When most people picture hacking, they imagine someone furiously typing until a green "ACCESS GRANTED" flashes on screen. The reality is far more methodical — and far more interesting. Real attackers, and the ethical hackers who defend against them, follow a repeatable process. Learn that process, and you stop guessing; you start hunting with purpose.
In this post, I'll walk through the five classic stages of ethical hacking, why each one matters, and the kinds of tools you'll meet along the way.
A quick but important note: Everything below is meant for systems you own or have written permission to test. Doing any of this without authorization is illegal. Ethical hacking is defined by that permission — not by the techniques.
What Is Ethical Hacking, Really?
Ethical hacking is the practice of legally probing systems, networks, and applications to find weaknesses before a malicious attacker does. The ethical hacker thinks like the adversary but plays for the other team: they operate within an agreed scope and, crucially, they report what they find so it can be fixed.
To stay organized, the industry breaks an engagement into five stages. They aren't a rigid checklist so much as a way of thinking — and once you internalize them, they start to feel like second nature.
Stage 1 — Reconnaissance: Knowledge Is Leverage
Every good attack starts with homework. Reconnaissance is about gathering as much information as possible about the target to map out its attack surface.
There are two flavors:
Passive recon never touches the target directly, so it leaves no trace. You're mining public sources — WHOIS records, DNS data, social media, job postings, leaked credentials, Google dorking. Tools like the Harvester, Maltego, and Shodan shine here.
Active recon does interact with the target — ping sweeps, light probing, direct DNS queries — which means it can be logged and detected. It's noisier, but it confirms what's actually live.
The lesson every beginner eventually learns: the engagement is usually won or lost right here. The more you know now, the easier everything that follows becomes.
Stage 2 — Scanning & Enumeration: From Picture to Blueprint
Recon gives you a broad picture. Scanning and enumeration turn it into a detailed blueprint.
Scanning actively probes the target to discover live hosts, open ports, running services, software versions, and the underlying OS. This is Nmap territory — plus tools like Masscan, Nessus, and OpenVAS for heavier vulnerability checks.
Enumeration goes deeper, pulling specific details out of the services you found: SMB shares and usernames, web directories and technologies, SNMP and LDAP data, FTP banners. Each finding gets matched against vulnerability databases like CVE and Exploit-DB to spot known, exploitable weaknesses.
If recon is scouting the building from the street, enumeration is reading the names on every door.
Stage 3 — Gaining Access: The Foothold
This is the stage everyone thinks of as "hacking." Using what you've learned, you exploit a vulnerability to get a foothold — through a public exploit, a custom payload, a password attack, a web flaw like SQL injection, or a well-crafted phishing email.
But the first foothold is rarely the finish line. You usually land as a low-privilege user and then work on privilege escalation to reach administrator or root. From there, post-exploitation kicks in: you run recon and enumeration again, but now from inside the network, hunting for credentials and new targets so you can pivot laterally. Tools like Metasploit, Hashcat, sqlmap, BloodHound, and Mimikatz live in this stage.
Stage 4 — Maintaining Access: Staying In
Getting in once is good. Being able to return whenever you want is what demonstrates real impact.
Persistence means setting up a reliable way back in that survives reboots and logoffs — backdoors, web shells, reverse shells phoning home to a C2 server, scheduled tasks, or a planted SSH key. In a real attack this is how adversaries dig in for the long haul. In an ethical engagement, every one of these mechanisms is documented and then cleanly removed when the test is done.
Stage 5 — Covering Tracks: Testing the Defenders
Finally, an attacker tries to erase their footprints — clearing logs, deleting tools, timestomping files, and disabling auditing. For an ethical hacker, this stage has a defensive purpose: it tests whether the organization's monitoring, SIEM alerts, and incident response would actually catch the tampering.
The ethical twist is that while a real attacker hides for good, the tester keeps a meticulous private record of every action — so the client can understand exactly what happened and harden against it.
It's a Loop, Not a Line
Here's the part diagrams often get wrong: these stages don't run once, top to bottom. The moment you gain access to a new system, you loop right back to recon and scanning from that new vantage point. An engagement is really a series of these cycles, each one pushing deeper into the environment.
Why This Matters
You can only defend against an attack chain you understand. Studying these five stages isn't about learning to break things — it's about learning to see the way an attacker sees, so you can close the gaps before someone with bad intentions finds them.
Master the mindset, respect the rules, and remember the real goal: not just to break in, but to leave every system stronger than you found it.
Part of my PNPT study notes. Got feedback or a war story? I'd love to hear it.
