Hour 6 of 8

Ethical Hacking Methodology

Recon · Scanning · Gaining · Maintaining · Covering · Reporting
~60 min · 3 interactive labs
CEH Objectives
  • List the 5 CEH phases of ethical hacking and the Reporting deliverable
  • Differentiate passive vs active reconnaissance
  • Explain which phase produces which client deliverable
  • Apply the methodology to a scoped engagement without scope creep
OP. LANTERN

Mission Brief

ShadowX Labs hands you your first solo pentest: a 5-day external + internal engagement for Glasshouse Bank's new mobile-banking API. You must walk the team through your methodology in tomorrow's kick-off — and prove you won't go out of scope.

Place 12 pentest activities into the correct CEH phase
Distinguish passive vs active recon decisions
Make the right ethical call when scope ambiguity appears mid-engagement

Story · Five days, six phases, one signed scope

Last quarter another vendor lost their PCI accreditation because a junior consultant ran a full nmap -sS against the entire /16 — including a /24 that belonged to the bank's payment processor, not the bank. The processor's IDS lit up, lawyers got involved, and the engagement was terminated.

Methodology isn't bureaucracy. It's how ethical hackers stay ethical when adrenaline kicks in. The CEH phases give you a checklist you can defend in a deposition: 'I was in Scanning. The target was in scope. The technique was authorised. Here's the timestamp.'

Today you learn the spine: Reconnaissance → Scanning → Gaining Access → Maintaining Access → Covering Tracks → Reporting. Six words. Memorise them. Every CEH module from here forward lives inside one of these phases.

Trainer · Core Concepts

Phase 1 — Reconnaissance

Information gathering. Passive (WHOIS, Google, LinkedIn, Shodan, certificate transparency, leaked credentials — no packets to target) vs Active (DNS zone transfers, banner grabbing, light probing — packets touch target infra). Passive recon is almost always in scope by default; active recon requires explicit RoE approval.

Phase 2 — Scanning

Identify live hosts, open ports, services, versions, and vulnerabilities. Tools: nmap, masscan, nessus, nuclei. This phase produces noisy traffic — schedule windows, notify SOC, stay inside agreed IP ranges. Output: target-service inventory + ranked vulnerability list.

Phase 3 — Gaining Access

Exploit vulnerabilities to obtain a foothold: password attacks, public exploits, web app flaws (OWASP Top 10), social engineering if authorised. Document every command. Stop at the agreed depth (e.g. 'prove RCE, don't pivot').

Phase 4 — Maintaining Access

Persistence: backdoors, scheduled tasks, additional users, C2 beacons. In a pentest this is usually time-boxed and reversed at the end of the engagement. In Red Team ops it's stealthy and longer-lived. Every artefact must be inventoried for cleanup.

Phase 5 — Covering Tracks

Clearing logs, disabling auditing, timestomping. In ethical hacking we DEMONSTRATE the technique to prove the gap, but we PRESERVE logs (the client needs them for forensics) and document everything we touched. Real attackers destroy evidence; ethical hackers create it.

Phase 6 — Reporting (the deliverable)

The phase that pays the invoice. Executive summary, methodology, findings (with CVSS + business impact), reproduction steps, evidence, remediation guidance, and a cleanup checklist. Without a report, the engagement never happened — and the client can't fix anything.
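Phases 4, 5 and 6 all turn on the same record: every artefact you create is inventoried when you create it, the Covering Tracks demo never destroys the original, and the cleanup checklist in the report is generated from that inventory rather than from memory. The following is an added example, not code from the course or from ShadowX Labs; the `ArtefactInventory` class, the artefact kinds and the host names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Artefact kinds the engagement may leave behind; each must be reversible at the end
REVERSIBLE_KINDS = {"scheduled-task", "local-user", "beacon", "binary", "file", "timestomp-demo"}


@dataclass
class Artefact:
    host: str
    kind: str
    name: str
    phase: str                      # CEH phase in which it was created
    created_at: str                 # ISO-8601 UTC timestamp, defensible later
    original_preserved: bool = True # timestomp demos work on a copy, never the original
    reversed_at: Optional[str] = None


class ArtefactInventory:
    """Inventory kept during Maintaining Access / Covering Tracks; feeds the report's cleanup checklist."""

    def __init__(self):
        self.items = []

    def add(self, host, kind, name, phase, original_preserved=True, created_at=None):
        if kind not in REVERSIBLE_KINDS:
            raise ValueError(f"unknown artefact kind {kind!r}; only reversible artefacts may be created")
        if not original_preserved:
            # Ethical Covering Tracks demonstrates the technique but keeps the client's evidence intact
            raise ValueError("refusing to record a destructive change; the original must be preserved")
        ts = created_at or datetime.now(timezone.utc).isoformat()
        art = Artefact(host, kind, name, phase, ts, original_preserved)
        self.items.append(art)
        return art

    def mark_reversed(self, host, name, when=None):
        for art in self.items:
            if art.host == host and art.name == name and art.reversed_at is None:
                art.reversed_at = when or datetime.now(timezone.utc).isoformat()
                return art
        raise KeyError(f"no open artefact {name!r} on {host}")

    def outstanding(self):
        """Artefacts that still need to be removed before the engagement closes."""
        return [a for a in self.items if a.reversed_at is None]

    def cleanup_checklist(self):
        """Lines for the Reporting deliverable, one per artefact, ticked when reversed."""
        lines = []
        for a in sorted(self.items, key=lambda a: (a.host, a.created_at)):
            box = "[x]" if a.reversed_at else "[ ]"
            lines.append(f"{box} {a.host}: remove {a.kind} '{a.name}' "
                         f"(created {a.created_at}, phase {a.phase})")
        return lines


if __name__ == "__main__":
    # Constructed walk-through matching Lab 18, Scenario 3: task, user, beacon on one app server
    inv = ArtefactInventory()
    inv.add("app-01.glasshouse.bank", "scheduled-task", "backup-test", "Maintaining Access")
    inv.add("app-01.glasshouse.bank", "local-user", "svc-audit", "Maintaining Access")
    inv.add("app-01.glasshouse.bank", "beacon", "beacon.bin", "Maintaining Access")
    inv.mark_reversed("app-01.glasshouse.bank", "backup-test")
    print("\n".join(inv.cleanup_checklist()))
    print(f"{len(inv.outstanding())} artefact(s) still to remove")
```

The `add` guard is the point: an artefact that cannot be reversed, or a "demo" that would destroy the original, never makes it into the inventory, so the cleanup checklist and the preserved-logs promise in the report stay true by construction.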


Micro Labs

CLASSIFY

Lab 16 · Place the Activity in the Right Phase

Twelve activities from your Glasshouse pentest. Drop each into the CEH phase where it belongs.

Items · drag to a bucket
Querying crt.sh for subdomains of glasshouse.bank
nmap -sV -p- against an authorised /24
Running nuclei templates against discovered web apps
Exploiting Log4Shell to obtain a reverse shell on an app server
Adding a low-privilege scheduled task as 'backup-test'
Demonstrating timestomp on a test file (originals preserved)
Writing the executive summary and CVSS-rated findings
Reading the CISO's LinkedIn for org-chart clues
Bruteforcing the VPN portal with a 10-password list (RoE-approved)
Dropping a Cobalt Strike beacon that auto-expires end-of-engagement
Banner-grabbing HTTPS services on the in-scope range
Producing a cleanup checklist of every artefact created
CLASSIFY

Lab 17 · Passive vs Active Reconnaissance

Same engagement, finer call. Which recon activities are passive (no packets to target) vs active (probes touch target)?

Items · drag to a bucket
Searching haveibeenpwned for glasshouse.bank breaches
Querying public WHOIS for glasshouse.bank
Reading Glasshouse engineers' GitHub commits
DNS zone transfer attempt (AXFR) against ns1.glasshouse.bank
Banner grab on port 443 of api.glasshouse.bank
Shodan search for 'org:Glasshouse'
Sending one ICMP echo to the gateway to confirm liveness
Pulling certificate transparency logs from crt.sh
DECISION

Lab 18 · Will You Run It? (Authorisation Decision)

Three live calls during the engagement. Pick the answer that keeps you ethical AND useful.

SCENARIO 1

Day 2: your scan finds an open RDP on 203.0.113.42. Reverse DNS resolves to 'shared-host.payment-co.net'. RoE lists 203.0.113.0/26 in scope.

SCENARIO 2

Day 3: you have RCE on an in-scope app server. RoE says 'prove impact, do not pivot to internal networks'. You can see a path to the domain controller.

SCENARIO 3

Day 5: time to clean up. You created a scheduled task, a local user, and dropped a beacon binary. The client's SOC kept full logs.
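Phase 2's rule ("stay inside agreed IP ranges"), the passive/active distinction from Phase 1 and Scenario 1 above all reduce to a check you can run before every packet leaves your box: is the target inside a signed-off CIDR, does its reverse DNS belong to the client, and does the phase you are in have the approval it needs? The following is an added example, not code from the course or from ShadowX Labs; the `RulesOfEngagement` structure, the decision labels and the `authorise` helper are constructed for illustration, and the only values taken from the page are the 203.0.113.0/26 block, the 203.0.113.42 host and its reverse-DNS name.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

IN_SCOPE = "in-scope"          # proceed, log it
OUT_OF_SCOPE = "out-of-scope"  # do not touch
ESCALATE = "escalate"          # stop and confirm with the client before continuing


@dataclass
class RulesOfEngagement:
    in_scope_cidrs: List[str]       # CIDR blocks the client signed off on
    client_domains: List[str]       # DNS suffixes the client actually owns
    active_recon_approved: bool = False  # active recon needs explicit RoE approval


def classify_target(ip: str, rdns_name: Optional[str], roe: RulesOfEngagement) -> str:
    """CIDR membership first; then a sanity check that the host is really the client's."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in ipaddress.ip_network(cidr) for cidr in roe.in_scope_cidrs):
        return OUT_OF_SCOPE
    if rdns_name is not None:
        host = rdns_name.rstrip(".").lower()
        owned = any(host == d or host.endswith("." + d) for d in roe.client_domains)
        if not owned:
            # In the signed range, but reverse DNS says it belongs to someone else (Scenario 1)
            return ESCALATE
    return IN_SCOPE


def authorise(phase: str, technique: str, sends_packets: bool,
              ip: Optional[str], rdns_name: Optional[str],
              roe: RulesOfEngagement, log: list) -> str:
    """Decide whether an activity may run and append a timestamped, defensible log entry."""
    if not sends_packets:
        decision = IN_SCOPE  # passive recon: no packets reach the target, in scope by default
    else:
        decision = classify_target(ip, rdns_name, roe)
        if decision == IN_SCOPE and phase == "Reconnaissance" and not roe.active_recon_approved:
            decision = ESCALATE  # active recon without written approval
    log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "phase": phase, "technique": technique,
        "target": ip, "rdns": rdns_name, "decision": decision,
    })
    return decision


if __name__ == "__main__":
    # Constructed RoE for the Glasshouse engagement; the /26 and the .42 host come from Scenario 1
    roe = RulesOfEngagement(["203.0.113.0/26"], ["glasshouse.bank"], active_recon_approved=False)
    log = []
    print(authorise("Scanning", "nmap -sV -p-", True, "203.0.113.42", "shared-host.payment-co.net", roe, log))
    print(authorise("Reconnaissance", "crt.sh lookup", False, None, None, roe, log))
    for entry in log:
        print(entry)
```

Each log entry carries the phase, the target, the technique and the decision with a UTC timestamp, which is exactly the record the story above says you want to be able to produce later: "I was in Scanning. The target was in scope. The technique was authorised. Here's the timestamp."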


Knowledge Check

1. Correct CEH phase order?
2. Which is PASSIVE reconnaissance?
3. During Covering Tracks in a pentest, you should…
4. Which deliverable proves the engagement happened?

Challenge · The 60-second Kickoff Walk

You have 60 seconds in tomorrow's kickoff. Walk the client from Phase 1 to Phase 6 naming, for each phase, ONE activity, ONE tool, and ONE deliverable. Bonus: name the phase where scope creep most often happens (it's Gaining Access).

CEH v13 Exam Focus

★★★★
Frequently tested
  • Five hacking phases (six with Reporting)
  • Passive vs active recon — sources and tools
  • When written authorisation is required
  • What 'Covering Tracks' means in an ETHICAL context
  • Deliverables per phase
Memory tricks
  • RSGMCR — Recon · Scan · Gain · Maintain · Cover · Report
  • 'Real Spies Generally Move Carefully, Reporting' — the 6 phases
  • Passive = 'no packets to target'. Active = 'packets land on target'.
Common traps
  • Forgetting Reporting as a phase (CEH counts it)
  • Calling nmap passive recon — it's ACTIVE
  • Thinking 'Covering Tracks' means deleting client logs in a pentest
  • Conflating Pentest (time-boxed, noisy, reversed) with Red Team (stealth, longer, simulates real adversary)
Rapid revision
  • WHOIS / crt.sh / Shodan = passive
  • nmap / nessus / nuclei = active
  • Burp = scanning + gaining access (web)
  • Mimikatz = gaining-access / credential phase
  • Cleanup checklist = reporting phase artefact

Interview Prep