Many novice hackers seem confused about the process or methodology to use for a successful hack. Most want to go straight to the exploit without doing the due diligence to make sure the hack will work and that they won't get caught.
Here, I want to lay out the proper methodology for you, with example tools and techniques for a hack, from start to finish.
Step 1: Performing Reconnaissance
Good reconnaissance is critical to great hacking. In general, a good hacker will spend about 2 to 3 times longer on recon than on the actual hack. It is common to spend weeks or months gathering information before even beginning to attempt an exploit.
Most exploits depend on the operating system, applications, ports, and services, so you need to gather this information before you start hacking. If you don't, you will likely fail, get caught, or both. I cannot emphasize this enough. Novice hackers are always so anxious to get to the exploit that they often ignore this phase of the attack.
Recon can be broken into at least two categories: passive and active.
Passive Reconnaissance
Passive reconnaissance can be defined as gathering information about the target without actually "touching" the target, or in a way that looks like normal traffic.
I've already shown you how to use Netcraft to gather information about websites, such as the web server, operating system, last reboot, and other technologies. All of this information is critical before starting the hack. Most recently, I gave a lesson on how to use FOCA to gather metadata from documents on a website.
In addition, passive reconnaissance can include DNS and SNMP mining, dumpster diving, social engineering, using social media such as Facebook and LinkedIn, and of course, Google hacking, among other techniques. Bear in mind that the line is drawn by what the target can see: a zone transfer request or an SNMP walk sends queries to the target's own servers and will appear in its logs, whereas searching public records, search engine caches, and documents the target has already published does not.
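As an added example (not code from the original article, and not FOCA itself), here is what FOCA-style document metadata extraction looks like in Python. Modern Office files (.docx, .xlsx, .pptx) are ZIP archives whose docProps/core.xml and docProps/app.xml parts record the author and last editor, the application and its version, and timestamps. The document below is constructed in memory so the script runs offline; the usernames, company, and dates in it are invented.

```python
"""FOCA-style metadata extraction from an Office (OOXML) document.
Added example for illustration; not FOCA and not code from the original
article. The sample document is constructed in memory so this runs offline."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample: the property parts a leaked report might carry.
# Names, company and dates are invented.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>jsmith</dc:creator>
 <cp:lastModifiedBy>CORP\\mjones</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2014-03-02T09:14:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2014-03-05T16:40:00Z</dcterms:modified>
</cp:coreProperties>"""

APP_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Office Word</Application>
 <AppVersion>14.0000</AppVersion>
 <Company>Example Corp</Company>
</Properties>"""


def build_sample_docx() -> bytes:
    """Build a minimal .docx-shaped ZIP containing only the property parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return the recon-relevant fields: people, software, and when it was edited.
    AppVersion 14.x, for example, identifies Office 2010."""
    wanted = {
        "docProps/core.xml": [("creator", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy"),
                              ("created", "dcterms:created"),
                              ("modified", "dcterms:modified")],
        "docProps/app.xml": [("application", "ep:Application"),
                             ("app_version", "ep:AppVersion"),
                             ("company", "ep:Company")],
    }
    out = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part, fields in wanted.items():
            if part not in names:
                continue  # some generators omit app.xml entirely
            root = ET.fromstring(z.read(part))
            for key, path in fields:
                el = root.find(path, NS)
                if el is not None and el.text:
                    out[key] = el.text
    return out


def usernames(meta: dict) -> set:
    """Candidate account names for later password attacks; strip a DOMAIN\\ prefix."""
    return {meta[k].split("\\")[-1] for k in ("creator", "last_modified_by") if k in meta}


if __name__ == "__main__":
    meta = extract_metadata(build_sample_docx())
    for key, value in sorted(meta.items()):
        print(f"{key:17s} {value}")
    print("candidate usernames:", sorted(usernames(meta)))
```

Run the same `extract_metadata` over every document a search engine turns up for the target's domain and you get a list of usernames, the Office version they run, and which ones were edited by a domain account, all without a single packet to the target.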
Active Reconnaissance
Active reconnaissance is information gathered about the target by actually sending packets to the target and evaluating the response. The results of active recon are much more specific and reliable, but also much riskier. Any time we send a packet to a site, our IP address is left behind in its logs.
Nmap, Hping3, Netdiscover, p0f, and Xprobe2 are among the many tools we can use to gather information on remote targets, revealing open ports, running services, and operating systems. (p0f is the odd one out: it fingerprints the operating system from traffic it observes rather than from packets it sends, so it can also be used passively.)
Active recon can also include enumeration of the network. Techniques such as banner grabbing and the use of vulnerability assessment tools such as Nexpose, Nikto, and Retina are also often part of this phase.
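An added example (not code from the original article), in Python, of the two active techniques just named: a TCP connect scan followed by banner grabbing, which is what `nmap -sT -sV` does at scale. The script starts a throwaway listener on 127.0.0.1 that serves a constructed OpenSSH-style greeting, so it runs offline; against a real host every port it probes is a full three-way handshake that lands in the target's logs, which is exactly the trade-off the text describes.

```python
"""Active recon in miniature: TCP connect scan, then banner grabbing.
Added example, not code from the original article. A throwaway listener on
127.0.0.1 serves a constructed SSH-style banner so everything runs offline."""
import socket
import threading

# Constructed sample banner; a real OpenSSH server volunteers a line like this.
FAKE_BANNER = b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> int:
    """Listen on an ephemeral loopback port, send `banner` to each client, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # scanner hung up before reading; normal for a connect scan

    threading.Thread(target=serve, daemon=True).start()
    return port


def connect_scan(host: str, ports, timeout: float = 0.5) -> list:
    """Full handshake per port (nmap -sT style); returns the ports that accepted."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect and record whatever the service says first, before we send anything."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""  # HTTP and similar services wait for the client to speak first
    return data.decode("ascii", "replace").strip()


def parse_ssh_banner(banner: str) -> dict:
    """Split 'SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2' into the fields worth recording."""
    if not banner.startswith("SSH-"):
        return {}
    _, _, rest = banner.partition("-")            # drop the leading 'SSH'
    proto_version, _, software = rest.partition("-")
    name, _, comment = software.partition(" ")     # the comment often names the distro
    return {"protocol_version": proto_version, "software": name, "comment": comment}


def closed_loopback_port() -> int:
    """Pick a port that is free right now, for a closed-port comparison in the demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = "127.0.0.1"
    open_port = start_fake_service()
    candidates = [closed_loopback_port(), open_port]
    found = connect_scan(target, candidates)
    print(f"scanned {candidates}, open: {found}")
    for p in found:
        banner = grab_banner(target, p)
        print(f"{target}:{p} -> {banner!r}")
        print("  parsed:", parse_ssh_banner(banner))
```

The software string and vendor comment are what you carry into Step 2: "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2" pins down both the package version and the distribution release, which is what you search the vulnerability databases for.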
Step 2: Gaining Access (Exploitation)
Exploitation can take many, many forms, and the successful hacker will use their imagination to come up with multiple attack vectors. Metasploit is an excellent tool for exploitation, but don't fall in love with it. As soon as Metasploit publishes a new exploit, the AV vendors immediately begin developing a signature for it.
Once you have done thorough recon and know all the ports, services, and applications, try looking in vulnerability databases such as SecurityFocus, TechNet, and others for known vulnerabilities and exploits.
Be creative and think about all of the protocols the system or network uses and how they might be abused. Always consider the possibility of a man-in-the-middle attack, and never overlook the good ol' social engineering attack.
Obviously, your attack strategy will differ depending on whether you have remote access or local access. If you can physically enter the network, your options are almost limitless. Remote access offers a more limited set of attack vectors, but can be much more malicious.
Step 3: Privilege Escalation
Very often, we can get access to the system or network, but only with the privileges of an ordinary user. This happens frequently when we use a client-side attack, where we are attacking an ordinary user's vulnerable applications, such as the web browser, Adobe Flash, Adobe Reader, etc.
Ultimately, we want root or sysadmin privileges that will give us unfettered access to the entire network. This is where we need to escalate privileges. In addition, if we have a legitimate account on a website or LAN, we may be able to escalate its privileges to gain root or sysadmin.
In some cases, if we have been able to compromise one system on the network with user privileges, we can pivot from that single system to compromise another system with system privileges.
If you can get the Metasploit Meterpreter onto the system, Meterpreter has a "getsystem" command that cycles through a small set of known techniques (named pipe impersonation and token duplication) to gain NT AUTHORITY\SYSTEM privileges. Note that these techniques require the current process to already hold SeImpersonatePrivilege or SeDebugPrivilege, which an ordinary user's browser or Reader process does not; from a plain user context you first need a local privilege escalation exploit (Metasploit's local exploit modules) or a UAC bypass, after which getsystem takes you the last step to SYSTEM.
Once again, don't downplay or ignore the possibility of using social engineering techniques to gain sysadmin privileges by, in many cases, simply asking for the password in the right context.
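Before reaching for getsystem, it is worth checking whether the token you hold can actually use any of its techniques. The following is an added example (not Metasploit code) that parses the output of `whoami /priv`, which you can run from a Meterpreter shell, and reports which getsystem techniques have their required privilege present. The two outputs shown are constructed samples: one for a standard user after a client-side exploit, one for a service account such as an IIS application pool identity.

```python
"""Pre-flight check for getsystem: does this token hold a privilege any of its
techniques can use? Added example; not Metasploit code. The two `whoami /priv`
outputs below are constructed samples in the real command's format."""

# Constructed: what a standard user typically sees.
USER_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
"""

# Constructed: a service account (e.g. an IIS application pool identity).
SERVICE_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Which privilege each getsystem technique family depends on.
GETSYSTEM_NEEDS = {
    "SeImpersonatePrivilege": "named pipe impersonation (getsystem -t 1/2)",
    "SeDebugPrivilege": "token duplication (getsystem -t 3)",
}


def parse_whoami_priv(text: str) -> dict:
    """Map privilege name -> state ('Enabled'/'Disabled') from `whoami /priv` output."""
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True          # rows start after the separator line
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        privs[parts[0]] = parts[-1]  # name is the first column, state the last
    return privs


def getsystem_prospects(privs: dict) -> list:
    """getsystem techniques this token can attempt. A privilege that is present
    but Disabled can be enabled by the process itself, so it still counts;
    one missing from the list cannot be acquired without a local exploit."""
    return [technique for name, technique in GETSYSTEM_NEEDS.items() if name in privs]


if __name__ == "__main__":
    for label, sample in (("standard user", USER_PRIV), ("service account", SERVICE_PRIV)):
        privs = parse_whoami_priv(sample)
        prospects = getsystem_prospects(privs) or ["none; find a local exploit first"]
        print(f"{label}: {len(privs)} privileges -> {', '.join(prospects)}")
```

The standard user holds neither privilege, so getsystem will fail there; the service account holds SeImpersonatePrivilege, which is why a shell on a web application or database service is so often the shortest road to SYSTEM.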
Step 4: Leaving Behind a Backdoor or Listener
Once we have successfully exploited the system and escalated our privileges to sysadmin or root, it will be necessary to leave behind a listener or rootkit. Ideally, this listener will persist across reboots and will be there when we want to come back to the system and continue to use/exploit/extract.
This listener can take many forms, such as Netcat, a command shell, VNC, Meterpreter, etc.
Step 5: Extracting Data
Ultimately, the primary reason for exploiting/hacking a machine is to gain access and extract or exfiltrate data. This may be credit card data, personally identifiable information (PII), intellectual property, or other valuable information.
To do so, we need a way to remove the data in a manner that is not readily noticeable by the sysadmin, and ideally, encrypted. Recub and Cryptcat are two tools that can remove data stealthily. (Cryptcat is Netcat with Twofish encryption of the stream, so the content does not cross the wire in the clear; the connection itself, and the volume of data moving over it, is still visible to anyone watching the network.)
Metasploit's Meterpreter also has upload and download commands for uploading malicious software and downloading important and valuable data.
Step 6: Covering Your Tracks
To make sure that our exploits don't lead back to us, we need to cover our tracks. This can take many forms, such as clearing log files, removing any software we uploaded, removing our command history, etc. Metasploit's Meterpreter has a killav script to disable antivirus software, as well as a clearev command that wipes the Application, System, and Security event logs on Windows systems. Be aware that wiping a log is itself logged: Windows records a "log cleared" event (ID 1102 in the Security log) as the first entry in the freshly emptied log, and an empty event log is a red flag to any admin who looks. On a monitored network, entries already shipped to a central log server before you cleared them are beyond your reach anyway.
I hope that this simple outline of the hacker methodology helps many of my neophyte hackers to better understand the hacking process.