Ethical Hacking

2. Phases of an Ethical Cyber Attack

Phases of an Attack

Successful hacking attacks, and especially Penetration Testing ('Pentesting'), follow an orderly sequence of steps or phases.

Pentesting describes the activity of Ethical Hacking. Pentesters are hired to test the security of IT systems within a company, and their aim is to uncover flaws or loopholes which could be exploited by hackers.

Rules of Engagement

Before any kind of ethical hack or pen-testing starts, meetings are held to decide the 'Rules of Engagement'. These rules set out:

  • What the pen-tester will do. Will they do:
    • 'Black box' testing where the pen-tester starts from scratch as a hacker would, trying to map the network, discover the types of firewalls in use, names of key employees etc.
    • 'Grey box testing' where the pen-tester is provided with publicly available information to give them a head start and agreement is reached over what tests are done.
  • How sensitive data uncovered in the testing will be handled.
  • When the testing is to be done: at less critical times or quieter periods to reduce the effect of things going wrong, e.g. a DDoS attack.
  • A recovery plan if things go wrong at the time of testing.
  • How the test and the result of successful breaches or detections will be recorded.
Cyber Attacks

1. Reconnaissance

Reconnaissance is also known as 'foot-printing'. It is a technique for gathering information about computer systems and the organisations they belong to. There are a range of tools that can help hackers with this.

2. Scanning

Scanning involves taking the information discovered during reconnaissance and using it to examine the network. Tools that a hacker may use in this phase can include diallers, port scanners, network mappers, sweepers, and vulnerability scanners.

Hackers are looking for information that can help them perpetrate an attack, such as computer names, IP addresses, and user accounts.
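Scanning is the phase most likely to show up in a defender's own logs, because a port scanner has to send packets to the target. The following is an added example (not code from the course page) showing how a defender could pick a scan out of firewall log lines: it flags any source address that touches many distinct destination ports within a short time window. The log format, the field names, the thresholds and the sample lines are all constructed for the demonstration.

```python
"""Port-scan detection over firewall log lines.

Added example for the Scanning phase; this is not code from the course
page. The log format, the field names, the thresholds and the sample log
lines below are all assumptions constructed for the demonstration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format:
#   <ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>
# 203.0.113.5 probes seven ports in a few seconds (a fast scan),
# 198.51.100.7 is a normal client repeatedly using port 443, and
# 203.0.113.9 probes one port every two minutes (a slow scan).
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=21
2024-03-01T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2024-03-01T10:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2024-03-01T10:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=25
2024-03-01T10:00:03 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=80
2024-03-01T10:00:03 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=443
2024-03-01T10:00:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=3389
2024-03-01T10:00:05 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T10:00:09 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T10:00:15 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T10:01:00 DENY src=203.0.113.9 dst=192.0.2.10 dport=21
2024-03-01T10:03:00 DENY src=203.0.113.9 dst=192.0.2.10 dport=22
2024-03-01T10:05:00 DENY src=203.0.113.9 dst=192.0.2.10 dport=23
2024-03-01T10:07:00 DENY src=203.0.113.9 dst=192.0.2.10 dport=25
2024-03-01T10:09:00 DENY src=203.0.113.9 dst=192.0.2.10 dport=80
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# A longer window catches slow scans but raises the false-positive rate.
SLOW_SCAN_WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def find_scanners(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {src_ip: sorted list of all ports it touched} for every source
    that contacted at least `min_ports` distinct destination ports inside
    some `window`-long span. ALLOW and DENY lines both count: a scan that
    finds open ports produces ALLOW lines too."""
    events = defaultdict(list)          # src -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events[ev["src"]].append((ev["ts"], ev["dport"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                      # the sliding window needs time order
        in_window = Counter()           # port -> hits inside the current window
        start = 0
        for ts, port in evs:
            in_window[port] += 1
            # Drop events older than `window` from the left edge.
            while ts - evs[start][0] > window:
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= min_ports:
                flagged[src] = sorted({p for _, p in evs})
                break
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: ports {ports}")
    # The slow scanner only shows up with the longer window.
    print(find_scanners(SAMPLE_LOG, window=SLOW_SCAN_WINDOW))
```

With the default 60-second window only the fast scanner is reported; the slow scanner, one port every two minutes, is missed until the window is widened, which is exactly the trade-off an IDS tuner faces between catching patient scans and flagging ordinary clients.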

3. Gaining Access

Scanning helps the hacker build a picture of the target system, from which an attack plan is drawn up; this is the phase where the actual hacking takes place. Vulnerabilities discovered during the reconnaissance and scanning phases are exploited to gain access. The method of connection the hacker uses for an exploit can be a local area network (LAN, either wired or wireless), local access to a PC, the Internet, or offline. Examples include stack-based buffer overflows, denial of service (DoS), and session hijacking.

4. Maintaining Access

With successful entry, hackers generally want to keep access for future exploitation and attacks. One approach is to harden the system against other hackers or security personnel and keep their exclusive access with back-doors, root-kits, and Trojans.

Once a system is 'owned', hackers can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.

5. Covering Tracks

This phase involves the hacker covering their tracks to avoid detection by security personnel, to either continue to use the owned system, to remove evidence of hacking, or to avoid legal action.

Hackers will attempt to remove all traces of the attack, such as log files or intrusion detection system (IDS) alarms. Examples of activities during this phase of the attack include steganography, the use of tunnelling protocols, and altering log files.
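Because altering log files is the classic way of covering tracks, defenders make logs tamper-evident. The following is an added example (not code from the course page) of the usual technique: each record is tagged with an HMAC that also covers the previous record's tag, so editing or deleting any record breaks every tag after it, and an attacker who does not hold the key cannot recompute them. The sample records, the key and the storage layout are constructed for the demonstration.

```python
"""Tamper-evident logging with an HMAC hash chain.

Added example for the Covering Tracks phase; not code from the course page.
The log lines, the key and the storage layout are constructed for the
demonstration. Each record's tag depends on the previous tag, so editing or
deleting a record breaks every tag after it, and an attacker without the
key cannot recompute the tags.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32      # fixed "previous tag" for the first record

# Constructed sample records (auth-log style); not real events.
SAMPLE_LINES = [
    "10:00:01 sshd: Accepted password for alice from 192.0.2.20",
    "10:02:17 sshd: Failed password for root from 203.0.113.5",
    "10:02:19 sshd: Failed password for root from 203.0.113.5",
    "10:05:40 sudo: alice : COMMAND=/usr/bin/apt update",
]


def chain_log(lines, key):
    """Return [(line, tag_hex), ...] with tag = HMAC-SHA256(key, prev_tag || line)."""
    prev = GENESIS
    entries = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        entries.append((line, tag.hex()))
        prev = tag
    return entries


def verify_chain(entries, key, expected_final=None):
    """Recompute the chain. Return the index of the first record whose tag
    does not match, or None if every record checks out.

    A chain alone cannot reveal that the *last* records were cut off: the
    remaining prefix is still a valid chain. If `expected_final`, the last
    tag as copied to a separate host when it was written, is supplied,
    truncation is reported as index len(entries)."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    if expected_final is not None and not hmac.compare_digest(prev.hex(), expected_final):
        return len(entries)
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    entries = chain_log(SAMPLE_LINES, key)
    final_tag = entries[-1][1]           # the value you would ship off-host
    print("intact:", verify_chain(entries, key))                        # None
    # Removing the failed-login records (indices 1 and 2) is detected at 1.
    scrubbed = [entries[0], entries[3]]
    print("scrubbed:", verify_chain(scrubbed, key))                     # 1
    # Cutting the log short after the failed logins is only caught when
    # the final tag was stored somewhere the attacker cannot reach.
    truncated = entries[:3]
    print("truncated, no off-host tag:", verify_chain(truncated, key))            # None
    print("truncated, off-host tag:", verify_chain(truncated, key, final_tag))    # 3
```

The key must live somewhere the logging host's attacker cannot read it (a separate log collector, for instance), otherwise the chain can simply be rebuilt; and the truncation case shows why the latest tag is forwarded off-host as well.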

Ethical Attack

Ethical ('White Hat') Hacker

White Hat

White Hat hackers tend to be ethical hackers: professionals who work to identify loopholes and vulnerabilities in systems. They report them to the vendor or owner of the system and can, at times, help them fix it. The tools and techniques used by an ethical hacker are similar to the ones used by a cracker or a Black Hat hacker. Occasionally White Hat hackers can be called Grey Hat hackers. These are hackers who may sometimes break the law or ethical standards, but mean no harm. They tend to hack because they see getting into a secure system as a challenge.

Cracker ('Black Hat Hacker')

Black Hat

Also known as 'Crackers', Black Hat hackers try to break in and 'own' systems. What distinguishes them from Grey Hat hackers is that they do this with malicious intent, either to steal data or to damage a system through the introduction of malware.


Foot-printing can be done in either of two ways.
  1. Passive: This is where information is gathered quietly. The aim is to get information without alerting the target. It is the equivalent of sitting on the internet watching all the traffic go by and noting what might be relevant to the target.
  2. Active: The hacker is more proactive in this case, going out and looking for information to enable them to hack the target. The aim is still not to alert the target, but there is more risk of them finding out that someone is looking for a way in.

Typically a hacker will start with passive reconnaissance and move to an active phase once they have a particular focus.


Create a new page in your notebook and title it Phases of Attack.

  1. List the five phases and identify the purpose of each phase.
  2. Distinguishing between White Hat, Grey Hat and Black Hat hackers is easy. But what are 'Red Hat' and 'Blue Hat' hackers?
  3. Explain the difference between Passive and Active reconnaissance.
Hacking Phases

1. Learning Maltego

Maltego is a very useful passive information gathering tool. It comes in various versions. The one used in school is Maltego CE (Maltego Community Edition). It is found in the Information Gathering category of Kali Linux.

The video may appear very long, but in actual fact it is a collection of 5 short videos.

To use Maltego Community Edition, you have to apply for a key which only lasts for a few days. After it expires, a new application has to be made to get another key.

  1. Watch and work along with the video to learn how to use the program.
  2. The video finishes with a good example of how Maltego can be used to gather information on a number of different entities (people, email addresses, organisations, websites etc).

2. Using Maltego CE

In the version of Kali Linux used in school, Maltego CE is the free version. Because it's free, it's limited in the number of different entities it finds. It is still very useful though.

  1. Watch and work along with the video which shows ......
  2. Use Maltego to investigate the domain name of [the school cyber security site]: Get a screen shot and include it within your notebook.

Dmitry is a well established tool used for reconnaissance. Although it is getting on a bit now, it is still popular because it's so easy to use and reveals a lot of essential information to get hackers started.

Watch and work along with the video. Try using a web address of a site that you visit a lot.

  1. Some of the scans worked by Dmitry are passive and others are active scans which may trigger intrusion detection systems. Find out which are passive and which are active.
  2. Who is the registrant of the site found at Renfrewshire? The registrant is the person or organisation to whom the site is registered.
  3. What's the email address of the registrant of
  4. When was the domain name first registered?

This is a very versatile and useful tool for information gathering. It does all the work of Dmitry and more. It can be used for finding contacts, harvesting emails, geolocation and vulnerability finding.

Recon-ng works by gathering information from a variety of sources accessed through 'modules'. Some of these modules require API Keys to work (codes that identify the calling program) and these can be expensive. Others though are free.

Watch and work with the video below. It only scratches the surface of what Recon-ng can do - there are over 70 modules to use. It does however provide a good introduction to how quickly you can build up information with only a few simple starting facts.

  • Practice using your new skills on
  • Try to capture email addresses of those associated with the organisation
  • Get a screen shot and include it in your notebook.

You should be able to:-
  • Explain each of the phases of the Pen-testing framework.
  • Explain the term 'Rules of Engagement'.
  • Tell the difference between an Ethical Hack and an illegal cyber attack.
  • Use reconnaissance tools to gather information as part of OSINT.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.

Supporting courses by the SQA