Phases of Hacking

Hacking is divided into five stages. A hacker does not have to follow these five steps in any particular order, but it is a step-by-step procedure that, when followed, produces a better outcome. Understanding this process helps a defender break down a hacker's activity in order to trace it.

Reconnaissance

Reconnaissance is also known as the preparatory phase. It is the most crucial phase, as the attacker gathers as much information as possible about the target before launching the attack. In this phase, the attacker draws on competitive intelligence to learn more about the target. This phase allows attackers to plan the attack, and it can also serve as a future point of return. The reconnaissance target range may include the target organization's clients, employees, operations, network, and systems. Examples of reconnaissance include social engineering and dumpster diving.

Reconnaissance carries the most weight among the phases of hacking, roughly 50% or more of the total effort, making it the most crucial and vital phase. Reconnaissance is of two types: passive and active. When an attacker does not interact with the target directly and relies on publicly available information, news releases, or another no-contact method, it is called passive reconnaissance. On the other hand, when an attacker interacts directly with the target, using tools to detect open ports, router locations, and details of the OS and applications, it is called active reconnaissance.

It is important to be able to distinguish among the various reconnaissance methods and advocate preventive measures in light of potential threats.

Tools commonly used in this phase include:

  • Google Hacking Database, 
  • HTTrack,
  • eMailTrackerPro, 
  • Wireshark, 
  • MXToolBox, 
  • Social Media, 
  • nslookup, etc. 

Scanning

In this phase, the hacker uses the details gathered during reconnaissance to scan the network for specific information. Some experts do not differentiate scanning from active reconnaissance, and the two often overlap. The most commonly used tools are vulnerability scanners, which can search for thousands of known vulnerabilities. This is the attacker's advantage: they only need to find a single means of entry, while security professionals have to close as many vulnerabilities as possible.

There are 3 methods: pre-attack, port scanning/sniffing, and information extraction. 

  • In the pre-attack method, the hacker scans the network for specific information based on what was gathered in the reconnaissance phase.
  • In the port scanning/sniffing method, the hacker scans for the ports open on the machine using different network scanning tools.
  • In the information extraction method, the hacker tries to get more information about the OS, the services running on the system, and the system uptime.
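As an added example (not from the original post), here is the defender's side of the port scanning/sniffing method: a small detector that reads constructed firewall deny lines and flags a source that touches many distinct ports on one host within a short window. The log line format is an assumption.

```python
"""Port-scan detector over constructed firewall log lines (added example, not
from the original post). Flags a source that probes more than PORT_THRESHOLD
distinct ports on one host within WINDOW_SECONDS. The line format
'<epoch> DENY <src> -> <dst>:<port>' is an assumption."""
import re
from collections import defaultdict

PORT_THRESHOLD = 5    # distinct ports from one source before we alert
WINDOW_SECONDS = 10   # sliding window length in seconds
LINE_RE = re.compile(r"^(\d+) DENY (\S+) -> (\S+):(\d+)$")

# Constructed sample: 10.0.0.9 sweeps ports on 10.0.0.5; 10.0.0.7 is normal traffic.
SAMPLE_LOG = """\
1700000000 DENY 10.0.0.9 -> 10.0.0.5:21
1700000001 DENY 10.0.0.9 -> 10.0.0.5:22
1700000001 DENY 10.0.0.7 -> 10.0.0.5:443
1700000002 DENY 10.0.0.9 -> 10.0.0.5:23
1700000003 DENY 10.0.0.9 -> 10.0.0.5:25
1700000004 DENY 10.0.0.9 -> 10.0.0.5:80
1700000005 DENY 10.0.0.9 -> 10.0.0.5:110
1700000030 DENY 10.0.0.7 -> 10.0.0.5:443
1700000031 DENY 10.0.0.7 -> 10.0.0.5:8443
"""

def parse_line(line):
    """Return (ts, src, dst, port), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return int(ts), src, dst, int(port)

def detect_port_scans(log_text, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): max distinct ports seen in one window} for offenders."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, port = parsed
            events[(src, dst)].append((ts, port))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # keep span <= window seconds
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) > threshold:
                alerts[pair] = max(len(ports), alerts.get(pair, 0))
    return alerts
```

Tune the threshold and window to the host's normal traffic; a single source hitting six closed ports in five seconds, as in the sample, is the signature this catches.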

Tools commonly used in this phase include:

  • Nmap,
  • Scapy,
  • hping3,
  • ping,
  • telnet,
  • netcat (nc),
  • Nessus,
  • nbtstat,
  • wpscan, etc.

Gaining Access

In this phase, the real hacking begins. The hacker uses the information gathered about the target during the reconnaissance and scanning phases to build an exploit or payload to gain access to the target system, applications, and networks, and then escalates privileges to control the systems connected to it.

Examples include password cracking, stack-based buffer overflows, DoS, and session hijacking. An attacker can also send the target a data packet crafted to trigger a bug, using spoofing to exploit the vulnerability. Once an attacker gains access to the target system, they then try to escalate privileges to take full control.

Tools commonly used in this phase include:

  • Metasploit,
  • Cain and Abel,
  • pwdump7,
  • RainbowCrack,
  • Ophcrack,
  • Yersinia,
  • setoolkit,
  • arpspoof,
  • Hydra,
  • Burp Suite, etc.
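The password-cracking tools listed above (RainbowCrack, Ophcrack) rely on precomputed hash tables. This added example, not from the original post, shows why unsalted hashes fall to such a table and why a salted, iterated hash (PBKDF2) does not; the wordlist and user records are constructed.

```python
"""Why unsalted password hashes fall to precomputed lookup tables and why salted,
stretched hashes do not (added example, not from the original post).
The wordlist and user records are constructed."""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "qwerty", "summer2023", "dragon"]
ITERATIONS = 100_000

def build_lookup_table(words):
    """Precompute sha1(word) -> word: the idea behind rainbow/lookup tables."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in words}

def unsalted_hash(password):
    """Weak scheme: one fast, unsalted digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Stronger scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as 'salt$dk'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${dk.hex()}"

def verify_salted(password, stored, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(salted_hash(password, bytes.fromhex(salt_hex), iterations), stored)

def reverse_with_table(stored, table):
    """Map user -> password for every stored digest present in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}

def demo():
    table = build_lookup_table(WORDLIST)
    # Two users chose the same weak password.
    unsalted = {"alice": unsalted_hash("letmein"), "bob": unsalted_hash("letmein")}
    salted = {"alice": salted_hash("letmein"), "bob": salted_hash("letmein")}
    # Unsalted: identical digests, both reversed by one table lookup.
    cracked = reverse_with_table(unsalted, table)
    # Salted: digests differ per user and none is in the table, so an attacker
    # is forced into per-user guessing at PBKDF2 cost instead of a lookup.
    salted_digests = {u: s.split("$")[1] for u, s in salted.items()}
    not_cracked = reverse_with_table(salted_digests, table)
    return cracked, not_cracked, salted["alice"] != salted["bob"]
```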

Maintaining Access

Maintaining access refers to the stage in which the hacker tries to retain ownership of the system. Here the hacker tries to keep their access even after the target machine is rebooted, using rootkits (which provide access at the operating-system level) and Trojans (which provide access at the application level), and uses them to launch additional attacks on the network. Once an attacker gains access to the target system, they can either use the system as a launchpad to scan and exploit other systems, or keep a low profile and continue their exploitation.

The hacker maintains control over the system for a long time by closing up the vulnerabilities to prevent other hackers from taking control, and sometimes even renders some degree of protection to the system from other attacks. Hackers use the compromised system to launch further attacks.

Covering Tracks

After the work is done, hackers cover their tracks to evade security personnel and jail time, keeping access to the victim's system and remaining unnoticed and uncaught by deleting evidence. They do this by clearing the cache and tampering with the system's log files, which could otherwise be used to trace them.

Hackers might also use techniques like tunnelling. Tunnelling takes advantage of the transmission protocol by carrying one protocol inside another. Attackers can use even the small amount of unused space in a packet's TCP and IP headers to hide information.

System administrators can deploy host-based IDS and antivirus software to detect trojans. They must be aware of the tools and techniques that attackers deploy so that they can advocate and implement the countermeasures detailed in subsequent modules.
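Because log tampering is the core of covering tracks, one countermeasure that complements the host-based defences above is a tamper-evident log. This added example, not from the original post, chains each record to the previous one with an HMAC under a key held off the host, so a deleted, edited or reordered record is detected; the key and the records are constructed.

```python
"""Tamper-evident log chain (added example, not from the original post).
Each record gets an HMAC over (previous tag || record) under a key kept off
the host, so deleting, editing or reordering records breaks verification.
The key and the log records below are constructed."""
import hashlib
import hmac

KEY = b"example-key-held-on-the-log-collector"   # assumption: never stored on the host
GENESIS = "genesis"

def chain_tag(prev_tag, record, key=KEY):
    """Tag for one record, bound to the tag of the record before it."""
    return hmac.new(key, (prev_tag + "|" + record).encode(), hashlib.sha256).hexdigest()

def write_chain(records, key=KEY):
    """Return [(record, tag), ...] with tags chained from GENESIS."""
    out, prev = [], GENESIS
    for r in records:
        tag = chain_tag(prev, r, key)
        out.append((r, tag))
        prev = tag
    return out

def verify_chain(chained, key=KEY):
    """Return (True, -1) if intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, (r, tag) in enumerate(chained):
        if not hmac.compare_digest(chain_tag(prev, r, key), tag):
            return False, i
        prev = tag
    return True, -1

# Constructed records (the source address and account name are fictitious)
RECORDS = [
    "10:00:01 sshd: Accepted password for admin from 203.0.113.5",
    "10:00:07 sudo: admin : COMMAND=/usr/sbin/useradd backup2",
    "10:00:09 sshd: session closed for user admin",
]

def demo():
    chain = write_chain(RECORDS)
    intact = verify_chain(chain)
    # The useradd record is removed to hide the new account: the chain breaks at index 1.
    deleted = chain[:1] + chain[2:]
    # The login source address is edited in place: record 0 no longer matches its tag.
    edited = [(RECORDS[0].replace("203.0.113.5", "10.0.0.2"), chain[0][1])] + chain[1:]
    return intact, verify_chain(deleted), verify_chain(edited)
```

Verification only proves something after the tags have left the host, so ship each (record, tag) pair to a collector as it is written; an attacker with the key could forge the chain.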

Tools commonly used in this phase include:

  • clearlogs.exe, 
  • Auditpol.exe,
  • PsTools,
  • Netcat, etc.

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.
