Why This Matters
Penetration testing sits at the heart of proactive cybersecurity—it's how organizations discover vulnerabilities before malicious actors do. You're being tested on understanding not just what each technique does, but how they chain together in a real-world attack scenario. The kill chain methodology, risk assessment frameworks, and ethical hacking principles all connect here, making this topic central to both certification exams and practical business security assessments.
These techniques follow a logical progression that mirrors how actual attackers operate. Understanding this flow—from initial reconnaissance through exploitation to maintaining access—demonstrates the adversarial mindset that security professionals must adopt. Don't just memorize tool names; know why each phase exists, what business risks it addresses, and how defenders can detect or prevent each technique.
Pre-Attack Intelligence Gathering
Before any exploitation occurs, attackers build a comprehensive picture of their target through passive and active information collection.
- OSINT (Open Source Intelligence) forms the foundation—attackers harvest domain names, IP ranges, employee names, and organizational structure from publicly available sources
- Passive reconnaissance leaves no trace on target systems, using WHOIS lookups, DNS queries, social media scraping, and search engine dorking to map the attack surface
- Attack surface identification translates raw data into actionable entry points, connecting discovered information to potential vulnerabilities
Network Mapping and Enumeration
- Active scanning with tools like Nmap reveals live hosts, open ports, and running services—this is where attackers transition from passive to detectable activity
- Service fingerprinting identifies specific software versions and configurations, enabling targeted exploit selection
- Network topology mapping exposes trust relationships, segmentation gaps, and high-value targets like domain controllers or database servers
Compare: Reconnaissance vs. Enumeration—both gather intelligence, but reconnaissance is typically passive and external while enumeration actively probes internal systems. FRQ tip: If asked about detection opportunities, enumeration is far more likely to trigger security alerts.
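The FRQ tip above says enumeration is what defenders are most likely to notice. The following added example (written for this guide, not taken from any tool or vendor) shows the simplest form of that detection: a sliding-window rule over firewall logs that flags any source touching many distinct destination ports in a short span. The log format, IP addresses, thresholds and the "slow scan" host are all constructed for the illustration; the slow scanner is included to show why a fixed window misses patient attackers and why the window size is a tuning decision.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports swept by the two scanning hosts in the constructed sample below.
SWEEP_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]

# Constructed sample firewall log (not from any real network). Three hosts:
# 10.0.0.5 is a normal client, 10.0.0.9 sweeps 12 ports in 12 seconds,
# 10.0.0.11 sweeps the same 12 ports but two minutes apart (a "slow scan").
SAMPLE_LOG = "\n".join(
    [
        "2024-05-01T10:00:01 src=10.0.0.5 dst=10.0.1.20 dport=443 action=ALLOW",
        "2024-05-01T10:00:05 src=10.0.0.5 dst=10.0.1.20 dport=443 action=ALLOW",
        "2024-05-01T10:00:09 src=10.0.0.5 dst=10.0.1.20 dport=22 action=ALLOW",
    ]
    + [
        f"2024-05-01T10:00:{20 + i:02d} src=10.0.0.9 dst=10.0.1.20 dport={p} action=DENY"
        for i, p in enumerate(SWEEP_PORTS)
    ]
    + [
        f"2024-05-01T10:{5 + 2 * i:02d}:00 src=10.0.0.11 dst=10.0.1.20 dport={p} action=DENY"
        for i, p in enumerate(SWEEP_PORTS)
    ]
)

# Assumed (constructed) line layout: "<iso timestamp> src=IP dst=IP dport=N action=WORD"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_port_scans(log_text, window_seconds=60, port_threshold=10):
    """Return {source_ip: max_distinct_ports} for every source that touched at least
    `port_threshold` distinct destination ports inside some `window_seconds` span."""
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = 0
        start = 0
        # Sliding window: advance `start` until the span [start, end] fits in the window,
        # then count the distinct ports inside that span.
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = {e["dport"] for e in events[start : end + 1]}
            best = max(best, len(distinct))
        if best >= port_threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print("60 s window:", detect_port_scans(SAMPLE_LOG))
    print("1 h window: ", detect_port_scans(SAMPLE_LOG, window_seconds=3600))
```

With the default 60-second window only the fast sweep from 10.0.0.9 is reported; widening the window to an hour also catches 10.0.0.11. In production the same idea is usually paired with a DENY-ratio check and a baseline of which internal hosts legitimately talk to many ports (vulnerability scanners, monitoring systems), otherwise the rule fires on the organization's own tooling.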
Vulnerability Identification
Once the target environment is mapped, testers systematically identify weaknesses that could enable unauthorized access.
Vulnerability Scanning
- Automated scanners like Nessus, Qualys, or OpenVAS compare discovered services against databases of known vulnerabilities (CVEs)
- Risk prioritization ranks findings by CVSS scores, exploitability, and business impact—not all vulnerabilities warrant immediate action
- False positive analysis distinguishes real vulnerabilities from scanner errors, requiring manual verification of critical findings
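The three bullets above describe a workflow: score each finding, weight it by business impact, and do not act on unverified scanner output. The example below, added here and not drawn from any scanner or the page's own material, turns that into a small triage routine. The weighting scheme (a flat bonus for a public exploit, a multiplier for asset criticality, fixed tier cut-offs) is this example's own illustrative choice, not an industry standard, and the findings are constructed.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    title: str
    cvss: float             # CVSS base score reported by the scanner (0.0 to 10.0)
    exploit_public: bool    # is working exploit code publicly available?
    asset_criticality: int  # business rating: 1 = low, 2 = standard, 3 = crown jewels
    verified: bool          # manually confirmed, or still only a scanner claim?


# Illustrative weights (assumption for this example, not a standard).
CRITICALITY_WEIGHT = {1: 0.6, 2: 1.0, 3: 1.4}
EXPLOIT_BONUS = 2.0


def priority_score(f: Finding) -> float:
    """CVSS sets the baseline, exploit availability raises it, criticality scales it."""
    score = f.cvss + (EXPLOIT_BONUS if f.exploit_public else 0.0)
    return round(score * CRITICALITY_WEIGHT[f.asset_criticality], 1)


def tier(score: float) -> str:
    """Map a priority score onto a remediation tier (cut-offs are illustrative)."""
    if score >= 12.0:
        return "Immediate"
    if score >= 8.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage(findings):
    """Rank findings by priority. High and Immediate items that nobody has manually
    verified are routed to a verification queue first, so effort is not spent on
    scanner false positives."""
    rows = []
    for f in findings:
        s = priority_score(f)
        t = tier(s)
        action = "Verify first" if (not f.verified and t in ("High", "Immediate")) else t
        rows.append({"host": f.host, "title": f.title, "score": s, "tier": t, "action": action})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample findings (hostnames and issues are invented for the example).
SAMPLE_FINDINGS = [
    Finding("db-prod-01", "SQL injection in login form", 9.8, True, 3, True),
    Finding("kiosk-03", "Outdated OpenSSL build", 7.5, False, 1, True),
    Finding("hr-web", "Reflected XSS", 6.1, True, 2, False),
    Finding("print-01", "SNMP default community string", 5.3, True, 1, True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(f'{row["score"]:5}  {row["action"]:13} {row["host"]:12} {row["title"]}')
```

Note how the ordering differs from raw CVSS: the kiosk's 7.5 lands below the HR portal's 6.1 because the kiosk is a low-value asset with no public exploit, and the HR finding is held for verification before anyone is paged.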
Web Application Testing
- OWASP Top 10 vulnerabilities—including SQL injection, XSS, and broken authentication—represent the most common and dangerous web application flaws
- Dynamic application security testing (DAST) tools like Burp Suite or OWASP ZAP probe running applications for input validation failures and logic flaws
- Business logic testing uncovers vulnerabilities that automated tools miss, such as privilege escalation through manipulated workflows
Wireless Network Testing
- Encryption protocol assessment evaluates whether networks use outdated standards like WEP or WPA versus more secure WPA3 implementations
- Rogue access point detection identifies unauthorized devices that could enable man-in-the-middle attacks or network bypass
- Tools like Aircrack-ng test password strength and capture handshakes for offline cracking attempts
Compare: Vulnerability scanning vs. Web application testing—scanning identifies known infrastructure weaknesses, while web app testing focuses on custom code flaws unique to each application. Both are essential; neither alone provides complete coverage.
Human-Targeted Attacks
Technical controls mean nothing if attackers can manipulate people into bypassing them entirely.
Social Engineering
- Phishing, pretexting, and baiting exploit psychological principles like authority, urgency, and reciprocity to manipulate human behavior
- Attack vectors range from email-based campaigns to phone calls (vishing), SMS messages (smishing), and physical approaches like tailgating
- Security awareness training represents the primary defense, making social engineering tests valuable for measuring organizational resilience
Password Cracking
- Brute force attacks systematically try every possible combination, while dictionary attacks use common passwords and rainbow tables leverage precomputed hashes
- Tools like Hashcat and John the Ripper accelerate cracking through GPU optimization and rule-based mutations
- Password policy validation tests whether organizational requirements actually prevent weak credentials in practice
Compare: Social engineering vs. Password cracking—social engineering targets human psychology while password cracking targets technical weaknesses, but both often achieve the same goal: unauthorized access. Social engineering typically succeeds faster against organizations with weak security culture.
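The password policy validation bullet above is the point most often misunderstood: a checkbox policy (length, upper, lower, digit) can be satisfied by passwords that fall to a dictionary attack in seconds, because rule-based mutations (append a year, swap letters for digits) are exactly what crackers try first. The following added example, written for this guide and not part of any real tool, audits candidate passwords against a policy and then against a small constructed dictionary after undoing those common mutations, listing the passwords the policy lets through anyway. The wordlist and the suffix/leetspeak rules are deliberately tiny stand-ins for the large lists and rule sets a real audit would use.

```python
import re

# Constructed stand-in for a cracking dictionary (assumption: real audits use large wordlists).
COMMON_WORDS = frozenset({"password", "welcome", "summer", "company", "letmein", "qwerty"})

# Reverse the substitutions a rule-based mutation would introduce (leetspeak back to letters).
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                        "@": "a", "$": "s", "!": "i"})


def meets_complexity_policy(pw: str, min_len: int = 8) -> bool:
    """A typical checkbox policy: minimum length plus upper, lower and digit classes."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def normalize(pw: str) -> str:
    """Strip an appended number/year/symbol suffix, undo leetspeak, lowercase.
    'Summer2024!' -> 'summer', 'P@ssw0rd1' -> 'password'."""
    core = re.sub(r"[0-9!@#$%^&*.]+$", "", pw)
    return core.translate(UNLEET).lower()


def is_weak(pw: str, wordlist=COMMON_WORDS) -> bool:
    """Weak if the password is a dictionary word before or after undoing the usual mutations."""
    return pw.lower() in wordlist or normalize(pw) in wordlist


def audit(candidates, min_len: int = 8):
    """Return the candidates that PASS the complexity policy yet are dictionary-derived:
    these are the policy's blind spots, the thing a password-policy test is meant to expose."""
    return [pw for pw in candidates if meets_complexity_policy(pw, min_len) and is_weak(pw)]


# Constructed sample set (no real credentials).
SAMPLE_CANDIDATES = [
    "P@ssw0rd1", "Summer2024!", "Welcome1", "C0mpany!2023",  # policy-compliant but weak
    "Tr0ub4dor&3",                                          # policy-compliant, not in list
    "short1A",                                              # fails length
    "letmein",                                              # weak and fails policy
]

if __name__ == "__main__":
    for pw in SAMPLE_CANDIDATES:
        print(f"{pw:14} policy={meets_complexity_policy(pw)!s:5} weak={is_weak(pw)}")
    print("blind spots:", audit(SAMPLE_CANDIDATES))
```

The audit returns four policy-compliant passwords that a dictionary plus two trivial rules would recover, which is the evidence a tester needs to recommend a banned-word list or length-based policy over character-class rules.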
Active Exploitation
With vulnerabilities identified, testers attempt to gain actual system access and demonstrate real-world impact.
Exploitation Techniques
- Exploit selection matches identified vulnerabilities to available payloads—frameworks like Metasploit automate this process for known CVEs
- Custom exploit development may be necessary when targeting zero-day vulnerabilities or unique application flaws
- Proof of concept demonstrations show stakeholders the actual business impact of theoretical vulnerabilities
Privilege Escalation
- Vertical escalation elevates permissions from standard user to administrator or root, often through kernel exploits, misconfigurations, or credential theft
- Horizontal escalation moves laterally to access other user accounts at the same privilege level, expanding the scope of compromise
- Common vectors include unpatched systems, weak service account permissions, and credential reuse across systems
Lateral Movement
- Post-compromise pivoting uses initial access as a launching point to reach otherwise inaccessible network segments
- Tools like PsExec, PowerShell remoting, and WMI enable command execution on remote systems using harvested credentials
- Stealth techniques minimize detection by mimicking normal administrative traffic and avoiding endpoint security triggers
Compare: Privilege escalation vs. Lateral movement—escalation increases access depth on a single system, while lateral movement increases access breadth across the network. Attackers typically alternate between both to maximize compromise.
Post-Exploitation Operations
After gaining access, testers demonstrate the full potential impact and establish persistence to simulate advanced threats.
Data Exfiltration
- Sensitive data identification locates crown jewels—customer PII, financial records, intellectual property, or authentication databases
- Exfiltration channels include encrypted tunnels, DNS covert channels, cloud storage uploads, and even physical media in air-gapped environments
- Data loss prevention (DLP) testing evaluates whether existing controls detect and block unauthorized data transfers
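The DLP bullet above asks whether existing controls would notice the exfiltration channels named two bullets earlier. DNS covert channels are the usual exam case, because they pass through most perimeters and are only visible in resolver logs. The added example below (this guide's own illustration, not code from any DLP product) runs two detection signals over a constructed resolver log: long, high-entropy subdomain labels, and one client generating many unique subdomains under a single zone. The log format, hostnames, placeholder zones and thresholds are all constructed; the example also includes a CDN-style hashed hostname to show why an allowlist is needed, and one low-entropy label (repeated zeros) to show why the per-client volume signal matters as well.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not from a real network). The hex labels under
# exfil-placeholder.test are constructed chunks; cdn-placeholder.test mimics a
# legitimate CDN hostname that also looks random.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 query www.example.com
2024-05-01T10:00:02 10.0.0.5 query mail.example.com
2024-05-01T10:00:03 10.0.0.7 query d1abc2def3ghi4j5k6l7m8.cdn-placeholder.test
2024-05-01T10:00:10 10.0.0.23 query 636f6e7374727563746564.0.data.exfil-placeholder.test
2024-05-01T10:00:11 10.0.0.23 query 2073616d706c6520726563.1.data.exfil-placeholder.test
2024-05-01T10:00:12 10.0.0.23 query 6f72643a206e616d653d4a.2.data.exfil-placeholder.test
2024-05-01T10:00:13 10.0.0.23 query 616e6520446f652c206163.3.data.exfil-placeholder.test
2024-05-01T10:00:14 10.0.0.23 query 63743d303030302d303030.4.data.exfil-placeholder.test
"""

# Assumed (constructed) layout: "<iso timestamp> <client ip> query <qname>"
QUERY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for a single repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_query(line):
    """Return (client, qname) or None for lines that do not match the assumed layout."""
    m = QUERY_RE.match(line.strip())
    return (m["client"], m["qname"]) if m else None


def analyze_dns_log(log_text, allowlist=frozenset(), min_len=20, min_entropy=2.5,
                    unique_sub_threshold=5):
    """Two signals for DNS tunnelling/exfiltration:
    - long_labels: individual labels that are both long and high-entropy
    - high_volume: (client, zone) pairs with many distinct query names
    Zones in `allowlist` (known CDNs, own domains) are skipped entirely.
    Thresholds are illustrative; real deployments baseline them per network."""
    long_labels = []
    names_by_client_zone = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if not parsed:
            continue
        client, qname = parsed
        labels = qname.rstrip(".").split(".")
        zone = ".".join(labels[-2:])          # simplification: zone = last two labels
        if zone in allowlist:
            continue
        names_by_client_zone[(client, zone)].add(qname)
        for label in labels[:-2]:
            h = shannon_entropy(label)
            if len(label) >= min_len and h >= min_entropy:
                long_labels.append((client, qname, label, round(h, 2)))
    high_volume = {k: len(v) for k, v in names_by_client_zone.items()
                   if len(v) >= unique_sub_threshold}
    return {"long_labels": long_labels, "high_volume": high_volume}


if __name__ == "__main__":
    result = analyze_dns_log(SAMPLE_DNS_LOG, allowlist={"cdn-placeholder.test"})
    for hit in result["long_labels"]:
        print("long label:", hit)
    for (client, zone), count in result["high_volume"].items():
        print(f"volume: {client} -> {zone}: {count} unique names")
```

Without the allowlist the CDN hostname is flagged alongside the exfiltration labels; with it, only the 10.0.0.23 traffic remains. The last hex label (mostly zeros) falls below the entropy cut-off and is missed by the first signal, but the client still trips the unique-subdomain count, which is why a DLP test should exercise both channel shape and channel volume.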
Maintaining Access
- Persistence mechanisms ensure continued access even after system reboots or password changes—backdoors, rootkits, scheduled tasks, and registry modifications
- Command and control (C2) infrastructure enables ongoing communication with compromised systems while evading detection
- Defense evasion techniques modify malware signatures, disable logging, and blend malicious traffic with legitimate activity
Post-Exploitation Techniques
- Intelligence gathering from compromised systems reveals additional targets, credentials, and business-critical information
- Impact assessment documents what an attacker could actually achieve—data theft, ransomware deployment, or operational disruption
- Evidence cleanup demonstrates how sophisticated attackers remove forensic artifacts, though ethical testers preserve logs for reporting
Compare: Data exfiltration vs. Maintaining access—exfiltration represents immediate value extraction while persistence enables long-term strategic access. Advanced persistent threats (APTs) prioritize maintaining access; opportunistic attackers focus on rapid exfiltration.
Professional Standards and Deliverables
Penetration testing is only valuable if findings translate into actionable security improvements.
Reporting and Documentation
- Executive summaries communicate business risk to non-technical stakeholders using clear language and risk ratings
- Technical details provide security teams with reproduction steps, affected systems, and evidence supporting each finding
- Remediation recommendations prioritize fixes by risk level and implementation complexity, creating a practical improvement roadmap
Ethical Considerations and Legal Compliance
- Written authorization (rules of engagement) must be obtained before any testing begins—unauthorized testing is illegal regardless of intent
- Scope boundaries define which systems, techniques, and timeframes are permitted, protecting both tester and client
- Responsible disclosure ensures vulnerabilities are reported to appropriate parties before any public discussion
Compare: Reporting vs. Ethical compliance—reporting documents what was found, while compliance ensures how testing was conducted meets legal and professional standards. Both are non-negotiable requirements for legitimate penetration testing engagements.
Quick Reference Table
| Category | Techniques |
|---|---|
| Intelligence Gathering | Reconnaissance, Network Mapping, OSINT techniques |
| Vulnerability Discovery | Vulnerability Scanning, Web Application Testing, Wireless Testing |
| Human Factor Exploitation | Social Engineering, Password Cracking |
| System Compromise | Exploitation Techniques, Privilege Escalation |
| Network Expansion | Lateral Movement, Maintaining Access |
| Data Targeting | Data Exfiltration, Post-Exploitation |
| Professional Practice | Reporting, Ethical Compliance, Documentation |
Self-Check Questions
- Which two techniques both involve gathering information about a target, but differ in whether they leave detectable traces on target systems?
- Compare and contrast privilege escalation and lateral movement—how do they work together in a typical attack chain, and which represents depth versus breadth of access?
- If an FRQ asks you to explain how an organization could detect a penetration test in progress, which three techniques would be most likely to trigger security alerts and why?
- What distinguishes social engineering from technical exploitation, and why might an attacker choose one approach over the other based on the target organization's security maturity?
- A penetration tester discovers a critical vulnerability but realizes they've accidentally accessed systems outside the approved scope. According to ethical and legal compliance principles, what steps should they take immediately?