A Malicious Hacker’s Methodology

In this video, we’re going to be talking about a malicious hacker’s methodology. Now it doesn’t matter whether you’re a white hat, black hat, or grey hat hacker, hackers almost always use what’s called the five phases of hacking. Now this is a really critical set of instructions to actually follow. That’s why all hackers tend to follow this methodology.

So the five phases of hacking are simply this. Phase one is reconnaissance, phase two, scanning, phase three, gaining access, phase four, maintaining access, and phase five is covering tracks. So let’s break this down. Phase one, reconnaissance. Phase one is the most important phase. And in this phase, the hacker will tend to spend the most time going over this. Attacker will attempt to learn as much as possible about the target, the network, person, et cetera, diving into your website, and social media, phone numbers, emails, and things of that nature. No attack is going to take place during this phase. Reconnaissance is a largely hands off phase. Again, this is going to be data collection, information gathering phase.

Hackers is simply going to gather information that they could use later. This phase is also referred to as OSINT or open source intelligence. But this is not to be entirely confused with the legitimate use for investigations. Phase two, scanning. So in phase two, scanning, the attacker will begin to scan your network in this phase. These type of scans can include things like Nmap, Nessus, Spiderfoot, Metagoofil, OpenVas, and other scanning tools. The attacker is essentially mapping your network, IP addresses, subnets, subdomains, et cetera. And what they’re looking for are things like vulnerabilities and things that they could exploit. Also, they’re using this phase to discover what you’re running on your network. Phase three. Phase three is gaining access.

So this is the actual phase when a hacker is going to launch their attack and begin to assault your network. Now there’s a variety of ways to go about this. Phishing and spear phishing are pretty popular methods. So in this type of attack, they’ll send a phishing email, or spear phishing email. They’ll tend to have some sort of payload in there, whether it’s click this link and you enter your credentials in, or if it has a infected say PDF file, Word document, or it could even be a executable file, saying, hey, please run this update. USB drops. Bad USB drops are pretty common.

So you could simply take a very cheap USB drive, create a virus payload, drop it somewhere, and have someone pick it up and plug it in your computer. Other bad USB drops and USB devices could be things like the Ninja USB device which is essentially it looks like a charging cable for a iPhone or Android device. You plug it in, it sits dormant, it’ll charge your phone even. But the attacker could send a remote command, and have a trigger, and then it’ll start typing a payload. Vulnerability. Attackers are also looking for vulnerabilities in this phase that they discovered earlier. And they’re going to use those vulnerabilities to exploit it and gain access to your network.

Phase one and two, this is why phase one and two are so important and why hackers tend to spend a lot of time on this because they want to gather that information that they could use to gain access to your network later. Phase four is maintaining access. So once a hacker gets access to your network, they want to be able to maintain it. They want to be able to keep hold of your network, get on your network later, persistent access, anything like that.

So things like creating an admin or root account is going to be essential for a hacker because they want to have that admin account to be able to access everything on the network, create more accounts and whatnot. Securing your credentials of existing user is also going to be a big goal for a hacker, especially if you’re a admin or have a desirable account. Even if it’s a low security account, hacker might potentially be able to use that account to send emails out, a phishing email, spear phishing emails to other people in the organisation to gain leverage. Persistence, creating that persistent connection will allow a hacker to reconnect even if the computer or server is rebooted.

And this is again going to be a pretty vital thing for a hacker to do. Hidden accounts. Hiding unauthorised accounts is also important. Hacker is oftentimes going to hide a account in an attempt to blend in with other accounts or bury accounts so really far into a switch, onto a server, so it’s going to be hard to find. And essentially they’re trying to avoid detection. After all, if that suspicious account’s found, then it’s not going to do a hacker much good to be able to have that account anymore. So phase five is covering tracks. Now in this phase, a hacker is going to start erasing logs. Now it depends on what type of hacker you’re dealing with.

While hackers will often time erase the logs, a careful hacker is just going to erase the entries that they left behind, whatever footprints they left behind. They’re going to trace those. Erasing the logs is intended not only to hide their activities, where they’ve been, but also the fact they’ve been on the network. But also it’s going to make it harder to find their identities. Now if you’re not careful, you might have a reckless hacker or someone in a rush and they wipe out all your logs. So backup logs.

Viewing your logs often, having a intrusion detection system or IDS backup of your log can help if a attacker modifies a log in some way and you’re able to find that out. And worst case scenario, if a hacker erases all your logs, you could try to do a file recovery to see if you can retrieve those logs. Now wrapping up, hacking is typically done in five phases. Hackers would typically work using the five phases of hacking. Understanding these phases can help us understand a hacker’s methodology and knowing the hackers methodology means we could help develop a strategy to combat this. So this was about hacking methodology.

In the next video, we’re going to go over what we can learn from a malicious hacker. Thank you for watching. I’ll see you in the next video.