Penetration testing for the novice

Penetration testing (also known as pen testing) is an attack on an IT infrastructure carried out to safely identify potential vulnerabilities that attackers could exploit. Performed by gaining access to the data and features of a computer system, it aims to identify security vulnerabilities that may exist in a web application, computer network or operating system, as well as incorrect configurations, application and service flaws, or suspicious end-user behavior.

Scope of penetration testing

Penetration testing also comes in handy in validating the effectiveness of various security defense mechanisms. Penetration tests are also known as white hat attacks, since the system break-in attempt involved in the process is made by the ‘good guys’.

Pen tests, which are generally an integral part of IT security audits, are also used for several other objectives, including:

  • Testing an organization’s compliance with security policies
  • Assessing employees’ awareness of IT security fundamentals
  • Identifying and responding to security incidents
  • Identifying areas where the system’s defense failed

Why use Penetration testing?

There are numerous reasons why an organization should make penetration testing a dedicated part of its process lifecycle, including:

  • Finding holes before an attacker does
  • Reporting problems to senior management
  • Verifying secure configuration
  • Training and orientation of network staff
  • Identifying gaps in compliance
  • Testing new technologies

Once the penetration tests are completed, test engineers formulate a report that is sent to the system owner or system manager, listing:

  • Potential impact on the IT architecture and on the organization in general
  • Recommended measures to strengthen security of the system to mitigate risk

Penetration testing is generally performed manually, while automated software solutions are used for testing complex IT architectures where a higher level of accuracy is required. In either case, the testing process remains the same for the most part:

  • Collection of information regarding the target (reconnaissance)
  • Identifying potential entry points
  • Break-in attempt (which may be real or virtual)
  • Reporting the findings

 


Some of the widely used penetration testing strategies are:

Targeted testing

An organization’s pen testing team works in conjunction with the IT team to conduct targeted tests. Since practically everyone in the organization can see the test being conducted, this type of testing is informally known as “lights turned on”.

External testing

As the name implies, this type of testing relates to the externally visible devices or servers of a company, such as the firewall, web servers, email servers, domain name servers, etc. The idea is to determine whether or not outside intruders can get into the system and, if so, how far or deep they can reach once they gain access.

Internal testing

This test simulates an intrusion by an authorized user having general access privileges. It aims to determine the intensity and extent up to which a disgruntled employee can cause damage to the organization’s systems and IT architecture.

Blind testing

The blind penetration testing strategy mimics the procedures and actions of a real intruder by providing almost no information about the IT setup to the testing team beforehand. In general, the team is provided with just the company name. Blind testing requires a significant time span for reconnaissance, so it can prove expensive for the organization.

Double blind testing

This type of test starts with the blind approach and takes it to a whole new level. In this sort of testing, just one or two people might be aware that a test is being carried out. The advantage of a double blind test is that it determines the incident identification and security monitoring competence of the organization.

Penetration testing tools

There’s an array of specialized automated tools used by enterprises the world over for carrying out penetration testing of their IT infrastructure. In general, penetration testing tools are of two types: vulnerability or reconnaissance testing tools and exploitation tools. While pen testing is more inclined towards exploitation utilities, professionals prefer to use some less intrusive test tools for initial scanning. Once target identification is complete, intrusive exploitation tools can be used. However, there’s a very thin line separating these tools. For instance, CORE IMPACT is generally a penetration tool, but it also has some robust reconnaissance features. Let’s have a look at some of the most widely used penetration testing tools:

 

Nmap

Nmap is one of the most widely used port scanning tools and comes in handy in the reconnaissance phase of a penetration attack. Attackers may or may not scan all ports, but for a penetration tester it is highly important to scan all available ports to ensure none of them is vulnerable. Nmap can also be used to identify the operating system of the targeted system. Different network implementations respond differently to different network packets. Nmap keeps a database of such responses and tallies what it observes against it to predict the type of operating system the targeted computer is running. Though the prediction is not 100 percent accurate, it gives the attacker a chance to adjust his attack strategy according to the available data.
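
The matching idea described above, as an added example that is not part of the original article and is not Nmap's own code. The signature table, trait names and sample replies are constructed for illustration; the second reply shows why a prediction can come back with only partial confidence.

```python
# Toy OS fingerprint matcher: compares observed reply traits with a small table.
# The table is constructed for illustration; it is not Nmap's fingerprint database.

COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Constructed signatures: trait -> expected value per OS family.
FINGERPRINTS = {
    "Linux-like":   {"ttl": 64,  "window": 29200, "df": True,  "opts": "MSS,SACK,TS,NOP,WS"},
    "Windows-like": {"ttl": 128, "window": 8192,  "df": True,  "opts": "MSS,NOP,WS,NOP,NOP,SACK"},
    "Router-like":  {"ttl": 255, "window": 4128,  "df": False, "opts": "MSS"},
}


def initial_ttl(observed_ttl):
    """Round a received TTL up to the nearest common starting value.

    Each router hop decrements TTL by one, so 117 most likely started at 128.
    """
    for start in COMMON_INITIAL_TTLS:
        if observed_ttl <= start:
            return start
    raise ValueError("TTL out of range: %r" % observed_ttl)


def score(observation, signature):
    """Fraction of traits in the signature that the observation matches."""
    normalized = dict(observation, ttl=initial_ttl(observation["ttl"]))
    hits = sum(1 for trait, value in signature.items() if normalized.get(trait) == value)
    return hits / len(signature)


def guess_os(observation):
    """Return (name, confidence) pairs, best match first."""
    ranked = [(name, score(observation, sig)) for name, sig in FINGERPRINTS.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed observations of a reply as seen by the scanning side.
CLEAN_REPLY = {"ttl": 117, "window": 8192, "df": True, "opts": "MSS,NOP,WS,NOP,NOP,SACK"}
# Same host behind a device that rewrites the window and strips options.
ALTERED_REPLY = {"ttl": 117, "window": 65535, "df": True, "opts": "MSS"}

if __name__ == "__main__":
    for label, obs in (("clean", CLEAN_REPLY), ("altered", ALTERED_REPLY)):
        print(label, guess_os(obs))
```

The clean reply matches every trait of one signature, while the altered reply matches only half of them, which is the kind of result behind a less-than-certain OS guess.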

Nessus

Nessus is a vulnerability scanning tool used regularly by the majority of security professionals. Nessus has a large inventory of vulnerabilities as well as tests to detect them. In general, Nessus depends on the target computer’s responses without exploiting the system. Reported vulnerabilities can be verified for exploitation using an exploitation tool. Nessus includes OS detection as well as port scanning features.

 

Exploitation Tools

Exploitation tools are used to confirm the existence of a vulnerability by exploiting it. Numerous exploitation tools are used by both the attackers and professional penetration testers. Unlike reconnaissance tools, the majority of exploitation software utilities are single-purpose tools used for exploiting a specific vulnerability existing on a specific hardware platform on a specific version of any exploitable system.

Some of the most prominent exploitation tools are listed below:

Metasploit Version 2.5

Metasploit is a newcomer to the penetration testing space, offering attack payloads and attack libraries that can easily be put together modularly. The main objective of Metasploit is to access the command prompt of the targeted system. Once a tester gains access to the command line on the target system, it won’t take long for him to control the entire system.

SecurityForest Exploitation Framework

SecurityForest Exploitation Framework, which is still in its technical beta, is a promising open-source utility that can certainly max out the efficiency of penetration testers. This framework is driven by an extensive library of exploit code dubbed ExploitTree. Testers can launch the exploit code from a web browser, using the Exploitation Framework as its front-end UI. Most features of SecurityForest Exploitation Framework resemble those offered by Metasploit. ExploitTree has a massive number of exploits included; however, the bulk of these exist in “precompiled” formats (mainly in C files). The exploits are not integrated natively in the Framework. Having said that, this framework’s primary functionality is to work as a GUI from where attacks can be launched.

 

Packet manipulation & password cracking tools

There’s a diversity of tools in the full-packed kitty of penetration testers, but two categories deserve a special mention here: password cracking and packet manipulation tools. For packet manipulation there are gilt-edged, deep-impact tools like hping, which give an attacker or penetration tester the power to create and send different types of specially created TCP/IP packets for testing and exploitation of network-powered security systems, including IDS/IPS and firewalls.

The password cracking category has tools like Cain and Abel or John the Ripper, which help in detecting and obtaining passwords for multiple authentication mechanisms like those supported by most Windows and Unix operating systems.