Penetration Testing

Penetration testing, commonly known as pen testing, is the act of assessing a computer system, network or organization for security vulnerabilities. A pen test seeks to breach systems, people, processes and code to uncover vulnerabilities which could be exploited. This information is then used to improve the system’s defenses to ensure that it is better able to withstand cyber attacks in the future.

The five-step pen test process

Planning

The pen tester gathers as much information as possible about a target system or network, its potential vulnerabilities and exploits to use against it. This involves conducting passive or active reconnaissance (footprinting) and vulnerability research.

Scanning

The pen tester carries out active reconnaissance to probe a target system or network and identify potential weaknesses which, if exploited, could give an attacker access. Active reconnaissance may include:

  • port scanning to identify potential access points into a target system

  • vulnerability scanning to identify potential exploitable vulnerabilities of a particular target

  • establishing an active connection to a target (enumeration) to identify user, system and admin accounts.
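
The port scanning described above, seen from the defender's side: an added example (not part of the original article) that flags any source touching many distinct ports on one host within a short window. The log format, addresses and thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; the log format itself is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ALLOW TCP 198.51.100.20:50111 -> 10.0.0.5:443
2024-05-01T10:00:01 DENY TCP 203.0.113.7:40001 -> 10.0.0.5:21
2024-05-01T10:00:01 ALLOW TCP 203.0.113.7:40002 -> 10.0.0.5:22
2024-05-01T10:00:02 DENY TCP 203.0.113.7:40003 -> 10.0.0.5:23
2024-05-01T10:00:03 ALLOW TCP 203.0.113.7:40004 -> 10.0.0.5:80
2024-05-01T10:00:04 DENY TCP 203.0.113.7:40005 -> 10.0.0.5:3389
2024-05-01T10:01:00 DENY TCP 192.0.2.9:41000 -> 10.0.0.5:21
2024-05-01T10:06:00 DENY TCP 192.0.2.9:41001 -> 10.0.0.5:22
2024-05-01T10:11:00 DENY TCP 192.0.2.9:41002 -> 10.0.0.5:23
truncated line without fields
"""

LINE_RE = re.compile(
    r"^(\S+) (?:ALLOW|DENY) (?:TCP|UDP) (\S+):\d+ -> (\S+):(\d+)$")

def parse_events(log_text):
    """Yield (timestamp, src, dst, dst_port); lines not matching are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])

def detect_port_scans(log_text, min_ports=5, window_seconds=10):
    """Map (src, dst) to the ports probed inside any qualifying window."""
    per_pair = defaultdict(list)
    for ts, src, dst, port in parse_events(log_text):
        per_pair[(src, dst)].append((ts, port))
    window = timedelta(seconds=window_seconds)
    findings = {}
    for pair, hits in per_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                findings.setdefault(pair, set()).update(ports)
    return {pair: sorted(ports) for pair, ports in findings.items()}

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"{src} probed {len(ports)} ports on {dst}: {ports}")
```

With the default thresholds the slow source at 192.0.2.9 is not flagged; widening the window and lowering the port count catches it at the cost of more false positives.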

Gaining access

The pen tester will attempt to gain access to a target system and sniff network traffic, using various methods to exploit the system including:

  • launching an exploit with a payload onto the system

  • breaching physical barriers to assets

  • social engineering

  • exploiting website vulnerabilities

  • exploiting software and hardware vulnerabilities or misconfigurations

  • breaching access controls

  • cracking weakly encrypted Wi-Fi.

Maintaining access

The pen tester will maintain access to the target to find out what data and systems are vulnerable to exploitation. It is important that they remain undetected, typically using backdoors, Trojan horses, rootkits and other covert channels to hide their presence.

When this infrastructure is in place, the pen tester will then proceed to gather the data that they consider valuable.

Analysis and reporting

The pen tester will provide feedback via a report that recommends updates to products, policies and training to improve an organization’s security.
