The Hacker’s Methodology – A Brief Guide

A hacking methodology is an essential step-by-step procedure that a hacker follows as they prepare for a penetration test. This methodology is critical to a hacker because it helps guide you from where you are now to where you want to go. Ethical hacking involves more than just penetrating and patching a system. A hacking methodology is what separates them real hacker from the kiddies, and saves you a lot of time and energy.

The hacker’s methodology, also known as the hacking methodology, is a systematic approach that a hacker uses to plan, execute, and report on a penetration test or a security assessment. The methodology typically includes the following steps:

Reconnaissance: Gathering information about the target system, network, or organization.
Scanning: Identifying live systems and open ports on a target network.
Enumeration: Attempting to gather more detailed information about the systems and services that are running on a target network.
Vulnerability Analysis: Identifying vulnerabilities in the target systems or network.
Exploitation: Attempting to exploit the identified vulnerabilities to gain access to the target systems or network.
Maintaining Access: Attempting to maintain access to the target systems or network in order to continue to gather sensitive information or to perform further actions.
Cleanup: Removing any traces of the hack and restoring the system to its original state.
Reporting: Documenting the entire process, including the steps taken, the results, and any recommendations for improving the security of the target systems or network.

It is important to note that the goal of the hacker’s methodology is not to cause harm or steal sensitive data but to identify and report vulnerabilities in the system to improve the security of the organization.

Prepping for the Test

There are particular scanners that you can use to automatically discover vulnerabilities in a system. Some of these tools can even be used to fix the vulnerabilities. The good thing about these tools is that they help you focus on the testing aspect without spending too much time on the steps involved. However, it is always advisable for every hacker to know the steps so that they can understand the hidden details, which will help in focusing on the stuff that actually matters.

Both an ethical and criminal hacker use the same process when testing a system. The only difference is the end goal and how it will be achieved. As an ethical hacker, you must test every potential entry point into the network. These may include customer networks, wireless networks, or mobile devices. Malicious hackers are able to use people, physical components, or computer systems to launch an attack, so you have to test everything.

Your primary job is to discover vulnerabilities and then figure out how a malicious hacker would go about exploiting the system. You can decide to simulate a restricted attack on a single computer or comprehensively attack the whole system.

You have to think like a criminal hacker as you prepare to test the network. Search for weaknesses, evaluate both internal and external processes, assess how the various systems are linked together, and check the level of protection of private systems. The techniques you use to accomplish all this are essentially the same for social engineering and physical security evaluation.

There are generally two ways that you can assess a system — a blind (covert) assessment and an overt assessment. An overt assessment is where you have some inside knowledge of the system you intend to test. With a blind assessment, the client doesn’t give you much information apart from the name of the company.

You have to search for information on your own, the same way a criminal hacker would have to do. The benefit is that you get to see exactly what a malicious hacker would see when they try to gain access publicly. The downside is that testing takes more time, and there is a higher chance of overlooking certain vulnerabilities.

Reconnaissance

This is the process of collecting information about the person or organization that you want to target. It is a passive approach that mainly involves using publicly available resources to find information about something. There is a lot of information on the Internet, so you will have to be patient as well as diligent.

Hackers are able to target individuals in an organization, specific departments, or the entire company. Once you have settled on a specific target, you can browse for information about your target by using any search engine available. The aim is to learn as much as possible about them.

There are a number of techniques that you can use to gather information:

a) Web searches

You can go to the target’s website and browse around as you try to collect as much useful information as possible. Use Google to look for information such as:

Names of employees and their contact information. You can proceed to find these people on Facebook or LinkedIn.
Relevant company dates and technical job openings. Most organizations usually specify the technology that potential recruits need to be familiar with. This will give you a heads up of the software and hardware the company is using.
SEC filings in case it is a public entity.
Incorporation filings in case it is a private entity.
Patents and trademarks.
Press releases discussing new products or changes in the organization.
Webinars, articles, or presentations.
Mergers and acquisitions.

If you are using Google, you can use keywords to get the most relevant information. It is unbelievable the kind of detailed information (phone numbers, addresses, etc.) that you can find on Google if you just know the right keywords to use.

You can also perform an advanced web search using Google’s advanced search feature. This will reveal websites that contain back-links into your target’s website. You are likely to find vendors, suppliers, and clients that are affiliated with your target.

You can also use switches to dive deeper and gain access to the files linked to a company. For example, if you want to discover a specific file or word on the website of company XYZ, type the lines below into Google:

Site: www.xyz.com keyword
Site: www.xyz.com filename

It is possible to download Flash .swf files that can be decompiled to uncover confidential data belonging to company XYZ. You can also obtain PDF files with sensitive data. Simply type the lines below into Google:

Filetype: swf XYZ
Filetype: pdf XYZ confidential

b) Web crawling

There are certain web crawling tools that are able to mirror a website and download all the publicly accessible files from the target website. This then allows you to scan the copy offline. You are likely to unearth information regarding the configuration and layout of the website, files, and directories, the source code for the web pages, names and email addresses of the IT employees, and comments about the workings of the code.

c) Websites

There are certain websites that contain information about different organizations and their employees. You can even do a people search if you just know which websites to use. For example:

finance.yahoo.com
sec.gov/edgar.shtml
uspto.g0v
zabasearch.com
choicepoint.com

The objective at this point isn’t to penetrate into the target’s system, but essentially to know what and who you are dealing with.

d) Network mapping

This is the process of searching public databases to discover the information available about a particular network. The best place to start is to use any Whois tool available online.

As an ethical hacker, Whois enables you to obtain information that will help you scan a network or prepare a social engineering attack. You will be able to get the names, phone numbers, and addresses linked to a specific Internet domain registration. Whois also provides the DNS servers of the target domain.

You would be surprised to discover the type of private information that is publicly available on Google Groups. You can find domain names, usernames and IP addresses. People tend to share a lot of information on Google Groups, some of it related to the system security. It is possible to request Google to remove such sensitive material posted on the site by going to their support page.

e) System scanning

Once you have begun actively collecting information about the network being tested, you will start to see the system through the eyes of a malicious hacker. The information gathered from external sources will be able to provide you with a map of the entire network, revealing how the systems are interconnected. You should be able to see the hostnames, IP addresses, open ports, running protocols and applications.

In some cases, the internal hosts are also included in the scope of your testing. Internal hosts are typically hidden from outsiders, but it is important to test them just in case a disgruntled employee decides to revenge against the company by trying to access confidential information. Remember, if you decide to test your own internal host system, first do so in a virtual environment such as Virtual Box or VMware Workstation.

Hosts

Scan and record those hosts that can be accessed externally via the Internet and internally by an insider. Begin by pinging the IP addresses or the hostnames. You can use either the standard ping tool that comes with your OS, or you can use a 3″ party tool that is able to ping several IP addresses at once, for example, NetScan Tools Pro, Supers can, or fping.

Open ports

There are a number of networking tools that can be used to scan for open ports. These include OmniPeek, Wireshark, Superscan, among others.

It is easier to perform a scan internally than externally. To scan internally, connect your computer to the local network, run the software, and off you go. To scan externally, just assign the computer you are using a public IP address and connect it to a hub that is not within the firewall.

Evaluating System Vulnerabilities

Once you have discovered potential gaps in security, it is time to start testing. However, before doing so, it is recommended that you confirm if these gaps are actual vulnerabilities in the system. There are several websites and hacker message boards that you can manually search to determine whether what you have discovered is on the list of classified vulnerabilities.

Websites like sans.org/top20, nvd.nist.gov, and cve.mitre.org/cve all document commonly exploited vulnerabilities.

In case you do not want to spend time manually researching potential vulnerabilities, you can start testing right away. You can either perform a manual evaluation or an automated one. In a manual evaluation, the potential vulnerabilities are assessed by linking to the ports that can be exploited by malicious hackers, and then poking around them,

Automated evaluations involve the use of tools that test for weaknesses on a platform or network. Though these tools make work easier and much faster, most of them only have the capability to test for specific and individual system vulnerabilities. Thankfully, new advances in vulnerability management systems are birthing tools that can correlate vulnerabilities across a whole network.

One really great tool is QualysGuard. It is a cloud-based tool that has port scanning and vulnerability assessment capabilities. It is not free, but it is worth the money if you want to build credibility for your business. If you are looking for a free vulnerability scanner, go for Rapid7’s Nexpose. It is capable of scanning a maximum of 32 hosts.

Penetration Testing

Once you have discovered the major security vulnerabilities, the next step is to penetrate the system. You should be able to use the available online tools to exploit the system, for example, Metasploit (www.metasploit.com/framework). Better yet, you should consider developing your very own tool. Of course, this will require creativity and utmost dedication.

Some of the things you will be able to do after penetrating the system include:

Gathering more information from the host system.

Accessing other interconnected systems in the network.
Starting and stopping specific services.
Getting a remote command prompt.
Launching a denial of service attack
Gaining access to confidential files.
Disabling inbuilt logging security checks.
Performing SQL injection attacks.
Taking screen shots.
Sending emails to people as the administrator.
Finally, and most importantly, uploading a file boasting about your success!

As an ethical hacker, your job is to expose the presence of system vulnerabilities, so there is no need to actually exploit them and mess around with people. Unless for some reason, it is necessary to show the management just how serious system flaws are.

You may also like: