Phase 1 – Reconnaissance
Gathering preliminary data or intelligence on your target. Reconnaissance can be performed passively (using only public sources such as WHOIS, DNS, certificate transparency logs and search engines, so the target sees no traffic from you) or actively (sending traffic to the target's systems, which can show up in its logs). In this phase you learn as much as possible about the target business and how it operates. It includes identifying the target, finding out the target's IP address ranges, networks, domain names, mail servers, DNS records, etc.
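The following is an added example of the passive side of this phase, not code from the original page. It takes the kind of JSON that a Certificate Transparency search (crt.sh with output=json, whose records carry a newline-separated name_value field) returns and turns it into a list of hostnames, then summarises a set of DNS answers into the netblocks, mail servers, name servers and SPF ranges an attacker wants. All of the JSON and DNS records below are constructed sample data, not real lookups, and the field names of the result dictionary are the author's own choice.

```python
"""Passive reconnaissance helpers (added example, not from the original page).

CT_JSON mirrors the shape of a crt.sh JSON response; DNS_ANSWERS mirrors
`dig +noall +answer` output.  Both are constructed sample data.
"""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample: what a CT log search for %.example.com might return.
CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.dev.example.com\ndev.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1", "name_value": "VPN.Example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.com.evil.test"},
])

# Constructed sample DNS answers for the same target (documentation ranges).
DNS_ANSWERS = """\
example.com.        3600 IN A    203.0.113.10
example.com.        3600 IN A    203.0.113.11
www.example.com.    300  IN A    203.0.113.20
vpn.example.com.    300  IN A    198.51.100.5
example.com.        3600 IN MX   10 mail.example.com.
example.com.        3600 IN MX   20 mail2.example.com.
example.com.        3600 IN NS   ns1.example.com.
example.com.        3600 IN TXT  "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all"
"""


def hostnames_from_ct(json_text, domain):
    """Unique hostnames under `domain` from CT search JSON.

    Wildcard entries are reduced to their base name, names are lowercased,
    and look-alikes such as example.com.evil.test are rejected because they
    do not end with ".example.com".
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(json_text):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def parse_answers(text):
    """Group dig-style answer lines by record type as (owner, rdata) pairs."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        # rdata may contain spaces (TXT, MX), so split at most four times.
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records[rtype].append((name.rstrip("."), rdata))
    return records


def recon_summary(text, prefix=24):
    """Collapse DNS answers into the assets a recon report lists."""
    records = parse_answers(text)
    ips = sorted({rdata for _, rdata in records["A"]}, key=ipaddress.ip_address)
    # Each A record hints at a netblock worth scanning later; /24 is an assumption.
    netblocks = sorted({str(ipaddress.ip_interface(f"{ip}/{prefix}").network) for ip in ips})
    mx = [rdata.split()[1].rstrip(".")
          for _, rdata in sorted(records["MX"], key=lambda r: int(r[1].split()[0]))]
    ns = sorted(rdata.rstrip(".") for _, rdata in records["NS"])
    spf_ranges, spf_includes = [], []
    for _, rdata in records["TXT"]:
        txt = rdata.strip('"')
        if txt.startswith("v=spf1"):  # SPF leaks outbound mail ranges and providers
            spf_ranges += re.findall(r"ip4:(\S+)", txt)
            spf_includes += re.findall(r"include:(\S+)", txt)
    return {"hosts": ips, "netblocks": netblocks, "mail_servers": mx,
            "name_servers": ns, "spf_ranges": spf_ranges, "spf_includes": spf_includes}


if __name__ == "__main__":
    print(hostnames_from_ct(CT_JSON, "example.com"))
    print(recon_summary(DNS_ANSWERS))
```

Nothing here contacts the target: the CT data comes from the log operators and the DNS answers from resolvers, which is what makes this phase passive. The SPF record is worth reading carefully in practice, since it names outbound mail ranges and third-party providers that a later phishing or mail-spoofing test has to account for.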
Phase 2 – Scanning
Scanning perimeter and internal network devices looking for weaknesses. This phase requires technical tools to gather further intelligence on the systems the target has in place. It includes scanning the target for running services, open ports, firewall detection, vulnerability identification, OS detection, etc. Unlike passive reconnaissance, scanning sends packets to the target, so it is visible in firewall and IDS logs; the scan rate, timing and source addresses are part of the plan.
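As an added example of this phase (not code from the original page), here is a small TCP connect scanner with banner grabbing, the same technique as an `nmap -sT` scan rather than a SYN scan, which would need raw sockets and privileges. So that it runs offline, the block also starts a throwaway loopback service that plays the role of the target; the banner strings, port choices and the service-guessing patterns are constructed for the example and are not a fingerprint database.

```python
"""TCP connect scan with banner grab (added example, not from the original page).

start_fake_service() stands in for a target host so the scan runs offline;
the banners and fingerprint rules are constructed assumptions.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_fake_service(banner: bytes) -> int:
    """Background loopback listener that sends `banner` to each client.

    Returns the ephemeral port it is bound to.  Stands in for a real target.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_loopback_port() -> int:
    """Reserve and release a loopback port so we have a known-closed one."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=0.5):
    """Connect scan one port.

    Returns (port, state, banner): a completed handshake is 'open', an RST
    (connection refused) is 'closed', and a timeout is reported as 'filtered',
    the same convention nmap uses for a host that silently drops packets.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return port, "closed", b""
    except (socket.timeout, OSError):
        s.close()
        return port, "filtered", b""
    try:
        banner = s.recv(256)   # services like SSH/SMTP/FTP speak first
    except (socket.timeout, OSError):
        banner = b""
    finally:
        s.close()
    return port, "open", banner


def scan(host, ports, timeout=0.5, workers=64):
    """Probe `ports` concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: (state, banner) for port, state, banner in results}


def guess_service(banner: bytes) -> str:
    """Crude banner fingerprint (assumed patterns, not a real signature set)."""
    b = banner.lower()
    if b.startswith(b"ssh-"):
        return "ssh"
    if b.startswith(b"220 ") and b"smtp" in b:
        return "smtp"
    if b.startswith(b"220 ") and b"ftp" in b:
        return "ftp"
    return "unknown"


if __name__ == "__main__":
    target_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    for port, (state, banner) in sorted(scan("127.0.0.1", [target_port, free_loopback_port()]).items()):
        print(port, state, guess_service(banner), banner)
```

Two practical points the code makes concrete: a connect scan completes the TCP handshake, so every open port it finds is an accepted connection in the target's logs, and a timeout is not the same as a closed port, so the 'filtered' state needs a second look (a different source, slower timing or a UDP/ICMP check) before it is written off.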
Phase 3 – Gaining Access
Taking control of one or more network devices in order to either extract information of value or use the network as a launch site for attacks against other targets. It includes exploiting the vulnerabilities found during scanning, social engineering, etc.
Phase 4 – Maintaining Access
Having gained access, you now take the steps needed to maintain that access long enough to gather as much data as possible. In this phase you must remain stealthy so as not to get caught while using the host environment. It includes privilege escalation and installing a backdoor on the target machine or network so that you can keep the access you gained and connect to the target at any time, etc. Keep a record of every implant and account you create, since each one has to be removed in the final phase.
Phase 5 – Covering Tracks
Take the necessary steps to hide the intrusion and any controls left behind for future visits. Remove the log entries that record the attack, the uploaded backdoor(s) and anything else related to it. Note that wiping entire logs is itself a loud indicator; a gap in a log is often what an incident responder notices first.