1.2 The Five Phases of Ethical Hacking
Key Takeaways
- EC-Council's hacking methodology has five phases: Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Clearing Tracks (covering tracks)
- Reconnaissance splits into passive (no direct contact, e.g., OSINT, WHOIS, DNS) and active (direct probing) information gathering
- Scanning turns reconnaissance data into a live attack-surface map: open ports, services, versions, and known vulnerabilities
- Gaining Access is exploitation and privilege escalation; Maintaining Access is persistence (backdoors, rootkits); Clearing Tracks is anti-forensics like log tampering
- The five phases map onto the 20 CEH modules and ~550 attack techniques; an ethical hacker never destroys a client's logs during Clearing Tracks
Why the Five Phases Matter
EC-Council frames an attack as a repeatable five-phase methodology, and CEH v13 explicitly integrates AI assistance into each phase. Almost every later CEH domain — reconnaissance, scanning, enumeration, system hacking, evasion — is one of these phases studied in depth. Memorize the order and the intent of each phase: exam questions frequently describe an activity and ask you to classify it into the correct phase, or ask which phase comes next.
The Five Phases
| # | Phase | Attacker Goal | Representative Tools/Activities | Primary Defensive Control |
|---|---|---|---|---|
| 1 | Reconnaissance | Gather information about the target | OSINT, WHOIS, nslookup/dig (DNS), Maltego, theHarvester, Shodan, Google dorks | Minimize public footprint, monitor brand/domain mentions |
| 2 | Scanning | Map the live attack surface | Nmap (port/service/version), Nessus/OpenVAS (vuln scan), Netcat banner grab | Network segmentation, IDS/IPS, reduce exposed services |
| 3 | Gaining Access | Exploit a weakness for a foothold | Metasploit, Hydra/John/Hashcat (password attacks), SQLmap, exploit code | Patching, least privilege, input validation, MFA |
| 4 | Maintaining Access | Keep persistent control | Backdoors, rootkits, trojans, scheduled tasks, new accounts, C2 channels | EDR, file-integrity monitoring, baseline review |
| 5 | Clearing Tracks | Hide evidence of intrusion | Log deletion/editing, clearev (Meterpreter), timestomping, removing tools | Centralized tamper-evident logging (SIEM), write-once storage |
Phase 1 — Reconnaissance (Footprinting)
Reconnaissance, also called footprinting, is information gathering. It divides into two sub-types:
- Passive reconnaissance — no direct interaction with the target's systems. Examples: public records, social media, search-engine data (Google dorking), WHOIS, DNS, Shodan. Very hard for the target to detect because the attacker never touches the target's infrastructure.
- Active reconnaissance — direct interaction such as DNS zone-transfer attempts, banner grabbing, or social engineering of employees. It yields richer data but is observable and can trigger alerts.
Phase 2 — Scanning
Scanning converts recon data into a concrete map: which hosts are alive (host discovery / ping sweeps), which ports are open, which services and versions run, and which known vulnerabilities exist. The canonical tool is Nmap; vulnerability scanners such as Nessus and OpenVAS automate the vuln-discovery step. Detective controls (IDS/IPS, NetFlow monitoring) are most effective here because scanning generates noticeable traffic.
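Because scanning is noisy, the detective control is usually a threshold rule on connection logs. As an added example (not from the CEH material), this Python script parses constructed firewall lines and flags a source that touches many distinct ports on one host within a short window; the log format, TEST-NET addresses, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (TEST-NET documentation addresses, not a real capture).
# 203.0.113.7 touches eight ports on one host within five seconds; 203.0.113.9 is a normal client.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SRC=203.0.113.7 DST=198.51.100.10 DPT=21 ACTION=DROP
2024-05-01T10:00:00 SRC=203.0.113.7 DST=198.51.100.10 DPT=22 ACTION=ACCEPT
2024-05-01T10:00:01 SRC=203.0.113.7 DST=198.51.100.10 DPT=23 ACTION=DROP
2024-05-01T10:00:02 SRC=203.0.113.7 DST=198.51.100.10 DPT=25 ACTION=DROP
2024-05-01T10:00:02 SRC=203.0.113.7 DST=198.51.100.10 DPT=80 ACTION=ACCEPT
2024-05-01T10:00:03 SRC=203.0.113.7 DST=198.51.100.10 DPT=139 ACTION=DROP
2024-05-01T10:00:04 SRC=203.0.113.7 DST=198.51.100.10 DPT=445 ACTION=DROP
2024-05-01T10:00:05 SRC=203.0.113.7 DST=198.51.100.10 DPT=3389 ACTION=DROP
2024-05-01T10:00:05 SRC=203.0.113.9 DST=198.51.100.10 DPT=443 ACTION=ACCEPT
2024-05-01T10:09:00 SRC=203.0.113.9 DST=198.51.100.10 DPT=80 ACTION=ACCEPT
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) ACTION=(\w+)$")

def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, _action = m.groups()   # action is parsed but not used for the rule
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def detect_port_scans(text, min_ports=8, window_seconds=60):
    """Return one alert dict per (src, dst) pair that hits >= min_ports distinct ports within the window."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        events[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):            # slide the window from every hit
            ports = {p for t, p in hits[i:] if t - start <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            alerts.append({"src": src, "dst": dst, "distinct_ports": best})
    return alerts

if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(f"possible scan: {a['src']} -> {a['dst']} ({a['distinct_ports']} ports in window)")
```

Tune min_ports and window_seconds to the environment; a vulnerability scanner or a monitoring host will trip the same rule and should be allow-listed rather than the threshold raised for everyone.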
Phase 3 — Gaining Access
This is exploitation — turning a discovered weakness into a foothold, then often escalating privilege from a normal user to root/administrator. Tools include the Metasploit Framework (exploit delivery), password crackers (Hydra online, John the Ripper/Hashcat offline), and injection tools (SQLmap). The exam tests why an exploit works and which control would have prevented it (patching, least privilege, input validation, MFA) — not exploit syntax.
Phase 4 — Maintaining Access (Persistence)
The attacker establishes persistence so a reboot or password change does not lock them out — via backdoors, rootkits, trojans, scheduled tasks, or rogue accounts — and may pivot to other hosts and establish command and control (C2). Endpoint detection and response (EDR) and file-integrity monitoring are the key countermeasures.
Phase 5 — Clearing Tracks (Covering Tracks)
The attacker performs anti-forensics to erase evidence: editing or deleting logs, timestomping (altering file timestamps), disabling auditing, and removing tools. Ethical hackers do not destroy client logs. Full, preserved logging supports the engagement report, lets the blue team validate detection, and maintains the client's forensic trail.
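The tamper-evident logging control listed in the table above, as an added example that is not part of the CEH material: a SHA-256 hash chain in which each log entry's hash covers the previous entry's hash, so an edited or deleted entry breaks verification. The event fields, the sample events and the all-zero genesis value are constructed for the example.

```python
import hashlib
import json

# Constructed sample events (not real logs); the chain links each entry to the one before it.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "web01", "msg": "sshd: Accepted password for svc from 203.0.113.7"},
    {"ts": "2024-05-01T10:00:07", "host": "web01", "msg": "sudo: svc : TTY=pts/0 ; COMMAND=/bin/bash"},
    {"ts": "2024-05-01T10:00:30", "host": "web01", "msg": "useradd: new user: name=backup2"},
    {"ts": "2024-05-01T10:01:00", "host": "web01", "msg": "sshd: Disconnected from 203.0.113.7"},
]

GENESIS = "0" * 64   # fixed starting value for the first link

def entry_hash(prev_hash, event):
    """SHA-256 over the previous hash plus the canonical JSON of the event."""
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(events):
    """Return a list of {"event": ..., "hash": ...}; each hash depends on every earlier entry."""
    chain, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        chain.append({"event": ev, "hash": h})
        prev = h
    return chain

def verify_chain(chain, expected_head=None):
    """Return (ok, index): index is the first broken link, or None when the chain is intact.
    An edited entry breaks its own hash; a deleted entry breaks the hash of the entry after it;
    a truncated tail is only caught when expected_head (the last hash stored off-host) is given."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(chain))
    edited = [dict(e) for e in chain]                      # simulate log editing on a copy
    edited[2]["event"] = dict(edited[2]["event"], msg="cron: session opened")
    print("after edit:", verify_chain(edited))
    print("after deletion:", verify_chain(chain[:2] + chain[3:]))
```

The chain only proves integrity relative to a trusted head: an attacker with write access to the whole file can rebuild every link, so the latest hash must leave the host (to the SIEM or write-once storage the table names) and be passed back as expected_head at verification time.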
Mapping Phases to the 20 CEH Modules
The CEH v13 curriculum is 20 modules covering 550+ attack techniques, and they map cleanly onto the five phases: Module 1 (Introduction) sets context; Modules 2–4 (Footprinting, Scanning, Enumeration) are Recon + Scanning; Modules 5–6 (Vulnerability Analysis, System Hacking) plus 7–12 (Malware, Sniffing, Social Engineering, DoS, Session Hijacking, Evasion) drive Gaining/Maintaining/Clearing; Modules 13–20 (Web Servers, Web Apps, SQL Injection, Wireless, Mobile, IoT/OT, Cloud, Cryptography) are attack surfaces exercised across phases 2–4. Thinking in phases keeps the large blueprint coherent rather than a flat list of 20 modules.
Enumeration: The Bridge Between Scanning and Access
Between scanning and gaining access sits enumeration, an active extraction of detailed information from services the scan revealed — usernames, share names, group memberships, routing tables, and SNMP data. Where scanning answers what is open, enumeration answers what is behind it. Classic enumeration targets and ports include NetBIOS (137-139), SMB (445), SNMP (161 UDP), LDAP (389), SMTP (25), NTP (123), and DNS (53). A successful enumeration of valid usernames, for example, turns a blind password-spray into a targeted attack — which is exactly why it is the natural bridge to Phase 3.
Tools by Phase (Exam-Ready Summary)
| Phase | Go-To Tools the Exam Names |
|---|---|
| Recon | Maltego, theHarvester, Shodan, Recon-ng, WHOIS, Google dorks |
| Scanning | Nmap, Hping3, Nessus, OpenVAS, Netcat |
| Enumeration | Enum4linux, snmp-check, ldapsearch, NetBIOS tools |
| Gaining Access | Metasploit, Hydra, John the Ripper, Hashcat, SQLmap |
| Maintaining Access | Netcat backdoors, rootkits, Meterpreter persistence |
| Clearing Tracks | Meterpreter clearev, timestomp, log editors |
Memorize a couple of representative tools per phase; CEH loves to give a tool name and ask which phase it belongs to, or vice versa.
Methodology Flow
Place the five phases of ethical hacking in EC-Council's standard order, from first to last.
A tester reviews the target company's public DNS records with nslookup, its LinkedIn employee list, and WHOIS data without sending any traffic to the company's production systems. Which phase and sub-type is this?
Which tool is most associated with Phase 2 (Scanning), where the goal is to discover live hosts, open ports, and service versions?