Introduction to Ethical Hacking
Ethical Hacking & Types of Hackers
What is Ethical Hacking?
Ethical hacking is the authorized practice of testing systems, networks, or applications to identify security weaknesses before malicious attackers exploit them. Ethical hacking is performed with written permission, defined scope, and responsible reporting.
What is Hacking?
Hacking is the process of identifying, analyzing, and exploiting vulnerabilities or weaknesses in systems, networks, applications, or devices to gain access, manipulate operations, or extract information.
Types of Hackers
Different hacker categories are defined by their intent, authorization, and methods.
White Hat Hacker
A White Hat Hacker is a cybersecurity professional who performs authorized security testing with written permission from the organization. Their goal is to identify and fix vulnerabilities before malicious attackers can exploit them. They follow defined scopes, ethical guidelines, and responsible disclosure practices. White Hats commonly work as penetration testers, security analysts, or consultants.
Black Hat Hacker
A Black Hat Hacker uses hacking techniques illegally for personal gain, financial profit, or disruption. They exploit vulnerabilities without authorization and often hide their identity to avoid detection. Common activities include ransomware attacks, phishing, data theft, and fraud. Their actions violate cyber laws and ethical standards.
Grey Hat Hacker
A Grey Hat Hacker operates between ethical and illegal boundaries by finding vulnerabilities without permission but usually without malicious intent. They may disclose security flaws publicly or report them directly to organizations. Although their intentions may not be harmful, their actions are still unauthorized. Grey Hat activities are not considered fully ethical.
Script Kiddie
A Script Kiddie is an inexperienced hacker who uses pre-made tools and scripts created by others. They usually lack deep technical knowledge and rely on automated software to perform attacks. Their motives often include curiosity, fun, ego, or peer recognition. Script kiddies commonly perform low-level attacks.
Hacktivist
A Hacktivist uses hacking skills to promote political, social, or ideological causes. Their attacks may include website defacement, data leaks, or DDoS attacks against governments or organizations. They are motivated by activism rather than financial gain. Despite their intentions, their actions are generally illegal.
State-Sponsored Hacker
A State-Sponsored Hacker is a highly skilled cyber operator supported by a government for espionage, sabotage, or intelligence gathering. These attackers target critical infrastructure, military systems, and organizations of national interest. They use advanced tools, malware, and long-term attack strategies. Such groups are often referred to as APTs (Advanced Persistent Threats).
Suicide Hacker
A Suicide Hacker performs cyber attacks without attempting to hide their identity or avoid consequences. They are often motivated by revenge, ideology, or the desire to cause maximum disruption. Unlike most attackers, they do not fear arrest or punishment. Their reckless behavior can make them highly dangerous.
Cybercriminal
A Cybercriminal is a professional attacker who conducts illegal cyber activities mainly for financial gain. They may operate individually or within organized crime groups. Common crimes include ransomware, banking fraud, identity theft, and selling stolen data. Cybercriminals often treat hacking as a business operation.
Insider Threat
An Insider Threat is a trusted individual such as an employee, contractor, or partner who misuses legitimate access to harm an organization. Insider threats may be intentional or accidental. Because insiders already have authorized access, they are difficult to detect. They can cause data leaks, sabotage, or financial loss.
What is the complete full form of the cybersecurity certification abbreviation CEH?
Which type of hacker commonly uses pre-made tools without understanding their internal working?
Can ethical hackers legally exploit vulnerabilities during authorized penetration testing engagements?
Which hacker type performs cyber attacks mainly for political or social causes?
Most cybercriminal organizations perform illegal activities primarily to generate financial profit online.
Which hacker category frequently deploys ransomware attacks mainly for financial gain purposes?
Can Black Hat hackers legally perform unauthorized attacks against company systems worldwide?
Which hacker type usually performs attacks without fearing punishment or legal consequences?
Scenario: A trusted employee intentionally leaks confidential company files to external attackers.
Can Grey Hat hackers legally perform testing activities without obtaining proper authorization beforehand?
Which hacker category performs authorized security testing with official written permission?
Which hacker type operates between ethical and illegal boundaries without malicious intentions?
CIA Triad & Internet Layers
The CIA Triad
The three foundational principles of information security.
- Confidentiality — Ensures only authorized users can access information.
- Integrity —Ensures data remains accurate and unmodified.
- Availability — Ensures resources remain accessible when needed.
Internet Layers
These layers differ based on accessibility, indexing, and anonymity.
Surface Web
The Surface Web is the publicly accessible part of the internet that can be indexed and displayed by standard search engines like Google or Microsoft Bing.
Deep Web
The Deep Web refers to all online content that is not indexed by search engines and requires authentication, authorization, or direct access links.
Dark Web
The Dark Web is a small portion of the Deep Web that is intentionally hidden and accessible only through specialized software such as Tor Browser.
Which CIA Triad principle ensures that information remains accurate and unmodified?
Which CIA Triad principle ensures unauthorized users cannot access sensitive information illegally?
Within the CIA Triad, availability ensures authorized resources remain accessible when needed.
Which internet layer contains publicly accessible websites indexed by major search engines?
The Surface Web can be indexed and accessed using traditional search engines.
The Deep Web usually requires authorization, credentials, or direct access links.
Which internet layer commonly requires Tor Browser for anonymous user access?
What is the official full form of the VPN?
What cybersecurity term describes a weakness that attackers can potentially exploit successfully?
Attacks & CEH Methodology
Classification of Attacks
Cyber attacks are commonly divided into passive and active categories based on attacker behavior.
Passive Attack
A passive attack is a type of cyber attack in which an attacker monitors, collects, or observes information from a system or network without modifying the data or affecting system operations.
Active Attack
An active attack is a type of cyber attack in which an attacker attempts to alter, disrupt, damage, or gain unauthorized access to a system, network, or data.
CEH Hacking Methodology
The 5 phases of ethical hacking used in the CEH framework.
| Phase | Description |
|---|---|
| 1. Reconnaissance | Gathering information about a target prior to launching an attack. |
| 2. Scanning | Using tools to detect live hosts, open ports, services, and vulnerabilities. |
| 3. Gaining Access | Exploiting vulnerabilities to enter a system or application. |
| 4. Maintaining Access | Ensuring continued access even after reboots or logoffs. |
| 5. Covering Tracks | Removing logs, tools, and artifacts to avoid detection. |
AI Integration in CEH v13
With CEH v13, AI integration enhances each phase—automating data analysis, accelerating scanning, and adapting exploitation techniques in real-time
Which type of cyber attack attempts to modify or damage system operations?
Passive cyber attacks usually modify data and directly affect system operations significantly.
Which attack type secretly monitors network traffic without changing transmitted information contents?
Which ethical hacking phase mainly focuses on gathering information about the target?
Which CEH phase focuses mainly on exploiting vulnerabilities to enter target systems?
Which CEH phase focuses on maintaining persistence and continued access after successful exploitation?
Which CEH hacking phase involves removing logs and traces from compromised systems?
Scenario: Performing penetration testing against systems without written permission from the organization.
Video Task:
Watch CEH v13 – 5 Phases of Ethical Hacking
Question: Which phase scans ports and services on target systems?
Can ethical hacking activities be performed legally without obtaining proper written authorization?
Reconnaissance mainly involves collecting information before launching attacks against targets.
What common cyber attack method is mainly used to steal user credentials online?
Which network attack technique involves capturing and analyzing transmitted data packets silently?
CYBER KILL CHAIN,TTP AND CYBER LAWS
Cyber Kill Chain
A framework used to understand and defend against cyber attacks.
The Cyber Kill Chain is a cybersecurity framework used to describe the different stages of a cyber attack, from the attacker’s initial planning to the final objective.
Why Security Teams Use It
- Understand attacker behavior
- Detect attacks early
- Prevent damage before execution
Definition of Cyber Kill Chain
The Cyber Kill Chain is a structured model that identifies the sequential phases of a cyber attack, helping organizations detect, prevent, and respond to threats at different stages.
Who Invented the Cyber Kill Chain?
The Cyber Kill Chain was developed by Lockheed Martin in 2011, as part of their intelligence-driven security approach.
The concept was inspired by the military term “kill chain”, which describes the stages of a military attack.
7 Stages of the Cyber Kill Chain
The attacker gathers information about the target.
The attacker creates or prepares the malicious payload.
The attacker sends the malicious payload to the target.
The malicious code is executed by exploiting a vulnerability.
The attacker installs malware or backdoors on the target system.
The infected system connects back to the attacker’s server.
The attacker performs the intended objective.
Recon → Weaponization → Delivery → Exploitation → Installation → C2 → Actions
Cyber Laws Followed Globally by Ethical Hackers
Key cybersecurity laws and ethical principles followed worldwide.
Accessing a computer, network, or account without permission is a cyber offense.
Stealing, copying, or leaking confidential digital information is illegal.
Using another person’s identity, credentials, or digital information fraudulently is a crime.
Creating or spreading malicious software is prohibited.
Deceiving users to steal credentials or money through digital means is illegal.
Threatening, harassing, or abusing people online may violate cyber laws.
Accessing, monitoring, or sharing personal data without authorization is prohibited.
Intentionally disrupting online services or networks is a cyber offense.
Copying or distributing copyrighted software, data, or digital content without permission violates cyber law.
Security testing is legal only when proper permission and scope are defined.
Tactics, Techniques, and Procedures (TTPs)
What Are TTPs?
In cybersecurity, Tactics, Techniques, and Procedures (TTPs) refer to the patterns of activities, methods, and behaviors associated with specific threat actors or groups of threat actors .
Core Formula: Attack = Motive (Goal) + Method (TTP) + Vulnerability
TTPs describe how attackers operate—from initial reconnaissance to final objectives. Understanding TTPs allows ethical hackers to think and act like real adversaries, which is the core philosophy of CEH: "To defeat a hacker, you must think like a hacker"
Breaking Down TTP
| Component | Definition | CEH v13 Focus |
|---|---|---|
| Tactic | The high-level strategic goal an attacker wants to achieve at each stage of an attack | Understanding why an attacker performs specific actions |
| Technique | The technical method used to achieve a tactical goal | Learning how specific attacks are executed |
| Procedure | The specific step-by-step implementation of a technique by a particular threat actor | Studying how real APT groups operate |
Tactic - The "Why"
A tactic is the strategic objective an attacker aims to accomplish during a phase of the attack lifecycle .
Examples of tactics (from MITRE ATT&CK):
| Tactic | What Attacker Wants to Achieve |
|---|---|
| Reconnaissance | Gather information about the target. |
| Initial Access | Get a foothold into the target environment |
| Execution | Run malicious code on the target system |
| Persistence | Maintain access even after reboots |
| Privilege Escalation | Gain higher-level permissions |
| Defense Evasion | Avoid detection by security tools. |
| Credential Access | Steal usernames/passwords |
| Discovery | Learn about the target environment |
| Lateral Movement | Move to other systems in the network |
| Collection | Gather data of interest |
| Command & Control (C2) | Establish communication with compromised systems |
| Exfiltration | Exfiltration |
Technique - The "How"
A technique is a specific technical method used to achieve a tactical goal.
Examples:
| Tactic | Technique (Method) |
|---|---|
| Reconnaissance | OSINT gathering, Google dorking, Shodan searching. |
| Initial Access | Phishing email, drive-by compromise, exploiting public-facing apps |
| Persistence | Scheduled tasks, registry run keys, backdoor creation |
| Privilege Escalation | DLL side-loading, token manipulation, sudo abuse |
| Defense Evasion | Obfuscated files, removing indicators, masquerading. |
| Credential Access | Brute force, keylogging, credential dumping (LSASS) |
Procedure - The "Specific Implementation"
A procedure is the detailed, step-by-step approach a specific threat actor follows when executing a technique .
Different attackers may use the same technique but with different procedures.
Example: Phishing (Technique)
| Threat Actor | Procedure (Specific Implementation) |
|---|---|
| Lazarus Group | Uses fake job offers with malicious Word documents embedded with macros |
| Fancy Bear (APT28) | Uses spear-phishing emails with shortened URLs leading to credential-harvesting pages |
| Common Criminal | Uses mass email with fake invoice attachment containing malware |
Understanding procedures helps defenders recognize specific indicators of compromise (IOCs) unique to different attacker groups.
Which organization originally developed the Cyber Kill Chain cybersecurity framework model?
Within the Cyber Kill Chain, what does the abbreviation C2 represent?
Which Cyber Kill Chain stage focuses on sending malicious payloads toward victims?
Which Cyber Kill Chain phase involves installing malware onto the compromised target system?
In cybersecurity, what is the full form of the abbreviation TTP?
Which MITRE ATT&CK tactic specifically focuses on stealing usernames and passwords?
The MITRE ATT&CK framework is commonly used to map attacker TTP behaviors.
In cybersecurity investigations, what does the abbreviation OSINT officially stand for?
Which tactic focuses on avoiding detection from security monitoring solutions?
Scenario: A hacker publicly discloses vulnerabilities without obtaining organizational permission beforehand.
Scenario: Malware repeatedly connects back to a remote attacker-controlled server every hour.
Scenario: A fake invoice attachment is emailed to company employees to spread malware.
Scenario: A government-backed cyber espionage group targets critical infrastructure networks.
Scenario: Monitoring network traffic silently without changing transmitted data or system operations.
Video Task:
Watch Cyber Kill Chain Explained
Question: Which Cyber Kill Chain stage occurs before Weaponization?
Video Task:
Watch White Hat vs Black Hat vs Grey Hat Hackers
Question: Which hacker lacks authorization but usually has no malicious intentions?
Video Task:
Watch Cybersecurity CIA Triad Explained
Question: Which CIA Triad principle protects information accuracy and consistency?
Which cyber attack type floods servers or systems using excessive traffic requests?
Most cyber laws globally consider unauthorized system access a criminal offense.
Can malware distribution legally occur without proper authorization or legitimate purpose?