Ethical Hacking Vs Penetration Testing

Recently a reader posted a comment on our previous post "jSQL Injection - Java GUI for Database Injection.", where he asked about the difference between Ethical hacking And Penetration testing, As i said in the reply of that comment that it has been highly debatable topic among security researchers and hackers. According to some people "Hacking" cannot be Ethical in any way and lots of people do not like to associate the term "Ethical hacker" with them. According to some people both of them have same meaning and the term "hacker" is used to attract people for their courses and training programs.


However, the opinion of the people on the other side is that "Ethical hacking" should not be confused with Penetration testing and both of them are different terminologies and have different goals.

According to Ec-Council:

Penetration Testing: 
A goal-oriented project of which the goal is the trophy and includes gaining privileged access by pre-conditional means. 

Ethical Hacking: 
A penetration test of which the goal is to discover trophies throughout the network within the predetermined project time limit.

I found a more better explanations for both of these terms on likedln group discussion:

A penetration test is a formal set of procedures that measure an organizations security, are sanctioned by the organizations business and seek to improve the organizations security. 

Hacking is a very broad term. It's original meaning was simply to program or create devices as creative outleta and for pleasure. It has now acquired a darker meaning though among practioners, both meanings are used and context defines the sense of it. 

A hacking approach, to Pen testing can be useful because it would seek to find novel means of penetration before an attacker does. It still needs to be sanctioned and it should be done with a view to maintaining the clients operational reliability. In short, the person doing the hacking should have real professional mastery and control of what they are doing. 

According to Pen-test.com:

Penetration testing is a more narrowly focused phrase, it deals with the process of finding flaws in a target environment with the goal of penetration systems, taking control of them. Penetration testing, as the name implies, is focused on penetration the target organization’s defenses, compromising systems and getting access to information.

Ethical hacking is an expansive term encompassing all hacking techniques, and computer attack techniques to find security flaws with the permission of the target owner and the goal of improving the target’s security while penetration testing is more focused on the process of finding vulnerabilities in a target environment. In short, penetration testing is a subset of ethical hacking.



I hope the above clears the difference between Ethical hacking and Penetration Testing.