Penetration testing explained: How ethical hackers simulate attacks

What is penetration testing?

Definition: Penetration testing is a process in which a security professional simulates an attack on a network or computer system to evaluate its security—with the permission of that system’s owners.

Don’t let the word “simulates” fool you: A penetration tester (or pen tester, for short) will bring all the tools and techniques of real-world attackers to bear on the target system. But instead of using the information they uncover or the control they gain for their own personal enrichment, they report their findings to the target systems’ owners so that their security can be improved.

Because a pen tester follows the same playbook as a malicious hacker, penetration testing is sometimes referred to as ethical hacking or white hat hacking; in the early days of penetration testing, many of its practitioners got their start as malicious hackers before going legit, though that is somewhat less common today. You might also encounter the term red team or red teaming, derived from the name given to the team playing the “enemy” in war game scenarios played out by the military. Penetration testing can be carried out by teams or individual hackers, who might be in-house employees at the target company, or may work independently or for security firms that provide specialized penetration testing services.

How does a penetration test work?

In a broad sense, a penetration test works in exactly the same way that a real attempt to breach an organization’s systems would. The pen testers begin by examining and fingerprinting the hosts, ports, and network services associated with the target organization. They will then research potential vulnerabilities in this attack surface, and that research might suggest further, more detailed probes into the target system. Eventually, they’ll attempt to breach their target’s perimeter and get access to protected data or gain control of their systems.

The details, of course, can vary a lot; there are different types of penetration tests, and we’ll discuss the variations in the next section. But it’s important to note first that the exact type of test conducted and the scope of the simulated attack needs to be agreed upon in advance between the testers and the target organization. A penetration test that successfully breaches an organization’s important systems or data can cause a great deal of resentment or embarrassment among that organization’s IT or security leadership, and it’s not unheard of for target organizations to claim that pen testers overstepped their bounds or broke into systems with high-value data they weren’t authorized to test—and threaten legal action as a result. Establishing in advance the ground rules of what a particular penetration test is going to cover is an important part of determining how the test is going to work.

Types of penetration testing

There are several key decisions that will determine the shape of your penetration test. App security firm Contrast Security breaks test types down into a number of categories:

• An external penetration test simulates what you might imagine as a typical hacker scenario, with an outsider probing into the target organization’s perimeter defenses to try to find weaknesses to exploit.
• An internal test, by contrast, shows what an attacker who’s already inside the network—a disgruntled employee, a contractor with nefarious intentions, or a superstar hacker who gets past the perimeter—would be capable of doing.
• A blind test simulates a “real” attack from the attacker’s end. The pen tester is not given any information about the organization’s network or systems, forcing them to rely on information that is either publicly available or that they can glean with their own skills.
• A double-blind test also simulates a real attack at the target organization’s end, but in this type of engagement the fact that a penetration test is being conducted is kept secret from IT and security staff to ensure that the company’s typical security posture is tested.
• A targeted test, sometimes called a lights-turned-on test, involves both the pen testers and the target’s IT playing out a simulated “war game” in a specific scenario focusing on a specific aspect of the network infrastructure. A targeted test generally requires less time or effort than the other options but doesn’t provide as complete a picture.

App security firm Synopsis lays out another way to think about varying test types, based on how much preliminary knowledge about the target organization the testers have before beginning their work. In a black box test, the ethical hacking team won’t know anything about their targets, with the relative ease or difficulty in learning more about the target org’s systems being one of the things tested. In a white box test, the pen testers will have access to all sorts of system artifacts, including source code, binaries, containers, and sometimes even the servers running the system; the goal is to determine how hardened the target systems are in the face of a truly knowledgeable insider looking to escalate their permissions to get at valuable data. Of course, a real-world attacker’s preliminary knowledge might lie somewhere between these two poles, and so you might also conduct a gray box test that reflects that scenario.

Penetration testing steps

While each of these different kinds of penetration tests will have unique aspects, the Penetration Test Executing Standard (PTES), developed by a group of industry experts, lays out seven broad steps will be part of most pen testing scenarios:

• Pre-engagement interactions: As we’ve noted, any pen test should be preceded by the testers and target organization establishing the scope and goals of the test, preferably in writing.
• Intelligence gathering: The tester should begin by performing reconnaissance against a target to gather as much information as possible, a process that may include gathering so-called open source intelligence, or publicly available information, about the target organization.
• Threat modeling: In this phase, the pen tester should model the capabilities and motivations behind a potential real attacker, and try to determine what targets within the target organization might attract that attacker’s attention.
• Vulnerability analysis: This is probably the core of what most people think about when it comes to penetration testing: analyzing the target organization’s infrastructure for security flaws that will allow a hack.
• Exploitation: In this phase, the pen tester uses the vulnerabilities they’ve discovered to enter the target organization’s systems and exfiltrate data. The goal here is not just to breach their perimeter, but to bypass active countermeasures and remain undetected for as long as possible.
• Post exploitation: In this phase, the pen tester attempts to maintain control of the systems they’ve breached and ascertain their value. This can be a particularly delicate phase in regard to the relationship between the pen testers and their clients; it is important here that the pre-engagement interactions in the first phase produced a well-defined set of ground rules that will protect the client and ensure that no essential client services are negatively affected by the test.
• Reporting: Finally, the tester must be able to deliver a comprehensive and informative report to their client about the risks and vulnerabilities they discovered. CSO spoke to a number of security pros about the traits and skills an ethical hacker should have, and many of them said that the communication skills necessary to clearly convey this information is close to the top of the list.

Penetration testing tools

The penetration tester’s suite of tools is pretty much identical to what a malicious hacker would use. Probably the most important tool in their box will be Kali Linux, an operating system specifically optimized for use in penetration testing. Kali (which most pen testers are more likely to deploy in a virtual machine rather than natively on their own hardware) comes equipped with a whole suite of useful programs, including:

• nmap
• Metasploit
• Wireshark
• John the Ripper
• Hashcat
• Hydra
• Zed Attack
• sqlmap

For more details on how all these weapons work together in the pen tester’s arsenal, read about the top penetration testing tools the pros use.

Penetration testing services and companies

Pen testing is an area of specialization in the tech industry that has so far resisted consolidation. To put it another way, there are a lot of companies out there that offer penetration testing services, some of them as part of a larger suite of offerings and some of them specializing in ethical hacking. Research and advisory company Explority put together a list of the top 30 pen testing companies in Hacker Noon, and outline their criteria for inclusion and ranking. It’s a fairly comprehensive list, and the fact that there’s almost no overlap with Clutch’s list of top-rated penetration testing companies or Cybercrime Magazine’s penetration companies to watch in 2021 goes to show how diversified this field really is.

Penetration testing jobs

The fact that there are so many pen testing firms should be a clue that pen testers are in high demand and there are good jobs out there for qualified candidates. And the jobs aren’t just at standalone security firms: Many big tech companies like Microsoft have entire in-house penetration testing teams.

North Carolina State University’s IT Careers department has a good outline what the outlook is in this career category. They tracked over 16,000 open jobs in 2020 alone. One caveat, though, is that NC State combines penetration testing and vulnerability analyst careers in that overview. The two career tracks have many skills in common, but vulnerability analysts focus on finding holes in the security of applications and systems while they’re still in development or before they’re deployed, while pen testers probe active systems as we’ve described here.    

Penetration testing training and certification

The ethical hacking industry was founded by hackers who had once been less than ethical looking for a path to a mainstream and legal way for them to make money from their skills. As is true in many areas of tech, this first generation of pen testers were largely self-taught. While there’s still room for those who’ve developed their skills in this way, penetration testing is now a common subject in computer science or IT college curricula and online courses alike, and many hiring managers will expect some formal training when considering a candidate.

One of the best ways to show that you’ve been cultivating pen testing skills is to get one of several widely accepted certifications in the field. The licensed training offerings that accompany these certs are a great way to acquire or bone up on the relevant skills:

• EC-Council’s Certified Ethical Hacker (CEH) and Licensed Penetration Tester (Master) (LPT)
• IACRB’s Certified Penetration Tester (CPT), Certified Expert Penetration Tester (CEPT), Certified Mobile and Web Application Penetration Tester (CMWAPT), and Certified Red Team Operations Professional (CRTOP)
• CompTIA’s PenTest+
• GIAC’s Penetration Tester (GPEN) and Exploit Researcher and Advanced Penetration Tester (GXPN)
• Offensive Security’s Certified Professional, Wireless Professional, and Experienced Penetration Tester

Penetration testing salary

As with many in-demand tech security jobs, pen testers can command healthy salaries. The Infosec Institute has a good overview of compensation across geographical regions in the US and job titles, with the big picture being that most pen testers can expect salaries in the low six figures. As of December 2021, Indeed.com pegs the average base salary for a penetration tester in the United States at about $111,000, while Glassdoor puts it at just over $102,000. Either way, this is clearly a job with potential, so don’t be afraid to pursue it if you find the world of ethical hacking intriguing.