Penetration Testing: Learning from Experienced Hackers

What IT professionals and managers should know

Penetration Testing, also known as "pentesting", is a fundamental part of the IT security strategy of companies, organizations and governments. But what is a penetration test? Experienced ethical hackers (i.e. the "good" hackers) explain in this article how pentesting works and how it helps those responsible to protect their systems from cyber attacks.

A pentest examines networks, web applications, mobile apps, physical security and human vulnerabilities for security vulnerabilities.

What is a penetration test?

A penetration test (Pentest for short) is a controlled attack on an IT system from the perspective of an attacker in order to uncover security gaps. Vulnerabilities found are exploited and combined to check what damage malicious attackers could cause. The result of a penetration test is a report that documents all vulnerabilities found, classifies them according to criticality and provides measures for resolving them.

This is what the result of a pentest can look like in the form of a report with prioritization and measures: Action Plan Demo

How is a pentest different from a real hacking attack?

Pentesters differ from malicious hackers in three main ways:

  1. They hack exclusively on behalf of the person responsible for the system in question, never on behalf of a third party.
  2. They do no harm.
  3. They document all steps and any vulnerabilities found.

Why should companies conduct a pentest?

Strategic advantage in the fight against hackers

Let's imagine a game of chess - or any other strategy game. Before making his next move, a player analyses his current situation and weighs up his options. In doing so, the player must take into account what action his opponent can take afterwards. After some consideration, he is sure that he has found the best option for himself and makes his move. Then it is the opponent's turn - and the player realises that he has overlooked a trap and is now checkmated.

A pentest helps plan the next move – like a game of chess with hackers as opponents.

If you don't know anything about chess, this picture looks good to you. If you do know, you'll quickly see the error. It's the same with the weak points in your company and the trained eye of IT security experts.

How much easier would it have been for the player if he had been able to use a test opponent before his real move to show him what effects his action could have?

In a game, the use of a test opponent would be considered an unfair advantage that is not allowed. In the fight against hackers, however, companies can and should gain this advantage - with a penetration test.

A penetration test gives companies, organizations and governments a strategic advantage in protecting themselves from malicious hackers: They do not have to rely on their internal view of their own security. Penetration testers play the role of attackers for them and find out which security gaps they can use and how far they can penetrate. They then support the company's IT team in gradually closing these gaps so that hackers no longer have any opportunities to attack.

“My IT takes care of that”

Many managers think that IT security is one of the core tasks of their own IT team or an external provider. They feel particularly safe when IT is completely outsourced. The truth is: the company management (board of directors or managing director) is ALWAYS responsible for IT security. They can delegate tasks in this context, but not responsibility.

This responsibility for information security is defined by various laws and regulations. For example, the duty of legality (Legalitätspflicht) requires managing directors to comply with all applicable legal regulations. This also includes the IT Security Act 2.0 and the NIS2 Directive from the time it comes into force.

Is it enough for the managing director to tell his IT team "Make sure we are secure!"? Or if he assumes that everything is secure when using an IT service provider? No, because IT specialists are not automatically IT security specialists; the situation is similar to that of general practitioners and specialists.

Company management can only fulfil its legal obligations in terms of IT security if it either employs proven experts in this field in its own team or calls in appropriate external service providers.

Legal requirements and certificates: NIS2, ISO27001 & Co.

Companies need to optimize their IT security not only for their own benefit, but also to meet legal requirements or obtain certain certifications. The most important requirements include:

  • ISO 27001 certification: Requires the implementation of an information security management system (ISMS) with regular audits such as pentests.
  • NIS2 Directive: Tightens cybersecurity requirements across the EU, especially for critical infrastructures.
  • IT Security Act 2.0: Requires KRITIS operators (operators of critical infrastructure) to meet increased security standards, including regular pentests.
  • Industry-specific requirements:
    • BaFin (financial sector): Regular security audits for financial companies.
    • BfArM (healthcare): Focus on the security of medical IT systems.
    • EnWG (energy industry): High security requirements to protect critical infrastructures.

These laws and certificates not only help make IT systems more secure, but are also crucial to avoid penalties and fines.


Different types of penetration tests

The idea of different types of pentests is basically based on misconceptions about this service. The truth is that at its core, every pentest has the same goal and the same strategy: Every pentest simulates attacks on an IT infrastructure in order to obtain the most comprehensive picture of security possible and to uncover vulnerabilities.

Differences in penetration testing mainly relate to

  • the target systems
  • the attack scenarios
  • the attacker type
  • the degree of realism

Possible combinable variants of penetration tests are:

Target systems

  • Infrastructure Pentest
    • Focus: The entire IT infrastructure of a company, including networks, servers, firewalls, routers and other components.
    • Goal: Identify vulnerabilities that could be exploited by internal or external attackers to attack critical IT components or gain unauthorized access.
    • Typical vulnerabilities: misconfigurations, outdated software or inadequately secured network connections.
  • Web Application Pentest
    • Scans web applications for vulnerabilities such as SQL injection or cross-site scripting (XSS).
    • Particularly relevant for applications used by external users.
  • Mobile application pen testing
    • Tests mobile applications for security vulnerabilities, such as insecure data storage and faulty authentication.
    • The aim is to find vulnerabilities that occur when using mobile devices.
  • Cloud Pentesting
    • Focus: Security audit of cloud infrastructures and services (e.g. AWS, Azure / Entra, Google Cloud).
    • Objective: Identifying vulnerabilities in cloud environments, such as misconfigured access rights, insecure API endpoints, or weaknesses in cloud storage management. (Note: Cloud pentesting is not much different from an on-premise pentest - after all, a cloud is just "someone else's computer".)
  • Container security (container pentesting)
    • Focus: Testing the security of containers and orchestration systems (e.g. Docker, Kubernetes).
    • Objective: Identify vulnerabilities caused by container isolation failures or insecure configurations to ensure container security.

Attack scenarios

  • Technical Pentest
    • Remote checks of the security of systems. These tests uncover security gaps that can arise due to misconfigurations (e.g. in directory services such as Active Directory or Microsoft Entra), missing security updates or unsecured interfaces.
  • Social Engineering Pentest (Phishing)
    • Tests the human factor by simulating attacks such as phishing to see how easily employees fall for manipulative tactics.
  • Physical Security Pentest
    • Check physical security to determine whether attackers can gain access to server rooms or other critical infrastructure. Freely accessible printers with network access are also a popular point of attack.

Degree of realism

The level of realism of a penetration test determines how close the test is to a real attack scenario. Note: "The more realistic, the better" does not necessarily apply! Tools such as a pentest box can be useful for obtaining the broadest possible overview of your own security in a time- and cost-efficient manner. Passing on internal company information beforehand can also be important to avoid damage to particularly sensitive systems through a pentest.

  • Blackbox pentest (also called external pentest): The tester has no internal information about the target system and acts from the perspective of an external attacker.
  • Whitebox pentest (also called internal pentest): The tester is given access to information such as source code, architecture or network details in order to detect vulnerabilities in a targeted way.
  • Pentest box: Simulates an attacker's successful initial access to a target system. It is used to quickly check how far attackers could penetrate after successful access and what damage they could cause.

Penetration test process: From planning to the final report (and beyond)

A penetration test is a project that runs in several successive phases. Each individual phase is important in order to obtain the most comprehensive picture of IT security possible, while at the same time avoiding causing any real damage.

  1. Preparation: Determination of test objectives, scope and framework conditions in close coordination with the customer.
  2. Information gathering: Collecting data about the target system to identify potential attack vectors.
  3. Analysis and evaluation: Evaluating the information collected to develop attack strategies.
  4. Exploitation: Exploiting and combining vulnerabilities to simulate potential risks.
  5. Reporting: Preparation of a detailed report with identified vulnerabilities (findings), classification according to criticality and recommended measures.
  6. Presentation of results and workshop (optional, but recommended): Presentation of the results and conduct of workshops to prioritize measures and develop solutions.
  7. Correction of findings (internally or with service provider): Step-by-step and prioritized elimination of the vulnerabilities found (findings).
  8. Validation/Retest: Re-examination of IT security to validate the measures taken and to check whether new vulnerabilities have been added (e.g. due to new zero-day vulnerabilities).

How hackers conduct penetration testing: tools and techniques

Penetration testers work in the same way as malicious attackers. This means that they use existing frameworks and tools, but also develop their own approaches when necessary. Unlike malicious hackers, they always have to make sure that they do not cause any real damage. To do this, they need extensive expertise and the creativity needed to skillfully combine different approaches.

These are some of the most common tools and procedures for penetration testing:

Procedures

  • Reconnaissance: In this phase, hackers collect information about the target system, often through public sources (OSINT) or through network scans.
  • Scanning & Enumeration: Tools like Nmap or Nessus are used to identify the vulnerabilities of the network or applications in detail.
  • Exploitation: Here, hackers try to exploit vulnerabilities in a targeted manner. This can be done through manual attacks or through frameworks such as Metasploit.
  • Privilege Escalation: After initial access, hackers attempt to increase their access rights to access sensitive data or take over critical systems.
  • Pivoting: Once hackers gain access to a system, they use it to attack other systems on the network.

Techniques and approaches

  • Social Engineering: Hackers often use phishing or other deceptive techniques to obtain information from employees.
  • Brute Force: An approach that systematically tries passwords to gain access to accounts.
  • Man-in-the-Middle (MitM): Attacks in which hackers intercept and manipulate traffic between two systems.

Frameworks and automation

  • OWASP ZAP: An open source automated web application security tool used for vulnerability scanning.
  • Nikto: Another open source tool that checks web servers for vulnerabilities.
  • Cobalt Strike: A popular red teaming simulation tool that hackers use to simulate attacks and test security measures.

Tools

  • Nmap: For network scanning and analysis to collect information about open ports, services and operating systems.
  • Metasploit Framework: An exploit framework that hackers use to automatically attack vulnerabilities.
  • Burp Suite: A web security tool used to examine web applications, specifically to analyze HTTP requests.

The right time for a penetration test

The right time for a penetration test is: Now. (If the last penetration test was more than 12 months ago.)

As a service provider in the field of penetration testing, we often experience that customers see the need for a pentest and would like to commission it, but would like to postpone the start of the project several months into the future.

The usual reasons for postponing penetration testing are:

  • Acute lack of time due to staff shortages or other projects
  • “We already know that we are not safe at this point and we want to fix that first.”
  • Decision-makers must first be brought on board and the processes for this are lengthy.


The point is: hackers don't care about any of these things. They attack even if the vulnerability is supposed to be closed in two weeks or if an important deadline is approaching.

Good reasons for conducting a pentest promptly are:

  • Time is always in short supply. Why not prioritize immediately?
  • Who says that the security vulnerabilities you are currently working on are the most important? A neutral external audit helps with strategic planning of measures and saves time.
  • Good pentest providers help you mediate between IT and management. This allows you to speed up decision-making processes and free up resources.
  • At first, a pentest costs time and money, but in the medium term it saves both. Especially compared to a successful hacking attack.

How to choose the right pentest provider

When choosing the right pentest provider, three aspects are crucial:

  1. The pentest provider must work with high quality and cleanly.
  2. The pentest provider must be trustworthy.
  3. The pentest provider must be a good fit for you.


How can you find out if these points apply to a provider?

How to evaluate the quality of a pentest service provider

  • Ask your business partners or customers: Have they recently completed a pentest? How satisfied were they with their provider?
  • The end product of a pentest project is the final report/action plan. Check whether the company provides a demo version and, if so, whether it is clearly structured and solution-oriented.
  • Check out the company's website: are the people there able to communicate in both technical and general language? This will help you mediate between IT and management in your own company.
  • Does the company cover social engineering and physical access in addition to technical testing in its pentests?
  • In addition to penetration testing, does the company also offer support in resolving vulnerabilities without trying to sell its own tools?

Is the pentest provider right for you?

  • Does the company have experience with projects of your size?
  • Does the company fit your goals? For example, are you primarily concerned with meeting legal requirements and certifications? Or are you looking for a partner with whom you can build real security in the long term?
  • Do your companies' mentalities match? You can get a first impression of this on the company's website and social media channels. An introductory conversation is then a good way to clarify this point.

FAQ

A penetration test is a controlled attack on an IT system to identify security vulnerabilities before real attackers exploit them.

A pentest uncovers vulnerabilities, improves IT security and helps meet legal compliance requirements.

In a black box pentest, the tester has no internal information, while in a white box pentest, the tester has full access to system information.

Networks, web applications, mobile apps, physical security and human vulnerabilities are examined for security vulnerabilities.

Ideally annually or after major IT changes.

A pentest simulates real attacks and exploits vulnerabilities, while a vulnerability scan lists known vulnerabilities.

Regulations such as ISO 27001, IT Security Act 2.0 and NIS2 require regular security checks such as pentests.
