{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,16]],"date-time":"2026-03-16T01:02:18Z","timestamp":1773622938043,"version":"3.50.1"},"reference-count":92,"publisher":"IGI Global","issue":"4","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2014,10,1]]},"abstract":"<p>Penetration testing is an effort to attack a system using similar techniques and tools adopted by real hackers. The ultimate goal of penetration testing is to call to light as many existing vulnerabilities as possible, then come up with practical solutions to remediate the problems; thus, enhance the system security as a whole. The paper introduces concepts and definitions related to penetration testing, together with different models and methodologies to conduct a penetration test. A wide range of penetration testing state-of-the-art, as well as related tools (both commercial and free open source available on the market) are also presented in relatively rich details.<\/p>","DOI":"10.4018\/ijdcf.2014100104","type":"journal-article","created":{"date-parts":[[2015,2,13]],"date-time":"2015-02-13T13:06:50Z","timestamp":1423832810000},"page":"50-74","source":"Crossref","is-referenced-by-count":7,"title":["An Overview of Penetration Testing"],"prefix":"10.4018","volume":"6","author":[{"given":"Chiem Trieu","family":"Phong","sequence":"first","affiliation":[{"name":"Auckland University of Technology, Auckland, New Zealand"}]},{"given":"Wei Qi","family":"Yan","sequence":"additional","affiliation":[{"name":"Auckland University of Technology, Auckland, New Zealand"}]}],"member":"2432","reference":[{"key":"ijdcf.2014100104-0","author":"V.Alder","year":"2007","journal-title":"How to cheat at configuring open source security tools"},{"key":"ijdcf.2014100104-1","unstructured":"Allen, L. (2012). Advanced Penetration Testing for Highly-Secured Environments The Ultimate Security Guide (1 ed.). Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=946941"},{"key":"ijdcf.2014100104-2","unstructured":"Allsopp, W. (2009). Unauthorised Access: Physical Penetration Testing For IT Security Teams (1 ed.). Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=470412"},{"issue":"12","key":"ijdcf.2014100104-3","first-page":"48","article-title":"Penetration testing: Core Security.","volume":"20","author":"Anonymous","year":"2009","journal-title":"SC Magazine"},{"key":"ijdcf.2014100104-4","author":"Anonymous","year":"2009","journal-title":"Core Security Adds Wireless Capabilities to Automated Penetration Testing Solution"},{"key":"ijdcf.2014100104-5","unstructured":"Anonymous. (2010a). Rapid7 Introduces Metasploit Pro - The World's First Penetration Testing Solution That Achieves Unrestricted Remote Network Access Through Firewalls. Business Wire. Retrieved from http:\/\/ezproxy.aut.ac.nz\/login?url=http:\/\/search.proquest.com\/docview\/759069295?accountid=8440"},{"issue":"12","key":"ijdcf.2014100104-6","first-page":"40","article-title":"Penetration testing: SAINT.","volume":"21","author":"Anonymous","year":"2010","journal-title":"SC Magazine"},{"key":"ijdcf.2014100104-7","author":"Anonymous","year":"2010","journal-title":"Core Security Adds Network Device Assessment, Web App Scanner Integration to Automated Penetration Testing Solution"},{"key":"ijdcf.2014100104-8","unstructured":"Anonymous. (2010d). Codenomicon Automates Penetration Testing. Business Wire. Retrieved from http:\/\/ezproxy.aut.ac.nz\/login?url=http:\/\/search.proquest.com\/docview\/89211727?accountid=8440"},{"key":"ijdcf.2014100104-9","author":"Anonymous","year":"2012","journal-title":"How to hack your own Wi-Fi network. Network World"},{"key":"ijdcf.2014100104-10","unstructured":"Anonymous. (n.d.). Security Test Tools. Retrieved 09 Oct, 2013, from http:\/\/www.opensourcetesting.org\/security.php"},{"key":"ijdcf.2014100104-11","author":"N.Antunes","year":"2011","journal-title":"Penetration Testing in Web Services."},{"key":"ijdcf.2014100104-12","doi-asserted-by":"publisher","DOI":"10.1109\/PRDC.2009.54"},{"key":"ijdcf.2014100104-13","unstructured":"Antunes, N., & Vieira, M. (2013). Defending against Web Application Vulnerabilities. Retrieved 09 Oct, 2013, from http:\/\/www.infoq.com\/articles\/defending-against-web-application-vulnerabilities"},{"key":"ijdcf.2014100104-14","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2005.23"},{"key":"ijdcf.2014100104-15","unstructured":"Asadoorian, P., & Pesce, L. (2011). Linksys WRT54G Ultimate Hacking. Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=328626"},{"key":"ijdcf.2014100104-16","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2012.11.007"},{"key":"ijdcf.2014100104-17","doi-asserted-by":"publisher","DOI":"10.5121\/ijnsa.2011.3602"},{"key":"ijdcf.2014100104-18","doi-asserted-by":"publisher","DOI":"10.1016\/S1363-4127(03)00007-4"},{"key":"ijdcf.2014100104-19","unstructured":"Bau, J., Bursztein, E., Gupta, D., & Mitchell, J. (n.d.). State of the Art: Automated Black-Box Web Application Vulnerability Testing. Retrieved from http:\/\/theory.stanford.edu\/people\/jcm\/papers\/pci_oakland10.pdf"},{"key":"ijdcf.2014100104-20","unstructured":"Bhattacharyya, D., & Alisherov, F. A. (2009). Penetration testing for hire. International Journal of Advanced Science and Technology, 8."},{"key":"ijdcf.2014100104-21","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2007.159"},{"key":"ijdcf.2014100104-22","unstructured":"Boteanu, D. (2011). Penetration testing: Hacking made ethical to test system security. The Canadian Manager, 36(3), 10-11, 12."},{"key":"ijdcf.2014100104-23","doi-asserted-by":"crossref","unstructured":"Budiarto, R., Ramadass, S., Samsudin, A., & Noor, S. (2004). Development of Penetration Testing Model for Increasing Network Security. Retrieved from http:\/\/eprints.usm.my\/6868\/1\/Development_of_Penetration_testing_model_for_increasing_network_security.pdf","DOI":"10.1109\/ICTTA.2004.1307886"},{"key":"ijdcf.2014100104-24","year":"2006","journal-title":"Commercially available penetration testing"},{"issue":"8","key":"ijdcf.2014100104-25","first-page":"44","article-title":"Penetration Testing: Why Franchise Systems Need Information Security.","volume":"40","author":"H.Chan","year":"2008","journal-title":"Franchising World"},{"key":"ijdcf.2014100104-26","unstructured":"Chevalier, P. (2002). Search engines as penetration testing tools. Retrieved from http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download?doi=10.1.1.201.9443&rep=rep1&type=pdf"},{"key":"ijdcf.2014100104-27","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1016\/S1353-4858(97)83240-0","article-title":"Managing Network Security \u2013 Part 9: Penetration Testing?","volume":"8","author":"F.Cohen","year":"1997","journal-title":"Network Security"},{"issue":"10","key":"ijdcf.2014100104-28","first-page":"18","article-title":"Penetration Testing.","volume":"59","author":"B.Cook","year":"2009","journal-title":"Independent Banker"},{"key":"ijdcf.2014100104-29","unstructured":"Core SDI, Incorporated. (2013). Patent issued for system and method for providing network penetration testing. Computer Weekly News, 981."},{"key":"ijdcf.2014100104-30","unstructured":"Corothers, N. N. (2002). Vulnerability assessments: Methodologies to Perform a Self-Assessment. Retrieved from http:\/\/www.giac.org\/paper\/gsec\/2022\/vulnerability-assessments-methodologies-perform-self-assessment\/103498"},{"key":"ijdcf.2014100104-31","doi-asserted-by":"publisher","DOI":"10.1145\/1953163.1953175"},{"key":"ijdcf.2014100104-32","doi-asserted-by":"crossref","unstructured":"Engebretson, P. (2011). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy. Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=730200","DOI":"10.1016\/B978-1-59749-655-1.00001-5"},{"key":"ijdcf.2014100104-33","unstructured":"Fahmida, Y. R. (2011). Proactive, Aggressive Network Penetration Testing Lacking in Organization. Retrieved Aug 14, 2013, from http:\/\/www.eweek.com\/c\/a\/Security\/Proactive-Aggressive-Network-Penetration-Testing-Lacking-in-Organizations-390888\/"},{"key":"ijdcf.2014100104-34","unstructured":"Faircloth, J. (2011). Penetration Tester's Open Source Toolkit (3 ed.). Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=740483"},{"issue":"15","key":"ijdcf.2014100104-35","first-page":"44","article-title":"Put an end to manual penetration testing.","volume":"20","author":"E.Greer","year":"2006","journal-title":"Federal Computer Week"},{"key":"ijdcf.2014100104-36","unstructured":"Haeni, R. E. (1997). Firewall Penetration Testing. Retrieved from http:\/\/66.14.166.45\/whitepapers\/netforensics\/penetration\/Firewall%20Penetration%20Testing.pdf"},{"key":"ijdcf.2014100104-37","doi-asserted-by":"publisher","DOI":"10.1002\/stvr.450"},{"key":"ijdcf.2014100104-38","doi-asserted-by":"publisher","DOI":"10.1016\/S1363-4127(97)89713-0"},{"key":"ijdcf.2014100104-39","unstructured":"Herzog, P. (2003). Open-source Security Testing Methodology Manual. Retrieved from http:\/\/cdn.preterhuman.net\/texts\/other\/osstmm.pdf"},{"key":"ijdcf.2014100104-40","unstructured":"Hoppe, J. (n.d.). Passive Web Reconnaissance using Google and Other Tools. Retrieved from http:\/\/php.uat.edu\/~jefhoppe\/doc\/Passive_Recon.pdf"},{"key":"ijdcf.2014100104-41","author":"C.Hurley","year":"2007","journal-title":"WarDriving & Wireless Penetration Testing"},{"key":"ijdcf.2014100104-42","doi-asserted-by":"crossref","unstructured":"Jajodia, S., Noel, S., & O\u2019Berry, B. (2005). Topological Analysis of Network Attack Vulnerability. Managing Cyber Threats, 247-266.","DOI":"10.1007\/0-387-24230-9_9"},{"key":"ijdcf.2014100104-43","unstructured":"Kali.org. (Feb 25, 2013). What is Kali Linux? Retrieved May 11, 2013, from http:\/\/docs.kali.org\/introduction\/what-is-kali-linux"},{"key":"ijdcf.2014100104-44","doi-asserted-by":"publisher","DOI":"10.1145\/1644993.1645078"},{"key":"ijdcf.2014100104-45","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-30582-8_68"},{"key":"ijdcf.2014100104-46","doi-asserted-by":"crossref","unstructured":"Lebeau, F., Legeard, B., Peureux, F., & Vernotte, A. (2012). Model-Based Vulnerability Testing for Web Application. Retrieved from http:\/\/www.spacios.eu\/sectest2013\/pdfs\/sectest2013_submission_8.pdf","DOI":"10.1109\/ICSTW.2013.58"},{"key":"ijdcf.2014100104-47","doi-asserted-by":"crossref","unstructured":"Lipner, S. (2004). The Trustworthy Computing Security Development Lifecycle. Retrieved from https:\/\/www.acsac.org\/2004\/papers\/Lipner.pdf","DOI":"10.1109\/CSAC.2004.41"},{"key":"ijdcf.2014100104-48","doi-asserted-by":"crossref","unstructured":"Liu, M. R., & Lau, K. Y. (2000). Firewall Security: Policies, Testing and Performance Evaluation. Retrieved from http:\/\/pdf.aminer.org\/000\/112\/436\/firewall_security_policies_testing_and_performance_evaluation.pdf","DOI":"10.1109\/CMPSAC.2000.884700"},{"key":"ijdcf.2014100104-49","unstructured":"Long, J. (2011). Google Hacking for Penetration Testers. Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=344652"},{"key":"ijdcf.2014100104-50","author":"D.Maynor","year":"2007","journal-title":"Metasploit Toolkit for Penetration Tesing"},{"key":"ijdcf.2014100104-51","doi-asserted-by":"publisher","DOI":"10.1145\/366173.366183"},{"issue":"7","key":"ijdcf.2014100104-52","first-page":"59","article-title":"Is Penetration Testing a Good Idea?","volume":"20","author":"G.McGraw","year":"2005","journal-title":"Network Magazine"},{"key":"ijdcf.2014100104-53","unstructured":"Melbourne, J., & Jorm, D. (2010a). Penetration Testing for Web Application (Part One). Retrieved August 27, 2013, from http:\/\/www.symantec.com\/connect\/articles\/penetration-testing-web-applications-part-one"},{"key":"ijdcf.2014100104-54","unstructured":"Melbourne, J., & Jorm, D. (2010b). Penetration Testing for Web Applications (Part Two). Retrieved August 28, 2013, from http:\/\/www.symantec.com\/connect\/articles\/penetration-testing-web-applications-part-two"},{"key":"ijdcf.2014100104-55","unstructured":"Melbourne, J., & Jorm, D. (2010c). Penetration Testing for Web Applications (Part Three). Retrieved August 29, 2013, from http:\/\/www.symantec.com\/connect\/articles\/penetration-testing-web-applications-part-three"},{"key":"ijdcf.2014100104-56","unstructured":"Michael, C. C., Wyk, K. V., & Radosevich, W. (2005). Black Box Security Testing. Retrieved 10 Oct, 2013, from https:\/\/buildsecurityin.us-cert.gov\/articles\/tools\/black-box-testing\/black-box-security-testing-tools"},{"key":"ijdcf.2014100104-57","doi-asserted-by":"publisher","DOI":"10.1016\/S1361-3723(02)00612-7"},{"key":"ijdcf.2014100104-58","doi-asserted-by":"publisher","DOI":"10.1016\/S1353-4858(02)11009-9"},{"key":"ijdcf.2014100104-59","doi-asserted-by":"publisher","DOI":"10.1016\/S1353-4858(02)07007-1"},{"key":"ijdcf.2014100104-60","doi-asserted-by":"publisher","DOI":"10.1016\/S1353-4858(00)90006-0"},{"issue":"1","key":"ijdcf.2014100104-61","first-page":"187","article-title":"Penetration Testing: A Roadmap to Network Security.","volume":"1","author":"N. A.Naik","year":"2009","journal-title":"Journal of Computing"},{"key":"ijdcf.2014100104-62","unstructured":"Nicola, C. U. (n.d.). Tools for penetration tests 1. Retrieved from http%3A%2F%2Fweb.fhnw.ch%2Fplattformen%2Fns%2Fvorlesungsunterlagen-1%2Fnetwork-analysis-tools%2Fnetworktools.pdf&ei=4dO_VLmDNsmxggSS2YL4BQ&usg=AFQjCNGSCv_UOAxyEXwmAvHj4JcA4VcXSA&sig2=v-VaAt_8IhaUHqruQBoiRw&cad=rja"},{"key":"ijdcf.2014100104-63","unstructured":"Northcutt, S., Shenk, J., Shackleford, D., Rosenberg, T., Siles, R., & Mancini, S. (2006). Penetration Testing: Assessing Your Overall Security Before Attackers Do. Retrieved from http:\/\/www.sans.org\/reading-room\/analysts-program\/PenetrationTesting-June06"},{"key":"ijdcf.2014100104-64","unstructured":"Osborne, M. (2006). How to cheat at managing information security. Scitech Book News, 30(4). Retrieved from http:\/\/ezproxy.aut.ac.nz\/login?url=http:\/\/search.proquest.com\/docview\/200176483?accountid=8440"},{"issue":"48","key":"ijdcf.2014100104-65","first-page":"44","article-title":"FACE-OFF: Is penetration testing more effective than vulnerability scanning?","volume":"22","author":"P.Paget","year":"2005","journal-title":"New World (New Orleans, La.)"},{"key":"ijdcf.2014100104-66","doi-asserted-by":"publisher","DOI":"10.1016\/0167-4048(89)90054-0"},{"key":"ijdcf.2014100104-67","unstructured":"Piotrowski, M. (2005). Dangerous Google \u2013 Searching for Secrets. Retrieved from http:\/\/hackbbs.org\/article\/book\/DangerousGoogle-SearchingForSecrets.pdf"},{"key":"ijdcf.2014100104-68","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2004.84"},{"key":"ijdcf.2014100104-69","unstructured":"Prowell, S., Kraus, R., & Borkin, M. (2010). Seven Deadliest Network Attacks. Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=566706"},{"key":"ijdcf.2014100104-70","unstructured":"Ramachandran, V. (2011). BackTrack 5 Wireless Penetration Testing Beginner\u2019s Guide (1 ed.). Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=948547"},{"key":"ijdcf.2014100104-71","unstructured":"SAINTexploit Provides Means to Verify Network Security. SAINT Introduces the First Integrated Vulnerability and Penetration Testing Tool. (2006, Feb 23). Business Wire, p. 1. Retrieved from http:\/\/ezproxy.aut.ac.nz\/login?url=http:\/\/search.proquest.com\/docview\/445278511?accountid=8440"},{"key":"ijdcf.2014100104-72","doi-asserted-by":"crossref","unstructured":"Salter, C., Saydjari, O., Schneier, B., & Wallner, J. (1998). Toward a Secure System Engineering Methodology. In proceedings of New Security Paradigms Workshop, Charlottesville, Virginia.","DOI":"10.1145\/310889.310900"},{"key":"ijdcf.2014100104-73","year":"2002","journal-title":"Penetration 101 \u2013 Introduction to becoming a penetration tester"},{"key":"ijdcf.2014100104-74","doi-asserted-by":"publisher","DOI":"10.1016\/S1353-4858(97)85736-4"},{"key":"ijdcf.2014100104-75","unstructured":"Shetty, D. (n.d.). Penetration Testing with Metasploit Framework. Retrieved from http:\/\/dl.packetstormsecurity.net\/papers\/general\/pentesting-with-metasploit.pdf"},{"key":"ijdcf.2014100104-76","unstructured":"Shewmaker, J. 2008. Introduction to Network Penetration Testing. Retrieved from http:\/\/www.dts.ca.gov\/pdf\/news_events\/SANS_Institute-Introduction_to_Network_Penetration_Testing.pdf"},{"key":"ijdcf.2014100104-77","unstructured":"Singh, A. (2012). Metasploit Penetration Testing Cookbook (1 ed.). Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=952079"},{"key":"ijdcf.2014100104-78","author":"J. S.Stiller","year":"2005","journal-title":"The ethical hack: A framework for business value penetration testing"},{"key":"ijdcf.2014100104-79","author":"D.Stuttard","year":"2007","journal-title":"The Web Application Hacker\u2019s Handbook: Discovering and Exploiting Security Flaws"},{"key":"ijdcf.2014100104-80","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2005.3"},{"key":"ijdcf.2014100104-81","unstructured":"Tibble, I. (2011). Security De-Engineering: Solving the Problems in Information Risk Management (1 ed.). Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=840396"},{"key":"ijdcf.2014100104-82","unstructured":"Tiller, J. S. (2011). CISO's Guide to Penetration Testing: A Framework to Plan, Manage, and Maximize Benefits (1 ed.). Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=826967"},{"issue":"1","key":"ijdcf.2014100104-83","first-page":"72","article-title":"Towards Side-Effect-free Database Penetration Testing.","volume":"1","author":"Q. N. T.Tran","year":"2010","journal-title":"Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications"},{"key":"ijdcf.2014100104-84","author":"M.Utting","year":"2006","journal-title":"Practical Model-Based Testing \u2013 A Tools approach"},{"key":"ijdcf.2014100104-85","unstructured":"Vacca, J. R. (2010). Managing Information Security. Retrieved from http:\/\/AUT.eblib.com.au\/patron\/FullRecord.aspx?p=535284"},{"key":"ijdcf.2014100104-86","doi-asserted-by":"crossref","unstructured":"Vieira, M., Antunes, N., & Madeira, H. (2009). Using Web Security Scanners to Detect Vulnerabilities in Web Services. Retrieved from http:\/\/eden.dei.uc.pt\/~mvieira\/dsn_ws.pdf","DOI":"10.1109\/DSN.2009.5270294"},{"key":"ijdcf.2014100104-87","unstructured":"Villegas, G. (2008). Analysis of tools for conducting Wireless Penetration Testing. Retrieved from http:\/\/sci.tamucc.edu\/~cams\/projects\/311.pdf"},{"key":"ijdcf.2014100104-88","first-page":"42","article-title":"Guideline on network security testing.","volume":"800","author":"J.Wack","year":"2003","journal-title":"NIST Special Publication"},{"key":"ijdcf.2014100104-89","unstructured":"Watters, P. A. (1999). Penetration testing and intrusion detection. Inside Solaris, 5(11), 9-11. Retrieved from http:\/\/ezproxy.aut.ac.nz\/login?url=http:\/\/search.proquest.com\/docview\/191080065?accountid=8440"},{"key":"ijdcf.2014100104-90","author":"C.Weissman","year":"1973","journal-title":"System Security Analysis\/Certification Methodology and Results"},{"key":"ijdcf.2014100104-91","doi-asserted-by":"publisher","DOI":"10.1016\/S1361-3723(13)70039-3"}],"container-title":["International Journal of Digital Crime and Forensics"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=123388","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T23:02:59Z","timestamp":1654124579000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/ijdcf.2014100104"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2014,10,1]]},"references-count":92,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2014,10]]}},"URL":"https:\/\/doi.org\/10.4018\/ijdcf.2014100104","relation":{},"ISSN":["1941-6210","1941-6229"],"issn-type":[{"value":"1941-6210","type":"print"},{"value":"1941-6229","type":"electronic"}],"subject":[],"published":{"date-parts":[[2014,10,1]]}}}