Module 05 · Cyberspace Tech Solutions Cybersecurity Curriculum
Ethical Hacking & Penetration Testing
~60 minutes of structured prep covering the 5 pentest phases, tools, OSINT, vulnerability assessment, and exploitation techniques.
⚠️ Legal Notice: All techniques covered here are for authorized security testing only. Performing these activities without explicit written permission is illegal. Always operate within defined scope and rules of engagement.
20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes
Learning Outcomes
- Conduct penetration tests ethically and methodically
- Utilise tools like Metasploit, Nmap, and Burp Suite
- Report and remediate vulnerabilities professionally
Topics Covered
| # | Topic | Time | Type |
|---|---|---|---|
| 1 | Core Concepts (5 Phases, Tools, Recon, Assessment Types) | 10 min | Reading |
| 2 | Interview Q&A (20 questions) | 20 min | Q&A |
| 3 | MCQ Quiz (25 questions) | 15 min | Quiz |
| 4 | Pentest Phase Sequencer | 5 min | Simulation |
| 5 | Tool Purpose Matcher | 4 min | Simulation |
| 6 | Recon Type Classifier | 3 min | Simulation |
| 7 | CVSS Severity Picker | 3 min | Simulation |
Core Concepts · ~10 min
Ethical Hacking Fundamentals
The 5 Phases of Penetration Testing
1
Reconnaissance
Information gathering about the target. Passive (OSINT, WHOIS, Google Dorking, Shodan) and Active (DNS enumeration, port scanning).
2
Scanning & Enumeration
Identify open ports, services, OS fingerprinting, vulnerability scanning. Tools: Nmap, Nessus, OpenVAS, Nikto.
3
Gaining Access
Exploiting discovered vulnerabilities. Tools: Metasploit, manual exploits, SQLmap, credential attacks. Document everything.
4
Maintaining Access / Post-Exploitation
Lateral movement, privilege escalation, persistence mechanisms. Demonstrates real-world attacker dwell time impact.
5
Covering Tracks / Reporting
Restore system to pre-test state. Write comprehensive report: executive summary, findings, CVSS scores, evidence, remediation steps.
Types of Testing
| Type | Knowledge | Best for |
|---|---|---|
| Black Box | No knowledge of target system | Simulating external attacker perspective |
| White Box | Full knowledge (source code, architecture, credentials) | Comprehensive code/config review, most thorough |
| Grey Box | Partial knowledge (some credentials, network info) | Simulating insider threat or partner access |
| Assessment | Scope | Depth |
|---|---|---|
| Vulnerability Assessment | Scan and identify weaknesses (no exploitation) | Wide but shallow |
| Penetration Test | Exploit vulnerabilities to prove impact | Focused and deep |
| Red Team Exercise | Full adversary simulation (phishing, physical, etc.) | Broadest — tests people, process, technology |
Key Tools Reference
| Tool | Category | Purpose |
|---|---|---|
| Nmap | Scanning | Network/port scanner, OS detection, service version detection |
| Metasploit | Exploitation | Exploitation framework with 1500+ modules, payloads, post-exploitation |
| Burp Suite | Web App | HTTP proxy, web scanner, vulnerability testing, fuzzer |
| Wireshark | Network Analysis | Packet capture and analysis (PCAP) |
| Nessus / OpenVAS | Vuln Scanning | Automated vulnerability scanner with CVE detection |
| John the Ripper | Password | Password hash cracker (dictionary, brute-force, rules) |
| Hydra | Password | Online brute-force/dictionary attack for login forms |
| Nikto | Web | Web server scanner for dangerous files/CGIs, outdated software |
| SQLmap | Web App | Automated SQL injection detection and exploitation |
| Shodan | OSINT | Internet-wide device search engine — finds exposed services |
CVSS Scoring (Common Vulnerability Scoring System)
| Severity | Score Range | Example |
|---|---|---|
| Critical | 9.0–10.0 | Unauthenticated RCE (Log4Shell, EternalBlue) |
| High | 7.0–8.9 | SQL injection with authenticated access, privilege escalation |
| Medium | 4.0–6.9 | Stored XSS, CSRF, information disclosure |
| Low | 0.1–3.9 | Missing headers, version disclosure, verbose errors |
Interview Q&A · ~20 min · 20 Questions
Interview Questions & Model Answers
Click to expand. Difficulty: Easy Medium Hard
1What is the difference between ethical hacking and malicious hacking?Easy▼
| Feature | Ethical Hacking | Malicious Hacking |
|---|---|---|
| Permission | Explicit written authorization | No permission — illegal |
| Intent | Find and fix vulnerabilities | Exploit for personal gain/damage |
| Scope | Defined and agreed upon | No limits |
| Reporting | Full disclosure to the client | Concealment |
| Legality | Legal (with authorization) | Criminal offence |
💡 The key distinction is authorization. The same techniques used without permission constitute a crime under India's IT Act, USA's CFAA, UK's CMA, etc.
2What are the five phases of penetration testing?Easy▼
- Reconnaissance: Passive and active information gathering (OSINT, port scanning)
- Scanning & Enumeration: Deep analysis of discovered services, versions, vulnerabilities
- Gaining Access: Exploiting vulnerabilities using tools like Metasploit or custom exploits
- Maintaining Access / Post-Exploitation: Lateral movement, privilege escalation, persistence, pivoting
- Covering Tracks / Reporting: Restore to pre-test state; write detailed report with evidence and remediation
💡 Different methodologies use slightly different names: OWASP, PTES (Penetration Testing Execution Standard), and OSSTMM all describe similar phases. Know them all by concept.
3What is the difference between a vulnerability assessment and a penetration test?Medium▼
| Feature | Vulnerability Assessment | Penetration Test |
|---|---|---|
| Goal | Identify and classify weaknesses | Exploit weaknesses to prove impact |
| Exploitation? | No — discovery only | Yes — controlled exploitation |
| Depth | Broad but shallow | Focused and deep |
| Tools | Nessus, OpenVAS (automated) | Metasploit, manual techniques |
| Output | List of vulnerabilities with CVSS scores | Proof of exploitation, business impact |
| Frequency | Monthly / quarterly scans | Annual / after major changes |
💡 A VA is like a doctor listing your health risks; a pentest is like actually demonstrating that a risk can kill you. Both are needed for a complete security programme.
4What is OSINT? Give examples of OSINT tools.Medium▼
OSINT (Open Source Intelligence) is the collection and analysis of information from publicly available sources to gather intelligence about a target.
- People/Org: LinkedIn (employees, org structure), company website, news articles
- Domain/DNS: WHOIS, DIG, DNSDumpster, Sublist3r (subdomains)
- Technology: Shodan (exposed services), Censys, BuiltWith (web tech stack), Wappalyzer
- Search engines: Google Dorking (
site:example.com filetype:pdf), Bing, Yandex - Code: GitHub (leaked credentials in public repos), GitLeaks
- Dark web: Breached credential dumps (Have I Been Pwned)
- Social media: Twitter/X, Facebook — phishing target profiling
5What is Nmap and what is it used for?Easy▼
Nmap (Network Mapper) is an open-source network scanning tool used to discover hosts and services on a network. Key capabilities:
- Host discovery:
nmap -sn 192.168.1.0/24— ping sweep - Port scanning: TCP SYN scan
-sS(stealth), full connect-sT, UDP-sU - Service/version detection:
-sV— identifies running service and version - OS detection:
-O— fingerprints operating system - Script scanning:
-sC— runs default NSE (Nmap Scripting Engine) scripts - Aggressive scan:
-A— OS + version + scripts + traceroute
💡 Common pentest first step:
nmap -sV -sC -p- -oN output.txt target.com — scan all 65535 ports with service detection and default scripts.6What is Metasploit and how is it used?Medium▼
Metasploit Framework is the world's most widely used penetration testing framework. It provides a unified platform for exploit development, payload delivery, and post-exploitation.
- Exploits: 1500+ pre-built exploit modules for known CVEs
- Payloads: Code executed on the target (reverse shells, Meterpreter)
- Meterpreter: Advanced in-memory payload — file system access, privilege escalation, pivoting, screenshot, keylogging
- Post-exploitation modules: hashdump, mimikatz (credential theft), persistence
- Auxiliary modules: Scanners, fuzzers, DoS modules (non-exploiting)
use exploit/windows/smb/ms17_010_eternalblue → set RHOSTS target → set payload windows/x64/meterpreter/reverse_tcp → run
7What is the difference between black box, white box, and grey box testing?Easy▼
- Black box: Tester has no prior knowledge of the target. Simulates an external attacker. Most realistic but most time-consuming. Misses internal flaws that require code knowledge.
- White box: Tester has full knowledge — source code, architecture diagrams, credentials, network maps. Most thorough and efficient. Best for finding deep code-level vulnerabilities.
- Grey box: Tester has some knowledge — e.g., valid user credentials, network topology. Simulates an insider threat or a partner with partial access. Good balance of realism and efficiency.
💡 Most real-world engagements are grey box — it's cost-effective while still finding meaningful vulnerabilities. Pure black box can waste time on recon that the client could provide.
8What is privilege escalation?Medium▼
Privilege escalation is the process of gaining higher-level permissions than originally granted, moving from a limited user account to admin/root/SYSTEM privileges.
- Vertical escalation: Low-privilege user → admin/root (most impactful)
- Horizontal escalation: One user account → another user's account at the same privilege level
- Exploiting SUID binaries (Linux) —
find / -perm -u=s -type f - Misconfigured sudo rights (
sudo -l) - DLL hijacking / PATH manipulation (Windows)
- Kernel exploits (Dirty COW, PrintNightmare)
- Token impersonation (Windows — Juicy Potato, Rogue Potato)
- Credential harvesting from config files, environment variables
9What is lateral movement?Hard▼
Lateral movement is the technique attackers use to progressively move through a network after gaining initial access, seeking higher-value targets or data. The goal is to expand access while remaining undetected.
Common techniques:
Common techniques:
- Pass-the-Hash (PtH): Use captured NTLM password hash to authenticate without knowing the plaintext password
- Pass-the-Ticket (PtT): Steal and reuse Kerberos tickets
- Remote services: WMI, PSExec, WinRM, RDP, SSH for remote command execution
- Pivoting: Use a compromised host as a relay to reach otherwise inaccessible network segments
- Credential reuse: Try captured credentials on other systems
💡 Lateral movement is why network segmentation is critical. If an attacker compromises one endpoint, flat networks allow them to reach every other system. Segmentation limits the blast radius.
10What is a CVE and CVSS score?Easy▼
- CVE (Common Vulnerabilities and Exposures): A unique identifier assigned to a publicly disclosed vulnerability. Format: CVE-YEAR-NUMBER (e.g., CVE-2021-44228 = Log4Shell). Maintained by MITRE, published in the NVD (National Vulnerability Database).
- CVSS (Common Vulnerability Scoring System): A standardised numerical score (0–10) measuring the severity of a vulnerability based on exploitability, impact, and scope.
Scores: 0.0 = None | 0.1–3.9 = Low | 4.0–6.9 = Medium | 7.0–8.9 = High | 9.0–10.0 = Critical
11What is a buffer overflow vulnerability?Hard▼
A buffer overflow occurs when a program writes more data into a buffer than it can hold, overflowing into adjacent memory. This can corrupt data, crash the program, or allow an attacker to inject and execute arbitrary code.
Types:
Types:
- Stack-based: Overflows the call stack — classic attack. Can overwrite the return address to redirect execution.
- Heap-based: Overflows heap memory — more complex to exploit but more impactful.
💡 Classic example: Morris Worm (1988) used a buffer overflow in sendmail. Many CVEs today are still buffer overflows in legacy C/C++ code.
12What is SQL injection and how do you test for it?Medium▼
SQL injection is an attack that inserts malicious SQL code into input fields that are then executed by the database, allowing attackers to read, modify, or delete database data, or bypass authentication.
Testing techniques:
Prevention: Parameterised queries/Prepared statements, ORMs, input validation, WAF.
Testing techniques:
- Submit
'in input fields — look for database error messages - Try
' OR '1'='1in login fields to bypass authentication - Use
' OR SLEEP(5)--to detect blind SQLi (time-based) - Use SQLmap for automated detection:
sqlmap -u "http://target.com/page?id=1" --dbs - Burp Suite Intruder for fuzzing parameters
Prevention: Parameterised queries/Prepared statements, ORMs, input validation, WAF.
13What are the rules of engagement in a penetration test?Medium▼
Rules of Engagement (RoE) is the formal document agreed between the pentester and client before testing begins. It defines:
- Scope: Which systems/IPs/URLs are in-scope and explicitly out-of-scope
- Timeline: Testing start/end dates and times (e.g., off-hours only)
- Permitted techniques: What types of attacks are allowed (DoS? Social engineering? Physical?)
- Emergency contacts: Who to call if a critical system is accidentally disrupted
- Data handling: How sensitive data discovered during testing must be handled
- Notification: Whether the security team will be notified (covert vs overt)
- Legal protection: Written authorization protecting the tester from prosecution
💡 NEVER start a pentest without signed written authorization. Without it, you are committing a crime regardless of intention.
14What is the difference between active and passive reconnaissance?Easy▼
| Feature | Passive Recon | Active Recon |
|---|---|---|
| Target interaction | No direct contact with target | Direct interaction with target systems |
| Detection risk | Very low — target unaware | Higher — traffic hits target logs |
| Examples | WHOIS, Google Dorking, Shodan, LinkedIn, OSINT | Nmap scanning, DNS zone transfer, ping sweep |
| Tools | Maltego, Shodan, theHarvester, WHOIS | Nmap, Nessus, Nikto, DNS tools |
💡 Passive recon comes first — gather as much as possible without alerting the target. Active recon is noisier and may trigger IDS/firewall alerts.
15What is Burp Suite and what is it used for?Medium▼
Burp Suite is an integrated platform for web application security testing. Key features:
- Proxy: Intercept and modify HTTP/HTTPS traffic between browser and web app
- Scanner (Pro): Automated discovery of SQL injection, XSS, CSRF, and other OWASP Top 10 vulnerabilities
- Intruder: Automated fuzzing and brute-force attacks against parameters
- Repeater: Manually replay and modify individual requests
- Decoder: Encode/decode Base64, URL encoding, HTML, hex
- Collaborator (Pro): Out-of-band interaction server for detecting blind SSRF, XXE
- Sequencer: Analyse randomness of session tokens
16What is a payload in the context of Metasploit?Medium▼
In Metasploit, a payload is the code that runs on the target system after a successful exploit. It defines what happens post-exploitation.
- Singles: Self-contained — do one thing (e.g., add a user, execute a command)
- Stagers: Small code that establishes a connection, then downloads a larger Stage
- Stages: Downloaded by stager — e.g., Meterpreter shell
windows/x64/meterpreter/reverse_tcp— target connects back to attacker (firewall-friendly)linux/x86/shell_bind_tcp— opens a listening port on targetwindows/x64/exec— execute a command (single, no stager)
💡 Reverse shells are preferred because most firewalls block inbound but allow outbound connections. The target initiates the connection back to the attacker.
17What is pivoting in penetration testing?Hard▼
Pivoting is using a compromised machine (the "pivot") as a relay to reach network segments that are otherwise inaccessible from the attacker's machine. It simulates how attackers move deeper into a network after initial compromise.
Techniques:
Techniques:
- Port forwarding: Forward a specific port through the pivot (SSH -L, Metasploit portfwd)
- SOCKS proxy: Route all traffic through the pivot using a SOCKS proxy (Metasploit's socks module + proxychains)
- VPN tunnel: Create a VPN-like tunnel through the pivot for full network access
18How do you document and report findings after a penetration test?Hard▼
A professional pentest report has two main sections:
1. Executive Summary:
1. Executive Summary:
- High-level overview for non-technical management
- Overall risk rating, most critical findings summary
- Business impact in plain language
- Methodology used (PTES, OWASP, etc.)
- Each finding: Title, CVSS score, Description, Evidence (screenshots, logs), Proof of Concept steps, Business Impact, Remediation recommendation
- Risk matrix / heat map
19What is a bug bounty program?Easy▼
A bug bounty program is a crowdsourced security initiative where organisations invite external security researchers to find and responsibly disclose vulnerabilities in exchange for monetary rewards.
Key platforms: HackerOne, Bugcrowd, Intigriti, Synack.
How it works:
Key platforms: HackerOne, Bugcrowd, Intigriti, Synack.
How it works:
- Organisation defines scope (which systems are in scope), rules, and reward tiers
- Researcher finds a vulnerability
- Researcher submits a detailed report with proof of concept
- Organisation validates the finding
- Researcher receives bounty based on severity (Low: $50–$500, Critical: $10,000–$1,000,000+)
20What is Google Dorking?Medium▼
Google Dorking (also called Google Hacking) uses advanced Google search operators to find sensitive information that is publicly indexed but not intended to be public.
site:example.com filetype:pdf— find PDFs on a specific siteintitle:"index of" "passwords"— find open directory listings with password filessite:example.com inurl:admin— find admin panelsfiletype:sql "insert into" password— find SQL dump filessite:github.com "api_key" "example.com"— find leaked API keysinurl:"/wp-admin"— find WordPress admin pages
💡 Google Dorking is passive reconnaissance — you're not touching the target, only querying Google's index. It's legal to search, but acting on findings without authorization is not.
MCQ Quiz · ~15 min · 25 Questions
Multiple Choice Questions
Select an answer then click Check. Explanations shown after each submission.
Progress:
0 / 25
Simulation 1 · ~5 min
Pentest Phase Sequencer
Click a phase to select it (highlighted in blue), then click another to swap positions. Arrange all 5 phases in the correct order.
?
Gaining Access / Exploitation?
Reconnaissance (Information Gathering)?
Covering Tracks & Reporting?
Scanning & Enumeration?
Maintaining Access / Post-ExploitationSimulation 2 · ~4 min
Tool Purpose Matcher
Match each pentest tool to its correct purpose using the dropdown.
Nmap
Metasploit
Burp Suite
Wireshark
Nessus
John the Ripper
Hydra
Nikto
Simulation 3 · ~3 min
Reconnaissance Type Classifier
Classify each action as Passive Recon or Active Recon.
Using Shodan to find exposed devices and services from your browser
Running Nmap -sV against the target IP address range
Reading through a company's LinkedIn page to identify employees and their roles
Attempting a DNS zone transfer against the target's nameserver
Googling the target organisation's CEO name and corporate address
Sending ICMP ping sweeps to identify live hosts on the target network
Simulation 4 · ~3 min
CVSS Severity Picker
Select the correct CVSS severity rating for each vulnerability description.
Unauthenticated Remote Code Execution (RCE) vulnerability in the web server — attacker can run any command as root without any login credentials.
SQL injection vulnerability in the admin portal — requires valid admin credentials to exploit; can dump the entire user database.
Missing X-Frame-Options and Content-Security-Policy HTTP security headers on the marketing website.
Stored Cross-Site Scripting (XSS) in a comment field accessible only to authenticated admin users.
Web server discloses its version number (Apache 2.4.51) in HTTP response headers.
🎉
Module 05 Complete!
Ethical Hacking & Penetration Testing complete. Review any section via the sidebar.