Hacking an information system which can be a computer network, server or a web site collection can be, and it is, very complex procedure and different procedure for every information system. But in it’s essence follows the basic seven steps of hacking into some kind of information system. From basic scouting to full takeover these seven steps are executed consciously or unconsciously by the attacker.
_ ___| |_ ___ ___ ___ ___ ___ |_ -| _| -_| . | | . | | -_| |___|_| |___| _| |___|_|_|___| |_|
The first step to hacking an information system is to gather as much information as one can. From domain name, IP address to open ports, operation system running that system, applications running that system to versions of software used to run that system. For example, some websites contain lists of users. As most of the companies use standardized usernames, for example John Doe’s username most likely will be “john.doe” or “jdoe” and half of work is done! Attacker doesn’t have to guess username but can focus it’s time and resources for guessing passwords. Some might go that far to collect phone numbers and email of people working in targeted system and contact them directly via phone or email representing themselves as support staff, sales agent and so on to acquire usernames and passwords.
_ _ ___| |_ ___ ___ | |_ _ _ _ ___ |_ -| _| -_| . | | _| | | | . | |___|_| |___| _| |_| |_____|___| |_|
Information gathered in the first step, reconnaissance, is used in this step to detect weaknesses of the targeted system in order to deploy hacking tools. It is most likely that attacker will use in this step automated or semi-automated tools to conduct security surveys and to generate reports of security-related vulnerabilities. For example, attacker can detect that some website is running on web, FTP or email server which is unpatched with ports 80, 21, 25 or 110 open. Detecting (fingerprinting) those ports most likely will reveal which version of server is running and prepare specific exploit for that versions of server.
Tools used for this step are numerous and the list is never finalized. From desktop applications like NMAP to web services like Whois to piece of paper on which one can draw logical structure of targeted website (sitemap) and information what can be found and used later on specific pages of that website.
_ _ _ ___| |_ ___ ___ | |_| |_ ___ ___ ___ |_ -| _| -_| . | | _| | _| -_| -_| |___|_| |___| _| |_| |_|_|_| |___|___| |_|
Exploiting security weaknesses detected while probing and gaining entry to the system is called toehold. Once the attacker has found which versions of applications or services are running on targeted system and which vulnerabilities are still active for that specific version of services, the attacker will exploit one or more of those vulnerabilities to gain access to the system. Most of the vulnerabilities found in web services applications, like FTP server, can be exploited to create an terminal connection to the server. Once the connection has been made, the attacker can search for more information. If the current user identification is for a privileged user, the intruder will jump to the stealth step, otherwise he will get into the advancement phase.
_ ___ ___| |_ ___ ___ | _|___ _ _ ___ |_ -| _| -_| . | | _| . | | | _| |___|_| |___| _| |_| |___|___|_| |_|
Advancement is a step when the attacker is trying to advance from an unprivileged (non-administrator) user to highest level user like root, sa, administrator and so on. This step is possible using tools to detect and exploit weak system configuration, vulnerabilities in operating system, weak passwords and so on. Once the vulnerability has been found the attacker can advance to high-privileged user level and can fully control attacked system.
_ ___ _ ___| |_ ___ ___ | _|_|_ _ ___ |_ -| _| -_| . | | _| | | | -_| |___|_| |___| _| |_| |_|\_/|___| |_|
Hacking into information system leaves traces and for the attacker it is absolutely necessary to hide that traces. All the previous steps leave some kind of traces in various log files like system logs (events in Windows operating system) or database logs in Microsoft SQL Server, IIS logs and so on. Deleting those logs is one way to go but missing logs can immediately draw attention. Time holes in logs also can draw attention because fro the past logs an pattern can be made of how is system functioning. More experienced attacker will modify those logs to cover his tracks but not in a way just to delete his steps but to modify them so they look like an legitimate usage of the attacked system.
_ _ ___| |_ ___ ___ ___|_|_ _ |_ -| _| -_| . | |_ -| |_'_| |___|_| |___| _| |___|_|_,_| |_|
Once the attacker has gained fully privileged access to the system and has hidden his tracks, he will deploy some kind of backdoor software that will create a listening post. In this step the attacker will deploy backdoor tool, stealth tool or a sniffer that will enable him to gather important information (sniffer), to fully control the system (backdoor remote administration utilities) and to hide his activities (stealth tools). Gathered information is then used in the next step.
_ ___| |_ ___ ___ ___ ___ _ _ ___ ___ |_ -| _| -_| . | |_ -| -_| | | -_| | |___|_| |___| _| |___|___|\_/|___|_|_| |_|
Spreading the control from one host to multiple hosts in the attacked information system is called takeover. From the listening post step, the attacker might have collected some important information either by sniffing the network data or by examining specific configuration files like SAM files on Windows hosts and so on. With this kind of information the attacker can retake the previous steps to gain access to other host and to expand his control to the entire information system.