Pentesting Fundamentals

A penetration test, or pentest, is an ethically driven attempt to test and analyse the security defences that protect an organisation's assets and information. It uses the same tools, techniques and methodologies that someone with malicious intent would use, and in that sense it is similar to an audit.

A penetration test is an authorized audit of a computer system’s security and defenses, as agreed by the owners of the systems.

Penetration Test Scope

The scope defines the boundaries of what is authorized for testing, including:

  • Target systems: IP ranges, domains, applications, or facilities in scope
  • Excluded systems: Assets explicitly off-limits
  • Testing methods: Permitted techniques
  • Time window: When testing may occur
  • Geographic boundaries: Physical or network regions in scope

The 3 Types of Hacker “Hats”

White Hat

Ethical hackers operating with full authorization — penetration testers fall here.

Grey Hat

Operate without explicit authorization but without malicious intent; still illegal.

Black Hat

Malicious hackers operating without authorization, intent on causing harm or theft.

Rules of Engagement (RoE)

A formal pre-test document agreed upon by both parties, covering:

  • Authorization: Written legal permission to test
  • Scope boundaries: Included/excluded systems and methods
  • Communication protocols: Reporting procedures
  • Emergency contacts: Escalation paths for unintended disruption
  • Sensitive data handling: Treatment of discovered credentials or PII
  • Testing windows: Permitted times for active testing
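The scope and RoE items above are what a tester must check before every active step. As an added illustration (example code, not from the original post), the guard below refuses an action unless the target is in scope and not excluded, the method is permitted, and the time falls inside the agreed testing window. All networks, domains, hosts and times are constructed sample values.

```python
"""Scope and RoE guard: refuse a test action unless target, method and time
all fall inside the agreed engagement. Added example, not from the original
post; every CIDR, hostname and time below is a constructed sample value."""
from dataclasses import dataclass, field
from datetime import time
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope_networks: list = field(default_factory=list)  # CIDRs from the RoE
    in_scope_domains: list = field(default_factory=list)   # apex domains in scope
    excluded_hosts: set = field(default_factory=set)       # always win over scope
    permitted_methods: set = field(default_factory=set)    # techniques allowed
    window_start: time = time(9, 0)                        # testing window (local)
    window_end: time = time(17, 0)


def is_in_scope(roe, target):
    """True if target is an in-scope IP, or a host at/under an in-scope domain,
    and is not on the exclusion list (exclusions take precedence)."""
    target = target.lower().rstrip(".")
    if target in roe.excluded_hosts:
        return False
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:  # not an IP literal: treat it as a hostname
        return any(target == d or target.endswith("." + d) for d in roe.in_scope_domains)
    return any(ip in ipaddress.ip_network(n) for n in roe.in_scope_networks)


def check_action(roe, target, method, when_hhmm):
    """Return (allowed, reason); scope, method and time window must all pass."""
    if not is_in_scope(roe, target):
        return False, f"{target} is outside the authorized scope"
    if method not in roe.permitted_methods:
        return False, f"method '{method}' is not permitted by the RoE"
    when = time.fromisoformat(when_hhmm)
    if not roe.window_start <= when <= roe.window_end:
        return False, f"{when_hhmm} is outside the agreed testing window"
    return True, "authorized"


# Constructed sample engagement, not a real client
ROE = RulesOfEngagement(
    in_scope_networks=["10.10.0.0/16"],
    in_scope_domains=["example.test"],
    excluded_hosts={"10.10.5.1", "billing.example.test"},
    permitted_methods={"port scan", "web application test"},
)
```

For instance, `check_action(ROE, "10.10.5.1", "port scan", "10:30")` is refused even though the host sits inside the in-scope range, because the exclusion list wins.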

Penetration Testing Phases

1. Planning & Reconnaissance (Information Gathering)

Define scope and RoE; gather passive/active intelligence on the target.

2. Scanning & Enumeration

Probe for open ports, services, software versions, and vulnerabilities.

Very Important! If this is done well, exploiting becomes much easier.

3. Gaining Access (Exploitation)

Exploit discovered vulnerabilities to gain unauthorized access.

4. Maintaining Access

Simulate persistence, privilege escalation, and network pivoting.

5. Post-Exploitation & Lateral Movement

Move through the environment to reach high-value targets.

6. Reporting

Document findings, risk ratings, evidence, and remediation recommendations.

A few frameworks

OSSTMM

Open Source Security Testing Methodology Manual — a scientific, peer-reviewed framework by ISECOM.

  • Tests operational security across networks, systems, people, and physical locations
  • Produces a quantifiable RAV (Risk Assessment Value)
  • Covers channels: human, physical, wireless, telecommunications, and data networks

OWASP Framework

Open Web Application Security Project — community-driven web application security resources.

  • Best known for the OWASP Top 10 critical web risks
  • Provides testing guides, checklists, and tools (e.g., ZAP)
  • Widely used as a baseline for web application penetration testing

NIST Framework

NIST Cybersecurity Framework — US government risk management guidelines built on 5 functions:

  • Identify: Asset management, risk assessment
  • Protect: Safeguards and controls
  • Detect: Monitoring and anomaly detection
  • Respond: Incident response planning
  • Recover: Restoration and resilience

NCSC CAF

National Cyber Security Centre Cyber Assessment Framework — UK framework for critical national infrastructure.

  • Managing security risk: Governance and risk ownership
  • Protecting against cyberattack: Proportionate defenses
  • Detecting cybersecurity events: Monitoring capabilities
  • Minimising impact of incidents: Response and recovery

Testing types

Just like the 3 hats, there are also 3 types of penetration testing: White, Gray and Black.

White Box Testing

Full knowledge provided — source code, architecture, credentials, and network maps.

  • Simulates an insider threat or fully transparent engagement
  • Most thorough; allows deep code-level analysis
  • Less realistic as an external attacker simulation

Gray Box Testing

Partial knowledge provided — limited credentials or network information.

  • Simulates a compromised insider or attacker with a foothold
  • Most commonly used in real-world engagements
  • Balances realism with efficiency

Black Box Testing

No prior knowledge provided — tester starts from scratch.

  • Most realistic simulation of an external attacker
  • Time-intensive with potentially incomplete coverage
  • Relies heavily on reconnaissance and enumeration

This post is licensed under CC BY 4.0 by the author.