The Ethical Hacking Roadmap repository offers a comprehensive, step-by-step guide for aspiring ethical hackers and penetration testers — from complete beginners to advanced learners. It features a structured learning path, essential tools, carefully curated resources, and trusted references to help you practice hacking legally, ethically, and effectively.
- Step-by-step learning roadmap (theory + hands-on practice)
- Essential tools for each stage of penetration testing
- Links to labs, books, CTFs, and cheatsheets
- Content tailored for both beginners and those looking to go deeper
⚠️ This project is intended for educational and ethical purposes only. Use responsibly.
This project is constantly being updated. Some content may be out of date. (Last revision: April 10, 2025)
- If you're new to information security, forget everything you know about hacking.
- Don't start using tools without reading about pen testing and how it works (see Additional resources section).
- Don't download or use tools without auditing their code.
- Don't use these tools to do stupid things like investigating/hacking without consent on your friends, or worse, your recruiter.
- Read books, manuals, and articles, be curious, and do not just be a script kiddie.
- I wish you wouldn't use these tools for illegal purposes, but if you do, I sure hope you know what you're doing.
- Practice using challenges, not real targets!
- Introduction
- Some Ethical Hacking Terms
- Difference Between Hacking and Ethical Hacking
- Languages
- Content Management Systems
- Basic Steps of Penetration Testing
- Tools by Category
- Additional Resources
- License
TOC made with: nGitHubTOC
Penetration testing is a type of security testing used to assess the security of an application. It is conducted to find security risks that might be present in a system.
If a system is not secure, an attacker may be able to disrupt it or take unauthorized control of it. A security risk is normally an accidental error introduced while developing and implementing software, for example configuration errors, design errors, and software bugs. Learn more
- Purpose: To find security weaknesses before a real attacker does.
- Method: Ethical hackers (also called white-hat hackers or pen testers) mimic the tactics and techniques of malicious hackers.
- Scope: It can include testing web applications, internal/external networks, wireless networks, mobile apps, or physical security.
- Black Box: Tester has no prior knowledge of the system.
- White Box: Tester has full knowledge, including source code and infrastructure.
- Gray Box: Tester has partial knowledge (like a user with some access).
- Reconnaissance – Gather information about the target.
- Scanning – Identify open ports, services, and vulnerabilities.
- Exploitation – Try to break in using identified weaknesses.
- Post-exploitation – Assess the impact (e.g., can data be stolen or systems controlled?).
- Reporting – Document findings and provide remediation recommendations.
- Prevents data breaches
- Helps meet compliance requirements (e.g., PCI-DSS, HIPAA)
- Builds trust with customers and stakeholders
Knowing about risks on the internet and how they can be prevented is very useful, especially as a developer. Web hacking and penetration testing is the v2.0 of self-defense! But is knowing about tools and how to use them all you need to become a pen tester? Surely not. A real penetration tester must be able to proceed rigorously and detect the weaknesses of an application. They must be able to identify the underlying technology and test every single door that might be open to hackers.
This repository aims first to establish a way of reasoning about penetration testing and to explain how to proceed to secure an application, and secondly to gather all kinds of tools and resources that pen testers need. Be sure to know the basics of programming languages and internet security before learning pen testing.
It is also important to inform yourself about the law and what you are or are not allowed to do. Computer laws differ from country to country. First, check the laws about privacy and surveillance: Nine Eyes, Five Eyes, and Fourteen Eyes countries. Always check whether what you're doing is legal. Even when it's not offensive, information gathering can also be illegal!
- Infosec: Information security, which is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction of information. The information or data may take any form, e.g., electronic or physical. Infosec can also refer to a person who practices information security. Wikipedia
- Opsec: Operations security, which is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information. Wikipedia
- Black/grey/white hat hacker: Someone who uses bugs or exploits to break into systems or applications. The goal and the method differ depending on whether they're a black, grey, or white hat hacker. A black hat is someone malicious who does not wait for permission to break into a system or application. A white hat is usually a security researcher who practices ethical hacking. A grey hat sits between the two: they might act maliciously if it benefits them (data breach, money, whistleblowing...).
- Red team: According to Wikipedia, a red team is an independent group that challenges an organization to improve its effectiveness by assuming an adversarial role or point of view. It is particularly effective in organizations with strong cultures and fixed ways of approaching problems. The United States intelligence community (military and civilian) has red teams that explore alternative futures and write articles as if they were foreign world leaders. Little formal doctrine or publications about red teaming in the military exist. In infosec exercises, red teamers play the role of attackers. Wikipedia
- Blue team: A blue team is a group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and make certain that all security measures will continue to be effective after implementation. As a result, blue teams were developed to design defensive measures against red team activities. In infosec exercises, blue teamers play the role of defenders. Wikipedia
- Penetration tester: An ethical hacker who practices security and tests applications and systems to prevent intrusions or find vulnerabilities. Wikipedia
- Security researcher: Someone who practices pen testing and browses the web to find phishing/fake websites, infected servers, bugs, or vulnerabilities. They can work for a company as a security consultant and are most likely a blue teamer. Wikipedia
- Reverse engineering: Reverse engineering, also called back engineering, is the process by which a man-made object is deconstructed to reveal its design or architecture, or to extract knowledge from the object. It is similar to scientific research, the only difference being that scientific research is about a natural phenomenon. Wikipedia
- Social engineering: In the context of information security, it refers to the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. The term "social engineering" as an act of psychological manipulation of a human is also associated with the social sciences, but its usage has caught on among computer and information security professionals. Wikipedia
- Threat analyst: A threat hunter, also called a cybersecurity threat analyst, is a security professional or managed service provider (MSP) that proactively uses manual or machine-assisted techniques to detect security incidents that may elude the grasp of automated systems. Threat hunters aim to uncover incidents that an enterprise would otherwise not find out about, providing chief information security officers (CISOs) and chief information officers (CIOs) with an additional line of defense against advanced persistent threats (APTs). SearchCIO
➡️ Read: Complete Hacker & Cybersecurity Glossary
While both hackers and ethical hackers use similar techniques and skills, their intentions and goals are fundamentally different.
A black hat hacker engages in hacking for malicious purposes—stealing data, damaging systems, or gaining unauthorized access. In contrast, a white hat hacker, also known as an ethical hacker, uses the same knowledge to help organizations strengthen their security.
Ethical hacking involves identifying vulnerabilities in systems, networks, or applications and helping fix them before they can be exploited by attackers. It is a legal and authorized activity carried out with the goal of improving cybersecurity.
An ethical hacker is essentially a security expert who thinks like a hacker—but acts with permission and integrity. They simulate real-world attacks to test defenses and ensure that systems are as secure as possible.
Learning programming is one of the best ways to begin your journey into cybersecurity. Understanding how code works helps you spot vulnerabilities, write tools, and automate tasks.
Many beginners start with Python—it’s widely used, beginner-friendly, and powerful for scripting, automation, and building security tools. Other languages like PHP and Go are less commonly used in security, but they still have their place depending on the context and goals.
Scripting languages like Bash (for Linux) and PowerShell (for Windows) are essential for writing automation scripts and command-line utilities, especially in system administration and penetration testing tasks.
It’s also important to understand how different languages operate:
- Compiled languages (e.g., C++, Java) are converted into machine code before execution. They’re typically faster and used for performance-critical applications.
- Interpreted languages (e.g., Python, PHP) run line by line via an interpreter, which can make development and debugging faster and easier.
Each language also comes with its own design patterns and best practices. Choosing the right language depends on what you're trying to build or learn—whether it's automation scripts, exploits, web tools, or system-level programming.
- Bash
- PowerShell
- Java
- Swift
- C / C++ / C#
- Python
- Ruby
- Perl
- PHP
- Go
Content Management Systems (CMS) are platforms that allow users to create, manage, and modify digital content with ease — often without needing to code.
- WordPress – The most widely used CMS in the world, known for its flexibility, ease of use, and a vast ecosystem of plugins and themes.
- Joomla! – A powerful CMS that offers more built-in features than WordPress, ideal for users with some technical experience.
- Drupal – A highly customizable and secure CMS preferred by developers and large-scale websites needing complex data structures.
- SPIP – A French-language-oriented CMS designed for collaborative publishing, often used by academic and cultural organizations.
These are the most used Content Management Systems (CMS). See a complete list here.
- Planning & Reconnaissance
  - Define scope, goals, and rules of engagement
  - Gather information (open-source intelligence, DNS info, IPs, etc.)
- Scanning & Enumeration
  - Identify live hosts, open ports, and services
  - Use tools like Nmap, Nessus, or Nikto to gather details about systems
  - Enumerate users, shares, and system banners
- Gaining Access
  - Exploit vulnerabilities to gain initial access
  - Techniques: SQL injection, password cracking, buffer overflows, etc.
  - Tools: Metasploit, SQLmap, Hydra, etc.
- Maintaining Access
  - Install backdoors or create persistent accounts
  - Simulate APT (Advanced Persistent Threat) behavior
  - Optional, depending on the test type and agreement
- Privilege Escalation
  - Elevate access from user-level to admin/root
  - Techniques: exploiting weak configs, misconfigurations, or kernel vulnerabilities
- Post-Exploitation & Data Extraction
  - Assess the value of the compromised system
  - Extract sensitive data, test lateral movement to other systems
  - Understand the potential impact of a real breach
- Covering Tracks (optional)
  - Clear logs and remove artifacts (used to simulate real attackers)
  - Only done if explicitly permitted in the rules of engagement
- Reporting & Remediation
  - Document findings, exploited vulnerabilities, and recommendations
  - Provide technical and non-technical reports for different stakeholders
  - May include proof of concept (PoC) and fix suggestions
Image source: How to Perform Network Penetration Testing in 2025.
➡️ Read more about Penetration Testing here!
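A scope gate for the planning step above, as an added example (it is not code from the roadmap repository): every candidate target is checked against the agreed rules of engagement before any scanning or exploitation tool is invoked, so out-of-scope hosts are refused up front. The rules dict, the domain patterns and all hosts below are constructed sample values.

```python
"""Rules-of-engagement scope gate.

Added example, not code from the roadmap repository: before any scanning or
exploitation step, each candidate target is checked against the agreed scope
so nothing outside it is ever touched. The rules below are constructed sample
values; a real engagement would load them from the signed scope document.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Scope:
    networks: list = field(default_factory=list)    # ipaddress network objects
    domains: list = field(default_factory=list)     # "example.com" or "*.example.com"
    excluded: set = field(default_factory=set)      # hosts/IPs carved out of scope


def parse_scope(rules: dict) -> Scope:
    """Validate the rules-of-engagement dict; a malformed CIDR raises ValueError
    here rather than silently widening or narrowing the scope."""
    scope = Scope()
    for cidr in rules.get("networks", []):
        scope.networks.append(ipaddress.ip_network(cidr, strict=False))
    for pattern in rules.get("domains", []):
        scope.domains.append(pattern.lower().strip("."))
    for host in rules.get("exclude", []):
        scope.excluded.add(host.lower())
    return scope


def host_of(target: str) -> str:
    """Accept a bare IP, a [v6]:port, a host:port or a full URL; return the host."""
    url = target if "://" in target else "//" + target
    return (urlsplit(url).hostname or "").lower()


def domain_matches(host: str, pattern: str) -> bool:
    """'*.example.com' covers subdomains only; list the apex separately."""
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


def in_scope(target: str, scope: Scope) -> bool:
    """True only if the target is inside an authorised network or domain
    and not explicitly excluded. Unparsable targets are refused."""
    host = host_of(target)
    if not host or host in scope.excluded:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                      # not an IP: treat as a hostname
        return any(domain_matches(host, p) for p in scope.domains)
    return any(addr in net for net in scope.networks)


def filter_targets(targets, scope: Scope):
    """Split a target list into (allowed, refused); only the allowed list
    should ever be handed to a scanner or exploitation framework."""
    allowed, refused = [], []
    for target in targets:
        (allowed if in_scope(target, scope) else refused).append(target)
    return allowed, refused


SAMPLE_RULES = {                            # constructed sample, not a real engagement
    "networks": ["10.0.0.0/24", "2001:db8::/32"],
    "domains": ["example.com", "*.example.com"],
    "exclude": ["10.0.0.1", "mail.example.com"],
}
SAMPLE_SCOPE = parse_scope(SAMPLE_RULES)

if __name__ == "__main__":
    candidates = ["https://app.example.com:8443/login", "10.0.0.20", "10.0.0.1",
                  "[2001:db8::1]:443", "example.com.attacker.net", "10.1.0.5"]
    ok, refused = filter_targets(candidates, SAMPLE_SCOPE)
    print("allowed:", ok)
    print("refused:", refused)
```

Note that a look-alike such as `example.com.attacker.net` is refused because the wildcard pattern is matched as a dot-anchored suffix, not as a substring.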
A more complete list of tools can be found on the Kali Linux official website.
Information Gathering tools allow you to collect host metadata about services and users. Check information about a domain, IP address, phone number or email address.
Tool | Language | Support | Description |
---|---|---|---|
theHarvester | Python | Linux/Windows/macOS | E-mails, subdomains and names harvester. |
CTFR | Python | Linux/Windows/macOS | Abuses Certificate Transparency logs to find the subdomains of HTTPS websites. |
Sn1per | Bash | Linux/macOS | Automated pentest recon scanner. |
RED Hawk | PHP | Linux/Windows/macOS | All-in-one tool for information gathering, vulnerability scanning and crawling. A must-have tool for all penetration testers. |
Infoga | Python | Linux/Windows/macOS | Email information gathering. |
KnockMail | Python | Linux/Windows/macOS | Check if an email address exists. |
a2sv | Python | Linux/Windows/macOS | Auto scanning for SSL vulnerabilities. |
Wfuzz | Python | Linux/Windows/macOS | Web application fuzzer. |
Nmap | C/C++ | Linux/Windows/macOS | A very common tool. Network host, vulnerability, and port detector. |
PhoneInfoga | Go | Linux/macOS | An OSINT framework for phone numbers. |
Crack passwords and create wordlists.
Tool | Language | Support | Description |
---|---|---|---|
John the Ripper | C | Linux/Windows/macOS | John the Ripper is a fast password cracker. |
hashcat | C | Linux/Windows/macOS | World's fastest and most advanced password recovery utility. |
Hydra | C | Linux/Windows/macOS | Parallelized login cracker which supports numerous protocols to attack. |
ophcrack | C++ | Linux/Windows/macOS | Windows password cracker based on rainbow tables. |
Ncrack | C | Linux/Windows/macOS | High-speed network authentication cracking tool. |
WGen | Python | Linux/Windows/macOS | Create awesome wordlists with Python. |
SSH Auditor | Go | Linux/macOS | The best way to scan for weak SSH passwords on your network. |
Tool | Description |
---|---|
Probable Wordlist | Probable-Wordlists is a GitHub repository by user 'berzerk0' that offers wordlists sorted by probability, designed for password generation and testing. The project aims to help users ensure their passwords are not commonly used, thereby enhancing security. The lists are compiled from real password data and organized to reflect the likelihood of occurrence, making them a valuable resource for security professionals and researchers. |
Used for intrusion detection and Wi-Fi attacks.
Tool | Language | Support | Description |
---|---|---|---|
Aircrack | C | Linux/Windows/macOS | WiFi security auditing tools suite. |
bettercap | Go | Linux/Windows/macOS/Android | bettercap is the Swiss army knife for network attacks and monitoring. |
WiFi Pumpkin | Python | Linux/Windows/macOS/Android | Framework for Rogue Wi-Fi Access Point Attack. |
Airgeddon | Shell | Linux/Windows/macOS | This is a multi-use bash script for Linux systems to audit wireless networks. |
Airbash | C | Linux/Windows/macOS | A POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing. |
Access systems and data with service-oriented exploits.
Tool | Language | Support | Description |
---|---|---|---|
SQLmap | Python | Linux/Windows/macOS | Automatic SQL injection and database takeover tool. |
XSStrike | Python | Linux/Windows/macOS | Advanced XSS detection and exploitation suite. |
Commix | Python | Linux/Windows/macOS | Automated All-in-One OS command injection and exploitation tool. |
Nuclei | Go | Linux/Windows/macOS | Fast and customisable vulnerability scanner based on a simple YAML-based DSL. |
Listen to network traffic or fake a network entity.
Tool | Language | Support | Description |
---|---|---|---|
Wireshark | C/C++ | Linux/Windows/macOS | Wireshark is a network protocol analyzer. |
WiFi Pumpkin | Python | Linux/Windows/macOS/Android | Framework for Rogue Wi-Fi Access Point Attack. |
Zarp | Python | Linux/Windows/macOS | A free network attack framework. |
Exploit popular CMSs that are hosted online.
Tool | Language | Support | Description |
---|---|---|---|
WPScan | Ruby | Linux/Windows/macOS | WPScan is a black box WordPress vulnerability scanner. |
Droopescan | Python | Linux/Windows/macOS | A plugin-based scanner to identify issues with several CMSs, mainly Drupal & Silverstripe. |
Joomscan | Perl | Linux/Windows/macOS | Joomla Vulnerability Scanner. |
Drupwn | Python | Linux/Windows/macOS | Drupal Security Scanner to perform enumerations on Drupal-based web applications. |
CMSeek | Python | Linux/Windows/macOS | CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal, and 130 other CMSs. |
Exploits for after you have already gained access.
Tool | Language | Support | Description |
---|---|---|---|
TheFatRat | C | Linux/Windows/macOS | Easy tool to generate backdoors and to perform post-exploitation attacks such as browser and DLL attacks. |
Frameworks are packs of pen testing tools with custom shell navigation and documentation.
Tool | Language | Support | Description |
---|---|---|---|
Operative Framework | Python | Linux/Windows/macOS | Framework based on fingerprint actions; this tool is used to get information on a website or an enterprise target with multiple modules. |
Metasploit | Ruby | Linux/Windows/macOS | A penetration testing framework for ethical hackers. |
cSploit | Java | Android | The most complete and advanced IT security professional toolkit on Android. |
radare2 | C | Linux/Windows/macOS/Android | Unix-like reverse engineering framework and command-line tools. |
Wifiphisher | Python | Linux | The Rogue Access Point Framework. |
Beef | JavaScript | Linux/Windows/macOS | The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. |
Mobile Security Framework (MobSF) | Python | Linux/Windows/macOS | Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. |
Burp Suite | Java | Linux/Windows/macOS | Burp Suite is a leading range of cybersecurity tools, brought to you by PortSwigger. This tool is not free and open source. |
- Awesome-Hacking Lists
- The Life of a Security Researcher
- Complete Hacker & Cybersecurity Glossary
- Find awesome hacking spots in your country
- Don't use VPN services
- How to Avoid Becoming a Script Kiddie
- OWASP Top 10 Non-Human Identities Risks - 2025
- Starting in cybersecurity?
- Crack Station
- Exploit Database
- Hackavision
- Hackmethod
- Smash the Stack
- SecLists
- SecTools
- Security (Awesome List)
- Cyber Security Expert (Roadmap.sh)
- Cyber Security Tutorial
- Ethical Hacking in 12 Hours - Full Course - Learn to Hack! (The Cyber Mentor)
- Awesome Cyber Security University (Awesome List)
- Full Ethical Hacking Course - Network Penetration Testing for Beginners (2019) (freeCodeCamp.org)
- Complete Hacker & Cybersecurity Glossary
- Developer Roadmaps (Roadmap.sh)
- Ryan Montgomery - The YouTube channel "@0dayCTF" is operated by Ryan Montgomery, also known as 0day. The channel focuses on cybersecurity topics, including Capture The Flag (CTF) challenges, ethical hacking, and penetration testing techniques. It serves as a resource for individuals interested in enhancing their cybersecurity skills and knowledge.
- The hacker’s roadmap (how to get started in IT in 2025) (NetworkChuck) - The video provides practical advice on how to start a career in Information Technology, covering key steps, certifications, and strategies to break into the IT industry. It's designed to guide beginners through the evolving tech landscape with clear and actionable insights.
- 2025 Ethical Hacker Roadmap with lots of free training (David Bombal) - The video titled "How to get a job in IT (2025)" offers guidance on starting a career in Information Technology. It covers key steps, certifications, and strategies to enter the IT industry, providing actionable insights for beginners navigating the evolving tech landscape.
- Kali Docs
- Cybersecurity - Attack and Defense Strategies (2018)
- Kali Linux Revealed (2017)
- Blue Team Field Manual (BTFM) (2017)
- Penetration Testing: A Hands-On Introduction to Hacking (2014)
- Incognito Toolkit: Tools, Apps, and Creative Methods for Remaining Anonymous (2013)
- Social Engineering: The Art of Human Hacking (2010)
- NMAP Network Scanning: Official Discovery (2009)
- Reddit/HowToHack - Learn and ask about hacking, security, and pen testing.
- Reddit/hacking - Discuss hacking and web security.
- Reddit/AskNetsec - Discuss network security and ask professionals for advice about jobs and related topics.
- Reddit/cybersecurity - Discuss cybersecurity news, research, threats, etc.
- The Hacker News - The Hacker News is a leading cybersecurity news portal, globally recognized for providing daily updates on digital threats, vulnerabilities, cyberattacks, and trends in information security.
- WeLiveSecurity - WeLiveSecurity is an award-winning cybersecurity blog by ESET, offering expert insights, the latest security news, in-depth analyses, and practical advice to help users and businesses navigate the evolving digital landscape.
- Hacker News - Hacker News is a social news website focusing on computer science and entrepreneurship. It is run by the investment fund and startup incubator Y Combinator. Content that can be submitted is defined as "anything that gratifies one's intellectual curiosity."
- Hackaday - Hackaday is an online magazine founded in 2004 that publishes daily articles on hardware and software hacks, DIY projects, and engineering innovations. It serves as a platform for engineers and enthusiasts to share creative modifications and original inventions. In addition to its blog, Hackaday hosts Hackaday.io, a collaborative community for documenting and sharing open-source hardware projects.
- HackerOne - The HackerOne blog provides insights into cybersecurity, ethical hacking, and vulnerability management, featuring articles on industry trends, best practices, and community stories.
- Latest Hacking News - Latest Hacking News is a cybersecurity platform offering up-to-date news, penetration testing tools, and courses for ethical hackers, penetration testers, IT security experts, and enthusiasts.
- Hackread - HackRead is a UK-based cybersecurity news platform founded in November 2011. It focuses on topics such as technology, security, privacy, surveillance, cyberwarfare, and cybercrime, offering in-depth reviews of social media platforms and technology trends. The platform aims to educate and protect users by providing timely news and insights into online threats.
- 70 Best Hacker Blogs and Websites in 2025 - Feedspot's "70 Best Hacker Blogs and Websites in 2025" is a curated list of top hacker blogs, ranked based on relevancy, authority, social media followers, and freshness. It serves as a comprehensive resource for cybersecurity professionals and enthusiasts to stay updated on the latest in hacking and information security.
- CVE - Official portal of the CVE program, which catalogs publicly known cybersecurity vulnerabilities by assigning unique identifiers (CVE IDs) to facilitate management and communication among security organizations.
- CWE - Official portal of the CWE program, which categorizes common software and hardware weaknesses to help organizations identify, understand, and mitigate security flaws using a standardized framework.
- NVD - Official portal of the National Vulnerability Database (NVD), a U.S. government repository managed by NIST that catalogs publicly known cybersecurity vulnerabilities, providing standardized data to support automated vulnerability management, security measurement, and compliance.
- Vulnhub - Has a lot of VMs to play with. Some are beginner-friendly, some aren't.
- Itsecgames - bWAPP or buggy web app is a deliberately insecure web application.
- Hackthissite - A site which provides challenges, CTFs, and more to improve your hacking skills.
- Defend the Web - Defend the Web is an interactive security platform where you can learn and challenge your skills.
- Root-me - Another website that hosts challenges to test your hacking skills.
- HackTheBox - An online platform to test and advance your skills in penetration testing and cybersecurity.
- Overthewire - Learn and practice security concepts in the form of fun-filled games.
- Ctftime - The de facto website for everything CTF related.
- TryHackMe - TryHackMe is a free online platform for learning cybersecurity, using hands-on exercises and labs.
- PicoCTF - Provides you with fun CTF challenges of varying levels of difficulty to practice on.
If this resource was helpful to you, consider giving the repo a ⭐ and sharing it with others in the security community!
This repository is under the MIT license.