The 5-Step Process To Ethical Hacking

The global cost of cybercrime was estimated at around 7 trillion dollars in 2022 and rose to $13.8 trillion by the end of 2023.

That's right, trillion with a t, which is absolutely mind-blowing. To put that into perspective, that's 100 million, million dollars…

And if that's not already bad enough, a recent study by IBM Security found that the average cost of a data breach for a company is $4.45 million 🙁.

As you can probably guess, with this growing increase in cyber threats, companies are looking for new and innovative ways to protect themselves and their data (Gone are the days when a firewall and an antivirus are all you need).

One way companies are doing this is to hire ‘ethical hackers’.

Ethical hackers are people who will attempt to hack into your systems and networks for you, so that they can then uncover any weaknesses or potential issues. This way you can then fix them before a ‘black hat’ hacker (aka... the bad guys) can exploit them.

Pretty cool right?

If you’ve ever thought of becoming an ethical hacker, or simply want to know how this process works so you can assess your own system, then keep reading, because I’m going to walk you through the exact 5-step process to ethical hacking.

Sidenote: I actually teach a complete course on Ethical Hacking, so that you can go from absolutely zero experience to full-on ethical hacker, and get paid to do this as a full-time job.

This is an incredibly lucrative career. In fact, at the time of writing this post, the average Ethical Hacker salary is around $133k and can scale as high as $241k per year.

That's a lot of money to do cool stuff but it gets better. Well, kind of...

You see, as the crime rates go up (not good), the demand for cyber security professionals (like ethical hackers) is rising just as fast to meet it, which means more job opportunities than ever before (which could be good for you).

So if this type of career sounds interesting to you, then you can check out the course here or watch the first few videos for free.

With that out of the way, let's get into the actual processes of ethical hacking, aka ‘penetration testing’.

What is a penetration test?

The act of hacking into an organization with the permission of its owners in order to test its security is referred to as a penetration or pen test, and it has 5 clear stages:

1. Reconnaissance
2. Scanning
3. Exploitation
4. Post-Exploitation / Gain further access
5. Reporting your findings

So let’s break them down.

The 5-step process of a penetration test

Step #1: Reconnaissance

This first stage is all about gathering as much information as possible about our target, and we can do this either ‘actively’, or ‘passively’.

So what do I mean by that?

Active reconnaissance explained

Active reconnaissance is where we extract information by directly interacting with the target. An example of this could be social engineering, where we anonymously contact the company's staff and trick them into giving privileged information.

“And what was your first pet’s name? Hmm interesting… and the street you grew up on?”

Passive reconnaissance explained

Alternatively, passive reconnaissance is where we gather information without directly interacting with the target. This involves gathering information from publicly available sources such as websites, social media, search engines, and databases.

No joke, you would be amazed how many people have their address, email, and other information just on their social media pages.

However, you can go even further than this, and use OSINT sources.

What is OSINT?

OSINT stands for ‘Open-Source Intelligence’. It sounds complex but it's simply looking for further shared information on other publicly available sources such as news articles, reports, and forums.

Did the CEO do an interview and talk about his pet dog? Knowing this information can lead to password security question access later on.

Step #2: Scanning

Scanning is the second phase of a penetration test, and involves using hacking tools to get technical information about our target's infrastructure.

We can actually do most of this with a single tool, called Nmap, otherwise known as ‘Network Mapper’.

Nmap is a complex command line tool that can provide technical information about the device or server that is being scanned, such as:

• What operating system the target is running to
• Which ports are open
• What version of the software is being run on those ports

Sidenote I put together an entire cheat sheet on NMAP, that you can go check out here for free!

Once we have this information, we can then run something called a ‘vulnerability analysis’. Basically, this is figuring out whether any of the information that we gathered is vulnerable to some type of attack.

This can be done by either researching online for currently known exploits or by using automated tools, such as Nessus.

Heck, you might even find current vulnerabilities that are already being exploited!

Step #3: Exploitation / Gaining access

OK, so now that we have that personal and technical information from the last 2 stages, we can now conduct an attack on the target.

Obviously, the type of attack can vary based on what information, tech, and vulnerabilities were found. That being said, the primary target should be the technical vulnerabilities first.

Important: Always test technical vulnerabilities first!

Why? Well for 2 reasons:

Reason #1. Critical threats

If you found a vulnerability that has the potential to be critical, it should immediately be reported and patched, before you even finish the test.

Seriously, don’t wait, because critical vulnerabilities often allow for Remote Code Execution on the target system and complete takeover of the device or its data.

That’s why you check these vulnerabilities first, but also?

Reason #2. Tech exploits are fast access

If there are flaws in any of the applications or devices that were scanned, then these are the easiest and fastest ways to gain access to the system, and you can start working your way through to the next stage right away.

However, if no technical vulnerabilities are found that doesn't mean this is the end of the exploitation phase. Once you've tested the tech, its time to test the people.

Then check for personal vulnerabilities

Although the tech might be sound, it doesn't mean the system is completely safe. In fact, social engineering is the number 1 threat to all organizations.

As an ethical hacker, you also need to assess if there is a vulnerability from team members, as this is exactly what a black hat would do.

• Try to gather employee credentials with a fake phishing link in an anonymous or spoofed email
• Try to make the employee download a program such as a trojan or a keylogger

Ideally, their employees are up to date on their security awareness training, and have systems in place, such as VPNs, 2FA, and know not to click dodgy looking links!

Step #4: Post-Exploitation for deeper access

In this phase, the tester focuses on expanding their access to the targeted systems, elevating their privileges, and gathering as much information as possible about the target's infrastructure.

The goal of this phase is to maximize the impact of the initial compromise and to gain a better understanding of the target's security posture.

This can involve installing backdoors for repeat access, pivoting to other systems within the target's network, and collecting sensitive data such as passwords, confidential documents, and other sensitive information, before covering your tracks.

This way it gives a truly accurate experience of what it's like to be hacked. Also, it helps show gaps in their detection, if you can hack without them even knowing it happened.

Fun fact: It’s almost never the most secure system that’s hacked. But rather access from a smaller system gives a backdoor to the more secure option.

For example

There was a state of robberies in 2021, where hackers would gain access to users' smart devices (usually their fridge), and then backdoor onto the secure wi-fi network, and turn off the home security systems.

This is why the recon and scanning are so important so that you can find any way onto the system.

Step #5: Reporting your findings

Finally, the tester collects all the data obtained from the previous phases and generates a comprehensive report.

This generally summarizes:

• Any interesting findings (such as open source data that could be removed)
• Any vulnerabilities that were uncovered
• The techniques used to exploit them
• The potential impact of a successful attack
• As well as any recommendations on how to enhance the target's security posture and address the identified vulnerabilities

This phase of the penetration test is crucial as it offers significant information to the client to enhance their security posture and make informed security decisions.

Is your system safe? Go check now!

As you can see, ethical hacking can be a lot of fun, and it's a really interesting process to work with. You get to play at being a bad guy, a detective, a spy, and much more - all while being paid well for it!

And although I’ve simplified this process for the purposes of this post, these are the exact broad steps that you take:

• Recon
• Scan
• Exploit
• Gain further access, and
• Report

You might try a few other things but this is the general path you would take, so why not give it a go for yourself? You could run the same tests to find vulnerabilities in your current systems, or even dive deeper and make this your new career.