The Ethical Hacker’s Skillset

Ethical Hacking

Looking at what it takes to be an ethical hacker by Perspective Risk’s cyber security pro and successful social engineer Marius Cociorba.

In part one, we discussed the ethical hacker’s mindset in a security scenario. Here, we look at the fundamental skills an ethical hacker should develop and maintain to excel at finding security flaws.

This is not intended as an exhaustive list. Instead, I have hand-picked a variety of good resources to get you started.

To kick off, here’s CREST’s syllabus for their CPSA/CRT exam which you can use to structure your own study: CREST Practitioner Security Analyst & CREST Registered Tester Technical Syllabus.

For structure, I’ve used the five basic phases of penetration testing and the skills you will need to build on.

Phase 1 – Reconnaissance/Information Gathering

Every test starts with gathering preliminary data on your target. The aim is to learn as much as possible about the target system and how it operates. For an external target (think web application or an Internet accessible service), a wealth of information can be found online. Here is some of the data you should look for:

IPs, Network ranges, DNS records, Whois details, Autonomous System (AS) numbers and more. Try Robtex.com.
Potential running services: Shodan.io – make to register a free account in order to use query filters.
Interesting files and potentially sensitive documents by querying search engines. For Google, queries used to find sensitive data are known as Google Dorks. Pick up a copy of Google Hacking for Penetration Testers (3^rd Edition) by Johnny Long and see Exploit Database’s Google Hacking Database for more examples.
Staff profiles – LinkedIn and social media sites.
Web archives. Check out Internet archive Wayback Machine

Phase 2 – Scanning

Once you’ve built an initial picture from open sources, it’s time to engage with the target to see what’s running and whether it can be used to gain access. Areas to understand:

Network architectures and protocols. Do you remember the OSI model? Can you explain the differences between TCP and UDP? How do VLANs work? The more understanding you acquire, the easier you will cope with complex network topologies.
Scanning. How does scanning work? What are the main techniques used? Can firewalls block scan probes? How can you be stealthier? Are the results accurate? We’ll discuss some of the tools used to probe remote services in our next post. It’s helpful to know some of the theory behind this, and not simply rely on a tool to get the job done.
Identifying vulnerabilities. Once you’ve mapped any running services and their version numbers, it’s time to search for known issues which you can leverage to obtain a level of access to the target. Start by using a vulnerability scanner such as Nessus, or OpenVAS, to quickly identify potential issues. False positives do happen though, so it’s important to validate each reported issue.

Phase 3 – Gaining Access

This is arguably the most satisfying part of ethical hacking. Seeing a shell pop up for the first time – and allowing you access to your target, is a sight to remember. Legend has it that some spontaneously burst into a celebratory dance when they’ve obtained root or admin privileges. (Editor’s note: we have the video…)

Here are some areas to consider and develop:

Common web vulnerabilities: OWASP Top 10 is a good start. Some of the vulnerabilities, such as SQL injection or poorly restricted file uploads, can result in a compromise of the underlying web server
Common Windows vulnerabilities: MS08-067. For bonus points, check out:
- Microsoft Security Bulletin MS08-067 – Critical
- Video explanation by John Degruyter under the hood MS 08-067 – it’s a classic.
- Microsoft Security Bulletin MS17-010 – Critical and;
- Rapid7Community -The Shadow Brokers Leaked Exploits Explained for context about other leaked exploits.
Common Linux/ *nix vulnerabilities. Grab copies of:
- Hacking Exposed: Linux Security Secrets and Solutions Third Edition
- Hacking Exposed: Linux Security Secrets & Solutions Second Edition

Hacking Exposed books are a good starting point for other topics, such as Wireless vulnerabilities. (Other good booksellers are available).

In addition to knowing how to identify vulnerabilities and exploit them using available code and published techniques, it’s useful to understand how the issues were discovered and leveraged in the first place. Exploit development is a complex endeavour. These are some basics as a starting point and to lead you to further study. The main skill areas are:

Fuzzing. Both art and science, fuzzing is a technique used to discover potential security flaws by sending specially crafted input (random or following a pattern) to software to generate crashes that can be turned into working exploits.
Reverse engineering. Once a crash has been triggered, the next step is to identify where it is happening and why. Once software is compiled to machine language, you can’t read the original code. That’s where decompilers and a good understanding of assembly language let you take a peek into the inner logic of software. Check out:
- Reversing: Secrets of Reverse Engineering (oldie but goldie by Eldad Eilam)
- Practical Reverse Engineering, authors various and;
- The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler
Exploit writing. You’ve found a bug, but how do you go from crash to shell? There are many techniques that allow you to take control over program execution, bypass inbuilt protections, and execute code of your own. The state of exploit development has made leaps over the years, and protection measures have increased in complexity. It’s a good idea to know your fundamentals, i.e. basic buffer overflows. See:
- Fuzzy Security’s famous tutorials
- OWASP reference guide to fuzzing with further links and tools to look at
- The Corelan Team website

Phase 4 – Escalating and Maintaining Access

The planets don’t always align and, after much effort, you have only compromised a low-level account. Gaining access is just the beginning. Most of the time you have to move up, and sideways, to get Domain Admin. Elevating privileges is all about good detective work: finding passwords (in automation scripts, config files, text files and spreadsheets), misconfigurations – e.g. services with weak permissions that happen to be running under privileged accounts, and vulnerabilities that you can exploit locally. Check out the fundamentals:

Phase 5 – Covering Tracks

While this won’t come up much in standard pentests, it’s a useful skill to have for longer engagements and red teaming. This stage is all about clearing logs, the command history and removing leftover files used in exploits or other tools to stay undetected.

Here’s a quick introduction:

NULL BYTE – How to Cover Your Tracks & Leave No Trace Behind on the Target System You can look up more advanced topics such as executing payloads in memory;
WCE and Mimikatz in memory over meterpreter by justineelze

I would also argue that being stealthy during the engagement also comes under this stage. Knowledge of traffic tunnelling and encapsulation, and using pivots/intermediate systems to mask and diffuse the source of an attack, are useful.

The Ethical Hacker’s Skillset – Conclusion

Discussing the entire skillset of an ethical hacker is probably best left to a book rather than a blog. It’s been my aim to provide a starting point for readers who have asked themselves “I want to be an ethical hacker – now what?” and include plenty of references for further study.

I’ve come to realise that being an ethical hacker is first about being a competent generalist in a wide range of areas including apps, infrastructure, wireless, configuration reviews – you name it. It is this variety that makes ethical hacking fun and challenging.

If you would like to appoint Marius or any of team PR to assist with your information security, click here to contact us.