# Penetration Testing Introduction
Ethical hacking basics. Learn how security professionals find vulnerabilities before attackers do.
## 🎯 What You'll Learn
- Understand what penetration testing is
- Learn the phases of a pentest
- Know common tools and techniques
- See how it fits in security programs
- Start your pentesting journey
## Think Like an Attacker
Penetration testing (pentesting) is authorized hacking — simulating real attacks to find vulnerabilities before malicious actors do.
Instead of waiting to be breached, you hire someone to try to breach you first.
### The Pentesting Mindset
| Attacker | Defender |
|---|---|
| Needs ONE way in | Must protect EVERYTHING |
| Has unlimited time | Has limited budget |
| Can be creative | Must follow rules |
Pentesters adopt the attacker mindset within ethical and legal boundaries.
## Types of Penetration Tests
### By Scope
| Type | What’s Tested |
|---|---|
| Network | Infrastructure, servers, devices |
| Web Application | Websites, APIs |
| Mobile | iOS/Android apps |
| Social Engineering | Human vulnerabilities |
| Physical | Building access, hardware |
### By Knowledge
| Type | Tester Knowledge |
|---|---|
| Black Box | No prior information |
| Gray Box | Some information (typical user access) |
| White Box | Full information (source code, diagrams) |
## The Pentesting Phases
1. Reconnaissance → 2. Scanning → 3. Exploitation → 4. Post-Exploit → 5. Report
---
## Phase 1: Reconnaissance
Gather information before attacking.
### Passive Reconnaissance
You query third parties (registrars, public DNS resolvers, search engines) rather than the target's own servers, so the target sees nothing from you:
```bash
# WHOIS lookup: registrar, registration dates, sometimes contact names
whois example.com
# DNS records (many resolvers refuse ANY per RFC 8482; ask per record type instead)
dig example.com ANY
dig +short example.com NS
dig +short example.com MX
dig +short example.com TXT
# Search for subdomains via search engines
# Google: site:example.com
# Harvesting emails and hostnames from public sources
theHarvester -d example.com -b google
```
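Passive recon is only useful if you read the answers carefully. The following is an added example (not code from the original lesson) that turns `dig`-style answer lines into recon leads: MX hosts to put on the target list, the third-party mail providers named by SPF `include:` mechanisms, the address ranges the organisation sends mail from, and TXT verification tokens that reveal which SaaS products are in use. The sample answers are constructed for the demo and are not real records for example.com.

```python
"""Turning passive DNS answers into recon leads: SPF and MX records name the
third parties and address ranges an organisation trusts for mail, and TXT
verification tokens reveal services in use. Added example, not from the
original lesson; the answers below are constructed, not real data for
example.com."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the shape `dig +noall +answer example.com TXT` / `... MX` prints.
SAMPLE_ANSWERS = """\
example.com.  300  IN  TXT  "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:spf.protection.outlook.com -all"
example.com.  300  IN  TXT  "google-site-verification=abc123"
example.com.  300  IN  MX   10 mail.example.com.
example.com.  300  IN  MX   20 mx-backup.hosting-provider.net.
"""


@dataclass
class ReconLeads:
    mail_hosts: List[str] = field(default_factory=list)           # hosts to put on the target list
    spf_includes: List[str] = field(default_factory=list)         # third-party mail providers
    spf_networks: List[str] = field(default_factory=list)         # ranges the org sends mail from
    verification_tokens: List[str] = field(default_factory=list)  # SaaS services in use


def parse_dig_answers(text: str) -> ReconLeads:
    """Parse dig answer-section lines (name ttl class type rdata) into leads."""
    leads = ReconLeads()
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        rtype, rdata = parts[3], parts[4]
        if rtype == "MX":
            _priority, host = rdata.split()
            leads.mail_hosts.append(host.rstrip("."))
        elif rtype == "TXT":
            # dig prints TXT data as one or more quoted strings; concatenate them
            txt = "".join(re.findall(r'"([^"]*)"', rdata))
            if txt.startswith("v=spf1"):
                for token in txt.split():
                    if token.startswith("include:"):
                        leads.spf_includes.append(token[len("include:"):])
                    elif token.startswith(("ip4:", "ip6:")):
                        leads.spf_networks.append(token.split(":", 1)[1])
            elif "-verification=" in txt:
                leads.verification_tokens.append(txt.split("=", 1)[0])
    return leads


if __name__ == "__main__":
    leads = parse_dig_answers(SAMPLE_ANSWERS)
    print("Mail hosts to scan later:", leads.mail_hosts)
    print("Mail providers (SPF include):", leads.spf_includes)
    print("Sending ranges (SPF ip4/ip6):", leads.spf_networks)
    print("Services with verification records:", leads.verification_tokens)
```

Every lead here came from public data without touching the target: the mail hosts become candidates for the active phase, the SPF includes tell you which hosted mail platforms (and therefore which login portals) the organisation uses, and the `ip4:` range is a strong hint about address space the organisation owns.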
### Active Reconnaissance
Your traffic reaches the target directly, so it can be logged and must be covered by the scope agreement:
```bash
# Port scanning with service/version detection and default scripts
nmap -sV -sC target.com
# Web technology fingerprinting (server, frameworks, CMS)
whatweb target.com
```
---
## Phase 2: Scanning & Enumeration
Find vulnerabilities to exploit.
### Port Scanning
```bash
# Quick scan: the 100 most common TCP ports
nmap -F target.com
# Full TCP scan: all 65535 ports
nmap -p- target.com
# Service version detection on specific ports
nmap -sV -p 80,443 target.com
```
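To see what a connect scan with version detection actually does underneath `nmap -sV`, here is an added example (not code from the original lesson): a threaded TCP connect scanner that completes the handshake on each port and grabs whatever banner the service sends first. So that it runs offline, the script starts its own fake SSH-like listener on 127.0.0.1 (the banner string and the port window are constructed for the demo) and scans the ports around it.

```python
"""A TCP connect scan with banner grabbing, the simplest form of what
`nmap -sV` does. Added example, not from the original lesson; the target is a
fake SSH-like service the script starts itself on 127.0.0.1, so it runs offline."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Optional, Tuple


def probe(host: str, port: int, timeout: float = 0.5) -> Optional[Dict]:
    """Complete a TCP handshake, then read whatever the service says first.

    Returns {"port", "banner"} for an open port, None if closed or filtered.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except OSError:          # open, but the service waits for the client to talk first
                banner = ""
            return {"port": port, "banner": banner}
    except OSError:                  # refused, timed out or unreachable
        return None


def scan(host: str, ports: Iterable[int], workers: int = 50) -> List[Dict]:
    """Connect-scan the ports concurrently; returns open ports in ascending order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return sorted((r for r in results if r is not None), key=lambda r: r["port"])


def start_fake_service(banner: bytes) -> Tuple[socket.socket, int, threading.Event]:
    """Constructed target: a listener that greets every client, as SSH and SMTP do."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free ephemeral port
    srv.listen(5)
    srv.settimeout(0.2)              # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:          # listener closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port, stop


def demo() -> Dict:
    """Run the fake service, scan a window of ports around it, then stop the service."""
    srv, port, stop = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    try:
        window = range(max(1, port - 5), port + 6)
        return {"target_port": port, "open": scan("127.0.0.1", window)}
    finally:
        stop.set()
        srv.close()


if __name__ == "__main__":
    result = demo()
    for r in result["open"]:
        print(f"{r['port']}/tcp open  banner={r['banner']!r}")
```

A connect scan is the noisiest kind: every port it touches produces a full handshake in the target's logs, which is why it belongs in the active phase and inside the agreed window. Note that `probe` reports a port as open even when no banner arrives; HTTP and many other protocols expect the client to speak first, which is why nmap follows up with protocol-specific probes.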
### Vulnerability Scanning
```bash
# Web server misconfiguration/vulnerability scanner
nikto -h http://target.com
# Template-based vulnerability scanner
nuclei -u http://target.com
```
---
## Phase 3: Exploitation
Turn the findings into verified access, within the agreed rules of engagement.
### Common Web Attacks
- SQL Injection
- XSS (Cross-Site Scripting)
- Authentication bypass
- File inclusion
### Common Network Attacks
- Password attacks
- Exploiting unpatched services
- Man-in-the-middle
### Tools
| Tool | Purpose |
|------|---------|
| **Burp Suite** | Web proxy, scanner |
| **Metasploit** | Exploitation framework |
| **SQLMap** | Automated SQL injection |
| **Hydra** | Password brute-forcing |
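SQL injection is the first item in the web attack list and the example finding in the report template later on, so here is the vulnerable code beside its fix. This is an added example, not code from the original lesson: the in-memory SQLite users table, the `alice` account and the payloads are constructed for the demo, and the password hashing is deliberately simplified (a real application uses a slow, salted hash such as bcrypt or argon2).

```python
"""SQL injection authentication bypass and its fix. Added example, not from
the original lesson: the users table, account and payloads are constructed
for the demo, and the hashing is simplified (a real app uses bcrypt/argon2)."""
import hashlib
import hmac
import sqlite3


def hash_pw(password: str) -> str:
    # Demo-only hash; use a slow, salted password hash in production.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The finding: user input is concatenated into SQL, so a quote in the
    username changes the query's structure instead of being treated as data."""
    query = (
        "SELECT username FROM users WHERE username = '" + username + "' "
        "AND pw_hash = '" + hash_pw(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The remediation: a parameterized query. The driver binds the username as
    a value, so quotes and comment markers cannot alter the SQL."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # constant-time comparison avoids leaking hash bytes through timing
    return hmac.compare_digest(row[0], hash_pw(password))


# Payloads as an attacker would type them into the username field
PAYLOAD_TARGETED = "alice' --"     # close the string, comment out the password check
PAYLOAD_ANY_USER = "' OR 1=1 --"   # true for every row; logs in as whoever comes first


def demo() -> dict:
    """Exercise both implementations with valid credentials and with the payloads."""
    conn = build_db()
    return {
        "vuln_valid_creds": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_targeted_bypass": login_vulnerable(conn, PAYLOAD_TARGETED, "wrong"),
        "vuln_any_user_bypass": login_vulnerable(conn, PAYLOAD_ANY_USER, "wrong"),
        "safe_valid_creds": login_safe(conn, "alice", "correct horse"),
        "safe_targeted_bypass": login_safe(conn, PAYLOAD_TARGETED, "wrong"),
        "safe_any_user_bypass": login_safe(conn, PAYLOAD_ANY_USER, "wrong"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:22s} -> {'logged in' if result else 'rejected'}")
```

With `alice' --` as the username the vulnerable query becomes `... WHERE username = 'alice' --' AND pw_hash = '...'`; everything after `--` is a comment, so the password check disappears. The parameterized version sends the same string as a bound value, looks for a user literally named `alice' --`, and fails closed. This is exactly the evidence and remediation a report entry for such a finding should carry.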
---
## Phase 4: Post-Exploitation
What can you do once inside?
- Escalate privileges
- Move laterally to other systems
- Access sensitive data (prove the impact with a row count or a redacted sample rather than exfiltrating it)
- Plant persistence mechanisms only if the rules of engagement allow it, and remove them before the engagement ends
- Document everything: you are authorized, but you must report exactly what you did and clean up after yourself
---
## Phase 5: Reporting
A pentest is useless without a good report.
### Report Structure
```markdown
# Executive Summary
Brief overview for leadership
# Scope and Methodology
What was tested, how
# Findings
## Critical
### Finding 1: SQL Injection in Login
- Location: /login endpoint
- Risk: Critical (data breach)
- Evidence: [screenshot]
- Remediation: Use parameterized queries
## High
...
# Remediation Roadmap
Prioritized fix plan
```
## Legal Considerations
Always get written authorization before testing.
Without it, the same activity is a criminal offense under laws such as:
- Computer Fraud and Abuse Act (US)
- Computer Misuse Act (UK)
- Similar laws worldwide
### Scope Agreement Must Include
- What systems/networks are in scope
- What methods are allowed
- Testing window (dates/times)
- Point of contact
- Emergency procedures
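Scope is not only a document; it should be enforced by your tooling so that a typo or a rescheduled window never puts you outside the agreement. The following is an added example, not code from the original lesson: a small scope-agreement checker that refuses any target, method or time the agreement does not cover. The networks, domains, methods, testing window, contact address and carve-out below are constructed placeholders standing in for a real agreement.

```python
"""Enforcing the scope agreement in tooling before a single packet is sent.
Added example, not from the original lesson; the networks, domains, window,
methods and contact below are constructed placeholders for a real agreement."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass
class ScopeAgreement:
    networks: list                  # in-scope ipaddress networks
    domains: List[str]              # in-scope domains; subdomains inherit
    methods: Set[str]               # allowed methods, e.g. {"portscan", "webapp"}
    window_start: datetime          # testing window (timezone-aware)
    window_end: datetime
    contact: str                    # point of contact for questions and escalation
    excluded_hosts: List[str] = field(default_factory=list)  # explicit carve-outs

    def covers_target(self, target: str) -> bool:
        """Exclusions win over inclusions; IPs match networks, names match domains."""
        if target in self.excluded_hosts:
            return False
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:          # not an IP: treat it as a hostname
            host = target.lower().rstrip(".")
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return any(ip in net for net in self.networks)

    def in_window(self, now: datetime) -> bool:
        return self.window_start <= now <= self.window_end

    def check(self, target: str, method: str, now: datetime) -> Tuple[bool, str]:
        """Gate every action on target, method and time; the reason goes in your log."""
        if not self.covers_target(target):
            return False, f"{target} is out of scope; confirm with {self.contact} first"
        if method not in self.methods:
            return False, f"method {method!r} is not authorized by the agreement"
        if not self.in_window(now):
            return False, "outside the agreed testing window"
        return True, "authorized"


# Constructed agreement (placeholders, not a real engagement)
AGREEMENT = ScopeAgreement(
    networks=[ipaddress.ip_network("10.20.0.0/16")],
    domains=["example.com"],
    methods={"portscan", "webapp", "phishing"},
    window_start=datetime(2024, 6, 3, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 6, 7, 6, 0, tzinfo=timezone.utc),
    contact="security-poc@example.com",
    excluded_hosts=["10.20.5.9"],   # e.g. a production database the client carved out
)


def demo(now: datetime = datetime(2024, 6, 4, 1, 0, tzinfo=timezone.utc)) -> Dict[str, bool]:
    """Decisions for a handful of requests; lookalike domains and the carve-out are refused."""
    requests = {
        "scan in-scope host": ("10.20.3.4", "portscan", now),
        "webapp on subdomain": ("api.example.com", "webapp", now),
        "scan carved-out host": ("10.20.5.9", "portscan", now),
        "scan neighbouring range": ("10.30.0.1", "portscan", now),
        "lookalike domain": ("example.com.evil.net", "webapp", now),
        "unapproved method": ("10.20.3.4", "exploit", now),
        "after the window": ("10.20.3.4", "portscan", datetime(2024, 6, 8, tzinfo=timezone.utc)),
    }
    return {name: AGREEMENT.check(*args)[0] for name, args in requests.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5s} {name}")
```

Two details matter in practice: exclusions are checked before inclusions, because a carved-out host usually sits inside an in-scope range, and hostname matching requires a dot boundary so that `example.com.evil.net` is not mistaken for a subdomain of `example.com`. Wire `check` in front of every scanner or exploit invocation and log the reason string alongside the action.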
## Practice Exercises
### Exercise 1: Recon Practice (Beginner)
Practice passive recon on a domain you own or on a bug bounty target, staying inside the program's published scope:
- WHOIS lookup
- DNS enumeration
- Subdomain discovery
### Exercise 2: Vulnerable Lab (Intermediate)
Set up a vulnerable practice environment:
- OWASP WebGoat
- DVWA (Damn Vulnerable Web App)
- HackTheBox (online)
### Exercise 3: Your First Report (Advanced)
After testing a lab, write a pentest report with:
- Executive summary
- Findings with evidence
- Remediation recommendations
## Knowledge Check
- What is penetration testing?
- What's the difference between black box and white box testing?
- Why is written authorization critical?
- What are the five phases of a pentest?
- Why is the report important?
### Answers
- Authorized simulation of real attacks to find vulnerabilities before malicious actors do.
- Black box: no prior knowledge. White box: full information (source code, architecture).
- Legal protection. Without authorization, hacking is a crime even with good intentions.
- Recon, Scanning, Exploitation, Post-Exploitation, Reporting.
- Findings without remediation are useless. The report communicates risks and fixes to stakeholders.
## Summary
| Phase | Goal |
|---|---|
| Recon | Gather information |
| Scanning | Find vulnerabilities |
| Exploitation | Gain access |
| Post-Exploit | Demonstrate impact |
| Reporting | Communicate findings |
## What's Next?
- OWASP Top 10 - What to look for
- Network Security - Infrastructure testing