Hack Like a Pro: The Hacker Methodology

The Hacker Methodology

Hack Like a Pro: The Hacker Methodology

Welcome back, my neophyte hackers!

Many newbie hackers seem to be confused regarding the process or methodology to employ a successful hack. Most want to simply go straight to the exploit without doing the due diligence to make certain that the hack will work and you won't get caught.

Here, I want to lay out for you the proper methodology, with example tools and techniques for a hack, from start to finish.

Step 1: Performing Reconnaissance

Good reconnaissance is critical to great hacking. In general, a good hacker will recon for about 2 to 3 times longer than he/she would performing the actual hack. It's not unusual to spend weeks or months gathering information before even beginning to attempt an exploit.

Most exploits are dependent on operating systems, applications, ports, and services, so you need to gather this information before you start hacking. If you don't, you will likely fail, get caught, or both. I can't emphasize this enough. Newbie hackers are always so anxious to get to the exploit that they often ignore this phase of the attack.

Recon can be broken into at least two categories, passive and active.

Passive Reconnaissance

Passive reconnaissance can be defined as gathering information about the target without actually "touching" the target, or in a way that looks like normal traffic.

I have already shown you how to use Netcraft to gather info about websites, such as the web server, operating system, last reboot, and other technologies. All of this information is critical before starting the hack. Most recently, I gave a lesson on how to use FOCA to gather metadata from documents on a website.

In addition, passive reconnaissance can include DNS and SNMP mining, dumpster diving, social engineering, using social media such as Facebook and LinkedIn, and of course, Google hacking, among other techniques.

Active Reconnaissance

Active reconnaissance is information gathered about the target by actually sending packets to the target and evaluating the response. The results of active recon are much more specific and reliable, but also much riskier. Anytime we send a packet to a site, our IP address is left behind.

Nmap, Hping, Netdiscover, P0f, and Xprobe2 are among the many tools we can use to gather info on remote targets that can be useful in revealing open ports, running services, and operating systems.

Active recon can also include enumeration of the network. Techniques such as banner grabbing and the use of vulnerability assessment tools such as Nessus, Nikto, and Retina are also often a part of this phase.

Step 2: Gaining Access (Exploitation)

Exploitation can take many, many forms, and the successful hacker will use their imagination to come up with multiple attack vectors. Metasploit is an excellent tool for exploitation, but don't fall in love with it. As soon as Metasploit develops new exploits, the AV software manufacturers immediately begin developing a new signature for it.

Once you have done thorough recon and know all the ports, services and apps, try looking into the vulnerability databases such as SecurityFocus, TechNet, and others for known vulnerabilities and exploits.

Be creative and think about all of the protocols that the system or network uses and how they might be abused. Always consider the possibility of a man-in-the middle attack and never overlook the good ol' social engineering attack.

Obviously, your attack methodology will differ based upon whether you have remote access or local access. If you can physically enter the network, your options are almost unlimited. Remote access has more limited possibilities for attack vectors, but can be much more malicious.

Step 3: Privilege Escalation

Very often, we can get access to the system or network, but only with the privileges of an ordinary user. This happens often when we use a client-side attack, where we are attacking an ordinary user's vulnerable applications, such as the web browser, Adobe Flash, Adobe Reader, etc.

Ultimately, we want root or sysadmin privileges that will give us unfettered access to the entire network. This is where we need to escalate privileges. Furthermore, if we have a legitimate account on a website or LAN, we may be able to escalate its privileges to gain root or sysadmin.

In some cases, if we have been able to compromise one system with user privileges on the network, we can pivot from that single system to compromise another system with system privileges.

If you can get the Metasploit Meterpreter on the system, the meterpreter has a command "getsystem" that iterates through 15 known privilege escalation methods to gain system admin privileges.

Once again, do not downplay or ignore the possibility of using social engineering techniques to gain system admin privileges by, in many cases, asking for the password under the proper context.

Step 4: Leaving Behind a Backdoor or Listener

Once we have successfully exploited the system and then escalated our privileges to sysadmin or root, it will be necessary to leave behind a listener or rootkit. This listener, ideally, will persist beyond when the system is rebooted and will be there when we want to come back to the system and continue to use/exploit/extract.

This listener can take many forms, such as Netcat, a command shell, VNC, Meterpreter, etc.

Step 5: Extracting Data

Ultimately, the primary reason for exploiting/hacking a machine is to gain access and extract or exfiltrate data. This can be credit card data, personally identifiable information (PII), intellectual property, or other valuable information.

To do so, we need a way to remove the data in a way that is not readily noticeable by the sysadmin, and ideally, encrypted. Recub and Cryptcat are two tools that can remove data stealthily.

Metasploit's Meterpreter also has an upload and download command for uploading malicious software and downloading critical and valuable data.

Step 6: Covering Your Tracks

To make certain that our exploits don't lead back to us, we need to cover our tracks. This can take many forms such clearing log files, removing any software we uploaded, removing our command history, etc. Metasploit's Meterpreter has a killav script to disable antivirus software, as well as a clearev command that removes the event logs on Windows systems.

I hope that this simple outline of the hacker methodology helps many of my neophyte hackers to better understand the hacker process.

Cover image via Shutterstock

13 Comments

if you can physically enter the network, your options are almost unlimited!! really?...give a list of general options...i know only a couple or two or five :D

perfect guide man!!
it's important to know how and why do anythings during an hacking attack..
i've just one question:
can you tell me more about the step 6?
if you can link some guide that explain in particular this step?

i ask this because for me it's the most important step and there are lot of things to do, if i want to do it well and i don't want to be caught..

there are lot of system (personal computer or server) in wich the step 6 is different right?
can you help us with this important step?
thanks!

Soul:

I'll try to do a tutorial covering this subject soon.

OTW

OTW
Thanks i'll be waiting for your tutorial..

Is it possible for hackers to hack without using tools or software? Or how do hackers make software? And if they can make software for hacking, why should they make one? The fact that they know how to make hacking software means they can hack without it? Am I on the same page?

Greenlemon:

Anything is possible, but generally hackers use software/tools. The best make their own tools.

I don't understand the rest of what you are asking.

OTW

Oh. my bad. ok forget those questions. thanks by the way

based on step 2 , meaning metaploit is not reliable for exploitation since AV software manufacturers write new signature for the exploit thus making it difficult to exploit using that specific exploit, is there any other tool that can be used which is more secure.

Hackers get Metasploit exploits past AV all the time by re-encode it with Shellter or Veil-Evasion.

There are many other tools for exploitation, but the AV developers monitor all of them such as Canvas or Core Impact.

ok thanks very much for the quick response, do have any article on how to re-encode it with shelter or Veil-Evasion..

Yes. Have you tried the search function on this page?

i tried searching using the search function but it says server error when trying to process your request

Share Your Thoughts

  • Hot
  • Latest