So I mentioned earlier the goals of hacking, or the exploitation life cycle. What we see here is these five steps. You start by doing some reconnaissance, trying to understand in enough detail about the target or the target organization to see what's possible. What can I find? What can I learn?
You might do some scanning, and this scanning typically means, in this case, looking for computer systems that are within the address range of that organization. You might do some whois lookups to get an address range, do some scanning, find some targets.
When I do some of these labs, you'll see some of the tools that can help you narrow that information down, to find something that's truly useful, to try to get into a system to get data. Once you gain access to a system, typically the next goal is to try to elevate your privileges so you can maintain that access. You install backdoors. You install any kind of method or technology, like a rootkit for instance, that allows you to return to that system at a later time in order to do more work.
Generally, if someone hacks into a system, they don't do all their work in one sitting and then never go back again. They do a little bit. They don't want to be detected, remember, so they don't want to do too much at one time. If they can maintain access, they can come back later, when it suits them, and gather a little bit more data.
And then the last step is clearing your tracks. This is the idea that the pen tester or the hacker, whoever it is, in order to remain undetected, will try to put things back the way they were, if that's relevant: try to erase log files, or try to disable auditing, or do some other things in order to erase the fact that they were on that computer doing some activity which they shouldn't have been doing.
All right. So starting off with reconnaissance: in the case of most social engineering efforts, you're going to gather information digitally, and I'll show a bunch of these tools as we go through those labs later.
But you're trying to do lookups of a domain name, trying to get address ranges, trying to do things like a traceroute to see what kind of systems are on a particular network. What can I see between my system and that target system? What are those hops, right? That's what a traceroute can help you with; that lets you enumerate that network.
And of course you could do some of this reconnaissance through social engineering techniques. You're not necessarily using tools. You might befriend someone at the organization. You might try to build a trust relationship by becoming their buddy on LinkedIn or Facebook. Or maybe you just see someone that's wearing a certain badge that indicates where they work, and now they are your target because that's the organization you want to get into. You wait for people to come out of the building. These are all time-honored techniques. This is basically classic spycraft, if you think about it. So these are some techniques, of many, many that we could discuss, to do some initial reconnaissance, gathering that information that helps you identify suitable targets.
Then, if you're doing some scanning, we normally think about port scanning, trying to identify the operating system of a computer, trying to see what services are running, doing banner grabs. All these have their value to the social engineer, because they are trying to gain access to a system, so they've got to do some hacking as well as the soft skills, like talking on the phone or talking in person. Scanning could produce results through social engineering attempts as well. You might be able to call somebody or send them an email asking them a question about a service or an application or some technology that's being used in that organization, and you get the answer without using your tools to directly do a scan, for instance.
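The banner grab just mentioned, written out as an added example (this is not the lecturer's code, and the signature table, the assumed HTTP ports and the sample banners are all constructed for illustration): connect to a port, read what the service says first, and turn that into the same "we use OpenSSH, we use Apache" answer a phone call might give you. parse_banner() runs offline on the constructed banners; grab_banner() and scan_host() do the live TCP part when you point them at a host you are authorized to test.

```python
"""Banner grab and classification, added as an example for this section.
Not the lecturer's code; SIGNATURES, the HTTP port list and SAMPLE_BANNERS
are assumptions made for the example."""
import re
import socket

# Assumed signature table: one regex per common service, tried in order.
# Named groups feed the result dict; anything unmatched reports "unknown".
SIGNATURES = [
    ("ssh", re.compile(
        r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\w.]+)?")),
    ("smtp", re.compile(
        r"^220[ -](?P<host>\S+)\s+ESMTP\s+(?P<product>Postfix|Exim|Sendmail)"
        r"(?:\s+(?P<version>[\w.]+))?", re.I)),
    ("ftp", re.compile(
        r"^220[ -].*?(?P<product>vsFTPd|ProFTPD|Pure-FTPd)\s*(?P<version>[\w.]+)?", re.I)),
    ("http", re.compile(
        r"^HTTP/[\d.]+\s+\d{3}.*?\r?\nServer:\s*(?P<product>[^/\s]+)"
        r"(?:/(?P<version>[\w.]+))?", re.I | re.S)),
]

HTTP_PORTS = (80, 8000, 8080)  # assumption: ports where the server waits for the client to speak


def parse_banner(banner):
    """Classify one raw banner into {service, product, version, raw}."""
    text = banner.decode("utf-8", "replace") if isinstance(banner, bytes) else banner
    text = text.lstrip()
    for service, pattern in SIGNATURES:
        m = pattern.search(text)
        if m:
            groups = m.groupdict()
            return {"service": service,
                    "product": groups.get("product"),
                    "version": groups.get("version"),
                    "raw": text.strip()}
    return {"service": "unknown", "product": None, "version": None, "raw": text.strip()}


def grab_banner(host, port, timeout=3.0):
    """Connect, send a request only where the protocol expects the client to
    speak first, and return whatever the service sends back (bytes)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        if port in HTTP_PORTS:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        try:
            while len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
                # Header block done, or a one-line greeting has arrived.
                if b"\r\n\r\n" in data or (port not in HTTP_PORTS and b"\n" in data):
                    break
        except socket.timeout:
            pass  # the service never spoke (binary or TLS port); return what we have
        return data


def scan_host(host, ports, timeout=3.0):
    """Banner-grab each port; closed or filtered ports are reported, not raised."""
    results = {}
    for port in ports:
        try:
            results[port] = parse_banner(grab_banner(host, port, timeout))
        except OSError as exc:  # refused, unreachable, connect timeout
            results[port] = {"service": "closed", "product": None, "version": None, "raw": str(exc)}
    return results


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = {
    22: b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n",
    25: b"220 mail.example.com ESMTP Postfix (Ubuntu)\r\n",
    21: b"220 (vsFTPd 3.0.3)\r\n",
    80: b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
    8443: b"\x16\x03\x01\x00\x05",  # start of a TLS record: no cleartext banner to read
}

if __name__ == "__main__":
    for port, banner in SAMPLE_BANNERS.items():
        r = parse_banner(banner)
        print(f"{port:5d} {r['service']:8s} {r['product']} {r['version']}")
    # Live use, against a host you are authorized to scan:
    # print(scan_host("192.0.2.10", [21, 22, 25, 80]))
```

The unknown result on the TLS port is the caveat worth keeping in mind: a banner grab only tells you about services that announce themselves in cleartext, which is exactly why the lecturer's phone-call or job-posting route can fill in what the tool cannot.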
Maybe they tell you over the phone, or they tell you in an email: oh yes, we use Oracle, we use Microsoft, we use IBM products, we use McAfee products. You might find this information in a job posting, for that matter. This could give a lot of details to the social engineer that show what technologies the organization is using, and then they would try to identify those technologies so that they can look for weaknesses, look for vulnerabilities. So gaining access to a system might also be done with social engineering techniques; it could be done with technological techniques, hacking tools. Phishing and spear phishing and whaling, these are all great ways to potentially get access to an individual or get access to their environment.
Phishing is casting a wide net, right? We're trying to capture many people, to try to get some of them to click a link, to go to a website, maybe to get credentials, that kind of thing. Spear phishing is throwing a spear at one fish. Hopefully you can get that one individual to do something which allows you to get access to a network or to an application or to their bank account, whatever the goal of the pen tester or the hacker is. Whaling is a variation on spear phishing: we're going after the really big fish, the president of a company or a high-level politician, whatever your goals might be. This is the spectrum, if you will, of trying to gain access to a system as it relates to people.
You might also try something like the watering hole technique. Maybe many people from a certain organization go to certain websites, and you know this because you've done your research, you've done your homework, and what you can try to do in that case is to infect that website, well known to that group, with some malware, which gives you a chance to access those individuals' credentials. Maybe they all use a particular website for their banking. So you create a copy of that website to try to trick people to go to that website, and you can get their credentials. It's a very common technique.
You could also do something like a USB drop. This is what a lot of security researchers do; pen testers and hackers also do this. You create malware that goes on a thumb drive. These are very inexpensive nowadays, $2 to $3 for a drive, I think I saw the other day, very cheap. You create malware, put it on these thumb drives, put a label on there that says something like "tax files" or "secret data", whatever; some kind of enticing label definitely helps. And then you leave these drives at places like Starbucks, or you leave them at a bar, or you go to a university campus and leave them in the library. Most likely some people will pick these devices up, plug them into their computer to see what's on them, and now your malware may have a chance to get further information about those targets.
The next goal is to maintain access,
so typically you need to infect a system with some kind of tool that lets you elevate your privileges. There are ways to do this that are far too numerous to go into in this course. But look at Trojans that get in through email; any of these possibilities might be there, or the USB trick I just talked about. Maybe that allows the engineer to gain access. Installing a rootkit or some other kind of backdoor is typically the next step, because now you have the privileges to do that. Many times, maintaining access to a system requires privileged access to begin with, to make changes to the configuration so that access can be granted to the hacker or to the social engineer.
I might be able to do something like adding a firewall exception. If you can hack your way into that part of the organization, that might be a possibility, or you use social engineering techniques to trick somebody into doing these things for you. The possibilities are really only up to the imagination and the time frame that's available to the social engineer.
And when we think about covering tracks, as I mentioned earlier, the social engineer needs to make sure that the evidence of their activity is not available on that system. There's lots of ways to do this. You could try to delete log files; that usually requires administrator-type privileges. Sometimes people will selectively edit log files, just removing certain entries, or maybe replacing one IP address with another to send the investigator down the wrong path. Other techniques involve disabling auditing so that there's no logs being recorded at all.
Of course, tampering with log files and turning off the logging function is suspicious activity in itself, and the administrator of that system may notice at some point, which could of course cause them to do an investigation, find the backdoor and shut all that down. So there are risks in certain techniques. If you're too aggressive, then the target may notice that something is going on.
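To make concrete how an administrator can notice the log tampering described above, here is an added example (not the lecturer's code) of a tamper-evident log: each record carries an HMAC tag computed over the previous tag and the record, so removing an entry, swapping one IP address for another, or reordering entries breaks every tag that follows. The key, the sample auth-log records and the attacker edits are all constructed for this example.

```python
"""Tamper-evident log chain, added as an example for this section (not the
lecturer's code). tag_i = HMAC(key, tag_{i-1} || record_i); the key and the
RECORDS below are constructed for the example."""
import hashlib
import hmac

SEED = b"\x00" * 32  # the "tag" that precedes the first record

# Constructed sample records (not real logs): a brute force, a success, persistence.
RECORDS = [
    "2024-03-01T09:00:01 sshd[1201]: Accepted password for alice from 10.0.0.5 port 51522",
    "2024-03-01T09:03:17 sshd[1202]: Failed password for root from 203.0.113.7 port 40122",
    "2024-03-01T09:03:19 sshd[1202]: Failed password for root from 203.0.113.7 port 40123",
    "2024-03-01T09:03:40 sshd[1203]: Accepted password for root from 203.0.113.7 port 40130",
    "2024-03-01T09:10:00 sudo: root : COMMAND=/usr/sbin/useradd -m svc-backup",
]


def _tag(key, prev, record):
    return hmac.new(key, prev + record.encode(), hashlib.sha256).digest()


def chain(records, key, seed=SEED):
    """Return [(record, hex_tag), ...]; each tag commits to the whole history before it."""
    prev, out = seed, []
    for rec in records:
        tag = _tag(key, prev, rec)
        out.append((rec, tag.hex()))
        prev = tag
    return out


def verify(chained, key, seed=SEED):
    """Recompute the chain; return (True, None) or (False, index of first bad entry)."""
    prev = seed
    for i, (rec, tag_hex) in enumerate(chained):
        expected = _tag(key, prev, rec)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False, i
        prev = expected
    return True, None


def tail_intact(chained, last_shipped_tag):
    """verify() cannot see records cut from the END of the chain (or logging
    simply switched off): the shortened chain still validates. So compare
    against the newest tag a remote collector already holds; it must still
    appear in the local chain."""
    return any(tag == last_shipped_tag for _, tag in chained)


if __name__ == "__main__":
    key = b"example-key-kept-off-this-host"  # constructed; see usage note on key placement
    good = chain(RECORDS, key)
    print("clean log:", verify(good, key))
    # Attacker removes the entry recording the successful root login.
    deleted = good[:3] + good[4:]
    print("entry deleted:", verify(deleted, key))
    # Attacker rewrites the source IP but cannot recompute the tag without the key.
    edited = list(good)
    edited[1] = (good[1][0].replace("203.0.113.7", "198.51.100.9"), good[1][1])
    print("IP swapped:", verify(edited, key))
    # Attacker truncates the log after their first failed attempt.
    truncated = good[:2]
    print("truncated verifies:", verify(truncated, key),
          "tail intact:", tail_intact(truncated, good[-1][1]))
```

Two caveats a practitioner would want: the key must not live on the logged host, because an attacker who has already reached administrator privileges (which the lecturer notes is usually needed to touch the logs) could simply recompute the tags; and, as tail_intact() shows, a chain only proves what it contains, so the "disable auditing" and "delete everything after this point" cases are caught only as far as the last tag that was shipped off the box.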