Document 5

The document outlines various penetration testing strategies, including black box, white box, grey box, and others, each with distinct definitions, advantages, limitations, and use cases. It emphasizes the importance of penetration testing in identifying vulnerabilities, assessing risks, enhancing incident response, ensuring regulatory compliance, and informing security investments. The document concludes that selecting the appropriate strategy is crucial for comprehensive security assessments and organizational resilience.

Types of Penetration Testing Strategies

Introduction
Penetration testing, or pen testing, is a simulated cyberattack conducted to identify and
exploit vulnerabilities within an organization’s systems, networks, or applications. The
purpose is to assess the effectiveness of security controls and processes. Multiple
strategies are employed in penetration testing, mainly differentiated by the information
available to the tester and the perspective from which the test is conducted.

1. Black Box Penetration Testing

• Definition: In black box testing, the tester has no prior knowledge about the
internal systems, network architecture, or source code of the target. The tester
acts as an external attacker, gathering information as the test progresses.
• Advantages: Closely simulates a real-world attack scenario, revealing
vulnerabilities as an outside attacker would see them.
• Limitations: Coverage is bounded by what the tester manages to discover within
the engagement window, so a large share of the time goes into reconnaissance, and
flaws that are only reachable with internal knowledge or access are likely missed.
• Use Case: Used to assess the security from an outsider's perspective, such as on
internet-facing web applications or network perimeters.

2. White Box Penetration Testing

• Definition: The tester is provided with full information about the target, such as
source code, infrastructure diagrams, credentials, and policy documentation.
Also known as clear box or glass box testing.
• Advantages: Allows for deeper, more thorough analysis and identification of
vulnerabilities including those not exposed to outsiders.
• Limitations: Does not simulate an unknown attacker; may require more time and
resources.
• Use Case: Used for thorough security audits, compliance checks, and code
analysis.

3. Grey Box Penetration Testing

• Definition: The tester is given partial information, such as login credentials or
architecture diagrams, representing an attacker with limited insider knowledge
(e.g., a former employee or a contractor).
• Advantages: Balances realism and depth; effective in testing privilege escalation
and internal risks.
• Limitations: May miss vulnerabilities an external attacker would discover or
issues only visible internally.
• Use Case: Useful for simulating attacks from malicious insiders or attackers with
some prior access.

4. External Penetration Testing

• Definition: Focuses on assets visible and accessible from outside the
organization’s network, such as web servers, email servers, and public-facing
applications.
• Advantages: Identifies vulnerabilities susceptible to exploitation from outside
threats.
• Limitations: Does not test vulnerabilities that require internal access.
• Use Case: Assessing the organization’s exposure to external attackers.

5. Internal Penetration Testing

• Definition: Simulates an attack by an insider or by an external attacker who
already has access to the internal network, such as via malware or physical
access.
• Advantages: Uncovers threats posed by employees, contractors, or others with
network access.
• Limitations: Does not evaluate perimeter defences.
• Use Case: Testing security controls against insider threats and lateral movement
within the network.

6. Blind Penetration Testing

• Definition: The penetration testing team is given minimal information.
Additionally, the organization’s security team knows about the test but not when
or how it will occur.
• Advantages: Tests both defenses and incident response effectiveness.
• Limitations: Can be time-consuming and challenging for testers.
• Use Case: Used to assess security monitoring and response capabilities.

7. Double-Blind Penetration Testing

• Definition: The testers receive minimal information, and the organization’s
security and operations staff are not told that a test is taking place; only the
small group of sponsors who authorized the engagement know. Both sides operate in
real time, so the exercise closely emulates a genuine attack.
• Advantages: Provides the most realistic simulation of a genuine attack, including
how quickly it is noticed and how the response actually unfolds.
• Limitations: Can disrupt operations if not carefully managed: defenders may treat
the activity as a real incident, take systems offline, or escalate externally, so
written authorization, agreed rules of engagement, and an out-of-band channel for
halting the test are essential.
• Use Case: High-maturity organizations wishing to test both prevention and
detection capabilities.

8. Targeted Penetration Testing

• Definition: Both the penetration tester and the organization’s IT/security team
work together, sharing information during the test (sometimes called a
"lights-turned-on" test).
• Advantages: Enables focused, collaborative testing and real-time threat response
simulation.
• Limitations: Less realistic in terms of simulating an unknown attacker, but
valuable for training.
• Use Case: Training exercises and validation of specific controls or processes.

Conclusion
Each penetration testing strategy serves a unique purpose and helps organizations
identify weaknesses from different perspectives. Selecting the appropriate penetration
testing strategy depends on the organization’s goals, risk profile, regulatory
requirements, and existing security posture. Combining multiple strategies often yields
the most comprehensive security assessment.

8. The usefulness of penetration testing results cannot be overstated, especially when
viewed through the lens of a comprehensive security program. For a 16-mark answer,
several dimensions need to be covered, including risk identification, compliance,
operational improvement, and organizational reputation.

Usefulness of Penetration Testing Results

1. Identifying Hidden Vulnerabilities

Penetration testing exposes vulnerabilities in networks, applications, wireless
infrastructure, and endpoints that may not be detectable through automated tools or
regular audits. These include weak encryption on wireless networks, poorly configured
devices, outdated software, susceptibility to social engineering, and unpatched
vulnerabilities, or even issues like rogue access points in wireless environments. This
detailed reporting allows the organization to address not only technical flaws but also
weaknesses in security policies and user behavior.

2. Realistic Risk Assessment

By simulating real-world attack scenarios, penetration testing demonstrates how
vulnerabilities could actually be exploited by external or internal attackers. This
practical demonstration helps organizations prioritize remediation based on actual
business risk, rather than hypothetical threats.

3. Enhancing Incident Response Preparedness

Penetration testing can test the organization’s ability to detect and respond to attacks in
real time. For example, double-blind or blind penetration tests reveal how efficiently
security teams identify and contain breaches, providing valuable lessons for improving
response plans and training.

4. Regulatory Compliance

Several standards and regulatory frameworks call for regular security testing. PCI DSS
requires penetration testing explicitly (internal and external, at least annually and
after significant changes). HIPAA, ISO 27001, and GDPR (Article 32) require regular
risk assessment or evaluation of the effectiveness of security measures, which
penetration testing is widely used to satisfy. NIST SP 800-115 is a guide to how such
testing should be conducted rather than a mandate. In each case the findings and the
evidence of remediation become a key part of compliance documentation and can help
organizations avoid fines and reputational damage.

5. Informed Security Investments

With evidence-based reporting of vulnerabilities and their potential business impact,
organizations can better justify and target spending on security controls, tools, staff
training, or infrastructure improvements. This ensures resources are spent efficiently to
address the most significant risks.

6. Continuous Security Improvement

Penetration test reports typically include not just a list of findings but also prioritized
recommendations for remediation and mitigation. As organizations work through these
action items and repeat penetration tests regularly, they build a cycle of continuous
improvement, closing security gaps as new threats emerge.

7. Building Customer and Stakeholder Trust

Demonstrating a proactive approach to security, including third-party penetration
testing, reassures stakeholders, customers, and partners that the organization takes
data protection seriously. This helps build trust and can give the organization a
competitive advantage in the market.

8. Education and Awareness

Penetration testing results can be used to raise security awareness among staff and
management. By showing how attacks can succeed, such as through social engineering
or weak Wi-Fi protocols, organizations can drive effective security awareness and
behavioral change across teams.

9. Cost Effectiveness

Addressing vulnerabilities uncovered during penetration tests can prevent costly data
breaches, system outages, or attacks, potentially saving the organization substantial
financial and operational impact in the long run.

10. Strategic Decision-Making

By delivering detailed and structured reports, penetration testing provides the
high-quality data needed for strategic planning, including IT infrastructure changes,
policy updates, or risk management initiatives. The result is a more resilient and mature
information security posture.

In conclusion, penetration testing results are indispensable in securing digital assets.
They reveal actionable vulnerabilities, inform organizational risk decisions, drive
operational and technical improvements, and ensure compliance and trust, all of which
are essential for long-term organizational resilience in the face of evolving threats.

4 Mark

1. Port scanners are highly valuable tools in Vulnerability Assessment and Penetration
Testing (VAPT) because they provide critical information that shapes the rest of the
security assessment process.
Key benefits and roles of port scanners in VAPT:

• Discovery of Open Ports and Services: Port scanners identify which network
ports on a target system are open, closed, or filtered. Since each open port
typically corresponds to a running service or application, this step helps testers
map the network and understand the exposed attack surface.
• Service and Version Detection: Advanced port scanners (like Nmap) can detect
the specific services running on each open port, and sometimes their version
numbers. This enables testers to focus on services that are outdated or known to
be vulnerable.
• Attack Vector Identification: By revealing which services are accessible and
possibly what operating systems are in use, port scanning helps penetration
testers and security teams pinpoint potential entry points and choose relevant
exploits for deeper security testing.
• Prioritization for Vulnerability Scanning: The results from a port scan guide
subsequent steps in VAPT. Vulnerability assessments can be narrowed to only
those systems and services that are actually reachable and active, increasing
efficiency and accuracy.
• Compliance and Inventory: Regular port scanning assists in compliance audits
and asset inventory by highlighting unauthorized or unnecessary services that
could violate policy or regulatory requirements.
• Attack Surface Baseline: Port scans provide a snapshot of the organization’s
external and internal attack surfaces over time, allowing teams to monitor for
new vulnerabilities as systems and infrastructure change.

Example Workflow in VAPT:

1. Conduct a port scan on the target environment to map all accessible services and
open ports.
2. Use service detection to understand what is running on these ports.
3. Follow up with targeted vulnerability scans and manual testing or exploitation
based on the port scanning results.
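The workflow above carried one step further, as an added example that is not tooling from the page or from Nmap itself: a script that reads Nmap's grepable output (-oG), ranks the open services so the riskiest get vulnerability-scanned and hand-tested first, and diffs the result against an earlier baseline scan to show new exposure. The two scan snapshots embedded below are constructed, the weights in SERVICE_PRIORITY are a hypothetical starting point, and only the -oG field layout (port/state/proto/owner/service/rpcinfo/version) is Nmap's own.

```python
"""Turn an Nmap grepable (-oG) scan into a prioritised test list and diff it
against an earlier baseline.

Added example, not code from the page or from Nmap. The two snapshots below
are constructed; only the -oG field layout is Nmap's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed -oG output (not from a real scan). One host, three services.
BASELINE_OG = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 198.51.100.10 ()\tStatus: Up
Host: 198.51.100.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.29/, 443/open/tcp//https//Apache httpd 2.4.29/\tIgnored State: closed (997)
"""

# Same network later: RDP appeared on .10 and a new host .11 showed up.
CURRENT_OG = """\
Host: 198.51.100.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.29/, 443/open/tcp//https//Apache httpd 2.4.29/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 198.51.100.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
"""

# Hypothetical weights: cleartext and remote-admin protocols first, then
# anything a vulnerability scanner should be pointed at straight away.
SERVICE_PRIORITY = {
    "telnet": 10, "ftp": 9, "microsoft-ds": 9, "ms-wbt-server": 8,
    "smtp": 6, "ssh": 5, "http": 5, "https": 4,
}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    version: str  # empty when -sV was not run or found no match


_PORTS_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text: str) -> list[Service]:
    """Return every open port as a Service; closed/filtered entries are skipped."""
    services = []
    for line in text.splitlines():
        m = _PORTS_LINE.match(line)
        if not m:
            continue  # comment and 'Status: Up' lines carry no ports
        host, ports = m.groups()
        for entry in ports.split(", "):
            # -oG layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.rstrip("/").split("/")
            fields += [""] * (7 - len(fields))  # trailing empties were stripped
            port, state, proto, _owner, name, _rpc, version = fields[:7]
            if state == "open":
                services.append(Service(host, int(port), proto, name, version))
    return services


def prioritise(services: list[Service]) -> list[Service]:
    """Riskiest first; a leaked version string nudges a service up because it
    can be matched against known-vulnerable releases immediately."""
    def score(s: Service) -> int:
        return SERVICE_PRIORITY.get(s.name, 3) + (1 if s.version else 0)
    return sorted(services, key=lambda s: (-score(s), s.host, s.port))


def diff_exposure(baseline: list[Service], current: list[Service]):
    """(newly exposed, no longer exposed) as sorted (host, port, proto) tuples."""
    before = {(s.host, s.port, s.proto) for s in baseline}
    now = {(s.host, s.port, s.proto) for s in current}
    return sorted(now - before), sorted(before - now)


if __name__ == "__main__":
    base, cur = parse_grepable(BASELINE_OG), parse_grepable(CURRENT_OG)
    print("Test in this order:")
    for s in prioritise(cur):
        print(f"  {s.host}:{s.port}/{s.proto} {s.name} {s.version}".rstrip())
    new, gone = diff_exposure(base, cur)
    print("New since baseline:", new)
    print("Gone since baseline:", gone)
```

The filtered 445/tcp entry is deliberately dropped: a filtered port tells you a firewall is in the path, not that a service is reachable, so it belongs in the report but not in the list of things to throw a vulnerability scanner at.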

In summary: Port scanners are foundational in VAPT because they reveal what is
accessible, guide where and how to test for vulnerabilities, and ensure resources are
focused on the true points of risk in a network or application environment.

2. The general process of malicious hacking, often referred to as the cyber-attack
lifecycle or kill chain (the seven stages below are those of the Lockheed Martin Cyber
Kill Chain), follows a series of well-defined stages that attackers progress through to
successfully compromise a target system or network. While terminology may vary slightly,
the core phases are widely recognized across the cybersecurity industry:

1. Reconnaissance

• Objective: Gather information about the target organization or individual.
• Methods: Attackers collect data from public sources such as social media,
corporate websites, and online databases. They may use tools to scan networks
for open ports, identify employees, assess technologies in use, and detect
possible vulnerabilities.
• Importance: The more information gathered, the higher the chances of a
successful attack.

2. Weaponization

• Objective: Develop or select malware, exploit code, or attack tools tailored to the
target.
• Methods: Create phishing emails, craft malware-laden attachments, assemble
exploit kits, stand up look-alike websites that mimic trusted resources, or
compromise a legitimate site the targets are known to visit (a watering hole).
• Importance: Weaponization transforms reconnaissance intelligence into attack
tools.

3. Delivery

• Objective: Transmit the malicious payload to the target.
• Methods: Common delivery vectors include phishing emails, malicious
attachments, infected USB drives, fake websites, or exploiting software
vulnerabilities exposed to the internet.
• Importance: Successful delivery is crucial; the method chosen depends on what
is most likely to bypass defenses and reach the target user or system.

4. Exploitation

• Objective: Activate the malicious payload on the target system by exploiting a
vulnerability.
• Methods: Tricking a user into opening a malicious file, exploiting an unpatched
vulnerability, or executing code through a compromised website.
• Importance: Exploitation provides the attacker with initial access or foothold in
the target environment.

5. Installation

• Objective: Ensure persistent access to the compromised system.
• Methods: Install malware, remote access trojans (RATs), or backdoors that
survive reboots and evade detection.
• Importance: This allows the attacker to maintain a presence and expand control
within the target network.

6. Command and Control (C2)

• Objective: Establish communication between the attacker and the compromised
system.
• Methods: The malware connects to attacker-controlled servers to receive
commands and exfiltrate data. Communication may use standard protocols
(HTTP, HTTPS) or covert channels.
• Importance: C2 enables the attacker to remotely control infected devices, pivot
within the network, and orchestrate further actions.

7. Actions on Objectives (Execution)

• Objective: Achieve the attacker's ultimate goals.
• Methods: Data theft (exfiltration), encryption for ransomware, destruction of
data, lateral movement to other systems, or disruption of services.
• Importance: This is the final phase where the adversary fulfills their motive,
whether financial gain, espionage, or sabotage.

Summary Table of Malicious Hacking Process

Stage                  Description
Reconnaissance         Information gathering about the target
Weaponization          Preparing malware/exploits based on gathered intelligence
Delivery               Transmitting the payload (phishing emails, malicious files, etc.)
Exploitation           Gaining access by exploiting a vulnerability
Installation           Ensuring persistent presence on the victim’s system
Command and Control    Maintaining communication to control compromised systems
Actions on Objectives  Executing the attacker’s ultimate goals (data theft, disruption, etc.)

Understanding this lifecycle aids defenders in detecting and disrupting attacks at any
stage, thereby mitigating their impact.

3. Footprinting and scanning are both reconnaissance techniques in ethical hacking, but
they differ in approach, purpose, and interaction with the target. Including real-world
examples helps illustrate their distinction.

Definition
  Footprinting: Gathering publicly available information to build a profile of the target.
  Scanning: Actively probing the target network/system to discover live hosts, open
  ports, and running services.
Interaction
  Footprinting: Mostly passive (no direct contact with the target).
  Scanning: Active (direct interaction with the target's systems/networks).
Tools & Methods
  Footprinting: Search engines, WHOIS lookups, social media, public records.
  Scanning: Nmap, Netcat, port scanning, banner grabbing.
Purpose
  Footprinting: To create a general overview and identify potential targets.
  Scanning: To map the technical attack surface and find vulnerabilities.
Detection risk
  Footprinting: Low (harder to detect).
  Scanning: High (often triggers security alerts).

Example to Illustrate the Difference

Footprinting Example
An ethical hacker is preparing for a penetration test against "ExampleCorp." They begin
by collecting information through:

• WHOIS lookups: Finding ownership and registrar details of examplecorp.com.
• Google and search engines: Uncovering subdomains like
mail.examplecorp.com or archived employee contact pages.
• LinkedIn/social media: Identifying key personnel and technology mentions (e.g.,
“we use Microsoft Azure servers”).

This stage reveals there are public-facing servers with certain IP ranges and a
potentially outdated webmail URL. No contact is made with ExampleCorp's systems—
this is pure information gathering.

Scanning Example
Armed with the collected IP addresses, the tester uses a port scanner (e.g., Nmap) to
probe 198.51.100.10:
• They discover port 80 (HTTP) and 443 (HTTPS) are open, and a mail server
running on port 25.
• They perform banner grabbing on HTTP to see it runs Apache 2.4.29 on Ubuntu.

These activities involve sending packets directly to ExampleCorp's network, which
could be logged or detected by intrusion detection systems, and they reveal technical
details (exposed services and their versions) to test further.
In summary:

• Footprinting = “What can I learn about the target without touching them?”
Example: Finding ExampleCorp’s IP addresses, domains, and public-facing
services via WHOIS and Google.
• Scanning = “Now that I know what to look at, what’s actually running and
accessible?”
Example: Using Nmap to see which ports are open and what services are running
on ExampleCorp’s IPs.

Both are essential, and footprinting normally comes first because it decides where to
aim the scanner. Scanning follows to turn general information into a technical map for
potential exploitation.
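The scanning half of that contrast in runnable form, added here as an example rather than taken from the page: a TCP connect scan (the behaviour of Nmap -sT) followed by banner grabbing, which is what produced the "Apache 2.4.29 on Ubuntu" observation above. To keep it offline and safe to run it targets 127.0.0.1 against two throw-away listeners started in the same process; the SMTP greeting, the Apache version string and mail.examplecorp.com are constructed, not observed on any real host. Pointing the same functions at 198.51.100.10 without authorization would be exactly the detectable, direct interaction the text warns about.

```python
"""TCP connect scan plus banner grabbing: the 'scanning' half of the
footprinting/scanning contrast, run against local stand-in services.

Added example, not tooling from the page. The SMTP greeting, the Apache
version string and mail.examplecorp.com are constructed; nothing here was
observed on a real host.
"""
from __future__ import annotations

import socket
import threading

# Constructed banners served by the throw-away listeners below.
SMTP_GREETING = b"220 mail.examplecorp.com ESMTP Postfix\r\n"
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"
                 b"Content-Length: 0\r\n\r\n")


def start_fake_service(banner: bytes, speaks_first: bool) -> int:
    """Listen on an ephemeral localhost port and return it. Each client gets
    the banner immediately (SMTP style) or only after it sends something
    (HTTP style)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    if not speaks_first:
                        conn.recv(1024)  # wait for the client's probe
                    conn.sendall(banner)
                except OSError:
                    pass  # scanner connected and left without talking

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port() -> int:
    """Reserve then release an ephemeral port so a connect to it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict[int, str]:
    """Full TCP handshake per port, the behaviour of Nmap -sT."""
    states = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                states[port] = "open"
            except ConnectionRefusedError:
                states[port] = "closed"    # RST came back
            except socket.timeout:
                states[port] = "filtered"  # nothing came back at all
            except OSError:
                states[port] = "error"
    return states


def grab_banner(host: str, port: int, timeout: float = 0.5) -> str:
    """Read what the service volunteers; if it stays quiet, send a minimal
    HTTP request and read the reply. Returns '' when nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    return data.decode(errors="replace").strip()


def server_header(banner: str) -> str:
    """The Server: value of an HTTP banner, otherwise the banner's first line."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return banner.splitlines()[0] if banner else ""


def scan_and_fingerprint(host: str, ports) -> dict[int, str]:
    """Port -> fingerprint for open ports, '' for everything else."""
    return {port: server_header(grab_banner(host, port)) if state == "open" else ""
            for port, state in connect_scan(host, ports).items()}


if __name__ == "__main__":
    host = "127.0.0.1"
    targets = [start_fake_service(SMTP_GREETING, speaks_first=True),
               start_fake_service(HTTP_RESPONSE, speaks_first=False),
               free_closed_port()]
    for port, fp in scan_and_fingerprint(host, targets).items():
        print(f"{host}:{port} ->", fp or "closed/no banner")
```

Every probe here completes a full handshake and, for the HTTP case, sends an application-layer request, which is why connect scans and banner grabs land in web-server access logs and IDS alerts while the WHOIS and search-engine work of footprinting leaves no trace on the target.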

4. Comparison between system hacking and Trojan attacks:

Definition
  System hacking: The broader process of compromising and controlling a computer
  system by exploiting vulnerabilities. It includes activities like password cracking,
  privilege escalation, installing backdoors, stealing data, or erasing evidence.
  Trojan attacks: Use of a specific type of malware (a Trojan horse) that disguises
  itself as legitimate software to trick users into installing it, giving attackers
  unauthorized system access or control.
Method of Attack
  System hacking: May use a variety of tools and techniques: exploitation of software
  flaws, network attacks, phishing, password attacks, social engineering, or installing
  malware.
  Trojan attacks: Rely on social engineering, tricking users into running malicious
  software that appears legitimate. The Trojan then opens backdoors, spreads additional
  malware, or steals data.
Dependence on User Action
  System hacking: Not always dependent on user action; can result from remote exploits,
  network vulnerabilities, or weak configurations.
  Trojan attacks: Depend heavily on user action to execute the malicious file, such as
  opening an attachment or downloading a fake app.
Self-Replication
  System hacking: May use malware that replicates (worms or viruses), but not
  necessarily.
  Trojan attacks: Trojans cannot self-replicate; they do not spread by themselves but
  rely on being installed by the user.
Objective
  System hacking: Gaining unauthorized access, stealing/modifying data, disrupting
  operations, installing malware, or further attacking other systems.
  Trojan attacks: Mainly focused on establishing unauthorized access/control, stealing
  sensitive data, downloading other malware, or enrolling the machine in a botnet.
Visibility
  System hacking: Some techniques (privilege escalation, exploits) may trigger security
  alerts or logs; others can be stealthy.
  Trojan attacks: Often stealthy; Trojans usually run in the background, and users may
  not realize their system is compromised.
Examples
  System hacking: Cracking admin passwords to gain system control; exploiting unpatched
  software; planting rootkits for persistence; erasing logs to cover tracks.
  Trojan attacks: Backdoor Trojans (giving remote access); banking Trojans (stealing
  credentials); ransomware Trojans (locking files for ransom); rootkit Trojans (hiding
  malicious activity).

Summary:
System hacking is a broad term that encompasses all activities aimed at
compromising a computer system, which could include using Trojans as just one
method among many.
Trojan attacks are a specific type of attack within the malware category,
leveraging social engineering to trick users and deliver malicious payloads, often
as a means of gaining the initial access needed for broader system hacking.
System hacking may build upon Trojan attacks but is not limited to them—
Trojans are one of several tools and techniques used by hackers for
compromising computer systems.

5. Tools
Nmap
Purpose: Network mapping and port scanning
Use: Discovering hosts, open ports, and services running on target machines;
essential for identifying the network attack surface.
Wireshark
Purpose: Packet analysis and network traffic capturing
Use: Capturing, filtering, and analyzing network packets in real time to identify
vulnerabilities, intercept sensitive information, or troubleshoot network issues.
Metasploit Framework
Purpose: Exploitation and penetration testing
Use: Developing and executing exploit code against a remote target; automates
attacks and post-exploitation activities on networked systems.
John the Ripper / Hashcat
Purpose: Password cracking
Use: Brute-forcing or dictionary attacks on captured password hashes from
network traffic or compromised databases to recover plaintext credentials.
Aircrack-ng
Purpose: Wireless network penetration
Use: Capturing packets to crack WEP and WPA/WPA2-PSK keys, monitor
wireless traffic, and perform other wireless attacks, particularly against Wi-Fi
networks.
THC Hydra
Purpose: Brute-force attacks
Use: Automated brute-force logins against various network services such as SSH,
FTP, and Telnet to identify weak or default credentials.
Angry IP Scanner / Advanced IP Scanner
Purpose: Fast IP and port scanning
Use: Quickly scanning IP address ranges for live hosts and open ports on large
networks, useful for mapping out reachable targets.
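What the password-cracking entry above (John the Ripper / Hashcat) actually does, reduced to its core loop as an added example that is not code from either tool: a wordlist with a few mutation rules run against unsalted SHA-256 hashes through a precomputed lookup table, and then against salted PBKDF2, where every guess costs a full key-derivation run and no table can be shared between targets. The wordlist, the "leaked" hashes and the salt are constructed for the demonstration.

```python
"""Dictionary attack with simple mutation rules, the core of what John the
Ripper and Hashcat do, against unsalted SHA-256 and against salted PBKDF2.

Added example, not code from either tool. Wordlist, hashes and salt are
constructed so the run is reproducible.
"""
from __future__ import annotations

import hashlib
from typing import Iterator

# Constructed mini wordlist; real runs use millions of entries.
WORDLIST = ["password", "letmein", "summer", "welcome", "examplecorp"]
SALT = b"constructed-salt"


def candidates(word: str) -> Iterator[str]:
    """Cheap rule mutations of the kind crackers apply to every word."""
    yield word
    yield word.capitalize()
    for year in ("2023", "2024"):
        yield word + year
        yield word.capitalize() + year
    yield word.replace("a", "@").replace("e", "3")


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# "Leaked" unsalted hashes, constructed here from known passwords.
LEAKED_UNSALTED = [sha256_hex(p) for p in
                   ("Summer2024", "welcome", "correct horse battery staple")]


def crack_unsalted(targets: list[str], wordlist: list[str]) -> dict[str, str]:
    """Unsalted fast hash: hash every candidate once, then look every target
    up in the table. Cost is one hash per candidate no matter how many
    targets there are."""
    table = {sha256_hex(c): c for w in wordlist for c in candidates(w)}
    return {h: table[h] for h in targets if h in table}


def crack_pbkdf2(target: str, salt: bytes, iterations: int,
                 wordlist: list[str]) -> tuple[str | None, int]:
    """Salted slow hash: the table cannot be reused across targets, and each
    guess costs a full PBKDF2 run. Returns (password or None, guesses made)."""
    guesses = 0
    for w in wordlist:
        for c in candidates(w):
            guesses += 1
            if pbkdf2_hex(c, salt, iterations) == target:
                return c, guesses
    return None, guesses


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    target = pbkdf2_hex("letmein", SALT, 2000)
    print("pbkdf2:", crack_pbkdf2(target, SALT, 2000, WORDLIST))
```

The contrast is the point of the exercise: the two weak passwords fall to the table instantly, the passphrase outside the wordlist does not fall at all, and against PBKDF2 each guess has to be recomputed per salt, so the work multiplies by the iteration count and by the number of accounts rather than being paid once.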
