**Disclaimer:** This post is for people who are looking to get into network ethical hacking specifically. This part of cybersecurity is generally not an entry-level/beginner-level position, and there are many things you are expected to know before working in this area.

What is Ethical Hacking?

Ethical hacking is a proactive approach to cybersecurity that focuses on identifying and addressing vulnerabilities in systems, networks, and applications through simulated attacks and penetration testing. The goal of ethical hacking is to discover weaknesses before malicious actors discover and exploit them, thereby improving the overall security posture of an individual or organization.

The Prereqs:

Computer Networking – In order to exploit a system, you need to know how computers work and communicate with each other. The main things you need to be familiar with are network ports and services, and IP addressing and subnetting.

Common Ports and Services

  • HTTP – port 80 – the backbone of any data exchange on the Web
  • HTTPS – port 443 – the more secure version of HTTP
  • DNS – port 53 – translates between IP addresses and more readable domain names
  • SSH – port 22 – Secure Shell. Allows for remote login via the command line (no GUI)
  • Telnet – port 23 – the older predecessor to SSH. Not encrypted. Someone can use a network sniffer (like Wireshark) to view the network traffic (communication)
  • FTP (File Transfer Protocol) – port 21 – how computers and servers transfer files, but it is insecure
  • SMB – port 445 – lets users transfer files over the network
  • RDP (Remote Desktop Protocol) – port 3389 – can connect to a computer/server like SSH, but you get a GUI
  • SMTP (Simple Mail Transfer Protocol) – port 25 – a TCP port for sending and receiving mail. It can be vulnerable to an SMTP relay attack when not well secured
  • NFS (Network File System) – port 2049 – used for storing files on a network

These are just some common services and the ports they typically run on. There are thousands of services and 65,535 total ports. You do not need to know all ports and services, but it is beneficial to be familiar with the most commonly used ones.

IP Addresses and Subnetting

An Internet Protocol (IP) address is a numerical value that is assigned to devices connected to the internet. IPv4 addresses consist of 32 bits, which are represented in dotted-decimal notation (such as 192.168.1.1). IP addresses are split into two categories: external (public) and internal (private).

External IPs

External IP addresses are assigned to devices that are directly connected to the internet. Internet Service Providers (ISPs) assign external IP addresses to devices like home routers, business servers, or other network devices that need to communicate over the internet. External IP addresses can be dynamic (changing periodically) or static (unchanging). Many ISPs assign dynamic IP addresses to residential customers, while businesses often have static IP addresses for servers and other network infrastructure.

Internal IPs

Internal IP addresses are used within a private network, such as a home network or a corporate intranet and are not directly accessible from the internet. There are different classes of IP addresses (for both external and internal) and below are the classes of IP ranges reserved for internal networks.

  • Class A: 10.0.0.0 to 10.255.255.255
  • Class B: 172.16.0.0 to 172.31.255.255
  • Class C: 192.168.0.0 to 192.168.255.255

Subnetting

Subnetting is a huge topic, and I will not be able to go into all of the details of bits and binary. To keep it as simple as possible, you should know just a few things.

Subnetting is the process of breaking down a larger network into smaller, more manageable sub-networks, called subnets, which help to optimize network performance and manageability. For subnetting you should be familiar with subnet masks and CIDR notation and be able to know how many hosts are in a subnet based on the given subnet mask or CIDR notation.

A subnet mask is a 32-bit number used to divide an IP address into network and host portions. It is represented using the same format as an IP address (e.g., 255.255.255.0 for IPv4).

CIDR (Classless Inter-Domain Routing) notation is used to represent subnet masks and network prefixes compactly. It consists of an IP address followed by a slash (“/”) and the number of significant bits in the subnet mask. For example, “192.168.1.0/24” represents a subnet with a subnet mask of 255.255.255.0.

Subnet masks can go from /32 (255.255.255.255, which is a single host) to /0 (0.0.0.0, which is the entire internet). Something that you will see very commonly on LANs is a /24 subnet (255.255.255.0), which provides 254 usable addresses.
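The subnet-mask and host-count arithmetic described above, together with the internal ranges listed under Internal IPs, worked through on 32-bit integers. This is an added example, not part of the original post; the function names and the sample inputs are constructed for illustration, and the internal ranges are written as their equivalent CIDR blocks.

```python
# The three internal ranges listed in the post, written as CIDR blocks.
PRIVATE_BLOCKS = {"Class A": "10.0.0.0/8", "Class B": "172.16.0.0/12",
                  "Class C": "192.168.0.0/16"}

def to_int(dotted):
    """Convert dotted-decimal IPv4 text to its 32-bit integer value."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_for(prefix):
    """A /prefix mask is `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0-32, got {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def private_range(address):
    """Name the internal range an address falls in, or None if it is public."""
    for name, block in PRIVATE_BLOCKS.items():
        base, _, bits = block.partition("/")
        if to_int(address) & mask_for(int(bits)) == to_int(base):
            return name
    return None

def describe(cidr):
    """Work out mask, network, broadcast and usable hosts for 'a.b.c.d/n'."""
    address, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    mask = mask_for(prefix)
    network = to_int(address) & mask             # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # set the host bits
    total = 1 << (32 - prefix)
    # Network and broadcast addresses are not assignable, except on a /31
    # point-to-point link (RFC 3021) and a /32 single host.
    usable = total if prefix >= 31 else total - 2
    return {"mask": to_dotted(mask), "network": to_dotted(network),
            "broadcast": to_dotted(broadcast), "usable_hosts": usable,
            "private_range": private_range(address)}

if __name__ == "__main__":
    for sample in ("192.168.1.0/24", "172.16.5.77/26", "8.8.8.8/32"):  # constructed inputs
        print(sample, describe(sample))
```

For a /26 such as 172.16.5.77/26, the mask keeps only the top two bits of the last octet, which is why the network lands on .64 and the broadcast on .127.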

The link provided here is a great subnetting ‘cheat sheet’ that breaks down all of the possible subnet masks and CIDR notation. IPv4_Subnetting.pdf (packetlife.net)


Essential Tools

Once you are familiar with computer networking and how it works, there are things more specific to ethical hacking that you want to know and be familiar with.

Kali Linux – although it is not a tool on its own, it is very common for organizations to use Kali for engagements. Kali is a Debian-based Linux operating system, just like Windows or macOS are operating systems; however, it comes preinstalled with offensive security tools. Most of the tools on Kali can be used with a GUI (Graphical User Interface), but using terminal commands is often more efficient and flexible. Because of this, you will want to know some Linux commands to do a bit more with your system and targets.

Nmap – short for network mapper, it is the quintessential hacking CLI tool and comes installed on Kali. As the name implies, users can run nmap to scan a network and see the ports and services running on a target network. You do not need to know all of them, but you will want to become familiar with some of the switches used when running nmap and know what they do. Below is a sample of a few common switches.

  • -sV – a version scan
  • -sS – a SYN or ‘Stealth’ scan
  • -A – an aggressive scan

Metasploit

Responder

Password Crackers

Nessus


Study Material

TryHackMe – you can do the free or paid version. There are beginner paths to help cover the basics of cybersecurity.

HackTheBox –

YouTube –


Certification Route

Certifications are a great way to learn about different cybersecurity topics while also helping stand out in the job market. In cybersecurity, it can become overwhelming to decide which cert to go for as there are hundreds of options. The link below (Security Certification Roadmap by Paul Jerimy) is a great resource showing the different certifications available. For ethical hacking purposes, the Security Operations -> Penetration testing section of the roadmap would be the most relevant. However, when considering certifications, it is important to consider the cost and relevancy to the job market.

Foundational Certifications

CompTIA Network+ – As mentioned previously, you will want to be comfortable with computer networking. The CompTIA Network+ is a great way to gain that knowledge, as it is not vendor-specific and, in terms of pricing, is on the lower to middle end of costs for certifications. Additionally, there are tons of free study resources available for the Net+. There are also other networking certs like the CCNA, but unlike the Net+, the CCNA is Cisco-specific, so you will need to be familiar with Cisco technologies and products.

CompTIA Security+ – a very common entry-level cert for all cybersecurity jobs. This certification is not ethical hacking specific, but it lays a great foundation and can help you get a job in the cybersecurity field. The Sec+ builds on the Net+, and it assumes that you have the foundational networking knowledge.

Ethical Hacking/Penetration Testing Certifications

CompTIA Pentest+

TCM PJPT

TCM PNPT

CEH – expensive and not very technical or hands on but HR managers love it.

OSCP – the big kahuna. Created by OffSec, the people who created and maintain Kali Linux.

This is also a cert route to follow to become a senior pentester. All up to you.