The Short Answer

This might not be the right question.

A hacker...

...is a social engineer.

They are more interested in their interactions with people than their interactions with computers. A hacker would far rather have you hand him your password, than have to brute force it.

...is seeking knowledge...

...and knows that knowledge is power. A hacker is more interested in getting your credit card number than he is in actually using it.

...uses morality as an excuse...

...not a cause. This is why many hackers will take advantage of morally-oriented political events to go public. They know they can use morality to excuse their actions in the eyes of the public.

...doesn't get caught unless he wants to.

Most of the time. Wannabe hackers who just jump right in without any regard for stealth or anonymity are known as "script kiddies" or "skiddies" within the hacking community. There are far more skiddies than hackers, most likely, and they will likely be your biggest annoyance.

...doesn't need any special tools or backdoors.

The frontend that you've provided is likely sufficient.

The Long Answer

You can secure yourself against the exploits in Metasploit all you want. A hacker will just walk right on in through the front door--if not virtually, literally.

The Answer You Want

Seeing as how people don't like the answer that I gave, as adequate as it is, I'll give you something a bit more along the lines of what you want.

Hackers like to stay anonymous. The first step in any attack is stringing together a line of proxies of some sort, be they SOCKS proxies, zombies, or just simple bots forming a botnet. There are a few ways of going about this, but let's get some dead proxies for the sake of discussion. Head on over to pastebin.com and do a search for 8080 . This is a common port for web proxies. Scroll down in the results until you find a list of IP addresses and click to view the result. You should have a long list of web proxies. I can guarantee that most, if not all, will be dead. Sorry, this is not a hacking tutorial.

The next step is to gather seemingly trivial information about your target. Using his proxies, a hacker would run portscans, then probe any services that he finds. Got a website? Let's explore it. Got a MySQL server? Let's see what version it is. Running SSH? Let's see if it accepts text passwords, or is limited to certificates.

Then the hacker sits down, looks at what he's gathered, and decides what the weakest point of the system is. Depending on the size of the system, he might go back and probe a bit more, if there is more to probe and he feels he hasn't acquired a good enough weakness. A weakness doesn't have to be a true security "hole": it just has to be the weakest link. Perhaps you have an FTP server that doesn't protect against hammering (repeated login attempts). Maybe you have a web server with a bunch of forms or potentially exploitable URLs. Those are worth investigating further.

If necessary, the attacker might write a script or program to carry out the final attack, though this isn't always the case. Most weaknesses can be exploited with existing tools, so this usually is unnecessary for the modern hacker. However, occasionally hackers discover new security holes in software, in which case they sometimes need to write special tools to exploit said software.

A good example of a blatantly obvious attack program is one that is used to cause trouble on servers for a game called Terraria. This wasn't its original purpose, but because it does expose various exploits in the server software, it does tend to be used for that by others. I wrote it in C#. The source code is available on GitHub. The exploits use bytecode manipulation to modify the existing client to send malicious data. The server does not expect this data, and reacts in ways in which it was not designed to function. Discovering exploits like this can be as simple as reverse engineering the target software--I say simple because this has become an increasingly easy task with modern reflective languages, such as C# and Java. Programs such as .NET Reflector (paid) and dotPeek (free, for now) make this possible with the click of a button. A sufficiently trained C# programmer can then observe the code, determine its functionality, and write a program to alter this functionality.