Introduction to Ethical Hacking: Essential Steps and Tools You Must Know

Introduction to Ethical Hacking: Essential Steps and Tools You Must Know

Ever wondered how "good" hackers work? Or curious about how to protect systems from cyber attacks? The answer lies in Ethical Hacking or what's often called Penetration Testing.

This guide will take you through the world of ethical hacking from the ground up, covering the essential steps, must-know tools, and hands-on practice with Nmap.

---

What is Ethical Hacking?

Ethical Hacking is the practice of using hacking techniques to test and improve computer system security. Unlike malicious hackers (black hats), ethical hackers perform their activities with official authorization and aim to protect, not destroy.

Why is Ethical Hacking Important?

• Proactive Security → Find vulnerabilities before malicious hackers do
• Cost Savings → Prevent expensive data breaches
• Regulatory Compliance → Meet industry security standards
• System Validation → Ensure security controls are working

Note: According to IBM, the average cost of a data breach in 2023 reached $4.45 million USD. Ethical hacking can prevent losses of this magnitude.

---

Five Phases of Ethical Hacking

Ethical hacking follows a structured methodology:

1. Reconnaissance (Information Gathering)

Definition: Gathering public information about the target without directly interacting with the system.

Types of Reconnaissance:

Passive Reconnaissance:

• Google Dorking to find sensitive information
• WHOIS lookup for domain data
• Social media intelligence (SOCMINT)
• DNS enumeration

Active Reconnaissance:

• Limited network scanning
• Website crawling
• Light port scanning

Reconnaissance Tools:

2. Scanning & Enumeration

Definition: Active scanning to discover live systems, open ports, and running services.

Scanning Phases:

1. Host Discovery → Find active hosts
2. Port Scanning → Identify open ports
3. Service Detection → Determine services & versions
4. OS Fingerprinting → Detect operating systems

Scanning & Enumeration Tools:

3. Gaining Access

Definition: Exploiting discovered vulnerabilities to gain access to the target system.

Gaining Access Methods:

• Exploitation → Leveraging known CVEs
• Brute Force → Automated credential guessing
• Social Engineering → Manipulating human factors
• Web Application Attacks → SQL Injection, XSS, etc.

Gaining Access Tools:

# Popular tools examples
Metasploit Framework  # Exploitation framework
Hydra                 # Brute force tool
SQLMap               # SQL injection automation
Burp Suite           # Web application testing

4. Maintaining Access

Definition: Ensuring access to the system can be maintained for future use.

Maintaining Access Techniques:

• Backdoor Installation → Backdoors for re-entry
• Rootkit Deployment → Hidden tools at kernel level
• User Account Creation → Creating hidden accounts
• Service Modification → Modifying services for persistence

Ethical Considerations:

IMPORTANT: In ethical hacking, this phase is only for
documentation and demonstration. Backdoors must be
removed after testing is complete!

5. Clearing Tracks

Definition: Removing or hiding evidence of hacking activities.

Clearing Tracks Activities:

• Log Deletion → Remove entries from log files
• Timestamp Modification → Change file access times
• File Deletion → Remove tools and scripts used
• Registry Cleaning → Clean Windows registry

Clearing Tracks Tools:

# Linux
rm -rf /var/log/auth.log     # Delete authentication logs
history -c                   # Clear command history

# Windows
wevtutil cl Security        # Clear Security event log
cipher /w:C:\               # Secure file deletion

---

Why Authorization and Ethics Matter

Legal & Ethical Aspects

1. Legal Compliance

Ethical hacking MUST be performed with written authorization from the system owner. Without authorization:

• Violates cybercrime laws
• Can result in imprisonment up to 6 years
• Fines up to $1 million

2. Scope Limitations

Authorization ensures testing only on:

• Approved systems
• Specified timeframes
• Agreed methodologies

3. Professional Trust

With authorization, clients can:

• Prepare system backups
• Monitor testing processes
• Ensure no damage occurs

Most Risky Phase

Gaining Access is the riskiest phase because:

1. Direct System Interaction → Direct interaction with target
2. Exploitation Attempts → Attempting to exploit security vulnerabilities
3. Potential System Damage → Risk of damaging systems if not careful
4. Legal Implications → Without authorization, it's immediately illegal

WARNING: Performing gaining access without authorization
is CYBERCRIME and can result in imprisonment!

---

Tools Mapping for Each Phase

Commonly used tools for each phase:

---

Deep Dive: Mastering Nmap

Nmap (Network Mapper) is an essential tool for every ethical hacker.

Why is Nmap Important?

• Free & Open Source → Free and customizable
• Cross Platform → Runs on Windows, Linux, macOS
• Powerful Features → From basic scanning to advanced scripting
• Industry Standard → Used by professionals worldwide

Installing Nmap

Windows:

# Download from https://nmap.org/download.html
# Or via Chocolatey
choco install nmap

Linux (Debian/Ubuntu):

sudo apt update
sudo apt install nmap

Installation Verification:

nmap --version

Basic Nmap Commands

1. Host Discovery (Ping Sweep)

# Scan network for active hosts
nmap -sn 192.168.1.0/24

# Example output:
# Nmap scan report for 192.168.1.1
# Host is up (0.001s latency).
# Nmap scan report for 192.168.1.100
# Host is up (0.002s latency).

Parameter Explanation:

• -sn → No port scan, ping only
• /24 → CIDR notation for subnet mask

2. Basic Port Scan

# Scan top 1000 ports
nmap 192.168.1.100

# Scan specific ports
nmap -p 22,80,443 192.168.1.100

# Scan port range
nmap -p 1-1000 192.168.1.100

3. Service & Version Detection

# Detect services and versions
nmap -sV 192.168.1.100

# Example output:
# PORT   STATE SERVICE VERSION
# 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu
# 80/tcp open  http    nginx 1.18.0

4. OS Detection

# Detect operating system
nmap -O 192.168.1.100

# Combined service + OS detection
nmap -sV -O 192.168.1.100

Advanced Nmap Techniques

1. Stealth Scanning

# SYN scan (stealth)
nmap -sS 192.168.1.100

# TCP connect scan
nmap -sT 192.168.1.100

# UDP scan
nmap -sU 192.168.1.100

2. Aggressive Scanning

# Aggressive scan (service, OS, scripts, traceroute)
nmap -A 192.168.1.100

# Fast scan (top 100 ports)
nmap -F 192.168.1.100

3. Nmap Scripts (NSE)

# Vulnerability scanning
nmap --script vuln 192.168.1.100

# HTTP enumeration
nmap --script http-enum 192.168.1.100

# SMB enumeration
nmap --script smb-enum-shares 192.168.1.100

Practical Exercise: VM Lab Scanning

Practice with a real scenario from the worksheet:

Scenario Setup:

• Target VM: Ubuntu Server with SSH, HTTP, DNS services
• Network: 10.20.11.0/24
• Target IP: 10.20.11.109

Step 1: Network Discovery

# Scan network for active hosts
nmap -sn 10.20.11.0/24

# Output analysis:
# - 58 active hosts found
# - Target VM (10.20.11.109) detected
# - Low latency (0.0020s) = within LAN

Step 2: Service Detection

# Detailed service scan
nmap -sV 10.20.11.109

# Analysis results:
# PORT   STATE SERVICE    VERSION
# 22/tcp open  ssh        OpenSSH 9.6p1 Ubuntu
# 53/tcp open  tcpwrapped (likely DNS)
# 80/tcp open  http       nginx 1.24.0 (Ubuntu)

Step 3: Risk Assessment

SSH (Port 22) - MEDIUM RISK

Potential Threats:
- Brute force attacks if weak passwords
- SSH key compromise
- Version-specific exploits

Mitigations:
- Use key-based authentication
- Disable root login
- Change default port
- Implement fail2ban

HTTP (Port 80) - HIGH RISK

Potential Threats:
- Web application vulnerabilities
- No encryption (HTTP vs HTTPS)
- Information disclosure
- Server-side attacks

Mitigations:
- Implement HTTPS/TLS
- Regular security updates
- Web Application Firewall (WAF)
- Input validation & sanitization

Advanced Nmap Scripts for Ethical Hacking

1. Web Application Testing

# HTTP methods enumeration
nmap --script http-methods 192.168.1.100

# Directory busting
nmap --script http-enum 192.168.1.100

# SQL injection detection
nmap --script http-sql-injection 192.168.1.100

2. Network Services Testing

# SMB vulnerability scan
nmap --script smb-vuln-* 192.168.1.100

# FTP anonymous login check
nmap --script ftp-anon 192.168.1.100

# DNS enumeration
nmap --script dns-brute domain.com

3. Custom NSE Scripts

-- Example custom script for HTTP header analysis
local http = require "http"
local shortport = require "shortport"

portrule = shortport.http

action = function(host, port)
  local response = http.get(host, port, "/")
  if response and response.header then
    return response.header["server"]
  end
end

---

Security and Ethics in Practice

Legal Framework

Internationally:

• Computer Fraud and Abuse Act (CFAA) → US cybercrime law
• General Data Protection Regulation (GDPR) → EU data protection
• ISO 27001 → Information security standards

Best Practices:

# Always document:
1. Written authorization letter
2. Scope of testing
3. Timeline & methodology
4. Incident response plan
5. Data handling procedures

Responsible Disclosure

If you discover vulnerabilities:

1. Don't exploit for personal gain
2. Report to system owner first
3. Allow time for patching (90 days standard)
4. Document discovery process
5. Publish after patch is available (if permitted)

---

Lab Challenge: Mini Penetration Test

Challenge Scenario

Target: VM Lab Server (10.200.36.171) Objective: Identify services and potential vulnerabilities Rules: Information gathering only (no exploitation)

Lab Setup Requirements

# VM Configuration:
OS: Ubuntu Server 20.04 LTS
Services:
- FTP (vsftpd)
- DNS (BIND9)
- HTTP (Apache/Nginx)
Network: Bridge mode
Firewall: Minimal rules

Execution Steps

Phase 1: Reconnaissance

# 1. Basic connectivity test
ping -c 4 10.200.36.171

# 2. Network discovery
nmap -sn 10.200.36.0/24 | grep 10.200.36.171

Phase 2: Service Enumeration

# 1. Quick port scan
nmap -F 10.200.36.171

# 2. Detailed service detection
nmap -sV -sC 10.200.36.171

# 3. Full TCP scan
nmap -p- 10.200.36.171

Phase 3: Vulnerability Assessment

# 1. Vulnerability scripts
nmap --script vuln 10.200.36.171

# 2. Service-specific tests
nmap --script ftp-* 10.200.36.171
nmap --script http-* 10.200.36.171
nmap --script dns-* 10.200.36.171

Expected Results Analysis

Port 21 (FTP):

Potential Issues:
- Anonymous login enabled?
- Weak authentication?
- Version vulnerabilities?
- Directory traversal?

Port 53 (DNS):

Potential Issues:
- Zone transfer allowed?
- DNS amplification possible?
- Version information disclosure?
- Cache poisoning vulnerable?

Port 80 (HTTP):

Potential Issues:
- Default pages/configs?
- Directory listing enabled?
- Outdated web server?
- Missing security headers?

---

Tools Arsenal for Ethical Hackers

Linux Distributions for Ethical Hacking

Kali Linux - Industry Standard

# Pre-installed tools:
- Nmap, Metasploit, Burp Suite
- Wireshark, Aircrack-ng, John the Ripper
- OWASP ZAP, SQLMap, Nikto
- Social Engineering Toolkit (SET)

Parrot Security OS - Privacy-Focused

# Key features:
- Anonymous browsing tools
- Built-in crypto tools
- Lighter than Kali
- AnonSurf for anonymity

BlackArch Linux - Extensive Repository

# Highlights:
- 2800+ security tools
- Arch Linux based
- Minimal base installation
- Package manager: pacman

Mobile Ethical Hacking

Android Tools:

• NetHunter → Kali Linux for Android
• Termux → Terminal emulator with tools
• WiFi Analyzer → Network reconnaissance
• Network Scanner → Port scanning

iPhone Tools:

• iSH → Linux shell for iOS
• Network Analyzer → Basic network tools
• Fing → Network discovery
• Wireshark → Via SSH to remote machine

---

Learning Path for Ethical Hackers

Beginner Level (0-6 months)

Fundamental Knowledge:

- Networking basics (TCP/IP, OSI Model)
- Linux command line proficiency
- Basic programming (Python/Bash)
- Web technologies (HTTP/HTTPS, HTML, JavaScript)
- Database fundamentals (SQL)

Tools to Master:

• Nmap → Network scanning
• Wireshark → Traffic analysis
• Burp Suite Community → Web app testing
• Metasploit → Basic exploitation
• John the Ripper → Password cracking

Recommended Courses:

• CompTIA Security+
• CEH (Certified Ethical Hacker) v12
• eJPT (eLearnSecurity Junior Penetration Tester)

Intermediate Level (6-18 months)

Advanced Skills:

- Advanced networking & protocols
- Scripting & automation (Python, PowerShell)
- Active Directory pentesting
- Web application security (OWASP Top 10)
- Wireless security testing

Professional Tools:

• Cobalt Strike → Advanced red teaming
• Empire/Covenant → Post-exploitation
• BloodHound → AD enumeration
• Responder → Network poisoning
• Custom tools development

Certifications:

• OSCP (Offensive Security Certified Professional)
• GPEN (GIAC Penetration Tester)
• eCPPT (eLearnSecurity Certified Professional Penetration Tester)

Expert Level (18+ months)

Specialized Areas:

- Red team operations & MITRE ATT&CK
- Advanced persistent threats (APT) simulation
- Zero-day research & exploit development
- Mobile application security (iOS/Android)
- IoT & embedded systems security
- Cloud security (AWS/Azure/GCP)

Expert Certifications:

• OSEE (Offensive Security Exploitation Expert)
• GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
• CISSP (Certified Information Systems Security Professional)

---

Ethical Hacking in Modern Context

Bug Bounty Programs

Popular Platforms:

• HackerOne → Enterprise bug bounty platform
• Bugcrowd → Crowdsourced security testing
• Synack → Invitation-only platform
• YesWeHack → European-focused platform

Bug Bounty Success Tips:

1. Choose targets matching your skill level
2. Focus on specific vulnerability types
3. Read scope & rules carefully
4. Document findings well
5. Network with bug bounty community

Red Team vs Blue Team

Red Team (Offensive Security):

Role: Simulate real-world attacks
Skills: Penetration testing, social engineering
Tools: Metasploit, Cobalt Strike, custom exploits
Goal: Find vulnerabilities & demonstrate impact

Blue Team (Defensive Security):

Role: Detect & respond to threats
Skills: SIEM, incident response, forensics
Tools: Splunk, QRadar, CrowdStrike, Wireshark
Goal: Protect systems & minimize damage

Purple Team (Collaborative):

Role: Bridge red & blue team activities
Skills: Both offensive & defensive knowledge
Tools: Combined toolset from both teams
Goal: Improve overall security posture

---

Cybersecurity Career Path

Job Roles & Salary Ranges (US)

Most In-Demand Skills:

Technical Skills:

• Cloud Security (AWS, Azure, GCP)
• DevSecOps & CI/CD Security
• API Security Testing
• Kubernetes & Container Security
• Mobile Application Security

Soft Skills:

• Communication & Report Writing
• Project Management
• Business Risk Assessment
• Team Leadership
• Continuous Learning Mindset

---

Best Practices

Do's in Ethical Hacking:

- Always get written authorization before testing
- Document all activities in detail
- Follow agreed scope
- Report vulnerability findings responsibly
- Update knowledge with latest trends
- Backup data before testing
- Use test environments when possible
- Communicate regularly with clients/stakeholders

Don'ts in Ethical Hacking:

- Never test without authorization (illegal!)
- Don't damage or alter target data
- Don't use findings for personal gain
- Don't ignore privacy & confidentiality
- Don't skip documentation and reporting
- Don't test production without approval
- Don't share vulnerabilities before patching
- Don't forget to remove tools/backdoors after testing

---

Future Trends in Ethical Hacking

AI & Machine Learning in Security

AI-Powered Attacks:

• Automated vulnerability discovery
• AI-generated phishing campaigns
• Deepfake social engineering
• ML-based password cracking

AI-Powered Defense:

• Behavioral anomaly detection
• Automated threat hunting
• Predictive vulnerability assessment
• AI-assisted incident response

Cloud & Container Security

# New focus areas:
- Kubernetes security testing
- Serverless function vulnerabilities
- Cloud misconfigurations
- Container escape techniques
- Multi-cloud security assessment

IoT & Embedded Security

# Emerging challenges:
- Smart home device hacking
- Industrial IoT (IIoT) security
- Automotive cybersecurity
- Medical device vulnerabilities
- 5G network security

---

Conclusion & Reflection

After learning about the world of ethical hacking, there are several important points to remember:

Key Takeaways:

1. Ethical hacking is a structured methodology → Each phase has specific goals and tools
2. Authorization and legality are top priorities → Without authorization = cybercrime
3. Reconnaissance and scanning are the foundation → Good information = proper attack vectors
4. Tools are means, not the end → Understanding concepts is more important than memorizing commands
5. Continuous learning is key → Cybersecurity landscape changes very rapidly

Benefits of Reconnaissance & Scanning Phases:

From hands-on experience with Nmap and VM scanning, we can see that:

• Reconnaissance provides the big picture without "touching" the system
• Scanning & Enumeration provides actionable technical details
• The combination allows for effective attack vector planning
• Minimizes risk while maximizing information gathering

Next Steps:

If you're interested in diving deeper into ethical hacking:

1. Practice in lab environments → Never test on production systems
2. Join cybersecurity communities → Networking and knowledge sharing
3. Follow bug bounty programs → Real-world experience with legal frameworks
4. Get certifications → CEH, OSCP, or those matching your career path
5. Stay updated → Follow security blogs, podcasts, and conferences

---

Remember: With great power comes great responsibility. Ethical hacking is about protecting, not destroying. Use your skills wisely!

If you have questions or want to discuss ethical hacking further, feel free to reach out!

---

This article was written by Rejaka Abimanyu Susanto, a Full-Stack Developer and Cybersecurity Enthusiast residing in Yogyakarta, Indonesia. To learn more about me, you can visit rejaka.id.