Chapter 84 · Concepts

Penetration Testing — Concept Maps

Structured breakdowns of rules of engagement elements, the four attack phases, pen testing vs. vulnerability scanning, persistence techniques, and the responsible disclosure sequence.

Penetration Testing vs. Vulnerability Scanning
PropertyVulnerability ScanningPenetration Testing
What it doesIdentifies potential weaknesses; checks for conditions that could be exploitedActively exploits confirmed vulnerabilities; demonstrates real-world impact
ExploitationNone — no attacks are performedYes — actual exploitation techniques are attempted
Operational riskMinimal; production-safe in most casesReal risk of service disruption; exploits can crash systems
InvasivenessMinimally invasiveIntentionally invasive — simulates full attacker behavior
What it confirms"This version has a known vulnerability""This vulnerability is exploitable in this environment and here is the impact"
Required authorizationScope defined; rules less formalFormal rules of engagement required before any testing; legal authorization essential
FrequencyContinuous or frequent (weekly, monthly)Periodic (annual, after major changes, or as mandated)
Rules of Engagement — Required Elements
ElementWhat It DefinesWhy It Is Required
Type of testingExternal (from internet), internal (from inside network), physical (breach physical security), social engineeringDifferent test types carry different risk profiles; testers need to know which techniques are authorized
Permitted timingHours during which testing is allowed (e.g., after 6 PM only, weekends only)Protects business operations from disruption; testing during peak hours risks impacting users
In-scope systemsSpecific IP ranges, domains, or applications the tester may probe and attackDefines what the tester is authorized to touch; anything not in scope is off-limits
Out-of-scope systemsExplicitly excluded systems that must not be tested, even if discovered as part of the engagementProtects production-critical systems, third-party infrastructure, and shared systems from unauthorized testing
Emergency contactsNamed contacts for both the testing team and the organization with 24/7 availabilityEnables immediate testing halt if a system becomes critical or a real incident occurs during the test window
Sensitive data handlingProcedures for storing, protecting, and destroying sensitive data discovered during the engagementSensitive data found during a pen test is real data; mishandling creates real liability
The Four Penetration Testing Phases
PhaseGoalCommon TechniquesWhat It Reveals
1. Initial exploitation Gain the first foothold inside the target environment Buffer overflow, SQL injection, phishing, credential brute force, physical tailgating, social engineering Weaknesses in perimeter security; whether external defenses can be bypassed
2. Lateral movement Expand access from the initial foothold to additional internal systems Pass-the-hash, credential theft from memory, shared folder exploitation, remote management protocol abuse (RDP, WinRM) Inadequate internal segmentation; excessive internal trust; lack of internal monitoring
3. Persistence Ensure continued access even if the original vulnerability is patched or session detected Unauthorized account creation, backdoor installation, default password changes, scheduled task modification, startup service modification Gaps in change monitoring; unauthorized account detection; log review adequacy
4. The pivot Use a compromised system as a proxy to reach otherwise-inaccessible network segments Port forwarding through compromised host, SOCKS proxying, exploiting trusted connections between systems (database connections, API calls) Over-permissive network trust relationships; segmentation that exists on paper but not in practice; excessive service permissions
Persistence Techniques — Types and Detection
TechniqueHow It WorksDetection Method
Unauthorized account creationAttacker creates new administrative user accounts on compromised systemsMonitor for new account creation events; audit account lists against baseline; alert on unexpected admin group membership changes
Default password modificationAttacker changes or verifies default service/application account passwords to known values they controlAudit service account credentials against policy; monitor for password change events on service accounts
Backdoor installationRemote access tool (RAT) installed that beacons to attacker C2 on schedule or on startupEndpoint detection for unknown processes; network monitoring for unusual outbound connections; file integrity monitoring
Startup service modificationMalicious code added to startup services, scheduled tasks, or boot scripts to execute on every restartMonitor startup service changes; scheduled task creation/modification events; application whitelisting to block unauthorized executables
Web shell installationScript file placed in web server directory that provides remote command execution through HTTP requestsFile integrity monitoring on web directories; unusual web server process activity; HTTP request pattern analysis
Responsible Disclosure — Four-Step Sequence
StepWho ActsWhat HappensTiming
1. Private report Researcher Reports vulnerability details privately to the vendor through a security disclosure channel or bug bounty platform; no public disclosure; provides reproduction steps and severity assessment Immediately upon discovery
2. Vendor investigates and fixes Vendor / manufacturer Reproduces the issue, identifies root cause, develops and tests a patch, prepares deployment; may consult researcher for clarification Typically 90 days (industry norm); may be faster for critical issues
3. Patch deployed Vendor Distributes patched software version to users; coordinates release timing End of remediation window
4. Public disclosure Vendor + Researcher Vulnerability details and CVE published simultaneously with patch availability; researcher credited; users can protect themselves immediately upon learning of the risk Simultaneous with or after patch deployment
Bug Bounty Programs — How They Work
ElementDetails
Who runs themSoftware vendors and major technology companies (Google, Microsoft, Meta, Apple); some government agencies and financial institutions
Who participatesIndependent security researchers, ethical hackers, students, professional penetration testers — anyone authorized by the program rules
What qualifies for a bountyValid vulnerabilities within the defined scope; must include reproduction steps, impact demonstration, and severity assessment; must be privately reported before any public disclosure
Reward structureTiered by severity: Critical vulnerabilities may earn $10,000–$1,000,000+; High may earn $1,000–$50,000; lower severity findings earn proportionally less or nothing
Researcher obligationsTest only in scope; do not exploit beyond proof of concept; report privately; do not disclose to third parties; do not access or exfiltrate data beyond what is needed to demonstrate the vulnerability
Benefit to vendorAccess to global security research community that exceeds internal testing capacity; cost-effective security testing; improved product security