Phases of Ethical hacking

9 min readNov 21, 2020


Phase 1: Reconnaissance:

This is the first step of ethical hacking before launching an attack and exploiting the vulnerabilities. Reconnaissance is the process of gathering or collecting the available information about the target. Usually the hacker will collect the initial information from web surfing then identifying the active machines, network range, running services, open ports available, operating system used by the host server, etc,.
There are two types of reconnaissance:
(a) Active reconnaissance: In this process, the attacker will be directly interacting with the target server using the technical tools to discover information on the hosts that are active on your target network. The results are effective, but time intensive and do not always produce the most accurate results. But since we are directly interacting, there is a great chance of getting detected (means our digital footprints are recorded in the server logs). Performing this without the permission of the concerned authorities may results in strict actions against the attacker.
Commonly used tools are:
Nslookup/whois lookup”
Nslookup is a program to query Internet domain name servers. Nslookup has two modes: interactive and non-interactive. Interactive mode( ‘-’ is used) allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode is used to print just the name and requested information for a host or domain. And reverse DNS lookup can also be done by providing the IP address of the target.
Same type of commands can be used in Linux as well as windows.
$nslookup [-option] [name|-] [server]
$nslookup -type=[any|soa|mx|ns] <target_address>

“dig(Domain Information Groper)”
It’s a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.
Although dig is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the -h option is given. Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf. If no usable server addresses are found, dig will send the query to the local host.
$dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m] [-p port] [-q name] [-t type] [-v] [-x addr] [-y [hmac:]name:key] [ [-4] | [-6] ]
[name] [type] [class] [queryopt…]
$dig +short (this will print only the ip’s available)
$dig [mx|ns|soa|any] +short (this will print the required server names without the comments)

It's a meta data collection tool. Meta data means data about data. For instance, when you create word document in Microsoft word, some additional information are added to this word file such as file size, date of creation, the user name of the creator etc.-all these additional information is called meta data. MetaGoogle scours the Internet for metadata of your target. You can use it with both Linux (built in Kali Linux) and Windows.
$metagoofil [-h] -d <domain> [-e delay] [-f] [-i url_timeout] [-l search_max] [-n download_file_format] [-o save_directory] [-r number_of_threads] -t <file_type> [-u [user_agent]] [-w]
$metagoofil -d -e 10 -l 200 -n 10 -t [pdf|docx|xml|txt]

theHarvester is used to gather open source intelligence (OSINT) on a company or domain. you can use it to catalogue email address and subdomains. It works with all the major search engines including Bing and Google. This is a build in tool of Kali Linux.
$theHarvester [-h] -d <domain>[-l limit] [-S start] [-g] [-p] [-s] [ — screenshot <screenshot>] [-v] [-e dns_server] [-t dns_tld] [-r] [-n] [-c] [-f filename] [-b source]
available sources are: baidu, bing, bingapi, bufferoverun, certspotter, crtsh, dnsdumpster, duckduckgo, exalead, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, netcraft, otx, pentesttools, projectdiscovery, qwant, rapiddns, securityTrails, spyse, sublist3r, threatcrowd, threatminer, trello, twitter, urlscan, virustotal, yahoo
$theHarvester -d -l 100 -b

“nmap(Network mapper)”
It’s an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks
such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
This tool can also be used in the Scanning and enumeration phases.
$nmap [Scan Type…] [Options] {target specification}
target specification can be -> host address, ip address, network subnets, etc,.

(b) Passive reconnaissance: In this process, the attacker will not directly interact with the target server. Like searching the essential data from googling out or web surfing. Most commonly searched parameters in this process are IP address, mail servers, name servers, DNS system.
Use the advanced Google search to gather information about the target’s website, web servers and vulnerable information. Sometimes, jobs posted in the companies websites reveal valuable information about the type of information technologies used in the target company. Google hacking can also be done.
Netcraft is a free online tool to gather information about web servers including both the client and server side technologies.
To view the site report visit:

And other website to discover the information are:
* whois domain tools
* whois

Phase 2: Scanning and Enumeration

In this phase, the hacker identifies a quick way to gain access to the network or to the target host and look for accurate and valuable information. There are three methods of scanning: pre-attack, port scanning/sniffing, and information extraction.
Each of these phases demonstrates a specific set of vulnerabilities that the hacker can utilize to exploit the system’s weaknesses.

The most and best popular tool used in this phase is Nmap(Network Mapper). This tool can be used to gather information, scanning and even for gaining and maintaining access.
(i) pre-attack: where the hacker scans the network for specific information based on the information gathered during reconnaissance.
(ii) port scanner or sniffing: where scanning includes the use of dialers, port scanners, vulnerability scanners, and other data-gathering equipment.
(iii) information extraction: where the attackers collect information about ports, live machines and OS details to launch an attack.
Commonly used tools are:
{ read more about this tool in the reconnaissance phase}

Nikto tool is used to examine a web server to find potential problems and security vulnerabilities, including:
• Server and software misconfigurations
• Default files and programs
• Insecure files and programs
• Outdated servers and programs
Nikto is built on LibWhisker (by RFP) and can run on any platform which has a Perl environment. It supports SSL, proxies, host authentication, IDS evasion
and more. It performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.
$nikto -host <target_address> -Format [txt|csv|msf+|nbe|xml] -o output_file.txt (this will save the results in output_file.txt)

DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
Dirbuster comes pre-installed in Kali Linux and many other Penetration Testing distros. There is an alternative tool called ‘dirb’ which works same as dirbuster.
$dirbuster -u <target_url> [options]

Supported operations: nslookup, zone-transfer, google scraping, domain brute force (support also recursion), whois ip and reverse lookups.
1) Get the host’s address (A record).
2) Get the name servers (threaded).
3) Get the MX record (threaded).
4) Perform AXFR queries on name servers (threaded).
5) Get extra names and subdomains via google scraping (google query = “allinurl: -www site:domain”).
6) Brute force subdomains from (REQUIRED), can also perform recursion on subdomain that have NS records (all threaded).
7) Calculate Class C IP network ranges from the results and perform whois queries on them (threaded).
8) Perform reverse lookups on netranges (class C or/and whois netranges)(threaded).
9) Write to domain_ips.txt file non-contiguous ip-blocks results.
$dnsenum -w <target_address> {-w is used to fetch the whois records}
$dnsenum -o domains.xml {-o stores the output in specified filename}

Phase 3: Gaining Access

The hacker gains access to the system, applications, and network, and escalates their user privileges to control the systems connected to it. This can be achieved only from the information collected from the above phases. The main focusing areas are privilege escalation and security control bypassing.
Popular method used to gain access is:-
“Password cracking”
The goal here is to gain the access via logging into the application/system. To achieve this cracking the password is main task. But if the targeted injection point(login pages) is vulnerable to SQL injection then, authentication bypass can be done using simple SQL query payloads. There are several methods to crack the password:
Brute-force attack: trying all possible combinations until the password is cracked.
Dictionary attack: This is a compiled list of meaningful words, compared against the password field till a match is found.
Rule based attack: If some details about the target are known, we can create rules based on the information we know like using the regular expressions.
Rainbow table: Instead of comparing the passwords directly, taking the hash value of the password, comparing them with a list of pre-computed hash values until a match is found.
Rainbow table method gives an advantage to the attacker since no account lockout is enabled for wrong hashes against the password. To prevent rainbow table attack, salting can be used. Salting is a process of adding random numbers to the password so the attacker will not be able to crack the hash without that salt added.
There are various tools used to crack password which comes pre installed in Kali linux:
“John The Ripper”

Phase 4: Maintaining access

Here, the hacker secures access to the organization via Rootkits and Trojans and uses it to launch additional attacks on the network. Once a hacker has gained access, they want to keep that access for future exploitation and attacks. Sometimes, hackers harden the system from other hackers or security personnel by securing their exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.
Common backdoor used to maintain access are:
“Trojan Horses”

Phase 5: Covering tracks

Once the hacker gains access, they cover their tracks to escape the security personnel. They do this by clearing the cache and cookies, tampering the log files, and closing all the open ports. This step is important because it clears the system information making hacking a great deal harder to track.