Penetration Testing: Tools and Ethical Hacking Methodologies
Master authorized, ethical penetration testing - recon, nmap, Burp, ZAP, and professional reporting
Greetings, brave adventurer! You have built the walls, hardened the code, and mapped the threats. Now you take up the most disciplined role of all: the sanctioned besieger. In Penetration Testing, you learn to attack a system the way a real adversary would - but only with permission, only within scope, and always with the goal of making the defenses stronger.
A penetration test is not vandalism; it is a contract. The single most important rule of this quest, larger than any tool or technique, is this: never test a system you are not explicitly authorized to test. Master that, and the tools - nmap, Burp Suite, OWASP ZAP - become instruments of defense.
📖 The Legend Behind This Quest
The earliest “tiger teams” were hired by governments to break into their own systems and report how. They discovered a paradox that still holds: the best way to know if a wall will hold is to attack it yourself, on your own terms, before an enemy does. Ethical hacking turns the attacker’s mindset into a defender’s tool - but only the authorization and the report separate a penetration tester from a criminal.
🎯 Quest Objectives
By the time you complete this journey, you will have mastered:
Primary Objectives (Required for Quest Completion)
- Authorization & Scope - Define and respect the legal, ethical boundaries of a test
- Methodology - Follow the recon → scan → exploit → post-exploit → report lifecycle
- Reconnaissance & Scanning - Discover hosts, ports, and services with nmap
- Web Application Testing - Intercept and manipulate traffic with Burp Suite or OWASP ZAP
- Reporting - Write findings with severity, evidence, and remediation
Secondary Objectives (Bonus Achievements)
- Vulnerability Validation - Confirm a flaw is real, not a false positive
- CVSS Scoring - Assign a defensible severity to a finding
- Retesting - Verify that a remediation actually closed the hole
Mastery Indicators
You’ll know you’ve truly mastered this quest when you can:
- Recite the rules of engagement before touching a target
- Read an nmap scan and identify the interesting attack surface
- Use a proxy to tamper with a request and observe the result
- Write a finding a developer can actually act on
🗺️ Quest Prerequisites
📋 Knowledge Requirements
- Completion of Security Fundamentals (recommended)
- Basic networking: IP addresses, ports, TCP, HTTP
- Familiarity with the OWASP Top 10
🛠️ System Requirements
- Modern operating system (Kali Linux recommended for the toolset)
- nmap installed, plus Burp Suite Community or OWASP ZAP
- An isolated, legal practice target you own or are authorized to test
🧠 Skill Level Indicators
This 🔴 Hard quest expects:
- You are comfortable in a terminal and reading HTTP traffic
- You will operate strictly within authorized scope
- Ready for 120-150 minutes of hands-on lab work
⚖️ Legal warning: Scanning, probing, or exploiting systems without explicit written authorization is illegal in most jurisdictions (e.g., the US Computer Fraud and Abuse Act). Use only deliberately vulnerable targets you control or platforms that grant permission. When in doubt, do not.
🌍 Choose Your Adventure Platform
Set up a safe, authorized lab. The recommended target below is intentionally vulnerable and legal to attack on your own machine.
🍎 macOS Kingdom Path
Click to expand macOS instructions
```bash # Tools brew install nmap brew install --cask zap # OWASP ZAP brew install --cask burp-suite # Burp Suite Community Edition # Legal practice target on localhost only docker run --rm -d -p 3000:3000 bkimminich/juice-shop ```🪟 Windows Empire Path
Click to expand Windows instructions
```powershell # Tools winget install Insecure.Nmap winget install OWASP.ZAP winget install PortSwigger.BurpSuite.Community # Legal practice target docker run --rm -d -p 3000:3000 bkimminich/juice-shop ```🐧 Linux Territory Path (Kali recommended)
Click to expand Linux instructions
```bash # Kali ships these preinstalled; on Debian/Ubuntu install them: sudo apt update && sudo apt install -y nmap zaproxy # Burp Suite Community: download from portswigger.net # Legal practice target on your own machine sudo docker run --rm -d -p 3000:3000 bkimminich/juice-shop ```☁️ Cloud Realms Path
Click to expand Cloud/Container instructions
```bash # Authorized online labs (no setup, permission granted by the platform): # - PortSwigger Web Security Academy (free) # - TryHackMe / Hack The Box (authorized lab environments) echo "Use only platforms that explicitly authorize testing in their terms." ```🧙♂️ Chapter 1: The Contract - Authorization, Scope, and Methodology
Before a single packet is sent, the rules are set. This chapter is the most important in the quest.
⚔️ Skills You’ll Forge in This Chapter
- Rules of engagement and scope definition
- The standard penetration testing lifecycle
🏗️ Rules of Engagement
A legitimate engagement always defines, in writing:
- Scope - exactly which IPs, domains, and applications are in (and out of) bounds
- Authorization - a signed statement from the system owner permitting the test
- Timing - when testing may occur, to avoid business disruption
- Constraints - what is forbidden (e.g., no denial-of-service, no real customer data)
- Reporting - how and to whom findings are delivered
🏗️ The Methodology
Established frameworks (PTES, the OWASP Web Security Testing Guide, NIST SP 800-115) share the same backbone:
1. Planning & Scoping — agree on rules of engagement
2. Reconnaissance — gather information (passive, then active)
3. Scanning & Enumeration — map hosts, ports, services, versions
4. Exploitation — validate that a vulnerability is real
5. Post-Exploitation — assess impact (without overreaching)
6. Reporting — document findings, severity, remediation
7. Remediation & Retest — confirm fixes actually work
🔍 Knowledge Check: The Contract
- What five things must rules of engagement define?
- Why is the report, not the exploit, the real deliverable?
- Name two frameworks that define a testing methodology
🧙♂️ Chapter 2: Reconnaissance and Scanning with nmap
Reconnaissance maps the battlefield. Passive recon gathers public information without touching the target; active recon (scanning) probes it directly - and is only legal within scope.
⚔️ Skills You’ll Forge in This Chapter
- Host discovery and port scanning with nmap
- Service and version detection
- Reading scan output to find attack surface
🏗️ nmap in Practice
# Host discovery — which hosts on a subnet are alive? (in-scope only)
nmap -sn 10.0.0.0/24
# TCP SYN scan of the top 1000 ports on a single in-scope host
nmap -sS 10.0.0.5
# Service + version detection and default scripts (deeper enumeration)
nmap -sV -sC -p- 10.0.0.5
# Scan the local web target from the lab
nmap -sV -p 3000 localhost
A representative result tells you what to investigate next:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9
80/tcp open http nginx 1.18.0
3000/tcp open http Node.js Express framework
Each open service is attack surface. An outdated version is an immediate lead for the “Vulnerable Components” category from the OWASP Top 10.
🔍 Knowledge Check: Recon
- What does
-sVadd over a plain port scan? - Why is passive recon legal where active scanning may not be?
- What makes an outdated service version a finding?
🧙♂️ Chapter 3: Web Testing with Burp Suite / OWASP ZAP, and Reporting
Most modern attack surface is web. An intercepting proxy lets you see and modify every request between browser and server - the heart of web penetration testing.
⚔️ Skills You’ll Forge in This Chapter
- Intercepting and modifying HTTP requests
- Using an automated scanner responsibly
- Writing a clear, actionable finding
🏗️ Intercept and Tamper
Both Burp Suite (Community/Pro) and OWASP ZAP (free, open source) work as a proxy between your browser and the target:
Browser → [ ZAP / Burp Proxy on 127.0.0.1:8080 ] → Target App
Workflow against the legal lab target:
- Configure your browser to proxy through
127.0.0.1:8080and trust the proxy’s CA cert. - Browse the application to populate the proxy’s history.
- Send an interesting request to the Repeater (Burp) / Manual Request Editor (ZAP).
- Tamper with a parameter - e.g., change a user
id- and watch for Broken Access Control.
# ZAP can also run headless for automation against an authorized target
zap.sh -cmd -quickurl http://localhost:3000 -quickout /tmp/zap-report.html
# The report lists alerts by risk level — review and validate each one
Automated scanners produce false positives. Always manually validate a finding before reporting it.
🏗️ Write the Report
A useful finding is structured and actionable:
Title: Broken Access Control on /api/invoices/{id}
Severity: High (CVSS 8.1)
Affected: GET /api/invoices/{id}
Description: Any authenticated user can read any invoice by changing {id};
the server does not verify resource ownership (IDOR).
Evidence: Request as user A for invoice 1042 (owned by user B) returns 200
with B's data. [screenshot / request-response attached]
Impact: Disclosure of all customers' billing data (confidentiality breach).
Remediation: Enforce server-side authorization: confirm the invoice's owner_id
equals the authenticated user before returning it.
Retest: Confirm the same request now returns 403 for a non-owner.
A report’s value is measured by how easily a developer can act on it - clear severity, reproducible evidence, and concrete remediation.
🔍 Knowledge Check: Web Testing & Reporting
- What does an intercepting proxy let you do that a browser alone cannot?
- Why must scanner output be manually validated?
- What are the essential fields of a finding?
🎮 Mastery Challenges
🟢 Novice Challenge: Scan the Lab
Objective: Run nmap against your local Juice Shop target and interpret the output.
Requirements:
- Identify the open port(s) and service versions
- Note one piece of attack surface worth investigating
- Stay strictly on localhost / in-scope
Validation: You can explain what each open port implies.
🟡 Intermediate Challenge: Intercept and Tamper
Objective: Proxy the lab app through ZAP or Burp and modify one request to demonstrate a flaw.
Requirements:
- Capture a request in the proxy
- Tamper with one parameter and observe the response
- Identify the OWASP Top 10 category involved
Validation: The tampered request produces unintended behavior you can reproduce.
🔴 Advanced Challenge: Mini Pentest Report
Objective: Run a small authorized assessment end to end and write a report.
Requirements:
- State the scope and authorization up front
- Document at least two validated findings with evidence
- Assign severity and remediation to each
- Include a retest step
Validation: A developer could fix every finding using only your report.
🏆 Quest Rewards & Achievements
🎖️ Badges Earned:
- 🏆 Sanctioned Siegemaster - You tested defenses ethically and within scope
- 🛡️ Reporter of the Realm - You turned findings into action
🛠️ Skills Unlocked:
- Reconnaissance and Network Scanning - nmap fluency
- Web Application Testing - Burp Suite / OWASP ZAP proficiency
🔓 Unlocked Quests:
- Compliance Standards - Penetration tests are often a required audit control
📊 Progression Points: +100 XP
🗺️ Next Steps in Your Journey
Continue the Main Story:
- 🎯 Compliance Standards - Where pentests become required evidence
Explore Side Adventures:
- ⚔️ Threat Modeling - Plan your attacks before you run them
- ⚔️ Secure Coding Practices - Fix what you find
Character Class Recommendations
💻 Software Developer: Continue to Secure Coding Practices
🏗️ System Engineer: Explore Compliance Standards
🛡️ Security Specialist: Advance to Threat Modeling
📚 Resources
Official Documentation
- nmap Reference Guide - Every flag explained
- OWASP Web Security Testing Guide (WSTG) - The methodology bible
- NIST SP 800-115 Technical Guide to Security Testing
Community Resources
- PortSwigger Web Security Academy - Free, authorized, hands-on labs
- OWASP ZAP - Free, open-source web proxy and scanner
- Penetration Testing Execution Standard (PTES) - Engagement methodology
Tools & Utilities
- Burp Suite Community - Intercepting proxy and Repeater
- Kali Linux - A distribution pre-loaded with testing tools
- Common Vulnerability Scoring System (CVSS) - Standard severity scoring
🤝 Quest Completion Checklist
- ✅ Completed all primary objectives
- ✅ Produced a small report against a legal, in-scope target
- ✅ Answered all knowledge check questions
- ✅ Completed at least one mastery challenge
- ✅ Explored the resource library
- ✅ Identified your next quest in the journey
🕸️ Knowledge Graph
Structured wiki-links connect this quest to the IT-Journey knowledge graph. Open the Obsidian Graph View to explore connections.
Level hub: [[Level 1011 - Security & Compliance]] Overworld: [[🏰 Overworld - Master Quest Map]] Prerequisites: [[Security Fundamentals: CIA Triad and Defense in Depth Strategies]] Unlocks: [[Compliance Standards: SOC 2, GDPR, and HIPAA Requirements]] Related quests: [[Threat Modeling: STRIDE Framework and Attack Trees Analysis]] · [[Secure Coding Practices: OWASP Top 10 Vulnerability Prevention]] Obsidian docs: [[Obsidian Knowledge Graph and Wiki Links]]
🎁 Rewards
Badges
- 🏆 Sanctioned Siegemaster - Tested defenses ethically and within scope
- 🛡️ Reporter of the Realm - Turned findings into actionable remediation
Skills unlocked
- 🛠️ Reconnaissance and Network Scanning (nmap)
- 🕷️ Web Application Testing (Burp Suite / OWASP ZAP)
Features unlocked
- Ability to run a basic authorized penetration test end to end
🕸️ Quest Network
Click a node to open the quest · ⌘/Ctrl-click for a new tab · drag to reposition · scroll to zoom.
Referenced by
- Loading…