An answer to the age old question: How do I hack?


(VVid0w) #1

Introduction

First and foremost, I’d like to note that this is not an all encompassing article. You WILL have to use your creativity and think out of the box when hacking.

What will this article entail?
It will not have any code whatsoever, and is not meant to teach you how to hack anything specific, but instead will provide the steps you should take and things you should consider or reflect upon when hacking.

Why exactly are you writing this?
Quite frankly, I’m tired of people asking “How to hack x” or “How do I hack” without any context or prior information. More often than not, they haven’t even done any research on the topic. I’m aiming to if not end, then at least put a dent in the amount of times those questions are asked. Now don’t get me wrong, I’m always super stoked to help people learn, but when someone just outright asks those two questions without even attempting to research the topic themselves then it begins to become quite infuriating.

Now then without further ado, let’s get right into it!


First things first…You’ve probably heard the phrase “Practice makes perfect”, correct? While not wrong, people commonly mistake this to mean “Put in the hours and you’ll get there eventually”. That is what’s wrong. Practice is so much more than just putting in time and mindlessly going away with doing whatever. In order to practice correctly, you must put in hours, reflect on what you’re doing, try new things with what you’ve learned, come up with your own solutions, and actively make an attempt at getting better.

Now, we will discuss what I feel to be the steps for a successful hack:

1.) Reconnaissance - It all starts with this.
  • Fuzz the URL either by hand or with a program like wfuzz
    • Do they have an ftp server?
    • Admin page?
    • ANY pages of interest?
    • Look at the robots.txt file. Try those URLs. Anything interesting?
    • Are there text fields that you can type into?
    • Insecure pages that should be private /protected?
  • Learn everything you can about the company
    • Read their website
    • What does the company do?
    • Look for info on people that work for them.
      • Do those people have LinkedIn?
      • Facebook?
      • Instagram?
      • Twitter?
      • What is their email?
      • Google their name.
      • Do they have pictures of their workspace?
      • Pics of a server room?
      • Pics of their personal computer?
      • How “high up” in the company is this person?
    • Look for partners, affiliates, and suppliers they do business with.
      • What are these companies about? i.e. what are their products, what do they do?
      • Where are these companies in relation to your target? (Google maps)
      • Do these companies have any info on their site that pertains to your target that you can use?
      • Don’t completely recon these unless absolutely necessary. Just look for info on your target.
  • If you’re red teaming
    • What time do they close?
    • What do the people going inside look like?
    • How do they handle people at their front desk /lobby?
    • Who do they source their computer repair to? Is it internal, or an external company?
      • Can you go in posing as a computer repair person from said external company?
      • Look for any company they outsource to. See if you can pose as a worker from that company.
      • Look for job openings.
        • Could you get hired on part-time or full-time? This may be the easiest way in.
        • What are they looking for in an employee of any kind?
        • This could allude to what tech they use, and what tech they don’t.
        • It could also help you know what the company may be lacking in.
      • Is one of their employees especially talkative or verbal?
        • Can you social engineer him /her at the bar? A party? e-mail even? (maybe you could pose as a news reporter or something of that nature.)
          • If you manage to SE him /her at a bar, do they invite you back to their place?
          • Could you implant malware into their phone, PC, or any other electronic device they own?
          • When does this person sleep?
            • Can you get into their house without breaking anything?
            • Again, could you install malware on a device?
      • Could you fly a drone and do some recon of the property that way? If not, how about a telescope or binoculars?
        • What times do shifts change?
        • License plate numbers of employees?
        • If you can see through the windows, what kind of things do the employees do?

REMEMBER TO DOCUMENT THE THINGS YOU FIND!!! Without documentation, all of the work you just did is useless. What if you forget something or maybe your employer requires a report of some sort?


2.) Scanning - You need to enumerate & define your target.
  • Convert the URLs of the company(ies) you found into IP addresses.
    • Use a tool to find the approximate location of the address. (although you should know this from the recon you did)
    • Grab the site’s HTTP(S) header. It can give you a whole plethora of information. (Be careful though…The header CAN be spoofed.)
    • Use a tool like Nmap to map your primary target’s network.
      • Try to use a scan that hardly touches the network. You don’t want to be caught by an IPS (Intrusion Prevention System) or an IDS (Intrusion Detection System) before you even infiltrate their network, do you???
    • How many systems are there?
      • What are the names of the systems?
      • What operating systems are in use?
      • What ports are open?
      • What services are running?
      • Document IP addresses of systems
      • Put system names with the corresponding system IP addresses.
      • Do the same for ports, services, and OSs.
    • Look up vulnerabilities for each OS, port, and service.
      • What can you do with the vuln?
        • Can you make the system run code?
        • Can you retrieve information with it?
        • Can you gain access with the vuln?
        • Can you add a payload to the vuln and set up a listener or rootkit on the target system such as Meterpreter or STELF?
      • Add each vulnerability you find to your documentation of each system.
    • Can you create your own exploit for the OS, port, or Service?

AGAIN, I cannot stress this enough, but you NEED to document things. If you don’t like to document then I’ve got some news for you…You’re gonna’ have a bad time. There are programs that can help you like Paterva’s Maltego or Casefile.


3.) Breaking in - The art of exploitation
  • What machine do you plan to attack?
    • Using what vulnerability?
    • If the vulnerability fails, what can you do to get in anyway?
      • Perhaps you could set up a DNS server close to the property and serve it false information, therefore Man in the middling it?
      • Possibly MITM their WiFi network and gain access that way?
      • Sniff their network traffic and find the info you needed like that?
      • Could you exfiltrate the data you needed by using memory leaks?
      • Use a LAN Turtle? How about a Bash Bunny?
      • I heard there is a “new” method to capture data from watching HDD lights and listening to the sound of the PC. Perhaps you could try this? (Note, I’d leave this as a last resort because I have no idea how to do it and I also don’t know how effective it truly is.)
      • If you’re just wanting to view what they’re viewing /speaking, could you set up a retroreflector or a wiretap?

You must be getting tired of reading this, but D O C U M E N T. What vulnerabilities /methods worked and what didn’t work? Document them both in case you need to pass the project along or put a halt on it for some time.


4.) Getting root - Privilege escalation
  • You will have to be quite creative with this one.
    • You will have to use external resources for this. Namely: Google, Exploit-DB, and the CVE site.
    • Look for more vulnerabilities that do privilege escalation.
    • Again, can you make your own exploit for this?

You know what I’m going to say, so do it!! DOCUMENT YOUR STUFF


5.) Achieving your goal
  • Think back to what your original motive was for hacking your target.
    • Did you achieve what you set out to do?
      • If not, reflect upon it and write down what you can do to improve upon it next time.

(Remember; it’s not a man’s success that makes him who he is, but rather his ability to learn from and improve upon his failures no matter how numerous they may be.)


6.) Maintain access (Rootkit, Persistent listener)
  • You may wish to maintain access to your target in case you need to exfil. data again, or maybe you are constantly pulling data from your target.
  • Perhaps you’re setting up a botnet and need to connect it to your C&C (Command and Control) server.
  • Whatever your reasons, you will want to set up a persistent back door. I will not be covering that in this article, but here is a resource that may help you through it: The Art of Creating Backdoors and Exploits with Metasploit

7.) Cover your tracks
  • Here comes the part that you ABSOLUTELY 100% MUST do if you don’t wish to be caught.
    • Do take note, because if you pull anything away from this, at least let it be this section.
      • Find and delete logs.
        • You can either delete /clear the entirety of the log files, or go through and pick out which lines in the logfile were caused by you.
          • The first method will more than likely alert a sysadmin or computer security consultant to your presence. It will be investigated if you just outright delete the file. However if you simply clear it, you will have a far greater chance of making a clean getaway.
          • The second method takes much more time, but I believe the time is worth it. You are essentially removing any records of you being there at all. It’s as if you were a ghost.
          • Be smart with this and use your brain. Using the documentation you gathered during the recon stage should help you to know which method you can safely use. If it’s a lazy sysadmin /security consultant that’s managing the place then you’re in luck.

REMEMBER, don’t get cocky or comfortable with this. Just because you’ve completed multiple hacks without being caught DOES NOT MEAN that you will never be caught. You must be just as meticulous with covering your tracks as the first time you hacked…maybe even more so.


In conclusion…

Document, document, document!
I absolutely cannot stress enough how critical it is for you to document things in some way. If you ever need to go back to it at any point in time then it will be far easier than just hacking your target again. You may also need to file a report for your employer. Documentation makes both of these a hell of a lot easier.

Don’t get comfortable.
Once you get comfortable you start missing or skipping over things. You will be caught, simple as that.

And remember…
This is not meant to be a complete step by step guide. It’s simply the steps I take when performing a hack. You need to use your imagination and think up your own solutions to problems. Think outside of the box!


Questions for the community:

1.) Do you believe I missed anything? Would you like to add anything to the article? Put it in the comments and I will gladly add it! (So long as I deem it necessary of course)

2.) Did this by chance help you out any? I know when I was starting out, I had some trouble organizing my thoughts and processes because I was attempting to do everything at once.


Note, for those that may not know what those arrows are, they’re drop down arrows. If you click them then more text is revealed.
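The post’s scanning section warns that a noisy scan gets caught by an IDS, and that a slow scan which “hardly touches the network” is harder to spot. The following added example (mine, not part of the original post) shows the defender’s side of that observation: the simplest port-scan detection logic, a sliding window that flags any source touching many distinct ports on one host within a short time. The log format, IP addresses and sample lines are all constructed for the example; the `window_seconds` and `threshold` parameters are assumptions, not settings of any real IDS.

```python
"""Port-scan detection over connection log lines (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]


def _make_log():
    """Build a constructed sample log: '<iso-timestamp> <src> -> <dst>:<port> <flags>'."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # Fast scanner: 12 distinct ports on one host inside six seconds.
    for i, port in enumerate(PORTS):
        t = base + timedelta(milliseconds=500 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 -> 10.0.0.20:{port} SYN")
    # Ordinary client: only 80 and 443, repeated many times.
    for i in range(20):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} 10.0.0.7 -> 10.0.0.20:{80 if i % 2 else 443} SYN")
    # Slow scanner: the same 12 ports, one probe every two minutes.
    for i, port in enumerate(PORTS):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} 10.0.0.9 -> 10.0.0.20:{port} SYN")
    return "\n".join(lines)


SAMPLE_LOG = _make_log()


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, dst_port)."""
    ts_str, src, _arrow, dst, _flags = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts_str), src, dst_ip, int(dst_port)


def find_scanners(log_text, window_seconds=60, threshold=10):
    """Return {(src, dst_ip): max_distinct_ports} for pairs that reach `threshold`
    distinct destination ports within any `window_seconds`-long window."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # (src, dst_ip) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, port = parse_line(line)
            events[(src, dst_ip)].append((ts, port))

    hits = {}
    for key, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            # Slide the left edge forward until the window fits.
            while evs[right][0] - evs[left][0] > window:
                left += 1
            distinct = {port for _, port in evs[left:right + 1]}
            if len(distinct) >= threshold:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits


if __name__ == "__main__":
    print("60 s window :", find_scanners(SAMPLE_LOG))
    print("1 h window  :", find_scanners(SAMPLE_LOG, window_seconds=3600))
```

With the default 60-second window only the fast scanner (10.0.0.5) is reported; the slow scanner (10.0.0.9) spreads its probes two minutes apart and never has ten ports inside one window, which is exactly why a detector needs a much longer window (or per-source state that outlives a single window) to catch a patient scan. The ordinary client is never flagged because it only ever touches two ports.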

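The “cover your tracks” section describes two ways a log can be tampered with: clearing the whole file, or removing only the lines a particular session produced. The added example below (mine, not from the original post) shows the defensive counter-measure: a hash chain over the log lines, shipped line by line to a collector the host itself cannot alter. Each hash covers the previous hash, so editing, removing or reordering any line breaks the chain at that position, and clearing or trimming the file shows up as a line-count mismatch against the collector. The log lines, host and user names are constructed; the genesis value and the “forwarder ships one hash per line” model are assumptions of this example, not a description of any particular logging product.

```python
"""Tamper-evident log verification with a hash chain (added example, constructed data)."""
import hashlib

# Constructed syslog-style sample; none of these events are real.
SAMPLE_LOG = [
    "Mar  1 10:00:01 host1 sshd[101]: Accepted publickey for alice from 10.0.0.7 port 5001",
    "Mar  1 10:00:05 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls /var/log",
    "Mar  1 10:02:40 host1 sshd[102]: Accepted password for bob from 10.0.0.5 port 5002",
    "Mar  1 10:03:10 host1 sudo: bob : TTY=pts/1 ; COMMAND=/usr/bin/cat /etc/shadow",
    "Mar  1 10:04:00 host1 sshd[102]: session closed for user bob",
]

GENESIS = "0" * 64  # starting value of the chain (constructed convention)


def chain_hash(prev_hash, line):
    """Hash of one line bound to the hash of everything before it."""
    return hashlib.sha256(f"{prev_hash}\n{line}".encode()).hexdigest()


def ship_hashes(lines):
    """What a forwarder sends to the off-host collector: one chain hash per line."""
    hashes, h = [], GENESIS
    for line in lines:
        h = chain_hash(h, line)
        hashes.append(h)
    return hashes


def verify(local_lines, remote_hashes):
    """Compare the on-host log against the hashes the collector received.

    Returns (ok, detail). Any edit, removal or reorder breaks the chain at the
    first affected index; a cleared or trimmed file shows as a count mismatch.
    """
    h = GENESIS
    for i, line in enumerate(local_lines):
        if i >= len(remote_hashes):
            return False, f"line {i} exists locally but was never shipped"
        h = chain_hash(h, line)
        if h != remote_hashes[i]:
            return False, f"chain breaks at line {i}: a line was edited, removed or reordered"
    if len(local_lines) < len(remote_hashes):
        return False, (f"local log has {len(local_lines)} lines, "
                       f"collector has {len(remote_hashes)}: truncated")
    return True, "intact"


def demo():
    """Run the verifier against the intact log and four tampered variants."""
    remote = ship_hashes(SAMPLE_LOG)
    edited = SAMPLE_LOG[:1] + [SAMPLE_LOG[1].replace("alice", "carol")] + SAMPLE_LOG[2:]
    return {
        "intact": verify(SAMPLE_LOG, remote),
        "cleared": verify([], remote),                              # whole file emptied
        "one_line_removed": verify(SAMPLE_LOG[:2] + SAMPLE_LOG[3:], remote),  # line 2 picked out
        "edited": verify(edited, remote),                           # line 1 altered in place
        "tail_removed": verify(SAMPLE_LOG[:-1], remote),            # last line dropped
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:18s} {'OK ' if ok else 'BAD'} {detail}")
```

The point a practitioner should take from this is that selective line removal, which the post calls “the second method”, is only invisible while the host is the sole copy of its own log; once hashes (or the lines themselves) leave the host before an attacker gains control, both methods are equally detectable. The scheme does not help for lines that were never written in the first place, so it complements, rather than replaces, forwarding logs in real time.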

#2

YES! This is such a great post. I’m so glad you took the time to write this, I bookmarked and saved it. I’m gonna use this guide and run some trials! I will get back to ya!


(VVid0w) #3

Awesome!!! I’ll be looking forward to hearing from you!


(SPARTaN) #4

Nice guide! Overall, a good introduction to the thought processes and phases of a penetration test or red team engagement. However, I hope you don’t mind me coming up with some notes, and explaining some of the things I see a bit differently.


#5

For the covering your tracks section, might want to add a blurb about learning DFIR techniques so that you can do anti-forensics on your hacks. Sure, deleting a few logs goes a long way when you’re up against the average sysadmin, but if it’s a larger organization that can pay for DFIR ppl to come in, learning how to cover things more thoroughly is invaluable.

Also maybe add a section about remembering your opsec and keeping attribution (Which is a whole 'nother post entirely) in mind.


(VVid0w) #6

Ayy, of course I don’t mind at all! Feel free to share :smile:

@Sirius Yea, I honestly thought about adding that in there, but I kinda felt as though it was out of the scope of the article and like you said, should go in a post all their own.


(SPARTaN) #7

As promised, some of my notes on your article, @VVid0w:

Recon

I would say that wfuzz isn’t exactly “recon”, it would fall under the “scanning” phase more. It’s fairly loud, and does involve touching the target systems. I consider recon to be the phase of the engagement where you should focus entirely on OSINT collection. What does that mean?

OSINT: OSINT refers to information that you can gather through publicly available sources. This is information you can get without alerting the target that you are performing reconnaissance, which is why it’s such a valuable part of the recon phase of an engagement.

One of the best sources of OSINT as far as network attacks is Shodan. Basically a database of network scans across the entire internet, it gives you information on open ports, web applications, and other services. By searching for the target organization, or searching for IP ranges in scope, you can gather all of this information without actually touching those IPs. This should be one of the first steps for an engagement.

I do agree with the importance of gathering information on employees, and learning more about how the organization operates, and the roles of various people within the organization. Find employees on Twitter, see if they’re posting information, or pictures. If the organization posts pictures of employees in the workplace, can you see what their badges look like? Make your own badge!

Another tool that’s invaluable during this phase of the engagement is Maltego. It’s a tool for graphing and link analysis, which is useful for “connecting the dots” between various pieces of information gathered during the reconnaissance phase. There are other tools that can be used for this, but Maltego is the most popular.

However, some notes on what you can’t do, even if it is a red team engagement:

  • You will probably not be able to approach employees off-hours. This is almost always out of scope.
  • It follows from this that you will never be allowed to sleep with an employee as a part of a red team exercise. That would be highly illegal.
  • You also cannot attack devices that are owned by the employees themselves, or break into an employee’s house. The organization cannot legally give you permission to do this.

Exploitation

It may seem odd, but most of what we do during our engagements doesn’t involve “exploits” in the classical sense. Most organizations keep their systems patched, so you’re unlikely to come across the type of vulnerabilities that you would have found a few years ago. The days of MS08-067 and MS09-050 are dwindling, and attackers have had to adapt.

So what do we use? We tend to exploit misconfigurations, or to use native functionality to attack systems. In many cases, default Windows behavior will make it easy to attack an environment. Tools like Responder demonstrate this very well; it’s quite easy to use default behaviors to gain access to systems, and you don’t need Metasploit to do it. In fact, we rarely use Metasploit for our engagements.

Privesc

Depending on the environment, Exploit-DB and other such sites are not going to help much. As with the exploitation phase, you’ll have more luck with misconfigurations, or default behavior that is exploitable. Tools like BloodHound can analyze trust relationships in Windows domains, and show privilege escalation paths.


Those are the primary notes that I have on your article. However, there’s one thing that I’d like to address about this model of the “killchain”, as the attack process is called. This model of the killchain has been the standard taught for quite a while, but it’s not the whole story for modern attacks. I highly recommend checking out these slides: https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf


#8

Good ideas. Keep it up, every1 who would like to know how to hack needs to read it. Thanks

#9

Solid article @VVid0w!
It sheds some light into the mysterious underground we are operating from haha :stuck_out_tongue:


#10

I came across a YouTube video recently which I didn’t watch yet as it’s nearly 16 hours long. It’s called “the complete ethical hacking course - beginner to advanced”.
They added a time stamp to bring you to the various topics you want such as reaver, sslstrip, sql injection, metasploit


#11

Was the video useful for you??


(Jalal Ssela) #12

Interesting article indeed, and thanks for your kind efforts to put it all in one place and attempt to answer the question “how do I hack” of which I can’t resist but to answer “42” – “hitchhiker guide to the galaxy”, ironically even Google used to give this answer.

Well, I would like to point out one important thing here, how to hack? you don’t! as simple as that :slight_smile:

Edit:
You may want to add: “Reason” and “Project scope”, also at the end “Documentation/Reporting”. Remember that there must be a reason why to hack something, and no reason at all why you should hack “someone”. Confusing? Allow me to explain my point of view.

We (the community) hack stuff for a reason. You may have noticed already, we do security research, which some people refer to as white hat, or Pentesting; I call it what it is… hacking!

So, we attempt to enhance security of things and protect others (mainly end-users) by providing a report (hence why you should document your actions), also let’s not forget about responsible disclosure (a topic which I would like to see discussed here on this forum).

Conclusion, there must be a reason (idea genesis), and a document/proof so that people can refer to and fix that security hole/vulnerability you discovered, otherwise, it is all useless, and it is important to point out here that we (the hacking community) are not just a “bunch of kids” who are presenting a threat to the society, “hacker” is a title… a true honor, given to respectful men and women for their powerful message and efforts to help people, think of Linus Travers and Richard Stallman.

This is what I stand for, and what I teach to young and newcomers; what’s in between is just a technicality and lots of “RTFM”.

Do you agree with me on this?

Peace


(The memelord of 0x00sec) #13

this article is going straight in my bookmarks

@VVid0w you’re pushing out a lot of useful content, keep up the good work!


(VVid0w) #14

While I do agree with you on many things in your comment, I’d also like to point out that this was never meant to be an all encompassing article with sources, real world examples, etc. People need to do their own research on things and hopefully this will put them a step ahead of the game in getting them ready to learn and face challenges that we face nearly every day.

People will always have their own reasons for hacking - be it good or bad - and that’s something they have to figure out for themselves as it’s not something that can be learned or even taught which is one of the reasons as to why I didn’t put any of that in the post.

Again, I do agree with you on many things and by no way do I mean to be an ass or just “write off” what you’re saying. It’s just that the post isn’t exactly a point to point guide. It’s more of a prompt for self-learning and understanding. Great reference by the way, that’s one of my favorite movies!


(Jalal Ssela) #15

As I said earlier, I think you did a great job compiling all this information in one place as a good reference to all of us, it is comprehensive for sure.

My comment was nothing but a confirmation to what you said, lots of people are asking this question, and I think you nailed it in your post :slight_smile: