Chapter 1: Exercises — Introduction to Ethical Hacking

These exercises progress from foundational knowledge to applied analysis. They are designed to reinforce the concepts from Chapter 1 and begin building the mindset of an ethical hacker. Work through them in order — later exercises build on earlier ones.


Beginner Exercises

Exercise 1.1: Defining Ethical Hacking

Write a one-paragraph definition of ethical hacking that you could use to explain the profession to a non-technical family member. Your definition should address what ethical hackers do, why they do it, and how they differ from criminal hackers. Avoid jargon. Then write a second paragraph explaining it to a CTO. Compare the two — what changes and what stays the same?

Exercise 1.2: Authorization Scenarios

For each of the following scenarios, determine whether the person is acting as a white hat, black hat, or gray hat hacker. Justify your answer in 2-3 sentences each.

a) A security consultant runs a vulnerability scan against a client's web application as specified in a signed Statement of Work.

b) A university student discovers a SQL injection vulnerability in their school's registration system while filling out a course enrollment form. They exploit it to access the database, confirm it contains student records, and then email the IT department about the vulnerability.

c) A former employee uses credentials that were never revoked to access the company's internal wiki and download proprietary documentation after being terminated.

d) A bug bounty hunter finds a critical vulnerability in a company's API. The company has a published bug bounty program. The hunter reports the finding through the program and receives a $5,000 bounty.

e) A security researcher discovers a zero-day vulnerability in a popular open-source library. They privately notify the maintainer and give them 90 days to patch before publishing details.

f) A hacktivist group defaces the website of a company they accuse of environmental destruction, replacing the homepage with evidence of pollution.

Exercise 1.3: Computer Crime Law Research

Research the primary computer crime law in your country (e.g., CFAA in the U.S., Computer Misuse Act in the UK, or equivalent). Write a one-page summary that includes:
- The name and year of the law
- What activities it criminalizes
- Potential penalties for violations
- Any exemptions or safe harbors for security research
- At least one notable case where the law was applied

Exercise 1.4: Penetration Testing Lifecycle Matching

Match each activity to the correct phase of the penetration testing lifecycle (Planning/Recon, Scanning/Enumeration, Exploitation, Post-Exploitation, Reporting):

a) Running Nmap to discover open ports on a target server
b) Signing a Non-Disclosure Agreement with the client
c) Using Mimikatz to extract passwords from memory on a compromised Windows server
d) Writing an executive summary that explains findings to the CEO
e) Searching LinkedIn for employees of the target company
f) Exploiting a SQL injection vulnerability to gain access to a database
g) Moving from a compromised web server to an internal database server
h) Defining which IP addresses are in scope for testing
i) Running Nessus to identify known vulnerabilities
j) Creating a CVSS score for each finding


Intermediate Exercises

Exercise 1.5: The Business Case Presentation

You are a security consultant meeting with the CFO of a mid-sized manufacturing company. The CFO has expressed skepticism about spending $75,000 on an annual penetration test. Prepare a one-page briefing (bullet points are fine) that makes the business case for penetration testing. Include:
- At least three specific financial risks of not testing
- Relevant statistics from industry reports
- Regulatory or compliance drivers
- A comparison of pentest cost vs. potential breach cost
- A non-financial benefit that might resonate with the CFO

Exercise 1.6: Scope Document Analysis

A client has provided the following pentest scope:

"We authorize XYZ Security to test our patient portal at https://portal.medsecure-example.com and the associated API at https://api.medsecure-example.com. Testing may include authentication testing, injection testing, and business logic testing. Social engineering is not authorized. Testing should occur between 10 PM and 6 AM EST to minimize impact on users. The database server at 10.0.1.50 is explicitly out of scope. Findings rated Critical or High should be reported immediately to security@medsecure-example.com."

Identify:
a) What is in scope?
b) What is explicitly out of scope?
c) What is ambiguous or missing from this scope document?
d) What questions would you ask the client before beginning the engagement?
e) If during testing you discover a SQL injection in the API that leads to the database server at 10.0.1.50, what should you do?
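Experienced testers turn a scope letter like the one above into a machine-checkable rules file before the first packet is sent, so that every target, technique and testing time is validated against the signed authorization rather than against memory. The script below is an added example written for this exercise; it is not part of the book and not a tool from XYZ Security. It encodes only what the quoted scope says (the two hostnames, the 10.0.1.50 exclusion, the three authorized technique categories, the social-engineering prohibition and the 10 PM to 6 AM window). The names `Scope`, `target_status`, `technique_status`, `in_testing_window` and `next_step` are this example's own, and "EST" is deliberately taken literally as UTC-5, since whether the client meant that or local New York time is exactly the kind of ambiguity question (c) asks you to find.

```python
"""Scope guard for the Exercise 1.6 engagement (constructed example, not the book's code)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# The scope letter says "EST", so we model a fixed UTC-5 offset. If the client
# actually meant local time (EDT in summer) the window shifts by an hour; that
# is a question to raise with the client, not something to guess.
EST = timezone(timedelta(hours=-5), "EST")


@dataclass(frozen=True)
class Scope:
    in_scope_hosts: frozenset          # hostnames the letter explicitly authorizes
    out_of_scope_networks: tuple = ()  # ip_network objects the letter excludes
    authorized_techniques: frozenset = frozenset()
    forbidden_techniques: frozenset = frozenset()
    window_start: time = time(22, 0)   # 10 PM
    window_end: time = time(6, 0)      # 6 AM the following morning


# Everything below is transcribed from the quoted scope letter.
MEDSECURE = Scope(
    in_scope_hosts=frozenset({"portal.medsecure-example.com",
                              "api.medsecure-example.com"}),
    out_of_scope_networks=(ip_network("10.0.1.50/32"),),
    authorized_techniques=frozenset({"authentication", "injection", "business-logic"}),
    forbidden_techniques=frozenset({"social-engineering"}),
)


def _host_of(target: str) -> str:
    """Accept a bare hostname/IP or a full URL and return the lower-cased host."""
    parsed = urlparse(target if "://" in target else f"//{target}")
    return (parsed.hostname or "").lower()


def target_status(scope: Scope, target: str) -> str:
    """'in-scope', 'out-of-scope' (explicitly excluded) or 'unlisted' (ask the client)."""
    host = _host_of(target)
    try:
        addr = ip_address(host)
    except ValueError:
        addr = None  # a hostname, not an IP literal
    # Exclusions win over inclusions: an excluded host is never fair game.
    if addr is not None and any(addr in net for net in scope.out_of_scope_networks):
        return "out-of-scope"
    if host in scope.in_scope_hosts:
        return "in-scope"
    return "unlisted"


def technique_status(scope: Scope, technique: str) -> str:
    """'authorized', 'forbidden' or 'unlisted' for a technique category."""
    if technique in scope.forbidden_techniques:
        return "forbidden"
    if technique in scope.authorized_techniques:
        return "authorized"
    return "unlisted"


def in_testing_window(scope: Scope, when: datetime) -> bool:
    """True if `when` falls inside the nightly window; the window crosses midnight."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the EST conversion is explicit")
    local = when.astimezone(EST).time()
    start, end = scope.window_start, scope.window_end
    if start <= end:                      # ordinary same-day window
        return start <= local < end
    return local >= start or local < end  # wraps past midnight


def must_report_immediately(severity: str) -> bool:
    """The letter requires immediate notification for Critical and High findings."""
    return severity.lower() in {"critical", "high"}


def next_step(scope: Scope, target: str, technique: str, when: datetime) -> tuple:
    """Combine the checks into the go/no-go decision a tester makes before acting.

    Returns (decision, reason) where decision is one of
    'stop', 'clarify', 'wait' or 'proceed'.
    """
    t_status = target_status(scope, target)
    k_status = technique_status(scope, technique)
    if t_status == "out-of-scope":
        return ("stop", "target is explicitly excluded; record the finding and escalate to the client contact")
    if k_status == "forbidden":
        return ("stop", "technique is explicitly prohibited by the scope letter")
    if t_status == "unlisted" or k_status == "unlisted":
        return ("clarify", "not covered by the letter in either direction; get written confirmation first")
    if not in_testing_window(scope, when):
        return ("wait", "outside the authorized 10 PM to 6 AM EST window")
    return ("proceed", "target, technique and time are all authorized")


if __name__ == "__main__":
    night = datetime(2024, 1, 15, 23, 30, tzinfo=EST)
    for tgt, tech in [("https://api.medsecure-example.com/v1/patients", "injection"),
                      ("10.0.1.50", "injection"),
                      ("https://portal.medsecure-example.com", "social-engineering"),
                      ("mail.medsecure-example.com", "injection")]:
        print(f"{tgt:50} {tech:20} -> {next_step(MEDSECURE, tgt, tech, night)}")
```

Run it and the fourth line shows why the "unlisted" state exists: a host that the letter neither names nor excludes is not implicitly authorized, and the script refuses to classify it as either. The same logic answers the pivot in question (e) mechanically: the moment a discovered path resolves to 10.0.1.50, `target_status` returns `out-of-scope` regardless of how the tester got there, and `next_step` returns `stop` before any check of technique or time.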

Exercise 1.7: Ethical Dilemma Analysis

During a penetration test of a financial services company, you discover evidence that the company's CEO is embezzling funds. The evidence is in a file on a server that was within your authorized scope. What do you do? Consider:
- Your contractual obligations (NDA, scope document)
- Legal obligations (duty to report crimes?)
- Ethical obligations
- Professional consequences of different choices

Write a 500-word analysis presenting at least two possible courses of action with their pros and cons.

Exercise 1.8: MedSecure Attack Surface Mapping

Using the description of MedSecure Health Systems from Section 1.7, create an attack surface map. List every potential entry point an attacker could use, organized by:
- External (Internet-facing) attack surface
- Internal (requires network access) attack surface
- Human (social engineering) attack surface
- Physical attack surface

For each entry point, briefly note what an attacker might target and what type of threat actor would be most likely to exploit it.

Exercise 1.9: Career Path Exploration

Research three specific job postings for penetration testing or ethical hacking roles (use job boards like LinkedIn, Indeed, or specialized security job boards). For each posting, document:
- Job title and company
- Required certifications
- Required experience level
- Technical skills listed
- Salary range (if provided)
- What the job description tells you about the company's security maturity

Compare the three postings. What skills and certifications appear most frequently? What surprised you?


Advanced Exercises

Exercise 1.10: Historical Case Comparison

Research two historical hacking incidents: Kevin Mitnick's activities in the 1990s, and Marcus Hutchins (MalwareTech) and the WannaCry incident. Write a comparative analysis (750-1000 words) examining:
- What each person did
- The legal consequences they faced
- How public perception of their actions differed
- What their stories tell us about the evolving relationship between hacking and the law
- Whether you believe justice was served in each case, and why

Exercise 1.11: Rules of Engagement Design

You have been hired to conduct a penetration test of MedSecure Health Systems. Draft a complete Rules of Engagement document (1-2 pages) that covers:
- Scope (systems in and out of scope)
- Authorized testing techniques
- Testing windows and blackout periods
- Communication protocols (including emergency contact procedures)
- Data handling procedures (especially for PHI)
- Reporting requirements
- Legal and compliance considerations

Exercise 1.12: Ethical Framework Application

Apply the six-question ethical decision framework from Section 1.10.3 to the following scenario:

You are a bug bounty hunter. You discover a critical vulnerability in a hospital's patient portal that could expose 500,000 patient records. The hospital does not have a bug bounty program or a published responsible disclosure policy. You have tried to contact the hospital's IT department by email and phone, but received no response after two weeks. The vulnerability is easily exploitable and you believe it is likely that others have already discovered it. What do you do?

Work through each of the six questions systematically, then present your recommended course of action.

Exercise 1.13: Pentest Report Executive Summary

Based on the MedSecure environment described in Section 1.7, write a fictional executive summary for a penetration test report. Assume the test found the following:
- Three critical findings (you invent them based on the described environment)
- Five high-severity findings
- Eight medium-severity findings
- Twelve low/informational findings

Write the executive summary (500-750 words) targeting the CEO and Board of Directors. Include an overall risk assessment, key findings in non-technical language, and strategic recommendations. Remember: the executive summary may be the only part of the report that senior leadership reads.

Exercise 1.14: Comparing Security Testing Approaches

Create a comparison table that evaluates the following security testing approaches across at least six criteria of your choosing (e.g., cost, coverage, frequency, skill required, compliance value, realism):
- Automated vulnerability scanning
- Penetration testing
- Red team engagement
- Bug bounty program
- Code review / SAST

Then write a 300-word recommendation for MedSecure on which combination of approaches they should implement, given their size, budget, and regulatory requirements.

Exercise 1.15: Debate Preparation

Prepare arguments for BOTH sides of the following debate: "Gray hat hacking — unauthorized access with the intent to help — should be legally protected."

For each side, prepare:
- Three main arguments
- Supporting evidence or examples
- Anticipated counterarguments and rebuttals

This exercise develops your ability to see security ethics from multiple perspectives.


Practical Application

Exercise 1.16: Professional Development Plan

Based on the career paths described in Section 1.6 and your own research, create a 12-month professional development plan for breaking into ethical hacking. Include:
- Certifications to pursue (with timeline)
- Skills to develop (technical and non-technical)
- Platforms to practice on
- Communities to join
- Budget estimate
- Milestones and checkpoints

Exercise 1.17: Security News Analysis

For one week, follow cybersecurity news from at least two sources (e.g., KrebsOnSecurity, The Record, BleepingComputer, Dark Reading). At the end of the week, write a brief analysis of the most significant incident reported. Map it to the penetration testing lifecycle — at which phase could a pentest have identified the vulnerability that was exploited?


Solutions to selected exercises are available in the appendix. Exercises marked with an asterisk (*) have model answers provided.