Penetration Testing
Learn how to conduct comprehensive penetration testing to identify and address security vulnerabilities in your applications and infrastructure.
Prerequisites
- Strong understanding of network and web security concepts
- Familiarity with common vulnerabilities and attack vectors
- Knowledge of programming and scripting
- Understanding of system administration
- Legal authorization to test target systems
⚠️ Important Warning
Penetration testing without proper authorization is illegal and unethical. Always ensure you have explicit written permission before testing any system. The techniques described in this tutorial should only be used on systems you own or have permission to test.
Penetration Testing Overview
Visual representation of the penetration testing methodology and process flow.
1
Reconnaissance
Gather information about the target system:
// Information gathering tools and techniques
const reconnaissance = {
// Passive reconnaissance
passive: {
async domainInfo(domain) {
return {
whois: await this.whoisLookup(domain),
dns: await this.dnsRecords(domain),
subdomains: await this.findSubdomains(domain),
emailAddresses: await this.harvestEmails(domain),
socialMedia: await this.findSocialProfiles(domain)
};
},
async webIntelligence(domain) {
return {
technologies: await this.detectTechnologies(domain),
headers: await this.analyzeHttpHeaders(domain),
robots: await this.checkRobotsTxt(domain),
sitemaps: await this.analyzeSitemap(domain),
archives: await this.searchWebArchives(domain)
};
}
},
// Active reconnaissance
active: {
async networkScan(target) {
return {
openPorts: await this.portScan(target),
services: await this.serviceDetection(target),
operatingSystems: await this.osFingerprinting(target),
networkMap: await this.createNetworkMap(target)
};
},
async webScan(url) {
return {
directories: await this.directoryBruteforce(url),
files: await this.fileBruteforce(url),
parameters: await this.parameterDiscovery(url),
apis: await this.apiEndpointDiscovery(url)
};
}
}
}2
Vulnerability Scanning
Identify potential vulnerabilities in the target system:
// Vulnerability scanning configuration
const vulnerabilityScanner = {
// Scanner types
scanners: {
network: {
name: 'Network Vulnerability Scanner',
targets: ['servers', 'network_devices', 'endpoints'],
checks: [
'open_ports', 'service_vulnerabilities', 'misconfigurations',
'default_credentials', 'weak_encryption'
]
},
web: {
name: 'Web Application Scanner',
targets: ['websites', 'web_applications', 'apis'],
checks: [
'injection', 'broken_auth', 'sensitive_data_exposure',
'xxe', 'broken_access_control', 'security_misconfigurations',
'xss', 'insecure_deserialization', 'vulnerable_components',
'insufficient_logging'
]
},
code: {
name: 'Static Code Analysis',
targets: ['source_code', 'dependencies'],
checks: [
'security_bugs', 'vulnerable_dependencies', 'hardcoded_secrets',
'insecure_functions', 'input_validation', 'output_encoding'
]
}
},
async scan(target, scannerType) {
const scanner = this.scanners[scannerType];
if (!scanner) {
throw new Error(`Unknown scanner type: ${scannerType}`);
}
console.log(`Starting ${scanner.name} scan on ${target}`);
const results = {
target,
scannerType,
timestamp: new Date(),
vulnerabilities: [],
summary: {
critical: 0,
high: 0,
medium: 0,
low: 0,
info: 0
}
};
// Run appropriate scanner
if (scannerType === 'network') {
results.vulnerabilities = await this.runNetworkScan(target);
} else if (scannerType === 'web') {
results.vulnerabilities = await this.runWebScan(target);
} else if (scannerType === 'code') {
results.vulnerabilities = await this.runCodeScan(target);
}
// Update summary counts
results.vulnerabilities.forEach(vuln => {
results.summary[vuln.severity]++;
});
return results;
}
}3
Exploitation
Exploit identified vulnerabilities to assess impact:
// Exploitation framework
const exploitationFramework = {
// Exploitation modules
modules: {
injection: {
name: 'Injection Exploits',
types: ['sql', 'nosql', 'os_command', 'ldap', 'xpath'],
risk: 'high',
async exploit(target, params) {
console.log(`Testing ${params.type} injection on ${target}`);
// Safety checks
if (!this.isSafeToExploit(target, params)) {
throw new Error('Exploitation aborted: Safety check failed');
}
// Create appropriate payloads
const payloads = this.generatePayloads(params.type);
// Test each payload
const results = [];
for (const payload of payloads) {
const result = await this.testPayload(target, payload, params);
if (result.success) {
results.push(result);
}
}
return {
vulnerable: results.length > 0,
results,
details: results.length > 0 ? this.analyzeResults(results) : null
};
}
},
authentication: {
name: 'Authentication Bypasses',
types: ['brute_force', 'credential_stuffing', 'default_credentials', 'logic_flaws'],
risk: 'high',
async exploit(target, params) {
console.log(`Testing authentication bypass on ${target}`);
// Safety checks
if (!this.isSafeToExploit(target, params)) {
throw new Error('Exploitation aborted: Safety check failed');
}
// Select appropriate technique
let result;
switch (params.type) {
case 'brute_force':
result = await this.bruteForceAuth(target, params);
break;
case 'credential_stuffing':
result = await this.credentialStuffing(target, params);
break;
case 'default_credentials':
result = await this.checkDefaultCreds(target, params);
break;
case 'logic_flaws':
result = await this.testAuthLogic(target, params);
break;
default:
throw new Error(`Unknown authentication bypass type: ${params.type}`);
}
return result;
}
}
},
// Safety checks
isSafeToExploit(target, params) {
// Check if we have permission
if (!this.hasPermission(target)) {
return false;
}
// Check if target is in scope
if (!this.isInScope(target)) {
return false;
}
// Check if exploitation could cause damage
if (this.couldCauseDamage(params)) {
return false;
}
return true;
}
}4
Post-Exploitation
Assess the impact of successful exploitation:
// Post-exploitation framework
const postExploitation = {
// Post-exploitation activities
activities: {
async privilegeEscalation(session) {
console.log('Attempting privilege escalation');
const techniques = [
'kernel_exploits',
'sudo_misconfigurations',
'suid_binaries',
'cron_jobs',
'path_hijacking'
];
for (const technique of techniques) {
const result = await this.tryEscalationTechnique(session, technique);
if (result.success) {
return {
success: true,
technique,
newPrivileges: result.newPrivileges,
details: result.details
};
}
}
return { success: false };
},
async lateralMovement(session) {
console.log('Attempting lateral movement');
// Discover network
const network = await this.discoverNetwork(session);
// Identify potential targets
const targets = await this.identifyTargets(network);
// Attempt movement
const results = [];
for (const target of targets) {
const result = await this.moveToTarget(session, target);
if (result.success) {
results.push(result);
}
}
return {
success: results.length > 0,
targets: targets.length,
successful: results.length,
details: results
};
},
async dataExfiltration(session) {
console.log('Simulating data exfiltration');
// Identify sensitive data
const dataStores = await this.locateSensitiveData(session);
// Test exfiltration methods
const methods = [
'dns_tunneling',
'https_encapsulation',
'steganography',
'encrypted_channels'
];
const results = [];
for (const method of methods) {
for (const dataStore of dataStores) {
const result = await this.testExfiltration(session, dataStore, method);
if (result.success) {
results.push(result);
}
}
}
return {
success: results.length > 0,
dataStores: dataStores.length,
successfulMethods: [...new Set(results.map(r => r.method))],
details: results
};
}
},
// Document findings
async documentFindings(session, activities) {
const findings = {
timestamp: new Date(),
sessionInfo: this.getSessionInfo(session),
activities: {},
impactAssessment: {}
};
// Document each activity
for (const [activity, result] of Object.entries(activities)) {
findings.activities[activity] = {
success: result.success,
details: result.details
};
}
// Assess impact
findings.impactAssessment = await this.assessImpact(activities);
return findings;
}
}5
Reporting
Document findings and create a comprehensive report:
// Penetration testing report generator
const reportGenerator = {
// Report sections
sections: {
executiveSummary: {
title: 'Executive Summary',
content: async (data) => {
return {
overview: await this.generateOverview(data),
keyFindings: await this.summarizeKeyFindings(data),
riskAssessment: await this.summarizeRisks(data),
recommendations: await this.summarizeRecommendations(data)
};
}
},
methodology: {
title: 'Methodology',
content: async (data) => {
return {
approach: this.describeApproach(),
scope: data.scope,
tools: await this.listToolsUsed(data),
timeline: data.timeline
};
}
},
findings: {
title: 'Findings',
content: async (data) => {
return {
summary: await this.generateFindingsSummary(data),
vulnerabilities: await this.formatVulnerabilities(data.vulnerabilities),
evidenceAndProofs: await this.organizeEvidence(data.evidence)
};
}
},
recommendations: {
title: 'Recommendations',
content: async (data) => {
return {
prioritizedActions: await this.prioritizeRecommendations(data),
remediationSteps: await this.generateRemediationSteps(data),
defensiveStrategies: await this.suggestDefensiveStrategies(data)
};
}
}
},
// Generate full report
async generateReport(data) {
const report = {
title: `Penetration Test Report: ${data.target}`,
date: new Date(),
version: '1.0',
sections: {}
};
// Generate each section
for (const [key, section] of Object.entries(this.sections)) {
report.sections[key] = {
title: section.title,
content: await section.content(data)
};
}
// Add appendices
report.appendices = await this.generateAppendices(data);
return report;
},
// Format report
async formatReport(report, format = 'html') {
switch (format) {
case 'html':
return await this.formatHtml(report);
case 'pdf':
return await this.formatPdf(report);
case 'markdown':
return await this.formatMarkdown(report);
default:
throw new Error(`Unsupported report format: ${format}`);
}
}
}Best Practices
Scope Definition
Best practices for defining test scope:
- Clearly define boundaries
- Identify critical assets
- Document exclusions
- Obtain proper authorization
Testing Methodology
Follow a structured testing approach:
- Use established frameworks
- Document all activities
- Maintain evidence
- Verify findings
Ethical Considerations
Maintain ethical standards:
- Obtain proper authorization
- Respect data privacy
- Avoid service disruption
- Secure sensitive findings
Common Vulnerability Categories
Injection Vulnerabilities
Vulnerabilities that allow attackers to inject malicious code or commands into an application.
- SQL Injection
- Command Injection
- LDAP Injection
- XPath Injection
- NoSQL Injection
Impact: High
Authentication Flaws
Weaknesses in authentication mechanisms that allow unauthorized access.
- Weak Password Policies
- Brute Force Vulnerabilities
- Session Management Flaws
- Credential Storage Issues
- Multi-factor Authentication Bypass
Impact: High
Access Control Issues
Flaws that allow users to access resources or perform actions beyond their permissions.
- Insecure Direct Object References
- Missing Function Level Access Control
- Privilege Escalation
- JWT Vulnerabilities
- CORS Misconfigurations
Impact: High
Cross-Site Scripting (XSS)
Vulnerabilities that allow attackers to inject client-side scripts into web pages.
- Reflected XSS
- Stored XSS
- DOM-based XSS
- Blind XSS
- mXSS (Mutation-based XSS)
Impact: Medium
Security Misconfigurations
Improperly configured application, server, or cloud services.
- Default Credentials
- Open Cloud Storage
- Unnecessary Services Running
- Outdated Software
- Verbose Error Messages
Impact: Medium
Sensitive Data Exposure
Inadequate protection of sensitive information.
- Insufficient Encryption
- Insecure Data Storage
- Cleartext Transmission
- Inadequate Key Management
- Information Disclosure
Impact: High
Penetration Testing Tools
Reconnaissance Tools
- Nmap - Network discovery and security auditing
- Shodan - Search engine for Internet-connected devices
- Maltego - Open source intelligence and forensics
- Recon-ng - Web reconnaissance framework
- theHarvester - Email, subdomain and name harvester
Vulnerability Scanners
- OpenVAS - Open Vulnerability Assessment Scanner
- Nikto - Web server scanner
- OWASP ZAP - Web application security scanner
- Burp Suite - Web vulnerability scanner
- SQLmap - Automatic SQL injection tool
Exploitation Frameworks
- Metasploit - Exploitation framework
- BeEF - Browser Exploitation Framework
- Hydra - Login cracker
- Aircrack-ng - Wireless security assessment
- Hashcat - Password recovery tool
Post-Exploitation Tools
- Mimikatz - Credential extraction tool
- PowerSploit - PowerShell post-exploitation framework
- Empire - Post-exploitation framework
- Bloodhound - Active Directory visualization tool
- Impacket - Network protocol toolkit
Common Challenges
Technical Challenges
Common technical issues:
- WAF detection and evasion
- Rate limiting and blocking
- False positives
- Tool compatibility issues
Operational Challenges
Operational considerations:
- Scope limitations
- Time constraints
- System availability
- Unexpected system behavior