Current Events > Learning how to hack has been surprisingly easy

MFBKBass5
08/09/22 7:00:17 PM
#1:


Have been in this cybersecurity bootcamp since the end of June, and after learning Linux and Python/networking fundamentals for a while.

We finally got to red team attacking last week, and it's seriously laughable at how easy it is to crack passwords/break into websites and stuff like that.

There's literally a job in this field where companies pay you to try and break into their network/website. What a sweet job that'd be. Some of those jobs even give you permission to try and lock pick/RFID spoof your way into the physical building lmao


---
!!!!!!!!!
http://i.imgur.com/DzJSPWA.jpg
BLooD_WoLf
08/09/22 7:02:54 PM
#2:


you gonna go for CEH or any other pen test certs after the bootcamp? there are TONS of jobs looking for those.

---
http://i.imgur.com/W95Rp.jpg
#3
Post #3 was unavailable or deleted.
NeonOctopus
08/09/22 7:04:01 PM
#4:


I wish I knew programming or how to hack stuff >_> Sounds fun

---
http://i.imgur.com/nlaY1qH.jpg http://i.imgur.com/zHJ1OCo.gif
http://i.imgur.com/btBPP4E.jpg http://i.imgur.com/1B3bMHw.gif https://imgur.com/nQik2zW
Prismsblade
08/09/22 7:04:16 PM
#5:


Is it as cool, flashy and exciting as presented in most mainstream media?

---
3DS FC:3368-5403-9633 Name: Kaizer
PSN: Blackkaizer
MFBKBass5
08/09/22 7:09:38 PM
#6:


BLooD_WoLf posted...
you gonna go for CEH or any other pen test certs after the bootcamp? there are TONS of jobs looking for those.

Maybe. My instructor told me getting a red team job typically requires experience in blue team/SOC first. Those red team jobs pay insanely well too.

Prismsblade posted...
Is it as cool, flashy and exciting as presented in most mainstream media?

Cool and flashy yes, maybe not as exciting. Lots of things take a while. Especially brute forcing passwords

---
!!!!!!!!!
http://i.imgur.com/DzJSPWA.jpg
MFBKBass5
08/09/22 7:10:04 PM
#7:


NeonOctopus posted...
I wish I knew programming or how to hack stuff >_> Sounds fun

check out hackthebox

it's a free platform that teaches you how to hack

---
!!!!!!!!!
http://i.imgur.com/DzJSPWA.jpg
NeonOctopus
08/09/22 7:12:26 PM
#8:


MFBKBass5 posted...
check out hackthebox

it's a free platform that teaches you how to hack

oh wow, thank you!

---
http://i.imgur.com/nlaY1qH.jpg http://i.imgur.com/zHJ1OCo.gif
http://i.imgur.com/btBPP4E.jpg http://i.imgur.com/1B3bMHw.gif https://imgur.com/nQik2zW
MFBKBass5
08/09/22 7:13:34 PM
#9:


NeonOctopus posted...
oh wow, thank you!

it does need some beginner level Linux knowledge tho

---
!!!!!!!!!
http://i.imgur.com/DzJSPWA.jpg
NeonOctopus
08/09/22 7:14:20 PM
#10:


oh....

---
http://i.imgur.com/nlaY1qH.jpg http://i.imgur.com/zHJ1OCo.gif
http://i.imgur.com/btBPP4E.jpg http://i.imgur.com/1B3bMHw.gif https://imgur.com/nQik2zW
Irony
08/09/22 7:25:16 PM
#11:


https://gamefaqs.gamespot.com/a/user_image/7/5/3/AAJHVqAADi_Z.jpg

---
I am Mogar, God of Irony and The Devourer of Topics.
RlP
08/09/22 7:25:34 PM
#12:


Are you a script kiddie or do you actually build your own tools?

---
Go and watch Ef ~ A tale of memories now!
BlazinBlue88
08/09/22 7:34:17 PM
#13:


MFBKBass5 posted...
There's literally a job in this field where companies pay you to try and break into their network/website. What a sweet job that'd be. Some of those jobs even give you permission to try and lock pick/RFID spoof your way into the physical building lmao

We also get them to social engineer the customer facing employees. When I worked at a bank, we would have them call the bank tellers and have them name drop someone in the IT dept to convince them to click links in emails. "Hi I'm working on a project with Bob and he needs me to install this on your computer. If I send you the email, can you click the link and get it installed real quick?"

It's so easy to look up a company on LinkedIn and find the names and job titles of their employees.

---
http://i.imgur.com/R15aJJ3.png http://i.imgur.com/NJqp6LS.png
Tyranthraxus
08/09/22 7:50:02 PM
#14:


BlazinBlue88 posted...
We also get them to social engineer the customer facing employees. When I worked at a bank, we would have them call the bank tellers and have them name drop someone in the IT dept to convince them to click links in emails. "Hi I'm working on a project with Bob and he needs me to install this on your computer. If I send you the email, can you click the link and get it installed real quick?"

It's so easy to look up a company on LinkedIn and find the names and job titles of their employees.

Our systems are managed by Microsoft System Center so I just ignore all instructions to install software and eventually Systems does it for me.

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
Neoconkers
08/09/22 7:54:22 PM
#15:


I still think any pentesting involving phishing is a waste of time. just give them a fuckin user account and save the hours in your scope, one of your users is going to click the link eventually. then you can scope a pentest for "anything other than phishing" if you really care about testing your perimeter security.

---
.
Tyranthraxus
08/09/22 7:55:59 PM
#16:


Neoconkers posted...
I still think any pentesting involving phishing is a waste of time. just give them a fuckin user account and save the hours in your scope, one of your users is going to click the link eventually. then you can scope a pentest for "anything other than phishing" if you really care about testing your perimeter security.

This is what we do. We also give them a machine inside the data center that literally doesn't do anything except attack.

---
It says right here in Matthew 16:4 "Jesus doth not need a giant Mecha."
https://i.imgur.com/dQgC4kv.jpg
Neoconkers
08/09/22 7:56:35 PM
#17:


I will point out that there's very much a difference between hacking in a bootcamp and hacking in an actual infrastructure. a decade of steady evo/devolution in an active directory, software debt, generations of sysadmins, etc, leave you with a not so lovingly crafted environment

---
.
Rida_Go_To_Bed
08/09/22 7:58:16 PM
#18:


The podcast Darknet Diaries has a few episodes dedicated to ethical/unethical hacking as well as physical penetration testing that are SUPER interesting. I highly recommend checking it out

edit: https://darknetdiaries.com/episode/36/ is a good one for physical penetration testing!

---
Just try to handle this.
Neoconkers
08/09/22 8:03:58 PM
#19:


darknet diaries is a good podcast, can vouch for that one. I don't really have the time for podcasts these days anymore though, shame

---
.
Neoconkers
08/09/22 8:06:03 PM
#20:


also a guy I know named Cooper is a class act, goes around a lot of the technical conferences with a collection of recording rigs, will video the talks for free under the condition the videos go online for free, including one of my talks. there's enough variety in there that SOMETHING should tickle your fancy

https://administraitor.video/

---
.
#21
Post #21 was unavailable or deleted.
MFBKBass5
08/10/22 8:34:40 AM
#22:


RlP posted...
Are you a script kiddie or do you actually build your own tools?

Wouldn't call myself either here. Just learning the basics so far. Been using the tools in Kali Linux like Wireshark, nmap, recon-ng, stuff like that. just downloaded blackarch Linux to play around with that too.

Neoconkers posted...
I still think any pentesting involving phishing is a waste of time. just give them a fuckin user account and save the hours in your scope, one of your users is going to click the link eventually. then you can scope a pentest for "anything other than phishing" if you really care about testing your perimeter security.

That's fair. Unless all the employees are fairly young and educated about phishing emails. My gf's hospital sends out practice phishing emails from their security team to educate them on what to click.

---
!!!!!!!!!
http://i.imgur.com/DzJSPWA.jpg
Dan_Haren-
08/10/22 9:15:51 AM
#23:


With just basic knowledge I could hack back in high school. But I went away from the programming route so all that knowledge is gone and decades outdated.
MedeaLysistrata
08/10/22 9:18:17 AM
#24:


I'm gonna be learning to code at school but it's a uni so I doubt they will teach hacking

Wish me luck I'll need it

---
"As usual, the zero rating will be reserved for Trump."
BlazinBlue88
08/10/22 11:19:35 AM
#25:


MedeaLysistrata posted...
I'm gonna be learning to code at school but it's a uni so I doubt they will teach hacking

Wish me luck I'll need it

Your standard programming degree won't teach hacking. Universities are starting to offer classes and/or degrees in cyber security/ethical hacking. There's also computer forensics which incorporates hacking concepts to pull data for courts and such.

---
http://i.imgur.com/R15aJJ3.png http://i.imgur.com/NJqp6LS.png
MedeaLysistrata
08/10/22 12:36:32 PM
#26:


BlazinBlue88 posted...
Your standard programming degree won't teach hacking. Universities are starting to offer classes and/or degrees in cyber security/ethical hacking. There's also computer forensics which incorporates hacking concepts to pull data for courts and such.

I just want to learn the formal stuff, but the school I'm at offers cyber sec... Would probably be a better career move

---
"As usual, the zero rating will be reserved for Trump."
BlazinBlue88
08/10/22 2:17:54 PM
#27:


MedeaLysistrata posted...
I just want to learn the formal stuff, but the school I'm at offers cyber sec... Would probably be a better career move

Really depends what you want to do for a living...which of course you won't fully know until you get into the field. A lot of cyber sec stuff is just running vuln reports and having meetings trying to convince devs and infra guys to fix their shit while having no real power to make them. Each field has their pros and cons but luckily once you're in one IT/dev field, it isn't that hard to move into another.

---
http://i.imgur.com/R15aJJ3.png http://i.imgur.com/NJqp6LS.png