System Hacking
Here are comprehensive study notes on System Hacking — covering all 25 key concepts in depth.
V
Part 1 — Reconnaissance (Information Gathering)
1. What is System Hacking?
System hacking is the process of exploiting weaknesses in a computer system or network to gain unauthorized access, escalate privileges, steal data, or disrupt services. In ethical hacking (penetration testing), these same techniques are used legally and with permission to find and fix vulnerabilities before real attackers do.
2. Reconnaissance — Passive
The attacker gathers information about the target without directly interacting with it. No packets are sent to the target, so there is no risk of detection. Techniques include OSINT (Open Source Intelligence): searching social media, LinkedIn, WHOIS lookups, DNS records, job postings, and Google dorking (site:, filetype:, intitle: operators).
3. Reconnaissance — Active
The attacker directly interacts with the target system to gather information. This carries a risk of detection. Techniques include ping sweeps, port scanning, OS fingerprinting, and banner grabbing. Tools: nmap, netcat, Shodan.
4. Footprinting
The structured process of collecting as much information as possible about a target before attacking. Output of footprinting includes: IP ranges, domain names, employee names, email formats, network topology, and technologies in use. This intelligence shapes the entire attack strategy.
Part 2 — Scanning and Enumeration
5. Port Scanning
Probing a target's network ports to identify which services are running and potentially vulnerable. Common port scan types:
- TCP Connect scan — completes the full TCP handshake (noisy, detectable)
- SYN scan (half-open) — sends SYN, doesn't complete handshake (stealthier)
- UDP scan — targets UDP services (DNS, SNMP, DHCP)
Key tool: nmap. Every open port is a potential attack surface.
6. Enumeration
Extracting detailed information from open services — usernames, share names, group policies, running services, and routing tables. Goes deeper than scanning. Common targets: NetBIOS, SNMP, LDAP, NTP, DNS. Tools: enum4linux, snmpwalk, nbtscan.
7. Vulnerability Scanning
Automated tools compare discovered services and versions against databases of known vulnerabilities (CVEs). Output: a prioritized list of exploitable weaknesses. Tools: Nessus, OpenVAS, Nikto (web). Not the same as exploitation — it only identifies, not attacks.
Part 3 — Gaining Access
8. Password Attacks
One of the most common ways to gain initial access. Types:
| Attack | Description |
|---|---|
| Brute force | Try every possible password combination |
| Dictionary attack | Try words from a wordlist (e.g., rockyou.txt) |
| Credential stuffing | Use leaked username/password pairs from breaches |
| Rainbow table | Pre-computed hash lookup to reverse password hashes |
| Pass-the-hash | Reuse a captured password hash without cracking it |
Tools: Hashcat, John the Ripper, Hydra.
9. Exploitation of Vulnerabilities
Using a known flaw (CVE) in software, firmware, or a protocol to execute malicious code or bypass authentication. Exploits can be:
- Remote code execution (RCE) — run code on the target without physical access
- Buffer overflow — overwrite memory to redirect program execution
- SQL injection — manipulate database queries through unsanitized input
Tool: Metasploit Framework — the industry-standard exploitation toolkit used in both attacks and penetration testing.
10. Social Engineering (as an Access Vector)
Manipulating people rather than systems to gain access. Examples: calling the IT helpdesk impersonating an employee to reset a password, or tailgating into a secure building. Often faster than technical attacks. The human layer is frequently the weakest point.
11. Privilege Escalation
Once inside a system with limited (user-level) access, the attacker seeks to gain higher privileges (administrator or root). Two types:
- Vertical escalation — gaining higher-level privileges (user → admin)
- Horizontal escalation — accessing another user's account at the same privilege level
Techniques: exploiting misconfigured SUID binaries, kernel exploits, unquoted service paths, DLL hijacking.
The diagram below maps the escalation pathway from initial access to full system control.
V
12. Man-in-the-Middle (MitM) Attack
The attacker secretly intercepts and potentially alters communications between two parties who believe they are talking directly to each other. Techniques: ARP poisoning, DNS spoofing, SSL stripping, rogue Wi-Fi access points. Enables credential theft, session hijacking, and data manipulation.
13. Session Hijacking
After a user authenticates, a session token (cookie) is issued. An attacker who captures this token can impersonate the user without needing their password. Methods: packet sniffing, cross-site scripting (XSS), predictable session IDs. Defences: HTTPS everywhere, HttpOnly and Secure cookie flags, short session expiry.
14. SQL Injection
Malicious SQL code is inserted into an input field and executed by the database. Can lead to: dumping entire databases, bypassing login authentication, modifying or deleting data, and in some cases executing OS commands. Classic example: entering ' OR '1'='1 into a login field to bypass authentication.
15. Buffer Overflow
A program writes more data to a buffer than it can hold, overwriting adjacent memory. An attacker crafts input to overwrite the return address in memory, redirecting execution to malicious shellcode. A foundational exploitation technique, though modern mitigations (ASLR, DEP/NX, stack canaries) make it harder.
Part 4 — Maintaining Access
16. Backdoors
A hidden mechanism that allows an attacker to re-enter a compromised system, bypassing normal authentication. Can be a modified system binary, a web shell, a reverse shell script, or a dedicated Remote Access Trojan (RAT). Once a backdoor exists, the attacker has persistent, on-demand access.
17. Rootkits
Malware designed to hide the attacker's presence at the deepest level of the OS — hiding processes, files, network connections, and registry entries from security tools. Kernel-level rootkits are especially dangerous as they operate with the highest OS privileges and are extremely difficult to detect or remove without rebuilding the system.
18. Persistence Mechanisms
Techniques that ensure malicious access survives reboots or user logouts. Examples on Windows: adding entries to the registry Run key, creating scheduled tasks, installing malicious services, DLL side-loading. On Linux: cron jobs, modified .bashrc, SSH authorized keys. Persistence is what turns a one-time breach into a long-term compromise.
19. Lateral Movement
After gaining access to one system, the attacker moves across the network to reach higher-value targets — databases, domain controllers, financial systems. Techniques: Pass-the-Hash, Pass-the-Ticket (Kerberos), remote service exploitation, using legitimate admin tools (PsExec, WMI, RDP). Makes attackers harder to contain to a single system.
20. Command and Control (C2)
An infrastructure the attacker uses to remotely control compromised machines (bots). Compromised hosts "call home" to a C2 server to receive commands and send back stolen data. Modern C2 frameworks (Cobalt Strike, Metasploit) use encrypted channels, domain fronting, and legitimate cloud services to evade detection.
Part 5 — Covering Tracks
21. Log Tampering
Attackers delete or modify system logs — Windows Event Logs, syslog, web server logs, authentication logs — to erase evidence of their activity. Commands like wevtutil cl Security (Windows) or echo "" > /var/log/auth.log (Linux) clear logs. Defence: forward logs to a remote, append-only SIEM in real time.
22. Steganography
Hiding data inside ordinary-looking files — images, audio, video — to covertly exfiltrate data or smuggle commands. Example: embedding stolen credentials inside a JPEG image. Difficult to detect because the carrier file looks completely normal. Used in advanced persistent threats (APTs) for covert communication.
23. Anti-Forensics Techniques
Broader category of methods to defeat digital forensics investigations:
- Overwriting files with random data before deletion (defeating file recovery)
- Timestomping (modifying file metadata timestamps)
- Encrypting stolen data before exfiltration
- Using volatile memory only (fileless attacks leave no disk artifacts)
- Operating through Tor or VPNs to obscure IP addresses
Part 6 — Key Defences Against System Hacking
24. Hardening and Patch Management
Reducing the attack surface by disabling unnecessary services, closing unused ports, removing default credentials, and applying security patches promptly. A hardened system gives attackers far fewer footholds. Benchmarks: CIS (Center for Internet Security) Hardening Guides.
25. Detection and Response Controls
Layered monitoring to catch attackers at each phase:
| Phase | Defence |
|---|---|
| Reconnaissance | Honeypots, rate-limiting, OSINT monitoring |
| Scanning | IDS/IPS, firewall rules, port scan alerts |
| Gaining access | MFA, WAF, vulnerability management, strong passwords |
| Maintaining access | EDR, integrity monitoring (Tripwire), anomaly detection |
| Covering tracks | Centralised SIEM, immutable logs, audit trails |
Quick Reference — The Five Hacking Phases
| Phase | Goal | Key Tools |
|---|---|---|
| Reconnaissance | Gather intel | OSINT, nmap, Shodan |
| Scanning | Find weaknesses | nmap, Nessus, Nikto |
| Gaining access | Exploit vulnerabilities | Metasploit, Hydra, SQLmap |
| Maintaining access | Stay persistent | Rootkits, C2, backdoors |
| Covering tracks | Erase evidence | Log wipers, steganography |
Comments
Post a Comment