Cybersecurity and
Ethical Hacking
From the CIA triad to active exploitation. A structured path through network security, web application hacking, penetration testing methodology, cryptography, digital forensics, and building a practice lab on bare-metal infrastructure.
This guide assumes no prior security knowledge. Each section builds on the previous one, progressing from foundational theory through hands-on techniques to professional methodology and career development. All examples use intentionally vulnerable targets in isolated lab environments.
Hands-On Security Lab
Experience offensive security firsthand. Fire up the terminal, exploit a SQL injection, or watch passwords crumble under cryptanalytic assault -- all within the safety of this simulated environment.
SELECT * FROM users WHERE username = '' AND password = '';
| User | Hash | Type | Method | Progress | Result |
|---|---|---|---|---|---|
| admin | 5f4dcc3b5aa765d61d83... | MD5 | Dictionary | -- | |
| jsmith | e99a18c428cb38d5f260... | MD5 | Dictionary | -- | |
| sarah.c | 5e884898da28047151d0... | SHA-256 | Rainbow | -- | |
| dbadmin | d8578edf8458ce06fbc5... | MD5 | Dictionary | -- | |
| sysop | $2b$12$EixZaYVK1fsb... | bcrypt | Brute Force | -- |
The CIA triad and threat landscape
All of cybersecurity reduces to three principles: confidentiality, integrity, and availability. Every attack targets at least one. Every defense protects at least one. Understanding this framework is the foundation for everything that follows.
The CIA triad is not academic abstraction. When you assess a vulnerability, you ask: does it compromise confidentiality (data leakage), integrity (data tampering), or availability (service disruption)? The answer determines severity, priority, and remediation.
Confidentiality
Information is accessible only to those authorized to have access. Prevents unauthorized disclosure of data.
Integrity
Information is accurate and complete and has not been modified by unauthorized parties. Ensures data trustworthiness.
Availability
Information and systems are accessible when needed. Systems must be resilient against disruption and downtime.
Attack Classification
Network Attacks
Web Application Attacks
System Attacks
Social Engineering
The OSI model and protocol analysis
Every network attack exploits a specific protocol at a specific OSI layer. Understanding the seven-layer model is not academic -- it is the framework for understanding where an attack operates, what defenses apply, and what tools to use for detection and exploitation.
As a penetration tester, you will analyze traffic at Layer 2 (ARP spoofing), craft packets at Layer 3-4 (port scanning), and exploit applications at Layer 7 (SQL injection). The table below maps each layer to its protocols, common attacks, and the tools used to test them.
OSI Reference Model -- Security Perspective
| Layer | Name | Protocols | Common Attacks | Tools |
|---|---|---|---|---|
| 7 | Application | HTTP, HTTPS, DNS, FTP, SMTP, SSH, SNMP | SQL injection, XSS, CSRF, directory traversal, API abuse | Burp Suite, sqlmap, Nikto, Gobuster |
| 6 | Presentation | SSL/TLS, MIME, JPEG, ASCII, encryption | SSL stripping, certificate forgery, encoding attacks | sslstrip, testssl.sh, SSLyze |
| 5 | Session | NetBIOS, PPTP, RPC, SOCKS | Session hijacking, session fixation, replay attacks | Wireshark, Ettercap, Bettercap |
| 4 | Transport | TCP, UDP, SCTP | SYN flood, UDP flood, port scanning, TCP reset | Nmap, hping3, Scapy |
| 3 | Network | IP, ICMP, IGMP, IPsec, BGP, OSPF | IP spoofing, ICMP redirect, route injection, fragmentation | traceroute, Scapy, Nmap |
| 2 | Data Link | Ethernet, ARP, PPP, 802.11 (Wi-Fi), VLAN | ARP spoofing, MAC flooding, VLAN hopping, rogue DHCP | arpspoof, macchanger, Yersinia |
| 1 | Physical | Cables, hubs, repeaters, radio frequencies | Wiretapping, jamming, cable cutting, keylogger hardware | HackRF, RTL-SDR, LAN Turtle |
TCP Three-Way Handshake
SYN, SYN-ACK, ACK. This is the foundation of port scanning. A SYN scan (half-open) sends SYN and analyzes the response: SYN-ACK means open, RST means closed, no response means filtered. Understanding this handshake is essential for interpreting Nmap results.
ARP (Address Resolution Protocol)
Maps IP addresses to MAC addresses on a local network. ARP has no authentication -- any device can claim to own any IP address. ARP spoofing exploits this to intercept traffic between two parties (man-in-the-middle) on the same network segment.
DNS (Domain Name System)
Translates domain names to IP addresses. DNS cache poisoning redirects users to malicious servers. DNS zone transfers can leak the entire domain structure. DNS tunneling can exfiltrate data through DNS queries, bypassing most firewalls.
Essential commands for security operations
Linux is the operating system of cybersecurity. Kali Linux, Parrot OS, and most server infrastructure run on Linux. Mastering the command line is not optional -- it is the primary interface for reconnaissance, exploitation, and forensics.
File System Navigation
Network Diagnostics
Process and Service Management
User and Permission Analysis
Information gathering and attack surface mapping
Reconnaissance is the most important phase of a penetration test. The quality of your enumeration directly determines your success in exploitation. Spend more time here than you think necessary. Most penetration tests succeed or fail based on the thoroughness of reconnaissance.
There are two categories: passive (no direct target interaction, undetectable) and active (direct interaction, detectable by IDS and logging). Professional testers always start passive before transitioning to active reconnaissance.
Passive Reconnaissance
Gathering information without directly interacting with the target. The target has no way to detect this activity because no packets are sent to their systems.
Active Reconnaissance
Directly interacting with the target to discover services, versions, and vulnerabilities. This activity can be detected by intrusion detection systems and is logged by firewalls.
Tools for vulnerability discovery
Scanning turns reconnaissance intelligence into actionable targets. These tools probe the target to identify open ports, running services, software versions, and known vulnerabilities. Each tool serves a specific purpose in the enumeration pipeline.
Nmap
Network MapperPort scanning, service detection, OS fingerprinting, NSE script scanning
Gobuster
Directory and DNS BruteforcerWeb content discovery, subdomain enumeration, virtual host detection
Nikto
Web Server ScannerWeb server vulnerability scanning, misconfigurations, default files, outdated software
Enum4linux
SMB/NetBIOS EnumeratorWindows/Samba share enumeration, user listing, group policy extraction
From vulnerability to system access
Exploitation is the controlled process of leveraging a vulnerability to gain unauthorized access. In ethical hacking, this is done with explicit authorization to demonstrate real-world risk. The goal is proof of impact, not destruction.
Professional penetration testers follow a disciplined process: identify the vulnerability, select the most reliable exploit, customize the payload for the target environment, and document every step for the final report.
Vulnerability Identification
Matching discovered services and versions against known vulnerability databases. This maps the attack surface to actionable exploits.
- 1.Cross-reference service versions from Nmap output against the National Vulnerability Database (NVD)
- 2.Search Exploit-DB (searchsploit) for public exploits matching the target's software stack
- 3.Check vendor advisories and security bulletins for recently patched vulnerabilities
- 4.Run automated scanners (OpenVAS, Nessus) for comprehensive vulnerability assessment
- 5.Analyze custom web applications for OWASP Top 10 vulnerabilities using Burp Suite
Exploit Selection and Customization
Choosing the most reliable exploit for the target's specific configuration. Reliability matters more than sophistication in professional penetration testing.
- 1.Evaluate exploit reliability: prefer exploits with known success rates and minimal side effects
- 2.Verify exploit compatibility with the target's exact version, architecture, and configuration
- 3.Modify shellcode or payload to match the target environment (IP, port, encoding)
- 4.Test the exploit in a controlled lab environment before deploying against the target
- 5.Prepare fallback exploits in case the primary vector fails or is detected
Payload Delivery and Execution
Delivering the exploit to the target and achieving code execution. The goal is initial access -- a foothold on the target system.
- 1.Stage the payload: generate reverse shell, meterpreter, or custom implant with msfvenom
- 2.Set up the listener: configure Metasploit multi/handler or Netcat to catch the callback
- 3.Deliver the exploit: direct network exploit, phishing email, malicious file upload, or client-side attack
- 4.Verify execution: confirm shell access, check user context (whoami), assess initial privileges
- 5.Establish persistence: create backdoor, add user, install cron job, or deploy web shell as backup access
Post-Exploitation
After gaining initial access, the objective shifts to understanding the compromised environment, escalating privileges, and expanding access to other systems.
- 1.Situational awareness: enumerate the local system, network, users, running processes, installed software
- 2.Credential harvesting: dump password hashes, search for stored credentials, capture tokens
- 3.Lateral movement: use harvested credentials to access other systems on the network
- 4.Data exfiltration: identify and extract sensitive data as proof of impact for the report
- 5.Clean up: remove artifacts, restore modified files, close backdoors (in authorized testing)
Metasploit Framework -- Core Commands
OWASP Top 10 and web exploitation
Web applications are the most common attack surface in modern organizations. The OWASP Top 10 is the industry-standard classification of the ten most critical web application security risks, updated periodically based on real-world breach data.
Burp Suite is the primary tool for web application testing. It acts as a proxy between your browser and the target, allowing you to intercept, inspect, and modify every HTTP request and response. PortSwigger Web Security Academy provides free, hands-on labs for every category below.
Broken Access Control
Restrictions on authenticated users are not properly enforced. Attackers can access unauthorized functions or data, modify other users' records, or escalate privileges.
Cryptographic Failures
Sensitive data is transmitted or stored without adequate cryptographic protection. Includes weak algorithms, poor key management, and missing encryption.
Injection
Untrusted data is sent to an interpreter as part of a command or query. SQL injection, NoSQL injection, OS command injection, and LDAP injection are all variants.
Insecure Design
Fundamental design flaws that cannot be fixed by perfect implementation. Missing threat modeling, insecure business logic, and absence of security requirements.
Security Misconfiguration
Insecure default configurations, incomplete configurations, open cloud storage, unnecessary features enabled, verbose error messages revealing stack traces.
Vulnerable and Outdated Components
Using libraries, frameworks, or software with known vulnerabilities. Includes not tracking component versions and not monitoring security advisories.
Identification and Authentication Failures
Weaknesses in authentication mechanisms: credential stuffing, brute force, weak passwords, improper session management, missing MFA.
Software and Data Integrity Failures
Code and infrastructure that does not protect against integrity violations: unsigned updates, insecure CI/CD pipelines, unverified deserialization.
Security Logging and Monitoring Failures
Insufficient logging, missing alerting, and inadequate incident response. Attackers can operate undetected for extended periods.
Server-Side Request Forgery (SSRF)
The application fetches a remote resource based on user-supplied input without validating the destination. Allows access to internal services behind firewalls.
From user to root: escalation vectors
Initial exploitation typically provides low-privilege access. Privilege escalation is the process of leveraging misconfigurations, vulnerable software, or design flaws to gain administrative (root or SYSTEM) access. This is a core skill for penetration testing.
Linux Privilege Escalation
SUID Binaries
Binaries with the SUID bit run as their owner (often root) regardless of who executes them. If a SUID binary allows arbitrary command execution, it provides a direct path to root. GTFOBins documents exploitable SUID binaries.
Sudo Misconfigurations
Check what commands the current user can run with sudo. Common misconfigurations: sudo access to editors (vim, nano), scripting languages (python, perl), or file utilities (find, tar) that can spawn a shell.
Writable Cron Jobs
If a script executed by a cron job running as root is writable by the current user, replacing its contents with a reverse shell payload grants root access on the next cron execution.
Kernel Exploits
Older kernel versions have known privilege escalation exploits. Cross-reference the kernel version against exploit databases. Examples: DirtyCow (CVE-2016-5195), DirtyPipe (CVE-2022-0847).
Writable /etc/passwd
If /etc/passwd is writable, you can add a new user entry with UID 0 (root) and a known password hash, creating a backdoor root account.
Capabilities
Linux capabilities grant specific root privileges to binaries without full SUID. cap_setuid on Python or Perl allows privilege escalation. Less visible than SUID.
PATH Hijacking
If a privileged script calls a command without an absolute path, and the current user can write to a directory earlier in PATH, placing a malicious binary there hijacks execution.
Docker Group
Members of the docker group can mount the host filesystem into a container and gain root access: docker run -v /:/host -it ubuntu chroot /host.
Windows Privilege Escalation
Unquoted Service Paths
Services with unquoted paths containing spaces can be hijacked by placing a malicious executable at an earlier path component. Windows evaluates each space as a potential executable boundary.
AlwaysInstallElevated
If both HKLM and HKCU registry keys are set to 1, any user can install MSI packages with SYSTEM privileges. Create a malicious MSI with msfvenom.
Token Impersonation
SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege allows impersonation of privileged tokens. Tools: PrintSpoofer, JuicyPotato, GodPotato.
Stored Credentials
Windows Credential Manager may store plaintext or recoverable credentials. Also check: PowerShell history, IIS web.config files, unattend.xml, Groups.xml.
Service Binary Permissions
If the current user has write permission to a service binary, replacing it with a malicious executable runs code as the service account (often SYSTEM) when the service restarts.
Registry Autorun
Writable autorun registry entries execute commands at user login. If a privileged user logs in and the entry is writable, it provides privilege escalation.
Automated Enumeration Tools
Hash cracking and credential attacks
Passwords remain the most common authentication mechanism and the most frequently exploited. Understanding how passwords are stored (hashing), how hashes are cracked (offline attacks), and how credentials are brute-forced (online attacks) is fundamental.
John the Ripper
Offline password hash cracking with CPU-based attacks
Hashcat
GPU-accelerated password hash cracking -- significantly faster than CPU-based tools
Hydra
Online password brute-forcing against network services
Common Hash Types -- Identification
| Hash Type | Length | Example Pattern | Hashcat Mode |
|---|---|---|---|
| MD5 | 32 hex chars | 5d41402abc4b2a76b9719d911017c592 | -m 0 |
| SHA-1 | 40 hex chars | aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d | -m 100 |
| SHA-256 | 64 hex chars | 2cf24dba5fb0a30e26e83b2ac5b9e29... | -m 1400 |
| NTLM | 32 hex chars | a4f49c406510bdcab6824ee7c30fd852 | -m 1000 |
| bcrypt | $2b$ prefix | $2b$12$LJ3m4ys3Lk0TdIBgFepVNu... | -m 3200 |
| sha512crypt | $6$ prefix | $6$rounds=5000$salt$hash... | -m 1800 |
Wi-Fi protocols and wireless attacks
Wireless networks broadcast traffic through the air, making them inherently more exposed than wired networks. Understanding wireless protocols, encryption standards, and attack techniques is essential for both offensive testing and defensive hardening.
WEP (Wired Equivalent Privacy)
Uses RC4 stream cipher with a 24-bit initialization vector (IV). The IV space is too small, causing IV reuse that allows statistical key recovery. An attacker can crack WEP in minutes by capturing enough packets.
WPA/WPA2 (Wi-Fi Protected Access)
Uses AES-CCMP (WPA2) for encryption. PSK (Pre-Shared Key) mode is vulnerable to offline dictionary attacks by capturing the four-way handshake. Enterprise mode (802.1X/RADIUS) is significantly more secure.
WPA3 (Wi-Fi Protected Access 3)
Uses SAE (Simultaneous Authentication of Equals) replacing PSK, providing forward secrecy and resistance to offline dictionary attacks. Dragonblood vulnerabilities were discovered but are largely patched.
Rogue Access Points
An attacker creates a fake access point with the same SSID as a trusted network. Victims connect automatically, routing all traffic through the attacker's device for interception and credential capture.
Aircrack-ng Suite -- Core Commands
Encryption, hashing, and key management
Cryptography is the mathematical foundation of information security. Every secure communication, every password storage mechanism, every digital signature relies on cryptographic primitives. Understanding these concepts is essential for both attacking weak implementations and building secure systems.
Symmetric Encryption
The same key encrypts and decrypts data. Fast and efficient for bulk data encryption. The challenge is secure key distribution -- both parties must share the key over a secure channel.
Asymmetric Encryption
Uses a key pair: public key encrypts, private key decrypts. Solves the key distribution problem but is computationally expensive. Typically used for key exchange and digital signatures, not bulk data.
Hash Functions
One-way functions that produce a fixed-size output (digest) from arbitrary input. Any change to the input produces a completely different hash. Used for integrity verification and password storage.
Public Key Infrastructure (PKI)
The framework of policies, procedures, and technology for managing digital certificates and public-key encryption. Certificate Authorities (CAs) issue certificates that bind public keys to identities.
Evidence collection and incident analysis
Digital forensics is the discipline of collecting, preserving, and analyzing digital evidence following incidents. Whether investigating a breach, analyzing malware, or preparing evidence for legal proceedings, forensic methodology ensures findings are admissible and reproducible.
Disk Forensics
Acquiring and analyzing storage media to recover deleted files, examine file system artifacts, and reconstruct user activity timelines.
- 1.Create a forensic image (bit-for-bit copy) of the target drive before any analysis
- 2.Verify image integrity with cryptographic hashes (MD5 + SHA-256) to maintain chain of custody
- 3.Analyze file system metadata: timestamps (MACB), file allocation tables, journal entries
- 4.Recover deleted files from unallocated space and slack space
- 5.Extract and analyze browser history, email databases, and application artifacts
Memory Forensics
Analyzing volatile memory (RAM) dumps to identify running processes, network connections, loaded modules, and malware that exists only in memory.
- 1.Dump physical memory using LiME (Linux) or WinPmem (Windows) before system shutdown
- 2.List running processes and identify suspicious or hidden processes (process hollowing, injection)
- 3.Extract network connections and map them to processes for command-and-control identification
- 4.Dump process memory to extract encryption keys, passwords, and decrypted data
- 5.Identify loaded kernel modules and detect rootkit presence through anomaly analysis
Network Forensics
Capturing and analyzing network traffic to reconstruct communications, identify data exfiltration, and trace attack paths through the network.
- 1.Capture full packet data (PCAP) at network chokepoints during incident response
- 2.Reconstruct TCP streams to recover transmitted files, emails, and web sessions
- 3.Analyze DNS queries for domain generation algorithm (DGA) patterns indicating malware
- 4.Identify beaconing patterns in traffic that suggest command-and-control communications
- 5.Map lateral movement by correlating authentication events across multiple hosts
Log Analysis
Examining system, application, and security logs to reconstruct the timeline of an intrusion and identify the attacker's actions.
- 1.Correlate timestamps across multiple log sources to build a unified timeline
- 2.Search for indicators of compromise (IOCs): malicious IPs, file hashes, user agents
- 3.Analyze authentication logs for brute-force patterns, impossible travel, or anomalous access
- 4.Review web server access logs for injection attempts, directory traversal, and scanning patterns
- 5.Examine Windows Event Logs: Security (4624/4625 logon), System, and PowerShell logs
Defense in depth and security architecture
Understanding offense is incomplete without understanding defense. The defense-in-depth model layers multiple security controls so that the failure of any single control does not result in compromise. Each layer provides independent protection.
Network Defense
Host Defense
Application Defense
Monitoring and Response
Building a hacking lab on Proxmox infrastructure
A home lab is where theory becomes practice. The infrastructure below is live and running on our Proxmox bare-metal server — every VM, container, and network bridge described here is a real, deployed system that you can connect to via RDP or the Proxmox console.
The architecture uses a dedicated virtual bridge (vmbr2) completely isolated from the production network (vmbr1) and the internet (vmbr0). No traffic routes between the attack lab and production systems. This isolation is critical for safe practice.
Lab Status — Deployed & Running
Isolated Lab Network Architecture
Kali Linux (VM 300)
4 cores, 8 GB RAM, 60 GB disk (local-zfs), QXL + SPICE graphicsPrimary attack machine — Kali 2025.4 with full Xfce desktop via xRDP remote access, Metasploit with PostgreSQL database, 50+ pentesting tools, custom aliases and tmux pentest layout
DVWA (CT 310)
1 core, 1 GB RAM, 8 GB disk (local-zfs)Damn Vulnerable Web Application — Apache 2.4 + PHP 8.2 + MariaDB on Debian 12 LXC container. OWASP Top 10 practice: SQL injection, XSS, CSRF, command injection, file upload, brute force
OWASP Juice Shop (CT 311)
2 cores, 2 GB RAM, 10 GB disk (local-zfs), Ubuntu 24.04Modern intentionally insecure web app with 100+ hacking challenges. Covers the entire OWASP Top 10 plus authentication flaws, broken access control, and sensitive data exposure
Windows Server 2019 (Planned)
4 cores, 4 GB RAM, 60 GB disk (planned)Active Directory domain controller for practicing Kerberoasting, pass-the-hash, DCSync, BloodHound enumeration, and lateral movement techniques
Step-by-Step Installation Guide
Complete reproduction steps for building this lab from scratch on any Proxmox server. Every command below was tested and verified on our live infrastructure.
1. Create the isolated lab network
# On Proxmox — create vmbr2 bridge (10.0.1.1/24, no gateway, no NAT) pvesh create /nodes/$(hostname)/network -iface vmbr2 -type bridge -cidr 10.0.1.1/24 -autostart 1 ifreload -a
vmbr2 is completely isolated from production (vmbr1) and internet (vmbr0). No traffic routes between bridges unless you explicitly add iptables rules.
2. Create Kali VM from ISO
# Download Kali ISO and create VM 300 with QXL graphics for SPICE console qm create 300 --name kali-attack --cores 4 --memory 8192 --balloon 2048 \ --scsi0 local-zfs:60 --scsihw virtio-scsi-single --boot order=scsi0 \ --net0 virtio,bridge=vmbr2 --vga qxl --machine q35 \ --ide2 local:iso/kali-linux-2025.4-installer-amd64.iso,media=cdrom qm start 300 # Boot and install via Proxmox noVNC/SPICE console
During install: set user to simonadmin, set static IP 10.0.1.10/24, gateway 10.0.1.1. If network fails during install, skip — we fix it post-install.
3. Post-install configuration
# Run via Proxmox guest agent (qm guest exec 300 -- bash -c '...') # Add Kali repos if missing: echo 'deb http://http.kali.org/kali kali-rolling main contrib non-free non-free-firmware' > /etc/apt/sources.list apt-get update && apt-get full-upgrade -y # Configure /etc/hosts for lab targets: echo '10.0.1.30 dvwa.lab' >> /etc/hosts echo '10.0.1.40 juice.lab' >> /etc/hosts
Temporary NAT needed for downloads: iptables -I FORWARD 1 -s 10.0.1.0/24 -o vmbr0 -j ACCEPT (insert at position 1 — append won't work if DROP rules exist). Remove NAT after.
4. Install xRDP for remote desktop
apt-get install -y xrdp xorgxrdp kali-desktop-xfce # CRITICAL: startwm.sh must launch Xfce — GNOME crashes over xRDP cat > /etc/xrdp/startwm.sh << 'EOF' #!/bin/sh unset DBUS_SESSION_BUS_ADDRESS unset XDG_RUNTIME_DIR exec startxfce4 EOF chmod 755 /etc/xrdp/startwm.sh # Fix TLS key permissions: chmod 640 /etc/xrdp/key.pem && chown root:xrdp /etc/xrdp/key.pem systemctl enable --now xrdp
If system upgrade replaces Xfce with GNOME, reinstall kali-desktop-xfce. GNOME session exits with code 255/signal 5 over xRDP — this is a known incompatibility with xorgxrdp.
5. Connect via SSH tunnel + RDP
# From your local machine — create SSH tunnel through Proxmox: ssh -p 2222 -L 13389:10.0.1.10:3389 root@YOUR_PROXMOX_IP -N -f # Then connect with any RDP client (Remmina, xfreerdp, mstsc): remmina -c rdp://simonadmin@localhost:13389
The tunnel forwards localhost:13389 → Kali:3389 through the Proxmox host. Works from anywhere with SSH access. Session: Xorg, user: simonadmin.
6. Deploy vulnerable targets
# DVWA — Debian 12 LXC with Apache + PHP + MariaDB pct create 310 local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst \ --hostname dvwa --cores 1 --memory 1024 --net0 name=eth0,bridge=vmbr2,ip=10.0.1.30/24,gw=10.0.1.1 # Inside CT 310: apt install apache2 php mariadb-server php-mysqli php-gd # Clone DVWA: git clone https://github.com/digininja/DVWA /var/www/html/ # Juice Shop — Ubuntu 24.04 LXC with Node.js pct create 311 local:vztmpl/ubuntu-24.04-standard_24.04-2_amd64.tar.zst \ --hostname juice-shop --cores 2 --memory 2048 --net0 name=eth0,bridge=vmbr2,ip=10.0.1.40/24,gw=10.0.1.1 # Inside CT 311: curl -fsSL https://deb.nodesource.com/setup_20.x | bash - # npm install -g juice-shop && juice-shop # runs on port 3000
Ubuntu 24.04 needed for Juice Shop (requires GLIBC 2.39). Install as systemd service for auto-start. Both targets are accessible only from vmbr2.
7. Install pentesting tools
# Kali metapackages — install all at once: apt-get install -y kali-tools-web kali-tools-database kali-tools-passwords \ kali-tools-information-gathering kali-tools-vulnerability \ kali-tools-exploitation kali-tools-post-exploitation \ kali-tools-sniffing-spoofing kali-tools-forensics # Additional tools: apt-get install -y crackmapexec feroxbuster bloodhound neo4j seclists \ bettercap ettercap-common nuclei httpx-toolkit subfinder
After installing all tools, run apt autoremove && apt clean. Take a snapshot: qm snapshot 300 tools-complete. This gives you a safe restore point.
Professional penetration testing lifecycle
A penetration test is not random hacking. It is a structured engagement with defined scope, methodology, and deliverables. This six-phase lifecycle is based on PTES (Penetration Testing Execution Standard) and OWASP Testing Guide frameworks.
1. Pre-Engagement
1-2 daysDefine the scope, rules of engagement, and legal authorization before any testing begins. This is the most important phase -- it prevents legal issues and sets expectations.
- --Signed authorization and scope document listing all in-scope IP ranges, domains, and applications
- --Rules of engagement: testing hours, off-limits systems, emergency contacts, communication channels
- --Defined testing methodology: black box (no information), grey box (partial), or white box (full access)
- --Legal review: ensure compliance with local laws, contractual obligations, and regulatory requirements
2. Reconnaissance
2-3 daysGather intelligence about the target using passive and active techniques. Build a comprehensive map of the attack surface: domains, IP ranges, technologies, employees, and organizational structure.
- --Asset inventory: all discovered domains, subdomains, IP addresses, and network ranges
- --Technology stack identification: web servers, frameworks, databases, CDN providers
- --Employee information: email format, key personnel, organizational chart from LinkedIn
- --Attack surface map: exposed services, entry points, and potential vulnerability areas
3. Scanning and Enumeration
2-3 daysActively probe discovered assets to identify open ports, running services, software versions, and potential vulnerabilities. This phase transitions from information gathering to vulnerability identification.
- --Port scan results: all open TCP/UDP ports across in-scope IP ranges with service identification
- --Vulnerability scan output: matched CVEs, misconfigurations, and weak configurations
- --Web application mapping: discovered endpoints, parameters, authentication mechanisms, API schemas
- --Prioritized target list: ranked by likelihood of exploitation and potential impact
4. Exploitation
3-5 daysAttempt to exploit identified vulnerabilities to demonstrate real-world impact. Document each exploitation attempt with evidence: screenshots, command output, and data access proof.
- --Exploitation evidence: screenshots, shell access proof, data samples (redacted if sensitive)
- --Attack chains documented: step-by-step from initial access through privilege escalation
- --Impact assessment: what data was accessible, what systems were compromised, blast radius analysis
- --False positive validation: confirming that scanner findings are genuinely exploitable
5. Post-Exploitation
1-2 daysAssess the full impact of successful exploits: lateral movement potential, data access scope, persistence options, and business impact of the compromise.
- --Lateral movement map: systems reachable from compromised hosts with harvested credentials
- --Data access inventory: databases, file shares, and sensitive data accessible from compromised positions
- --Persistence assessment: methods an attacker could use to maintain long-term access
- --Business impact analysis: translate technical findings into business risk language
6. Reporting
2-3 daysProduce a comprehensive report with executive summary, technical findings, evidence, and remediation recommendations. The report is the primary deliverable of a penetration test.
- --Executive summary: high-level findings, risk ratings, and strategic recommendations for leadership
- --Technical findings: each vulnerability with CVSS score, evidence, reproduction steps, and remediation
- --Remediation priority matrix: vulnerabilities ranked by risk (likelihood x impact) with fix timelines
- --Retest guidance: specific verification steps to confirm each vulnerability has been remediated
Certifications and professional development
Cybersecurity certifications validate skills and open doors. The path below progresses from foundational knowledge through practical offensive skills to the industry gold standard. Each certification builds on the previous one.
CompTIA Security+
Vendor-neutral certification covering security fundamentals: threats, attacks, vulnerabilities, architecture, operations, and governance. Industry standard for entry-level security roles.
eJPT
Practical, hands-on certification focused on penetration testing fundamentals. The exam is a real-world pentest: you compromise machines in a network and answer questions about what you found.
OSCP
The gold standard for penetration testing. 24-hour hands-on exam where you must compromise multiple machines of varying difficulty and write a professional report. Proves real-world offensive capability.
HTB CPTS
Modern alternative to OSCP from HackTheBox. Covers the full penetration testing lifecycle with a practical exam. Strong emphasis on Active Directory, web applications, and modern attack techniques.
Recommended 12-Month Learning Path
Month 1-2
Networking and Linux fundamentalsTryHackMe Pre-Security and Complete Beginner paths. Set up home lab on Proxmox with Kali and vulnerable targets.
Study for CompTIA Security+
Month 3-4
Web application securityPortSwigger Web Security Academy (all free labs). Practice SQL injection, XSS, CSRF on DVWA and Juice Shop.
Take CompTIA Security+ exam
Month 5-6
Penetration testing fundamentalsHackTheBox Starting Point and easy machines. Practice full methodology: recon, scan, exploit, escalate, report.
Study for eJPT
Month 7-8
Active Directory and privilege escalationTryHackMe Offensive Pentesting path. Build AD lab on Proxmox. Practice Kerberoasting, pass-the-hash, DCSync.
Take eJPT exam
Month 9-10
Advanced exploitation and CTFHackTheBox medium machines. Participate in CTF competitions. Build custom tools in Python.
Begin OSCP/CPTS preparation
Month 11-12
OSCP or HTB CPTS preparationOffensive Security PEN-200 course or HTB Academy CPTS path. Practice exam-like scenarios. Write professional reports.
Schedule certification exam
Platforms, references, and essential reading
Interactive Platforms
Reference Documentation
Books
Essential Toolset
Explore more technical deep dives
This guide covers the foundational knowledge for cybersecurity and ethical hacking. See more technical writing on AI agents, infrastructure, and data engineering.