5 Phases of Hacking
Note: This article is not meant to encourage anyone to break into or take down websites. Its purpose is to give a general idea of how everyday attacks are carried out, so that you can recognise them and take at least some basic precautions.
This article walks through the 5 phases of hacking using the example of an attacker who tries to break into a company's server and gain access to its data.
Ethical Hacking is the process of making legal, authorized attempts to discover and exploit weaknesses in a computer system so that the system can be made more secure. It includes probing for vulnerabilities and providing proof-of-concept (PoC) attacks that demonstrate the vulnerabilities really exist. A good penetration tester always provides specific recommendations for removing the flaws discovered during the test. Ethical hacking is also known by other terms such as:
- Penetration Testing
- Pen Testing
- White Hat Hacking
Vulnerability Assessment is a related term that is often confused with Penetration Testing. A vulnerability assessment reviews systems and services for known security issues, usually with automated scanners, and reports what it finds. Many people use the two terms interchangeably, but they are not the same: penetration testing goes a step further by actually exploiting the discovered flaws to show their real impact, and the tester then recommends how to remove them.
1. Reconnaissance: This is the first phase, in which the attacker collects information about the target. It may include identifying the target, finding the target's IP address range, network, DNS records, and so on. Let's assume an attacker wants to obtain a company's staff contact details.
He may do so by using an OSINT tool such as Maltego, by researching the target's website (checking links, job postings, job titles, email addresses, news, and so on), or by using a tool such as HTTrack to download the entire website for later enumeration offline. From this the attacker is able to determine staff names, positions, and email addresses.
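The enumeration step of that scenario, as an added example that is not code from the original article: a Python script that parses a mirrored "Our Team" page (a constructed sample; the names, addresses and the `class="staff"` markup are assumptions about this particular page), pulls out name/title/email triples, infers the company's address convention from the addresses it did find, and guesses addresses for staff listed without one. That last step is what makes the phase useful to an attacker: a handful of confirmed addresses is enough to predict everyone else's.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample: the kind of "Our Team" page an HTTrack mirror would contain.
# Names, titles and addresses are made up for the example.
SAMPLE_PAGE = """
<html><body>
<h1>Our Team</h1>
<div class="staff"><span class="name">Alice Johnson</span> <span class="title">CTO</span>
  <a href="mailto:alice.johnson@example.com">email</a></div>
<div class="staff"><span class="name">Bob Lee</span> <span class="title">IT Manager</span>
  <a href="mailto:bob.lee@example.com">email</a></div>
<div class="staff"><span class="name">Carol Smith</span> <span class="title">Helpdesk Technician</span></div>
<p>Press enquiries: <a href="mailto:press@example.com">press@example.com</a></p>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class StaffParser(HTMLParser):
    """Collect name/title/email from <div class="staff"> blocks (selectors assumed for this page)."""

    def __init__(self):
        super().__init__()
        self.staff = []
        self._current = None   # the staff entry being filled in
        self._field = None     # "name" or "title" while inside that <span>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div" and attrs.get("class") == "staff":
            self._current = {"name": None, "title": None, "email": None, "guessed": False}
            self.staff.append(self._current)
        elif tag == "span" and attrs.get("class") in ("name", "title"):
            self._field = attrs["class"]
        elif tag == "a" and self._current is not None:
            href = attrs.get("href") or ""
            if href.startswith("mailto:"):
                self._current["email"] = href[len("mailto:"):].lower()

    def handle_endtag(self, tag):
        if tag == "span":
            self._field = None
        elif tag == "div":
            self._current = None

    def handle_data(self, data):
        if self._field and self._current is not None:
            self._current[self._field] = data.strip()


def extract_staff(html):
    parser = StaffParser()
    parser.feed(html)
    return parser.staff


def all_emails(html):
    """Every address anywhere in the page, not only inside staff blocks."""
    return sorted({m.lower() for m in EMAIL_RE.findall(html)})


def _name_parts(name):
    parts = name.lower().split()
    return parts[0], parts[-1]


def _candidates(first, last):
    # Common corporate address conventions, keyed by a label for the inferred pattern.
    return {"first.last": f"{first}.{last}", "firstlast": f"{first}{last}",
            "flast": f"{first[0]}{last}", "first": first}


def infer_pattern(staff):
    """Vote on the address convention using entries that have both a name and an email."""
    votes = Counter()
    for s in staff:
        if not (s["name"] and s["email"]):
            continue
        first, last = _name_parts(s["name"])
        local, domain = s["email"].split("@", 1)
        for pattern, guess in _candidates(first, last).items():
            if guess == local:
                votes[(pattern, domain)] += 1
    return votes.most_common(1)[0][0] if votes else None


def guess_missing_emails(staff):
    """Fill in addresses for staff listed without one, using the inferred convention."""
    inferred = infer_pattern(staff)
    if inferred is None:
        return staff
    pattern, domain = inferred
    for s in staff:
        if s["name"] and not s["email"]:
            first, last = _name_parts(s["name"])
            s["email"] = f"{_candidates(first, last)[pattern]}@{domain}"
            s["guessed"] = True   # unverified guess; marked so it is not mistaken for a fact
    return staff


if __name__ == "__main__":
    for entry in guess_missing_emails(extract_staff(SAMPLE_PAGE)):
        print(entry)
    print(all_emails(SAMPLE_PAGE))
```

The `guessed` flag matters: a predicted address is a lead, not a fact, and a careful tester confirms it before building a phishing list on it. From the defender's side, this is why a public staff directory with email addresses is worth more to an attacker than it looks.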
2. Scanning: This phase uses tools such as dialers, port scanners, network mappers, ping sweepers, and vulnerability scanners to probe the target. The attacker is now looking for anything that can help carry out an attack, such as computer names, IP addresses, open services, and user accounts. With the basic information from Phase 1 in hand, the attacker begins to test the network for further avenues of attack. For example, they may map the network with tools from Kali Linux and Maltego, and find an email address to contact in order to learn what mail server the company runs. The attacker looks for an automated reply if possible, or, based on the information gathered, may email HR with an inquiry about a job posting, since the headers of the reply reveal the mail infrastructure.
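The mechanics of a port scan and a banner grab, as an added example that is not code from the original article: a Python TCP connect scanner with service fingerprinting, run against a stand-in mail server that the script starts itself on the loopback interface so it works offline. The host name and product in the banner are made up; the fake server only sends an SMTP-style greeting and is not a real mail server. A real engagement would use nmap for this, but the example shows what such tools do and one limitation of the simple approach.

```python
import socket
import threading

# Constructed stand-in for the target's mail server: it only sends an SMTP-style
# greeting. The host name and product in the banner are made up for the example.
FAKE_BANNER = b"220 mail.example.com ESMTP Postfix (Ubuntu)\r\n"


def start_fake_smtp(banner=FAKE_BANNER):
    """Listen on an ephemeral loopback port, greet every client, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """A loopback port that nothing listens on (bind, read back the number, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def grab_banner(host, port, timeout=1.0):
    """TCP connect scan of one port plus banner grab.

    Returns the first line the service volunteers, "" if the port is open but
    silent (HTTP, for instance, waits for the client to speak first), or None
    if the connection is refused. A connect timeout also ends up as None, so a
    firewalled ("filtered") port looks the same as a closed one in this simple
    scanner; nmap reports the two states separately.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode("utf-8", "replace").strip()
            except socket.timeout:
                return ""
    except OSError:
        return None


def scan(host, ports):
    """Map of open port -> banner for the given port list."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            results[port] = banner
    return results


def fingerprint_mail_server(banner):
    """Rough product guess from an SMTP 220 greeting; None if the banner is not one."""
    if not banner or not banner.startswith("220"):
        return None
    for product in ("Postfix", "Exim", "Sendmail", "Microsoft ESMTP", "Exchange"):
        if product.lower() in banner.lower():
            return product
    return "unknown"


if __name__ == "__main__":
    smtp_port = start_fake_smtp()
    found = scan("127.0.0.1", [free_port(), smtp_port])
    for port, banner in found.items():
        print(port, repr(banner), fingerprint_mail_server(banner))
```

Two things a practitioner should take from this: a full TCP connect on every port is exactly the "noisy" scan that shows up in connection logs and IDS alerts, and a banner is self-reported by the service, so it can be edited or faked by a defender who wants to mislead scanners.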
3. Gaining Access: In this phase, the attacker plans the attack against the target network using the blueprint built from the data collected in Phase 1 and Phase 2. Having finished enumerating and scanning the network, the attacker now has several options for gaining access.
For example, say the attacker chooses a phishing attack. The attacker decides to play it safe and use a simple phishing email to gain access, and picks the IT department as the target. They see that there have been some recent hires who are probably not yet up to speed on procedures. A phishing email is crafted so that it appears to come from the CTO's real email address (a spoofed From address gets through when the domain does not enforce SPF, DKIM and DMARC) and is sent to the technicians. The email links to a phishing website that collects their usernames and passwords. Using any of a number of options (a phone app, a website, email spoofing, Zmail, and so on) the attacker asks the users to log in to a "new Google portal" with their credentials. They already have the Social Engineering Toolkit (SET) running to serve the fake login page, and the link in the email is masked with a URL shortener such as bitly or tinyurl.
Other options include embedding a reverse TCP shell in a PDF generated with Metasploit (which may be caught by the spam filter or antivirus). Looking at the company's event calendar, they could set up an Evil Twin access point at an event and run a Man-in-the-Middle attack on users to capture credentials. Variants of Denial of Service, stack-based buffer overflows, and session hijacking may also prove effective, depending on what the scanning phase found.
4. Maintaining Access: Once the attacker has gained access, they want to keep it for future exploitation and attacks. Once the attacker owns the system, they can use it as a base from which to launch additional attacks.
In this case the owned system is sometimes referred to as a zombie system. Now that the attacker has several users' email credentials, they begin to test those credentials against the domain. From this point the attacker creates a new administrator account for themselves that follows the organisation's naming convention, so that it blends in. As a further precaution, the attacker looks for accounts that have not been used for a long time; assuming these are forgotten, they change the password and elevate the account to administrator as a secondary way to retain access. The attacker may also send emails to other users with a malicious file such as a PDF containing a reverse shell in order to extend their access. No overt exploitation or attacks occur at this time; if there is no sign of detection, the attacker waits, letting the victim believe nothing was disturbed. With access to an IT account, the attacker begins copying all emails, appointments, contacts, instant messages and files to sort through and use later.
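Both persistence tricks described above leave a trace in the directory. As an added example that is not code from the original article, here is Python detection logic run over a constructed account export (the user names, dates and flags are made up, and the columns are an assumption about what an AD/LDAP dump provides). It flags a long-dormant account whose password was just changed, and any administrator account created in the last few days, whatever its name looks like.

```python
from datetime import datetime, timedelta

# Constructed directory export (the columns an AD/LDAP dump would give you);
# every user, date and flag below is made up for the example.
NOW = datetime(2024, 6, 1)
ACCOUNTS = [
    {"user": "jsmith",     "created": "2021-03-10", "last_logon": "2024-05-30", "pwd_set": "2024-04-01", "admin": False},
    {"user": "tbrown",     "created": "2019-07-22", "last_logon": "2023-11-02", "pwd_set": "2024-05-29", "admin": True},
    {"user": "svc-backup", "created": "2018-01-15", "last_logon": "2024-05-31", "pwd_set": "2023-01-15", "admin": True},
    {"user": "mgarcia",    "created": "2024-05-28", "last_logon": "2024-05-31", "pwd_set": "2024-05-28", "admin": True},
    {"user": "rlee",       "created": "2024-05-28", "last_logon": "2024-05-31", "pwd_set": "2024-05-28", "admin": False},
]


def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")


def dormant_reactivations(accounts, now, dormant_days=90, recent_days=7):
    """Accounts idle for a long time whose password was changed very recently.

    A real user logs on and later resets a password; an attacker taking over a
    forgotten account resets the password after a long silence. The 90/7 day
    thresholds are assumptions to tune per environment.
    """
    hits = []
    for a in accounts:
        idle_before_reset = _d(a["pwd_set"]) - _d(a["last_logon"])
        since_reset = now - _d(a["pwd_set"])
        if idle_before_reset > timedelta(days=dormant_days) and since_reset <= timedelta(days=recent_days):
            hits.append({"user": a["user"], "idle_days": idle_before_reset.days,
                         "severity": "high" if a["admin"] else "medium"})
    return hits


def new_admins(accounts, now, recent_days=7):
    """Administrator accounts created in the last few days."""
    return [a["user"] for a in accounts
            if a["admin"] and now - _d(a["created"]) <= timedelta(days=recent_days)]


def hunt(accounts, now):
    return {"dormant_reactivated": dormant_reactivations(accounts, now),
            "new_admins": new_admins(accounts, now)}


if __name__ == "__main__":
    print(hunt(ACCOUNTS, NOW))
```

The second check is deliberately blind to the account name: an attacker who copies the naming convention defeats any "does this name look odd" rule, but cannot hide the creation date or the group membership. The first check is a good candidate for a scheduled report, since legitimate reactivations (a returning employee) are rare enough to review by hand.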
5. Clearing Tracks (so no one can trace them): Prior to the attack, the attacker changes their MAC address and routes the attacking machine through at least one VPN to help hide their identity. They avoid direct attacks or scanning techniques that would be considered "noisy".
Once access is gained and privileges have been escalated, the attacker covers their tracks. This includes deleting sent emails from the compromised mailboxes, clearing server logs, removing temp files, and so on. The attacker also looks for signs that the email provider has alerted the user to suspicious or unauthorized logins on their account.
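Clearing a log leaves its own evidence, which is what a defender looks for. As an added example that is not code from the original article, here is Python that audits a constructed Windows Security log export (the records, times and numbering are made up; how a given log system numbers records is an assumption and the gap check must be adapted to the real source). It reports the "audit log was cleared" event itself, gaps in the record sequence, and unusual silences in a source that normally logs continuously.

```python
from datetime import datetime, timedelta

# Constructed records from a Windows Security log export:
# (record id, time, event id, message). The numbering is an assumption for the
# example; real log systems number records differently.
RECORDS = [
    (1001, "2024-06-01T09:00:00", 4624, "An account was successfully logged on"),
    (1002, "2024-06-01T09:00:30", 4672, "Special privileges assigned to new logon"),
    (1003, "2024-06-01T09:01:00", 4720, "A user account was created"),
    (1004, "2024-06-01T09:01:05", 4728, "A member was added to a security-enabled global group"),
    (1009, "2024-06-01T12:30:00", 1102, "The audit log was cleared"),
    (1010, "2024-06-01T12:30:10", 4624, "An account was successfully logged on"),
]

# Events that are themselves evidence of log clearing:
# 1102 (Security log cleared), 104 (System log cleared).
CLEAR_EVENT_IDS = {1102, 104}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def clear_events(records):
    """Records announcing that a log was wiped. Clearing removes the evidence,
    not the announcement, so this is the first thing to look for."""
    return [r for r in records if r[2] in CLEAR_EVENT_IDS]


def sequence_gaps(records):
    """(previous id, next id, missing count) wherever consecutive records are not consecutive."""
    gaps = []
    for prev, cur in zip(records, records[1:]):
        if cur[0] != prev[0] + 1:
            gaps.append((prev[0], cur[0], cur[0] - prev[0] - 1))
    return gaps


def time_gaps(records, max_silence=timedelta(hours=1)):
    """Pairs of record ids between which the source was silent for longer than expected."""
    return [(prev[0], cur[0]) for prev, cur in zip(records, records[1:])
            if _t(cur[1]) - _t(prev[1]) > max_silence]


def audit(records):
    return {"cleared": [r[0] for r in clear_events(records)],
            "sequence_gaps": sequence_gaps(records),
            "time_gaps": time_gaps(records)}


if __name__ == "__main__":
    print(audit(RECORDS))
```

None of these checks help if the only copy of the log is on the compromised host. Forward logs to a central collector as they are written; then clearing the local log removes nothing the defender still needs, and the 1102 event arriving at the collector is the alert.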
Most of the time is spent on reconnaissance, and the time spent decreases in each subsequent phase. The inverted triangle in the diagram represents this decrease in time across the phases.
Protect Yourself: What to do and what not to do
- Do not post information on social media that could answer your account security questions (pet names, birthplace, first school, and so on).
- Use long, unique passwords that cannot be broken by brute force or guessing; a password manager helps with this.
- Enable two-factor authentication wherever it is offered.
- Be wary of emails asking for your password. Services such as Heroku, Gmail and others will never ask you to type in your password for a promotion or additional service.
- Verify the source of any contact before acting on it.
- Before clicking a link, inspect it: hover over it to see the real destination, and treat shortened URLs with suspicion.
- Always scan downloaded files, and never run batch files or other scripts from untrusted sources.
- Review the background services running on your device, and do not rely on other people's devices for sensitive logins.
- Keep antivirus software installed and up to date, and require an administrator or root password for software installation.
- Log out of sessions when you are done and clear the browser cache.
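The advice to check password-request emails and inspect links, and the spoofed-CTO phishing email from the Gaining Access phase, both come down to the same checks, shown here as an added example that is not code from the original article. The Python below analyses a constructed message (every address, host and link is made up, including the bit.ly path, which is not a real link): it reads the receiving server's SPF/DKIM/DMARC verdicts, compares the envelope sender and Reply-To with the visible From domain, and flags links that use a shortener or whose displayed URL differs from the real destination.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed message modelled on the phishing scenario in this article. Every
# address, host and link is made up; the bit.ly path is not a real link.
SAMPLE_EML = """\
Return-Path: <bounce@mailer-hosting.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-hosting.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Alice Johnson - CTO" <alice.johnson@example.com>
Reply-To: alice.johnson.cto@gmail.com
To: techs@example.com
Subject: Action required: new Google portal
Content-Type: text/html; charset="utf-8"

<html><body><p>Team, please sign in to the new portal today with your work
credentials: <a href="https://bit.ly/portal-login-example">https://accounts.google.com/portal</a></p></body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


class LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])

    # 1. The From: header can say anything; SPF/DKIM/DMARC results added by the
    #    receiving server are what actually tie the message to the sending domain.
    for mech, result in AUTH_RE.findall(msg.get("Authentication-Results", "").lower()):
        if result not in ("pass", "none"):
            findings.append(f"authentication {mech}={result}")

    # 2. Envelope sender and Reply-To normally match the visible From domain.
    for header in ("Return-Path", "Reply-To"):
        dom = _domain(parseaddr(msg.get(header, ""))[1])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")

    # 3. Shorteners hide the destination; displayed URL != real URL is the classic lure.
    if msg.get_content_type() == "text/html":
        parser = LinkParser()
        parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in parser.links:
            host = (urlparse(href).hostname or "").lower()
            shown = (urlparse(text).hostname or "").lower() if "://" in text else ""
            if host in SHORTENERS:
                findings.append(f"link to {host} uses a URL shortener")
            if shown and shown != host:
                findings.append(f"link text shows {shown} but points to {host}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EML):
        print(finding)
```

Only the Authentication-Results header is trustworthy here, and only when it was written by your own mail server (strip any copy that arrives from outside). The other checks are heuristics: a legitimate newsletter also has a foreign Return-Path, so treat a single finding as a reason to look closer, and several together as a reason not to click.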
If you think you have been compromised, inform the service providers involved, and if the compromise is confirmed, report it to the cybercrime department. These days such incidents are taken seriously. Stay safe and avoid becoming a target!