Phases of Ethical Hacking (Revisited)

As we've discussed, ethical hacking follows a structured approach:

1. Reconnaissance (Footprinting): Initial information gathering.
2. Scanning: Identifying active hosts, open ports, and vulnerabilities.
3. Gaining Access (System Hacking): Exploiting vulnerabilities to enter the system. This is our focus!
4. Maintaining Access: Ensuring persistent access.
5. Clearing Tracks: Removing evidence of the hack.
6. Reporting: Documenting findings and recommendations.

Gaining Access: Initial Entry Points

Attackers aim to gain initial access through various vectors:

1. Password Attacks

Attempting to discover valid credentials.

• Brute-Force: Trying every possible combination of characters.
• Dictionary Attack: Using lists of common words and phrases.
• Rainbow Table Attack: Pre-computed hashes for faster cracking.
• Hybrid Attack: Combination of dictionary and brute-force.

2. Exploiting Vulnerabilities

Leveraging flaws in operating systems, applications, or services.

• Software Exploits: Using known bugs in installed software.
• Misconfigurations: Exploiting default or weak configurations.
• Zero-Day Exploits: Exploiting unknown vulnerabilities (highly prized).

3. Social Engineering

Manipulating individuals to reveal sensitive information or perform actions that grant access.

• Phishing: Deceptive emails/messages.
• Pretexting: Creating a fabricated scenario.
• Baiting: Luring victims with tempting offers.

Password Cracking Tools & Techniques

Ethical hackers use specialized tools to test password strength and identify weak credentials:

1. John the Ripper (JtR)

A fast password cracker, often used to crack Unix/Linux passwords, but supports many hash types.

# Crack passwords from a file (e.g., /etc/shadow or a dumped hash)
john --wordlist=rockyou.txt hashes.txt

# Show cracked passwords
john --show hashes.txt
            

2. Hydra

A versatile network login cracker that supports numerous protocols (SSH, FTP, HTTP, SMB, etc.).

# Brute-force SSH login
hydra -l username -P passwords.txt ssh://target_ip

# Dictionary attack HTTP Basic Auth
hydra -L users.txt -P passwords.txt target.com http-get /admin/
            

3. Hashcat

The world's fastest password cracker, supporting a vast array of hashing algorithms and attack modes, often leveraging GPU acceleration.

# Dictionary attack MD5 hash
hashcat -m 0 hashes.txt wordlist.txt

# Brute-force WPA/WPA2 handshake
hashcat -m 2500 wpa_handshake.hccapx ?a?a?a?a?a?a?a?a
            

Privilege Escalation

Once initial access is gained (often as a low-privileged user), the next step is to elevate privileges, typically to administrator (Windows) or root (Linux).

1. Kernel Exploits

Exploiting vulnerabilities in the operating system kernel itself to gain higher privileges.

# Example (conceptual) of finding a kernel exploit
# searchsploit linux kernel 4.x.x local privilege escalation
            

2. Misconfigurations

Leveraging insecure configurations, such as:

• Weak File Permissions: Executables or scripts writable by low-privileged users.
• Unquoted Service Paths: Allows injection of malicious executables.
• Sudo/Suid Misconfigurations: Commands that can be run with elevated privileges without proper checks.

# Example: Finding SUID binaries (Linux)
find / -perm -4000 -type f 2>/dev/null
            

3. DLL Hijacking (Windows)

Placing a malicious DLL in a location where a legitimate application will load it instead of the intended DLL, leading to code execution with higher privileges.

4. Stored Credentials

Finding passwords or API keys stored insecurely on the system.

Executing Applications & Maintaining Access

After gaining privileges, attackers execute malicious applications and establish persistence.

1. Backdoors & Trojans

Installing hidden programs that allow future unauthorized access.

• Backdoor: A hidden method of bypassing security.
• Trojan: Malicious software disguised as legitimate software.

2. Remote Access Trojans (RATs)

Tools that provide remote control over a compromised system, often with features for file management, keylogging, and webcam access.

3. Rootkits

A collection of tools designed to conceal the existence of malware and enable persistent privileged access to a computer.

• User-mode Rootkits: Modify user-level applications.
• Kernel-mode Rootkits: Modify the operating system kernel (harder to detect).

4. Scheduled Tasks / Cron Jobs

Creating scheduled tasks (Windows) or cron jobs (Linux) to execute malicious code periodically or at system startup, ensuring persistence.

# Example: Adding a malicious cron job (Linux)
echo "* * * * * /tmp/malicious_script.sh" | crontab -

# Example: Creating a scheduled task (Windows - conceptual)
# schtasks /create /tn "Updater" /tr "C:\ProgramData\malware.exe" /sc ONSTART /ru SYSTEM
            

Hiding Files & Covering Tracks

To avoid detection, attackers hide their tools and remove evidence of their presence.

1. Hiding Files

• Steganography: Hiding data within other files (e.g., images, audio).
• Alternate Data Streams (ADS) - Windows: Hiding data within existing files on NTFS file systems without affecting the primary file size.
• Hidden Attributes: Setting file attributes to hidden.

# Example: Creating an ADS (Windows CMD)
echo "Hidden data" > secret.txt:hidden_stream
            

2. Covering Tracks (Anti-Forensics)

• Clearing Logs: Deleting or modifying system logs (e.g., Windows Event Logs, Linux syslog) to remove traces of activity.

# Example: Clearing Windows Event Logs (PowerShell)
Clear-EventLog -LogName "System", "Application", "Security"

# Example: Deleting bash history (Linux)
history -c && rm ~/.bash_history
                

• Time Stomping: Modifying file timestamps to match legitimate files.
• Rootkits: As mentioned, used to hide processes, files, and network connections.
• Anti-Forensic Tools: Specialized tools to shred data, encrypt evidence, or manipulate system artifacts.

Countermeasures Against System Hacking

Defending against system hacking requires a robust and layered security approach:

1. Strong Password Policies & Multi-Factor Authentication (MFA)

Enforce complex passwords, regular changes, and mandatory MFA to significantly reduce the risk of password attacks.

2. Patch Management & Vulnerability Management

Regularly update and patch all operating systems, applications, and firmware to fix known vulnerabilities. Use vulnerability scanners to identify and prioritize weaknesses.

3. Principle of Least Privilege

Grant users and applications only the minimum necessary permissions to perform their tasks. This limits the impact of a compromised account.

4. Endpoint Detection and Response (EDR) / Antivirus

Deploy EDR solutions and up-to-date antivirus software to detect and prevent malware, Trojans, and rootkits.

5. System Hardening

Disable unnecessary services, remove default accounts, configure firewalls, and secure configurations according to best practices (e.g., CIS benchmarks).

6. Log Monitoring & Centralized Logging

Implement comprehensive logging and centralize logs to a Secure Information and Event Management (SIEM) system. Monitor logs for suspicious activity and unauthorized changes.

7. Regular Backups & Disaster Recovery

Maintain regular, offsite backups of critical data and have a tested disaster recovery plan to restore systems quickly after an attack.

8. User Awareness Training

Educate employees about social engineering tactics, phishing, and safe computing practices.

Conclusion

System hacking is a complex and multifaceted phase of cyberattacks. Understanding the techniques involved is crucial for both offensive (ethical hacking) and defensive (security professional) roles.

Key takeaways:

• Access is the Goal: Attackers use various methods to gain initial entry.
• Privilege is Power: Escalating privileges is often necessary for full control.
• Persistence is Key: Attackers aim to maintain access and hide their presence.
• Layered Defense: Strong passwords, patching, hardening, and monitoring are essential for defense.

Protect your systems, understand the threat!