If you are trying to think outside the box you have already limited your thinking by using the box as your starting point.
How To Get Started Hacking
When I talk with people outside hacking/information security circles about learning to hack, the most common question I get is, "Isn't teaching people how to hack dangerous? What if they use it to do bad things?" The question is rooted in a mashup of several overly simplistic and misapplied ideas, and syllogistic fallacies.
1: Hacking requires "specialized" skills.
2: Learning "specialized" skills is a "dark art" that is only pursued by someone intent on doing evil. This is obliquely saying that learning to hack is akin to black magic, and only evil people do black magic, so all hackers are evil.
3: Security through obscurity works.
4: Take all this and wrap it in a syllogistic fallacy. Driving a car is a specialized skill. A bank robber uses a car in a robbery. Bank robbers are criminals. You drive a car, so you are a criminal.
It is easy to see how shallow thinking, fear, and logical fallacies have led mass media to portray hacking as always being a crime.
Is it possible to defend without knowing the methods used by your adversary?
How would police officers catch criminals if they did not know how they think and what methods they used?
How would our military protect us if they did not know the enemy's tactics and have the skills to repel them?
The SANS Institute is one of the premier information security training and certification organizations. They are famous for saying "your offense should inform your defense."
I am a hacker. My skills were acquired through a lifetime of training on my own, with the United States Navy, and as an information security professional.
I use them daily to defend systems from both criminals and state actors, and I am actively training the next generation of hackers to do the same.
If you think all hackers are criminals, then see "Why Teach Hacking" before continuing.
I am often asked, "How do I learn to hack?"
I have learned that the term hacker can mean many things to many people and is a highly debated topic. The meaning of hacker has evolved/devolved over time depending on your point of view (whether you are a hacker or not).
Many hackers today define themselves based on the roots of hacking, which you can read about in "A Brief History of Hackerdom" and the Hacker Wikipedia article.
However, the word hacker has morphed, and mass media uses it to mean a person who uses specialized technical skills to commit a crime. For more on this see "Why Teach Hacking."
Hacking has evolved to address not just the use of skills but the process by which you acquire those skills.
Therefore, the simplest definition of hacking is the process by which you discover the difference between what something was designed to do and what it is capable of doing.
Many would argue that this definition is too broad and would include endeavors outside the scope of technology, computers, and networks.
I have come to see that the quest for knowledge and skill pursued by the old school hackers is the same process used by those mastering other fields of endeavor, from astrophysics to knitting.
Hacking is as much about the journey as it is the destination.
I will be focusing on hacking as it applies to technology, computers, and networks.
Our knowledge and skills are like a block of Swiss cheese, which appears solid but is full of holes. Hacking is not just about applying your knowledge and skills but also the process by which you fill in the holes.
Figuring out the best place to start can be difficult because we often are not aware of what we do not know, so I am providing a framework to get started. It will then be up to you to follow the breadcrumbs, find the holes in your knowledge and skills, and fill them in. During this process, you will find more holes to fill in and during that, even more holes. It is a lifelong, never-ending pursuit.
The "hacker ethic", just like the term hacker, has morphed over time.
Originally, hacking was driven by a thirst to understand how things work and was conducted on systems that the hackers had a right to access. Mix the ideals of hacking with a bit of anarchy and you end up with hackers that prize ideas and exploration over personal property rights.
Mass media has camped on this idea and does not recognize that most of the hacking going on today is by people who do believe in property rights and are using their hacking skills to defend those who can't defend themselves.
In the non-fiction book "The Cuckoo's Egg", Clifford Stoll encounters a new systems administrator who adheres to the anarchistic version of the hacker ethic. Clifford's thinking changed during the experiences chronicled in the book; he knew the systems administrator's philosophy was wrong but could not articulate why. By the time Clifford reaches the end of the book, he provides an excellent rebuttal. Based on Clifford's rebuttal I have formed one of my own.
Property ownership is a cornerstone of society and built using a fabric of trust. In many cases that trust is an unspoken agreement and in others the trust is codified in law. More often than not, the trust is not enforced until after the fact.
The dashed white line on the freeway reminds the drivers of that trust but it does not prevent another driver from making a left hand turn in front of me at 80 miles per hour. Likewise, when I get a drink out of the vending machine I trust that it will not kill me. If it does, my family will be rich after the lawsuit, but I will still be dead.
If we cannot trust one another in any circumstance then the fabric of trust unravels and people stop building the very systems we want to explore. You cannot have your cake and eat it too.
As hackers, we have a choice: we can explore without regard to property rights and destroy the fabric of trust, or we can repair and reinforce property rights and the fabric of trust.
With great power comes great responsibility.
You have to choose.
I too had to make this choice. Through providence, I was led away from the "dark side" and have spent a lifetime defending others. My hope is that you will join me in this endeavor.
You will find that everyone's background and skills are a little different, so there is no best place to start (see "How Do I Learn to Hack").
I recommend reading through this page to get the big picture, seeing which area interests you the most, and just jumping in. No matter what you start with, it will eventually lead to all the other areas.
You do not have to break the law to get systems to play with. It is possible to get lots of equipment to play with at little to no cost.
Tell everyone you know that you will take any old electronics they no longer want. You can also pick up systems alongside the curb on trash day. Sift through the equipment and keep the useful stuff, scavenge the rest for parts, and then recycle what is left.
Power supplies are particularly useful when building Raspberry Pi and Arduino based systems.
There is a charge of $10.00 to $15.00 each to recycle TVs and monitors with CRTs. I have found that people are a little more willing to call you if you tell them upfront that you will use the equipment for training, find it a new home (like a Hacker/Makerspace), or responsibly recycle anything you do not use. This relieves them of the burden of recycling, but you might have to pay to recycle the TVs and CRTs; thankfully, they are becoming less common. The treasure trove of free useful equipment I have gotten over the years has more than offset the small cost of recycling the occasional TV or CRT.
Atlanta Electronic Recycling Centers
Companies replace workstations, laptops, servers, and networking equipment every three to five years. It is common to depreciate the cost of the equipment on their taxes. If they then sell or donate the equipment to a charity they can end up paying additional taxes because they received a value greater than the depreciated value. The taxes can be more than what it would cost to pay a recycler to take the equipment.
This is an opportunity. It does not cost them anything to give you the equipment. Everyone you know works for a company. Talk to your friends and find the person in the company you need to talk to about getting their older equipment.
The best way to go through a minefield is to follow someone. I highly recommend finding local like-minded people with whom to trade ideas. I am located in Atlanta, Georgia, so I will list examples from here. I will also provide some links to help find similar resources where you live. If there are not any, then start a group. Hacking is all about improvising, adapting, and overcoming (to borrow from the U.S. Marines). You also have the Internet, and online groups are a good way to get involved with others.
Pick the groups you associate with carefully. Hanging out with the wrong crowd can get you arrested just by association. If you want to work in information security your reputation must be above reproach, because employers will give you access to their most sensitive information and systems. A single arrest can end a promising career.
You will hear stories of criminals that were caught and later got jobs in information security. This is the exception. What you do not hear are the stories of permanently damaged lives, which are far more common.
Atlanta Hacker, Maker, and Security Groups
Other Hacker, Maker, and Security Groups
The skills and technology I am listing here are interconnected. As an example, how do you know what networking option to select in VirtualBox if you do not know how networking works? How do you experiment and learn how networking works without being able to simulate it with VirtualBox?
You are going to get stuck and frustrated. Will you quit in frustration or use it as fuel to drive you to improvise, adapt, and overcome?
I have chased solutions that took me years to solve. My secret? I did not quit in frustration. If there is one thing that makes or breaks a hacker, it is what they do when they get frustrated. This is when it helps to have other people to talk to (see "Find Like-minded People to Exchange Ideas With").
The first thing you will need is a computer that can run Windows or Linux. OS X can run on commodity hardware, but generally you will need Apple hardware, which is expensive and not readily available from free sources. I will not be covering iOS or Android hacking, although all the principles I am covering here apply to them as well.
You are going to be running virtual machines, so your computer will need enough resources to run the host operating system and two or more guests at the same time.
I recommend 4 GB of memory and 256 GB of disk space at a minimum. The more processor cores the better. It is not necessary to have a multi-core computer, but it will be far more responsive if it is.
You can use a 32-bit processor, but note that you will not be able to host 64-bit virtual guests. If you have a 64-bit processor you can run both 32-bit and 64-bit guests. In addition, some 32-bit processors will not be able to provide the proper virtual machine hardware extensions.
All is not lost if you cannot afford a computer (see "Where to Get Equipment to Play With"). It does not matter where you start learning; there is no best place to start, so if all else fails you can get a Raspberry Pi Zero for $5, or for $10 you can get a Raspberry Pi Zero W that has built-in WiFi. Talk to other hackers: they often have equipment lying around they are not using any more and will gladly give it to you knowing it will go to a good home and that it will be one more thing not cluttering up their home lab (see "Find Like-minded People to Exchange Ideas With").
If you are running Windows as the virtual machine host operating system, you are going to need hardware that will run a currently supported version of Windows. You will also have to factor in the cost of a license. You can use a demo license, but you will be rebuilding your host every 90 to 180 days because the license will expire. This is fine for a virtual machine guest, but it is a real pain to have to rebuild your host every few months.
You can avoid the Windows licensing issue by running Linux as the host operating system. I recommend using a long-term support version. If you do not know which Linux distribution to pick, use Ubuntu. I use Debian, which is what Ubuntu is based on. Once you get to know Linux, you can branch out and try other Linux distributions.
Windows is more resource intensive than Linux. This applies to the virtual machine host as well as guests. Despite this, I recommend you learn to use both operating systems, as they constitute the majority of systems in use.
There are three primary virtual machine software vendors in the market: VMware, Oracle VirtualBox, and Microsoft Hyper-V. VMware and VirtualBox support more guest operating system types and will run on a Windows or Linux host. Hyper-V only runs on a Windows host, so I will not be covering it.
VMware is the most full featured; however, it is expensive. VMware comes in three versions: ESXi, Workstation, and Player. ESXi is meant to run on bare metal. Workstation requires a host operating system, and Player is used to run virtual machine appliances built using VMware Workstation.
VMware Player is free, but if you want to build your own virtual machine guests, you are going to need VMware Workstation.
Oracle VirtualBox is free but it is not as full featured as VMware. I have used VMware for many years but moved to VirtualBox exclusively in the last few years and have found that it is well up to the task.
VirtualBox is under active development so they are regularly adding new features.
VMWare and VirtualBox Documentation
Knowing how to use a search engine is a hacker superpower.
The Internet is a treasure trove of information if you know how to dig for it. Search engines such as Google have advanced search directives that can make it much easier to find what you are looking for.
Google Hacking (Dorking) References
The better your systems administration skills, the better you will be at hacking. You will need to be able to install operating systems and configure basic services. There are plenty of free online resources for learning systems administration. You will also find these skills are essential for reusing the free hardware you have been getting (see "Where to Get Equipment to Play With").
You will need to learn how to modify the system configuration using the Windows Registry and Linux config files, and how to use init services.
Learn to embrace the command line (CLI). Some of the most powerful tools for systems administration and hacking do not have a GUI interface. Often your foothold on a system will only be through a CLI. When you exercise a vulnerability and find yourself with a shell that is not a fully interactive tty, your skill with the command line will let you easily overcome the problem. See "Learn to Code" for Linux and Windows command line tutorials.
Systems Administration Training Resources
Learn How to Install, Configure, and Harden the LAMP/WAMP Stack
The default text editor on all modern versions of Windows is Notepad, so learn how to use it.
Virtually all Linux distributions come with vi installed by default. On some systems, vi is an alias to vim. All the vi commands also work in vim. If you learn how to use vi, you will be able to use vim as well.
Editor Training Resources
Originally, networking hardware had a single function such as a router, gateway, hub, switch, or firewall. The reason was that the equipment was expensive. Costs have come down significantly, and miniaturization has allowed manufacturers to build multi-function devices.
Today you can commonly find sub-$100 devices that are a WiFi access point, gateway, router, switch, firewall, web server, and file and print server.
You need to learn what each of these devices do and more importantly what they do when connected together to form a network.
Networking is not just the hardware. It also entails the protocols that carry the information across the network.
The OSI model is a standard way of organizing the functions of a network stack. None of the common network stacks in use today strictly adhere to the OSI Model, but the OSI Model is commonly referenced when discussing the functions within a protocol stack and when comparing functions between different protocol stack implementations. Whenever you are reading networking documentation and you see a reference to a "layer", they are referring to the functional layers of the OSI Model.
There are numerous types of computer networks utilizing a blizzard of networking protocols, suites, and communications protocols. As you learn about networking it can be confusing and overwhelming. Remember the first rule of hacking: the successful hackers are the ones that don't quit.
The Internet Is an Amazing Source of Free Training Material
At Some Point You May Consider Building a Networking Lab
Information security, at its heart, is simple and embodies the concept of Confidentiality, Integrity, and Availability (CIA) of information at rest and in motion.
Confidentiality - only those authorized can access the information.
Integrity - the information is only modified by an authorized person.
Availability - the data is available to an authorized person when needed.
What makes information security challenging are the technologies and people used to collect, store, and manage the information. Hardware and software can be patched but people cannot. More often than not, the biggest challenge in security is how people implement operational security (OPSEC).
Hacker OPSEC, maintained by The Grugq, has an extensive collection of articles related to OPSEC successes and epic failures.
We also live in a veritable blizzard of new technologies, software, and services, drifting high on top of older technologies whose design often never considered security. This is not to say that new technologies take security into account; most devices referred to as the Internet of Things (IoT) are extremely insecure by design.
It is vital to learn how to hack in order to understand the interplay between the hardware, software, and people, because without this understanding you will not be able to provide defense in depth.
Information Security Training Resources
In a CTF (capture the flag) (see "How to Practice Without Getting Into Legal Trouble") you will need to find what services are running on the target and whether there are any known vulnerabilities.
Nmap is the go-to tool for scanning systems on a network. Once you have discovered the systems, you will need to find what services are running and what vulnerabilities they have. Service and vulnerability discovery is also a critical skill that defenders need to master.
Vulnerability Scanners and Databases
Mitre maintains the CVE (Common Vulnerabilities and Exposures) database.
CVE Details is a site that makes it easy to search for CVEs based on multiple criteria.
SHODAN is a search engine for Internet connected devices.
OpenVAS is an open source fork of the Nessus vulnerability scanner.
Nessus is a proprietary vulnerability scanner. Nessus Home is free and allows you to scan up to 16 IP addresses on your personal home network.
vulscan - vulnerability scanning with Nmap, the open source cross-platform utility for network discovery and security auditing.
Network services are not the only vulnerable processes you will find on a server. A fully patched and hardened system can be compromised through the web applications running on it. Web applications can be vulnerable due to bugs in the technologies used to create them or through errors in their configuration, but the most common vulnerabilities are the result of insecure coding practices on the part of the web application developer.
The Open Web Application Security Project (OWASP) first published its "Top Ten" most critical web application security risks in 2003. Each category in the top ten represents a class of vulnerabilities that may contain more than one example.
The best place to start learning how web application vulnerabilities work and how to prevent them is to use OWASP WebGoat, a self-contained web application security training environment with lessons, labs, and walk-throughs. WebGoat is written in Java, so you will need to install it first.
When you run WebGoat, the machine you are running it on will be vulnerable. The best way to do this is to run WebGoat in a virtual machine with NAT networking. This will protect the virtual machine while allowing you to connect to the Internet through the host computer.
If you run WebGoat on your own computer, I recommend placing your system behind a dedicated firewall so you do not get compromised.
You will need a web application attack proxy to complete some of the WebGoat lessons.
Burp Suite has the most features and has free and professional editions.
OWASP Zed Attack Proxy (ZAP) is open source.
Web Application Security Training Resources
You do not need to code to get started, but as you master the command line (CLI) (see "Learn Basic Systems Administration") you will eventually need to automate a process or modify someone else's code to get it to do what you want.
The most common coding is shell scripting: bash or sh on Linux, and batch and PowerShell on Windows. Many of the security tools you will be learning to use are written in Perl or Python.
Linux Shell References and Tutorials
Windows Batch References and Tutorials
Windows PowerShell References and Tutorials
Perl References and Tutorials
Perl Programming
Perl Books - multiple titles
Beginning Perl
Modern Perl
Impatient Perl
Extreme Perl
Embedding Perl in HTML with Mason
Picking Up Perl
Perl 5 Internals
Practical Mod Perl
Perl & LWP
Python References and Tutorials
Free Programming E-Books - multiple languages
A penetration test (pen test) is a simulated attack on a system to determine its weaknesses. There are Linux distributions specifically made for pen testing that come with an assortment of the most common free and open source tools pre-installed.
Pick a penetration testing distribution and install it in a virtual machine. Use it to test security on your home network. You can also install a boot2root image in a virtual machine to train with (see "How to Practice Without Getting Into Legal Trouble"). If you do not know which pen testing distribution to use, I suggest using Kali Linux. Once you get the hang of it you can branch out and try some of the other pen test distributions.
Popular Linux Penetration Testing Distributions
It is possible to practice your newfound hacking skills without the risk of being arrested (see "Ethics").
Boot2Root is the name given to virtual machine images designed for penetration testing and capture the flag (CTF) training. I recommend starting out with Boot2Root images that have walk-throughs. Try to complete the challenges on your own. If you get stuck you can look at the walk-throughs for help.
It is also helpful to read multiple walk-throughs for the same Boot2Root, as pentesters don't always use the same tools and methods (see "Learn to Use a Penetration Testing Linux Distribution").
A good Boot2Root to start with is Metasploitable 2, which is designed to train pentesters in the use of the Metasploit Framework. You can also try your hand at Metasploitable 3.
Brimstone has created a VirtualBox OVA file that makes building Metasploitable 3 much simpler. You just download and import the OVA, start the virtual machine, and sit back and relax as it builds your Metasploitable 3 virtual machine.
Once you have got Metasploitable 2 and 3 under your belt you can visit VulnHub, a repository of free Boot2Root images you can practice on.
As your skills improve you can also try your hand at competitive CTFs such as NetKotH (Network King of the Hill), which are run at the monthly DC404 and atl2600 meetings. You can also get free CTF training from the Atlanta Ethical Hackers, Penetration Testers, & Information Security Meetup group. DC404 has a CTF team you can join (all experience levels are welcome), and also check CTF TIME for a calendar of CTFs.
If you have any questions or comments, please send me an email at