Ethical Hacking Introduction

Ethical hacking, conducted by authorized professionals known as white-hat hackers, involves identifying and addressing vulnerabilities in systems to prevent exploitation by malicious actors. The process follows key principles such as legality, scope definition, confidentiality, and responsible reporting, and consists of five phases: reconnaissance, scanning, gaining access, maintaining access, and reporting. Ethical hackers must adhere to strict ethical guidelines and possess a range of technical skills and certifications to effectively safeguard digital environments.

Uploaded by sadiasakharkar24
Ethical Hacking Introduction

- Ethical hacking involves authorized penetration testing. Ethical hackers, also known as white-hat hackers, use the same tools and techniques as cybercriminals, but with permission and for defensive purposes.
- Ethical hacking is the process of detecting vulnerabilities in an application, system, or organization's infrastructure that an attacker could use to exploit an individual or organization.

Key Principles of Ethical Hacking

1. Legality & Authorization

- Always operate within the boundaries of the law.
- Obtain explicit authorization or written consent from the system owner before conducting any tests.
- Comply with global data protection laws such as:
  - GDPR (General Data Protection Regulation)
  - CCPA (California Consumer Privacy Act)

2. Scope Definition

- Clearly define the boundaries of engagement with the client before starting.
- Set expectations on:
  - What systems can be tested
  - What methods are allowed
  - Timelines and deliverables

3. Confidentiality

- Protect all sensitive information encountered during testing.
- Use Non-Disclosure Agreements (NDAs) to formalize trust and data protection.
- Never misuse or share data outside the agreed scope.

4. Responsible Reporting

- Document all findings accurately and in detail.
- Communicate vulnerabilities only to authorized stakeholders.
- Offer remediation advice and support to fix the discovered issues.

The Five Phases of Ethical Hacking


Each phase plays a critical role in identifying and addressing security vulnerabilities ethically and effectively.

1. Reconnaissance (Information Gathering)

The first step, where the hacker collects as much information as possible about the target system.

- Types: Passive (e.g., public sources) and Active (e.g., ping sweeps)
- Goal: Identify IP addresses, domain details, employee info, technologies in use

2. Scanning

Actively probing the target system to identify live hosts, open ports, services, and vulnerabilities.

- Techniques: Port scanning, network mapping, vulnerability scanning
- Tools: Nmap, Nessus, OpenVAS

3. Gaining Access (Exploitation)

Attempt to exploit identified vulnerabilities to gain unauthorized access.

- Methods: Password cracking, exploiting software bugs, social engineering
- Goal: Gain control over systems or accounts

4. Maintaining Access

Establishing a persistent presence in the system to continue access if needed.

- Techniques: Installing backdoors, rootkits, Trojans
- Ethical hackers do this to simulate real-world threats and assess detection

5. Covering Tracks & Reporting

Clearing signs of the hacking activity and compiling a detailed report of findings.

- Covering Tracks: In real attacks, attackers erase logs; ethical hackers simulate this step.
- Reporting: Ethical hackers document all activities and vulnerabilities found, and provide remediation suggestions.

Phase 1: Reconnaissance — Gathering Intelligence

Reconnaissance is the initial phase of ethical hacking, where information about the target is collected to prepare for deeper testing. It helps understand the target’s environment, assets, and vulnerabilities.

Types of Reconnaissance

Active Reconnaissance

Involves direct interaction with the target system.

- Purpose: To gather detailed and real-time information
- Tools:
  - Nmap (for port scanning and network mapping)
  - Nessus (for vulnerability scanning)

Can be detected by intrusion detection systems (IDS).

Passive Reconnaissance

Involves no direct interaction with the target system.

- Purpose: To gather information stealthily without alerting the target
- Techniques:
  - OSINT (Open Source Intelligence)
  - Monitoring social media, WHOIS, job postings, public code repos

Undetectable by IDS; safer for stealth analysis.

Phase 2: Scanning & Enumeration

This phase involves actively probing the target to discover open ports,
running services, and potential vulnerabilities, followed
by extracting specific system and user-level details.

1. Port Scanning

Identifies open ports and active services on the target system.

- Objective: Discover entry points for exploitation
- Tools: Nmap, Angry IP Scanner, Masscan
- Example: Checking if port 22 (SSH) or port 80 (HTTP) is open

2. Vulnerability Scanning

Detects known security flaws in operating systems, applications, and services.

- Tools: Nessus, OpenVAS, Qualys
- Helps prioritize which vulnerabilities to exploit based on severity (CVSS scores)

3. Enumeration

Extracts detailed information from the system such as:

- Usernames
- Group names
- Network shares
- System banners
- Active directories

- Tools: Netcat, SNMPWalk, Enum4linux, Nbtstat
- Goal: Build a map of the system to facilitate privilege escalation or lateral movement

Phase 3: Exploitation — Gaining Access

In this phase, the ethical hacker actively attempts to exploit vulnerabilities identified during scanning to gain unauthorized access to systems, applications, or data — strictly under authorized scope.

1. Vulnerability Exploitation

Using known flaws in software, services, or configurations to gain access or escalate privileges.

- Targets: Operating systems, databases, web servers, applications
- Outcome: Access to systems, credentials, or sensitive data

2. Exploitation Frameworks

Powerful tools that automate exploitation and post-exploitation activities.

- Most Common:
  - Metasploit Framework (widely used in penetration testing)
  - BeEF (Browser Exploitation Framework)
  - Canvas, Core Impact

3. Types of Exploits

These can vary depending on the system's exposure and security flaws.

- SQL Injection (SQLi) – Inject malicious queries into database-driven applications
- Cross-Site Scripting (XSS) – Inject scripts into webpages viewed by others
- Buffer Overflow – Overwrite memory to gain control of a system
- Remote Code Execution (RCE) – Run malicious code remotely on a target machine

This phase is where the real "attack" simulation happens — but it must be
done ethically, legally, and within defined scope.

Phase 4: Post-Exploitation — Maintaining Access

After gaining access, the ethical hacker focuses on staying connected to the target environment and evaluating the depth of potential damage a real attacker could cause.

1. Maintain Access

Set up ways to return to the system without repeating the full exploitation process.

- Techniques:
  - Installing backdoors
  - Deploying remote access tools (RATs)
  - Adding hidden user accounts
- Goal: Simulate what a real attacker would do to remain undetected and persistent

2. Privilege Escalation

Upgrade from a low-privileged user to administrator or root-level access.

- Methods:
  - Exploiting OS or software flaws
  - Misconfigured services
  - Credential harvesting
- Purpose: Gain full control and access sensitive resources

3. Lateral Movement

Navigate across the network to access other devices, servers, or domains.

- Techniques:
  - Pass-the-Hash
  - Token impersonation
  - Exploiting shared drives or trust relationships
- Goal: Map the internal network and identify high-value targets

Phase 5: Reporting & Remediation

This is the most critical phase from a business and security improvement standpoint. All findings are documented, communicated, and followed up with actionable steps to strengthen the system.

1. Document

Provide a clear, structured report of all activities and discoveries during the engagement.

- Contents:
  - List of identified vulnerabilities
  - Methods and tools used
  - Risk levels and potential impacts
  - Screenshots or logs as evidence
- Purpose: Help stakeholders understand what was tested and why it matters

2. Remediate

Recommend concrete, practical steps to fix the vulnerabilities.

- Suggestions may include:
  - Software updates/patches
  - Configuration changes
  - Password policy improvements
  - Network segmentation
- Tailored for both technical teams and non-technical decision-makers

3. Follow-Up

Conduct re-testing to confirm vulnerabilities have been properly fixed.

- Verify:
  - All issues are resolved
  - No new vulnerabilities were introduced during fixes
- May involve a second round of penetration testing or validation

This phase ensures the ethical hacking effort results in real security improvements, not just theoretical knowledge.

The Ethical Hacker: A Digital Guardian

An ethical hacker is a cybersecurity professional who uses their skills to identify and fix vulnerabilities before malicious hackers can exploit them. Acting as a trusted protector, they simulate real-world cyberattacks—legally and responsibly—to strengthen digital defenses.

Core Skills & Qualifications

- Networking Expertise: Deep understanding of TCP/IP, firewalls, routing, DNS, and VPNs.
- Operating System Knowledge: Proficient in both Windows and Linux environments.
- Security Tool Proficiency: Hands-on experience with tools like Nmap, Wireshark, Metasploit, Burp Suite, and John the Ripper.
- Scripting & Automation Skills: Familiar with Python, Bash, and PowerShell for automating tasks and writing custom exploits.

Top Industry Certifications

- Certified Ethical Hacker (CEH) – EC-Council
- Offensive Security Certified Professional (OSCP) – Offensive Security
- CompTIA Security+ – Entry-level but foundational certification

Professional Ethics & Principles

An ethical hacker must strictly follow:

- Legality – Always work with proper authorization
- Transparency – Report findings honestly and clearly
- Confidentiality – Protect all sensitive data under NDAs and trust

Basic Terms and Methodology in Cybersecurity

1. Threat

A threat is any potential cause of an unwanted incident that may result in harm to a system or organization. It can be intentional (e.g., hacking) or unintentional (e.g., natural disasters or human error).

2. Vulnerability

A vulnerability is a weakness or flaw in a system's design, implementation, operation, or internal controls that can be exploited by a threat to gain unauthorized access or cause harm.

3. Asset

An asset is anything of value to an organization, including hardware, software, data, personnel, and reputation, that must be protected from threats and vulnerabilities.

4. Risk

Risk is the potential for loss or damage when a threat exploits a vulnerability. It is typically assessed as a function of the likelihood of the threat occurring and the impact it would have on the organization.

5. Risk Management (RM)

Risk Management is the systematic process of identifying, analyzing, evaluating, and addressing risks to minimize their impact on organizational assets. It involves selecting appropriate security measures to reduce risk to an acceptable level.

Unified Kill Chain: The 18 Phases of a Cyber Attack

The Unified Kill Chain (UKC) is a comprehensive model that maps the
full lifecycle of sophisticated cyberattacks. It is used by cybersecurity
professionals to understand, detect, and respond to adversary behavior at
every stage of an intrusion.

1. Reconnaissance

Researching, identifying, and selecting targets using active (e.g., scanning) or passive (e.g., public data) techniques to gather intelligence about systems and people.

2. Weaponization

Preparing the attack by creating or configuring tools, payloads, and infrastructure needed to exploit the identified target.

3. Delivery

Transmitting the weaponized payload to the target through methods such as email attachments, malicious websites, infected USBs, or drive-by downloads.

4. Social Engineering

Manipulating individuals to perform unsafe actions or divulge confidential information. This includes phishing, pretexting, baiting, and impersonation.

5. Exploitation

Using malicious code or techniques to exploit vulnerabilities in systems or user behavior to execute unauthorized actions.

6. Persistence

Establishing a foothold by creating mechanisms (e.g., backdoors or startup scripts) that allow the attacker to maintain access across reboots and sessions.

7. Defense Evasion

Avoiding detection by obfuscating code, disabling security tools, modifying logs, or using stealth techniques to bypass intrusion detection systems.

8. Command and Control (C2)

Establishing communication with compromised systems to remotely issue commands, control actions, and extract data.

9. Pivoting

Using a compromised system as a bridge to access other systems within the internal network that are otherwise unreachable from outside.

10. Discovery

Gathering information about the network, systems, users, and configurations to inform next steps and identify valuable targets.

11. Privilege Escalation

Gaining higher levels of access (e.g., admin or root) by exploiting system vulnerabilities, misconfigurations, or reused credentials.

12. Execution

Running malicious code on a system to take control, perform unauthorized operations, or advance the attack’s objectives.

13. Credential Access

Obtaining usernames, passwords, tokens, or other authentication data to deepen access and move further through the network.

14. Lateral Movement

Moving from one system to another within the target environment to reach additional assets, expand control, or collect data.

15. Collection

Identifying and gathering sensitive data such as documents, database records, emails, or credentials in preparation for exfiltration.

16. Exfiltration

Transferring the collected data out of the target network to a location controlled by the attacker.

17. Impact

Executing actions intended to disrupt, destroy, or manipulate data or systems, such as data wiping, ransomware deployment, or denial-of-service.

18. Objectives

Achieving the final strategic goals of the attack, which may include financial theft, political disruption, espionage, or reputational harm.

Security Principles – The CIA Triad

The CIA Triad represents the three fundamental principles of information security: Confidentiality, Integrity, and Availability. Together, they form the basis of secure system design, risk assessment, and cybersecurity policies.

1. Confidentiality

Confidentiality ensures that information is accessible only to authorized individuals and is protected from unauthorized disclosure.

- Prevents data breaches and leaks
- Techniques include encryption, access control, and authentication

2. Integrity

Integrity ensures that data is accurate, complete, and unaltered during storage, processing, and transmission. It also ensures that unauthorized modifications can be detected.

- Prevents data tampering and corruption
- Techniques include hashing, digital signatures, and version control

3. Availability

Availability ensures that authorized users have reliable and timely access to information and systems when needed.

- Prevents downtime and service disruption
- Techniques include redundancy, failover systems, backups, and DoS protection

These principles guide the development and implementation of secure information systems and are critical for maintaining trust, functionality, and resilience in any digital environment.

General Data Protection Regulation (GDPR)

The GDPR is a comprehensive data protection law enforced by the European Union (EU) that governs how organizations collect, store, process, and transfer personal data of individuals within the EU.

It aims to protect individual privacy and provide people with greater control over their personal information.

Key Components of GDPR

1. Data Subject Rights
   Individuals (data subjects) have rights such as access, rectification, erasure (right to be forgotten), and data portability.
2. Lawful Processing
   Data must be processed only under valid legal grounds (e.g., consent, contract, legal obligation, vital interest, public task, legitimate interest).
3. Personal Data Breaches
   Organizations must notify the supervisory authority within 72 hours of detecting a data breach.
4. Limitation of Purpose, Data, and Storage
   Personal data must be collected for specified, explicit, and legitimate purposes, and retained only as long as necessary.
5. Data Protection Impact Assessment (DPIA)
   Required when data processing is likely to result in a high risk to individuals' rights and freedoms.
6. Consent
   Must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and silence do not constitute valid consent.
7. Data Protection Officer (DPO)
   Certain organizations must appoint a DPO to oversee GDPR compliance.
8. Privacy by Design and by Default
   Data protection should be embedded into systems and processes from the start, not added later.
9. Awareness and Training
   Staff handling personal data must receive regular training to ensure GDPR compliance.
10. Data Transfer
   Transfers of personal data outside the EU must ensure adequate levels of protection, often through Standard Contractual Clauses or adequacy decisions.

In-Depth Discussion: Data Subject Rights

One of the most empowering rules of GDPR is the provision of rights to individuals over their personal data. These include:

- Right to Access – Individuals can request a copy of their personal data being processed.
- Right to Rectification – Allows correction of inaccurate or incomplete data.
- Right to Erasure (Right to be Forgotten) – Individuals can request deletion of their data under certain conditions.
- Right to Restrict Processing – Individuals can limit how their data is used.
- Right to Data Portability – Allows users to obtain and reuse their data across different services.
- Right to Object – Individuals can object to processing, especially in direct marketing.
- Rights Related to Automated Decision-Making and Profiling – Individuals can challenge and seek human intervention.

Impact: These rights significantly enhance transparency and trust between users and data controllers. Organizations must have processes in place to respond to such requests within one month, free of charge.

India’s Digital Personal Data Protection Act (DPDPA), 2023

The Digital Personal Data Protection Act, 2023 is India’s landmark data privacy law that governs the collection, storage, processing, and transfer of digital personal data. It seeks to protect the rights of individuals while ensuring that organizations handle data responsibly and transparently.

Who Must Comply?

Any business that processes the personal data of Indian citizens, whether located in India or abroad, must comply. This includes:

- E-commerce companies (e.g., Amazon, Flipkart)
- Social media platforms (e.g., Instagram, Facebook)
- Financial institutions (e.g., banks, NBFCs)
- Healthcare providers (e.g., hospitals, insurance companies)
- Tech firms (e.g., app developers, analytics platforms)

Key Principles of the DPDPA

The DPDPA is guided by seven foundational principles:

1. Lawful and Transparent Use
   Personal data must be used legally and with transparency.
2. Purpose Limitation
   Data should only be used for purposes that were clearly stated when it was collected.
3. Data Minimization
   Only the minimum necessary personal data should be collected.
4. Accuracy
   Personal data must be accurate and up-to-date.
5. Storage Limitation
   Data should be stored only for as long as necessary.
6. Reasonable Security Safeguards
   Organizations must protect personal data using adequate security measures.
7. Accountability
   Data fiduciaries (i.e., organizations processing data) are responsible for complying with the Act.

Data Subject Rights under DPDPA

Just like GDPR, individuals (referred to as Data Principals) are granted specific rights:

- Right to Access Information
- Right to Correction and Erasure
- Right to Nominate (for managing data posthumously)
- Right to Grievance Redressal

Governance Structure in India

1. Data Protection Board (DPB) of India

A central body set up to:

- Adjudicate complaints and violations
- Impose penalties for non-compliance
- Direct investigations or audits

2. Data Fiduciaries

Entities (companies or organizations) that collect and process personal data are referred to as Data Fiduciaries.

There’s also a classification:

- Significant Data Fiduciaries (SDFs) – Large-scale processors with additional obligations such as appointing a Data Protection Officer (DPO) and conducting regular Data Protection Impact Assessments (DPIAs).

Consent Management

- Consent must be free, specific, informed, and unambiguous.
- Individuals must be able to withdraw consent at any time.
- Data should be processed only for purposes consented to by the Data Principal.

Cross-Border Data Transfer

The government may permit data transfer to specific countries, based on adequacy and safeguards. However, data can’t be transferred to jurisdictions banned by the government.

Penalties for Non-Compliance

The DPDPA prescribes monetary penalties up to ₹250 crore for violations like:

- Data breach
- Failure to protect data
- Non-compliance with data subject requests
- Processing without valid consent

Awareness and Capacity Building

Organizations are encouraged to:

- Conduct regular staff training
- Implement privacy-by-design practices
- Develop internal data governance frameworks

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized set of security standards designed to ensure the safe handling of credit and debit card information. It focuses on securing card-based transactions and protecting against data breaches, fraud, and unauthorized access.

Key Highlights

- Established by major credit card companies: Visa, MasterCard, American Express, Discover, and JCB.
- Applies to all businesses and organizations that store, process, or transmit cardholder data, especially in online and e-commerce environments.

Core Objectives

1. Ensure secure card transactions
2. Prevent theft of cardholder information
3. Detect and respond to unauthorized access

Security Requirements Include

- Strict access control to sensitive cardholder data
- Encryption of data during storage and transmission
- Use of Web Application Firewalls (WAFs) to block malicious traffic
- Regular monitoring and logging of network activity
- Security patches and system updates to fix vulnerabilities
- Security awareness training for employees

Network Fundamentals

Understanding how devices communicate in a network is foundational to cybersecurity, ethical hacking, and general IT knowledge. Two of the most important identifiers are IP addresses and MAC addresses.

IP Address (Internet Protocol Address)

An IP address is a unique identifier assigned to each device on a network, allowing it to send and receive data.

There are two versions:

- IPv4 (e.g., 192.168.1.1) – Most commonly used, 32-bit address (4 sets of numbers).
- IPv6 (e.g., 2a00:224:531:500:425f:cce6:c36b:f64d) – 128-bit address, created to replace IPv4 due to limited address space.

Purpose of IP Address:

- Identifies where a device is on the network.
- Used by routers to send data to the correct destination.
- Can change based on network (dynamic) or stay fixed (static).

Example:

IPv4: 86.157.52.21
IPv6: 2a00:224:531:500:425f:cce6:c36b:f64d

MAC Address (Media Access Control Address)

A MAC address is a hardware identifier assigned to the network interface card (NIC) of a device by the manufacturer.

Format:

- Usually shown as: A4:C3:F0:85:AC:2D
- First half identifies the vendor (e.g., Intel), second half is unique to the device.

MAC vs IP – Key Differences

| Feature        | MAC Address                  | IP Address                      |
|----------------|------------------------------|---------------------------------|
| Type           | Hardware address             | Logical address                 |
| Used for       | Device identification in LAN | Device location across networks |
| Assigned by    | Manufacturer                 | Network (ISP or manually)       |
| Can it change? | No                           | Yes (unless static)             |
| Example        | A4:C3:F0:85:AC:2D            | 192.168.0.1 / 2a00::1234:abcd   |
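To make the MAC-vs-IP comparison concrete, here is an added Python example (not from the original notes) that validates an identifier, tells the two IP versions apart by bit length, and splits a MAC into its vendor and device halves. The addresses it checks are the ones quoted in this section plus two constructed ones; the locally-administered bit check is standard IEEE 802 and is not mentioned in the notes.

```python
"""Classify the identifiers discussed above: IPv4, IPv6 and MAC addresses.

Added example, not part of the original notes. Standard library only.
"""
import ipaddress
import re

OCTET = re.compile(r"[0-9A-Fa-f]{2}")


def split_mac(mac):
    """Validate a 48-bit MAC address and split it into its two halves.

    Accepts ':' or '-' separators. Returns a dict with the normalised form,
    the vendor half (OUI) and the device-specific half, or raises ValueError.
    """
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [p.upper() for p in parts]
    first = int(octets[0], 16)
    return {
        "normalized": ":".join(octets),
        "oui": ":".join(octets[:3]),        # vendor half, e.g. an Intel prefix
        "device": ":".join(octets[3:]),     # unique to this interface
        # Bit 1 of the first octet set means the address was assigned locally
        # (VMs, MAC randomisation) rather than burned in by the manufacturer,
        # so a vendor lookup on the OUI is not meaningful for it.
        "locally_administered": bool(first & 0x02),
    }


def classify(identifier):
    """Describe an identifier as IPv4, IPv6, MAC or unknown.

    IP addresses are logical (assigned by the network) and come in 32-bit
    and 128-bit forms; MACs are hardware addresses and are always 48 bits.
    """
    try:
        ip = ipaddress.ip_address(identifier.strip())
        return {
            "kind": f"IPv{ip.version}",
            "layer": "logical",
            "bits": ip.max_prefixlen,   # 32 for IPv4, 128 for IPv6
            "private": ip.is_private,   # e.g. 192.168.0.0/16 is not routed on the Internet
        }
    except ValueError:
        pass
    try:
        return {"kind": "MAC", "layer": "hardware", "bits": 48, **split_mac(identifier)}
    except ValueError:
        return {"kind": "unknown"}


if __name__ == "__main__":
    # The first four values are quoted in the notes above; the last two are constructed.
    for value in ("192.168.1.1", "86.157.52.21",
                  "2a00:224:531:500:425f:cce6:c36b:f64d", "A4:C3:F0:85:AC:2D",
                  "02-00-5e-10-00-01", "not-an-address"):
        print(f"{value:40} {classify(value)}")
```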

Ping

Ping is a basic network diagnostic tool that uses ICMP (Internet Control Message Protocol) to test the reachability and responsiveness of a device over a network. It helps determine whether a device is online, how quickly it responds, and whether there are any delays or packet losses in communication.

ARP (Address Resolution Protocol)

The Address Resolution Protocol (ARP) is used to map an IP address to a physical MAC address within a local network. It works by sending ARP Requests to find out which device owns a particular IP address and receiving ARP Replies that provide the corresponding MAC address.

DHCP (Dynamic Host Configuration Protocol)

DHCP is a protocol that automatically assigns IP addresses and other network configuration details (like DNS and gateway info) to devices on a network. This eliminates the need for manual IP configuration, making it easier to manage large networks efficiently.

Administrative, Technical, Physical, and Strategic. This breakdown helps in understanding how different controls work together to secure information systems.

NIST SP 800-53 Control Families by Type

1. Administrative Controls

Focus on policy, procedures, training, and risk management.

| Control Family                             | Description                                                              |
|--------------------------------------------|--------------------------------------------------------------------------|
| Awareness and Training (AT)                | Ensures users are aware of security risks and trained appropriately.     |
| Planning (PL)                              | Establishes plans for security and system operations.                    |
| Risk Assessment (RA)                       | Identifies threats, vulnerabilities, and potential impacts.              |
| Program Management (PM)                    | Coordinates overall security program at the organization level.          |
| Security Assessment and Authorization (CA) | Manages security assessments and formal system authorization.            |
| Contingency Planning (CP)                  | Prepares for system disruptions and ensures recovery.                    |
| Personnel Security (PS)                    | Ensures personnel are trustworthy and understand their responsibilities. |
| System and Services Acquisition (SA)       | Manages security considerations in system procurement.                   |

2. Technical Controls

Focus on software and hardware mechanisms that enforce security.

| Control Family                            | Description                                                                 |
|-------------------------------------------|-----------------------------------------------------------------------------|
| Access Control (AC)                       | Restricts access to authorized users and processes.                         |
| Identification and Authentication (IA)    | Verifies users’ identities before granting access.                          |
| System and Communications Protection (SC) | Protects data in transit and at rest; includes encryption.                  |
| System and Information Integrity (SI)     | Ensures data accuracy and protects against malware or unauthorized changes. |
| Audit and Accountability (AU)             | Tracks user activities and system events for accountability.                |
| Configuration Management (CM)             | Manages security settings and changes to system configurations.             |
| Maintenance (MA)                          | Ensures systems are maintained securely (e.g., updates, repairs).           |

3. Physical Controls

Concerned with protecting physical assets and environments.

| Control Family                             | Description                                                                  |
|--------------------------------------------|------------------------------------------------------------------------------|
| Physical and Environmental Protection (PE) | Controls physical access and protects facilities from environmental hazards. |
| Media Protection (MP)                      | Protects physical and digital media during storage and transit.              |

4. Strategic (Enterprise-Level) Controls

Focus on long-term governance, investments, and organizational alignment.

| Control Family                       | Description                                                           |
|--------------------------------------|-----------------------------------------------------------------------|
| Program Management (PM)              | Aligns information security with organizational mission and strategy. |
| System and Services Development (SD) | Ensures secure development practices are followed.                    |

Summary

| Control Type   | Example Control Families       |
|----------------|--------------------------------|
| Administrative | AT, PL, RA, CP, PS, CA, PM, SA |
| Technical      | AC, IA, SC, SI, AU, CM, MA     |
| Physical       | PE, MP                         |
| Strategic      | PM, SD, SA                     |

https://osintframework.com
https://www.emailhippo.com
https://haveibeenpwned.com
https://builtwith.com
https://yandex.com
https://iplogger.org

1. OSINT Framework

A collection of open-source intelligence (OSINT) tools and resources, organized by category. It helps researchers, ethical hackers, and investigators find publicly available data across domains like usernames, emails, IPs, and more.

2. Email Hippo

A professional email verification tool that checks whether an email address is valid, deliverable, and safe to contact. Often used in fraud detection, lead generation, and marketing.

3. Have I Been Pwned

A public service that allows users to check if their email or password has been exposed in data breaches. Created by security expert Troy Hunt, it's widely used to raise data breach awareness.

4. BuiltWith

A web technology profiler that reveals what technologies a website is using, including CMS, frameworks, analytics, and hosting providers. Useful for market research, competitive analysis, and security assessments.

5. Yandex.com

A Russian search engine and technology company, similar to Google. It offers web search, maps, translation, and email services. Often used in OSINT investigations for region-specific searches and reverse image lookup.

6. IPLogger

A tool used to track IP addresses and geolocation data via custom links. Can also monitor click-throughs and device types. Commonly used for link tracking, but must be used ethically and legally.

Nmap

Nmap scans networks to detect active hosts, open ports, services running, and potential vulnerabilities. It helps ethical hackers, penetration testers, and system administrators understand what devices are on a network and how they’re exposed.

Key Uses in Cybersecurity:

- Host discovery (who is online)
- Port scanning (which services are open)
- OS and version detection
- Vulnerability assessment with scripts (NSE – Nmap Scripting Engine)

Common Nmap Commands for Cybersecurity

| Command                        | Purpose                                                |
|--------------------------------|--------------------------------------------------------|
| nmap 192.168.1.1               | Scan a single IP to find open ports and active status. |
| nmap 192.168.1.1-50            | Scan a range of IP addresses.                          |
| nmap 192.168.1.0/24            | Scan an entire subnet (e.g., 256 hosts).               |
| nmap -sV 192.168.1.1           | Detect versions of services running on open ports.     |
| nmap -O 192.168.1.1            | Attempt to detect the target operating system.         |
| nmap -A 192.168.1.1            | Aggressive scan: OS, version, scripts, traceroute.     |
| nmap -p 22,80,443 192.168.1.1  | Scan specific ports (SSH, HTTP, HTTPS).                |
| nmap -Pn 192.168.1.1           | Skip host discovery (treat host as online).            |
| nmap -T4 192.168.1.1           | Speed up scan (T4 = faster timing template).           |
| nmap --script vuln 192.168.1.1 | Run vulnerability scanning scripts from NSE.           |
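The commands above produce output that an administrator still has to read; here is an added Python example (not from the notes and not Nmap's own code) that parses Nmap's grepable format (`-oG`) and lists every open port that is not on an approved list. The scan text is constructed to match what `nmap -sV -oG - 192.168.1.0/24` prints (hosts, ports and versions are invented), and EXPECTED_PORTS is an assumption standing in for the services this network is meant to expose.

```python
"""Parse Nmap's grepable output (-oG) into an exposure report.

Added example; not from the original notes and not Nmap's own code.
"""
import ipaddress
import re

# Constructed scan output in Nmap's grepable (-oG) layout; every value is invented.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG - 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.4.41/, 3306/open/tcp//mysql//MySQL 5.7.33/\tIgnored State: closed (996)
# Nmap done at Mon Jan  1 10:00:09 2024 -- 256 IP addresses (2 hosts up) scanned in 9.12 seconds
"""

# Order of the '/'-separated fields in each entry of a "Ports:" section.
# Nmap writes any '/' inside a version string as '|', so a plain split is safe.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [{port, state, proto, ...}, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines and the trailing summary
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        # The line is tab-separated "Key: value" sections: Host, Status, Ports, Ignored State.
        sections = dict(s.split(": ", 1) for s in line.split("\t") if ": " in s)
        for spec in sections.get("Ports", "").split(", "):
            if not spec:
                continue
            values = spec.split("/")[:len(PORT_FIELDS)]
            port = dict(zip(PORT_FIELDS, values))
            port["port"] = int(port["port"])
            entry["ports"].append(port)
    return hosts


EXPECTED_PORTS = {22, 80, 443}   # assumption for the demo: the approved services


def unexpected_exposure(hosts, allowed=EXPECTED_PORTS):
    """List (ip, port, service, version) for open ports outside the allow-list.

    This is the defender's reading of a scan: anything listening that is not
    on the approved list needs an owner, a patch or a firewall rule.
    """
    findings = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        for p in hosts[ip]["ports"]:
            if p["state"] == "open" and p["port"] not in allowed:
                findings.append((ip, p["port"], p["service"], p["version"]))
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip, info in scan.items():
        print(ip, info["hostname"] or "-", [p["port"] for p in info["ports"]])
    for ip, port, service, version in unexpected_exposure(scan):
        print(f"REVIEW {ip}:{port} {service} ({version})")
```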
What is Wireshark?

Wireshark is a free and open-source network protocol
analyzer used to capture and inspect packets of data traveling across
a network in real time. It provides a deep view into each packet, allowing
users to analyze network traffic at a granular level.

Use in Cybersecurity

Wireshark is a powerful tool for cybersecurity professionals, ethical
hackers, and network administrators. Its key uses are:

1. Traffic Analysis
o Examine network behavior and identify unusual or malicious
traffic patterns.
2. Troubleshooting Network Issues
o Diagnose problems like latency, packet loss, or failed
connections.
3. Intrusion Detection
o Detect signs of attacks such as malware communication, port
scanning, or DDoS activity.
4. Protocol Analysis
o Understand how different protocols (HTTP, DNS, TCP, etc.)
operate and interact.
5. Security Auditing
o Monitor sensitive data leaks (e.g., unencrypted passwords or
personal info).
6. Forensics Investigation
o Reconstruct events after a breach by analyzing historical
packet captures.
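An added example, not code from the page or the Wireshark project: the Python below runs a simple SYN-scan detector over constructed packet summaries in the field layout of a tshark export, connecting the Intrusion Detection use above with the Nmap port scans described earlier (a SYN scan shows up as one source probing many ports with SYN-only packets in a short window).

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture) in the layout of
#   tshark -r capture.pcap -T fields -E separator=, -e frame.time_relative \
#          -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
# with the flag columns encoded as 1/0.
SAMPLE_CSV = """\
0.010,10.0.0.5,10.0.0.20,22,1,0
0.012,10.0.0.5,10.0.0.20,23,1,0
0.013,10.0.0.5,10.0.0.20,25,1,0
0.015,10.0.0.5,10.0.0.20,80,1,0
0.016,10.0.0.5,10.0.0.20,110,1,0
0.018,10.0.0.5,10.0.0.20,139,1,0
0.019,10.0.0.5,10.0.0.20,443,1,0
0.021,10.0.0.5,10.0.0.20,445,1,0
0.022,10.0.0.5,10.0.0.20,3389,1,0
0.023,10.0.0.5,10.0.0.20,8080,1,0
1.500,10.0.0.7,10.0.0.20,443,1,0
1.501,10.0.0.20,10.0.0.7,51234,1,1
"""


def parse_rows(text):
    """Parse CSV summaries into (time, src, dst, dport, syn, ack) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            t, src, dst, dport, syn, ack = line.split(",")
            rows.append((float(t), src, dst, int(dport), syn == "1", ack == "1"))
    return rows


def detect_syn_scans(rows, window=2.0, min_ports=10):
    """Flag (src, dst) pairs where one source sends SYN-only probes to at least
    min_ports distinct ports within `window` seconds: the footprint of a TCP SYN
    scan (nmap -sS). Returns {(src, dst): distinct ports seen in the worst window}."""
    recent = defaultdict(list)            # (src, dst) -> [(time, dport)] in window
    alerts = {}
    for t, src, dst, dport, syn, ack in sorted(rows):
        if not syn or ack:
            continue                      # SYN/ACK replies and data are not probes
        key = (src, dst)
        recent[key] = [(ts, p) for ts, p in recent[key] if t - ts <= window]
        recent[key].append((t, dport))
        distinct = len({p for _, p in recent[key]})
        if distinct >= min_ports:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts
```

The single legitimate connection from 10.0.0.7 never reaches the threshold, while the ten rapid SYN-only probes from 10.0.0.5 do.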

Exploit DB : https://www.exploit-db.com
Rapid7 : https://www.rapid7.com
zphisher : https://github.com/htr-tech/zphisher
hping3 :
Mitre attack : https://attack.mitre.org

Exploit DB

🌐 exploit-db.com
What it is:
A huge public archive of known software vulnerabilities and exploits — maintained by
Offensive Security.
Use:

 Find real-world exploits for software vulnerabilities (CVE-based).
 Learn exploit development and vulnerability analysis.
 Often used with Metasploit for proof-of-concept testing.

Best for: Ethical hackers, pentesters, security researchers.

Rapid7

🌐 rapid7.com
What it is:
A cybersecurity company that makes tools like Metasploit, Nexpose, and InsightVM.

Use:

 Vulnerability management and penetration testing.
 Use Metasploit Framework (open-source) for exploit development.
 Use Rapid7 blogs & knowledge base for threat intel and best practices.

Best for: Companies and professionals doing large-scale assessments.

Zphisher

GitHub: htr-tech/zphisher
What it is:
An open-source phishing tool that automates social engineering site creation (Facebook,
Instagram, etc.)

Use:

 Simulate phishing attacks only in a legal, ethical environment (e.g., labs, security
awareness training).
 Supports tunneling tools like Ngrok to host phishing pages.

⚠️Warning:
Never use on real targets — phishing is illegal without proper authorization.

hping3

CLI tool (not a website)

What it is:
A powerful network packet crafting tool — used for:

 Sending custom TCP/IP packets.
 Firewall testing, port scanning, spoofing, and DoS simulations.

Command example:
hping3 -S -p 22 192.168.1.100

➡ Sends SYN packets to port 22 to check if SSH is open.

Best for: Advanced testing, traffic manipulation, teaching network protocol behavior.

MITRE ATT&CK Framework

🌐 attack.mitre.org
What it is:
A detailed knowledge base of adversary tactics, techniques, and procedures (TTPs) based
on real-world cyberattacks.

Use:

 Map attacks in red teaming or threat modeling.
 Align detection and defense strategies (used by blue teams).
 Reference attacker behavior across enterprise, mobile, ICS.

Best for: Security analysts, SOC teams, threat hunters, red/blue teams.

VirusTotal

🌐 virustotal.com

What it is:
A free online service that analyzes suspicious files, URLs, IPs, and domains using 70+
antivirus engines and threat detection tools.

Use:
• Scan files or links for malware, trojans, phishing, and other threats.
• Investigate suspicious IP addresses, hashes, or domains.
• See community insights, detection history, and detailed threat intelligence.
• Automate threat hunting using VirusTotal Intelligence (paid) or API.

Best for: SOC analysts, threat hunters, malware researchers, cybersecurity students.

Abuse.ch

🌐 abuse.ch

What it is:
Abuse.ch is a project dedicated to tracking and sharing threat intelligence on malware,
botnets, ransomware, and malicious network indicators.

Use:
• Get real-time threat intel: IPs, domains, hashes linked to malware campaigns.
• Access feeds for MalwareBazaar, ThreatFox, and URLhaus.
• Download IOCs (Indicators of Compromise) for integration into SIEM, firewalls, or
detection rules.
• Ideal for studying current attack infrastructure (e.g., Emotet, Qakbot, C2s).

Best for:
Cyber threat researchers, blue teams, SOCs, malware analysts, and ethical hackers learning
about real-world threats.

YARAify

🌐 yaraify.abuse.ch

What it is:
YARAify is a free service by Abuse.ch that scans files using YARA rules — helping detect
malware families, behaviors, and traits based on patterns rather than signatures.

Use:
• Upload files to scan them against a large set of community-submitted and curated YARA
rules.
• Detect and classify malware samples based on code characteristics.
• Get detailed output showing which rules matched and why.
• Use with MalwareBazaar for faster triage and analysis of suspicious samples.

Best for:
Malware analysts, reverse engineers, threat hunters, and researchers learning YARA-based
detection.

URLhaus

🌐 urlhaus.abuse.ch

What it is:
URLhaus is a project by Abuse.ch aimed at collecting, tracking, and sharing malicious
URLs, particularly those hosting malware.

Use:
• Search and analyze malicious URLs associated with malware campaigns.
• Download updated lists of harmful domains, IPs, and payload URLs for integration into
firewalls, proxies, and security tools.
• Visualize trends like active malware-hosting countries and types of threats.
• Collaborate by submitting suspicious URLs to improve public threat intelligence.

Best for:
SOC teams, malware researchers, threat hunters, cybersecurity students — anyone who
wants real-world, real-time URL threat intel.

John the Ripper

🌐 openwall.com/john
What it is:
John the Ripper (JtR) is a powerful, open-source password-cracking tool used to identify
weak passwords in system files or protected archives by breaking password hashes.

Use:
• Crack password-protected ZIP, RAR, PDF, and system files using wordlists or brute force.
• Extract hash values from ZIP files using tools like zip2john and feed them into John for
cracking.
• Test password strength and demonstrate risks of using weak or reused credentials.
• Use popular wordlists like rockyou.txt to simulate real-world attack scenarios.

Example:

1. Extract the password hash from a .zip file using:
   zip2john secret.zip > zip.hash
2. Crack the password using a wordlist:
   john --wordlist=rockyou.txt zip.hash
3. View the cracked password:
   john --show zip.hash

Best for:
Ethical hackers, red teams, penetration testers, cybersecurity students — anyone learning or
testing password vulnerabilities in a legal, controlled environment.
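An added example (not code from the page or the John the Ripper project) showing the wordlist-plus-rules idea above from the defender's side: hash every candidate from a small wordlist and its common variants, compare against stored hashes, and report accounts with weak or reused passwords. The wordlist and account records are constructed, and unsalted SHA-256 is used only to keep the demo self-contained.

```python
import hashlib

# Constructed mini wordlist standing in for rockyou.txt, and constructed account
# records as {user: sha256 hex}. Unsalted SHA-256 keeps the demo self-contained;
# real systems should store salted, slow hashes (bcrypt, scrypt, Argon2).
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome"]
ACCOUNTS = {
    "alice": hashlib.sha256(b"password").hexdigest(),
    "bob": hashlib.sha256(b"Welcome1").hexdigest(),
    "carol": hashlib.sha256(b"zX9#vb2!Lq-7w").hexdigest(),
    "dave": hashlib.sha256(b"password").hexdigest(),
}


def mangle(word):
    """Yield the word plus simple rule-based variants, the way cracking tools
    expand a wordlist (capitalise, append common suffixes)."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!"):
            yield base + suffix


def audit(accounts, wordlist):
    """Return {user: recovered password} for accounts whose stored hash equals the
    hash of a wordlist word or one of its mangled variants."""
    lookup = {}
    for word in wordlist:
        for candidate in mangle(word):
            lookup[hashlib.sha256(candidate.encode()).hexdigest()] = candidate
    return {user: lookup[h] for user, h in accounts.items() if h in lookup}


def reused(accounts):
    """Return {hash: [users]} for passwords shared by more than one account."""
    by_hash = {}
    for user, h in accounts.items():
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}
```

Note that "Welcome1" is never in the wordlist itself; it falls to the capitalise-and-append rule, which is why a policy that only bans exact dictionary words is not enough.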

Ethical Hacking Assessment Report

Client Name: XYZ Corp
Tested By: Arun (Certified Ethical Hacker)
Date of Assessment: March 28, 2025
Scope: Internal & External Network, Web Application
Testing Methodology: Black Box & Grey Box Testing

📌 Finding #1: Outdated Apache Server

 Vulnerability Type: Remote Code Execution (RCE)
 Severity: ⚠️ Medium
 CVE ID: CVE-2022-4203
 Affected Asset: Apache/2.4.29 running on 192.168.1.10
 Impact: Successful exploitation allows attackers to execute arbitrary commands on
the target server, potentially gaining full control.

🔎 Steps to Reproduce:

1. Service & Version Detection (Nmap):
   Scan the host to identify the Apache server version:

   nmap -sV -p 80 192.168.1.10

2. Exploit Execution (Metasploit Framework):
   Launch Metasploit and use a module targeting the CGI Bash exploit:

   use exploit/unix/webapp/apache_mod_cgi_bash_env_exec
   set RHOSTS 192.168.1.10
   exploit

➤ Result: Reverse shell gained with command execution privileges.

✅ Recommended Remediation:

 Upgrade Apache to the latest stable version to eliminate known vulnerabilities.
 Disable unused Apache modules and ensure only necessary services are running.
 Deploy an Intrusion Detection System (IDS) to monitor for abnormal traffic and
potential exploit patterns.
 Regularly apply vendor-released security patches and audit exposed services.

Security Note:

This vulnerability highlights the importance of routine software maintenance and patching.
Attackers frequently exploit outdated systems, especially web-facing services with known
CVEs.

Questions for this assignment

Answer these questions for the assignment:

What is the first phase of ethical hacking?
Which tool is commonly used for network scanning?
What does SQL injection target in a web application?
Which programming language is most commonly used in exploit
development?
What is the primary purpose of penetration testing?
What does the term "zero-day vulnerability" refer to?
Which Linux distribution is most commonly used for ethical hacking?
What is the main goal of social engineering attacks?
Which protocol is used to encrypt web traffic securely?
What is the function of a honeypot in cybersecurity?
Which command is used to perform a basic ping sweep in networking?
What is the primary purpose of a firewall?
What does the term "footprinting" refer to in ethical hacking?
Which hashing algorithm is considered more secure: MD5 or SHA-256?
What is the role of Metasploit in penetration testing?
What is the purpose of using a VPN in ethical hacking?
What is the main function of a keylogger?
Which attack exploits a weakness in the ARP protocol?
What type of attack is a brute force attack?
What is the purpose of privilege escalation in ethical hacking?

🔐 Ethical Hacking Assignment — Technical Q&A

1. What is the first phase of ethical hacking?
→ Reconnaissance (Information Gathering)
This phase involves open-source intelligence (OSINT) collection and active/passive
scanning to identify target systems, technologies, IP ranges, and personnel.
Tools: Nmap, Whois, Shodan, Google Dorking.

2. Which tool is commonly used for network scanning?
→ Nmap (Network Mapper)
Nmap is an advanced open-source utility used for port scanning, host discovery,
service enumeration, OS fingerprinting, and vulnerability detection via the Nmap
Scripting Engine (NSE).

3. What does SQL injection target in a web application?
→ Backend Relational Database Management System (RDBMS)
SQLi exploits poor input validation to inject arbitrary SQL commands into
application queries, allowing unauthorized data access, data manipulation,
or admin privilege elevation.

4. Which programming language is most commonly used in exploit development?
→ Python
Python is preferred due to its extensive libraries (Scapy, Pwntools, Requests), ease of
writing custom payloads, automation scripts, and compatibility with security
frameworks like Metasploit and Impacket.

5. What is the primary purpose of penetration testing?
→ To simulate real-world cyberattacks on a system or network to identify and
remediate security weaknesses before adversaries exploit them. It validates
the effectiveness of security controls.

6. What does the term "zero-day vulnerability" refer to?
→ A software vulnerability that is unknown to the vendor and has no available
patch. It's called "zero-day" because defenders have zero days to fix or mitigate the
flaw before it's exploited.

7. Which Linux distribution is most commonly used for ethical hacking?
→ Kali Linux
Maintained by Offensive Security, Kali comes preloaded with over 600 cybersecurity
tools such as Wireshark, Burp Suite, Metasploit, John the Ripper, Aircrack-ng,
and more.

8. What is the main goal of social engineering attacks?
→ To exploit human psychology to bypass technical security by manipulating
users into revealing confidential information or performing unsafe actions (e.g.,
clicking a malicious link).

9. Which protocol is used to encrypt web traffic securely?
→ HTTPS (HTTP Secure)
HTTPS uses SSL/TLS protocols to provide confidentiality, integrity, and
authenticity for web traffic. It prevents eavesdropping and man-in-the-middle
(MITM) attacks.

10. What is the function of a honeypot in cybersecurity?
→ A decoy system deployed to lure attackers, monitor their behavior, and detect
threats. It mimics real assets but isolates the attack vector to prevent damage to
production systems.

11. Which command is used to perform a basic ping sweep in networking?

 Linux/Bash (for loop):
   for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip | grep "64 bytes"; done
 Nmap:
   nmap -sn 192.168.1.0/24 — performs a host discovery (ping sweep) across the
   subnet.

12. What is the primary purpose of a firewall?
→ To filter incoming and outgoing traffic based on security rules. Firewalls enforce
network segmentation and act as the first line of defense against external threats.

13. What does the term "footprinting" refer to in ethical hacking?
→ Preliminary mapping of the target’s digital footprint — involves collecting
information like IP addresses, domain names, DNS records, and employee emails to
plan further attacks.

14. Which hashing algorithm is considered more secure: MD5 or SHA-256?
→ SHA-256
Unlike MD5, which is prone to collisions and rainbow table attacks, SHA-256
offers 256-bit encryption and is used in secure applications such as digital signatures
and blockchain.

15. What is the role of Metasploit in penetration testing?
→ Metasploit is a powerful penetration testing framework used to develop, test,
and execute exploits against vulnerable targets. It includes payloads, scanners, and
post-exploitation modules.

16. What is the purpose of using a VPN in ethical hacking?
→ A VPN (Virtual Private Network) encrypts all traffic and masks the hacker’s IP
address, providing anonymity and safe access to targets across public networks
without exposing personal identity.

17. What is the main function of a keylogger?
→ A keylogger captures all keystrokes made on a keyboard — often used
in credential harvesting, session hijacking, and monitoring activities during red team
exercises or malware analysis.

18. Which attack exploits a weakness in the ARP protocol?
→ ARP Spoofing (or ARP Poisoning)
This attack manipulates the Address Resolution Protocol (ARP) table to redirect
network traffic to a malicious device, enabling MITM attacks, sniffing, and session
hijacking.
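As an added example (not from the page), Python detection logic for the ARP poisoning described above, run over constructed ARP reply records in the field layout of a tshark export: it flags an IP whose claimed MAC changes and a MAC that claims several IPs, the two signs a network monitor or a static ARP table check looks for. The addresses are made up, and 192.168.1.1 is assumed to be the gateway.

```python
from collections import defaultdict

# Constructed ARP replies (not a real capture) in the layout of
#   tshark -Y "arp.opcode == 2" -T fields -e frame.time_relative \
#          -e arp.src.hw_mac -e arp.src.proto_ipv4
# Assumed network: 192.168.1.1 is the gateway; the MAC ending :33 later claims
# the gateway's and another host's IP, the classic poisoning pattern.
SAMPLE_ARP = """\
0.50\taa:bb:cc:00:00:01\t192.168.1.1
1.20\taa:bb:cc:00:00:22\t192.168.1.22
2.00\taa:bb:cc:00:00:33\t192.168.1.33
5.10\taa:bb:cc:00:00:33\t192.168.1.1
5.11\taa:bb:cc:00:00:33\t192.168.1.22
"""


def detect_arp_spoof(text, trusted=None):
    """Return alerts as (time, kind, subject, detail) for two ARP-poisoning signs:
    'mac-change'  an IP is now claimed by a different MAC than first seen
    'multi-ip'    one MAC claims more than one IP address.
    `trusted` maps IP -> known MAC (e.g. the gateway) so that binding is pinned
    in advance instead of learned from whatever reply arrives first."""
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ip = line.split("\t")
        known = ip_to_mac.setdefault(ip, mac)   # learn first binding, keep existing
        if known != mac:
            alerts.append((float(ts), "mac-change", ip, f"{known} -> {mac}"))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((float(ts), "multi-ip", mac, sorted(mac_to_ips[mac])))
    return alerts
```

Pinning the gateway with `trusted={"192.168.1.1": "<its real MAC>"}` catches a poisoned reply even if it is the first one the monitor sees.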

19. What type of attack is a brute force attack?
→ Credential guessing attack where the attacker tries all possible combinations of
passwords or encryption keys until the correct one is found. It's computationally
expensive but effective against weak credentials.

20. What is the purpose of privilege escalation in ethical hacking?
→ To gain elevated access rights (admin/root) after an initial foothold is
established. This allows an attacker to bypass access controls, exfiltrate data, or
deploy persistence mechanisms.
