Cybersecurity, Cyber, IT, news, computer, security, hacker, whitehat, blackhat, gray hat, education, penetration tester, information security, hacking, video, operating system, OS, google,googledork, VM, online safety, internet security research, article, ethical, elearning, security+, technology, google hacking, windows administrator, tools, free tools, networking resources, SMB,help, cyber-security

Pentesting- General     How-To's       Tools    Practice Sites   Scripts       Links    New Interesting Exploit Code

 Definition

What is Penetration Testing?

The art of penetration testing (pentest) involves the analysis of existing system architectures and their underlying hardware and software functions to determine if they can be manipulated to perform in a manner not originally intended by their developers and operators.  If a piece of software is poorly written and its code bounds not properly sanitized and registers set, then it may be possible to introduce instability.  This instability could be for the purposes of crashing the application and its host or to inject new commands, functions, or processes designed to provide illicit access to the application or underlying host.  Penetration Testing is considered an offensive operation and is the sexier cousin of the Certified Ethical Hacker (CEH), which is strictly focused on defensive measures.  In a mature organization, both the functions of the CEH and Pentester are integrated as part of the overall software lifecycle and would be conducted both during the development stage and prior to release into production as part of the overall organizational risk reduction strategy.

How does it differ from Hacking?

A penetration test is conducted between the legal owner of the system or application and the contracted penetration tester(s).  A typical pentest conforms to Rules of Engagement that define the scope, level, back-out triggers, and report procedures involved in the testing.  Penetration testing is a form of Computer Systems Engineering and Security Analysis and like all other scientific testing must be documented using a process consistent with established scientific methods.  The testing goal is to identify system weaknesses prior to their exploitation by unknown actors. 

Hacking is conducted in a similar manner, although traditionally lacks a scientific documentation methodology, has no pre-established Rules of Engagement between the system owner and the hacker(s), and is conducted without legal permission.  In some countries, simply probing a perimeter for open ports could be illegal.  Hacking is traditionally performed for one of 6 reasons:

·         Nation-State purposes (either officially sponsored or passively supported 3rd parties)

·         Espionage (Industrial or other)

·         Hacktivism (Based on a shared ideal or geo-political position)

·         Cyber-Terrorism (as part of an organization or lone-wolf)

·         Theft or Unauthorized Exposure of Government, Corporate, or personal information

·         Technical curiosity, research, and education (without the system owners written permission)