Penetration testing is a process in which you simulate the actions of a real attacker. A series of activities, aimed at various parts of an IT infrastructure, is performed to gain access to data and network devices that the tester should not be able to reach.
The activities conducted during a penetration test typically look for weaknesses such as the following and attempt to exploit them:
- Un-hardened or misconfigured IT components that expose vulnerabilities, such as error logs or verbose error pages that leak infrastructure details or credentials, or open ports that allow unrestricted access.
- Unprotected access points, such as login pages and unattended desktops.
- Poorly written application code that permits buffer overflows, SQL injection, or URL manipulation.
- Easily guessed passwords and weak password management.
- Default out-of-the-box settings, left unchanged, that are public knowledge (vendor default credentials, for example).
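As an added example of the "SQL injection" item above (this is not code from the original page), the snippet below shows a login check built by string concatenation next to the same check with bound parameters, and runs a classic tautology payload against both. The in-memory SQLite database, the `users` table, and the sample credentials are constructed for illustration only; real systems store password hashes rather than plaintext, which is left out here to keep the focus on the injection.

```python
"""SQL injection against a naive login check, and the parameterized fix.

Added example, not part of the original page. Uses an in-memory SQLite
database with a constructed users table; the table name, column names and
the sample credentials are assumptions for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password is a deliberate simplification for the demo only.
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!pass')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation: attacker input becomes SQL."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: input is treated as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run valid and injected credentials through both checks."""
    conn = make_db()
    # Tautology payload: closes the string literal, ORs in an always-true
    # condition, and comments out the rest of the WHERE clause.
    payload = "' OR '1'='1' --"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "S3cret!pass"),
        "vuln_wrong": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, payload, "anything"),
        "hard_valid": login_hardened(conn, "alice", "S3cret!pass"),
        "hard_injected": login_hardened(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

With the concatenated query, the payload turns the statement into `... WHERE username = '' OR '1'='1' --' AND password = 'anything'`, so the count is non-zero and the login is accepted without a password. The parameterized version sends the same payload as a literal username value, finds no such row, and rejects it; this is the check a tester looks for when probing a login form.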
Companies that specialize in penetration testing use scanning tools, heuristics and manual techniques to identify potential vulnerabilities and then prove that they can be exploited. If the test succeeds in gaining access and the IDS/IPS systems in place detect and log the activity, that also validates the usefulness of those systems; if they stay silent, the test has exposed a detection gap as well as the vulnerability.