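Penetration testing is an authorized simulated attack on a system, used to find exploitable vulnerabilities before real attackers discover them: ethical hackers actively attempt to break in. It provides a more realistic security assessment than automated scanning.
What penetration testing is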
PENETRATION TESTING = AUTHORIZED simulated attacks on a system to find real, exploitable
vulnerabilities:
→ ethical hackers / security pros actively try to BREAK IN (think and act like attackers)
→ goes beyond automated scanning → finds complex, chained, and logic vulnerabilities
→ AUTHORIZED and scoped (legal, agreed boundaries) — unlike real attacks
→ "How would a real attacker compromise this, and what could they reach?"
Types and methods
By KNOWLEDGE:
BLACK-BOX → no internal knowledge (like an outside attacker)
WHITE-BOX → full knowledge/access (thorough, internal view)
GRAY-BOX → partial knowledge (e.g. a regular user's access)
SCOPE → web apps, networks, APIs, mobile, cloud, social engineering, physical, etc.
PHASES → reconnaissance → scanning → exploitation → post-exploitation → reporting
