Five Phases of Hacking

There are five main phases in hacking. A hacker does not have to follow these five steps strictly in sequence, but it is a stepwise process, and following it yields better results.

  • Reconnaissance
  • Scanning
  • Gaining Access
  • Maintaining Access
  • Covering Tracks

Reconnaissance

This is the first step of hacking, where the hacker tries to collect as much information as possible about the target. It includes identifying the target and finding out the target’s IP address range, network, DNS records, etc. The target usually does not notice anything during this phase. It is also referred to as the Footprinting and Information Gathering phase. Hackers usually collect information about three groups:

  1. Network
  2. Host
  3. People involved

There are two types of Footprinting:

  • Active: Directly interacting with the target to gather information about it. For example, using the Nmap tool to scan the target.
  • Passive: Collecting information about the target without directly accessing it. This involves gathering information from social media, public websites, etc.

In addition, phase 1 techniques may include the following:

  • Internet sources
  • Social engineering
  • Dumpster diving
  • Observation

Simply put, in this phase the hacker’s job would involve finding out where the person lives, at what times he is usually at home, and what type of security system or fence the target has.

Scanning

After gathering all the data and information, the hacker takes the information discovered during reconnaissance and uses it to examine the network. This phase requires the use of technical tools to further gather intelligence on the target and the systems currently in use. It includes scanning the target for running services, open ports, firewall detection, vulnerabilities that could serve as an entry point, OS detection, and so on. Hackers are seeking any information that can help them perpetrate an attack, such as computer names, IP addresses, and user accounts.

There are three types of scanning:

  • Port scanning: Scanning the target for information such as open ports, live systems, and the various services running on the host, using port scanners.
  • Vulnerability scanning: Checking the target for weaknesses or vulnerabilities which can be exploited. Usually done with the help of automated tools such as vulnerability scanners.
  • Network mapping: Finding the topology of the network (routers, firewalls, servers) and host information, and drawing a network diagram from the available information using network mappers. This map may serve as a valuable piece of information throughout the hacking process.

In this phase, hackers would typically check the locks for complexity or see if there are any open windows they may be able to reach.

Gaining Access

This is the phase where the real hacking takes place. After scanning, a hacker breaks into the system or network using various tools or methods, with the help of the data collected during Phase 1 and Phase 2. Gaining access is known in the hacker world as owning the system. After owning the system, hackers take control of one or more network devices. Once inside the systems, hackers escalate their privileges to administrator level so they can install applications or modify and hide data.

Some examples of methods to gain access are:

  • Abusing a username/password that was found
  • Exploiting a known vulnerability
  • Breaking into a weakly secured network
  • Sending malware to an employee via email or on a USB stick left in the parking lot

Maintaining Access

Once a hacker has gained access, they want to keep that access for future exploitation and attacks. Once the hacker owns the system, they can use it as a base to launch additional attacks. This can be done using Trojans, rootkits or other malicious files. In this case, the owned system is sometimes referred to as a zombie system.

In order to maintain access for a longer time, the attacker must remain stealthy so as not to be caught while using the host environment.

Some examples of techniques used in this phase:

  • Privilege escalation
  • Installation of a backdoor or remote access trojan
  • Creating their own credentials

In this phase, the burglar may create a copy of a found key or disable the alarm system long enough for him to extract the goods.

Covering tracks

No thief wants to get caught. An intelligent hacker always clears all evidence so that, at a later point in time, no one will find any traces leading to him. This includes clearing out sent emails, server logs, temp files, and more. Any changes that were made, such as installed Trojans, backdoors and escalated authorizations, must be returned to a state in which the network’s administrators cannot recognize the attacker’s presence.

Some examples of covering tracks:

  • Remove logging
  • Exfiltration of data via DNS tunneling or steganography
  • Installation of rootkits

Protect yourself: what to do and what not to do

  • Do not post information on social media that could be used to answer account recovery challenge questions.
  • Use passwords that cannot be broken by brute force or guessing.
  • Consider 2 factor authentication when possible.
  • Be wary of emails requesting your password. Services like Heroku, Gmail and others will not ask you to type in your password for a promotion or an additional service.
  • Verify the source of contact.
  • Before clicking a link, investigate it.
  • Always scan a file and never click on batch files.
  • Always be aware of the background services that are running in your device and never rely on others’ devices.
  • Be sure to have an antivirus installed, and require the root or administrator password for software installation.
  • Log out of sessions and clear the cache.

If you think you have been compromised, inform the service providers. If the compromise is confirmed, report it to the cyber crime department. These days, such incidents are taken seriously.
