How penetration tests are conducted

Many organisations are required to perform penetration tests for insurance or compliance purposes, while others may perform regular penetration tests to help improve their security. In this blog I intend to explain what a penetration test is and how they are typically conducted.

What exactly is a Penetration Test?

A penetration test, or pen test for short, is an IT security exercise that simulates a real-world cyberattack on a computer network, system or software for the purpose of identifying weaknesses in security.

A pen tester (ethical hacker) may employ a range of tools and techniques to circumvent existing security protocols and obtain unauthorised access to systems or data. Some of these techniques are technical, while others exploit flaws in procedures to gather confidential information, such as simply asking a user for their password.

Pen testing scenarios

The scope of a pen test can vary significantly depending on the scenario the test is trying to simulate. With a broad scope the pen tester may be employed to obtain remote access to a network. With a narrow scope they may be asked to test the limits of a single application.

Some common scenarios include:

  • External - Simulates a cyberattack on the firewall, website and external services

  • Internal - Simulates a cyberattack on a compromised network (e.g. malware)

  • Targeted - Attempts to obtain unauthorised access to a specific system or data (e.g. finance system)

  • Physical - Attempts to obtain unauthorised access to a physical location (e.g. server room)

There are no hard and fast rules for which scenarios to use, but the pen tester and the client must agree on a scenario before the test can begin.

The stages of a pen test

Pen tests are typically performed in five stages.

Stage 1: Reconnaissance

This is the information gathering stage where the pen tester collects as much information as possible about the target, either passively or actively. Passive reconnaissance involves collecting information from public sources, such as employee names on social media. Active reconnaissance involves collecting information by interacting with the target systems, like sending an email.

Stage 2: Scanning

The next step is to actively scan the target looking for vulnerabilities. The target depends on the agreed scope and could range from a single Internet IP address to an entire network of thousands of computers. Either way, this stage provides the pen tester with valuable information about weak spots in the network that can be exploited in the next stage.

Stage 3: Exploitation

Based on the information gathered in the first two stages, the pen tester will attempt to exploit vulnerable systems. This involves the use of specialised attack tools, such as password crackers, website crawlers, network sniffers and a variety of other tools at the pen tester's disposal. Exploitation usually begins with soft targets, such as unpatched computers or systems with default passwords, before moving on to something more difficult.

Stage 4: Post-Exploitation

The initial exploitation may not be the final target of the pen test, so the pen tester will perform some post-exploitation tasks, such as:

Maintaining access - The pen tester may deploy software to maintain a foothold in the network so that they are no longer reliant on the vulnerable system to obtain access to the network.

Pivoting - This refers to using the initial target (e.g. compromised PC) to attack a secondary target (e.g. a file server). This can be accomplished by running more scans and exploiting more vulnerabilities.

Planting a marker - The pen tester may leave behind a file or entry in a database as evidence of a successful hack.

Exfiltration - This is the act of extracting data from the network as evidence of a successful compromise.

Stage 5: Reporting & Clean-up

Once the test is complete, the pen tester will summarise their findings in a report. The report includes any evidence of a successful exploitation, such as vulnerability scan results or cracked passwords. Where systems were successfully compromised, the methods used should be provided together with any recommendations for closing security holes.

Finally, any markers left behind and software for maintaining persistence will be removed. This returns the systems back to normal and marks the end of the pen test.

How long does a pen test take?

The duration of a pen test and the effort expended depend on the scope of the test. Having six full-time pen testers trying to hack an online shopping website over three months is far more likely to result in a successful hack than a single pen tester with 2 days to hack a firewall. In any case, the time and budget for the test should be in proportion to the value of the target you are trying to protect.


Domenic has consulted to Australian businesses of all sizes for over 20 years, delivering end-to-end IT solutions. He has expertise in Information Security, Remote Access and Desktop Management, in addition to traditional cloud and on-premises infrastructure solutions.