Penetration Testing

Uncovering Vulnerabilities Before They're Exploited.

Proactive Vulnerability Validation

A penetration test, or "pen test," is a controlled, simulated cyberattack designed to identify and safely exploit vulnerabilities, demonstrating the real-world impact of security weaknesses before malicious actors can. At Code 0, our penetration testing services provide a hands-on, expert-driven assessment that uncovers complex, chained vulnerabilities and provides actionable insights for a robust defense. Our methodologies are aligned with international standards like the Penetration Testing Execution Standard (PTES), ensuring a comprehensive and verifiable assessment.

A Glimpse into the Workflow

/bin/bash

kali@code0:~$ subfinder -d target.com -silent | httpx -t 100 -tech-detect -status-code | tee hosts.txt

https://www.target.com [200] [Go,Cloudflare,Recaptcha]
https://app.target.com [200] [React,Nginx,AWS,Vite]
https://api.target.com [403] [Nginx]
https://internal.target.com [401] [IIS,ASP.NET]
https://dev.target.com [200] [Apache]
https://status.target.com [200] [Statuspage]

kali@code0:~$ naabu -l hosts.txt -top-ports 1000 -silent | httpx -tech-detect -title

https://app.target.com:8443 [403] [Forbidden] [Nginx]
https://app.target.com:443 [200] [Target App Login] [React,Nginx,AWS,Vite]
http://dev.target.com:8080 [200] [Old Jenkins Server - Build #342] [Jenkins]
https://internal.target.com:443 [401] [Unauthorized] [IIS,ASP.NET]

kali@code0:~$ # Jenkins server on dev looks promising for initial access...

kali@code0:~$ _

The PTES Standard: A Structured Approach

A network diagram showing structured connections and data flows, representing a methodical approach.

We structure our engagements around the seven phases of the Penetration Testing Execution Standard (PTES). This is not just a checklist, but a comprehensive framework that ensures quality, consistency, and a clear roadmap for both our testers and our clients. It guarantees that every critical aspect of an assessment is covered methodically, from initial planning to final remediation guidance.

1. Pre-engagement Interactions: The foundational phase where we collaboratively define the scope, objectives, and legal boundaries of the test to ensure perfect alignment with business goals.

2. Intelligence Gathering: We map the target's digital footprint using both passive (OSINT) and active reconnaissance techniques to identify potential attack vectors across infrastructure and applications.

3. Threat Modeling: Business assets are mapped to potential threat actors and attack scenarios. This strategic analysis prioritizes testing efforts on the most critical systems and data.

4. Vulnerability Analysis: We combine automated scanning with deep manual analysis to discover flaws and weaknesses in systems, applications, and configurations.

5. Exploitation: This phase moves from theory to practice. We actively exploit identified vulnerabilities to demonstrate tangible risk and gain access, escalating privileges to achieve defined objectives.

6. Post-Exploitation: Once a foothold is gained, we determine the value of compromised systems, establish persistence, and move laterally to simulate the full impact of a breach.

7. Reporting: We deliver a comprehensive report detailing the attack narrative, technical findings with proof-of-concept evidence, and actionable, prioritized recommendations for remediation.

Modern Network Discovery: From Nmap to a Specialized Toolchain

Abstract representation of data packets moving quickly through a network, symbolizing speed and efficiency.

While nmap remains the undisputed standard for deep, accurate network interrogation, modern engagements demand a "fail-fast" approach for initial reconnaissance. The shift is from a single, monolithic tool to a modular, high-speed toolchain where each component is optimized for a specific task.

Our workflow leverages Project Discovery's tool suite for unparalleled efficiency. We start with naabu for rapid, SYN-scan-based port discovery, which is significantly faster than a traditional nmap TCP connect scan. The output of live ports is then piped directly into httpx, a multi-purpose HTTP toolkit that probes for web servers, detects technologies, and extracts titles. This combination allows us to build a comprehensive map of an organization's web attack surface in minutes, not hours, focusing our manual efforts where they matter most.

The Foundation: Nmap

nmap_scan.sh 
# Classic Nmap scan: Deep service versioning, default scripts, and OS detection.
nmap -sV -sC -O -T4 target.com

The Modern Standard: Naabu + Httpx

discovery_workflow.sh 
# Modern workflow: Fast port scan piped directly into web service enumeration.
naabu -host target.com -top-ports 1000 -silent | httpx -tech-detect -title -status-code

Web & API Pentesting: Exploiting Broken Object Level Authorization

A visualization of an API endpoint with a broken lock, indicating a security flaw.

APIs are the backbone of modern applications but are also a primary attack vector. We focus on the OWASP API Security Top 10, particularly critical flaws like Broken Object Level Authorization (BOLA). This vulnerability arises when an API endpoint fails to verify that the requesting user has legitimate permissions to access the specific object they are requesting. An attacker can simply manipulate an object ID in the request to access or modify another user's data.

The Flaw: Insecure Direct Object Reference

Consider this Node.js/Express endpoint. It verifies that a user is authenticated but fails to check if the requested orderId actually belongs to that user.

routes/orders.js (Vulnerable) 
// VULNERABLE: The API endpoint retrieves an order by its ID without checking ownership.
app.get('/api/orders/:orderId', (req, res) => {
  // Assume user is authenticated via a valid JWT.
  Order.findById(req.params.orderId).then(order => res.json(order));
});

The Exploit: Parameter Manipulation

An attacker, logged in as User A, can use a simple curl command to cycle through numeric IDs and request an order belonging to User B.

exploit.sh 
# Attacker (authenticated as User A) requests an order ID (123) belonging to User B.
curl -H "Authorization: Bearer " https://api.example.com/api/orders/123

The Fix: Enforcing Ownership in Middleware

The secure implementation adds a server-side check. Before executing the logic, a middleware function verifies that the requested object's owner matches the authenticated user's ID from their session.

routes/orders.js (Fixed) 
// FIXED: The endpoint now verifies that the requested object belongs to the authenticated user.
app.get('/api/orders/:orderId', (req, res) => {
  // req.user.id is populated from the JWT after authentication.
  Order.findOne({ _id: req.params.orderId, ownerId: req.user.id }).then(order => {
    if (!order) {
      return res.status(403).send('Forbidden: Access is denied.');
    }
    res.json(order);
  });
});

Tool Showcase for a Modern Pentest

A professional penetration tester leverages a diverse toolkit, selecting the right tool for each phase of the engagement. While classic tools remain relevant, modern workflows incorporate newer, often more specialized, alternatives for enhanced speed and capability.

Phase Description Core Tools
Discovery Rapidly identifying the external attack surface, including subdomains and cloud assets. subfinder, amass, uncover
Enumeration Scanning for open ports, identifying web technologies, and finding vulnerabilities with templates. nmap, naabu, httpx, Nuclei
Exploitation Manual and semi-automated exploitation of web, network, and application vulnerabilities. Burp Suite, Metasploit, sqlmap
C2 / Post-Exploitation Maintaining access, escalating privileges, and moving laterally within the network. Sliver, Havoc, BloodHound

Further Learning & Resources

Continuous learning is paramount in cybersecurity. The following resources are invaluable for staying current with modern penetration testing tools, techniques, and procedures.

  • HackTricks - An essential, comprehensive resource for a wide range of TTPs, from privilege escalation to web application attacks.
  • Project Discovery - The home of the modern offensive security toolchain, including Nuclei, Subfinder, Httpx, and Naabu.
  • OWASP Top 10 - The industry-standard awareness document for the most critical web application security risks.
  • Offensive Security Blog - Insights and research from the creators of Kali Linux and the OSCP, promoting the "Try Harder" mindset.
  • PayloadsAllTheThings - A massive collection of useful payloads, commands, and cheat sheets for a variety of attack vectors.
  • IppSec on YouTube - In-depth video walkthroughs of retired Hack The Box machines, demonstrating practical application of tools and techniques.