System Hacking

 Here are comprehensive study notes on System Hacking — covering all 25 key concepts in depth.

V

visualize show_widget

Part 1 — Reconnaissance (Information Gathering)

1. What is System Hacking?

System hacking is the process of exploiting weaknesses in a computer system or network to gain unauthorized access, escalate privileges, steal data, or disrupt services. In ethical hacking (penetration testing), these same techniques are used legally and with permission to find and fix vulnerabilities before real attackers do.

2. Reconnaissance — Passive

The attacker gathers information about the target without directly interacting with it. No packets are sent to the target, so there is no risk of detection. Techniques include OSINT (Open Source Intelligence): searching social media, LinkedIn, WHOIS lookups, DNS records, job postings, and Google dorking (site:, filetype:, intitle: operators).

3. Reconnaissance — Active

The attacker directly interacts with the target system to gather information. This carries a risk of detection. Techniques include ping sweeps, port scanning, OS fingerprinting, and banner grabbing. Tools: nmap, netcat, Shodan.

4. Footprinting

The structured process of collecting as much information as possible about a target before attacking. Output of footprinting includes: IP ranges, domain names, employee names, email formats, network topology, and technologies in use. This intelligence shapes the entire attack strategy.


Part 2 — Scanning and Enumeration

5. Port Scanning

Probing a target's network ports to identify which services are running and potentially vulnerable. Common port scan types:

  • TCP Connect scan — completes the full TCP handshake (noisy, detectable)
  • SYN scan (half-open) — sends SYN, doesn't complete handshake (stealthier)
  • UDP scan — targets UDP services (DNS, SNMP, DHCP)

Key tool: nmap. Every open port is a potential attack surface.

6. Enumeration

Extracting detailed information from open services — usernames, share names, group policies, running services, and routing tables. Goes deeper than scanning. Common targets: NetBIOS, SNMP, LDAP, NTP, DNS. Tools: enum4linux, snmpwalk, nbtscan.

7. Vulnerability Scanning

Automated tools compare discovered services and versions against databases of known vulnerabilities (CVEs). Output: a prioritized list of exploitable weaknesses. Tools: Nessus, OpenVAS, Nikto (web). Not the same as exploitation — it only identifies, not attacks.


Part 3 — Gaining Access

8. Password Attacks

One of the most common ways to gain initial access. Types:

AttackDescription
Brute forceTry every possible password combination
Dictionary attackTry words from a wordlist (e.g., rockyou.txt)
Credential stuffingUse leaked username/password pairs from breaches
Rainbow tablePre-computed hash lookup to reverse password hashes
Pass-the-hashReuse a captured password hash without cracking it

Tools: Hashcat, John the Ripper, Hydra.

9. Exploitation of Vulnerabilities

Using a known flaw (CVE) in software, firmware, or a protocol to execute malicious code or bypass authentication. Exploits can be:

  • Remote code execution (RCE) — run code on the target without physical access
  • Buffer overflow — overwrite memory to redirect program execution
  • SQL injection — manipulate database queries through unsanitized input

Tool: Metasploit Framework — the industry-standard exploitation toolkit used in both attacks and penetration testing.

10. Social Engineering (as an Access Vector)

Manipulating people rather than systems to gain access. Examples: calling the IT helpdesk impersonating an employee to reset a password, or tailgating into a secure building. Often faster than technical attacks. The human layer is frequently the weakest point.

11. Privilege Escalation

Once inside a system with limited (user-level) access, the attacker seeks to gain higher privileges (administrator or root). Two types:

  • Vertical escalation — gaining higher-level privileges (user → admin)
  • Horizontal escalation — accessing another user's account at the same privilege level

Techniques: exploiting misconfigured SUID binaries, kernel exploits, unquoted service paths, DLL hijacking.

The diagram below maps the escalation pathway from initial access to full system control.

V

visualize show_widget

12. Man-in-the-Middle (MitM) Attack

The attacker secretly intercepts and potentially alters communications between two parties who believe they are talking directly to each other. Techniques: ARP poisoning, DNS spoofing, SSL stripping, rogue Wi-Fi access points. Enables credential theft, session hijacking, and data manipulation.

13. Session Hijacking

After a user authenticates, a session token (cookie) is issued. An attacker who captures this token can impersonate the user without needing their password. Methods: packet sniffing, cross-site scripting (XSS), predictable session IDs. Defences: HTTPS everywhere, HttpOnly and Secure cookie flags, short session expiry.

14. SQL Injection

Malicious SQL code is inserted into an input field and executed by the database. Can lead to: dumping entire databases, bypassing login authentication, modifying or deleting data, and in some cases executing OS commands. Classic example: entering ' OR '1'='1 into a login field to bypass authentication.

15. Buffer Overflow

A program writes more data to a buffer than it can hold, overwriting adjacent memory. An attacker crafts input to overwrite the return address in memory, redirecting execution to malicious shellcode. A foundational exploitation technique, though modern mitigations (ASLR, DEP/NX, stack canaries) make it harder.


Part 4 — Maintaining Access

16. Backdoors

A hidden mechanism that allows an attacker to re-enter a compromised system, bypassing normal authentication. Can be a modified system binary, a web shell, a reverse shell script, or a dedicated Remote Access Trojan (RAT). Once a backdoor exists, the attacker has persistent, on-demand access.

17. Rootkits

Malware designed to hide the attacker's presence at the deepest level of the OS — hiding processes, files, network connections, and registry entries from security tools. Kernel-level rootkits are especially dangerous as they operate with the highest OS privileges and are extremely difficult to detect or remove without rebuilding the system.

18. Persistence Mechanisms

Techniques that ensure malicious access survives reboots or user logouts. Examples on Windows: adding entries to the registry Run key, creating scheduled tasks, installing malicious services, DLL side-loading. On Linux: cron jobs, modified .bashrc, SSH authorized keys. Persistence is what turns a one-time breach into a long-term compromise.

19. Lateral Movement

After gaining access to one system, the attacker moves across the network to reach higher-value targets — databases, domain controllers, financial systems. Techniques: Pass-the-Hash, Pass-the-Ticket (Kerberos), remote service exploitation, using legitimate admin tools (PsExec, WMI, RDP). Makes attackers harder to contain to a single system.

20. Command and Control (C2)

An infrastructure the attacker uses to remotely control compromised machines (bots). Compromised hosts "call home" to a C2 server to receive commands and send back stolen data. Modern C2 frameworks (Cobalt Strike, Metasploit) use encrypted channels, domain fronting, and legitimate cloud services to evade detection.


Part 5 — Covering Tracks

21. Log Tampering

Attackers delete or modify system logs — Windows Event Logs, syslog, web server logs, authentication logs — to erase evidence of their activity. Commands like wevtutil cl Security (Windows) or echo "" > /var/log/auth.log (Linux) clear logs. Defence: forward logs to a remote, append-only SIEM in real time.

22. Steganography

Hiding data inside ordinary-looking files — images, audio, video — to covertly exfiltrate data or smuggle commands. Example: embedding stolen credentials inside a JPEG image. Difficult to detect because the carrier file looks completely normal. Used in advanced persistent threats (APTs) for covert communication.

23. Anti-Forensics Techniques

Broader category of methods to defeat digital forensics investigations:

  • Overwriting files with random data before deletion (defeating file recovery)
  • Timestomping (modifying file metadata timestamps)
  • Encrypting stolen data before exfiltration
  • Using volatile memory only (fileless attacks leave no disk artifacts)
  • Operating through Tor or VPNs to obscure IP addresses

Part 6 — Key Defences Against System Hacking

24. Hardening and Patch Management

Reducing the attack surface by disabling unnecessary services, closing unused ports, removing default credentials, and applying security patches promptly. A hardened system gives attackers far fewer footholds. Benchmarks: CIS (Center for Internet Security) Hardening Guides.

25. Detection and Response Controls

Layered monitoring to catch attackers at each phase:

PhaseDefence
ReconnaissanceHoneypots, rate-limiting, OSINT monitoring
ScanningIDS/IPS, firewall rules, port scan alerts
Gaining accessMFA, WAF, vulnerability management, strong passwords
Maintaining accessEDR, integrity monitoring (Tripwire), anomaly detection
Covering tracksCentralised SIEM, immutable logs, audit trails

Quick Reference — The Five Hacking Phases

PhaseGoalKey Tools
ReconnaissanceGather intelOSINT, nmap, Shodan
ScanningFind weaknessesnmap, Nessus, Nikto
Gaining accessExploit vulnerabilitiesMetasploit, Hydra, SQLmap
Maintaining accessStay persistentRootkits, C2, backdoors
Covering tracksErase evidenceLog wipers, steganography

Comments

Popular posts from this blog

Kali Linux Commands for Ethical Hacking Tools

Cyber attack.