Unit I Notes

The document provides an introduction to ethical hacking and penetration testing, outlining key concepts such as vulnerabilities, exploits, and the CIA triad (Confidentiality, Integrity, Availability). It details the ethical hacking process, types of hackers, and various tools used in penetration testing, including Kali Linux and its features. Additionally, it distinguishes between vulnerability assessments and penetration tests, while explaining different types of penetration testing, including network, web application, and mobile application testing.

Uploaded by

prpagar
Unit I: Introduction to Basics of Ethical Hacking and Penetration Testing

1. Introduction to Ethical Hacking:

Ethical hacking refers to the practice of intentionally probing systems, applications, and
networks for security vulnerabilities to enhance their security. Ethical hackers, also known as
white-hat hackers, use the same techniques as malicious hackers but with legal and ethical
intentions to improve cybersecurity. They help organizations identify and fix weaknesses
before cybercriminals can exploit them.

Basic Terminologies in Ethical Hacking

• Vulnerability: Think of a vulnerability as a crack in your system's armor. It's a weakness that can be exploited. Examples include outdated software, misconfigured firewalls, or weak passwords.
• Exploit: An exploit is the tool or technique used to take advantage of a vulnerability. It's like the key that unlocks the crack in the armor. Exploits can be code, scripts, or even social engineering tricks.
• Threat: A threat is anything that could exploit a vulnerability. It's the potential danger. This could be a malicious hacker, a virus, or even a natural disaster.
• Risk: Risk is the potential for loss or damage if a threat exploits a vulnerability. It's the combination of the likelihood of an attack and the impact it would have. A high-risk vulnerability is one that's easy to exploit and would cause significant damage.
• Attack: An attack is an attempt to exploit a vulnerability. It's the actual action taken by a threat actor. An attack might be successful or unsuccessful.
• Payload: The payload is the malicious code that's delivered by an exploit. It's what the attacker wants to achieve, such as stealing data, installing malware, or disrupting services.

2. CIA Triad (Confidentiality, Integrity, Availability):

The CIA triad is the cornerstone of information security. It represents the three core
principles that should be protected:

Confidentiality: This ensures that sensitive information is only accessible to authorized individuals. Think of it like a locked vault. Techniques used to ensure confidentiality include:
o Encryption: Scrambling data so it can only be read with a decryption key.
o Access Controls: Restricting access to information based on user roles and permissions.
o Data Masking: Hiding sensitive data by replacing it with dummy data.

Example: A bank encrypts customer transactions so only authorized users can view them.

Integrity: This guarantees that information is accurate and hasn't been tampered with. It's
like ensuring that the information hasn't been altered or corrupted. Techniques used to ensure
integrity include:
o Hashing Algorithms: Creating a unique fingerprint of the data that changes if the data is
modified.
o Digital Signatures: Using cryptography to verify the authenticity of data and its source.
o Version Control: Tracking changes to data and allowing for rollback to previous versions.

Example: A digital signature verifies that an email has not been tampered with.

Availability: This ensures that authorized users can access information and resources when
they need them. It's like making sure the information is always accessible. Techniques used
to ensure availability include:
o Redundancy: Having backup systems and data in case of failure.
o Failover Systems: Automatically switching to a backup system if the primary system fails.
o Disaster Recovery Plans: Procedures for restoring systems and data after a disaster.

Example: Cloud services use backup servers to prevent downtime during a failure.
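To make the two integrity techniques above concrete, here is an added example (not part of the original notes) that shows a SHA-256 fingerprint changing when one digit of a message is altered, and a keyed tag (HMAC-SHA256, a symmetric stand-in for the digital signature bullet) rejecting both a tampered message and a tag made with the wrong key. The message text and the secret key are constructed for this example.

```python
import hashlib
import hmac

# Constructed shared secret for the example only; a real deployment would load
# this from a key store rather than hard-code it.
SECRET_KEY = b"example-shared-secret-not-for-production"


def fingerprint(data: bytes) -> str:
    """Hashing: a SHA-256 digest is a fixed-size fingerprint of the data.

    Changing even one byte of the input yields a different digest, which is how a
    verifier notices that data was modified in transit or at rest.
    """
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes, key: bytes) -> str:
    """Keyed hash standing in for the 'digital signature' technique.

    A plain hash only proves integrity: whoever alters the data can simply
    recompute it. Binding the digest to a secret key means only a key holder can
    produce a valid tag, so a matching tag also vouches for the data's source.
    (A true digital signature uses an asymmetric key pair; HMAC is the symmetric
    analogue used here so the example runs on the standard library alone.)
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    expected = sign(data, key)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the integrity checks on a constructed transaction message."""
    original = b"Transfer 100 USD to account 12345"
    tampered = b"Transfer 900 USD to account 12345"  # a single digit changed
    tag = sign(original, SECRET_KEY)
    return {
        "hash_changes": fingerprint(original) != fingerprint(tampered),
        "original_verifies": verify(original, tag, SECRET_KEY),
        "tampered_verifies": verify(tampered, tag, SECRET_KEY),
        "wrong_key_verifies": verify(original, tag, b"some-other-key"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```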

3. Types of Hackers:

Hackers are categorized based on their motives and actions:

• White Hat Hackers (Ethical Hackers): These are the good guys. They use their skills to find vulnerabilities with permission from the system owner. They report their findings so the vulnerabilities can be fixed. Ethical hackers play a crucial role in improving cybersecurity.
• Black Hat Hackers (Crackers): These are the bad guys. They exploit vulnerabilities for personal gain or to cause damage. Their motives can include financial gain, revenge, or simply the thrill of the challenge.
• Grey Hat Hackers: These hackers operate in a grey area. They might find vulnerabilities without permission, but they typically don't have malicious intent. They might publicly disclose the vulnerability or inform the owner, sometimes demanding a reward.
• Script Kiddies: These are novice hackers who use pre-written hacking tools without understanding how they work. They often lack the skills to develop their own exploits.

4. Ethical Hacking Process:

The ethical hacking process is a structured approach to identifying and mitigating vulnerabilities:

1. Reconnaissance (Information Gathering): This is the first step, where the ethical hacker
gathers information about the target system. This can include network topology, operating
systems, applications, and even employee information. This is like a detective gathering
clues.
2. Scanning: In this phase, the ethical hacker uses tools to scan the target system for open ports,
services, and vulnerabilities. This is like checking the doors and windows of a building for
weaknesses.
3. Vulnerability Assessment: The identified vulnerabilities are analyzed to determine their
potential impact. This involves assessing the likelihood of exploitation and the potential
damage. This is like prioritizing the weaknesses found in the scanning phase.
4. Exploitation: The ethical hacker attempts to exploit the vulnerabilities to gain access to the
system. This is done in a controlled environment and with permission from the system owner.
This is like testing if the unlocked doors really lead inside.
5. Post-Exploitation: Once access is gained, the ethical hacker might try to maintain access and
gather further information about the compromised system. This is like exploring the inside of
the building after gaining access.
6. Reporting: The final step is to document all the findings and provide recommendations for
remediation. This report is crucial for the system owner to fix the vulnerabilities and improve
security. This is like the detective presenting their findings and recommendations.
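The scanning phase above looks different from the defender's side: a scan shows up as one source touching many distinct ports in a short time. The following added example (not from the original notes) runs a simple detector of that pattern over constructed firewall log lines; the log format, the IP addresses, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (made up for this example): timestamp, source
# IP and destination port. 198.51.100.7 probes seven ports in four seconds;
# 203.0.113.9 only revisits 443 and, half an hour later, 22.
SAMPLE_LOG = """\
2024-03-01T10:00:01 SRC=198.51.100.7 DPT=22
2024-03-01T10:00:01 SRC=198.51.100.7 DPT=23
2024-03-01T10:00:02 SRC=198.51.100.7 DPT=80
2024-03-01T10:00:02 SRC=198.51.100.7 DPT=443
2024-03-01T10:00:03 SRC=198.51.100.7 DPT=445
2024-03-01T10:00:03 SRC=198.51.100.7 DPT=3389
2024-03-01T10:00:04 SRC=198.51.100.7 DPT=8080
2024-03-01T10:00:05 SRC=203.0.113.9 DPT=443
2024-03-01T10:00:06 SRC=203.0.113.9 DPT=443
2024-03-01T10:30:00 SRC=203.0.113.9 DPT=22
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, source IP, dest port)."""
    ts, src, dpt = line.split()
    return (
        datetime.fromisoformat(ts),
        src.split("=", 1)[1],
        int(dpt.split("=", 1)[1]),
    )


def detect_port_scans(log_text: str, window_seconds: int = 60,
                      port_threshold: int = 5) -> dict:
    """Return {source: distinct_ports} for sources that hit at least
    port_threshold distinct ports inside any window_seconds-long window.

    A sliding window per source keeps a slow, legitimate client (few ports
    spread over a long time) from being confused with a burst scan.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port = parse_line(line)
        events[src].append((ts, port))

    flagged = {}
    for src, hits in events.items():
        hits.sort()  # order by timestamp so the window can walk forward
        max_ports = 0
        for i, (start, _) in enumerate(hits):
            ports = set()
            for ts, port in hits[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                ports.add(port)
            max_ports = max(max_ports, len(ports))
        if max_ports >= port_threshold:
            flagged[src] = max_ports
    return flagged


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))
```

Raising `port_threshold` or shrinking `window_seconds` trades missed slow scans for fewer false alarms; tune against your own traffic rather than these constructed values.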

5. Different Tools for Ethical Hacking:

Ethical hackers use a wide range of tools:

• Nmap (Network Mapper): A powerful network scanner used for port discovery, service identification, and operating system detection. It's like a network Swiss Army knife.
• Wireshark: A network protocol analyzer used to capture and analyze network traffic. It's like eavesdropping on network conversations to understand what's happening.
• Metasploit: A penetration testing framework that provides exploits, payloads, and other tools for penetration testing. It's like a toolkit for ethical hackers.
• Burp Suite: A web application security testing tool used to identify vulnerabilities in web applications. It's like a specialized tool for testing web apps.
• John the Ripper: A password cracking tool used to test the strength of passwords. It's like trying to guess the combination of a lock.

6. Introduction to Kali Linux:

Kali Linux is a specialized Linux distribution designed specifically for penetration testing and
digital forensics. It comes pre-installed with hundreds of security tools, making it a popular
choice for ethical hackers. It's like a complete workshop for cybersecurity professionals.

Kali Linux is a Debian-based operating system designed for penetration testing and ethical
hacking. It includes over 600 pre-installed security tools for:

1. Penetration Testing – Testing system and network security.
2. Digital Forensics – Analyzing compromised systems and retrieving data.
3. Reverse Engineering – Understanding malware behavior and vulnerabilities.
4. Wireless Security Auditing – Testing Wi-Fi security and cracking passwords.
5. Web Application Testing – Identifying vulnerabilities in websites and applications.

Key Features of Kali Linux:

• Pre-installed Security Tools – Comes with Metasploit, Nmap, Burp Suite, and many more.
• Customizable – Allows users to modify and optimize tools for specific needs.
• Live Boot and Persistent Mode – Can be run from a USB without installation, with an option to save data.
• Regular Updates – Frequently updated with the latest security patches and tools.
• Open Source – Free to use and widely supported by the cybersecurity community.

Commonly Used Kali Linux Tools:

1. Nmap – Scans networks for vulnerabilities.
2. Metasploit Framework – Used for penetration testing.
3. John the Ripper – Password-cracking tool.
4. Wireshark – Network protocol analyzer.
5. Hydra – Brute force attack tool.
6. Aircrack-ng – Wireless security auditing tool.
7. SQLmap – Detects and exploits SQL injection vulnerabilities.

Why Use Kali Linux?

• Trusted by cybersecurity professionals for ethical hacking and penetration testing.
• Provides an extensive range of security tools in one package.
• Supports multiple platforms, including virtual machines and Raspberry Pi.
• Strong community support and continuous updates.

Kali Linux commands:

1. Basic Linux Commands

• pwd → Show current directory
• ls → List files and directories
• cd <directory> → Change directory
• mkdir <name> → Create a new directory
• rm -rf <name> → Remove files or directories
• cp <source> <destination> → Copy files
• mv <source> <destination> → Move or rename files

2. User Management

• whoami → Show current user
• who → Show logged-in users
• adduser <username> → Add a new user
• passwd <username> → Change user password
• sudo su → Switch to root user

3. Package Management

• apt update → Update package list
• apt upgrade → Upgrade all installed packages
• apt install <package> → Install a package
• apt remove <package> → Uninstall a package

4. Networking Commands

• ifconfig / ip a → Show IP address
• ping <website> → Check network connectivity
• netstat -tulnp → Show active network connections
• nmap <IP> → Scan a network for open ports
• wget <URL> → Download a file

5. Ethical Hacking & Security Tools

• msfconsole → Launch Metasploit Framework
• airmon-ng → Enable monitor mode (used for WiFi hacking)
• aircrack-ng → Crack WiFi passwords
• sqlmap -u "<URL>" → Detect and exploit SQL injection
• hydra -l admin -P passwords.txt <IP> ssh → Brute-force SSH login

7. What Is a Penetration Test?

A penetration test (pentest) is a simulated cyberattack against a system to identify vulnerabilities that could be exploited by malicious actors. It's a controlled and authorized process designed to assess the security posture of a system. Think of it as a security audit that goes beyond just checking for compliance and actively tries to break in.

8. Vulnerability Assessments versus Penetration Test:

• Vulnerability Assessment: Focuses on identifying and documenting vulnerabilities. It's like creating a list of potential weaknesses.
• Penetration Test: Goes a step further by simulating a real-world attack to identify vulnerabilities and assess their exploitability. It's like testing if the weaknesses can actually be used to break in.

9. Types of Penetration Testing:

Penetration testing can be tailored to different targets:

1. Network Penetration Testing:

This type of pentest focuses on identifying vulnerabilities within a network's infrastructure. It aims to discover weaknesses in devices and systems that connect to the network, such as firewalls, routers, switches, servers, and workstations. The goal is to determine if an attacker could gain unauthorized access to the network or its resources.

• Network penetration testing assesses the security of network devices, network protocols, and network configurations. It checks for things like open ports, weak passwords, misconfigured firewalls, outdated software, and vulnerabilities in network protocols.
• Network pentests often involve port scanning, network mapping, vulnerability scanning, and attempts to exploit identified vulnerabilities. They might also include testing wireless security and VPNs.
• Example: A network pentest might try to exploit a vulnerability in a firewall to gain access to an internal server. Or, it might try to crack the password of a wireless access point to gain access to the network.

Network Penetration Testing: Tools & Technologies

• Network Scanners:
o Nmap: A powerful and versatile network scanner used for port discovery, service identification, OS detection, and vulnerability scanning. It's a foundational tool for network pentesting.
o Masscan: A fast, asynchronous network scanner designed for scanning large networks quickly.
o ZMap: Another fast network scanner optimized for large-scale scans.
• Vulnerability Scanners:
o OpenVAS: An open-source vulnerability scanner that checks for known vulnerabilities in systems and applications.
o Nessus Essentials (formerly Nessus Home): A popular commercial vulnerability scanner with a free version for home use. Provides comprehensive vulnerability assessments.
o QualysGuard: A cloud-based vulnerability management platform.

• Network Protocol Analyzers:
o Wireshark: A powerful and widely used network protocol analyzer for capturing and analyzing network traffic. Essential for understanding network communications and identifying potential issues.
o tcpdump: A command-line packet capture utility.

• Exploitation Frameworks:
o Metasploit Framework: A powerful penetration testing framework that provides exploits, payloads, and other tools for exploiting vulnerabilities. A core tool for penetration testers.

• Wireless Testing Tools:
o Aircrack-ng: A suite of tools for cracking WEP and WPA-PSK keys.
o Reaver: A tool for exploiting WPS vulnerabilities.

• VPN Testing Tools:
o OpenVPN: Used for testing VPN configurations and security.
o VPN Tracker: A commercial VPN client that can be used for testing VPN connections.

2. Web Application Penetration Testing:

Web applications are a frequent target for attackers because they often handle sensitive data.
Web application penetration testing focuses specifically on identifying vulnerabilities in web
applications, such as websites, web portals, and web-based APIs.

• This type of pentest looks for vulnerabilities like SQL injection (where an attacker can inject malicious SQL code to manipulate a database), cross-site scripting (XSS, where an attacker can inject malicious scripts into a website), cross-site request forgery (CSRF, where an attacker can trick a user into performing unwanted actions), authentication bypasses, and insecure direct object references.
• Web application pentests use specialized tools and techniques to analyze the application's code, functionality, and behavior. They might involve fuzzing (sending unexpected input to the application), analyzing HTTP requests and responses, and attempting to exploit known vulnerabilities.
• Example: A web application pentest might try to exploit an SQL injection vulnerability to steal user data from a database. Or, it might try to exploit an XSS vulnerability to inject malicious code that steals user cookies.

Web Application Penetration Testing: Tools & Technologies

• Web Proxies:
o Burp Suite: A comprehensive web application security testing platform. It acts as a proxy, allowing you to intercept and modify HTTP requests and responses. Essential for web app pentesting.
o OWASP ZAP (Zed Attack Proxy): An open-source web application security scanner.
• Vulnerability Scanners:
o Acunetix: A commercial web vulnerability scanner.
o Netsparker: Another commercial web vulnerability scanner.
• Fuzzers:
o wfuzz: A web fuzzer used to discover vulnerabilities by sending unexpected input to web applications.
o ffuf: A fast web fuzzer written in Go.

• SQL Injection Tools:
o sqlmap: An open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities.
• Cross-Site Scripting (XSS) Tools:
o XSStrike: A tool for detecting and exploiting XSS vulnerabilities.
• Browser Developer Tools: Built-in browser tools are crucial for inspecting web page elements, network traffic, and JavaScript execution.

3. Mobile Application Penetration Testing:

With the increasing use of mobile devices, mobile application penetration testing has become
crucial. This type of pentest focuses on identifying vulnerabilities in mobile applications
running on platforms like Android and iOS.

• Mobile app pentests assess the security of the app's code, data storage, communication protocols, and interactions with other systems. They check for vulnerabilities like insecure data storage, insecure communication, improper authorization, and vulnerabilities in third-party libraries.
• Mobile app pentests might involve static analysis (examining the app's code without running it), dynamic analysis (analyzing the app's behavior while it's running), and reverse engineering (disassembling the app's code to understand how it works).
• Example: A mobile app pentest might try to exploit an insecure data storage vulnerability to access sensitive data stored on the device. Or, it might try to intercept network traffic to identify insecure communication between the app and a server.

Mobile Application Penetration Testing: Tools & Technologies

• Mobile Security Framework (MobSF): An open-source framework for mobile app penetration testing and analysis.
• Appium: An open-source tool for automating mobile app testing.
• Frida: A dynamic instrumentation toolkit for injecting scripts into running mobile apps.
• Burp Suite (with mobile extensions): Can be used for intercepting and analyzing mobile app traffic.
• OWASP Mobile Security Testing Guide (MSTG): A valuable resource for mobile app security testing.
• Android Debug Bridge (ADB): A command-line tool for interacting with Android devices.
• Xcode (for iOS): Used for debugging and analyzing iOS apps.

4. Social Engineering Penetration Testing:

Social engineering is a manipulation technique that exploits human psychology to trick individuals into divulging sensitive information or performing actions that compromise security. Social engineering penetration testing assesses the susceptibility of individuals to these types of attacks.

• This type of pentest evaluates the effectiveness of security awareness training and the ability of employees to resist social engineering tactics. It tests how easily employees can be tricked into giving up passwords, clicking on malicious links, or revealing confidential information.
• Social engineering pentests can involve phishing emails, pretexting (creating a believable scenario to trick someone), baiting (offering something tempting to lure someone), and quid pro quo (offering a service in exchange for information).
• Example: A social engineering pentest might involve sending phishing emails to employees to see who clicks on the malicious link. Or, it might involve calling employees and pretending to be from IT support to try to get their passwords.

Social Engineering Penetration Testing: Tools & Technologies

• Social-Engineer Toolkit (SET): A suite of tools for social engineering attacks, including phishing, spear-phishing, and website cloning.
• Maltego: A tool for information gathering and visualization, used to gather information about targets for social engineering attacks.
• Phishing Frameworks: Tools for creating and managing phishing campaigns.
• Email Spoofing Tools: Tools for sending emails that appear to come from a different sender.
• OSINT Frameworks: Tools and techniques for gathering open-source intelligence about targets.

5. Physical Penetration Testing:

Physical penetration testing simulates real-world attempts to gain physical access to a facility
or system. It tests the effectiveness of physical security controls, such as locks, fences,
security cameras, and access control systems.

• This type of pentest evaluates the security of physical barriers, access control systems, surveillance systems, and the ability of security personnel to detect and respond to unauthorized access attempts.
• Physical pentests might involve attempting to bypass physical security controls, such as picking locks, climbing fences, or impersonating authorized personnel. They might also involve social engineering tactics to gain access to restricted areas.
• Example: A physical pentest might involve trying to bypass a card reader to gain access to a server room. Or, it might involve trying to tailgate (follow an authorized person) through a security door.

Physical Penetration Testing: Tools & Technologies

• Lock Picking Tools: Sets of picks and tools for opening various types of locks.
• Bump Keys: Special keys designed to open certain types of locks.
• Master Keys: Keys that can open multiple locks within a system.
• RFID Cloning Tools: Tools for cloning RFID cards and fobs.
• Security Camera Jamming Devices: Devices that can disrupt the signals from security cameras (use with extreme caution and only where legally permissible).
• Penetration Testing Kits: Kits containing a variety of tools for physical penetration testing.
• Raspberry Pi/Arduino: Small, programmable devices that can be used for various physical penetration testing tasks.
