Overview
Penetration testing is an authorized, controlled simulation of real-world attacks designed to discover vulnerabilities before malicious actors exploit them. While most people think of pentesting as a digital exercise, physical penetration testing is equally important — physical access to a device can completely bypass even the strongest software security controls. Pentesting is performed from three perspectives: offensive (red team), defensive (blue team), and integrated (continuous security improvement).
Physical Penetration Testing
Physical security is a prerequisite for all other security measures. If an attacker can gain physical access to a system, most operating system protections become ineffective. Physical access enables:
- Modifying the boot process — changing which operating system or partition loads on startup
- Booting from external media — inserting a USB drive or optical disc with a different OS that bypasses local authentication
- Modifying or replacing OS files — directly editing system files, adding backdoors, or replacing authentication binaries
This is why servers are locked inside secure data centers: physical access protection is not optional. Physical pentesting evaluates whether unauthorized individuals could gain entry and what damage they could cause if they did.
Physical pentesting targets include:
- Doors, windows, and elevators — can they be entered without authorization?
- Badge and card access systems — can they be bypassed, cloned, or tailgated past?
- Lock mechanisms — are they pickable or otherwise defeatable?
- Reception and lobby controls — can an unauthorized person talk their way in?
- Internal physical access — once inside, what areas are accessible?
Pentesting Perspectives: Red, Blue, and Integrated
Key Terms
- Penetration test (pentest) — authorized simulation of real-world attacks to identify exploitable vulnerabilities
- Physical pentest — testing of physical access controls: doors, badges, locks, building entry procedures
- Red team — offensive group that attacks systems and looks for exploitable vulnerabilities
- Blue team — defensive group that detects, responds to, and blocks attacks in real time
- Integrated pentest — continuous cycle combining red and blue team activities for ongoing security improvement
Overview
Before a penetration test begins, the organization and testing team must agree on how much information the tester will receive about the target environment. This level of prior knowledge fundamentally changes the nature of the test — it determines what the tester must discover independently and what is provided in advance. Three standard levels of working knowledge are used: known environment (full disclosure), partially known environment (hybrid), and unknown environment (blind test).
Known Environment (Full Disclosure)
In a known environment test, the pen tester receives complete information about the target systems before testing begins. This typically includes:
- Network diagrams and IP addressing schemes
- System inventories listing all servers, applications, and services
- Configuration details, operating system versions, and software versions
- Security architecture documentation
Purpose: allows testers to focus their time on identifying and exploiting actual vulnerabilities rather than spending time discovering the environment. Useful when the organization wants thorough testing of specific known systems within time and budget constraints.
Limitation: does not simulate a realistic attack scenario, since real attackers do not receive system documentation before attacking.
Partially Known Environment (Hybrid)
A partially known environment test provides the tester with limited information. Some details are shared — perhaps a list of specific systems that must be tested — while other information must be discovered independently.
Purpose: ensures that specific high-priority systems are tested while also simulating the reconnaissance challenge of a real attack. Useful when the organization has particular systems of concern but also wants realistic attack simulation.
Common use case: share the IP range of the production environment but not individual system configurations; or share which applications are in scope but not their internal architecture.
Unknown Environment (Blind Test)
In an unknown environment test, the pen tester receives no prior information about the target. The tester must discover everything independently through reconnaissance. This is the most realistic simulation of a real-world attack.
Purpose: provides the most accurate picture of what a real attacker would face and what they could achieve. Identifies gaps that would only be found by approaching the environment as a genuine adversary with no insider knowledge.
Challenge: requires significantly more time than known environment tests because reconnaissance must be completed before exploitation can begin.
Knowledge Level Comparison
| Level | Also Called | Information Provided | Best Used For |
|---|---|---|---|
| Known | Full disclosure, White box | Complete system documentation | Thorough testing of specific systems; efficiency over realism |
| Partially Known | Gray box, Hybrid | Some information (scope, key systems) | Balance of targeted testing and realistic simulation |
| Unknown | Blind test, Black box | None; tester discovers everything | Most realistic attack simulation; assesses true external exposure |
Key Terms
- Known environment — full disclosure test; tester has complete information before starting
- Partially known environment — hybrid test; some information shared, some must be discovered
- Unknown environment / blind test — tester has no prior knowledge; must discover everything through reconnaissance
- White box / gray box / black box — alternative terms for known / partially known / unknown environments
Overview
Reconnaissance is the information-gathering phase that precedes any attack attempt. Without adequate reconnaissance, testers may miss critical vulnerabilities or waste time on irrelevant systems. Reconnaissance builds a complete picture of the target environment: which systems exist, what services they run, what security tools protect them, and how they are connected. There are two types: passive reconnaissance (gathering information without touching the target network) and active reconnaissance (directly interacting with target systems).
Why Reconnaissance Matters
Reconnaissance allows the pen tester to:
- Understand the security posture — identify firewalls, security configurations, and defensive tools in place
- Minimize the attack surface — focus on key systems most likely to be vulnerable and valuable
- Build a network map — identify routers, subnets, IP address ranges, and remote site connections
- Identify vulnerabilities before attacking — choose the most likely attack vectors based on discovered services and versions
Real attackers invest heavily in reconnaissance before launching attacks. Effective pentesting must mirror this discipline.
Passive Reconnaissance
Passive reconnaissance collects information from publicly available sources without directly connecting to or querying the target organization's systems. This makes it extremely difficult for the target to detect because no traffic touches their network.
Passive reconnaissance sources:
- Social media — employee profiles revealing job titles, technologies used, organizational structure
- Corporate websites — employee directories, technology vendor mentions, office locations, partner organizations
- Online forums and Reddit — employees discussing technical problems, infrastructure details, security issues
- Social engineering — calling the organization to gather information under a pretext
- Dumpster diving — examining discarded documents, printed network diagrams, old hardware
- Business organizations — trade associations, LinkedIn, conference speaker bios, press releases
- OSINT tools — WHOIS lookups, DNS records, Shodan, certificate transparency logs
Active Reconnaissance
Active reconnaissance involves directly interacting with target systems to gather technical information. Unlike passive reconnaissance, active methods generate traffic that may be detected by security monitoring tools. Evidence of active reconnaissance is typically stored in firewall logs, IDS/IPS alerts, and server access logs.
Active reconnaissance techniques:
- Ping scans — sending ICMP echo requests to discover which IP addresses are live
- Port scans — probing TCP/UDP ports to determine which services are listening
- DNS queries — querying corporate DNS servers to enumerate hostnames and IP addresses
- OS fingerprinting — analyzing TCP/IP characteristics to identify the operating system running on a device
- OS scans — sending crafted packets to determine OS type and version
- Service scans — connecting to open ports to identify which service is running
- Version scans — identifying the specific version of services (e.g., Apache 2.4.52, OpenSSH 8.2) to match against known CVEs
Passive vs. Active Reconnaissance Comparison
| Characteristic | Passive Reconnaissance | Active Reconnaissance |
|---|---|---|
| Target interaction | None — uses public sources only | Direct — sends packets to target systems |
| Detectability | Very difficult to detect | Visible in logs and alerts |
| Information type | Organizational, structural, social | Technical: services, versions, OS, ports |
| Examples | Social media, WHOIS, dumpster diving | Port scans, OS fingerprinting, version scans |
| Risk of detection | Very low | Moderate to high depending on security monitoring |
Key Terms
- Reconnaissance — information-gathering phase before exploitation; builds picture of target environment
- Passive reconnaissance — uses public open sources; does not touch the target network; difficult to detect
- Active reconnaissance — directly queries target systems; generates network traffic; visible in logs
- Dumpster diving — physical passive recon technique: examining discarded documents and hardware
- OS fingerprinting — identifying the operating system type and version through network behavior analysis
- Version scan — identifying specific software versions running on open ports to find matching CVEs
- OSINT — Open Source Intelligence; passive recon using publicly available data