I’m Learning Ethical Hacking, here’s how I got from 0 to 1

Kalizi <Andrea>
Published in Geek Culture
9 min read · Aug 12, 2021


XKCD Comic Link

Cybersecurity is probably one of the hottest topics of 2020/21.
The pandemic and remote working drastically increased the use of that magic thing called the “Personal Computer”: thousands of people from all over the world with practically zero IT knowledge rediscovered their old unused PCs, complete with their late-90s photos, malware under the dust, and that old newspaper they kept because it had some fun articles they hadn’t read in more than 10 years.

During the last two years, I got many emails that say

“Hey man, we got hacked, your email and some of your data are now on a public data breach downloadable from the internet and you can’t literally do anything about it”.

And I was like

“Oh nice to know about that… or maybe not.”

Once your data is involved in a data breach, spam intensifies. In the last year, the number of phishing emails, SMS messages and even calls I received almost doubled.

Data breach?

A data breach is the release of private and/or confidential data into an untrusted environment.

It usually happens as the result of a cyberattack, and that attack usually doesn’t come out of nowhere. Think of a website you’re registered on where the administrator credentials are “admin” with password “admin”, and imagine an attacker stumbling onto them. Once the attacker gets into the website, he can access all the data in there (including your login credentials and everything tied to them), dump it to a file and sell it, or even worse, release it freely on the internet. You may think that “admin” as a password is a dumb move and that system administrators aren’t dumb… you may be surprised.

If you’re curious to know whether your data leaked somewhere, there’s a good service you can use called “Have I Been Pwned” (“pwned” is hacker slang for “owned”, i.e. compromised).

Have I Been Pwned Homepage

It’s easy: open the website, fill in the input with your email or your phone number (with your country prefix) and just click “pwned?”.

No leakage found

If you’re lucky, you’ll see something like this: “no pwnage found”. You’re safe, but don’t claim victory just yet: stay alert, change your passwords and keep an eye on data breaches!

Leakage found

But if you have many accounts, even unused ones you never deleted or that have been gathering dust, you may well see the red message screaming “Oh no — pwned!”.

If you keep scrolling on the pwnage page, you can see the breaches you were involved in and what data each one exposed.

Data breach your data are in

For example, one of my emails has been in a data breach of a service called “000webhost” since 2015. That service offered free web hosting with PHP and MySQL and I used it a lot for my experiments, but I literally paid for those “free experiments” with my data. You can see that the leaked data were: my email address, the IP addresses of my logins, my name and my passwords.

If you discover your data is in a data breach, the first thing you should do is change the passwords on the leaked email accounts and any password you reuse across more than one website. The best practice is to use a different password for each website you use. This is kind of hard because if you’re willing to use complex passwords, you’ll probably forget them within minutes (if you have a goldfish memory like me), so my best tip is to use a password manager where you store all your passwords and only have to remember one main password to unlock them all!

Choosing a password manager is not easy: there are many of them and each focuses on different aspects, but the purpose of this article is not to compare them, so I’ll just suggest the one I use: Bitwarden! It’s open-source, you can use it for free, you can pay for a family plan, and you can even self-host it. It’s up to you: do what you want, but keep your passwords safe and periodically updated!

Hacking… Ethical Hacking… let’s talk about it.

I’ve always had a crush on cybersecurity, and the truth is that I know more about this topic than I thought (not enough to be considered a pentester, but maybe… one day). I’ve been developing software for eight years, and one of the first things you learn (if your teacher is good enough — spoiler: mine was) is “don’t trust users, NEVER trust users”.

User inputs?

Over these years I’ve seen lots of environments: from blockchain and applied data structures to WordPress plugins, passing through Android development and REST APIs. What I really learnt from those changes was architecture, patterns and, in general, that thinking, designing and structuring an application is always far more important than simply coding it. Coding undoubtedly helps, because knowing the tricks of a language may make the design part easier; however, having a clear vision of what you want your software to be is the most important part.

And this is where cybersecurity comes in. Many times, when you don’t have a clear overview of what you’re coding, or you have to build it faster because it had to be ready yesterday, you start doing shit. I’ve seen this happen lots of times.

Some years ago I got a call from one of my co-workers (I’ll change people’s names for privacy) saying: “I assigned a job to Jonathan but he screwed up and disappeared. I need someone to fix that job fast because it must go online next week and you’re the only one I know who can do the trick, will you help me?” I didn’t say no, so they shared the project’s git repository and the specs with me. I started looking at the code, and the first thing I noticed was that there was no input validation at all: every input was taken straight from the request and thrown into the database without any processing.
The project was low budget and I got paid almost nothing for some fixes. I warned the clients once that they were running an insecure version, but they didn’t want to pay more and were happy with what they got. Who knows whether they survived the wave of attacks during the pandemic.

Anyway, situations like this can be avoided if security, and cybersecurity in particular, is taken seriously. And the best way to understand how to secure an application… is learning how to crack it.
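To make “thrown into the database without any processing” concrete, here is an added example (written for this article, not code from that project): a constructed SQLite table, a lookup written the way that code was, and the same lookup with input validation and a bound parameter. The table contents and the username policy are assumptions.

```python
import re
import sqlite3

# Constructed in-memory sample table standing in for the project's database;
# the schema and rows are made up for this example.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_insecure(conn, username):
    """The anti-pattern from the story: the request value is pasted straight
    into the SQL text, so the user controls the query, not just a value."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

# Assumed validation policy: what a username is allowed to look like.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")

def lookup_safe(conn, username):
    """Validate first, then bind the value as a parameter so it can never
    change the shape of the query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    conn = build_sample_db()
    # A legitimate lookup behaves the same either way.
    normal = lookup_safe(conn, "alice")
    # A tautology in the name field: the insecure version returns every row,
    # the safe version refuses the input before it ever reaches SQL.
    hostile = "x' OR '1'='1"
    leaked = lookup_insecure(conn, hostile)
    try:
        lookup_safe(conn, hostile)
        rejected = False
    except ValueError:
        rejected = True
    return len(normal), len(leaked), rejected

if __name__ == "__main__":
    print(demo())  # (1, 2, True)
```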

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” ― Sun Tzu, The Art of War

How to get started?

As Linus Torvalds said: “Talk is cheap. Show me the code.” I decided to start learning ethical hacking thanks to the YouTube algorithm (wait, what?).
One day it suggested a video from the John Hammond channel. I was astonished at how he talked about attacks and how easily he could explain things and explore tools. I knew that behind that ease there were many hours spent studying, trying and exploring, but it hooked me. I was really fascinated by him and his abilities; I keep watching his videos and he amazes me every time.

David Bombal interviews John Hammond

Later on, I stumbled across another video, an interview with John Hammond by David Bombal. That’s where it all started, that’s where I really got triggered. David Bombal is an amazing teacher. I don’t know him personally, but with his videos, his content and the way he prompts you to do things to improve yourself instead of just being passive, he gave me the spark to start doing.

I love practice. I studied theory for most of my life and I keep doing it at university, so the first time a client paid me to get my hands dirty coding I was extremely happy about it. John’s philosophy is to get your hands dirty in Ethical Hacking from the start, and that’s what I wanted too.

I’m an extremely curious person, so one way wasn’t enough and I picked both:

  • the David way: attending his Ethical Hacking course, which is totally for beginners. While writing this I’ve already watched the first seven sections of the course, which I treated as a review because I use Fedora Linux daily on my desktop PC and already have good basics in programming and networking, but everything I watched was done really well and anyone can understand every concept.
  • the John way: playing PicoCTF. I had never played CTFs (Capture The Flag) before. For those who don’t know what a CTF is: it’s a challenge where a flag is hidden and you have to find it by being smart and working your way around the challenge with your knowledge. While I’m writing this, my PicoCTF score is 2810.

How to get started with PicoCTF

PicoCTF is extremely easy to use: you register, log in, open the practice section, and you’re ready to go.

PicoCTF practice page

Once you pick a challenge, it will show a name, a description, some tags such as its category, the hints section (you won’t always have hints), the percentage of users who “got the flag” and, obviously, the points for the challenge.

Obedient Cat

The first challenge is named “Obedient Cat” and it gives you 5 points. If you’ve ever used bash on Linux, the cat command will probably ring a bell. The description reads:

This file has a flag in plain sight (aka “in-the-clear”). Download flag.

and the “Download flag” part is a link. You can get your flag any way you want; I’ll show you two really easy ones using bash. The first uses the curl command:

$ curl https://mercury.picoctf.net/static/33996e32dce022205a6a36f69aba56f0/flag

The second uses wget and the cat command:

$ wget https://mercury.picoctf.net/static/33996e32dce022205a6a36f69aba56f0/flag
$ cat flag

Either way, the output will be:

picoCTF{s4n1ty_v3r1f13d_2aa22101}

That’s the flag. After finding it, all you have to do is submit it on the challenge page on picoCTF. Every flag has the form picoCTF{flag_here}. Now, all you have to do is practice.

I once read in an O’Reilly book (Building Microservices) that when you start a project there isn’t “the programming language” for that kind of project; you have to pick the language you’re comfortable with.

Some programming languages fit “cybersecurity tasks” better than others because of how widespread they are; Python is one of them. There are plenty of tools written in Python, and you can find many of them on pentesting distros like Kali Linux, but this doesn’t mean that if you’re good at Java you can’t use Java to practice. You’ll probably spend more lines of code on some tasks, but hey, stay cool and practice, that’s the goal!

Keep it ethical

Photo by JESHOOTS.COM on Unsplash

There is a subtle line between the good and the bad hacker, and it’s up to you to pick a hat. Why a hat? Because hackers are divided into white hats and black hats: the white hats are the ones doing it for good reasons, to help, or for work (they get paid for penetration testing and vulnerability reporting), while the black hats are the ones you read about in the news and who cause data breaches. If you want to begin learning to hack, do it for good and keep it ethical.

If you got here by reading and you liked this, let me know, ping me below if you started learning to hack, and remember to always stay cool 🥂
