The Kill Chain

This is an article about defending from attacks, but we can use it as the “7 steps of hacking”. This shows the basic categories of where we can exploit vulnerabilities. So use this for ideas as to how you can break into a network but beware because it’s also how people defend against us.

EDIT: Don’t get ahead of yourselves, if this looks completely foreign to you, keep working at things that are simpler. Learn how to case your victim, learn all about them before you strike, learn what systems they used and find how you can exploit that.

Step 5: Practice, Practice, Practice

Ok, lets review, we know our basics. We know how to use a computer, we know how to write code, we know what unix systems like Linux are, and we know how to use Unix tools like those provided in Kali.

Wait, I still can’t get into my friends Facebook account, what are we really learning anyways? Well giant corporations like Google or Facebook are hard to hack, especially for people new to hacking like us. Not to mention it’s usually illegal to try to hack a company without permission.

So in the meantime, use the VMs we set up in step 3 to practice known vulnerabilities and learn basic hacking methods! Now, OWASP’s BWA isn’t something we fully understand; but the developers who wrote it also provided some awesome documentation! To become a hacker you need to explore how to gain information for yourselves. Here’s some links to get you started with OWASPs BWA.

Resources:
https://code.google.com/p/owaspbwa/wiki/UserGuide#Training_Applications
https://www.owasp.org/index.php/Category:Attack
https://www.owasp.org/index.php/Category:Vulnerability
https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series

Step 4: Get into the toy chest

KaliTools

If you’ve never played with BASH/terminal or you don’t know what Linux is. I suggest you read into that first before you get much further into hacking. Most of Kali’s toys are based off of the terminal, so in order to run them, you will be typing commands like “nmap -A http://your-ip-address”. This link is Offensive Security’s website where they have some awesome documentation about what’s available on Kali.

KaliTerminal

If you want a link to learn about terminal / Linux, try here. I borrowed this link from a web administration class, but the information is what matters!

Step 3: Set Up Your Hacking Environment

Everyone wants to break into their neighbors wifi or steal someones password at Starbucks, but depending on National, State, and local law, even packet sniffing could be illegal. So how do we safely practice how to hack before we are ready to find Sony’s back door? We set up a environment for virtual machines on our local computer or server!

For those of you who don’t know what a Virtual Machine is, it’s a “computer” inside your computer. Using programs like VMware or Oracle’s VM VirtualBox (which is free) you can have multiple systems running on your computer depending on your computer’s RAM and processing power. I suggest you download VirtualBox to get started: https://www.virtualbox.org/wiki/Downloads

VirtualBox view of environments

After you have that installed, you need to get the operating systems that’ll make up your VMs. I suggest using Kali for your “hacker” machine and OWASP’s BWA for your “victim” machine. OWASP is a open source community for watching web application security. You should check outhttp://www.owasp.org to learn more about them. Be sure to check out their top 10 vulnerabilities for websites. You can download the files for both VMs at the links below. Special note about the BWA VM: It’s made of VMware files, there’s no installing like you would with Kali. Be sure to use an existing harddrive and select one of the files from the .zip folder you downloaded.
https://www.kali.org/downloads/
http://www.slideshare.net/michael_coates/lab-setup-28126110

Follow these tutorials to get your systems online!
Installing Kali as a Virtual Macine

Installing OWASPs BWA as a Virtual Machine

If you’ve never used a linux operating system before, I suggest you learn fast! Check out how to use the bash commands (terminal) and learn some of the tools that Kali has to offer.

Kali environment

Now, your “victim” is specifically made to have vulnerabilities! Its up to you to find them, or if you want more of a step by step then I suggest you google how to get in or check out the BWA project files

 

OWASP BWA environment

 

Confession: While writing this blog I got OWASP BWA working on my Windows machine for the first time. I’m very excited to try it out!

Step 2: The Basics

Learn general IT well. Learn how OS, networks and code work. You can’t break it if you don’t understand it.
Lesley Carhart, Incident Response, Motorola Solutions

Step 2: Learn the basics

Google and the internet is your friend. If you can’t take a class, there is a multitude of online resources you can use. Whether you’re trying to learn programming and use Stackoverflow or you’re learning about basic hacking skills and want to use Hacking Highschool; you really do need to have some understanding of how things work before you try to hack them.

Step 1: Join the community

When people say “I want to be a Hacker” a lot of people don’t know where to start. Google is a good option but there’s a lot of dead ends, if you try to find “How to hack my friend’s Facebook account” you’re more likely to find a way to get a virus then to actually find a way to get into Facebook.

Step 1 to becoming a Hacker:

Find communities both online and local. Now, Hacker is the buzz word here, but most of the information security professionals have more “proper” names such as: Penetration tester, Incident Responder, or Forensic Analyst.

Find a title a little more specific that you want to become, and you’ll find a more reliable answer. For instance, if you want to break into companies code, then you should look at penetration testing. If you want to do the opposite of that, look at incident response. These will help you find the right group to help you learn.

There are forums, IRC chats, and tutorials online that are very beneficial to learning information security. Finding experienced people willing to help you along the way is also an amazing advantage. It all depends on how you want to learn. There’s a lot of different kinds of communities. Do not be afraid to find a few to find your favorite.

Joining local communities are the fastest and possibly the most fun way to get into hacking. There are hackerspaces, groups, and classes; where you can learn quite a lot. It’s the same group of people, and there is a massive amount of experience pooled between everyone, it’s harder to not learn anything then to learn something. But one of the most important opportunities are the conventions!

Why go to Conventions if you have a community?

There was a convention in Washington DC that covered three tracks: “Build it, Belay it, Bring it on”.  This convention was so popular that their tickets sold out in 5 minutes. Going to conventions is important because it’s a way to meet other people who really know their field. You are learning from the best when you go to conventions like Shmoocon or Defcon.

Why use Greenjam94?

Hello There I’m James, everyone calls me that and its probably the only name I respond to. However my name has one problem. Google it and you’ll find little about me.

That’s where my username came in. Greenjam94 is my alias for anything and everything on the internet from gaming to social media. I’ve used this username since the 8th grade when I first realized my Internet presence would stick with me throughout my life. Click the link and it’ll show you so many links, almost all of which are a part of my digital footprint.

If scrolling through a google search isn’t your thing and you’re still reading. Let me tell you why I started this blog. I spent two years at MSU as a computer science student. This is where my interest in hacking changed from wanting to do what you see in the movies to actual things like penetration testing and password cracking.

Blackhat Movie with Chris Hemsworth

blackhat-hemsworth-mann

Who’s excited for the next Chris Hemsworth movie coming out Friday January 16th?!? He’s trading in his hammer for a laptop in this up and coming action packed thriller.

Now, granted, anyone who calls themselves a hacker would cringe to call Hemsworth a “black hat hacker”. But there’s one thing I love about movies like this one. It opens your minds to the endless wonders of what hacking can do. (Please note: it’s never as easy as movie magic makes it look)

In fact, a movie like this is what first got me interested in finding a job with computers. Watching people drain billionaires bank accounts in seconds, or controlling the traffic signals to get away.

My favorite hacking movie would be Live Free or Die Hard. I liked the idea of a “fire sale” attack. Remotely controlling utilities, communication, and the stock market. While this isn’t really doable in the real world. It’s fun to think about what really is possible!

Kevin_Smith_002