Introduction to Penetration Testing

Overview

Penetration testing (pentesting) is the practice of simulating real-world attacks against systems, networks, and applications to identify security weaknesses before adversaries do. It requires a blend of technical skills across multiple domains — no single area of expertise is sufficient.

This page outlines the foundational knowledge required to begin learning penetration testing effectively. These are not optional extras — they are the baseline that separates productive learning from frustration.

Prerequisites

Systems Administration

A solid understanding of how operating systems work is essential. Pentesters exploit misconfigurations, weak defaults, and design flaws — recognizing them requires knowing what "normal" looks like.

Linux fundamentals:

• Filesystem hierarchy (/etc, /var, /tmp, /home, /proc)
• Process management (ps, top, kill, signals)
• User and group permissions (ownership, SUID/SGID bits, chmod, chown)
• Service management (systemd: systemctl, journalctl; non-systemd distros use OpenRC/SysV/runit)
• Scheduled tasks (cron, at)
• Package management (Debian/Ubuntu: apt; RHEL/Fedora/CentOS: dnf/yum)
• Log locations and formats (Debian/Ubuntu: /var/log/auth.log, /var/log/syslog; RHEL-like: /var/log/secure, /var/log/messages; systemd-only: journalctl)

Windows fundamentals:

• Architecture basics (Registry, SAM, LSASS, Windows services)
• User and group management (local accounts, domain accounts, built-in groups)
• Privilege model (UAC, integrity levels, access tokens)
• File system permissions (NTFS ACLs, inheritance)
• Scheduled tasks and startup locations
• Event Logs (Security, System, Application)
• PowerShell basics for administration

Networking

Networking is the backbone of most penetration tests. Without a clear understanding of how systems communicate, identifying attack vectors becomes guesswork.

Core concepts:

• OSI and TCP/IP models — understand which protocols operate at which layers
• IP addressing and subnetting (CIDR notation, subnet masks, broadcast addresses)
• TCP vs UDP — connection-oriented vs connectionless, the three-way handshake
• Common protocols and their default ports (SSH/22, HTTP/80, HTTPS/443, SMB/445, RDP/3389, DNS/53)
• DNS resolution process (recursive queries, zone transfers, record types)
• ARP, DHCP, and how local network communication works
• Basic routing and NAT concepts
• Packet capture and analysis fundamentals (Wireshark, tcpdump)

Programming and Scripting

You do not need to be a software developer, but you do need to read and write code. Scripting automates repetitive tasks, helps you understand exploits, and lets you modify tools to fit specific engagements.

Recommended starting point:

• Python — the de facto language for security tooling. Automating scans, writing custom exploits, parsing output, interacting with APIs
• Bash — essential for chaining commands, writing quick one-liners, and automating Linux tasks
• PowerShell — critical for Windows environments, Active Directory enumeration, and post-exploitation

What to focus on:

• Reading and modifying existing scripts (more common than writing from scratch)
• String manipulation, file I/O, network sockets
• Understanding how exploits work at a code level (buffer overflows, injection payloads)
• Regex basics for log parsing and pattern matching

Security Fundamentals

Before attacking systems, understand the landscape you operate in.

Threat landscape:

• Who are the adversaries — cybercriminals (ransomware gangs, initial access brokers), nation-state actors (APTs), hacktivists, insider threats
• Motivation matters — financial gain, espionage, disruption, ideology
• Attack trends — supply chain attacks, ransomware-as-a-service, credential theft at scale

Attack frameworks:

• Cyber Kill Chain (Lockheed Martin) — reconnaissance, weaponization, delivery, exploitation, installation, command & control, actions on objectives. Useful for understanding the attacker's progression
• MITRE ATT&CK — a knowledge base of real-world adversary tactics, techniques, and procedures (TTPs). Mapped by tactic (what the attacker wants to achieve) and technique (how they achieve it). The industry standard for describing adversary behavior

Penetration testing methodology:

• Pre-engagement — scope definition, rules of engagement, legal authorization
• Reconnaissance — passive and active information gathering
• Enumeration — detailed service and vulnerability discovery
• Exploitation — gaining initial access
• Post-exploitation — privilege escalation, lateral movement, data collection
• Reporting — documenting findings with evidence and remediation guidance

Security Principles

Core security principles guide both defenders and attackers. Understanding them helps you identify where they are violated — which is exactly where vulnerabilities live.

• Principle of least privilege — users and processes should have only the minimum permissions required to perform their function. Violations are a primary source of privilege escalation paths
• Separation of duties — no single individual should control all aspects of a critical process. In technical terms: the web server should not run as root, the backup admin should not be the domain admin
• Defense in depth — multiple layers of security controls so that the failure of one does not compromise the whole system. Attackers look for single points of failure
• Need-to-know / compartmentalization — information access restricted to those who require it. Excessive access leads to data exfiltration opportunities
• Fail-safe defaults — systems should deny access by default and grant it explicitly. Misconfigured defaults (open ports, default credentials, permissive ACLs) are among the most common findings in penetration tests

Security Tools

Familiarity with both hardware and software security controls helps you understand what you are up against — and what you are trying to bypass.

Network security:

• Firewalls (packet filtering, stateful inspection, next-gen)
• IDS/IPS (Snort, Suricata — signature-based vs anomaly-based)
• Network segmentation (VLANs, DMZ architecture)
• VPN and encrypted tunnels

Endpoint security:

• Antivirus and EDR solutions (Windows Defender, CrowdStrike, SentinelOne)
• Host-based firewalls and application whitelisting
• Full disk encryption (BitLocker, LUKS)

Identity and access:

• Active Directory and Group Policy
• Multi-factor authentication (MFA)
• PAM (Privileged Access Management) solutions

Understanding these controls is essential — not just to bypass them during engagements, but to recommend improvements in your reports.

Where to Start

There is no single correct path, but a practical approach:

1. Build a home lab — install VMs (Kali Linux, Windows Server, Ubuntu) and practice in a controlled environment
2. Learn Linux first — most pentest tools run on Linux, and many targets are Linux-based
3. Practice on intentionally vulnerable platforms — Hack The Box, TryHackMe, VulnHub, PortSwigger Web Security Academy
4. Follow a structured methodology — avoid random tool usage. Work through reconnaissance → enumeration → exploitation systematically
5. Read reports — published penetration test reports teach you what professional output looks like
6. Get certified when ready — certifications like OSCP, eJPT, or CompTIA PenTest+ validate skills and provide structured learning paths

References

Frameworks & Standards

• MITRE ATT&CK Framework
• Lockheed Martin - Cyber Kill Chain
• NIST SP 800-115 - Technical Guide to Information Security Testing and Assessment
• PTES - Penetration Testing Execution Standard

Learning Platforms

• Hack The Box
• TryHackMe
• PortSwigger Web Security Academy