Most Important Ethical Hacking Domains And Tools

The world of Ethical Hacking and Penetration Testing is huge. It covers many areas and a lot of different topics. In this article I give a brief overview on the major topics of Ethical Hacking and the most relevant tools and techniques for each topic. A topic is one specific domain like wireless hacking or infrastructure hacking. It goes without saying that all of these topics are entangled with each other. I point out relevant resources and tools which should be looked into and known in order to master one of the domains. This article targets beginners who just started their journey into Ethical Hacking and want to get an overview on the main topics of Ethical Hacking and Penetration Testing.

Wireless

• Aircrack-Suite for cracking WEP
• WPA/WPA2 Pre-Shared-Key brute forcing with rainbow tables and precompiled lists, pyrit
• Macchanger for mac-spoofing and mac-whitelisting
• WPS hacking with reaver
• Alfa Wireless Cards for great hardware support (I'm an example!)
• For war driving / walking / swimming: Kismet, InSSIDer and NetStumbler (for Windows users out there)
• Putting it all together with the automated WiFi-cracking tool wifite
• Karmetasploit for fun with evil access points
• WiFi Pineapple / Jasager for a malicious, automated hardware access point
• Nuking your neighbor's (nah, be nice!) wireless with MDK3

Infrastructure

• Nmap, the almighty port scanning tool
• Metasploit, face it, you won't get around using this one or another exploitation framework if you want to be efficient as a Pentester
• Armitage, the GUI for Metasploit has some decent features which make it easy to search for exploits and to manage multiple targets
• Netcat, your network Swiss Army knife
• Telnet, in case you grew up with it or you have no netcat at hand
• Wireshark and tcpdump for capturing and analyzing network traffic
• ARPspoof for man-in-the-middle attacks
• Knowing how to use SSH and tunneling technology
• Know how firewalls work and know the difference between paket-filtering and stateful-inspection firewalls (and how to bypass them)
• Know how Intrusion Detection Systems and Intrusion Prevention Systems operate
• The mechanics of VPNs and proxies
• Network technology, meaning the OSI layer and how pakets flow inside a network
• Be knowledgeable about how mounting remote drives works in different environments and Operating Systems
• Pivoting and passing sessions between machines

Web Applications

• Get to know common vulnerability lists like OWASP Top 10, Sans or CWE
• Master the exploration phase and find those nasty hidden directories with dirb, dirbuster or Burp Suite's intruder tool
• Try different local proxies like Burp Suite, WebScarab or Zed Attack Proxy
• Medusa, Hydra or Burp Suite's intruder for authentication brute forcing
• Pre-compiled distribution with web application testing focus: SamuraiWTF
• SQL injection testing tools like sqlmap or sqlninja for MS SQL backend
• Training grounds like Gruyere, WebGoat, Mutillida, DVWA or the HacMe series
• Web application vulnerability scanners like Burp Suite's Pro version, HP's WebInspect, w3af or Wapiti

Mobile

• Android vs. iOS Operating Systems
• Know how different Android and iOS versions work and differ
• Look at different offensive mobile security tools like
• dSploit
• USB Cleaver to recover passwords and hashes from an owned phone
• Install and run Kali (with all its tools) on your Android
• Popular apps and their weaknesses (e.g. WhatsApp or Snapchat)
• How to root your device (be careful, you may lose all warranty on this device!)

Social Engineering & Physical Security

I decided to put social engineering and physical security together. Looking from a Red Team perspective this makes sense because both domains are often targeted at breaking the parameter defenses and getting into an enterprise.

• Social Engineering Toolkit (SET), among others used for spear phishing
• Sending spoofed e-mails 
• BeEF, the Browser Exploitation Framwork for browser-based attacks
• Lock picking!
• Open Source Intelligence (OSINT) tools like
• Maltego for harvesting those juicy data on the social web
• FOCA for collecting meta data
• theHarvester which offers passive and active recon
• Shodan ('Hello' from Systemshock!) is a search engine for computers and their network information
• EXIF image meta data viewer, online versions available
• The Proxmark3 for copying badges and access cards and replaying them to bypass security gates

Programming

There are some Pentesters who do their jobs very well without ever writing a line of code. However, I prefer to be able to throw together some lines of code to automate smaller tasks or to twitch an exploit here or there. If you think about which languages to learn to become a better penetration tester, consider the following ones:

• Python. Great language to write small scripts and works like a charm on Linux. It has a very powerful command line utility that can come in very handy when working with batch jobs like appending a certain suffix to each file within a folder. A lot of ethical hacking tools and scripts are written in python which makes it even more attractive to learn this language.
• Bash-Scripting. Don't throw a tomato at me, I know that Bash-Scripting isn't a real programming language. Nevertheless, it is essential for a lot of things, for example editing exploits on Linux, automating tasks or using some programming power on systems where no other languages are available.
• Java / C#. Get a little object-orientation into the mix. Although Python can also be used in an object-oriented manner, I suggest to take a look into Java and / or C#. Knowledge of these languages will also be beneficial when it comes to analyzing web application constructed with .jsp (Java) or .asp(x) (.NET = C#) technology.
• HTML, Javascript, CSS. If you think about getting into web application testing, you definitely have to have a good understanding of how the web works. Welcome to the world of the Hypertext Transfer Protocol and its friends HTML, Javascript, AJAX and CSS! 

Of course there are other useful languages such as Perl,  Ruby and Batch-Scripting. Which one is picked up by a Pentester heavily depends on his previous knowledge, personal preference and focus area.

Operating Systems

• On Linux you should know how to...
• create, copy, download and delete files
• find your way around on the filesystem
• work with the filesystem's permissions (e.g. chmod)
• create, add, delete and manage users and groups
• work with different packet management systems
• examine and delete different log files
• change the color's for the command line ;p
• find weak file permissions
• find "interesting" files (find command, location of interesting files like etc/shadow)
• examine cron jobs
• use different text editors like nano or vi
• do some bash scripting

• On Windows you should know ...
• how a Window's server differs from a Window's desktop
• the filesystem
• how the registry works
• where and how hashes are stored
• how to work with command line / powershell
• how to do some batch scripting
• how to start, stop and examine services
• examine and delete different log files
• different versions of Windows and the major changes between the versions

TL;DR: Get to know the different domains of ethical hacking. The most common ones are wireless, infrastructure, web applications, mobile, social engineering, programming and Operating Systems. Of course there are others out there. Get to know the tools and techniques of the different domains and build up your knowledge within the domains.