by peter


What is Penetration Testing

Penetration testing is a mix of art and science: identifying weaknesses, misconfigurations and vulnerabilities in People, Process and Technology. Also known as ethical hacking, penetration testing goes by several shorter names, including pen testing, pentesting and security testing; you may even see it written as PEN Testing. Regardless of the name, it describes the intentional launching of simulated cyberattacks by “white hat” penetration testers, who use attacker strategies and tools to access or exploit computer systems, networks, websites and applications. The main objective of penetration testing is to identify exploitable issues so that adequate security controls can be implemented. Security managers and teams also use penetration testing techniques and specialised testing tools to test an organisation’s security robustness. Organisations should review their policies, regulatory compliance, employees’ security awareness, and their ability to identify and respond to security issues annually. Penetration testing is an effective way to do this.

Penetration testing is best thought of as a simulated cyberattack. It uses the same techniques that criminals use, and it helps security professionals evaluate the effectiveness of information security measures within their organisations. The pen test attempts to pierce the armour of an organisation’s cyber defences, checking for exploitable vulnerabilities and weaknesses in People, Process and Technology. While many think a pentest focuses on just networks, web apps and general IT systems, a good tester will try to exploit everything in scope. The objective is to find vulnerabilities and weaknesses and report back on them.

Looking at IT networks and the systems attached to them, the high-level goal is to strengthen security posture by patching systems correctly, identifying missing service packs, closing unused ports, calibrating firewall rules, and eliminating all security misconfigurations.

In the case of web applications, penetration testing identifies, analyses and reports on common web application vulnerabilities. These include classes such as buffer overflows, SQL injection and cross-site scripting, to name just a few.

Additionally, penetration testing attempts to gain privileged access to sensitive systems or steal data from a system that should be secure.

Penetration testing provides insights critical to the organisation’s ability to fine-tune its security policies and patch detected vulnerabilities. Penetration testing exposes security flaws and weaknesses that allow attackers to target users, systems, networks, or applications.

The Penetration Testing process involves:

  • gathering as much information as possible about the targets within the scope of the test
  • identifying their potential entry points
  • attempting to break in, either virtually or actually
  • reporting findings to the organisation’s security team.

Common Penetration Testing Practices

Based on the objectives of the organisation, here are some commonly used penetration testing strategies:

  • External testing involves attacks on the organisation’s network perimeter using procedures performed from outside the organisation’s systems, e.g., the Extranet and Internet.
  • Internal testing: This comes from within the organisation’s environment. Internal testing identifies risks posed to the organisation should the network perimeter be penetrated. It also identifies specific information resources that unauthorised individuals could access within its network.
  • Blackbox testing: This is where the tester simulates the actions and attacks of a genuine hacker/criminal. The penetration testing team will have little or no information about the organisation. Instead, it must rely on publicly available information to gather information about the target and conduct its penetration tests. These sources may include the corporate website, domain name registry and other data sources.
  • Red team testing: In this exercise, the testing builds on top of black box testing. Only a few people within the organisation will be aware of the testing; it is common for none of the IT and security staff to be notified or informed beforehand. Red team testing helps organisations test their security monitoring, incident response processes, and escalation and response procedures.

Common Penetration Testing Tools

There are many standard pen-testing tools available. The majority are open source, although many of the critical tools are licensed. Here are some of the routine penetration testing tools used by the test team at Hedgehog.

Hashcat

Hashcat is a speedy and efficient offline password cracking application that uses GPUs to accelerate password recovery from hashes captured during a penetration test. At Hedgehog Security, we have an internal 8-GPU system dedicated to converting password hashes into clear text passwords. Our password cracking server averages 294 billion password attempts a second. At this speed, it does not take long to convert captured password hashes into clear text passwords that our penetration testers can use in their pentest.

John the Ripper

John the Ripper is a fast, efficient password cracker available for many operating systems (Unix, macOS, Windows, DOS, BeOS and OpenVMS). Pen testers can use it to detect weak passwords and occasionally to crack more complex passwords. JTR is open source and is available here:

Nessus

Nessus is a vulnerability scanner and is very efficient in how it scans networks. Nessus is one of the most robust vulnerability identification tools available and specialises in compliance checks, sensitive data searches, IP scans and website scanning, and it aids in finding the “weak spots”. Nessus works well in most of the environments we test in routinely. The only area where we do not typically use Nessus is when we are assessing SCADA systems.

Nmap

Nmap is an excellent network enumeration tool. It can also discover weaknesses in an enterprise’s network environment. It uses a large collection of scripts developed by the security community to extend its usefulness, and it can even perform some vulnerability scanning functions. Nmap is excellent for auditing purposes, especially around the Cyber Essentials standard. Nmap is good for:

  • identifying what hosts are available on a particular network trunk or segment
  • providing information about the services which these hosts are providing
  • determining the operating system in use
  • displaying the versions and the types of services in use by any particular host

By using Nmap, organisations can create a virtual map of the network segment and, from there, pinpoint the significant areas of weakness that a cyber attacker could potentially penetrate. Good penetration testers use Nmap at every stage of the pen testing process.

Metasploit

Metasploit is more than a single tool: it is a framework that brings together many different pen-testing applications and scripts. It is constantly evolving to keep up with today’s ethical hackers, who can contribute their own knowledge to the platform. Metasploit has more than 1000 built-in exploits that execute various attacks. Metasploit is highly customisable, and writing new modules for the framework is easy. For example, at Hedgehog we have created over 190 Metasploit modules to automate most of the client reconnaissance tasks in internal and web-focused penetration testing.

SQLMap

SQLMap is another excellent open-source pen-testing tool, used to detect and exploit SQL injection issues in an application and to take over database servers. It is a command-line tool installable on Linux, Apple Mac OS X and Microsoft Windows. With such broad OS support, SQLMap is easily deployed on tests and is a go-to tool for working with databases.

Wireshark

Wireshark is a network protocol and packet analyser used to listen in on network traffic. Wireshark shows what is happening on the network and lets the tester assess traffic for vulnerabilities. Reviewing connection-level information and the contents of data packets reveals their characteristics, origin, destination and more. Wireshark flags potential weaknesses but requires a skilled penetration tester to confirm and exploit them.

Note: A key advantage of using open-source pen-testing tools is that contributors and other cybersecurity professionals are constantly refining them. Open-source penetration testing tools help ensure that penetration testers stay at the forefront of the ever-changing threat landscape.

Automated or Proper Penetration Testing

There are a lot of businesses out there selling fully automated penetration tests. These can be misleading, and we urge caution, as you may be purchasing a costly vulnerability scan. Penetration testing can be manual, automated or a hybrid of the two. Good penetration testing is performed manually by a time-served penetration tester, using automation tools to increase efficiency.

Automated testing tools save time and help the penetration tester produce better results than when all of the work is manual. Let me give you an example from a recent penetration test. Our client required a penetration test against 17,000 assets contained within 82 networks. To scan each of these assets and then pentest them manually would take months. With automation, it was possible to identify all of the “low hanging” vulnerabilities in a couple of hours. The penetration tester then spent the more valuable time penetrating the network to achieve the goals set by the client.

Costly breaches, loss of data, and compromised systems, users and applications all bring high risk to the enterprise. Penetration testing is a highly effective way to help prevent real-world attacks and mitigate these vulnerabilities. Manual penetration tests also deliver fewer false positives than automated scans.

Industry Standards

OWASP, the Open Web Application Security Project, is the de facto pen testing methodology for web applications. It provides pen-testing guides and a penetration testing framework for testing web applications. OWASP is the standard and process we use when working with web applications. For other styles of engagement, we use PTES, the Penetration Testing Execution Standard. PTES separates penetration testing into seven phases, and these act as a roadmap for global companies as they manage their pen testing efforts:

1. Pre-engagement interactions
2. Intelligence gathering
3. Threat modelling
4. Vulnerability analysis
5. Exploitation
6. Post exploitation
7. Reporting

In Summary

Cyberattacks are increasingly sophisticated and forever on the rise. Organisations must perform regular penetration testing to identify their exposures and weaknesses, close the holes, and ensure that cyber controls are working as intended. These tests help the organisation take a proactive stance. Penetration testing seeks out flaws in the organisation’s infrastructure (hardware), applications (software) and people so that it can develop adequate continuous controls and keep up with the ever-evolving cyber threat landscape.