Penetration Testing

When it comes to testing a system for security flaws, we might think of a single element, such as a website or application, that we attempt to breach. In reality, penetration testing follows a standard methodology. This standard is organised into the following phases:

  1. Reconnaissance
  2. Scanning
  3. Vulnerability Assessment
  4. Exploitation
  5. Post Exploit Reporting

Each phase lets a penetration tester gather information and insight that feeds directly into the exploitation and reporting phases. There are also tools built specifically for each phase that help testers work through the overall procedure in the right order.

An unspoken requirement that is rarely mentioned is the use of Kali Linux, or Linux in general, for penetration testing, because of its flexibility and its large ecosystem of purpose-built tools. Every profession has its trade secrets, and while I share what I know here to showcase my skills, I should add that for each phase there are many other resources that can be used.

The tools covered below:

  1. NMAP
  2. John The Ripper
  3. Directory Buster
  4. Website Fuzzer
  5. SQL Map
  6. Burp Suite
  7. Wireshark

NMAP

The Network Mapper tool was designed by Gordon Lyon and helps penetration testers like us identify flaws within a network. It maps the hosts on a network and reports details such as open ports and the services behind them, which helps security analysts decide where enhanced security measures are needed.

The general command format is nmap [IP Address] [ports] [switches]. An example is nmap 111.111.111 -p- -sV, where -p- scans every TCP port and -sV probes each open port to identify the service and version running on it. The more you use the tool, the more options you learn for performing different tasks.

Overall, this tool provides insight into a network and its devices, which is used to strengthen a system. It’s primarily used within the reconnaissance and scanning phases, which help pentesters understand what entry points there could be into a network and system.
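As an added example (not code from the original page or from the nmap project), here is a small Python script that parses nmap's grepable output (-oG) from a -p- -sV scan and flags open ports that are missing from an assumed baseline of approved services. The sample output, host address, services and baseline are all constructed for illustration.

```python
# Constructed sample of nmap's grepable output (-oG) for a "nmap -p- -sV" scan of one
# host. The address, services and versions are invented for illustration.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -p- -sV -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 8.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Assumed baseline: the ports the owner expects to be reachable on each host.
BASELINE = {"192.0.2.10": {22, 80}}

def parse_gnmap(text):
    """Return {host: [(port, state, service, version), ...]} from -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field is tab-separated from any trailing "Ignored State" field.
        ports_field = line.split("Ports:", 1)[1].split("\t")[0].strip()
        for entry in ports_field.split(","):
            # Each entry is port/state/protocol/owner/service/rpc info/version/
            f = entry.strip().split("/")
            results.setdefault(host, []).append((int(f[0]), f[1], f[4], f[6]))
    return results

def unexpected_open_ports(scan, baseline):
    """Open ports seen in the scan that the baseline does not allow, per host."""
    findings = {}
    for host, ports in scan.items():
        allowed = baseline.get(host, set())
        extra = [(port, svc, ver) for port, state, svc, ver in ports
                 if state == "open" and port not in allowed]
        if extra:
            findings[host] = extra
    return findings

if __name__ == "__main__":
    for host, extra in unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP), BASELINE).items():
        for port, svc, ver in extra:
            print(f"{host}: unexpected open port {port}/tcp ({svc} {ver})")
```

Run the same parser over a real -oG file and a maintained baseline to turn each scan into a short list of services nobody approved.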

John The Ripper

John the Ripper is a password-cracking tool that attempts to recover passwords by systematically trying entries from a dictionary or precompiled list. This method is particularly effective against weak or commonly used passwords. The tool often draws on large password databases, including publicly available lists, to guide its attempts.

Using John the Ripper highlights the importance of strong password policies and secure storage practices. Rainbow tables, a related technique, store precomputed hashes alongside their plaintext equivalents, allowing testers to quickly determine whether a password can be recovered from its hash. This demonstrates how easily weak credentials can be compromised if proper safeguards are not in place.

In penetration testing, John the Ripper is primarily employed during the vulnerability assessment phase. It allows testers to evaluate the strength of passwords in use, identify weak or reused credentials, and provide actionable recommendations to improve authentication security, such as enforcing complexity requirements or implementing multi-factor authentication.
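An added example, not from the original page or from the John the Ripper project, that shows the two points above in Python: a precomputed table of digests matches an unsalted hash instantly, while a salted and iterated hash (PBKDF2-HMAC-SHA256 here, an assumed choice of scheme) forces a fresh computation for every account and wordlist entry. The wordlist and both credential stores are constructed.

```python
import hashlib
import os

# Constructed wordlist; a real audit would use a large published list.
WORDLIST = ["password", "letmein", "Winter2024!", "qwerty", "correct horse"]

def precompute_table(words):
    """Lookup table of unsalted SHA-256 digests, the idea behind a rainbow table."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def audit_unsalted(store, table):
    """Accounts whose unsalted hash appears in the precomputed table (instant)."""
    return {user: table[h] for user, h in store.items() if h in table}

def hash_salted(password, salt, iterations=100_000):
    """Salted, iterated hashing as a safer storage scheme than a bare digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def audit_salted(store, words):
    """Dictionary check against salted hashes. No table helps here: every account
    needs its own recomputation, so cost grows with users x words x iterations."""
    weak = {}
    for user, (salt, digest) in store.items():
        for w in words:
            if hash_salted(w, salt) == digest:
                weak[user] = w
                break
    return weak

# Constructed unsalted store: two accounts chose wordlist entries, one did not.
UNSALTED_STORE = {
    "alice": hashlib.sha256(b"Winter2024!").hexdigest(),
    "bob": hashlib.sha256(b"qwerty").hexdigest(),
    "carol": hashlib.sha256(b"7Q!mz@9vLp#2rX").hexdigest(),
}

if __name__ == "__main__":
    print("weak unsalted accounts:", audit_unsalted(UNSALTED_STORE, precompute_table(WORDLIST)))
    salt = os.urandom(16)
    salted_store = {"alice": (salt, hash_salted("Winter2024!", salt))}
    print("weak salted accounts:", audit_salted(salted_store, WORDLIST))
```

Salting does not rescue a password that is itself in the wordlist, as the salted run still finds it; it only removes the shortcut of precomputation, so the policy fixes in the paragraph above remain necessary.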

Directory Buster

Similar to John the Ripper, this tool uses a wordlist of file and directory names to identify hidden directories within a server or application. With this approach it is possible to locate sensitive, valuable, or misconfigured files that may require further investigation.

Directory busters work by sending a large volume of HTTP requests to uncover potential paths. For example, files or directories may be hidden from search engines using a robots.txt file, which instructs crawlers not to index certain paths. However, the files themselves still exist, and anyone who knows the filename can still retrieve them. This tool enables the identification of hidden directories or files so that appropriate measures, such as access restriction or improved security controls, can be applied.

Typically, security teams incorporate this tool into routine scanning or vulnerability assessments to proactively identify and remediate potential risks.

Website Fuzzer

Website fuzzers perform the same function as directory busters but target the pages and inputs of a website or application itself, sending varied input to find anomalies that could suggest hidden parameters, functionality, or improper input handling.

A simple illustration is a form on your website that behaves securely under ordinary use. Given the right unexpected input, it might return results that reveal information about your server's backend, which is a security flaw, because an attacker could then use that information to look for ways into your system.

You will usually use this tool during the vulnerability assessment and scanning phases, as these are all about collecting information and resources. It also leads into a topic known as injection attacks.

SQL Map

Injection attacks are intrusive in the sense that they are carried out with almost no visibility into the backend of a system, yet they are used to extract detailed information about it. In my experience with tools like SQLmap, you are able to build queries that the application processes as usual but that carry malicious intent.

SQLmap in particular automates injection attacks against the databases behind a website or application. It helps identify which input sanitisation measures would be needed to prevent attacks like this from happening.

This type of tool is used during the vulnerability assessment and exploitation phases, as it serves not only to perform attacks that retrieve sensitive information from a system but also to gain entry into a system through the errors it returns.

Burp Suite

Burp Suite is an application that allows for intercepting, analysing, and manipulating web requests in real time. Think of loading your browser and searching for a website on Google, which brings back results. Behind the scenes this is an HTTP request sent to the server, carrying a method such as GET, PUT, POST, or DELETE together with its headers and body.

I am sure that the list of request types above suggests many ways in which requests can be handled on the web. Now, what if we were able to stop a request midway, modify its type or content, and then have it sent on to the server? It is almost like sitting in the middle of a connection between two parties.

The options available within this tool make it a valuable resource to use during scanning and vulnerability assessment phases.

Wireshark

Wireshark is used to analyze packet captures, validate protocol behavior, investigate potential data exfiltration paths, and gather authoritative network-level evidence. Through detailed inspection and annotation of relevant traffic flows, it supports technical findings and informs remediation guidance.

Conceptually, Wireshark decodes captured packets to reveal protocol exchanges across multiple network layers. Common analysis tasks include isolating conversations between hosts, identifying plaintext credential exposure, and verifying the presence and integrity of encrypted channels. Typical outputs consist of filtered capture segments, annotated protocol streams, and timeline visualizations that corroborate higher-level assessment results.

This tool is most often applied during the reconnaissance and vulnerability assessment phases. The rationale is that packet analysis provides low-level confirmation of network behaviour and helps validate or contextualise vulnerabilities identified at the application or infrastructure level. Portfolio examples might describe neutral cases such as extracting and annotating protocol streams to demonstrate configuration weaknesses within technical appendices.
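As an added example rather than code from the page or from the Wireshark project, here is a minimal Python pcap reader that walks a capture, decodes the Ethernet, IPv4 and TCP headers and reports HTTP Basic credentials sent in clear, the kind of plaintext credential exposure mentioned above. The capture is constructed in the script itself; the addresses, ports and username are placeholders, and only the username (never the password) is reported.

```python
import base64
import struct

def build_tcp_packet(src, dst, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero) for the demo."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (global header + one record header per frame)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def find_plaintext_basic_auth(pcap_bytes):
    """Walk the capture, decode each TCP payload and report HTTP Basic credentials
    sent in clear. Returns (client, server, username) per offending request."""
    findings, pos = [], 24
    while pos + 16 <= len(pcap_bytes):
        caplen = struct.unpack("<IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # only IPv4 carrying TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]             # skip IP header (IHL words)
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]                    # skip TCP header (data offset)
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                creds = base64.b64decode(line.split(b" ", 2)[2]).decode(errors="replace")
                findings.append((f"{src}:{sport}", f"{dst}:{dport}", creds.split(":")[0]))
    return findings

# Constructed capture: one cleartext HTTP request carrying Basic credentials (not real data).
SAMPLE_PCAP = build_pcap([build_tcp_packet(
    "192.0.2.10", "198.51.100.5", 51234, 80,
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
    + base64.b64encode(b"jsmith:Summer2024!") + b"\r\n\r\n")])

if __name__ == "__main__":
    for client, server, user in find_plaintext_basic_auth(SAMPLE_PCAP):
        print(f"plaintext Basic auth for user '{user}' from {client} to {server}")
```

The same walk over a real capture (which Wireshark shows as the "Authorization" line in the HTTP stream) gives the evidence a report needs that a service accepts credentials without TLS.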