One of the things that fascinated me a lot when I was much younger was the idea of hacking into a system. I had no idea what networking, Ip addresses, ports or anything of that nature meant. As such, it did not make sense to me that you could just control somebody else’s device remotely. Movies did not help matters either. Sidebar, I’m a sucker for tech movies so I’ve watched a lot of movies where hacking is involved but it was easy to realize that the way hacking is portrayed in most movies is bogus. No real explanation for what they were doing and why it worked, just a couple of keystrokes and boom, the actor shouts “I’m in”. Sorry, you’re where??
After five years of being an ethical hacker myself, I now know exactly how hacking works and I thought I’d give a look into the mind of hackers. What’s our process like? How do we think? And what exactly are we looking at when we start poking around?
I should mention that different hackers have different methods and approaches but on average, the methodology is similar across board, and I’d explain below what it is. Grab your popcorn, stay tuned.
The first process of hacking is Reconnaissance. As you can probably guess, it means information gathering. You see, the beautiful thing about hacking is that it is very analogous to practical real-life scenarios and the way a predator would stalk its prey for a while before attacking is exactly how a hacker gathers as much information about the victim as he can. The more information you have, the more ammunition you can work with and the more you keep searching for information, the likelier you are to find your eureka moment. At this stage, the attacker is not doing much. It could be a simple google search about the target. Do they like posting pictures on social media? How much about them do they reveal online? It could also be finding out information about IP address ranges to make sure you don’t attack the wrong person. It really is nothing serious yet just basic information gathering.
The next phase of hacking is Scanning and Enumeration. This is frankly the most boring part of the job but it is also arguably the most important because it forms the foundation of everything else the hacker is about to do. There are generally two types of scanning: Passive and Active scanning. Passive scanning is more like reconnaissance. It’s basically checking out basic stuff to see if anything falls off. It could be as basic as looking through LinkedIn or twitter pictures to see if anything useful stands out in the background or even some physical recon like observing the building layout of the target.
In active scanning, the attacker gets way more direct. This is where he starts to use vulnerability scanners and network scanners like Nmap, Nessus, WPScan, Nikto and some other tools. At the stage of enumeration, the attacker starts to look for points of attack into the target system and he starts to find answers to some of his questions. What ports are open? What services are running on the front end and back end? What version of these services is running? Are there exploits available for the services or version? If port 80, 443 or 8080 is open, that represent a web page, so is there a login page? Or an upload drop box? If port 445 or 139 is open, that represents SMB which means he might be able to remotely connect to fileshares using smbclient or even bruteforce SMB to find valid login credentials.
A lot of times, there is a lot of trial and error that goes into enumeration especially when there are a number of different ports open. It can be a needle in a haystack situation very quickly which means a lot of meticulousness and die-hard attitude is needed sometimes to find that single point of failure. Enumeration is often what differentiates average hackers from great hackers. It is stressful and potentially frustrating especially when you cannot find a headway but more times than not, there is always a solution and if an attacker probes long enough, an apple will fall from the tree.
Next phase of the attack is the Exploitation stage. This is the juiciest stage of hacking. At this point, the attacker has found his likeliest point of attack from the enumeration phase, and he has made a decision on his plan of attack which means it is time to actually run the attack.
There are a lot of ways to go about this. If his target is a login page, an SQL injection attack could get him in or even uploading a malicious payload in the form of a php file generated using msfvenom and connecting remotely to the shell using his machine. Metasploit is also a great tool for creating meterpreter shells using reverse TCP. If the attacker found any credential in the enumeration phase, he could ssh his way into the system provided Port 22 is open. There are a lot more ways to attack than what I just mentioned but the end goal is, this is the stage where he gets into the victim’s system.
After successfully hacking into the system, we move to the post-exploitation stage. Sometimes, getting into a system does not make you god or more accurately, root. Hence, you could hack successfully into a system, and you still won’t be able to do any damages simply because you don’t have the privileges to do that. As such, the priority of any attacker once he gets into a system is to check what privileges he has. What can he do in the system? It’s a bit like finding a way through the gates of a person’s house. If the main door is locked, you still cannot do anything because you have no access through the main door so you can't get into the house. Remember the rooms could be locked too which means even if you get access to the main door, you can’t access the rooms. But this won’t be a problem if you had a master key which could open all doors, right? Yeah, this is called privilege escalation. This is a method in which attackers raise their privileges into that of a system owner to allow them to do whatever they want in the system. Different tools such as Winpeas (For Windows) and Linpeas (For Linux) can be used to do this. There are other tricks like using GTFOBins (Great website for privilege escalation programs), running specific attacks like Golden ticket Attacks (In the case of Active Directory) to gain Domain Admin and many other tricks like that. The point is in a matter of minutes, you can go from a low-level user to the overall owner of the entire system.
Next stage is Maintaining Access. Once an attacker gains a shell in a victim’s computer, the next line of action is to keep that access for future use. Hence, attackers usually install backdoors or use their elevated privileges to create administrator accounts so they can leverage the account for consistent access to the hacked network at a later time. Since this account is intended to mimic a valid account, the attacker could even use this attack to send emails with malicious links or files to other users in a bid to further increase privilege.
The last stage of the process is clean up by the hacker. This is the phase where the attacker tries to hide his tracks. From the start, the attacker would have changed his MAC Address or use proxy chains when performing the attack. Another approach is deleting files in the temp folder and server logs throughout the attack. Essentially, he tries to delete all his digital footprints. Part of this is also being as stealthy as possible when performing scans or attacks.
In conclusion, hacking and cyber defending is a cat and mouse game. Cyber defending is constantly improving but so are hackers. As such, it is important to always be on high alert, taking precautions and investing in proactive defenses to prevent you from getting hacked and losing valuable properties to cyber criminals. It’s not always all fun and games…