Phase 1 Reconnaissance
Reconnaissance is the process of gathering information about a potential target without the individual's or company's knowledge. For example, an attacker researches a company, its clients, operations, and employees through websites, social media, networks, and systems. This process can be extremely lengthy and requires gathering a significant amount of information. On the other hand, using this phase in combination with the others can be rewarding and provide significant benefits. Even so, the reconnaissance process is the most overlooked, underutilised, and misunderstood step in penetration testing (Engebretson, 2011).
Phase 2 Scanning
The next phase, scanning, uses the information gained during reconnaissance to examine the network for vulnerabilities. There is an extensive range of tools a hacker can adopt to identify weaknesses and vulnerabilities in a network, for example port scanners, ping packets, network mappers, Internet Control Message Protocol (ICMP) scanners, Simple Network Management Protocol (SNMP) sweepers, and vulnerability scanners. Hackers use the vital information this yields, such as IP addresses, operating system (OS) details, computer names, and user accounts, to their advantage when perpetrating attacks (Engebretson, 2011).
Phase 3 Gaining Access
Gaining access is where the vulnerabilities discovered in the reconnaissance and scanning phases are combined to exploit the target and gain access to the network or system. An exploit is used to take control of the target's system so that the hacker's commands are executed and the hacker's intentions and actions are carried out. The attack can be delivered to a target's system via a local area network (LAN), or through a wired or wireless connection. Some attack methods used to gain access include abusing a username/password, hacking a weakly secured network, or sending malware to an employee via USB stick, email, or social media (Tiller, 2004).
Phase 4 Maintaining Access
Once access is gained, the attacker must maintain and ensure continued access to the exploited remote system to allow for future exploitation and attacks. Although the attacker has at this stage successfully circumvented the security controls, they are now most vulnerable to being detected. As a result, the hacker must protect the system from other hackers and from security administrators by securing their access with rootkits, backdoors, and trojans. Now that the hacker has possession of the system, it can be used to launch further attacks as required. Such compromised ("owned") systems are referred to as zombie systems (EC-Council, 2016).
Phase 5 Covering Tracks
The final phase, known as 'covering tracks', is where the hacker must ensure their identity is not detected by security personnel and that continued access to the system is preserved to support future attacks. To avoid legal action, the hacker must remove any evidence of the hacking. This involves clearing intrusion detection system (IDS) alarms and log files. Examples of activities during the covering tracks phase of an attack are altering log files, steganography, and using a tunnelling protocol (Graves, 2007).