Saturday, June 4, 2016

How to become a hacker: Part 1

I know it's been a long time since I last blogged; I have been finishing up with coaching clients, working, and studying in the evenings. I have decided to show you what I have been learning and how you can do the same if you want.

The biggest advantage I have with becoming a hacker has been having a friend (who is a hacker) agree to mentor me. My end goal is to get hired as an Ethical Hacker / Pen Tester; I am not simply learning to learn. I want to learn how to hack and be good enough to actually go out and get hired as a hacker. I am not learning to impress anyone or look cool. The mission is:

Get good enough to land a job as a hacker.

One of the first questions my mentor (who is currently on a Red Team) asked me was what type of security testing / hacking I want to get into. He compared my wanting to become a hacker to someone saying:

"I want to get into Computer Science."

That is too vague. Computer science is not specific enough: you could become a programmer, you could become a test automation engineer, you could do Big Data; the possibilities are endless. The same is true with becoming a hacker: that is too vague, and you need to get clear on what you will be security testing / hacking.

I decided on web application security pen testing since I like working with web apps and am most familiar with them.  My hacking training is specifically geared toward learning web application pen testing techniques.

So the first rule to becoming a hacker is:

Get clear on what type of security testing / hacking you want to do; don't try to learn everything.

On that note, I am learning some of the lingo used by real-world hackers, and have found that they actually do not like the term 'Ethical Hacker'. They call themselves 'pen testers' or 'penetration testers', but almost never Ethical Hackers.

The next issue is where and what to start learning?

There are so many resources and places to learn that you can absolutely waste your entire life trying different courses and tutorials. Everything I am writing about is my own personal journey to becoming a web application pen tester. With that said, here is the first resource that you need:

http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html


Start on lesson 16 and go through lesson 19. The other lessons are good, but I am told they are over my head for now. The hardest part of this training is the homework: reading 80 - 100 pages after each lesson takes a long time, and it takes even longer to really understand what you are reading. The book you will need is:

Web Application Hacker's Handbook.

The key to learning pen testing is not simply watching a video and reading a book; pen testing is all about hands-on practice. You absolutely must do what the book recommends as exercises, or else you will only get the theory but not the actual how-to.

How to actually do the exercises?

You need a web application that you are actually allowed to pen test, so that you are not doing anything illegal or risking jail. The solution is:

https://github.com/WebGoat/WebGoat

WebGoat is the best way to actually try out all the techniques you have read about. Watch the lesson, read the homework, and go through some challenges using WebGoat's insecure web application. This is how I am learning and will be for some time.


Tools:

The first thing you need to do is to only use VirtualBox or another VM for all of your testing, so that in case something goes wrong you can simply delete it. I did this wrong before; trust me, you need a VM.

Install VirtualBox

Install Kali:
https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/

On Kali install:

Firefox
Burp Suite (latest version)

There are more things you need to know: you will need to know how to set up a browser proxy to talk to Burp Suite so that you can test the web app. If there is interest, and I receive enough emails, I will write some more posts on the specifics (as they can be tricky when you are new to it).

The last thing I will say is that learning how to code was tough, and getting an actual junior dev job was even harder, but none of this will be even close to how hard it will be to land an actual job as a pen tester at a company. Companies want you to basically be able to hack an international bank and not get caught, with very little supervision. I am nowhere even remotely close to that level of skill, but I know I will get there eventually. Follow along on this journey if you want me to show you the way!

Never give up, you can do it!