Ethical Hacking Lesson 44 – Tools Summary | Dataplexa
Web Hacking & Real World · Lesson 44

Tools Summary

Forty-three lessons. Dozens of tools. This lesson organises everything into a single reference — structured by engagement phase so you always know which tool to reach for, when to reach for it, and what it does that the alternatives cannot.

The engagement workflow — tools in context

Tools are not the point. The methodology is the point. Tools are what you use to execute the methodology efficiently. A pen tester who knows every flag in every tool but does not have a structured approach to an engagement will miss findings consistently. A tester who understands the methodology deeply — what to look for at each phase, how phases connect — will find significant issues even with minimal tooling.

The phases of an engagement are not strict sequential steps. Reconnaissance informs exploitation. Exploitation informs post-exploitation targets. Post-exploitation surfaces new reconnaissance leads. The workflow is iterative — each phase feeds back into the others. The tools below are organised by phase not because they are used in strict order but because that structure makes it easy to identify what to use at each stage of the work.

Phase 1 — Reconnaissance

RECONNAISSANCE TOOLS — passive and active information gathering
| Tool | Primary use | Lesson | Active? |
| --- | --- | --- | --- |
| whois | Domain registration data — registrant, nameservers, creation date, expiry | L12 | Passive |
| dig / nslookup | DNS records — A, MX, NS, TXT, CNAME. Zone transfer attempts with AXFR | L11 | Passive |
| theHarvester | Email addresses, subdomains, names, and IPs from public sources — Google, LinkedIn, Shodan | L8 | Passive |
| Shodan | Internet-wide scanning database — find exposed services, banners, and known vulnerabilities by IP or domain | L8 | Passive |
| Google Dorking | Targeted search operators to find exposed files, admin panels, login pages, and sensitive information indexed by Google | L13 | Passive |
| Nmap | Port scanning, service detection, OS fingerprinting, NSE vulnerability scripts. The primary active scanning tool for network-layer reconnaissance | L14, L15 | Active |
| netcat / curl | Banner grabbing — manual connection to a service port to read its version announcement before any authentication | L19 | Active |
| Nessus / OpenVAS | Automated vulnerability scanning — identifying known CVEs across all discovered services with severity ratings and remediation guidance | L18 | Active |

Phase 2 — Credential attacks

CREDENTIAL ATTACK TOOLS — offline cracking and online brute force
| Tool | Primary use | Lesson | Mode |
| --- | --- | --- | --- |
| hashcat | GPU-accelerated offline hash cracking. Supports MD5, NTLM, bcrypt, WPA2, and hundreds of other formats. Fastest option for raw cracking speed | L21, L33 | Offline |
| John the Ripper | CPU-based offline hash cracking. Auto-detects hash format. Excellent for /etc/shadow (sha512crypt) where GPU gains are minimal. Maintains a potfile for session resumption | L21 | Offline |
| Hydra | Online brute force against live services — SSH, FTP, HTTP forms, SMTP, RDP, MySQL. Use -p for spraying (one password, many users) and -P for wordlist attack | L22 | Online |
| Burp Intruder | Web application brute force — credential testing against login forms, API endpoints, and parameter fuzzing. Identifies rate limiting and lockout gaps through response analysis | L40 | Online |

Phase 3 — Exploitation

EXPLOITATION TOOLS — gaining and maintaining access
| Tool | Primary use | Lesson |
| --- | --- | --- |
| Metasploit | The exploitation framework. Known CVE exploits, payload delivery, post-exploitation modules, and multi/handler for catching reverse shells. msfconsole is the interactive interface | L29 |
| msfvenom | Standalone payload generator — produces reverse shell executables, web shells, APKs, and PowerShell payloads without requiring a full Metasploit session | L29 |
| netcat | Bind shells and reverse shells. Listening for incoming connections with -lvp. File transfer between attacker and target. Banner grabbing and service interaction | L19, L29 |
| sqlmap | Automated SQL injection — detects injection points, identifies the database type and version, enumerates tables and columns, and extracts data. Supports all injection techniques including blind and time-based | L38 |
| Burp Suite | The central tool for web and API testing — Proxy for interception, Repeater for manual testing, Intruder for fuzzing, Sequencer for token analysis, Decoder for encoding transformations. The PortSwigger Web Security Academy is the best free training for web security | L36–L43 |

Phase 4 — Post-exploitation and privilege escalation

POST-EXPLOITATION TOOLS — escalation, persistence, and lateral movement
| Tool | Primary use | Lesson |
| --- | --- | --- |
| LinPEAS | Linux privilege escalation enumeration — SUID binaries, sudo rules, cron jobs, world-writable files, stored credentials, and running software versions. Colour-coded by exploitability | L25, L27 |
| WinPEAS | Windows privilege escalation enumeration — unquoted service paths, modifiable services, registry autoruns, AlwaysInstallElevated, stored credentials, and scheduled tasks | L26, L27 |
| accesschk.exe | Sysinternals tool for checking Windows object permissions — services, registry keys, files. Used to confirm modifiable services before attempting sc config binary path hijacking | L26 |
| GTFOBins | Reference for Unix binary abuse — look up any binary found in sudo -l or SUID enumeration to find privilege escalation, file read, or shell escape techniques. Free at gtfobins.github.io | L24, L25 |
| find / grep | Credential harvesting on Linux — searching for files containing passwords, config files with database credentials, world-readable sensitive files, and shell history analysis | L23 |

Phase 5 — Network attacks

NETWORK ATTACK TOOLS — sniffing, MITM, and wireless
| Tool | Primary use | Lesson |
| --- | --- | --- |
| Wireshark | GUI packet analyser — capture and read live traffic, apply display filters, follow TCP streams to reassemble full sessions. Most powerful for visual analysis of captures | L30 |
| tcpdump | CLI packet capture — works on headless servers over SSH. Save to pcap for Wireshark analysis. Pipe through strings/grep for fast plaintext credential extraction from live captures | L30 |
| arpspoof / bettercap | ARP spoofing for MITM positioning. bettercap combines ARP poisoning, SSL stripping, credential sniffing, and DNS spoofing in one interactive framework | L31 |
| aircrack-ng suite | Wireless attack toolkit — airodump-ng for capture, aireplay-ng for deauthentication, aircrack-ng for WPA2 handshake cracking. hcxdumptool and hcxtools for PMKID attacks | L33 |
| Reaver | WPS PIN brute force — exploits the split-validation design flaw to recover WPA2 passwords directly. Run only when WPS is confirmed enabled on the target AP | L33 |

The tool-selection decision — a practical framework

Three questions drive tool selection at any point in an engagement. Getting these right removes uncertainty about what to reach for.

1. Passive or active?

Passive reconnaissance leaves no logs on the target — whois, Shodan, Google Dorking, theHarvester. Always exhaust passive methods first before generating active traffic. Active testing — Nmap, Hydra, Burp — is visible and logged. On engagements where stealth matters, passive-first is not optional.

2. Automated or manual?

Automated tools provide coverage and speed. Manual techniques provide depth and understanding. Neither alone is sufficient. Use automated tools — LinPEAS, sqlmap, Nessus — to surface candidates quickly. Use manual techniques — Burp Repeater, direct SQL payloads, hands-on privilege escalation steps — to confirm, understand, and document findings that automated tools flag. A finding that only an automated scanner identified without a human confirming it is not ready for a report.

3. Is this within scope and authorised?

Every tool in every phase must be deployed only within the boundaries of the engagement scope. The right tool for an out-of-scope target is no tool at all. This is not a technical question — it is a professional and legal one. If scope is ambiguous, stop and ask before running anything. The scope document protects both the pen tester and the client. Violating it exposes both.
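One way to make the scope question a mechanical check rather than a judgement made mid-engagement, as an added example that is not part of the course material: a small Python scope checker that classifies each candidate target against the authorised ranges, individually named hosts and exclusions of a hypothetical scope document, and flags the ambiguous case (inside an authorised range but not individually listed) for client confirmation instead of treating it as authorised. The Scope model, the field names and every address below are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

IN_SCOPE, OUT_OF_SCOPE, CONFIRM = "IN_SCOPE", "OUT_OF_SCOPE", "CONFIRM_WITH_CLIENT"

@dataclass
class Scope:
    """Hypothetical scope-document model: all values used below are constructed samples."""
    authorised: list[str]                                 # CIDR ranges the scope document authorises
    named_hosts: set[str] = field(default_factory=set)    # hosts the document lists individually
    excluded: list[str] = field(default_factory=list)     # exclusions always win

def _in_any(ip, networks):
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def check_target(scope: Scope, target: str) -> str:
    """Classify one target. Anything not clearly authorised is never IN_SCOPE."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # A hostname must be resolved and re-checked as an IP before any traffic is sent.
        return CONFIRM
    if _in_any(ip, scope.excluded):
        return OUT_OF_SCOPE
    if not _in_any(ip, scope.authorised):
        return OUT_OF_SCOPE
    if target in scope.named_hosts:
        return IN_SCOPE
    # Inside an authorised range but not on the host list: the ambiguous case.
    # Stop and ask before running anything against it.
    return CONFIRM

def triage(scope: Scope, targets: list[str]) -> dict[str, list[str]]:
    """Bucket candidate targets so nothing ambiguous gets scanned by accident."""
    buckets = {IN_SCOPE: [], OUT_OF_SCOPE: [], CONFIRM: []}
    for t in targets:
        buckets[check_target(scope, t)].append(t)
    return buckets

# Constructed sample: the 10.10.0.0/16 range, two named hosts, one excluded subnet.
SAMPLE_SCOPE = Scope(authorised=["10.10.0.0/16"],
                     named_hosts={"10.10.5.20", "10.10.5.21"},
                     excluded=["10.10.250.0/24"])

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_SCOPE, ["10.10.5.20", "10.10.77.3", "10.10.250.9", "192.168.1.1"]).items():
        print(f"{bucket}: {hosts}")
```

Targets landing in CONFIRM_WITH_CLIENT are the ones the scope paragraph tells you to ask about; only IN_SCOPE hosts should ever feed a scanner.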

External resources — the reference library

The tools covered in this course are the foundation. These external resources extend that foundation into specialisations, keep knowledge current as the field evolves, and provide the hands-on practice needed to build genuine proficiency.

PortSwigger Web Security Academy

Free, hands-on web security labs covering every OWASP category, Burp Suite usage, and advanced web techniques. The best free training for Section IV topics. portswigger.net/web-security

SQL injection, XSS, CSRF, SSRF, access control, authentication — all with interactive lab environments.

MITRE ATT&CK

Comprehensive knowledge base of attacker techniques — every persistence mechanism, lateral movement method, and evasion technique documented from real intrusions. attack.mitre.org

Use ATT&CK Navigator to map detection coverage gaps and to tie report findings to technique IDs.

GTFOBins

Unix binary abuse reference — privilege escalation, file read, reverse shells, and SUID exploitation for every common Linux binary. gtfobins.github.io

Check here first when sudo -l reveals an unexpected binary.

HackTricks

Comprehensive pen testing wiki — checklists, payloads, and techniques for every topic covered in this course and hundreds beyond it. book.hacktricks.xyz

The go-to reference when you encounter an unfamiliar service, protocol, or scenario mid-engagement.

CIS Benchmarks

Free hardening guides for every major OS, cloud platform, and application server. cisecurity.org/cis-benchmarks — the standard reference for remediation recommendations in pen test reports.

Point clients here when recommending systematic hardening rather than individual fixes.

Exploit-DB

Public exploit archive — searchable by CVE, software name, and version. The searchsploit command-line tool searches it offline. exploit-db.com

Use after version enumeration to check whether a discovered service version has a public exploit available.

Certifications — structuring continued development

The knowledge in this course maps directly to the content of the most widely recognised entry and mid-level offensive security certifications. Each certification has a different emphasis — understanding what each tests helps choose the right next step.

eJPT (eLearnSecurity)

Entry-level. Network enumeration, basic exploitation with Metasploit, web application basics. The first certification to aim for — practical exam format, no prior certification required. Directly mapped to Sections I–III of this course.

CompTIA PenTest+ (CompTIA)

Mid-level. Comprehensive coverage of all pen test phases including planning, scoping, reporting, and professional ethics. Multiple-choice plus performance-based questions. Strong coverage of compliance and governance topics that this course does not cover in depth.

CEH (EC-Council)

Certified Ethical Hacker. Theory-heavy, multiple choice. Highly recognised by employers — particularly in enterprise and government sectors — even though the practical depth is lower than OSCP. Good first certification for roles where employer recognition matters more than technical depth.

OSCP (Offensive Security)

Offensive Security Certified Professional. The most technically respected offensive security certification. 24-hour practical exam — exploit real machines, write a professional report. Requires strong Linux fundamentals, network understanding, and manual exploitation proficiency. This course builds the foundation needed to begin the PEN-200 training that leads to OSCP.

Teacher's Note: The most common mistake after finishing a course like this is moving straight to another course. Stop. Build a lab. Break things. Fix them. The gap between understanding a technique conceptually and being able to execute it under time pressure on an unfamiliar system only closes with hands-on practice. HackTheBox and TryHackMe both offer free tiers with real machines. Spend a month in the lab before considering a certification exam — the exam will be significantly easier for it.

Quiz

Scenario:

A pen tester begins an external engagement for a large financial institution. The scope covers the organisation's internet-facing infrastructure. The engagement is a black-box test — the client's SOC is not aware the test is underway and will be monitoring for anomalous activity. Before generating any active traffic, the pen tester wants to build an intelligence picture of the target. Which phase and tools should they use, and what makes these appropriate for the black-box opening stage?

Scenario:

A junior pen tester runs Nessus against a web server and receives a critical finding flagged as "SQL Injection Possible" with a CVSS score of 9.8. They include it in the report as a critical finding without further testing. Their team lead returns the report for revision. What is the correct relationship between automated scanner findings and manual confirmation, and why does this matter for report quality?

Scenario:

During an internal network engagement, a pen tester discovers an IP address in bash_history that was not included in the original scope document. The credential they have would likely work on it. The scope document authorises testing of "all internal systems on the 10.10.0.0/16 range" — and this IP falls within that range. The tester is uncertain whether the new system is intended to be in scope. What should they do?

Up Next · Lesson 45

Mini Project — Ethical Hacking Lab

End-to-end engagement simulation — reconnaissance through post-exploitation against Metasploitable, a complete professional report, and the full methodology in one final walkthrough.