Describe the five phases of ethical hacking as defined in the C|EH v13 curriculum. What are the key objectives and common tools used in each phase?

The Certified Ethical Hacker (C|EH) v13 curriculum establishes a systematic, five-phase methodology that provides a professional framework for conducting a penetration test. This structured approach ensures that security assessments are thorough, repeatable, and comprehensive. Unlike malicious attackers who may act opportunistically, ethical hackers follow these phases to meticulously identify and document vulnerabilities, ensuring all potential attack vectors are explored. Understanding these five phases is fundamental to the C|EH certification and the practice of ethical hacking.

The Five Phases of Ethical Hacking

Phase 1: Reconnaissance (Footprinting)

This is the initial and most critical information-gathering phase. The objective is to collect as much data as possible about the target organization before launching any active attacks. A more comprehensive reconnaissance phase leads to a more successful penetration test. This phase is divided into two types:

• Passive Reconnaissance: Gathering information without directly interacting with the target's systems. This method is difficult to detect and involves using publicly available sources.
• Active Reconnaissance: Directly probing the target's network and systems to gather information. This is more intrusive and carries a risk of detection.

Key Objectives: Identify network ranges, active machines, DNS records, employee information, operating systems, and technologies in use.

Common Tools & Techniques:

• WHOIS Lookup: To find domain registration details, contact information, and name servers.
• Google Dorking (GHDB): Using advanced search operators to find sensitive information indexed by search engines.
• Maltego: A tool for open-source intelligence (OSINT) that visualizes relationships between pieces of information like domains, people, and email addresses.
• theHarvester: Gathers emails, subdomains, hosts, and open ports from public sources.
• Nmap (Host Discovery): Can be used for initial host discovery using techniques like a ping scan.

Phase 2: Scanning

In the scanning phase, the ethical hacker uses the information gathered during reconnaissance to actively probe the target's network for specific vulnerabilities. This phase involves a more direct engagement with the target's infrastructure to identify potential entry points.

Key Objectives: Discover open ports, running services, and system vulnerabilities on target hosts. Map the network topology.

Common Tools & Techniques:

• Nmap: The quintessential port scanner, used for port scanning, service version detection, and OS fingerprinting.
• Nessus / OpenVAS: Comprehensive vulnerability scanners that check systems against vast databases of known vulnerabilities and misconfigurations.
• Wireshark: A network protocol analyzer used to capture and inspect live network traffic for valuable information.
• Hping3: A command-line packet crafting tool used for advanced network scanning and firewall testing.

Phase 3: Gaining Access

This is the phase where the actual "hacking" occurs. The ethical hacker attempts to exploit the vulnerabilities discovered during the scanning phase to gain unauthorized access to the target system or application. The goal is typically to obtain control, whether it's at the user level or administrative (root/system) level.

Key Objectives: Exploit a vulnerability to compromise a system, escalate privileges, and gain control.

Common Tools & Techniques:

• Metasploit Framework: A powerful platform with a vast database of exploits, payloads, and auxiliary modules used to launch attacks against vulnerable systems.
• Burp Suite: A proxy-based tool for testing the security of web applications by intercepting, modifying, and replaying web traffic.
• John the Ripper / Hydra: Password cracking tools used to perform brute-force or dictionary attacks against authentication services.
• SQLmap: An automated tool for detecting and exploiting SQL injection vulnerabilities.

Phase 4: Maintaining Access

Once access is gained, the ethical hacker's objective is to ensure persistent access to the compromised system. This simulates how a malicious attacker would maintain a foothold in the network to exfiltrate data over time or use the compromised machine as a pivot point to attack other internal systems. This phase tests the organization's ability to detect long-term intrusions.

Key Objectives: Install persistent backdoors, escalate privileges, and move laterally across the network.

Common Tools & Techniques:

• Metasploit (Meterpreter): The Meterpreter payload provides extensive post-exploitation capabilities, including creating persistent services.
• Rootkits/Trojans: Malicious software designed to hide its presence while providing remote access.
• PowerShell Empire / Cobalt Strike: Post-exploitation frameworks designed for lateral movement and maintaining long-term access.
• Creating Rogue User Accounts: Adding a new administrative user to the system for easy future access.

Phase 5: Covering Tracks (Clearing Tracks)

The final phase involves removing all evidence of the intrusion. A malicious attacker does this to avoid detection by system administrators and forensic investigators. An ethical hacker performs this phase to demonstrate how an attacker could remain undetected and to test the organization's logging and monitoring capabilities (SIEM, IDS/IPS).

Key Objectives: Erase traces of the attack to avoid detection and legal repercussions (for a real attacker) and to test the target's security monitoring.

Common Tools & Techniques:

• Log Manipulation: Clearing or altering system logs, such as Windows Event Logs or Linux's /var/log files.
• File Shredding Utilities: Using tools that securely delete files by overwriting them multiple times.
• Steganography: Hiding data (e.g., exfiltrated files, tools) within other files like images or audio files.
• Using Rootkits: Many rootkits have built-in functions to hide files, processes, and network connections, effectively covering the attacker's tracks.
• Meterpreter's `timestomp` command: Modifying the timestamps (MAC times - Modified, Accessed, Created) of files to make them look untouched.