Hacker Lifecycle Phase 2: Scanning and Penetration Testing & IncMan SOAR's Protective Mechanisms


Following on from my previous blog post on Phase 1 of the hacker lifecycle, the first post in this five-part series, let's now examine the second stage, known as “Scanning.” At this point things begin to get a little sketchy. Without proper preparation and an understanding of how the phase unfolds, it is very easy to be identified as performing malicious activity against an organization. Once a hacker has been identified as carrying out illegal operations, the company may take legal action over the consequences. It is therefore crucial that, if you are a white hat hacker, you take the necessary steps to ensure you are authorized and protected against any accusation of wrongdoing. An unethical black hat hacker does not have the luxury of this umbrella.

As the cybersecurity and information technology field evolves, hackers who were once classified as ethical have begun to dabble in the dark side. Even though cybersecurity professionals are in high demand, demand for that skill set is expected to grow by 400% by 2020, and unfilled positions are expected to exceed 3.5 million by 2021, it is sometimes difficult to land jobs that pay these individuals what they are truly worth. As a result, ethical hackers with the knowledge are beginning to take on side projects that fall into the grey zone, or even into black hat hacking. The reasoning is of course monetary: the reward far outweighs the risk involved.

The tools and techniques have become very sophisticated, and with proper training, once the foundation has been laid, the means to make supplemental income can be very lucrative. As the popularity of the dark web continues to grow exponentially and breaches of multibillion-dollar companies such as Facebook, Equifax and Target, to name a few, occur on a daily basis, the means of exploiting this reality are limited only by the imagination. I personally have been presented with the opportunity over the last several years to step into the dark side, as the return on investment is quite high, but my moral fiber has prevented me from doing so.

Without further ado, let's explore the second stage of the hacking lifecycle, the “Scanning” phase. I have again included the cyclical diagram below for your viewing enjoyment and as a reminder of the five phases.

The following steps illustrate the standard operating protocol used to infiltrate and own a system:

  • Reconnaissance

  • Scanning of System (External/Internal)

  • Gaining Access

  • Maintain Access & Elevate Privileges

  • Cover Tracks & Remain Dormant


Here are a few examples of the more commonly used scanning tools, in free and paid versions, that are widely used commercially and available on the open market:

  • Nmap

  • Burp Suite

  • Nexpose

  • Nessus

  • Qualys

These vulnerability scanners are commonly used within information security departments and by the white hat hacking community. These free and commercial applications cover port scanning, service scanning, systems reconnaissance, vulnerability scanning and any other type of network mapping. However, personally I will often resort to lesser-known scanning engines available through certain operating systems specifically designed for hackers, like Kali Linux, which is one of the more popular flavors of Linux explicitly designed to appeal to the hacker mindset. I will refrain from listing any of these to avoid legal reprimand.

I previously mentioned that scanning may be carried out either internally or externally. If you are an ethical hacker performing a legitimate hack on a system, there are certain types of engagement to consider. A legitimate hack falls into one of three categories: a black box, grey box, or white box hack. The following definitions cover each of those categories:

  • Black Box - In this schema, oftentimes no information is given to the penetration tester: not the location of the company, type of company, number of employees, industry, types of systems and services, IP addresses, domain names, or really any useful information that could help initiate the engagement. Usually the only information given is the name of the company, and that's about it.

  • Grey Box - This methodology falls somewhere between the Black Box and White Box concepts, hence the term Grey Box. Here the ethical hacker is shown a little compassion, and a certain amount of restricted information is disclosed to those conducting the reconnaissance and scanning phases. The information supplied by the customer may consist of the size of the company, the industry it is in, its location, and usually a vague description of the operating systems, database types, applications and network infrastructure that make up its information technology architecture.

  • White Box - If one is lucky enough to be contracted to perform this type of hack, they will usually receive the keys to the kingdom. All of the information that was previously undisclosed is now handed to them on a silver platter. Not only will they obtain the information listed above, but they will usually get their own accounts, credentials including passwords and login information for various systems, source code, and VPN access into confidential, restricted internal spaces that are inaccessible from external, outward-facing systems and services and from the public. This usually includes access to the demilitarized zone (DMZ) and the internal network.

Passive vs. Active

Scanning also falls into two categories, passive and active. Below is a brief description of each type and its positive and negative attributes. It is also important to note that if you are an ethical hacker who has been contracted, or who works for a company that provides assessments or penetration testing, it is critical that legal documents such as Non-Disclosure Agreements (NDAs) and Service Level Agreements (SLAs) are in place. The primary reason is that, depending on the country, state or city in which the work is carried out, it may be illegal to conduct such operations. These documents provide a level of blanket legal protection for the actions associated with mapping an organization's network.

  • Passive: Passive scanning is considered the less obtrusive type of scan, and is often referred to as less “noisy” than an active scan. This form of scanning can last anywhere from weeks to months or even years. The positive aspect of this type is that intrusion detection systems (IDS), firewalls (FW), security information and event management (SIEM), next-generation endpoint protection (NG-EPP) and other security appliances or applications will not be able to pick up on the passive scan. The obvious downside is that it takes a very long time and the results can be limited.

  • Active: Active scanning is the more intrusive type of scan and is considered extremely noisy. This means that the security tooling deployed within the network infrastructure being scanned will very quickly pick up on the fact that it is being mapped. At that point any of the security tools previously mentioned will block the IP address originating the activity. There are of course ways around this, such as using proxies or scripts that change the IP address or URL used by the scanning engine every second, making it difficult to trace. The negative aspect is that, because the scan is so noisy and obvious, the IP will get dropped immediately, or the hacker could be lured into a honeypot or honeynet for observation, with the illegal actions reported to the authorities. The upside is that the results are very quick: the greater the risk, the greater the reward.

IncMan SOAR Playbook: Suspicious Network Activity Template

IncMan SOAR from DFLabs provides a ready-made Playbook template for suspicious network activity. Within the seven stages of the Incident Response progression, step-by-step methods are applied to satisfy specific requirements and obligations under defined guidelines. This template also allows an organization to tailor it to the needs of its environment or industry. Removing human intervention through automation ensures that service level agreements are met and that action is taken in a timely manner as soon as the alert is created and a potential incident is triggered. Without going into too much depth on the particulars of the Suspicious Network Activity template, a few of the steps include, but are not limited to:

  • Proper use of security tools or appliances to block the attack

  • Determine acceptable mitigation measures for business-critical traffic

  • Terminate unwanted connections or processes on affected machines

  • Consider involving Computer Security Incident Response Teams (CSIRTs) and law enforcement if required

  • Actions to improve network intrusion management proceedings
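The post makes two points that are worth seeing in working code: an active scan is noisy enough that security tooling picks it up almost immediately, and a playbook then turns that detection into blocking, connection termination and escalation. The following Python script is an added example written for this article, not DFLabs code and not IncMan SOAR's playbook schema; the firewall log format, the sliding-window thresholds, the action names and the RFC 5737 documentation addresses in the sample log are all constructed assumptions. It runs over a handful of constructed firewall lines, flags the source that sweeps many ports within a short window, and maps that finding onto the response steps listed above, routing business-critical targets to a manual mitigation decision instead of an automatic connection kill.

```python
"""Detect noisy active scanning in firewall connection logs and emit the
response actions a SOAR playbook would automate.

Constructed example: the log format, thresholds and action names are
assumptions, not IncMan SOAR's own schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO timestamp>Z src=<ip> dst=<ip> dport=<n> action=<ALLOW|DENY>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Assumed thresholds: one source touching this many distinct ports or
# hosts inside a 60 second window is treated as an active scan.
WINDOW = timedelta(seconds=60)
PORT_THRESHOLD = 15
HOST_THRESHOLD = 10


def parse_line(line):
    """Parse one firewall line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_scans(lines):
    """Return {src_ip: finding} for sources whose activity inside any
    WINDOW exceeds the port or host thresholds (the busiest window wins)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until every event fits in WINDOW.
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            window = events[start:end + 1]
            ports = {e["dport"] for e in window}
            hosts = {e["dst"] for e in window}
            hit = len(ports) >= PORT_THRESHOLD or len(hosts) >= HOST_THRESHOLD
            if hit and (best is None or len(ports) > best["distinct_ports"]):
                best = {
                    "kind": "port_sweep" if len(ports) >= PORT_THRESHOLD else "host_sweep",
                    "distinct_ports": len(ports),
                    "targets": sorted(hosts),
                    "first_seen": window[0]["ts"].isoformat(),
                }
        if best:
            findings[src] = best
    return findings


def playbook_actions(findings, critical_hosts=frozenset()):
    """Map each finding onto the playbook steps: block the source, terminate
    connections on affected hosts, send business-critical targets to a manual
    mitigation decision, and escalate to the CSIRT."""
    actions = []
    for src, f in findings.items():
        actions.append({"step": "block_source", "target": src})
        for host in f["targets"]:
            if host in critical_hosts:
                actions.append({"step": "review_mitigation", "target": host, "peer": src})
            else:
                actions.append({"step": "terminate_connections", "target": host, "peer": src})
        actions.append({"step": "escalate_csirt", "target": src, "kind": f["kind"]})
    return actions


# Constructed sample log: one source sweeping 16 ports on a single host
# within 16 seconds, plus a normal client making a few web requests.
SAMPLE_LOG = [
    f"2024-05-01T09:00:{i:02d}Z src=203.0.113.7 dst=192.0.2.10 dport={port} action=DENY"
    for i, port in enumerate(
        [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3306, 3389]
    )
] + [
    "2024-05-01T09:00:05Z src=198.51.100.4 dst=192.0.2.10 dport=443 action=ALLOW",
    "2024-05-01T09:00:09Z src=198.51.100.4 dst=192.0.2.10 dport=443 action=ALLOW",
    "2024-05-01T09:00:40Z src=198.51.100.4 dst=192.0.2.11 dport=80 action=ALLOW",
]


def run_sample():
    """Run detection and the playbook over the constructed log; 192.0.2.10 is
    marked business-critical so its mitigation is reviewed, not automated."""
    findings = detect_scans(SAMPLE_LOG)
    return findings, playbook_actions(findings, critical_hosts={"192.0.2.10"})


if __name__ == "__main__":
    found, acts = run_sample()
    for src, f in found.items():
        print(f"{src}: {f['kind']} ({f['distinct_ports']} ports) on {f['targets']}")
    for a in acts:
        print(a)
```

The normal client is never flagged because it touches two ports on two hosts, far below either threshold, which is the property a detector like this needs before its output is allowed to drive an automatic block; the business-critical branch is what keeps the "acceptable mitigation for critical traffic" step a human decision rather than a blind kill.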


This concludes the second part of the hacker lifecycle. To briefly recap: once the first stage, Reconnaissance, has been executed, it is time to begin the Scanning routine. It is during this phase that a company's network infrastructure can be mapped to determine which services and systems are in use. The complexity of an organization's security posture, and how noisy the scanning is, will determine whether or not the scanning engine is blocked.

Additionally, a company may rely on IncMan SOAR's “Suspicious Network Activity” Playbook to provide the needed defensive capabilities through an automated sequence of steps designed to guarantee protection.

Stay tuned for the next chapter as we explore the third phase of the hacker lifecycle classified as “Gaining Access.”
