Successful hack attacks and especially Penetration Testing ('Pentesting') follows an orderly sequence of steps or phases.
Pentesting describes the activity of Ethical Hacking. Pentesters are hired to test the security of IT systems within a company and thier aim is to uncover flaws or loop holes which could be exploited by hackers.
Rules of Engagement
Before any kind of ethical hack or pen-testing starts, meetings are held to decide the 'Rules of Engagement'. These rules set out:
- What the pen-tester will do. Will they do:
- 'Black box' testing where the pen-tester starts from scratch as a hacker would, trying to map the network, discover the types of firewalls in use, names of key employees etc
- 'Grey box testing' where the pen-tester is provided with publicly available information to give them a head start and agreement is reached over what tests are done.
- How sensitive data uncovered in the testing will be handled.
- When the testing is to be done: at less critical times or quieter periods to reduce the effect of things going wrong e.g. DDoS attack.
- A recovery plan if things go wrong at the time of testing.
- How the test and the result of successful breaches or detections be recorded.
Reconnaissance is also known as 'foot-printing'. It is a technique for gathering information about computer systems and the organisations they belong to. There are a range of tools that can help hackers with this.
Scanning involves taking the information discovered during reconnaissance and using it to examine the network. Tools that a hacker may use in this phase can include diallers, port scanners, network mappers, sweepers, and vulnerability scanners.
Hackers are looking for information that can help them perpetrate attack such as computer names, IP addresses, and user accounts.
3. Gaining Access
Scanning, helps the hacker to create a design of the target system helping to create an attack plan where actual hacking takes place. Vulnerabilities discovered during the reconnaissance and scanning phase are exploited to gain access. The method of connection the hacker uses for an exploit can be a local area network (LAN, either wired or wireless), local access to a PC, the Internet, or offline. Examples include stack based buffer overflows, denial of service (DoS), and session hijacking.
4. Maintaining Access
With successful entry, hackers generally want to keep access for future exploitation and attacks. One approach is to harden the system against other hackers or security personnel and keep their exclusive access with back-doors, root-kits, and Trojans.
With 'owned' systems, hackers can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.
5. Covering Tacks
This phase involves the hacker covering their tracks to avoid detection by security personnel, to either continue to use the owned system, to remove evidence of hacking, or to avoid legal action.
Hackers will attempt to remove all traces of the attack, such as log files or intrusion detection system (IDS) alarms. Examples of activities during this phase of the attack include stenography, the use of tunnelling protocols, and altering log files.
Ethical ('White Hat') Hacker
White Hat hackers tend to be ethical hackers who are professionals who work to identify loopholes and vulnerabilities on systems. They report them to the vendor or owner of the system, and can, at times, help them fix it. The tools and techniques used by an ethical hacker are similar to the ones used by a cracker or a Black Hat hacker. Occasionally White Hat hackers, can be called Grey Hat Hackers. These are hackers who may sometimes break the law or ethical standards, but mean no harm. They tend to hack as they see that getting into a secure system is a challenge.
Cracker ('Black Hat Hacker')
Also known as 'Crackers', Black Hat hackers try to break in and 'own' systems. What distinguishes them from Grey Hay hackers is that they do this with malicious intent, either to steal data or damage a system through the introduction of malware.
- Passive: This is where information is gathered quietly. The aim is to get information without alerting the target. It is the equivalent to sitting on the internet watch all the traffic go by and noting what might be relevant to the target.
- Active: The hacker is more proactive in this case, going out and looking for information to enable to hack the target. The aim is still not to alert the target but there is more risk of them finding out that someone is looking for a way in.
Typically a hacker will start with passive reconnaissance and move to an active phase once they have a particular focus.