Cyber Security For Beginners - Part 12: Phases of Ethical Hacking

Arjun Suresh · Published in CyberSec 101 · 6 min read · Aug 3, 2024

Hi folks! I am back with another blog after a break. In this blog, we are going to discuss the 5 phases, or stages, of ethical hacking. The ethical hacking process refers to the act of breaking into a system and performing the actions a malicious attacker would perform on the target system. Generally speaking, there are 5 main phases in this attack process:

5 Phases of a Cyber attack
  1. Reconnaissance
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Covering tracks

We will go through each of these topics in detail.

Reconnaissance

The first step in any penetration testing process is Reconnaissance or recon for short. In this step, the hacker attempts to gain as much information about the target as possible. This would enable them to perform a more in-depth attack and would also result in increasing the chances of a successful hack. The recon process can be conducted in 2 different ways:

a. Passive recon

b. Active recon

(Figure: Recon techniques)

In passive recon, the hacker does not directly interact with the target for collecting information about it. Rather, publicly available sources would be leveraged for collecting the required information. This method is discreet and is preferable when there is a need for the target to be unaware of the hacking process.

Active reconnaissance, on the other hand, involves direct interaction with the target. This means that the hacker may send requests or find other means to collect information from the target. The target, in this case, can be aware of the hacker’s attempts.

To understand more about these 2 different methods, let’s look at an example. Suppose that a hacker would like to perform a penetration test on a particular target. As the first step to this, he would like to gather some information so that he can effectively carry out the attack. He may decide to go online and search for some publicly available information about the target using some popular search engines such as Google, Bing, etc. In this way, he might discover some pieces of information like websites, images, articles, etc. which may contain more information about the target. After performing passive reconnaissance, the hacker may require more data and might directly interact with the target for gaining more information. Both active and passive recon are required to successfully perform an attack because they will help collect more information about the target.

Scanning

In the scanning phase, an attacker actively scans the network or other attack vectors related to the target to identify potential entry points or vulnerabilities on the target. An example of a scanning technique would be port scanning, where the objective is to identify the ports that are open on the target and then identify the various services running on them. Some of the most common scanning techniques include:

a. Port scanning

b. Network mapping

c. Vulnerability scanning

As mentioned earlier, port scanning is used to identify the open ports and the services running on each port on a target system. Network mapping involves sending out ping requests to every IP address in a network to identify the live hosts in it. This enables the attacker to enlarge the potential attack surface. In vulnerability scanning, the objective is to identify vulnerabilities within the identified hosts so that they can be exploited.

(Figure: Port Scanning)
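Seen from the defender's side, both port scanning and network mapping leave a recognisable pattern in firewall or flow logs: one source touching many distinct ports on one host, or one source pinging many distinct hosts, within a short window. The following Python example (added here; not code from the original blog) runs that check over a constructed, syslog-like firewall log sample; the line format and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log sample (not from a real device). One event per line:
#   "<ISO timestamp> <proto> <src_ip> -> <dst_ip>:<dst_port>"   (ICMP uses port "-")
SAMPLE_LOG = """\
2024-08-03T10:00:00 TCP 203.0.113.5 -> 192.0.2.10:21
2024-08-03T10:00:01 TCP 203.0.113.5 -> 192.0.2.10:22
2024-08-03T10:00:01 TCP 203.0.113.5 -> 192.0.2.10:23
2024-08-03T10:00:02 TCP 203.0.113.5 -> 192.0.2.10:25
2024-08-03T10:00:02 TCP 203.0.113.5 -> 192.0.2.10:80
2024-08-03T10:00:03 TCP 203.0.113.5 -> 192.0.2.10:443
2024-08-03T10:00:03 TCP 203.0.113.5 -> 192.0.2.10:3306
2024-08-03T10:00:04 TCP 203.0.113.5 -> 192.0.2.10:8080
2024-08-03T10:00:10 ICMP 203.0.113.7 -> 192.0.2.1:-
2024-08-03T10:00:10 ICMP 203.0.113.7 -> 192.0.2.2:-
2024-08-03T10:00:11 ICMP 203.0.113.7 -> 192.0.2.3:-
2024-08-03T10:00:11 ICMP 203.0.113.7 -> 192.0.2.4:-
2024-08-03T10:00:12 ICMP 203.0.113.7 -> 192.0.2.5:-
2024-08-03T10:05:00 TCP 198.51.100.9 -> 192.0.2.10:443
2024-08-03T10:05:30 TCP 198.51.100.9 -> 192.0.2.10:443
"""

def parse_line(line):
    ts, proto, src, _, dst = line.split()          # "_" swallows the "->" token
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, src, dst_ip, dst_port

def sliding_distinct(events, window):
    """events: (timestamp, key, value). For each key, return the largest number of
    distinct values observed inside any sliding time window of the given length."""
    by_key = defaultdict(list)
    for ts, key, value in sorted(events):
        by_key[key].append((ts, value))
    result = {}
    for key, items in by_key.items():
        win, best = deque(), 0
        for ts, value in items:
            win.append((ts, value))
            while ts - win[0][0] > window:              # drop events older than the window
                win.popleft()
            best = max(best, len({v for _, v in win}))
        result[key] = best
    return result

def detect_port_scans(log_text, min_ports=5, window_seconds=60):
    """(src, dst) pairs where one source hit >= min_ports distinct ports within the window."""
    parsed = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events = [(ts, (src, dst), port) for ts, proto, src, dst, port in parsed if proto != "ICMP"]
    hits = sliding_distinct(events, timedelta(seconds=window_seconds))
    return {k: v for k, v in hits.items() if v >= min_ports}

def detect_ping_sweeps(log_text, min_hosts=4, window_seconds=60):
    """Sources that pinged >= min_hosts distinct hosts within the window (network mapping)."""
    parsed = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events = [(ts, src, dst) for ts, proto, src, dst, _ in parsed if proto == "ICMP"]
    hits = sliding_distinct(events, timedelta(seconds=window_seconds))
    return {k: v for k, v in hits.items() if v >= min_hosts}
```

The single repeated HTTPS connection from 198.51.100.9 is ordinary traffic and is not flagged, which is the point of counting distinct ports per window rather than raw connection volume.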

Gaining Access

After gathering all required information about the target and identifying the vulnerable entry points, an attacker would now try to gain access to the target system. This simply means that the attacker would use certain techniques to place themselves in the target system or network. Some examples of how this may be achieved are as follows:

a. Gaining access to the SSH service using weak passwords

b. If a web server is hosted on the target network, various web application weaknesses such as SQL injection, brute forcing, XSS, etc., can be used to gain access to the server.

c. Phishing, etc.

(Figure: Phishing)

Please note that the list above is not exhaustive. After successfully gaining access to a target network/system, there are multiple potential attack vectors an attacker could exploit to further carry out their objectives.

Maintaining Access

Just gaining access is not sufficient to carry out a successful cyber attack. It is important to maintain that access: if the target identifies the malicious actor in their network and decides to eradicate them, the attacker needs a way back in. So, persistent access to the target needs to be established immediately after accessing the target systems. Some of the most common techniques used for maintaining access are discussed below:

a. Backdoors: code placed into the target system or network that enables the attacker to regain access to the target in case they are kicked out.

b. Credential dumping: an attacker can dump the credentials used within the target system/network so that they can reuse them to get back in using the normal authentication mechanisms.

c. Rootkits: this is a program that modifies the OS of a system and can be used to provide external access to the attacker. Since they operate at the OS level, it is difficult to detect them and they are pretty persistent.

d. Web shells: if a web server is running on the target network, attackers could potentially upload web shells which enable them to execute commands on the web server. These web shells can be triggered even if the attacker’s other access is removed from the system, as long as the web shell program itself remains on the target system.

There are many more techniques which could be employed by an attacker to persist their access, but they would be a bit too much for this blog. We will discuss everything in detail in the upcoming blogs.

After the attacker has established persistent access to the target, they would execute their objectives, which may include data exfiltration, privilege escalation, sabotage activities, or simply staying in the network to monitor the target.

Covering Tracks

After executing the required actions, it is necessary to remove any evidence of the activities performed by the attacker on the target network. This process is referred to as “Covering your tracks”. This includes a variety of activities to make sure that the target is not able to trace them back to the attacker. Following are some of the actions that may be performed by an attacker in this stage:

a. Removing all log entries

b. Removing the malware files or any backdoors/rootkits used in the attack

c. Deleting the credentials the attacker may have used

d. Clearing command histories

e. Removing all artifacts used by the attacker such as tools, files, etc.

(Figure: Digital Forensics)

This step is of prime importance to the attacker, since the above actions make sure that the target is not able to trace the actions performed back to the attacker. Even the slightest negligence can lead to the attacker leaving behind valuable clues in the target system which can later be found by digital forensics teams.
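The defender's answer to "removing all log entries" is to make the logs tamper-evident and to keep a copy off the host. The following Python example (added here; not code from the original blog) hash-chains a constructed set of authentication log entries so that a deleted, altered or truncated entry breaks the chain at a detectable position; the entries, the genesis value and the `expected_len` idea (the entry count reported by a remote log collector) are assumptions made for the example.

```python
import hashlib

# Constructed authentication log entries (not from a real host).
ENTRIES = [
    "Aug 03 10:00:01 host sshd[101]: Accepted password for alice from 203.0.113.5 port 51012",
    "Aug 03 10:00:15 host sudo: alice : COMMAND=/bin/bash",
    "Aug 03 10:00:40 host useradd[202]: new user: name=svc-backup, UID=1005",
    "Aug 03 10:01:02 host sshd[101]: session closed for user alice",
]

# Fixed starting value for the chain (constructed; in practice derived from a per-host secret).
GENESIS = hashlib.sha256(b"constructed-genesis").hexdigest()

def _link(prev_hash, entry):
    """Each link covers the previous link and the current entry, so every later link
    depends on every earlier entry."""
    return hashlib.sha256((prev_hash + "\n" + entry).encode()).hexdigest()

def chain_log(entries):
    """Return [(entry, link), ...] with one SHA-256 link appended to every entry."""
    prev, chained = GENESIS, []
    for entry in entries:
        prev = _link(prev, entry)
        chained.append((entry, prev))
    return chained

def verify_chain(chained, expected_len=None):
    """Return the index of the first entry whose link does not verify, or None if the
    chain is intact. A deleted or edited entry breaks the link at its position; a
    truncated tail is caught by comparing against the length held by a remote collector."""
    prev = GENESIS
    for i, (entry, link) in enumerate(chained):
        if _link(prev, entry) != link:
            return i
        prev = link
    if expected_len is not None and len(chained) != expected_len:
        return len(chained)          # first missing position
    return None

if __name__ == "__main__":
    chained = chain_log(ENTRIES)
    print("intact:", verify_chain(chained))                       # None
    without_useradd = chained[:2] + chained[3:]                    # attacker drops one line
    print("useradd removed, breaks at:", verify_chain(without_useradd))
```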

I hope this blog has been helpful to everyone. Some additional resources can be found at the end of this blog which you can utilize for further learning. I will continue the series and aim to cover as many topics as possible, making it easier for beginners interested in the cybersecurity domain to get started. See you all in the next blog!

References

  1. https://www.varonis.com/blog/port-scanning-techniques
  2. https://graylog.org/post/cyber-security-understanding-the-5-phases-of-intrusion/
  3. https://www.hackercoolmagazine.com/covering-tracks-in-ethical-hacking/#:~:text=Covering%20tracks%20or%20clearing%20tracks,tracks%2C%20hackers%20perform%20various%20actions.
  4. https://www.geeksforgeeks.org/maintaining-access-tools-in-kali-linux/
  5. https://www.imperva.com/learn/data-security/cybersecurity-reconnaissance/#:~:text=Cybersecurity%20reconnaissance%20is%20the%20preliminary,vulnerabilities%20that%20can%20be%20exploited.


Cyber Security Researcher And Blogger | Bug Bounty Hunter | CTF Player