Ethical Hacking Roadmap: The Skills Every Beginner Should Learn First
One of the most consistent patterns in how people fail at learning ethical hacking is this: they start with techniques instead of foundations. They download Kali, run a Metasploit module from a tutorial, and hit a wall the moment the output doesn’t match the expected result. That wall isn’t a skill gap; it’s a context gap. The technique worked. They just don’t understand what happened.

Ethical hacking is a multi-layered subject. The order in which you learn the skills matters more than most learning materials acknowledge, because each skill builds on the one before it. This is the sequence that holds up when you are not following a walkthrough.
Stage 1: Understand What You’re Looking At
Reconnaissance is the beginning of every penetration test, and without the ability to interpret its output, it yields nothing useful.
Every service reachable over the network listens on a port. Port numbers are not random; they reflect what is running on the system and, therefore, which attack paths might be available. Port 22 is SSH. Port 445 is SMB, a critical service in a Windows environment. Port 88 is Kerberos, a strong indication of Active Directory. Port 3389 is RDP. Port 5985 is WinRM, so remote PowerShell sessions might be possible. Port 1433 is MSSQL. Port 389 together with 88 is a sure sign of a domain controller.
This knowledge pays off immediately. The newcomer who runs Nmap and is handed a list of open ports has no idea where to go next. The person who knows what each service means operationally already has a direction before writing the next command. It’s not that they are smarter; they have simply learned what the numbers represent.
This is also where much tutorial-based learning breaks down. Plenty of material tells you how to run the scan. Very little takes the time to explain how to use the results, or why some services matter more than others in a given context.
An exercise that helps: after each Nmap scan in a lab, write down, for each open port, the service you expect to see and what you would do first to investigate it (before researching anything). Then verify. The gap between what you expected and what you actually found is where the learning happens.
A basic starting scan that most pentesters run first:
```bash
nmap -sV -sC -oA scan_results <target>
```
`-sV` fingerprints service versions. `-sC` runs default scripts. `-oA` saves output in all formats so you can reference it later without re-scanning. Simple, but the habit of saving output from the start matters more than most beginners realize.
In the early stages of building this foundation, keeping a reliable port and service reference close by is genuinely useful — not to avoid learning, but to build the pattern recognition faster. Cross-referencing what you encounter in the lab with what’s documented operationally is how the knowledge becomes intuitive rather than something you have to look up every time.
Stage 2: Enumerate Before You Exploit
There is one thing professional penetration testers do that sets them apart from the many people who have followed numerous tutorials: they enumerate. Thoroughly. Before touching anything that looks vulnerable.
It’s natural to want to rush to the exploitation part; it’s what the videos show, it’s the part that produces impressive results, and that’s understandable. But on a real assessment, rushing past enumeration misses the context that would have shaped the approach. You may find one vulnerability and exploit it while leaving three others that would have been more impactful, stealthier, or more relevant to your client’s actual threat model.
Enumeration is not just a technique; it’s a methodological commitment. A systematic assessment differs from an opportunistic one precisely because it builds a full picture of the environment before acting on any part of it.
The tools used in this phase have to be learned purposefully. Nmap determines open ports and service versions. Amass and theHarvester add passive collection of subdomains and exposed infrastructure. Burp Suite captures and alters HTTP traffic. BloodHound transforms Active Directory information into a visually rendered attack graph. Impacket is a collection of Python implementations of Windows network protocols.
Before running any exploit, a disciplined enumeration pass might look like this:
```bash
# SMB enumeration — first thing worth checking on Windows targets
crackmapexec smb <target> --shares --users
# Web directory discovery — run in parallel, save output
gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt -o dirs.txt
```
Neither of these touches the target aggressively. Both return information that shapes every decision that follows.
A frequent error is running each tool in turn without feeding the output of one into the next. If Nmap reports only port 80, there is no point spinning up BloodHound. If SMB is open with guest access, the priority changes. Use each output as the input to the next step.
Understanding how they connect in practice — rather than treating them as a toolkit to run in any order — is what makes the individual commands make sense. Technique follows methodology, not the other way around.
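An added example (not from the article) that puts Stage 1 and Stage 2 together in Python: it parses the open ports out of Nmap’s greppable (`-oG`) output, annotates each with the service reference above, and picks the next enumeration step from the result instead of running tools in a fixed order. The port-to-service notes and the two sample scan lines are constructed for this example.

```python
import re
# Service reference from Stage 1, paired with the Stage 2 idea that each result
# feeds the next enumeration step. The notes are a constructed illustration.
PORT_REFERENCE = {
    22:   ("SSH",      "note the version; try credentials found elsewhere later"),
    80:   ("HTTP",     "web directory discovery, save the output"),
    88:   ("Kerberos", "Active Directory: enumerate domain users"),
    389:  ("LDAP",     "Active Directory: LDAP enumeration"),
    445:  ("SMB",      "list shares and users first"),
    1433: ("MSSQL",    "database service: check access with found creds"),
    3389: ("RDP",      "remote desktop: credential reuse target"),
    5985: ("WinRM",    "remote PowerShell possible once creds are found"),
}

def parse_greppable(line):
    """Return {port: nmap service name} for open TCP ports on one 'Host:' line of -oG output."""
    m = re.search(r"Ports: (.*?)(?:\t|$)", line)
    if not m:
        return {}
    open_ports = {}
    for entry in m.group(1).split(", "):
        f = entry.split("/")  # port/state/proto/owner/service/rpc/version/
        if len(f) >= 5 and f[1] == "open" and f[2] == "tcp":
            open_ports[int(f[0])] = f[4]
    return open_ports

def annotate(open_ports):
    """Stage 1 exercise: what you expect each port to be, and what to check first."""
    return {p: PORT_REFERENCE.get(p, ("unknown", "research the service before touching it"))
            for p in sorted(open_ports)}

def next_step(open_ports):
    """Stage 2: let the scan decide the next tool instead of running them in a fixed order."""
    ports = set(open_ports)
    if {88, 389} <= ports:
        return "domain controller: AD enumeration (users first, then BloodHound)"
    if 445 in ports:
        return "SMB exposed: enumerate shares and users before anything else"
    if ports and ports <= {80, 443}:
        return "web only: skip BloodHound, go straight to directory discovery"
    return "no clear lead: read every service banner before choosing a tool"

# Constructed sample lines in nmap -oG format (not real scan output).
SAMPLE_DC  = ("Host: 10.0.0.5 (dc01.lab.local)\tPorts: 88/open/tcp//kerberos-sec///, "
              "389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, "
              "135/filtered/tcp//msrpc///\tIgnored State: closed (996)")
SAMPLE_WEB = ("Host: 10.0.0.7 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.41/"
              "\tIgnored State: closed (999)")
```

Feed each `Host:` line of a saved `scan_results.gnmap` file through `parse_greppable` and `next_step` to reproduce the expect-then-verify exercise on real lab output.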
Stage 3: Learn Why Vulnerabilities Work, Not Just What They Are
Once you can map an environment systematically, the next step is understanding how applications fail under adversarial input. Not as a classification to memorize, but as developer assumptions that turned out to be wrong.
SQL Injection exists because applications concatenate user input directly into database queries. A single quote is often enough to confirm it:
```bash
curl "http://<target>/page?id=1'"
```
LFI (Local File Inclusion) works because the application trusts a user-controlled path parameter:
```bash
curl "http://<target>/page?file=../../../../etc/passwd"
```
IDOR is even simpler — change an object identifier in a request and see what comes back:
```bash
curl "http://<target>/api/user/1337" -H "Cookie: session=<your_token>"
```
Each vulnerability is a mismatch between what the developer expected the user to do and what the attacker actually does. Realizing this is what makes testing systematic: not payloads, but framing. Every class works the same way, through some broken trust assumption; there is no magic bug.
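An added example, not from the article, showing two of these broken assumptions in Python beside their hardened forms: the SQL injection case with string concatenation versus parameter binding (including the single-quote check from above), and the LFI case with an unchecked include path versus one normalised and confined to a directory. The in-memory users table and the `WEB_ROOT` directory are constructed assumptions.

```python
import sqlite3
from pathlib import Path

# Constructed in-memory table standing in for the application's user database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [(1, "alice"), (2, "bob"), (1337, "admin")])

def vulnerable_lookup(id_param):
    """Developer's expectation: 'id' is always a number, so concatenating it is harmless."""
    query = "SELECT name FROM users WHERE id = " + id_param
    return [row[0] for row in conn.execute(query)]

def safe_lookup(id_param):
    """Parameter binding: the input stays data, so a quote never reaches the SQL parser."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (id_param,))
    return [row[0] for row in rows]

def confirms_injection(lookup, id_param="1'"):
    """The article's single-quote test: a syntax error means the input reached the parser."""
    try:
        lookup(id_param)
        return False
    except sqlite3.OperationalError:
        return True

# Hypothetical directory the application includes page templates from.
WEB_ROOT = Path("/var/www/pages").resolve()

def unsafe_include(file_param):
    """Trusts the user-controlled path: '../' sequences walk out of WEB_ROOT."""
    return WEB_ROOT / file_param

def safe_include(file_param):
    """Normalise first, then require the result to still sit under WEB_ROOT."""
    candidate = (WEB_ROOT / file_param).resolve()
    return candidate if WEB_ROOT in candidate.parents else None

def escaped_root(path):
    """True when a path, once normalised, points outside WEB_ROOT."""
    return WEB_ROOT not in Path(path).resolve().parents
```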
Stage 4: Practice in Legal Environments
At some point on every self-directed learning path, reading and watching videos stop producing meaningful progress. As with any skill, conceptual knowledge of a technique does not fully transfer to practice until it has been repeated hands-on.
One thing that genuinely helps: treat every lab machine as a real engagement. Write structured notes covering what you found, what you tried, what worked, what didn’t, and why.
Start by creating a dedicated folder for the machine:
```bash
mkdir study
```
Move into it and keep everything organized by phase:
```bash
cd study
```
Over time, the folder fills up with findings:
```bash
ls # notes recon loot files
```
Open the notes and you find what matters:
```bash
cat notes # admin:admin
```
A credential in an SMB share, a misconfigured service, a plaintext password in a config file, and so on. Documented and reusable. Most beginners skip this process because it feels slow. It’s what actually turns a finished machine into transferable knowledge rather than a forgotten walkthrough. After six months of structured notes, patterns begin to emerge across machines and environments that you would never pick up from a tutorial.
The usual starting points are HackTheBox and TryHackMe: virtual labs with deliberately exposed machines that mimic realistic assessment scenarios closely enough to develop real skill. HackTheBox Pro Labs (Dante and Offshore) emulate enterprise Active Directory environments with realistic attack paths that require chaining multiple techniques across multiple machines. They are the closest representation of an internal network assessment you can get outside a real client environment.
DVWA is a locally deployable application that includes the most significant classes of web vulnerabilities in an isolated environment. It lets you exploit a weakness and then immediately read the code that made it possible, which builds understanding much faster.
OSCP is still the standard certification. The exam is a 24-hour hands-on test on a real network with no multiple-choice or theory questions: just a practical assessment under pressure. It measures methodology rather than memorization.
Stage 5: Find the Area You Want to Go Deep In
Once the basics are in place, the field offers many specializations: web application penetration testing, internal network and Active Directory assessment, cloud security on AWS, Azure, and GCP, red team operations, exploit development, vulnerability research.
The biggest mistake most newcomers make is specializing prematurely. If you don’t know what Active Directory is or how Kerberos authentication works, Active Directory exploitation makes little sense. Cloud security discussions mean little if you cannot reason about how network services behave and where credentials get exposed.
The basic skills apply to every specialization. The more time you invest in them before moving on, the less time you waste later, and the more you actually absorb rather than drown in.
Most people who plateau in ethical hacking are not short on advanced knowledge. They lack the bedrock needed to apply that knowledge at an advanced level. Network basics tell you what you’re looking at. Enumeration methodology is how you investigate it systematically. Knowing why vulnerabilities exist tells you how to find them, even when they aren’t the textbook case.
Build that foundation first, and the rest of the field opens up considerably faster.
Canio Campaniello is an offensive security researcher focused on Active Directory exploitation, web application security, and penetration testing methodology.