top of page
  • Writer: Tony Stiles
    Tony Stiles
  • Jun 19, 2024
  • 5 min read

Explain the Techniques Used in Penetration Testing


Penetration Testing

Penetration testing is a security assessment technique in which a tester simulates an attack on a system or network to identify vulnerabilities that could be exploited by a malicious actor. The goal of a penetration test is to identify weaknesses in security controls, applications, and infrastructure that could be exploited by an attacker to gain unauthorized access or cause damage.


Penetration testing can be classified into two types:

  • Black box: In black box testing, the tester has no prior knowledge of the target system or network and attempts to identify vulnerabilities as an attacker would.

  • White box: In white box testing, the tester has full knowledge of the target system or network and is able to simulate attacks more accurately.

  • Grey box: In grey box testing, the tester has a limited view of the target system or network and is able to reduce the time collecting information.


An important point of penetration testing is the rules of engagement (ROE), they are the guidelines that define the scope, objectives, and limitations of a penetration testing engagement. These rules are typically agreed upon by the penetration testing team and the organization that is being tested before the engagement begins.


Some techniques utilized during a penetration testing are:

  • Lateral movement: Lateral movement refers to the technique of moving through a network or system to gain access to additional resources or data. This is typically achieved by exploiting vulnerabilities in different areas of the network, such as weak passwords or unpatched systems.

  • Privilege escalation: Privilege escalation refers to the process of gaining higher-level access or permissions on a system or network. This is typically achieved by exploiting vulnerabilities in the system or by using social engineering tactics to trick users into giving up their credentials.

  • Persistence: Persistence refers to the ability of an attacker to maintain their access to a system or network over time. This may involve creating backdoors or other forms of access that can be used to re-enter the system even after the initial attack has been discovered and resolved.

  • Pivoting: Pivoting refers to the technique of using a compromised system as a platform to launch attacks against other systems or networks. This is typically done to bypass security measures that are in place to prevent direct attacks against the targeted systems.


An especial type of penetration testing is Bug Bounty. A bug bounty program is a crowdsourced initiative that rewards individuals for identifying and reporting vulnerabilities in a company's software or systems. This approach can help companies identify and fix vulnerabilities before they can be exploited by attackers.


While the purpose of a penetration testing is to simulate an attack on an organization, the are two extra steps a penetration tester needs to perform as part of a penetration testing:

  • Cleanup: Cleanup refers to the process of removing any traces of the penetration testing activity from the system or network. This is important to ensure that the testing does not cause any damage or disruption to normal operations, and to maintain the confidentiality of any sensitive information that may have been accessed during the testing.

  • Reporting: Once the testing is complete, the penetration tester will prepare a report that summarizes the testing methodology, findings, and recommendations for remediation. The report should include:

  • An executive summary that provides a high-level overview of the testing results and highlights any critical vulnerabilities or risks.

  • A detailed analysis of each vulnerability that was identified, including the severity of the vulnerability, the impact that it could have on the organization, and any recommended remediation actions.

  • Technical details on how the vulnerabilities were exploited, including any tools or techniques that were used.

  • Recommendations for improving the organization's overall security posture.


Passive and Active Reconnaissance

Reconnaissance is the process of gathering information about a target system or network to identify potential vulnerabilities that an attacker could exploit. Reconnaissance can be categorized into two types: passive and active.

  • Passive reconnaissance: Passive reconnaissance involves gathering information about the target without actually interacting with it directly. This can be done by searching public records, social media, or other publicly available information. Passive reconnaissance is less likely to be detected by the target and is a good first step in gathering information about the target.

  • Active reconnaissance: Active reconnaissance involves actively probing the target system or network to gather information. This can be done through techniques such as port scanning, network mapping, or fingerprinting. Active reconnaissance is riskier because it can be detected by security measures and may trigger an alert.


Some examples of reconnaissance are:

  1. Drones: Unmanned aerial vehicles (UAVs) or drones equipped with cameras and sensors can be used to conduct reconnaissance from the air. This technique is particularly useful for large areas and can provide a high level of detail.

  2. War flying: This involves using a wireless-enabled device such as a laptop or smartphone to search for wireless access points while in flight. This technique is often used to identify vulnerable wireless networks.

  3. War driving: This involves driving around with a wireless-enabled device to search for wireless access points. This technique is often used to identify vulnerable wireless networks.

  4. Footprinting: Footprinting involves gathering information about a target organization or individual through various means such as online searches, social engineering, dumpster diving, and physical reconnaissance.

  5. OSINT: Open-source intelligence (OSINT) involves gathering information from publicly available sources such as social media, news articles, forums, and blogs. This technique can provide valuable insights into a target's infrastructure, personnel, and operations.


Exercise Types

Exercise types refer to the different types of security testing and evaluation methodologies used to assess the security posture of an organization or system. These exercises can be used to identify security weaknesses and vulnerabilities, as well as to evaluate the effectiveness of security controls and policies.


The main types of exercise are:

  1. Red-team: A red-team exercise is a simulated attack by an external or internal team of security professionals who try to exploit vulnerabilities in the organization's defenses. The goal of a red-team exercise is to identify and exploit weaknesses that could be used by real attackers.

  2. Blue-team: A blue-team exercise is a defensive exercise that focuses on evaluating the organization's ability to detect, respond to, and recover from a simulated attack. The goal of a blue-team exercise is to assess the effectiveness of the organization's security controls and incident response capabilities.

  3. White-team: A white-team exercise is a collaborative exercise in which members of the red and blue teams work together to identify vulnerabilities and improve security. The white team acts as a neutral party to help resolve any issues that arise during the exercise.

  4. Purple-team: A purple-team exercise is a combination of red and blue team exercises, where the teams work collaboratively to identify vulnerabilities and improve security. The goal of a purple-team exercise is to identify and address weaknesses in a proactive manner, rather than waiting for an actual attack to occur.

bottom of page