Ethical Hacking and Penetration-Testing Study Guide

  • Core Team Structures:

    * Red Team: Offensive operations focusing on authorized attacks (active penetration testing).

    * Blue Team: Defensive operations focusing on protection and mitigation against unauthorized or simulated attacks.

    * White Team: Acts as the facilitator and coordinator of the exercise to ensure security posture is strengthened.

  • Indicative Content:
    * Introduction to ethical hacking.
    * Footprinting and reconnaissance.
    * Scanning and Enumeration.
    * Web application hacking.
    * System hacking.
    * Network and perimeter hacking.
    * Wireless Network hacking.
    * Mobile hacking.
    * Social Engineering.

Fundamentals of Ethical Hacking

  • Definition: Ethical hacking is the authorized and proactive practice of employing malicious hacking techniques (such as penetration testing and vulnerability assessments) to identify and rectify security flaws in systems, networks, and applications.

  • Objective: White-hat hackers perform these actions with express permission to strengthen overall security and prevent data breaches rather than causing damage.

  • White-Hat Hackers: These professionals are typically organized into Red and Blue Teams. They collaborate, often guided by a White Team, to improve an organization’s security posture.

Methodological Frameworks: Ethical Hacking Phases vs. Cyber Kill Chain

  • Ethical Hacking Lifecycle: Focuses on a structured, legal, and comprehensive assessment.

    1- Planning/Scoping: Defining the extent, rules of engagement, and goals.
    2- Reconnaissance/Scanning: Gathering data and identifying potential vulnerabilities.
    3- Gaining Access: Exploiting identified vulnerabilities.
    4- Maintaining Access: Ensuring continued control over the system for further testing.
    5- Analysis/Reporting: Documenting findings and outlining remediation steps.

  • Cyber Kill Chain (Lockheed Martin Framework):
    Specifically focuses on mapping stages of a malicious attack to detect and disrupt adversaries in real-time.


    1. Reconnaissance: Researching, identifying, and selecting targets.
    2. Weaponization: Coupling an exploit with a backdoor into a deliverable payload.
    3. Delivery: Transmitting the weaponized payload to the target (e.g., via email, web, or USB).
    4. Exploitation: Triggering the malicious code to take advantage of vulnerabilities.
    5. Installation: Installing malware or a backdoor to establish persistence.
    6. Command and Control (C2): Establishing a remote communication channel to manage the asset.
    7. Actions on Objectives: Achieving the final goal, such as data exfiltration or system destruction.

Detailed Breakdown of the Cyber Kill Chain and Defensive Strategies

  • Reconnaissance:

    * Passive Reconnaissance: Gathering information without direct interaction. Tools/Sources: OSINT, public records, WHOIS, ARIN, Google, Shodan, job listings, company websites, social media (LinkedIn).

    * Active Reconnaissance: Direct probing of the target. Tools: Nmap, port scanning, banner grabbing, vulnerability scanners.

    * Defensive Measures (Protect): Limit public information on social media and job postings, modify server error messages, disable unused ports/services, implement honeypots, firewalls, and IPS, and apply inbound blocking of Tor or 3rd party VPNs.

  • Weaponization:

    * The process of converting non-military tools, information, or systems into weapons (e.g., creating malware or using dependencies for economic leverage).

  • Delivery:

    * The bridge between preparation and action. Common vectors include phishing, compromised websites, or software vulnerabilities.

    * Defensive Measures: Disabling USB ports, implementing DKIM and SPF for email verification, removing administrative rights, and conducting user awareness training.

  • Exploitation:

    * Attackers execute code to exploit software flaws, misconfigurations, or human error. This is the pivotal step where the payload becomes active.

  • Installation:

    * Focuses on persistence. Tools like backdoors ensure access remains despite reboots, password changes, or network interruptions.

  • Command and Control (C2):

    * Attackers manage compromised systems via secure remote channels to send instructions, move laterally, or download further tools.

  • Actions on Objectives:

    * The final realization of the attack: stealing data, deploying ransomware, or launching Distributed Denial of Service (DDoS) attacks.

Vulnerability Analysis and the CVSS Framework

  • Common Vulnerability Scoring System (CVSS): A standard method for assessing the severity of security vulnerabilities.

  • CVSS Metric Groups:

    * Base Metrics: Represent intrinsic qualities of the vulnerability. They include:

      * Exploitability Metrics: Characteristics of the vulnerable system. Assumes the attacker has advanced knowledge of configuration and default defenses.

      * Impact Metrics: Direct consequences on the vulnerable or subsequent systems (e.g., safety, data confidentiality).

    * Temporal Metrics (Threat): Reflects the current state of exploit techniques or code availability.

    * Environmental Metrics: Tailors the score to a specific organizational environment.

    * Supplemental Metrics: Additional data points like Automatable, Recovery, Safety, or Provider Urgency.

  • Mathematical Concept (CVSS Functionality):

    * $f(x_1, x_2, \dots, x_n)$
    * $f(y_1, y_2, z)$
    * $f(z_1, z_3, \dots, z_n)$

  • Base Metric: Attack Vector (AV) Classifications:

    * Network (N): Exploitable across a wide area network (e.g., CVE-2004-0230 DoS via TCP packet).

    * Adjacent (A): Attack limited to logically or physically adjacent topologies (e.g., Bluetooth, NFC, same local IP subnet).

    * Local (L): Attacker accesses the system via keyboard/console, SSH, or relies on user interaction (social engineering).

    * Physical (P): Requires physical access to the hardware (e.g., a cold boot attack to retrieve disk encryption keys).

Reporting and Professional Communication

  • Executive Class: Targeted at CEOs. Focuses on the executive summary and remediation reports. Content is high-level due to limited time and technical knowledge.

  • Management Class: Targeted at security policymakers. Focuses on overall strengths/weaknesses and vulnerability assessment reports.

  • Technical Class: Targeted at security managers and developers. Requires thorough technical details to implement specific patches and mitigate identified weaknesses.