Many newbie hackers seem to be confused regarding the process or methodology to employ a successful hack. Most want to simply go straight to the exploit without doing the due diligence to make certain that the hack will work and you won’t get caught.
Here, I want to lay out for you the proper methodology, with example tools and techniques for a hack, from start to finish.
Step 1: Performing Reconnaissance
Good reconnaissance is critical to great hacking. In general, a good hacker will recon for about 2 to 3 times longer than he/she would performing the actual hack. It’s not unusual to spend weeks or months gathering information before even beginning to attempt an exploit.
Most exploits are dependent on operating systems, applications, ports, and services, so you need to gather this information before you start hacking. If you don’t, you will likely fail, get caught, or both. I can’t emphasize this enough. Newbie hackers are always so anxious to get to the exploit that they often ignore this phase of the attack.
Recon can be broken into at least two categories, passive and active.
Passive Reconnaissance
Passive reconnaissance can be defined as gathering information about the target without actually “touching” the target, or in a way that looks like normal traffic.
I have already shown you how to use Netcraft to gather info about websites, such as the web server, operating system, last reboot, and other technologies. All of this information is critical before starting the hack. Most recently, I gave a lesson on how to use FOCA to gather metadata from documents on a website.
In addition, passive reconnaissance can include DNS and SNMP mining, dumpster diving, social engineering, using social media such as Facebook and LinkedIn, and of course, Google hacking, among other techniques.
Active Reconnaissance
Active reconnaissance is information gathered about the target by actually sending packets to the target and evaluating the response. The results of active recon are much more specific and reliable, but also much riskier. Anytime we send a packet to a site, our IP address is left behind.
Nmap, Hping3, Netdiscover, p0F, and Xprobe2 are among the many tools we can use to gather info on remote targets that can be useful in revealing open ports, running services, and operating systems.
Active recon can also include enumeration of the network. Techniques such as banner grabbing and the use of vulnerability assessment tools such as Nexpose, Nikto, and Retina are also often a part of this phase.
Step 2: Gaining Access (Exploitation)
Exploitation can take many, many forms, and the successful hacker will use their imagination to come up with multiple attack vectors. Metasploit is an excellent tool for exploitation, but don’t fall in love with it. As soon as Metasploit develops new exploits, the AV software manufacturers immediately begin developing a new signature for it.
Once you have done thorough recon and know all the ports, services and apps, try looking into the vulnerability databases such as SecurityFocus, TechNet, and others for known vulnerabilities and exploits.
Be creative and think about all of the protocols that the system or network uses and how they might be abused. Always consider the possibility of a man-in-the middle attack and never overlook the good ol’ social engineering attack.
Obviously, your attack methodology will differ based upon whether you have remote access or local access. If you can physically enter the network, your options are almost unlimited. Remote access has more limited possibilities for attack vectors, but can be much more malicious.
Step 3: Privilege Escalation
Very often, we can get access to the system or network, but only with the privileges of an ordinary user. This happens often when we use a client-side attack, where we are attacking an ordinary user’s vulnerable applications, such as the web browser, Adobe Flash, Adobe Reader, etc.
Ultimately, we want root or sysadmin privileges that will give us unfettered access to the entire network. This is where we need to escalate privileges. Furthermore, if we have a legitimate account on a website or LAN, we may be able to escalate its privileges to gain root or sysadmin.
In some cases, if we have been able to compromise one system with user privileges on the network, we can pivot from that single system to compromise another system with system privileges.
If you can get the Metasploit Meterpreter on the system, the meterpreter has a command “getsystem” that iterates through 15 known privilege escalation methods to gain system admin privileges.
Once again, do not downplay or ignore the possibility of using social engineering techniques to gain system admin privileges by, in many cases, asking for the password under the proper context.
Step 4: Leaving Behind a Backdoor or Listener
Once we have successfully exploited the system and then escalated our privileges to sysadmin or root, it will be necessary to leave behind a listener or rootkit. This listener, ideally, will persist beyond when the system is rebooted and will be there when we want to come back to the system and continue to use/exploit/extract.
This listener can take many forms, such as Netcat, a command shell, VNC, Meterpreter, etc.
Step 5: Extracting Data
Ultimately, the primary reason for exploiting/hacking a machine is to gain access and extract or exfiltrate data. This can be credit card data, personally identifiable information (PII), intellectual property, or other valuable information.
To do so, we need a way to remove the data in a way that is not readily noticeable by the sysadmin, and ideally, encrypted. Recub and Cryptcat are two tools that can remove data stealthily.
Metasploit’s Meterpreter also has an upload and download command for uploading malicious software and downloading critical and valuable data.
Step 6: Covering Your Tracks
To make certain that our exploits don’t lead back to us, we need to cover our tracks. This can take many forms such clearing log files, removing any software we uploaded, removing our command history, etc. Metasploit’s Meterpreter has a killav script to disable antivirus software, as well as a clearev command that removes the event logs on Windows systems.
I hope that this simple outline of the hacker methodology helps many of my neophyte hackers to better understand the hacker process.