Essential Q&A on White‑Hat Hacking and Core Information Security Concepts
This article provides concise answers to 24 common questions about white‑hat hacking, covering definitions, tools, attack techniques such as footprinting, brute‑force, DoS, SQL injection, ARP spoofing, XSS, and practical defenses like input validation, firewalls, encryption, and secure coding practices.
White‑hat hacker
A white‑hat hacker is a security professional who receives explicit permission from the system owner to probe, discover vulnerabilities, and remediate them.
IP address vs. MAC address
IP address : Logical identifier assigned to each host to enable routing on a network.
MAC address : Fixed hardware identifier burned into each network interface controller (NIC) and used for link‑layer communication.
Common penetration‑testing tools
Kali Linux – a Debian‑based distribution that bundles dozens of security utilities.
Metasploit Framework – a modular exploit development and execution platform.
Wireshark – a packet capture and analysis GUI.
Nmap – network mapper for host discovery, port scanning, and service fingerprinting.
John the Ripper – password‑cracking utility supporting dictionary, brute‑force, and hybrid attacks.
Maltego – visual link‑analysis tool for open‑source intelligence (OSINT).
Hacker classifications
Grey‑hat (or cyber‑warrior) – operates between ethical and malicious boundaries.
Black‑hat – conducts illegal attacks for personal gain.
White‑hat – performs authorized security testing.
Certified white‑hat – holds formal security certifications (e.g., OSCP, CEH).
Red‑hat – focuses on offensive security research.
Hacktivist – attacks driven by political or social motives.
Footprinting techniques
Footprinting is the pre‑engagement phase of gathering information about a target network.
Open‑source intelligence (OSINT) : Collect publicly available data such as domain registrations, employee emails, and social‑media profiles.
Network enumeration : Identify domain names, IP ranges, and autonomous system numbers.
Scanning : Use tools like Nmap or Masscan to discover live hosts, open ports, and services.
Stack fingerprinting : Send crafted probes and compare the responses against known TCP/IP stack signatures to infer the operating system and middleware versions.
Brute‑force attacks
Brute‑force attacks systematically try every possible password or key combination until a correct one is found. Tools such as hydra, medusa, or hashcat automate credential guessing against services like SSH, FTP, HTTP, and RDP.
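The defender's side of a brute‑force attack is spotting it in authentication logs. The following is an added example (not from the original article): a small detector that parses sshd‑style "Failed password" lines, keeps a sliding one‑minute window of failures per source address, and raises an alert when a source crosses a threshold, also recording which usernames it tried (a password‑spraying indicator). The log lines, threshold and window are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines for the demonstration (not a real capture).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51222 ssh2
2024-05-01T10:00:02 sshd[1201]: Failed password for root from 203.0.113.7 port 51223 ssh2
2024-05-01T10:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51224 ssh2
2024-05-01T10:00:04 sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 51225 ssh2
2024-05-01T10:00:05 sshd[1201]: Failed password for admin from 203.0.113.7 port 51226 ssh2
2024-05-01T10:00:09 sshd[1208]: Accepted password for alice from 198.51.100.20 port 40210 ssh2
2024-05-01T10:03:00 sshd[1210]: Failed password for alice from 198.51.100.20 port 40211 ssh2
2024-05-01T10:20:00 sshd[1299]: Failed password for alice from 198.51.100.20 port 40300 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= `threshold` failed logins inside any `window`.

    Returns {ip: {"first": iso-timestamp, "attempts": n, "users": [...]}} with one
    entry per offending IP, recorded the moment the threshold is first crossed.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> usernames tried (spraying indicator)
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first": q[0].isoformat(), "attempts": len(q),
                          "users": sorted(users[ip])}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The same shape of rule (count per key inside a time window) is what fail2ban‑style tools and SIEM correlation searches implement; the threshold and window are the tuning knobs, and the distinct‑user count separates a single‑account brute force from spraying across many accounts.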
Denial‑of‑Service (DoS) attacks
A DoS attack overwhelms a target’s resources with excessive traffic or malformed packets, rendering the service unavailable.
Buffer‑overflow‑based DoS – exploits memory‑corruption bugs to crash applications.
SYN flood – sends a flood of TCP SYN packets with spoofed source addresses, exhausting the server’s half‑open connection table.
Teardrop – transmits overlapping IP fragments that cannot be reassembled.
Smurf – uses ICMP echo‑request amplification to flood a network.
Malware‑based DoS – deploys botnets that generate massive traffic volumes.
SQL injection
SQL injection injects malicious SQL statements into an application’s input fields (e.g., form fields, URL parameters). When the backend concatenates user input into a query without proper sanitisation, the attacker can manipulate the query to read, modify, or delete data, or even execute administrative commands.
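To make the concatenation problem concrete, here is an added example (not part of the original article) using Python's built‑in sqlite3 module against a constructed in‑memory user table. The first login function builds the statement by string formatting, so a textbook tautology payload in the password field changes the query's logic; the second passes the same values as bound parameters, so they are never parsed as SQL.

```python
import sqlite3

# Classic tautology payload, included only to show why the two functions differ.
INJECTION = "' OR '1'='1"


def make_db():
    """Constructed in-memory table for the demonstration (no real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable: user input is spliced straight into the SQL text, so quote
    # characters in the input terminate the literal and become SQL syntax.
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    # Hardened: '?' placeholders send the values separately from the statement,
    # so the payload is compared as an ordinary string and matches nothing.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice", INJECTION))  # every row
    print("safe:      ", login_safe(db, "alice", INJECTION))        # []
```

The vulnerable query becomes `... WHERE username = 'alice' AND password = '' OR '1'='1'`, and because AND binds tighter than OR the final OR makes the predicate true for every row. Prepared statements (or an ORM that uses them underneath) fix this by construction; escaping input by hand is error‑prone and should not be relied on.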
Network sniffing
Network sniffing captures packets traversing a network segment. Tools like Wireshark, tcpdump, or tshark allow analysts to inspect protocol headers and payloads for troubleshooting, while attackers can harvest credentials, session cookies, or other sensitive data.
ARP spoofing (ARP poisoning) and mitigation
ARP spoofing sends forged ARP reply packets, causing a victim’s ARP cache to associate the attacker’s MAC address with the IP address of a legitimate host (e.g., the default gateway). This enables man‑in‑the‑middle attacks.
Mitigation strategies:
Enable dynamic ARP inspection (DAI) on managed switches, or configure static ARP entries for critical hosts such as the default gateway.
Deploy packet‑filtering rules that drop ARP replies with conflicting MAC/IP pairs.
Use ARP‑spoof detection tools (e.g., arpwatch, XArp).
Encrypt traffic with TLS/SSH/HTTPS to protect confidentiality even if ARP is compromised.
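Detection tools such as arpwatch work by remembering which MAC address last answered for each IP and alerting on changes. The following is an added example (not from the original article, and not arpwatch's code) that applies the same idea to a constructed list of observed ARP replies: it alerts when an IP's MAC changes, when a reply contradicts a static entry, and when one MAC starts claiming several IPs.

```python
from collections import defaultdict

# Constructed ARP reply observations as (time, sender IP, sender MAC). Not a real
# capture: the gateway 192.168.1.1 is legitimately 00:11:22:33:44:01, and from t=9
# a second MAC starts answering for it and then for another address too.
ARP_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:01"),
    (2, "192.168.1.10", "00:11:22:33:44:10"),
    (3, "192.168.1.11", "00:11:22:33:44:11"),
    (9, "192.168.1.1", "DE:AD:BE:EF:00:99"),
    (10, "192.168.1.1", "de:ad:be:ef:00:99"),
    (11, "192.168.1.11", "00:11:22:33:44:11"),
    (12, "192.168.1.12", "de:ad:be:ef:00:99"),
]


def detect_arp_spoofing(replies, static_table=None):
    """Return a list of alert dicts for suspicious ARP replies.

    Signals:
      changed          - an IP's MAC differs from the one learned earlier
      static-violation - a reply contradicts an operator-configured static entry
      duplicate        - one MAC has now claimed more than one IP
    """
    static = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    learned = dict(static)           # ip -> mac currently believed correct
    ips_by_mac = defaultdict(set)    # mac -> IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()            # normalise case before comparing
        prev = learned.get(ip)
        if prev is not None and prev != mac:
            if ip in static:
                alerts.append({"t": ts, "kind": "static-violation", "ip": ip,
                               "old": prev, "new": mac})
            else:
                alerts.append({"t": ts, "kind": "changed", "ip": ip,
                               "old": prev, "new": mac})
                learned[ip] = mac    # accept the change; repeats are not re-alerted
        elif prev is None:
            learned[ip] = mac        # first time we see this IP
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == 2:   # first time this MAC claims a second IP
            alerts.append({"t": ts, "kind": "duplicate", "mac": mac,
                           "ips": sorted(ips_by_mac[mac])})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(ARP_REPLIES, {"192.168.1.1": "00:11:22:33:44:01"}):
        print(a)
```

Without a static table the detector accepts the first MAC it sees as truth, so it only flags changes; supplying the gateway's known MAC turns every contradicting reply into a violation, which is what a static ARP entry or dynamic ARP inspection enforces at the switch instead of merely reporting.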
MAC flooding
MAC flooding sends a switch a large number of frames with forged source MAC addresses, exhausting its CAM (MAC address) table. Once the table is full the switch can no longer learn new addresses and floods frames for unknown destinations out of every port, allowing the attacker to capture traffic.
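The countermeasure is port security: a cap on how many source MACs one port may present. This added example (not from the original article) is a toy model of a switch's CAM table, with the capacity, the per‑port limit, the host MACs and the scenario all constructed. It runs the same scenario twice, once without and once with a per‑port limit, and shows that only in the unprotected case does a legitimate reply get flooded to every port.

```python
from collections import defaultdict

SERVER = "aa:bb:cc:00:00:02"   # legitimate host on port 2 (constructed)
CLIENT = "aa:bb:cc:00:00:01"   # legitimate host on port 1 (constructed)


class SwitchCam:
    """Toy model of a switch's CAM table with optional port security."""

    def __init__(self, capacity=4096, max_macs_per_port=None):
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port
        self.table = {}                        # mac -> port
        self.macs_per_port = defaultdict(set)
        self.err_disabled = set()              # ports shut down after a violation
        self.flooded = 0                       # frames sent out every port

    def process(self, port, src_mac, dst_mac):
        """Learn the source, then forward. Returns how the frame was handled."""
        if port in self.err_disabled:
            return "dropped"
        if src_mac not in self.table:
            limit = self.max_macs_per_port
            if limit is not None and len(self.macs_per_port[port]) >= limit:
                self.err_disabled.add(port)    # too many sources on one port
                return "violation"
            if len(self.table) < self.capacity:
                self.table[src_mac] = port
                self.macs_per_port[port].add(src_mac)
            # else: table exhausted, the source stays unlearned
        if dst_mac in self.table:
            return "forwarded"                 # unicast to the one known port
        self.flooded += 1
        return "flooded"                       # unknown destination: every port sees it


def run_scenario(max_macs_per_port):
    sw = SwitchCam(capacity=4096, max_macs_per_port=max_macs_per_port)
    # 1. The attacker on port 3 sends frames from 5000 fabricated source MACs.
    for i in range(5000):
        fake = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)
        sw.process(3, fake, "ff:ff:ff:ff:ff:ff")
    # 2. Two legitimate hosts, not yet in the table, start talking.
    sw.process(2, SERVER, CLIENT)              # first contact: destination unknown anyway
    reply = sw.process(1, CLIENT, SERVER)      # should reach port 2 only
    return sw, reply


if __name__ == "__main__":
    for limit in (None, 8):
        sw, reply = run_scenario(limit)
        print("limit", limit, "-> reply", reply, "| entries", len(sw.table),
              "| err-disabled", sorted(sw.err_disabled))
```

With no limit the fabricated addresses fill all 4096 entries, the two real hosts can never be learned, and the client's reply is flooded out of port 3 as well. With a limit of 8, port 3 is err‑disabled on its ninth address, the table holds just ten entries, and the reply is forwarded to port 2 alone. Real switches implement this as port security (with shutdown, restrict or protect violation modes) and also age entries out, which the toy model omits.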
Rogue DHCP server
A rogue DHCP server operates without administrative control, responding to DHCPDISCOVER requests and assigning malicious IP configuration (e.g., wrong DNS servers or default gateway). This can redirect client traffic for interception or denial of service.
Cross‑site scripting (XSS)
XSS injects malicious client‑side scripts into trusted web pages, enabling theft of cookies, session tokens, or execution of arbitrary actions in the victim’s browser.
Reflected (non‑persistent) XSS : Malicious script is returned in the HTTP response immediately after being supplied via a request parameter.
Stored XSS : Script is permanently stored on the server (e.g., in a database) and served to any user viewing the affected page.
DOM‑based XSS : The vulnerability resides in client‑side JavaScript that processes untrusted data and writes it to the DOM without proper sanitisation.
Burp Suite components
Burp Suite is an integrated platform for web‑application security testing. Core tools include:
Proxy – intercepts and modifies HTTP/S traffic between browser and server.
Spider – crawls the target application to map its structure.
Scanner – automated vulnerability scanner for common web flaws.
Intruder – performs customizable automated attacks (e.g., fuzzing, credential stuffing).
Repeater – manual request editing and replay.
Decoder – encodes/decodes data in various formats (Base64, URL, HTML).
Comparer – visual diff of two pieces of data.
Sequencer – analyses the randomness of session tokens.
Pharming and defacement
Pharming compromises DNS infrastructure or client hosts to redirect legitimate domain requests to malicious sites, often by altering DNS records or poisoning resolver caches.
Defacement replaces or modifies a website’s content with attacker‑controlled pages, typically to display propaganda, claim credit, or spread malware.
Web‑application hardening measures
Sanitise and validate all user inputs; employ prepared statements or ORM layers to prevent SQL injection.
Deploy a Web Application Firewall (WAF) and network firewalls to filter malicious traffic.
Set the Secure and HttpOnly flags on cookies; bind session identifiers to client IP when appropriate.
Validate input length, type, and format before processing.
Implement Content‑Security‑Policy (CSP) and output‑encoding to mitigate XSS.
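The XSS section and the hardening list above come together in how a single response is built. The following is an added example (not code from the original article) in Python's standard library only: it validates the input's length and characters, encodes output for the HTML text context so a textbook reflected‑XSS probe is rendered inert, and sets a Content‑Security‑Policy header plus a session cookie carrying the Secure, HttpOnly and SameSite attributes. The vulnerable renderer is kept beside the hardened one for contrast; the header values and cookie name are assumptions for the demonstration.

```python
import html
import secrets

# Textbook reflected-XSS probe, used here only to show the encoding difference.
XSS_PROBE = "<script>alert(1)</script>"

MAX_QUERY_LEN = 100


def validate_query(query):
    """Input validation: bound length and refuse control characters before any processing."""
    if not isinstance(query, str) or len(query) > MAX_QUERY_LEN:
        raise ValueError("query must be a string of at most %d characters" % MAX_QUERY_LEN)
    if any(ord(c) < 32 for c in query):
        raise ValueError("control characters are not allowed")
    return query


def render_unsafe(query):
    # Vulnerable pattern: untrusted input interpolated straight into the page.
    return "<p>Results for: %s</p>" % query


def render_safe(query):
    # Hardened: encode for the HTML text context so markup in the input stays inert.
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)


def build_response(query, session_id=None):
    """Assemble a hardened HTTP response: validated input, encoded body, CSP, protected cookie."""
    body = render_safe(validate_query(query))
    session_id = session_id or secrets.token_urlsafe(32)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # CSP: only same-origin script files may run, so inline script that slips
        # past encoding elsewhere in the app is still refused by the browser.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        # Secure: HTTPS only. HttpOnly: hidden from document.cookie.
        # SameSite=Lax: not sent on cross-site POSTs and other unsafe requests.
        "Set-Cookie": "session=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % session_id,
    }
    return 200, headers, body


if __name__ == "__main__":
    print(render_unsafe(XSS_PROBE))
    print(render_safe(XSS_PROBE))
    print(build_response(XSS_PROBE)[1]["Set-Cookie"])
```

Encoding must match the output context: `html.escape` is right for text nodes and quoted attributes, but data placed inside a script block, a URL or a CSS value needs a different encoder, and a template engine that auto‑escapes per context removes most of that burden.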
Keylogger trojan
A keylogger trojan runs stealthily on a compromised host, captures keystrokes, stores them locally, and periodically exfiltrates the logs to a command‑and‑control server, exposing credentials and personal data.
Enumeration
Enumeration extracts detailed system information such as hostnames, user accounts, shared resources, and running services. Techniques include SMB enumeration (e.g., enum4linux), LDAP queries, and SNMP walks.
Network Time Protocol (NTP)
NTP synchronises clocks of networked devices using UDP port 123. Accurate timekeeping (typically within ±10 ms on public networks) is essential for log correlation, Kerberos authentication, and intrusion‑detection timestamps.
Management Information Base (MIB)
MIB is a hierarchical virtual database used by SNMP to describe managed objects. Each object is identified by an Object Identifier (OID) and defines its data type, access rights, and semantics.
Password‑cracking techniques
Brute‑force – tries every possible character combination.
Hybrid – combines dictionary words with brute‑force mutations (e.g., appending numbers).
Dictionary – uses a pre‑compiled list of common passwords or leaked credential sets.
Rule‑based – applies transformation rules (e.g., leet‑speak, capitalization) to a base wordlist.
Attack lifecycle
Initial access – gaining a foothold via phishing, exploitation, or credential theft.
Privilege escalation – elevating rights to administrator or root.
Persistence – installing backdoors, scheduled tasks, or rootkits to maintain access.
Covering tracks – clearing logs, modifying timestamps, and removing artifacts.
Cross‑site request forgery (CSRF) mitigation
CSRF tricks an authenticated user’s browser into sending unintended state‑changing requests. Mitigation includes:
Embedding unpredictable, per‑session CSRF tokens in HTML forms and AJAX requests.
Validating the Referer or Origin header on state‑changing endpoints.
Setting the SameSite attribute on the session cookie so the browser withholds it from cross‑site requests.
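The three mitigations listed above can be applied to one request as a single check. This is an added example (not from the original article): a per‑session token generated with the secrets module, embedded in the form, compared in constant time on submission, followed by an Origin check with Referer as the fallback. The site origin, header names and form field name are assumptions for the demonstration.

```python
import hmac
import html
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://example.com"   # assumed origin of the protected application


class Session:
    """Minimal server-side session holding an unpredictable per-session CSRF token."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def render_form(session):
    # The token rides along as a hidden field; the forging site cannot read it
    # because the same-origin policy keeps it from seeing our pages.
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="amount"><button>Send</button></form>'
            % html.escape(session.csrf_token, quote=True))


def origin_allowed(headers, site_origin=SITE_ORIGIN):
    """Accept only if Origin (or, failing that, Referer) names our own origin."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site_origin
    referer = headers.get("Referer")
    if referer:
        p = urlparse(referer)
        return "%s://%s" % (p.scheme, p.netloc) == site_origin
    return False   # neither header present: refuse the state-changing request


def csrf_check(session, form, headers, site_origin=SITE_ORIGIN):
    """Return (ok, reason) for a state-changing request."""
    submitted = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False, "token mismatch"
    if not origin_allowed(headers, site_origin):
        return False, "bad origin"
    return True, "ok"


if __name__ == "__main__":
    s = Session()
    print(render_form(s))
    print(csrf_check(s, {"csrf_token": s.csrf_token}, {"Origin": SITE_ORIGIN}))
    print(csrf_check(s, {}, {"Origin": "https://attacker.example"}))
```

The token check is the primary defence and the Origin check is defence in depth; a SameSite=Lax or Strict session cookie, set as in the hardening section above, means a forged cross‑site POST arrives without the cookie at all and fails before either check runs.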
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.