adrian@home:~$

How To Become An Ethical Hacker

Happy new year to everyone! Because of my New Year’s resolutions, I am now blogging about the nerdy things I did in the last few months. Honestly, I hope that I will invest more time this year in evolving my hacking skills :-).

Last year I asked myself the question ‘How to become an ethical hacker?’. Obviously it’s a very simple question, but for me it took a while to get a starting point in the business. After starting to read a few books (not finished yet), visiting the BruCon security conference twice and connecting with some security guys I was able to find my way. To be clear on this, I am talking about hacking with explicit permission! So here it is.

My Way Of Dealing With The Question ‘How To Become An Ethical Hacker?’

The first thing I wanted to understand is what types of problems a hacker has to solve, in other words, what a hacker needs to know to attack a system. There are a lot of different types of attacks, like web level attacks, application level attacks, network level attacks, password cracking, etc. The best thing to do for me was to find a website that offers challenges to practice these kinds of attacks. You can kill two birds with one stone by investigating existing challenges: you get to know the needed skill set and you are able to practice your skills by solving the challenges without coming into conflict with the law ;-)

My favorite website for practising my skills is Root-Me. At the time of writing they have published 323 kinds of challenges on their site. If you are already a software developer, you may be able to solve some of the challenges already, but not all. I promise.

But what about the missing knowledge to pull off the attacks and do the actual hacking? There is no easy answer. You have to read a lot, you have to understand the system to attack, you have to understand attack types and you need to memorize them. You will probably have to put a lot of effort into it. But coming back to the question, my way of dealing with it was to register at another security platform, HackerOne. I did this for two reasons. First, you get a free PDF where the author goes through different attack types and explains them by referencing existing disclosed bugs from their bug bounty program. You really learn a lot by reading and understanding the referenced reports, each containing a proof of concept of how to exploit the discovered bugs! Secondly, if I have enough skill, I want to earn some extra money by participating in the bug bounty program.

Next, when it comes to building up some knowledge, books can also be helpful in the era of digitalization ;-) I can recommend two books serving as a starting point. For me, CEH - Certified Ethical Hacker is a book to get started with if you want to have an overview of almost everything related to tools, techniques and exploits. The author states several times that the book is for passing the CEH exam and sometimes is a little far away from the real world, if you want to pull off an attack. But nevertheless, the book gives you good insights, although it does not go too much into the details of the attacks. Mostly you will read: You can use this or that tool to attack the system. Hacking: The Art Of Exploitation goes much more into detail, and it helps if you already know about C, because you will see a lot of C code in this book. The author gives nice introductions to memory segmentation, command-line debugging and assembler code and then dives deep into exploitation techniques.

The last thing I have identified to be very important when evolving your hacking skills is to stay up to date with vulnerabilities in existing software. I was using the SecurityTracker alert to get a weekly vulnerability report, but unfortunately they discontinued the delivery of the free alerts. So I need an alternative soon.

Key Takeaways

  • Figure out what a hacker needs to know to attack a system
  • Find a website that offers challenges for hackers
  • Read and understand vulnerability reports (bug bounty, SecurityTracker, etc.)
  • Sometimes reading a book also helps to understand the context, get to know what tools exist or get better introductions to exploitation techniques

I hope this post helps you figure out where and how to start with evolving your hacking skills. I am curious how much I will improve my skills in 2019, as I know that I am at the very, very beginning.