
Tutorial How to learn how to hack: a guide for the uninitiated

Discussion in 'Windows Tools & Tips' started by IrresistibleMiggy, Sep 9, 2016.

  1. Foreword:

    As specified by the title of the topic, this tutorial is not going to teach you how to hack anything. This tutorial is about learning how to learn (geared towards how it pertains to hacking), and to give you some specific starting points/guidelines and milestones so that you might become more proficient in x area of your choosing in y amount of time.



    My personal technical abilities pale in comparison to the other members of this forum, but I feel that over the last couple of years since I began my journey as a security enthusiast I have grown considerably, from having little to no background at all in computers. I owe it to this community to contribute something of value, and since I lack the knowledge to create a worthwhile technical tutorial, I've written this to share my strategy for learning, in the hopes that it will help others who may be where I was a few years back.



    What to do when you do not understand something.

    This is going to happen a lot when you first start. It's a good thing. If you know what you don't understand, then you already know exactly what you need to learn. Allow me to present you with a scenario to illustrate how you can use what you don't know to your advantage:



    You're watching one of the ensuing Defcon talks and ARP spoofing is mentioned. Maybe you've heard the term before, maybe you haven't, but in either case you still don't know what it is. Make note of it, write it down. Pause the video, and go read up on it. Frequently (especially with a topic as dense as computer science and security), this technique will lead you down a spiral of learning new terminology, definitions, and explanations, more so when you're just starting out. Try not to veer too far off the path of your original research goal. A good way to figure out how well you know a particular topic is to explain it to someone else. In my case, I'll just talk aloud to myself like a crazy person, since I don't know anyone willing to sit through me explaining to them what TCP/IP is. The point is, if you follow that method for every single puzzle piece, eventually you'll be able to go through that entire video and comprehend what is being discussed. Moreover, the knowledge you've obtained is going to carry over to the next topic you look up, so that next time someone says "WAF" or "entropy" or "LAMP", you know exactly what it means.



    That is the fundamental idea behind how I learn or teach myself pretty much anything. Break it down into smaller parts and eventually the big picture will come into focus on its own.



    Get a foundation.

    Yes, the amount of material out there can be overwhelming. Start with the basics first; learn about operating systems, networking, and the basics of Computer Science.



    If you're looking for some sort of guidance, check out some computer science and computer security syllabi from universities. There are a lot of these available freely as a PDF online, and, as a fellow autodidact, you can follow them as a road map for what to learn.



    If you're looking for even more structure, check out:

    Harvard's Intro to Computer Science (through EdX)
    Cybrary's beginner-level learning path
    Udemy's IT & Software courses (if you've got some extra money to spend)
    MIT's Intro to Computer Science (also through EdX) - Resource provided by @sonNe



    Once you've got a good handle on the above, and if you're interested in pentesting, check out these links for info on some of the common pentesting tools and another collection of awesome pentester resources:

    Software Testing Help's pentesting tool list
    enaqx's awesome pentest resources (via GitHub)



    If you have a specific career goal or job in mind, look through job postings on LinkedIn, Monster, Workopolis, or other job searching websites to see what the requirements are for your desired position. Write up your own syllabus to tackle learning exactly what your potential future employers are looking for. The job you want requires you to have knowledge of and experience using monitoring and alerting systems? Better find out what those are and learn them. An employer wants you to have experience with Solaris and you've never used it? Better set up a VM. I think you get the idea: it's easy to find out what you need to learn if you know the kind of job you want to apply for; the employer is going to give you a straightforward list.



    Start using a *nix.

    If you're not currently using a Linux distro, you should start. There are many benefits to a free and open source operating system that I'm not going to cover here, but I will go over some of the major points. First off is customizability. Compared to OSX and Windows systems, you'll have far greater control over what's actually installed on your system. You can have as much or as little installed on your system as you'd like. Heck, a fresh install of Arch has little more than a command prompt on boot, which can make for a very efficient box. Next is resource usage. Most iterations of Linux are less resource-hungry than Windows, enabling Linux to run smoother on less powerful machines and give you a little extra RAM and hard drive space. Beyond that, arguments could be made for better vanilla security features, administrative abilities, and reliability.



    There will probably be some discrepancies between people on this forum and elsewhere that Windows is just fine for hacking, and maybe it can be, but it's unnecessarily bloated from the start, and (without any modification) lacking in useful aspects like an easily navigated command line, and BASH [redacted, PowerShell is the bomb]. I also recommend the switch to Linux, since, if you're new, you've likely had the Windows experience for most of your life up until now (or up until your parents bought you the shiny new Macbook when you started post secondary). Since, if you fall into that category, you're not familiar with Linux, it's time to switch it up (remember what was mentioned earlier in regards to learning about operating systems).



    If you're set on using Windows, check out d4rkcat's tutorial on Kulverstukas' Method for a Better CMD Experience, learn how to operate the omnipotent PowerShell, and take a gander at pentestbox - a phenomenal pentesting Swiss army knife available (currently only) for Windows. Pentestbox is loaded with a ton of useful tools, and doesn't require setting up a VM.



    Also, before moving on to the next topic, it's important for me to address my own bias towards Linux. The truth is that it really does not matter what OS or distro you choose to work with; the focus should always be on the tools themselves and the OS the tool in question works best on. These days most tools (or their alternatives) are available across multiple OSes, so in the end any workstation should be adequate once you've got the skill set.



    Set up some VMs.

    You can watch as many videos as you want, and read as many books as you like, but in the end that will only get you theory. The best way to learn (especially in terms of remembering how to do something) is by doing. The best way to do this? Virtual machines of course! "But zenith," you protest, "I don't know the first thing about setting up a VM, let alone setting up a vulnerable lab for myself!" Well, fear not, for once again I will provide you with some links. The great thing about using VMs is that there are a ton of ISOs out there that were created with vulnerabilities specifically for pentesting labs and that require no setup. A lot of them will even have a handy documentation/solution guide to the exploits if you're looking for help along the way. Also, if you're set on sticking to Windows as your primary OS, a VM will allow you to play around with some different operating systems, thus granting you that valuable experience and diversification.



    VMware - I use this, and it suits my needs fine. The basic version is free, and they have other paid-for versions as well.
    VirtualBox - Probably the de facto virtualization software out there. Free and available across Linux, OSX, and Windows.
    vulnhub - A collection of ISOs to install on a VM for you to break.



    Start using CLI.

    Make yourself do this. I know it's tempting to use a GUI when there's one available (i.e. for dragging and dropping that single file from one folder to another) but the more you use the CLI, the faster you'll become at it. Eventually, putting in the command: mv /path/to/file.file /path/to/move/file.file will be faster and more convenient for you, especially with auto-complete. You're going to be spending time in terminal for a lot of reasons, so you might as well get comfortable working there.



    Learn to love the CLI. Force yourself to use the terminal whenever possible. A lot of it will seem like a chore at first, but as you adjust it'll actually end up being faster for you than a GUI with practice. The other reason you want to get comfortable with it is because a lot of apps are going to work exclusively in command line, so you won't have a choice. Better to step out of your comfort zone early and learn from necessity! Also, once you start coding and want to make your own apps and tools, it will be far easier and quicker to develop something that will work solely in command line.



    Learn a coding language.

    In fact, learn as many as possible, and learn them as well as you can. This couldn't be more essential. Only start with one, of course, and get that down pat before moving on. As for which one, that's really up to you. Honestly, it really doesn't matter, as long as you're dedicated you'll be fine. You can check out Daemon's guide on Which Language to Start With if you're looking for some help there.



    It's important to be able to code because 1) you can write your own apps/tools/exploits, and 2) having an understanding of how something is built will also give you knowledge of how to break it.



    Once you've picked a language to start with, there are a plethora of free resources to learn it. Check out EZ's coding and ebooks sections, you'll find a lot. Aside from that, here are a few sites to get you started:



    codecademy [HTML/CSS, PHP, JavaScript, Ruby, Python] - A decent and popular starting point, albeit particular about your syntax and can be a bit buggy.
    codeschool [Ruby, JavaScript, HTML/CSS] - Also good, a little more polished than codecademy. Also courses revolving around iOS, Git, and some other interesting aspects.
    w3schools [HTML/CSS, JavaScript, SQL, PHP, jQuery] - Excellent for a more web-centric learning experience.
    tutsplus [PHP, JavaScript, Android SDK, iOS SDK] - As well as a slew of other coding-topics, also more than just coding.
    teamtreehouse [Python, Ruby, Swift iOS, HTML/CSS, PHP] - Plus other tutorials regarding WordPress and running a business.
    codefellows [Rails, iOS, Python, JavaScript] - A costly boot camp course, but apparently they guarantee you a job after... not having used it myself I can't speak for how good it is, but the option is there if you have the money but lack the motivation to learn on your own.
    koding - Again, not tutorials. It's a cloud-based development platform for you and your friends. Useful once you start your own projects.
    codeavengers [HTML/CSS, JavaScript, Python, Web Dev, Game Dev] - Pretty good and current material. Level 1 is free, levels 2 & 3 must be paid for.
    freecodecamp [HTML/CSS, JavaScript] - Resource provided by @sonNe.
    Harvard's Introduction to Computer Science [HTML/CSS, C, PHP, JavaScript, SQL] - This course was awesome, and completely free from EdX. Sign up.
    Udemy's Development courses - Lots of variety here. Good option if you're not opposed to spending a little bit of money.





    The main thing that I noticed with any coding site when I first started learning was (unless you're learning more web-based languages) the lack of an explanation for real-world application. There was no bridge between the ability to print 'hello world' on the screen or input integers for calculations via the console and the usefulness of being able to do that in the real world. For me, this understanding is every bit as crucial as any other aspect of learning code, and I feel like it took me a while to get a concept that I now believe is relatively simple in explanation:

    A program is a set of instructions. In addition, anything you do on a computer can, potentially, be done through the command line. The basis of that screen is that it takes instructions. You don't click things, but you give it input, and it gives you output. All these fancy applications that we use on a daily basis just automate that process; they can input complex commands way faster than you could on the keyboard. All of the programs we use that have a pretty GUI that we can click on are still doing those rudimentary command-line-esque things in the background whenever we click something, we just don't see it.



    Read. A lot.

    There are a ton of ebooks available in our ebooks section, as well as from other sources, such as torrents. If you're just starting out, there will be a lot of books that are beyond your current scope of comprehension, but do not be discouraged. If you're looking for a crash course in the basics (which is important), I'd recommend starting out with study guides for A+ certification, Network+ certification, etc. As dry as most of them are, they provide a great foundation for what is essential knowledge in our community, and are geared towards people just getting into the industry.



    Watch videos.

    More specifically, I would say to look up videos from university Computer Science lectures, as well as talks from Defcon, Blackhat, and other security conventions. There are a surprising number of university lectures available freely on YouTube, take advantage of them. Here's a short list to get you started:



    Defcon 22
    Defcon 23
    Blackhat USA 2015
    Derbycon 2015
    ShmooCon 2015
    Introduction to Computer Science and Programming - MIT 2011



    Search engines really are your friend.

    It's mentioned time and again on this forum, even in pinned posts, but as long as people keep doing it then it can't hurt to mention it again. Please do not ask a question that can be answered via a simple Google search. It makes you seem lazy and unwilling to learn, and that combination when applied to the pursuit of hacking will not do. I have yet to come across a specific problem (and by specific I mean what is usually a one-sentence question) that didn't yield positive and helpful results on Google. Beyond that, it’s beneficial to learn how to search for things effectively. That means not giving up after your first attempt didn’t get any results on the first page. Sometimes answers can require a bit of digging, but with patience and perseverance you can usually find what you’re looking for. Also, learning search operators can help immensely.



    That's not to say you shouldn't ask questions on here. By all means, as a community we are here to support each other, so ask questions if you have them. Just make sure to provide as much detail as possible. The more time you put into a question, the more time someone else will devote to an answer.



    Baby steps.

    You can’t just dive in and start hacking your way to glory and riches. One of the things I see a lot of newcomers doing is jumping into complex scenarios without having the experience to do what they’re attempting. Either they’re simplifying something that is more complex, complicating something that is relatively simple, or just plain doing something that's going to get them into trouble. You have to crawl before you walk. If there’s something specific that you want to learn how to do, add it to your list, and try to do it on your own box first.


    Secrets... shh!

    List making. It's actually one of my favorite things to do. Seriously, one of my first programming projects I made for myself was an app to make and organize lists. Make a list of things you need to or would like to learn, go learn about them, and cross them off as you complete your task. This is going to keep you on track and give you some clear goals to work on, not to mention feel great when you do get to cross something off or complete your whole list (in which case it's time for a new one). HTH once said it's good to keep your lists, so you can look back on them and see how much progress you've actually made. Pretty good call, I've since started doing that. You should try to keep your lists pretty short (it's generally recommended between 5 and 8 items), and concise. This will also keep you from becoming too overwhelmed with a never-ending amount of tasks.



    No doubt you'll want some down time from absorbing all of this knowledge that you've set out to acquire. What I'd recommend for your leisure time is you find a hobby or activity that you enjoy that will also keep your mind sharp, instead of completely vegging out for 10 hours playing League of Legends or watching Netflix (although, sometimes that sort of therapy is needed). Personally, I'm fond of twisty puzzles (Rubik's Cube, etc.), logic questions, riddles, and sudoku. Also, not that I do them, but crosswords would be great in this category. Here are some sites I use:



    logicpuzzles.org - A collection of logic puzzle grids you can solve online or print out.
    The Online Test Center - Because who doesn't love tests?
    twistypuzzles - All things twisty!
    Mefferts' puzzles - One of the best names in twisty puzzle design and quality (IMO).
    r/riddles - No dragon can resist the fascination of riddling talk...
    r/dailyprogrammer - Daily programming challenges of varying natures.



    End notes.

    If you follow this guide diligently, I guarantee you'll be a changed person in six months. Best of luck to anyone just beginning their journey into the wonderful world of hacking, and stay humble.
     