Penetration Testing Basics: How Ethical Hackers Find Vulnerabilities

Learn the methodology, tools, and techniques security professionals use to legally hack systems and protect organizations from real attackers.

March 26, 2026

What Is Penetration Testing?

Imagine hiring someone to break into your house—legally—to find out how they did it so you can fix the weaknesses before real burglars show up.

That's penetration testing (pen testing). It's a simulated cyberattack performed by authorized security professionals to identify vulnerabilities in systems, networks, and applications before malicious hackers exploit them.

Penetration Testing vs. Real Attacks

Pen Testing (Ethical Hacking)

  • Authorized by the organization
  • Controlled scope and rules
  • Goal: Find and fix vulnerabilities
  • Report findings to improve security

Real Attacks (Malicious Hacking)

  • Unauthorized and illegal
  • No limits or restrictions
  • Goal: Steal data, cause damage, make money
  • Criminal activity with serious consequences

Pen testing is legal because you have written permission from the organization. Without permission, it's hacking—and that's a felony.

Types of Penetration Tests

Pen tests come in different flavors depending on what you're testing and how much information the tester has:

Black Box Testing

Information given: Nothing. The tester knows only the company name or target IP.

How it works: Simulates an external attacker with zero insider knowledge. The tester must discover everything through reconnaissance.

Pros: Most realistic external attack simulation
Cons: Time-consuming, expensive, may miss internal vulnerabilities

White Box Testing

Information given: Everything. Network diagrams, source code, credentials, architecture details.

How it works: Simulates an insider threat or a thorough security audit. The tester has full visibility.

Pros: Comprehensive, finds more vulnerabilities, faster
Cons: Less realistic for external attack scenarios

Gray Box Testing

Information given: Partial knowledge. Some credentials, limited documentation.

How it works: Simulates an attacker with some insider access (compromised employee account, for example).

Pros: Balanced approach, realistic, efficient
Cons: May not catch all external attack vectors

The Penetration Testing Methodology

Pen testing isn't random hacking. It follows a structured, methodical approach:

1. Planning & Reconnaissance

Define scope, gather intelligence, understand the target

What happens: Establish rules of engagement (what's in scope, what's off-limits), sign legal agreements, then gather public information about the target.

Techniques: OSINT (Open Source Intelligence), Google dorking, WHOIS lookups, social media reconnaissance, DNS enumeration, subdomain discovery.

Tools: theHarvester, Maltego, Shodan, Recon-ng, Google Dorks

2. Scanning & Enumeration

Identify live hosts, open ports, running services, and potential entry points

What happens: Actively probe the network to discover systems, services, and vulnerabilities. Map the attack surface.

Techniques: Port scanning, service detection, OS fingerprinting, vulnerability scanning, banner grabbing.

Tools: Nmap, Nessus, OpenVAS, Nikto, Masscan

3. Gaining Access (Exploitation)

Exploit vulnerabilities to break into systems

What happens: Use the vulnerabilities found during scanning to gain a foothold on target systems, for example through SQL injection, buffer overflows, weak passwords, or misconfigurations.

Techniques: Exploiting known CVEs, password attacks (brute force, credential stuffing), web app attacks (SQLi, XSS, CSRF), social engineering.

Tools: Metasploit, Burp Suite, SQLmap, Hydra, John the Ripper, Hashcat

4. Maintaining Access & Privilege Escalation

Stay in the system undetected and gain higher privileges

What happens: Install backdoors, escalate privileges from regular user to admin/root, move laterally across the network.

Techniques: Installing persistence mechanisms (backdoors, rootkits), exploiting privilege escalation vulnerabilities, lateral movement (pass-the-hash, Kerberos attacks).

Tools: Mimikatz, PowerShell Empire, Cobalt Strike, Netcat, Meterpreter

5. Covering Tracks

Remove evidence of the attack (ethical hackers document this instead)

What happens: Malicious attackers clear logs and hide their presence. Ethical hackers document what they did and how they could have covered their tracks.

Techniques: Log tampering, timestomping, clearing command history, disabling antivirus.

Note: Ethical hackers don't actually cover tracks—they report exactly what they did.

6. Reporting

Document findings and provide remediation recommendations

What happens: Create a detailed report showing vulnerabilities found, how they were exploited, potential impact, and step-by-step remediation guidance.

Deliverables: Executive summary (for management), technical report (for IT teams), proof-of-concept exploits (with screenshots/videos), risk ratings (CVSS scores).

Common Penetration Testing Techniques

Here are the most common attack vectors pen testers exploit:

Network-Based Attacks

  • Port Scanning – Identify open ports and running services (Nmap)
  • Man-in-the-Middle (MITM) – Intercept network traffic between client and server
  • ARP Spoofing – Redirect traffic through the attacker's machine
  • DNS Hijacking – Redirect users to malicious sites by tampering with DNS
  • Packet Sniffing – Capture unencrypted network traffic (Wireshark)
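The scanning phase and the Port Scanning bullet above look different from the defender's side: a single source touching many ports in a few seconds stands out in connection logs. The following is an added example, not code from the article or from any tool it names; the log format, the threshold of five distinct ports and the ten-second window are assumptions chosen for the demonstration, and the log lines are constructed.

```python
# Added example; log format, threshold and window are assumptions, not a real tool's.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, destination IP, dest port, TCP flag.
SAMPLE_LOG = """\
2026-03-26T10:00:01 198.51.100.7 10.0.0.5 22 SYN
2026-03-26T10:00:01 198.51.100.7 10.0.0.5 23 SYN
2026-03-26T10:00:02 198.51.100.7 10.0.0.5 80 SYN
2026-03-26T10:00:02 198.51.100.7 10.0.0.5 443 SYN
2026-03-26T10:00:03 198.51.100.7 10.0.0.5 3389 SYN
2026-03-26T10:00:03 198.51.100.7 10.0.0.5 8080 SYN
2026-03-26T10:00:04 192.0.2.10 10.0.0.5 443 SYN
2026-03-26T10:00:30 192.0.2.10 10.0.0.5 443 SYN
2026-03-26T10:05:00 198.51.100.7 10.0.0.5 25 SYN
"""

def parse_line(line):
    ts, src, dst, port, flag = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), flag

def find_scanners(log_text, min_ports=5, window=timedelta(seconds=10)):
    """Return {src_ip: sorted distinct ports} for every source that sends SYNs to
    at least `min_ports` different destination ports inside one sliding window.
    A normal client (192.0.2.10 above) re-hitting a single port is not flagged."""
    events = defaultdict(list)  # src -> [(timestamp, port), ...]
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, _dst, port, flag = parse_line(line)
        if flag == "SYN":
            events[src].append((ts, port))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):
            # Slide the window start forward until the span is at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            flagged[src] = sorted(best)
    return flagged

if __name__ == "__main__":
    for ip, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {ip}: {len(ports)} ports {ports}")
```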

Web Application Attacks

  • SQL Injection (SQLi) – Inject malicious SQL queries to access databases
  • Cross-Site Scripting (XSS) – Inject JavaScript to steal cookies or session tokens
  • Cross-Site Request Forgery (CSRF) – Trick users into performing unwanted actions
  • Directory Traversal – Access files outside the web root (../../../etc/passwd)
  • Command Injection – Execute arbitrary OS commands through vulnerable inputs

Password Attacks

  • Brute Force – Try every possible password combination (slow but thorough)
  • Dictionary Attack – Try common passwords from a wordlist
  • Credential Stuffing – Use stolen username/password pairs from breaches
  • Pass-the-Hash – Authenticate with a stolen password hash directly (NTLM accepts the hash itself, so no cracking is needed)
  • Rainbow Tables – Pre-computed hash lookups for fast cracking (effective only against unsalted hashes)
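Why the Rainbow Tables bullet above matters to defenders: a precomputed lookup only works when the same password always hashes to the same digest. The example below is added here and is not code from the article; the wordlist and salt are constructed, a plain dict stands in for a real table's chain structure, and PBKDF2 is used as the slow KDF.

```python
# Added example for the Rainbow Tables bullet; not code from the article. The
# wordlist and salt are constructed; a dict stands in for a real rainbow table.
import hashlib
import os

WORDLIST = ["password", "letmein", "qwerty", "Summer2026!", "admin123"]

def build_table(words):
    """Precompute unsalted SHA-256 of every candidate once; the same table then
    answers lookups against any dump of unsalted hashes."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt, iterations=100_000):
    """Per-user random salt plus a slow KDF (PBKDF2 here): the digest differs for
    every user, so no table built in advance can contain it, and each guess
    costs the attacker `iterations` hash computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def lookup(table, digest):
    """A hit recovers the password instantly; a miss means the table is useless."""
    return table.get(digest)

def compare(user_password="letmein"):
    """Hash one password both ways and try the precomputed table on each."""
    table = build_table(WORDLIST)
    salt = os.urandom(16)
    salted = hash_salted(user_password, salt)
    return {
        "unsalted_hit": lookup(table, hash_unsalted(user_password)),
        "salted_hit": lookup(table, salted),
        # Same password, fresh salt: a different digest, so a table keyed on one
        # user's digest does not help against the next user.
        "salt_changes_digest": hash_salted(user_password, os.urandom(16)) != salted,
        # The server can still verify: it stores the salt next to the digest.
        "verify_ok": hash_salted(user_password, salt) == salted,
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```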

Social Engineering

  • Phishing – Fake emails to steal credentials or deliver malware
  • Pretexting – Create a fake scenario to trick targets into revealing info
  • Tailgating – Follow someone through a secure door without authorization
  • Vishing – Voice phishing (phone calls pretending to be IT support, etc.)

Essential Penetration Testing Tools

Every pen tester has a toolkit. Here are the essentials:

Kali Linux

Debian-based Linux distro pre-loaded with 600+ pen testing tools. The industry standard OS for ethical hackers.

Metasploit Framework

The most popular exploitation framework. Contains thousands of exploits, payloads, and post-exploitation modules.

Burp Suite

Web application security testing platform. Intercept HTTP requests, test for SQLi/XSS, and scan for vulnerabilities.

Nmap

Network scanner for host discovery, port scanning, OS detection, and service enumeration. A pen tester's Swiss Army knife.

Wireshark

Packet analyzer for capturing and inspecting network traffic. See everything flowing across the wire.

John the Ripper / Hashcat

Password cracking tools. John is primarily CPU-based; Hashcat uses GPU acceleration for much faster cracking.

SQLmap

Automated SQL injection tool. Detects and exploits SQL injection vulnerabilities in web apps.

Cobalt Strike

Commercial adversary simulation and red team platform. Used for advanced post-exploitation and command & control.

Legal & Ethical Considerations

Warning: Hacking Without Permission Is Illegal

Pen testing is only legal with explicit written authorization. Hacking systems you don't own—even for "research" or "just testing"—is a federal crime punishable by fines and imprisonment.

Golden Rules of Ethical Hacking

  1. Always get written authorization
     Contracts, scope documents, rules of engagement—signed by authorized personnel.
  2. Stay within scope
     If the contract says "test this one web app," don't scan the entire network. Follow the rules.
  3. Do no harm
     Don't crash production systems, delete data, or cause business disruption (unless explicitly authorized).
  4. Report responsibly
     Disclose findings only to the client. Don't publicly shame organizations or leak sensitive data.
  5. Respect confidentiality
     Sign NDAs. Don't brag about your exploits on social media. Protect client information.

Bug Bounty Programs: Legal Hacking for Beginners

If you want to practice pen testing legally without getting hired, check out bug bounty platforms like HackerOne, Bugcrowd, and Synack. Companies publicly invite hackers to find vulnerabilities and pay rewards for valid findings.

How to Get Started in Penetration Testing

Want to become a pen tester? Here's your roadmap:

Step 1: Learn the Fundamentals

Master networking (TCP/IP, DNS, HTTP), operating systems (Linux/Windows), and basic programming (Python, Bash).

Step 2: Practice on Legal Platforms

Use intentionally vulnerable labs and CTF (Capture the Flag) challenges:
  • HackTheBox, TryHackMe, PentesterLab
  • DVWA (Damn Vulnerable Web App), WebGoat
  • OverTheWire, PicoCTF

Step 3: Get Certified

Industry-recognized certifications:
  • CEH (Certified Ethical Hacker) – Entry-level, broad coverage
  • OSCP (Offensive Security Certified Professional) – Hands-on, highly respected
  • GPEN (GIAC Penetration Tester) – Advanced technical skills
  • CompTIA PenTest+ – Vendor-neutral, practical

Step 4: Build a Portfolio

Document your findings from bug bounties, CTF competitions, and lab walkthroughs. Create a GitHub profile with the scripts and tools you've built.

Step 5: Get Experience

Join bug bounty programs, contribute to open-source security tools, intern at security firms, or start in SOC/incident response roles.

Final Thoughts

Penetration testing isn't just about breaking things—it's about thinking like an attacker to defend like a professional.

Every pen test reveals weaknesses. Some are simple misconfigurations. Others are critical vulnerabilities that could lead to massive breaches. The goal isn't to embarrass organizations—it's to fix problems before attackers exploit them.

It's a constantly evolving field. New vulnerabilities are discovered daily. Attack techniques change. Defenses improve. Pen testers must stay curious, keep learning, and never stop hacking—legally.

Key Takeaways:

  • Pen testing simulates real attacks to find vulnerabilities before criminals do
  • Always get written authorization—hacking without permission is illegal
  • Follow a structured methodology: reconnaissance → scanning → exploitation → reporting
  • Master networking, Linux, programming, and web application security
  • Practice legally on platforms like HackTheBox, TryHackMe, and bug bounties
  • Certifications like OSCP and CEH validate your skills

If you're interested in cybersecurity, pen testing is one of the most exciting, challenging, and rewarding career paths you can choose.

Hack responsibly. Stay legal. Stay curious.