Penetration Testing: 5 Phases of Ethical Hacking (2026)

PerfectNotes Team•Updated May 2026

Share

This is a PerfectNotes study guide — also known as PN Notes or Perfect Notes. PerfectNotes provides free computer science student notes, MCQs, and interview preparation guides at perfectnotes.org.

Download PDF

Introduction: The Hacker You Hire

Every day, cybercriminals probe the internet looking for unpatched servers, misconfigured databases, and careless employees. The most effective way to discover these weaknesses before attackers do is to simulate the attack yourself — using the exact same tools, techniques, and mindset as a real threat actor.

Penetration Testing (commonly called pen testing or ethical hacking) is a structured security assessment in which a qualified professional actively attempts to exploit vulnerabilities in a target system. The goal is to demonstrate actual business impact: proving that a series of technical bugs can result in unauthorized data access, financial fraud, or operational disruption.

Why Companies Pay Hackers to Attack Them

The question organizations inevitably ask is: "Why would we pay someone to hack us?" The answer is rooted in asymmetric risk:

• Attackers only need to find one way in; defenders must secure everything. A pen tester helps find the weakest links before real attackers can.
• Compliance mandates it. PCI DSS Requirement 11.4 mandates annual pen testing for all organizations handling card data. ISO 27001, SOC 2, and HIPAA all require regular security assessments.
• Cyber insurance requires it. Underwriters increasingly require evidence of annual penetration testing before issuing or renewing cyber liability policies.
• The cost of testing is a fraction of a breach. The average cost of a data breach in 2025 was $4.88 million (IBM). A professional pen test costs $5,000–$50,000.
• Bug bounty economics. Companies like Google, Apple, and Microsoft pay ethical hackers up to $1 million+ to find zero-day vulnerabilities — cheaper than emergency incident response.

The 5 Phases of Penetration Testing

Every professional penetration test — from a small web application assessment to a full-scale network breach simulation — follows a rigorous, 5-step methodology:

Phase 1: Reconnaissance (Information Gathering)

The attacker collects as much information as possible about the target before touching any system. This phase is divided into:

• Passive Reconnaissance: Gathering publicly available information without interacting with target systems. Sources include WHOIS records, DNS lookups, LinkedIn profiles, job postings (which reveal tech stack), GitHub repositories, and Google dorking.
• Active Reconnaissance: Direct interaction with target systems — DNS zone transfers, traceroute, port scanning of publicly exposed services.

Key Tools: Maltego (relationship mapping), Shodan (internet-connected device search engine), theHarvester (email/subdomain enumeration), Recon-ng, FOCA, LinkedIn OSINT.

Example:A pen tester discovers the company uses an unpatched version of Apache Tomcat 9.0.22 by reading a developer's Stack Overflow post — without ever touching the company's servers. This information informs the attack strategy before a single packet is sent.

Phase 2: Scanning & Enumeration

Using the intelligence gathered in Phase 1, the tester now actively probes target systems to identify open ports, running services, software versions, and potential vulnerabilities.

• Port Scanning: Identify open TCP/UDP ports using Nmap — nmap -sS -sV -O 192.168.1.0/24
• Service Fingerprinting: Determine exact software versions (Apache 2.4.49, OpenSSH 7.4, etc.) to match against CVE databases.
• Vulnerability Scanning: Automated scanners like Nessus, OpenVAS, and Qualys map identified services against known CVEs.
• Web Enumeration: Directory brute-forcing with Gobuster or Dirb, parameter discovery, API endpoint mapping.

Key Tools: Nmap, Nessus, OpenVAS, Masscan, Nikto (web server scanner), Burp Suite (web application proxy), OWASP ZAP.

Phase 3: Exploitation (Gaining Access)

This is the phase most people associate with "hacking." The tester now uses the vulnerabilities discovered in Phase 2 to gain unauthorized access to systems. Critically, the goal is demonstrated impact — proof that the vulnerability is exploitable, not just listed as potential.

• Known CVE Exploitation: Using existing public exploits for unpatched software (e.g., EternalBlue for MS17-010, Log4Shell for Log4j).
• Web Application Attacks: SQL injection to dump database credentials, XSS to steal session cookies, IDOR to access other users' data.
• Password Attacks: Credential stuffing with leaked databases, brute-force with Hydra, password spraying against Active Directory.
• Social Engineering: Phishing emails crafted with GoPhish, pretexting phone calls, malicious USB drops.
• Metasploit & Exploitation: Professional penetration testing relies on automated frameworks like the Metasploit Project — widely used in authorized testing engagements and also by real attackers, which is why Next-Generation Firewalls (NGFWs) are essential to block known exploit patterns.

Key Tools: Metasploit Framework (exploit framework), SQLmap (automated SQL injection), BeEF (browser exploitation), Hydra (password brute-forcer), Responder (LLMNR/NBT-NS poisoning), GoPhish (phishing simulation).

Phase 4: Post-Exploitation (Maintaining Access & Pivoting)

Once initial access is established, a real attacker would not immediately alert the target — they would attempt to maintain persistence, escalate privileges, and move laterally across the network to reach high-value crown jewel assets (domain controllers, financial databases, IP repositories).

• Privilege Escalation: Exploiting local kernel vulnerabilities or misconfigured services to move from a low-privileged user to Administrator or root (WinPEAS, LinPEAS, BeRoot).
• Credential Harvesting: Dumping password hashes from LSASS memory with Mimikatz, extracting browser-stored credentials, reading SAM/NTDS.dit database files.
• Lateral Movement: Using harvested credentials to pivot to other systems via RDP, SMB, WinRM (CrackMapExec, BloodHound for Active Directory attack path mapping).
• Persistence Mechanisms: Creating scheduled tasks, registry run keys, or installing backdoors to maintain access if the initial entry point is patched.
• Data Exfiltration Simulation: Demonstrating that sensitive data can be extracted — but not actually exfiltrating real customer data.

Key Tools: Cobalt Strike (commercial C2 framework), Sliver (open-source C2), Metasploit Meterpreter, Mimikatz, BloodHound, Impacket suite, Covenant.

Phase 5: Reporting & Remediation

The most important deliverable of any penetration test is the final report. A well-written pen test report bridges the gap between technical findings and business decisions.

A professional report includes:

• Executive Summary: Non-technical overview of overall risk posture, key findings, and business impact — written for C-suite and board audiences.
• Technical Findings: Each vulnerability documented with CVE ID, CVSS score, affected system, step-by-step reproduction steps, and screenshot evidence.
• Attack Chain Narrative: How individual findings were chained into a complete attack path showing the full kill chain.
• Risk-Prioritized Remediation: Specific, actionable fix recommendations ranked by exploitability and business impact (not just CVSS score).
• Retest Plan: Schedule for re-testing after patches are applied to verify findings are fully remediated.

CVSS Scoring: Each finding is rated using the Common Vulnerability Scoring System v3.1. A base score considers Attack Vector (Network/Adjacent/Local/Physical), Attack Complexity, Privileges Required, User Interaction, Scope, and CIA impact. Final scores determine patch priority: Critical (9.0–10.0) → patch within 24–72 hours; High (7.0–8.9) → patch within 30 days; Medium (4.0–6.9) → patch within 90 days; Low (0.1–3.9) → next quarterly patching cycle.

Advanced: VAPT — Vulnerability Assessment and Penetration Testing

In enterprise security practice, the combined discipline is often called VAPT (Vulnerability Assessment and Penetration Testing) — a two-stage approach that combines the breadth of automated scanning with the depth of manual exploitation.

The VAPT methodology maximizes ROI: automated scanners run continuously to catch known CVEs, while manual pen testers focus their limited time on business logic flaws, chaining vulnerabilities, and novel attack paths that no scanner can detect.

Advanced: Red Teaming and the MITRE ATT&CK Framework

Red teaming is the most advanced and realistic form of security testing. Unlike a standard pen test (which has a defined scope and a fixed start date known to the security team), a red team engagement simulates a sophisticated, persistent threat actor operating covertly over weeks or months.

Key characteristics:

• Full-scope: People (phishing staff), physical (tailgating into offices), and technology (network intrusion) are all in scope simultaneously.
• No advance warning: The defensive blue team (SOC, incident responders) is not told when or where the red team will strike — they must detect the attack organically.
• Objective-driven: Instead of finding all vulnerabilities, the red team pursues specific objectives (e.g., exfiltrate the CEO's email, access the production database).
• TTPs-based: Red teamers replicate the exact Tactics, Techniques, and Procedures (TTPs) of known threat actor groups (APT28, Lazarus, FIN7) to test whether existing defenses can detect them.

The MITRE ATT&CK® framework (Adversarial Tactics, Techniques, and Common Knowledge) is the industry-standard taxonomy for describing adversary behavior. It maps 14 tactic categories (from Initial Access to Impact) against hundreds of specific techniques and sub-techniques, each documented with real-world threat actor usage examples, detection strategies, and mitigation controls.

Red teams document every action taken during an engagement using ATT&CK technique IDs. The final report maps these to the matrix, showing defenders which detection controls are missing, which tactics their SIEM rules cover, and where gaps in visibility exist.

Advanced: CVSS Scoring & Quantifying Risk with ALE

Security professionals need to communicate findings in terms that business leaders understand: money and probability. Two models achieve this:

CVSS v3.1 — Common Vulnerability Scoring System

CVSS provides a standardized numerical score (0.0–10.0) for each vulnerability based on six base metrics:

• Attack Vector (AV): Network (N) → Adjacent (A) → Local (L) → Physical (P) — Network is highest risk
• Attack Complexity (AC): Low (L) or High (H) — Low means no special conditions needed
• Privileges Required (PR): None (N) → Low (L) → High (H)
• User Interaction (UI): None (N) or Required (R)
• Scope (S): Unchanged (U) or Changed (C) — Changed means exploit can impact components beyond the vulnerable component
• CIA Impact: Confidentiality, Integrity, Availability — each rated None/Low/High

Example: Log4Shell (CVE-2021-44228) received a perfect 10.0 Critical score — Network attack vector, Low complexity, No privileges required, No user interaction, Changed scope, and High impact on all three CIA pillars.

ALE — Annualized Loss Expectancy

Risk quantification uses the formula: ALE = SLE × ARO

• SLE (Single Loss Expectancy): The cost if the attack happens exactly once (Number of Records × Cost per Record). Example: 50,000 records × $180 per record = SLE of $9,000,000.
• ARO (Annualized Rate of Occurrence): The probability of the attack happening in a given year. Example: 0.30 (30% annual probability of exploitation).
• ALE = $9,000,000 × 0.3 = $2,700,000 per year. If the security fix costs $15,000, the ROI of patching is 180×. This is how CISOs justify security budgets to CFOs.

The table below applies the ALE formula to three realistic breach scenarios — showing how a seemingly affordable patch ($15,000) eliminates millions of dollars in annualized risk:

⭐ Mid-Size DB is the standard scenario from the CISO training example (50K records × $180 × 30% ARO). $180/record = IBM Cost of a Data Breach 2025 industry average.

Advanced: EDR/AMSI Evasion Techniques

Modern enterprises deploy Endpoint Detection and Response (EDR) solutions (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) that use behavioral analysis, machine learning, and kernel-level telemetry to detect and block malicious activity. Advanced red teams must test whether their TTPs evade these defenses — because real threat actors certainly try.

Common EDR/AMSI bypass research techniques (documented for defensive purposes):

• AMSI Bypass: The Antimalware Scan Interface (AMSI) in Windows hooks PowerShell and .NET to scan scripts before execution. Attackers patch the AmsiScanBuffer function in memory to return a clean result, bypassing real-time script scanning.
• Process Injection: Injecting shellcode into legitimate processes (svchost.exe, explorer.exe) to make malicious activity appear as normal process behavior to EDR telemetry.
• Living off the Land (LotL): Using legitimate Windows binaries (LOLBins) like certutil.exe, mshta.exe, and regsvr32.exe to execute malicious payloads — these signed system binaries are harder for EDR to flag.
• Reflective DLL Loading: Loading malicious DLLs entirely in memory without writing to disk, evading file-based AV scanning.
• Sleep Obfuscation: Encrypting the malicious payload in memory while the implant is idle between C2 check-ins, evading memory scanning by EDR solutions.

Understanding these techniques is essential for blue teams to configure EDR policies, write custom detection rules, and validate that their controls function against modern adversary TTPs.

Real-World Case Study: The 2016 Uber Data Breach Cover-Up

The 2016 Uber breach is the definitive case study in how an organization responds to penetration test findings — and what happens when a company chooses to cover up a breach rather than disclose it. A single exposed credential on a public GitHub repository compromised the data of 57 million users worldwide.

Key Penetration Testing Statistics & Industry Data (2026)

• Breach Cost vs Test Cost — Average breach cost in 2025 was $4.88M. A pen test costs $5,000–$50,000 — 97–99.5% cost saving vs breach remediation. (Source: IBM, 2025)
• Compliance Driver — PCI DSS Requirement 11.4 mandates annual pen testing for all organisations processing card data. 71% of all enterprise pen tests are compliance-driven. (Source: Verizon DBIR, 2025)
• Finding Reality — Average enterprise pen test discovered 17 critical/high vulnerabilities that automated scanners had missed. Bug chaining elevated 62% of medium-severity findings to critical attack paths. (Source: Cobalt, 2025)
• Dwell Time — Median attacker dwell time before detection is 16 days in 2025 — down from 24 days in 2022. (Source: Mandiant M-Trends, 2025)
• Bug Bounty Economics — Google, Apple, and Microsoft have paid over $300 million in bug bounty rewards since 2010. Google's largest single payout was $4 million for a critical Android zero-day chain. (Source: HackerOne, 2025)

Quick Reference Cheat Sheet

The essential penetration testing concepts at a glance.

Frequently Asked Questions (FAQ)