Dive into Ethical Hacking Fundamentals: Your First Concrete Step Today

Ethical Hacking Fundamentals: the essentials in one article — real code, diagrams and concrete steps, extracts from a 42-lesson course.

The best way to learn Ethical Hacking Fundamentals is by doing. This article gives you a head start with practical excerpts from a 42-lesson course — enough to get your first results today.

tl;dr
  • Prepare your lab
  • Discover Ethical Hacking
  • Reconnaissance and OSINT
  • Scanning and enumeration
  • Exploiting vulnerabilities
Ethical Hacking Fundamentals — 11 chapters

01 Prepare your laboratory
   → Download Kali Linux and VirtualBox
   → Create the Kali VM and target machines
   + 1 more lesson
02 Discover Ethical Hacking
   → What is ethical hacking and why learn it?
   → Legal framework, certifications and methodologies
   + 1 more lesson
03 Reconnaissance and OSINT
   → Passive reconnaissance — WHOIS, DNS, Google Dorks
   → Advanced OSINT — Shodan, theHarvester and Maltego
   + 1 more lesson
04 Scanning and enumeration
   → Nmap — Port scans and service detection
   → Service enumeration (SMB, FTP, SSH, HTTP)
   + 2 more lessons
05 Vulnerability exploitation
   → Introduction to Metasploit Framework
   → Exploiting Metasploitable: vsftpd and EternalBlue
   + 1 more lesson
06 Post-exploitation and persistence
   → Linux and Windows privilege escalation
   → Pivoting, port forwarding and lateral movement
   + 1 more lesson
07 Attacks on web applications
   → OWASP Top 10: the most critical web vulnerabilities
   → SQL Injection: detection and exploitation
   + 2 more lessons
08 Network attacks and Man-in-the-Middle
   → ARP Spoofing and ARP cache poisoning
   → Sniffing network traffic with Wireshark
   + 1 more lesson
🏁 Final project (+ 3 chapters along the way)
   → You leave with a concrete and demonstrable project

Service Enumeration (SMB, FTP, SSH, HTTP)

NOTE: Objective — Master in-depth enumeration of the most common network services — SMB, FTP, SSH, HTTP and SNMP — to extract the maximum amount of actionable information before the exploitation phase.

Learning objectives

TIP: At the end of this module, you will be able to enumerate every service discovered by Nmap to extract users, shares, versions and configurations — the foundation of any successful exploitation phase.

1. Why enumerate services?

After scanning (Nmap), we know which ports are open and which services are listening. Enumeration goes further: it queries each service to extract structured information useful for exploitation.

🔍 What we are looking for

🎯 What we do next

🛠 Tools by service

2. SMB Enumeration — The most vulnerable service

SMB (Server Message Block) is Windows' file and printer sharing protocol. It is at the root of some of the most devastating vulnerabilities in history (EternalBlue, WannaCry). Its enumeration very often reveals valuable information.

2.1 enum4linux — The all-in-one tool

bash
# Complete enumeration with enum4linux
enum4linux -a 192.168.1.20

# Detailed options:
# -a : all - equivalent to -U -S -G -P -r -o -n -i
# -U : list users
# -S : list shares
# -G : list groups
# -P : password policies
# -r : RID enumeration (identifiers)
# -o : OS information
# -n : NetBIOS lookup
# -i : printer information

# With authentication (if credentials are known)
enum4linux -u "user" -p "password" -a 192.168.1.20

# Improved version (enum4linux-ng)
enum4linux-ng -A 192.168.1.20
enum4linux-ng -A -oJ report 192.168.1.20  # JSON output

2.2 Interpreting enum4linux results

Example of enum4linux output on Metasploitable2:

output

[*] Getting domain SID for 192.168.1.20
[+] Host is part of a workgroup (not a domain)

[*] Enumerating Workgroup/Domain on 192.168.1.20
[+] Got domain/workgroup name: WORKGROUP

[*] Getting OS information for 192.168.1.20
[+] Got OS info for 192.168.1.20 from smbclient:
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
    <-- Samba 3.0.20 = CVE-2007-2447 (username map script)!

[+] Enumerating users using SID S-1-5-21-... and logon username '', password ''
S-1-5-21-...-500 METASPLOITABLE\Administrator (Local User)
S-1-5-21-...-501 METASPLOITABLE\nobody (Local User)
S-1-5-21-...-1000 METASPLOITABLE\msfadmin (Local User)  <-- Target user!

[+] Enumerating shares on 192.168.1.20
//192.168.1.20/print$    Printer Drivers
//192.168.1.20/tmp       oh noes!          <-- tmp share, probably accessible!
//192.168.1.20/opt       opt
//192.168.1.20/IPC$      IPC Service (metasploitable server)
//192.168.1.20/ADMIN$    IPC Service

[+] Password Info for Domain: METASPLOITABLE
[+] Minimum password length: 5   <-- Weak policy!
[+] Password history length: None
[+] Account lockout threshold: None  <-- No lockout = brute force possible!
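To make the reading above repeatable, here is an added Python example (not part of the course) that parses enum4linux output in the layout shown and turns it into the review items the annotations point out: accounts above the built-in RIDs, non-administrative shares to check for anonymous access, and a weak password policy. The sample text is constructed from the excerpt, and the minimum-length baseline of 8 characters is an assumption.

```python
import re
# Constructed sample modelled on the enum4linux excerpt above (not captured output).
SAMPLE = r"""
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
S-1-5-21-...-500 METASPLOITABLE\Administrator (Local User)
S-1-5-21-...-501 METASPLOITABLE\nobody (Local User)
S-1-5-21-...-1000 METASPLOITABLE\msfadmin (Local User)
//192.168.1.20/print$    Printer Drivers
//192.168.1.20/tmp       oh noes!
//192.168.1.20/IPC$      IPC Service (metasploitable server)
[+] Minimum password length: 5
[+] Account lockout threshold: None
"""
SERVER_RE = re.compile(r"Server=\[([^\]]+)\]")
USER_RE = re.compile(r"^S-1-5-21-\S+-(\d+)\s+[^\\]+\\(\S+)\s+\(Local User\)")
SHARE_RE = re.compile(r"^//\S+/(\S+)\s*(.*)$")
POLICY_RE = re.compile(r"^\[\+\] (Minimum password length|Account lockout threshold): (\S+)")

def parse_enum4linux(text):
    # Collect the server banner, local users with their RID, shares and policy values.
    report = {"server": None, "users": [], "shares": {}, "policy": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := SERVER_RE.search(line):
            report["server"] = m.group(1)
        elif m := USER_RE.match(line):
            report["users"].append((m.group(2), int(m.group(1))))
        elif m := SHARE_RE.match(line):
            report["shares"][m.group(1)] = m.group(2).strip()
        elif m := POLICY_RE.match(line):
            report["policy"][m.group(1)] = m.group(2)
    return report

def findings(report, min_len=8):
    # Turn the parsed report into review items; min_len=8 is an assumed baseline.
    out = []
    for name, rid in report["users"]:
        if rid >= 1000:  # RIDs from 1000 upward are ordinary accounts, not built-ins
            out.append(f"non-built-in local account {name} (RID {rid})")
    for share in report["shares"]:
        if not share.endswith("$"):  # '$' shares are administrative/hidden
            out.append(f"share {share}: verify anonymous access is denied")
    pol = report["policy"]
    min_pw = pol.get("Minimum password length", "")
    if min_pw.isdigit() and int(min_pw) < min_len:
        out.append(f"weak policy: minimum password length {min_pw}")
    if pol.get("Account lockout threshold") == "None":
        out.append("no account lockout: online password guessing is not throttled")
    return out
```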

2.3 smbclient — Accessing shares

bash
# List available shares (anonymous access)
smbclient -L //192.168.1.20 -N
# -L : list shares
# -N : no password (anonymous access)

# List shares with a user
smbclient -L //192.168.1.20 -U "user"

# Connect to a specific share
smbclient //192.168.1.20/tmp -N

# Useful commands inside smbclient:
smbclient //192.168.1.20/tmp -N -c "ls"              # List contents
smbclient //192.168.1.20/tmp -N -c "get file.txt" # Download a file
smbclient //192.168.1.20/tmp -N -c "put local.txt"   # Upload a file
smbclient //192.168.1.20/tmp -N -c "dir"             # List directory

# Download all content from a share
smbclient //192.168.1.20/tmp -N \
  -c "prompt OFF; recurse ON; mget *"

2.4 smbmap — Permission mapping

bash
# Check permissions on all shares (anonymous)
smbmap -H 192.168.1.20

# With authentication
smbmap -H 192.168.1.20 -u "msfadmin" -p "msfadmin"

# List the contents of a specific share
smbmap -H 192.168.1.20 -r "tmp"

# Search for specific files
smbmap -H 192.168.1.20 -u "msfadmin" -p "msfadmin" \
  -R --depth 5

# Example smbmap output:
# [+] Guest session       IP: 192.168.1.20:445
# Disk         Permissions    Comment
# ----         -----------    -------
# print$       NO ACCESS      Printer Drivers
# tmp          READ, WRITE    oh noes!  <-- Full access!
# opt          NO ACCESS
# IPC$         NO ACCESS      IPC Service

2.5 Nmap scripts for SMB

bash
# Detect Samba/SMB version
nmap --script smb-os-discovery -p 139,445 192.168.1.20

# Enumerate users
nmap --script smb-enum-users -p 445 192.168.1.20

# Enumerate shares
nmap --script smb-enum-shares -p 445 192.168.1.20

# Security policies
nmap --script smb-security-mode -p 445 192.168.1.20

# Detect EternalBlue (MS17-010)
nmap --script smb-vuln-ms17-010 -p 445 192.168.1.20

# Detect MS08-067 (Conficker)
nmap --script smb-vuln-ms08-067 -p 445 192.168.1.20

# All in one command
nmap --script "smb-*" -p 139,445 192.168.1.20

3. FTP Enumeration

FTP (File Transfer Protocol) is a very common file transfer protocol, unfortunately often misconfigured and unencrypted. Anonymous access and vulnerable versions make it a prime target.

3.1 Anonymous FTP connection

bash
# Check if anonymous access is possible
nmap --script ftp-anon -p 21 192.168.1.20

# Manual connection with the FTP client
ftp 192.168.1.20
# User: anonymous (or ftp)
# Password: (any email address or empty)

# If anonymous access is allowed, useful FTP commands:
ftp> ls -la             # List all files (including hidden)
ftp> pwd                # Current directory
ftp> cd /               # Go to root
ftp> get file.txt    # Download a file
ftp> mget *.txt         # Download multiple files
ftp> put local.txt      # Upload (if write permission)
ftp> binary             # Binary mode (for non-text files)
ftp> passive            # Passive mode (if direct connection impossible)
ftp> quit               # Disconnect

# Anonymous access with wget (download all content)
wget -r --no-passive-ftp ftp://anonymous@192.168.1.20/

ARP Spoofing and ARP cache poisoning

🔎 Learning objectives
At the end of this lesson, you will be able to: understand the ARP protocol and its weaknesses, perform an ARP spoofing attack in the lab, use arpspoof, ettercap and Bettercap, and implement effective countermeasures.

1. The ARP protocol: how it works

ARP (Address Resolution Protocol) is a layer 2 (data link) protocol that resolves an IP address to a MAC address on a local network. Without ARP, machines could not communicate directly even on the same network segment.

📡 ARP Request

A machine sends a broadcast message across the entire network:
"Who has IP 192.168.1.1? Tell 192.168.1.10"

This message is sent to the broadcast MAC address: FF:FF:FF:FF:FF:FF

📢 ARP Reply

The target machine replies in unicast:
"It's me! My MAC address is AA:BB:CC:DD:EE:FF"

The sending machine stores this association in its ARP cache.

⚠️ Fundamental ARP weakness
ARP is a stateless and unauthenticated protocol. Any machine can send an ARP reply, even without having received a request. This is called a "Gratuitous ARP".

2. The ARP cache

Each machine maintains an ARP cache: a table that associates IP addresses with MAC addresses. This table has a limited lifetime (generally 2 minutes on Linux, 10 minutes on Windows).

View the ARP cache

bash
# On Linux
arp -a

# Detailed view
arp -n

# With ip neigh (more modern)
ip neigh show

# On Windows
arp -a

Example output on Linux:

output
? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (192.168.1.20) at 11:22:33:44:55:66 [ether] on eth0
? (192.168.1.30) at de:ad:be:ef:ca:fe [ether] on eth0

💡 Tip: On Kali Linux, use ip neigh show instead of arp -a: the ip command is part of the iproute2 package and is more modern and complete.

3. The ARP Spoofing attack: principle

ARP Spoofing (or ARP Poisoning) consists of sending fake ARP packets on the local network in order to associate the attacker's MAC address with the IP address of another machine (usually the gateway).

🚨 Warning – Lab only
This attack is illegal on any network without explicit authorization. Practice only in your virtual lab with Kali Linux and Metasploitable.

Typical MITM attack scenario via ARP Spoofing

🆕 Step 1: Normal state

The victim (192.168.1.10) communicates normally with the gateway (192.168.1.1).

Victim ARP cache:
192.168.1.1 → aa:bb:cc:11:22:33

⚡ Step 2: Poisoning

The attacker sends fake ARP Replies:
— To the victim: "192.168.1.1 = my MAC"
— To the gateway: "192.168.1.10 = my MAC"
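Seen from the defender's side, the two steps above leave a trace that a passive ARP monitor can pick up. This added Python example (not part of the course) replays the scenario with constructed frames, reusing the gateway MAC from step 1, and applies three checks: an established IP-to-MAC binding that changes, one MAC claiming several IPs, and replies nobody asked for. The victim and attacker MACs are made up for the example.

```python
from collections import defaultdict

# Constructed ARP frames replaying steps 1 and 2 above (not a real capture).
# Tuple layout: (operation, sender IP, sender MAC, target IP). The gateway MAC is the
# one used above; the victim and attacker MACs are made up for the example.
FRAMES = [
    ("request", "192.168.1.10", "de:ad:be:ef:ca:fe", "192.168.1.1"),  # victim asks for gateway
    ("reply", "192.168.1.1", "aa:bb:cc:11:22:33", "192.168.1.10"),   # step 1: real gateway answers
    ("reply", "192.168.1.1", "11:22:33:44:55:66", "192.168.1.10"),   # step 2: attacker -> victim
    ("reply", "192.168.1.10", "11:22:33:44:55:66", "192.168.1.1"),   # step 2: attacker -> gateway
]

def detect_arp_spoofing(frames, gateway_ip):
    table = {}                   # IP -> MAC as first learned (from requests or replies)
    ips_by_mac = defaultdict(set)
    pending = set()              # (requester IP, requested IP) still awaiting a reply
    alerts = []
    for op, s_ip, s_mac, t_ip in frames:
        known = table.setdefault(s_ip, s_mac)
        if known != s_mac:       # strongest signal: an established binding moved
            tag = "gateway " if s_ip == gateway_ip else ""
            alerts.append(f"{tag}binding change: {s_ip} was {known}, now claimed by {s_mac}")
        ips_by_mac[s_mac].add(s_ip)
        if len(ips_by_mac[s_mac]) > 1:   # one interface answering for several hosts
            alerts.append(f"one MAC {s_mac} claims several IPs: {sorted(ips_by_mac[s_mac])}")
        if op == "request":
            pending.add((s_ip, t_ip))
        elif (t_ip, s_ip) in pending:
            pending.discard((t_ip, s_ip))  # solicited reply, as expected
        else:
            # Gratuitous ARP is legitimate too, so an unsolicited reply alone is weak evidence.
            alerts.append(f"unsolicited reply: {s_ip} is-at {s_mac}, sent to {t_ip}")
    return alerts
```

The binding-change alert on the gateway is the one to act on (the countermeasures in this lesson, such as static entries for the gateway, remove exactly that signal); the unsolicited-reply alert needs corroboration because gratuitous ARP is normal traffic.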

Passive Reconnaissance — WHOIS, DNS, Google Dorks

NOTE: Objective — Master passive reconnaissance techniques to collect the maximum amount of information about a target without ever establishing direct contact with its systems. These techniques are legal, discreet and constitute the first step of any professional penetration test.

Learning objectives

TIP: At the end of this module, you will be able to perform a complete passive reconnaissance on any domain, analyze WHOIS data, query DNS and use Google Dorks to find sensitive information exposed publicly.

1. Passive vs active reconnaissance

The reconnaissance phase is the first step of the pentest methodology. It consists of collecting information about the target before any exploitation attempt. There are two fundamental types:

🔐 Passive reconnaissance

Definition: Information gathering without direct interaction with the target's systems. Publicly available sources (OSINT) are used.

🔹 Active reconnaissance

Definition: Direct interaction with the target's systems to gather information in real time.

⚠ Legal reminder — Even passive reconnaissance can become illegal if used with malicious intent. Always perform these operations within the scope of a written mandate or on your own systems. In this course we use demonstration domains such as example.com.

2. WHOIS — Domain information

The WHOIS protocol allows querying public databases containing registration information for domain names and IP addresses. It is often the first command executed during reconnaissance.

2.1 Essential WHOIS commands

bash
# Basic WHOIS lookup on a domain
whois example.com

# WHOIS on an IP address (reveals the owning organization)
whois 93.184.216.34

# WHOIS using a specific server
whois -h whois.arin.net 8.8.8.8

# Filter important results with grep
whois example.com | grep -i "registrar\|name server\|creation\|expir\|email"

# Command-line WHOIS on Windows (via Sysinternals)
whois.exe example.com

2.2 Important data in a WHOIS result

WHOIS field | Meaning | Interest for the pentester
--- | --- | ---
Registrar | Registrar used | Identify the DNS provider, social engineering possibilities
Registrant Name / Org | Name and organization of the owner | Real name, parent organization, contacts
Admin Email | Administrator email | Potential phishing target, internal email format
Name Servers | Authoritative DNS servers | Identify DNS for zone transfer attacks
Creation Date | Domain creation date | Organization age, history
Expiration Date | Expiration date | Possibility of buying an expired domain
Updated Date | Last update | Recent activity on the domain
DNSSEC | DNS security enabled or not | Presence or absence of protection against cache poisoning

💡 WHOIS Privacy — Many registrars offer a WHOIS protection service (privacy shield) that replaces the real owner information with proxy data. This does not mean the target is unreachable — other OSINT techniques can bypass this protection.
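The table reads as a checklist, and this added Python example (not part of the course) applies it to a WHOIS record in the usual "Field: value" layout: it warns on an approaching expiry, missing DNSSEC and privacy-redacted contacts, and lists the name servers whose zone-transfer settings should be confirmed. The record is constructed, and the 90-day expiry window is an assumed threshold.

```python
from datetime import datetime

# Constructed WHOIS record in the usual "Field: value" layout (not a real lookup result).
SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Updated Date: 2024-08-14T07:01:31Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-09-01T04:00:00Z
Registrant Organization: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: unsigned
"""

def parse_whois(text):
    # Repeated fields (Name Server) become lists; everything is keyed by its label.
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("%", ">>>")):
            continue  # comments and the "last update of whois database" trailer
        key, value = (part.strip() for part in line.split(":", 1))
        fields.setdefault(key, []).append(value)
    return fields

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def whois_findings(fields, today, expiry_warn_days=90):
    # Checks mirroring the table above; 'today' is an ISO timestamp, 90 days is an assumed threshold.
    out = []
    expiry = fields.get("Registry Expiry Date") or fields.get("Expiration Date")
    if expiry:
        days = (_ts(expiry[0]) - _ts(today)).days
        if days < expiry_warn_days:
            out.append(f"domain expires in {days} days: renew or risk re-registration by a third party")
    if fields.get("DNSSEC", [""])[0].lower() in ("unsigned", "no"):
        out.append("DNSSEC not enabled: no protection against cache poisoning")
    redacted = [k for k in ("Registrant Organization", "Admin Email")
                if "REDACTED" in fields.get(k, [""])[0].upper()]
    if redacted:
        out.append(f"WHOIS privacy in use for: {', '.join(redacted)}")
    for ns in fields.get("Name Server", []):
        out.append(f"authoritative NS {ns.lower()}: confirm zone transfers (AXFR) are refused")
    return out
```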

2.3 Alternative web WHOIS tools

🌎 who.is

Complete web interface with WHOIS history and additional hosting information.

🌐 DomainTools

WHOIS history, reverse WHOIS (find all domains of a person), data correlation.

🔍 ViewDNS.info

Multiple DNS and WHOIS tools, reverse IP lookup, DNS history.

3. DNS — Querying the Domain Name System

The DNS (Domain Name System) is a distributed system that translates domain names into IP addresses. For a pentester, it is a goldmine of information about the target infrastructure.


This article covers the most useful excerpts — the complete Ethical Hacking Fundamentals course (12 chapters, 42 lessons, corrected exercises and final project) takes you all the way.


FAQ

How long does it take to learn Ethical Hacking Fundamentals?
With a structured progression (12 chapters, 42 short and practical lessons), you reach an operational level in a few weeks at 30 to 60 minutes per day. The key is to practice each concept immediately.
Are there any prerequisites?
It is best to be comfortable with the fundamentals of the domain: this content goes in depth, with real-world cases.
Where to start concretely?
Reproduce the commands from this article, then follow the full Ethical Hacking Fundamentals course: it chains the 42 lessons in order, with exercises and a final project.
