Unit 8: Introduction to Ethical Hacking
Lesson at a glance
| Item | Detail |
| --- | --- |
| Suggested length | 4 × 60 minutes |
| Recommended placement | Weeks 13–14 of Cybersecurity I |
| Prerequisite | Units 1–7 complete; signed Lab Safety Agreement on file |
| Materials | Kali, lab target VM (e.g., Metasploitable 2 or a stripped Ubuntu target), printed Rules of Engagement |
Safety: This is the first unit where students run reconnaissance and scanning tools. Every command runs against the lab target VM only. Anyone running `nmap`, `whois`, `dig`, or `nikto` against any IP outside the lab range is removed from the program pending review. Sign the Rules of Engagement on Day 1 before any tool is touched.
Standards & credential alignment
- EHE Domain 6: Penetration testing fundamentals.
- VA CTE: Demonstrate ethical hacking methodology and written authorization.
- OffSec PEN-100 alignment: enumeration and scoping fundamentals.
Learning objectives
By the end of this unit, students can:
- Articulate the 7 phases of the ethical hacking methodology.
- Write a Rules of Engagement (RoE) document for a fictional engagement.
- Perform passive recon against an authorized target.
- Run `nmap` against the lab target and read the output.
- Identify services and versions from scan output.
- Look up a CVE by name and explain its CVSS score.
- Produce a one-page finding write-up with severity, evidence, and recommendation.
Vocabulary
- Reconnaissance - Information gathering. Passive (no contact) vs. active (touches target).
- Scanning - Network-level probing for hosts and ports.
- Enumeration - Pulling detailed info about identified services (versions, users, shares).
- Exploitation - Using a vulnerability to gain access (we discuss; we don't run yet - that's Cyber II).
- Post-exploitation - What happens after access (we discuss conceptually).
- Cleanup - Removing artifacts and restoring systems to their pre-test state.
- Reporting - The deliverable. The whole job.
- Rules of Engagement (RoE) - Written scope, schedule, restrictions, and contacts for a test.
- CVE - Common Vulnerabilities and Exposures - a vulnerability ID.
- CVSS - Common Vulnerability Scoring System - severity 0–10.
Teacher background
The most important pedagogical move in this unit is that the report is the product. Students will want to fixate on running the tool. Real pen testers spend 60–70% of an engagement writing. If a student leaves Cyber I able to write a clean one-page finding, they're employable as a junior right now.
The 7-phase methodology (PTES-style):
- Pre-engagement - RoE, scope, authorization.
- Reconnaissance - passive and active info gathering.
- Scanning / enumeration - what's there?
- Vulnerability identification - what's broken?
- Exploitation - proving impact (Cyber II for hands-on).
- Post-exploitation - proving worse impact (Cyber II).
- Reporting - what we found, how to fix, who pays.
Materials checklist
- [ ] Kali VM
- [ ] Vulnerable lab target (Metasploitable 2 in host-only network)
- [ ] Printed Rules of Engagement template (one per student)
- [ ] Worksheet PDF
- [ ] Wall poster: 7-phase methodology
Pacing - Day 1 (60 min): Methodology + RoE
| Time | Segment | Notes |
| --- | --- | --- |
| 0:00 – 0:25 | Mini-lesson - 7 phases of ethical hacking | Walk the wall poster. |
| 0:25 – 0:55 | Activity - write your own RoE | Pairs draft an RoE for a fictional engagement. |
| 0:55 – 1:00 | Sign the classroom RoE | Ceremony. |
Day 1 - The classroom Rules of Engagement (sign before Day 2)
Authorized targets: the host-only lab range, specifically `192.168.56.0/24`. No other IP, hostname, or service may be probed.
Authorized tools: `nmap`, `whois`, `dig`, `nslookup`, `nikto` (read-only), browser-based recon. Any other tool requires teacher approval. Note that `whois`, `dig`, and `nslookup` send their queries to public registrars and resolvers rather than to the target, so they may only be pointed at names and addresses this RoE authorizes.
Authorized hours: during scheduled class time, in this room.
Prohibited actions: denial-of-service, brute-force authentication attempts, exploitation, data exfiltration, persistence, modification of any data on the target.
Reporting requirement: every action is logged in a notebook (`engagement-notes.md`) with timestamp, command, and observation.
Out-of-scope discovery: if you discover something outside scope by accident, stop, document, notify the teacher.
Students sign and date. File with the Lab Safety Agreement.
Pacing - Day 2 (60 min): Passive reconnaissance
| Time | Segment | Notes |
| --- | --- | --- |
| 0:00 – 0:15 | Mini-lesson - passive vs. active recon | What touches the target, what doesn't. |
| 0:15 – 0:50 | Lab - passive recon on a fictional company | Use a teacher-prepared target dossier. |
| 0:50 – 1:00 | Discussion - what's an attacker's first 30 minutes? | Recon, recon, recon. |
Day 2 - Passive recon lab
We use a teacher-prepared fictional company "AcmeWidgets" with a curated set of public artifacts (provided). Students gather:
- Domain registration data (the WHOIS-style printout).
- DNS records (A, MX, TXT, NS).
- Public job postings - what tech stack do they hire for? (Real intel.)
- Social media - who is the IT director? Who just posted a server-room photo with a sticky note in frame?
- Code repositories - any AcmeWidgets repos? Any secrets in commits?
- Breach data - are there leaked credentials in public dumps? (Conceptual only - we don't pull breach data into class.)
Students fill the recon worksheet. Land the line: "You can build a remarkably complete picture of a target without ever sending them a packet."
Pacing - Day 3 (60 min): Active scanning with nmap
| Time | Segment | Notes |
| --- | --- | --- |
| 0:00 – 0:15 | Mini-lesson - what nmap is and how to read it | TCP, SYN, service, script. |
| 0:15 – 0:55 | Lab - scan the lab target | Run-by-run, escalate flags. |
| 0:55 – 1:00 | Exit ticket | "Which port surprised you?" |
Day 3 - Nmap walkthrough (against 192.168.56.10 lab target only)
```bash
# SYN scans (-sS), OS detection, and everything -A pulls in need raw sockets:
# run these as root or prefix them with sudo.
# 1. Which hosts in the lab range are up? (ping sweep, no port scan)
sudo nmap -sn 192.168.56.0/24
# 2. What ports are open? (TCP SYN scan; -F = the 100 most common ports)
sudo nmap -sS -F 192.168.56.10
# 3. Default top 1000 ports + service/version detection
sudo nmap -sS -sV 192.168.56.10
# 4. Aggressive: version detection + default NSE scripts + OS detection + traceroute
sudo nmap -A 192.168.56.10
# 5. Targeted: what version of SSH is running?
sudo nmap -p 22 -sV 192.168.56.10
# 6. Save output for the report (-oN is the human-readable format;
#    -oA <basename> writes normal, XML, and grepable copies in one run)
sudo nmap -sS -sV -oN scan-results.txt 192.168.56.10
```
For each scan, students annotate: what was the question, what was the answer, what's the next question?
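The annotation step above is easier to grade, and the "Evidence" and "Affected asset" lines of the Day 4 template easier to fill, when the scan is saved as XML (`-oX` or `-oA`) and read by a script rather than copied by hand. The following is an added example, not part of the lesson materials: it parses nmap XML with the standard library, checks every host that appears in the scan against the RoE range before anything else is done with the data, and renders the evidence table and a notebook line. The XML is a constructed, abbreviated sample shaped like nmap's output (the services resemble Metasploitable 2), not a real capture; the timestamp is likewise made up.

```python
"""Turn `nmap -oX` output into the evidence a finding needs and check every
host touched against the RoE scope. Added example; SAMPLE_XML is a
constructed, abbreviated sample shaped like real nmap output, not a capture."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.168.56.10" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.56.10" addrtype="ipv4"/>
<address addr="08:00:27:12:34:56" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
  <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
  <service name="telnet" product="Linux telnetd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.2.8" extrainfo="(Ubuntu) DAV/2" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
  <service name="mysql" product="MySQL" version="5.0.51a-3ubuntu5" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8180"><state state="closed" reason="reset"/>
  <service name="unknown" method="table" conf="3"/></port>
</ports>
</host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """One record per port: host, protocol, port, state, service, product, version."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            records.append({
                "host": addr.get("addr"),
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
            })
    return records


def open_services(records):
    return [r for r in records if r["state"] == "open"]


def out_of_scope(records, cidr):
    """Hosts in the scan that lie outside the RoE range. A non-empty result
    means stop, document, notify (the RoE's out-of-scope rule)."""
    allowed = ipaddress.ip_network(cidr)
    return sorted({r["host"] for r in records if ipaddress.ip_address(r["host"]) not in allowed})


def affected_asset(record):
    """The 'Affected asset' line of the one-page finding template."""
    banner = " ".join(x for x in (record["product"], record["version"]) if x)
    return (f"{record['host']} {record['proto']}/{record['port']} "
            f"({record['service'] or 'unknown'}: {banner or 'unidentified'})")


def evidence_table(records):
    """Markdown table for the 'Evidence' section, one row per port."""
    rows = ["| Port | State | Service | Product / version |", "| --- | --- | --- | --- |"]
    for r in records:
        banner = " ".join(x for x in (r["product"], r["version"]) if x)
        rows.append(f"| {r['proto']}/{r['port']} | {r['state']} | {r['service']} | {banner} |")
    return "\n".join(rows)


def note_entry(timestamp, command, observation):
    """One engagement-notes.md line: timestamp, command, observation."""
    return f"- {timestamp} | `{command}` | {observation}"


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    stray = out_of_scope(recs, "192.168.56.0/24")
    if stray:
        raise SystemExit(f"RoE violation, hosts outside scope: {stray}")
    found = open_services(recs)
    # Timestamp below is made up for the sample.
    print(note_entry("Day 3 10:17", "nmap -sS -sV -oX scan.xml 192.168.56.10",
                     f"{len(found)} open TCP ports"))
    print(evidence_table(found))
    for r in found:
        print("Affected asset:", affected_asset(r))
```

Run it against a real file with `parse_nmap_xml(open("scan.xml").read())`. The scope check comes first deliberately: if a typo in the target argument put a host outside `192.168.56.0/24` into the scan, the script refuses to produce evidence from it, which is the RoE's "stop, document, notify" rule made mechanical.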
Pacing - Day 4 (60 min): CVE research + write-up
| Time | Segment | Notes |
| --- | --- | --- |
| 0:00 – 0:15 | Mini-lesson - CVE, CVSS, exploitability | What the numbers mean. |
| 0:15 – 0:40 | Lab - research one CVE from the scan | NVD, vendor advisory. |
| 0:40 – 0:55 | Activity - write the one-page finding | Use the template. |
| 0:55 – 1:00 | Share-out | Two strong findings on the doc cam. |
Day 4 - CVE research
Pick one service from your scan (e.g., the FTP server on Metasploitable 2 runs vsftpd 2.3.4, a backdoored release tracked as CVE-2011-2523). Look it up:
- NVD search: https://nvd.nist.gov/vuln/search
- Read the CVE description, the CVSS vector (for this one, `AV:N/AC:L/Au:N/C:C/I:C/A:C`), the affected versions, and the references.
- Note which CVSS version you are reading. `Au` (authentication) marks that vector as CVSS v2, which is what NVD shows for older CVEs. Newer CVEs carry a v3.x vector such as `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, which replaces authentication with privileges required (`PR`), adds user interaction (`UI`) and scope (`S`), and rates impact High/Low/None instead of Complete/Partial/None.
Translate the CVSS vector into English: "Network attacker, low complexity, no auth, complete compromise of confidentiality, integrity, availability." Write that down.
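The translation exercise above, and the same exercise in the homework, can be checked mechanically. This is an added example, not part of the lesson materials: it decodes a CVSS v2 or v3.x base vector into the plain-English sentence students are asked to write, and recomputes the base score from the published v2 and v3.1 equations so a student can confirm the number NVD shows. The v2 vector is the one from the lesson; the v3.1 vectors are constructed for illustration.

```python
"""Decode a CVSS base vector into plain English and recompute its base score
from the published v2 and v3.1 formulas. Added example, not lesson material."""
import math

# CVSS v2 base metrics: value -> (plain English, weight from the v2 spec).
V2 = {
    "AV": {"L": ("local", 0.395), "A": ("adjacent-network", 0.646), "N": ("network", 1.0)},
    "AC": {"H": ("high complexity", 0.35), "M": ("medium complexity", 0.61), "L": ("low complexity", 0.71)},
    "Au": {"M": ("multiple authentications", 0.45), "S": ("single authentication", 0.56), "N": ("no authentication", 0.704)},
    "C": {"N": ("no", 0.0), "P": ("partial", 0.275), "C": ("complete", 0.660)},
    "I": {"N": ("no", 0.0), "P": ("partial", 0.275), "C": ("complete", 0.660)},
    "A": {"N": ("no", 0.0), "P": ("partial", 0.275), "C": ("complete", 0.660)},
}

# CVSS v3.x base metrics. PR carries two weights: (scope unchanged, scope changed).
V3 = {
    "AV": {"N": ("network", 0.85), "A": ("adjacent", 0.62), "L": ("local", 0.55), "P": ("physical", 0.2)},
    "AC": {"L": ("low complexity", 0.77), "H": ("high complexity", 0.44)},
    "PR": {"N": ("no privileges", (0.85, 0.85)), "L": ("low privileges", (0.62, 0.68)), "H": ("high privileges", (0.27, 0.5))},
    "UI": {"N": ("no user interaction", 0.85), "R": ("user interaction required", 0.62)},
    "S": {"U": ("scope unchanged", None), "C": ("scope changed", None)},
    "C": {"N": ("no", 0.0), "L": ("low", 0.22), "H": ("high", 0.56)},
    "I": {"N": ("no", 0.0), "L": ("low", 0.22), "H": ("high", 0.56)},
    "A": {"N": ("no", 0.0), "L": ("low", 0.22), "H": ("high", 0.56)},
}


def parse_vector(vector):
    """Return (version, {metric: value}). Accepts the 'CVSS:3.x/' prefix NVD
    prints on v3 vectors and the bare or parenthesised form used for v2."""
    parts = vector.strip().strip("()").split("/")
    version = "2"
    if parts[0].upper().startswith("CVSS:3"):
        version, parts = "3", parts[1:]
    metrics = {}
    for part in parts:
        key, _, value = part.partition(":")
        metrics[key] = value
    if "PR" in metrics:  # unprefixed v3 vector
        version = "3"
    table = V3 if version == "3" else V2
    if set(metrics) != set(table):
        raise ValueError(f"incomplete or unknown base vector: {vector}")
    for key, value in metrics.items():
        if value not in table[key]:
            raise ValueError(f"unknown value {key}:{value} in {vector}")
    return version, metrics


def describe(vector):
    """The plain-English sentence students write under the CVSS vector."""
    version, m = parse_vector(vector)
    table = V3 if version == "3" else V2
    word = lambda k: table[k][m[k]][0]
    if version == "2":
        head = f"{word('AV').capitalize()} attacker, {word('AC')}, {word('Au')}"
    else:
        head = (f"{word('AV').capitalize()} attacker, {word('AC')}, {word('PR')}, "
                f"{word('UI')}, {word('S')}")
    return (f"{head}; {word('C')} impact on confidentiality, {word('I')} on integrity, "
            f"{word('A')} on availability.")


def _roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, using the spec's
    integer arithmetic so floating-point noise cannot bump the result."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(vector):
    """Base score per the CVSS v2 (round to one decimal) or v3.1 (Roundup) equations."""
    version, m = parse_vector(vector)
    if version == "2":
        w = lambda k: V2[k][m[k]][1]
        impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
        if impact == 0:
            return 0.0
        exploitability = 20 * w("AV") * w("AC") * w("Au")
        return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)
    w = lambda k: V3[k][m[k]][1]
    changed = m["S"] == "C"
    pr = V3["PR"][m["PR"]][1][1 if changed else 0]
    iss = 1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A"))
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * w("AV") * w("AC") * pr * w("UI")
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if changed else total, 10))


def severity(score, version="3"):
    """NVD's qualitative bands. v2 tops out at High; v3 adds Critical."""
    if version == "2":
        return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"
    if score == 0:
        return "None"
    return ("Critical" if score >= 9.0 else "High" if score >= 7.0
            else "Medium" if score >= 4.0 else "Low")


if __name__ == "__main__":
    # The lesson's v2 vector, and a constructed v3.1 vector for the same idea.
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"):
        ver, _ = parse_vector(v)
        s = base_score(v)
        print(f"{v}\n  {s} ({severity(s, ver)}) - {describe(v)}")
```

The point worth drawing out in class: the same "network, no auth, full compromise" finding scores 10.0 under v2 and 9.8 under v3.1, and only v3 has a Critical band, so the version of the vector matters when students compare severities across CVEs of different ages.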
Day 4 - One-page finding template
```text
Finding: <one-line title>
Severity: <Critical / High / Medium / Low / Informational>
Affected asset: <IP, hostname, service>
CVE / reference: <CVE-YYYY-NNNN, vendor advisory link>

Description:
  Two to four sentences explaining what the issue is in plain English.

Evidence:
  Command run, output snippet, screenshot (or path to one).

Impact:
  What can a real attacker do with this? What does the customer lose?

Recommendation:
  Specific, actionable, prioritized. Patch to vX.Y.Z, restrict to
  internal networks, disable the service if not needed, etc.

Next steps:
  Who owns the fix. By when. How we'll verify.
```
A complete, honest one-page finding is the deliverable for this unit. Grade it like an English paper, because that's what it is.
Common misconceptions
- "Recon doesn't matter - just run the scanner." - Recon decides which scanner, where, when, and what's actually in scope.
- "A high CVSS means I should panic." - A high CVSS on a non-internet-facing, well-monitored service may be lower priority than a medium CVSS on the perimeter. Context matters.
- "The scan is the deliverable." - The report is the deliverable. Scans without context are noise.
Differentiation
- Students who finish early: have them write a second finding, or run a second scan with different flags and compare.
- Reading support: nmap output is dense; pre-print one annotated example for reference.
Assessment
- Day 1 RoE - graded for completeness and clarity.
- Day 3 scan output - saved with `-oN`, submitted.
- Day 4 finding write-up - rubric scored: clarity (3), accuracy (3), severity justification (2), recommendation specificity (2). 10 points.
Career connection
This unit is literally the first week of a junior pen tester's life. Salary range $70K–$95K starting; $120K+ within five years; $200K+ as a principal consultant. The work product is the report - same as today.
Homework / next class
Find one public CVE published in the last 30 days that affects a product you've heard of. Translate the CVSS vector into plain English. Bring to class.
