Penetration testing deals with legitimate attacks on a computer system so as to assess the level of security the system has. Here, vulnerabilities are identified in the form of: known vulnerabilities, backdoors, loopholes, probability of unauthorized access, or perhaps a vulnerability that has to yet been publicly disclosed (Zero day). Curious about how to pen test a system? A quick overview of such methodologies may help you out:
Reconnaissance: You have to know what you are dealing with, if you are pen testing a particular institution, gather as much information as possible. What kind of clients do they receive? How security-savvy is the target/employees? Any available open ports? What operating systems do the company use? What authentication methods does the login page on the website go through? On what kind of database management system is data stored? Public records can be used as can social networking sites for information gathering. Nmap can also be a fantastic network reconnaissance tool.
