Penetration Testing Introduction: Scanning & Reconnaissance by Nicholas Handy


Learning Goals

  • What pen testing is and how it is used
  • Penetration testing methodology
  • Penetration testing environment — kali linux & virtual machine tools
  • Information gathering — scanning & reconnaissance
  • Information gathering tools — nmap, wireshark, google dorking etc.


Reminder: Attacking systems you do not have permission to attack is illegal. Only perform attacks on machines and networks you own or have permission for.

Current State Cybersecurity

Over the past year or so hacking has gained mainstream attention from some high profile attacks. Theses attacks such as the Equifax data breach, Wanna Cry ransomware and many others have cost companies millions of dollars. With so much attention placed on data breaches, questions have been brewing of how safe user data is with each company. As long as these attacks keep happening companies will have to place more and more emphasis on their security procedures. Within cybersecurity penetration testing (pen testing) is one of the ways of mitigate attacks by plugging up security holes.

What is penetration testing?

Penetration testing is a process used by companies to test the security of their software and infrastructure. In penetration testing, a group of security professionals act as attackers in order to identify holes before hackers do. A pen tester’s goal is to provide information to the company about their vulnerabilities. In the world of security this is commonly referred to as red teaming. On the other side of penetration testing the company’s security team, the blue team, figure out what areas of their security need to be strengthened.

Is a Penetration Tester Just a Hacker?

A major difference between a malicious hacker and pen tester is permission and reporting. Most companies provide a scope of areas where they would like the pen tester to focus. These could be specific domains, networks, systems etc. Pen testers also record any vulnerabilities found during their testing and can suggest solutions to patch the issue.

Types of Penetration Testing

The types of penetration testing can vary depending on the technology. Here are some of the common types of pen testing:

  • Network Testing
  • Mobile Application Testing
  • Web Application Testing
  • Cloud Testing
  • Social Engineering Testing


Even though each area of penetration testing have differing tool sets, they share a common methodology.

Penetration testing methodology

  1. Scanning and Reconnaissance — Getting to know the target using passive methods like researching publicly available information and network scanning.
  2. Threat Modeling — A description or model of all the security concerns and why they should be resolved.
  3. Vulnerability Analysis — Identifying vulnerabilities and determining their severity.
  4. Exploitation — Gaining access by breaching security of a system or finding an bug to exploit in the software.
  5. Post-Exploitation Reporting — Detailing the vulnerabilities found and providing information on potential impact on the company if exploited.

With the general methodology laid out, let’s jump into the initial steps to get up and running with penetration testing.

Introducing the environment

Cybersecurity like other technology fields has an abundance of tools available. To make this simpler Kali Linux was developed to bring together the most common tools in one OS environment. Kali Linux is a debian based linux system that can be used in a virtual environment such as Virtualbox or VMware. With virtual machines we can make a closed off network of multiple machines. This is a great way to practice attacks without opening up your own machine to attacks.

Virtualbox and Kali Linux testing environment

Going deeper into Scanning and Reconnaissance

Unlike the movies hackers don’t just start typing and automatically get access to a system. Scanning and reconnaissance is a key part of an attack in that it can detail vulnerable areas of a system. The first step of information gathering can be as simple as a quick google search.

One way to think about information gathering is like breaking into a house. There’s no need to break down the door to get inside when there is a window open. In information gathering we want to find if the company we are testing has left any doors unlocked or maybe a window open.

What are we looking for?

Information gathering starts in a passive way. We want to get clues on what the company architecture looks like and if there is any routine we can map out. This comes down to finding some key publicly available information such as:

  • Email addresses
  • Phone numbers
  • System information
  • Job Postings
  • Resumes
  • Contact Names


Nmap is a powerful command line scanning tool. Using nmap network architectures and open ports are easier to locate. As a command line tool the main interaction with the tool is based on giving the correct commands for the job. To get a better understanding of how nmap could be used, let’s run through a couple commands.

To do a simple scan we can just provide an address to scan.

We will use which gives permission for scanning. Make sure you have permission before you scan a system you do not own.


The results show the open ports of the target. With this simple scan you could identify if any vulnerable ports are open. By adding additional modifiers we can focus on certain aspects of the targets.

nmap -A

In this case the nmap scan also finds the OS type, version and any open ports. Nmap is a powerful tool with many more commands to do specific tests. Checkout nmap’s official website for a the learning guide or take a look at the variety of nmap cheat sheets available online.


During a penetration test we may want to monitor what is on the network. To do this we can use Wireshark which is a network monitoring tool. Wireshark has shows collects information on all network traffic by providing information on IP addresses, protocols, requests etc.

By filtering the network information we can focus on particular systems and interactions on the network. In a work setting we could filter for any network traffic going to YouTube or Netflix to identify how heavily they are used during work ours. In the same way during a penetration test we could identify what systems.

Google Hacking (a.k.a Google Dorking)

Even though their are great tools for doing scanning and recon, we can just use google to find the same information. Many security issues happen because of misconfiguration of software or accidentally opening information up to public. By querying google with specific strings we can find information not available on a website itself. Using these searches we can find files with user information, passwords, vulnerable servers etc. These search queries are being included into more scanning tools so that this process of searching for these files is automated.

Checkout the Google Hacking Database to see some current examples.

Up Next — Exploitation

The exploitation phase of a penetration test also utilizes its own set of tools. The go to tool for many penetration testers attacking other systems on a network is the Metasploit Framework.

The Metasploit Framework

The Metasploit Framework is developed by Rapid7 and comes pre-installed on Kali Linux. Metasploit has a database of exploitation and payloads built-in that updated regularly. Check out our other article — Kali Linux & Metasploit: Getting Started with Pen Testing — to learn more about using metasploit.

Opening the metasploit console

Additional Resources

There are many courses out in the wild that cover penetration testing. Below are a few options that I have found to be good investments of time. If you have any suggestions then comment below!


Offensive Security Certified Professional Certificate — A very in depth course on penetration testing provided by the developers of Kali Linux.


Grey Hat Hacking: The Ethical Hacker’s Handbook — Introduction to both hacking and penetration testing.

Penetration Testing: A Hands-On Introduction to Hacking — A good introduction to the main concepts of pen testing with hands-on exercises.


PentesterLab — Provides walkthroughs and vulnerable machines to learn and practice on.

Originally posted:

January 25, 2019


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Tammie Houston
Tammie Houston
3 years ago

Wow, I didn’t know that cybersecurity uses a different testing methodology like pen-testing, scanning, and reconnaissance. I love that you mentioned in your article that it is a must for every company to test their security through different software and infrastructure. I’m thinking if my sister already knows about it or if she’s already applying it in her small business, I’ll be sure to check it up with her. Cheers!

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023