“How do I become an ethical hacker?”
I hold myself to high standards. I likely won’t consider myself a real ethical hacker until a) I’m either paid to be one, or b) I can confidently say I’m at the expert level. Despite how open I am about my own abilities, and despite how many times I tell others to seek elsewhere for ethical hacking assistance, this is still (by far) the most common question I receive. In fact, I get this question daily on Instagram. It’s also pretty unfair that I get asked such a complex question that cannot be answered so simply.
It instead requires a blueprint…
Learn the Basics
If you’re beginning at ground-zero and have no experience in cybersecurity or ethical hacking, then begin your journey by studying the top-3 popular operating systems. They include Microsoft Windows, Mac OS, and Linux. Each operating system has different versions and/or distributions. But, for now, narrow your concentration to these few modern operating systems. In particular, you should familiarize yourself with the following:
- The Command line or terminal interface,
- The file structure for that operating system,
- Their security features for the operating system, and
- Their administrative tools.
You should primarily focus on Windows and Linux for the following reasons I’m about to cover:
Focus on Windows
Here’s a central piece of intel:
The Microsoft Windows OS currently holds over 85% of the global operating system market share; and therefore, has the greatest attack surface. Due to its popularity, this means Windows systems should statistically make up the majority of targets for hackers. Accordingly, knowing the ins-and-outs of the Windows OS will eventually become beneficial to any prospective ethical hacker. A few significant areas to focus on include:
- Commandline tools,
- Administrative tools,
- Windows Defender,
- Windows firewall,
- Security Center,
- Control Panel,
- Event Viewer,
- Task Scheduler,
- Important files/locations, and
- Any system utilities and features.
Focus on Linux
By the same token, if you’re interested in becoming an ethical hacker, then the Linux OS will eventually by your tool of the trade.
Despite sharing only 1% of the global OS market share, Linux is exceedingly popular amongst hackers. Likewise, I don’t know of any penetration testing platform that isn’t a Linux distribution. For example, Kali Linux, which is a Debian Linux distribution, is hands-down the most popular penetration testing framework. With that being said, the KLCP exam objectives may be one of the suitable stepping stones to becoming a bonafide ethical hacker. The objectives of Offensive Security’s KLCP exam are NOT designed to teach you how to be a hacker, but it’ll certainly familiarize you with the Kali Linux platform, which gives you a solid base in your professional security career.
How do I start?
If you’re confused about where to start, I’d suggest reviewing the objectives of the CompTIA A+ 220-902 exam objectives. This exam is centered around operating systems, features, and troubleshooting. YouTube’s Professor Messer covers these objectives quite well, and it’s free! There is also a 220-901 exam; however, it concentrates more on hardware instead of software. If you want to study that too, then that’s great. And, as I mentioned above, Offensive Security’s KLCP exam objectives will help familiarize you with Kali Linux.
Build a Foundation in Networking
Once you’re comfortable with the aforementioned operating systems, start diving into networking.
The OSI model
It’s time to understand how data traverses a network from application-to-application, and this can accomplished via a respectable attempt at understanding all 7 layers of the Open Systems Interconnection (OSI) model:
- Data Link,
- Presentation, and
This OSI model is a conceptual representation of how network communication occurs and is therefore highly relevant in creating an initial foundation in networking.
Note: there’s also another model called the TCP/IP Model. I suggest learning the OSI Model first, and then comparing and contrasting it with the latter.
Network Design and Architecture
When you feel confident that you understand the OSI model, then learn how to build networks from the ground-up. Aside from just wired and wireless networks, there are numerous network designs and architectures to review. For now, just stick with the tried-and-true implementations. For example, you don’t have to waste your time learning about network topologies that we were using decades ago; however, it is nice to see just how much this field has evolved. One of the next big changes in networking are Software-Defined Networks (SDNs). You’ll come to find that what you learn today may not be the standard a few years from now, and these changes are just an inevitable aspect of networking and cybersecurity.
Of course, it helps know the modern networking components/devices and what they do, for example:
- Cable Connectors,
- Wireless Access Points,
- Servers (e.g., Web, DNS, DHCP, proxy, etc.),
These devices are essentially the connective tissue of any network, and many of these devices, especially servers and routers, serve as targets to hackers, either as sources for sensitive data exfiltration or simply just entry points into the network.
TCP/IP and Various Protocols
By the end of your networking studies, you should be able to explain the properties of TCP/IP in addition to TCP & UDP Ports, protocols, and each of their purposes. You don’t need to know all 65,536 ports, but you have to know the common ones. It’s also necessary to know the specifications of the following protocols:
Why all these protocols? Because, as a hacker, you’ll eventually be leveraging or exploiting these services and protocols. Therefore, a good background knowledge in these areas will assist you later down the road when you’re attempting to discover known vulnerabilities and zero days. Fortunately, the details of each are discussed in their own RFC publications, which are available for free online for you to study.
And finally, learn about daily network operations. What I mean by that is what does it take to manage a modern network? Aside from setting up and configuring a network, ask yourself how network technicians and administrators manage, monitor, and troubleshoot their networks?
How do I start?
This is very broad, but the CompTIA Network+ N10-007 exam objectives cover this area quite well. Good ol’ Professor Messer covers these objectives for free too. The RFC publications are highly detailed, but they will likely include the answers you need. If you’re looking for a little more in-depth knowledge, then Cisco’s CCENT 100-105 ICND1 and CCNA 200-105 ICND2 exam objectives should be more than enough to build the foundation that you need.
Start learning a programming language.
A Hacker’s Tongue Speaks Python
As of right now, python is arguably the most popular language amongst the whitehat/blackhat hacker community. Additionally, a lot of popular hacking programs were built using python. Creating your own programs is really the best way to practice, but not everybody agrees.
If you are looking for guidance on how to start, then I suggest: Python Crash Course: A Hands-On Project-Based Introduction to Programming by Eric Mathes as well as Black Hat Python: Programming for Hackers and Pentesters by Justin Seitz. I personally don’t like learning programming languages from a book, so if you prefer online visual training, then take a look at Tim Buchalka’s Python Programming Masterclass on Udemy. I recently took this course as a refresher. To be honest, I haven’t completed this yet, but so far, it’s fantastic.
A really important thing to get into when you first start programming are secure coding concepts. Established best practices do exist in coding, in fact, there’s a whole software development life cycle. If you can recognize the mistakes other programmers are making in their insecure code (e.g., lack of input sanitization, validation, error codes, etc.), then that’s more power to you.
How Do I Start?
Aside from the books I already mentioned, there are tons of books on Amazon and training courses on Udemy that will teach you any of the languages you are interested in. You just need to stretch your fingers and find them.
By now, you should be familiar with operating systems and networking topics. It’s time to switch gears to security. Why do you need to know security before penetration testing? Because network defenders are an ethical hacker’s adversary (sort of). But, it’s true that you will have to bypass security controls…so wouldn’t it make a lot of sense to know about the current, best practice security controls that are being used against you?
What advanced threats and attacks are our endpoints and networks facing on a day-to-day basis? Malware, APTs, script-kiddies, phishing, XSS, SQLi, Web browser attacks, DNS-based attacks, DDoS attacks, and zero days just nearly scratch the surface.
Accordingly, you should study how these attacks are performed, the vulnerabilities they exploit, and what detection and preventative actions security analysts are currently doing to defend against them. Again, it’s a very broad topic; however, it might help to know that most security controls are going to fit into one or more of the following 3 categories: technical, management, and operational. Many of these are discussed in NIST SP 800-53.
Secure System and Network Designs
I also recommend studying up on secure system design and secure network architecture. For example, think about firewall placement, DMZs, and IDS sensor placement. Think about how network defenders are going to fend you off. What endpoint hardening process are they using? Are they using any segmentation/compartmentalization implementations? What types of access controls are in place? Are they using any monitoring tools that you should be aware of? How about detection systems? For example, security professionals use research-honeypot systems to gather evidence on the TTPs you use to hack their systems, which could be even be applied as evidence to be used against you.
By now, you should be able to recognize the point I’m trying to make here, which is that by gaining initial insight into exactly HOW your adversaries are detecting and defending against your attacks, the more likely you are to succeed, evade detection, and escape any attempts of forensic analysis. This is why I suggest a strong foundation in defensive skills before developing offensive skills.
Risk and Vulnerability Management
Don’t neglect risk and vulnerability management either. Both of these complex processes, which in some cases are even federally mandated, are essential to a defender’s security posture. Most enterprise organizations or companies are implementing some form of risk and vulnerability management. Knowing both of these topics educates you on the processes surrounding how risk and vulnerabilities are identified, mitigated, or patched. And as a benefit to you, it will also help you quickly identify common weaknesses.
And lastly, know a bit about cryptography. You don’t have to know the exact mathematics, but at least know PKI and the common encryption algorithms.
How Do I Start?
If you’re stuck knowing where to start, then CompTIA’s Security+ SY0-501 objectives are really going to help you in this aspect. And yes, Professor Messer covers these topcis for free too. These objectives are what I would consider to be “basic” security concepts.
Now, take all you’ve learned from basic security and step it up a notch.
Begin familiarizing yourself with modern, advanced-level to intermediate-level security practices used in threat management:
- Day-to-day security -related tasks,
- data correlation and analytic methods, and
- Appropriate threat response actions
As a quick example, security analysts often look for threats by reviewing syslog data through a SIEM solution, packet captures and analysis on network segments, endpoint monitoring or baseline comparisons, router/firewall log reviewing, IDS/IPS alerts/logs, and so forth and so on. If you lack a background in networking and security, then this will take longer to learn.
Answer the following questions: How are security analysts performing threat hunting? What are some of the best ways to secure a network from advanced threats? How are security analysts and incident-responders appropriately responding to these threats and what countermeasures are they implementing? How are these threats classified and how do they contribute to the severity and prioritization of the incident? What are the proper IR procedures in these situations? When you can start to answer these questions up to this point, you’re teeter-tottering between intermediate and advanced-level knowledge.
It would also be good to know what tool sets network defenders are using to detect and prevent your attacks.
- Preventative tools,
- Collective tools,
- Detection tools,
- Analytical tools,
- Exploitation tools, and
- Forensic tools
For example, many network devices and applications will send their logging information over the network to a collective, central log server where analysts can use SIEM software to easily identify any evidence you might have negligently left behind.
How Do I Start?
Everything discussed above is covered in CompTIA’s CySA+ CS0-001 exam objectives. This is a relatively new certification and is not even a year old yet, but there are resources out there.
Now that you have what I consider a really good foundation in security, let’s switch to offensive skills. Fortunately, some of you are already familiar with Kali Linux and many of its pre-installed penetration testing programs.
Practice, Practice, Practice
There are plenty of websites where you can legally practice your hacking skills. A very popular one right now seems to be Hack the Box, an online platform that contains numerous challenges for all experience-levels. If you don’t want to do that, then build your own physical or virtual network in your home. Do you currently have any systems on your home network that you can test? If you own them, it’s likely legal to practice hacking them. You could also consider downloading intentionally vulnerable VMs, such as Rapid7’s Metasploitable 2. Or, another popular option is to practice hacking the Damn Vulnerable Web Application (DVWA). These can all be set to varying difficulty levels depending on your own abilities and the level of realism that you prefer.
There’s tons of bug bounty programs and communities that you can participate in. I’d also suggest checking out hackerone. Facebook, Google, Yahoo, Tesla, even the U.S. Department of Defense participate in bug bounties. These are great ways to legally test your skills and even get a monetary reward for it. If you’re not sure where to begin, check out Joseph Marshall’s Hands-On: Bug Hunting for Penetration Testers as well as Jon Erikson’s Hacking: The Art of Exploitation.
The Ethical Hacker’s Methodology
With a new familiarity in hacking, you should start learning the hacker’s methodology. There are several different methodologies, and most hackers are familiar with the Ethical Hacker’s methodology, which is covered in the EC Council’s CEH exam objectives. However, there are a few others, such as the PenTest methodology and the NIST SP 800-115 methodology. Anyway, the Ethical Hacker’s methodology is as follows:
- Performing Reconnaissance
- Scanning and Enumerating
- Gaining Access
- Escalation of Privilege
- Maintaining Access
- Covering Tracks and Placing Backdoors
I won’t be covering any of these for you. Your job is to look into each of the steps above on your own. Keep in mind that as an ethical hacker, you must learn to carefully define the scope of your penetration assessments and any rules of engagement. It’s all too easy to accidentally break something or touch a system that you were not supposed to.
How Do I Start?
If you’re looking for a nice outline that might define your study structure, then take a look at CompTIA’s PenTest+ PT0-001 or the EC Council’s CEH exam objectives. The EC Council’s ECSA exam objectives cover this area as well, but it’s definitely more advanced than the CEH exam. Similarly, I would say Offensive Security’s OSCP exam objectives fit here too.
If you’re looking for some resources to help guide you, then I would definitely suggest Peter Kim’s The Hacker Playbook 3: Practical Guide to Penetration Testing. I haven’t read it yet, but if it’s any good as The Hacker Playbook 2, then I’d highly recommend it. I also recommend Allen Harper and Daniel Regalado’s Grey Hat Hacking: The Ethical Hacker’s Handbook, 5th Edition.
There are also plenty of penetration testing courses on Udemy. Although they are pretty basic, they should be a very valuable resource to any beginner.
Advanced Penetration Testing
This section separates script kiddies from true hackers. The true hacker’s expert-level knowledge can only be attained after patiently hammering away and honing your skills year-after-year.
Unfortunately, many young, aspiring hackers attempt to shoot for the top too quickly. But, in order to strengthen your own skills to this level of status, your repeated efforts must challenge your current abilities. You cannot grow if you never challenge yourself. Ethical hackers love a challenge.
Through repeated efforts of trial and error, and through hardships that both exhibit qualities of determination and perseverance, you can reach this level. It just takes constant practice and continual education.
How Do I Start?
Hackers at this level usually acquire a GIAC certification, such as GPEN, GWAPT, or GXPN certifications. And, although I don’t know much about it, I’m willing to bet EC Council’s LPT certification is included here as well. SANS.org has training courses that will prepare you for these certifications, but unfortunately, they are not cheap. A reduction in price may be worked out with your employer. Or, if you ever served in the military, you can potentially get veterans preference benefits.
The Hacker’s Mindset
I don’t really buy into the whole “lifestyle” thing.
Some people will fool you into believing it’s something you’re born with, which is more than likely just their alter-ego talking. I say you can be anything you want to be if you put in the work.
However, I would agree that there’s a certain “mindset” to being a hacker. When dissecting that further, I guess it just boils down to one thing: You just have to enjoy breaking things…Just kidding.
I would describe an ethical hacker as possessing a certain level of “innovation,” meaning they are creative and inventive in most regards. Being an ethical hacker isn’t easy either. Since you’re burdened with the task of bypassing tight controls or tediously finding vulnerabilities, ethical hacking can sometimes be rather difficult. With that being said, it’s a requirement to enjoy a good challenge.
Here’s something that’s pretty interesting. Pop culture would likely describe a hacker as a socially awkward recluse. However, I think any good ethical hacker is a “people” person. As we all know, humans are the weakest link in security; the lowest of the hanging fruit. Therefore, a good ethical hacker should be able understand and manipulate human behavior.
It also goes without saying: Being an “ethical” hacker means you follow a code of ethics, that is, your behavior should be governed by moral principles.