Penetration Testing Explained — Complete Beginner's Guide

DodaTech Updated Jun 6, 2026 11 min read

Penetration testing is a simulated cyber attack against a computer system to identify exploitable vulnerabilities, performed with the system owner’s full authorization and within a defined scope.

What You’ll Learn

By the end of this tutorial, you’ll understand the three types of penetration testing (black-box, white-box, grey-box), the standard testing methodology, common tools, and how to structure a professional security report.

Why Penetration Testing Matters

Companies spend billions on security tools, but without regular penetration testing they do not know whether those tools actually work. One 2025 study reported that organizations that perform quarterly penetration tests detect and fix vulnerabilities 60% faster than those that do not. At DodaTech, every release of Durga Antivirus Pro and Doda Browser undergoes rigorous penetration testing before rollout.

Penetration Testing Learning Path

    flowchart LR
  A[Security Basics] --> B[Network Security]
  B --> C[Web Security]
  C --> D[Cryptography]
  D --> E[Ethical Hacking]
  E --> F[Pen Testing]
  F --> G{You Are Here}
  style G fill:#f90,color:#fff
  
Prerequisites: Ethical Hacking concepts, Network Security basics, and Cyber Security fundamentals. Linux command-line proficiency recommended.

What Is Penetration Testing? (The “Why” First)

Think of penetration testing like a fire drill for cybersecurity. A fire drill doesn’t start a real fire — it simulates one so you can practice your response, find weaknesses in your evacuation plan, and fix them before a real emergency.

Penetration testing works the same way. Instead of waiting for a real attacker, you hire ethical hackers to simulate attacks. They find the weaknesses, document them, and help you fix everything before a real attacker exploits it.

The Key Difference from Ethical Hacking

While Ethical Hacking covers the theory and techniques, penetration testing is a formal, structured service with:

  • A signed contract and scope
  • Defined rules of engagement
  • A scheduled timeline
  • A professional report
  • Compliance requirements (PCI DSS, HIPAA, SOC 2)

Types of Penetration Testing

Pen testers classify tests by how much information they have about the target. Think of it like someone trying to get into a house:

Black-Box Testing

The tester knows nothing about the target — just the company name or website URL. Like a burglar who walks past your house and decides to try breaking in.

    flowchart LR
  A[Tester] -->|No info| B[Target]
  B -->|Discovers everything| C[Vulnerabilities]
  A --> D{No prior knowledge}
  

Pros: Most realistic simulation of an external attacker. Cons: Time-consuming, may miss deep vulnerabilities.

White-Box Testing

The tester has full information — source code, architecture diagrams, credentials, and network maps. Like a security consultant who knows every door, window, and alarm in your house.

    flowchart LR
  A[Tester] -->|Full info| B[Source Code]
  A -->|Full info| C[Network Maps]
  A -->|Full info| D[Credentials]
  B --> E[Vulnerabilities]
  C --> E
  D --> E
  A --> F{Full knowledge}
  

Pros: Thorough, can find complex logic flaws, efficient. Cons: Less realistic for an external attacker, who normally does not have this information.

Grey-Box Testing

The tester has partial information — perhaps a low-privilege account or limited network access. Like a disgruntled employee or someone who found a building access card.

  • Most common in real-world engagements
  • Balances realism with efficiency
  • Simulates insider threat scenarios

| Aspect | Black-Box | Grey-Box | White-Box |
|--------|-----------|----------|-----------|
| Time | Long (weeks) | Moderate (days) | Shorter (days) |
| Cost | Highest | Moderate | Lower |
| Realism | Very realistic | Moderate | Less realistic |
| Depth | Surface-level | Moderate | Deep |
| Best for | External perimeter | Web applications | Code review |

Penetration Testing Methodology

Pre-Engagement Phase

Before any testing begins, you need:

  1. Scope definition: What systems, IP ranges, and applications are in scope?
  2. Rules of engagement: Testing hours, allowed techniques, excluded actions
  3. Contact information: Who to notify during the test
  4. Legal authorization: Signed agreement (Statement of Work)
  5. Emergency stop: How to abort the test if something goes wrong

Intelligence Gathering

Collect as much information as possible about the target:

# DNS enumeration
dnsrecon -d example.com

# Subdomain discovery
sublist3r -d example.com

# Technology fingerprinting
whatweb example.com

# Email harvesting
theHarvester -d example.com -b google

Threat Modeling

Identify which attacks are most likely and most damaging:

| Asset | Threat | Likelihood | Impact | Priority |
|-------|--------|------------|--------|----------|
| User database | SQL injection | Medium | Critical | High |
| Admin panel | Brute force | High | High | High |
| API endpoint | Rate limiting bypass | Low | Medium | Low |

Vulnerability Analysis

Combine automated scanning with manual testing:

# Automated scanning
nmap -sV --script vuln target.com
nikto -h target.com
wapiti -u https://target.com

# Manual verification of each finding
# (Automated scanners produce false positives!)
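Scanner output has to be read before anything from it goes into a report. The script below is an added example, not part of the original tutorial or any of the tools listed above: it parses nmap's XML output (`-oX`) with the Python standard library, keeps only open ports, and separates what needs manual verification from plain observations, using the rule that an open, identified SSH port is context while an internet-exposed database port is a finding to confirm. The XML is a constructed sample for the ShopEasy range used later on this page (203.0.113.0/24 is a documentation range, so it is not a real scan), and the triage policy is an assumption you would tune per engagement.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output for one host; not a real scan result.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.10" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.49" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed triage policy for an internet-facing web host (tune per engagement):
# services that must never be reachable from the internet; open = finding to verify.
SENSITIVE_SERVICES = {"mysql", "postgresql", "ms-sql-s", "redis", "mongodb",
                      "ms-wbt-server", "microsoft-ds", "netbios-ssn"}


def parse_nmap_xml(xml_text):
    """Return one dict per *open* port; filtered and closed ports are dropped."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            # nmap sets method="probed" and a high conf when it matched a real banner;
            # method="table" means the service name is only a guess from the port number.
            probed = (svc is not None and svc.get("method") == "probed"
                      and int(svc.get("conf", "0")) >= 7)
            product = ""
            if svc is not None:
                product = (svc.get("product", "") + " " + svc.get("version", "")).strip()
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "service": svc.get("name", "unknown") if svc is not None else "unknown",
                "product": product,
                "banner_confirmed": probed,
            })
    return results


def triage(open_ports):
    """Split open ports into report findings (need manual verification) and observations."""
    findings, observations = [], []
    for p in open_ports:
        label = f"{p['host']}:{p['port']}/{p['service']} {p['product']}".strip()
        if p["service"] in SENSITIVE_SERVICES:
            findings.append(("Sensitive service exposed to the internet", label))
        elif not p["banner_confirmed"]:
            findings.append(("Unidentified service, probe manually", label))
        else:
            # Expected and identified: context for the report, not a vulnerability by itself
            observations.append(label)
    return {"findings": findings, "observations": observations}


if __name__ == "__main__":
    result = triage(parse_nmap_xml(SAMPLE_NMAP_XML))
    print("Findings to verify:")
    for reason, label in result["findings"]:
        print(f"  [{reason}] {label}")
    print("Observations (context only):")
    for label in result["observations"]:
        print(f"  {label}")
```

Run a real scan with `nmap -sV -oX scan.xml <in-scope host>` and feed the file contents to `parse_nmap_xml`; everything in `findings` still has to be confirmed by hand (connect to the port, check the version, test the actual weakness) before it gets a severity in the report.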

Exploitation

Attempt to exploit confirmed vulnerabilities:

# Example: SQL injection testing with sqlmap
sqlmap -u "https://target.com/page?id=1" --batch --dbs

# Example: Metasploit module for known vulnerability
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; set RHOSTS target.com; run"

Post-Exploitation

After gaining access, determine the depth of compromise:

# Check current privileges (Windows)
whoami
whoami /priv

# Check current privileges (Linux)
whoami
id
sudo -l

# Enumerate connected systems
arp -a
netstat -an

Reporting

Document everything in a structured report. This is the most important deliverable.

The Penetration Testing Report

A professional report typically includes:

Executive Summary

For managers and non-technical stakeholders:

Executive Summary: Example Corp’s web application was found to contain 3 critical, 5 high, and 8 medium-severity vulnerabilities. The most critical finding — an SQL injection in the login form — could allow attackers to access the entire user database. We recommend immediate remediation of all critical findings.

Technical Findings

For developers and system administrators:

## Finding: SQL Injection in Login Endpoint
**Severity**: Critical
**CVSS Score**: 9.8
**Location**: POST /api/login (username parameter)
**CVE**: N/A (custom application)

### Proof of Concept
Payload: `admin' OR '1'='1`
Technique: authentication bypass via a boolean tautology. The username is concatenated straight into the SQL string, so the quote in the payload closes the string literal and the appended `OR '1'='1'` makes the WHERE clause true regardless of the password.
Result: Returns the first matching account (here admin) without a valid password

### Impact
An attacker can:
- Bypass authentication entirely
- Dump all user credentials
- Escalate privileges to admin

### Remediation
Use parameterized queries instead of string concatenation:
```python
# Instead of:
cursor.execute(f"SELECT * FROM users WHERE username = '{user_input}'")
# Use:
cursor.execute("SELECT * FROM users WHERE username = ?", (user_input,))
```

### CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
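
To see why the proof of concept in this finding works and why the parameterized query closes it, here is an added example that is not part of the sample report: it runs both versions of the login query against a constructed in-memory SQLite database. The table, the two users and their password strings are assumptions for the demo (a real application stores password hashes, never plaintext).

```python
import sqlite3

PAYLOAD = "admin' OR '1'='1"   # the proof-of-concept payload from the finding


def make_db():
    """Constructed demo data: two users with plaintext passwords, for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("alice", "alice-pw")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' code from the finding: user input is spliced into the SQL text."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """The remediation: placeholders. The driver sends the values separately from the
    SQL text, so a quote inside the username is just a character in the value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The concatenated query becomes:
    #   ... WHERE username = 'admin' OR '1'='1' AND password = 'wrong'
    # AND binds tighter than OR, so the admin row matches whatever the password is.
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))            # admin
    print("fixed:", login_fixed(db, PAYLOAD, "wrong"))                       # None
    print("fixed, real credentials:", login_fixed(db, "admin", "s3cret-admin"))  # admin
```

The same payload is a useful manual check when a scanner flags a login form: if the vulnerable behaviour reproduces with a deliberately wrong password, the finding is confirmed; if the application behaves like `login_fixed`, the scanner result is a false positive.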


### Risk Rating Matrix

| Severity | Count | Examples |
|----------|-------|----------|
| Critical | 3 | SQL injection, RCE, auth bypass |
| High | 5 | XSS, privilege escalation, IDOR |
| Medium | 8 | Missing security headers, info disclosure |
| Low | 12 | Verbose error messages, outdated version headers |

### Remediation Plan

### Immediate (24 hours)
- Fix critical SQL injection in login form
- Patch Apache Struts vulnerability (CVE-2023-XXXX)

### Short-term (1 week)
- Implement Content Security Policy headers
- Enable rate limiting on login endpoint
- Remove debug information from error pages

### Long-term (1 month)
- Conduct code review of all authentication logic
- Implement Web Application Firewall (WAF)
- Schedule next penetration test

Common Penetration Testing Mistakes

1. Relying Only on Automated Tools

Automated scanners miss logic flaws, business logic vulnerabilities, and complex attack chains. Manual testing by experienced testers is irreplaceable.

2. Reporting Without Context

“Port 22 is open” is not a vulnerability. SSH on port 22 is expected. Report findings that actually pose a risk, not observations.

3. No Remediation Guidance

Don’t just find problems — help fix them. Every finding should include clear, actionable remediation steps. This is what separates professional testers from script kiddies.

4. Destructive Testing

Some exploits can crash servers, corrupt databases, or trigger alerts. Understand the impact before running an exploit. Have a rollback plan.

5. Testing in Production Without a Rollback Plan

If you must test in production, have verified backups and a tested recovery procedure. Test during low-traffic hours.

6. Not Verifying False Positives

Automated scanners generate false positives. Every finding must be manually verified before including it in the report.

7. Poor Communication During Testing

If you find a critical vulnerability on day 1, don’t wait for the day 30 report. Notify the client immediately.

Common Mistakes Beginners Make

1. Skipping the Fundamentals

Many beginners jump straight to advanced topics without mastering the basics. Take time to understand the core concepts before moving on.

2. Not Practicing Enough

Reading tutorials without running the tools yourself leads to shallow understanding. Work through every example in a lab you are authorized to test, such as a local VM, and experiment on your own.

3. Ignoring Error Messages

Error messages tell you exactly what went wrong. Read them carefully — they usually point to the line and type of issue.

4. Copy-Pasting Without Understanding

It’s tempting to copy code from tutorials, but typing it yourself and understanding each line builds real skill.

5. Giving Up Too Early

Every tester hits frustrating dead ends. Take breaks, ask for help, and remember that struggling is part of learning.

Practice Questions

1. What’s the difference between black-box and white-box testing?

Black-box testing gives the tester no prior information about the target. White-box testing provides full access to source code, architecture, and credentials.

2. What is a CVSS score?

The Common Vulnerability Scoring System (CVSS) rates vulnerability severity from 0.0 to 10.0 based on exploitability, impact, and complexity. A score of 9.0+ is critical.

3. Why can’t you rely solely on automated scanning?

Automated scanners produce false positives, miss logic flaws, and cannot test business logic vulnerabilities. Manual validation and creative thinking are essential.

4. What should be in an executive summary?

A non-technical overview of findings, key risks, and recommended actions. Written for managers and executives who need to understand the business impact.

5. Challenge: Write a CVSS 3.1 vector string for a network-based, low-complexity SQL injection that needs no authentication and no user interaction, with high confidentiality and integrity impact and no availability impact.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, which scores 9.1 (Critical). Adding high availability impact (A:H) raises it to 9.8, the vector used for the sample finding above. Neither reaches the maximum of 10.0: the base score only hits 10.0 when the scope is changed (S:C) as well, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Real-World Task: Plan a Penetration Test

Create a penetration test plan for a fictional web application called “ShopEasy”:

## Penetration Test Plan — ShopEasy

### Scope
- URL: https://shopeasy.com
- API: https://api.shopeasy.com/v1
- IP Range: 203.0.113.0/24
- Excluded: payment processor (third-party)

### Timeline
- Pre-engagement: Day 1
- Reconnaissance: Days 2-3
- Scanning: Days 4-5
- Exploitation: Days 6-8
- Post-exploitation: Day 9
- Reporting: Days 10-12

### Tools
- Recon: theHarvester, Sublist3r, Shodan
- Scanning: nmap, Nikto, Burp Suite
- Exploitation: Metasploit, sqlmap, custom scripts
- Reporting: Faraday, Dradis

### Rules of Engagement
- Testing hours: 9 AM - 6 PM EST (Mon-Fri)
- No social engineering
- No DoS/DDoS attacks
- Production data must not be modified
- Emergency contact: security@shopeasy.com

FAQ

How often should penetration testing be performed?
At minimum annually, ideally quarterly, and immediately after major infrastructure changes or new feature releases. Compliance frameworks set their own floor: PCI DSS, for example, requires internal and external penetration testing at least annually and after any significant change, alongside quarterly vulnerability scans.
What’s the difference between vulnerability scanning and penetration testing?
Vulnerability scanning uses automated tools to find known vulnerabilities. Penetration testing goes further — it manually validates, chains exploits, and attempts to achieve a defined goal like accessing sensitive data.
What is a CVSS score?
The Common Vulnerability Scoring System is an open framework for communicating the characteristics and severity of software vulnerabilities. Scores range from 0.0 (none) to 10.0 (critical).
Can penetration testing cause system downtime?
Yes, some exploits can crash services or corrupt data. Professional testers take precautions — testing in staging, having rollback plans, and using proven exploit code. The rules of engagement should specify allowed and prohibited actions.
How much does a penetration test cost?
Costs vary widely: $5,000-$30,000 for a basic web application test, $20,000-$100,000+ for full-scope network + application + physical testing. The cost of a breach is far higher.

Try It Yourself

Write a Python script that simulates a penetration testing report generator:

# pentest_report.py
import json
from datetime import datetime

# The four severity bands used in the report; this is also the print order
SEVERITIES = ("Critical", "High", "Medium", "Low")


class PenTestReport:
    def __init__(self, client_name, tester_name):
        self.client = client_name
        self.tester = tester_name
        self.date = datetime.now().strftime("%Y-%m-%d")
        self.findings = []

    def add_finding(self, title, severity, cvss, location, description, remediation):
        # Reject unknown severities here so generate_summary() cannot fail later
        if severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
        self.findings.append({
            "title": title,
            "severity": severity,
            "cvss": cvss,
            "location": location,
            "description": description,
            "remediation": remediation
        })

    def generate_summary(self):
        counts = {sev: 0 for sev in SEVERITIES}
        for f in self.findings:
            counts[f["severity"]] += 1
        return {
            "client": self.client,
            "tester": self.tester,
            "date": self.date,
            "total_findings": len(self.findings),
            "severity_counts": counts
        }

    def to_json(self):
        # Machine-readable export for tracking tools (Faraday, Dradis) or a ticket system
        return json.dumps({"summary": self.generate_summary(),
                           "findings": self.findings}, indent=2)

    def print_report(self):
        summary = self.generate_summary()
        print("=" * 60)
        print("PENETRATION TEST REPORT")
        print(f"Client: {summary['client']}")
        print(f"Tester: {summary['tester']}")
        print(f"Date:   {summary['date']}")
        print(f"Total findings: {summary['total_findings']}")
        print("-" * 60)
        for sev, count in summary["severity_counts"].items():
            print(f"  {sev}: {count}")
        print("=" * 60)

        for i, f in enumerate(self.findings, 1):
            print(f"\nFinding #{i}: {f['title']}")
            print(f"  Severity: {f['severity']} (CVSS: {f['cvss']})")
            print(f"  Location: {f['location']}")
            print(f"  Description: {f['description']}")
            print(f"  Remediation: {f['remediation']}")


# Example usage
report = PenTestReport("ShopEasy Corp", "Jane Doe (Ethical Hacker)")

report.add_finding(
    "SQL Injection in Login Form",
    "Critical", 9.8,
    "/api/login (username parameter)",
    "Attacker can bypass authentication and dump user database using UNION-based SQL injection.",
    "Use parameterized queries with prepared statements."
)

# 6.1 sits in the CVSS Medium band (4.0-6.9); keep the severity label consistent with the score
report.add_finding(
    "Cross-Site Scripting in Search",
    "Medium", 6.1,
    "/search (q parameter)",
    "Reflected XSS allows attacker to execute JavaScript in victim's browser session.",
    "Escape all user input before rendering with html.escape() or template engine auto-escaping."
)

report.add_finding(
    "Missing HSTS Header",
    "Medium", 5.3,
    "HTTP Response Headers",
    "Without HSTS header, users are vulnerable to SSL stripping attacks.",
    "Add Strict-Transport-Security header with max-age=31536000."
)

report.print_report()

Expected output:

============================================================
PENETRATION TEST REPORT
Client: ShopEasy Corp
Tester: Jane Doe (Ethical Hacker)
Date:   2026-06-06
Total findings: 3
------------------------------------------------------------
  Critical: 1
  High: 0
  Medium: 2
  Low: 0
============================================================

Finding #1: SQL Injection in Login Form
  Severity: Critical (CVSS: 9.8)
  Location: /api/login (username parameter)
  Description: Attacker can bypass authentication...

What’s Next

Congratulations on completing this Penetration Testing tutorial! Here’s where to go from here:

  • Practice daily — Consistency is more important than long study sessions
  • Build a project — Apply what you learned by building something real
  • Explore related topics — Check out other tutorials in the same category
  • Join the community — Discuss with other learners and share your progress

Remember: every expert was once a beginner. Keep coding!

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro