See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/354413171

Ethical Hacking Methodologies: A Comparative Analysis

Conference Paper · September 2021

DOI: 10.1109/MAJICC53071.2021.9526243

CITATIONS READS

2 776

5 authors, including:

Maneeba Ashraf Bhatti Ayima Zahra

Lahore Garrison university Lahore Garrison University
3 PUBLICATIONS 5 CITATIONS 3 PUBLICATIONS 9 CITATIONS

SEE PROFILE SEE PROFILE

Muhammad Mugees Asif Maaz Ahmad

Lahore Garrison University Karachi Institute of Economics and Technology
16 PUBLICATIONS 302 CITATIONS 51 PUBLICATIONS 654 CITATIONS

SEE PROFILE SEE PROFILE

All content following this page was uploaded by Ayima Zahra on 04 June 2024.

The user has requested enhancement of the downloaded file.

 Ethical Hacking Methodologies: A Comparative
Analysis
1
Maneeba Ashraf, 2 Ayima Zahra, 3 Muhammad Asif, 4 Maaz Bin Ahmed, 5 Sadia Zafar
1
Department of Computer Sciences, Lahore Garrison University, Lahore, Pakistan
2
Department of Computer Sciences, Lahore Garrison University, Lahore, Pakistan
3
Department of Computer Sciences, Lahore Garrison University, Lahore, Pakistan
4
College of Computing and Information Sciences, PAF Karachi Institute of Economics and Technology, Karachi, Pakistan
5
Department of Computer Sciences, Lahore Garrison University, Lahore, Pakistan
E-mail: [email protected], [email protected], [email protected], [email protected],
[email protected]

Abstract— As networks are expanding day by day, the need for

security is attaining more attention. Hackers have always been 250

Growth Rate in Billion U.S. Dollars

renowned as a severe security threat. Ethical hacking is an 231.94
important form of hacking. It is a type of hacking that doesn't 209.27
200
hurt any individual, association, or gathering. It is done with a 188.53
positive intent to find out the security loop-holes in the current 169.84
infrastructure of some organizations. The organization may 150 153.01
137.85
patch its security vulnerabilities accordingly as suggested by
ethical hackers. In this research work, a comparative analysis 100
has been conducted for ethical hacking techniques. It classifies
the existing techniques based on their working principles and 50
compares the working mechanisms of all techniques. Graphical
analysis of ethical hacking tools along with a score-based 0
comparison is also part of this research. Moreover, the research 2017 2018 2019 2020 2021 2022
can be useful in suggesting the most appropriate tool to be used
for a particular scenario. Year

Keywords— Hacking Tools, Penetration Testing, Cyber

Fig. 2. Ethical Hacking Stats
Security, Network Security, Ethical Hacker

I. INTRODUCTION To understand the pros and cons of ethical hacking, one

should understand the ethical hacking basics, benefits, and
Hackers having good intentions are called ethical hackers. drawbacks, as shown in Fig. 3.
They perform hacking to ensure system security. Ethical
hackers are hired by the companies as penetration testers where
the hackers try to figure out vulnerabilities in the organizations' Pros Cons
systems and provide a solution for the same. The mentality,
skills, and knowledge of a hacker play an important role here. • Battle against security breaches • May corrupt the records of an
In nutshell, the basic aim of hiring ethical hackers is to prevent • Execute preventive action organization
against hackers • Utilized information may be
the system from getting hacked by a more perilous hacker [1]. picked up for malicious use
• Construct a framework that
Companies having a large database of clients usually pay more avoids any kind of penetration • Hiring the experts increments
than the others for data security [2]. The process of hacking a by the potential hackers the cost
system comprises five stages [3] as is shown in Fig. 1. • May offers security to manage a • Can harm someone's privacy
banking account and budgetary •Loss of sensitive data may occur
establishments
•Recognizes and patch the open
gaps in a computer network

Fig. 3. Pros and Cons of Ethical Hacking

This paper presents a comparative analysis of ethical

hacking modes, techniques, and tools. It classifies the existing
techniques based on their working principles and compares the
working mechanisms of all techniques. Graphical analysis of
ethical hacking tools along with a score-based comparison is
also part of this research. Moreover, the research can be useful
in suggesting the most appropriate tool to be used for a
Fig. 1. Stages of Hacking Process particular scenario.
The rest of the paper is organized as follows. Section II exhibits
Behind ethical hacking, the motivation is to test and
related work. Section III presents ethical hacking modes. In
approve the security controls of an organization. It is a
section IV, techniques used for hacking are presented. Section
prerequisite to have trust in the hired ethical hacker and his
V exhibits a score-based analysis of ethical hacking tools.
abilities. Otherwise, the whole process may become
Section VI concludes the paper.
catastrophic [4]. Fig. 2. Shows the growth rate of ethical
hackers in billions of US dollars.

978-1-6654-2413-4/21/$31.00 ©2021 IEEE

 II. RELATED WORK  Outsider Attack: This attack targets HTTP, SMTP,
SQL, or any other available service.
Pandey et al. [5] highlighted that an ethical hacker poses
 Stolen Equipment Attack: This usually targets the
some hazard to the client and uses Nmap, Nessus, Nikto,
CEO’s laptop or the organization’s backup tapes —
Kismet, Metasploit, and Netstumbler tools for information
gathering, vulnerability scanning, exploitation, and test extract critical information like user names, and
analysis. S. Satapathy et al. [6] gives step by step process for passwords.
cleaning out and restoring a word press installation that has  Physical Entry: This simulation seeks to test the
been hacked. S. Begum et al. [7] highlighted that the security organization’s physical controls such as doors, gates,
issues would stay as long as producers stay committed to the locks, guards, CCTV, etc.
current framework structures. They also discussed techniques  Bypassed Authentication Attack: This attack
like phishing, FTP brute force hack, Denial of Service (DOS), involves the efforts done to bypass the wireless
footprinting, WHOIS, malware, etc. Yien et al. [8] designed access points or modems. It is used to check whether
hands-on labs in detail using the vulnerability scanning tool the system is secure or vulnerable.
openVAS and Nmap, and learning offensive techniques. Imran  Social Engineering Attack: This targets the
et al. [9] presented a tool that recursively iterates over HTML organization’s employees and seeks to gain
pages for detecting PHP vulnerability & proposed software to privileged information from them through social
analyze the PHP daemon configuration for recommended engineering.
settings. It notifies the user when these settings are incorrect.
Palmer et al. [10] talked about the ethical hacker’s skills, IV. ETHICAL HACKING TECHNIQUES
techniques, and attitudes in their work. It is also helpful for the
end-users in knowing how to search the security holes. Trabelsi Ethical hacking is the art of white-hat hacking where a
et al. [11] presented the implementation of repulsive hands-on person has the potential and competency to filter, test, hack,
lab exercises about three types of DoS (Denial of Service) and secure the system. Ethical hackers utilize the same
attacks. Baryan et al. [12] presented how to explore scanning strategies as being utilized by illicit hackers to breach corporate
techniques and tools, useful functionality, and vulnerability. security frameworks. This provides a glimpse of the
Vivek et al. [13] presented the survey report of IC3 on company’s capacity to anticipate an intrusion before it
cybersecurity and the importance of ethical hackers in a digital happens. To accomplish an idealized hack, hackers execute a
world to ensure safety. It also explains the security hurdles and wide assortment of strategies. TABLE I shows the core
the phases of hacking i.e. information gathering, scanning, mechanisms of the strategies utilized for hacking as well as
gaining control, maintaining access, and clearing logs. Rathore explains the prudent measures to keep an organization safe
[14] highlighted the role of ethical hacker and cybercrime and from hackers [20].
illustrated a proactive approach to minimize the threat of TABLE I. Ethical Hacking Techniques
hacking and cybercrimes. Michael et al. [15] presented the
Techniques Objectives Working Social
ideas related to the remedy of the found vulnerabilities in their Mechanism Awareness
work. It also demonstrated how to do secure coding and what Social Criminals Secretly install  Delete request
are its best practices. Amarendra et al. [16] emphasized that the Engineering manipulate malicious for financial
data that is crucial to the end-user is usually precious for the [21] people to trick software by information,
hacker. How can the users keep their data secure and what into giving sending a passwords or
them message which offers of help.
kinds of preventive measures the users should adopt. Bhawana passwords or will contain a  Set spam filters
et al. [17] presented a descriptive analysis of the ethical bank link or to high and
hacking, all types of ethical hacking, and about the phases of information, download file. Secure your
ethical hacking. or access to devices.
the computer.
III. ETHICAL HACKING MODES Phishing [22] Companies Three  Deploy a SPAM
face security mechanisms are and web filter.
Most of the used modes of ethical hacking to conduct challenges to used by  Conduct
security evaluation are shown in Fig. 4 [18, 19]. The basics of keep their criminals in training sessions
these modes are presented below: information phishing emails with mock
secure. to steal phishing
information: scenarios.
malicious web  Install Update,
Insider Attack links, malicious Antivirus and
attachments, Encrypt all
and fraudulent sensitive
Social data-entry forms
Engineering
Outsider company
Attack information.
Attack
Sniffing [23] Watch WWW Gathers the  Don’t visit
Ethical Hacking traffic in real- MAC address(s) unencrypted and
Modes time, catch the sites Install
data packets antivirus.
Bypassed Stolen when it flows Avoid public
Authentication Equipment via web Wi-Fi.
Attack Attack
Session Taking In TCP session,  Encrypt data
Hijacking [24] control of a the attacker uses traffic by using
Physical Entry user session IP packets to SSL/TLS.
after insert  Use long
successfully commands into random string as
generating an an active the session key
authentication communication and regenerate
Fig. 4. Modes of Ethical Hacking session ID. between two session ID after
nodes and spot a successful
 Insider Attack: Carried out by an authorized itself as login
individual with a legitimate connection to the authentic users.
organization’s network.
Hacking Vulnerability Using the  Update web Footprinting [29] Process of Attackers use  Restrict
Webservers [25] in Apps, gathered data, servers and do collecting as search engines employees.
database, OS, lead to not use the much to extract Configure
or in network determine default config information information web servers.
will lead to viable options and also scan
attack on the for attempting to
as possible about a target.  Educate
the Apps about a target Determine the
webserver. gain access to employees to
running on network. OS in use by the
data stored on use
webserver for Usually target
the server or pseudonyms.
all weaknesses. to organization. Do not
control over the  Block all find ways to Collect location
server itself reveal
unnecessary intrude into information as well critical
protocols and the as tracking email information
disable default environment communications in press
accounts,
releases,
 Follow strict annual
access control reports,
policy. Install product
Anti- virus. catalogs, etc.
Hacking Mobile The attacker  Be careful of  Enforce
Mobile devices are breaks into the what you security
Platforms used for most device and install and policies.
[26] sensitive redirects data to don’t leave
 Avoid
transactions, exploit the online services
domain-
including resources on it unlocked.
level cross-
email, before  Update your linking.
banking, and forwarding it to OS, Apps and Encrypt and
social media the original void public password
because they destination. Wi-Fi. protect
use wireless  Keep your sensitive
mediums and mobile phone information.
often public number private
Wi-Fi, which  Disable
and Use two- directory
can be factor
insecure listings.
authentication Honeypots Records Activities are To help
 Beware of [30] monitored using scale
spam and all the honeypot’s security
phishing the installed link to operations,
emails and actio the network. combine
Use built-in ns, The honeypots
device transactions, ho with other
protections. and neypot looks techniques.
SQL SQL injection After locating a  Do not use interactions like a real
Injection is a web target, attackers dynamic with computer
[27] security create malicious SQL. Do not user system,
vulnerability payloads and leave s. They are wit
that allows an send their input sensitive used to track h applications
attacker to content credentials the attackers and data,
interfere with to in plain text and defend foo
the queries execute format. ling
that an malicious  Filter out the cybercriminals
application commands. user- attacks. into thinking it's
makes to its provided a
database. It inputs. legi
generally  Provide timate target
allows an restriction or
attacker to limitation in
view data that database V. COMPARATIVE ANALYSIS OF ETHICAL
they are not permissions
normally able
HACKING TOOLS
as well as
to retrieve. privileges. Hacking tools are computer programs and scripts that
Enumerat Enumeration The attacker  Close help users to find and exploit weaknesses in systems, web
ion [28] is the process creates an active unnecessary apps, servers, and networks. TABLE 2 presents the
of extracting connection to services on
user the system and the targeted
comparative analysis of the existing ethical hacking tools.
name performs systems. The comparative analysis is made on the basis of following
s, machine directed queries Emplo features:
names, to gain more y TCP
network information wrapp  Reconnaissance
resources, about the target. ers.
shares, The gathered Utilize  Scanning
and information is port
services from used to identify sentry  Gain and Maintain Access
a system. the offered
vulnerabilities b  Security Testing
y
or weak points
in system psionic
 Password Cracker
security and
tries to exploit
the System
gaining phase.
The comparative results based on these features are represented
in this section to determine the most appropriate and efficient 6
ethical hacking tool. A score is assigned to each tool based on 5
the supported features. For example, we gave a sore 4 to a tool 5
that provide four features. Fig. 5 presents the score-based 4 4
comparison graph which shows that NMAP and Nikto are 4
comparatively good tools but SQLMAP is the best, having 333 3 3 3 3 3333 33
most of the info gathering as well as attacking capabilities. 3
Score 1 shows that the tool has only minimum features or is 22 2 2 22 2 22 2 2
less efficient. Score 2 also shows that the tool has few features 2
but more than those tools having score 1. Score 3 shows that 11 111 1 1 1 1
the tools have an average number of features. Score 4 presents 1
that the tools are comparatively good but less efficient as
0
compared to score 5, which is highlighted as the best.

Burp Suite

GFI LanGuard

QualysGuard

Rainbow Crack

Nessus

Canvas
Aircrack

WebInspect
Hashcat

SpiderFoot

Metaploit
Ettercap

SQLMap

Nikto

Maltego
Angry IP Scanner
Netsparker

Medusa

SQLNinja Cain

OpenVAS

Reaver
Acunetix

Savvius

L0phtCrack
Probely

IKECrack
SaferVPN

IronWASP

NetStumbler

Wireshark

IronWASP
Firebug
& Abel

Wapiti
John the Ripper
NMAP
TABLE II. Score based Comparison of Ethical
Hacking Tools
Fig. 5. Graphical Analysis of the Score Based Comparison
Gain and Maintain Access

Password Cracker
Security Testing
Reconnaissance

V. CONCLUSION
Scanning

This paper highlights the importance of ethical hacking along

Tools

with the discussion about its modes. It also presented

mechanisms of the strategies utilized for ethical hacking as
well as explains the prudent measures to keep an organization
safe from hackers. Moreover, a detailed comparative analysis
Netsparker ✘ ✓ ✘ ✓ ✘ of existing ethical hacking tools and techniques based on
Acunetix ✘ ✓ ✘ ✓ ✘ supported features is done. Scores are assigned to each tool
Probely ✘ ✓ ✘ ✘ ✘ based upon the features supported. It is evident from the
SaferVPN ✘ ✘ ✘ ✓ ✘ comparison that NMAP and Nikto are comparatively good
Burp Suite ✘ ✓ ✓ ✓ ✘ tools but SQLMAP is the best, having most of the info
Ettercap ✘ ✓ ✓ ✓ ✘ gathering as well as attacking capabilities.
Aircrack ✘ ✓ ✓ ✘ ✓
REFERENCES
Angry IP Scanner ✘ ✓ ✘ ✘ ✘ [1] What is Ethical Hacking: [Online]. Available:
GFI LanGuard ✘ ✓ ✓ ✓ ✘ https://www.eccouncil.org/ethical-hacking, Accessed 16 June, 2021.
Savvius ✘ ✘ ✘ ✓ ✘ [2] Simplilearn, Why Businesses Need Ethical Hackers: [Online]. Available:
QualysGuard ✘ ✓ ✓ ✓ ✘ https://www.simplilearn.com/ethical-hackers-for-businesses-article, Accessed
16 June, 2021.
WebInspect ✘ ✘ ✘ ✓ ✘ [3] Phases of Hacking: [Online]. Available:
Hashcat ✘ ✓ ✘ ✘ ✓ https://www.greycampus.com/opencampus/ethical-hacking/phases-of-
L0phtCrack ✘ ✘ ✓ ✓ ✓ hacking, Accessed 16 June, 2021.
[4] Thomas, Georg & Burmeister, Oliver & Low, Gregory. Issues of Implied
Rainbow Crack ✘ ✘ ✓ ✘ ✓
Trust in Ethical Hacking. ORBIT Journal. 2. 10.29297/orbit.v2i1.77, 2018.
IKECrack ✘ ✘ ✘ ✘ ✓ [5] Pandey, Brijesh & Singh, Alok & Balani, Lovely. “ETHICAL HACKING
IronWASP ✘ ✓ ✘ ✓ ✓ (Tools, Techniques and Approaches)”. 10.13140/2.1.4542.2884, 2015.
Medusa ✘ ✘ ✘ ✓ ✓ [6] Susidharthaka Satapathy, Dr.Rasmi Ranjan Patra. “Ethical Hacking -
NetStumbler ✘ ✓ ✘ ✘ ✓ published at” International Journal of Scientific and Research Publications
(IJSRP), Volume 5, Issue 6, June 2015 Edition, 2015.
SQLMap ✓ ✓ ✓ ✓ ✓ [7] Suriya Begum*, S. K. A. “A Comprehensive Study on Ethical Hacking”
SpiderFoot ✓ ✘ ✘ ✘ ✘ International Journal of Engineering Sciences & Research Technology, 5(8),
SQLNinja ✘ ✓ ✘ ✓ ✘ 214–219. http://doi.org/10.5281/zenodo.59534. 2016.
[8] Wang, Y., & Yang, J. “Ethical Hacking and Network Defense: Choose Your
Cain & Abel ✘ ✓ ✓ ✘ ✓
Best Network Vulnerability Scanning Tool” 2017 31st International
Nessus ✓ ✓ ✘ ✘ ✓ Conference on Advanced Information Networking and Applications
John the Ripper ✘ ✓ ✘ ✓ ✓ Workshops (WAINA), 110-113, 2017.
NMAP ✓ ✓ ✓ ✓ ✘ [9] M. Imran, M. Faisal and N. Islam, "Problems and Vulnerabilities of Ethical
Hacking in Pakistan," 2019 Second International Conference on Latest trends
Wireshark ✓ ✓ ✘ ✓ ✘
in Electrical Engineering and Computing Technologies (INTELLECT), 2019,
Firebug ✓ ✘ ✘ ✘ ✘ pp. 1-6, doi: 10.1109/INTELLECT47034.2019.8955459, 2019.
OpenVAS ✓ ✓ ✘ ✘ ✘ [10] C. C. Palmer, "Ethical hacking," in IBM Systems Journal, vol. 40, no. 3, pp.
IronWASP ✘ ✓ ✘ ✓ ✘ 769-780, doi: 10.1147/sj.403.0769, 2001.
[11] Trabelsi, Z., & Ibrahim, W. “Teaching ethical hacking in information
Nikto ✓ ✓ ✘ ✓ ✓
security curriculum: A case study” 2013 IEEE Global Engineering Education
Metaploit ✓ ✓ ✘ ✓ ✘ Conference (EDUCON), 130-137, 2013.
Wapiti ✘ ✓ ✘ ✓ ✘ [12] Smith, B., Yurcik, W., & Doss, D. “Ethical Hacking: The Security
Maltego ✓ ✓ ✘ ✓ ✘ Justification”, 2001.
[13] Monika Pangaria, Vivek Shrivastava, "Need of Ethical Hacking in Online
Reaver ✘ ✘ ✘ ✘ ✓
World", International Journal of Science and Research (IJSR),
Canvas ✘ ✓ ✘ ✓ ✘ https://www.ijsr.net/search_index_results_paperid.php?id=IJSRON2013859,
Volume 2 Issue 4, April 2013, 529 – 531, 2013.
[14] Rathore, N. “Ethical Hacking and Security against Cyber Crime”. Journal on
Information Technology, 5(1), 7-11, 2016.
[15] M. Lehrfeld and P. Guest, "Building an ethical hacking site for learning [23] Sniffing Attacks: [Online]. Available:
and student engagement," SoutheastCon 2016, pp. 1-6, doi: https://intellipaat.com/blog/tutorial/ethical-hacking-cyber-security-
10.1109/SECON.2016.7506746, 2016. tutorial/sniffing-attacks/, Accessed 16 June, 2021.
[16] Amarendra K., Mandhala V.N., Damecharla S., Gollapudi P., Ponuganti [24] What is Session Hijacking and how to prevent it: [Online]. Available:
P.K. “Modern Era Hacking”. International Journal of Scientific and https://www.interserver.net/tips/kb/session-hijacking-prevent/,Accessed 16
Technology Research, Volume 8 - Issue 12, December 2019 Edition, ISSN June, 2021.
2277-8616. https://www.ijstr.org/final-print/dec2019/Modern-Era- [25] Ethical Hacking: How to hack a web server: [Online]. Available: URL:
Hacking.pdf, 2019. https://securityboulevard.com/2020/01/ethical-hacking-how-to-hack-a-web-
[17] Bhawana Sahare, Ankit Naik, Shashikala Khandey. “Study of Ethical server/, Accessed 16 June, 2021.
Hacking”. International Journal of Computer Science Trends and [26] Mobile devices and Platforms: [Online]. Available:
Technology (IJCST) – Volume 2 Issue 4, Nov-Dec 2014. https://www.lynda.com/iOS-tutorials/Ethical-Hacking-Mobile-Devices-
[18] Modes of Ethical Hacking: Probes, Analysis & Attacks: [Online]. Platforms/512725-2.html, Accessed 16 June, 2021.
Available: https://study.com/academy/lesson/modes-of-ethical-hacking- [27] How to Protect Against SQL Injection Attacks: [Online]. Available: URL:
probes-analysis-attacks.html, Accessed 16 June, 2021. https://security.berkeley.edu/education-awareness/how-protect-against-sql-
[19] Modes of Ethical Hacking: [Online]. Available: http://an-ethical- injection-attacks, Accessed 16 June, 2021.
hacker.blogspot.com/2008/01/modes-of-ethical-hacking.html, Accessed 16 [28] Process: Scanning and Enumeration: [Online]. Available: URL:
June, 2021 https://resources.infosecinstitute.com/topic/process-scanning-and-
[20] What are the Ethical Hacking Techniques Used in the Field: [Online]. enumeration/#gref, Accessed 16 June, 2021.
Available: https://medium.com/@delhicourseshosting/what-are-the- [29] Footprinting: What Is It, Who Should Do It, and Why: [Online]. Available:
ethical-hacking-techniques-used-in-the-field-cb1c4fde85a4, Accessed 16 https://www.sans.org/reading-room/whitepapers/auditing/paper/62#,
June, 2021. Accessed 16 June, 2021
[21] What is Social Engineering? Examples & Prevention Tips: [Online]. [30] What are honeypots: [Online]. Available:
Available: https://www.webroot.com/us/en/resources/tips- articles/what-is- https://www.rapid7.com/fundamentals/honeypots/, Accessed 16 June, 2021.
social-engineering, Accessed 16 June, 2021.
[22] Phishing Attack Prevention: How to Identify & Avoid Phishing Scams in
2019”: [Online]. Available: https://digitalguardian.com/blog/phishing-
attack-prevention-how-identify-avoid-phishing-scams, Accessed 16 June,
2021.

View publication stats