Hacking is the act of probing a computer system, network, or application to make it do something it was not designed to do. That definition covers a teenager exploiting a video game save file, a criminal stealing 50 million credit card numbers, and a paid security professional finding the same bug before either of them. The difference is intent, authorization, and the law. This guide explains what hacking actually is in 2026, the five phases real attackers use, and how to learn the skill legally. Follow along in HackerDNA's Learn 101 lab as you read, where you will run your first commands against a sandboxed target in your browser.
Most articles you find on hacking are either dry corporate definitions or sensationalized news pieces. This one is written for the person who wants to actually do the thing. You will learn the categories of hackers, the methodology professionals follow, the tools that matter, and the legal lines that separate a job offer from a federal charge.
TL;DR: Hacking means finding and using unintended behavior in software, hardware, or systems. Ethical (white hat) hackers do this with permission to improve security. Real attackers follow a five-phase methodology: reconnaissance, scanning, exploitation, privilege escalation, and persistence. Learning hacking legally requires sandboxed labs, not production targets.
What Is Hacking?
What is hacking? Hacking is the practice of identifying weaknesses in computer systems and using them to gain access, control, or information that the system was not designed to provide. The act itself is morally neutral. Whether a specific instance of hacking is criminal, legal, or beneficial depends entirely on authorization and intent.
The word originally described any creative or unorthodox solution to a technical problem. Over decades, popular usage narrowed it to mean breaking into computers. Both definitions still apply in practice. A developer who writes a clever one-line shell pipeline to parse a log file is "hacking" in the original sense. A criminal who exploits a SQL injection bug to steal a customer database is "hacking" in the modern sense. Cybersecurity professionals use the term for both, and context makes the meaning clear.
The 2024 Verizon Data Breach Investigations Report attributed 68% of breaches to a non-malicious human element, but the remaining 32% involved deliberate hacking activity by external attackers, insiders, or organized crime groups. The same report found that web applications and email phishing accounted for the majority of initial access vectors. Hacking, as a practice, is responsible for a measurable share of business disruption, financial loss, and regulatory action every year.
Three things distinguish hacking from regular software use. First, the target system is not behaving the way an attacker wants, so the attacker manipulates input or environment to change that behavior. Second, the techniques involve understanding how a system was implemented, not just how it was documented. Third, hackers test their assumptions against the system and adapt based on what the system does. That last part, the iterative loop of hypothesis and verification, is what separates a skilled hacker from someone who just runs automated tools.
A Brief History of Hacking
The word "hacker" was first used in its modern technical sense at MIT in the late 1950s, inside the Tech Model Railroad Club. Members described elegant solutions to wiring problems as "hacks". When MIT students gained access to early time-sharing computers in the 1960s, they brought the word with them. A "hack" became any clever, unauthorized, or unorthodox use of a system.
The first widely reported computer crime under this label happened in 1971, when John Draper used a toy whistle from a Cap'n Crunch cereal box to produce a 2600 Hz tone that bypassed AT&T's long-distance billing system. The phone phreaking era introduced the world to the idea that a determined amateur could outmaneuver a corporate system by understanding how it worked at a deeper level than the people who built it.
The 1980s and 1990s saw hacking move from telephone systems to internet-connected computers. The 1988 Morris Worm infected roughly 10% of all internet-connected machines at the time, prompting the creation of the first Computer Emergency Response Team (CERT) at Carnegie Mellon. The 1990s introduced public-facing exploits, hacker conventions like DEF CON (founded 1993), and the first commercial penetration testing services.
By the 2000s, hacking had bifurcated. On one side, organized criminal groups and state actors industrialized attacks against banks, retailers, and government agencies. On the other, an ecosystem of legitimate security work grew up around bug bounty programs, certifications, and consulting firms. Today, the global cybersecurity workforce exceeds 5 million professionals, and the industry is projected to face a shortage of roughly 4 million more by 2030 according to ISC2's 2024 Cybersecurity Workforce Study.
Types of Hackers: White, Black, and Gray Hat
The cybersecurity industry uses a color-coded shorthand for hacker ethics. The categories matter because they map directly to legality, employment, and how the rest of the world treats your work. For a deeper breakdown of each role, read our companion article on white hat vs. black hat hackers.
White Hat Hackers
White hat hackers, also called ethical hackers or penetration testers, work with explicit permission from system owners to find vulnerabilities before criminals do. They sign contracts, follow defined scopes, and report findings privately. Their work is fully legal. Most white hats are employed as penetration testers, application security engineers, or bug bounty researchers.
A typical day for a white hat might involve testing a banking application for authentication flaws, writing a report explaining what was found, and meeting with developers to walk through remediation. The pay reflects the skill required. Senior penetration testers in the United States earn between $130,000 and $200,000 annually according to multiple 2025 salary surveys.
Black Hat Hackers
Black hat hackers attack systems without authorization, for personal gain, political motive, or sabotage. They are the criminals. Their tools are often identical to those used by white hats, but their lack of permission turns the same actions into felonies under laws like the US Computer Fraud and Abuse Act.
Black hat operations range from individual fraudsters running phishing kits to ransomware-as-a-service groups with corporate structures. The 2024 IBM Cost of a Data Breach Report put the average breach at $4.88 million globally, with a meaningful share of that cost tied to criminal hacking activity.
Gray Hat Hackers
Gray hat hackers occupy the legally murky middle ground. They often access systems without permission but disclose what they find rather than exploiting it. Some publish vulnerabilities publicly without coordinating with the affected vendor. Others quietly notify the owner and walk away.
Gray hat activity is still illegal in most jurisdictions, even when the intent is benevolent. Several well-known cases have ended in prosecutions where the hacker thought they were doing the right thing. If you find yourself in this category, structured bug bounty programs offer the same satisfaction with legal cover.
Other Color Codes You Will Hear
Red team, blue team, and purple team describe roles inside organizations rather than ethical alignment. Red teams simulate adversaries against their own employer's systems. Blue teams defend. Purple teams coordinate between the two. Green hat refers to beginners learning the craft. Script kiddies, a less flattering term, are people who run pre-built attack tools without understanding the underlying mechanics.
The 5 Phases of a Hacker's Methodology
Every professional engagement follows a methodology. The order matters because each phase produces information that feeds the next. The five-phase model below is the standard taught in EC-Council's Certified Ethical Hacker curriculum and aligned with the MITRE ATT&CK framework.
Phase 1: Reconnaissance
Reconnaissance is the information-gathering phase. The attacker, or the authorized tester acting as one, learns as much as possible about the target before sending a single probe. Passive reconnaissance uses public sources: WHOIS records, DNS data, GitHub repositories, employee LinkedIn profiles, leaked credentials from past breaches. Active reconnaissance touches the target directly with low-noise probes like DNS queries and basic port scans.
In practice, recon often determines whether the engagement succeeds. An attacker who finds a forgotten staging server with default credentials in the recon phase has already won, before any exploit code runs.
Phase 2: Scanning and Enumeration
Scanning maps the target's attack surface. Nmap and similar tools identify open ports, running services, software versions, and operating systems. A command like nmap -sV -p- target.com enumerates every TCP port and attempts to identify the service running on each. Enumeration goes deeper, querying each service for usernames, share names, and configuration details.
For a web application, enumeration includes content discovery (finding hidden directories and endpoints), parameter discovery, and API mapping. Tools like Gobuster, ffuf, and Burp Suite's site map do the heavy lifting.
Phase 3: Exploitation
Exploitation is the moment the attacker uses a discovered vulnerability to gain access or perform unauthorized actions. The exploit can be a public CVE with available proof-of-concept code, a custom payload for an unpatched application, or a logic flaw chained from multiple smaller bugs. Successful exploitation usually produces some form of access: a shell on the system, an authenticated session in the application, or readable data that should have been protected.
Modern exploitation rarely relies on novel zero-days. Most real intrusions begin with known vulnerabilities that were not patched, weak credentials, or social engineering. The 2024 CISA Top Routinely Exploited Vulnerabilities list was dominated by bugs at least 18 months old.
Phase 4: Privilege Escalation
Initial access is rarely enough. A web shell running as the www-data user can read web files but cannot dump the database. The attacker escalates privileges to gain root, administrator, or domain-admin level access. Linux privilege escalation often exploits misconfigured SUID binaries, sudo permissions, or kernel vulnerabilities. Windows privilege escalation targets unquoted service paths, token impersonation, or Active Directory misconfigurations.
This phase is where careful enumeration in earlier phases pays off. Knowing exactly what binaries are installed, which scheduled tasks run as root, and what credentials are stored in environment variables turns a low-privilege foothold into full system control.
Phase 5: Persistence and Covering Tracks
The final phase ensures continued access and evades incident response. Persistence mechanisms include scheduled tasks, registry run keys, modified startup scripts, and backdoored authentication modules. Covering tracks means clearing log entries, modifying timestamps, and removing telemetry artifacts.
In legal engagements, white hat testers stop at the proof-of-concept stage. They document that persistence and log cleanup were possible without actually deploying them. The goal of an authorized test is to demonstrate impact, not to leave the client with a real compromise to clean up.
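The defender's view of this phase, as an added example that is not part of the original guide: a small Python detector that labels the Windows events these techniques commonly generate (Security 4698 and 1102, System 7045 and 104, Sysmon 13) and flags hosts where a log clear follows a persistence event within 30 minutes. The event records and their field names are constructed for the example and do not follow any specific product's schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line. The field names are an
# assumed normalized schema for this example, not a specific product's format.
SAMPLE_EVENTS = r"""
{"ts": "2026-01-12T09:14:02+00:00", "host": "ws-014", "channel": "Security", "event_id": 4624, "target": ""}
{"ts": "2026-01-12T09:20:41+00:00", "host": "ws-014", "channel": "Security", "event_id": 4698, "target": "\\Microsoft\\Windows\\Updater"}
{"ts": "2026-01-12T09:21:05+00:00", "host": "ws-014", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"}
{"ts": "2026-01-12T09:29:30+00:00", "host": "ws-014", "channel": "Security", "event_id": 1102, "target": ""}
{"ts": "2026-01-12T11:02:10+00:00", "host": "srv-db2", "channel": "System", "event_id": 7045, "target": "BackupAgent"}
{"ts": "2026-01-12T11:05:00+00:00", "host": "ws-020", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "target": "HKLM\\SOFTWARE\\Vendor\\Settings\\Theme"}
"""

# (channel, event_id) -> finding label, for events that need no further check.
FIXED_RULES = {
    ("Security", 4698): "persistence:scheduled_task_created",
    ("System", 7045): "persistence:service_installed",
    ("Security", 1102): "log_cleared:security",
    ("System", 104): "log_cleared:system",
}
SYSMON = "Microsoft-Windows-Sysmon/Operational"
RUN_KEY_MARKER = "\\currentversion\\run"  # also matches RunOnce


def classify(event):
    """Return a finding label for one event, or None if it is not of interest."""
    key = (event["channel"], event["event_id"])
    if key in FIXED_RULES:
        return FIXED_RULES[key]
    # Sysmon event 13 is a registry value set; only Run/RunOnce keys matter here.
    if key == (SYSMON, 13) and RUN_KEY_MARKER in event["target"].lower():
        return "persistence:run_key_set"
    return None


def detect(lines, window=timedelta(minutes=30)):
    """Label events, then flag hosts where a log clear follows persistence."""
    findings, last_persistence, escalated = [], {}, []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label is None:
            continue
        ts = datetime.fromisoformat(event["ts"])
        host = event["host"]
        findings.append((host, label))
        if label.startswith("persistence:"):
            last_persistence[host] = ts
        elif host in last_persistence and ts - last_persistence[host] <= window:
            # A log clear shortly after new persistence deserves a higher priority.
            escalated.append(host)
    return findings, escalated


if __name__ == "__main__":
    found, hosts = detect(SAMPLE_EVENTS)
    for host, label in found:
        print(f"{host}: {label}")
    print("persistence followed by log clear:", hosts)
```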
Categories of Hacking by Target
Hacking specializations diverge sharply by what is being attacked. The five categories below cover the vast majority of professional security work, and each maps to a distinct learning path.
Web Application Hacking
Web hacking targets web-facing applications, APIs, and the infrastructure behind them. The OWASP Top 10 catalogs the most common vulnerability classes: broken access control, injection (including SQL injection and command injection), cryptographic failures, insecure design, and security misconfiguration. Web hacking is the highest-value entry point into modern organizations because most companies expose web applications to the internet.
Working web hackers spend their days inside Burp Suite. Start with our SQL injection tutorial to see the methodology in action, then move into the structured lessons in HackerDNA's Web Attacks course.
Network Hacking
Network hacking targets the protocols, services, and infrastructure that connect systems. The work covers port scanning, service exploitation, lateral movement between machines, and Active Directory attacks in enterprise environments. Network hackers need fluency with Nmap, Wireshark, Metasploit, and an understanding of how protocols like SMB, LDAP, Kerberos, and NTLM actually work.
The career path here often leads into internal penetration testing or red team operations. Our Network Penetration Testing course covers the foundation, and our web application penetration testing guide shows how the methodology overlaps with web work.
System Hacking and Privilege Escalation
System hacking focuses on individual hosts after initial access has been obtained. The work is largely about understanding the target operating system in depth: how processes run, where credentials are cached, what services are misconfigured, and how to chain those misconfigurations into root or administrator access.
Most CTF (Capture The Flag) challenges focus heavily on this phase because it teaches deep Linux and Windows internals.
Wireless and Mobile Hacking
Wireless hacking targets Wi-Fi, Bluetooth, and other radio protocols. WPA2 and WPA3 cracking with tools like aircrack-ng and hashcat is one specialty. Bluetooth attacks against IoT devices are another. Mobile hacking covers Android and iOS application analysis, runtime instrumentation with Frida, and reverse engineering of native libraries.
These specialties pay well but require significant tooling investment (radio equipment, rooted test devices) compared to web hacking, which only needs a browser.
Social Engineering
Social engineering hacks people rather than software. The category covers phishing, pretexting, vishing (voice phishing), and physical entry techniques. The 2024 Verizon DBIR found that social engineering was involved in roughly 25% of confirmed breaches, with phishing the single most common technique.
Pure social engineering is a niche specialty. Most penetration testers integrate basic phishing scenarios into broader engagements rather than focusing exclusively on the discipline.
Common Hacking Tools
The tools below are the ones working hackers actually use. You do not need 40 tools to be effective. You need five or six and deep familiarity with each. For a longer list with use cases, see our roundup of penetration testing tools.
Nmap
Nmap is the default network scanner. It identifies open ports, fingerprints services and operating systems, and runs scripts that probe for specific vulnerabilities. Almost every engagement starts with an Nmap scan, even when the rest of the toolchain differs. Our Nmap cheat sheet covers the flags worth memorizing.
Burp Suite
Burp Suite is the intercepting proxy at the center of every web app engagement. Community Edition is free and handles 80% of typical workflow. Professional Edition adds an automated scanner and full-speed Intruder. New to Burp? Work through our Burp Suite tutorial first.
Metasploit and Msfvenom
Metasploit Framework provides hundreds of pre-built exploits, post-exploitation modules, and payload generators. Msfvenom, the standalone payload generator, creates custom shellcode for delivering reverse shells across platforms. Our Msfvenom cheat sheet documents the syntax patterns you will actually use.
Hashcat and John the Ripper
Password cracking happens after a hash is obtained, either from a database dump, a captured network handshake, or local credential storage. Hashcat uses GPU acceleration for speed against modern hash formats. John the Ripper remains useful for smaller jobs and CPU-only environments. HackerDNA's Password Cracking course and our hash cracking guide walk through both.
Tools to Avoid
Skip DirBuster. The Java GUI is painfully slow next to Gobuster or ffuf, and the project has not seen serious maintenance in years. Skip Nikto for anything beyond a quick first pass. The output is noisy and modern web apps trigger thousands of false positives. Stick with Burp Suite's built-in scanner or commercial alternatives if you need automated web scanning.
Is Hacking Legal? Authorization and the CFAA
Critical reminder: Hacking without explicit written authorization from the system owner is a criminal offense in every developed country. In the United States, the Computer Fraud and Abuse Act (CFAA, 18 USC 1030) carries penalties of up to 10 years in federal prison per violation. The United Kingdom uses the Computer Misuse Act 1990. The European Union enforces Directive 2013/40/EU on attacks against information systems. Verbal permission is not sufficient evidence in court. Get the authorization in writing, signed by someone with authority to grant it.
The legality of any specific act depends on three factors: who owns the target, what authorization you have, and what you do with what you find. Testing your own laptop is legal. Testing a friend's laptop with their verbal permission might still expose you to charges if they later change their mind. Testing a company's production system, even one with obvious flaws, without a signed scope document is almost always a felony.
Authorized hacking happens in three legal venues. The first is paid penetration testing under a signed Statement of Work that defines scope, timing, and methodology. The second is bug bounty programs run by companies like HackerOne, Bugcrowd, and Intigriti, where participants agree to platform terms of service that authorize testing within defined rules. The third is sandboxed practice environments, like CTF platforms and lab providers, where the targets are owned by the platform and explicitly available for attack.
Responsible disclosure is the principle that guides white hat reporting. When you find a vulnerability in a system you are authorized to test, document it, notify the owner privately, and give them reasonable time to fix the issue before disclosing publicly. Most coordinated disclosure timelines run 90 days. For vulnerabilities found outside an active engagement, check the target's /.well-known/security.txt file for their disclosure policy.
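To make the security.txt check concrete, here is an added Python example (not part of the original guide) that parses a file in the RFC 9116 layout and reports problems worth knowing before you rely on it, such as a missing Contact or a passed Expires date. The sample file and the example.com addresses are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed sample of a /.well-known/security.txt file (RFC 9116 layout).
# example.com and every value below are placeholders.
SAMPLE = """\
# Security contact for example.com
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2027-01-31T23:59:59Z
Policy: https://example.com/disclosure-policy
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
"""

ONCE_ONLY = ("expires", "preferred-languages")
URI_FIELDS = ("contact", "policy", "canonical", "encryption")


def parse_security_txt(text):
    """Parse 'Name: value' lines into {lowercased name: [values]}.

    Comment lines (#) and blank lines are skipped. A PGP cleartext signature
    wrapper, which the format allows, is not handled here.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line; ignore rather than guess
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields, now=None):
    """Return a list of problems found in the parsed fields (empty if none)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not fields.get("contact"):
        problems.append("missing required Contact field")
    for name in ONCE_ONLY:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} appears more than once")
    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing required Expires field")
    else:
        try:
            # fromisoformat() on older Pythons rejects a trailing 'Z'.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("file has expired; contact details may be stale")
        except ValueError:
            problems.append("Expires is not a valid date-time")
    for name in URI_FIELDS:
        for uri in fields.get(name, []):
            if uri.lower().startswith("http://"):
                problems.append(f"{name} uses plain http: {uri}")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    print("contacts:", parsed.get("contact"))
    print("problems:", validate(parsed) or "none")
```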
Two practical safeguards keep you legal. First, never test anything you do not own or have written permission to access. Second, when you have permission, stay strictly within the documented scope. The fastest way to lose a security career is to discover something interesting outside your scope and decide to "just check" whether it is exploitable.
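One way to turn the second safeguard into a habit is a default-deny scope check that runs before any tool touches a target. The Python below is an added example, not part of the original guide; the scope dictionary, its key names, and every address, hostname and date in it are constructed placeholders standing in for what a signed scope document would list.

```python
import ipaddress
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed scope, as it might be transcribed from a signed Statement of Work.
# All names, ranges and dates are placeholders (documentation ranges/domains).
SCOPE = {
    "in_scope_networks": ["192.0.2.0/24", "198.51.100.16/28"],
    "in_scope_hosts": ["app.example.com", "*.staging.example.com"],
    "excluded": ["192.0.2.10", "payments.staging.example.com"],
    "window_start": "2026-03-02T08:00:00+00:00",
    "window_end": "2026-03-13T18:00:00+00:00",
}


def _matches(target, entries):
    """True if target (IP or hostname) matches any network, IP or host pattern.

    Names and addresses are compared as written; nothing is resolved via DNS.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    for entry in entries:
        if addr is not None:
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # entry is a hostname pattern; an IP never matches it
        elif fnmatchcase(target.lower().rstrip("."), entry.lower()):
            return True
    return False


def check_scope(target, when, scope=SCOPE):
    """Return (allowed, reason). Default is deny; exclusions always win."""
    start = datetime.fromisoformat(scope["window_start"])
    end = datetime.fromisoformat(scope["window_end"])
    if not (start <= when <= end):
        return False, "outside the authorized testing window"
    if _matches(target, scope["excluded"]):
        return False, "explicitly excluded in the scope document"
    allowed = scope["in_scope_networks"] + scope["in_scope_hosts"]
    if _matches(target, allowed):
        return True, "in scope"
    return False, "not listed in the scope document"


if __name__ == "__main__":
    during = datetime(2026, 3, 5, 10, 0, tzinfo=timezone.utc)
    for t in ["192.0.2.55", "192.0.2.10", "api.staging.example.com",
              "payments.staging.example.com", "203.0.113.5"]:
        print(t, check_scope(t, during))
```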
How to Learn Hacking
Hacking is a craft. It is learned through structured practice, not through reading alone. The roadmap below is the one most working pentesters followed in some variation. For more depth on the learning journey, see our companion piece on how hackers learn to hack.
Build the Foundation
You need working knowledge of three things before you can hack effectively: networking (TCP/IP, DNS, HTTP), operating systems (Linux command line and Windows fundamentals), and at least one scripting language (Python is the standard). The Network+ certification curriculum covers the networking piece adequately if you prefer structured study. For Linux, the THM Linux Fundamentals rooms or any introductory Linux course works.
Pick a Specialty and Drill It
Hacking is too broad to learn evenly. Most working pentesters specialize in either web applications or network and Active Directory. Web is faster to get into because you only need a browser and Burp Suite. Network and AD require more tooling and benefit from a home lab setup.
Whichever direction you pick, the learning pattern is the same: read about a vulnerability class, then exploit it in a lab, then write up what you learned, then move on. Theory without hands-on lab time does not produce competent hackers.
Practice on Sandboxed Targets
You cannot legally practice on production systems. You need targets that are explicitly authorized for attack. Three categories work well. CTF challenges are time-limited competitions with curated puzzles, useful for building specific skills; see our guide to CTF challenges for beginners. Always-on training labs like HackerDNA provide hundreds of vulnerable applications and machines available 24/7. Bug bounty programs let you test real production systems within strict rules of engagement.
Get a Certification When You Are Ready
Certifications are not the goal, but they help with hiring. The Offensive Security Certified Professional (OSCP) is the most respected entry-level offensive security certification. The exam is a 24-hour practical hacking test where you compromise five machines in a sandboxed network. Our OSCP preparation guide covers the prep approach.
Frequently Asked Questions
Can I learn hacking on my own?
Yes. Most working penetration testers are self-taught with structured help from online courses, lab platforms, and CTF events. Formal degrees are useful but not required. The hiring path values demonstrated skill (CTF rankings, bug bounty disclosures, lab completions) more than diplomas in security roles.
How long does it take to learn hacking?
Reaching a junior penetration tester level typically takes 12 to 18 months of consistent study and practice, assuming five to ten hours per week. Reaching senior level takes another three to five years of professional engagements. The skill ceiling is effectively infinite, which is part of the appeal.
What is the difference between hacking and ethical hacking?
Ethical hacking is hacking performed with explicit written authorization, within a defined scope, for the purpose of improving security. The techniques are identical to malicious hacking. The legal and ethical status differs entirely based on permission and intent.
Do I need to know how to code to hack?
You need to read code fluently. You do not need to be a strong programmer in the software-engineering sense. Most working pentesters can write small scripts in Python or Bash to automate repetitive tasks, modify public exploit code, and understand application source code well enough to find vulnerabilities. The bar is "comfortable reading any language, able to write simple scripts in one or two."
What programming language should I learn first for hacking?
Python. The ecosystem of security tooling is heavily Python-based, and the language is approachable for beginners. JavaScript becomes important for web hacking. Bash scripting is essential for Linux work. C is useful for binary exploitation and reverse engineering but is rarely needed for web or network testing.
Is hacking a good career in 2026?
Yes. The cybersecurity workforce gap is currently around 4 million unfilled positions globally per ISC2 estimates, and penetration testing is one of the highest-demand specialties within security. For more detail, see our breakdown of whether cybersecurity is a good career.
Is it illegal to look at a website's source code?
No. Viewing client-side source code (HTML, CSS, JavaScript) sent to your browser by a public website is legal in every jurisdiction. The legal line is crossed when you actively probe the server, attempt authentication bypasses, or send malicious payloads. Reading the source code your browser already received is not hacking.
What is the easiest way to start hacking today?
Open a free account on a sandboxed learning platform, pick a beginner lab, and follow the guided steps. HackerDNA's Learn 101 lab runs in your browser with no setup. You will run your first scans and exploit your first vulnerability within an hour.
Your Next Steps
Hacking, the actual skill, is a long apprenticeship in how systems break. Reading a guide like this one is the easy part. The work happens in labs, where you read about a vulnerability, exploit it yourself, fail a few times, and finally understand why the bug exists and how to find others like it. There is no shortcut to that part. There is also no substitute for it.
Start with Learn 101 if you have never done a single lab. Move into the Ethical Hacking course once you are comfortable with the basics. From there, specialize: web applications, network and Active Directory, or one of the other categories covered above. Each specialty has its own pillar courses on HackerDNA and its own community of practitioners to learn from.
HackerDNA's free tier gives you access to browser-based labs with no credit card and no local setup. Open a browser, pick a lab, and start hacking, the legal kind.