The field of cyber security is vast. You have to learn a lot of tools to execute an ever growing number of techniques. From the earliest stages of information gathering to post-exploitation clean-up, a hacker needs to keep a lot of things in mind. One small slip-up is often the difference between success and failure. From a hobbyist to a professional pentester, it can definitely be a little daunting for all of us.

We’re here to try and make sense of it all. Presented below is important information that everyone from a beginner to a hardened expert will need for offensive or defensive hacking. The most common tools, the stages, the process, the quick cheats and more. We’ll often go back and forth between the point of view of a malicious adversary and that of a defensive hacker (pentester). This will help us understand the big picture. So let’s get started.

Your toolkit is your weapon and your shield. It’s the most critical asset you possess, second only to actual hands-on experience. In cyber security, you have to be a master of all trades. Below are all the different kinds of tools you must have in your toolbox and a few examples:

Password cracking software: ophcrack, Proactive Password Auditor

Network scanners: Nmap, NetScanTools

Network vulnerability scanning software: LanGuard, Nexpose

Network analyzers: Cain & Abel, CommView

Wireless network analyzers: Aircrack-ng, CommView for WiFi

File search utility: FileLocator

Web application vulnerability scanning software: Acunetix Web Vulnerability Scanner, AppSpider

Database security scanners: SQLPing3

Exploit software: Metasploit

Remember, this is not an exhaustive list, but a guideline. These were the most common tools that I find myself returning to over and over. Your journey may be different, but all our goals are aligned.

Common Attack Vectors

All experienced hackers and penetration testers have their own way of doing things, but they’re largely different flavors of the same process: check for open ports, vulnerable services, outdated software, etc., and attack. Over time, a pattern emerges…

People get lazy and choose weak passwords

People get annoyed and close the frequent update notifications (Adobe Reader, I’m looking at you), leaving them with potentially vulnerable software

People never expect that they may be open to attack. “Surely, it can’t happen to me. That’s just something you read about in the news”. They let down their guard and then it does happen to them.

It makes sense to begin your testing with the most common vulnerabilities. The following physical and digital security flaws should be at the top of your checklist when carrying out a penetration test:

Gullible and overly-trusting users

Unsecured building and computer room entrances

Discarded documents that have not been shredded

Storage devices (hard disks, pen drives) that have not been securely erased of sensitive data

Network perimeters with no firewall protection

No intrusion detection systems

Default passwords

Poor, inappropriate, or missing file and share access controls

Unpatched systems that can be exploited easily using popular tools such as Metasploit

Online access portals with weak authentication mechanisms

Insufficient or outdated password storage methods (e.g., MD5 hashes)

Insecure routers

Guest wireless networks that allow the public to connect to the corporate network environment

Employee hardware lacking full disk encryption

Mobile devices with little to no mandatory protection

Weak or no application, database, and operating system passwords

COMMONLY HACKED PORTS

Everyone knows to secure common ports, such as TCP port 80 (HTTP) - but other ports may get overlooked and hence be open to attack. In your security testing, be sure to check these commonly hacked TCP and UDP ports:

TCP port 21 — FTP (File Transfer Protocol)

TCP port 22 — SSH (Secure Shell)

TCP port 23 — Telnet

TCP port 25 — SMTP (Simple Mail Transfer Protocol)

TCP and UDP port 53 — DNS (Domain Name System)

TCP port 443 — HTTP (Hypertext Transfer Protocol) and HTTPS (HTTP over SSL)

TCP port 110 — POP3 (Post Office Protocol version 3)

TCP and UDP port 135 — Windows RPC

TCP and UDP ports 137–139 — Windows NetBIOS over TCP/IP

TCP port 1433 and UDP port 1434 — Microsoft SQL Server

And some general advice when it comes to dealing with ports:

Avoid using default ports (such as 22 for SSH) whenever possible.

The server should ideally flag and block attempts at bulk port scanning. A legitimate user is almost never going to sequentially probe every single port one at a time. It may not be enough to prevent an attack (a smart hacker could query ports in a random order from different IP addresses), but at the very least you will be alerted and can prepare.

As a rule of thumb, nearly all ports except 80 and 443 (HTTP and HTTPS) must require authentication to allow a connection unless there’s a very good reason not to (there usually isn’t).
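A small detector for the port-scan heuristic above, added here as an example and not code from the original post: it parses constructed netfilter-style log lines (the format, addresses and thresholds are all assumptions) and flags any source that touches ten or more distinct destination ports within a sliding 60-second window, so random-order probing is caught just like a sequential sweep; a second check counts distinct ports per destination across many low-volume sources, covering the "different IP addresses" caveat. The constructed sample holds one out-of-order scanner hitting the ports listed above, one ordinary HTTPS client, and one scan split across ten source addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed netfilter-style log lines, not captured traffic (the three cases are described in the lead-in).
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} SRC=203.0.113.5 DST=198.51.100.10 DPT={p}"
     for i, p in enumerate([443, 21, 1433, 23, 80, 22, 135, 25, 139, 53, 110])]
    + [f"2024-05-01T10:05:{i:02d} SRC=192.0.2.7 DST=198.51.100.10 DPT=443" for i in range(3)]
    + [f"2024-05-01T10:02:{i:02d} SRC=203.0.113.{20 + i} DST=198.51.100.20 DPT={p}"
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 1433])])
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

def parse(log_text):
    """Time-sorted (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    return sorted((datetime.fromisoformat(m[1]), m[2], m[3], int(m[4]))
                  for m in map(LINE_RE.match, log_text.splitlines()) if m)

def _grouped_windows(events, key, window):
    """Group by field `key` (1 = src, 2 = dst); yield (group, slice) for every slice spanning <= window."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append(e)
    for k, hits in groups.items():
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            yield k, hits[lo:hi + 1]

def scanning_sources(events, window=timedelta(seconds=60), threshold=10):
    """Sources touching >= threshold distinct ports inside one window (largest count seen).
    Distinct ports are counted, not ascending order, so random-order probing is caught too."""
    flagged = {}
    for src, w in _grouped_windows(events, 1, window):
        ports = {e[3] for e in w}
        if len(ports) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged

def distributed_scan_targets(events, window=timedelta(seconds=60), threshold=10):
    """The per-source check misses one scan spread over many IPs (the caveat in the text);
    counting distinct ports per destination from sources that each stay under the threshold
    catches it. Returns dst -> (distinct ports, number of sources)."""
    flagged = {}
    for dst, w in _grouped_windows(events, 2, window):
        per_src = defaultdict(set)
        for e in w:
            per_src[e[1]].add(e[3])
        ports = {e[3] for e in w}
        if len(ports) >= threshold and max(map(len, per_src.values())) < threshold:
            flagged[dst] = max(flagged.get(dst, (0, 0)), (len(ports), len(per_src)))
    return flagged
```

Feed real firewall logs through `parse` (after adapting `LINE_RE` to their format) and tune `window` and `threshold` against a baseline of normal traffic before alerting on the results.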

General Tips For All Hacking Endeavors

For all hackers:

Have well defined goals and develop a plan before you get started.

You do have permission to do what you’re doing, right? Permission is pretty much the only difference between legal and illegal.

Know the right tools to use for the task at hand.

Understand that it’s not possible to detect every security vulnerability on every system. This is where having a plan pays off.

Don’t overlook nontechnical security issues; they’re often exploited first (e.g., social engineering or simply waltzing into an unsecured server room).

Treat other people’s confidential information as well as you would treat your own. Violation of privacy is not a game.

For professional security analysts:

If you’re pentesting for a client, do make sure that what you’re doing doesn’t interfere with their work.

Be aware that attacks can come from inside and outside.

Keep the key players in the loop during your testing.

Report critical vulnerabilities as soon as possible.

Study malicious hacker and rogue insider behaviors and blackhat tactics. The more you know about how the bad guys work, the better you’ll be at testing your systems for security vulnerabilities.

Make sure that all your testing is aboveboard.

Don’t treat every vulnerability discovered in the same manner. Not all weaknesses are bad. Evaluate the context of the issues found before you declare that the sky is falling.

Show management and customers that security testing is good business and you’re the right professional for the job. Security assessments are an investment to meet business goals, find what really matters, and comply with the various laws and regulations — not about silly hacker games.

And there you have it, the ultimate hacking cheat sheet. Remember, this is not meant to be all-inclusive. Every hack is different and requires you to use your best judgement. There is no single one-size-fits-all approach when it comes to hacking. But with this little cheat sheet in your pocket, you should now be able to hack more efficiently and be successful more often.