Penetration Testing | CompTIA Security+ SY0-601 | 1.8a

In this video you will learn about various aspects of penetration testing such as: known, unknown, & partially known environments; rules of engagement; lateral movements; privilege escalation; persistence; cleanup; & bug bounties.

Penetration Testing

A penetration test is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment.[1]  The test is performed to identify weaknesses (also known as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.[2]  The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal.  A penetration test target may be a white box (about which background & system information are provided in advance to the tester) or a black box (about which only basic information, if any, other than the company name is provided).  A gray box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor).[3]  A penetration test can help identify a system’s vulnerabilities to attack & estimate how vulnerable it is.[4]

When it comes to penetration testing, the terms that you need to be familiar with to pass the CompTIA Security+ SY0-601 certification are the following:

  • Known Environment:  tester starts out with a significant amount of information about an organization & its infrastructure which would include information like network diagrams, IP addresses, configuration, & a set of user credentials.  The purpose of this test is to identify as many security holes as possible within the organization’s infrastructure.[5]
  • Unknown Environment:  tester is typically provided only a very limited amount of information, such as a domain name and some IP addresses for a particular target.  The reason for this test is to have the tester start out with the perspective of an external attacker.  An external attacker normally identifies a potential target by gathering information about the target from public sources.  The tester would not have prior knowledge of the target's organization and infrastructure.  Another aspect of unknown environment testing is that network support personnel of the target may not be told exactly when the test is going to take place, which eliminates the issue of a target preparing for the test and thereby not giving a real-world view of how its security posture really looks.[5]
  • Partially Known Environment:  this type of test is a hybrid of a known & unknown environment.  Testers may be provided with credentials but not full documentation of the network infrastructure, which still allows testers to report results from an external attacker's point of view.[5]
  • Rules of Engagement:  a list that outlines the specifics of a penetration testing project to ensure that both the client and the testers working on the project know exactly what is being tested, when it is being tested, and how it is being tested.[6]  The following elements are typically included in a rules of engagement document:[5]
    • Testing timeline
    • Location of the testing
    • Time window of the testing
    • Preferred method of communication
    • Security controls that could potentially detect or prevent testing
    • IP addresses or networks from which testing will originate
    • Scope of the engagement
  • Lateral Movement (Pivoting):  a post-exploitation technique that can be performed using many different methods.  The main goal is to move from one device to another while avoiding detection, to steal sensitive data, & to maintain access to those devices in order to exfiltrate it.  Lateral movement involves scanning a network for other systems, exploiting vulnerabilities in those systems, compromising credentials, & collecting sensitive information for exfiltration.  Proper network segmentation can help prevent lateral movement.[5]
  • Privilege Escalation:  the act of exploiting a bug, a design flaw, or a configuration oversight in an OS or software application to gain elevated access to resources that are normally protected from an application or user.  The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
  • Persistence:  after a system has been compromised, additional tasks to maintain a presence in the system are normally commenced such as installing and/or modifying services to connect back to the compromised system.  Some of the ways this can be accomplished are:[5]
    • Creating a bind or reverse shell
    • Creating & manipulating scheduled jobs & tasks
    • Creating custom processes
    • Creating new users
    • Creating backdoors
  • Cleanup:  cleanup refers to a tester covering their tracks after successfully compromising a system.  Many tools leave behind residual files or data that need to be removed from the target systems after the testing phases of a penetration testing engagement are complete.  Some of the items that need to be cleaned from systems include:[5]
    • User accounts created
    • Shells spawned on exploited systems
    • Database input created by automated or manual tools
    • Any tools installed or run from the systems under the test
  • Bug Bounty:  a deal offered by many websites, organizations & software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.[7]  These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.
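The rules-of-engagement elements listed above (scope, originating IP addresses, time window) can be turned into a pre-flight check that a tester's tooling runs before every action. The following is an added example, not code from the video or the Cert Guide; the `RulesOfEngagement` class, `check_action` function and the sample RoE values (RFC 5737 documentation ranges) are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class RulesOfEngagement:
    """Machine-readable subset of a rules-of-engagement document (hypothetical)."""
    in_scope: List[str]       # networks the client authorized for testing
    out_of_scope: List[str]   # explicit exclusions; these override in_scope
    source_ips: List[str]     # networks the testing traffic will originate from
    window_start: str         # testing window as ISO 8601 timestamps with offset
    window_end: str


def check_action(roe: RulesOfEngagement, target_ip: str, source_ip: str, when: str) -> List[str]:
    """Return the list of RoE violations for a proposed action (empty list = permitted)."""
    problems = []
    target, source = ip_address(target_ip), ip_address(source_ip)
    # Exclusions are checked first so an excluded host inside an in-scope range is refused.
    if any(target in ip_network(n) for n in roe.out_of_scope):
        problems.append(f"target {target_ip} is explicitly out of scope")
    elif not any(target in ip_network(n) for n in roe.in_scope):
        problems.append(f"target {target_ip} is not in the authorized scope")
    if not any(source in ip_network(n) for n in roe.source_ips):
        problems.append(f"source {source_ip} is not a declared testing address")
    start, end = datetime.fromisoformat(roe.window_start), datetime.fromisoformat(roe.window_end)
    if not start <= datetime.fromisoformat(when) <= end:
        problems.append(f"{when} is outside the agreed testing window")
    return problems


# Constructed sample RoE using RFC 5737 documentation address ranges.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    out_of_scope=["203.0.113.10/32"],        # e.g. a production database host
    source_ips=["192.0.2.7/32"],
    window_start="2024-03-04T22:00:00+00:00",
    window_end="2024-03-05T06:00:00+00:00",
)

if __name__ == "__main__":
    for tgt, src, when in [
        ("203.0.113.20", "192.0.2.7", "2024-03-04T23:00:00+00:00"),    # permitted
        ("203.0.113.10", "192.0.2.7", "2024-03-04T23:00:00+00:00"),    # excluded host
        ("198.51.100.200", "192.0.2.9", "2024-03-05T07:00:00+00:00"),  # three violations
    ]:
        print(tgt, src, when, "->", check_action(SAMPLE_ROE, tgt, src, when) or "permitted")
```

The same structure doubles as evidence for the client that every action stayed within the agreed rules, and the "security controls that could detect testing" element can be added as a further field when the engagement requires it.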

References

  1. Penetration Testing. U.S. Department of the Interior.
  2. Funk, M. (2019). Web Application Penetration Testing Checklist. Cybers Guards.
  3. Penetration Testing. National Cyber Security Centre.
  4. Penetration Testing: Assessing Your Overall Security Before Attackers Do. SANS Institute.
  5. Santos, O.; Taylor, R.; Mlodzianowski, J. CompTIA Security+ SY0-601 Cert Guide.
  6. Bork, K. Why Are Rules Of Engagement Important To My Penetration Test? Triaxiom Security.
  7. The Hacker-Powered Security Report – Who are Hackers and Why Do They Hack. HackerOne.