Learning Objectives

Module Objectives: Explain the importance of methodological ethical hacking and penetration testing.

• Understanding Ethical Hacking and Penetration Testing: Explain the importance of ethical hacking and penetration testing.
• Exploring Penetration Testing Methodologies: Explain different types of penetration testing methodologies and frameworks
• Building Your Own Lab:Configure a virtual machine for your penetration testing learning experience.

1.0.1 Why Should I Take This Module?

Welcome to the Hackherway Ethical Hacker tutorial. This tutorial will help prepare you for a role as an entry-level penetration tester. We will be talking about ways that you can prepare for participating in our customer engagements and there are a number of activities for you to complete that are built to quickly enhance your skills.

Further, we will talk about some important big ideas in penetration testing and then get your practice lab environment up and running.

Before we jump into how to perform ethical hacking, you first need to understand some core concepts about the "art of hacking" that will help you to better understand the other concepts discussed throughout this tutorial. For example, you need to understand the differences between ethical hacking and unethical hacking. The tools and techniques used in this field change rapidly and what might be current today can be obsolete tomorrow so understanding the most current threats and attacker TTPs and motivations is also critical to your growth as an ethical hacker. Some consider penetration testing an art; however, this art needs to start out with a methodology if it is to be anywhere near effective. Furthermore, you need to also spend some time understanding the different types of penetration tests and the different types of testing and methods the industry uses. Finally, this is a hands-on concept, and you need to know how to get your hands dirty by properly building a lab environment for isolated testing.

1.1 Understanding Ethical Hacking and Penetration Testing

1.1.1 Overview

You will be working as a newly hired penetration tester for a fictitious company called Vitriol Security Solutions. You will need to understand what the business does, why they do it, and who they're enemies are. Once you have a strong foundation there, we can move on to understanding how we accomplish our purpose for filling this role.

As a refresher, the term ethical hacker describes a person who acts as an attacker and evaluates the security posture of a computer network for the purpose of reducing and minimizing risk thresholds. The NIST Computer Security Resource Center (CSRC) defines a hacker as an "unauthorized user who attempts to or gains access to an information system." Now, we all know that the term hacker has been used in many different ways, manners, and contexts, and has many definitions depending on whom you speak with. Most people in a computer technology field would consider themselves hackers based on the simple fact that they like to tinker. This is obviously not a malicious thing. So, the key factor here in defining ethical versus unethical hacking is that the latter involves malicious intent. The permission to attack or permission to test is crucia and what will keep you out of jail and trouble. This permission to attack is often referred to as "the scope" of the test (basically, what you are allowed to test and what you are not allowed to test). More on this later in this module.

A security researcher looking for vulnerabilities in products, applications, or web services is considered an ethical hacker if he or she responsibly discloses those vulnerabilities to the vendors or owners of the targeted research; however, the same type of "research" performed by someone who then uses the same vulnerability to gain unauthorized access to a targeted network or system would be considered an unethical hacker, or a black-hat hacker. We could even go so far as to say that someone who finds a vulnerability and discloses it publicly without first working with the vendor is considered an unethical hacker - because in doing this, could lead to the compromise of networks/systems by others who use this information in a malicious manner.

The truth is that as an ethical hacker, you use the same tools to find vulnerabilities and exploit targets the same way black-hats, nations-states, and APTs do; however, as an ethical hacker, you would typically report your findings to the vendor or customer you are helping to ake the network more secure. You would also try to avoid performing any tests or exploits that might be destructive in nature. Testing of that nature is only acceptable on systems or networks with which you personally own.

An ethical hacker's goal is to analyze the security posture of a network or information system, or its infrastructure in an effort to identify and possibly exploit (as proof of concept) any security weaknesses found and then determine if a compromise is possible. This process is called security penetration testing, or ethical hacking.

1.1.2 Why We Need Penetration Testing

So, why do we need penetration testing? Well, first of all, as someone who is responsible for securing and defending networks and systems, you want to find any possible paths of compromise before the bad guys do. For years we have developed and implemented many different defensive techniques (for instance, antivirus, firewalls, intrusion prevention systems (IPS), antimalware). We have deployed defense in depth as a method to secure and defend our networks. But how do we know if those defenses are really working as they are intended to? How do we know or not whether the defenses and layered security controls we have implemented are actually effective at keeping the bad guys out? On the frontend, security controls may look like their doing their job, but what about on the backend? These are some of the questions that should be answered by a penetration test. If you build a fence around your yard with the intent of keeping your dog from getting out, maybe it only needs to be 4 feet tall; however, if your concerns is not the dog escaping, but an intruder getting in, then you need a different fence - one that would need to be much taller than 4 feet. Depending on what you are protecting, you might also want razor wire on the top of the fence to deter bad entities even more so. When it comes to information security, we need to do the same type of assessments on our networks and systems. We need to determine what it is we are protecting exactly and whether our defnses can hold up tthe threat that are imposed upon them. This is where penetration testing comes in to play. Simply implementing a firewall, an IPS, antimalware, a VPN, a web application firewall (WAF), and other modern security defenses are not enough by today's security standards. You also need to test their validity. And you need to do this on a recurring basis. As you know, networks and systems change constantly. This means the attack surface can change and shift as well, and when it does, you need to consider reevaluating the security posture by way of a penetration test.

1.1.3 Lab - Researching Pentesting Careers

It's important for you to understand the employment landscape and the different roles and responsibilities that cybersecurity professions include. A good general reference to explore for thorough descriptions of different job roles is the National Initiative for Cybersecurity Careers and Solutions (NICCS) Cyber Career Pathways Tool. It offers a visual way to discover and compare different job roles in our profession.

In this activity, you discover and compare ethical hacking jobs that are listed on various job boards and will complete the following objectives:

1. Conduct a Penetration Tester Job Search

2. Analyze Penetration Tester Job Requirements

3. Discover Resources to Further Your Career

Digital marketing encompasses all marketing efforts that use electronic devices or the internet. It leverages digital channels such as search engines, social media, email, and websites to connect with current and prospective customers.

1.1 What is Digital Marketing?

Digital marketing encompasses all marketing efforts that use electronic devices or the internet. It leverages digital channels such as search engines, social media, email, and websites to connect with current and prospective customers.

1.2 Key Components

Learning Objectives

• Understand how search engines work
• Learn on-page and off-page SEO techniques
• Implement keyword research strategies

2.1 How Search Engines Work

Search engines use complex algorithms to crawl, index, and rank web pages. Understanding this process is crucial for effective SEO strategy.

2.2 Keyword Research

Keywords are the foundation of SEO. They represent the terms and phrases that users type into search engines when looking for information, products, or services.

Learning Objectives

• Identify key social media platforms and their audiences
• Develop effective social media content strategies
• Understand social media analytics and metrics

3.1 Platform Overview

Different social media platforms serve different purposes and audiences. Understanding these differences is crucial for effective social media marketing.

Learning Objectives

• Build and segment email lists effectively
• Create compelling email campaigns
• Analyze email performance metrics

4.1 Email List Building

Building a quality email list is the foundation of successful email marketing. Focus on attracting subscribers who are genuinely interested in your content or products.

Learning Objectives

• Set up and interpret Google Analytics
• Define and track key performance indicators (KPIs)
• Create actionable reports and insights

5.1 Key Performance Indicators

KPIs are measurable values that demonstrate how effectively a company is achieving key business objectives.

Additional Resources