Introduction

This article presents practical steps for ethical hacking and penetration testing. Its goal is to guide beginners on how to start in the field of ethical hacking and to introduce the essential tools.

It is recommended to practice Capture The Flag (CTF) challenges, as they are the primary way to develop skills.

Basic Tools for Penetration Testing

Kali Linux: An open-source operating system that includes penetration testing tools such as Metasploit, Nmap, and DirBuster.

Nmap: A powerful tool for scanning open ports and active services on target servers.

GoBuster & DirBuster: Used to search for hidden directories and unprotected folders on websites.

Wireshark: Captures and analyzes network packets.

Key Phases of Penetration Testing

1. Information Gathering (Reconnaissance)

Collecting available information about the target, such as IP addresses, domains, and open ports.

Using Whois and Nslookup to gather data about target domains and websites.

Checking the robots.txt file to discover hidden pages on websites.

2. Scanning

Identifying open ports using Nmap and analyzing the associated services.

Searching for outdated software versions that may contain known vulnerabilities.

Analyzing system responses using TTL Values to determine the target system type (Windows, Linux).

3. Exploitation

Once vulnerabilities are identified, they are exploited using tools like Metasploit or by writing custom scripts.

Searching for vulnerabilities in Exploit-DB and CVE Details for software versions running on the target system.

Attempting password cracking using Brute Force Attacks with tools like Hydra.

Understanding Protocols and Ports

Each network service operates on a specific port. The most important ones include:

  • HTTP – Port 80 (Unencrypted web service).
  • HTTPS – Port 443 (Encrypted web service).
  • SSH – Port 22 (Remote server access).
  • FTP – Port 21 (File transfer).
  • DNS – Port 53 (Domain name resolution).

Nmap is used to analyze open ports and identify potential vulnerabilities.

Vulnerability Discovery and Exploitation

Once the service type and operating system are identified, pre-existing exploits can be searched for on platforms such as:

  • Exploit-DB
  • CVE Details
  • GitHub Security Repos

Tools like Searchsploit within Kali Linux can also be used to search for known exploits.

Website Data Analysis

  • Analyzing robots.txt may reveal hidden pages that contain useful information.
  • Using Inspect Element to analyze the source code, checking for hidden comments that might expose sensitive data.
  • Inspecting Cookies and Session Tokens to determine if any exploitable data is present.
  • Testing for security weaknesses through SQL Injection and Cross-Site Scripting (XSS) attacks.

Tools for Hidden Directory Enumeration

  • Some websites contain restricted pages that are not well-protected. The following tools help discover hidden files and directories:
    • GoBuster
    • DirBuster
    • FFUF
  • These tools scan for specific file extensions such as .php, .asp, .bak, which may contain sensitive information.

Simulating Cyber Attacks

  • Brute Force Attacks – Attempting numerous password combinations to break into accounts.
  • Man-in-the-Middle (MITM) Attacks – Intercepting communication between the user and the server.
  • Session Hijacking – Stealing active session data from users.

Validating Exploits

  • No exploit should be executed before ensuring it is legal and safe.
  • Understanding the exploit code instead of copying it blindly helps avoid errors.
  • Testing exploits in a virtual environment before trying them on real systems is best practice.

Recommendations and Tips for Beginners

  • Master Linux commands, as they form the foundation of cybersecurity tools.
  • Regularly practice CTF challenges to refine hacking skills.
  • Stay updated with open-source security resources to track the latest vulnerabilities.
  • Adhere to ethical hacking principles and never engage in illegal activities.

How to Improve Information Gathering Before Penetration Testing

Information gathering is the first and most critical step in penetration testing. The data collected can determine the overall success of an attack. To enhance this process, the following strategies can be applied:

1️⃣ Passive Information Gathering

This involves collecting data without direct interaction with the target to avoid detection.

Tools and Commands:

🔹 Archive.org (Wayback Machine): Allows access to older versions of a website and helps analyze past changes.

🔹 WHOIS Lookup: Provides details about the domain owner, IP address, and server information.

Tool Name: whois

🔹 Nslookup / Dig:

  • Retrieves DNS record details.

Commands:

  • nslookup example.com
  • dig example.com ANY

🔹 Google Dorking:

  • Uses search engines to uncover sensitive data.

Examples:

"filetype:log" site:example.com → Finds log files.

"intitle:index of" site:example.com → Finds directory listings.

🔹 Shodan.io & Censys.io:

Search engines that index internet-exposed servers, CCTV cameras, IoT devices, and more.

🔹 TheHarvester:

  • Collects emails, subdomains, and other intelligence.

Command: theHarvester -d example.com -b google

🔹 GitHub Recon: Searches for leaked credentials and secret keys in public repositories.

Tool: gitrob

2️⃣ Active Information Gathering

This method directly interacts with the target, which increases the risk of detection.

Tools and Commands:

🔹 Nmap (Port and Service Scanning):

  • Identifies open ports and running services.
  • Command: nmap -sV -A -T4 example.com

🔹 Netcat (nc):

  • Manually scans ports for responses.
  • Command: nc -v example.com 80

🔹 WAF Detection (Web Application Firewall):

  • Detects firewall protection on websites.
  • Tool: Wafw00f
  • Command: wafw00f -a example.com

🔹 Directory and File Enumeration:

  • Finds hidden files and directories on websites.
  • Commands:
    • dirb http://example.com /usr/share/wordlists/dirb/common.txt
    • gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/big.txt

🔹 Nikto (Web Vulnerability Scanner):

  • Scans websites for common vulnerabilities.
  • Command: nikto -h http://example.com

🔹 Subdomain Enumeration:

  • Discovers hidden subdomains.
  • Commands:
    • sublist3r -d example.com
    • amass enum -d example.com

Email and Personal Data Analysis

Corporate email accounts are often targeted in phishing attacks. Identifying leaked or publicly available emails can help assess an organization’s exposure.

Tools for Email Investigation:
  • 🔹 OSINT Framework – Collects open-source intelligence on individuals and organizations.
  • 🔹 Have I Been Pwned – Checks if an email has been leaked in data breaches.
  • 🔹 Hunter.io / EmailPermutator – Extracts and generates possible employee email addresses.

Website Files and Hidden Directories Analysis

Some websites store sensitive files that can be accessed easily if they are not properly secured.

Tools for Hidden File Detection:
  • 🔹 robots.txt – May list restricted pages that an attacker can explore.
  • 🔹 Backup Files – Websites may store unprotected backups (.bak, .zip, .old) that contain sensitive data.
  • 🔹 Fuzzing Tools – Used to discover hidden files and directories.
    • Command: ffuf -u http://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

Network and Infrastructure Analysis

A target network may contain exploitable devices that can be leveraged in an attack.

Network Analysis Tools:
  • 🔹 Traceroute – Identifies the path that data takes to reach the target server.
    • Command: traceroute example.com
  • 🔹 ARP Spoofing – Intercepts internal network traffic.
    • Command: arpspoof -i eth0 -t 192.168.1.1 192.168.1.100
  • 🔹 Wireshark – Captures and analyzes network packets to detect security vulnerabilities.

Difference Between Network Scanning and System Enumeration in Penetration Testing

When conducting penetration testing, it is essential to distinguish between Network Scanning and System Enumeration. Both are crucial in the information-gathering phase, but each serves a different purpose and requires specific tools.

Network Scanning

Purpose:

  • ✅ Identifies devices connected to a network.
  • ✅ Determines open ports and active services.
  • ✅ Detects potential vulnerabilities within the network.

How It Works

  • Uses network scanning tools to examine IP addresses, ports, and protocols.
  • Can perform scans using TCP, UDP, ICMP, and other protocols.
  • Identifies the operating system based on network responses.

Tools for Network Scanning:
  1. 🔹 Nmap – The most popular tool for scanning networks and ports.
    • Command: nmap -sV -O -T4 example.com
    • Scans for open ports, detects the operating system, and identifies running services.
  2. 🔹 Masscan – High-speed network scanner for large-scale scanning.
    • Command: masscan -p1-65535 192.168.1.0/24 --rate=10000
    • Scans all 65,535 ports across an IP range at high speed.
  3. 🔹 Angry IP Scanner – A simple tool for discovering network-connected devices.
  4. 🔹 Netdiscover – Scans local networks to identify connected devices.
    • Command: netdiscover -r 192.168.1.0/24
  5. 🔹 Wireshark – Captures network packets for traffic analysis.

Challenges & Responsibilities of Network Scanning

  • Firewalls and security systems may detect scanning attempts.
  • Excessive scanning can trigger IP bans on the network.
  • It is recommended to use a VPN or an anonymous network while performing scans.
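Seen from the defender's side, the scanning described above is exactly what firewalls and intrusion detection systems look for. The following Python example (added here, not code from the original article) implements a simple port-scan detector over constructed iptables-style log lines: a source that probes at least min_ports distinct ports on one host within a sliding time window is flagged. The log format, addresses and timestamps are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style firewall log (addresses and times are made up).
SAMPLE_LOG = """\
2024-05-01T10:00:01 DROP SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP DPT=22
2024-05-01T10:00:01 DROP SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP DPT=80
2024-05-01T10:00:02 DROP SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP DPT=443
2024-05-01T10:00:02 DROP SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP DPT=21
2024-05-01T10:00:03 DROP SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP DPT=3389
2024-05-01T10:00:05 ACCEPT SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=443
2024-05-01T10:30:00 DROP SRC=192.0.2.9 DST=192.168.1.10 PROTO=TCP DPT=22
2024-05-01T11:30:00 DROP SRC=192.0.2.9 DST=192.168.1.10 PROTO=TCP DPT=80
2024-05-01T12:30:00 DROP SRC=192.0.2.9 DST=192.168.1.10 PROTO=TCP DPT=443
2024-05-01T13:30:00 DROP SRC=192.0.2.9 DST=192.168.1.10 PROTO=TCP DPT=21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dpt>\d+)$"
)

def parse_events(text):
    """Yield (timestamp, src, dst, dport); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])

def detect_port_scans(text, min_ports=4, window_seconds=60):
    """Flag (src, dst) pairs that probe >= min_ports distinct ports within window_seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dpt in parse_events(text):
        by_pair[(src, dst)].append((ts, dpt))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge until the window spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = sorted(set(alerts.get(pair, ())) | ports)
    return alerts

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ports {ports}")
```

With the default 60-second window only the fast scan from 203.0.113.5 is flagged; the slow scan from 192.0.2.9 (one port per hour) is only caught with a longer window such as window_seconds=6 * 3600, which is the trade-off a detection rule makes between catching slow scans and tolerating noise.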

System Enumeration

Purpose:

  • ✅ Extract detailed information about the operating system, running services, and active users.
  • ✅ Identify hidden files and shared folders.
  • ✅ Leverage gathered information to exploit the system.

How It Works

  • Identifies open ports and the services running on them.
  • Extracts active users, shared folders, and security policies.
  • Analyzes vulnerabilities in services and applications.

Tools for System Enumeration:
  1. 🔹 Enum4linux – Extracts user lists, shared folders, and other details from Windows SMB servers.
    • Command: enum4linux -a 192.168.1.10
  2. 🔹 NetBIOS Enumeration (nbtscan) – Retrieves NetBIOS information from systems.
    • Command: nbtscan -r 192.168.1.0/24
  3. 🔹 RPC Enumeration – Scans Remote Procedure Call (RPC) services on target machines.
    • Command: rpcclient -U "" 192.168.1.10
  4. 🔹 LDAP Enumeration – Extracts users and groups from Active Directory networks.
    • Command: ldapsearch -x -h example.com -b "dc=example,dc=com"
  5. 🔹 SNMP Enumeration – Retrieves device details via the SNMP protocol.
    • Command: snmpwalk -v 2c -c public 192.168.1.10

Challenges & Responsibilities of System Enumeration

  • Some systems block unauthorized queries, requiring exploitation of vulnerabilities.
  • Scanning must not disrupt services or cause system failures.
  • Legal permission is required, as scanning attempts may be logged as malicious activity.

Key Differences Between Network Scanning and System Enumeration

Feature                 | Network Scanning                            | System Enumeration
------------------------|---------------------------------------------|-------------------------------------------------------------
Objective               | Identify connected devices and open ports   | Gather detailed information about the system and services
Result                  | List of open ports and active services      | List of users, shared folders, and potential vulnerabilities
Interaction with Target | Low interaction (Passive/Active)            | Direct interaction (Active)
Common Tools            | Nmap, Masscan, Wireshark                    | Enum4linux, SNMPwalk, LDAPsearch
Risk of Detection       | Can be detected by firewalls                | May require privileged access to retrieve data
Target Systems          | Any network-connected device                | Devices running specific operating systems (Windows, Linux)

🔹 When to Use Each Method

Starting a penetration test → Perform network scanning first to identify target systems.
Finding an open-port device → Use system enumeration to gather more details about services and users.
Targeting a local network → Utilize NetBIOS, LDAP, and SNMP enumeration for deeper insights.
Targeting a website → Use Gobuster or DirBuster to discover hidden directories.


💡 Pro Tips for Professionals

  • Start with network scanning to identify suitable targets, then proceed with system enumeration for deeper analysis.
  • Use a VPN or ProxyChains to mask your IP address during scanning.
  • Save extracted data in text files for later use in exploitation.
  • Avoid excessive scanning to prevent IP bans.
  • Don’t rely on a single tool—use multiple tools for more accurate results.
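The tips above recommend saving scan results for later use. As an added example (not code from the article), this Python snippet parses nmap's grepable output format (-oG) into a structured list of open services, flags the services the port list earlier in the article describes as unencrypted, and extracts service/version pairs for lookup in CVE databases. The scan sample, hostnames and version strings are constructed for illustration.

```python
import re

# Constructed sample of `nmap -sV -oG` (grepable) output; addresses, hostnames
# and version strings are made up for illustration.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Wed May  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.10 (fileserver.example.com)\tStatus: Up
Host: 192.168.1.10 (fileserver.example.com)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.9p1/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.1.20 (web.example.com)\tStatus: Up
Host: 192.168.1.20 (web.example.com)\tPorts: 80/open/tcp//http//Apache httpd 2.4.52/, 443/open/tcp//ssl|https//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
# Nmap done at Wed May  1 10:02:11 2024 -- 256 IP addresses (2 hosts up) scanned in 131.02 seconds
"""

HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")

def parse_gnmap(text):
    """Return one dict per *open* port found in nmap -oG output."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip '# Nmap ...' header/footer lines
        fields = line.split("\t")         # grepable output is tab-separated
        ip, hostname = HOST_RE.match(fields[0]).groups()
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue                  # 'Status: Up' lines carry no port data
            for entry in field[len("Ports: "):].split(", "):
                # Fields: port/state/proto/owner/service/rpcinfo/version/ ('|' stands for '/' in version)
                port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
                if state == "open":
                    services.append({"ip": ip, "host": hostname, "port": int(port),
                                     "proto": proto, "service": service, "version": version})
    return services

CLEARTEXT_SERVICES = {"ftp", "http"}  # unencrypted services per the port list above

def cleartext_services(services):
    """Open services that move data without encryption."""
    return [s for s in services if s["service"] in CLEARTEXT_SERVICES]

def versioned_services(services):
    """(service, version) pairs that can be looked up in CVE Details / Exploit-DB."""
    return sorted({(s["service"], s["version"]) for s in services if s["version"]})

if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for s in found:
        print(f"{s['ip']:<14} {s['port']:>5}/{s['proto']} {s['service']:<14} {s['version']}")
    print("cleartext:", [(s["ip"], s["port"]) for s in cleartext_services(found)])
    print("to look up:", versioned_services(found))
```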


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
