Chapter 119 · Security Advisory

Penetration Tests

Physical penetration testing; offensive red team, defensive blue team, and integrated perspectives; known, partially known, and unknown (blind) environment types; passive reconnaissance using open sources; and active reconnaissance using direct network interaction.

PENTEST-2024-001
Physical Penetration Testing and Pentesting Perspectives
Severity: Critical

Overview

Penetration testing is an authorized, controlled simulation of real-world attacks designed to discover vulnerabilities before malicious actors exploit them. While most people think of pentesting as a digital exercise, physical penetration testing is equally important — physical access to a device can completely bypass even the strongest software security controls. Pentesting is performed from three perspectives: offensive (red team), defensive (blue team), and integrated (continuous security improvement).

Physical Penetration Testing

Physical security is a prerequisite for all other security measures. If an attacker can gain physical access to a system, most operating system protections become ineffective. Physical access enables:

  • Modifying the boot process — changing which operating system or partition loads on startup
  • Booting from external media — inserting a USB drive or optical disc with a different OS that bypasses local authentication
  • Modifying or replacing OS files — directly editing system files, adding backdoors, or replacing authentication binaries

This is why servers are locked inside secure data centers: physical access protection is not optional. Physical pentesting evaluates whether unauthorized individuals could gain entry and what damage they could cause if they did.

Physical pentesting targets include:

  • Doors, windows, and elevators — can they be entered without authorization?
  • Badge and card access systems — can they be bypassed, cloned, or tailgated past?
  • Lock mechanisms — are they pickable or otherwise defeatable?
  • Reception and lobby controls — can an unauthorized person talk their way in?
  • Internal physical access — once inside, what areas are accessible?

Pentesting Perspectives: Red, Blue, and Integrated

RED TEAM Offensive perspective. Red teams simulate real attackers. They actively search for vulnerabilities and attempt to exploit them. Their goal is to think and act like adversaries — identifying weaknesses in systems, applications, physical security, and human behavior. Red team findings reveal how a real attack could unfold.
BLUE TEAM Defensive perspective. Blue teams identify, respond to, and block attacks in real time. They operate monitoring tools, intrusion detection systems, and security procedures. Blue teams defend systems while red teams attack — creating a realistic simulation of the attacker-defender dynamic.
INTEGRATED Continuous improvement perspective. The integrated approach combines both teams. Red team finds a gap → passes information to blue team → blue team patches or improves detection → red team tests again. This creates a self-reinforcing feedback loop that continuously strengthens security over time.
The integrated model converts pentesting from a one-time event into an ongoing process: constant attack, continuous detection improvement, repeated testing. Each cycle makes the organization harder to compromise.

Key Terms

  • Penetration test (pentest) — authorized simulation of real-world attacks to identify exploitable vulnerabilities
  • Physical pentest — testing of physical access controls: doors, badges, locks, building entry procedures
  • Red team — offensive group that attacks systems and looks for exploitable vulnerabilities
  • Blue team — defensive group that detects, responds to, and blocks attacks in real time
  • Integrated pentest — continuous cycle combining red and blue team activities for ongoing security improvement
PENTEST-2024-002
Working Knowledge Levels: Known, Partially Known, and Unknown Environments
Severity: High

Overview

Before a penetration test begins, the organization and testing team must agree on how much information the tester will receive about the target environment. This level of prior knowledge fundamentally changes the nature of the test — it determines what the tester must discover independently and what is provided in advance. Three standard levels of working knowledge are used: known environment (full disclosure), partially known environment (hybrid), and unknown environment (blind test).

Known Environment (Full Disclosure)

In a known environment test, the pen tester receives complete information about the target systems before testing begins. This typically includes:

  • Network diagrams and IP addressing schemes
  • System inventories listing all servers, applications, and services
  • Configuration details, operating system versions, and software versions
  • Security architecture documentation

Purpose: allows testers to focus their time on identifying and exploiting actual vulnerabilities rather than spending time discovering the environment. Useful when the organization wants thorough testing of specific known systems within time and budget constraints.

Limitation: does not simulate a realistic attack scenario, since real attackers do not receive system documentation before attacking.

Partially Known Environment (Hybrid)

A partially known environment test provides the tester with limited information. Some details are shared — perhaps a list of specific systems that must be tested — while other information must be discovered independently.

Purpose: ensures that specific high-priority systems are tested while also simulating the reconnaissance challenge of a real attack. Useful when the organization has particular systems of concern but also wants realistic attack simulation.

Common use case: share the IP range of the production environment but not individual system configurations; or share which applications are in scope but not their internal architecture.

Unknown Environment (Blind Test)

In an unknown environment test, the pen tester receives no prior information about the target. The tester must discover everything independently through reconnaissance. This is the most realistic simulation of a real-world attack.

Exam term: the unknown environment test is commonly called a "blind test" because the tester is working without knowledge of the target systems. The tester must find all information before any attack can be attempted.

Purpose: provides the most accurate picture of what a real attacker would face and what they could achieve. Identifies gaps that would only be found by approaching the environment as a genuine adversary with no insider knowledge.

Challenge: requires significantly more time than known environment tests because reconnaissance must be completed before exploitation can begin.

Knowledge Level Comparison

LevelAlso CalledInformation ProvidedBest Used For
KnownFull disclosure, White boxComplete system documentationThorough testing of specific systems; efficiency over realism
Partially KnownGray box, HybridSome information (scope, key systems)Balance of targeted testing and realistic simulation
UnknownBlind test, Black boxNone; tester discovers everythingMost realistic attack simulation; assesses true external exposure

Key Terms

  • Known environment — full disclosure test; tester has complete information before starting
  • Partially known environment — hybrid test; some information shared, some must be discovered
  • Unknown environment / blind test — tester has no prior knowledge; must discover everything through reconnaissance
  • White box / gray box / black box — alternative terms for known / partially known / unknown environments
PENTEST-2024-003
Reconnaissance: Passive and Active Information Gathering
Severity: High

Overview

Reconnaissance is the information-gathering phase that precedes any attack attempt. Without adequate reconnaissance, testers may miss critical vulnerabilities or waste time on irrelevant systems. Reconnaissance builds a complete picture of the target environment: which systems exist, what services they run, what security tools protect them, and how they are connected. There are two types: passive reconnaissance (gathering information without touching the target network) and active reconnaissance (directly interacting with target systems).

Why Reconnaissance Matters

Reconnaissance allows the pen tester to:

  • Understand the security posture — identify firewalls, security configurations, and defensive tools in place
  • Minimize the attack surface — focus on key systems most likely to be vulnerable and valuable
  • Build a network map — identify routers, subnets, IP address ranges, and remote site connections
  • Identify vulnerabilities before attacking — choose the most likely attack vectors based on discovered services and versions

Real attackers invest heavily in reconnaissance before launching attacks. Effective pentesting must mirror this discipline.

Passive Reconnaissance

Passive reconnaissance collects information from publicly available sources without directly connecting to or querying the target organization's systems. This makes it extremely difficult for the target to detect because no traffic touches their network.

Passive reconnaissance sources:

  • Social media — employee profiles revealing job titles, technologies used, organizational structure
  • Corporate websites — employee directories, technology vendor mentions, office locations, partner organizations
  • Online forums and Reddit — employees discussing technical problems, infrastructure details, security issues
  • Social engineering — calling the organization to gather information under a pretext
  • Dumpster diving — examining discarded documents, printed network diagrams, old hardware
  • Business organizations — trade associations, LinkedIn, conference speaker bios, press releases
  • OSINT tools — WHOIS lookups, DNS records, Shodan, certificate transparency logs
Passive reconnaissance is remarkably difficult to protect against because it relies entirely on public information. Organizations often have no idea how much of their infrastructure is visible through open sources.

Active Reconnaissance

Active reconnaissance involves directly interacting with target systems to gather technical information. Unlike passive reconnaissance, active methods generate traffic that may be detected by security monitoring tools. Evidence of active reconnaissance is typically stored in firewall logs, IDS/IPS alerts, and server access logs.

Active reconnaissance techniques:

  • Ping scans — sending ICMP echo requests to discover which IP addresses are live
  • Port scans — probing TCP/UDP ports to determine which services are listening
  • DNS queries — querying corporate DNS servers to enumerate hostnames and IP addresses
  • OS fingerprinting — analyzing TCP/IP characteristics to identify the operating system running on a device
  • OS scans — sending crafted packets to determine OS type and version
  • Service scans — connecting to open ports to identify which service is running
  • Version scans — identifying the specific version of services (e.g., Apache 2.4.52, OpenSSH 8.2) to match against known CVEs

Passive vs. Active Reconnaissance Comparison

CharacteristicPassive ReconnaissanceActive Reconnaissance
Target interactionNone — uses public sources onlyDirect — sends packets to target systems
DetectabilityVery difficult to detectVisible in logs and alerts
Information typeOrganizational, structural, socialTechnical: services, versions, OS, ports
ExamplesSocial media, WHOIS, dumpster divingPort scans, OS fingerprinting, version scans
Risk of detectionVery lowModerate to high depending on security monitoring

Key Terms

  • Reconnaissance — information-gathering phase before exploitation; builds picture of target environment
  • Passive reconnaissance — uses public open sources; does not touch the target network; difficult to detect
  • Active reconnaissance — directly queries target systems; generates network traffic; visible in logs
  • Dumpster diving — physical passive recon technique: examining discarded documents and hardware
  • OS fingerprinting — identifying the operating system type and version through network behavior analysis
  • Version scan — identifying specific software versions running on open ports to find matching CVEs
  • OSINT — Open Source Intelligence; passive recon using publicly available data