Ultimately, what a hacker does is gain access to a system in some way that the system’s designers did not intend them to. How they do this depends on their goals and the systems they're targeting.
A hack can be as simple as sending out phishing emails to steal passwords from anyone who bites or as elaborate as an advanced persistent threat (APT) that lurks in a network for months.
Some of the most common hacking methods include:
Specialized operating systems
Network scanners
Malware
Social engineering
Credential theft and account abuse
AI-enabled hacks
Other attacks
Specialized operating systems
While people can use standard Mac or Windows operating systems to hack, many hackers use customized operating systems (OSs) loaded with tailor-made hacking tools such as credential crackers and network scanners.
For example, Kali Linux, an open source Linux distribution designed for penetration testing, is popular among ethical hackers.
Network scanners
Hackers use various tools to learn about their targets and identify weaknesses they can exploit.
For example, packet sniffers analyze network traffic to determine where it's coming from, where it's going and what data it contains. Port scanners remotely test devices for open and available ports hackers can connect to. Vulnerability scanners search for known vulnerabilities, allowing hackers to quickly find entryways into a target.
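The same scanning behaviour that gives an attacker a map of a network is also what makes it detectable: one source touching many distinct ports on a host in a short span is a strong signal. The following is an added example, not code from the original article, that runs a sliding-window port-scan detector over a few constructed firewall-style log lines (the `<ts> <src> -> <dst>:<port> <action>` line format, the addresses and the thresholds are all assumptions for the example).

```python
"""Port-scan detection over constructed connection logs (added example, not the
article's own code). Log format is a constructed, simplified firewall-style line:
"<iso-timestamp> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one scanning source, one normal web client.
SAMPLE_LOG = """\
2024-01-15T10:00:01 203.0.113.5 -> 198.51.100.10:22 DENY
2024-01-15T10:00:01 203.0.113.5 -> 198.51.100.10:23 DENY
2024-01-15T10:00:02 203.0.113.5 -> 198.51.100.10:80 ALLOW
2024-01-15T10:00:02 203.0.113.5 -> 198.51.100.10:443 ALLOW
2024-01-15T10:00:03 203.0.113.5 -> 198.51.100.10:3389 DENY
2024-01-15T10:00:03 203.0.113.5 -> 198.51.100.10:8080 DENY
2024-01-15T10:00:04 203.0.113.5 -> 198.51.100.10:8443 DENY
2024-01-15T10:00:05 203.0.113.5 -> 198.51.100.10:5900 DENY
2024-01-15T10:00:06 203.0.113.5 -> 198.51.100.10:21 DENY
2024-01-15T10:00:07 203.0.113.5 -> 198.51.100.10:25 DENY
2024-01-15T10:00:09 192.0.2.44 -> 198.51.100.10:443 ALLOW
2024-01-15T10:00:15 192.0.2.44 -> 198.51.100.10:443 ALLOW
2024-01-15T10:05:00 192.0.2.44 -> 198.51.100.10:80 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def detect_port_scans(log_text, window=timedelta(seconds=60), min_ports=8):
    """Return {src_ip: sorted distinct ports} for every source that contacted at
    least `min_ports` distinct destination ports inside some `window`-long span.
    Both allowed and denied connections count: a scanner probes closed ports too."""
    events = defaultdict(list)  # src_ip -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst_ip, port, _action = parse_line(line)
        events[src].append((ts, port))

    suspects = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            # Slide the left edge forward until the window is at most `window` wide.
            while evs[right][0] - evs[left][0] > window:
                left += 1
            ports = {p for _, p in evs[left:right + 1]}
            # Keep the largest distinct-port set seen for this source.
            if len(ports) >= min_ports and len(ports) > len(suspects.get(src, ())):
                suspects[src] = sorted(ports)
    return suspects


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

The thresholds (8 distinct ports in 60 seconds) are deliberately conservative starting points; in production they would be tuned per network segment, and sources such as vulnerability-management scanners would be allow-listed rather than alerted on.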
Malware
Malicious software, or malware, is a key weapon in malicious hackers' arsenals. According to the X-Force Threat Intelligence Index, 43% of cyberattacks involve malware.
Some of the most common malware types include:
Ransomware locks up a victim's devices or data and demands a ransom payment to unlock them.
Botnets are networks of internet-connected, malware-infected devices under a hacker's control. Botnet malware often targets Internet of Things (IoT) devices because of their typically weak protections. Hackers use botnets to launch distributed denial of service (DDoS) attacks.
Trojan horses disguise themselves as useful programs or hide within legitimate software to trick users into installing them. Hackers use Trojans to secretly gain remote access to devices or download other malware without users knowing.
Spyware secretly gathers sensitive information—such as passwords or bank account details—and transmits it back to the attacker.
Infostealing malware has become especially popular among cybercriminals as cybersecurity teams have learned to thwart other common malware strains. The Threat Intelligence Index found that infostealer activity increased by 266% in 2022–2023.
Social engineering
Social engineering attacks trick people into sending money or data to hackers or granting them access to sensitive systems. Common social engineering tactics include:
Phishing attacks, which use fraudulent emails or other messages, such as business email compromise (BEC) scams.
Spear phishing attacks that target specific individuals, often by using details from their public social media pages to gain their trust.
Baiting attacks, where hackers place malware-infected USB drives in public places.
Scareware attacks, which use fear to coerce victims into doing what the hacker wants.
Credential theft and account abuse
Hackers are always looking for the path of least resistance, and in many enterprise networks, that means stealing employee credentials. According to the IBM® X-Force® Threat Intelligence Index, valid account abuse is the most common cyberattack vector, accounting for 30% of all incidents.
Armed with employee passwords, hackers can masquerade as authorized users and waltz right past security controls. Hackers can obtain account credentials through various means.
They can use spyware and infostealers to harvest passwords or trick users into sharing login information through social engineering. They can use credential-cracking tools to launch brute-force attacks—automatically testing potential passwords until one works—or even buy previously stolen credentials off the dark web.
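Brute-force and credential-stuffing attempts leave a distinctive trail in authentication logs: a burst of failures from one source, either against a single account or sprayed across many, sometimes followed by a success. The following is an added example, not code from the original article, that runs such a detector over constructed sshd-style log lines; the simplified line format (ISO timestamp instead of syslog's), the addresses, user names and thresholds are all assumptions for the example.

```python
"""Failed-login burst detection over constructed sshd-style logs (added example,
not the article's own code). Lines use a simplified constructed format:
"<iso-timestamp> sshd[<pid>]: <Failed|Accepted> <method> for [invalid user ]<user> from <ip> port <n> ssh2".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one single-account brute force that eventually succeeds,
# one password spray across several users, and one ordinary user typo.
SAMPLE_AUTH_LOG = """\
2024-01-15T10:00:01 sshd[2201]: Failed password for admin from 203.0.113.9 port 51234 ssh2
2024-01-15T10:00:02 sshd[2201]: Failed password for admin from 203.0.113.9 port 51235 ssh2
2024-01-15T10:00:02 sshd[2201]: Failed password for admin from 203.0.113.9 port 51236 ssh2
2024-01-15T10:00:03 sshd[2201]: Failed password for admin from 203.0.113.9 port 51237 ssh2
2024-01-15T10:00:04 sshd[2201]: Failed password for admin from 203.0.113.9 port 51238 ssh2
2024-01-15T10:00:05 sshd[2201]: Accepted password for admin from 203.0.113.9 port 51239 ssh2
2024-01-15T10:01:00 sshd[2202]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-01-15T10:01:10 sshd[2202]: Failed password for bob from 198.51.100.7 port 40002 ssh2
2024-01-15T10:01:20 sshd[2202]: Failed password for invalid user carol from 198.51.100.7 port 40003 ssh2
2024-01-15T10:01:30 sshd[2202]: Failed password for dave from 198.51.100.7 port 40004 ssh2
2024-01-15T10:01:40 sshd[2202]: Failed password for erin from 198.51.100.7 port 40005 ssh2
2024-01-15T10:09:00 sshd[2203]: Failed password for frank from 192.0.2.20 port 50000 ssh2
2024-01-15T10:09:05 sshd[2203]: Accepted publickey for frank from 192.0.2.20 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect_bruteforce(log_text, window=timedelta(minutes=5), threshold=5):
    """Return a list of (src_ip, failures_in_window, pattern, success_after_flag)
    for every source that reached `threshold` failures inside `window`.
    pattern is "spray" when the failures span more than one account, else
    "single-account"; success_after_flag is True when a login from that source
    succeeded after the threshold was crossed, which is the case to triage first."""
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, user) failures
    flagged = {}                 # src_ip -> [count, users, success_after]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            q = recent[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:  # expire failures outside the window
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(src, [0, set(), False])
                entry[0] = len(q)
                entry[1] = {u for _, u in q}
        elif src in flagged:
            flagged[src][2] = True
    return [
        (src, count, "spray" if len(users) > 1 else "single-account", success)
        for src, (count, users, success) in flagged.items()
    ]


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

Flagging a source does not have to mean blocking it outright: a common mitigation pairs this kind of detection with rate limiting or temporary lockout per source, multi-factor authentication so that a guessed password alone is not enough, and key-based authentication where the service supports it.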
AI-enabled hacks
Much like defenders now use artificial intelligence (AI) to fight cyberthreats, hackers are using AI to exploit their targets. This trend manifests in two ways: hackers using AI tools on their targets and hackers targeting vulnerabilities in AI apps.
Hackers can use generative AI to develop malicious code, spot vulnerabilities and craft exploits. In one study, researchers found that a widely available large language model (LLM) such as ChatGPT can exploit one-day vulnerabilities in 87% of cases.
Hackers can also use LLMs to write phishing emails in a fraction of the time—five minutes versus the 16 hours it would take to draft the same email manually, according to the X-Force Threat Intelligence Index.
By automating significant portions of the hacking process, these AI tools can lower the barrier for entry into the hacking field, which has both positive and negative consequences.
Positive: More benign hackers can help organizations strengthen their defenses and improve their products.
Negative: Malicious actors don’t need advanced technical skills to launch sophisticated attacks—they simply need to know their way around an LLM.
As for the expanding AI attack surface, the increasing adoption of AI apps gives hackers more ways to harm enterprises and individuals. For example, data poisoning attacks can degrade AI model performance by sneaking low-quality or intentionally skewed data into their training sets. Prompt injections use malicious prompts to trick LLMs into divulging sensitive data, destroying important documents or worse.
Other attacks
Man-in-the-middle (MITM) attacks, also known as adversary-in-the-middle (AITM), involve hackers eavesdropping on sensitive communications between two parties, such as emails between users or connections between web browsers and web servers.
For example, a DNS spoofing attack redirects users away from a legitimate webpage to one the hacker controls. The user thinks they are on the real site, and the hacker can secretly steal the information they share.
Injection attacks, such as cross-site scripting (XSS), use malicious scripts to manipulate legitimate apps and websites. For example, in an SQL injection attack, hackers make websites divulge sensitive data by entering SQL commands into public-facing user input fields.
Fileless attacks, also called “living off the land,” are a technique in which hackers use assets they have already compromised to move laterally through a network or cause further damage. For example, if a hacker gains access to a machine’s command-line interface, they can run malicious scripts directly in the device’s memory without leaving much of a trace.