Content (update 2025.12)
- | Request for PenTest Quote | PenTest 報價咨詢
- | What is PenTest? I 滲透測試是什麽?
- | PenTest is for what & when? | 滲透測試是針對什麽?何時進行?
- | How to Conduct PenTest | 滲透測試怎麼做 ?
- | Further Reading | 延伸閱讀
Quote For Penetration Testing (PenTest)
Please use the following form to provide us your requirements for quote; Or you may go CONTACT US page to reach us if you need assistance.
請填寫以下表格提供您的項目需求,我們將爲您准備報價;如需幫助,請點擊聯繫我們。
What is PenTest ?
- Penetration testers mimic the activities of cyberattackers, but in a controlled manner.
- Like attackers, penetration testers use tools to gain additional information about the characteristics of the network, systems and applications; and to exploit vulnerabilities.
- Penetration testing can be technical or it can include social engineering and similar methods.
– Ron Hale, Ph.D., CISM (former chief knowledge officer of ISACA)
Penetration testing is a kind of security assessment that encompasses the vulnerability assessment and verifies if vulnerabilities of a system can be exploited by attackers. Penetration testing is a manual process which requires expert knowledge to design test cases and select appropriate techniques or tools to identify logical vulnerability that cannot be identified through automated tools.
source: section 2.1, Practice Guide for Penetration Testing, version 1.3
PenTest is for what & when ?
| WHAT | WHEN |
|---|---|
| (i) for all Internet facing websites and web applications | – before production – before major enhancements and changes – conducting periodic checking (once every two years) |
| (ii) for all servers and devices deployed in systems containing or handling classified information | – conducting periodic checking (once a year) |
| (iii) according to the result to security risk assessment | – conducting security risk assessment |
source: section 1, Practice Guide for Penetration Testing, version 1.3
How to Conduct PenTest
Our Penetration Testing services fully adhere to the Hong Kong Government’s Practice Guide for Penetration Testing, ensuring compliance with official security standards.
In spite of different types of penetration testing, there are some common activities that should be performed before and after penetration testing. Typically, they can be divided into the following steps:
Further Reading
Test Cases
The Definition of Test Case
In Penetration Testing, test cases refer to a set of structured, detailed steps and procedures designed to systematically validate the existence of specific security vulnerabilities or weaknesses in a target system, network, or application.
The Importance of Test Case
- Ensure Comprehensive Coverage: It is help to avoid missing critical test areas, ensuring the test is systematic and complete.
- Guarantee Consistent Results: Different testers following the same steps can achieve repeatable and verifiable outcomes.
- Improve Efficiency: They provide a clear framework that guides the testing process in an organized manner, saving time.
- Facilitate Reporting: The detailed records from test cases serve as direct evidence and source material for writing the final penetration test report.
PenTest Techniques
A variety of techniques are being used during penetration testing. The most common techniques are listed as follows:
- Passive research: Gather system configuration information of an organisation from public domain sources such as domain name server (DNS) record and name registries;
- Operating system fingering and network mapping: Identify the entire network configuration being tested;
- Network sniffing: Capture data as the data traffic flowing through a network;
- Spoofing: Use one machine to pretend to be a legitimate machine to capture information;
- Trojan attack: Install a Trojan, malicious software onto the victim’s system through a variety of ways, such as email attachment, to access useful information;
- Brute-force attack: Crack passwords to gain access to systems or applications. It is the commonly known password cracking method or an attack being used to overload a system to prevent it from responding to legitimate requests;
- Vulnerability scanning: Discover weakness of a security system or application for further attack;
- Social engineering: Gather important information of an organisation. An attacker usually targets employees within an organisation in an attempt to gain sensitive information; and
- Dumpster diving: Find information about an organisation just by examining the trash and can be a part of the physical penetration testing.
PenTest Tools
Penetration testing tools can assist penetration testers to improve the efficiency of penetration testing process. In general, the penetration testing tools mainly serve two purposes:
- Gathering target system/application information; and
- Performing attacks based on specific vulnerabilities.
- Some penetration testing tools can be used for identifying existing vulnerabilities and launching attacks.
- Whilst some tools are designed to perform vulnerability scanning, they would not perform real attacks.
The choice of penetration testing tools depends on:
- Type of penetration testing, e.g. network penetration testing or application penetration testing; and
- Preference or professional judgement of the penetration tester.
You must be logged in to post a comment.