Basic Pentesting Concepts

The document discusses penetration testing, including what it is, its benefits, types of penetration tests, and comparisons to security audits and vulnerability assessments. Penetration testing evaluates an organization's security by simulating real-world attacks against networks, systems, and applications.

Uploaded by

Hdhdh

Foundation of Penetration Testing

• Introduction
• Benefits of penetration test
• Scope and engagement
• Difference between security audit, vulnerability assessment and penetration test
• Types of penetration test
• Strategies of penetration test
• Difference between manual and automated penetration testing
• Common areas of penetration testing
• Operating systems used for penetration testing
• Common tools used in penetration testing


Penetration testing, also called pen testing, goes a step beyond vulnerability scanning in security assessment. Unlike vulnerability scanning, which examines the security of individual computers, network devices or applications, penetration testing assesses the security model of the network as a whole. Penetration testing can reveal the potential consequences of a real attacker breaking into the accounts of network administrators, IT managers, and executives.

What is penetration testing?

Penetration testing is a type of security testing that evaluates an organization's ability to protect infrastructure such as networks, applications, systems and users from external as well as internal threats.

Penetration testing involves a systematic and comprehensive examination of an organization's information systems, including its networks, applications, and infrastructure.
Benefits of conducting penetration test

• Identifying Vulnerabilities: Penetration tests help identify vulnerabilities and weaknesses in an organization's systems, networks, and applications. By simulating real-world attacks, organizations can discover potential entry points for malicious actors.
• Risk Mitigation: Identifying and addressing vulnerabilities proactively through penetration testing allows organizations to mitigate the risk of security breaches. By fixing weaknesses before they can be exploited, organizations reduce the likelihood of data breaches and other security incidents.
• Compliance Requirements: Many regulatory standards and compliance frameworks require organizations to conduct regular security assessments, including penetration testing. Meeting these requirements helps organizations avoid legal and financial consequences while demonstrating a commitment to cybersecurity best practices.
• Security Awareness: Penetration testing raises awareness among stakeholders about potential security risks. It helps educate employees, management, and other relevant parties about the importance of cybersecurity and the potential impact of security incidents.
• Testing Incident Response: Penetration tests can evaluate an organization's incident response capabilities. By simulating a cyberattack, organizations can assess how well their security teams detect, respond to, and mitigate security incidents.
• Prioritizing Remediation Efforts: Penetration test reports provide insights into the severity of vulnerabilities and their potential impact on the organization. This information helps prioritize remediation efforts, focusing on addressing the most critical issues first.
• Enhancing Security Controls: Penetration tests evaluate the effectiveness of existing security controls. Organizations can use the results to fine-tune and improve their security measures, ensuring a more robust defense against cyber threats.
• Business Continuity: Identifying and addressing vulnerabilities helps ensure business continuity by reducing the risk of disruptions caused by security incidents. This is particularly important for critical systems and services that are essential for daily operations.
• Protecting Reputation: A successful penetration testing program can contribute to building and maintaining trust with customers, partners, and stakeholders. Demonstrating a commitment to security reassures others that the organization takes the protection of sensitive information seriously.
• Cost Savings: Proactively addressing vulnerabilities through penetration testing can potentially save organizations significant costs associated with data breaches, legal consequences, and reputation damage.
Comparison between Security Audit, Vulnerability Assessment and Penetration Testing

Security Audit

Purpose: A security audit is a systematic evaluation of an organization's information systems, policies, and procedures. It aims to ensure that security controls are in place, effective, and compliant with industry standards and regulations.

Focus: The focus of a security audit is on examining the overall security posture of an organization, including its policies, processes, and technical controls.

Methods: Security audits involve reviewing documentation, interviewing personnel, and assessing the implementation of security controls. It may include a review of access controls, data protection measures, and compliance with relevant laws and regulations.

Outcome: The result of a security audit is a comprehensive report that highlights areas of compliance, areas for improvement, and recommendations for enhancing security.

Vulnerability Assessment

Purpose: A vulnerability assessment is a systematic process of identifying, quantifying, and prioritizing vulnerabilities in a system or network.

Focus: The primary focus of a vulnerability assessment is to discover potential weaknesses in the infrastructure, applications, and configurations that could be exploited by attackers.

Methods: Vulnerability assessments typically use automated tools to scan networks and systems for known vulnerabilities. The assessment may include both external and internal scans to identify security flaws in various components.

Outcome: The outcome of a vulnerability assessment is a list of identified vulnerabilities, their severity levels, and recommendations for remediation. It provides a snapshot of the organization's current security posture.

Penetration Testing

Purpose: Penetration testing, also known as ethical hacking, involves simulating real-world cyberattacks to identify and exploit vulnerabilities in a controlled and ethical manner.

Focus: The primary focus of penetration testing is to actively test the security defenses of an organization by attempting to exploit weaknesses. It provides insights into how an attacker might compromise systems and networks.

Methods: Penetration testing involves a combination of automated tools and manual testing techniques. It often includes activities such as network penetration testing, web application testing, and social engineering to assess the organization's overall security resilience.

Outcome: The outcome of a penetration test is a detailed report that includes information on successful exploits, areas of weakness, and recommendations for improving security. It helps organizations understand their security posture from an attacker's perspective.
Types of penetration tests

• Goal-Oriented Penetration Testing
• Compliance-Oriented Penetration Testing
• Red Team-Oriented Penetration Testing
Goal-Oriented Penetration Testing

Objective: The primary focus of goal-oriented penetration testing is to achieve specific objectives or simulate targeted attacks based on identified risks or scenarios. These tests are tailored to address particular concerns, assess the security of critical assets, or validate the effectiveness of specific security controls.

Example: A financial institution might conduct a goal-oriented penetration test to assess the security of its online banking system with a specific emphasis on protecting customer financial data.

Compliance-Oriented Penetration Testing

Objective: Compliance-oriented penetration testing is conducted to meet regulatory or industry-specific requirements. Organizations subject to compliance standards, such as PCI DSS (Payment Card Industry Data Security Standard) or HIPAA (Health Insurance Portability and Accountability Act), may perform these tests to ensure they adhere to the mandated security practices.

Example: An e-commerce platform may undergo compliance-oriented penetration testing to validate adherence to PCI DSS standards and ensure the secure handling of credit card information.

Red Team-Oriented Penetration Testing

Objective: Red team-oriented penetration testing involves simulating realistic cyberattacks to assess an organization's overall security posture. Unlike other forms of testing, the goal of a red team exercise is to emulate a sophisticated and persistent adversary, often without providing specific guidelines to defenders.

Example: A red team might be engaged to conduct a covert attack on an organization, testing not only technical defenses but also the ability of the security team to detect and respond to the simulated threat.
Strategies of penetration testing:

Black box testing

Definition: In black box testing, the tester has no knowledge of the internal workings, code, or implementation details of the software being tested.

Objective: The focus is on evaluating the system's functionalities, input-output behavior, and overall compliance with specifications or requirements.

Methodology: Testers approach black box testing from an external perspective, treating the system as a "black box" where inputs are provided, and outputs are observed. Test cases are designed based on functional specifications, and the goal is to uncover errors or deviations in the expected behavior without knowledge of the internal code structure.

Advantages: Emphasizes user experience and requirements validation. Testers do not need programming knowledge.

White box testing

Definition: In white box testing, the tester has full knowledge of the internal code, structure, and implementation details of the software being tested.

Objective: The focus is on assessing the internal logic, paths, and structure of the code, aiming to uncover issues related to code quality, security vulnerabilities, and optimization opportunities.

Methodology: Testers design test cases based on an understanding of the source code. Testing activities include code coverage analysis, path testing, and structural testing to ensure that all code paths are exercised and that the internal logic functions correctly.

Advantages: Allows for in-depth analysis of code quality, logic, and internal structures. Effective for uncovering hidden errors and security vulnerabilities.

Grey box testing

Definition: Grey box testing combines elements of both black box and white box testing. The tester has partial knowledge of the internal workings of the system.

Objective: The focus is on assessing both functional aspects and internal structures to uncover defects and vulnerabilities that may not be apparent with only one perspective.

Methodology: Testers have limited knowledge of the internal code, which may include high-level design documents, database schemas, or architectural diagrams. This knowledge is used to design test cases that consider both functional and structural aspects of the system.

Advantages: Strikes a balance between the thoroughness of white box testing and the user-centric approach of black box testing. Useful for uncovering a broad range of issues.
• Methods of penetration testing:
- Manual penetration testing
- Automated penetration testing
Common areas of penetration testing

• Network penetration testing
• Web application penetration testing
• Social engineering penetration testing
• Wireless network penetration testing
• Mobile device penetration testing
• Cloud penetration testing
Network penetration testing

• Identify Vulnerabilities: Discover and assess weaknesses, misconfigurations, and vulnerabilities in network devices, servers, and other components.
• Evaluate Security Controls: Assess the effectiveness of security controls such as firewalls, intrusion detection/prevention systems, and access controls.
• Simulate Real-world Attacks: Mimic the tactics, techniques, and procedures (TTPs) of malicious actors to understand potential attack scenarios and weaknesses.
• Test Incident Response: Evaluate the organization's ability to detect, respond to, and mitigate security incidents within the network.
• Verify Compliance: Ensure that the network complies with industry regulations, standards, and internal security policies.
Common network attacks

• Distributed Denial-of-Service (DDoS) Attack
• Man-in-the-Middle (MitM) Attack
• Packet Sniffing (Eavesdropping)
• Worms and Malware Propagation
• Zero-Day Exploits

Common web application attacks

• Brute Force Attack
• Injection Attacks
• Fuzz Testing (Fuzzing)
• Cross-Site Scripting (XSS)
• DDoS (Distributed Denial-of-Service)
• Cross-Site Request Forgery (CSRF)
• XML External Entity (XXE)
• Path Traversal
• IDOR
• Broken Access Control
Social engineering penetration testing

• Social engineering penetration testing is a cybersecurity practice that assesses an organization's susceptibility to manipulation and deceit by simulating various social engineering attacks. These attacks exploit human psychology to trick individuals into divulging sensitive information, providing unauthorized access, or performing actions that could compromise security. Social engineering penetration testing helps organizations identify weaknesses in their human-centric defenses and implement measures to mitigate these risks.

Types of social engineering attacks

• Phishing
• Whaling
• Baiting
• Diversion Theft
• Business Email Compromise (BEC)
• Pretexting
Wireless network penetration testing

• Wireless network penetration testing, also known as Wi-Fi penetration testing or wireless security testing, aims to assess the security of wireless networks and identify potential vulnerabilities that could be exploited by unauthorized individuals. This type of testing helps organizations ensure the confidentiality and integrity of their wireless communications.

Wi-Fi adapter
Cloud penetration testing

• Cloud penetration testing, also known as cloud security testing or cloud security assessment, is the process of evaluating the security of cloud-based infrastructures, services, and applications. The objective is to identify and address vulnerabilities that could be exploited by attackers to compromise the confidentiality, integrity, and availability of data and resources stored in or processed by cloud environments. Cloud penetration testing typically involves assessing the security controls, configurations, and architecture of cloud platforms.

Common cloud vulnerabilities

• Inadequate Identity and Access Management (IAM)
• Insecure Application Programming Interfaces (APIs)
• Misconfigured Storage Buckets
• Insecure Object and Data Storage
• Insecure Serverless Implementations
• Supply Chain Risks

Insecure APIs: Vulnerabilities in APIs, including improper authentication, lack of proper input validation, and insecure direct object references.

Inadequate Identity and Access Management (IAM): Weaknesses in user authentication, authorization, and access control mechanisms can lead to unauthorized access to cloud resources.

Mobile penetration testing

• Mobile penetration testing, also known as mobile app security testing or mobile application penetration testing, involves assessing the security of mobile applications to identify and address vulnerabilities that could be exploited by attackers. As mobile devices and applications continue to play a crucial role in personal and business activities, ensuring the security of mobile apps is essential.

Top vulnerabilities: https://owasp.org/www-project-mobile-top-10/
Operating systems used for penetration testing

• Kali Linux
• Parrot OS
• BlackArch Linux
• BackBox
• etc.
Important directories in Kali Linux

• /bin (binaries): This directory contains Linux binaries like the cd and ls commands that we executed earlier.
• /sbin (system binaries): This directory holds system binary files that serve as administrative commands (like fdisk).
• /boot: This directory contains the Linux bootloader files.
• /dev (devices): This directory contains the device configuration files (like /dev/null).
• /sys: This is similar to /dev, which contains configurations about devices and drivers.
• /etc (etcetera): This directory contains all the administration system files (for example, /etc/passwd lists all the system users in Kali Linux).
• /lib (libraries): This directory holds the shared libraries for the binaries inside /bin and /sbin.
• /proc (processes): This directory contains the processes and kernel information files.
• /lost+found: As the name suggests, this directory contains files that have been recovered.
• /mnt (mount): This directory contains the mounted directories (for example, a remote file share).
• /media: This directory holds the mount points for removable media (like a DVD).
• /opt (option): This directory is used for add-on software package installation. It is also used when installing software by users (for example, hacking tools that you download from GitHub).
• /tmp (temporary): This is a temporary folder; its contents are wiped after each reboot. The tmp folder is a good place to download our tools for privilege escalation once we have a limited shell.
• /usr (user): This directory contains many sub-directories. In fact, /usr/share/ is a folder that we need to memorize because most of the tools that we use in Kali Linux (like Nmap, Metasploit, etc.) are stored there, and it also contains the wordlist dictionary files (/usr/share/wordlists).
• /home: This is the home for Kali Linux users (for example, /home/kali/).
• /root: Home directory for the root user.
• /srv (serve): This folder contains some data related to system server functionalities (like data for FTP servers).
• /var (variable): This folder contains variable data for databases, logs, and websites. For example, /var/www/html/ contains the files for the Apache2 web server.
• /run (runtime): This directory holds runtime system data (like currently logged-in users).
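The list above says that /etc/passwd lists every system account. The following script is an added example, not part of the original slides, showing how a tester or administrator reads that file from a defensive angle: which accounts can actually log in, whether any account other than root has UID 0, and which interactive accounts keep their home directory outside /home or /root. The function names (login_users, extra_uid0, odd_homes) and the sample passwd content are constructed for this example; the sample includes a deliberately suspicious "svcadm" line so the checks have something to find.

```shell
#!/bin/sh
# Added example (not from the slides): audit a file in /etc/passwd layout.
# Runs against a constructed sample so it works anywhere; set PASSWD_FILE=/etc/passwd
# to audit a real host.

SAMPLE_DIR=$(mktemp -d)
PASSWD_FILE="$SAMPLE_DIR/passwd"

# Constructed sample. Field layout: name:password:UID:GID:GECOS:home:shell
# "svcadm" is a constructed bad line: UID 0, home in /var/tmp, interactive shell.
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
kali:x:1000:1000:Kali,,,:/home/kali:/usr/bin/zsh
svcadm:x:0:1001:service admin:/var/tmp:/bin/sh
EOF

# Accounts that can log in interactively: shell field is neither *nologin nor *false.
login_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Any account with UID 0 besides root shares root's privileges and is a finding.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Interactive accounts whose home directory is outside /home or /root.
odd_homes() {
    awk -F: '$6 !~ /^\/(home|root)/ && $7 !~ /(nologin|false)$/ { print $1 ":" $6 }' "$1"
}

printf 'Interactive accounts:\n';                  login_users "$PASSWD_FILE"
printf 'Extra UID-0 accounts:\n';                  extra_uid0 "$PASSWD_FILE"
printf 'Interactive accounts with unusual homes:\n'; odd_homes "$PASSWD_FILE"
```

On the constructed sample the three checks report root, kali and svcadm as interactive; svcadm as an extra UID-0 account; and svcadm:/var/tmp as the only unusual home. Each function takes the file path as its argument, so the same checks run unchanged against /etc/passwd on a real system.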
Linux commands:

• ls - The most frequently used command in Linux to list directories
• pwd - Print working directory command in Linux
• cd - Linux command to navigate through directories
• mkdir - Command used to create directories in Linux
• mv - Move or rename files in Linux
• cp - Similar usage as mv but for copying files in Linux
• rm - Delete files or directories
• touch - Create blank/empty files
• cat - Display file contents on the terminal
• clear - Clear the terminal display
• echo - Print any text that follows the command
• man - Access manual pages for all Linux commands
• uname - Linux command to get basic information about the OS
• ps - Display active processes
• kill and killall - Kill active processes by process ID or name
• mount - Mount file systems in Linux
• chmod - Command to change file permissions
• chown - Command for granting ownership of files or folders
• ifconfig - Display network interfaces and IP addresses
• traceroute - Trace all the network hops to reach the destination
• wget - Direct download files from the internet
• iptables - Base firewall for all other firewall utilities to interface with
• locate - Find files by name using the prebuilt file-name index
• whoami - Get the active username
• tar - Command to extract and compress files in Linux
• grep - Search for a string within an output
• head - Return the specified number of lines from the top
• tail - Return the specified number of lines from the bottom
• diff - Find the difference between two files
• cmp - Allows you to check if two files are identical
• comm - Combines the functionality of diff and cmp
• sort - Linux command to sort the content of a file while outputting
• zip - Zip files in Linux
• unzip - Unzip files in Linux
• ssh - Secure Shell command in Linux
• service - Linux command to start and stop services
• apt, pacman, yum, rpm - Package managers depending on the distro
• sudo - Command to escalate privileges in Linux
• whereis - Locate the binary, source, and manual pages for a command
• whatis - Find what a command is used for
• top - View active processes live with their system usage
• useradd and usermod - Add new user or change existing users' data
• passwd - Create or update passwords for existing users
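Several of the commands above (sort, comm, diff, cmp, grep) are most useful in combination. The script below is an added example, not from the original slides, that uses them to compare two snapshots of the services listening on a host and to flag listeners that are not on an allow-list, a routine check during both a network test and day-to-day defence. The snapshots, the allow-list and the function names (added_lines, removed_lines, snapshots_identical, unexpected_services) are all constructed for this example; real snapshots would come from a tool such as ss or netstat.

```shell
#!/bin/sh
# Added example (not from the slides): compare two constructed listening-service
# snapshots with sort/comm/diff/cmp and filter them with grep.
export LC_ALL=C            # fixed collation so sort and comm agree on line order

WORK=$(mktemp -d)
BASELINE="$WORK/baseline.txt"
CURRENT="$WORK/current.txt"
APPROVED="$WORK/approved.txt"

# Constructed baseline snapshot: "port proto program", one listener per line.
cat > "$BASELINE" <<'EOF'
22 tcp sshd
80 tcp apache2
443 tcp apache2
EOF

# Constructed later snapshot: port 80 is gone, two new listeners appeared.
cat > "$CURRENT" <<'EOF'
22 tcp sshd
443 tcp apache2
4444 tcp nc
8080 tcp python3
EOF

# Constructed allow-list of programs expected to listen on this host.
cat > "$APPROVED" <<'EOF'
sshd
apache2
EOF

# comm needs sorted input, so both files are sorted into scratch copies first.
# comm -13 suppresses columns 1 and 3, leaving lines that exist only in $2.
added_lines() {
    sort "$1" > "$WORK/left.sorted"
    sort "$2" > "$WORK/right.sorted"
    comm -13 "$WORK/left.sorted" "$WORK/right.sorted"
}

# comm -23 leaves lines that exist only in $1: listeners that disappeared.
removed_lines() {
    sort "$1" > "$WORK/left.sorted"
    sort "$2" > "$WORK/right.sorted"
    comm -23 "$WORK/left.sorted" "$WORK/right.sorted"
}

# cmp -s prints nothing and reports byte-for-byte equality via its exit status.
snapshots_identical() {
    if cmp -s "$1" "$2"; then echo yes; else echo no; fi
}

# grep -v -w -F -f: drop every line that contains an approved program name as a
# whole fixed-string word; what remains are listeners not on the allow-list.
unexpected_services() {
    grep -v -w -F -f "$2" "$1"
}

printf 'Identical snapshots? %s\n' "$(snapshots_identical "$BASELINE" "$CURRENT")"
printf 'New listeners:\n';        added_lines "$BASELINE" "$CURRENT"
printf 'Removed listeners:\n';    removed_lines "$BASELINE" "$CURRENT"
printf 'Not on the allow-list:\n'; unexpected_services "$CURRENT" "$APPROVED"
printf 'Unified diff:\n';         diff -u "$BASELINE" "$CURRENT" || true   # diff exits 1 when files differ
```

With the constructed data, added_lines reports "4444 tcp nc" and "8080 tcp python3", removed_lines reports "80 tcp apache2", the snapshots are not identical, and the same two new listeners are the ones missing from the allow-list. Sorting before comm matters: comm assumes sorted input and silently produces wrong columns otherwise, which is why both helpers sort into scratch files rather than trusting the snapshot order.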
