How To Get Started Hacking
Why Teach Hacking
How Do I Learn to Hack
Ethics
Where to Start
Where to Get Equipment to Play With
Find Like-minded People to Exchange Ideas With
Dealing With Frustration
What Computer Should You Use
What Operating System Should My Computer Use
Which Virtual Machine Software Should You Use
Learn Advanced Search Engine Techniques
Learn Basic Systems Administration
Learn the Built-in Text Editors
Learn About Networking Devices
Learn How Networking Works
Learn About Information Security
Learn How to Find Systems, Services, and Vulnerabilities on Networked Systems
Learn About Web Application Security
Learn to Code
Learn to Use a Penetration Testing Linux Distribution
What Security Tools Should You Learn When First Starting Out
How to Practice Without Getting Into Legal Trouble
Additional Resources
When I talk with people outside hacking/information security circles about learning to hack, the most common question I get is, "Isn't teaching people how to hack dangerous? What if they use it to do bad things?" The question is rooted in a mashup of several overly simplistic and misapplied ideas, and syllogistic fallacies.
1: Hacking requires "specialized" skills.
2: Learning "specialized" skills is a "dark art" and is only pursued by someone intent on doing evil. This is obliquely saying that learning to hack is akin to black magic, and only evil people do black magic, so all hackers are evil.
3: Security through obscurity works.
4: Take all this and wrap it in a syllogistic fallacy. Driving a car is a specialized skill. A bank robber uses a car in a robbery. Bank robbers are criminals. You drive a car, so you are a criminal.
It is easy to see how shallow thinking, fear, and logical fallacies have led mass media to portray hacking as always being a crime. Is it possible to defend without knowing the methods used by your adversary? How would police officers catch criminals if they did not know how they think and what methods they use? How would our military protect us if they did not know the enemies' tactics and have the skills to repel them? The SANS Institute is one of the premier information security training and certification organizations. They are famous for saying "your offense should inform your defense." I am a hacker. My skills were acquired through a lifetime of training on my own, with the United States Navy, and as an information security professional. I use them daily to defend systems from both criminals and state actors, and I am actively training the next generation of hackers to do the same.
If you think all hackers are criminals, then see "Why Teach Hacking" before continuing. I am often asked, "How do I learn to hack?" I have learned that the term hacker can mean many things to many people and is a highly debated topic. The meaning of hacker has evolved/devolved over time depending on your point of view (whether you are a hacker or not). Many hackers today define themselves based on the roots of hacking, which you can read about in "A Brief History of Hackerdom" and the Hacker Wikipedia article. However, the word hacker has morphed and mass media uses it to mean a person who uses specialized technical skills to commit a crime. For more on this see "Why Teach Hacking." Hacking has evolved to address not just the use of skills but the process by which you acquire those skills. Therefore, the simplest definition of hacking is the process by which you discover the difference between what something was designed to do and what it is capable of doing. Many would argue that this definition is too broad and would include endeavors outside the scope of technology, computers, and networks. I have come to see that the same quest for knowledge and skill prosecuted by the old school hackers is the same process used by those mastering other fields of endeavor from astrophysics to knitting. Hacking is as much about the journey as it is the destination. I will be focusing on hacking as it applies to technology, computers, and networks. Our knowledge and skills are like a block of Swiss cheese, which appears solid but is full of holes. Hacking is not just about applying your knowledge and skills but also the process by which you fill in the holes. Figuring out the best place to start can be difficult because we often are not aware of what we do not know, so I am providing a framework to get started. It will then be up to you to follow the breadcrumbs, find the holes in your knowledge and skills, and fill them in. 
During this process, you will find more holes to fill in and during that, even more holes. It is a lifelong, never-ending pursuit.
The "hacker ethic", just like the term hacker, has morphed over time. Originally, hacking was driven by a thirst to understand how things work and was conducted on systems that the hackers had a right to access. Mix the ideals of hacking with a bit of anarchy and you end up with hackers that prize ideas and exploration over personal property rights. Mass media has camped on this idea and does not recognize that most of the hacking going on today is by people who do believe in property rights and are using their hacking skills to defend those who can't defend themselves. In the non-fiction book "The Cuckoo's Egg", Clifford Stoll encounters a new systems administrator who adheres to the anarchistic version of the hacker ethic. Clifford underwent a change in his thinking during the experiences chronicled in the book and knew the systems administrator's philosophy was wrong but could not articulate why. By the time Clifford reaches the end of the book, he provides an excellent rebuttal. Based on Clifford's rebuttal I have formed one of my own. Property ownership is a cornerstone of society and is built on a fabric of trust. In many cases that trust is an unspoken agreement and in others the trust is codified in law. More often than not, the trust is not enforced until after the fact. The dashed white line on the freeway reminds drivers of that trust, but it does not prevent another driver from making a left-hand turn in front of me at 80 miles per hour. Likewise, when I get a drink out of the vending machine I trust that it will not kill me. If it does, my family will be rich after the lawsuit, but I will still be dead. If we cannot trust one another in any circumstance then the fabric of trust unravels and people stop building the very systems we want to explore. You cannot have your cake and eat it too.
As hackers, we have a choice we can explore without regard to property rights and destroy the fabric of trust or we can repair and reinforce property rights and the fabric of trust. With great power comes great responsibility. You have to choose. I too had to make this choice. Through providence, I was led away from the "dark side" and have spent a lifetime defending others. My hope is that you will join me in this endeavor.
You will find that everyone's background and skills are a little different so there is no best place to start (see How Do I Learn to Hack). I recommend reading through this page to get the big picture and see which area interests you the most and just jump in. No matter what you start with it will eventually lead to all the other areas.
You do not have to break the law to get systems to play with. It is possible to get lots of equipment to play with at little to no cost. Tell everyone you know that you will take any old electronics they no longer want. You can also pick up systems alongside the curb on trash day. Sift through the equipment and keep the useful stuff, scavenge the rest for parts, and then recycle what is left. Power supplies are particularly useful when building Raspberry Pi and Arduino based systems. There is a charge of $10.00 to $15.00 each to recycle TVs and monitors with CRTs. I have found that people are a little more willing to call you if you tell them upfront that you will use the equipment for training, find it a new home (like a Hacker/Makerspace), or responsibly recycle anything you do not use. This relieves them of the burden of recycling, but you might have to pay to recycle the TVs and CRTs; thankfully, they are becoming less common. The treasure trove of free useful equipment I have gotten over the years has more than offset the small cost of recycling the occasional TV or CRT.
Atlanta Electronic Recycling Centers
CHaRM - Tue - Thu 09:00 - 16:00, Sat 08:00 - 16:00
Dekalb County Georgia Recycling Centers
Seminole Road Landfill M - F 08:00 - 17:00, Sat 08:00 - 16:00
In the DeKalb County Tax Commissioner's Office parking lot (M-F 08:00 - 16:00)

Companies replace workstations, laptops, servers, and networking equipment every three to five years. It is common to depreciate the cost of the equipment on their taxes. If they then sell or donate the equipment to a charity they can end up paying additional taxes because they received a value greater than the depreciated value. The taxes can be more than what it would cost to pay a recycler to take the equipment. This is an opportunity. It does not cost them anything to give you the equipment. Everyone you know works for a company. Talk to your friends and find the person in the company you need to talk to about getting their older equipment.
The best way to go through a minefield is to follow someone. I highly recommend finding local like-minded people with which to trade ideas. I am located in Atlanta Georgia so I will list examples from here. I will also provide some links to help find similar resources where you live. If there are not any, then start a group. Hacking is all about improvising, adapting, and overcoming (to borrow from the U.S. Marines). You also have the Internet, and online groups are a good way to get involved with others. Pick the groups you associate with carefully. Hanging out with the wrong crowd can get you arrested just by association. If you want to work in information security your reputation must be above reproach because they will give you access to their most sensitive information and systems. A single arrest can end a promising career. You will hear stories of criminals that were caught and later got jobs in information security. This is the exception. What you do not hear are the stories of permanently damaged lives, which are far more common.
Atlanta Hacker, Maker, and Security Groups
dc404 - Atlanta Chapter of DEF CON
atl2600 - Atlanta Chapter of 2600
Atlanta Ethical Hackers, Penetration Testers, & Information Security
Georgia Tech College of Computing Information Security Student Organization
Atlanta Information Security Resources
Atlanta Hacker/Maker Spaces
Other Hacker, Maker, and Security Groups
The skills and technology I am listing here are interconnected. As an example, how do you know what networking option to select in VirtualBox if you do not know how networking works? How do you experiment and learn how networking works without being able to simulate it with VirtualBox? You are going to get stuck and frustrated. Will you quit in frustration or use it as fuel to drive you to improvise, adapt, and overcome? I have chased solutions that took me years to solve. My secret? I did not quit in frustration. If there is one thing that makes or breaks a hacker, it is what they do when they get frustrated. This is when it helps to have other people to talk to (see Find Like-minded People to Exchange Ideas With).
The first thing you will need is a computer that can run Windows or Linux. OS X can run on commodity hardware, but generally you will need Apple hardware, which is expensive and not readily available from free sources. I will not be covering iOS or Android hacking, although all the principles I am covering here apply to them as well. You are going to be running virtual machines, so your computer will need enough resources to run the host operating system and two or more guests at the same time. I recommend 4GB of memory and 256GB of disk space at a minimum. The more processor cores the better. It is not necessary to have a multi-core computer, but it will be far more responsive if it is. You can use a 32bit processor, but note that you will not be able to host 64bit virtual guests. If you have a 64bit processor you can run both 32bit and 64bit guests. In addition, some 32bit processors will not be able to provide the proper virtual machine hardware extensions. All is not lost if you cannot afford a computer (see "Where to Get Equipment to Play With"). It does not matter where you start learning, there is no best place to start, so if all else fails you can get a Raspberry Pi Zero for $5 or for $10 you can get a Raspberry Pi Zero/W that has built-in WiFi. Talk to other hackers; they often have equipment lying around they are not using any more and will gladly give it to you knowing it will go to a good home and that it will be one more thing not cluttering up their home lab (see "Find Like-minded People to Exchange Ideas With").
If you are running Windows as the virtual machine host operating system, you are going to need hardware that will run a currently supported version of Windows. You will also have to factor in the cost of a license. You can use a demo license, but you will be rebuilding your host every 90 to 180 days because the license will expire. This is fine for a virtual machine guest, but it is a real pain to have to rebuild your host every few months. You can avoid the Windows licensing issue by running Linux as the host operating system. I recommend using a long-term support version. If you do not know which Linux distribution to pick, use Ubuntu. I use Debian, which is what Ubuntu is based on. Once you get to know Linux, you can branch out and try other Linux distributions. Windows is more resource intensive than Linux. This applies to the virtual machine host as well as guests. Despite this, I recommend you learn to use both operating systems as they constitute the majority of systems in use.
There are three primary virtual machine software vendors in the market: VMware, Oracle VirtualBox, and Microsoft Hyper-V. VMware and VirtualBox support more guest operating system types and will run on a Windows or Linux host. Hyper-V only runs on a Windows host, so I will not be covering it. VMware is the most full-featured; however, it is expensive. VMware comes in three versions: ESXi, Workstation, and Player. ESXi is meant to run on bare metal. Workstation requires a host operating system, and Player is used to run virtual machine appliances built using VMware Workstation. VMware Player is free, but if you want to build your own virtual machine guests you are going to need VMware Workstation. Oracle VirtualBox is free, but it is not as full-featured as VMware. I have used VMware for many years but moved to VirtualBox exclusively in the last few years and have found that it is well up to the task. VirtualBox is under active development, so they are regularly adding new features.
VMware and VirtualBox Documentation
Knowing how to use a search engine is a hacker superpower. The Internet is a treasure trove of information if you know how to dig for it. Search engines such as Google have advanced search directives that can make it much easier to find what you are looking for.
Google Hacking (Dorking) References
The better your systems administration skills, the better you will be at hacking. You will need to be able to install operating systems and configure basic services. There are plenty of free online resources for learning systems administration. You will also find these skills are essential for reusing the free hardware you have been getting (see "Where to Get Equipment to Play With"). You will need to learn how to modify the system configuration using the Windows Registry and Linux config files, and how to use init services. Learn to embrace the command line (CLI). Some of the most powerful tools for systems administration and hacking do not have a GUI interface. Often your foothold on a system will only be through a CLI. When you exercise a vulnerability and find yourself with a shell that is not a fully interactive tty, your skill with the command line will let you easily overcome the problem. See "Learn to Code" for Linux and Windows command line tutorials.
Systems Administration Training Resources
Unix filesystem
The PC Guide
Professor Messer's CompTIA 220-901 and 220-902 A+ Training Course
Linux and Windows Training
Cybrary Systems Administration Training
Introduction to Linux
The Linux Documentation Project
Linux Knowledge Base and Tutorial
Debian Linux Documentation
Red Hat Enterprise Linux 7 System Administrator's Guide
Linux How-To
Build Your Own Linux
Debian Administrator's Handbook
Ubuntu Pocket Guide and Reference
Ubuntu Documentation
Oracle System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
The Linux Command Line training and book
Boot and run Linux from a USB flash memory stick
A Sysadmin's Universal Translator (ROSETTA STONE)
Create a Free UNIX Shell Account
Free Microsoft eBook Giveaway
Professor Messer's Free Microsoft 70-680 Certification Training
Learn How to Install, Configure, and Harden the LAMP/WAMP Stack
LAMP (software bundle)
How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 14.04
MySQL Documentation
Apache Documentation
PHP Documentation
The default text editor on all modern versions of Windows is Notepad so learn how to use it. Virtually all Linux distributions come with vi installed by default. On some systems, vi is an alias to vim. All the vi commands also work in vim. If you learn how to use vi, you will be able to use vim as well.
Editor Training Resources
Vi Lovers Home Page - links to all things vi and vim
vimtutor - vim tutorial native to most Linux distributions
Interactive online Vim tutorial
The Beginner's Guide To Notepad
Originally, networking hardware had a single function, such as a router, gateway, hub, switch, or firewall. The reason was that the equipment was expensive. Costs have come down significantly and miniaturization has allowed manufacturers to build multi-function devices. Today you can commonly find sub-$100 devices that are a WiFi access point, gateway, router, switch, firewall, web server, file server, and print server all in one. You need to learn what each of these devices does and, more importantly, what they do when connected together to form a network.
Networking is not just the hardware. It also entails the protocols that carry the information across the network. The OSI model is a standard way of organizing the functions of a network stack. None of the common network stacks in use today strictly adhere to the OSI Model but the OSI Model is commonly referenced when discussing the functions within a protocol stack and when comparing functions between different protocol stack implementations. Whenever you are reading networking documentation and you see a reference to a "layer" they are referring to the functional layers of the OSI Model. There are numerous types of computer networks utilizing a blizzard of networking protocols, suites, and communications protocols. As you learn about networking it can be confusing and overwhelming. Remember the first rule of hacking, the successful hackers are the ones that don't quit.
The Internet Is an Amazing Source of Free Training Material
Networking Fundamentals Training - Microsoft Virtual Academy
Professor Messer's CompTIA N10-006 Network+ Training Course
Networking Training
Hurricane Electric has one of the better free IPv6 training programs
Service Name and Transport Protocol Port Number Registry
List of TCP and UDP port numbers
Well known SCTP, TCP and UDP ports
Wireless LAN Security and Penetration Testing Megaprimer
IP Calculator
At Some Point You May Consider Building a Networking Lab
Information security, at its heart, is simple and embodies the concept of Confidentiality, Integrity, and Availability (CIA) of information at rest and in motion.
Confidentiality - only those authorized can access the information.
Integrity - the information is only modified by an authorized person.
Availability - the data is available to an authorized person when needed.
What makes information security challenging are the technologies and people used to collect, store, and manage the information. Hardware and software can be patched, but people cannot. More often than not, the biggest challenge in security is how people implement operational security (OPSEC). Hacker OPSEC, maintained by The Grugq, has an extensive collection of articles related to OPSEC successes and epic failures. We also live in a veritable blizzard of new technologies, software, and services, drifting high on top of older technologies whose design often never considered security. This is not to say that new technologies take security into account; most devices referred to as the Internet of Things (IoT) are extremely insecure by design. It is vital to learn how to hack in order to understand the interplay between the hardware, software, and people, because without this understanding you will not be able to provide defense in depth.
Information Security Training Resources
Kali Linux Revealed Book
Metasploit Unleashed - Free Ethical Hacking Course
SANS Cyber Aces Online
Free and Open Source Cyber Security Training
Texas A&M Engineering Extension Service (TEEX) Cybersecurity Training
Learning Computer Security and Ethical Hacking
OpenSecurityTraining
Microsoft Fundamental Computer Investigation Guide for Windows
Professor Messer's CompTIA SY0-401 Security+ Training Course
Security Training
Learn To Hack, Learn To Protect Yourself
SecurityTube - Security training and hacker conference videos
SecurityTube - Mega Primers
Irongeek - all things information security
In a CTF (capture the flag) (see "How to Practice Without Getting Into Legal Trouble") you will need to find what services are running on the target and whether they have any known vulnerabilities. Nmap is the go-to tool for scanning systems on a network. Once you have discovered the systems, you will need to find what services are running and what vulnerabilities they have. Service and vulnerability discovery is also a critical skill that defenders need to master.
Vulnerability Scanners and Databases
Mitre maintains the CVE (Common Vulnerabilities and Exposures) database.
CVE Details is a site that makes it easy to search for CVEs based on multiple criteria.
SHODAN is a search engine for Internet-connected devices.
OpenVAS is an open source fork of the Nessus vulnerability scanner.
Nessus is a proprietary vulnerability scanner. Nessus Home is free and allows you to scan up to 16 IP addresses on your personal home network.
vulscan - Vulnerability Scanning with nmap, the open source cross-platform utility for network discovery and security auditing.
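The discovery step described above, turned toward defense, as an added example that is not part of the original page: it parses nmap's grepable (-oG) output, constructed here for made-up lab hosts on RFC 5737 documentation addresses, into a service inventory and diffs it against a known-good baseline so that unexpected listeners and unknown hosts on the segment stand out. The baseline and hostnames are assumptions for the example.

```python
"""Inventory nmap -oG output and diff it against a baseline of expected services."""
from dataclasses import dataclass

# Constructed sample of nmap grepable output (-oG). Addresses are RFC 5737
# documentation ranges and the service versions are made up for the example.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG lab.gnmap 192.0.2.0/28
Host: 192.0.2.10 (lab-web)\tStatus: Up
Host: 192.0.2.10 (lab-web)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 80/open/tcp//http//nginx 1.22/, 443/open/tcp//ssl|http//nginx 1.22/\tIgnored State: closed (997)
Host: 192.0.2.11 (lab-db)\tStatus: Up
Host: 192.0.2.11 (lab-db)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 3306/open/tcp//mysql//MySQL 8.0.33/, 6379/filtered/tcp//redis///\tIgnored State: closed (997)
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.12 ()\tPorts: 23/open/tcp//telnet//BusyBox telnetd/\tIgnored State: closed (999)
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

# Assumed baseline: the (protocol, port) pairs each lab host is supposed to expose.
# 5432 on lab-db is listed on purpose so the "missing" case is exercised.
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.0.2.11": {("tcp", 22), ("tcp", 3306), ("tcp", 5432)},
}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_gnmap(text):
    """Return one Service per port entry found on the 'Ports:' lines."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        fields = line.split("\t")  # -oG separates Host/Ports/Status fields with tabs
        host = fields[0].split()[1]  # "Host: 192.0.2.10 (lab-web)" -> the address
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # "Status: Up" and "Ignored State: ..." carry no ports
            for entry in field[len("Ports:"):].split(","):
                # port/state/proto/owner/service/rpcinfo/version/ ; maxsplit keeps
                # any extra '/' that appears inside the version text.
                parts = entry.strip().rstrip("/").split("/", 6)
                parts += [""] * (7 - len(parts))  # pad entries with empty trailing fields
                port, state, proto, _owner, name, _rpc, version = parts
                services.append(Service(host, int(port), proto, state, name, version))
    return services


def open_services(services):
    """Keep only ports nmap reported as open (filtered/closed are not listeners)."""
    return [s for s in services if s.state == "open"]


def find_deviations(services, baseline):
    """Return (unexpected, missing): open services the baseline does not list, and
    baseline entries the scan did not find open. A host absent from the baseline
    has every open port reported, since it is an unknown device on the segment."""
    seen = {}
    for s in open_services(services):
        seen.setdefault(s.host, set()).add((s.proto, s.port))
    unexpected = [s for s in open_services(services)
                  if (s.proto, s.port) not in baseline.get(s.host, set())]
    missing = []
    for host, expected in baseline.items():
        for proto, port in sorted(expected - seen.get(host, set())):
            missing.append((host, proto, port))
    return unexpected, missing


def main():
    services = parse_gnmap(SAMPLE_GNMAP)
    unexpected, missing = find_deviations(services, BASELINE)
    for s in unexpected:
        print(f"UNEXPECTED {s.host}:{s.port}/{s.proto} {s.name} {s.version}".rstrip())
    for host, proto, port in missing:
        print(f"MISSING    {host}:{port}/{proto} expected by baseline but not open")


if __name__ == "__main__":
    main()
```

Run it against your own scan by reading the .gnmap file into parse_gnmap instead of SAMPLE_GNMAP; the filtered Redis port is deliberately ignored because it is not a reachable listener.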
Network services are not the only vulnerable processes you will find on a server. A fully patched and hardened system can be compromised through the web applications running on it. Web applications can be vulnerable due to bugs in the technologies used to create them or through errors in their configuration, but the most common vulnerabilities are the result of insecure coding practices on the part of the web application developer. The Open Web Application Security Project (OWASP) first published its "Top Ten" most critical web application security risks in 2003. Each category in the top ten represents a class of vulnerabilities that may contain more than one example. The best place to start learning how web application vulnerabilities work and how to prevent them is OWASP WebGoat, a self-contained web application security training environment with lessons, labs, and walk-throughs. WebGoat is written in Java, so you will need to install Java first. When you run WebGoat, the machine you are running it on will be vulnerable. The best way to do this is to run WebGoat in a virtual machine with NAT networking. This will protect the virtual machine while allowing you to connect to the Internet through the host computer. If you run WebGoat on your own computer, I recommend placing your system behind a dedicated firewall so you do not get compromised. You will need a web application attack proxy to complete some of the WebGoat lessons. Burp Suite has the most features and has free and professional editions. OWASP Zed Attack Proxy (ZAP) is open source.
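What "insecure coding practices" means in practice, using injection, one of the OWASP Top Ten classes, as an added example that is not from the page or from WebGoat: the same lookup written by concatenating the user's input into the SQL text and, beside it, the parameterized form, run against a constructed in-memory SQLite table of made-up users.

```python
"""Injection: the concatenated query beside its parameterized replacement."""
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_user_vulnerable(conn, name):
    """The insecure practice: the input is spliced into the statement text, so
    anything it contains is parsed as SQL rather than compared as a value."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, name):
    """The fix: a placeholder and a separate parameter tuple. The driver passes
    the value to the engine as data, so it can only ever match a name."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def query_breaks(conn, name):
    """True when the concatenated query does not even parse for this input.
    A legitimate name containing a quote is enough, which is how many injection
    bugs first surface as SQL syntax errors in the application log."""
    try:
        lookup_user_vulnerable(conn, name)
        return False
    except sqlite3.Error:
        return True


def compare(conn, name):
    """Run both variants on the same input and return how many rows each yields
    (None when the vulnerable variant raises), so the difference is visible."""
    vulnerable = None if query_breaks(conn, name) else len(lookup_user_vulnerable(conn, name))
    return vulnerable, len(lookup_user_safe(conn, name))


if __name__ == "__main__":
    db = make_db()
    for candidate in ("bob", "o'brien", "x' OR '1'='1"):
        print(f"{candidate!r}: vulnerable={compare(db, candidate)[0]} safe={compare(db, candidate)[1]}")
```

The ordinary name behaves identically in both versions; the name with an apostrophe turns the concatenated query into a syntax error, and the crafted value makes it return every row, while the parameterized query returns nothing for either because no user has that literal name.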
You do not need to code to get started, but as you master the command line (CLI) (see "Learn Basic Systems Administration") you will eventually need to automate a process or modify someone else's code to get it to do what you want. The most common coding is shell scripting: bash or sh on Linux, and batch and PowerShell on Windows. Many of the security tools you will be learning to use are written in Perl or Python.
Linux Shell References and Tutorials
Advanced Bash-Scripting Guide
GNU Bash Reference Manual
Linux Shell Scripting Tutorial - A Beginner's Handbook
Bash Guide for Beginners
Bash Reference Manual
The Comprehensive List of bash Reference Documentation and Examples
Shell Scripting Tutorial
Windows Batch References and Tutorials
Windows Script Resources for IT professionals
Microsoft Script Center
Windows Batch Scripting
Windows NT Shell Scripting by Timothy Hill - best book I know of on Windows batch scripting
Windows PowerShell References and Tutorials
Learn Windows PowerShell in a Month of Lunches - video series
Gateway to All Things PowerShell
PowerShell.org YouTube Videos
PowerShell - Microsoft Virtual Academy
The Big Book of PowerShell Gotchas
Perl References and Tutorials
Perl Programming
Perl Books - multiple titles:
Beginning Perl
Modern Perl
Impatient Perl
Extreme Perl
Embedding Perl in HTML with Mason
Picking Up Perl
Perl 5 Internals
Practical Mod Perl
Perl & LWP
Python References and Tutorials
Free Programming E-Books - multiple languages
A penetration test (pen test) is a simulated attack on a system to determine its weaknesses. There are Linux distributions specifically made for pen testing that come with an assortment of the most common free and open source tools pre-installed. Pick a penetration testing distribution and install it in a virtual machine. Use it to test the security of your home network. You can also install a boot2root image in a virtual machine to train with (see "How to Practice Without Getting Into Legal Trouble"). If you do not know which pen testing distribution to use, I suggest Kali Linux. Once you get the hang of it you can branch out and try some of the other pen test distributions.
Popular Linux Penetration Testing Distributions
There are numerous security tools and it can be hard to know which ones to learn first. Most of the tools I list here are commonly included in penetration testing (pen test) Linux distributions (see "Learn to Use a Penetration Testing Linux Distribution"). These tools are not listed in any particular order, and you will often need to combine tools to get a complete picture of a system, network, or application. For training resources on some of these tools see "Learn About Information Security".
nmap is an open source cross-platform utility for network discovery and security auditing.
netstat is a cross-platform command-line network utility that displays network connections.
Metasploit Framework is an open source cross-platform tool for executing exploit code against a remote target machine.
Nessus is a proprietary vulnerability scanner. Nessus Home is free and allows you to scan up to 16 IP addresses on your personal home network (see "Learn How to Find Systems, Services, and Vulnerabilities on Networked Systems").
OpenVAS is an open source fork of the Nessus vulnerability scanner (see "Learn How to Find Systems, Services, and Vulnerabilities on Networked Systems").
Burp Suite is a proprietary web application security testing tool. The free version comes built into Kali Linux (see "Learn About Web Application Security" and "Learn to Use a Penetration Testing Linux Distribution").
OWASP Zed Attack Proxy is an open source web application security testing tool and comes built into Kali Linux (see "Learn About Web Application Security" and "Learn to Use a Penetration Testing Linux Distribution").
It is possible to practice your newfound hacking skills without the risk of being arrested (see "Ethics"). Boot2Root is the name given to virtual machine images designed for penetration testing and capture the flag (CTF) training. I recommend starting out with Boot2Root images that have walk-throughs. Try to complete the challenges on your own. If you get stuck you can look at the walk-throughs for help. It is also helpful to read multiple walk-throughs for the same Boot2Root, as pentesters don't always use the same tools and methods (see "Learn to Use a Penetration Testing Linux Distribution"). A good Boot2Root to start with is Metasploitable 2, which is designed to train pentesters in the use of Metasploit Framework. You can also try your hand at Metasploitable 3. Brimstone has created a VirtualBox OVA file that makes building Metasploitable 3 much simpler. You just download and import the OVA, start the virtual machine, and sit back and relax as it builds your Metasploitable 3 virtual machine. Once you have Metasploitable 2 and 3 under your belt you can visit VulnHub, a repository of free Boot2Root images you can practice on. As your skills improve you can also try your hand at competitive CTFs such as NetKotH (Network King of the Hill), which are run at the monthly DC404 and atl2600 meetings. You can also get free CTF training from the Atlanta Ethical Hackers, Penetration Testers, & Information Security Meetup group. DC404 has a CTF team you can join (all experience levels are welcome), and also check CTF TIME for a calendar of CTFs.
So You Want to be a Hacker? By Christopher Grayson, Founder, CEO at Web Sight.IO
So you want to be a Hacker? By Peleus
How to start in Infosec - Curated List by Rob Fuller
Open Source Society University - Path to a self-taught education in Computer Science
MIT Open Courseware - Electrical Engineering and Computer Science
Multi-Discipline Training Sites
Free and Open Source Training
Free Networking, System Administration, and Security Tutorials
Microsoft Virtual Academy
If you have any questions or comments, please email me at .