Part 1: Staying Anonymous
1.) Install Whonix - "Whonix is a Debian GNU/Linux based security-focused Linux distribution. It aims to provide privacy, security and anonymity on the internet. The operating system consists of two virtual machines, a "Workstation" and a Tor "Gateway", running Debian GNU/Linux." Basically: Whonix will send all your requests through Tor.
2.) That step is for testing. Do not actually hack over Tor! You could use a virtual private server based in Sweden or something, or you could seize a Tor node and make it your own. There are always multiple options for something. Using a virtual private server is usually the best way to go. I recommend that myself.
3.) Once you have rooted the server, remember to remove all the logs. Keep that in mind.
4.) Use realistic User-Agent strings. You can use this one, for example: Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
5.) This step is common sense. Do not tell anyone about your hacks. You could, I guess, tell people online while using a virtual private network, but not people in real life. This is what will get you caught, eventually.
Part 2: Mapping out the target
1.) Mapping out a target is a crucial step! We must always remember that to hack your target, you must find a vulnerability. To find one, you must know your target, entirely!
2.) Use a DNS domain scanner - You could use Fierce to find the subdomains of a target. If you're using Kali Linux, just type in fierce.pl -dns website.com
3.) Check out all those websites. You might find something good. A login vulnerable to SQL Injection, possibly.
Part 3: Vulnerability finding
1.) Scan the services with Nmap.
2.) Maybe they have an FTP server that allows anonymous read/write access to something quite important. Believe it or not, some do.
3.) Maybe it runs old software. You could most probably find an exploit for it online. :)
4.) REMEMBER TO LOOK AT ALL THE SUBDOMAINS!
5.) You can run Nikto (a web server vulnerability scanner). Nikto sends automated requests and flags known vulnerabilities in the system.
6.) Once you know what software the website is running, e.g. WordPress, use WPScan.
I will show you how to get r00t in the next episode.
For a treat, I'll give you guys this:
Multiple and advanced XSS requests:
<IMG SRC=/ onerror="alert('NULLBYTE')"></img>
<svg onload="alert('nullbyte')" />
";alert(/null/);a =" \' nullbyte
#!"><img src=1 onerror=prompt(null)>//
x" autofocus onfocus="alert('null')
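Added here as a defender-side example (not code from the original post): the five strings above are all attempts to break out of the context a page reflects them into, and context-aware output encoding is what stops them. The helper names below (encode_html, encode_js_string, render, still_contained, audit) are assumptions for this illustration and use only the Python standard library.

```python
import html
import json

# The five strings from the post, embedded as constructed test input; nothing is
# sent anywhere, they are only passed through the encoders below.
PAYLOADS = [
    "<IMG SRC=/ onerror=\"alert('NULLBYTE')\"></img>",
    "<svg onload=\"alert('nullbyte')\" />",
    "\";alert(/null/);a =\" \\' nullbyte",
    "#!\"><img src=1 onerror=prompt(null)>//",
    "x\" autofocus onfocus=\"alert('null')",
]

def encode_html(value: str) -> str:
    """For text between tags or inside a quoted attribute.
    html.escape(quote=True) turns < > & " ' into entities, so the value can
    neither open a tag nor close the attribute quote around it."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """For a JavaScript string literal inside a <script> block.
    json.dumps escapes quotes and backslashes; < and > are escaped as well so
    the literal can never contain a bare </script> that ends the block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render(value: str) -> dict:
    """Place one untrusted value into the three contexts the payloads target."""
    return {
        "text": f"<p>{encode_html(value)}</p>",
        "attribute": f'<input value="{encode_html(value)}">',
        "script": f"<script>var q = {encode_js_string(value)};</script>",
    }

def still_contained(value: str) -> bool:
    """True when the encoded value cannot leave its context: no raw angle
    bracket or quote in the HTML forms, and the JS form is exactly one string
    token (round-trips through json.loads) with no raw < or > inside it."""
    h = encode_html(value)
    js = encode_js_string(value)
    html_ok = not any(c in h for c in "<>\"'")
    inner = js[1:-1]
    js_ok = (js.startswith('"') and js.endswith('"')
             and "<" not in inner and ">" not in inner
             and json.loads(js) == value)
    return html_ok and js_ok

def audit(values=PAYLOADS) -> dict:
    """Map each input to whether encoding keeps it inert in every context."""
    return {v: still_contained(v) for v in values}

if __name__ == "__main__":
    for value, ok in audit().items():
        print(f"{'contained' if ok else 'BREAKOUT'}: {value}")
```

The check is deliberately per context: a value that is inert between tags is not automatically inert inside a script block, which is why the encoder is chosen by where the value lands, not by what the value looks like.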