Penetration testing (pen testing) is the process of simulating cyberattacks to identify vulnerabilities in a system before malicious hackers can exploit them. For Account Academy learners managing bookkeeping data or WordPress sites, understanding pen testing is crucial to securing sensitive information and ensuring robust defenses. This step-by-step guide introduces beginners to penetration testing tools and methodologies, walking you through a safe, legal, and practical pen test on your own computer or a test environment. No prior hacking experience is required—just a willingness to learn and follow ethical guidelines.

Why This Matters

In 2025, cyberattacks on small businesses and websites are increasingly sophisticated, targeting vulnerabilities like weak passwords or unpatched software. Penetration testing helps you proactively find and fix these weaknesses, protecting your financial records or WordPress sites. This guide uses free, beginner-friendly tools and a controlled environment to teach you the basics of ethical hacking, aligning with Account Academy’s mission to empower learners with practical cybersecurity skills.

What You’ll Need

A computer (Windows, macOS, or Linux; Linux preferred for pen testing)

An internet connection

Administrative access to your computer

VirtualBox (free virtualization software)

Kali Linux (free pen testing distribution, downloadable as a virtual machine)

A test environment (e.g., a virtual machine or a WordPress site you own)

A notebook or text editor to document findings

Important: Legal permission to test (only test systems you own or have explicit authorization for)

Step-by-Step Guide

Set Up a Safe Testing Environment

Why: Pen testing systems or networks you don’t own, or don’t have explicit written permission to test, is illegal. A virtual machine (VM) gives you a safe, isolated environment to practise in, where nothing you break matters.

Steps:

Download and install VirtualBox:

Visit virtualbox.org, click Download, and choose the version for your OS (Windows, macOS, or Linux).

Follow the installation wizard, accepting default settings.

Download Kali Linux VM:

Go to kali.org, navigate to Downloads > Virtual Machines, and select the VirtualBox image (64-bit).

Extract the downloaded archive and add it to VirtualBox:

Current images ship as a .7z archive containing a .vbox file: open VirtualBox, click Machine > Add, and select that .vbox file. (Older images were a single .ova file; for those, use File > Import Appliance instead and follow the prompts.)

Start the Kali VM:

In VirtualBox, select the Kali VM and click Start.

Log in with default credentials (username: kali, password: kali).

Create a second VM for testing (e.g., a Windows or Ubuntu VM):

Download an Ubuntu ISO from ubuntu.com, or a Windows VM from developer.microsoft.com/en-us/microsoft-edge/tools/vms (if that download is no longer offered, use Windows evaluation media from microsoft.com/evalcenter instead). Note that a freshly downloaded Windows or Ubuntu image is already patched against the old flaws used later in this guide; if you want a target that is actually exploitable, use a purpose-built vulnerable VM such as Rapid7’s Metasploitable 2, and never connect it to a real network.

Install it in VirtualBox as a new VM with default settings.

Tip: Put both VMs on the same VirtualBox “NAT Network” (Settings > Network > Attached to: NAT Network; create one in VirtualBox’s Network Manager if none exists). Plain “NAT” gives each VM its own private network, so Kali would not be able to reach the target. NAT Network hides the VMs from your LAN but still lets them reach the internet; if you run a deliberately vulnerable target, “Host-only” or “Internal Network” is stricter.

Understand Penetration Testing Methodology

Why: Pen testing follows a structured process to ensure thorough and ethical testing.

Steps:

Learn the five phases of pen testing:

Reconnaissance: Gather information about the target (e.g., open ports, services).

Scanning: Identify vulnerabilities using tools.

Gaining Access: Attempt to exploit vulnerabilities.

Maintaining Access: Check if persistent access is possible (not covered in this beginner guide).

Reporting: Document findings and suggest fixes.

For this guide, we’ll focus on reconnaissance, scanning, and basic exploitation in a safe VM environment.

Tip: Write down each phase in your notebook to track your progress.

Perform Reconnaissance with Nmap

Why: Nmap (Network Mapper) identifies open ports and services on a target, revealing potential entry points.

Steps:

Open Kali Linux and launch a terminal (click the terminal icon).

Nmap ships with Kali; run sudo apt update && sudo apt install nmap -y to make sure it is installed and current.

Find the target VM’s IP address:

In your test VM (e.g., Ubuntu), open a terminal and type ip a (Linux; ifconfig is missing on recent Ubuntu unless the net-tools package is installed) or ipconfig (Windows CMD) and note the IP (e.g., 192.168.1.100). On a VirtualBox NAT Network the address is normally in the 10.0.2.0/24 range.

Run a basic Nmap scan:

In Kali’s terminal, type nmap 192.168.1.100 (replace with your test VM’s IP).

Review the output, which lists open ports (e.g., port 80 for HTTP, 22 for SSH).

Try a more detailed scan: sudo nmap -sV -O 192.168.1.100 to identify service versions and guess the operating system (the -O OS-detection option needs root).

Tip: Save the output for later with nmap -oN scan_results.txt 192.168.1.100, or -oX scan_results.xml for XML, which is easier to process when you write the report.

Scan for Vulnerabilities with OpenVAS

Why: OpenVAS identifies specific vulnerabilities in the target system, such as outdated software.

Steps:

Install OpenVAS on Kali:

In the terminal, run sudo apt update && sudo apt install gvm -y (OpenVAS is now shipped as part of Greenbone Vulnerability Management, hence the package name).

Set up OpenVAS: Run sudo gvm-setup. This downloads the vulnerability feeds and can take well over an hour on a first run; the admin password is printed at the end, so copy it down. Run sudo gvm-check-setup afterwards to confirm everything is in place.

Start OpenVAS: Run sudo gvm-start and note the URL (e.g., https://127.0.0.1:9392).

Access OpenVAS:

Open Firefox in Kali, navigate to the OpenVAS URL (accept the self-signed certificate warning for this local-only service), and log in as admin with the password printed at the end of gvm-setup.

Create a scan:

In OpenVAS, go to Scans > Tasks > New Task.

Enter your test VM’s IP (e.g., 192.168.1.100) as the target.

Start the scan and wait for results (this may take 5–30 minutes).

Review the report for vulnerabilities (e.g., outdated Apache or weak SSH configurations).

Tip: Document high-severity vulnerabilities in your notebook for the next step.

Test a Simple Exploit (Safe and Legal)

Why: Exploiting a vulnerability demonstrates how attackers might gain access, helping you understand risks.

Steps:

Use Metasploit (pre-installed on Kali) to test a common vulnerability:

Open a terminal and type msfconsole to launch Metasploit.

Search for exploits: Type search smb to find exploits for SMB (a common Windows service).

Pick an exploit that matches a finding from your Nmap or OpenVAS results. As an example, exploit/windows/smb/ms17_010_eternalblue targets the SMBv1 flaw fixed by Microsoft in March 2017 (MS17-010), so it only works against an unpatched Windows VM; a current Windows 10 image is already patched. EternalBlue can also crash the target, which is acceptable in an isolated lab and exactly why you never run it against a live system:

Type use exploit/windows/smb/ms17_010_eternalblue.

Set the target: set RHOSTS 192.168.1.100 (replace with your test VM’s IP), then type show options and confirm LHOST is Kali’s address on the lab network.

Type check first: Metasploit probes the target and reports whether it looks vulnerable without exploiting it. Then type exploit and observe whether a session opens (sessions -l lists active sessions).

If the exploit fails, pick another vulnerability from your OpenVAS report or make the test VM deliberately vulnerable (e.g., install an outdated Apache server, or use a purpose-built vulnerable VM such as Metasploitable 2).

Tip: Only test exploits in your VM environment. Unauthorized testing is illegal.

Document and Report Findings

Why: Reporting is a key part of ethical hacking, helping you or others fix vulnerabilities.

Steps:

Open a text editor (e.g., Mousepad on Kali or Notepad on Windows).

Write a report including:

Target: Test VM’s IP and OS.

Tools Used: Nmap, OpenVAS, Metasploit.

Findings: List open ports, vulnerabilities with the CVE identifiers OpenVAS reports (e.g., “Port 80 open, running Apache 2.4.29, vulnerable to CVE-2023-XXXX”), and exploit results, including which exploits failed.

Recommendations: Suggest fixes (e.g., “Update Apache to the latest version” or “Close unused ports”).

Save the report as pen_test_report.txt.

Tip: Use your report to guide fixes on the test VM, then re-scan to confirm vulnerabilities are resolved.
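As an added example that ties the Nmap step and the reporting step together (this is not code from the original guide or from the Nmap project), the following Python script parses two Nmap XML files written with -oX, turns the open ports into findings in the report format described above, and diffs the baseline scan against the re-scan so you can show which ports were closed and which services were updated. The two XML documents, the IP 192.168.1.100, the OpenSSH and Apache version strings and the high-risk port table are constructed samples for illustration only.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX baseline.xml 192.168.1.100` writes
# (trimmed to the elements the parser needs). Not real scan output.
SAMPLE_BASELINE = """<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.1.100">
<host><status state="up"/><address addr="192.168.1.100" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.6p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
</ports></host></nmaprun>"""

# Constructed re-scan after the fixes: SMB firewalled off, Apache upgraded.
SAMPLE_RESCAN = """<nmaprun scanner="nmap" args="nmap -sV -oX rescan.xml 192.168.1.100">
<host><status state="up"/><address addr="192.168.1.100" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.6p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.58"/></port>
<port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
</ports></host></nmaprun>"""

# Services that have no business being reachable on a bookkeeping or WordPress
# host; anything here is reported as high severity (assumed policy, adjust to taste).
HIGH_RISK_PORTS = {21: "FTP (cleartext logins)", 23: "Telnet (cleartext)",
                   445: "SMB exposed", 3389: "RDP exposed"}


def port_number(key):
    """'445/tcp' -> 445, used for sorting."""
    return int(key.split("/")[0])


def parse_open_ports(xml_text):
    """Return (address, {'port/proto': {name, product, version}}) for the open
    ports of the first host in an Nmap XML document."""
    host = ET.fromstring(xml_text).find("host")
    addr = host.find("address").get("addr")
    open_ports = {}
    for port in host.iter("port"):
        if port.find("state").get("state") != "open":
            continue                       # closed/filtered ports are not findings
        svc = port.find("service")
        attrs = svc.attrib if svc is not None else {}
        key = f"{port.get('portid')}/{port.get('protocol')}"
        open_ports[key] = {"name": attrs.get("name", ""),
                           "product": attrs.get("product", ""),
                           "version": attrs.get("version", "")}
    return addr, open_ports


def classify(open_ports):
    """Turn the open-port map into (severity, text) findings, lowest port first."""
    findings = []
    for key in sorted(open_ports, key=port_number):
        svc = open_ports[key]
        banner = " ".join(x for x in (svc["product"], svc["version"]) if x) or svc["name"]
        if port_number(key) in HIGH_RISK_PORTS:
            findings.append(("high", f"Port {key} open: {HIGH_RISK_PORTS[port_number(key)]}"))
        else:
            findings.append(("info", f"Port {key} open, running {banner}"))
    return findings


def diff_scans(before, after):
    """Compare baseline and re-scan: ports that closed, ports that appeared,
    and services whose version string changed (i.e. were updated)."""
    closed = sorted(set(before) - set(after), key=port_number)
    new = sorted(set(after) - set(before), key=port_number)
    changed = {k: (before[k]["version"], after[k]["version"])
               for k in sorted(before.keys() & after.keys(), key=port_number)
               if before[k]["version"] != after[k]["version"]}
    return {"closed": closed, "new": new, "changed": changed}


def render_report(target, before, after):
    """Plain-text report in the Target / Tools / Findings / Verification shape."""
    lines = [f"Target: {target}", "Tools Used: Nmap (-sV -oX)", "", "Findings (baseline scan):"]
    lines += [f"  [{sev.upper()}] {text}" for sev, text in classify(before)]
    d = diff_scans(before, after)
    lines += ["", "Verification (re-scan after fixes):"]
    lines += [f"  closed: {k}" for k in d["closed"]]
    lines += [f"  updated: {k} {old} -> {new}" for k, (old, new) in d["changed"].items()]
    lines += [f"  NEW since baseline, investigate: {k}" for k in d["new"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # With real scans: open("baseline.xml").read() and open("rescan.xml").read().
    addr, baseline = parse_open_ports(SAMPLE_BASELINE)
    _, rescan = parse_open_ports(SAMPLE_RESCAN)
    print(render_report(addr, baseline, rescan))
```

Run it after the two scans described above (save them with -oX) and paste the output into pen_test_report.txt; anything listed under “NEW since baseline” is a regression introduced by your fixes and deserves a second look before you call the test closed.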

Clean Up and Secure Your Environment

Why: Ensure no accidental vulnerabilities are left open after testing.

Steps:

Shut down both VMs in VirtualBox.

Delete the test VM if no longer needed: In VirtualBox, right-click the test VM and select Remove > Delete all files.

Update Kali: Run sudo apt update && sudo apt upgrade -y.

Secure your main computer with a firewall and antivirus (see Account Academy’s firewall guide).

Tip: Take a snapshot of the clean Kali VM (Machine > Take Snapshot) or export it (File > Export Appliance) before deleting anything, so you can reuse it for future practice.

Additional Tips

Stay Legal: Always obtain permission before testing any system. Practice only on VMs or systems you own.

Learn More: Visit accountacademy.co.uk for advanced pen testing courses or ethical hacking certifications like CEH.

Join Communities: Explore tryhackme.com or hackthebox.com for free beginner-friendly pen testing labs.

Practice Regularly: Set up new VMs with different OSes to practice diverse scenarios.

Visit AccountAcademy.co.uk to learn more, book free training, or enrol in hands-on practical courses tailored to your growth. Whether you’re just starting out or looking to sharpen your edge, we’ve got the tools and expertise to help you succeed.

Start learning today at AccountAcademy.co.uk — where skill meets opportunity.
