How to be an Ethical Hacker? Tips to choose the right path
Like many other people working in the field of information security in Pakistan, I also get tonnes of messages about “How to into this field”, “how to start”, “Where to start”, “Where to learn?”, “How to apply?”, “What skills do I need to start it?” and what not.
So I think this article will help many of you on getting started in the InfoSec field. Remember it’s up to your guts if you can manage this transition! If you know little about it, you will learn many new things but if you have seen someone doing it and you think you want to start that too, then note it down it isn’t that easy as it appears.
First, you will have to develop some real skill in computers, learn about networks and how the web works! Only then can you come and “join the party”.
I want to play sports; where should I start?
This vague, open-ended and very ambiguous question is very similar to someone asking how they should go about getting into information security. The first thing to realize is there is a huge range of information security fields, and within each of those huge fields is a lifetime’s worth of learning content. Just like picking a sport, there is no ‘best’, it’s simply sometimes area’s you may enjoy more than others. Off the top of my head, here are some example areas.
- Web Application Security
- Reverse Engineering
- Malware Reverse Engineering
- Network Security
- Incident Response
- Standards Compliance
- Programming / Creating Tools for Others
- Exploit Development
Some of these are more of a technical nature while others are more of a theoretical focus. I guarantee that whatever you like, there are others out there who will find it boring, just as you will find boring what they are interested in. Right now, I expect that if you’re reading this you, may know very little about any of these areas but what’s important is your willingness to learn and what type of motivation you have.
The Hacking Type
One trademark that is almost universal of people throughout the fields of hacking is their focus on independent, self-directed learning. Unfortunately, in some ways, security is still considered a ‘Dark Art’. I mean why would anyone want to know how to break into a computer system unless they were going to do so? As a result, plenty of people will show disdain or even outright hostility when you are asking about security related questions under the false (or perhaps sometimes true) assumption that it’s merely a ‘script kiddie’ looking to learn to hack systems instead of wanting to learn and use that knowledge for a good purpose. It’s also a fact that the ‘learning’ resources of information security are quite disjointed with no real central repository of learning material.
The point I want to highlight is this that if you wish to prosper and successfully enter into the information security, you should be prepared to jump in and find your way without waiting for someone to hold your hand and lead you down the right path. Google some of the above categories of information security listed above and see what sounds like fun. Despite what sometimes may seem like a constant battle to find the ‘best’ field to learn, or the ‘best’ resource, or the ‘best’ way to learn, more than often, it is time spent procrastinating wondering these questions rather than dedicating the time to actually learning. Look up a video on youtube for hacking examples — it’s ok if you don’t know what a lot of it means, but write down a list then google those terms. Use points of interest to spawn out with an ever increasing web of knowledge around the topics you’re interested in.
Do I need to learn X first?
“Of course you need to have a full knowledge of the OSI layer before you begin. Yes, you need to read that 1000 page book on the TCP protocol. Yes, you need to be proficient in 5 programming languages (at least!) before you consider hacking. Can you compile your own Linux kernel from source code? No? Don’t bother learning hacking.”
Actually…. all that is full of rubbish, yet it’s one of the most common responses given to people looking to learn information security. There is one requirement to becoming a decent hacker — interest. The difference between a future hacker and a script kiddie isn’t knowledge, it’s the willingness to learn.
“Ok, I get the hint — I need to learn things myself, but can you at least give me a starting point?”
Sure, there are a ton of great free or cheap resources out there to get started depending on what topic appeals to you. Here are some examples.
Web Application Security
- HackThisSite — Good for some basic web-based challenges (link)
- Enigma Group — Similar to Hack this site (link)
- OWASP Top 10 — Idea of what are the most common vulnerabilities (link)
- OWASP Broken Wep Apps — A virtual computer you can load up to practice hacking skills on your network (link)
- Pentesting Lab — Another web focused virtual machine (link)
- In fact, anything from vulnhub that interested you is good (link)
- The Web Application Hackers Handbook — The book on web hacking and vulnerabilities (link)
Reverse Engineering / Malware Reversing
- Lena’s Tutorials — Known as pretty much one of the best introductions to reverse engineering (link)
- The Legends of Random — Again another solid set of tutorials for reverse engineering (link)
- Reversing: Secrets of Reverse Engineering — A good book on the foundation’s of reverse engineering (link)
- Practical Malware Analysis — A great book focusing on reversing malware (link)
- Malware Analysts Cookbook — Another book focusing on reversing malware (link)
- Virtual Machines dominate this category as they allow you to practice against real machines. Head to vulnhub and download any VM that looks interesting (link)
- Metasploit Unleashed — A solid run through of the metasploit testing framework to be used in conjunction against VM’s. (link)
- The Basics of Hacking and Penetration Testing — A very basic look at penetration testing useful for those completely new to the field. (link)
- Metasploit — The Penetration Testers Guide — Another book focusing around the use of metasploit in penetration testing (link)
- Because this is such a huge field often it’s breaking it down into one aspect, then researching that aspect specifically. Blogs are your best friend here. (link)
- Corelan — This is by far the best resource out there for learning about exploit development. (link)
- FuzzySecurity — Another good learning resource with some tutorials available (link)
- Exploit-DB — One of the best things you can do is find examples of exploits (often with apps attached) and try and replicate the exploit independently (link)
- Hacking — The Art of Exploitation — A fantastic book that covers ton’s of different exploitation techniques (link)
- The Shellcoders Handbook — Another fantastic book on exploit development and shellcoding (link)
Other than that, Google, Google, and some more Google. I’ve left off some area’s such as forensics and compliance because personally I’m not interested in them so I haven’t gone looking for resources, I’m sure there are some fantastic ones out there.
Outside of the free resources, you can also begin to get certificates to make yourself more appealing to employers, but only if you wish to transition into the field as more of a career path. Some certifications I’d highly recommend would be the “Penetration Testing with Kali Linux” course from Offensive Security if you’re interested in network security. It’s easily one of the best learning experiences I’ve ever had in the field and taught me more in 60 days than I’d learned in a year on my own. Their “Cracking the Perimeter” is also a great course, focusing a little more on exploit development.
If you’re looking at developing your programming skills, things like SecurityTube’s “Python for Pentesters and Hackers” is a great foundation that will teach you how to do plenty of nifty things like building your own port scanners, password crackers etc. I don’t place a huge value into the certifications that they offer from an employment perspective, but I’d look at it more as a consolidated lump of knowledge and examples for sale which can still be valuable.
The “Certified Ethical Hacker” course is another commonly mentioned. Honestly, it’s typically looked down upon so I don’t think it’s necessarily worth the money — but if you need a formal course to learn things then it might be worth the money to you. A lot of these certifications and their value are discussed over at TheEthicalHacker.net’s forums located here.
“Just seeing if you can”
Hacking is all about gaining access to things that we’re not meant to. Creating an exploit, finding an SQL injection, cracking a password! It’s all designed to put us towards the goal of taking control of the box we’re attacking. I guarantee that almost every new hacker has started dreaming about “just seeing if they can” get access to that school website, “just seeing if they can” gain access to the neighbors WiFi network or sending their friend a trojan virus “just to see if they can” take control. Worse still you might end up visiting places like HackForums.net and seeing a lot of people trying to infect others with RATs, build botnets etc under the impression this is hacking, or sadly that this is the only way you can learn.
I need to emphasize that this is not the case. Any type of “just seeing if you can” type exercises can be replicated through the use of virtual machines, your own routers or even capture the flag / wargame competitions out there. Being realistic, even if you can access another person’s machine, what are you going to do with it? Are you really going to try and steal credit card details and make fraudulent transactions? Are you really going to steal passwords and be paranoid that your activity is going to be traced back to you for the sake of peeking at someone’s emails? There have been plenty of examples of newbies being charged, not realizing the seriousness of the crimes they are committing. If you went for a job with the FBI and they had a look through your post history, would you like them to read that post about you asking how to host a botnet? It’s a classic example of what’s on the internet, it’s forever, and if you really want a career in information security, you need that clean record to obtain any security clearances you’re going to need to do your job. Getting caught for stupid stuff just isn’t worth it.
So after a long ramble, what are the key points?
- A hacker will actively seek out information, not wait for others to give it to him!
- The difference between a script kiddie and a new hacker is the desire to learn!
- You need to experiment with a wide range of information security fields to find what interests you!
- Don’t let anyone tell you that there are prerequisites for learning information security, there isn’t!
- It’s not worth “just seeing if you can” do anything that isn’t legal, the risk vs reward makes no sense for doing so!
- With courses, wargames, capture the flags and more importantly, virtual machines, there is no hacking scenario that can’t be replicated legally!
Have fun, sorry if it got preachy towards the end and enjoy pwning boxes! Information security is an awesome field and you’ll be learning something new every day that you’re involved in it. There is no right answer for getting into the field apart from jumping into it with both feet. Get wet, learn to tread water and stay afloat, one day you might even be able to swim a little!
Orignally published over here, this article has been edited by Rehan Ahmed.