If you want to hack (all the things)

In my last post, I told my story about how I started hacking. Hopefully that made you want to learn too, so I made the honorary ‘How to start hacking’ post. The following are tips when starting out that I wish I knew, as sometimes it’s hard to figure out what you should be learning.

Google

As stated, googling is the most important thing you can do. When you don’t know how something works or need to learn about a system, google a question. Specific Google search operators, like ‘-’ to exclude words or “” to always include specific words, are very useful.

Example:

When searching for something like a Cisco vulnerability, instead of searching this

Cisco 2000 series vulns

doing this would yield much better results

Cisco "2000" series vulns -1000 -3000

Although realistically you could just search for Cisco CVEs using Exploit-DB. But nonetheless, google things. Instead of asking a question right away, see if you can google around and figure it out first. It’ll take more time, but that’s how you learn, and you save time for others. You’ll appreciate it as you start to learn more and begin helping others.

Learn the language

As with many fields, cybersecurity is full of unique language and acronyms. Unlike most professions and fields, however, it also includes several gifs, inside jokes, cats, and unprofessionalism that is awesome in several ways. Security is one of those fields that, unless you work in the public sector or a few older style financial institutions, will never have people wearing suits, and the dress code will more often than not be casual.

But the language and gifs can sometimes be hard to sift through, especially older jokes that you don’t know about until someone explains them to you. In general, if you want to make a joke, use cats doing cat things and you will be accepted. As for acronyms, it’s ok to ask what they mean if a quick google search doesn’t yield an answer, considering sometimes there are multiple meanings for the same acronym, and the only way to tell which one is being talked about is context. I can’t think of any specific examples right now, but you’ll see them as you research.

Don’t get shiny newness syndrome

Many people, including myself, have wasted several hours and attempts at new tech and programming languages because they’re new. Don’t pay attention to new tech. If you are trying to do something and new tech makes it easier, more secure, faster, or better in some way, then worry about new tech. Focus on what you’re trying to do, and find tech that helps you achieve that goal. Don’t get tech then make a goal for that tech; have a goal and use tech to achieve that goal.

Where to start

This question is near the bottom because although it’s the most popular question for every field, it’s the least important. Starting isn’t the hard part. The hard part is consistent effort, focus, and working through the failures, because there will be several.

When starting in programming, Python is probably best for security considering how many tools are written in Python, how easy it is to write, and how fast a script can be written to automate repetitive tasks. Personally I started with PowerShell and still use that because I know it better, but I use Python on Linux systems. Ultimately, whatever you’re better with and can use more effectively, use that. If you’re making bigger programs that do more complex things, I’d urge you to look at Rust rather than C or several other lower-level languages; it’s pretty cool for several reasons listed on their site. However, it’s still pretty early, and for some things you need libraries for, you’d want to look at other languages. Just whatever you do, don’t use Java. Don’t do it.

The infosec community is pretty big on twitter, and is a great place to see the industry day-to-day and what people are working on, as well as connecting and actually talking to the awesome, friendly people that make up the infosec community. If you embrace some of the stranger things infosec people do, it’s a lot of fun.

At the bottom of this post is a list of other resources and forums you could take a look at and which I use, although there isn’t really a ‘this is the place to be’ minus twitter. Lots of people have blogs and the technical details are spread out, which is a good thing, as it keeps the community diverse and interesting.

Get a mentor

I know, you’re thinking ‘but I don’t know anyone good with computers/cybers, how and where can I find a mentor?’ You’d be surprised. People that helped me along were online, and I’ve never met them. I don’t know who they are, or anything about them personally really. But I still have a go-to guy about networking that I met at 7s, a gaming community I used to use extensively when I was still into gaming. If you get a job in infosec, you’ll probably get to work with some very smart people, who can act as mentors as well. When I worked at an internship in Milwaukee last summer, the guys I worked with there were some of the nicest people I’ve ever met, and I still talk to them often, and I think they’ll be mentors and friends for a long time going forward.

Work hard, but not too much

I used to work on computers all the time. If I didn’t have class, homework, or soccer, you’d find me working on computers. Every few days I’d hang out with friends. This is ok to do for a while, but I didn’t realize how important the human aspect of working is. Time to get to know people, learn about them, and time away from the computer will actually let you work harder, smarter, and better, with more people who can help you help yourself. I didn’t get this at first, and I think I’d be a year ahead if I knew this in the beginning. Put another way, no one cares how much you know until they know how much you care. And if you don’t have relationships with other people, your work can’t reach a wider audience, and it helps fewer people. Expansive influence is extremely important, whether you’re willing to admit it or not. Make sure you make time for friends, family, and the people you work with. They’re important. I try to dedicate 3 hours per day to working on personal projects infosec related, with varying amounts on the weekends, but Fridays and Saturdays are always reserved for friends and family. I used to think of that as time I could be working, but it’s actually just as productive, just in different ways. Even if you’re a quiet person, which I am, you have to get yourself out there; it’ll help you so much. As far as getting yourself out there in terms of the infosec community, cons are a great way. I went to my first this year thanks to winning a ticket, as they’re normally pretty expensive, and it’s hard to express how many great people I met, awesome things I saw, and badasses doing their magic I got to witness.

Understand who you’re talking to

This doesn’t really apply until you start to get into infosec more. Initially, you’ll probably be talking to teenagers. That’s just how it works. You’ll find a lot of younger people at places like hackforums. There’s a reason trollforums.com redirects there after all. You’ll find that online, most of the people are very young. At cons and in person, you’ll find that many, many people are former military, especially older folks. I believe this is because only the military had computers and worried about security before the internet became widespread, and the infosec community is still relatively small compared to several other industries. The reason I bring this up is because when online, not getting mad at younger people ‘trolling’ is very important in staying productive and getting accurate information quickly. In the professional context, it helps to understand that ex-military are generally more direct and often cut the bullshit, which is important to understand in that they aren’t being rude, it’s just the way it is.


So that’s my incomplete list of how you can get started if you also want to go from cyber noob to elite lulzsec ddosing machine.

Website Resources (sites I use and go to, in no particular order):

se7ensins.com - gaming forum, just have some old friends there

hackforums.net - general intro hacking topics

twitter.com - infosec community

news.ycombinator.com - startup/tech news, HQ discussion. This is where you find new/shiny

github.com - open source code, everything is awesome, great to browse

shodan.io - advanced search, highly recommend

wigle.net - wifi network map of the world, useful for some projects

bugcrowd.com - get paid to find bugs

wikipedia - everything

kernelmode.info - semi-dead forum, very technical stuff though

exploit.in - keep up to date and Russian hacking

digitalocean.com - great for hosting small projects, this blog will soon be hosted there

pastebin - watching new posts is fascinating, you’ll never know what you’ll find

jare.io - for free CDN using the AWS network. Good for small projects

keybase.io - for PGP verification. Mainly professional use

Krebs - smart guy, does great work researching cyber crime

Troy Hunt - another smart guy who does awesome work

Samy Kamkar - practical hacking. Makes awesome stuff you can do yourself

radb.net - internet stuff like whois, nice api, useful in many scripts

speedof.me - speed tests, uses HTML5. Avoid Flash when possible

VirusTotal - Virus scanning, both sites and files

Tool Resources:

I wasn’t going to list any tools since tools change all the time based on what you’re doing, but there are some I use often. These are useful in general, but it could be different for you:

KeePass - password manager (vital, use one)

PuTTY - SSH for Windows

VirtualBox - VMs, very important, super easy to use

Kali - everything

Hugo - static site generator, it’s what I use for this blog

Notepad++ - it’s like Notepad, but better. Also, Vim on Linux

Vagrant + Ansible - scriptable/automated VMs. Badass? I think so

Wireshark - Network inspector/hacking. Cool stuff, very useful

Tor - the deep web. It’s not scary like the news portrays, I promise

So that’s it, hopefully this helped!

Thanks for reading.