Chapter 3: The Hacking Process

In short, ethical hacking, performed by white hat hackers, is a term used to describe defensive hacking for companies and organizations, which involves the identification of potential threats on a computer or network. Like all good projects, ethical hacking also has a set of distinct phases, which help hackers carry out a structured ethical hacking attack. Different security training manuals explain the process of ethical hacking in different ways, but in my experience, the entire process can be categorized into the following six phases:

Reconnaissance

What is Reconnaissance? In the dictionary sense, it is a preliminary
survey carried out to obtain information. An example is the
exploratory surveys that militaries conduct on territory belonging to
the enemy. When it comes to cyber-security, Reconnaissance is a way of
gathering information on a target using different techniques. When
performing this exercise, three main kinds of information are of
interest to an ethical hacker:
1. The Network.
2. The Host.
3. Users/People involved.

Steps in Performing a Reconnaissance Exercise

In ethical hacking, the first step is normally meant to help a penetration
tester better understand their targets. This is done under a category that is
collectively known as Information Gathering. Within it, we have
something known as Reconnaissance, which we define as a set of
techniques and processes used in the discovery and collection
of crucial information about a target. They include Scanning, Enumeration
and Foot-printing. In a Reconnaissance exercise, an ethical
hacker tries to gather as much information about a target system as
possible, following the seven steps listed below:
1. Collecting initial information.
2. Determining the network’s range.
3. Identifying active machines.
4. Discovering the available access points and open ports.
5. Operating system fingerprinting.
6. Scanning for services running on the various ports.
7. Network mapping.
Reconnaissance is categorized into two major parts.
1. Active Reconnaissance: Active reconnaissance involves direct contact
with your target’s computer system to gain information, and information
obtained directly is accurate. There is the risk of being caught in the
process of active reconnaissance without permission, but most hacking
activities require active recon.
2. Passive Reconnaissance: In this process, you will not be directly
connected to the target’s computer system. This process is used to gather essential
information without ever interacting with the target systems.

Enumeration

Enumeration, in the literal sense, is the complete, orderly listing of the
items in a collection. In hacking, enumeration is the
act of making a list of policies, user accounts, shares and other resources.
This step happens just before vulnerability assessment and after scanning.
It helps the attacker put together the best strategy for gaining access.
Enumeration can be used to gain information on:
1. Users and groups
2. Networks and shared paths
3. Hostnames
4. Route tables
5. Service settings
6. SNMP port scanning
7. DNS details, applications and banners.
Enumeration can be done with the following tools. On the Windows
operating system, NetBIOS names are enumerated with commands such as:
• net accounts
• net config server
• net config workstation
• net view

Scanning

This is a procedure used to identify the services, active
hosts and ports used by the target application. Say you
wish to unearth the vulnerabilities in a system: what you need is a
point in the system that you can attack. In ethical hacking, Network Scanning
is employed to find such points. These are the points that Black Hats use
to penetrate a system. After discovering them, the relevant teams
can then direct their efforts to improving the system. We know that all
organizations have networks, which can be internal or
connected to the internet. To hack these networks, you must first find a
vulnerable point within them so that you can use it to carry out exploits.
Network Scanning is the method we employ to discover such
points within a network.

Network Scanning Objectives

1. It helps in the discovery of open ports, live computers or hosts
and the IP address of the victim.
2. Network scanning makes it possible to identify the services
which are running on the host computer.
3. It also aids in the discovery of the system architecture and the
operating system of the target.
4. Scanning Live hosts enables us to unearth and mitigate
vulnerabilities.

How is Network Scanning different from Reconnaissance?

To help you understand the difference between the two, I am going to use
an analogy. Assume that you are a commander in the army and you and your
team have been tasked with carrying out an attack on a
terrorist camp. We are going to assume that you already have an idea of
the camp’s location and details about its vicinity. This
is information normally obtained through Reconnaissance. You will
still be required to identify an entry point to the terrorist camp so that you
can launch your attack. This is what we are calling Network Scanning.
We can confidently conclude that Reconnaissance is a technique you will
use for gathering information to help you know more about your target. On
the other hand, Network Scanning is a technique you will employ to help
you locate possible vulnerable points within the network. It is through
these points that one can penetrate a targeted network. Based on the
information revealed by the scan, Network Scanning can be divided into
two main categories:
1. Port Scanning
2. Vulnerability Scanning

Port Scanning

From the name, we can deduce that Port Scanning is a way of identifying
active ports on the network. A Port Scanner works by transmitting requests
from a client to the range of ports on the network being
targeted. The details about the ports are saved and a response
is then transmitted back. This, good readers, is how active ports are found.
Upon acquiring a target’s IP address (through scanning a victim
organization’s UDP and TCP ports), the hacker will proceed to map the
organization’s network and bring it under his/her grasp.

Types of Port Scanning

SYN Scan: In this mode of scanning, the TCP three-way handshake
is not completed. Here, a hacker or penetration tester sends the
victim a SYN packet. If a SYN/ACK frame is received in response,
the target is ready to complete a connection and the port is
listening. Receiving an RST from the target means that the port is
not active or is closed. This type of scan has the advantage that
only a few IDS systems will log it as a connection attempt or
an attack.

XMAS Scan: The scan transmits a packet with the PSH (push), URG
(urgent) and FIN (finish) flags set. If the port is open, we do not
expect a response; if the port is closed, the target responds with an RST/ACK
packet (RST = reset).

FIN Scan: This scan is similar to an XMAS scan with one
exception: a FIN scan transmits packets with just the FIN (finish) flag set,
without the other two flags (URG and PSH). The response
is the same as for an XMAS scan, and the two scans share the same
limitations.

IDLE Scan: This kind of scan uses a spoofed IP address to send
a SYN packet to the target, and determines whether the port is open or
closed from the responses to the port scan together with the sequence of
IP header identification numbers.

Inverse TCP Flag Scan: In this case, a hacker transmits TCP probe
packets with a single TCP flag set (FIN, URG or PSH) or with no flags set. No
response indicates that the port is open, while an RST means the port is
closed.

ACK Flag Probe Scan: In this type of port scanning, an intruder
transmits TCP probe packets with the ACK flag set to a
remote device and analyzes the header information of the reply. This
information comprises the WINDOW and TTL fields. The RST packet is
used to tell whether the port is open or closed. This scan can also be
used to check a target's filtering system.

Vulnerability Scanning

Essentially speaking, this is a type of Network Scanning that we use in our
search for a network’s weak points. Vulnerability Scanning unearths the
vulnerabilities which can arise because of a misconfiguration of the
network or due to poor programming. Before we go far, let us have a look
at a few tools used for Network Scanning.

Tools for scanning networks and ports

Nmap: used to extract information such as operating
systems, types of packet filters/firewalls, live hosts on the network,
services and operating system versions.

Angry IP Scanner: this tool can be used to scan for IP addresses on
systems available in a given input range.

SuperScan: this is a powerful tool from McAfee. Besides being a
TCP port scanner, it can also be used for pinging.

Zenmap: this scanner has a very powerful graphical user interface
that can help one detect the OS version and perform port scanning, OS
detection, ping sweeps, etc.

Net Scan Tool Suite Pack: this refers to a collection of different utilities
and tools used for web ripping, port scans, mass
mailing and flooding. Note that the tool is a trial version, but paid
versions are also available.

OmniPeek and Wireshark are well-known and powerful tools used
for listening to network traffic. Both tools can be used as network
analyzers.

Countermeasures against scanning

1. System administrators can set up IDS and firewalls to not only
detect, but also block any probing attempts.
2. Employ custom rules that lock down the network and
bar any unwanted ports.
3. A user can run port scanning tools to ascertain whether the
firewall accurately detects port scanning activity.
4. Security experts are required to make sure that anti-spoofing and
anti-scanner rules are set up correctly.
5. System and network managers need to ensure that the firewall
firmware, IDS and routers are up to date.
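The countermeasures above rely on an IDS telling probe traffic apart from ordinary connections. As an added example that is not from this chapter, the following Python script applies that idea to a few constructed flow records: it classifies each packet's TCP flag combination into the scan types described earlier (SYN, XMAS, FIN, NULL, ACK) and raises an alert when a source either sends a flag combination no legitimate client uses or touches many distinct ports on one host. The record format and the five-port threshold are assumptions.

```python
"""Flag port-scan behaviour in constructed flow records (added example)."""
from collections import defaultdict

# Constructed sample records, not real traffic: "src dst dport flags".
# Flag letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST; "-" means no flags set.
# 10.0.0.5 sweeps six ports with bare SYNs, 10.0.0.7 is a normal client
# completing a handshake on 443, and 10.0.0.9 sends XMAS and NULL probes.
SAMPLE_RECORDS = """\
10.0.0.5 192.168.1.10 21 S
10.0.0.5 192.168.1.10 22 S
10.0.0.5 192.168.1.10 23 S
10.0.0.5 192.168.1.10 25 S
10.0.0.5 192.168.1.10 80 S
10.0.0.5 192.168.1.10 443 S
10.0.0.7 192.168.1.10 443 S
10.0.0.7 192.168.1.10 443 A
10.0.0.7 192.168.1.10 443 PA
10.0.0.9 192.168.1.10 80 FPU
10.0.0.9 192.168.1.10 81 -
"""

# Flag combinations that no legitimate client uses to open a connection;
# a single one of these is enough to raise an alert.
ANOMALOUS_PROBES = {
    frozenset("FPU"): "XMAS",
    frozenset("F"): "FIN",
    frozenset(): "NULL",
}


def classify_probe(flags):
    """Map a flag string onto the scan types described in the chapter."""
    flag_set = frozenset(flags.replace("-", ""))
    if flag_set in ANOMALOUS_PROBES:
        return ANOMALOUS_PROBES[flag_set]
    if flag_set == {"S"}:
        return "SYN"   # half-open probe, or the start of a real handshake
    if flag_set == {"A"}:
        return "ACK"   # ACK probe, or normal traffic on an open connection
    return "other"


def parse_records(text):
    """Turn the text records into (src, dst, port, flags) tuples."""
    records = []
    for line in text.strip().splitlines():
        src, dst, port, flags = line.split()
        records.append((src, dst, int(port), flags))
    return records


def detect_scans(records, port_threshold=5):
    """Return one alert per (src, dst) pair that looks like a scan.

    SYN and ACK packets are normal on their own, so they only count toward
    the distinct-port sweep threshold; XMAS, FIN and NULL probes are
    reported as soon as one is seen.
    """
    seen = defaultdict(lambda: {"ports": set(), "probes": set()})
    for src, dst, port, flags in records:
        entry = seen[(src, dst)]
        kind = classify_probe(flags)
        if kind in ("SYN", "ACK"):
            entry["ports"].add(port)
        elif kind in ANOMALOUS_PROBES.values():
            entry["ports"].add(port)
            entry["probes"].add(kind)
    alerts = []
    for (src, dst), entry in sorted(seen.items()):
        reasons = sorted(entry["probes"])
        if len(entry["ports"]) >= port_threshold:
            reasons.append(f"{len(entry['ports'])} distinct ports probed")
        if reasons:
            alerts.append({"src": src, "dst": dst, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_records(SAMPLE_RECORDS)):
        print(alert["src"], "->", alert["dst"], ";", "; ".join(alert["reasons"]))
```

A real IDS would also bound the time window, since a slow scan spread over hours stays under any per-burst port threshold.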

Gaining Access

Gaining access is by far the most critical phase of an attack, in
terms of potential damage. Malicious actors do not always need
access to a system to cause damage. For example, a denial-of-service
attack can be carried out remotely with the potential to cause an abrupt
termination of the services actively executing on the target or,
in some cases, to exhaust available resources. To stop a service, one can kill
processes. This can be accomplished by the use of a logic/time bomb.
Reconfiguring or crashing the system can achieve similar
results. Network resources can be exhausted locally by filling up
outbound communication links. Such exploits can be done over a LAN or
the Internet, locally, or offline through deception or theft. Let us list some
examples below:
• Session hijacking
• Stack-based buffer overflows
• Denial-of-service and distributed denial-of-service
Sophisticated attackers normally carry out spoofing so that they can
exploit a target’s system by pretending to be a different system or
a stranger.
Using this approach, they can transmit a malformed packet that triggers a bug,
attempting to exploit vulnerabilities found in the target
system.
A technique known as packet flooding can be employed to remotely take
essential services offline. A different type of attack is the smurf
attack. These attacks attempt to elicit responses from the hosts available
on a network; the legitimate addresses of those hosts are then used
to flood the victim. The success of gaining access to a target system by an
attacker is heavily dependent on the following:
• The initial level of access gained.
• The level of skill of the attacker.
• The configuration and architecture of the target system.
The most damaging type of denial-of-service attack is the distributed
denial-of-service attack. This happens when an attacker employs
zombie software spread over many machines on the Internet to
initiate a coordinated, large-scale denial of service.

Maintaining Access

After a hacker gains access to his target system, he/she will need to
dedicate their efforts to ensure their boat remains afloat, metaphorically
speaking. The attacker can decide to exploit the hijacked system while
being in stealth mode, use it as a launching pad for attacks such as DDoS
or spam campaigns or use it for scanning and exploiting other systems. All
these actions can be damaging. Let me show you a practical example. A
hacker can set up a sniffer to intercept all network traffic (both
inbound and outbound). The captured traffic can include telnet sessions
with other systems and file transfer protocol sessions, which enable them to send the
captured data to any destination. Those who do not wish to be detected
will be required to take steps that will help to conceal their presence. We
have many techniques to do this. The preferred method is where the hacker
installs hidden infrastructure based on covert channels, rootkits, Trojan
horses and backdoors to enable them to have unfettered access to those
systems.

Tools and Methods

A Trojan or backdoor is one such way to establish quick access to a system
that has already been breached. A Trojan horse allows a hacker
application-level access. The downside to this is that the Trojans need to
be installed locally on a target system. In systems running Windows, it is
possible for Trojans to install themselves as a service. After that, they will
have administrative access. This means that they can run as a local system.
A malicious individual can use these Trojans to steal credentials,
passwords and any other sensitive information on the system. As is the case
with remote access Trojans, the backdoors attackers normally install come
with built-in download and upload functionality. This technique relies on
port 80 in the case of HTTP, 443 for HTTPS and port 53 for DNS to
cover up their traffic.

A Covert Channel

This is a scenario where secret communication tunnels are used for
transmitting data. Examples of such paths include HTTP tunnels, DNS
tunnels, ICMP tunnels and VoIP. Take note that the covert channels we
have mentioned can be used for transporting encrypted data as well.
Detection of covert channels is possible, but it requires substantial
effort on the victim’s part. Anomalies in outbound traffic can be found
through protocol analysis, network signatures and flow data
analysis, all of which require special tools. Take note that
detecting a covert channel is one thing, but blocking it is a different ball
game. You can employ one or more of the following measures:
• Barring outbound ICMP at the corporate information border;
• Blocking DNS requests to servers outside the
corporate network, while allowing requests to internal
DNS servers;
• Disposing of HTTP tunnels by routing web traffic through web proxies;
• Scheduling a delay in the delivery of voicemails in cases
of exfiltration tunneling over VoIP RTP. This allows the voicemail to be
sent to an audio processor that examines every packet for
encoded data, in the same way that antispam software works.

Rootkits

This is a malware that is highly adept at concealing itself from a computer
system. It is this feature that distinguishes rootkits from other malware
types. Their heightened capability to hide gives them the ability to
circumvent security measures that have been put in place on the computer.
The main idea behind their creation is the very fact that they are not easily
detected by normal malware detection software. Normally, Trojan horses
are used to load rootkits beginning with “user” level access on the
platform that is being targeted. Once in the target system, the rootkits will
spy on login details such as passwords so that they can get “administrator”
level access. Keen readers will say this is privilege escalation. That is
correct. Despite this, the real specialty of the rootkits is to maintain
access.
Rootkits will tend to hang around a targeted system slowly and
progressively undermining it. This is unlike the norm with ordinary
viruses that are designed to cause maximum damage in as little time as
possible. The keyword here is ‘secrecy.’ For instance, keyloggers
possessing rootkits are purposely built to capture all the words an
unknowing victim keys in using their keypad. It will collect sensitive
information for as long as it remains undetected. This makes identity theft
highly probable. A good analogy is a parasite which, through various
means, enters the body. It will stay dormant for a very long time. After it
has mustered up enough energy to surmount over the body’s immune
system, it will now go ballistic.
A computer system can be broken down into three basic layers: the
operating system, the kernel and the hardware level. The kernel is,
essentially speaking, the backbone of the operating system. Many a time, low-priority processes are used by user-level rootkits to compromise the
software tasked with safeguarding a computer. A more dangerous and stealthier
rootkit is the kernel-level rootkit, mainly for the following
reasons:
• Time and again, the removal of boot-level and kernel-level
rootkits has proven to be difficult.
• Rootkits that have taken up residence in kernel memory
normally do not leave any traces on the hard disk. Additionally,
these rootkits normally change parts of the disk and files, and
sometimes modify the kernel, to make themselves “reboot
resistant.”
• Rootkits can camouflage their presence by
adding their code to sections of the kernel;
• Kernel-level rootkits can run even before the operating system
starts;
• This category of rootkits can bypass encryption by
creating secret channels that allow them unfettered access to
the compromised system.
Rootkits installed at the kernel level acquire complete
administrator access to the targeted systems. Unlike Trojan horses, rootkits
normally create an access path right down to the operating system level.

Removing rootkits

Typical security measures, for instance antivirus software, cannot
sufficiently deal with rootkits on their own. Instead, there are
purpose-built programs such as Malwarebytes Anti-Rootkit, TDSSKiller,
Sophos Anti-Rootkit and GMER that you can use to eradicate rootkits
from your system. Note that, in some cases, the rootkit cannot be removed
from your system for good; the programs above can only reduce the
adverse effects that the rootkit leaves all over your system. In addition to
using software to deal with rootkits, a user can also opt for the clean
slate procedure. Here, the important files are backed up, and a clean re-installation of the operating system is done. Normally, this will ensure that
the rootkit is removed from your system. Again, this is not a guarantee
that the removal will be 100%. BIOS-level rootkits, which are
rare, can survive the re-install. There will always be signs indicating the
presence of rootkits in any system, no matter how hard they try to hide.
This is mainly because they are designed to keep an ingress path open for an
attacker from outside.

Data Exfiltration

This can be described as an unauthorized transfer of data to an external
device or system. The data can originate from IT servers or a computer
system. The process can either be manual (copy-pasting) or automatic
(through malware). Back in 2015, the security organization, McAfee,
reported that the majority of the data exfiltration cases (Around 60%)
were carried out through direct electronic means. The remaining 40%
happened via physical media, for example, stealing a laptop or using a
USB drive to download data. Interestingly, a significant portion of that
40% involved mobile phones. The data categories which were most
exfiltrated were personal health information, personally identifiable
information, financial data and intellectual property. Different kinds of
tunneling protocols, file transfers, web protocols or email transfers are
used in the electronic exfiltration of data. We know that the file transfer
protocol is a standard network protocol meant to help us transfer files. It
can also come in handy in data exfiltration campaigns.
Peripheral devices on the targets and other components such as
microphones and webcams can be rigged to enable the monitoring of the
target’s activities. To stay anonymous, the hacker can use the Tor network
or make use of HTTP file transfers. To prevent hackers from exfiltrating
your data and staying safe from Advanced Persistent Threats, early
detection is what will make the difference. It is important that
organizations possess a working threat intelligence mechanism that will
aid in the identification of suspicious activities relating to data
exfiltration. Linking the local threat intelligence system to the global
threat intelligence network will help in keeping abreast of the latest trends
in the security realm. Let me list some notable indicators of data
exfiltration. These can be used as a basis for launching a comprehensive
investigation. They are:
• Port activities that are not approved/sanctioned.
• Multiple email transmissions to non-corporate domains.
• Excessive email sending by hosts.
• Above-normal numbers of DNS queries.
• Web upload activity by users, normally
directed to non-corporate sites.
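Both the covert channel section and the indicators above point at DNS: an above-normal query volume, and tunnels that carry encoded data inside the query names. This added Python example (not from the chapter) runs both checks over a constructed DNS query log, flagging clients that exceed a query threshold and query names whose labels are long and high-entropy, as encoded chunks tend to be. The log format, the thresholds and the `tunnel.example` names are assumptions.

```python
"""Spot DNS-based exfiltration indicators in a constructed query log."""
import math
from collections import Counter, defaultdict

# Constructed DNS query log, one "client qname" per line; not a real network.
# 10.0.0.12's query names stand in for encoded data chunks sent through a
# DNS tunnel; 10.0.0.20 simply queries more often than the others.
SAMPLE_DNS_LOG = """\
10.0.0.7 www.example.com
10.0.0.7 mail.example.com
10.0.0.7 cdn.example.net
10.0.0.12 a1b2c3d4e5f6g7h8.tunnel.example
10.0.0.12 q9w8e7r6t5y4u3i2.tunnel.example
10.0.0.12 abcdefghij0123456789.tunnel.example
10.0.0.20 www.example.com
10.0.0.20 login.example.com
10.0.0.20 api.example.com
10.0.0.20 static.example.com
10.0.0.20 img.example.com
10.0.0.20 news.example.org
10.0.0.20 time.example.org
"""


def shannon_entropy(text):
    """Bits per character; 16 distinct characters used once each give 4.0."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_encoded_label(qname, min_len=16, min_entropy=3.5):
    """True when any DNS label is both long and high-entropy, as encoded
    chunks are, rather than a short dictionary-like hostname."""
    return any(len(label) >= min_len and shannon_entropy(label) >= min_entropy
               for label in qname.split("."))


def analyse_dns_log(text, volume_threshold=5):
    """Return one finding per client that trips either indicator."""
    per_client = defaultdict(list)
    for line in text.strip().splitlines():
        client, qname = line.split()
        per_client[client].append(qname)
    findings = []
    for client, names in sorted(per_client.items()):
        reasons = []
        if len(names) > volume_threshold:
            reasons.append(f"{len(names)} queries exceed threshold {volume_threshold}")
        encoded = [n for n in names if is_encoded_label(n)]
        if encoded:
            reasons.append(f"{len(encoded)} queries with encoded-looking labels")
        if reasons:
            findings.append({"client": client, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_dns_log(SAMPLE_DNS_LOG):
        print(finding["client"], "->", "; ".join(finding["reasons"]))
```

Long hashed labels from legitimate CDNs and security-product lookups also trip the entropy check, so hits are leads for the investigation the text describes, not verdicts.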
As I conclude this sub-topic, you have learned that for an attacker to
obtain meaningful information, they will have to linger around their
targets for some time. That implies that “Maintaining Access” is a key
cycle of the hacking process which you will be required to master. This is
easier said than done. Kali Linux comes with plenty of tools that can help
you maintain access to a targeted system. Maintaining access is like
getting into somebody else’s house without their permission. You will
quickly realize that getting inside the house is just one part. Maintaining
your presence without being detected is another. It may be even more
difficult than the former task.

Clearing Tracks

In this step, we will be learning about how hackers cover their tracks with
the objective of erasing any digital signs they may have left behind. It is
obvious that this is an unethical activity. Simply put, it is concerned with
the deletion of logs of the activities which took place during the hacking
process. I am going to be very detailed in covering this sub-topic,
since it is of immense importance to readers who seek to be
professional hackers. There is one more process after clearing tracks, namely
report writing, which is mostly paperwork. To know if a system has been
targeted, we can carefully examine the digital signs left behind by an intruder.
It is in a hacker’s interest to clear any traces of such activity that can lead
to them. You may have noticed that in the previous phases, a penetration
tester or hacker successfully avoided detection by intrusion detection
systems and firewalls. In this phase, however, the objective is to conceal
any hints that are likely to disclose the nature of the hacker’s deeds.
The key components of covering/clearing tracks are:
1) Anti-Incident Response – measures meant to
prevent real-time detection, and
2) Anti-Forensics – measures aimed at thwarting the
collection of digital evidence during a possible post factum inquiry.

Anti-Incident Response

The main objective of Anti-Incident Response is to disrupt, confuse and
out-maneuver the incident response team at work in the targeted
company. Additionally, activities falling under this category make it
possible for a hacker/penetration tester to keep a long-term foothold
within their target even after they have been detected. Crucial tasks that
can be carried out under anti-incident response include:
• Deploying backdoors secretly.
• Configuring infrastructure to allow for agility in lateral
movement.
• Constantly updating the number of infected hosts, while keeping
their numbers from growing too large.
• Using a wide variety of malware on the network.
• Preventing investigators or responders from keeping up with
what is going on by picking up the pace yourself.
• Using busy servers, which provide a perfect cover for internal hop-points.
• Using busy file servers as avenues for data staging.
• Using a VPN for communication, which in some cases may circumvent
measures put in place for network monitoring.
• Camouflaging the origin of malware transmission.
What matters in anti-incident response are the actions undertaken to prevent
the immediate detection of an ongoing or continuous cyberattack. Anti-forensics,
on the other hand, consists of the deliberate measures taken by hackers or
penetration testers to destroy any evidence present and make a digital
investigation die out during its initial stages; it is designed to handicap the
investigators’ ability to obtain adequate digital evidence that can be submitted
before a court of law at later stages. This, therefore, implies that activities under
anti-incident response are urgent, since a large portion of the action occurs
on a live, running system in real time. The countermeasures that
incident responders are likely to take are presumably much more time-constrained
than those of investigators in a potential future digital investigation.

Anti-Forensics

Before we start devouring this topic, let us first understand what forensics
is. We define computer forensics as a discipline whose main objective is to
enable the acquisition, preservation, analysis and presentation of digital
evidence in a court of law by forensic experts. We define anti-forensics as
a discipline that encompasses all the existing means and tools for purposes
of deleting, modifying, or hiding digital evidence. The main objective of
anti-forensics is the destruction, erasure, or manipulation of digital
evidence. Anti-forensics has also been described by some as the “Attempts
made to negatively compromise the quality, amount, and the existence of
evidence from a crime scene or to complicate the examination and
analysis of evidence so that it is impossible or difficult to conduct.” One
can tell from the name that this is involved with the techniques or actions
that are supposed to create obstructions to an eventual digital investigation
and to reduce both the quantity and quality of digital evidence. Cyber
terrorists, hackers, counterfeiters, online pedophiles and other
cybercriminals are among the typical users of anti-forensic techniques and
tools. It is obvious that their intentions are to erase any existing traces
capable of incriminating them.

Deleting Evidence

There are those of us who are so paranoid that they have
invested resources in privacy protection tools and commercial disk
cleaners solely to wipe data they do not wish others to lay their eyes on. It
is believed that these tools can permanently delete everything from the
hard disk. The specific things these tools offer include:
• Deleting web browser history and cache;
• Deleting instant messenger chat logs, including Skype and others;
• Giving users a “secure delete” option with which they can wipe
files;
• Cleaning registry items, thumbnails,
jumplists, Skype chatsync and so on.
A forensic expert can use specific forensic tools to outsmart many of these
clean-up programs. For example, pictures of interest to a forensic expert
can be recovered, because even when the original
image has been erased, Windows thumbnails will still hold a smaller version of the
picture. Even when the thumbnail has been removed, forensic examiners can restore it by
doing what we call file carving. Jumplists can also give information
pertaining to pictures, applications, documents and numerous other types
of files that the user has interacted with. Jumplists are normally
created even for externally accessed files.
They will stay intact regardless of whether
the original file has been erased or the external device has been removed. These lists
will typically hold a MAC address, the name of and path to the file being
accessed, the application used to view the file, the computer name,
and the time and date that the item was accessed. This implies that
jumplists can be used as excellent proof of access. Deleting Skype
history manually will not clean the internal data stored in the “chatsync”
folder, whose content can be used to unearth bits of user
conversations. Despite the imperfections of this method (deleting), when it is
done properly, it can dispose of evidence irreversibly, leaving the forensics
experts empty-handed.

Hiding, Moving, Renaming or Altering Files

This may sound naïve, even though some wrongdoers do use this
method to evade detection. The methods used to cover tracks here
include renaming files, moving files containing conversation histories or
changing file extensions. This, my friends, is not an easy task. There exist
programs which can be used to break large files into small parts
that can be concealed at the end of other files. Using
specialized programs, a hacker can use the unused file space, which is
known as slack space, to hide crucial information from plain sight.
Additionally, a hacker can conceal a file inside another (you may have
heard of steganography). This method works fine with executable files.

Timestamping

Many a time, the investigators do not normally examine all the files in a
computer system. In most cases, they sort the information chronologically
so that they can prioritize their search for potentially relevant information.
They will want to view the information just at the time an attack occurred
in cases where it is known. Criminals will typically attempt to counter this
approach through the modification of the metadata belonging to the files
they require. Usually, they alter the times and the dates when each file was
last accessed, last modified and when it was created. This anti-forensic
technique is known as time stamping. Once the modification or
transformation of a file has been done, the computer or device will think
that the file is a different one. For instance, renaming an mp4 file to make
it look like a .gif file.
Despite this, forensic investigators will normally depend on their
experience and skills to find moved or renamed files. Also, we have
methods for information forensics that can assess hard drives for
suspicious discrepancies automatically. An example of such a method is
data carving. This is a method that is used for carrying out a
comprehensive and sequential scan of media. Data carving is effective in
the sense that it can directly read low-level data from the media. It does
not depend on the manner in which the file locations and names appear on
the file system. For instance, an mp3 file is identified based on the
contained actual data stream that is inherent to mp3 files and not based on
the file’s name.
Finally, encryption is a wonderful security measure a hacker can use. As
far as digital forensics is concerned, encryption is a nightmare. Utilizing a
strong encryption algorithm can result in the data being unreadable and
will, therefore, be useless to the investigators.
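Data carving, as described above, identifies content by its data stream rather than by its name. This added Python example (not from the chapter) checks constructed sample files against real file signatures, flags the chapter's own case of an mp4 renamed to .gif, and carves signatures out of a raw byte blob that has no file names at all. The sample file names and contents are constructed stand-ins.

```python
"""Identify file content by signature, independent of the file name."""

# Real file signatures as (type, offset, magic bytes). MP4 and other ISO base
# media files carry "ftyp" at offset 4, after a 4-byte box size; MP3 is only
# matched here when it starts with an ID3 tag.
SIGNATURES = [
    ("gif", 0, b"GIF87a"),
    ("gif", 0, b"GIF89a"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("jpg", 0, b"\xff\xd8\xff"),
    ("pdf", 0, b"%PDF-"),
    ("zip", 0, b"PK\x03\x04"),
    ("mp3", 0, b"ID3"),
    ("mp4", 4, b"ftyp"),
]
EXTENSION_ALIASES = {"jpeg": "jpg", "m4v": "mp4"}

# Constructed sample "files": the first is the chapter's own case, an mp4
# renamed to look like a gif. Contents are minimal stand-ins, not real media.
SAMPLES = {
    "holiday.gif": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16,
    "logo.gif": b"GIF89a" + b"\x00" * 16,
    "notes.txt": b"plain text has no signature",
    "report.pdf": b"%PDF-1.7\n%...",
}

# Constructed raw blob with no file system: junk, then a gif, then an mp4.
CARVE_BLOB = b"junk" + b"GIF89a" + b"\x00" * 8 + b"\x00\x00\x00\x18ftypmp42"


def identify_content(data):
    """Return the type whose signature matches the start of data, else None."""
    for ftype, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return ftype
    return None


def check_file(name, data):
    """Compare the extension a file claims with what its bytes say."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    content = identify_content(data)
    return {"name": name, "extension": ext, "content": content,
            "mismatch": content is not None and content != ext}


def scan_samples(samples):
    """Check every sample file, sorted by name for stable output."""
    return [check_file(name, data) for name, data in sorted(samples.items())]


def carve(blob):
    """Return (start_offset, type) for every signature found anywhere in the
    blob, the way data carving recovers files without directory entries."""
    hits = []
    for pos in range(len(blob)):
        for ftype, offset, magic in SIGNATURES:
            if pos >= offset and blob[pos:pos + len(magic)] == magic:
                hits.append((pos - offset, ftype))
    return hits


if __name__ == "__main__":
    for result in scan_samples(SAMPLES):
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{result['name']}: claims {result['extension']}, "
              f"contains {result['content']} [{flag}]")
    print("carved:", carve(CARVE_BLOB))
```

A file with no known signature (plain text, or an encrypted container) gets no verdict here, which is the encryption limitation the paragraph above describes.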

Log Tampering

On computers running Windows, log files are typically kept in the Event
Viewer, which you can easily find using the “Search” bar. On most Linux/UNIX
operating systems, the logs are stored in the /var/log directory.
System administrators can spot any malicious activities that have
occurred in their systems simply by examining the log files. There are two
types of log files: application-generated and system-generated log
files. In log manipulation, a hacker normally has two options: one is
to completely delete the logs and the other is to modify the contents
of the log files. Here, a hacker can also replace system binaries with
malware such as Trojans to make sure that any evidence of the intrusion
will not be detected. Deleting log files is not normally a good idea, as it
creates a gap in the log files and this raises suspicion. Log files
can be used to detect malicious activities. They serve as a
warning system on the health and actual state of a system, and any
discrepancy in the logs will likely draw unwanted attention. A wise
attacker will likely carry out his attacks when the probability of anyone viewing
the log data is minimal, say on weekends or at night. An attacker
needs root privileges to tamper with the information in log
files. After escalating their privileges, a hacker can modify the log data
associated with their activities within the log file itself, so that any scrutiny by a
system administrator will not reveal any unusual activity.
Prudent system administrators normally set up their systems to
send all log files to a remote server.
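Two of the points above, that deleting entries leaves a suspicious gap and that a remote copy of the logs defeats local tampering, can be checked mechanically. This added Python example (not from the chapter) parses two constructed log excerpts in a syslog-like format with ISO timestamps, reports silent periods and out-of-order timestamps, and lists the entries the remote server holds that are missing locally. The log format, hostnames and the 30-minute gap threshold are assumptions.

```python
"""Check a log for gaps and compare it against the remote copy (added example)."""
from datetime import datetime, timedelta

# Constructed log excerpts in a syslog-like format with ISO timestamps; not
# real logs. REMOTE_LOG is the complete copy held on the log server; in
# LOCAL_LOG the three entries recording the intruder's session are gone.
REMOTE_LOG = """\
2024-03-14T02:10:00 host1 sshd[1201]: Accepted password for alice from 10.0.0.7
2024-03-14T02:12:30 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls
2024-03-14T02:13:05 host1 sshd[1250]: Accepted password for svc from 10.0.0.5
2024-03-14T02:14:10 host1 sudo: svc : TTY=pts/1 ; COMMAND=/usr/bin/vi /var/log/auth.log
2024-03-14T02:30:00 host1 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-14T03:00:00 host1 cron[1310]: (root) CMD (run-parts /etc/cron.hourly)
"""
LOCAL_LOG = """\
2024-03-14T02:10:00 host1 sshd[1201]: Accepted password for alice from 10.0.0.7
2024-03-14T02:12:30 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls
2024-03-14T03:00:00 host1 cron[1310]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_log(text):
    """Split each line into (timestamp, message)."""
    entries = []
    for line in text.strip().splitlines():
        stamp, message = line.split(" ", 1)
        entries.append((datetime.fromisoformat(stamp), message))
    return entries


def find_gaps(entries, max_gap=timedelta(minutes=30)):
    """Return (kind, earlier, later) for every silent period longer than
    max_gap and for every timestamp that runs backwards, which suggests
    entries were rewritten or reordered."""
    findings = []
    for (t0, _), (t1, _) in zip(entries, entries[1:]):
        if t1 < t0:
            findings.append(("out-of-order", t0, t1))
        elif t1 - t0 > max_gap:
            findings.append(("gap", t0, t1))
    return findings


def missing_from_local(local_text, remote_text):
    """Lines the remote server holds that the local file no longer has."""
    local_lines = set(local_text.strip().splitlines())
    return [line for line in remote_text.strip().splitlines()
            if line not in local_lines]


if __name__ == "__main__":
    for kind, t0, t1 in find_gaps(parse_log(LOCAL_LOG)):
        print(f"{kind}: {t0.isoformat()} -> {t1.isoformat()}")
    for line in missing_from_local(LOCAL_LOG, REMOTE_LOG):
        print("missing locally:", line)
```

A quiet host produces real gaps too, so a gap is a prompt to consult the remote copy rather than proof of tampering.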

In summary

One precondition for success is being stealthy. Therefore, preventing
detection during the hacking process is not enough. The process should
continue even after the actual attack has been carried out. Any missteps
will likely set off the radar detection and the forensics team will be
quickly brought in to identify the attacker. This implies that the final step
of covering tracks is of immense significance and should not be
underestimated. If you wish to break into sophisticated systems,
maintaining a low profile is a key skill that you will be required to have.
We can say that covering tracks is a fail-safe technique that hackers
employ to keep them out of trouble. The trouble can be immediate or after
some time, say during an investigation.
