A good ethical hacker makes sure that no stone is left unturned,
be it during a pentest, while playing CTFs, and so on.
The entire process, from picking a target machine to exploiting it, has been divided into 5 stages.
The first stage, reconnaissance, means exactly what it says: gathering information.
You could view the source code of the website (if it's a web pentest), look for subdomains, etc.
You could look for data breaches involving the website and even try to find out the framework that the site is using.
Look for anything and everything that you think will be of some use to you and, most importantly, make notes!
This is the step where you actually get hands-on with the target.
You could start off by looking for the open ports and the services running on them, with a tool called nmap (there are others as well).
You could use gobuster or dirbuster to look for possible pages that are not meant for normal visitors to view. Some also prefer nikto, a common vulnerability scanner for web servers.
Some other tools that could come in handy are: masscan, metasploit, nessus, dirb, wpscan (made for WordPress), etc.
By now you will have a list of all the open ports, the services running on them, credentials (if any), and any vulnerable plugins or services.
This is the stage where you actually get to test your victim machine for the vulnerabilities that you came across or learnt about during
the enumeration phase, and get into the machine.
It could be by getting anonymous access to an FTP server that is active and placing a script there that gives you access to the system.
Or it could be brute-forcing SSH (if active) with the credentials that you have got hold of, or just trying it against your list of usernames and passwords.
Gaining access could be tough, and you want to make sure that once you get access to the machine, you don't have to go through the same trouble again to get back in.
What if the internet connection goes down or the user shuts down the machine?
Simple: you place a backdoor in the system.
And what is a backdoor, you ask?
Well, a backdoor is any means through which you can get back into the system without much trouble. It could be saving a malicious script that gives you a shell every time you connect to it, or
creating a new user on the compromised system and then SSHing into it.
Well, the last step would be to cover up your tracks.
You wouldn't want the victim to know either your IP address or the exact set of commands that you ran on that system (Linux stores all the commands that you run in the .bash_history file).
The perfect remedy for this would be to clear the log files, both the access and the error ones.
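From the defender's side, the behaviours described in the last three stages leave traces in the authentication log before anyone gets around to clearing it. The following script is an added example, not part of the original post: it runs over constructed auth.log lines and flags an SSH brute-force run, a login that succeeds right after a string of failures, and a new account being created and added to sudo. The message formats are those written by OpenSSH and the useradd/usermod tools; the sample lines, hostnames, addresses and the threshold of five failures are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (made up for this example).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 50012 ssh2
Mar  3 10:01:03 host sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 50013 ssh2
Mar  3 10:01:04 host sshd[2003]: Failed password for root from 203.0.113.5 port 50014 ssh2
Mar  3 10:01:05 host sshd[2004]: Failed password for root from 203.0.113.5 port 50015 ssh2
Mar  3 10:01:06 host sshd[2005]: Failed password for root from 203.0.113.5 port 50016 ssh2
Mar  3 10:01:07 host sshd[2006]: Accepted password for root from 203.0.113.5 port 50017 ssh2
Mar  3 10:02:30 host useradd[2100]: new user: name=backup2, UID=1002, GID=1002, home=/home/backup2, shell=/bin/bash
Mar  3 10:02:31 host usermod[2101]: add 'backup2' to group 'sudo'
Mar  3 11:15:00 host sshd[2200]: Accepted publickey for alice from 198.51.100.7 port 41000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+),")
SUDO_RE = re.compile(r"usermod\[\d+\]: add '(\S+)' to group 'sudo'")


def analyse(log_text, threshold=5):
    """Return human-readable findings for brute force, suspicious logins and new accounts."""
    failures = Counter()            # failed SSH logins per source IP
    success_after_failure = []      # (user, ip, failures seen from that ip before success)
    new_users, sudo_grants = [], set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] > 0:   # Counter returns 0 for unseen IPs
            success_after_failure.append((m.group(1), m.group(2), failures[m.group(2)]))
            continue
        m = USERADD_RE.search(line)
        if m:
            new_users.append(m.group(1))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo_grants.add(m.group(1))
    findings = [f"brute-force: {n} failed SSH logins from {ip}"
                for ip, n in failures.items() if n >= threshold]
    findings += [f"success-after-failures: {u} from {ip} after {n} failures"
                 for u, ip, n in success_after_failure]
    findings += [f"new-account: {u}" + (" (granted sudo)" if u in sudo_grants else "")
                 for u in new_users]
    return findings
```

Running `analyse(SAMPLE_AUTH_LOG)` yields three findings for the sample; the same functions work on a real file read with `open("/var/log/auth.log").read()`, and shipping the log to a remote collector is what keeps these records available even if the local copy is cleared.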