Learning Path

ETHICAL HACKING ROADMAP
Beginner → Elite

A complete, structured path from IT fundamentals to full-scale red team operations and zero-day research.

🟢
LEVEL 01 // FOUNDATION
BEGINNER
Build strong IT, Linux & Networking fundamentals
5 CATEGORIES, 15 TOPICS
💻 IT & Computing Fundamentals (3 topics)
How computers work at the hardware and OS level — the bedrock of security.
How Computers, CPU & Memory Work
Understand CPU execution cycles, registers, RAM vs storage, and how data moves between components. Essential for understanding buffer overflows and memory exploitation later.
TryHackMe: Pre-Security
Operating Systems (Windows / Linux Basics)
Learn how OSes manage processes, memory, and files. Understand kernel vs userland, system calls, and why OS knowledge is critical for privilege escalation.
TryHackMe: Linux Fundamentals
File Systems, Processes & System Architecture
Understand filesystem structure (/etc, /var, /home on Linux; C:\Windows on Windows), process trees, and how attackers target configuration files and process injection.
OverTheWire: Bandit
🌐 Networking Fundamentals (3 topics)
TCP/IP, OSI model, and protocols — the foundation of all network attacks.
OSI & TCP/IP Models (Layer-by-Layer)
Master all 7 OSI layers and their TCP/IP counterparts. Attacks target specific layers — ARP at Layer 2, IP spoofing at Layer 3, TCP SYN floods at Layer 4, HTTP attacks at Layer 7.
Cisco NetAcad, Professor Messer
IP Addressing, MAC, DNS, DHCP
IPv4/v6 subnetting, MAC address structure, DNS resolution chain, and DHCP lease process. Critical for understanding ARP spoofing, DNS poisoning, and rogue DHCP attacks.
Wireshark, subnettingpractice.com
TCP vs UDP + Common Protocols
TCP three-way handshake, UDP stateless communication, and protocols: HTTP/S, FTP, SSH, SMTP, SMB, LDAP. Know default ports — every pentest starts with port enumeration.
Nmap, Wireshark
🐧 Linux Essentials (3 topics)
Linux is the hacker's OS — master the command line before everything else.
Linux Command Line (Beginner → Pro)
Navigation, file operations, piping, grep/awk/sed, find, netstat, ps, cron — all essential for post-exploitation enumeration and scripting automation.
OverTheWire: Bandit, LinuxCommand.org
File Permissions & Ownership
rwx bits, octal notation, SUID/SGID/sticky bit — SUID binaries are one of the most common Linux privilege escalation vectors. Understand chmod, chown, and find for SUID discovery.
GTFOBins
Package Management (APT / YUM)
Installing, updating, and managing software on Debian/Ubuntu and RHEL-based systems. Critical for setting up Kali tools and managing lab environments.
Kali Linux
🛡️ Cybersecurity Basics (3 topics)
Core security concepts, threat landscape, and ethical hacking principles.
CIA Triad (Confidentiality, Integrity, Availability)
The three pillars of information security. Every attack can be mapped to breaking one or more: data theft = confidentiality, tampering = integrity, DDoS = availability.
CompTIA Security+
Types of Hackers (White / Grey / Black)
Legal and ethical distinctions between penetration testers, bug bounty hunters, security researchers, and malicious actors. Know the law before you touch anything.
CEH
Common Cyber Attacks & Threat Landscape
Phishing, ransomware, supply chain attacks, zero-days, social engineering. Understanding attacker motivation and TTPs before you learn the technical execution.
MITRE ATT&CK
🔧 Beginner Tools & Labs (3 topics)
Set up your first hacking lab and learn the essential first tools.
VirtualBox / VMware (Lab Environment)
Build an isolated virtual lab with attacker (Kali) and target (Metasploitable, DVWA) VMs on a host-only network. Never practice on live systems without written permission.
VirtualBox, VMware, Metasploitable 2
Kali Linux (Introduction)
The industry-standard penetration testing distribution. Learn to navigate the toolset, understand the purpose of major categories (recon, exploitation, forensics), and customize your environment.
Kali Linux, TryHackMe
Nmap Basics (Scanning & Enumeration)
Port scanning, service version detection, OS fingerprinting, and NSE scripts. Every pentest starts with Nmap. Master -sV, -sC, -O, -A, and stealth scan options.
Nmap, HackTheBox: Starting Point
🟡
LEVEL 02 // REAL-WORLD SKILLS
INTERMEDIATE
Practice real-world hacking techniques on lab environments
5 CATEGORIES, 15 TOPICS
📡 Networking Attacks (3 topics)
Layer 2/3 attacks — ARP, DNS spoofing, and man-in-the-middle techniques.
ARP Spoofing
Sending forged ARP replies to associate your MAC with another host's IP, redirecting their traffic through your machine. Foundation of LAN-based MITM attacks.
arpspoof, Bettercap
DNS Spoofing
Injecting false DNS responses to redirect victims to malicious servers. Used for credential harvesting and phishing infrastructure. Requires MITM position first.
Bettercap, dnsspoof
Man-in-the-Middle (MITM) Attacks
Full MITM chain: ARP poison → intercept → SSL strip → credential capture. Practice in lab with Wireshark to see the full packet flow.
Bettercap, mitmproxy, Wireshark
🌍 Web Application Security (4 topics)
The most common attack surface — OWASP Top 10, SQLi, XSS, and auth flaws.
OWASP Top 10 (In-Depth)
Deep-dive into all 10 categories: Broken Access Control, Crypto Failures, Injection, Insecure Design, Misconfiguration, Vulnerable Components, Auth Failures, Integrity Failures, Logging Failures, SSRF.
Burp Suite, OWASP WebGoat, DVWA
SQL Injection (SQLi)
Union-based, error-based, blind, and time-based SQLi. From basic auth bypass (`' OR '1'='1`) to full DB dump and sometimes OS-level command execution via INTO OUTFILE.
sqlmap, Burp Suite, HackTheBox
XSS & CSRF
Stored, reflected, and DOM-based XSS. CSRF token bypass. XSS can lead to session hijacking, credential theft, and DOM manipulation. Critical for bug bounty.
XSStrike, dalfox, PortSwigger Labs
Authentication & Authorization Flaws
JWT attacks (algorithm confusion, none alg), IDOR, broken object-level auth, session fixation, password reset poisoning. Highest-value findings in bug bounty.
jwt_tool, Burp Suite, PortSwigger Labs
💻 System Exploitation (3 topics)
Password attacks, privilege escalation, and misconfiguration exploitation.
Password Cracking Techniques
Dictionary attacks, brute-force, rule-based attacks, and rainbow tables. Understanding hash types (MD5, SHA1, bcrypt, NTLM) and where to find them (shadow files, SAM database).
Hashcat, John the Ripper, RockYou wordlist
Privilege Escalation (Linux / Windows)
Linux: SUID/SGID binaries, sudo -l misconfiguration, writable cron jobs, /etc/passwd writable. Windows: unquoted service paths, AlwaysInstallElevated, token impersonation, DLL hijacking.
LinPEAS, WinPEAS, GTFOBins, LOLBAS
Security Misconfiguration Exploits
Default credentials on services, open admin panels (Tomcat, phpMyAdmin), S3 bucket misconfigs, exposed .git directories, and debug mode endpoints leaking secrets.
Nuclei, dirsearch
📶 Wireless Attacks (3 topics)
Wi-Fi security — WPA cracking, evil twin attacks, and rogue access points.
Wi-Fi Hacking Fundamentals
802.11 frame types, monitor mode, packet injection, and the 4-way WPA handshake. Requires a wireless adapter that supports monitor mode and packet injection.
Aircrack-ng suite, Alfa AWUS036ACH
WPA / WPA2 Attacks
Capture the 4-way handshake via deauth attack, then offline brute-force with Hashcat. PMKID attack for capturing without a connected client. WPS PIN attacks via Reaver.
Aircrack-ng, Hashcat, hcxdumptool
Evil Twin & Rogue AP Attacks
Clone a legitimate AP's SSID and BSSID, deauth clients from the real AP, capture credentials via captive portal on the fake AP. Advanced social engineering at Layer 2.
hostapd-wpe, airbase-ng
⚒️ Intermediate Tools (3 topics)
Burp Suite, Metasploit, and password cracking — the core professional toolkit.
Burp Suite
The industry-standard web app testing proxy. Master Proxy, Repeater, Intruder, Scanner, Collaborator. Every serious web pentester lives in Burp Suite daily.
Burp Suite Pro, PortSwigger Web Security Academy, BSCP
Metasploit Framework
msfconsole, modules (auxiliary/exploit/post), msfvenom payload generation, Meterpreter sessions. The most-used exploitation framework in professional pentesting engagements.
Metasploit, msfvenom, Metasploitable 2
Hydra / John the Ripper
Hydra for online service brute-force (SSH, FTP, HTTP forms, RDP). John for offline hash cracking with wordlists and custom rules. Essential for credential attacks.
Hydra, John the Ripper, Hashcat
🔴
LEVEL 03 // PROFESSIONAL
ADVANCED
Become a job-ready ethical hacker and penetration tester
5 CATEGORIES, 15 TOPICS
💥 Advanced Exploitation (3 topics)
Buffer overflows, custom exploits, and post-exploitation techniques.
Buffer Overflow (Basic → Advanced)
Stack-based buffer overflow: fuzzing, finding EIP offset, controlling EIP, finding bad characters, locating JMP ESP, generating shellcode. OSCP-level skill — mandatory for the certification.
pwndbg, pwntools, TryHackMe: BOF Prep, OSCP
Custom Exploit Development
Adapting and writing exploits in Python. Understanding ASLR, DEP/NX, and basic ROP chain concepts. Moving beyond public PoCs to target-specific exploitation.
pwntools, GDB, IDA Free
Post-Exploitation Techniques
What to do after getting a shell: situational awareness, local enumeration, credential harvesting, pivoting setup, C2 establishment, and evidence-based impact demonstration.
Meterpreter, Empire, chisel
🏰 Active Directory Attacks (3 topics)
AD is in 90% of enterprises — mastering it is essential for pentesters.
Kerberoasting
Request TGS tickets for service accounts as any authenticated domain user, then crack them offline. Highly effective when service accounts have weak passwords — common in real environments.
Rubeus, Impacket GetUserSPNs, Hashcat
Pass-the-Hash / Pass-the-Ticket
Using captured NTLM hashes or Kerberos tickets without cracking them. PtH works against services using NTLM authentication. PtT impersonates users by injecting TGTs/TGS tickets.
CrackMapExec, Mimikatz, Rubeus
Domain Privilege Escalation
ACL abuse, DCSync attack, Golden/Silver ticket attacks, AS-REP Roasting, BloodHound attack path analysis to domain admin. The ultimate goal in AD environments.
BloodHound, PowerView, Mimikatz
🔴 Red Team Techniques (3 topics)
Lateral movement, persistence, and evasion — operating like a real threat actor.
Lateral Movement
Moving from compromised host to other systems using PtH, PsExec, WMI, WinRM, SMB. Pivoting through networks using port forwarding and SOCKS proxies via chisel or SSH tunneling.
CrackMapExec, Impacket, chisel, proxychains
Persistence Mechanisms
Maintaining access across reboots and credential rotations: cron jobs, registry Run keys, scheduled tasks, SSH key injection, web shells, DLL hijacking for service persistence.
Metasploit post modules, Empire
AV / EDR Evasion Techniques
Payload obfuscation, AMSI bypass, process injection (DLL injection, process hollowing), living-off-the-land binaries (LOLBAS), and custom C2 profiles to evade signature detection.
msfvenom encoders, Shellter, Donut
🐍 Scripting & Automation (3 topics)
Automate attacks and build custom tools to scale your capabilities.
Bash Scripting
Automating recon pipelines: parallel subdomain enumeration, auto-screenshotting, log parsing, and chaining Nmap → Nikto → ffuf into single-command workflows.
bash, xargs, parallel, jq
Python for Ethical Hackers
Building custom exploit PoCs, HTTP fuzzing scripts, packet crafting with Scapy, async recon automation, and parsing tool output programmatically for reporting.
Python 3, requests, scapy, pwntools
Tool Development & Customization
Writing custom Nuclei templates for target-specific vulnerability detection, building Burp Suite extensions in Python/Java, and developing specialized recon or exploitation tools.
Nuclei YAML, Burp Extender API, Go
📋 Reporting & Ethics (3 topics)
Professional pentest reports, CVSS scoring, and legal boundaries.
Professional Pentest Report Writing
Executive summary, technical findings, reproduction steps, evidence (screenshots/request-response captures), and remediation recommendations. A strong report is what clients actually pay for.
Dradis, PlexTrac, OSCP Report Format
Risk, Impact & Mitigation Analysis
CVSS v3.1 scoring, OWASP Risk Rating methodology, business context adjustment for asset criticality, and writing actionable remediation advice developers can actually implement.
CVSS v3.1, OWASP Risk Rating
Legal Boundaries & Ethical Hacking Laws
Computer Fraud and Abuse Act (USA), Computer Misuse Act (UK), rules of engagement, written authorization requirements, responsible disclosure processes, and bug bounty program rules.
CEH, CPEH
🟣
LEVEL 04 // MASTERY
ELITE
Master offensive security research, zero-days, and community leadership
5 DOMAINS
DEPTH
🏴
Full-Scale Red Team Ops
Multi-phase operations simulating nation-state or APT-level adversaries — initial access, persistence, lateral movement, data exfiltration, and full impact reporting across enterprise environments.
🔬
Zero-Day Research
Original vulnerability discovery through fuzzing, code auditing, and static/dynamic analysis. CVE assignment, coordinated disclosure, and working with vendor security teams.
🦠
Advanced Malware & Reverse Engineering
Full malware analysis pipelines, writing custom implants in C/C++/Go, rootkit development, kernel-level exploitation, and defeating advanced anti-analysis techniques.
🌍
Nation-State Attack Simulations
APT-level threat emulation using MITRE ATT&CK for Enterprise. Simulating Lazarus Group, APT29, and FIN7 TTPs in controlled red team exercises with full OPSEC considerations.
🎓
Teaching & Research
Writing CVEs, publishing research papers, speaking at DEF CON / Black Hat, building open-source tools used by the community, and mentoring the next generation of security professionals.
Guidance

HOW TO USE THIS ROADMAP

Don't skip levels. Each one builds on the last.

01
BUILD THE BASE
Complete every Beginner topic before moving on. Weak foundations create dangerous knowledge gaps at advanced levels.
02
PRACTICE DAILY
30–60 minutes on TryHackMe, HackTheBox, or DVWA every day beats weekend cramming. Consistency is everything.
03
GET CERTIFIED
CompTIA Security+ → eJPT → OSCP is the proven path to getting hired as a security professional. Certs open doors; skills keep them open.
04
DOCUMENT EVERYTHING
Build a portfolio of writeups, lab notes, and custom tools. Employers hire people who can prove they know it — not just claim it.

READY TO START YOUR JOURNEY?

See Prakash's active projects, lab environments, and skill progression built on this exact roadmap.