Ethical Hacking
Authorized testing of IT systems by security experts using the same methods as real attackers—with the goal of identifying and addressing vulnerabilities before criminal hackers can exploit them.
Ethical hacking refers to the authorized, controlled testing of IT systems, networks, and applications by security experts. These "white hat hackers" use the same methods, techniques, and tools as real attackers—but with explicit permission and the goal of improving security.
Ethical Hacking vs. Cybercrime
A single, but decisive, difference:
| | Ethical Hacker | Criminal Hacker |
|---|---|---|
| Authorization | Explicit written authorization | None |
| Goal | Improve security | Damage, theft, extortion |
| Methods | Identical | Identical |
| Disclosure | All findings are reported | Findings are exploited |
| Legal Status | Legal within the scope | Criminal offense (§§ 202a ff. StGB) |
Hacker Classifications
White Hat (Ethical Hacker): Works with authorization to ensure system security.
Black Hat: Criminal hackers, without authorization, with malicious intent.
Grey Hat: Testing without authorization, but without direct intent to cause harm—still punishable in Germany (§ 202a StGB).
Bug Bounty Hunter: Ethical hackers working within the framework of public bug bounty programs (often without direct prior authorization, but subject to program rules).
What Do Ethical Hackers Do?
Reconnaissance (OSINT)
Gathering publicly available information about the target system: domains, subdomains, email addresses, technologies, employees.
Scanning and Enumeration
Active discovery of systems, open ports, services, and software versions:
```shell
nmap -sV -sC -p- target.com
nikto -h https://webapp.target.com
```
Vulnerability Analysis
Systematic search for known vulnerabilities in the identified software and configurations, using CVE databases and vulnerability scanners (Nessus, OpenVAS).
Exploitation
Exploiting vulnerabilities, always within the defined scope and only to verify that a vulnerability is real, never to cause damage:
- Web App Attacks: SQLi, XSS, IDOR, SSRF
- Network Attacks: Man-in-the-Middle, ARP Spoofing
- Privilege Escalation: Expanding local privileges
- Lateral Movement: Moving within the network
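For the first item in that list, SQL injection, the following added example (not code from the original article) shows the vulnerable pattern next to its hardened form, using an in-memory SQLite database with constructed rows. This is the kind of minimal proof a tester puts in the report: the same tautology input returns every row through the vulnerable query and nothing through the parameterised one.

```python
"""SQL injection: the vulnerable query pattern beside its hardened form.
Added example, not from the original article. Uses an in-memory SQLite
database with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],  # constructed rows
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username: str) -> list:
    # DEFECT (intentional, the "before" state): user input is spliced into
    # the SQL text, so it is parsed as SQL grammar rather than used as a value.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_hardened(conn, username: str) -> list:
    # Parameterised query: the driver binds the value separately from the
    # statement, so quote characters in the input never reach the SQL parser.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # classic tautology used to demonstrate the finding
    print("vulnerable, normal input:", lookup_user_vulnerable(conn, "alice"))
    print("vulnerable, tautology   :", lookup_user_vulnerable(conn, probe))
    print("hardened,   tautology   :", lookup_user_hardened(conn, probe))
```

The fix is not input filtering but separating code from data: with bound parameters the database never interprets the input as part of the statement, which is why the hardened version needs no blacklist of quote characters.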
Post-Exploitation
What is possible after initial access? What data would be accessible? What other systems are reachable?
Reporting
Detailed report with all findings, CVSS scores, and prioritized recommendations for action.
Key Certifications
OSCP (Offensive Security Certified Professional):
- Gold standard for penetration testers
- 24-hour practical exam
- Hands-on exploitation in a network of ~50 machines
- From Offensive Security (OffSec)
CEH (Certified Ethical Hacker):
- EC-Council certification
- Theory-focused, widely recognized
- Recognized in compliance contexts (ANSI-accredited)
GPEN (GIAC Penetration Tester):
- SANS Institute certification
- Strong practical focus
- Highly recognized in the security community
CRTE / CRTO: Advanced Active Directory and Red Team certifications.
Methodology Frameworks
PTES (Penetration Testing Execution Standard): Industry standard for penetration testing methodology with 7 phases: Pre-Engagement, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting.
OWASP Testing Guide: Specifically for web application security testing.
OWASP WSTG (Web Security Testing Guide) v4.2: Comprehensive guide with over 100 testing techniques for web apps.
Ethical Hacking Tools
Reconnaissance:
- Maltego, theHarvester, Shodan, Recon-ng
Scanning:
- Nmap, Masscan, Nikto, Gobuster
Exploitation:
- Metasploit Framework, Burp Suite Pro, SQLMap, Impacket
Post-Exploitation:
- Cobalt Strike, BloodHound, Mimikatz, PowerView
Password Attacks:
- Hashcat, John the Ripper, CrackMapExec
Wireless:
- Aircrack-ng, Kismet
Legal Framework in Germany
§ 202a StGB (Interception of Data): Anyone who accesses secured data without authorization is liable to prosecution—even if no data is extracted.
§ 202c StGB (Preparation): The procurement, creation, or distribution of tools for § 202a may also be punishable ("Hacker Paragraph").
Protection through Written Authorization: A detailed penetration testing contract with an explicit scope protects the ethical hacker. Without written authorization, even "well-intentioned" testing is a criminal offense.
Bug Bounty Programs: Public programs (e.g., on HackerOne, Bugcrowd) include legal safe harbor provisions—but only for the defined scope.
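Because the written scope is what separates legal testing from a § 202a offence, it pays to encode it and check every target against it before any tooling is started. The following added example (not code from the original article) models a scope as the authorised networks, domains and testing window from the contract, and partitions a requested target list into authorised and rejected entries. The CIDR, domain, window and targets are constructed values.

```python
"""Scope check: verify every intended target against the written
authorisation before scanning or testing begins.
Added example, not from the original article; scope values and the
target list are constructed for demonstration."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class EngagementScope:
    """Distilled from the written authorisation / rules of engagement."""
    networks: list = field(default_factory=list)   # ipaddress network objects
    domains: list = field(default_factory=list)    # lowercase domain names
    window_start: Optional[datetime] = None        # authorised test window (UTC)
    window_end: Optional[datetime] = None

    @classmethod
    def from_contract(cls, cidrs, domains, window_start=None, window_end=None):
        return cls(
            networks=[ipaddress.ip_network(c, strict=False) for c in cidrs],
            domains=[d.lower().rstrip(".") for d in domains],
            window_start=window_start,
            window_end=window_end,
        )

    def covers_target(self, target: str) -> bool:
        """An IP must fall inside an authorised network; a hostname must equal
        an authorised domain or be a subdomain of one (label boundary
        enforced, so 'evil-target.example' does not match 'target.example')."""
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            host = target.lower().rstrip(".")
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return any(ip in net for net in self.networks)

    def covers_time(self, when: datetime) -> bool:
        if self.window_start and when < self.window_start:
            return False
        if self.window_end and when > self.window_end:
            return False
        return True


def partition_targets(scope: EngagementScope, targets):
    """Split a target list into (authorised, rejected)."""
    allowed, rejected = [], []
    for t in targets:
        (allowed if scope.covers_target(t) else rejected).append(t)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed scope, as it might be written into the test contract.
    scope = EngagementScope.from_contract(
        cidrs=["192.0.2.0/24"],
        domains=["target.example"],
        window_start=datetime(2024, 6, 3, 8, 0, tzinfo=timezone.utc),
        window_end=datetime(2024, 6, 7, 18, 0, tzinfo=timezone.utc),
    )
    requested = ["192.0.2.10", "api.target.example", "198.51.100.7", "target.example.evil"]
    ok, bad = partition_targets(scope, requested)
    print("authorised:", ok)
    print("REJECTED (not in written scope):", bad)
    print("inside test window now:", scope.covers_time(datetime.now(timezone.utc)))
```

A rejected target is a question for the client, not a judgement call for the tester: hostnames that resolve into a third party's address space are a common way to drift out of scope, so the check is worth repeating on resolved IPs as well as on the names in the target list.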
Ethical Hacking as a Service
Professional ethical hacking—in the form of penetration tests, red team assessments, or bug bounty management—is not a luxury, but a necessary investment for any company that takes its security seriously. The BSI recommends regular penetration tests as part of an ISMS.