
Ethical Hacking Smart

Streamline your workflow with this skill. Includes structured workflows, validation checks, and reusable patterns for security.

Skill · Clipticss · security · v1.0.0 · MIT

Ethical Hacking Smart

Master the complete penetration testing lifecycle from reconnaissance through reporting. This skill covers the five phases of ethical hacking methodology, essential tools and techniques for each phase, rules of engagement, legal frameworks, and professional reporting standards for authorized security assessments.

When to Use This Skill

Choose Ethical Hacking Smart when you need to:

  • Plan and execute a structured penetration testing engagement
  • Understand the methodology and phases of professional security assessments
  • Select appropriate tools and techniques for each testing phase
  • Write professional penetration test reports with actionable findings

Consider alternatives when:

  • You need specific attack techniques (use domain-specific skills like AD Attacks, API Fuzzing)
  • You need vulnerability scanning only (use Nessus, OpenVAS, or Qualys)
  • You need security awareness training content (use security education resources)

Quick Start

```python
# Penetration Testing Engagement Tracker
from dataclasses import dataclass, field
from typing import List, Dict
from datetime import date, datetime, timezone
from enum import Enum


class Phase(Enum):
    RECONNAISSANCE = "1. Reconnaissance"
    SCANNING = "2. Scanning & Enumeration"
    EXPLOITATION = "3. Exploitation"
    POST_EXPLOITATION = "4. Post-Exploitation"
    REPORTING = "5. Reporting"


class Severity(Enum):
    CRITICAL = "Critical"
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"
    INFO = "Informational"


@dataclass
class Finding:
    title: str
    severity: Severity
    description: str
    evidence: str
    impact: str
    remediation: str
    cvss_score: float = 0.0
    cve: str = ""


@dataclass
class Engagement:
    client: str
    scope: List[str]
    start_date: date
    end_date: date
    tester: str
    current_phase: Phase = Phase.RECONNAISSANCE
    findings: List[Finding] = field(default_factory=list)
    activity_log: List[Dict] = field(default_factory=list)

    def log_activity(self, phase: Phase, action: str, result: str):
        # A full UTC timestamp (not just the date) so entries can be correlated
        # with the client's SOC logs later.
        self.activity_log.append({
            'timestamp': datetime.now(timezone.utc).isoformat(),
            'phase': phase.value,
            'action': action,
            'result': result,
        })

    def add_finding(self, finding: Finding):
        self.findings.append(finding)
        print(f"[{finding.severity.value}] {finding.title}")

    def generate_executive_summary(self) -> str:
        severity_counts = {}
        for f in self.findings:
            severity_counts[f.severity.value] = severity_counts.get(
                f.severity.value, 0) + 1
        summary = f"""
EXECUTIVE SUMMARY
=================
Client: {self.client}
Assessment Period: {self.start_date} to {self.end_date}
Scope: {', '.join(self.scope)}
Total Findings: {len(self.findings)}
"""
        # Emit counts in descending severity order, skipping empty levels
        for sev in ['Critical', 'High', 'Medium', 'Low', 'Informational']:
            count = severity_counts.get(sev, 0)
            if count:
                summary += f"  {sev}: {count}\n"
        return summary


# Example
engagement = Engagement(
    client="Acme Corp",
    scope=["10.0.0.0/24", "*.acme.com"],
    start_date=date(2025, 3, 10),
    end_date=date(2025, 3, 14),
    tester="Security Consultant"
)

engagement.add_finding(Finding(
    title="SQL Injection in Login Form",
    severity=Severity.CRITICAL,
    description="The login form at /api/auth/login is vulnerable to SQL injection",
    evidence="Payload: ' OR '1'='1 returns HTTP 200 with admin session",
    impact="Complete database access, authentication bypass",
    remediation="Use parameterized queries for all database operations",
    cvss_score=9.8
))

print(engagement.generate_executive_summary())
```

Core Concepts

Penetration Testing Phases

| Phase | Objective | Key Activities |
|---|---|---|
| 1. Reconnaissance | Gather intelligence | OSINT, DNS enum, social engineering recon |
| 2. Scanning | Map attack surface | Port scanning, service detection, vulnerability scanning |
| 3. Exploitation | Gain access | Exploit vulnerabilities, bypass authentication |
| 4. Post-Exploitation | Assess impact | Privilege escalation, lateral movement, data access |
| 5. Reporting | Communicate findings | Executive summary, technical details, remediation |

Reconnaissance Toolkit

```bash
# Passive Reconnaissance (no direct target contact)

# DNS enumeration
# Note: many resolvers refuse or minimise ANY responses (RFC 8482);
# fall back to explicit record types (A, AAAA, MX, NS, TXT) if this returns nothing.
dig +short target.com ANY
dig +short -x 93.184.216.34          # reverse lookup of a known address
host -t mx target.com

# Subdomain enumeration
# subfinder -d target.com -silent
# amass enum -passive -d target.com

# Certificate transparency logs
curl -s "https://crt.sh/?q=%.target.com&output=json" | \
  python3 -c "import json,sys; [print(x['name_value']) for x in json.load(sys.stdin)]" | \
  sort -u

# WHOIS information
whois target.com

# Active Scanning (requires authorization)
# nmap -sC -sV -oA scan_results target.com
# nmap -p- --min-rate 1000 target.com
```
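The crt.sh one-liner above prints `name_value` fields verbatim, which mixes case, wildcard entries, several names separated by newlines inside one record, and certificates for unrelated domains that merely contain the search string. The following is an added example, not code from the original skill, that normalises such output into a deduplicated list restricted to the target domain. The JSON it parses is a constructed sample shaped like crt.sh's `output=json` records, not a real query result.

```python
# Added example (not part of the original skill): clean up certificate-transparency
# results into an in-scope subdomain list.
import json
from typing import List

# Constructed sample in the shape of crt.sh "output=json" records (not real data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.target.com\nmail.target.com", "issuer_name": "Example CA"},
    {"name_value": "*.target.com", "issuer_name": "Example CA"},        # wildcard cert
    {"name_value": "DEV.Target.com.", "issuer_name": "Example CA"},     # mixed case, trailing dot
    {"name_value": "mail.target.com", "issuer_name": "Example CA"},     # duplicate
    {"name_value": "target.com.lookalike.net", "issuer_name": "Example CA"},  # not our domain
])


def extract_subdomains(crtsh_json: str, domain: str) -> List[str]:
    """Return sorted, deduplicated hostnames under `domain` from crt.sh JSON.

    - splits multi-name records on newlines (crt.sh packs all SANs into name_value)
    - lowercases and strips trailing dots so duplicates collapse
    - reduces wildcard entries ("*.target.com") to the base name they cover
    - drops anything that is not the apex or a true subdomain of `domain`
    """
    domain = domain.lower().rstrip(".")
    names = set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                name = name[2:]
            # endswith("." + domain) rejects lookalikes such as target.com.lookalike.net
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "target.com"):
        print(host)
```

Feed real output in with `curl -s "https://crt.sh/?q=%.target.com&output=json" | python3 ct_clean.py` after replacing the sample with `sys.stdin.read()`; the filtering step matters because the `%.target.com` search is a substring match on the crt.sh side.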

Configuration

| Parameter | Description | Default |
|---|---|---|
| scope | Authorized targets (IPs, domains, applications) | Required |
| rules_of_engagement | Testing boundaries and restrictions | Required |
| testing_window | Authorized testing hours | Business hours |
| emergency_contact | Client contact for incidents | Required |
| methodology | Testing framework (PTES, OWASP, NIST) | "PTES" |
| report_format | Final report format | "PDF" |
| evidence_retention | How long to keep evidence | 90 days |
| tools_allowed | Approved testing tools | Engagement-specific |

Best Practices

  1. Get written authorization before any testing begins — A formal scope document (rules of engagement) signed by an authorized representative of the target organization is legally required. It should specify: target systems, testing window, allowed techniques, emergency contacts, and data handling requirements.

  2. Follow a structured methodology throughout the engagement — Use PTES (Penetration Testing Execution Standard), OWASP Testing Guide, or NIST SP 800-115. A methodology ensures comprehensive coverage, consistent quality, and defensibility of your testing approach. Don't skip phases even if you find critical issues early.

  3. Maintain a detailed activity log with timestamps — Log every command, tool, and technique used with timestamps and source/destination IPs. This log protects you legally, helps correlate your testing with the client's security monitoring, and provides evidence for the final report.

  4. Prioritize findings by business impact, not just technical severity — A medium-severity vulnerability in a payment processing system may be more impactful than a high-severity vulnerability in a development server. Map technical findings to business risk in your report.

  5. Deliver actionable remediation guidance, not just vulnerability descriptions — For each finding, provide: specific remediation steps, code examples where applicable, references to security standards, and a recommended priority for fixing. Findings without remediation guidance are incomplete.

Common Issues

Scope creep during the engagement — Testing reveals connected systems outside the defined scope. Never test out-of-scope systems regardless of their apparent vulnerability. Document the out-of-scope observation and recommend the client include these systems in a future assessment.
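A mechanical pre-flight check is the simplest defence against scope creep and against running tools outside the agreed `testing_window`: every target is compared against the signed `scope` list before any command is issued, and anything not explicitly covered is refused rather than "probably fine". The following is an added example, not the skill's own code; the scope entries, the business-hours window and the target lists are constructed values standing in for what the rules-of-engagement document would supply.

```python
# Added example (not part of the original skill): refuse targets that are outside
# the signed scope or outside the authorized testing window.
import ipaddress
from datetime import datetime, time
from typing import List, Tuple

# Constructed rules-of-engagement values (hypothetical); load these from the
# signed scope document in a real engagement.
SCOPE = ["10.0.0.0/24", "*.acme.com", "203.0.113.7"]
TESTING_WINDOW = (time(9, 0), time(17, 0))   # client-local business hours


def _matches_domain(pattern: str, host: str) -> bool:
    """'*.acme.com' covers sub.acme.com and a.b.acme.com but not acme.com itself
    (list the apex explicitly if it is in scope) and not notacme.com.
    A plain hostname pattern must match exactly. Comparison is case-insensitive."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])     # pattern[1:] == ".acme.com"
    return host == pattern


def in_scope(target: str, scope: List[str] = SCOPE) -> bool:
    """True only when some scope entry explicitly covers the target.
    IP targets are matched against CIDR/host entries; names against domain patterns."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None                            # not an IP literal: treat as hostname
    for entry in scope:
        if addr is not None:
            try:
                # strict=False lets a bare host like "203.0.113.7" act as a /32
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                continue                       # entry is a domain pattern, skip
        elif _matches_domain(entry, target):
            return True
    return False


def in_window(now: datetime, window: Tuple[time, time] = TESTING_WINDOW) -> bool:
    start, end = window
    return start <= now.time() <= end


def preflight(targets: List[str], now: datetime) -> Tuple[List[str], List[str]]:
    """Split targets into (allowed, refused). Outside the window nothing is allowed."""
    if not in_window(now):
        return [], list(targets)
    allowed = [t for t in targets if in_scope(t)]
    refused = [t for t in targets if t not in allowed]
    return allowed, refused


if __name__ == "__main__":
    ok, no = preflight(["10.0.0.42", "api.acme.com", "10.0.1.9", "acme.com"],
                       datetime(2025, 3, 10, 10, 30))
    print("allowed:", ok)
    print("refused (document, do not test):", no)
```

Run the check on hostnames and on the addresses they resolve to: a name in scope whose A record points into a network the client does not own is exactly the "connected system outside the defined scope" case, and it belongs in the report as an observation, not in the scan queue.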

Client's security team blocks your testing — Coordinate with the SOC/security team before testing. Share your source IPs and testing windows. Provide a point of contact who can whitelist your activity if needed. Some engagements intentionally don't notify the security team to test detection capabilities.

Report findings are disputed by the development team — Include clear evidence (screenshots, request/response pairs, reproduction steps) for every finding. Use industry-standard severity ratings (CVSS) and reference authoritative sources (OWASP, NIST, CWE). Offer to demonstrate the vulnerability in a live session.
