Introduction to Penetration Testing

Penetration testing (pentesting) is the practice of simulating real-world attacks against systems, networks, and applications — with explicit authorisation — to identify vulnerabilities before malicious actors do. This lesson covers the fundamentals: what pentesting is, the different types, industry-standard methodologies, and the critical legal and ethical framework you must follow.

---

Important: Every technique in this course must only be used on systems you own or have written permission to test. Unauthorised access to computer systems is a criminal offence in virtually every jurisdiction.

---

What Is Penetration Testing?

A penetration test is a controlled, authorised attempt to exploit vulnerabilities in a target system. The goal is to:

• Discover security weaknesses before attackers do
• Demonstrate the real-world impact of those weaknesses
• Provide actionable remediation recommendations
• Validate that existing security controls work as intended

Pentesting vs Vulnerability Scanning

Aspect	Vulnerability Scan	Penetration Test
Automation	Fully automated	Manual + automated
Depth	Surface-level	Deep exploitation
False positives	Common	Verified by exploitation
Risk demonstration	Theoretical	Proven impact
Frequency	Weekly/monthly	Quarterly/annually
Skill required	Low–medium	High

---

Types of Penetration Testing

By Knowledge Level

┌───────────────────────────────────────────────────────┐
│                                                       │
│   Black Box          Grey Box          White Box      │
│   ──────────         ────────          ─────────      │
│   No internal        Partial           Full access    │
│   knowledge          knowledge         to source,     │
│                      (some creds,      architecture,  │
│   Simulates an       limited docs)     credentials    │
│   external                                            │
│   attacker           Simulates an      Simulates an   │
│                      insider or        insider with    │
│                      partner           full access     │
│                                                       │
└───────────────────────────────────────────────────────┘

Type	Knowledge Given	Simulates	Time Required
Black box	None	External attacker	Longest
Grey box	Partial (e.g. user creds)	Insider / partner	Medium
White box	Full (source code, diagrams)	Trusted insider	Shortest

By Target

• Network pentest — internal/external infrastructure, servers, firewalls
• Web application pentest — websites, APIs, authentication flows
• Mobile application pentest — iOS/Android apps and their backends
• Wireless pentest — WiFi networks, Bluetooth
• Social engineering — phishing, pretexting, physical access
• Cloud pentest — AWS, Azure, GCP configurations
• IoT pentest — embedded devices, firmware

---

Penetration Testing Methodologies

OWASP Testing Guide

The Open Web Application Security Project provides a comprehensive testing guide focused on web applications:

• 66 controls across 11 categories
• Detailed test procedures for each control
• Regularly updated to reflect new attack vectors
• Free and community-driven

PTES (Penetration Testing Execution Standard)

┌──────────────┐   ┌──────────────┐   ┌──────────────┐
│ 1. Pre-      │──▶│ 2. Intel     │──▶│ 3. Threat    │
│  engagement  │   │  Gathering   │   │  Modelling   │
└──────────────┘   └──────────────┘   └──────────────┘
       │                                      │
       ▼                                      ▼
┌──────────────┐   ┌──────────────┐   ┌──────────────┐
│ 7. Reporting │◀──│ 6. Post-     │◀──│ 5. Exploit-  │
│              │   │  Exploitation│   │  ation       │
└──────────────┘   └──────────────┘   └──────────────┘
                                              ▲
                                              │
                                   ┌──────────────┐
                                   │ 4. Vuln      │
                                   │  Analysis    │
                                   └──────────────┘

Seven phases: Pre-engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting.

OSSTMM (Open Source Security Testing Methodology Manual)

• Focuses on operational security and measurable results
• Defines a Risk Assessment Value (RAV) for quantifiable metrics
• Covers five channels: Human, Physical, Wireless, Telecommunications, Data Networks

NIST SP 800-115

• US government standard for technical security testing
• Covers planning, execution, and reporting phases
• Often required for government/defence contracts

---

Legal and Ethical Considerations

Always Get Written Authorisation

Before any testing begins, you must have:

1. A signed contract / statement of work (SOW)
2. Written authorisation (permission to test)
3. Clearly defined scope — what is in/out of bounds
4. Rules of engagement — hours, techniques, escalation procedures
5. Emergency contact details — who to call if something breaks
6. Data handling agreement — how findings and captured data are stored/destroyed

Rules of Engagement (RoE) Checklist

Item	Description
Scope	IP ranges, domains, applications in scope
Exclusions	Systems/networks explicitly excluded
Testing window	Permitted hours/days (e.g. business hours only)
Allowed techniques	Social engineering, DoS testing, physical access?
Notification	Will defenders (SOC/blue team) be informed?
Data handling	Encryption, storage, deletion timeline
Escalation procedure	Steps if critical vulnerability or system crash occurs
Point of contact	Client-side and tester-side emergency contacts

Relevant Laws

Jurisdiction	Law
UK	Computer Misuse Act 1990
US	Computer Fraud and Abuse Act (CFAA)
EU	Directive 2013/40/EU on attacks against info systems
Australia	Criminal Code Act 1995, Part 10.7

Remember: "I was just testing" is not a legal defence without written authorisation.

---

The Pentest Lifecycle

1. Scoping & Planning
   └──▶ 2. Reconnaissance
        └──▶ 3. Scanning & Enumeration
             └──▶ 4. Exploitation
                  └──▶ 5. Post-Exploitation
                       └──▶ 6. Reporting
                            └──▶ 7. Remediation & Retesting

Each phase builds on the previous one. This course dedicates a lesson to each major phase.

---

Essential Pentesting Platforms

Platform	Type	Description
Kali Linux	OS	Debian-based distro with 600+ security tools
Parrot OS	OS	Security-focused distro, lighter than Kali
HackTheBox	Lab	Online platform with vulnerable machines
TryHackMe	Lab	Guided learning paths with virtual rooms
VulnHub	Lab	Downloadable vulnerable VMs
DVWA	Practice app	Deliberately vulnerable web application

---

Certifications Roadmap

Beginner ──▶ CompTIA Security+ / CEH
             │
             ▼
Intermediate ──▶ eJPT / PNPT
                 │
                 ▼
Advanced ──▶ OSCP / OSWE / GPEN
             │
             ▼
Expert ──▶ OSCE3 / OSEE / GXPN

---

Summary

• Penetration testing is the authorised simulation of real attacks to find vulnerabilities.
• Tests can be black, grey, or white box depending on the information provided.
• Industry methodologies include OWASP, PTES, OSSTMM, and NIST SP 800-115.
• Legal authorisation and clearly defined rules of engagement are mandatory before any testing.
• The pentest lifecycle flows from scoping through reconnaissance, scanning, exploitation, post-exploitation, and reporting.
• Always operate within legal and ethical boundaries — never test without permission.