Welcome to Penetration Testing Basics! Penetration testing, often called ethical hacking, is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. The main goal is to identify security weaknesses before malicious hackers do, allowing the organization to fix them and strengthen their defenses.
It is crucial to understand the distinction between a penetration tester and a malicious hacker. While both use similar tools and techniques, the difference lies entirely in intent and permission. A malicious hacker attacks systems to steal data, cause damage, or demand a ransom. A penetration tester works with the organization's explicit permission to improve security. By the end of this course, you will understand how to assess systems professionally and safely.
The most critical component of penetration testing is not technical skill, but legal authorization. Without permission, the activities you perform during a penetration test are illegal in most parts of the world. Even if your intentions are good and you plan to report the bugs you find, accessing a system without ownership or permission is considered a crime.
This brings us to the concept of the Scope of Work (SOW). Before you ever touch a keyboard to test a system, you must have a signed agreement that outlines exactly what you are allowed to test and how. This document protects both you and the client. It specifies which IP addresses, URLs, or applications are in scope for testing, and which are out of scope and must be left alone. The SOW may also limit which tools and techniques you are permitted to use — for example, a client might prohibit denial-of-service attacks or social engineering tactics that could disrupt business operations.
Imagine you are hired to test a company's website. If you accidentally attack a third-party server that hosts their images because you didn't check the scope, you could be liable for damages.
- Always obtain written authorization.
- Never test systems you do not own or have permission to test.
- Respect the boundaries set in the scope.
To effectively protect a system, you must understand how to break it. This requires adopting the attacker's mindset. While a developer looks at an application and thinks about how to make it work or how to add new features, an attacker looks at the same application and asks, "How can I make this behave in a way it wasn't intended to?"
Attackers are driven by curiosity, persistence, and creativity. They look for assumptions that developers made but didn't verify. For example, a developer might assume that a user will always enter a number for their age. An attacker will try entering letters, symbols, or massive numbers to see if the system crashes or reveals sensitive errors. This mindset shift is about looking for the "unhappy path" — the scenarios that weren't planned for.
Let's look at a simple example using our Pastebin application. Here is a basic web server setup using TypeScript and Express.
When a normal user visits the /api/status page, they just see that the site is online. However, when we think like an attacker, we see valuable information. The code reveals the version (1.0.0) and the environment. If we know the exact version of the application or the libraries it uses, we can search for known vulnerabilities specific to that version. This seemingly harmless status page is actually a form of information leakage.
Professional penetration testing is not chaotic; it follows a structured methodology to ensure nothing is missed. Most frameworks, such as the EC-Council's methodology, break the process down into five distinct phases. Understanding these phases helps you organize your work and ensures you provide comprehensive results to your client.
- Reconnaissance: This is the information-gathering phase. Before interacting with the target aggressively, you gather as much data as possible. This includes finding
IP addresses, email addresses, technology stacks, and other public information. - Scanning: In this phase, you use technical tools to interact with the target system to identify open ports and services. You are looking for potential entry points.
- Exploitation: This is where you attempt to bypass security controls using the vulnerabilities found during scanning. The goal is to verify if a vulnerability is real and if it allows unauthorized access.
- Post-Exploitation: Once inside, you determine the value of the machine. Can you access sensitive data? Can you use this machine to jump to other systems in the network?
- Reporting: This is the most important phase for the business. You document your findings, explain the risks, and provide recommendations on how to fix the issues.
In our course, we will follow these phases. We will start by learning how to set up our tools (though in CodeSignal, many are pre-installed for you), then move to gathering information, and finally look for weaknesses in code like the Pastebin application shown above.
A penetration test is a professional project, and like any project, it needs structure. It begins with Planning and Preparation. During this stage, you define the goals of the test. Is the client worried about data theft? Are they worried about their website going offline? Understanding the business goal helps you focus your testing efforts on what matters most to them.
During the assessment, communication is key. If you find a critical vulnerability that exposes all customer credit card data, you shouldn't wait until the final report to tell the client. You need a communication plan that allows for immediate notification of critical risks. Conversely, you also need to know who to contact if your testing accidentally crashes a server.
Finally, the Deliverable is your report. A professional report usually contains an Executive Summary (for management, focusing on business risk) and a Technical Report (for developers, focusing on code fixes).
- Executive Summary: "We found a flaw that allows outsiders to steal data."
- Technical Report: "The API endpoint
/api/statusleaksversioninformation which led to..."
In this lesson, we established the groundwork for becoming a penetration tester. We defined penetration testing as an authorized simulation of an attack, distinguished it from malicious hacking, and emphasized the absolute necessity of legal authorization. We also explored the attacker's mindset — looking for the unexpected — and outlined the five phases of a pentest: Reconnaissance, Scanning, Exploitation, Post-Exploitation, and Reporting.
Now that we have covered the foundational concepts, we are ready to move into the technical phase of our course. In the next lesson, Reconnaissance with Nmap, we will begin using professional scanning tools to discover open ports and identify running services on our target systems.
