
The Hacker Methodology

Many newbie hackers seem to be confused regarding the process or methodology to
employ for a successful hack. Most want to go straight to the exploit without
doing the due diligence to make certain that the hack will work and that they
won't get caught.

Here, I want to lay out for you the proper methodology, with example tools and
techniques for a hack, from start to finish.

Step 1: Performing Reconnaissance

Good reconnaissance is critical to great hacking. In general, a good hacker will
spend about 2 to 3 times longer on recon than on performing the actual hack.
It's not unusual to spend weeks or months gathering information before even
beginning to attempt an exploit.

Most exploits are dependent on operating systems, applications, ports, and
services, so you need to gather this information before you start hacking. If you
don't, you will likely fail, get caught, or both. I can't emphasize this enough.
Newbie hackers are always so anxious to get to the exploit that they often ignore
this phase of the attack.

Recon can be broken into at least two categories: passive and active.

Passive Reconnaissance

Passive reconnaissance can be defined as gathering information about the target
without actually "touching" the target, or in a way that is indistinguishable
from normal traffic.

I have already shown you how to use Netcraft to gather info about websites, such as
the web server, operating system, last reboot, and other technologies. All of this
information is critical before starting the hack. Most recently, I gave a lesson on
how to use FOCA to gather metadata from documents on a website.

In addition, passive reconnaissance can include DNS record lookups, dumpster
diving, social engineering, mining social media such as Facebook and LinkedIn,
and of course Google hacking, among other techniques. (SNMP "mining" is often
listed here too, but it means querying the device itself, so it really belongs
under active recon.)
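What FOCA-style metadata mining actually pulls out of a document, as an added example that is not part of the original article and is not FOCA's own code: a stdlib-only Python extractor for the docProps/ parts that every Office (OOXML) file carries, run over constructed .docx containers built in memory (the names, versions and company are invented sample data). The usernames it returns hint at the organisation's account naming convention, and the Office versions tell you which client-side attacks (Step 3) are even worth trying.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two metadata parts every OOXML file carries.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# (field we report, part the field lives in, namespaced element to read)
FIELDS = [
    ("creator", "docProps/core.xml", "dc:creator"),
    ("last_modified_by", "docProps/core.xml", "cp:lastModifiedBy"),
    ("created", "docProps/core.xml", "dcterms:created"),
    ("modified", "docProps/core.xml", "dcterms:modified"),
    ("application", "docProps/app.xml", "ep:Application"),
    ("app_version", "docProps/app.xml", "ep:AppVersion"),
    ("company", "docProps/app.xml", "ep:Company"),
]


def extract_office_metadata(data: bytes) -> dict:
    """Return the identity- and software-revealing fields of a .docx/.xlsx/.pptx.
    Fields absent from the file are simply left out of the result."""
    parts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in ("docProps/core.xml", "docProps/app.xml"):
            if name in z.namelist():
                parts[name] = ET.fromstring(z.read(name))
    found = {}
    for key, part, path in FIELDS:
        root = parts.get(part)
        if root is None:
            continue
        el = root.find(path, NS)
        if el is not None and el.text:
            found[key] = el.text.strip()
    return found


def summarize_targets(metadata_list) -> dict:
    """Aggregate metadata from many files into what the attacker wants: the
    set of usernames seen and the set of client software versions in use."""
    users, software = set(), set()
    for meta in metadata_list:
        for key in ("creator", "last_modified_by"):
            if key in meta:
                users.add(meta[key])
        if "application" in meta:
            software.add(" ".join(filter(None, [meta["application"], meta.get("app_version")])))
    return {"users": sorted(users), "software": sorted(software)}


def build_sample_docx(creator, last_modified_by, application, app_version, company) -> bytes:
    """Constructed, minimal OOXML container standing in for a downloaded file.
    Only the parts the extractor reads are populated; a real .docx from a
    target's website carries the same docProps/ entries."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2019-03-04T09:12:00Z</dcterms:created>'
        "</cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{NS["ep"]}">'
        f"<Application>{application}</Application>"
        f"<AppVersion>{app_version}</AppVersion>"
        f"<Company>{company}</Company>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


if __name__ == "__main__":
    docs = [
        build_sample_docx("jsmith", "Jane Smith", "Microsoft Office Word", "14.0000", "ACME Corp"),
        build_sample_docx("bjones", "jsmith", "Microsoft Office Word", "12.0000", "ACME Corp"),
    ]
    print(summarize_targets([extract_office_metadata(d) for d in docs]))
```

Point the extractor at every .doc/.docx/.xlsx/.pdf-style file a crawler pulls from the target's public site and the aggregate quickly tells you the username format and the desktop software baseline, none of which ever required touching a server beyond ordinary downloads.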

Active Reconnaissance

Active reconnaissance is information gathered about the target by actually sending
packets to the target and evaluating the response. The results of active recon are
much more specific and reliable, but also much riskier: any time we send a packet
to the target, our IP address is left behind in its logs.

Nmap, hping3, Netdiscover, and Xprobe2 are among the many tools we can use to
gather info on remote targets, revealing open ports, running services, and
operating systems. (p0f is often listed alongside them, but it fingerprints the
OS by sniffing traffic rather than sending any, so it is really a passive tool.)

Active recon can also include enumeration of the network. Techniques such as banner
grabbing and the use of vulnerability assessment tools such as Nexpose, Nikto, and
Retina are also often a part of this phase.
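Banner grabbing is the simplest form of the active recon described above, so here it is end to end as an added example (not code from the original article): a Python banner grabber pointed at a constructed stand-in service on 127.0.0.1 that announces an SSH identification string and closes. The banner text is invented sample data; the parsing follows the format an SSH server actually uses (RFC 4253 section 4.2), and the product/version it returns are exactly the terms you take into the vulnerability databases in Step 2.

```python
import socket
import threading

# Constructed banner for the example. A real sshd announces itself the same
# way, as soon as the TCP connection opens, before the client sends anything.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> int:
    """Stand-in target: a loopback TCP listener that sends one banner and
    closes. Returns the ephemeral port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and read whatever the service volunteers unprompted.

    Returns "" when the service stays silent: HTTP, for example, says nothing
    until it receives a request, so a silent port is a result, not an error.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        while sum(len(c) for c in chunks) < 1024:
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                break
            if not chunk:          # peer closed the connection
                break
            chunks.append(chunk)
            if b"\n" in chunk:     # a banner is a single line
                break
    return b"".join(chunks).decode("utf-8", errors="replace").strip()


def parse_ssh_banner(banner: str) -> dict:
    """Split an SSH identification string of the form
    'SSH-protoversion-softwareversion SP comments' into the fields that
    drive the vulnerability-database lookup. Returns {} for non-SSH banners."""
    if not banner.startswith("SSH-"):
        return {}
    ident, _, comments = banner.partition(" ")
    try:
        _, proto, software = ident.split("-", 2)
    except ValueError:
        return {}
    product, _, version = software.partition("_")
    info = {"protocol": proto, "product": product, "version": version}
    if comments:
        info["comments"] = comments   # often the distro package, e.g. Debian-10+deb9u7
    return info


if __name__ == "__main__":
    port = start_fake_service()
    banner = grab_banner("127.0.0.1", port)
    print(banner, "->", parse_ssh_banner(banner))
```

Against a real host, replace the loopback port with the target's 22/tcp and expect the connection to show up in its auth log: that is the trade-off the text describes, a precise version string in exchange for leaving your address behind.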

Step 2: Gaining Access (Exploitation)

Exploitation can take many, many forms, and the successful hacker will use their
imagination to come up with multiple attack vectors. Metasploit is an excellent
tool for exploitation, but don't fall in love with it. As soon as a new Metasploit
exploit or payload is released, the AV vendors begin writing signatures for it,
so a stock payload is often the first thing the defender's tools recognize.

Once you have done thorough recon and know all the ports, services, and apps, look
them up in vulnerability databases such as SecurityFocus, TechNet, and others for
known vulnerabilities and public exploits. Match on the exact version string the
recon returned; most exploits work only against a narrow range of versions.

Be creative and think about all of the protocols that the system or network uses
and how they might be abused. Always consider the possibility of a
man-in-the-middle attack, and never overlook the good ol' social engineering attack.

Obviously, your attack methodology will differ based upon whether you have remote
access or local access. If you can physically enter the network, your options are
almost unlimited. Remote access has fewer possible attack vectors, but no less
potential for damage.

Step 3: Privilege Escalation

Very often, we can get access to the system or network, but only with the
privileges of an ordinary user. This happens often when we use a client-side
attack, where we are attacking an ordinary user's vulnerable applications, such as
the web browser, Adobe Flash, Adobe Reader, etc.

Ultimately, we want root or sysadmin privileges that will give us unfettered access
to the entire network. This is where we need to escalate privileges. Furthermore,
if we have a legitimate account on a website or LAN, we may be able to escalate its
privileges to gain root or sysadmin.

In some cases, if we have been able to compromise one system with user privileges
on the network, we can pivot from that single system to compromise another system
with system privileges.

If you can get the Metasploit Meterpreter on the system, it has a getsystem
command that tries several known privilege escalation techniques (named pipe
impersonation and token duplication among them) to obtain SYSTEM privileges. Note
that these techniques start from an already elevated (administrator) process; from
a plain user account you first need a local privilege escalation exploit or a UAC
bypass before getsystem will get you anywhere.

Once again, do not downplay or ignore the possibility of using social engineering
techniques to gain system admin privileges by, in many cases, asking for the
password under the proper context.

Step 4: Leaving Behind a Backdoor or Listener

Once we have successfully exploited the system and then escalated our privileges to
sysadmin or root, it will be necessary to leave behind a backdoor: a listener or
rootkit. Ideally, this listener will survive a reboot and will be there when we
want to come back to the system and continue to use/exploit/extract.

This listener can take many forms, such as Netcat, a command shell, VNC,
Meterpreter, etc.

Step 5: Extracting Data

Ultimately, the primary reason for exploiting/hacking a machine is to gain access
and extract or exfiltrate data. This can be credit card data, personally
identifiable information (PII), intellectual property, or other valuable
information.

To do so, we need a way to move the data out that is not readily noticeable by
the sysadmin and, ideally, encrypted in transit. Recub and Cryptcat are two tools
that can remove data stealthily.

Metasploit's Meterpreter also has an upload and download command for uploading
malicious software and downloading critical and valuable data.

Step 6: Covering Your Tracks

To make certain that our exploits don't lead back to us, we need to cover our
tracks. This can take many forms, such as clearing log files, removing any software
we uploaded, removing our command history, etc. Metasploit's Meterpreter has a
killav script to disable antivirus software, as well as a clearev command that
wipes the Application, System, and Security event logs on Windows systems. Be
aware that wiping the logs is itself logged: Windows records event ID 1102 ("The
audit log was cleared") in the Security log and event ID 104 in the System log, so
on a monitored network clearev can draw exactly the attention it was meant to
avoid.
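The check a defender runs for that footprint, as an added example that is not part of the original article: a stdlib Python detector run over constructed event records (not real data) in the shape of a flattened Windows event-log export, of the kind a central collector would already hold when the local logs are wiped. The field names are assumptions for the example; the event IDs and message texts are Windows's own.

```python
# Constructed records shaped like a flattened Windows event-log export (the
# field names are this example's own). Not real data: an ordinary workstation
# morning, then the Security and System logs are wiped at 10:17.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "time": "2020-05-01T10:00:03Z",
     "user": "WS01\\alice", "message": "An account was successfully logged on."},
    {"channel": "Security", "event_id": 4672, "time": "2020-05-01T10:00:03Z",
     "user": "WS01\\alice", "message": "Special privileges assigned to new logon."},
    {"channel": "System", "event_id": 7036, "time": "2020-05-01T10:05:11Z",
     "user": "NT AUTHORITY\\SYSTEM",
     "message": "The Windows Update service entered the running state."},
    {"channel": "Security", "event_id": 1102, "time": "2020-05-01T10:17:40Z",
     "user": "WS01\\alice", "message": "The audit log was cleared."},
    {"channel": "System", "event_id": 104, "time": "2020-05-01T10:17:41Z",
     "user": "WS01\\alice", "message": "The System log file was cleared."},
    {"channel": "Security", "event_id": 4624, "time": "2020-05-01T10:18:02Z",
     "user": "WS01\\alice", "message": "An account was successfully logged on."},
]

# The records Windows writes when a log is cleared, keyed by the channel that
# receives them. Clearing the Application log is also reported as 104 in System.
LOG_CLEARED = {
    ("Security", 1102),   # "The audit log was cleared."
    ("System", 104),      # "The <name> log file was cleared."
}


def find_log_clearing(events):
    """Return the records that document a log wipe, oldest first."""
    hits = [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED]
    return sorted(hits, key=lambda e: e["time"])


def wiped_log_name(event) -> str:
    """1102 always refers to the Security log; 104 names the log in its text."""
    if event["event_id"] == 1102:
        return "Security"
    return event["message"].split(" log file")[0].replace("The ", "", 1)


def cleared_by(events) -> dict:
    """Map each wiped log to the account that wiped it. That account is usually
    the compromised one: the wipe is the last thing the intruder did with it."""
    return {wiped_log_name(e): e["user"] for e in find_log_clearing(events)}


if __name__ == "__main__":
    for e in find_log_clearing(SAMPLE_EVENTS):
        print(f'{e["time"]} {e["channel"]}/{e["event_id"]} by {e["user"]}: {e["message"]}')
    print(cleared_by(SAMPLE_EVENTS))
```

Run against a live collector, the two IDs are a high-signal alert on their own; the account name they carry hands the responder the compromised login, which is why removing individual entries is so much harder to notice than wiping the whole log.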

I hope that this simple outline of the hacker methodology helps many of my neophyte
hackers to better understand the hacker process.
