Day 078 #FromZeroToHacker – The hacker methodology

Professional hackers don’t do whatever they want, they need to follow an established process, or methodology, to understand the target system first, and then exploit it later.

Let’s learn their methods in our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to the hacker methodology

The methodology is usually described as six phases, each building on the one before it:

  1. Reconnaissance
  2. Enumeration/Scanning
  3. Gaining access
  4. Privilege escalation
  5. Covering tracks
  6. Reporting

What have I learnt today?

Reconnaissance

The first phase is Reconnaissance: collecting information about your target without interacting with the target or its systems.

To do so, we can use specialized tools (several of them are linked in the Resources section at the end of this post).

Enumeration/Scanning

The second phase is Enumeration/Scanning, where we try to find vulnerabilities on the target with scanning tools.

By scanning, we determine the target’s attack surface: what the target might be vulnerable to in the Exploitation phase.

For example, if we use Nmap, it will tell us:

  • What ports are open.
  • The operating system of the target.
  • What services are running and which versions they are running.
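
As an added example (not code from the post or from the TryHackMe room), here is a small parser for Nmap’s “grepable” output format (`-oG`), which records exactly the three things listed above: open ports, the detected OS, and each service with its version. The scan output it parses is a constructed sample, not a real scan; the field layout of the Ports column (`port/state/protocol/owner/service/rpcinfo/version/`) is Nmap’s documented one. From a defender’s side, the same parser turns periodic scans of your own hosts into an inventory you can diff against what should be exposed.

```python
# Constructed sample of Nmap grepable (-oG) output; not a real scan result.
# Fields on a "Host:" line are tab-separated; the Ports column lists entries as
# port/state/protocol/owner/service/rpcinfo/version/ separated by ", ".
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)\tOS: Linux 4.15 - 5.6
# Nmap done (constructed sample)
"""


def parse_gnmap(text):
    """Return {ip: {"ports": [...], "os": str|None}} keeping only *open* ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no host data
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: 10.0.0.5 ()" -> "10.0.0.5"
        entry = hosts.setdefault(ip, {"ports": [], "os": None})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for spec in value.split(", "):
                    parts = spec.split("/")
                    if len(parts) < 7:
                        continue  # malformed entry; skip rather than crash
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    if state == "open":
                        entry["ports"].append(
                            {"port": int(port), "proto": proto,
                             "service": service, "version": version}
                        )
            elif key == "OS":
                entry["os"] = value
    return hosts


def attack_surface(hosts):
    """Flatten the parsed scan into one line per open port, the list a tester
    (or an asset owner reviewing exposure) would work from."""
    lines = []
    for ip, entry in sorted(hosts.items()):
        for p in sorted(entry["ports"], key=lambda p: p["port"]):
            version = p["version"] or "version unknown"
            lines.append(f"{ip}:{p['port']}/{p['proto']} {p['service']} ({version})")
    return lines


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for line in attack_surface(parsed):
        print(line)
    print("OS guess:", parsed["10.0.0.5"]["os"])
```

Note that `445/filtered` is dropped: a filtered port is not reachable, so it is not part of the attack surface the Exploitation phase can work against.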

Like Nmap, we can use other tools that can help us, such as:

  • Dirb: Used to find commonly-named directories on a website.
  • Dirbuster: Similar to Dirb, with a user interface.
  • enum4linux: Enumerates users, groups and shares from Windows and Samba hosts over SMB.
  • Metasploit: Used for exploitation mainly, but it has some built-in enumeration tools.
  • Burp Suite: The king. We can scan a website for subdirectories, intercept and modify network traffic, etc.

Exploitation

The cool phase: The hacking bit.

One common tool used for exploitation is Metasploit, which has built-in scripts to exploit a target.


You can also use tools such as Burp Suite and SQLMap to exploit web applications. You can create custom payloads with msfvenom too.

Now that you know what exploitation means, remember that a professional never jumps into the exploitation phase without adequate reconnaissance and enumeration.

Privilege escalation

Cool. We have gained access to the victim machine via a bind or reverse shell, or simply by finding a valid username and password. Now what?

We escalate privileges.

Moving vertically from a user with limited privileges in the machine, we aim to access a higher user account. The target is to become root (in Linux) or administrator (in Windows).

We can escalate with many techniques, such as:

  • Cracking password hashes found on the target.
  • Finding a vulnerable service or version of a service which allows you to escalate privilege THROUGH the service.
  • Password spraying of previously discovered credentials (password re-use).
  • Using default credentials (user: admin, password: admin).
  • Finding secret keys or SSH keys stored on a device that will allow pivoting to another machine.
  • Running scripts or commands to enumerate system settings, such as ifconfig to find network settings, or find / -perm -4000 -type f 2>/dev/null to list SUID files: commands the user can run with the file owner’s (often root’s) privileges.
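
The last bullet is the one worth seeing in code. The block below is an added example, not code from the post or the room: a Python equivalent of `find / -perm -4000 -type f 2>/dev/null` that walks a tree and collects regular files with the SUID bit set, plus a defender-side helper that compares the result with an approved baseline so that a newly appeared SUID binary stands out. The directory tree it scans is constructed by `make_demo_tree()` (a temp directory with one SUID file and one plain file); nothing here touches the real `/`.

```python
import os
import stat
import tempfile


def find_suid_files(root):
    """Return sorted paths (relative to root) of regular files with the SUID bit.
    Same idea as: find ROOT -perm -4000 -type f 2>/dev/null"""
    found = []
    # onerror=None-returning callback: unreadable directories are skipped,
    # which is what 2>/dev/null hides in the shell version.
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def diff_against_baseline(found, baseline):
    """Defender view: SUID files not on the approved list are suspicious
    (a dropped privilege-escalation helper, or a misconfigured install);
    approved files that vanished are worth a look too."""
    found, baseline = set(found), set(baseline)
    return {"unexpected": sorted(found - baseline),
            "missing": sorted(baseline - found)}


def make_demo_tree():
    """Build a constructed tree: usr/bin/demo-suid (mode 4755) and a plain file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    suid = os.path.join(bindir, "demo-suid")
    plain = os.path.join(bindir, "demo-plain")
    for path in (suid, plain):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(suid, 0o4755)   # setuid bit on: what the find command reports
    os.chmod(plain, 0o755)   # ordinary executable: must not be reported
    return root


if __name__ == "__main__":
    demo_root = make_demo_tree()
    suid_files = find_suid_files(demo_root)
    print("SUID files:", suid_files)
    # A baseline would normally be recorded from a freshly installed host.
    print(diff_against_baseline(suid_files, ["usr/bin/demo-suid", "usr/bin/passwd"]))
```

A periodic run of `find_suid_files("/")` stored next to a known-good baseline is one of the cheapest host-hardening checks there is; the same list is what an attacker in the privilege-escalation phase is hoping contains something exploitable.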

Covering tracks

A load of text explaining that ethical penetration testers don’t need to cover their tracks, because they are doing authorised, ethical hacking.

In reality, there is a struggle between the hacker, who has to tamper with logs, and the tools at the disposal of a forensic analyst or team. The attacker also has to delete any malware uploaded, hide malicious processes and the files needed to run them, etc.

Reporting

The final phase of the pentesting methodology is the reporting phase, where we outline everything that we found, including:

  • The vulnerabilities found.
  • The criticality of the vulnerabilities.
  • A description or brief overview of how the vulnerability was discovered.
  • How to fix the vulnerability.

A report generally has three formats:

  • Vulnerability scan results (a simple list of vulnerabilities).
  • Vulnerabilities summary (list of the findings outlined above).
  • Full format report.

A vulnerability report normally looks like this:

[Image: The hacker methodology, vulnerability report sample]

A vulnerability summary usually has the following:

  • Vulnerability: SQL injection in ID parameter of Cats page.
  • Criticality: Critical.
  • Description: Placing a payload of 1' OR '1'='1 into the ID parameter of the website allowed the viewing of all cat names in the cat table of the database. Furthermore, a UNION SELECT SQL statement allowed the attacker to view all usernames and passwords stored in the Accounts table.
  • Remediation recommendation: Use prepared (parameterized) SQL statements to prevent SQL injection attacks.
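
To make the finding and its remediation concrete, here is an added example (not code from the post or from the room) that reproduces the bug and the fix side by side using Python’s built-in sqlite3 module. The cats/accounts schema and rows are constructed to mirror the report. `cat_names_vulnerable` concatenates the ID parameter into the query, so the report’s payload turns the WHERE clause into a tautology and every row comes back; `cat_names_safe` uses a prepared statement with a bound parameter, so the same payload is just a string that matches no ID.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory database mirroring the report's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cats (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE accounts (username TEXT, password TEXT);
        INSERT INTO cats VALUES (1, 'Tom'), (2, 'Felix'), (3, 'Garfield');
        INSERT INTO accounts VALUES ('admin', 'example-only');
    """)
    return conn


def cat_names_vulnerable(conn, cat_id):
    """The flaw in the finding: untrusted input is pasted into the SQL text,
    so quote characters in cat_id change the structure of the query."""
    sql = "SELECT name FROM cats WHERE id = '%s' ORDER BY id" % cat_id
    return [row[0] for row in conn.execute(sql)]


def cat_names_safe(conn, cat_id):
    """The remediation: a prepared statement. The '?' placeholder is bound to
    cat_id by the driver, so the value is data and is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM cats WHERE id = ? ORDER BY id", (cat_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_demo_db()
    payload = "1' OR '1'='1"          # the payload quoted in the report
    print("legit id, vulnerable:", cat_names_vulnerable(conn, "2"))
    print("payload, vulnerable: ", cat_names_vulnerable(conn, payload))  # all rows
    print("legit id, safe:      ", cat_names_safe(conn, "2"))
    print("payload, safe:       ", cat_names_safe(conn, payload))        # []
```

The safe version also keeps working for a legitimate ID, which is the point a remediation section should make: prepared statements fix the bug without changing the feature. Rejecting non-numeric IDs before the query is a reasonable extra layer, but it is the parameter binding that removes the injection.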

A full-format report sample is linked in the Resources section below.

Summary

Today we learned the hacker methodology and its steps:

  1. Reconnaissance
  2. Enumeration/Scanning
  3. Gaining access
  4. Privilege escalation
  5. Covering tracks
  6. Reporting

Stats

From 53,647th to 52,873rd.

Here is also the Skills Matrix:

[Image: Skills Matrix]

Resources

Random Room

TryHackMe: The hacker methodology

Other resources

Google Dorking
Nmap for beginners
Burp Suite basics
Metasploit Introduction
Wikipedia
PeopleFinder.com
who.is
sublist3r
builtwith.com
Wappalyzer
Full format report sample