How to Conduct a Pentest Like a Pro in 6 Phases

Penetration testing, or pentesting, is the process of probing a network or system by simulating an attack in order to find vulnerabilities that a malicious actor could exploit. The main goal of a pentest is to identify security holes and weaknesses so that the organization being tested can fix any potential issues. In a professional penetration test, there are six phases you should know.


Pentesting Lingo


Like many industries, and especially within IT, certain terms can cause initial confusion for people not familiar with them. Penetration testing can get pretty technical, but some of the confusion comes from words that are used before the engagement even begins.


A pentest can be either internal or external. An internal test means the pentester starts inside the network and usually has some sort of access, simulating a rogue employee or an attacker who has breached the perimeter. An external test begins outside the network or system, which most closely resembles a real-world attack.


In addition to the internal versus external distinction, there are three categories that describe the level of access the pentester has:


White box testing gives the most access, and the tester will often be given a list of hosts, IP addresses, source code, and even credentials.
Black box testing, on the other hand, assumes the pentester knows very little about the system and basically starts blind. This type of testing simulates an attacker's point of view and can be useful for discovering vulnerabilities on the perimeter of the