real attacks. An effective pentest goes beyond automated scanners, requiring manual analysis, an understanding of the business context, and clear communication of the risks found.