The Phases of Ethical Hacking

The process of ethical hacking can be broken down into 5 main phases. These phases are:

1. Reconnaissance

2. Scanning

3. Gaining Access

4. Maintaining Access

5. Covering Tracks

In this article, I will walkthrough each of the phases to give a general overview of what each phase entails.

Phase 1: Active and Passive Reconnaissance

Passive reconnaissance is the act of gathering information about a potential target without the target’s knowledge, whereas active reconnaissance involves probing networks which can increase risk of detection by the target. There are many different methods of reconnaissance utilized by attackers to help find vulnerable targets. When you first receive a target, you may decide to run an internet search on the company, and on any individuals of interest at the company. This type of search would be a type of passive reconnaissance typically called information gathering. Gathering information about a target and individuals who are involved with the target can be valuable for social engineering type attacks. Knowing physical locations for your target is also valuable for physical attacks, or dumpster diving (a lot of sensitive information is thrown away by employees).

Sniffing a network can also be done in a passive manner, which can yield information such as IP addresses, naming conventions, servers, networks, and services that exist on the network. Sniffing tools can be rather easy to use and can in turn reveal a large amount of critical information about a target. Sometimes, we may even be able to expose sensitive data just from the act of network sniffing. This can happen if traffic is sent over insecure channels, such as http.

Active reconnaissance can be seen as trying doorknobs to see if any of unlocked. If someone is monitoring the door, they may notice you trying to open it, which would reveal your presence. Although there is more risk involved, if the door is unlocked and unmonitored, it can serve as an important foothold on a target. There are many methods for active reconnaissance, and they can typically tell us information such as ports that are open and listening on a device, as well as operating systems that are being used.

Phase 2: Scanning

Scanning a network takes what was learned in reconnaissance and applies it to examine what is on the network. In this phase, we can apply tools such as ping sweeps, network mappers, SNMP sweepers, and vulnerability scanners to look for any potential attack points on the targets discovered through phase 1. In this phase, we are looking to gain information such as device names, operating systems, software installed on the system, IP addresses, and accounts that exist. Gaining this information can help us find a vulnerability to gain access to the system.

Phase 3: Gaining Access

This phase is where the hacking takes place. The vulnerabilities that we exposed through phase 1 and 2 can now be used to gain access to a target system. There are several different ways that a payload can be sent to a system. Typically, these would be through the network, an adjacent network, local access to the network, or physical access to the computer. There are many examples of exploits that you will see in your studies of computer security, including things such as buffer overflows, denial of service, and injection vulnerabilities. If an attack is successful, the hacker will now have control over the system, to be able to violate confidentiality, integrity, or availability. In some cases, they may be able to do more than just one of the CIA triad.

Phase 4: Maintaining Access

Once an attacker has access to a target system, they want to keep the access available for future use. This is typically done using tools such as backdoors, rootkits, and other malicious software. Once the system is in control of the attacker, they can use it as a base to launch additional attacks. The system that has been compromised is sometimes referred to as a zombie system.

Phase 5: Covering Tracks

Once an attacker has gained access to a system, they will need to cover their tracks to avoid detection by defensive security. This would involve removing any sort of evidence of their attack, by deleting logs and potential IDS alarms.

In addition to the phases of ethical hacking, there are also a few different types of testing that can be discussed when completing these five steps. The first type of testing is called black-box testing, which involves performing a security evaluation with no prior knowledge of the system and network you are attacking. This would simulate a malicious attacker from outside the security perimeter. These types of attacks typically take the most amount of time but are the most realistic type of attack to complete. A white box attack involves performing a security evaluation with complete knowledge of the network and system. This type of attack if much faster and allows the ethical hacker to jump right into the attack phase, skipping information gather and scanning altogether. We can also conduct tests that sit in between these two extremes, known as gray box testing. With gray box testing, we have some knowledge, however it is not complete.

This gives you some idea of the process ethical hackers go through to typically attack a system. As you learn more about the tools and skills used for ethical hacking, you can apply them back to each of these phases to know when they can be used.

Interested in learning more about Ethical Hacking? Until May 24, get 70% off course “An Introduction to Ethical Hacking with Kali Linux”. Available at:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store