How To Perform An Ethical Hack
Created | Updated Jan 28, 2002
Ethical hacking is sometimes also referred to as penetration testing or security evaluation, and is performed on a variety of systems and networks.
The idea is to simulate an attack by malicious crackers, but instead of using any weaknesses you find to steal money from bank accounts or leave a rude message on a website, you tell your client about the weaknesses and suggest how they should fix their systems. This is what differentiates it from ordinary hacking or cracking and, indeed, makes it possible to do legally.
What you will need
Firstly, it really helps if you have signed, written permission to do this kind of work. You need this permission from somebody who owns or maintains the systems you're going to be breaking into, or else you could fall foul of cybercrime laws in several nations, such as the Computer Misuse Act (1990) in the United Kingdom. It is also quite normal to have a non-disclosure agreement with your client, stating that you won't be telling anyone else about any security problems you find in their infrastructure.
You will also need a reasonable knowledge of whatever platform your target system is running on. This may not always be possible, as quite often, you won't know what you're up against until you probe the system yourself.
You need a computer. A laptop is handy, and if you can dual-boot Windows and Linux, then great - it will increase the number of script kiddy tools available to you. If you have to plug your computer into another network in order to do your testing, make sure you have a suitable network card. There is no point turning up with state-of-the-art Gigabit Ethernet capabilities if the network is based on Token Ring.
Initial Information
Firstly, you need to scan the systems or networks which you're going to try to break into. The first step is to perform a portscan. There are plenty of portscanners available for free, and commercial tools such as ISS include a portscanner as part of the software. A portscan probes every port on every system in order to find out what's running. For example, if the portscanner finds TCP port 80 to be open, the machine is most likely a webserver, because port 80 is the well-known port for HTTP. If you have a good portscanner, it may even be able to tell you what kind of webserver it has found.
Don't stop at just a simple portscan. Have a look at the targets yourself, and try to use whatever services they appear to be running. In the example of a webserver, you might find some files ending in .CFM, meaning that the webserver is also running Cold Fusion on top of whatever web service it appears to have. This is useful information. You may also want to look through Usenet to find postings from your client's staff. Sometimes, staff will post technical questions to groups which give away a great deal about their infrastructure, and possibly weaknesses within it.
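The two steps above (find open TCP ports, then look at what the service says about itself) are easy to see in code. The following is an added example, not part of the original article: a small TCP connect scanner with an HTTP banner grab that pulls out the Server header and the file extensions linked from the front page (so a .cfm link shows up the way the article describes). To keep it self-contained, it starts its own fake webserver on the loopback interface; the Server header value and the links it returns are constructed sample data, not taken from any real host.

```python
import re
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# --- constructed target: a fake webserver on the loopback interface ---------
# The Server header and the links below are made-up sample values, chosen so
# that the scanner has something to recognise.
FAKE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Apache/1.3.20 (Unix)\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b'<html><a href="/login.cfm">Login</a> '
    b'<a href="/docs/index.html">Docs</a></html>\r\n'
)


class FakeWebServer:
    """Minimal listener that answers any request with FAKE_RESPONSE."""

    def __init__(self):
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)          # so the accept loop can notice _stop
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                try:
                    conn.settimeout(1.0)
                    conn.recv(1024)            # read (and ignore) the request
                    conn.sendall(FAKE_RESPONSE)
                except OSError:
                    pass                       # client hung up; nothing to do

    def close(self):
        self._stop.set()
        self._sock.close()


# --- the scanner ------------------------------------------------------------
def is_open(host, port, timeout=0.5):
    """TCP connect probe: a completed handshake means something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Probe each port in parallel and return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, is_open(host, p, timeout)), ports))
    return sorted(p for p, open_ in results if open_)


def grab_http_banner(host, port, timeout=2.0):
    """Fetch / and report the Server header plus file extensions linked from it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break                          # service went quiet; use what we have
            if not chunk:
                break
            data += chunk
    text = data.decode("latin-1")
    m = re.search(r"^Server:\s*(.+?)\r?$", text, re.M | re.I)
    exts = {e.lower() for e in re.findall(r'href="[^"]*?(\.[A-Za-z0-9]+)"', text)}
    return {"server": m.group(1) if m else None, "extensions": sorted(exts)}


if __name__ == "__main__":
    target = FakeWebServer()
    # Scan the fake server's port and its immediate neighbours on loopback.
    ports = list(range(target.port - 3, target.port + 4))
    open_ports = scan_ports("127.0.0.1", ports)
    print("open ports:", open_ports)
    for p in open_ports:
        try:
            print(p, grab_http_banner("127.0.0.1", p))
        except OSError as exc:
            print(p, "banner grab failed:", exc)
    target.close()
```

The connect probe only reports whether the three-way handshake completes; the banner grab is what turns "port 80 is open" into "an Apache 1.3 server with ColdFusion pages", which is the level of detail the article says a good portscanner gives you. The same pattern extends to other text protocols (SMTP, FTP, POP3 greet you on connect), but the parsing would be per-protocol.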
Also, you might want to run traceroute to some of your targets, as you will want to know what stands between you and your target.
More to come
Until I've finished writing the thing, I'm just going to point you towards these fine sites:
Resources
The SANS Institute
Security Focus
Fyodor's Playhouse
Astalavista
COTSE