Chapter 1
Introduction to Ethical Hacking, Ethics, and Legality
Defining Ethical Hacking, Understanding the Purpose of Ethical Hacking, An Ethical Hacker’s Skill Set, Ethical Hacking Terminology, The Phases of Ethical Hacking, Identifying Types of Hacking Technologies, Types of Ethical Hacks, Understanding Testing Types, How to Be Ethical and Performing a Penetration Test
Ethical hacking
● Ethical hacking is an authorized practice of detecting vulnerabilities in an
application, system, or organization’s infrastructure and bypassing system security
to identify potential data breaches and threats in a network.
● Ethical hackers aim to investigate the system or network for weak points that
malicious hackers can exploit or destroy. They can improve the security footprint
to withstand attacks better or divert them.
They check for key vulnerabilities that include:
● Injection attacks
● Changes in security settings
● Exposure of sensitive data
● Breach in authentication protocols
● Components used in the system or network that may be used as access points
The Roles and Responsibilities of an Ethical Hacker
Ethical Hackers must follow certain guidelines in order to perform hacking legally. A good
hacker knows his or her responsibility and adheres to all of the ethical guidelines. Here are
the most important rules of Ethical Hacking:
● An ethical hacker must seek authorization from the organization that owns the
system. Hackers should obtain complete approval before performing any security
assessment on the system or network.
● Determine the scope of their assessment and make known their plan to the
organization.
● Report any security breaches and vulnerabilities found in the system or network.
● Keep their discoveries confidential. As their purpose is to secure the system or
network, ethical hackers should agree to and respect their non-disclosure agreement.
● Erase all traces of the hack after checking the system for any vulnerability. It
prevents malicious hackers from entering the system through the identified
loopholes.
Skills Required to Become an Ethical Hacker
An ethical hacker should have in-depth knowledge about all the systems, networks,
program codes, security measures, etc. to perform hacking efficiently. Some of these skills
include:
● Knowledge of programming - It is required for security professionals working in the
field of application security and Software Development Life Cycle (SDLC).
● Scripting knowledge - This is required for professionals dealing with network-based
attacks and host-based attacks.
● Networking skills - This skill is important because threats mostly originate from
networks. You should know about all of the devices present in the network, how they
are connected, and how to identify if they are compromised.
● Understanding of databases - Attacks are mostly targeted at databases. Knowledge of
database management systems and query languages such as SQL will help you to effectively
inspect operations carried out in databases.
● Knowledge of multiple platforms like Windows, Linux, Unix, etc.
● The ability to work with different hacking tools available in the market.
● Knowledge of search engines and servers.
Difference between hacking and ethical hacking
INTENTION
● Hacking: A hacker targets a network, system, or app to collect personal information from users and may delete, change, or remove a corporation's records. They intend to steal your data.
● Ethical Hacking: An ethical hacker would strike a company's network for all the right reasons, such as detecting and repairing security flaws to protect the system, evaluating a company's security procedures and quality standards, and ensuring the data protection policies of an organization. In short, they protect your data.
LEGALITY
● Hacking: Hacking is when you access a company's network or technology without their knowledge or approval. It is entirely illegal, and anyone found guilty faces serious legal consequences.
● Ethical Hacking: Ethical hacking is authorized and permitted by the firm, and it is fully legal. Ethical hackers are covered by an agreement. This, in fact, is one of the highest-paying careers today.
COMPENSATION
● Hacking: A hacker or cyber attacker might be a single person, a community, or a government-sponsored cyber hacking squad. In either case, a hacker is looking to make money by unlawfully obtaining confidential material and marketing it or simply using your credit card information.
● Ethical Hacking: Although an ethical hacker may operate alone or as part of the cyber security team of a company, they are a full-time employee. In return for their efforts in safeguarding the firm's data, they are guaranteed pay and all incentives.
TOOLS
● Hacking: They use the same tools as ethical hackers to exploit the vulnerabilities explored.
● Ethical Hacking: They use the same tools as hackers to penetrate the system and seal the flaws.
TRAINING
● Hacking: Deep knowledge of networking, a thorough understanding of operating systems, a firm grip over network security control, and knowledge of programming languages such as Python, JavaScript, C, and C++ are some of the skills needed to be a hacker.
● Ethical Hacking: Ethical hackers receive the same fundamental training as hackers. After gaining some practical experience, you can pursue certifications such as the Certified Ethical Hacker (CEH) and work as an ethical hacker.
PROFESSIONAL DEVELOPMENT
● Hacking: A black hat hacker has no legit professional development. Instead, the individual is always at risk of being caught by the law.
● Ethical Hacking: Unlike black hat hacking, ethical hacking is a highly sought-after career with excellent pay. After acquiring your entry-level job, you can put yourself up for even more sophisticated computer security tasks like senior penetration tester or network administrator in a business.
Vulnerability
Vulnerability can be defined as:
1. A security weakness in a target of evaluation (e.g., due to failures in analysis, design,
implementation, or operation).
2. Weakness in an information system or components (e.g., system security procedures,
hardware design, or internal controls) that could be exploited to produce an
information-related misfortune.
3. The presence of a weakness, design error, or implementation error that can lead to an
unexpected and undesirable event compromising the security of the system, network,
application, or protocol involved.
The difference between threat and vulnerability
A vulnerability is a weakness in a defined asset that could be taken advantage of or
exploited by some threat. A threat is an action or event that might compromise security.
As a simple example, paper is vulnerable to being burned or destroyed by fire. The fact that
something might catch on fire and burn those paper documents is a possible threat to document
preservation. Installing a fire suppressant system would mitigate the risk of that threat exploiting
the paper’s vulnerability.
Attack Vector
● An attack vector is a path or means by which an attacker or hacker can gain access
to a computer or network server in order to deliver a payload or malicious outcome.
Attack vectors enable hackers to exploit system vulnerabilities.
● The most common attack vectors include malware, viruses, email attachments,
web pages, pop-ups, instant messages, text messages, and social engineering.
● The most common malicious payloads are viruses (which can function as their own
attack vectors), Trojan horses, worms, and spyware. Third-party vendors and service
providers can also be considered attack vectors, as they are a risk to an organization if
they have access to its sensitive data.
● To some extent, firewalls and antivirus software can block attack vectors. But no
protection method is totally attack-proof.
● A defense method can quickly become obsolete, as hackers are constantly
updating attack vectors and seeking new ones in their quest to gain unauthorized
access to computers and servers.
The Difference Between an Attack Vector, Attack Surface and Threat Vector
An attack vector is a method of gaining unauthorized access to a network or computer
system.
An attack surface is the total number of attack vectors an attacker can use to
manipulate a network or computer system or extract data.
Threat vector can be used interchangeably with attack vector and generally describes
the potential ways a hacker can gain access to data or other confidential information.
In general, attack vectors can be categorized into passive or active attacks:
Passive Attack Vector Exploits
Passive attack vector exploits are attempts to gain access or make use of information from the
system without affecting system resources, such as typosquatting, phishing, and other social
engineering-based attacks.
Active Attack Vector Exploits
Active cyber attack vector exploits are attempts to alter a system or affect its operation such as
malware, exploiting unpatched vulnerabilities, email spoofing, man-in-the-middle attacks,
domain hijacking, and ransomware.
The Common Types of Attack Vectors
1. Compromised Credentials
Usernames and passwords are still the most common type of access credential and continue to be
exposed in data leaks, phishing scams, and malware. When lost, stolen, or exposed, credentials
give attackers unfettered access. This is why organizations are now investing in tools to
continuously monitor for data exposures and leaked credentials. Password managers, two-factor
authentication (2FA), multi-factor authentication (MFA), and biometrics can reduce the risk of
leaked credentials resulting in a security incident.
2. Weak Credentials
Weak passwords and reused passwords mean one data breach can result in many more. Teach
your organization how to create a secure password, invest in a password manager or a single
sign-on tool, and educate staff on their benefits.
3. Insider Threats
Disgruntled employees or malicious insiders can expose private information or provide
information about company-specific vulnerabilities.
4. Software Vulnerabilities
If a network, OS, computer system or application has an unpatched security vulnerability, an
attacker can use a threat vector, such as malware, to gain unauthorized access.
5. Missing or Poor Encryption
Common data encryption methods like SSL certificates and DNSSEC can prevent
man-in-the-middle attacks and protect the confidentiality of data being transmitted. Missing or
poor encryption for data at rest can mean that sensitive data or credentials are exposed in the
event of a data breach or data leak.
6. Ransomware
Ransomware is a form of extortion where data is deleted or encrypted unless a ransom is paid,
such as WannaCry. Minimize the impact of ransomware attacks by maintaining a defense plan,
including keeping your systems patched and backing up important data.
7. Phishing
Phishing attacks are social engineering attacks where the target is contacted by email, telephone,
or text message by someone who is posing to be a legitimate colleague or institution to trick
them into providing sensitive data, credentials, or personally identifiable information (PII). Fake
messages can send users to malicious websites with viruses or malware payloads.
8. Brute Force
Brute force attacks are based on trial and error. Attackers may continuously try to gain access to
your organization until one attack works. This could be by attacking weak passwords or
encryption, phishing emails, or sending infected email attachments containing a type of
malware.
9. Distributed Denial of Service (DDoS)
DDoS attacks are cyber attacks against networked resources like data centers, servers, websites,
or web applications and can limit the availability of a computer system. The attacker floods the
network resource with messages which cause it to slow down or even crash, making it
inaccessible to users. Potential mitigations include CDNs and proxies.
10. SQL Injections
SQL stands for Structured Query Language, a programming language used to communicate with
databases. Many of the servers that store sensitive data use SQL to manage the data in their
database. An SQL injection uses malicious SQL to get the server to expose information it
otherwise wouldn't. This is a huge cyber risk if the database stores customer information, credit
card numbers, credentials, or other personally identifiable information (PII).
11. Trojans
Trojan horses are malware that misleads users by pretending to be a legitimate program and are
often spread via infected email attachments or fake malicious software.
12. Cross-Site Scripting (XSS)
XSS attacks involve injecting malicious code into a website; the website itself is not the
target, rather the attack aims to impact the website's visitors. A common way attackers deploy
cross-site scripting attacks is by injecting malicious code into a comment, e.g. embedding a link
to malicious JavaScript in a blog post's comment section.
13. Session Hijacking
When you log into a service, it generally provides your computer with a session key or cookie so
you don't need to log in again. This cookie can be hijacked by an attacker who uses it to gain
access to sensitive information.
14. Man-in-the-Middle Attacks
Public Wi-Fi networks can be exploited to perform man-in-the-middle attacks and intercept
traffic that was supposed to go elsewhere, such as when you log into a secure system.
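The SQL injection vector (item 10 above) side by side with its mitigation, as an added example that is not part of the original notes. The in-memory SQLite table, its rows and the crafted input are all constructed for the demonstration; passwords are stored in clear only to keep the example short.

```python
import sqlite3


def make_db():
    """Constructed sample user table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "s3cret", "4111-1111-1111-1111"),
            ("bob", "hunter2", "5500-0000-0000-0004"),
        ],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The weakness the text describes: user input is pasted into the query text,
    so the input can change the structure of the statement, not just its values."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Mitigation: placeholders hand the input to the driver as data, so the
    statement structure is fixed no matter what the strings contain."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both logins with a classic tautology input (constructed test input).
    Returns (rows from the vulnerable query, rows from the parameterized query)."""
    conn = make_db()
    crafted = "' OR '1'='1"
    # The concatenated statement becomes
    #   ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is true for every row, so every username is returned.
    leaked = login_vulnerable(conn, crafted, crafted)
    # The same string is compared literally against the columns and matches nothing.
    safe = login_parameterized(conn, crafted, crafted)
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```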
Defend Against Common Attack Vectors
● Create secure IoT credentials - Most IoT devices still use their predictable factory login
credentials, making them prime targets for DDoS attacks.
● Use a password manager - Password managers ensure login credentials are strong and resilient
to brute force attacks.
● Educate employees - To prevent staff from falling for common social engineering and phishing
tactics, they need to be trained on how to identify and report potential cybercriminal activity.
Humans will always be the weakest points in every security program.
● Identify and shut down data leaks - Most businesses are unknowingly leaking sensitive data
that could facilitate data breaches. A data leak detection solution will solve this critical security
issue.
● Detect and remediate all system vulnerabilities - This should be done for both the internal and
external vendor networks. An attack surface monitoring solution can help you do this.
● Keep antivirus software updated - Updates keep antivirus software informed of the latest cyber
threats roaming the internet.
● Keep third-party software regularly updated - Software updates contain critical patches for
newly discovered attack vectors. Many cyber attackers have achieved success by abusing known
vulnerabilities in out-of-date software.
Ethical Hacking Terminology
● Threat – An action or event that might prejudice security. A threat is a potential
violation of security.
● Vulnerability – Existence of a weakness, design, or implementation error that can
lead to an unexpected, undesirable event compromising the security of the system.
● Target of Evaluation – An IT system, product, or component that is
identified/subjected as requiring security evaluation.
● Attack – An assault on system security that derives from an intelligent threat. An
attack is any action that violates security.
● Exploit – A defined way to breach
● Hacking – showing computer expertise.
● Cracking – breaching security on software or systems.
● Spoofing – faking the originating IP address in a datagram.
● Denial of Service (DoS) – flooding a host with sufficient network traffic so that
it cannot respond anymore.
● Port Scanning – searching for vulnerabilities.
The Phases of Ethical Hacking
● Ethical hacking is a process of detecting vulnerabilities in an application, system, or
organization’s infrastructure that an attacker can use to exploit an individual or
organization.
● They use this process to prevent cyber attacks and security breaches by lawfully hacking
into the systems and looking for weak points.
● An ethical hacker follows the steps and thought process of a malicious attacker to gain
authorized access and test the organization’s strategies and network.
● An attacker or an ethical hacker follows the same five-step hacking process to breach the
network or system.
● The ethical hacking process begins with looking for various ways to hack into the system,
exploiting vulnerabilities, maintaining steady access to the system, and lastly, clearing
one’s tracks.
[Figure: Five stages of hacking – Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks]
In general, there are five phases that make up an attack:
1. Reconnaissance: The attacker gathers information about a target using active or
passive means.
2. Scanning: The attacker begins to actively probe the target for vulnerabilities that
can be exploited.
3. Gaining Access: If a vulnerability is detected, the attacker exploits it to gain access
to the system.
4. Maintaining Access: Once access is gained, the attacker usually maintains access to
fulfill the goal of the attack.
5. Covering Tracks: The attacker tries to destroy all evidence of the attack.
1. Reconnaissance
Reconnaissance is the first step in ethical hacking. It’s often referred to as
footprinting.
Here, a hacker tries collecting various kinds of data, such as employee information,
IP addresses, network topology, and domain names, using active and passive
approaches. The purpose is to create a diagram of the target’s digital and physical
assets.
Active Reconnaissance: This method involves direct interaction with the target
system, which may warn the target about possible scans.
Passive Reconnaissance: This implies collecting data without direct contact with the
target, making it untraceable.
Popular Tools Used are:
● Nmap
● Whois
● Maltego
Reconnaissance Techniques Commonly Used:
● Google Dorking: Utilizing sophisticated search operators to find sensitive
information online.
● Whois Lookup: Collecting information on who owns the domain, IP addresses,
etc.
● Social Engineering: Manipulating people into revealing private information
regarding targets; this can be done through phishing messages, for instance.
● DNS Enumeration: To create a topology of the target’s infrastructure by
finding all DNS entries linked with the domain name concerned.
● Network Scanning: One can learn about active systems and running services
using tools like Nmap.
2. Scanning
Once enough information has been gathered, the hacker moves on to the scanning
stage.
Scanning recognizes open ports, active devices, and services in the targeted
network. It also helps to identify areas of vulnerability that can be targeted.
Scanning is usually divided into three categories:
● Port Scanning: Finding open ports or services with Nmap or Angry IP Scanner.
● Vulnerability Scanning: Detecting known weaknesses in systems and
applications using Nessus.
● Network Mapping: Creating a blueprint of network topology with tools such as
SolarWinds.
Popular Tools Used:
● Nessus
● OpenVAS
● Angry IP Scanner
Commonly used techniques for Scanning
● Port Scanning: Using tools like Nmap or Angry IP Scanner to find
open ports or services.
● Vulnerability Scanning: Using tools like Nessus to detect known
weaknesses in systems and applications.
● Network Mapping: Generating a visual map that shows the network
topology with applications like SolarWinds.
● Banner Grabbing: This involves collecting software version
information from open services to help determine any weaknesses.
● Ping Sweeps: This entails sending ICMP requests to identify active
hosts on a particular network.
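Port scans and ping sweeps leave a recognisable pattern in perimeter logs, so here is the defender's side of the scanning stage: an added example (not from the original notes) that parses constructed iptables-style LOG lines and flags one source hitting many distinct ports on a host, or ICMP-echoing many hosts, inside a sliding time window. The log format, the TEST-NET addresses and the thresholds are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT|TYPE)=(\S+)")


def parse(line):
    """Parse one iptables-style LOG line into a dict, or None if it is not one."""
    m = TS_RE.match(line)
    fields = dict(FIELD_RE.findall(line))
    if not m or not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),  # syslog has no year
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "type": fields.get("TYPE"),  # ICMP type; "8" is echo request
    }


def detect_scans(lines, window_s=60, port_threshold=10, host_threshold=8):
    """Return sorted (src, kind, dst, count) alerts. kind is "port_scan" when one
    source touches >= port_threshold distinct TCP ports on one host within
    window_s seconds, "ping_sweep" when it echo-requests >= host_threshold hosts."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        by_src[ev["src"]].append(ev)
    alerts = {}  # (src, kind, dst) -> highest count seen in any window
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, cur in enumerate(evs):
            # Slide the window start forward so evs[start:end+1] spans <= window_s.
            while (cur["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            ports_by_dst = defaultdict(set)
            pinged = set()
            for e in evs[start:end + 1]:
                if e["proto"] == "TCP" and e["dpt"] is not None:
                    ports_by_dst[e["dst"]].add(e["dpt"])
                elif e["proto"] == "ICMP" and e["type"] == "8":
                    pinged.add(e["dst"])
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold:
                    key = (src, "port_scan", dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
            if len(pinged) >= host_threshold:
                key = (src, "ping_sweep", "*")
                alerts[key] = max(alerts.get(key, 0), len(pinged))
    return sorted(k + (n,) for k, n in alerts.items())


def _line(ts, src, dst, proto, extra):
    """Build one constructed log line in the format parse() expects."""
    return f"Jan 12 {ts} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO={proto} {extra}"


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
# Constructed sample log: a 12-port scan of one host, a 10-host ping sweep, and
# a benign client that only ever connects to port 443 over several minutes.
LOG_LINES = (
    [_line(f"10:00:{i:02d}", "203.0.113.7", "192.0.2.10", "TCP", f"SPT=40000 DPT={p}")
     for i, p in enumerate(SCAN_PORTS)]
    + [_line(f"10:01:{i:02d}", "203.0.113.9", f"192.0.2.{i + 1}", "ICMP", "TYPE=8 CODE=0")
       for i in range(10)]
    + [_line(f"10:0{m}:30", "198.51.100.4", "192.0.2.10", "TCP", f"SPT=5000{m} DPT=443")
       for m in range(5)]
)

if __name__ == "__main__":
    for alert in detect_scans(LOG_LINES):
        print(alert)
```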
3. Gaining Access
During this crucial stage, the intruder utilizes the weaknesses identified during
scanning for unauthorized entry into the target system. This may involve
leveraging applications, operating systems, or network flaws. The objective is
establishing access at different privilege levels, from user accounts to
administrative control.
Exploitation Methods comprise buffer overflows, SQL injection, and cross-site
scripting (XSS).
Popular Tools Used:
● Metasploit
● SQLmap
● Hydra
Commonly used techniques for Gaining Access:
● Password Cracking: Using brute force attacks, dictionary attacks, or rainbow tables
to crack passwords.
● Exploitation of Vulnerabilities: Unauthorized access can be obtained by
exploiting known vulnerabilities such as SQL Injection or buffer overflows.
● Privilege Escalation: Higher-level privileges are acquired within a system
through exploitation or misconfiguration.
● Session Hijacking: Taking over a valid session between a user and a system
gives entrance without permission.
● Man-in-the-Middle (MITM) Attacks: By intercepting communication between
two parties, sensitive data can be accessed, violating confidentiality principles.
4. Maintaining Access
Once inside, the intruder must maintain a presence on the target machine
for further actions such as gathering or monitoring sensitive data.
Therefore, backdoors, rootkits, or Trojan horses can be installed at this
point to ensure continued access to the device even after it has been
rebooted or patched.
Persistence Techniques: Employing malicious programs, establishing
concealed user accounts, or exploiting cron jobs.
Tools Used:
● Netcat
● Ngrok
● Empire
Standard Methods of Maintaining Access:
● Installing Backdoors: Creating permanent ways of accessing the
system later, like backdoors or rootkits.
● Creating Hidden User Accounts: Adding unauthorized users
with administrative privileges that are hard to discover.
● Tunneling: Employing strategies such as SSH tunneling for
secure communication with an infected machine.
● Keystroke Logging: Capturing user’s keystroke entries to acquire
confidential details such as passwords or private information.
● Trojan Horses: Integrating applications that look real but permit
unlawful entry.
5. Clearing Tracks
The finale of ethical hacking revolves around ensuring the hacker
remains under the radar. This implies wiping logs, concealing files, and
manipulating timestamps to eliminate evidence or proof of any attack.
The intention is to ensure that attackers can never be detected or traced
via their attack methodology.
Tools Used:
● CCleaner
● Stealth Rootkit
● Timestomp
Standard Methods For Covering Tracks:
● Log Tampering: Deleting or modifying logs to erase evidence of
hacking activities.
● Steganography: Hiding malicious files or data within legitimate
files to avoid detection.
● File Timestamp Alteration: Changing the timestamps of modified
files to mislead investigators.
● Clearing Command Histories: Deleting or altering shell
command histories to prevent detection.
● Encryption: Encrypting communication and files to obscure
activities makes forensic analysis more difficult.
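The "File Timestamp Alteration" method above has a forensic counterpart: on Unix-like systems the inode change time (ctime) cannot be set through utime(), so a file whose modification time lies well before its ctime has had its mtime rewritten after the inode last changed. This added example (not from the original notes) walks a directory and flags such files; the temporary files and the one-year offset are constructed for the demonstration, and metadata-only operations such as chmod or rename produce the same pattern, so hits are triage leads rather than proof.

```python
import os
import shutil
import tempfile
import time


def mtime_predates_ctime(path, tolerance_s=2.0):
    """Return (flagged, mtime, ctime) for one file. Flagged means mtime is more
    than tolerance_s seconds older than ctime (Unix semantics: st_ctime is the
    inode change time, not the creation time)."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime > tolerance_s, st.st_mtime, st.st_ctime)


def scan_tree(root, tolerance_s=2.0):
    """Walk root and return the sorted relative paths whose mtime predates ctime."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if mtime_predates_ctime(full, tolerance_s)[0]:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Constructed scenario: two freshly written files, one of which then has its
    mtime pushed back a year. Returns the paths the scan flags."""
    root = tempfile.mkdtemp(prefix="tsdemo_")
    try:
        for name in ("normal.log", "altered.log"):
            with open(os.path.join(root, name), "w") as f:
                f.write("sample line\n")
        year_ago = time.time() - 365 * 86400
        # utime() rewrites atime and mtime only; the kernel bumps ctime to now,
        # which is exactly the inconsistency the scan looks for.
        os.utime(os.path.join(root, "altered.log"), (year_ago, year_ago))
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```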
Types of Hackers
1. White hat hacker—This kind of hacker is often referred to as a security
professional or security researcher. Such hackers are employed by an organization and
are permitted to attack an organization to find vulnerabilities that an attacker might be
able to exploit.
2. Black hat hacker—Also known as a cracker, this kind of hacker is referred to as a
bad guy, who uses his or her knowledge for negative purposes. They are often referred
to by the media as hackers.
3. Gray hat hacker—This kind of hacker is an intermediate between a white hat and a
black hat hacker. For instance, a gray hat hacker would work as a security professional
for an organization and responsibly disclose everything to them; however, he or she
might leave a backdoor to access it later and might also sell the confidential
information, obtained after the compromise of a company’s target server, to
competitors.
Similarly, some other categories of hackers are as follows:
Script kiddie—Also known as skid, this kind of hacker is someone who lacks knowledge
on how an exploit works and relies upon using exploits that someone else created. A script
kiddie may be able to compromise a target but certainly cannot debug or modify an exploit
in case it does not work.
Elite hacker—An elite hacker is someone who has deep knowledge of how an exploit
works; he or she is able to create exploits and also modify code that someone else wrote.
He or she is someone with elite hacking skills.
Hacktivist—Hacktivists are defined as a group of hackers that hack into computer systems
for a cause or purpose. The purpose may be political gain, freedom of speech, human rights,
and so on.
Ethical hacker—An ethical hacker is a person who is hired and permitted by an
organization to attack its systems for the purpose of identifying vulnerabilities that an
attacker might take advantage of. The sole difference between the terms “hacking” and
“ethical hacking” is the permission.
Types of Ethical Hacks
1. Web Application Hacking
It involves testing web applications for vulnerabilities like SQL injection, cross-site
scripting (XSS), and security misconfigurations. Ethical hackers focus on identifying
flaws that could allow unauthorized access or data breaches.
2. Network Hacking
It focuses on identifying weaknesses in a network's security. This includes scanning for
open ports, identifying vulnerable services, and exploiting weaknesses in network
protocols to gain unauthorized access or disrupt services.
3. Wireless Network Hacking
It targets wireless networks to find and exploit vulnerabilities in Wi-Fi security protocols
like WEP, WPA, and WPA2. The goal is to gain unauthorized access to the wireless
network or intercept data.
4. System Hacking
It involves hacking into individual systems to gain unauthorized access, escalate
privileges, or execute malicious actions. Techniques include password cracking,
exploiting system vulnerabilities, and installing malicious software.
5. Social Engineering
It exploits human psychology to gain unauthorized access to systems or information.
Ethical hackers use phishing, baiting, or pretexting to trick users into revealing
sensitive information or performing actions that compromise security.
6. Ethical Hacking of Mobile Platforms
It focuses on identifying vulnerabilities in mobile operating systems (iOS, Android)
and applications. This includes testing for insecure data storage, insufficient transport
layer protection, and weak authentication mechanisms.
7. Physical Hacking
It involves gaining unauthorized physical access to facilities or devices. Ethical
hackers may test the security of physical entry points, such as doors, locks, and
biometric systems, to identify vulnerabilities that could allow unauthorized access.
8. Cloud Security Testing
It involves assessing the security of cloud infrastructure, applications, and services.
Ethical hackers test for misconfigurations, insecure APIs, and other vulnerabilities that
could be exploited in a cloud environment.
9. IoT (Internet of Things) Hacking
It focuses on identifying security flaws in IoT devices and networks. This includes
testing the security of smart devices, wearable technology, and other connected devices
to prevent unauthorized access and data breaches.
10. Reverse Engineering
It involves analyzing software or hardware to discover vulnerabilities, understand how
it works, or develop exploits. Ethical hackers use reverse engineering to uncover
hidden flaws or malicious code within applications or firmware.
Types of Ethical Hacking Techniques
Ethical hacking involves finding and fixing security issues in systems. Ethical hackers
use various techniques to test the security of networks, applications, and devices. These
techniques help prevent cyber attacks and protect data. Let’s dive into some key ethical
hacking techniques.
Vulnerability Assessment
Vulnerability assessment identifies weaknesses in a system. This technique involves scanning
networks, applications, and devices for known vulnerabilities. Ethical hackers use automated
tools and manual methods to find these issues. Once identified, they document the
findings and suggest fixes.
Common tools for vulnerability assessment include:
● Nessus
● OpenVAS
● QualysGuard
Vulnerability assessments help organizations prioritize and address security flaws. This
proactive approach reduces the risk of cyber attacks.
Penetration Testing
What Is Penetration Testing?
Penetration testing is a technique used in cybersecurity to identify
vulnerabilities in applications or networks.
Penetration testers are also often responsible for assessing an
organization’s security policies, compliance, and employee awareness of
security protocols.
Clients can use the findings from a penetration test to fix vulnerabilities
before a security breach occurs. Many organizations also conduct
penetration tests of new products before release.
Penetration Testing, or pen testing, simulates cyber attacks to test system
defenses. Ethical hackers try to exploit vulnerabilities in a controlled
manner. This helps organizations understand how attackers could breach
their security.
Why Conduct a Penetration Test?
Organizations need to keep their sensitive data safe from cyberattacks. Penetration
testers are trained to assess the vulnerability of an organization’s systems and networks
by examining them for design flaws, technical vulnerabilities, and more. After
performing these assessments, penetration testers can recommend actions the
organization can take to rectify any issues discovered during the tests.
Penetration testing includes:
1. Planning and reconnaissance
2. Scanning
3. Gaining access
4. Maintaining access
5. Analysis and reporting
Penetration tests provide real-world insights into the effectiveness of security
measures. They highlight areas that need improvement to strengthen defenses.
Social Engineering
Social Engineering targets human behavior to bypass security controls.
Hackers use deception to trick individuals into revealing sensitive
information. Common tactics include phishing, pretexting, and baiting.
Examples of social engineering attacks:
● Phishing emails that mimic legitimate sources
● Phone calls pretending to be tech support
● Leaving infected USB drives in public places
Social engineering exploits trust and human error. Training and
awareness programs are essential to combat these types of attacks.
Understanding Testing Types, How to Be Ethical and Performing a
Penetration Test
Understanding Testing Types
The key testing types, each focusing on identifying vulnerabilities through simulated
attacks, include:
● Network Pentesting (external/internal)
● Web App Pentesting
● Cloud Pentesting
● Wireless Pentesting
● Social Engineering
● Mobile App Testing
Network Penetration Testing (Internal, External, and Perimeter Devices)
Here, the penetration tester audits a network environment for security vulnerabilities.
Network penetration tests can be further subdivided into two categories: external
tests and internal tests.
Even though the rise in adoption of cloud and IoT technologies has blurred the lines
of the network perimeter, it is still the first line of defense. Regular penetration
testing of perimeter devices such as remote servers, routers, desktops, and firewalls
can help identify breaches and weaknesses.
Penetration testers focus on the following areas in network penetration
tests:
● Firewall configuration
● Firewall bypass testing
● Stateful inspection analysis
● Intrusion prevention system deception
● DNS-level attacks
Web Application Penetration Testing
Web application penetration testing is performed to identify
vulnerabilities in web applications, websites, and web services. Pen
testers assess the security of the code, weaknesses in the application’s
security protocol, and the design.
This method of pen testing allows companies to meet compliance
requirements and test exposed components like firewalls, DNS servers,
and routers. Because web applications are constantly updated, checking
apps for new vulnerabilities and developing strategies to mitigate
potential threats is crucial.
Wireless Penetration Testing
With wireless technology becoming nearly omnipresent, businesses
must identify, evaluate, assess, and defend their wireless
infrastructures. Wireless penetration testing identifies security gaps
within wireless access points, such as WiFi networks and wireless
devices. Assessors look for vulnerabilities like weak encryption,
Bluetooth exploits, authentication attacks, and malicious wireless
devices to prevent data breaches.
Cloud Penetration Testing
With cloud computing becoming crucial for businesses’ scalability,
organizations must bolster the security of cloud technologies to stay
ahead of cyberattacks. Cloud penetration testing is performed to find
vulnerabilities in a cloud-based environment. Cloud pen tests provide
valuable insights into the strengths and weaknesses of cloud-based
solutions, enhance incident response programs, and help prevent
security incidents.
Social Engineering Penetration Testing
In a social engineering test, testers attempt to trick employees into
giving up sensitive information or allowing the tester access to the
organization’s systems. This enables penetration testers to understand
the organization’s vulnerability to scams or other social engineering
cyberattacks.
Mobile Device Penetration Testing
Given the staggering number of mobile applications available in the
market, they are a lucrative target for malicious actors. A recent report
that analyzed 3,335 mobile apps discovered that 63% of the apps
contained known security vulnerabilities (Synopsys, 2021). Mobile
device penetration testing is essential to the overall security posture. It
helps assess the security of a mobile device and its applications,
discover vulnerabilities, and find flaws in application code.
Penetration Testing Steps
There are five penetration testing steps: reconnaissance, scanning, vulnerability
assessment, exploitation, and reporting. Let’s take a closer look at each of these phases.
1. Reconnaissance
The first penetration testing phase is reconnaissance. In this phase, the tester gathers as
much information about the target system as they can, including information about the
network topology, operating systems and applications, user accounts, and other relevant
information. The goal is to gather as much data as possible so that the tester can plan an
effective attack strategy.
Reconnaissance can be categorized as either active or passive depending on what
methods are used to gather information (Braithwaite, 2022). Passive reconnaissance
pulls information from resources that are already publicly available, whereas active
reconnaissance involves directly interacting with the target system to gain information.
Typically, both methods are necessary to form a full picture of the target’s
vulnerabilities.
2. Scanning
Once all the relevant data has been gathered in the reconnaissance phase, it’s
time to move on to scanning. In this penetration testing phase, the tester uses
various tools to identify open ports and check network traffic on the target
system. Because open ports are potential entry points for attackers, penetration
testers need to identify as many open ports as possible for the next penetration
testing phase.
This step can also be performed outside of penetration testing; in those cases,
it’s referred to simply as vulnerability scanning and is usually an automated
process. However, there are drawbacks to only performing a scan without a
full penetration test—namely, scanning can identify a potential threat but
cannot determine the level at which hackers can gain access. So, while
scanning is essential for cybersecurity, it also needs human intervention in the
form of penetration testers to reach its full potential.
3. Vulnerability Assessment
The third penetration testing phase is vulnerability assessment, in which the
tester uses all the data gathered in the reconnaissance and scanning phases to
identify potential vulnerabilities and determine whether they can be exploited.
Much like scanning, vulnerability assessment is a useful tool on its own but is
more powerful when combined with the other penetration testing phases.
When determining the risk of discovered vulnerabilities during this stage,
penetration testers have many resources to turn to. One is the National
Vulnerability Database (NVD), a repository of vulnerability management data
created and maintained by the U.S. government that analyzes the software
vulnerabilities published in the Common Vulnerabilities and Exposures (CVE)
database. The NVD rates the severity of known vulnerabilities using the
Common Vulnerability Scoring System (CVSS).
4. Exploitation
Once vulnerabilities have been identified, it’s time for exploitation. In
this penetration testing phase, the penetration tester attempts to access
the target system and exploit the identified vulnerabilities, typically by
using a tool like Metasploit to simulate real-world attacks.
This is perhaps the most delicate penetration testing phase because
accessing the target system requires bypassing security restrictions.
Though system crashes during penetration testing are rare, testers must
still be cautious to ensure that the system isn’t compromised or
damaged.
5. Reporting
Once the exploitation phase is complete, the tester prepares a report
documenting the penetration test’s findings. The report generated in this
final penetration testing phase can be used to fix any vulnerabilities
found in the system and improve the organization’s security posture.
Building a penetration testing report requires clearly documenting
vulnerabilities and putting them into context so that the organization can
remediate its security risks. The most useful reports include sections for
a detailed outline of uncovered vulnerabilities (including CVSS scores),
a business impact assessment, an explanation of the exploitation phase’s
difficulty, a technical risk briefing, remediation advice, and strategic
recommendations.
Popular Penetration Testing Tools
There are many different penetration testing tools available, and each has its strengths
and weaknesses. Some of the most popular include:
● Nmap. Nmap is a powerful network scanning tool that can scan for open ports
and services. It also includes features for identifying vulnerable applications.
● Metasploit. Metasploit is a vulnerability exploitation tool. It includes a library
of exploits for a variety of programs and operating systems, as well as a wizard
that can assist penetration testers in capitalizing on known vulnerabilities.
● Wireshark. Wireshark is a network analysis tool that can capture packet data
from a network and decode it into readable form. This can be useful for
identifying malicious traffic or sensitive information being transmitted over a
network.
● Burp Suite. Burp Suite is an all-in-one web application security testing tool. It
can scan websites for vulnerabilities, manipulate requests and responses, and
intercept traffic between the client and server.
Strategic Approaches to Penetration Testing
There are three main strategic approaches to penetration testing, each of
which involves different steps and tools. The key differences in these
approaches involve the extent of the theoretical attacker’s knowledge of
the target system or network.
1. Gray-Box Penetration Testing
In a gray-box penetration test, the penetration tester has basic
knowledge of the target system, such as initial access credentials, a
network infrastructure map, or application logic flowcharts. Gray-box
penetration tests therefore create a realistic attack scenario, since
malicious hackers don’t normally attack without first collecting
information about their target.
2. Closed-Box Penetration Testing
In contrast, in a closed-box penetration test (also known as a black-box penetration test),
the penetration tester has no prior knowledge of the target network or system. Since the
tester has no access to information such as internal code, software, credentials, or sensitive
data, closed-box penetration tests force testers to think like a potential hacker when
searching for vulnerabilities. Unlike an actual malicious hacker, however, a closed-box
penetration tester only has limited time in which to access and test the system.
3. Open-Box Penetration Testing
Open-box penetration tests (also known as white-box penetration tests) are less like a
cyberattack and more like a complete scan of a system at the source code level. In an
open-box penetration test, the tester has the highest possible level of access to the target
system. The goal is to allow the tester to break through the system’s security measures so
that they can locate logic vulnerabilities, misconfigurations, poorly written code, and
inadequate security measures. While open-box penetration tests are comprehensive, they
still may fail to identify vulnerabilities that an attacker would exploit. Therefore, it’s
generally best to combine open-box testing with closed-box or gray-box testing.
How to be Ethical during Pen Test
Ethical Considerations
Penetration testing can have ethical implications, and it is important for organizations
to consider the following ethical considerations:
Authorization:
● This refers to the need for explicit permission from the organization or individual
who owns the system or network being tested.
● Without proper authorization, a penetration tester is effectively engaging in
unethical hacking.
● Therefore, obtaining authorization is a crucial step to ensure that penetration
testing is conducted ethically and legally.
● Clear documentation of the testing scope is essential to avoid misunderstandings
and ensure that the testing is conducted in a controlled and ethical manner.
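The authorization and scope points above can be enforced in tooling rather than left to memory. The Python below is an added example, not from the lecture: it checks a proposed target against a written rules-of-engagement record (authorised networks, domains, excluded hosts and time window) before any testing action runs. The scope values and targets are constructed; the addresses are RFC 5737 documentation ranges.

```python
# Added example (not from the lecture): gate every testing action on the written
# rules of engagement agreed with the client. All values below are constructed.
import ipaddress
from datetime import datetime

# Constructed rules of engagement, as agreed with the client in writing
RULES_OF_ENGAGEMENT = {
    "networks": ["203.0.113.0/24", "198.51.100.0/25"],   # RFC 5737 documentation ranges
    "domains": ["example.com"],                           # includes subdomains
    "excluded_hosts": ["203.0.113.7"],                    # e.g. a fragile production system
    "window": ("2024-06-03T08:00:00+00:00", "2024-06-07T18:00:00+00:00"),
}

def in_scope(roe, target, when_iso):
    """Return (authorised, reason) for testing `target` at ISO 8601 time `when_iso`.
    `target` may be an IPv4/IPv6 address or a host name."""
    start = datetime.fromisoformat(roe["window"][0])
    end = datetime.fromisoformat(roe["window"][1])
    when = datetime.fromisoformat(when_iso)
    if not (start <= when <= end):
        return False, "outside the authorised testing window"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None                      # not an address, treat as a host name
    if ip is not None:
        if any(ip == ipaddress.ip_address(h) for h in roe["excluded_hosts"]):
            return False, "host explicitly excluded by the client"
        if any(ip in ipaddress.ip_network(n) for n in roe["networks"]):
            return True, "address inside an authorised network"
        return False, "address not in any authorised network"
    host = target.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in roe["domains"]):
        return True, "name under an authorised domain"
    return False, "name not under any authorised domain"

def require_scope(roe, target, when_iso):
    """Call before any testing action; refuses unauthorised targets loudly."""
    ok, reason = in_scope(roe, target, when_iso)
    if not ok:
        raise PermissionError(f"refusing to test {target}: {reason}")
    return reason
```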
End of Module 1
Transparency:
● Ethical hackers must be transparent with their clients about their methodology,
tools, and techniques.
● This means that they should not keep any aspect of their testing methodology a
secret and must fully disclose their methods to their clients.
● This transparency is necessary to ensure that clients understand how the testing
is being conducted and can provide feedback if necessary.
● By being open about their testing process, ethical hackers can also build trust
with their clients, who will have a better understanding of the work being done
and the potential implications of the results.
Confidentiality:
● Organizations and penetration testers must ensure that the data collected during
the penetration testing exercise is kept confidential and not shared with
unauthorized parties.
● This includes the use of secure data storage and destruction methods.
● Additionally, ethical hackers have a responsibility to maintain the confidentiality
of their findings. They should not publicly disclose any information about a
vulnerability that could lead to an attack against the client.
● Instead, they should only share the findings with authorized personnel and ensure
that the information is protected from unauthorized access.
● Ethical hackers must balance the need to disclose vulnerabilities with the need to
maintain the security of their clients.
● This requires careful consideration and collaboration with the client to determine
the appropriate level of disclosure and the best way to remediate any
vulnerabilities that are discovered.
Responsibility:
● Organizations must ensure that their penetration testing exercise is
conducted in a responsible and professional manner, and that no harm
is caused to their employees, customers, or stakeholders during the
process.
● This includes implementing appropriate safeguards to prevent
damage to systems or networks and ensuring that the testing does not
disrupt critical business operations.
● In addition, organizations must take responsibility for addressing any
vulnerabilities discovered during the penetration testing exercise
promptly.
● This includes prioritizing and addressing the vulnerabilities in a
timely and effective manner to minimize the risk of exploitation.