First and foremost, I’d like to note that this is not an all encompassing article. You WILL have to use your creativity and think out of the box when hacking.

What will this article entail?
It will not have any code whatsoever, and is not meant to teach you how to hack anything specific, but instead will provide the steps you should take and things you should consider or reflect upon when hacking.

Why exactly are you writing this?
Quite frankly, I’m tired of people asking “How to hack x” or “How do I hack” without any context or prior information. More often than not, they haven’t even done any research on the topic. I’m aiming to if not end, then at least put a dent in the amount of times those questions are asked. Now don’t get me wrong, I’m always super stoked to help people learn, but when someone just outright asks those two questions without even attempting to research the topic themselves then it begins to become quite infuriating.

Now then without further ado, let’s get right into it!


First things first…You’ve probably heard the phrase “Practice makes perfect”, correct? While not wrong, people commonly mistake this to mean “Put in the hours and you’ll get there eventually”. That is what’s wrong. Practice is so much more than just putting in time and mindlessly going away with doing whatever. In order to practice correctly, you must put in hours, reflect on what you’re doing, try new things with what you’ve learned, come up with your own solutions, and activley make an attempt at getting better.

Now, we will discuss what I feel to be the steps for a successful hack:

1.) Reconnaissance - It all starts with this-->

Fuzz the url either by hand or with a program like http://www.edge-security.com/wfuzz.php

Do they have an ftp server?

Admin page?

ANY pages of interest?

Look at the robots.txt file. Try those URLs. Anything interesting?

Are there text fields that you can type into?

Unsecure pages that should be private /protected?

Learn everything you can about the company

Read their website

What does the company do?

Look for info on people that work for them.

Do those people have LinkedIn?

Facebook?

Instagram?

Twitter?

* What is their email?

* Google their name.

* Do they have pictures of their workspace?

* Pics of a server room?

* Pics of their personal computer?

* How “high up” in the company is this person?
Look for partners, affiliates, and suppliers they do business with.

* What are these companies about? i.e what are their products, what do they do?

* Where are these companies in relation to your target? (Google maps)

* Do these companies have any info on their site that pertains to your target that you can use?

* Don’t completely recon these unless absolutely necessary. Just look for info on your target.

If you’re red teaming-->

What time do they close?

What do the people going inside look like?

How do they handle people at their front desk /lobby?

Who do they source their computer repair to? Is it internal, or an external company?

Can you go in posing as a computer repair person from said external company?

Look for any company they outsource to. See if you can pose as a worker from that company.

Look for job openings.

Could you get hired on part-time or full-time? This may be the easiest way in.

What are they looking for in an employee of any kind?

This could allure to what tech they use, and what tech they don’t.

It could also help you know what the company may be lacking in.

Is one of their employees especially talkative or verbal?

Can you social engineer him /her at the bar? A party? e-mail even? (maybe you could pose as a news reporter or something of that nature.)

If you manage to SE him /her at a bar, do they invite you back to their place?

Could you implant malware into their phone, PC, or any other electronic device they own?

When does this person sleep?

Can you get into their house without breaking anything?

Again, could you install malware on a device?

Could you fly a drone and do some recon of the property that way? If not, how about a telescope or binoculars?

What times do shifts change?

License plate numbers of employees?

If you can see through the windows, what kind of things do the employees do?

REMEMBER TO DOCUMENT THE THINGS YOU FIND!!! Without documentation, all of the work you just did is useless. What if you forget something or maybe your employer requires a report of some sort?

 2.) Scanning - You need to enumerate & define your target.

Convert the URLs of the company(ies) you found into IP addresses.

Use a tool to find the approximate location of the address. (although you should know this from the recon you did)

Grab the sites HTTP(S) header. It can give you a whole plethora of information. (Be careful though…The header CAN be spoofed.)

Use a tool like Nmap (https://nmap.org/) to map your primary targets network.

Try to use a scan that hardly touches the network. You don’t want to be caught by an IPS (Intrusion Prevention System) or an IDS (Intrusion Decection System) before you even infiltrate their network, do you???

How many systems are there?

What are the names of the systems?

What operating systems are in use?

What ports are open?

What services are running?

Document IP addresses of systems

Put system names with the corresponding system IP addresses.

Do the same for ports, services, and OSs.

Look up vulnerabilities for each OS, port, and service.

What can you do with the vuln?

Can you make the system run code?

Can you retrieve information with it?

Can you gain access with the vuln?

Can you add a payload to the vuln and setup a listener or rootkit on the target system such as Meterpreter or STELF?

Add each vulnerability you find to your documentation of each system.

Can you create your own exploit for the OS, port, or Service?

AGAIN, I cannot stress this enough, but you NEED to document things. If you don’t like to document then I’ve got some news for you…You’re gonna’ have a bad time. There are programs that can help you like Paterva’s Maltego or Casefile.

 3.) Breaking in - The art of exploitation

What machine do you plan to attack?

Using what vulnerability?

If the vulnerability fails, what can you do to get in anyway?

Perhaps you could set up a DNS server close to the property and serve it false information, therefore Man in the middling it?

Possibily MiTm their WiFi network and gain access that way?

Sniff their network traffic and find the info you needed like that?

Could you exfiltrate the data you needed by using memory leaks?

Use a LAN Turtle? How about a Bash Bunny?

I heard there is a “new” method to capture data from watching HDD lights and listening to the sound of the PC. Perhaps you could try this? (Note, I’d leave this as a last resort because I have no idea how to do it and I also don’t know how effective it truly is.)

If you’re just wanting to view what they’re viewing /speaking, could you set up a retroreflector or a wiretap?

You must be getting tired of reading this, but D O C U M E N T. What vulnerabilities /methods worked and what didn’t work? Document them both in case you need to pass the project along or put a halt on it for some time.

4.) Getting root - Privilege escalation

You will have to be quite creative with this one.

You will have to use external resources for this. Namely: Google, Exploit-DB (https://www.exploit-db.com/), and the CVE site (https://cve.mitre.org/).

Look for more vulnerabilities that do privilege escalation.

Again, can you make your own exploit for this?

You know what I’m going to say, so do it!! DOCUMENT YOUR STUFF

5.) Achieving your goal

Think back to what your original motive was for hacking your target.

Did you achieve what you set out to do?

If not, reflect upon it and write down what you can do to improve upon it next time.

(Remember; It’s not a mans success that makes him who he is, but rather his ability to learn from and improve upon his failures no matter how numerous they may be.)

6.) Maintain access (Rootkit, Persistent listener)

You may wish to maintain access to your target in case you need to exfil. data again, or maybe you are constantly pulling data from your target.

Perhaps you’re setting up a botnet and need to connect it to your C&C (Command and Control) server.

Whatever your reasons, you will want to set up a persistent back door. I will not be covering that in this article, but here is a resource that may help you through it: The Art of Creating Backdoors and Exploits with Metasploit (http://www.drchaos.com/the-art-of-creating-backdoors-and-exploits-with-metasploit/)

7.) Cover your tracks

Here comes the part that you ABSOLUTELY 100% MUST do if you don’t wish to be caught.

Do take note, because if you pull anything away from this, at least let it be this section.

Find and delete logs.

You can either delete /clear the entirety of the log files, or go through and pick out which lines in the logfile were caused by you.

The first method will more than likely alert a sysadmin or computer security consultant to your presence. It will be investigated if you just outright delete the file. However if you simply clear it, you will have a far greater chance of making a clean getaway.

The second method takes much more time, but I believe the time is worth it. You are essentially removing any records of you being there at all. It’s as if you were a ghost.

Be smart with this and use your brain. Using the documentation you gathered during the recon stage should help you to know which method you can safely use. If it’s a lazy sysadmin /security consultant that’s managing the place then you’re in luck.

REMEMBER, don’t get cocky or comfortable with this. Just because you’ve completed multiple hacks without being caught DOES NOT MEAN that you will never be caught. You must be just as meticilous with covering your tracks as the first time you hacked…maybe even moreso.

In conclusion…

Document, document, document!

I absolutely cannot stress enough how critical it is for you do document things in some way. If you ever need to go back to it at any point in time then it will be far easier than just hacking your target again. You may also need to file a report for your employer. Documentation makes both of these a hell of a lot easier.

Don’t get comfortable.

Once you get comfortable you start missing or skipping over things. You will be caught, simple as that.

And remember…

This is not meant to be a complete step by step guide. It’s simply the steps I take when preforming a hack. You need to use your imagination and think up your own solutions to problems. Think outside of the box!





Credit: VVid0w