An intrusion has two phases: a pre-attack phase of reconnaissance and target acquisition, and then the real attack.
The pre-attack phase consists of three steps: footprinting, scanning and enumeration.
Footprinting means gathering as much information as possible about the target and profiling its infrastructure, mainly from a security point of view. This is much harder when the target has a complex structure (for example a computer or server on a company network) than for a normal home PC connected to the internet. There are two types of footprinting: passive, where the target is unaware of the reconnaissance because nothing touches its systems (for example searching public sources on the internet, such as Whois lookups), and active, where the target may be alerted to the activity (for example social engineering).
Scanning is the active step: attempting to connect to the target's systems to elicit a response. In practice this means probing the ports on the target's IP address to determine which services are active (web server, FTP, etc.), detecting the operating system, and so on. Unlike passive footprinting, every probe reaches the target and can end up in its logs or trigger an intrusion detection system. There are various types of scan; I will not list them here because it would get too "technical".
In conjunction with scanning there is also enumeration: the intrusive process of determining valid user accounts and accessible resources such as network shares.
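As an added example (not code from the original article), here is a minimal TCP connect scan with banner grabbing in Python, the technique behind "which services are active". So that it runs offline it starts its own fake FTP, SSH and HTTP listeners on 127.0.0.1 with made-up banners; those services, their OS-assigned ports and the tiny fingerprint table are assumptions for the demo, not anything the article describes (a real tool such as nmap -sV uses thousands of probes). It also shows the edge case you hit immediately in practice: some services (HTTP) say nothing until the client speaks, so reading the banner alone misses them and a follow-up probe is needed.

```python
# Added example (not from the original article): the fake services, their ports
# (picked by the OS at bind time) and their banners below are all constructed.
import socket
import threading

# speak_first: servers that greet the client (FTP, SSH, SMTP) vs ones that stay
# silent until they receive a request (HTTP).
FAKE_SERVICES = {
    "ftp":  (True,  b"220 ProFTPD Server ready.\r\n"),
    "ssh":  (True,  b"SSH-2.0-OpenSSH_8.9\r\n"),
    "http": (False, b"HTTP/1.0 200 OK\r\nServer: nginx\r\n\r\n"),
}
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"  # sent to silent ports

def start_fake_service(speak_first, banner):
    """Listen on an ephemeral loopback port; answer each connection with banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was shut down
            with conn:
                try:
                    if not speak_first:
                        conn.recv(1024)  # wait for the client's request first
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def grab_banner(sock, timeout):
    """Read what the service volunteers; if silent, probe it and read again."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(512)
    except OSError:  # socket.timeout is an OSError
        data = b""
    if data:
        return data
    try:
        sock.sendall(HTTP_PROBE)
        return sock.recv(512)
    except OSError:
        return b""

def tcp_connect_scan(host, ports, timeout=0.5):
    """Full-connect scan: a completed handshake means the port is open. Returns
    {port: banner}. Every hit also lands in the target's own connection logs."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:  # refused, filtered (timeout) or unreachable
                continue
            found[port] = grab_banner(s, timeout)
    return found

def guess_service(banner):
    """Toy fingerprint table keyed on the banner's first bytes."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"220 "):
        return "ftp/smtp (220 greeting)"
    if banner.startswith(b"HTTP/"):
        return "http"
    return "unknown" if banner else "open, no banner"

def run_demo():
    """Scan a window of loopback ports around the fake services plus one port
    known to be closed; return (expected, found, closed_port)."""
    listeners, expected = [], {}
    for name, (speak_first, banner) in FAKE_SERVICES.items():
        srv, port = start_fake_service(speak_first, banner)
        listeners.append(srv)
        expected[port] = name
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]  # released right away, so it refuses
    probe.close()
    ports = sorted({p + d for p in expected for d in range(-3, 4)} | {closed_port})
    scan = tcp_connect_scan("127.0.0.1", ports)
    found = {p: (guess_service(b), b) for p, b in scan.items()}
    for srv in listeners:  # shutdown() wakes the thread blocked in accept()
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()
    return expected, found, closed_port
```

Calling run_demo() returns the three fake ports labelled ftp/smtp, ssh and http, while the released port is absent because the connection was refused. Against a real target you would pass its address and a full port range to tcp_connect_scan; note that this is the noisiest scan there is, since every open port sees a completed TCP connection (and the HTTP probe) from your address.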
Then there is the attack phase, in which we can distinguish four steps: gaining access, escalating privileges, maintaining access, and covering tracks and planting backdoors.
Gaining access is the key step: the intruder looks for vulnerabilities in the software or services found during scanning and uses those bugs to get in (the code or technique that abuses a bug this way is called an exploit).
Once in, the intruder tries to escalate privileges, that is, to gain full control of the system instead of an ordinary user account; it is like having administrator rights.
Once the target is definitively compromised the intruder can do anything without the victim noticing, for example install a rootkit to hide the traces of his own activity and a trojan or other backdoor to maintain access, re-entering the victim's PC whenever he wants.