Penetration Testing 101: How to Get Started

You’ll find Penetration Testing, often just called Pen Testing, explained differently, depending on where you get your input. Most sources agree that Pen Testing is essentially an ethical hacker carrying out attacks, like a malicious attacker, to help expose environmental vulnerabilities. While accurate, that’s a bit of a convoluted definition. Let’s pull it apart a bit.

First and foremost, Pen Testing is an activity intended to help an organization – not to hurt it. The idea is to have security professionals, (i.e. the “good actors” or “white hat hackers”), act like attackers (i.e. the “bad actors” or “black hat hackers”.) Pen Testers do this to expose weaknesses, or vulnerabilities in systems, networks, and devices, before real attackers find them. Pen Testing can be a valuable part of a solid security if it is implemented well and the sponsoring organization responds to the findings.

Modern Test Case Management Software
for QA and Development Teams

Where to Start?

Penetration Testing. Introduction to Penetration Testing. Pen Testing Strategies. Software Testing. Gurock

Being a Pen Tester can be fun. You get to act like an attacker without actually being bad. So, how does one get started in having fun and making environments more secure at the same time? A quick Internet search will return many articles on how to do just that. The problem is, many of them jump into the process too far in. Its easy to find books and articles on “Pen Testing using ______ (insert your favorite tool or scripting language here.) Common titles include Pen Testing using Kali Linux, Python, Bash Shell, Powershell, Perl, and the list goes on and on. The point is that many of the resources you’ll find focus on tools, as opposed to the actual process. A much better place to start is at the beginning.

Understanding Pen Testing

Penetration Testing. Introduction to Penetration Testing. Pen Testing Strategies. Software Testing. Gurock

Pen Testing is far more than just running software. Pen Testing software tools are just that – tools. If you don’t really know why you need each one, you aren’t adding much value to the process. I think of Pen Testing like the process of flying an airplane. If you know what you’re doing, flying an airplane isn’t really that hard. But you just don’t jump into an airplane and go. You need some training and experience on things like weather awareness, airplane preparation, airport and airspace navigation, and interacting with air traffic control. And all that is in addition to knowing how to actually fly an airplane. Successful pen testing, like flying, is all about being prepared and planning well.

Pen Testing is all about looking at a computing environment to find the vulnerabilities an attacker wants to find and exploit. You can only do that if you thoroughly understand how your environment works, its architecture, and its attack surface. That’s a LOT more than just downloading a Kali Linux virtual machine image and running some tools from a menu. But that doesn’t really answer our question yet. Where do I start to become a Pen Tester?

Know Thy Environment

Penetration Testing. Introduction to Penetration Testing. Pen Testing Strategies. Software Testing. Gurock

Before you start running Pen Testing tools, you need to know a good bit about your network, its connected systems, and its devices. In almost all cases, a good place to start is learning about TCP/IP and its administration. System administration skills are essential. Know how to add computers and devices to your network, and then configure each one. Can you add a new database server to your network and ensure that only the ports needed to operate are opened? Can you add a new user to your environment and permit that user to access only required resources? Those skills will help you to better understand how various components work together in an environment.

Hers’s a great self-test to see how well you understand your environment. Describe the process that starts with a user entering a URL in a web browser, and ends with active content being rendered in that user’s browser. Can you describe precisely what traffic travels across the network, and where? Can you explain all of the devices and systems in your network involved in the process? If so, you have a good understanding of all of the pieces – and the opportunities for vulnerabilities to exist. A solid understanding of network protocols is needed to explain the round trip of a web request. You can bet that the attackers that launch successful attacks understand these protocols, implementations, and their weaknesses.

Scripting is Helpful

Penetration Testing. Introduction to Penetration Testing. Pen Testing Strategies. Software Testing. Gurock

Another key skill a good Pen Tester possesses is the ability to write scripts. You don’t have to be a scripting guru, but a good knowledge of at least a couple scripting languages will make your life easier and unlock lots of neat tools that others have written for their own use. If you are completely new to scripting, I’d suggest learning Python and either Powershell, if you primarily work in Windows, or bash shell scripting, if you primarily work in UNIX or Linux. Knowing these two scripting languages will enable you to build your own toolbox and leverage your time when conducting Pen Testing.

Receive Popular Monthly Testing & QA Articles

Join 34,000 subscribers and receive carefully researched and popular article on software testing and QA. Top resources on becoming a better tester, learning new tools and building a team.

We will never share your email. 1-click unsubscribes.

What About Permission?

Penetration Testing. Introduction to Penetration Testing. Pen Testing Strategies. Software Testing. Gurock

Before you ever run the first Pen Test, be aware that you are simulating attack activity. Some of the activities you’ll carry out in Pen Testing can be dangerous, or even outright harmful. NEVER conduct Pen Testing activities without explicit permission from the system owners. Pen Testing without appropriate permission can result in civil or criminal proceedings. In short, if you don’t have permission (in writing), you could be sued or prosecuted for your activities. Don’t risk it. Get explicit permission in writing first.

Permission includes the network you use as well. If you are operating within a single organization, make sure you have permission to access the network as well as computers and devices. Your tests may cause excessive or malicious traffic that could interrupt normal operations. If you are conducting tests remotely, be aware that your Internet Service Provider (ISP) may very well take a dim view of having their network used for attack purposes. You could see your home or business Internet service terminated. Understand your ISP policies.

Finally, Using the Tools?

Penetration Testing. Introduction to Penetration Testing. Pen Testing Strategies. Software Testing. Gurock

Once you have the basics under your belt, its time to roll up your sleeves and get started. But that doesn’t mean to start running Pen Testing tools (yet). There’s still a lot left to do. In the next two articles, we’ll talk about how to plan your Pen Testing activities as a project, and how to determine which tools you’ll need. Planning is crucial to determine the scope of your tests and set expectations for your stakeholders. After that we’ll talk about Kali Linux and a few alternatives to get started. But you’ll have to wait until next time for those details. In the meantime, review the basics. Knowing how your environment really works is the most important requirement to becoming an effective Pen Tester.

Article by Michael Solomon. Michael Solomon PhD CISSP PMP CISM is Professor of Information Systems Security and Information Technology at University of the Cumberlands and Director of the Ph.D. Information Technology Program.

All-in-one Test Automation
Cross-Technology | Cross-Device | Cross-Platform

In This Article:

Sign up for our newsletter

Share this article

Other Blogs

General, Agile, Software Quality

How to Identify, Fix, and Prevent Flaky Tests

In the dynamic world of software testing, flaky tests are like unwelcome ghosts in the machine—appearing and disappearing unpredictably and undermining the reliability of your testing suite.  Flaky tests are inconsistent—passing at times and failin...

Software Quality

Test Planning: A Comprehensive Guide for Success

A comprehensive test plan is the cornerstone of successful software testing, serving as a strategic document guiding the testing team throughout the Software Development Life Cycle (SDLC). A test plan document is a record of the test planning process that d...

Software Quality, Business

Managing Distributed QA Teams

In today’s landscape of work, organizations everywhere are not just accepting remote and hybrid teams—they’re fully embracing them. So what does that mean for your QA team? While QA lends itself well to a distributed work environment, there ar...