Learning to hack

Everyone wants to be a hacker. Just like that. For fame or for money, and preferably for both. I even heard being a SOC member is sexy.

In 2019 I wrote an article Ethical Hacking - How to start. Check it as an introduction or supplement to this article.

I work in IT about 15 years, including about 5 years as an eDiscovery analyst (something like forensic, but for big data, so maybe count as security), 4 years as a security analyst, and about 2 years as a penetration tester/red teamer. Rest as administrator, consultant, IT support or any other crap things related to IT. Thank God I was never service desk operator). I graduated from an electrical and electronic technical school. Then I graduated with a degree in engineering with a specialization in computer science, and then a master’s degree in security of computer systems and networks. While working for various companies, I’ve done a ton of certifications. And guess what? I’m not writing this to brag, but because I still feel like a fool who doesn’t know enough. My school days are years behind me, and every day I still have to study and gain knowledge. Every day other professionals tell me (from RSS feeds I follow) things I don’t understand and I have to take the time to catch up with them. And as soon as I learn a new topic and start to understand it reasonably, along the way I discover 10 others that I need to understand in order to know what the first one is about. Such a fucking infinite loop. I’ll die trying to gain knowledge, and still some prick in the comments will write me that I don’t know shit :)

I was never an outstanding student, I didn’t like to study and preferred to party and go to concerts. It always hurt me that I needed more time to understand certain things than others. Unfortunately, I always compared myself to better or more talented people. Not that I’m some sort of genetically mutated retard. Maybe it’s the fault of the education system, maybe it’s my laziness, or a rebellious soul or I was either too ambitious for my abilities, or the media around me created ideals that were impossible to achieve.

To study more efficiently I had to learn it, and I did it only as an adult. Now I improving, while in the past I studied to pass. Pass exams, schools, classes etc.

I know people who, without school or certifications, are 100 times better than me, they are security experts or world-renowned hackers. But they didn’t ask anyone how to hack, and they didn’t have very colorful private or social lives. They just sat in front of the computer, clicking like madmen learning from their mistakes in addition to reading everything they could. And that’s pretty much true of every field of science and culture. You can have talent and it will be a little easier for you. You can have no talent and it will be more difficult, but only time spent on education and practice will bear fruit in the future.

No matter what, the balance must be maintained. Either you’ll be a super virgin hacker who never drink a beer or a jobless chav on welfare. Or you will be a no one, just average like me who enjoys life and at the same time has a good job. Balance bitch! Balance, routine, consistent action.

By learning something every day an hour a day, you will see tremendous progress after a year. By learning from time to time, taking long breaks, you won’t learn anything. Or you will learn, but you will not be good at it and you will still be very far from an expert level.

Well, also keep one thing in the back of your mind. In my day, nothing was available just like that. You had to spend time searching for knowledge first, in order to get it later. Books, libraries, magazines, or colleagues from the neighborhood local network, all that was the source of knowledge, and a lot of mistakes and hours trying to fix stuff I didn’t understand. Today we have an Internet with everything, search engines, ebooks, hundreds of free eLearning sites, thousands of paid ones, millions of experts, billions of blogs, petabytes of YouTube recordings and artificial intelligence at your fingertips.

If you really want someone to help or mentor you, come with basic knowledge, show where you’re stuck, what you’ve already done, how you’ve tried to solve the problem, what ideas you have for solving it, or where something isn’t working as it should. As you’ve done all this, sleep on it for a day and try again fresh. I assure you that 80 percent of the time you will solve your problem yourself and learn more than if you ask someone, or find a ready-made solution. However, if all fails and you show your reasoning, maybe someone will find an error in it or simply give you a hint that you missed for some reason.

So fuck me, when sometimes someone writes to me simply to say that he wants to hack and I should tell him how to achieve it and how to learn, it…. probably the best way to illustrate it is with a meme just change cyber to hacker.

When you attain knowledge in a subject, you may become as disgusted with certain questions as I am. It’s not that I know something and am now offended that others are asking about it. I remember that I had to learn it myself, I just know how much time it took and how many things around I had to learn before achieve goal, and what someone’s expectations are. So the question “how to become a hacker?” from random person from the internet is ridiculous. And there are as many answers as there are hackers on the world. Simply is, just keep learning. No magic at all. You become a hacker when you have proper fundamental IT knowledge and skills especially on field of cyber security (where cybersecurity is everything in IT + security), and you can use that knowledge and skills to find threats, security issues and vulnerabilities (when you are lucky or genius then even 0days). After that how you use those skills define what kind of hacker you are. Black, gray or white hat. You are not a hacker when using a YouTube tutorial, you entered the Instagram account of the girl who dumped you last week. Then you are an asshole with a bit of luck and a criminal at the same time.

You can also be a bad hacker who gets a second chance as a security consultant expert. But only if you are an outstanding individual. In any other case, you’ll just go to jail.

Now that I’ve farted off all my bitter regrets. Check out the following list of eLearning platforms that will help you (in most cases for free) gain complete knowledge of IT and security. They will give you the opportunity to start your career as an IT security analyst from scratch, and help you choose the path in which you want to grow.

eLearning platforms

You need only time and be consistent in action. Study regularly, have recovery time, don’t get discouraged if something doesn’t work out for you. Each platform has a community that helps when you get stuck, or is willing to discuss task-related topics, and there is always support that solves problems.

Labs

Don’t do labs just to complete labs and get higher rank. I have seen a lot of people who register to platform, doing all labs they can with some tutorials from web (copy paste, or step by step, or copy flag only) just to complete labs and get some rank in same time learn nothing. Each lab is very well described with theory behind it and bunch of links and references to help you understand everything. Sometimes lab have recommendation to do another lab before, just to understand basics of some topic and be able to complete main one. Some of labs are grouped and build paths, so they are built with some logic to understand global topic or achieve main goal.

I know everyone wants to login, run virtual machine and only practice, but practice without knowledge can be painful, longer or with no effect. Labs are to learn stuff, to use learned skills for CTFs, where you have no tutorial, but only problem to solve.

TryHackMe is probably most user friendly platform where you can learn a lot of theory and practice’s at once. Check their learning paths, it’s best place to start if you are non IT. There is a lot of free labs, and if this is not enough for you you can subscribe for 12 USD per month (for example just to complete some path and get cert) or 108 USD for year + 3 month free. During that year you can become an expert if you keep doing a few labs per day. In my opinion it is cheapest way to get dreamed job. For 108 USD and one year or education you have a few certs, knowledge and possibility to get good paid job in cybersecurity as a junior. You will find here labs and CTF’s too.

• https://tryhackme.com/

Hack The Box can be a little hard for the beginners, but this is another place to check when you feel stronger and check what you have already learned. Labs + CTF’s and more. They have also academy, but it was always out of my reach because of the price. Maybe I will ask my boss to buy it for me :)

• https://www.hackthebox.com/
• https://academy.hackthebox.com/

Attack Defense is fully free and you have there 1800+ labs. Very good if you have no money.

• https://attackdefense.pentesteracademy.com/

Pentester Lab was partially free, but now I see everything is paid. It’s more expensive than TryHackMe, but also organized in path from easiest stuff to advanced.

• https://pentesterlab.com/

Port Swigger (Burp company) has it own WebSecurity Academy. Using Burp and labs you can learn everything about web applications security, and thanks to that start your career as penetration tester.

• https://portswigger.net/web-security

Immersive Labs is mostly paid and focused on delivery labs for enterprise. I always found it a little boring. One of the company I was working for offered it as internal security labs. If I would have a choice I would choose TryHackMe or PentesterLab.

• https://immersivelabs.online/

Lets defend have some free labs, worth check. Personally I never used it. But they are recognizable on the market.

• https://letsdefend.io/

Root me, never had a time to register there, but has a lot of free labs.

• https://www.root-me.org/

Blue Team Labs is focused more on testing your skills. It’s part of Security Blue where you can get some Blue Team certs.

• https://blueteamlabs.online/

Coding

Every hacker needs to know the code. Maybe not on the developer level, but to know what is going on. I personally used only Code Cademy free edition. I am aiming to buy pro and finally learn with cert Python… but yeah, lazy.

https://www.codecademy.com/

CTF

Some of labs platforms listed above also have CTF’s, but here is a separate section for places with CTF only. When you will learn theory and pratice on labs, and you would like to check your skills, do some CTF’s. Don’t stuck on labs with guides only. Always practice your skills. If you will fail, you know where you have gaps in knowledge, get back to labs and theory, and then start CTF back again. Real life scenarios does not have guides. You need to use knowledge and skills to solve real issues with no hints!

• https://overthewire.org/wargames/bandit/
• https://316ctf.com/
• https://ctf.hacker101.com/
• https://parrot-ctfs.com/
• https://online.pwntilldawn.com/
• https://echoctf.red/
• https://cohackers.co/

Self hosted tools

If you have option to host something locally, it is a good alternative to cloud solutions. You can setup some virtual machines or local web server, and then practice your skills offline at your home. Setting stuff listed below is also a good option to learn how to configure stuff and learn Linux, coding, configuration, administration etc.

• https://www.hackthissite.org/
• https://owasp.org/www-project-webgoat/
• https://owasp.org/www-project-juice-shop/
• https://github.com/digininja/DVWA
• https://github.com/strellic/Hackbox
• https://vulnmachines.com/
• https://www.vulnhub.com/

Other stuff

Don’t try to be a hacker. Try to be a security researcher, security professional, security analyst or security enthusiast. Get knowledge to get job in IT security, for example as 1st line analytic in SOC, and you will do amazing stuff and have a chance do develop and learn more. If you want to be a hacker just to do a evil stuff, the consequences of this may be inadequate to profit, you will lose time to study, to get rich quick for short term, and then you will spend the rest of your life behind bars.

So for the question addressed directly to me like “how to become a hacker?” or “how to start a hacking adventure?” my answer is, do all listed labs, complete a few CTF, and read rest stuff I wrote listed below. I have nothing more to add in this topic for now.

• Ethical Hacking - How to start
• Test Environment
• How to report a vulnerability and not go to jail
• I am not that hacker you are looking for
• Security roadmap
• Penetration test report template
• Healthy mind and body of hacker

Here are some other sources of news and communities to join:

• Hacker Forums
• Hacker News

My life is too short to mentor, or teach others. I think what I already wrote on this blog may be a good signpost and knowledge source. Good place to start. Rest is in your hand.

Finalizing this never ending topic and chats around it I can now focus on other stuff.

Good luck!

PS: If you become a famous hacker and make millions thanks to these tips, don’t forget about me and then send me donations. I work in a security, I have for food, but if I could quit all that, and focus only on writing, it would be great. Head for the hills… escape to the wilderness… stay in a small cabin…

Remember this is a next step in every security professional career ;)