An Ethical Hacking Guide: Foundations and Core Concepts


Ethical hacking, also known as white-hat hacking, is the authorized practice of bypassing system security to identify potential data breaches and threats in a network. Unlike malicious (black-hat) hackers, ethical hackers use their skills to improve security by finding vulnerabilities before they can be exploited. The “ethical” component is the most important part of the definition. It signifies that the hacking is performed with express permission, for the purpose of defense, and with a commitment to report all findings to the organization. The ultimate goal is not to cause harm but to prevent it.

White, Black, and Grey Hats: A Spectrum of Motives

In the cybersecurity world, hackers are often categorized by their motives, using a “hat” analogy. White-hat hackers are the good guys. They are the ethical hackers, security professionals, and researchers who have permission to test systems and help secure them. Black-hat hackers are the criminals. They act with malicious intent, seeking to steal data, disrupt services, or extort money. They operate illegally and are the adversaries that ethical hackers work to defend against. Grey-hat hackers fall somewhere in the middle. A grey-hat hacker might find a vulnerability without permission, but instead of exploiting it for personal gain, they might report it to the company, sometimes requesting a fee. Their actions are not sanctioned, so they operate in a legal and ethical grey area.

The ‘Ethical’ Mandate: Permission is Everything

The single most important distinction between an ethical hacker and a criminal is one non-negotiable document: written authorization. Before any test is performed, a formal agreement, usually a contract plus a “rules of engagement” document, must be signed by the ethical hacker and the organization that owns the systems. It explicitly defines the scope (which domains, IP ranges, and applications may be tested), the methods that are allowed, the testing window, who to call if something breaks, and what is strictly off-limits. This document provides the legal protection that makes the activity professional security testing instead of a crime. Testing any system without explicit, written permission from its owner is illegal, regardless of your intent, and systems hosted with a third party such as a cloud provider are additionally subject to that provider’s penetration-testing policy.

Why Companies Need Ethical Hackers

In today’s digital world, data is one of the most valuable assets a company has. A single data breach can result in heavy financial losses, regulatory fines, and lasting damage to a company’s reputation. Cybercrime is estimated to cost the global economy trillions of dollars a year, and attackers constantly evolve their techniques. Organizations hire ethical hackers to adopt an attacker’s mindset and simulate a real-world intrusion. This proactive approach, often called “offensive security,” is one of the most effective ways to find weaknesses that automated scanners and compliance checklists miss, because it answers the question, “Could a real attacker get in, and if so, how?” This practice is no longer a luxury but a necessity for businesses, especially in sectors like finance, healthcare, and e-commerce that handle sensitive customer data. They rely on ethical hackers to test their digital infrastructure the way an adversary would.

The Five Phases of the Hacking Lifecycle

Professional ethical hacking is a structured process, not a random act of technical magic. It is methodical and follows a professional engagement lifecycle, which is typically broken down into five distinct phases. These phases ensure that the testing is comprehensive and that all findings are properly documented. The five phases are: Reconnaissance, Scanning, Gaining Access, Maintaining Access, and finally, Covering Tracks and Reporting. Each phase has its own unique set of goals, techniques, and tools. A skilled ethical hacker must be proficient in all five phases to successfully simulate a sophisticated attack. The rest of this series will be structured around exploring the tools and techniques used in each of these critical stages, moving from information gathering all the way to the final report.

Phase 1: Reconnaissance – Casing the Joint

Reconnaissance, or “recon,” is the information-gathering phase. It is the first and arguably most important step. The goal is to learn as much as possible about the target organization before launching an attack. This is where the hacker identifies potential targets, maps out their digital footprint, and finds potential weak spots. Reconnaissance is split into two categories: passive and active. Passive recon involves gathering information from publicly available sources without directly interacting with the target’s systems. This is a “no-touch” approach that is stealthy and difficult to detect. Active recon involves directly probing the target’s systems to gather information. This is noisier and can be logged by the target’s security systems, but it often yields more detailed technical data.

Phase 2: Scanning – Finding the Open Doors

Once reconnaissance has identified potential targets, the scanning phase begins. This is a more active, technical approach to probing the target for vulnerabilities. The goal is to find open “doors” (ports) and identify the specific services running on them, along with their version numbers. Common techniques include port scanning, vulnerability scanning, and network mapping. A port scanner, for example, sends a connection attempt (a TCP SYN packet) to each port in a range and classifies the port by the reply: a SYN-ACK means the port is open, a RST means it is closed, and no reply at all usually means a firewall is dropping the packets (Nmap reports this as “filtered”). An open port, such as port 80 (web) or port 22 (SSH), indicates a running service. The hacker then uses other tools to “fingerprint” that service to find its exact software version, which can be cross-referenced with public databases of known vulnerabilities.

Phase 3: Gaining Access – The Breach

This is the “hacking” phase that most people think of. After identifying a vulnerability in the scanning phase, the hacker now attempts to exploit it to gain unauthorized access to the system. This is where the actual breach occurs. The method of exploitation depends entirely on the vulnerability found. It could involve using a tool to exploit a software flaw, guessing a weak password, or crafting a malicious payload that a user clicks on. Access could be gained to a web application, a server, a database, or a user’s computer. The goal is to get an initial “foothold” on the target network, which can be used as a starting point to move deeper into the system.

Phase 4: Maintaining Access – Setting Up Camp

Gaining access is one thing, but keeping it is another. A sophisticated attacker does not want to lose their hard-won access if the server reboots or the vulnerability is patched. In this phase, the hacker installs tools to ensure they can return to the system later. This is often called establishing “persistence.” It could involve creating a “backdoor” account, installing a “rootkit” (a tool to hide their presence), or registering a scheduled task or service that re-launches a “reverse shell” connecting back to their own server, giving them on-demand command and control. From this persistent foothold, the attacker can also begin “pivoting”: using the compromised machine to launch attacks deeper inside the private network, reaching systems that are not accessible from the public internet. In an authorized test, every persistence mechanism is agreed with the client beforehand, documented, and removed at the end of the engagement.

Phase 5: Clearing Tracks and Reporting

The final phase has two very different goals depending on who is doing the hacking. For a black-hat hacker, this phase is about “covering tracks.” They will attempt to delete or alter system logs, hide their files, and remove any evidence of their presence to avoid detection and prosecution. For an ethical hacker, this phase is the opposite: cleanup and reporting. Rather than hiding evidence, the tester removes every account, tool, and backdoor installed during the test, restores any configuration that was changed, and tells the client exactly where their activity will appear in the logs so the defenders can tell test traffic from a real attack. Then comes the most important part of the job: the report. The ethical hacker meticulously documents every step of the attack, every vulnerability found, and every piece of data accessed, and compiles it into a professional report for the organization. This report includes an executive summary for management, detailed technical findings with enough evidence to reproduce each issue, a severity rating for each, and, most importantly, concrete recommendations on how to fix each vulnerability.

The Bedrock Skill: Networking Fluency

Before you can use any hacking tool, you must understand what you are hacking. The foundation of all modern systems is the network. Without a deep and fluent understanding of networking principles, hacking tools are just magic boxes that you do not know how to control. You must understand the TCP/IP suite and the layered models used to describe it: the four-layer TCP/IP model (five layers in some textbooks) or the seven-layer OSI model. You need to know what an IP address is, what a subnet mask does, how a DNS server translates a name into an address, and how ARP ties an IP address to a hardware address on the local network. This knowledge is non-negotiable. It is the difference between a “script kiddie” who just runs tools and a professional penetration tester who understands how the tools work and can adapt when they fail.

Understanding the OSI Model

The Open Systems Interconnection (OSI) model is a conceptual framework that standardizes the functions of a telecommunication or computing system into seven abstract layers. Hackers love this model because it provides a map for troubleshooting and exploitation. For example, Layer 7 is the Application layer, where protocols like HTTP (web) and FTP (file transfer) live. Web application attacks target this layer. Layer 4 is the Transport layer, which handles data flow using TCP and UDP. Port scanning tools operate at this layer. Layer 3 is the Network layer, where IP addresses live and routing happens. Network-level attacks like “IP spoofing” target this layer. Understanding this model helps you categorize attacks.

TCP vs. UDP: The Two-Way Street and the Postcard

At Layer 4, you have two primary protocols: TCP and UDP. TCP, or Transmission Control Protocol, is connection-oriented. It establishes a reliable connection with a three-way “handshake” (SYN, SYN-ACK, ACK) before sending data, and it ensures all data arrives intact and in order, making it the right choice for web browsing and file transfers. UDP, or User Datagram Protocol, is connectionless. It is a “fire-and-forget” protocol, like sending a postcard. It has far less overhead than TCP but offers no guarantee that the data will arrive, or arrive in order. It is used for services where latency matters more than perfect delivery, such as DNS lookups, video streaming, and online gaming. Many hacking tools, especially scanners, manipulate these protocols directly. For example, a “SYN scan” sends only the first packet of the handshake and, when a SYN-ACK comes back, answers with a RST instead of the final ACK, so the target application never sees a completed connection to log; a firewall or intrusion detection system watching the packets still sees every SYN. UDP ports are harder to scan for the same reason UDP is fast: a silent UDP port could be open, filtered, or simply slow to answer, so UDP scans rely on ICMP “port unreachable” replies and take much longer.

Common Ports and Services: The Front Doors

In networking, a “port” is a numbered endpoint on a computer that is designated for a specific service. Think of the computer’s IP address as the street address of an apartment building, and the ports as the individual apartment numbers. By default, standard services listen on specific, well-known ports. Port 80 is for HTTP (unencrypted web traffic), and port 443 is for HTTPS (encrypted web traffic). Port 22 is for SSH (Secure Shell), and port 21 is for FTP (File Transfer Protocol). When an ethical hacker performs a port scan, they are checking to see which of these “doors” are open. An open port 80 tells them a web server is probably running. An open port 22 tells them they might be able to log in remotely. Remember that these are only defaults: an administrator can run SSH on port 2222 or a web server on 8443, and an attacker can park a backdoor on port 443 to blend in, which is why a scanner must also identify the service that is actually speaking on the port, not just the port number.

The Bedrock Skill: Operating System Command

The second foundational skill is deep proficiency with operating systems, primarily Linux and Windows. When you gain access to a server, you will not be presented with a friendly graphical interface. You will be given a command-line terminal. You must be able to navigate the filesystem, manage processes, edit text files, and check network configurations using only your keyboard. You must understand file permissions, user accounts, and system services. This fluency is essential for both navigating a compromised system and securing your own.

Why Linux is the Hacker’s Choice

The vast majority of ethical hackers and security professionals use a Linux-based operating system. This is because Linux is open-source, giving you complete and granular control over your environment. You can modify every aspect of the system to suit your needs. Furthermore, Linux is a command-line-centric environment, which makes it perfect for scripting and automation, two core activities in hacking. You can “chain” multiple tools together, feeding the output of one program directly into the input of another, to create powerful, custom workflows.

Introduction to Kali Linux

For ethical hackers, the most popular Linux distribution is Kali Linux. Kali is a specialized, Debian-based distribution that comes pre-installed with hundreds of the top ethical hacking and penetration testing tools. This saves a massive amount of time on setup. Tools for reconnaissance, scanning, web hacking, wireless attacks, and password cracking are all organized and ready to use. However, Kali is not a magic wand. A common beginner mistake is to think that simply using Kali makes you a hacker. It is just a toolbox. Without a deep understanding of the underlying networking and OS fundamentals, it is a toolbox full of complex instruments that you do not know how to play.

Understanding the Windows Environment

While hackers use Linux, their targets are very often Windows. The corporate world runs on Windows. Therefore, a professional ethical hacker must be an expert in the Windows environment as well. This means understanding the Windows command line (CMD and the more powerful PowerShell), the Windows Registry (a central database for system configuration), and how permissions work (ACLs, or Access Control Lists). A huge part of corporate hacking involves understanding Active Directory, the centralized identity management service used in nearly all large organizations. Exploiting weaknesses in Active Directory is a common way for an attacker to escalate their privileges from a regular user to a full domain administrator.

Building Your Lab: The Power of Virtualization

You cannot—and must not—practice hacking on real, live systems on the internet. This is illegal and will get you into serious trouble. To practice safely, you must build your own isolated laboratory. This is done using virtualization software, such as VirtualBox or VMware. These applications allow you to run multiple “virtual machines” (VMs) on your one physical computer. A VM is a complete, self-contained operating system running in a window. Your lab will consist of your “attacker” machine (like Kali Linux) and one or more “victim” machines (like an old, unpatched version of Windows or a deliberately vulnerable application). These VMs are networked together in an “internal-only” network, isolating them from the real internet and creating a safe sandbox for you to practice your attacks.

The Goal of Reconnaissance

As introduced in Part 1, reconnaissance is the “information gathering” phase of the hacking lifecycle. The primary goal is to build a comprehensive profile of the target organization. This is a patient, meticulous process that can be the most time-consuming part of an engagement, often taking up the majority of the allotted time. A well-executed reconnaissance phase provides the attacker with a map of the target’s digital and physical landscape. This map includes IP address ranges, domain names, employee information, and the technologies they use. The more thorough the recon, the higher the likelihood of a successful attack.

Passive Reconnaissance: The Invisible Investigator

Passive reconnaissance involves gathering intelligence without directly interacting with the target’s servers or infrastructure. The goal is to be a ghost. The target should have no record or log of your activities. This is achieved by leveraging publicly available information. This type of recon is also known as OSINT, or Open-Source Intelligence. It is the art of finding and connecting seemingly disparate pieces of public data to build a cohesive picture. This can include searching for information on search engines, social media, public records, and job boards.

OSINT Technique: Advanced Google Dorking

One of the most powerful passive recon tools is a search engine. “Google dorking” is the practice of using advanced search operators to find information that was never meant to be public but has been indexed anyway. Operators like site: restrict a search to a specific domain; for example, site:target-company.com shows only results from that company. The filetype: operator finds specific file types, such as filetype:pdf or filetype:xls, which might reveal internal reports or spreadsheets. Other operators find login pages (intitle:"Login"), directory listings (intitle:"index of"), or error messages that reveal the underlying technology, and operators can be combined, as in site:target-company.com intitle:"index of". This technique can quickly uncover exposed files, sensitive documents, and technical details about a target’s web servers. One caveat: the search itself is invisible to the target, but clicking through to a result is not, since that request is served, and logged, by the target’s own server.

OSINT Technique: Social Media and Job Boards

People are often the weakest link in security. Hackers can learn a vast amount from what employees post publicly. By browsing social media platforms, an attacker can find employee names, job titles, and even details about their work projects. This information is gold for a “social engineering” attack. For example, knowing the name of the IT manager allows an attacker to send a highly convincing “phishing” email. Job boards are another goldmine. A job posting for a “Senior React Developer” or a “Network Admin with Cisco ASA experience” tells the attacker exactly what technologies the company uses internally. They can then search for known vulnerabilities in those specific technologies.

OSINT Tool: Maltego

Maltego is a powerful, professional tool for open-source intelligence and data mining. It specializes in finding relationships between disparate pieces of information and visualizing them in an easy-to-understand graph. A user can start with a single piece of information, like a domain name. Maltego will then run automated “transforms” to find related information, such as DNS records, IP addresses, and email addresses associated with that domain. It can then pivot off that new information, finding the social media profiles for those email addresses, and so on. This creates a large, interconnected map of a target’s digital footprint, revealing connections that would be difficult to find manually.

Active Reconnaissance: Knocking on the Door

After exhausting passive sources, the ethical hacker moves to active reconnaissance. This is where they begin to directly interact with the target’s infrastructure. These actions can be logged by the target, so they are done with more caution, but they provide much more accurate technical data. The goal of active recon is to confirm the information found in the passive phase and discover new, technical details. The primary techniques in this phase are port scanning and network mapping, which directly probe the target’s live servers.

Tool Deep Dive: Nmap (Network Mapper)

Nmap is the most famous and widely used port scanner in the world and an indispensable tool for any ethical hacker. Its core function is to discover hosts on a network and determine which ports are open on those hosts, but its capabilities go far beyond that. Nmap can perform a wide variety of scan types. A “TCP connect” scan (-sT) is reliable but noisy, because it completes the full TCP handshake and therefore shows up as a real connection in the target application’s logs. A “SYN scan” (-sS) sends only the first packet of the handshake and resets the connection as soon as the reply arrives, so the application never sees a completed connection; it is quieter, but it requires raw-socket privileges (root or Administrator), and any firewall or intrusion detection system inspecting the packets will still see it. Nmap is a command-line tool, but its syntax is intuitive. A simple nmap target-ip runs a default scan of the 1,000 most common TCP ports (a SYN scan when run as root, a connect scan otherwise). More advanced scans use flags to specify the scan type, the ports to check (-p), and the speed and aggressiveness of the scan (-T0 through -T5).

Nmap for OS and Version Detection

Knowing a port is open is useful, but knowing what is running on that port is critical. This is where Nmap’s version detection feature shines. With the -sV flag, Nmap sends a series of probes to each open port and matches the replies against its database of service signatures to “fingerprint” the service. It attempts to determine the exact software and version number, for example “Apache httpd 2.4.41” or “OpenSSH 7.6p1”. This information is the key to the next phase, because the hacker can now search for known exploits for that specific version (with the caveat that distributions often backport fixes without changing the version banner, so a match must be confirmed). Nmap also has an OS detection feature (-O), which analyzes TCP/IP stack quirks to make an educated guess about the target’s operating system, such as “Windows Server 2019” or “Linux 5.4”. Both options are noisier than a plain port scan, and -O needs raw-packet privileges and works best when it can see at least one open and one closed port on the target.
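The following is an added example, not code from the original guide or from the Nmap project, showing in Python what a connect scan and banner-based version detection do at the socket level. It starts two listeners on 127.0.0.1 that return constructed banners (an OpenSSH 7.6p1 string and an Apache 2.4.41 header, chosen to match the text above) and scans them together with a closed port; the FINGERPRINTS rules are a hypothetical two-entry stand-in for Nmap’s probe database. It uses only the loopback interface, so it touches no one else’s system.

```python
import re
import socket
import threading

# Constructed banners for this demo: two loopback listeners stand in for target
# services. Real nmap -sV matches replies against a large probe/match database.
FAKE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n",
    "http": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
}

# Hypothetical fingerprint rules: (regex over the banner, service name).
FINGERPRINTS = [
    (re.compile(rb"^SSH-\d\.\d-(?P<product>OpenSSH)[_-](?P<version>[\w.]+)"), "ssh"),
    (re.compile(rb"Server:\s*(?P<product>Apache|nginx)/(?P<version>[\d.]+)"), "http"),
]


def start_fake_service(banner, speaks_first):
    """Listen on an ephemeral loopback port and return the port number.
    speaks_first=True mimics SSH (banner sent immediately); False mimics HTTP
    (the server stays silent until it receives a request)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    if not speaks_first:
                        conn.settimeout(2.0)
                        conn.recv(1024)            # wait for the client's request
                    conn.sendall(banner)
                except OSError:                    # timeout, or client hung up early
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """A loopback port nothing listens on, to produce a 'closed' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan (nmap -sT): a full three-way handshake per port.
    connect() succeeding means open; an immediate RST (ConnectionRefusedError)
    means closed; a timeout usually means a firewall silently dropped the SYN."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:                        # includes socket.timeout
                results[port] = "filtered"
    return results


def grab_banner(host, port, timeout=1.0):
    """Version-detection step: read what the server volunteers; if it is silent,
    send a harmless HTTP request (one of the probes nmap -sV also tries)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024)
        except socket.timeout:
            pass
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def fingerprint(banner):
    """Map a raw banner to {service, product, version} using FINGERPRINTS."""
    for pattern, service in FINGERPRINTS:
        match = pattern.search(banner)
        if match:
            return {"service": service, "product": match["product"].decode(),
                    "version": match["version"].decode()}
    return {"service": "unknown", "product": None, "version": None}


if __name__ == "__main__":
    targets = [start_fake_service(FAKE_BANNERS["ssh"], True),
               start_fake_service(FAKE_BANNERS["http"], False), free_port()]
    for port, state in connect_scan("127.0.0.1", targets).items():
        info = fingerprint(grab_banner("127.0.0.1", port)) if state == "open" else {}
        print(port, state, info)
```

A SYN scan is deliberately left out: it needs raw sockets and root, and the connect scan above is what Nmap itself falls back to as an unprivileged user. Note also that a banner is a claim, not proof: a fully patched OpenSSH 7.6p1 on Ubuntu still announces 7.6p1, which is why version-based findings need confirmation before they go in a report.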

The Nmap Scripting Engine (NSE)

What makes Nmap truly powerful is the Nmap Scripting Engine (NSE). It allows Nmap to run small scripts, written in the Lua language, that go well beyond a simple port scan. Hundreds of scripts ship with Nmap, grouped into categories such as vuln (vulnerability checks), discovery, auth, brute, safe, intrusive, and exploit. A hacker can run a script to automatically check whether a web server is vulnerable to a specific, well-known flaw. For example, nmap -p 80 --script=http-sql-injection target-ip crawls the web server on port 80 and tests its forms and parameters for basic SQL injection. This blurs the line between scanning and exploitation, which is exactly why the brute, intrusive, and exploit categories must only be run against systems that are explicitly in scope: they send real attack traffic and can affect the target.

Tool Deep Dive: Angry IP Scanner

While Nmap is the comprehensive, all-in-one “Swiss Army knife” of scanning, it can sometimes be complex. Angry IP Scanner is a different kind of tool. It is a cross-platform, lightweight, and incredibly fast IP address and port scanner. Its primary use is to quickly scan a large range of IP addresses to see which ones are “live” or online. It is multithreaded, meaning it scans many hosts at once, which makes it much faster than a default Nmap scan for simple host discovery. It does not have the advanced version detection or scripting capabilities of Nmap, but it excels at its one job: quickly building a list of active targets on a large network. Many hackers will use Angry IP Scanner first to find live hosts, then feed that list to Nmap for a deeper, more detailed scan.

Tool Deep Dive: Wireshark

Wireshark is not a scanner, but it is a critical tool during the reconnaissance and scanning phases. It is a network protocol analyzer, or “packet sniffer.” It captures the raw network traffic on an interface and decodes it into a readable form. For an ethical hacker, Wireshark is the tool for “looking under the hood” of the network. You can use it to see exactly how your scanning tools, like Nmap, construct their packets, which helps you understand what a scan really looks like on the wire and what a defender’s IDS will see. It can also be used for passive reconnaissance: by listening to traffic on a network you are authorized to test, you can discover hosts, learn which protocols are in use, and catch credentials sent by unencrypted protocols such as HTTP, FTP, or Telnet in plain text. Two caveats: on a modern switched network your interface normally sees only its own traffic plus broadcasts, so capturing other hosts’ conversations requires a mirror port, an ARP-spoofing position, or monitor mode on Wi-Fi; and capturing other people’s traffic on a network you do not own or have permission to test (a public Wi-Fi hotspot, for instance) is a crime in most jurisdictions.

Wireshark for Analysis and Filtering

A raw packet capture can be overwhelming, containing thousands of packets per minute. The real power of Wireshark is in its display filtering. You can write simple filters to narrow down the traffic to exactly what you are interested in. For example, a filter of ip.addr == 1.2.3.4 shows only packets going to or from that specific IP address, and tcp.port == 80 shows only traffic to or from port 80, which is normally HTTP. Filters combine with && and ||, so ip.addr == 1.2.3.4 && tcp.port == 80 isolates one host’s web traffic. You can then “follow” a TCP stream, which reassembles the segments of one connection in sequence order and shows the conversation between a client and a server as it was sent. This lets you see the exact data being exchanged, such as a username and password submitted in a login form over plain HTTP. Over HTTPS the same stream shows only the TLS handshake followed by ciphertext, which is why encrypted transport is the first defense against sniffing.
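Added example, not from the original guide or the Wireshark project: a small Python dissector that applies the two display filters above and follows a TCP stream over a capture constructed in code. The four frames are built by hand (10.0.0.5 as the client, 10.0.0.80 as the web server, and 10.0.0.90 as an unrelated HTTPS host are hypothetical addresses; IP and TCP checksums are left at zero), with the POST request deliberately split into two segments that appear out of order, so the reassembly step has something to do.

```python
import socket
import struct
from urllib.parse import parse_qs

# Everything below is a constructed capture, not a real pcap. Checksums are zero
# (Wireshark would flag them; this code never verifies them).


def build_frame(src_ip, dst_ip, sport, dport, seq, flags, payload=b""):
    """Build one Ethernet/IPv4/TCP frame (dummy MACs, zero checksums)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)                    # EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Dissect a frame into a dict keyed by Wireshark-style field names (a subset)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                               # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {"ip.src": socket.inet_ntoa(ip[12:16]), "ip.dst": socket.inet_ntoa(ip[16:20]),
           "ip.proto": ip[9]}
    if pkt["ip.proto"] == 6:                                      # TCP
        tcp = ip[ihl:]
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        data_offset = (off_flags >> 12) * 4
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                    "tcp.flags": off_flags & 0x1FF, "tcp.payload": tcp[data_offset:]})
    return pkt


# Display-filter equivalents: each returns a predicate over a parsed packet.
def ip_addr(addr):                      # ip.addr == addr
    return lambda p: addr in (p["ip.src"], p["ip.dst"])


def tcp_port(port):                     # tcp.port == port
    return lambda p: port in (p.get("tcp.srcport"), p.get("tcp.dstport"))


def apply_filter(packets, *predicates):  # predicates are AND-ed, like a && b
    return [p for p in packets if all(pred(p) for pred in predicates)]


def follow_tcp_stream(packets, client, server, server_port):
    """'Follow TCP Stream', client->server direction only: order the segments by
    sequence number and concatenate payloads (retransmissions not handled)."""
    segs = [p for p in packets if p["ip.src"] == client and p["ip.dst"] == server
            and p.get("tcp.dstport") == server_port]
    segs.sort(key=lambda p: p["tcp.seq"])
    return b"".join(p["tcp.payload"] for p in segs)


def credentials_from_http_form(stream):
    """Pull username/password from a plaintext HTTP form POST. Only works over
    unencrypted HTTP; with HTTPS the payload is TLS ciphertext."""
    _headers, _, body = stream.partition(b"\r\n\r\n")
    form = parse_qs(body.decode(errors="replace"))
    return {k: v[0] for k, v in form.items() if k in ("username", "password")}


PSH_ACK = 0x18
REQ_HEAD = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n")
REQ_BODY = b"username=alice&password=hunter2"

# The body segment is listed before the header segment (arrived out of order), and
# unrelated HTTPS traffic to another host is mixed in for the filters to drop.
CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.80", 51234, 80, 1000 + len(REQ_HEAD), PSH_ACK, REQ_BODY),
    build_frame("10.0.0.5", "10.0.0.90", 51235, 443, 5000, PSH_ACK, b"\x17\x03\x03\x00\x20" + bytes(32)),
    build_frame("10.0.0.5", "10.0.0.80", 51234, 80, 1000, PSH_ACK, REQ_HEAD),
    build_frame("10.0.0.80", "10.0.0.5", 80, 51234, 7000, PSH_ACK, b"HTTP/1.1 302 Found\r\n\r\n"),
]


def sniff_credentials(capture, client, server):
    """Filter to the server's port-80 traffic, follow the stream, read the form."""
    packets = [p for p in map(parse_frame, capture) if p]
    web = apply_filter(packets, ip_addr(server), tcp_port(80))
    return credentials_from_http_form(follow_tcp_stream(web, client, server, 80))


if __name__ == "__main__":
    print(sniff_credentials(CAPTURE, "10.0.0.5", "10.0.0.80"))
```

The same pipeline run over the 443 frame yields nothing readable, which is the practical point of the HTTPS remark above: the filter still matches the packets, but the stream is ciphertext.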

Tool Deep Dive: Traceroute NG and LiveAction

Understanding the path your data takes to a target is another piece of reconnaissance. Traceroute is a network diagnostic tool that maps the “hops” your packets take as they travel from your computer to a target server; each hop is a router. By looking at the names of these routers (a reverse DNS lookup on each hop address), you can often learn about the target’s network infrastructure and which internet service providers and hosting companies they use. Traceroute NG is a modern evolution of this tool that traces continuously and records how the path changes over time. LiveAction, a broader network performance company, provides tools that build on this, offering network path analysis and visualization to diagnose issues and understand network architecture. For a hacker, this maps the “roads” leading to the target’s castle. Keep in mind that traceroute is active: the probes reach the target, and the last hops are often blanked out by the target’s firewall.

Tool Deep Dive: NetStumbler and Kismet

These tools are specialized for wireless reconnaissance. Before you can test a Wi-Fi network, you must first discover it. This is a practice known as “wardriving” or “warwalking”: moving through an area to map all the wireless networks. NetStumbler is a classic, though long unmaintained, Windows tool that detects IEEE 802.11 (Wi-Fi) networks. It can identify a network’s name (SSID), its security protocol (open, WEP, WPA), and its signal strength, but it works by actively sending probe requests, so access points can see it. Kismet is the more powerful, modern choice. It puts the wireless card into monitor mode and is a sniffer, wardriving tool, and wireless intrusion detection system all in one. Because it only listens, it can passively detect every wireless network in range, including “hidden” networks that do not broadcast their SSID, by watching the clients that talk to them. It is a foundational tool for any wireless engagement. Mapping networks from a public place is generally legal; connecting to or attacking a network without its owner’s permission is not.

Vulnerability Scanning: The Next Step

After port scanning identifies open ports and services, the next logical step is vulnerability scanning. A vulnerability scanner is an automated tool that checks a target system against a massive database of known vulnerabilities. While Nmap’s scripting engine can do some basic vulnerability checks, dedicated scanners are far more comprehensive. They are designed to test for thousands of misconfigurations and flaws, usually without exploiting them, though even a “safe” scan can knock over fragile devices such as printers, industrial controllers, or old network appliances, so the scan scope and timing should be agreed with the client. This phase is critical for finding the “low-hanging fruit”: common, well-known vulnerabilities that the target organization has failed to patch or configure correctly.

Tool Deep Dive: Nessus

Nessus is one of the most popular and well-respected vulnerability scanners in the world. It was originally open-source but is now a commercial product from Tenable, though a free “Essentials” version, limited to 16 IP addresses, is still available for home and educational use. Nessus works by running a series of “plugins” against a target. Each plugin is a small test for a specific vulnerability, such as an unpatched service, a weak default password, or a dangerous misconfiguration. Nessus can perform “unauthenticated” scans (acting as an external attacker with no credentials) or “authenticated” scans. An authenticated scan, where you provide Nessus with a user login, is far more accurate: it can log into the system and check installed package versions and local configuration directly, whereas an unauthenticated scan has to guess from version banners, which is error-prone because Linux distributions often backport security fixes without changing the advertised version number.

Tool Deep Dive: OpenVAS

OpenVAS (Open Vulnerability Assessment System) is the open-source fork of Nessus, created after Nessus became a closed-source product; it is now developed by Greenbone and distributed as part of the Greenbone Community Edition. It is completely free and is a powerful, comprehensive vulnerability scanner. Like Nessus, it is a framework that includes a scanner, a database of vulnerability tests (called Network Vulnerability Tests or NVTs), and a management interface. OpenVAS is a popular choice for individuals and companies who want a powerful vulnerability scanning solution without the cost of a commercial product. It is a core component of many security toolkits and provides detailed reports that identify vulnerabilities, rank them by severity (CVSS score), and often suggest the exact steps for remediation.

Finalizing the Attack Plan

The reconnaissance and scanning phases culminate in a wealth of information. The ethical hacker now has a detailed map of the target’s network, a list of live hosts, and a list of open ports and services on those hosts. Most importantly, they have a list of potential vulnerabilities from tools like Nmap, Nessus, and OpenVAS. They can see that a specific server is running an old version of a web server that is vulnerable to a known exploit. This information is used to finalize the attack plan. The hacker will prioritize the most promising vulnerabilities and select the appropriate tools to exploit them. This leads directly into the next phase: Gaining Access.

The Web as the Primary Attack Vector

In the modern digital landscape, web applications are the front door to an organization. Nearly every company has a website, a customer portal, or an internal application that is accessible via a web browser. These applications are complex, custom-built, and, as a result, often full of security holes. For a hacker, attacking a web application is often the path of least resistance. It is easier to find a flaw in a million lines of custom application code than it is to bypass a hardened, modern network firewall. This is why web application hacking is one of the most critical skills for an ethical hacker.

The OWASP Top 10

To bring order to the world of web vulnerabilities, the security community relies on the OWASP Top 10. OWASP is the Open Worldwide Application Security Project (until 2023 the Open Web Application Security Project), a non-profit foundation dedicated to improving software security. Every few years, OWASP publishes a list of the “Top 10” most critical web application security risks; the 2013, 2017, and 2021 editions are the recent ones. The list is based on real-world data contributed by security organizations and serves as a widely accepted baseline for developers and ethical hackers. When an ethical hacker tests a web application, they are, at a minimum, testing for every risk category on this list; the Top 10 is a floor, not a ceiling, and a thorough test goes well beyond it. We will explore several of these categories and the tools used to find and exploit them.

Tool Deep Dive: Burp Suite

It is impossible to discuss web application hacking without mentioning Burp Suite. This is the single most important tool for any web security professional. It is an integrated platform for testing web application security, and it functions primarily as an “intercepting proxy.” This means Burp Suite sits between your web browser and the application’s server. It “intercepts” every single HTTP request your browser sends and every response the server sends back. This allows you to pause, view, and modify the raw data in transit before it reaches its destination. This capability is a superpower. You can change a form submission, modify a user ID in a cookie, or tamper with a URL parameter to see how the server responds. The free “Community” edition is incredibly powerful, while the “Professional” version adds automated scanning features.

Burp Suite’s Core Components: Proxy, Repeater, and Intruder

Burp Suite is a collection of tools. The “Proxy” is the core intercepting engine; this is where you view and modify traffic in real time. The “Repeater” tool is where you send an interesting request you have captured. You can then modify the request over and over, for example changing a user ID in the request, and resend it to analyze the server’s response to each change. This is perfect for manually testing for flaws such as insecure direct object references. The “Intruder” tool automates attacks. You take a request, mark a payload position (like the password field), and load a payload list (such as a wordlist of 10,000 common passwords). Intruder then sends one request per payload and tabulates the status code, response length, and timing of each reply so you can spot the one that differs, which is how you tell a successful login from the thousands of failures. Two practical notes: the free Community Edition rate-limits Intruder, so large wordlists run slowly, and a password-guessing attack of this kind trips account lockouts and alerts, so it must be cleared with the client and run against a test account wherever possible.
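Added example, not from the original guide or from PortSwigger: a Python reproduction of an Intruder “sniper” run against a stand-in login endpoint that the script starts itself on 127.0.0.1. The accounts, wordlists, and the five-attempt lockout are constructed for the demo. It shows the classification step Intruder leaves to you (which response is the odd one out) and what happens when the target locks the account before the wordlist is exhausted.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Constructed demo accounts for the stand-in login server. Passwords are in clear
# text only to keep the demo readable; a real application stores password hashes.
USERS = {"alice": "hunter2", "bob": "letmein99"}
LOCKOUT_AFTER = 5            # failed attempts before the account is locked
_failures = {}               # username -> consecutive failures (server-side state)


class LoginHandler(BaseHTTPRequestHandler):
    """Minimal /login endpoint: 200 on success, 401 on bad password, 423 once locked."""

    def log_message(self, *args):        # keep the demo output quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if _failures.get(user, 0) >= LOCKOUT_AFTER:
            self._reply(423, b"Account locked")
        elif USERS.get(user) == password:
            _failures[user] = 0
            self._reply(200, b"Welcome " + user.encode())
        else:
            _failures[user] = _failures.get(user, 0) + 1
            self._reply(401, b"Invalid credentials")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_login_server():
    """Start the stand-in target on an ephemeral loopback port; return the login URL."""
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}/login"


def brute_force(url, username, wordlist, timeout=2.0):
    """Intruder 'sniper' attack: one payload position (the password), one request per
    candidate, each response classified by status code. Stops on success or lockout.
    Returns (outcome, password_or_None, requests_sent)."""
    for sent, candidate in enumerate(wordlist, start=1):
        body = urlencode({"username": username, "password": candidate}).encode()
        req = Request(url, data=body,
                      headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                status = resp.status
        except HTTPError as err:         # urllib raises for 4xx; the code is what we want
            status = err.code
        if status == 200:
            return ("found", candidate, sent)
        if status == 423:
            return ("locked", None, sent)
    return ("exhausted", None, len(wordlist))


if __name__ == "__main__":
    url = start_login_server()
    print(brute_force(url, "alice", ["123456", "password", "qwerty", "hunter2"]))
    print(brute_force(url, "bob", ["123456", "password", "qwerty", "abc123",
                                   "iloveyou", "admin", "letmein99"]))
```

Real applications rarely make it this easy: many return 200 for both outcomes and differ only in body length or a redirect, which is why Intruder’s results table shows length and status side by side. The lockout branch is also the defender’s view of the same attack: five failures in a row from one client is the signal a detection rule should fire on.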

Vulnerability: SQL Injection (SQLi)

SQL Injection is a classic and devastating vulnerability. It occurs when an application builds a database query by pasting untrusted user input directly into the SQL text, so that the input can change the meaning of the query. Imagine a login form that builds a query like this: SELECT * FROM users WHERE username = 'USER_INPUT' AND password = 'PASSWORD_INPUT';. A hacker might enter ' OR '1'='1 as the password. The resulting query becomes SELECT * FROM users WHERE username = 'x' AND password = '' OR '1'='1';. Because AND binds more tightly than OR, the database reads this as (username = 'x' AND password = '') OR '1'='1', and since '1'='1' is always true the WHERE clause matches every row. The application takes the first row returned (often the admin account) and logs the hacker in without a password. Note that the same payload in the username field would not work against this query, because it would land before the AND; for that position the attacker uses a comment instead, such as admin' --, which makes the database ignore the rest of the line, including the password check. The fix is not better input filtering but parameterised queries (prepared statements), which send the values to the database separately from the SQL text so they can never be interpreted as syntax.
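Added example, not from the original guide: the login check above written in Python against an in-memory SQLite database, once with string formatting and once with a parameterised query, exercised with three constructed payloads. The table, accounts, and passwords are made up for the demo. The third payload is the OR-in-the-username variant; it fails against this particular query because of AND/OR precedence, which is worth seeing for yourself before relying on a canned payload.

```python
import sqlite3

# Constructed demo table. Passwords are stored in clear text only to keep the demo
# short; a real application stores a salted hash and compares against that.


def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "Tr0ub4dor&3"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: user input becomes SQL syntax."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()      # first matching row "wins"
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the values separately from the SQL
    text, so a quote in the input can never terminate the string literal."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# Three classic payloads as (username, password). The OR '1'='1 trick only bypasses
# the check when it lands after the AND (password field) or when a -- comment
# removes the password condition entirely; in the username field it is harmless
# against this query because AND is evaluated before OR.
PAYLOADS = {
    "or-in-password": ("nobody", "' OR '1'='1"),
    "comment-out":    ("admin' --", "wrong"),
    "or-in-username": ("' OR '1'='1", "wrong"),
}


def run_payloads(login_fn):
    """Run every payload through one login implementation on a fresh database."""
    conn = make_demo_db()
    return {name: login_fn(conn, user, pw) for name, (user, pw) in PAYLOADS.items()}


if __name__ == "__main__":
    print("vulnerable:", run_payloads(login_vulnerable))   # admin, admin, None
    print("safe:      ", run_payloads(login_safe))         # None, None, None
```

The safe version still returns "alice" for the genuine credentials, which is the point: parameterisation changes nothing for legitimate input and removes the attacker’s ability to alter the query’s structure.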

Tool Deep Dive: SQLMap

SQLMap is the most powerful and popular open-source tool for automating the process of finding and exploiting SQL injection vulnerabilities. Once you find a potentially vulnerable URL or request (perhaps using Burp Suite), you can point SQLMap at it. SQLMap sends hundreds of specially crafted payloads to confirm the vulnerability. It can identify the injection technique that works (e.g., error-based, UNION-based, boolean-blind, time-based blind) and the backend database (e.g., MySQL, PostgreSQL, Oracle, Microsoft SQL Server). Once it confirms the flaw, SQLMap can exploit it: it can enumerate databases and tables, “dump” their contents, including user tables and password hashes, and in some configurations escalate to reading files or gaining a command shell on the database server. It is also loud, sending thousands of requests that will fill the target’s logs, and a time-based blind injection can take hours. Because one flag can dump an entire database, an ethical hacker must agree with the client beforehand how much data may be retrieved to prove the finding; a row count or a single redacted record is usually enough.

Vulnerability: Cross-Site Scripting (XSS)

Cross-Site Scripting, or XSS, is a vulnerability where an attacker manages to inject malicious client-side script (usually JavaScript) into a web page that is then viewed by other users. The victim’s browser, trusting the website, will execute this malicious script. This script can do anything the user can do. It can steal the user’s “session cookie,” allowing the attacker to hijack their logged-in session. It can redirect the user to a malicious website, or even rewrite the content of the page to show a fake login form to steal credentials. There are two main types: “Stored XSS,” where the malicious script is permanently saved in the database (like in a user comment), and “Reflected XSS,” where the script is part of a URL or other request and is “reflected” back by the server.
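The stored-comment case above with the two mitigations a defender reaches for first, as an added example (not from the guide): output encoding for the HTML body, a scheme allowlist for link attributes where encoding alone is not enough, and an HttpOnly session cookie so a script that does run cannot read it. The comment and link values are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed inputs: a stored comment and a user-supplied profile link.
SAMPLE_COMMENT = "<script>alert(1)</script> nice post"
SAMPLE_LINK = "javascript:alert(1)"


def render_comment_vulnerable(comment: str) -> str:
    """Stored XSS: the saved comment is placed into the page verbatim, so a
    <script> tag inside it runs in every reader's browser."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Output encoding for the HTML body context: <, >, &, and quotes become
    entities, so the browser displays the text instead of executing it."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def safe_href(url: str) -> str:
    """Attribute context needs more than entity encoding: a javascript: URL
    contains nothing html.escape would change. Only absolute http(s) links
    are accepted here; anything else is replaced with a harmless '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link_safe(url: str, text: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(text, quote=True)}</a>'


def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps the session cookie out of document.cookie, so even a
    script that executes cannot steal it; Secure and SameSite limit where
    the browser will send it."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))   # script tag intact
    print(render_comment_safe(SAMPLE_COMMENT))         # &lt;script&gt;...
    print(render_link_safe(SAMPLE_LINK, "my site"))    # href="#"
    print(session_cookie_header("constructed-session-id"))
```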

Automated Web Vulnerability Scanners

While manual testing with Burp Suite is essential for finding complex flaws, automated scanners are invaluable for quickly finding “low-hanging fruit.” These scanners will crawl an entire web application, testing every link and form for a massive database of known vulnerabilities, including XSS, SQLi, and more. These tools are great for getting a quick baseline of an application’s security posture. They are very fast and can test thousands of pages, a task that would take a human tester weeks. However, they are prone to “false positives” (reporting a flaw that is not real) and can miss complex, logic-based vulnerabilities.

Tool Deep Dive: Nikto

Nikto is a classic, open-source web server scanner. It is not a “smart” scanner like some modern tools; it is a “dumb” but fast utility that checks for over 6,700 potentially dangerous files and outdated software versions on a web server. Nikto will check for things like default installation files, misconfigured directories, and old versions of server software (like Apache or Nginx) that have known vulnerabilities. It is a command-line tool that is very easy to run: nikto -h http://target-site.com. It provides a quick way to find obvious misconfigurations that a system administrator may have overlooked.

Tool Deep Dive: Acunetix

Acunetix is a leading commercial, fully automated web vulnerability scanner. It is designed to be fast, accurate, and easy to use, providing a comprehensive audit of a web application’s security. It is particularly strong at detecting a wide range of vulnerabilities, including advanced XSS and SQL Injection variants. It can scan modern, complex applications that rely heavily on JavaScript and single-page application (SPA) frameworks like React and Angular. A key feature of Acunetix is its “AcuSensor” technology, which can be installed on the server to combine dynamic scanning (from the outside) with interactive testing (from the inside), leading to higher accuracy and fewer false positives.

Tool Deep Dive: Invicti (formerly Netsparker)

Invicti, which was formerly known as Netsparker, is another top-tier commercial web scanner. Its most famous feature is its “Proof-Based Scanning” technology. The biggest problem with automated scanners is false positives. A developer can waste days chasing down a “critical” vulnerability that does not actually exist. Invicti attempts to solve this by not just finding a potential vulnerability but also safely exploiting it to prove that it is real. For example, upon finding a potential SQL Injection, it will safely extract a piece of data (like the database name) to confirm the exploit is real. This gives security teams high confidence in its findings, allowing them to prioritize and fix real issues.

Tool Deep Dive: Fortify WebInspect

Fortify WebInspect is another major player in the commercial scanner space, often found in large enterprise environments. It is a dynamic application security testing (DAST) tool that provides comprehensive scanning for complex web applications and services. Like its competitors, it identifies known vulnerabilities and misconfigurations. It is known for its ability to test the dynamic behavior of running web applications and for its deep integration with the broader “Software Development Life Cycle” (SDLC). This means its results can be fed directly into bug-tracking systems, and it can be integrated into a CI/CD pipeline (see Part 5) to automate security testing every time new code is written.

Vulnerability: Insecure Direct Object Reference (IDOR)

This is a type of access control vulnerability that automated scanners often miss, making manual testing with Burp Suite essential. IDOR occurs when an application exposes a direct reference to an internal object, like a database key, in a URL or form. Imagine you log in and your profile page is at https://example.com/profile?user_id=123. A curious attacker would try changing that URL to https://example.com/profile?user_id=124. If the application is vulnerable, it will fail to check who is making the request. It will simply fetch the profile for user 124, allowing the attacker to cycle through all user IDs and steal their private information. This is a simple but incredibly common and dangerous flaw.
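The /profile?user_id=123 endpoint above, first as the guide describes it and then with the authorization check it is missing, as an added example that is not the guide's code; the profile store, admin set and Request type are constructed stand-ins for a real application's database, role model and session handling.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed profile store and admin set.
PROFILES = {
    123: {"name": "Alice", "email": "alice@example.com"},
    124: {"name": "Bob", "email": "bob@example.com"},
}
ADMIN_IDS = {1}


@dataclass(frozen=True)
class Request:
    session_user_id: int   # identity established by the session cookie
    user_id_param: int     # the user_id value taken from the query string


def profile_vulnerable(req: Request) -> Tuple[int, Optional[dict]]:
    """Serves /profile?user_id=N by trusting N. Any authenticated user can
    read any profile just by changing the number in the URL (IDOR)."""
    profile = PROFILES.get(req.user_id_param)
    return (200, profile) if profile else (404, None)


def profile_safe(req: Request) -> Tuple[int, Optional[dict]]:
    """Same endpoint with an authorization check: the requested object must
    belong to the caller, unless the caller is an admin."""
    is_owner = req.session_user_id == req.user_id_param
    is_admin = req.session_user_id in ADMIN_IDS
    if not (is_owner or is_admin):
        # 403 whether or not the target ID exists, so the endpoint does not
        # confirm which IDs are valid to someone cycling through them.
        return (403, None)
    profile = PROFILES.get(req.user_id_param)
    return (200, profile) if profile else (404, None)


def my_profile(session_user_id: int) -> Tuple[int, Optional[dict]]:
    """Stronger design: a /profile/me route takes no object identifier from
    the client at all, so there is nothing in the URL to tamper with."""
    profile = PROFILES.get(session_user_id)
    return (200, profile) if profile else (404, None)


if __name__ == "__main__":
    cross_user = Request(session_user_id=123, user_id_param=124)
    print(profile_vulnerable(cross_user))   # (200, Bob's profile)  <- the IDOR
    print(profile_safe(cross_user))         # (403, None)
    print(profile_safe(Request(1, 124)))    # (200, Bob's profile) for an admin
    print(my_profile(123))                  # (200, Alice's profile)
```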

Password Attacks: Brute Force and Dictionary Attacks

Automated tools are also used to attack login pages directly. A “brute-force” attack involves trying every single possible combination of characters for a password. This is extremely slow and rarely effective against modern passwords. A “dictionary attack” is much more efficient. This involves using a “wordlist,” which is a large text file containing thousands or millions of common passwords (like 123456, password, qwerty), or words from a dictionary. As mentioned earlier, a tool like Burp Suite’s “Intruder” can automate this. You capture a login request, load your wordlist, and fire it at the server. If the server does not have “rate limiting” (which locks an account after a few bad attempts), this attack can be very effective at finding weak passwords.

Tool Deep Dive: Cain & Abel

Cain & Abel is an older, Windows-only password recovery tool that is conceptually very important. While some of its features are outdated, it demonstrated the power of an all-in-one tool for password-related attacks. It could perform network sniffing to capture password “hashes” (encrypted passwords) as they crossed the network. It also included a powerful password cracking module. This module could take captured hashes and run dictionary attacks, brute-force attacks, and “cryptanalysis” attacks against them. It was a famous tool for demonstrating how easily unencrypted or poorly encrypted passwords could be recovered from a network.

Tool Deep Dive: John the Ripper

John the Ripper, often just called “John,” is a fast, powerful, and very popular password cracker. It is an offline tool, meaning you must first obtain the password hashes (perhaps from an SQL injection attack that dumped the user table). Once you have the file of hashes, you feed it to John. John will use its built-in wordlists and highly optimized “rules” to try and crack them. For example, it will try a word like “password” and also variations like “Password123” or “p@ssw0rd”. It is a command-line tool that is cross-platform and highly customizable. It is a standard tool for testing the strength of password hashes found during a penetration test.

Shifting Focus from Web to Infrastructure

While web applications are a primary target, they are not the only way into a network. The underlying infrastructure—the servers, workstations, and network devices—provides another vast “attack surface.” This branch of hacking focuses on exploiting flaws in operating systems, network services, and misconfigured protocols. These attacks often target services that are exposed to the internet, such as remote login portals (SSH or RDP), mail servers, or FTP servers. An ethical hacker will use the results from their scanning phase to identify these services and hunt for weaknesses in them.

The Role of the Vulnerability Scanner

As discussed in Part 2, vulnerability scanners like Nessus and OpenVAS are critical in this phase. After Nmap identifies an open port, a vulnerability scanner will probe that service to see if it is a version with a known, published vulnerability. For example, the scan might reveal that a company’s FTP server is running “vsftpd 2.3.4.” A quick search of the internet would show that this specific version is famously vulnerable to a “backdoor” command execution exploit. The scanner’s report provides the ethical hacker with a direct, actionable “hit list” of systems to target. The next step is to move from finding the vulnerability to exploiting it.

Tool Deep Dive: The Metasploit Framework

The Metasploit Framework is the most powerful and widely used exploitation framework in the world. It is an open-source platform that comes pre-installed with Kali Linux and serves as a massive database of “exploits”—small pieces of code written to take advantage of a specific vulnerability. Metasploit standardizes the process of exploitation. Instead of trying to find and run messy, unreliable scripts from the internet, a hacker can simply search the framework for the target service (like “vsftpd 2.3.4”). Metasploit will provide them with the exploit module, allow them to configure it with the target’s IP address, and then “launch” it. It is a reliable, professional, and comprehensive toolkit for gaining access.

Metasploit Concepts: Exploits, Payloads, and Listeners

To use Metasploit, you must understand its core terms. An “exploit” is the code that takes advantage of the vulnerability. It is the “key” that unlocks the door. A “payload” is the code you want to run on the target after the exploit is successful. This is what you are “delivering.” The most common payload is a “shell,” which gives you command-line control of the target machine. A “listener” is a process you run on your own (attacker) machine. The payload will connect back to this listener, establishing the connection. This is called a “reverse shell” and is very effective at bypassing firewalls, as the connection is initiated from the target out to the attacker.

The Power of Meterpreter

The most advanced payload in the Metasploit ecosystem is called “Meterpreter.” It is a sophisticated, in-memory “stager” that provides the attacker with a huge range of post-exploitation capabilities, all without writing any new files to the target’s disk, making it very stealthy. Once a Meterpreter session is active, the attacker has an extendable command prompt on the victim machine. They can browse the file system, take screenshots, log keystrokes, dump password hashes from memory, and even “pivot” to attack other machines on the internal network. Meterpreter is a “Swiss Army knife” for post-exploitation and is a major reason why Metasploit is such a dominant tool in the field.

Tool Deep Dive: Aircrack-Ng

Not all networks are wired. Wireless (Wi-Fi) networks are another common vector for gaining access to an organization’s internal infrastructure. If a company’s Wi-Fi network is poorly secured, an attacker can bypass the external firewall completely and gain access from the parking lot. Aircrack-Ng is not a single tool, but a suite of command-line tools for testing Wi-Fi security. It is the industry standard for wireless hacking and comes pre-installed on Kali Linux. The suite includes tools for capturing network packets, de-authenticating users to capture handshakes, and cracking the network password. It requires a wireless adapter that supports “monitor mode,” allowing it to sniff all airborne traffic.

Components of the Aircrack-Ng Suite

The Aircrack-Ng suite is primarily composed of a few key tools. airodump-ng is used to capture wireless packets. You run it to scan the air for all nearby Wi-Fi networks, showing you their SSID, security type (WEP, WPA2), and a list of connected “clients” (users). aireplay-ng is used to perform attacks. Its most common use is to send “de-authentication” packets to a connected client. This forcibly disconnects the user from the network. The user’s device will then immediately try to reconnect, and in doing so, it will perform a “WPA handshake,” which airodump-ng can capture. aircrack-ng is the offline cracking tool. You feed it the captured “handshake” file and a wordlist (a list of potential passwords). It will then perform a dictionary attack to try and find the password.

Tool Deep Dive: Kismet

While Aircrack-Ng is used for active attacks, Kismet is the premier tool for passive wireless reconnaissance. It is a wireless network detector, sniffer, and intrusion detection system. Unlike other tools that just scan for networks, Kismet passively “listens” to all traffic, allowing it to detect access points and clients. It can even detect “hidden” networks that do not broadcast their SSID (network name). Kismet is excellent for “wardriving,” which is the act of driving or walking around an area to map its wireless landscape. It can log the GPS coordinates of all networks it finds, creating a detailed map of a target’s wireless footprint.

Tool Deep Dive: NetStumbler

NetStumbler is one of the original and most famous Windows-based tools for wardriving. It is much simpler than Kismet and less feature-rich, but it was instrumental in popularizing the concept of wireless network discovery. It actively probes for wireless networks and displays key information like their SSID, channel, and security status. While Kismet is a more powerful, passive, and modern tool, NetStumbler is still known for its simplicity and effectiveness on Windows platforms for basic network discovery.

Man-in-the-Middle (MITM) Attacks

Another way to gain access is not to break into the system, but to place yourself “in the middle” of a connection. A Man-in-the-Middle (MITM) attack is a form of sniffing where the attacker secretly intercepts and relays communication between two parties who believe they are communicating directly. This allows the attacker to read, and even modify, all traffic passing between them. For example, an attacker on a public Wi-Fi network could intercept a user’s connection to their bank. They could redirect the user to a fake, clone website or capture their login credentials in plain text if the connection is not properly encrypted.

Tool Deep Dive: Ettercap

Ettercap is a classic, open-source tool for performing MITM attacks on a local area network (LAN). It is a comprehensive suite for network analysis and “content filtering.” Ettercap works by using a technique called “ARP poisoning” or “ARP spoofing.” It sends forged network messages to the victim’s computer and the network router, tricking them both. The victim’s computer is tricked into thinking the attacker’s machine is the router, and the router is tricked into thinking the attacker’s machine is the victim. All traffic now flows through the attacker’s machine. Ettercap’s interface allows the attacker to sniff this traffic, capture passwords, and even inject malicious code into websites as they are being loaded by the victim.
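The defender's view of the ARP poisoning described above, as an added example (not from the guide): a monitor in the spirit of arpwatch that tracks IP-to-MAC bindings and raises alerts when a binding changes or when one MAC starts answering for the gateway plus another host. The network, addresses and reply sequence are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


GATEWAY_IP = "192.168.1.1"   # constructed network

# Constructed sequence of ARP replies seen on a LAN segment. The last two are
# the signature of ARP poisoning: one MAC claims the gateway's IP and then the
# victim's IP, so both sides now send their traffic to that MAC.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),   # genuine gateway
    ArpReply("192.168.1.50", "aa:bb:cc:00:00:50"),  # victim workstation
    ArpReply("192.168.1.77", "de:ad:be:ef:00:77"),  # third host on the LAN
    ArpReply("192.168.1.1", "de:ad:be:ef:00:77"),   # gateway IP now claimed by that MAC
    ArpReply("192.168.1.50", "de:ad:be:ef:00:77"),  # the same MAC also claims the victim
]


def detect_arp_spoofing(replies, gateway_ip: str) -> List[Tuple[str, str]]:
    """Replays ARP replies in order and returns (severity, message) alerts."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flagged_macs = set()
    alerts = []
    for r in replies:
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            # A changed binding can also be a legitimate DHCP or failover
            # event, so only the gateway moving is rated HIGH on its own.
            sev = "HIGH" if r.sender_ip == gateway_ip else "MEDIUM"
            alerts.append((sev, f"{r.sender_ip} changed from {prev} to {r.sender_mac}"))
        ip_to_mac[r.sender_ip] = r.sender_mac
        mac_to_ips[r.sender_mac].add(r.sender_ip)

        claimed = mac_to_ips[r.sender_mac]
        if gateway_ip in claimed and len(claimed) > 1 and r.sender_mac not in flagged_macs:
            # One MAC answering for the gateway and another host is the
            # "both sides tricked" state the attack needs; report it once.
            flagged_macs.add(r.sender_mac)
            others = sorted(ip for ip in claimed if ip != gateway_ip)
            alerts.append(("HIGH", f"{r.sender_mac} answers for the gateway and "
                                   f"{', '.join(others)} (possible man-in-the-middle)"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect_arp_spoofing(SAMPLE_REPLIES, GATEWAY_IP):
        print(f"[{severity}] {message}")
```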

Tool Deep Dive: Wireshark (for MITM)

Wireshark, the packet sniffer from Part 2, is the perfect companion to a tool like Ettercap. Once Ettercap has established the MITM attack and all the traffic is flowing through your machine, you can use Wireshark to capture and analyze it. This is where you will find the “plunder.” You can filter the captured traffic for unencrypted protocols like HTTP, FTP, or POP3 and directly read passwords and session cookies from the “Follow TCP Stream” window. This demonstrates how different tools are “chained” together: Ettercap for the attack, Wireshark for the analysis.

Password Cracking in Depth

We have discussed password attacks against live services (online) and against hashes (offline). Offline cracking, using tools like John the Ripper, is a critical part of system hacking. When an attacker gains access to a system, one of their first goals is “privilege escalation.” They may have access as a low-privilege user, but they want to be the system administrator (or “root” in Linux). A common way to do this is to find and dump the file that stores all the users’ password hashes (on Linux, this is the /etc/shadow file, which is normally only readable by root). If they can get this file, they can take it offline and use a password cracker to find a weak administrator password.

Tool Deep Dive: John the Ripper

John the Ripper (JTR) is a fast, powerful, and highly customizable offline password cracker. It can detect dozens of different hash types, from standard Linux and Windows hashes to database and web application hashes. JTR has several modes. “Wordlist” mode is a standard dictionary attack. “Single crack” mode is very clever; it uses the username itself as a basis for password guesses (e.g., for user ‘bob’, it tries ‘bob’, ‘bob1’, ‘bob123’, ‘bobert’). Its most powerful feature is its “rules” engine. You can apply a set of rules to a wordlist to create millions of variations, such as l33tsp3ak (leetspeak) rules, prefixing/suffixing rules, and capitalization rules. This is far more effective than a simple wordlist.

Tool Deep Dive: Cain & Abel

As mentioned in Part 3, Cain & Abel is a Windows-based password recovery tool. In the context of system hacking, its key features are its sniffer and its hash cracker. Its sniffer can listen on the local network and passively pick up password hashes from older, insecure protocols. Its built-in cracker can then take these hashes and attempt to crack them using dictionary and brute-force attacks. It also specializes in “Rainbow Table” attacks, which use large, precomputed tables to find the matching password for a hash, a method that is much faster than brute-forcing. While rainbow tables are less effective against modern “salted” hashes, they are historically very important.

You’re In. Now What? The Post-Exploitation Phase

Gaining access to a single system is a major victory, but for a professional ethical hacker, it is just the beginning. The “Gaining Access” phase (Parts 3 and 4) gets you a foothold. The “Maintaining Access” and “Pivoting” phases are where the real work begins. Post-exploitation is the set of actions a hacker takes after compromising a system. The goals are to determine the system’s value, escalate privileges, find more sensitive data, and use the compromised system as a “pivot” point to attack other systems on the internal network.

Privilege Escalation: From User to Administrator

When you first exploit a system, you will often gain access as a low-privilege user, such as the “www-data” user that a web server runs as. This user has very limited permissions and cannot read sensitive files or change system configurations. “Privilege Escalation” is the process of exploiting a second vulnerability on the local machine to elevate your permissions to the highest level: “Administrator” on Windows or “root” on Linux. This can be done by finding a misconfigured service, an unpatched kernel vulnerability, or a password stored in a script file. Once you are “root” or “Admin,” you own the entire machine and can do anything, including dumping all user passwords.

Persistence: Ensuring You Can Always Get Back In

After gaining high-level access, the next step is to ensure that access is “persistent.” This means you can survive a system reboot or a service restart. A simple “shell” from an exploit will disappear if the system is restarted. An ethical hacker will establish persistence to simulate what a real attacker would do. This could involve creating a new, hidden user account, or, more commonly, setting up a “reverse shell” that is triggered to run automatically when the system boots up. This ensures that the compromised machine will always “call home” to the attacker’s server, providing a stable, long-term command and control (C2) channel.

Pivoting: Using the First Victim to Attack Others

In a real corporate network, the most valuable assets—like the human resources database or the domain controller—are not on the public internet. They are on a private, internal network. You cannot attack them directly. “Pivoting” is the technique of using a compromised machine as a “beachhead” to attack these internal systems. The hacker “pivots” all their attack traffic through the first victim. Tools within Metasploit make this easy. You can add a route in Metasploit that tells it to send all traffic for the internal network (e.g., 10.0.0.0/8) through your active Meterpreter session. You can then run Nmap or other exploits through that session, as if you were physically inside their network.

Clearing Tracks: The Art of Invisibility

This phase, for a criminal, is about evading detection. They will alter system logs to remove any entries that show their IP address or the exploit they used. They will use “rootkits” to hide their files, processes, and network connections from the system administrator. For an ethical hacker, this phase is different. You typically do not clear the logs, because you want the organization to see the evidence of your attack. This helps their “blue team” (the defenders) learn to detect real attacks. However, you must be able to demonstrate how an attacker would clear their tracks. You must be able to identify the key log files (/var/log/auth.log in Linux, or the Windows Event Logs) and show how they could be modified or deleted.

The Most Important Phase: Reporting

This is the single most important part of an ethical hack. This is what you are paid for. The final report is the deliverable that provides value to the organization. A 300-page report full of automated scanner output is useless. A good report is clear, concise, and actionable. A professional report is typically split into two main sections: an “Executive Summary” and a “Technical Report.” The Executive Summary is a one-to-two-page, high-level overview written for management. It uses no technical jargon and explains the business risk. For example, “A flaw in the customer portal allowed us to access all customer records, which could lead to massive regulatory fines.” The Technical Report is for the IT and development teams. It details every single vulnerability, providing a step-by-step, repeatable guide on how to exploit it. It includes screenshots and, most importantly, clear recommendations on how to fix the vulnerability, often providing code examples or configuration changes.

Vulnerability Management and Remediation

The job is not over after the report is delivered. Often, the security team will “re-test” the organization after they claim to have fixed the flaws. This “remediation verification” is a critical part of the cycle, ensuring that the fixes are effective and have not introduced new, different vulnerabilities. This entire process is part of a larger concept called “vulnerability management,” which is the ongoing, cyclical process of identifying, classifying, remediating, and mitigating vulnerabilities.

The Defensive Side: Security Auditing

Ethical hacking is the “offensive” side. The “defensive” side is security auditing and management. This is the work of the “blue team,” which tries to prevent and detect attacks. Many tools are designed specifically for this purpose. The goal of a defender is to reduce the “attack surface” by patching systems, and to increase “visibility” by monitoring logs, so they can spot an attack in progress.

Tool Deep Dive: SolarWinds Security Event Manager (SIEM)

A Security Information and Event Management (SIEM) tool is a foundational piece of modern defense. A large network generates millions of logs per day from firewalls, servers, and applications. It is impossible for a human to read them all. A SIEM, like SolarWinds Security Event Manager, aggregates all of these logs into one central dashboard. It then “correlates” them to find patterns. A single failed login is not suspicious. But 10,000 failed logins from the same IP in one minute? That is a brute-force attack, and the SIEM will automatically create a high-priority alert. These tools help defenders detect threats in real-time, monitor for policy violations, and provide the log integrity needed for forensic investigations after a breach.
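The correlation this paragraph describes, and the failed-login burst that the Password Attacks section says a server without rate limiting will not stop, as an added example that is not the guide's or any SIEM vendor's code: a sliding-window rule over constructed sshd lines from /var/log/auth.log, with a second rule that escalates when a success follows the burst. The host, users, addresses and thresholds are constructed (a production SIEM uses far larger counts).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed auth.log excerpt: a password-guessing burst from 203.0.113.9 that
# ends in a successful login, and one ordinary typo from 198.51.100.4.
SAMPLE_LOG = """\
Jan 14 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Jan 14 10:00:03 web01 sshd[2203]: Failed password for root from 203.0.113.9 port 51236 ssh2
Jan 14 10:00:04 web01 sshd[2205]: Failed password for invalid user test from 203.0.113.9 port 51238 ssh2
Jan 14 10:00:06 web01 sshd[2207]: Failed password for root from 203.0.113.9 port 51240 ssh2
Jan 14 10:00:07 web01 sshd[2209]: Failed password for invalid user oracle from 203.0.113.9 port 51242 ssh2
Jan 14 10:00:09 web01 sshd[2211]: Failed password for bob from 203.0.113.9 port 51244 ssh2
Jan 14 10:00:11 web01 sshd[2213]: Accepted password for bob from 203.0.113.9 port 51246 ssh2
Jan 14 10:00:15 web01 sshd[2220]: Failed password for alice from 198.51.100.4 port 40210 ssh2
Jan 14 10:00:20 web01 sshd[2222]: Accepted password for alice from 198.51.100.4 port 40212 ssh2
Jan 14 10:00:21 web01 sshd[2224]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Returns (timestamp, result, user, source_ip) or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog lines carry no year
    return ts, m["result"], m["user"], m["ip"]


def correlate(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Rule 1: >= threshold failures from one IP inside the window -> HIGH.
    Rule 2: a successful login from an IP already flagged by rule 1 -> CRITICAL,
    since the guessing may have worked."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, result, user, ip = event
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("HIGH", ip,
                               f"{len(q)} failed SSH logins within {window.seconds}s (password guessing)"))
        elif ip in flagged:
            alerts.append(("CRITICAL", ip,
                           f"successful login as {user} after a burst of failures (likely guessed password)"))
    return alerts


if __name__ == "__main__":
    for severity, ip, message in correlate(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {ip}: {message}")
```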

Tool Deep Dive: QualysGuard

QualysGuard is a major enterprise-grade platform for vulnerability management. While tools like Nessus are used to run a scan, platforms like Qualys are used to manage a continuous vulnerability program. QualysGuard is a cloud-based solution that allows a large organization to deploy “scanners” all over their global network, all reporting back to a central dashboard. It provides a comprehensive, real-time view of the organization’s security posture. It tracks vulnerabilities over time, manages remediation tickets, and ensures the organization is “compliant” with security standards like PCI-DSS (for credit cards) or HIPAA (for healthcare).

Tool Deep Dive: Intruder

Intruder is a modern, cloud-based vulnerability scanner that is designed to be much simpler and more “proactive” than traditional scanners. It focuses on finding the “low-hanging fruit” and “edge” vulnerabilities that are exposed to the internet. Its key features are simplicity and automation. It integrates with cloud providers (like AWS or Google Cloud) to automatically discover your assets as they are spun up. It runs “proactive” scans, meaning it is constantly monitoring the internet for newly disclosed vulnerabilities. When a new major flaw is announced, Intruder will automatically check your systems to see if you are vulnerable, providing a critical time-saving advantage.

Conclusion

In this phase, its reports would be a key part of the overall “vulnerability management” program, feeding data into a SIEM. LiveAction is a network performance and security platform. Its role on the defensive side is to provide deep “packet intelligence.” It analyzes network traffic to provide visibility, help diagnose issues, and detect anomalies. For example, if a compromised server suddenly starts sending large amounts of data to an unknown IP address in another country (data “exfiltration”), a tool like LiveAction could detect this unusual traffic pattern and alert the security team.