Many beginners don’t understand that hacking or penetration testing follows a very logical process and when broken down can really clarify tasks and goals. During this write-up I will use a fake company as an example and use very general examples of how each step is completed. Our target will be a fake company called SillyVictim and all we know is that they have a webpage and they have an internal company network. Our goal is infiltrate this company and obtain admin privileges. I’ll be using my metasploitable and Kali VM’s from my previous lesson as examples on how to apply this methodology.
Step 1. Recon
Reconnaissance is the most important step of the process and can be broken down into two sub-phases, active and passive. During this phase our primary goal is obtaining as much information about SillyVictim as possible. We are searching for vulnerabilities or weaknesses that we can use in later steps to gain access to the internal corporate network.
Phase 1: Passive
- Passive reconnaissance is what occurs when you don’t interact with the target. This is done by viewing the webpage, searching google, looking at social media for information on employees. In short you’re looking for any information that can be used to leverage against your target. This is the only step that is not illegal. Anything past this step can be considered a crime.
- Active reconnaissance is the step you use when you actively are probing your target. Lets hypothetically say that SillyVictim is hosting their own DNS server and that when we did our whois lookup we discovered the IP address to that server. So now we’re going to take information from our passive recon, and use that to feed into our active recon. Because we know the IP address of one server inside of our targets network we could scan against it using nmap, zenmap or any other scanning tool you wish. Scanning this server will reveal open ports and services (server applications) that the server uses to communicate. I’ve scanned my vulnerable *nix server using the Hack Lab that I built in previous tutorials to give you an example of what this may look like.
Step 2. Exploitation
Exploitation is defined as using a vulnerability identified during by our recon phase and using it to gain access to the intended machine. As you can see from the above example machine we have a TON of ports and services available. Each of these services are potential entry ways into our victims network because they are open lines of communication to the outside world. A popular framework for exploitation is metasploit. Metasploit is too large of a topic to cover here and will be covered in future lessons. If you’re interested in looking further now I suggest reading Metasploit: The Penetration Tester’s Guide. Another method would be sending a phishing email to one of your targets identified during the recon phase that had a call back to a listener you had running on your attack box. For now I chose the service vsftpd running on port 21 and leveraged it through a pre-written exploit found in metasploit. You can see my options in metasploit below.
Step 3. Privilege Elevation
Great so we now have access through our box after searching for vulnerabilities, and exploiting one of them to give us a shell. From here we could skip to data extraction and poke around on whatever user account our vulnerability has given us. But that’s not the point, we want super user, we want the ability to do whatever we want in this environment. So we figure out a way to elevate our privileges. This could include a wide variety of things, we could create new user accounts or we could even do this during the exploitation phase by using an exploit that would drop us into the machine with elevated rights.
Step 4. Establish Persistence
At this point we would drop in a backdoor or Remote Access tool. This allows us persistence in the machine, or the ability for us to come and go as we please in the event we get disconnected from our victim. A common and easy to use backdoor can be created using netcat. Persistence also allows us something else. It allows us to tunnel our traffic through the machine deeper into the victims network and serve as a lifeline to pass information through back to our attacker box. This way we can exploit the inherent trust that all machines on the same network share, while sending commands from our attack box.
Step 5. Extract Data
Now that we have established persistence lets get to the real stuff, data ex filtration. This is the point where you set up some kind of tunnel to your attack platform or to a dead-drop on some server that you will be using as an intermediary. You pull off any data that you may consider important. Usually in a *nix system this will comprise of at LEAST the /etc/shadow and /etc/passwd files, in Windows it will be the SAM file and registry. E-mails are often good to go for as people send out lots of information such as passwords, phone numbers etc.
Step 6. Cover Your Tracks
The big one, how not to get caught. We could spend forever talking about covering your tracks and ways to do this but for the purpose of this lesson it means system log and tool clean-up. You need to restore the machine back to the way you found it. If you exploit a vulnerability in a machine you want that vulnerability to stay there so you may use it again later. If a savvy system admin finds presence of a breach he/she is likely to go into panic mode and either pull the server offline or begin going through vulnerability remediation. As a hacker or penetration tester you do not want this to happen. Its important to note that the absence of logs is just a fishy as the presence of odd things in them. The trick is to adjust the logs so that normal events are listed and your actions are not.
We’ve gone over the high points of hacker methodology process. Its important to note that each phase of this methodology is much much deeper than described here. The recon phase could take weeks or even months. Exploitation could require custom tools to be developed, or physical access to the system it requires DEEP knowledge of how computers and the internet works. Data extraction could take days get out the information that you want to trickle out. I’ve over simplified this process to get your brain thinking logically and systematically.
If you want to dive deeper into these topics I recommend the following books. I personally use the Rtfm: Red Team Field Manual as a reference quite often as it helps serve as a reminder for all the tools I have at my disposal. Nmap is an insanely powerful tool and it deserves its entire encylopeida as far as I’m concerned. A very good resource for further learning Nmap is Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. For overall penetration testing for beginners you can’t go wrong with this book The Basics of Hacking and Penetration Testing, Second Edition: Ethical Hacking and Penetration Testing Made Easy. Happy hacking!