Current Events > I've spent the last 3 months learning how to hack. Ask me anything

(+) Yeah! (+)

Spent the last 3 months full time studying and learning how to hack, along with cyber security fundamentals.

Just dont ask me to hack someone for you. Thats illegal.

What kind of hacking

itachi15243 posted...

What kind of hacking

Computers, networks, systems, websites, servers. Any and all electronic devices can be hacked, really.

Found the real GTA VI hacker

MFBKBass5 posted...

Computers, networks, systems, websites, servers. Any and all electronic devices can be hacked, really.

Yeah, I understand that.

Are you saying you learned everything about all of that and all hacking in three months or what

How can I learn to be a computer hacker like you, TC? Serious question.

that sounds like you did a lot in 3 months.

[LFAQs-redacted-quote]

-200?

MFBKBass5 posted...

Just dont ask me to hack someone for you. Thats illegal.

Can you hack into Air Bud's bank account and send me some cash?

I hear stunt animals make fucking cash and dogs aren't legally considered "someone"

Kim_Seong-a posted...

Can you hack into Air Bud's bank account and send me some cash?

I hear stunt animals make fucking cash and dogs aren't legally considered "someone"

true

Are you trying to join anonymous?

https://www.youtube.com/watch?v=96cx97GTONI

Will you try to work for a company's InfoSec dept or a cyber security company selling pen testing services to customers?

Also is Kali Linux still the go to OS for a set of hacking tools?

What materials/source did you use to learn?

BlazinBlue88 posted...

Will you try to work for a company's InfoSec dept or a cyber security company selling pen testing services to customers?

Also is Kali Linux still the go to OS for a set of hacking tools?

SOC team, yeah. Eventually wanna do pen testing for sure, but from what I understand it takes some time as a security analyst first before that kinda role. Pays damn well too. Pen testers get paid like $120k/year starting from job postings Ive seen. I plan on taking the CompTIA Pen Test+ and the Certified Ethical Hacker exam within the next year or so. Already knocked out the Security+ exam and am taking the CySA+ next week.

And ya, Kali Linux mainly. Arch Linux has a lot of neat tools too, but I like Kali more.

itachi15243 posted...

Yeah, I understand that.

Are you saying you learned everything about all of that and all hacking in three months or what

I understand the methods. Yes. There are lots of common ways that the vast majority of hackers use to get into systems. Mr. Robot as a tv show actually showcases a lot of whats possible, realistically.

There are a lot of hacking tools out there nowadays that can kind of automate explorations, but most require some pretty complex knowledge of Linux and terminal commands.

Trumpo posted...

What materials/source did you use to learn?

Went through a university bootcamp, mainly. Studied for the Security+ and passed last week. YouTube actually has a ton of great resources, along with websites like Hack The Box and Try Hack Me worked great for learning the different methods and types of attacks. Theyre really fun, too. Almost gamifies learning in a way.

What/who's your inspiration?

[LFAQs-redacted-quote]


i dont ever shit post, you must have me mixed up with another user mah dude

BuckVanHammer posted...

What/who's your inspiration?

a new career thats fun and makes a shit ton of money

Unknown480 posted...

How can I learn to be a computer hacker like you, TC? Serious question.

internet has lots of ways to learn.

being serious. Tons of free resources out there on how to legitimately hack into basically everything. Some harder things require fairly intricate understanding of Python/programming/command line stuff tho

MFBKBass5 posted...

SOC team, yeah. Eventually wanna do pen testing for sure, but from what I understand it takes some time as a security analyst first before that kinda role. Pays damn well too. Pen testers get paid like $120k/year starting from job postings Ive seen. I plan on taking the CompTIA Pen Test+ and the Certified Ethical Hacker exam within the next year or so. Already knocked out the Security+ exam and am taking the CySA+ next week.

And ya, Kali Linux mainly. Arch Linux has a lot of neat tools too, but I like Kali more.

A warning: CompTIA certs are really basic certs that aren't well respected in many circles of IT. Most of the time there are better certs to get in a particular field that'll get you more work than the CompTIA ones will. For instance, if you were to go into networking, Networking+ is a waste of time when you could get Cisco's CCENT or CCNA instead. The only time CompTIA certs are truly worth it imo is when they are required which would be gov't work. For whatever reason, the gov't still required Security+ for most IT jobs. Make sure you aren't wasting your time and money on multiple certs when one cert will get you the job.

Arch Linux doesn't have any built in hacker tools. By design it's a general OS to give you the most basic operating system. From there, the user installs whatever they need. You must have been using some modified Arch ISO. Kali on the other hand is designed for forensics and pen testing so it comes with all of those tools by default.

Which brings me to some advice. During your career, I'd recommend you familiarize yourself with different aspects of IT. It's harder to make reasonable security recommendations to sysadmins/dev/engineers if you don't have a good grasp of how things work. I've met many IT security people that only know how to run their tools and tell me I need to fix my stuff based on the results of their tools. You don't want to tell someone to close port 443 on a webserver just because your tool said "Port 443 is open. This potentially exposes the server to the public internet" You'll end up looking like a jackass.

Have you hacked gamefaqs?

BlazinBlue88 posted...

A warning: CompTIA certs are really basic certs that aren't well respected in many circles of IT. Most of the time there are better certs to get in a particular field that'll get you more work than the CompTIA ones will. For instance, if you were to go into networking, Networking+ is a waste of time when you could get Cisco's CCENT or CCNA instead. The only time CompTIA certs are truly worth it imo is when they are required which would be gov't work. For whatever reason, the gov't still required Security+ for most IT jobs. Make sure you aren't wasting your time and money on multiple certs when one cert will get you the job.

Arch Linux doesn't have any built in hacker tools. By design it's a general OS to give you the most basic operating system. From there, the user installs whatever they need. You must have been using some modified Arch ISO. Kali on the other hand is designed for forensics and pen testing so it comes with all of those tools by default.

Which brings me to some advice. During your career, I'd recommend you familiarize yourself with different aspects of IT. It's harder to make reasonable security recommendations to sysadmins/dev/engineers if you don't have a good grasp of how things work. I've met many IT security people that only know how to run their tools and tell me I need to fix my stuff based on the results of their tools. You don't want to tell someone to close port 443 on a webserver just because your tool said "Port 443 is open. This potentially exposes the server to the public internet" You'll end up looking like a jackass.

Ya getting Security+ and CySA+ are just my starting points to land a job in the first place. Studying for them really has given me a great baseline of knowledge to start with though. I plan on getting more specific certs through other organizations too. Specifically some of the Cisco stuff.

But yes, whats blown me away the most with learning about cyber security so far has been you kinda need to have intermediate/advanced knowledge in pretty much every aspect of technology in general. Which I actually think is super cool.

I really enjoy Python so far, and have realized Im pretty good at writing code/understanding the logic and flow of it all. I could see myself in a DevSecOps role years from now, once I get some experience as a basic analyst while I continue to practice coding.

Do you work in the industry?

MFBKBass5 posted...

Ya getting Security+ and CySA+ are just my starting points to land a job in the first place. Studying for them really has given me a great baseline of knowledge to start with though. I plan on getting more specific certs through other organizations too. Specifically some of the Cisco stuff.

But yes, whats blown me away the most with learning about cyber security so far has been you kinda need to have intermediate/advanced knowledge in pretty much every aspect of technology in general. Which I actually think is super cool.

I really enjoy Python so far, and have realized Im pretty good at writing code/understanding the logic and flow of it all. I could see myself in a DevSecOps role years from now, once I get some experience as a basic analyst while I continue to practice coding.

Do you work in the industry?

OK cool it seems like you are already aware of the knowledge you'll need in other areas of IT. Also knowing that information is a huge benefit in case you decide you don't care for security. It'll be much easier to move over to other specialties.

Yeah I've been in IT for 12 years now. Currently an infrastructure engineer so my job focuses on managing storage and cpu resources against our datacenter and AWS costs, backup/disaster recovery solutions, and making sure the infrastructure is properly built out so our devs can get their money making projects completed.

BlazinBlue88 posted...

OK cool it seems like you are already aware of the knowledge you'll need in other areas of IT. Also knowing that information is a huge benefit in case you decide you don't care for security. It'll be much easier to move over to other specialties.

Yeah I've been in IT for 12 years now. Currently an infrastructure engineer so my job focuses on managing storage and cpu resources against our datacenter and AWS costs, backup/disaster recovery solutions, and making sure the infrastructure is properly built out so our devs can get their money making projects completed.

Ah, yeah nice! Im definitely mainly interested in security. Being like a network engineer or administrator doesnt sound as fun to me. Plus I really like the team aspect of a SOC. A fair amount of thrills and stress from that type of job would be fun.

MFBKBass5 posted...

Ah, yeah nice! Im definitely mainly interested in security. Being like a network engineer or administrator doesnt sound as fun to me. Plus I really like the team aspect of a SOC. A fair amount of thrills and stress from that type of job would be fun.

I enjoy the downtime that comes from dealing with infrastructure. You do get the occasional hectic periods where you're leading major projects with a deadline or something big broke. As long as your built your infrastructure well with a lot of redundancy, the break/fix stuff is few and far between. The downtime gives you the breathing room to PoC new things, study new concepts, or just slack off if you're not feeling great that day. Lol

MFBKBass5 posted...

Just dont ask me to hack someone for you. Thats illegal.

I bet youre a blast at parties

BlazinBlue88 posted...

I enjoy the downtime that comes from dealing with infrastructure. You do get the occasional hectic periods where you're leading major projects with a deadline or something big broke. As long as your built your infrastructure well with a lot of redundancy, the break/fix stuff is few and far between. The downtime gives you the breathing room to PoC new things, study new concepts, or just slack off if you're not feeling great that day. Lol

Haha yeah that makes sense. I guess a good SOC team would have a fair amount of downtime if things are built correctly from the ground up too though, right?

MFBKBass5 posted...

Haha yeah that makes sense. I guess a good SOC team would have a fair amount of downtime if things are built correctly from the ground up too though, right?

Yeah once all of your monitoring systems are fine tuned and reporting properly there would be potential downtime. You'd have to stay on top of zero day vulns that pop up in the news and pester whatever sysadmin/engineers managing those systems to fix the vulns. Depending on the company and the amount of support your team has though, there might not be a lot of reason for the IT guys to listen to you. InfoSec doesn't have a lot of authority to make other teams fix their shit. They can only inform them.

You'd also want to be part of new projects to ensure whatever the teams plan to roll out is approved from a security standpoint.

Security teams are the worst for developers. Yous have no idea what we're doing at an application level and as a developer, I couldn't care less about the tooling results or your infra. Unless you're writing code, I'm not interested in your technical opinion or suggestion involving my code base

warlock7735 posted...

Security teams are the worst for developers. Yous have no idea what we're doing at an application level and as a developer, I couldn't care less about the tooling results or your infra. Unless you're writing code, I'm not interested in your technical opinion or suggestion involving my code base

lol shouldnt a good development team have a member who focuses on security but is also well versed in writing actual code?

MFBKBass5 posted...

lol shouldnt a good development team have a member who focuses on security but is also well versed in writing actual code?

Yes. That never happens.

Have you even hacked a Gibson bro

warlock7735 posted...

Security teams are the worst for developers. Yous have no idea what we're doing at an application level and as a developer, I couldn't care less about the tooling results or your infra. Unless you're writing code, I'm not interested in your technical opinion or suggestion involving my code base

"The security team needs to fuck off and just let my app require local admins rights in order to run!"

MFBKBass5 posted...

lol shouldnt a good development team have a member who focuses on security but is also well versed in writing actual code?

Yes but that's very rare. It's hard to find someone who is knowledgeable in multiple areas. Most are silo'ed within their own field and anything that other departments do is black magic.

[LFAQs-redacted-quote]



Oof

BlazinBlue88 posted...

"The security team needs to fuck off and just let my app require local admins rights in order to run!"

lol thats basically what I gathered from that post honestly

MFBKBass5 posted...

lol thats basically what I gathered from that post honestly

And those are the types of people you'll be dealing with. You are part of the no police. The one that creates roadblocks for other teams. At least that's how most will view you.

[LFAQs-redacted-quote]


some of the lower level hacking doesnt even really need much coding to be done. Command line/terminal commands mainly. But ya a lot of it is exploring vulnerabilities that get found and reported to open source websites, basically.

From the tools, have you had any actual experience, or is it mostly just simulation so far?

By actual I mean stuff like bug bounties, running red team exercises on a real server etc

Rathinor posted...

From the tools, have you had any actual experience, or is it mostly just simulation so far?

By actual I mean stuff like bug bounties, running red team exercises on a real server etc

I built my own home lab and got a Raspberry Pi 4 to setup a SIEM to monitor my own home network traffic. Red team exercises on real servers would be illegal unless youre employed as a pen tester though lol

Just job searching and applying/interviewing for SOC analyst roles to gain that real world experience. Theres plenty of packet capture samples out there to look at and analyze different attacks though that Ive studied a lot.

BlazinBlue88 posted...

"The security team needs to fuck off and just let my app require local admins rights in order to run!"

The app shouldn't require local admin, but the development environment does. I'm also going to need r/w access to the nonprod databases, and you'll probably have sensitive information exposed to your development team. If that's not acceptable, it's an HR issue, not a security one.