Time to learn the basics of the splendid art of hacking 👨💻👩💻. In this article, you will learn what the hacking process really looks like. And hopefully one day, get to say those famous words: “I’m in”.
Disclaimer: This is for educational purposes only. Please (with a cherry on top), do not use this knowledge to perform illegal activities. I might be one of the white hats to put you in jail someday 🙃. Thank you.
I’ll take an educated guess and say you already know what hacking is, since you are reading this article, so let’s jump right in. There really is no generally agreed-upon process of hacking, because there are different types of hackers. However, I will walk you through the steps that the majority of hackers, myself included, follow. They are:
- Reconnaissance
- Enumeration
- Exploitation
- Privilege Escalation
- Post Exploitation
- Covering Tracks
- Report Writing
Recon (aka footprinting) is the first, longest and most important step. It entails gathering as much information as you can about the target without interacting with the target directly. Basic OSINT (Open Source Intelligence) skills are a hacker’s best friend here.
Quick lesson: OSINT is the collection and analysis of information from public sources in order to gain actionable intelligence. National security agencies, investigative journalists and hackers legally gather such information in order to create measures, stories, and dossiers respectively about targets. The OSINT framework guide can be found here.
The greatest resource for recon is the Internet, and the greatest tool is the search engine, Google. To make this a lot easier, Google dorking is advised. Dorking in this sense means using advanced search operators to surface information about a target that you normally wouldn’t find with ordinary searches.
Other resources for recon include:
1. Wikipedia (the biggest encyclopedia to date)
2. Social media such as Instagram, Twitter, and Facebook (the best resource for social engineers)
3. who.is (to get information about a website)
4. sublist3r (lists publicly available subdomains)
5. Media such as newspapers, radio, and television
This is like reconnaissance, except you gain information about the target by interacting with it. However, do note that things can get a lot riskier as the target could discover that you are trying to find out information about them, and could put countermeasures in place to hinder you.
Network enumeration involves port scanning and network mapping. This tells you the target’s operating system, open ports, and the services being run, along with their versions. Nmap (Network Mapper), Burp Suite and exploit-db/searchsploit are common tools used for network enumeration.
Tip: Knowing the version of a service is a great way to find a vulnerability. Old versions of software may have a known vulnerability, which could be listed on the exploit-db site, and that could then be used to perform an exploit.
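The warning above that a target can notice you probing it has a defender’s counterpart: port-scan detection. As an added example that is not from the article, here is a small Python detector run over constructed firewall-style log lines (the line format and addresses are assumed). It flags a source that touches many distinct ports on one host inside a short window, and the slow-scanner sample shows the blind spot of a fixed window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

def parse_line(line):
    """Parse one 'ts src= dst= dport= action=' log line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec

def detect_port_scans(lines, window_seconds=60, threshold=10):
    """Flag (src, dst) pairs where one source touches >= threshold distinct ports on one
    host inside any window of window_seconds. Returns {(src, dst): max distinct ports}."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))
    flagged = {}
    for pair, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= threshold:
                flagged[pair] = max(flagged.get(pair, 0), len(ports))
    return flagged

# Constructed sample log (not real traffic): a fast scanner, a normal HTTPS client,
# and a slow scanner that spreads 12 ports over two hours to stay under the window.
BASE = datetime(2024, 5, 1, 10, 0, 0)
def _line(offset, src, dport, action):
    return f"{(BASE + offset).isoformat()} src={src} dst=192.0.2.10 dport={dport} action={action}"
SAMPLE_LOG = (
    [_line(timedelta(seconds=i), "203.0.113.7", 21 + i, "deny") for i in range(15)]
    + [_line(timedelta(seconds=i), "198.51.100.5", 443, "allow") for i in range(20)]
    + [_line(timedelta(minutes=10 * i), "203.0.113.9", 80 + i, "deny") for i in range(12)]
)
if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))  # only the fast scanner trips the 60 s window
```

Widening the window to a few hours catches the slow scanner as well, at the cost of more noise from legitimate clients that use many ports over a day.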
Physical enumeration involves gaining information through physical means. This could be done via dumpster diving (getting credentials and confidential information from the trash) and social engineering. Social engineering is quite a broad topic and will get an article of its own later. However, a simplification of the concept is hacking humans using manipulative social skills.
This is successfully gaining access to the target using a vulnerability discovered during enumeration. A common technique for exploitation is to deliver a payload after taking advantage of the vulnerability. In simple terms, this is finding a hole in the target, and then running code or software that lets you manipulate the system, such as a bash shell. Infamous vulnerabilities that are commonly exploited are EternalBlue (Windows) and the Apache Log4j (web servers) vulnerabilities.
Common tools used for exploitation include:
1. Metasploit (The big gun)
2. Burp Suite (For web applications)
3. sqlmap (For databases)
4. msfvenom (Used to create custom payloads)
Quick lesson: A payload is software run after a vulnerability has been exploited. Exploiting the vulnerability on its own doesn’t give you a way to interact with the target computer, so a payload is needed to provide access and let you manipulate the target. A very common payload used by hackers is Meterpreter. It is a Metasploit payload that allows for easy traversal of the hacked computer.
In order to understand privilege escalation, you need to grasp two concepts:
1. User Accounts
A User Account is a profile on a computer or network that contains information accessed via a username and password. There are two kinds of user accounts: Administrator account and Standard account. Home computer users usually only have one user account, which is the administrator. In contrast, organisations have multiple accounts on a network or computer with a system administrator having the administrator account and the basic employees having various standard accounts.
2. Privileges
Privileges are the permissions to read, write and execute files and applications. A standard user doesn’t have privileges (permissions) for the critical files and applications that we want access to. An administrative account, however, has privileges for everything.
Escalation is the movement from one user account to another, and it can be either vertical or horizontal. Vertical escalation is when a hacker moves from an account with fewer privileges (a standard account) to an account with more privileges (an administrative account). Horizontal escalation is when a hacker moves from one user account to a similar account at the same privilege level (standard account to standard account), in the hope of performing vertical escalation from the newly compromised account.
The administrative user accounts you would want to target are root (Linux) and Administrator/SYSTEM (Windows). These accounts have ALL the privileges and are practically a goldmine if you obtain access to them, as you can take absolute control of the computer.
Techniques to perform privilege escalation include:
1. Password spraying (Reusing passwords)
2. Cracking password hashes (Finding the passwords of other users)
3. Finding SSH keys (Used for horizontal escalation)
4. Abusing SUID binaries in Linux (Taking advantage of misconfigured privileges)
5. Running enumeration scripts to look for escalation routes (enum4linux is nice, and PEASS-ng has a great suite)
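The defensive counterpart to the SUID item above is a baseline audit: know which setuid files belong on a host and alert on any that appear. Added example, not from the article: a Python script that walks a directory tree, collects regular files with the setuid bit set and diffs them against a known-good baseline. The demo tree and the baseline paths are constructed for illustration; on a real host the baseline comes from a clean build of the same image.

```python
import os
import stat
import tempfile

def find_setuid(root):
    """Return the set of regular files under `root` whose setuid bit is set."""
    found = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found

def audit_setuid(root, baseline):
    """Compare the live setuid set against a known-good baseline.
    Returns (unexpected, missing): new setuid files to investigate, and baseline
    entries that have disappeared or lost the setuid bit (also worth a look)."""
    found = find_setuid(root)
    return found - baseline, baseline - found

def make_demo_tree():
    """Build a constructed directory tree for the demo (hypothetical, not a real
    system): one expected setuid file, one unexpected one, one ordinary file.
    Returns (root, baseline)."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "tmp"))
    modes = {
        "usr/bin/passwd": 0o4755,  # expected setuid binary (in baseline)
        "tmp/backup.sh": 0o4755,   # unexpected setuid file (not in baseline)
        "usr/bin/ls": 0o755,       # ordinary file, no setuid bit
    }
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    # baseline also lists a binary that is absent from the demo tree
    baseline = {os.path.join(root, "usr/bin/passwd"), os.path.join(root, "usr/bin/sudo")}
    return root, baseline

if __name__ == "__main__":
    root, baseline = make_demo_tree()
    unexpected, missing = audit_setuid(root, baseline)
    print("unexpected setuid files:", sorted(unexpected))
    print("baseline entries missing or no longer setuid:", sorted(missing))
```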
Usually, white hats skip straight to the very last step. However, I will include this step and the next for knowledge’s sake. Post exploitation is the use of tools with the aim of gaining persistence and obtaining sensitive information from the target computer.
This could be done in a number of ways including:
1. Installing a permanent backdoor, listener or rootkit
2. Installing malware such as viruses and trojans
3. Downloading intellectual property, sensitive information, and Personally Identifiable Information (PII)
This is as simple as it gets, but it can be incriminating if there is even a slight mistake. You have to be careful not to leave behind files, scripts or anything else that a digital forensics expert could use to trace the hacking back to you. Some basic things to do would be deleting log files and the history file in Linux. The Meterpreter payload even has a feature to delete all logs in the Windows Event Log.
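From the defender’s side, the log clearing described here is itself a loud signal, because Windows writes a fresh event recording that a log was cleared (Security event 1102, System event 104). Added example, not from the article: Python detection logic over constructed Windows event records exported as JSON lines (field names follow the exported event schema; hosts, users and times are made up), plus a check for a Linux shell history file that has gone missing, been emptied or been replaced by a symlink (path assumed to be ~/.bash_history).

```python
import json
import os

# Windows event IDs that record a log being cleared:
# Security 1102 "The audit log was cleared", System 104 "The System log file was cleared".
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample of exported event records in JSON-lines form (not real telemetry).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Channel": "Security", "EventID": 4624, "Computer": "WS01", "TimeCreated": "2024-05-01T10:00:00Z"},
    {"Channel": "Security", "EventID": 1102, "Computer": "WS01", "TimeCreated": "2024-05-01T10:05:00Z",
     "SubjectUserName": "jdoe"},
    {"Channel": "System", "EventID": 104, "Computer": "WS01", "TimeCreated": "2024-05-01T10:05:02Z"},
    {"Channel": "Application", "EventID": 1000, "Computer": "WS02", "TimeCreated": "2024-05-01T10:06:00Z"},
])

def windows_log_clear_alerts(jsonl_text):
    """Return one alert per record showing an event log was cleared, with who/where/when."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if (ev.get("Channel"), ev.get("EventID")) in CLEAR_EVENTS:
            alerts.append({
                "host": ev.get("Computer"),
                "channel": ev["Channel"],
                "user": ev.get("SubjectUserName", "unknown"),  # event 104 carries no subject user
                "time": ev.get("TimeCreated"),
            })
    return alerts

def shell_history_findings(home):
    """Flag signs that a Linux user's shell history was deleted or neutralised.
    `home` is the user's home directory; the file name is assumed to be .bash_history."""
    path = os.path.join(home, ".bash_history")
    if os.path.islink(path):
        return [f"history file is a symlink to {os.readlink(path)}"]
    if not os.path.exists(path):
        return ["history file missing"]
    if os.path.getsize(path) == 0:
        return ["history file empty"]
    return []

if __name__ == "__main__":
    for alert in windows_log_clear_alerts(SAMPLE_EVENTS):
        print("LOG CLEARED:", alert)
```

Pair the 1102/104 alert with the surrounding logon and process events shipped to a central collector before the clear, since the local copy is exactly what the attacker removed.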
This is the final step of the methodology: writing up a basic rundown of the entire process described above. There are various formats, but a basic one will include:
1. Vulnerabilities found and their risk level
2. A brief description of how the vulnerabilities were discovered
3. Recommendations on how to remediate the vulnerabilities
Tip: Note taking when hacking is very important. I personally learned this the hard way when doing CTFs (Capture The Flag). Not only does it make writing reports easier, it also lets you avoid repeating failed attempts, sort through information easily, and look back on what you’ve done later on. Taking screenshots is also a great idea.
And with that ladies and gentlemen, we come to the end of this article. If you enjoyed it, clap, follow, or leave a comment on topics you want me to cover. And as I always say, Happy hacking! 🙃