Talk:Penetration test

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
WikiProject Computer Security / Computing  (Rated C-class, Mid-importance)
WikiProject iconThis article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
C-Class article C  This article has been rated as C-Class on the project's quality scale.
 Mid  This article has been rated as Mid-importance on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computing.

External Links Revisited[edit]

This page has historically been used to boost vendor credibility by inserting overt or covert references, linking back to a vendor page. Currently there are two examples linking to vendor pages. The two examples below have been added in historically by vendors. One is a link to a vendor's service catalogue, the other to a vendors training courses. Neither are WP:PRIMARY links for the term "security audit". They are simply advertising links to vendor pages. They provide no content to the page and a reader clicking on them is not presented with additional information on the subject, only vendor sales material. These links should be removed entirely, and replaced with a link to the wiki page for "security audit", which does provide additional information useful to the reader. (talk) 09:35, 31 August 2014 (UTC)

The offending links are:

  • 3. "Penetration test". Network Security Services. Retrieved 16 April 2012.
  • 4. "Corporate IT Security Courses". eLearnSecurity. 16 April 2012.

Web Application Testing vs Penetration Testing[edit]

Disagree It's not right. Web Application Testing is a subset of Penetration Testing. Some examples are internal penetration testing and wireless penetration testing. — Preceding unsigned comment added by (talk)

I agree. Any means by which someone can gain unauthorized access to a system or confidential information is an exploit. Pen-testing, ideally, should not just examine static open ports and services but do so under operational conditions. Today, an exploit can be temporal, such as a confidential file attachment being sent via a Web-based email client, that would not show up in a conventional static pen-test. —Preceding unsigned comment added by Schratboy (talkcontribs)

Agree - penetration testing of web applications is definitely a component of penetration testing, and the page isn't big enough to warrant standing on its own. njan 15:27, 22 April 2007 (UTC)

I disagree Pen Testing is not limited to Web Application testing.

I agree If Web Application Penetration Testing is a subset of Penetration Testing, simply include whatever is the "main point" as a paragraph im this article. Thomas Yen 16:18, 27 July 2007 (UTC)thomasyen

Not Sure Maybe it would be better to refer to penetration testing in the general capacity and split Network/Infrastructure testing and App testing into two separate articles? —Preceding unsigned comment added by (talk) 10:10, 1 June 2008 (UTC)

Disagree I think we need a re-org. The Penetration Test article is about what a Penetration Test is. In its 'Classic' form this means a network test. Maybe it would be a good idea to have a 'Security Testing' category so we can have different articles for different types of testing. That way app testing can be split into its own article. The primary reason I'm against App testing being part of it is that other forms of security testing could legitimately end up in this article if it's kept in. —Preceding unsigned comment added by (talk) 00:04, 21 August 2008 (UTC)

Disagree I agree with the previous comment, that pen testing and app testing are parts of a bigger 'security' category, along with honeypots, etc. At it's purest, pen testing is about finding a way into a system, whether that system is a server, a web application, or an entire network. If I can walk into an office and plug my laptop into a spare network point, then that is a successful penetration test - not in the classic 'find a hole through the firewall' sense but certainly to a modern security officer it's just as dangerous. JohnBBrookes (talk) 12:59, 14 July 2009 (UTC)

Redirect The precise meaning of the terms depends on the context. "Web Application Penetration Testing" is a subset of both "Web Application Testing" and "Penetration Testing", but "Web Application Testing", as such, is distinct from "Penetration Testing". (Comprehensive testing of a web application obviously includes a lot more than just validating and verifying security features.) — Preceding unsigned comment added by (talkcontribs) 16:11 2012-04-13 (UTC)

External Links[edit]

I think I've cleaned up the links to the point where we can remove that "please clean up external links in this article" header. Any complaints? Random name (talk) 09:13, 2 February 2008 (UTC)

I've gone over all the remaining links, formatting those used as reference, removing the rest as promotional. --Ronz (talk) 03:45, 16 August 2008 (UTC)
You seem to be treating all external links whatsoever as being "promotional," even when said links are to non-profit organisation providing free copies of the methodologies explicitly discussed in the article. Can you explain this, without simply citing WP:SPAM? I'm tempted to revert some of your edits, but will wait to hear from you. Random name (talk) 07:09, 16 August 2008 (UTC)
Actually, I guess I can understand removing the linkfarm. It's a shame, as those really are the best training tools out there, and they were free, but I guess Wikipedia doesn't intend help people in that way - it just wants to hold definitions? I'm still puzzled as to why the links to open source methodologies such as the OSTTM were removed - further to not being a repository of links (useful and free or not), does Wikipedia also simply prohibit linking to discussed material? Random name (talk) 07:18, 16 August 2008 (UTC)
"You seem to be treating all external links whatsoever as being 'promotional'" Pretty much, though I should have probably referenced WP:EL rather than WP:SPAM. The links weren't there as references. They don't belong within the article body. I don't think they are relevant enough to the article to be moved to and External links section. See also WP:NOT#LINK. --Ronz (talk) 01:59, 17 August 2008 (UTC)
Ah right - having properly read WP:EL, I can see what you mean. Cheers for the response! Random name (talk) 19:02, 18 August 2008 (UTC)
Sorry about the confusion there. --Ronz (talk) 19:17, 18 August 2008 (UTC)

Stuff at the end of Methodologies[edit]

What is this random methodology supposed to be from?

"Methodology for penetration testing :

  1. port scanning
  2. task to perform for a thorough port scan
  3. system fingerprint
  4. service probing
  5. foot printing"

Is this from one of the methodologies cited in the article? It is something generic which has been made up by various editors? I'd suggest it either needs to be clearly from one of the methodologies discussed, or it needs removing. Alternatively, maybe it just needs to be described as "the key tasks in a pen testing methodology?" —Preceding unsigned comment added by Random name (talkcontribs) 11:55, 29 February 2008 (UTC)

Having had no comments back, I've removed it - the section is meant to discuss formal methodologies, rather than describing a generalised methodology for penetration testing infrastructure. Random name (talk) 23:09, 12 July 2008 (UTC)

Tiger Scheme[edit]

Does anyone have any links to coverage / info on the Tiger Scheme? I can't find anything much out there, apart from the rather minimalist page of the scheme itself. I'm not even entirely sure it deserves to be listed as "one of the main schemes" for certification. Random name (talk) 19:17, 18 August 2008 (UTC)

Hi, I tried adding some more detailed info on Tiger but for some reason the edit didn't go ahead.

Can we get some info on non-UK schemes too? —Preceding unsigned comment added by (talk) 00:01, 21 August 2008 (UTC)

Yeah for sure, I don't know any of them, but I'm happy to read up on them if someone posts the names. (I see one on the article page - will google it.) Random name (talk) 22:33, 1 September 2008 (UTC)
On this subject, isnt the GCHQ CHECK scheme now defunct/no-longer updated? I thought they were looking for industry sponsorship (i.e. for commercial entities to run the scheme, but nobody stepped forwards?). Shouldnt this be removed or moved to a "historical importance" section? (talk) —Preceding undated comment was added at 18:43, 21 September 2008 (UTC).
CHECK was never completely closed - new leaders / members were still being certified, however no new "green light" companies were being appointed. This has just changed as of the 18th, and companies can now start applying again.
See Random name (talk) 11:06, 22 September 2008 (UTC)

Merger proposal[edit]

The following discussion is closed. Please do not modify it. Subsequent comments should be made in a new section. A summary of the conclusions reached follows.
The result was merge into Penetration test. -- Random name (talk) 19:34, 22 January 2010 (UTC)

I'm thinking that the Ethical hack page, or at least whatever content is deemed useful should be merged into here - can't see why there's a separate ethical hack page myself. Any thoughts? Random name (talk) 09:33, 1 May 2009 (UTC)

I also Believe That this is a very good proposal. The information that is on the Ethical hack page is very much related to the topic of penetration test's. It almost seems like they are the same article just with different spins on them, this could be the reason why they are separate. —Preceding unsigned comment added by Kadoskracker (talkcontribs) 16:25, 4 May 2009 (UTC)

I think there are significant differences between ethical hacking and pen testing - but you'ld never know it from reading the 'ethical hack' page. If anybody would like to rewrite it to show what the differences are, it would be better than getting rid of it altogether. JohnBBrookes (talk) 13:05, 14 July 2009 (UTC)

I'd defy anyone to quantify the difference between the two. The biggest issue I see having proposed this is that the ethical hack page is an entirely unreferenced methodology, possibly based off whatever methodology people learn on the CEH course. I'm no longer sure what to do with the ethical hack page. Random name (talk) 16:28, 20 July 2009 (UTC)

Ok, I haven't touched this in a while, but am now thinking a line needs to be drawn under it. I honestly don't see anything left in the ethical hack article to bring across, so I'm going to get a redirect set up and lose the OR left on the ethical hack page, unless there are objections. :) Random name (talk) 10:46, 18 October 2009 (UTC)

The two can be clubbed under the wide umbrella of VAPT - Vulnerability assesments and penetration testing. this is a standard used to certify companies —Preceding unsigned comment added by (talk) 08:02, 13 January 2010 (UTC)

I see a distinction between the two so I'll attempt a comparrison of the two terms. Penetration testing is narrowly the attempt to breach a system. Ethical hacking can be a penetration test, but it can also be the study of potential attacks and controls to mitigate the risk of those attacks. To draw a comparrison, I see this as similar to the distinction between cryptography and cryptology. Cryptology includes cryptography [the use of cryptographic techniques] but also includes cryptanalysis [the study of attacks against cryptagraphic techniques]. Having said that, I don't think that distinction is reflected in the articles. talk 20:47 18 January 2010 —Preceding unsigned comment added by (talk) 19:47, 18 January 2010 (UTC)

There's no source material I can find on this, appears to be an opinion, which is fine, but not a reason to keep the separate articles. Random name (talk) 19:17, 22 January 2010 (UTC)

The above discussion is closed. Please do not modify it. Subsequent comments should be made in a new section.

Adding Pen Test Framework Link, Thoughts?[edit]

I added the PTF link into methodologies but forgot that I'd added it previously and that it had been removed by User:Random Name. I think the link is useful (as I'm a penetration tester and have used it in the past as a tools reference) but don't want to put it back in if it's been removed and make it look like spamming (FWIW I'm not connected to the PTF). The proposed text would be:

In addition to formal methodologies, other frameworks such as the Penetration Testing Framework provide more detailed (if informal) guidance on typical penetration test processes.

Is that reasonable? —Preceding unsigned comment added by (talk) 09:49, 23 October 2009 (UTC)

Firstly I'd say it's not really a methodology, per se, it's more of a huge collection of links and some tips. A useful resource for testers, but not a methodology. As unintuitive as this might seem, wikipedia is not a collection of useful links, so I don't see a reason to include this. Secondly, I'd note that even if it was a methodology, there's no way it has the noteworthiness of say, OSSTMM. Random name (talk) 08:29, 24 October 2009 (UTC)
Agreed. Please see WP:Links before adding what you think are good links. People have been discussing this for several years and have come up with some guidelines of what makes a good link and what doesn't. --Walter Görlitz (talk) 20:55, 18 January 2010 (UTC)

Removing books?[edit]

The following entries were removed from the Further reading section:

  • Kimberly Graves; Official Certified Ethical Hacker Review Guide, Sybex Publishing, 2006. ISBN 978-0782144376
  • Michael Gregg; Certified Ethical Hacker Exam Prep, Que Publishing, 2006. ISBN 978-0789735317

with the comment Removed the two exam-specific books - doesn't seem appropriate, especially the official one. I'm just curious why they are not appropriate? Will add back if no further rationale can be provided. --Walter Görlitz (talk) 01:04, 23 February 2010 (UTC)

Sure thing - books being put forward really ought to be "vendor neutral" if you will - I'd no sooner want a SANS guide listed than an CEH book. To be honest, I'm inclined to question whether there is any need for a book section at all; everyone is going to come along and add in their randomly favorite books, authors will drop by and add their own, etc. I'll have a poke around and see if there are any firm guidelines on book lists. In the meantime, I would really suggest that books dedicated to the requirements of particular certifications not be added. Random name (talk) 18:44, 23 February 2010 (UTC)

Quite confusing article and thin on details[edit]

penetration testing is very ambigious topic and this page does not really clarify it. Also, certifications list is very out of date. I've been assembling a better list in Template:Computer_Security_Certifications here. Truekonrads (talk) —Preceding undated comment added 11:09, 20 May 2010 (UTC).


Repeatedly reintroducing unsourced content into the article, years after it's been tagged, is a Bad Thing. Either back the content up with a source, or get rid of it. bobrayner (talk) 20:07, 14 December 2012 (UTC)

No it's not. There are a great many testing articles that have been tagged for years. Some where it's the whole article. But to oblige you, I'll delete everything that's been tagged since that duration and everything else that should be tagged that hasn't been. Feel free to revert that. --Walter Görlitz (talk) 20:37, 14 December 2012 (UTC)
And While I'm in there, I'll remove all of the self-referenced material since the article has been tagged for that as well. I'll also tag the material that's left with a citation needed as well and then you can come along in eighteen months' time and delete that too. --Walter Görlitz (talk) 20:39, 14 December 2012 (UTC)
So much better. All that unsourced fluff is gone. I trust that this is a much better article now. Thanks for watching over such an important topic. Please raise any further concerns as you have done here. --Walter Görlitz (talk) 20:50, 14 December 2012 (UTC)

Minor Changes[edit]

I went ahead and added several more certifications in the certification section, including appropriate references. I also added citation information to the section regarding OS Distributions. In doing so, I have also removed the request for references for that particular section. I'll try to find more information as time permits. Aneah|talk to me 14:39, 17 May 2013 (UTC)

Question Regarding Penetration test Article[edit]

I can see why the information regarding the various certifications was removed in regards to possible copyright violations, that is understandable. I do not understand why the citations and information regarding the various operating systems was removed, especially since it had been sourced. Please help me to understand the reasoning regarding this. Thanks, Aneah|talk to me 14:50, 17 May 2013 (UTC)

I noticed that you added links, but they were not really references. They were links to the product's pages on the Web. How is that a reference to anything other than that they exist, but the links to the product articles did that, which were also removed. What we need is a link to indicate that there are such OSes, not to advertise those OSes. Walter Görlitz (talk) 16:12, 17 May 2013 (UTC)
Using/reviewing WP:PRIMARY does allow for the use of a primary source. Since the article is on a general topic and not a particular topic, I used the primary source of those specific product pages for the particular descriptions of certifications which were not copied from the source listed as the reasoning for the reversion, as evidenced by reading <>, and presented with specific requirements defined by the particular vendor. I felt that was necessary to include it, to define the certification requirements, examples which include varying requirements. While the BCS article does state that there are certifications, it does not specify the specific requirements for some of the certifications, which for the most part, were vendor-neutral. The first paragraph, that existed and which was reverted to in regards to certifications, I did not know was a copyright violation, as it had already existed and I did not check the source. The other certifications and associated requirements were summarized from the product pages associated with those certifications. Those several certifications were gathered from the bottom ofInformation security page.
As for the inclusion of specific distributions, I felt that since those were defined within the article, those should be listed and each of the sources listed, while primary sources, does indicate that the distribution is a penetration testing distribution, which allows, under WP:NOR, for the reader to go to those articles and summarize that there are several defined penetration testing distributions out there which, are defined by the publishers as being penetration testing distributions. One quick reference that I had glanced over, was a published opinion piece on a Top 10 list of penetration testing distributions. I felt that an opinion piece would not have been a suitable reference. However, if you feel that is such, then feel free to include it. Personally, I feel that any source, is better than no source at all.
This evening, in my free time, I will attempt to source more information regarding the topic. But I feel that the material included served as an example to readers of penetration testing and requirements, as well as distributions that existed, all of which were open source and not requiring payment to use. Aneah|talk to me 17:38, 17 May 2013 (UTC)
PRIMARY does allow for the use of primary sources. A valid use of PRIMARY would be if a penetration testing expert were to describe a new method. What you have borders on WP:SPAMLINKs
This is the combination of your edits. The links you included as various "references" were
We've already concluded that some of the material in the edits was a copyright violation. I'm sorry if I made the assumption that it all was. If you think that there's material in there that isn't a copyright violation and that actually provides encyclopedic information, feel free to add it back in. When you say "it had already existed", I'm not sure what you mean. Describing the top 10 list of penetration testing distributions and referencing that list, assuming it's from a reliable source, would be an even better addition though. Walter Görlitz (talk) 18:21, 17 May 2013 (UTC)
I think that Walter Görlitz was right to remove that content.. but the article now looks like it's full of holes. Can we work together to build better content? Certs/accreditations would be an area where it's relatively easy to write new content, but right now that section just has a brief mention of CPT. bobrayner (talk) 23:32, 19 May 2013 (UTC)
Someone removed the certifications well before I did. It would be best to discuss them from a secondary source though. Walter Görlitz (talk) 01:25, 20 May 2013 (UTC)

Changes from Sydney[edit]

Anon from Sydney made a number of changes. The largest was taking the referenced lede sentence

A penetration test, occasionally pentest, is a method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats

and replacing it with something that is not supported with the reference. Anon refuses to acknowledge how this is not correct and has been edit warring over this. I'm done and would like Sydney to respond or another editor to fix it. Walter Görlitz (talk) 02:28, 16 January 2014 (UTC)

I checked on the links of the deleted references, but I see very little value in those. I have to agree with anon, those references are not actually relevant to this article. --K0zka (talk) 15:19, 31 August 2014 (UTC)


There are a cluster of formal certification schemes, and yet this page only lists one. Surely the reader would be better served with an unbiased, more comprehensive list? The list is not an onerous one, with less than a dozen candidates, many of which seem to have an existing wikipedia page. I think this would be better dealt with by the creation of a new "penetration testing certifications" page, and a reference to it, rather than having a single vendor certification listed. (talk) 10:08, 31 August 2014 (UTC)

Someone removed the others several months ago because they were sourced only by themselves but they could exist here.
As for your removal of WP:PRIMARY sources and calling it a WP:SPAMLINK, stop it. Walter Görlitz (talk) 16:18, 31 August 2014 (UTC)
The nature of penetration testing means that most sources will be businesses in the industry. It's no big deal. bobrayner (talk) 19:59, 31 August 2014 (UTC)

MrOllie, why did you remove the section with the list of certifications? A list of certifications covered by secondary (non-business) sources does not a directory make. (talk) 20:40, 16 May 2017 (UTC)

What is the correct definition of "Penetration testing" ?[edit]

Hello Walter,

I do understand that you remove the (not wiki standard) comments added recently. I do not understand how just removing it instead of leaving a (wiki standard) comment about the issue that needs to be resolved?

Copy of comment: It seems like the term "Penetration test" has been hijacked by commercial organisations. Just like "hacker" has been turned into 'criminal' by the media and the term "Fresh" is now used by the food industry for processed packaged food. "Penetration Testing" used to be used only for white-hat attack simulation, to test how far attackers can gain control, thus only black box, to get a realistic picture of how resilient the target organisation is. This also means that unlike vuln-testing there should be no technical target scope limitation like only defining a IP subnet for testing, but the target is the organisation by any means which a black-hat attacker could also gain access/penetrate. Actual Penetration testing is still the only method available to close the visibility gap between the relative narrow scope standardised(and thus outdated, due to version release cycles) audits and how actual creative attackers use the latest methods to try gain access.

The description below[unreliable source?] seems to be using a mix between pen-testing and vuln-testing(which is not the same as automated vuln-scanning). Penetration tests are often not a component of a full security audit, but requested by IT managers who just want to make a clear point to C-level management that the subject 'Security' needs some budget allocation to give it the needed attention. C-level most often doesn't understand why all those endless vulnerabilities need to be fixed, but do get the message when a report shows how some attacker can actually gain control over systems and data.

Please correct the article below to prevent further protection degradation, due to a false sense of security, by misuse of terminology..

kind regards, — Preceding unsigned comment added by 2001:980:6C7D:4:95FB:81F4:FB26:6A26 (talk) 09:03, 7 September 2015 (UTC)

Re-structure of Tools & Automated Testing Tools[edit]

I am new to this so if I have this process wrong please point me to the correct document.

I believe these two sections should be merged into one taking the reader through the different steps of testing:

  1. Scan the network for hosts
  2. Scan each host for services that are running and could be vulnerable
  3. Attempt to exploit the services
  4. Pivot and start again

Then discussing the tools that are available within each section finishing up with the Specialised OS distributions.

I suggest the removal of the discussion on vulnerabilities, but when discussing step 2 add references to Cross site scripting, SQL Injection, Buffer Overflow etc.

Add the “Payload” discussion into step 3, exploitation.

Matludlam (talk) 19:43, 30 December 2016 (UTC)

I have no problems merging the sections, but is the list of tools required?
Also, it doesn't sound like you're adding references to those articles, you're hoping to link (wiklink) to them. Walter Görlitz (talk) 08:04, 31 December 2016 (UTC)

As a potential reader of this item I think I would want a list of tools. To know that NMAP can be used to work out what machines are on a network and the ports that they have open is of interest to me, as is the fact that Metasploit is a tool to actually do the exploitation and so on. Virtually all of these tools have references on Wikipedia anyway so my intention was to reference those existing items.

Do you agree?

Can you either tell me or point me to the page that describes how this text should be developed. I am assuming I don't just edit the live item; that there is some discussion before?

Thanks Matludlam (talk) 10:51, 2 January 2017 (UTC)

No. Wikipedia is not a how to site (see WP:NOTHOWTO). It would be acceptable to indicate that there are tools that can do this sort of activity, but not indicate what it does. It goes beyond the scope of pen testing to describe how to discover vulnerabilities. When you do that, you place Wikipedia in a position of being sued. Imagine a defendant in a case by a large corporation that was hacked indicating that all that he or she was doing was following the publicly available information on how to do x or y and pointed to this article. That is why on this specific topic we should remain vague and do a lot of hand waving. Walter Görlitz (talk) 19:29, 2 January 2017 (UTC)


The text currently shown in the History section appears to be a direct copy and paste from the Book The Most Indepth Hackers Guide (Dawood Khan).[1] I have flagged the section with the copypaste cleanup tag & would recommend that the section be rewritten and referenced appropriately. Laatu (talk) 02:21, 3 December 2017 (UTC)

The book was published 2 December 2015, but I have tracked down the edit to the History section to 4 December 2013. Since the Wikipedia publication predates the publication of the book by almost 2 years, I assert that Mr. Khan copied from this article, and not the other way around. In light of that, I suggest removing the copypaste cleanup tag. For ease of verification, here is a link to the diff: Gordon Cook (talk) 15:20, 12 October 2018 (UTC)


  1. ^ Dawood Khan (2 December 2015). The Most Indepth Hacker's Guide. pp. 135–. ISBN 978-1-329-72751-9.