Penetration Testing for System Security: Methods and

Practical Approaches
WEI ZHANG∗ , Hainan University, China
JU XING∗ , Hainan University, China
XIAOQI LI, Hainan University, China
Penetration testing refers to the process of simulating hacker attacks to evaluate the security of information
systems . In this context, the paper introduces the fundamental concepts and overall procedures involved in
arXiv:2505.19174v1 [[Link]] 25 May 2025

penetration testing, while also analyzing the commonly used techniques and tools. Furthermore, it discusses
the critical role and significance of penetration testing in the broader field of network security. The research
aims not only to clarify the theoretical foundations of penetration testing but also to explain and demonstrate
the complete testing process, including how network system administrators may simulate attacks using
various penetration testing methods. Methodologically, the paper outlines the five basic stages of a typical
penetration test: intelligence gathering, vulnerability scanning, vulnerability exploitation, privilege escalation,
and post-exploitation activities. In each phase, specific tools and techniques—such as Nmap and Metasploit—are
examined in detail, along with practical guidance on their use. To enhance the practical relevance of the study,
the paper also presents a real-life case study, illustrating how a complete penetration test is conducted in a
real-world environment. Through this case, readers can gain insights into the detailed procedures and applied
techniques, thereby deepening their understanding of the practical value of penetration testing. In addition,
the study analyzes common challenges and corresponding solutions encountered during testing, and provides
guidance on how to effectively interpret and report test results. Finally, the paper summarizes the importance
and necessity of penetration testing in securing information systems and maintaining network integrity, and
it explores future trends and development directions for the field. Overall, the findings of this paper offer
valuable references for both researchers and practitioners, contributing meaningfully to the improvement of
penetration testing practices and the advancement of cybersecurity as a whole.
Additional Key Words and Phrases: System Security; Penetration Testing; Network Security; Information
Security

1 INTRODUCTION
With the continuous development of technology, computer communication and network infor-
mation technology have rapidly advanced, bringing significant convenience to people’s lives and
work. The progress of computer communication technology has enabled faster and more efficient
information exchange among individuals. According to the 43rd "China Internet Development
Statistics Report" released by the China Internet Network Information Center (CNNIC) in December
2022, the number of Internet users in China had reached 829 million by the end of 2022, with a
penetration rate of 59.6%, marking an increase of 3.8% compared to the end of 2019[3][2]. However,
alongside these advancements, network security incidents have occurred with increasing frequency
in recent years.[17] These issues are primarily caused by security vulnerabilities, outdated security
equipment, and improper usage behaviors. Moreover, as the volume of information transmitted
through the network continues to grow, the demand for robust network security protection is also
rising. Even a minor error can trigger serious consequences, such as unauthorized data modification,
information theft or loss, system misauthentication, or denial of service. In addition, some individ-
uals or organizations driven by illegal intentions exploit various malicious attack techniques to
destroy, compromise, or steal information[21] , resulting in significant damage to the state, society,
∗ These authors contributed equally to this work.

Authors’ addresses: Wei Zhang, Hainan University, Haikou, China; Ju Xing, Hainan University, Haikou, China; Xiaoqi Li,
Hainan University, Haikou, China, csxqli@[Link].

, Vol. 1, No. 1, Article . Publication date: June 2025.

and targeted entities, sometimes even extending to political interference [27]. It is essential to
recognize that the development of applications on the internet requires the collective participation
of society and is becoming an irreversible trend. However, due to different user purposes and
perceptions, information usage methods vary, adding complexity to information security and often
leading to inadequate protection or mismanagement [24].These shortcomings contribute to the
frequent occurrence of security incidents and instability in social network environments, which
pose serious threats to social progress[23] . In response, the field of information security has seen
substantial progress, with a well-established body of knowledge and the development of numerous
online tools and application software. This paper seeks to offer penetration testers a practical and
intuitive approach to penetration testing. Specifically, it introduces an experimental testing platform
and tool framework that can serve as a valuable reference for practitioners. Through this research,
our objective is to improve the capabilities and efficiency of penetration testers, thus improving the
protection of enterprise information systems. Furthermore, we explore the latest trends and future
directions in penetration testing, helping testers remain agile and innovative amid the evolving cy-
bersecurity landscape[31]. As a crucial component of network security, penetration testing enables
organizations to evaluate their security posture, uncover hidden threats, and raise awareness about
security best practices. With the continuous evolution of network technologies and the increasing
sophistication of cyberattacks[20], penetration testing methods are also advancing. Ultimately, the
objective of penetration testing research is to develop new techniques to confront emerging threats,
thereby increasing the accuracy and effectiveness of testing efforts and contributing to stronger
network defense[8]. Globally, the development of the network and information security industry
has been dominated by developed countries, particularly the United States, which, with its advanced
technologies, a complete industrial ecosystem, and national network security policies, hold 80% of
the global market share. The ongoing battle between defense and attack in the field of network
information security has evolved into monitoring and real-time interception of unknown attacks,
countering based on data and intelligence, large-scale real-time services, emergency responses, and
online sharing of security expert resources.[18][6]
With the continuous advancement of information technology and the constant updating of
information processing technologies, the scope of network information security issues continues
to expand, and the volume of information requiring processing is steadily increasing. To ensure
network availability, it is essential to constantly monitor both known and unknown attacks, which
includes signature-based detection and anomaly detection. To identify or block an attack, one
must first analyze the network connections, data transmissions, and requests made. For smaller
networks, security monitoring is relatively straightforward, but for large networks, real-time data
analysis is required to detect vulnerabilities and attack patterns, avoiding the impact of zero-day
vulnerabilities.
With the widespread application of cognitive computing, particularly in mobile and social
cloud computing environments, enterprises need to seek new security solutions to tackle these
emerging security challenges. Currently, major enterprises are integrating AI technologies into
next-generation network security solutions. However, it is foreseeable that AI will not replace
human security teams in the short term. Most cybersecurity vendors in developed countries, such
as Europe and the United States, are primarily cloud-based, building rapid response teams driven by
threat intelligence, with information sharing as the foundation and intelligence-guided operations
to swiftly counter unknown attacks. [5]
In response to the growing challenges posed by cybersecurity threats, Cisco has proposed a
comprehensive security model based on security information. By integrating Cisco’s extensive
security information ecosystem with the expertise of Tabs’ security information and research teams,
as well as the advanced threat intelligence capabilities of AMP ThreatGrid, this model delivers users

2
timely and actionable threat information and detailed analysis reports. It continuously analyzes
and tracks vulnerabilities and their sources, thereby helping users effectively identify, understand,
and counter potential threats. In parallel with such advancements in enterprise security models, the
application of penetration testing has become increasingly widespread across organizations and is
now regarded as an essential measure to protect information security[1]. As part of ongoing efforts
to strengthen cybersecurity, the following content summarizes the current status of penetration
testing research, highlighting its development trends, practical significance, and future directions.
• Research on Penetration Testing Methods and Processes: Studies focus on using different
methods and processes for penetration testing to provide better testing services and recom-
mendations to enterprises.
• Research on Penetration Testing Tools: Research on the use of various tools to identify
vulnerabilities and weaknesses in systems or applications. Many penetration testing tools
are available on the market, such as Metasploit, Nmap, and Burp Suite.
• Research on Social Engineering: Social engineering is a technique used in penetration testing
that exploits human vulnerabilities, such as trust and curiosity, to attack systems. Research
on social engineering helps companies understand and protect themselves from such attacks.
• Vulnerability Discovery Research: Research on identifying vulnerabilities in systems or
applications to improve the efficiency and precision of penetration testing.
• Cloud Security Research: As enterprises increasingly adopt cloud services, the research on
performing penetration testing in cloud environments becomes more important. This includes
evaluating cloud security and using penetration testing tools and methods in the cloud.

2 BACKGROUND
2.1 Security of Network Information
Information is a complex and abstract concept that can be expressed in various forms such as charts,
data, symbols, numbers, programs, videos, etc. Different forms of information have different formats,
encoding, syntax, and other structural types. Information refers to the content transmitted during
the conversion process from one form or state to another. To ensure the security of information, it
is essential to first understand its characteristics and then implement targeted security precautions.
In computer science, information is typically represented in the form of numbers or symbols and
is communicated and processed through computer networks, storage media, or other transmission
methods. Information can be used to describe the state, attributes, relationships, and behaviors
of things and can support decision-making, communication, control, and other activities[7]. The
concept of information has significant meaning in many fields, including communication, statistics,
information theory, computer science, artificial intelligence, philosophy, and others. Therefore,
it is necessary to summarize the characteristics of various types of information and take corre-
sponding security measures to prevent the destruction of the form, type, and other aspects of the
information[19].
The reliability and integrity of information security require multiple control measures and
protective systems to maintain the original quality of the information. To prevent information from
being destroyed, appropriate camouflage measures must be taken, or special permissions should be
granted to security personnel or devices. This is an important step to ensure the integrity of the
information[33][32].
Network Information Security is a security mechanism established to ensure that information
is not illegally invaded, destroyed, or stolen during transmission over the network. Through
various security protection methods and management measures, network devices, programs, and
information are protected to prevent malicious attacks and ensure the safe operation of network

3
information systems. In addition, information security also protects information and data in
computer systems, networks, mobile devices, and other digital devices, preventing unauthorized
access, use, destruction, tampering, disclosure, and cracking[34] . Information security is the product
of the development of computer technology and is an essential part of modern society. The scope of
information security includes aspects such as computer network security, data security, application
security, operating system security, and physical security.
The goal of information security is to ensure the confidentiality, integrity, and availability of
information. Confidentiality means that information can only be accessed by authorized users or
systems, and not by unauthorized users or systems. Integrity means that information cannot be
altered or destroyed by unauthorized users, ensuring the accuracy and reliability of the information.
Availability means that information must be accessible when needed and cannot be illegally
intercepted or blocked, ensuring the timeliness and reliability of the information. The protection
of these three aspects is the core of information security and helps organizations and individuals
protect their critical information from threats and attacks. To achieve information security, various
security measures need to be taken, including authentication, access control, encryption, firewalls,
intrusion detection and prevention, etc. In addition, security training and education are necessary
to raise user awareness of security, preventing information leaks and security incidents caused by
human error.
Information security is a constantly developing and changing field. With the emergence and
continuous improvement of new technologies, information security faces new challenges and
threats. Therefore, maintaining information security requires continuous research and improvement
to cope with ever-changing threats.
Network information system security refers to the use of technical and management measures
to protect computer networks and information systems from various threats such as unauthorized
access, use, disclosure, destruction, interference, and tampering. It is a critical safeguard for the
reliability, confidentiality, integrity, availability, and controllability of network and information
systems, involving significant interests such as national security, economic security, social sta-
bility, and personal privacy. Network information security requires the joint participation and
maintenance of technology, management, law, and policy. Security is an essential guarantee for
network information systems, and any vulnerability in one part can threaten the security of the
entire system. Therefore, network information system security requires the implementation of
comprehensive security strategies and measures at all stages, including system design, development,
deployment, and maintenance. At the same time, advanced technical measures, such as security
firewalls, intrusion detection systems, and encryption technologies, can improve system security.

2.2 Penetration Testing

Currently, there is no standard definition for penetration testing. It is generally described as a
simulated real-world attack on a specific network or application, involving various variants and
functions. Penetration testing is typically performed by a professional penetration tester or a
security auditor. From a technical perspective, penetration testing is a comprehensive security
examination of a system, both internally and externally, to identify potential vulnerabilities that
attackers could exploit. In other words, it involves evaluating the components of a network security
architecture, including operating systems, communication media, applications, network devices,
physical security, and human psychology.
A simple example of penetration testing is using search engines for testing. In his book *Google
Hacking for Penetration Testers*, Johnny Long shares many tips, such as how to use Google’s vast
database to obtain useful information for cybersecurity professionals and penetration testers; how
to use clues to find target-related information (such as employee contact details, email addresses,

4
etc.); how to identify vulnerable software, how to create a webpage map, and so on. Moreover,
Google can quickly generate a list of the most vulnerable servers worldwide, providing useful
intelligence for trained hackers.
To ensure network security, penetration testing requires both practical operation and overall
planning and design. The typical penetration testing process involves several steps: scanning IP
addresses, identifying vulnerable servers, detecting unpatched operating systems, recording test
results, and writing reports for submission. Throughout the penetration testing process, various
manual and automated methods are used to perform a comprehensive analysis of the system,
increase its vulnerability, and provide useful information to users. If not performed correctly, it can
lead to network congestion, system crashes, intrusion detection alerts, or even device shutdowns.
In the worst-case scenario, penetration testing could result in outcomes we aim to avoid.

3 STANDARD FRAMEWORK OF PENETRATION TESTING

3.1 Open Source Security Testing Methodology Manual
Open Source Security Testing Methodology Manual(OSSTMM) is a tool used for conducting
penetration testing and measuring the security of networks. Based on this, specific tasks are
proposed for the entire testing process across three stages: pre-test, during the test, and post-test,
along with methods for measuring test results. OSSTMM is both a penetration testing method and
one of the best approaches. Technically, it can be divided into “domains,” “channels,” “indexes,” and
“vectors.” “Scope” is a program used to collect all available assets of a target; “channel” refers to the
way information is exchanged and interacted with these assets, indicating the methods for testing
security components during evaluation, including: information, data control, personnel security
awareness, fraud levels, social engineering levels, computers, telecommunication networks, wireless
devices, mobile devices, physical security access control, program security, physical security, and
more. “Index” is a way of categorizing object resources with specific identity information, such
as IP addresses and MAC addresses; “Vector” indicates the direction for auditors to evaluate and
analyze all functional assets.
Professional security technology management focuses on improving security quality within the
targeted organization, ensuring the consistency and repeatability of penetration testing. Therefore,
OSSTMM divides the process into four relevant stages: specification, definition, information, and
interaction control stages. These stages are repeatable and can be used for channels determined
by OSSTMM. OSSTMM is also known for its Rules of Engagement (RoE). Proper network testing
requires various security measures, including defining the test scope, ensuring confidentiality,
providing emergency contact information, and establishing work change procedures. Additionally,
the testing plan, progress, and client reports are essential parts of the testing project. OSSTMM is a
very effective method for classifying testing projects, and it can be implemented without specific
commands or tools. Moreover, OSSTMM is an auditing method that complies with regulations
and industry requirements for organizational assets, providing comprehensive security for testing
projects. Its functions and advantages include:
• OSSTMM provides a standard approach, helping testers conduct more systematic security
testing, ensuring the comprehensiveness and accuracy of tests.
• OSSTMM covers a range of security testing scenarios, including network security, application
security, and physical security, meeting different security testing needs.
• OSSTMM offers detailed instructions, including testing steps, tools, and data, helping testers
improve efficiency and accuracy.
• OSSTMM helps testers identify security vulnerabilities and risks, enabling them to address
potential security issues during testing.

5
3.1.1 Information System Security Assessment Framework. Information System Security Assessment
Framework (ISSAF) is another peer review method. ISSAF combines penetration testing with
penetration testing tools. ISSAF is a security check method for networks, systems, and applications,
focusing on technical objectives, including firewalls, intrusion detection systems, routers, switches,
storage area networks, virtual private networks, operating systems, web application servers, and
databases. The method includes three phases: planning and preparation, evaluation, and reporting
and remediation. These phases allow for a comprehensive security assessment of networks, systems,
and applications, identifying potential security vulnerabilities and taking appropriate measures
for remediation. Each phase has common guidelines that can be applied to the context of any
organization. Its functions and advantages include the following:

• ISSAF is a standardized security assessment framework, It provides a consistent assessment

method, enhancing comparability and repeatability.
• The developers of ISSAF have summarized a complete assessment framework from years of
security evaluation practice, catering to diverse security evaluation needs.
• ISSAF has undergone multiple practical validations, ensuring highly reliable and accurate
assessment results.
• ISSAF offers detailed guidance, reducing the difficulty and complexity of the assessment
process.

3.1.2 Techniques Guide of Information Security Testing and Evaluation . NIST 800-115 is an advanced
and comprehensive network penetration testing methodology developed and published by the
National Institute of Standards and Technology (NIST). It was designed to replace the previous
NIST 800-42, offering more up-to-date and refined guidelines for conducting penetration tests in a
variety of network environments. This publication provides detailed frameworks for penetration
testing, emphasizing the importance of structured testing approaches and comprehensive security
assessments.
The document covers a wide range of essential topics, including specific security tools, rules
of engagement (RoE), and ethical guidelines that must be followed during testing. It outlines the
necessary steps for security testing strategies, ensuring that testers have a clear roadmap for
identifying vulnerabilities and assessing potential threats to a system. The framework also includes
a detailed approach to role management, clarifying the responsibilities of different individuals
involved in the penetration testing process.

3.1.3 Open Web Application Security Project. Open Web Application Security Project(OWASP)
aims to address the security testing issues of web application software. It is a test architecture
based on HTTP applications. Its scope is much smaller than other standards, but the information it
provides is more detailed. OWASP provides more details for the security testing process of web
applications. OWASP offers a complete project risk assessment system and lists the top ten projects
to enhance security awareness among businesses. OWASP does not focus on the security of the
entire program, but uses secure coding principles to achieve the required security. This method
categorizes security risks of application systems through analysis of attack vectors, business,
and technical vulnerabilities. OWASP’s content includes information gathering, configuration
management, authentication and authorization testing, business logic and data validity testing,
denial of service attacks and session management testing, web services and AJAX testing, and it
also provides risk severity assessment tools and standards.

6
3.2 Standard of Penetration Testing Execution
In 2009, six information security consultants jointly initiated the "Penetration Testing Execution
Standard" (PTES) with the aim of establishing a standard for general penetration testing pro-
cesses, including tools, techniques, and principles. PTES is comprehensive and divided into six
main sections: tool requirements, intelligence gathering, vulnerability analysis, exploitation, post-
exploitation, and reporting. Additionally, five appendices are provided for further reference, and
each chapter deeply explores specific steps such as radio frequency monitoring, physical monitoring,
phishing attacks, and social engineering. PTES also lists the tools and resources used in each step,
such as links to national corporate registration query sites for background checks. However, PTES
descriptions are sometimes too general and may be outdated compared to real-time information.
While it introduces some penetration testing techniques, the technical details lack timeliness. The
penetration testing execution standard typically follows the steps below:
(1) Requirement Analysis: Define the objectives, scope, targets, methods, timeline, and location
of the test. Develop a comprehensive testing plan.
(2) Information Gathering: Collect information about the target organization using search en-
gines, social media, WHOIS lookups, and other tools. This includes IP addresses, domain
names, network topology, employee details, and more.
(3) Vulnerability Scanning: Use scanning tools to identify potential vulnerabilities in the target
system, including application flaws, system vulnerabilities, and configuration errors.
(4) Penetration Attack: Exploit identified vulnerabilities to conduct penetration attacks, aiming
to gain access to sensitive information or control over the target system.
(5) Vulnerability Exploitation: Leverage the access obtained through exploited vulnerabilities to
further investigate system weaknesses and extract sensitive data.
(6) Data Analysis: Analyze data related to attack paths, effectiveness, and cost during the testing
process, and compile findings into a structured format.
(7) Report Writing: Document the test results, including identified vulnerabilities and recom-
mended countermeasures, in a penetration testing report for the target organization’s refer-
ence and remediation.
(8) Remediation Verification: Collaborate with the target organization to verify the effectiveness
of the fixes and provide ongoing technical support as needed.

4 PLATFORMS AND TOOLS OF PENETRATION TESTING

4.1 Kali Linux
Kali Linux is a Debian-based Linux distribution primarily intended for security professionals and
penetration testers. Developed and maintained by Offensive Security Ltd, it is a free and open-
source project that comes preloaded with a comprehensive array of security tools. These tools span
multiple domains, including network penetration testing, vulnerability analysis, reverse engineering,
wireless attacks, password cracking, and digital forensics. Its accessibility and flexibility make it
a go-to platform for security practitioners worldwide, as it can be freely downloaded and used
without any restrictions.
A key strength of Kali Linux lies in its extensive collection of built-in security tools. Notable
examples include Metasploit, Nmap, Wireshark, John the Ripper, Aircrack-ng, Hydra, and Burp
Suite. These tools allow security professionals to efficiently identify and exploit vulnerabilities,
facilitating deeper penetration testing and more comprehensive assessments. Designed specifically
for advanced penetration testing and security auditing, Kali Linux provides a complete toolkit that
serves the needs of security researchers, penetration testers, digital forensic analysts, and reverse
engineers. This broad and powerful toolset is one of the main reasons Kali Linux was selected as

7
the foundation for this research. Its latest release already includes the majority of tools discussed
in this paper. Built in accordance with Debian Linux development standards, Kali Linux ensures
high stability and compatibility, and it minimizes common bugs that users might encounter during
installation or tool usage.
In addition to its technical capabilities, Kali Linux is highly customizable, allowing users to
tailor the environment by adding or removing tools based on specific testing requirements. It
also supports multiple desktop environments such as GNOME, KDE, and Xfce, offering flexibility
in user interface preferences. While it is an indispensable platform for security professionals
and penetration testers, Kali Linux is equally well-suited for students and researchers engaged
in cybersecurity education, academic studies, and hands-on lab experiments. In summary, Kali
Linux is a robust, security-focused operating system that offers a wide range of tools and strong
adaptability, enabling users to conduct penetration testing tasks more efficiently. The key features
of Kali Linux can be summarized as follows:
• More than 600 Penetration Testing Tools and totally free to user: All tools from BackTrack
were reviewed; redundant or non-functional ones were remoOpen Sourceved.
• Open Source: Kali follows an open development model. Its development tree is publicly
accessible, and all source code can be modified and rebuilt based on specific needs.
• Secure Development Environment: Only trusted developers under strict security protocols
are authorized to interact with core libraries and submit updates.
• ARMEL and ARMHF Support: With the rising popularity and affordability of ARM-based
systems like Raspberry Pi and BeagleBone Black, Kali Linux offers strong ARM support. ARM
builds are released alongside standard versions and include a dedicated ARM repository,
ensuring excellent performance on both ARMEL and ARMHF platforms.

4.2 Metaploit
Metasploit is an open-source penetration testing framework that assists security researchers,
penetration testers, and vulnerability analysts in identifying and exploiting vulnerabilities, as well
as assessing the effectiveness of network security defenses. Created by Rapid7 in 2003, Metasploit
has become one of the most popular and widely used frameworks in the field of penetration testing.
The Metasploit framework consists of three core components: Metasploit Framework, Metasploit
Pro, and Metasploit Community Edition. The Metasploit Framework is the foundational and
most widely used component, offering a comprehensive suite of tools and modules for tasks
such as vulnerability scanning, exploitation, payload generation, shellcode development, and
post-exploitation.
Core Components of Metasploit Framework are concluded as follows:
• Module Library: A rich repository that includes modules for vulnerability scanning, exploita-
tion, payload generation, shellcode writing, and post-exploitation.
• Interfaces: Supports various interfaces including command-line interface (CLI), graphical
user interface (GUI) through Armitage, and web-based interfaces.
• Database Integration: Compatible with databases such as PostgreSQL, MySQL, and SQLite
for storing and managing data.
• Payloads: Offers a variety of payloads for executing actions on target systems, such as gaining
shell access, uploading/downloading files, and executing commands.
• Exploits: Provides numerous exploit modules for leveraging system vulnerabilities to gain
shell access.
• Auxiliary Modules: Includes modules for auxiliary tasks such as port scanning, service
identification, and vulnerability verification.

8
 The Metasploit Framework is highly flexible, allowing users to select and configure different
modules and exploits tailored to specific targets. Additionally, users can develop custom mod-
ules and exploits to suit particular testing scenarios, enhancing the tool’s adaptability to diverse
environments and security challenges.
Before launching an attack using Metasploit, penetration testers must first gather detailed
information about the target. Metasploit contains a vast database of vulnerabilities related to
applications, protocols, services, and operating systems. Once a vulnerability is identified, testers
select an appropriate exploit module. If successful, the exploit allows the tester to execute a payload
module on the target machine. These payloads can return a shell or establish a connection between
the target and the tester’s machine, thereby enabling remote command execution and further
system interaction.
Before executing an exploit, the payload must be pre-configured properly. To avoid detection
by intrusion prevention and detection systems, payloads can be encoded. Metasploit supports
automation of the entire exploitation process through appropriate scripting and configuration,
streamlining workflows and improving testing efficiency. In summary, Metasploit Framework
is a powerful, user-friendly, and extensible penetration testing tool—an essential platform for
vulnerability research, exploitation, and security testing. Fig. 1 illustrates the Metasploit architecture.

User Plugins Library Protocol Tool

REX

Framework: core

Framework: base

Interface Module
Security Tool

msfweb exploits

msfconsole Web Services payloads

msfgui encoders

msfapi nops
Intergre Sevices

auxiliary

Fig. 1. Metasploit Architecture

Metasploit includes various subdirectories for interacting with the core framework, which are
categorized into interfaces, modules, libraries, plugins, and tools. REX is an extended Ruby library
that integrates classes and methods within the Metasploit base files. The interfaces provide five

9
main options: msfweb, msfcli, msfconsole, msfgui, and msfapi, among which msfconsole is the most
powerful, granting users full access to all Metasploit features. Additionally, the plugin interface
allows for extending the framework’s architecture and capabilities. The true power of Metasploit
lies heavily in its modularity, as each module serves a distinct and specific purpose within the
penetration testing process.

4.3 Nmap
Nmap is a free software tool developed by Fyodor and released under the GPL 2.0 license. Due to its
open-source nature, it has gained widespread popularity, particularly within the penetration testing
community. Its flexibility, stability, compatibility, and scalability distinguish it from other scanning
tools. Furthermore, thanks to its excellent maintenance and strong host support capabilities, Nmap
serves as an effective tool for network scanning and host monitoring.
Nmap’s core functions include scanning hosts, services, operating systems, packet filters, and
firewalls. It features advanced capabilities that allow it to bypass firewalls and intrusion detection
systems. In addition, Nmap offers numerous hidden functions that can be integrated into scripts
and other programs. Alongside these, it also comes with a suite of auxiliary tools, for example, Ncat
for debugging, Ndiff for comparing scan results, and Nping for packet generation and response
analysis, among others.
Regarding output, Nmap presents scan results in a list format based on the selected options. For
example, the port list displays the port number, protocol, service name, and status, with statuses that
include open, filtered, closed, unfiltered, and undefined. Specifically, "open" indicates that Nmap
has detected a service on the target host, while "filtered" suggests that a firewall or other network
barrier is blocking the port, preventing Nmap from receiving a response. Moreover, the Nmap
Scripting Engine (NSE) is a powerful framework designed to perform a wide range of network-
related tasks, including network discovery, advanced version detection, vulnerability scanning,
backdoor detection, and even vulnerability exploitation. Users can leverage NSE to automate various
operations, which are executed in parallel while optimizing performance and speed. In addition
to the built-in scripts, users can develop custom scripts tailored to specific requirements. These
custom scripts are particularly valuable in penetration testing, enabling more targeted and efficient
assessments.

4.4 OpenVAS
OpenVAS, also known as GNessUs, is developed based on Nessus and serves as a comprehensive
and powerful framework for vulnerability scanning and management. As part of the Greenbone
Vulnerability Management (GVM) solution, OpenVAS has achieved significant milestones in the
open-source community since 2009. The OpenVAS scanner is regularly updated with Network
Vulnerability Tests (NVTs) from publicly available sources. The number of NVTs has surpassed
50,000 and continues to grow. All OpenVAS components are freely available, with most of them
licensed under the GNU General Public License (GPL).
A key feature of OpenVAS is its ability to use plugins to match and identify vulnerabilities
effectively.
The architecture of OpenVAS can be divided into three main layers: the client layer, the service
layer, and the data layer. The essential components and modules within these layers are illustrated
in Fig. 2
VirtualBox is a hypervisor that enables the operation of a virtual operating system within an
existing host OS. It has continuously evolved, offering new features and improvements. Its user
interface is based on QtGUI, and it includes a command-line management tool to operate VBoxSDL.
To integrate the host system’s capabilities into the virtual environment, VirtualBox provides an

10
 OpenVAS Applicaiton
GSA GSD
CLI Layer

Scan target

OpenVAS OpenVAS OpenVAS

Service
Manager Administrator
Engine Layer

NVTs Data
Layer
Configuration

Fig. 2. The Three Layers of OpeVAS

additional software package that includes shared folders and clipboard support, video acceleration,
and a seamless window experience.
VirtualBox supports a wide range of operating systems, including x86 and AMD64/Intel64
architectures. It is currently the only open-source virtual machine software licensed under the
GNU General Public License (GPL) version 2.0. It runs smoothly on multiple host systems such as
Linux, Windows, macOS, and Solaris, and supports a variety of guest operating systems including
Windows, Linux, Solaris, and OpenBSD. With continued development, VirtualBox is expected to
support more features and a broader range of operating systems and platforms.
Funded by Oracle, VirtualBox is a community-driven open-source project to which anyone can
contribute. Oracle ensures that the product maintains professional quality at all times.
Compared to VMware, VirtualBox is arguably a better choice for general users. For cybersecurity
researchers, setting up a targeted, isolated network is an effective strategy. In this project, VirtualBox
is used to build a small-scale test network entirely independent of real-world applications, ensuring
that penetration tests can be conducted without affecting any actual networks. VirtualBox offers
four distinct networking modes to accommodate different user networking requirements.

5 EXPERIMENTS
5.1 Experimental Platform Design
Due to legal and time constraints, it is essential to separate the experimental environment from
any real production systems. To achieve this, two standalone computers were used for testing. The
system was designed to be entirely independent of any external network devices, allowing full
control by the user. One machine served as the attacker running the penetration tests, with Kali
Linux installed as the operating system. The other machine used VirtualBox to create a virtual
LAN, which served as the target environment for testing. This virtual LAN simulates an organized
network comprising multiple servers and clients, reflecting the structure of a real-world network
to a certain scale, and the platform enviroment is illustrated in Fig. 3
The machine used for penetration testing runs exclusively on Kali Linux. Selecting an appropriate
ISO image during installation is crucial. Since malicious software such as viruses or trojans may
be embedded in downloads from the internet, verifying the integrity of the image is an important
step to ensure it has not been tampered with or corrupted. For instance, in Windows, the certutil

11
 Fig. 3. Enviroment of Platform

-hashfile command can be used, while in Linux, tools like md5sum or sha256sum serve the same
purpose. This verification helps avoid installation failures caused by packet loss during download
and minimizes potential security risks. Once the image is confirmed to be intact, the operating
system can be installed with confidence.
The target network simulates the internal network of a small organization. Within VirtualBox, a
DHCP server, FTP server, web server, and client PCs were created, each installed with different
operating systems: Debian, Ubuntu, Windows Server 2012 R2, and Windows 7 Enterprise. These
systems were organized into a virtual local network. This setup helps penetration testers understand
the security differences across various platforms.
A well-structured hardware configuration significantly enhances the efficiency of penetration
testing. However, due to the differing scopes of experimental and production environments—as well
as limitations imposed by legal and financial factors—moderate-performance hardware was selected.
Kali Linux offers broad hardware compatibility through its well-developed drivers, eliminating the
need for high-end hardware on the attacking host. In contrast, the target system is required to
simulate multiple virtual devices, necessitating the use of a multi-core processor and large-capacity
memory to ensure smooth execution of penetration tests.

5.2 Design of the Experimental Process

In practical applications, penetration testing plays a critical role. However, it also carries considerable
risk, potentially leading to system or network failures and even economic loss. To better understand
penetration testing techniques and methodologies, this study proposes an experimental process
tailored for penetration testing.
Based on this, a scenario-oriented penetration testing method is introduced, with the detailed
steps illustrated in Fig. 4
In the information collection phase, Nmap was used for network reconnaissance, port scanning,
OS detection, and service enumeration. In practice, information gathering can consume over 60%
of the total testing time, highlighting its critical role in the overall process. The quality of the
collected data significantly influences the effectiveness of subsequent stages. Specifically, data such
as network coverage, host IP addresses, operating system versions, and service ports serve as key
indicators in the following vulnerability assessment phase.
Moving on to the vulnerability scanning and evaluation phase, the collected data is carefully
reviewed and refined. This process can be performed manually or with the assistance of automated

12
 Information Scan and Exploitation of Post-
Collecting Evaluation Report
Vulnerability Exploitation

Fig. 4. Steps of Penetration Test

tools. However, manual efforts tend to be time-consuming and inefficient, especially in large-scale
networks consisting of hundreds of subsystems. In this study, the open-source tool OpenVAS was
employed to detect vulnerabilities by leveraging its constantly updated vulnerability database,
which helps identify issues caused by misconfigurations or other factors.
The exploitation phase follows, involving the verification and exploitation of vulnerabilities
identified by OpenVAS. While often regarded as the most exciting part of penetration testing, it
also carries the highest implementation risk. Many security vulnerabilities in real-world scenarios
are difficult to exploit and may adversely affect system stability. Nevertheless, within a controlled
testing environment, tools such as the Metasploit Framework can be safely used without concerns
about damaging the target system.
Finally, post-exploitation refers to actions taken after successfully breaching a target network
system, including deeper exploration and the installation of rootkits or backdoors to ensure per-
sistent access. Kali Linux, combined with the Metasploit Framework, provides a variety of tools
to support this process. Generally, penetration tests do not directly improve an organization’s
security posture but instead provide recommendations through a detailed report. It is then the
responsibility of the target organization to develop and implement specific security measures,
balancing effectiveness and practicality based on the report’s findings. After completing all test
steps, a comprehensive written report must be prepared and submitted, encompassing test results,
recommended improvements, a list of tools used, and a summary of all procedures executed. This
penetration testing report encapsulates the entire testing process and serves as a crucial guide for
future security enhancements.

5.3 Penetration Testing

The information gathering phase is critical for analyzing and identifying weaknesses within an
organizational network [26]. This phase is typically divided into three main categories: passive
reconnaissance, active reconnaissance, and network/system scanning. Based on these approaches,
tasks such as host discovery, port scanning, service version detection, and OS fingerprinting are
conducted and analyzed[10] . Notably, host discovery is rarely performed in isolation; it is generally
used as a preparatory step for subsequent tasks such as port scanning, version detection, and
OS identification. Only in specific scenarios—such as counting active switches in a large-scale
network—does host discovery become a standalone operation. In this experiment, Nmap was used to
scan a segment of a test network. The scan revealed the number of active hosts in the target subnet,

13
along with details such as their IP addresses, MAC addresses, and associated network interface
card (NIC) information[25][9] . In practical network environments, ICMP traffic is often filtered by
firewalls. To overcome the limitations of ICMP-based scanning, a combination of TCP and UDP
scanning is typically recommended. However, because this combined approach is time-consuming,
time constraints must be considered during penetration testing to avoid unnecessary delays and to
ensure the efficiency of the overall testing process.
To address this, Nmap offers a wide range of command-line options to support various scanning
techniques. In this experiment, the TCP ACK scan mode was used to simulate a gray-box testing
scenario. Four VirtualBox hosts identified during the host discovery phase were selected as the
targets. By performing TCP ACK scans on their IP addresses, we were able to infer their firewall
configurations. The scan results indicated that one of the hosts ([Link]) was in a "filtered"
state, suggesting the presence of a firewall, whereas the remaining hosts were "unfiltered." While
TCP ACK scans are effective for detecting firewall activity, they do not provide definitive information
about whether specific ports are open or closed. Therefore, additional scans using TCP SYN and
UDP are necessary to obtain a more comprehensive understanding. Since UDP scanning is generally
slower and more resource-intensive than TCP scanning, TCP SYN scanning was selected for this
experiment.
In the subsequent vulnerability detection and assessment phase, OpenVAS was used to evaluate
the target network. Although OpenVAS is a fork of Nessus, it includes significantly more CVE-
related vulnerabilities in its database and, being open-source, is a strong choice for bug detection.
OpenVAS is a reliable and effective vulnerability scanner, though its installation and configuration
can be somewhat complex, as discussed earlier. This section provides a deeper exploration of
OpenVAS and an analysis of the results produced during the experiment. To create a scan task with
OpenVAS, configuration must be based on the information gathered in the previous phase. This
involves specifying key parameters such as the IP address of the scan target, scan intensity, and
task details. The number of hosts in the target network, the network’s condition, the breadth of
the vulnerability database, and the intensity of the scan all significantly influence both scanning
efficiency and duration. In experimental scenarios, it is advisable to reduce the scan intensity
and scope appropriately based on test conditions, thereby minimizing execution time. OpenVAS
scan results provide valuable insights into the vulnerabilities and overall security posture of the
target network. It generates detailed scan reports containing information such as IP addresses, user
identities, scan time, scope, and types of detected vulnerabilities. These reports can be categorized
according to various criteria, including operating system, IP address, or scan task. Penetration testers
can also review detailed attack-related information based on the report format selected. During
the scanning of the test network, two high-risk and two low-risk vulnerabilities were identified.
These could potentially pose serious security threats. To enhance the accuracy of its detection,
OpenVAS first determines the target system’s operating system and IP address before initiating a
scan. The consistency of OpenVAS results with earlier reconnaissance findings further validates
the effectiveness of the information gathering phase. Based on the analysis of scan outcomes,
appropriate security measures can then be developed to improve system protection. In a test
environment, it is possible to exploit high-risk zones for further analysis. However, in real-world
penetration testing, exploiting critical vulnerabilities may interfere with normal system operations.
For this reason, such actions should only be taken after thorough evaluation and approval by the
penetration testing team. As part of the test, one of the identified vulnerabilities—MS17-010—was
examined in detail for its potential impact. [22]

14
6 CONCLUSION
Penetration testing refers to the practice of assessing the security of network systems by simulating
real-world attacks [28][11]. This paper presents an overview of the methods and practices of pene-
tration testing and highlights its significance in the field of cybersecurity. It begins by introducing
the fundamental concepts and classifications of penetration testing, with each type tailored to spe-
cific application scenarios and corresponding methodologies. To support practical implementation,
the paper also discusses widely used tools and techniques—such as Nmap, Metasploit, and Burp
Suite—that form the foundation of many penetration testing workflows[29][4]. Building upon this
theoretical basis, the paper then outlines the typical procedures involved in a penetration test,
including information gathering, vulnerability scanning, exploitation, privilege escalation, data
extraction, and post-test cleanup[30]. Each of these stages requires the use of different tools and
technical approaches. The importance of penetration testing is subsequently analyzed in the broader
context of network security, as it enables organizations to identify and remediate vulnerabilities,
enhance system defenses, and reduce the risk of cyberattacks[16]. Moreover, it assists in evaluating
an organization’s current security posture, thereby facilitating the development of more effective
security policies and strategic planning.
Expanding upon these foundational concepts, the study constructs a controlled test environ-
ment isolated from real-world production systems, allowing for experimentation without risk to
operational networks. From the perspective of a penetration tester, the research utilizes multiple
tools available on the Kali Linux platform to conduct in-depth testing on a simulated network. This
includes comprehensive analysis of systems, network infrastructure, virtualization software, and
specialized penetration testing tools. Based on the experimental results, the study proposes a set
of practical implementation strategies aimed at addressing specific vulnerabilities and structural
weaknesses within the tested network system[14]. In addition, corresponding defensive measures
are recommended to improve overall system security and resilience [13]. Throughout the testing
process, several issues were identified—ranging from software vulnerabilities to broader secu-
rity configuration risks. By appropriately applying established penetration testing methodologies
and leveraging suitable tools, these problems were successfully diagnosed and resolved. The pro-
posed solutions serve to assist network administrators in better protecting their environments and
proactively mitigating potential threats.
The results of this research demonstrate that, when systematically and effectively applied,
penetration testing is a powerful means of identifying security flaws and implementing appropriate
countermeasures[15] . The findings contribute to both the theoretical understanding and practical
advancement of cybersecurity, thereby reinforcing the reliability of networked systems. As cyber
threats continue to evolve, penetration testing tools and techniques must also adapt to address
emerging vulnerabilities and increasingly complex attack vectors[12]. In conclusion, penetration
testing has become an indispensable component of modern network security. It plays a vital role
in enhancing system protection and safeguarding sensitive information. Looking ahead, future
work should prioritize the refinement of penetration testing methodologies to keep pace with the
dynamic cybersecurity landscape. However, while penetration testing can inform the design of
robust security architectures, it is also important to acknowledge that overly stringent security
measures may interfere with the normal operation of systems. Therefore, a scientific and balanced
approach is required—one that ensures both effective security assurance and the maintenance of
operational efficiency.

REFERENCES
[1] Farah Abu-Dabaseh and Esraa Alshammari. 2018. Automated penetration testing: An overview. In The 4th international
conference on natural language computing, Copenhagen, Denmark. 121–129.

15
 [2] Hessa Mohammed Zaher Al Shebli and Babak D Beheshti. 2018. A study on penetration testing process and tools. In
2018 IEEE Long Island Systems, Applications and Technology Conference (LISAT). IEEE, 1–7.
[3] Aileen G Bacudio, Xiaohong Yuan, Bei-Tseng Bill Chu, and Monique Jones. 2011. An overview of penetration testing.
International Journal of Network Security & Its Applications 3, 6 (2011), 19.
[4] Rafay Baloch. 2017. Ethical hacking and penetration testing guide. Auerbach Publications.
[5] Matt Bishop. 2007. About penetration testing. IEEE Security & Privacy 5, 6 (2007), 84–87.
[6] Jiuyang Bu, Wenkai Li, Zongwei Li, Zeng Zhang, and Xiaoqi Li. 2025. Enhancing Smart Contract Vulnerability
Detection in DApps Leveraging Fine-Tuned LLM. arXiv:2504.05006 [[Link]]
[7] Jiuyang Bu, Wenkai Li, Zongwei Li, Zeng Zhang, and Xiaoqi Li. 2025. SmartBugBert: BERT-Enhanced Vulnerability
Detection for Smart Contract Bytecode. arXiv:2504.05002 [[Link]]
[8] Ting Chen, Xiaoqi Li, Xiapu Luo, and Xiaosong Zhang. 2018. System-level attacks against android by exploiting
asynchronous programming. Software Quality Journal 26 (2018).
[9] Ankur Chowdhary, Dijiang Huang, Jayasurya Sevalur Mahendran, Daniel Romo, Yuli Deng, and Abdulhakim Sabur.
2020. Autonomous security analysis and penetration testing. In 2020 16th International Conference on Mobility, Sensing
and Networking (MSN). IEEE, 508–515.
[10] Gelei Deng, Yi Liu, Víctor Mayoral-Vilches, Peng Liu, Yuekang Li, Yuan Xu, Tianwei Zhang, Yang Liu, Martin Pinzger,
and Stefan Rass. 2023. Pentestgpt: An llm-empowered automatic penetration testing tool. arXiv preprint arXiv:2308.06782
(2023).
[11] Matthew Denis, Carlos Zena, and Thaier Hayajneh. 2016. Penetration testing: Concepts, attack methods, and defense
strategies. In 2016 IEEE Long Island Systems, Applications and Technology Conference (LISAT). IEEE, 1–6.
[12] Bernhard Dieber, Ruffin White, Sebastian Taurer, Benjamin Breiling, Gianluca Caiazza, Henrik Christensen, and
Agostino Cortesi. 2020. Penetration testing ROS. Robot Operating System (ROS) The Complete Reference (Volume 4)
(2020), 183–225.
[13] Mohamed C Ghanem and Thomas M Chen. 2019. Reinforcement learning for efficient network penetration testing.
Information 11, 1 (2019), 6.
[14] Jai Narayan Goel and Babu M Mehtre. 2015. Vulnerability assessment & penetration testing as a cyber defence
technology. Procedia Computer Science 57 (2015), 710–715.
[15] Andreas Happe and Jürgen Cito. 2023. Getting pwn’d by ai: Penetration testing with large language models. In
Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of
Software Engineering. 2082–2086.
[16] Fredrik Heiding, Emre Süren, Johannes Olegård, and Robert Lagerström. 2023. Penetration testing of connected
households. Computers & Security 126 (2023), 103067.
[17] Wenkai Li, Xiaoqi Li, Yuqing Zhang, and Zongwei Li. 2024. DeFiTail: DeFi Protocol Inspection through Cross-Contract
Execution Analysis. In Companion Proceedings of the ACM Web Conference 2024. 786–789.
[18] Wenkai Li, Zhijie Liu, Xiaoqi Li, and Sen Nie. 2024. Detecting Malicious Accounts in Web3 through Transaction Graph.
In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering. 2482–2483.
[19] Xiaoqi Li et al. 2021. Hybrid analysis of smart contracts and malicious behaviors in ethereum. (2021).
[20] Xiaoqi Li, Le Yu, and Xiapu Luo. 2017. On Discovering Vulnerabilities in Android Applications. In Mobile Security and
Privacy. [Link]
[21] Zongwei Li, Xiaoqi Li, Wenkai Li, and Xin Wang. 2025. SCALM: Detecting Bad Practices in Smart Contracts Through
LLMs. arXiv preprint arXiv:2502.04347 (2025).
[22] Zekai Liu and Xiaoqi Li. 2025. SoK: Security Analysis of Blockchain-based Cryptocurrency. arXiv:2503.22156 [[Link]]
[Link]
[23] Zekai Liu, Xiaoqi Li, Hongli Peng, and Wenkai Li. 2024. GasTrace: Detecting Sandwich Attack Malicious Accounts in
Ethereum. In 2024 IEEE International Conference on Web Services (ICWS). IEEE, 1409–1411.
[24] Yingjie Mao, Xiaoqi Li, Wenkai Li, Xin Wang, and Lei Xie. 2024. SCLA: Automated Smart Contract Summarization via
LLMs and Semantic Augmentation. arXiv preprint arXiv:2402.04863 (2024).
[25] Sheetal Temara. 2023. Maximizing penetration testing success with effective reconnaissance techniques using chatgpt.
arXiv preprint arXiv:2307.06391 (2023).
[26] Vasaka Visoottiviseth, Phuripat Akarasiriwong, Siravitch Chaiyasart, and Siravit Chotivatunyu. 2017. PENTOS:
Penetration testing tool for Internet of Thing devices. In TENCON 2017-2017 IEEE Region 10 Conference. IEEE, 2279–
2284.
[27] Yishun Wang, Xiaoqi Li, Wenkai Li, and Xin Wang. 2024. Smart Contracts in the Real World: A Statistical Exploration
of External Data Dependencies. arXiv preprint arXiv:2406.13253 (2024).
[28] Georgia Weidman. 2014. Penetration testing: a hands-on introduction to hacking. No starch press.
[29] Andrew Whitaker and Daniel P Newman. 2005. Penetration testing and network defense. Cisco Press.
[30] Thomas Wilhelm. 2025. Professional penetration testing: Creating and learning in a hacking lab. Elsevier.

16
[31] Jiayuan Zhang, Yao Yao, Xiaoqi Li, Jian Xie, and Gaofei Wu. 2017. An Android Vulnerability Detection System. In
Network and System Security. Springer International Publishing.
[32] Yongchao Zhong, Haonan Yang, Ying Li, Bo Yang, Xiaoqi Li, Qiuling Yue, Jinglu Hu, and Yuqing Zhang. 2023. Sybil
Attack Detection in VANETs: An LSTM-Based BiGAN Approach. In 2023 International Conference on Data Security and
Privacy Protection (DSPP).
[33] Yaling Zhu, Jia Zeng, Fangchen Weng, Dan Han, Yiyu Yang, Xiaoqi Li, and Yuqing Zhang. 2024. Sybil Attacks Detection
and Traceability Mechanism Based on Beacon Packets in Connected Automobile Vehicles. Sensors 24 (2024).
[34] Huanhuan Zou, Zongwei Li, and Xiaoqi Li. 2025. Malicious code detection in smart contracts via opcode vectorization.
arXiv preprint arXiv:2504.12720 (2025).

17