
Attack phases

1 - Explain each phase of a system attack according to CEH.

1. RECONNAISSANCE

This is the first step of hacking. It is also called the Footprinting or Information
Gathering phase. This stage involves obtaining information about a potential
victim, which may be a person or an organization. Reconnaissance is probably the
longest phase, sometimes lasting weeks or months. It is the preparatory phase in
which the attacker collects as much information as possible about the target.
Information is usually collected through:

• Internet searches
• Social engineering
• Dumpster diving
• Domain name management/search services
• Non-intrusive network scanning

There are two types of Footprinting:

• Active: directly interacting with the target to gather information about it,
e.g. using the Nmap tool to scan the target.
• Passive: collecting information about the target without directly accessing
it. This involves collecting information from social media, public websites,
etc.

2. SCANNING

In this second stage, the information obtained in phase 1 is used to probe the target
and try to obtain information about the victim system, such as IP addresses, host
names and authentication data, among others.

Among the tools an attacker can use during scanning are network mappers,
port mappers, network scanners, port scanners and vulnerability scanners.

Port scanning:

• Open ports
• Open services

Vulnerability Scanning:

• Vulnerable applications, including operating systems.
• Weak protection of data in transit.

Network Mapping:

• Make and model of each piece of LAN/WAN equipment.
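A defender-side view of what the port scanning described in this phase leaves behind in connection logs, as an added example that is not part of the original document: a small detector that flags any source hitting many distinct ports on one host within a sliding time window. The log lines, their field layout, the 60-second window and the ten-port threshold are all constructed assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample connection log (timestamp, source, destination, destination
# port, TCP flags). 10.0.0.5 sweeps eleven ports in a few seconds; the other two
# sources are ordinary, slow, single-port traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 192.168.1.10 22 S
2024-03-01T10:00:00 10.0.0.5 192.168.1.10 23 S
2024-03-01T10:00:01 10.0.0.5 192.168.1.10 25 S
2024-03-01T10:00:01 10.0.0.5 192.168.1.10 80 S
2024-03-01T10:00:01 10.0.0.5 192.168.1.10 110 S
2024-03-01T10:00:02 10.0.0.5 192.168.1.10 143 S
2024-03-01T10:00:02 10.0.0.5 192.168.1.10 443 S
2024-03-01T10:00:02 10.0.0.5 192.168.1.10 445 S
2024-03-01T10:00:03 10.0.0.5 192.168.1.10 3306 S
2024-03-01T10:00:03 10.0.0.5 192.168.1.10 3389 S
2024-03-01T10:00:03 10.0.0.5 192.168.1.10 8080 S
2024-03-01T10:00:05 10.0.0.7 192.168.1.10 443 S
2024-03-01T10:01:00 10.0.0.7 192.168.1.10 443 S
2024-03-01T10:05:00 10.0.0.9 192.168.1.10 22 S
2024-03-01T10:09:00 10.0.0.9 192.168.1.10 80 S
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=10):
    """Flag every (source, destination) pair that touches at least `threshold`
    distinct destination ports within any `window`-long sliding interval.
    Only SYN-only attempts (flag 'S') are counted: a scanner probing many
    ports rarely completes handshakes, whereas a busy legitimate client keeps
    hitting the same few ports."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent = {}      # (src, dst) -> deque of (ts, dport) still inside the window
    in_window = {}   # (src, dst) -> Counter of dports inside the window
    alerts = {}      # (src, dst) -> alert dict, updated as the scan grows
    for ts, src, dst, dport, flags in events:
        if flags != "S":
            continue
        key = (src, dst)
        q = recent.setdefault(key, deque())
        counts = in_window.setdefault(key, Counter())
        q.append((ts, dport))
        counts[dport] += 1
        # Expire events that have fallen out of the sliding window.
        while ts - q[0][0] > window:
            _old_ts, old_port = q.popleft()
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
        distinct = len(counts)
        if distinct >= threshold:
            alert = alerts.setdefault(key, {"src": src, "dst": dst,
                                            "first_seen": q[0][0],
                                            "distinct_ports": 0})
            alert["distinct_ports"] = max(alert["distinct_ports"], distinct)
            alert["last_seen"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan: {a['src']} -> {a['dst']}, "
              f"{a['distinct_ports']} ports between {a['first_seen']} and {a['last_seen']}")
```

Widening the window or lowering the threshold trades false positives for sensitivity to slow scans; the constructed 10.0.0.9 source is only caught once the window is stretched to ten minutes.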

3. GAINING ACCESS

This phase is where an attacker breaks into the system/network using various tools
or methods. After entering a system, the attacker has to escalate privileges to
administrator level; to do so, the attacker must gain some level of access to one or
more network devices, so that he can install the applications he needs, modify data
or hide data.

Some of the techniques the attacker can use are Buffer Overflow attacks,
Denial of Service (DoS), Distributed Denial of Service (DDoS), Password filtering
and Session hijacking.

4. MAINTAINING ACCESS

Once the attacker has gained access to the system, he will seek to install tools
that allow him to regain access in the future from any place where he has Internet
access. To do this, attackers usually use backdoors, rootkits and Trojans.

5. CLEARING TRACKS

Because no thief wants to get caught, an intruder always clears all evidence, so
that at a later point in time no one will find any traces leading to him. This can be
done by modifying, corrupting or deleting log entries, modifying registry values,
uninstalling all applications he used and deleting all folders he created.
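Because log tampering is the core of this phase, the standard countermeasure is to make logs tamper-evident rather than merely write-protected. As an added example that is not part of the original document, the block below hash-chains log entries so that modifying or removing an entry breaks every later link, and compares the final hash with a copy held on another host so that silently dropping the newest entries is also caught. The log entries and the idea of an off-host head copy are constructed assumptions.

```python
import hashlib

GENESIS = "0" * 64  # fixed starting value for an empty chain


def _link(prev_hash, entry):
    """Hash of the previous link's hash together with this entry's text."""
    return hashlib.sha256(prev_hash.encode() + b"\n" + entry.encode()).hexdigest()


def build_chain(entries):
    """Return [(entry, hash), ...] where each hash covers all earlier entries."""
    chain, prev = [], GENESIS
    for entry in entries:
        prev = _link(prev, entry)
        chain.append((entry, prev))
    return chain


def verify_chain(chain, expected_head=None):
    """Return None if the chain is intact, otherwise a description of the
    first inconsistency. `expected_head` is the last hash as stored on a
    separate host: without it, deleting the newest entries is undetectable,
    because the remaining prefix is still a perfectly valid chain."""
    prev = GENESIS
    for i, (entry, h) in enumerate(chain):
        if _link(prev, entry) != h:
            return f"entry {i} was modified or an earlier entry was removed"
        prev = h
    if expected_head is not None and prev != expected_head:
        return "head mismatch: entries were truncated or added after the copy was taken"
    return None


# Constructed sample log entries (not from any real system).
SAMPLE_ENTRIES = [
    "10:00:01 sshd accepted publickey for alice from 10.0.0.9",
    "10:02:13 sudo alice : COMMAND=/usr/bin/systemctl restart nginx",
    "10:05:40 sshd accepted password for root from 10.0.0.5",
    "10:06:02 useradd created account svc-backup",
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_ENTRIES)
    offhost_head = chain[-1][1]  # copy shipped to a log collector elsewhere
    tampered = list(chain)
    tampered[2] = (tampered[2][0].replace("root", "alice"), tampered[2][1])
    print(verify_chain(chain, offhost_head))        # None: intact
    print(verify_chain(tampered, offhost_head))     # entry 2 was modified ...
    print(verify_chain(chain[:-1]))                 # None: truncation invisible without the head
    print(verify_chain(chain[:-1], offhost_head))   # head mismatch ...
```

The chain only proves consistency with whatever head the verifier trusts; an intruder who controls both the log file and the place the head is stored can rebuild the whole chain, which is why the head (or the entries themselves) should leave the compromised host as soon as they are written.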

2 - Match the following examples with the phase they are related to:

a) Backdoors, rootkits, and trojans.

• MAINTAINING ACCESS

b) Social engineering, dumpster diving, and sniffing.

• RECONNAISSANCE

c) Deleting traces in registry files (logs) or removing IDS alarms.

• CLEARING TRACKS

d) Network mappers, port mappers, network scanners, port scanners,
and vulnerability scanners.

• SCANNING

e) Buffer overflow, DoS, password filtering, and session hijacking.

• GAINING ACCESS
