In his book Hacking For Dummies (Wiley), Kevin discussed the hacker genre
and ethos. In Chapter 1, he enumerated the Ethical Hacking Commandments.
In that book, Kevin listed three commandments. But (as with everything in
networking) the list has grown to fill the available space. Now these commandments
were not brought down from Mount Sinai, but thou shalt follow
these commandments shouldst thou decide to become a believer in the doctrine
of ethical hacking.
The Ten Commandments are:
1. Thou shalt set thy goals.
How does ethical hacking relate to penetration testing? Ethical hacking is a
form of penetration testing originally used as a marketing ploy but has come
to mean a penetration test of all systems — where there is more than one goal.
In either case, you have a goal. Your evaluation of the security of a wireless
network should seek answers to three basic questions:
What can an intruder see on the target access points or networks?
What can an intruder do with that information?
Does anyone at the target notice the intruder’s attempts — or successes?
You might set a simplistic goal, such as finding unauthorized wireless access
points. Or you might set a goal that requires you to obtain information from a
system on the wired network. Whatever you choose, you must articulate
your goal and communicate it to your sponsors.
2. Thou shalt plan thy work, lest thou go off course.
With respect to your plan, you should do the following:
1. Identify the networks you intend to test.
2. Specify the testing interval.
3. Specify the testing process.
4. Develop a plan and share it with all stakeholders.
5. Obtain approval of the plan.
Share your plan. Socialize it with as many people as you can. Don’t worry
that lots of people will know that you are going to hack into the wireless network.
If your organization is like most others, then it’s unlikely they can
combat the organizational inertia to do anything to block your efforts. It is
important, though, to remember that you do want to do your testing under
3. Thou shalt obtain permission.
When it comes to asking for permission, remember the case of the Internal
Auditor who, when caught cashing a payroll check he didn’t earn, replied, “I
wasn’t stealing. I was just testing the controls of the system.” When doing ethical
hacking, don’t follow the old saw that “asking forgiveness is easier than
asking for permission.” Not asking for permission may land you in prison!
You must get your permission in writing. This permission may represent the
only thing standing between you and an ill-fitting black-and-white-striped suit
and a lengthy stay in the Heartbreak Hotel.
4. Thou shalt work ethically.
The term ethical in this context means working professionally and with good
conscience. You must do nothing that is not in the approved plan or that has
been authorized after the approval of the plan.
As an ethical hacker, you are bound to confidentiality and non-disclosure of
information you uncover, and that includes the security-testing results. You
cannot divulge anything to individuals who do not “need-to-know.” What you
learn during your work is extremely sensitive — you must not openly share it.
Everything you do as an ethical hacker must be aboveboard, and must support
the goals of the organization. You should notify the organization whenever
you change the testing plan, change the source test venue, or detect
high-risk conditions — and before you run any new high-risk or high-traffic
tests, as well as when any testing problems occur.
You must also ensure you are compliant with your organization’s governance
and local laws. Do not perform an ethical hack when your policy expressly
forbids it — or when the law does.
5. Thou shalt work diligently.
In the previous commandment we talked about acting professionally. One
hallmark of professionalism is keeping adequate records to support your
findings. When keeping paper or electronic notes, do the following:
Log all work performed.
Record all information directly into your log.
Keep a duplicate of your log.
Document — and date — every test.
Keep factual records and record all work, even when you think you were
This record of your test design, outcome, and analysis is an important aspect
of your work. Your records will allow you to compile the information needed
for a written or oral report. You should take care in compiling your records.
Be diligent in your work and your documentation.
6. Thou shalt respect the privacy of others.
Treat the information you gather with the utmost respect. You must protect
the secrecy of confidential or personal information. All information you obtain
during your testing — for example, encryption keys or clear text passwords —
must be kept private. Don’t abuse your authority; use it responsibly. This
means you won’t (for example) snoop into confidential corporate records or
private lives. Treat the information with the same care you would give to
your own personal information.
7. Thou shalt do no harm.
The prime directive for ethical hacking is, “Do no harm.” Remember that the
actions you take may have unplanned repercussions. It’s easy to get caught
up in the gratifying work of ethical hacking. You try something, and it works,
so you keep going. Unfortunately, by doing this you may easily cause an
outage of some sort, or trample on someone else’s rights. Resist the urge to
go too far — and stick to your original plan.
Also, you must understand the nature of your tools. Far too often, people jump
in and start using the tools shown in this book without truly understanding the
full implications of the tool. They do not understand that setting up a
monkey-in-the-middle attack, for example, creates a denial of service. Relax, take a deep
breath, set your goals, plan your work, select your tools, and (oh yeah) read
8. Thou shalt use a scientific process.
For our purposes, the scientific process has three steps:
1. Select a goal and develop your plan.
2. Test your networks and systems to address your goals.
3. Persuade your organization to acknowledge your work.
We address the first two steps in previous commandments, so let’s look at the
third step here. Your work should garner greater acceptance when you adopt
an empirical method. An empirical method has the following attributes:
Set quantifiable goals: The essence of selecting a goal (such as capturing
the flag) is that you know when you’ve reached it. You either possess
the flag or you don’t. Pick a goal that you can quantify: associating with
ten access points, broken encryption keys or a file from an internal server.
Time-quantifiable goals, such as testing your systems to see how they
stand up to three days of concerted attack, are also good.
Tests are consistent and repeatable: If you scan your network twice and
get different results each time, this is not consistent. You must provide
an explanation for the inconsistency, or the test is invalid. If we repeat
your test, will we get the same results? When a test is repeatable or
replicable, you can conclude confidently that the same result will occur
no matter how many times you replicate it.
Tests are valid beyond the “now” time frame: When your results are
true, your organization will receive your tests with more enthusiasm if
you’ve addressed a persistent or permanent problem, rather than a
temporary or transitory problem.
9. Thou shalt not covet thy neighbor’s tools.
No matter how many tools you may have, you will discover new ones. Wireless
hacking tools are rife on the Internet — and more are coming out all the time.
The temptation to grab them all is fierce.
10. Thou shalt report all thy findings.
You should plan to report any high-risk vulnerabilities discovered during testing
as soon as they are found. These include
vulnerabilities with known — and high — exploitation rates
vulnerabilities that are exploitable for full, unmonitored, or untraceable
vulnerabilities that may put immediate lives at risk
You don’t want someone to exploit a weakness that you knew about and
intended to report. This will not make you popular with anyone.
Your report is one way for your organization to determine the completeness
and veracity of your work. Your peers can review your method, your findings,
your analysis, and your conclusions, and offer constructive criticism or
suggestions for improvement.
If you find that your report is unjustly criticized, following the Ten
Commandments of Ethical Hacking should easily allow you to defend it.
One last thing: When you find 50 things, report on 50 things. You need not
include all 50 findings in the summary but you must include them in the
detailed narrative. Withholding such information conveys an impression
of laziness, incompetence, or an attempted manipulation of test results.
Don’t do it.
Reference: O-Reily, Hacking Wireless Network for Dummies, p. 19-25.