“There are few sources of energy so powerful as a procrastinating college student.”
-Paul Graham, Hackers & Painters: Big Ideas from the Computer Age
What is in a title?
Hacking is a topic that is becoming more and more prevalent every day. In the late 2000s hackers were just started to get hired by small companies. These companies saw the potential in hiring someone so specialized in breaking into system. They could use these individuals to make sure their own systems were as secure as possible, but hacking goes back much farther than just the 2000s. Hacking is the culmination of generations of curious minds who stood against authoritative powers. Ranging from the mid 1950s with the original Massachusetts Institute of Technology’s Hackers all the way to the modern “Script Kiddy” or Skid for short. These followers of decade old traditions pave the future every day for the next generation of hackers to make their mark.
But the question on everyone’s mind is: “How do I become a hacker?” With all of the stories talking about these hackers of old like Cult of the Dead Cow and L0pht and even newer faces like Anonymous and Lizard Squad, how does one join the fun? The simple answer is: its complicated. While that might seem counter-intuitive, its still the truth. Hacking is a field full of endless potential and there are so many different parts to it that it can be almost impossible to put simply. Hacking can be described as the art of curiosity, the stance against the man, and the school of “why not?” Through these definitions we can get a glimpse of hacking might truly entail. The way that a hacker might go about accomplishing any of these ideas is almost limitless. They could specialize in Social Engineering and convince others to talk just a bit too much. The might try their hand at Pentesting and make a handsome career telling others “you got pwnd”. Maybe they will take a gamble and dive into the rabbit hole of Exploit Development and get published in Phrack.
One very important thing to note when first entering the hacking scene is that there is no real “hat”. The idea of White, Grey, and Black hats is a gross simplification of a complex issue. While there have been movements from the community to expand the color palette of the hat concept, it has not severed to further the original idea of categorizing people into Good, Bad, and Morally Questionable. Manul Laphroaig from PoC||GTFO mentions the idea that he is a “Strawhat” in that he has woven together his knowledge from many different facets of the hacking community. He is not a white, black, grey, green, red, or any hue of hat. He simply is a hacker and that is all anyone needs to know.
As mentioned, there are a lot of different places to start on a journey to learning how to hack. The most important part of this journey is learning where to start. With some many different fields it can be really difficult for someone to find one that like. Many will take to throwing up a VM and popping in Kali to start hacking boxes. Others will grab the newest version of Tor and start browsing random .onions to find “hacker things”. The truth is that none of these are the right choice in a general sense. There are stepping stones that all hackers must go through before they can really begin depending on their field.
Obtaining the mindset
Quite possibly the biggest hurdle for any fledgling hacker to get over is obtaining a hacker’s mindset. There is no easy way to go about thinking like a hacker. It comes down to a curiosity for how things work and an appreciation for its flaws. A good hacker knows that nothing is perfect, a better hacker knows how to find those holes, and the best hacker already pwn’d it yesterday. A hacker must look critically about anything and everything they use. Everything has a flaw and that flaw can be exploited. Depending on the flaw this can be completely benign or very critical. This mentality applies to everything from TVs to Computers to Cars to ATMs. With the growth of the IoT market this is becoming a far harsher reality. Dildos and Baby Monitors are being allowed to connect to home networks with little to no oversight from the manufacturers. These are the kinds of situations that a hacker must be aware of as an opportunity to attack may come from anywhere. While this mindset can be learned over time, it is usually starts with a natural curiosity that is built upon with experience.
The most common path that people go down when picking a field of hacking is the Penetration Testing field or Pentesting for short. This is the most “professional” hacking field as it is what companies and government agencies usually hire. They want someone who is able to take a set of tools and break into a network. Penetration testers generally want a strong foundation in Linux first. Starting with a simpler Linux distro like Ubuntu can be very helpful here. Once a solid foundation has been formed a penetration tester in training should begin their move to something like Kali or ParrotSec OS. These Linux distros are essentially just bundles of pre-existing tools that are very useful when trying to perform a pentester’s job. A pentester should become familiar with tools like Metasploit, Dirbuster, SQLMap, Hydra, and more. These tools are the main parts in a pentester’s toolkit. Good resources to practice these skills are websites like Vulnhub or HackTheBox. When faced with difficulty on a particular challenge, do not be afraid to look up a writeup or seek assistance from others. Not everyone has the same level of experience and there will always be those there to help a willing mind.
Social Engineering is by far the oldest form of hacking known to man. It is the art of people manipulation. This can be a tricky skill to practice as there really aren’t any places to practice it other than day to day life. However, there is a lot of reading material surrounding the subject such as Social Engineering: The Art of Human Hacking by Christopher Hadnagy, or The Art of Deception: Controlling the Human Element of Security by Kevin Mitnik and William Simon. Research into Social Psychology can also be greatly beneficial in this field.
C is especially useful for Exploit Development as it is native on almost every operating system and it is a very low level language while still being human readable. Knowledge of C can be critical in the understanding of more advanced low-level concepts such as the Stack and Heap, Pointers, and Memory Segmentation. This will also give a leg up when trying to pivot to extremely low-level languages such as ASM as many guides for different ASM variants will show the pre-compiled C code.
Python is a favorite among the CyberSec/NetSec communities for its portability and ease of use. There are also a large amount of libraries that are very easy to implement such as BeautifulSoup for web parsing, ZBarLite for QR Code processing, PwnTools for advanced IO exploitation and many more. Given an experienced enough programmer, a Python script made with access to any possibly needed libraries can be rolled out in a fraction of the time it would take a compiled language like C/C++ or Java.
Even more “harmless” languages like XML and the CSV format can have their own attack vectors. Again, while the attacker does not strictly have to understand how all these languages and formats work, they should still have an idea of their flaws.
Along with services like HackTheBox and Vulnhub mentioned in the Penetration Testing chapter, this is one of the best methods to practice. Using sites like BugCrowd and HackerOne a new hacker can get real world experience and even earn a decent cut from their work. Here companies will pay out bounties to curious hackers who want to attack something much bigger than the one Linux box they grabbed off VulnHub. These bounties usually revolve around a domain range defined in the bounty program itself. Such as AT&T mentioning that anything under the *.att.com banner being acceptable. As long as the service that a bug is found in has that domain setup and is not a part of an external service sitting on that domain, the attacker is good to send in the bug and claim a nice bounty. As these challenges are usually web based, it is recommended that the attacker have a strong web penetration background. Knowledge of XSS, SQLI, CSRF, SSRF, XXE, and Rate Limiting, and more will be very beneficial.
Some bug bounties will even award based on software exploits. In these cases a lot more effort will have to be given as Exploit Development is an entire field of its own. Here attacks like Buffer Overflows, Fuzzing, and Format String Attacks will be very useful. However, software bug bounties will usually pay substantially more than web bounties as it can be much harder to detect software bounties than web bounties using automated tools. Tools like Nikto can quickly scan sites for possible exploits, but this is much more difficult to do with a modern binary running ASLR or DEP.
The best piece of advice than I can give for bug bounties is to not spend too much time looking for low hanging fruit. As mentioned previously, there exist tools that can completely sweep a site looking for XSS and SQLI vulnerabilities. However, attacks like SSRF happen so infrequently in the wild and under such odd circumstances that it is very difficult to create a tool to automate the process. These are where an attacker should truly be spending their time looking. Although one should not focus on low-hanging fruit like XSS and SQLI, they should not entirely discount them either. I have seen XSS go unpatched for months because the exploit had to be the name of a file that was uploaded to the server. The core idea is to be creative with attacks on a target. Think of attacking the service in ways the target would not try to secure themselves such as data feeds that the target might assume are always clean.
Capture The Flag (CTFs)
One of the final ways to practice hacking is to participate in CTF challenge from sites like Pwnable for Exploit Development or any of the CTFs listed on CTFTime. These challenges are generally lighthearted and span an incredibly large amount of subjects from SQL Injection to NFC Forgery and everything in between. Due to the nature of CTF Challenge, these can be extremely useful for learning more niche attacks or even sharpening one’s skills with more general attacks. Usually after a CTF finishes, users will upload their own writeups to assist others in the learning process. There are even whole channels dedicated to assisting others in learning from these challenges like LiveOverflow.
The road to becoming a hacker is a long one. A hacker will always be learning as they travel it no matter their level of skills. The only difference between a newbie hacker and an experienced one is how far they have traveled their own roads. No matter how difficult the challenge, remember the Offensive Security motto of “Try Harder”. Hacking is not born of ease and lethargy, but of struggle and strife over seemingly impenetrable defenses. Hack the planet.