Introduction - Practical foundations in ethical hacking

This chapter helps students develop a practical and professional understanding of who are ethical hackers and what they do, and the benefits and risks of ethical hacking

Chapter 6: Practical foundations in ethical hacking

Ethical hacking is the cornerstone of security verification within organizations. This chapter helps students develop a practical and professional understanding of who are ethical hackers and what they do. This chapter frames penetration testing as professional ethical hacking, a process involving authorized/contractual vulnerability discovery, exploitation, and mitigation.

This chapter will help students:

• Contrast professional ethical hacking (authorized/contract-based) with gray hat hacking (unauthorized, but essentially apolitical) and hacktivism (politically motivated).

• Become familiar with the professional ethics of ethical hackers.

• Appreciate the ethical and legal consequences (e.g., CFAA violations) of unethical hacking.

• Evaluate organizational benefits of ethical hacking (risk reduction) vs. risks (e.g., system disruption and privacy concerns).

• Describe types of penetration testing: network, wireless, web application, physical, social engineering, and cloud.

• Describe phases of penetration testing (reconnaissance to reporting).

• Become familiar with key penetration testing methodologies (e.g., OSSTMM, NIST SP 800-115, ISSAF, PTES), frameworks (e.g., OWASP Testing Guide and MITRE ATT&CK/cyber kill chain), and technologies (e.g., Nmap, OpenVAS, Metasploit, and Burp Suite).

• Identify common attack targets - OS, shrink-wrap code attacks, device misconfiguration, OWASP Top 10 vulnerabilities like cross-site scripting (XSS) and SQL injection (SQLi) attacks.

Topics covered in this chapter

What differentiates between white hat hacking (professional ethical hacking), gray hat hacking, and hacktivism.

Ethical and legal consequences of unauthorized hacking.

Defensive security and offensive security approaches.

Black box penetration testing vs white box penetration testing.

Defensive cybersecurity technologies such as packet analyzers (e.g., Wireshark), IDS/IPS (e.g., Suricata, Snort), network security monitoring/SIEM (e.g., Wazuh), and host/network firewalls (e.g., OPNsense, pfilter, nftables).

Introduction to penetration testing technologies (e.g., Nmap, OpenVAS, Metasploit, and Burp Suite), methodologies (e.g., OSSTMM, NIST SP 800-115, ISSAF, PTES), and frameworks (e.g., OWASP Testing Guide, MITRE ATT&CK).

Phases of the penetration testing process (planning and reconnaissance, scanning and enumeration, exploitation, post-exploitation, and reporting).

Types of penetration tests (network, wireless, web application, physical, social engineering, and cloud).

Common infrastructure targets: OS vulnerabilities/unpatched services, default credentials; and web app targets: SQL injection (database manipulation), XSS (client-side script execution).

PreviousIntroduction - Wireless security and cryptography NextEthical assessment of teaching ethical hacking

Last updated 10 days ago

Introduction - Practical foundations in ethical hacking

This chapter helps students develop a practical and professional understanding of who are ethical hackers and what they do, and the benefits and risks of ethical hacking

Chapter 6: Practical foundations in ethical hacking

This chapter will help students:

• Contrast professional ethical hacking (authorized/contract-based) with gray hat hacking (unauthorized, but essentially apolitical) and hacktivism (politically motivated).

• Become familiar with the professional ethics of ethical hackers.

• Appreciate the ethical and legal consequences (e.g., CFAA violations) of unethical hacking.

• Evaluate organizational benefits of ethical hacking (risk reduction) vs. risks (e.g., system disruption and privacy concerns).

• Describe types of penetration testing: network, wireless, web application, physical, social engineering, and cloud.

• Describe phases of penetration testing (reconnaissance to reporting).

• Identify common attack targets - OS, shrink-wrap code attacks, device misconfiguration, OWASP Top 10 vulnerabilities like cross-site scripting (XSS) and SQL injection (SQLi) attacks.

Topics covered in this chapter

What differentiates between white hat hacking (professional ethical hacking), gray hat hacking, and hacktivism.

Ethical and legal consequences of unauthorized hacking.

Defensive security and offensive security approaches.

Black box penetration testing vs white box penetration testing.

Phases of the penetration testing process (planning and reconnaissance, scanning and enumeration, exploitation, post-exploitation, and reporting).

Types of penetration tests (network, wireless, web application, physical, social engineering, and cloud).

Common infrastructure targets: OS vulnerabilities/unpatched services, default credentials; and web app targets: SQL injection (database manipulation), XSS (client-side script execution).

PreviousIntroduction - Wireless security and cryptography NextEthical assessment of teaching ethical hacking

Last updated 10 days ago