Where To Hack?

Five years ago I got my first taste of a real IT job. I was teaching in China for an English boarding school in China and a new firewall needed to be installed. The manual was all in Chinese and the school didn’t want to bring in an outside technician to set it up. So I gave it a try and managed to get ACLs and other rules up and running. Soon after that, I would find myself securing the networks, cleaning USBs and recovering important financial data from a highly corrupted computer that no longer booted!

Needless to say, China got me interested in cyber security as a career field. In the following months after leaving China, I studied the basics and slowly grew my knowledge of security concepts and best practices. I learned a lot. Occasionally this information flowed out of my mouth like a glorious fountain when I did helpdesk and consulting work. Despite all of this knowledge I slowly realized that everything I have learned did not address the must crucial element to defending any point of information. I had absolutely no clue how to hack! Even if I did, I didn’t know where to hack…legally.

Sure I could go home, spin up a VM and try to attack but how would I even begin? I did find tutorials on hacking but there are so many exploits out there. Which ones do I want to try? Can I set up the victim machine properly so that the attack works? What if I wanted to try a different exploit? What will I need to do the configure the victim machine so that would work? Where does it end? I realized I would be spending more time configuring VMs than actually learning penetration techniques. Thus, I walked away…

Only to return a year later. I still wanted to know how to exploit systems. Places like ITProTV and Cybrary are good places to get some hands on training but it costs money which builds up over time. There are training seminars that cost thousands of dollars. Maybe on the job experience or going back to school is a good option to learn? These choices can limit who can get hands on ethical hacking training which seems to be the opposite of what the industry needs.

Fear not! It is not all gloom. If you are willing to self-study, there’s hope!

There are free sites online that offer hacking challenges from absolute newbie (me) to advanced (Hackerman?). I am going to go through some that I found pretty helpful even if some of these sites are already well-known.

Over The Wire

If your Linux skills aren’t great, OTW can help with the Bandit challenges. You’ll learn things like ssh, file traversal, netcat, and general command line usage. It is not hacking per se but knowing some basic Linux is a must for the field. I am sure that Windows or MacOSX are capable of performing hacking techniques. However, a lot of tools are designed for Linux and nine times out of ten a hacking tutorial is designed for a Linux environment. Give it a try!
https://overthewire.org/wargames/

Hack This!

Probably one of my favorite sites, HT! has challenges from webpage exploitation to steganography to cryptography. It is beginner friendly with a hint for almost all of the challenges and a forum where you can ask for help. It is also a great way to improve researching skills as you learn about different security concepts and how they can be exploited. The only downside is that you won’t actually be penetrating any VMs. Regardless, this site is a definite must!
https://www.hackthis.co.uk/

Hack This Site

Similar to HT!, HTS offers challenges from newbie to advanced in a similar categories. It also offers a forum and hints that point you in the direction you should go to learn about a concept. As before, you won’t be hacking into VMs but the experience hacking web apps should not be passed up. Another must!
https://www.hackthissite.org/

Hack The Box

Another favorite is HTB. HTB has different challenges much like before but it also has VMs just waiting to be hacked into! That’s right! Legal hacking! HTB is a step up from HT! and HTS. There are still challenges for newbies though newbie is a bit relative for this site. If you’re like me, I would recommend going through walkthroughs for retired challenges while attempting an active challenge. There is a monthly fee for access to retired challenges but it’s less than $15. The one catch is you have to hack your way into the site. If you feel up to the task, hop on, hack on.
https://www.hackthebox.eu/

Microcorruption

Although it is not hacking in the conventional sense, reverse engineering is a great way for to learn how to pick something apart and exploit it. MC is essentially an online game where you have to trick security locks to open and let in your operatives. The challenge here is that you will be working with assembly language and a simple debugger. It adds an extra twist to analyzing code and understanding what is happening. Relatively speaking, this site is accommodating for beginners.
https://microcorruption.com/login

There are a couple more sites and resources that can be helpful learning hacking with hands on experience that I do not have a lot of experience with but worth looking into.

I’m sure there are other wonderful resources out there that won’t break the budget and still give a bang for your buck. But you get what you don’t pay for. There will be little hand holding and the learning is largely up to you. But if you don’t give up and dedicate the time, the rewards are worth it!

BSides Idaho Falls – Day (n where n > 2)

I’m back home from from BSides Idaho Falls which was an amazing conference. I hope to go to more like it and back to Idaho Falls next year. Now that the initial excitement of the conference is a little more tame, why not write a “lessons learned” post? Since this blog is focused on cyber security and my personal journey in the field, I will mainly stick to those topics but want to clarify that this conference also affected me on a more personal level. With that said, here are my after-conference thoughts.

Participating in the Cloud Forensics training seminar had the largest impact on me. This course made me reconsider my career focus. From first hand experience with AWS, I can definitely say that setting up a cloud environment is both a blessing and a curse. Yes, it is ridiculously easy to spin up a machine and hop on it in a matter of minutes. The documentation of implementing different features is pretty reliable and its modularity makes it very powerful. At the same time, that modularity makes it easy to misconfigure the setup and can accidentally allow unwanted access to your resources. It’s not enough to setup an environment and load up all of your stuff on it. You need to work out the security settings and infrastructure which often seems to be overlooked when using cloud services. Remember, cloud services like AWS will protect their infrastructure. You have to protect your resources. Having a deeper understanding of cloud security in my back pocket will not only benefit me but it will allow me to help others navigate this relatively new territory.

A somewhat less career-focused benefit of this seminar is that it pointed out some skills I can improve on. During the CTF (Capture The Flag) challenge, I realized that I can learn a lot more about encryption. I already know the main concepts of encryption but I do not know of the numerous ciphers and techniques that can be used to encrypt data. I am aware of some but there are a lot more I can know! This is important to me since I currently inspect network traffic for breaches and occasionally see encrypted text that could be remote code executions. In the long run having this knowledge during investigations means less guessing and more knowing which in turns improves how I report suspicious or compromising activity. This fits firmly with my belief that in order to defend something, you need to know how to attack it.

The seminar was not the only thing that had an impact. The different villages inspired me to do more. For example, the tinkerer’s village renewed my interest in hardware and circuit boards. I doubt that I will ever make that my career focus but it is fun to play around with and to have a better understanding of how machines physically work. I have to see if I actually do have an Arduino board in my tiny collection of circuitry tools so I can access the microprocessor of my conference badge. The lockpick village was a reminder that my skills have seriously atrophied…not that they were really good to begin with. However, a high school kid gave some pointers that I have to try out on my sets at home. Kudos to that kid!

The career village was the one village I forced myself to go into and I’m glad I did. Much like networking with people, writing resumes does not come naturally to me. Also like networking with people, it is a needed skill with great benefits. I received advice on how to craft a resume for my industry which is quite different from all of the other resume workshops I ever attended and what to think about as I move forward with my career. So, I will be rewriting my resume to make it stand out even more for future positions.

Finally, the talks. Honestly, I did not see many talks this time but the ones I did see really inspired me to one day present a topic myself. I don’t know what I would present on but the idea is enticing. I’m thinking maybe something about cloud security. Or maybe how hacking has improved my defending skills? Or maybe I find an unknown exploit and present it after responsible disclosure and a patch has been released? I really don’t know at the moment but I do feel that one day I will be in front of an audience to give a presentation.

Going forward, I want to keep learning so that I may help others. That’s what started this blog in the first place. Finding a way to contribute and help others even if it is a small contribution. I plan to continue going to conferences like BSides that focus on cyber security and technology as a whole instead of ones that focus on a specific tool or product. There is nothing wrong with those conferences. I’m just not that into them at the moment. I like being able to switch from one area of security to a completely different one that does not explicitly endorse one tool over another. My view is that if I know my end goal or have an idea of what I want to do, I can research the tools along the way. And there are generally multiple tools that provide the same basic functions. It’s a matter of features/bugs. Anyway, I hope to continue contributing to this amazing community one way or another.

BSides Idaho Falls – Day 2

The second annual BSides Idaho Falls conference is now done and it was great! There were many things to do but I kept things relatively low key in comparison to yesterday. Nevertheless, I got a lot out of this conference and once again it had me thinking of my next steps going forward in my career in cyber security.

Most of my time today was dedicated to the Tinkerer’s Village to learn more about my badge. Since the badge is a circuit board with LED lights, a resistor and a microprocessor, I just added one extra resistor to the circuit board to produce different colors than what the badge originally came as. This was nice but I was not quite satisfied. My badge periodically flashed red which indicated that an error had been tripped. That was no fun. Also, I wanted to get access to the microprocessor to tweak the coding. I’ve learned that the best way to do this as a beginner is to connect the badge to an arduino board and tweak it from there. I have some research to do once I am home again.

In second place for where I spent most of my time goes to the Career Village. As someone who feels that everything sounds interesting, it was good to get some grounding and a sense of direction. I learned about resume writing, a bit about self-marketing, and really got a sense of what I can bring to the community at large. Learning about these things were not new. If you have ever been to a class about resume building or mock interviews, you have probably experienced these lessons as well. What made the lessons from today different for me is that they were specifically designed for people in cyber security. This changed how I would talk about myself and how I present my job history. These are skills that people in the industry (IT/CyberSec) should have.

In third place, the memory forensics seminar. Thanks to my time trying out digital forensics in the past, I had some exposure to memory forensics though I had never delved into it. This seminar introduced tools like Volatility, DumpIt, RedLine, and LiME. I also learned concepts specific to memory forensics. A good example is that memory from a peripheral device gets mapped to the system memory address space. If I remember correctly, system memory address space is notwhat software programs load into to run because that address space is used by the OS and messing with it could cause the machine to crash. Instead, programs use a virtual address space where it thinks it loads at slot number 0 when in reality it is loading at some completely different slot nnumber in actual memory. It seems a peripheral makes it more difficult to capture data from memory. It was a good lecture to attend!

By the end of the conference, I began networking (another soft skill worth knowing) and gained a new mentor: my instructor from the cloud forensics seminar! Having a mentor feels as if it will boost my career and give me more opportunity to contribute back and help others. Speaking of which, networking also gives me chances to help others, collaborate, and learn. Networking is not a trait I naturally have but developing it has been a big boon. Technical people need connections too!

One last major thing happened that I cannot skip over. Due to my performance as team lead during the CTF (Capture The Flag) challenge yesterday, I received a challenge coin! It is the first time I received one and it was unexpected! Now I feel I have to get even better in this field.

I likely have more to say about my thoughts on my experience at the conference but it is getting late and I am saving all of my final thoughts for the next blog post. Stay tuned!

BSides Idaho Falls – Day 1

Today, I woke up to ominous clouds and chilling rain. Not what I was hoping for the first day of the conference. In my mind, I could only think this was a sign that I would be an embarrassment to the cyber security community. Not to mention that my frustrations with setting up my AWS machine for the seminar continued after writing the blog post yesterday. That is another story that I plan to write about more since it sparked a new blog idea.

Overall impressions of the conference? Amazing!

I joined the seminar on Cloud Forensics taught by Kerry Hazelton. There were concepts in the seminar that were familiar: The different kinds of cloud. What is cloud computing? Who owns the data you put into the cloud? Then there were things like vendor-locking or the CLOUD Act that I absolutely did not know about! The seminar definitely had me thinking of ways to expand professionally and tinkering with cloud security more.

Another thing the seminar made me ponder about is getting new certifications. He mentioned a few but the CCSK (Certificate of Cloud Security Knowledge) seems like a good place to start. And since this was focused on forensics, I wondered about trying my hand at forensics again. It might be easier to practice on instances in the cloud. Not to mention, I can blog about that too!

I also got to meet some really nice people as well. One thing that I found amazing when meeting people was how humble everyone was. There was the sense that everyone felt they did not really know anything and wanted to learn as much as possible. How much of the former is true is legitimately questionable but the latter was definitely true. No matter what the skill levels were, everyone wanted to be better. It was refreshing!

Then came the CTF (Capture The Flag) event for our seminar. We were all split randomly into teams…then I moved to a different team to help even the numbers…then more people came late and just joined our team. In total, we were a massive nine person team compared to the average size of four! And guess who was elected as team leader?

We all did not really know how to go about the CTF but I may have had best idea of what was expected. I did capture the first flag for our team which was pretty cool but I still tip my hat to the team member who got the 1000 point flag! That was amazing and really pumped the team!

Meanwhile, I had to keep track of at least three different challenges the team as a whole was working on. I’ll tell you. Working on an encryption, network and two stenography challenges at the same time is not easy. However, I found that I was a pretty good resource of random information and often could point people in the general direction to solving the challenges. I also taught a few new linux commands to one of my teammates who I am soo happy he had a linux vm on his computer! There were a couple challenges that were easier to do thanks to him!

In the end, our team came in 2nd place! My imposter syndrome kicked in and told me that we didn’t deserve it because there were nine of us. A few seconds later, I disregarded that thought and replaced it with a new one. Our team consisted of people who mostly have never done any kind of CTF challenge and were new to cyber security. And we came in 2nd! We congratulated each other and the team member who solved that 1000 point challenge got a custom challenge coin! We did really well!

At the end of the day, many of the conference attendees gathered together to play board games. It was relatively relaxing and we continued to meet more great people. There were a ton of games but I opted to play only one game called “Jamaica”. It was great looting gold from people and attacking ships on a gamble.

Despite the deathly looking clouds and the freezing rain, this was a great start to the conference. I’m looking forward to tomorrow. Especially the Tinkerer’s Village. Stay tuned!

BSides Idaho Falls – Day 0

This weekend, I am attending the BSides conference in Idaho Falls. This is the second BSides I have ever attended and I thought it would be a great idea to write a post for each day of the conference. I have been to other conferences (not many) before and each time I wish I had some way to express what I am feeling, what I learned, and just the sheer inspiration the conferences give me. In which case, why not do what other people do? Blog about it!

This post is day 0. I’m not at the conference but I arrived in the city and checked into the hotel. And most of the evening was spent wrangling my computer to be ready for the seminar I signed up for.

Generally, I am pretty nervous about attending a seminar or taking a test. I always assume that I will make a laughingstock out of myself and possibly get chased out for not being talented enough…my brain. This time, thanks to computer wrangling, I am more livid than nervous. I never knew setting up a virtual Windows machine in AWS to use for a seminar would be so annoying! Normally, I spin up Linux machines, SSH into them, and I’m good to go. It is the easiest thing to do! Windows is a different beast! At least Windows Server 2012 R2 is.

Before my rant, I want to acknowledge that I know 2012 R2 is showing its age but in my mind, why do I need something like server 2016 if I am just loading up some tools that should work no problem with a slightly older OS? I think AWS may have sensed my thoughts and has decided to make my life miserable. I digress.

Back to my frustrations.

I created the Windows 2012 machine, decrypted the pem key for the password, and logged on without a hitch. Cool! Except, when I tried to use Internet Explorer to download Firefox, the OS happily told me that the built-in Admin account does not have permission to use the browser. How and why is this a feature!? This makes me think of theSpongebob meme with Patrick and Manray where Patrick tells Manray that he cannot perform a task because of insufficient permissions even though he has the permission to do it!

Well fine then! I created a new admin account and logged in as the new account. Now I had access to the internet browser! Time to get Firefox. Except, for some reason I did not want to try to figure out, I could not get the download prompt. In fact, I could not get a download prompt for any program I wanted to download. They did not make it to the downloads folder nor were they scheduled for download. Blank.

Frustrated, I did the next logically thing I could. I obliterated the vm and created a new one using Windows Server 2016. And almost as if nothing ever happened, I could access the browser as the built-in admin and download programs. I was even allowed to install the programs! Can you imagine? Performing simple commands as an admin without the OS telling you you can’t! It is a beautiful thing…Not to mention how much time and the headache it’s going to save me!

For the rest of the evening, I’ll be installing and testing different forensic software so I can be as ready as possible for the seminar. Still nervous about it all. Until tomorrow!

Hacking: Why We Need To Do More Of It

Let’s get the obvious out of the way. I DO NOT condone hacking for malicious purposes that harm innocent people.

Hacking is generally divided into three hats: black, white, and grey. Black hats are generally labeled as the bad guys but that honestly depends on framing. Hacking to shutdown a city for money while denying services for citizens? Bad. Hacking to prove there is unbridled corruption in a questionable government? Could be a good thing though this is still black hat territory.

White hats are almost always good. These are the people who are paid by the target to hack the target. Doing this can expose vulnerabilities in a company or system so that it may be fixed or mitigated. In the long run, a company would be saving money instead of shelling out cash to fix an attack, recover/rebuild lost data, defend their reputation through PR, and possibly pay legal fees.

Grey hats are the people that come in a myriad of flavors. There people who want free stuff. People who do bug bounties. People who want to mod the electronics. People who just like poking around. People who want to tip the game in their favor. People who want to improve a product. The list can go on.

As a society, we typically lump hackers into two categories: good and bad. The good hackers are working for respectable groups and are paid for sanctioned hacks. The bad is anyone else. This binary view of hacking is a detriment to society for it lumps grey hats in with black hats without thought. It discourages people who may be curious about hacking from trying it. Although we now have courses to teach people to become white hats, many people get their start from being a grey hat! Some do go off and do black hat work but many more do white hat work to apply their skills for the benefit of society at large. And the cyber security industry always seem to bemoan that there aren’t enough people to fill in the gaps.

Of course, not every position that needs filling requires hacking skills. A SOC analyst or security engineer isn’t going to fire up a laptop and start furiously hacking away and get paid for it! Though…that would be kind of cool. However, knowing how to hack means that these people will know how to improve security. It means that people can detect and interpret threats better. Learning how to hack introduces new concepts to people and forces them to think outside the box. Malicious hackers are thinking outside the box all the time to find ways to trick the system. The ability to do the very same is a crucial skill needed in the cyber security world.

And hacking isn’t just for hoodie wearing youngsters. Anyone can learn the basics of hacking! You don’t have to be super smart. No offense. Fortunately, security awareness training is a great tool to teach the basics of hacking. Besides knowing about phishy emails, check the urls of links. Look at the email header. See strange text that looks out of place? Report it! Are you entering your personal information to a site without a green padlock next to the url? I wouldn’t unless you really, really know for sure that it’s safe. Think you don’t need to follow all of the security protocols because you are “too low” in the business hierarchy to matter? A hacker doesn’t think that. If fact, a hacker probably views you as their best friend. Often times, it is the least guarded that malicious hackers exploit to get their foot in the door. If it helps, think of malicious hackers as a very hangry bear. You can outrun the bear or not be at the back of the group of runners. The bear doesn’t care who it mauls. It’s happy to catch anything delicious.

In the near future, society has to discard the blind binary view on hacking and judge it in the context of how it is used and to what end. We need to encourage responsible disclosure of vulnerabilities from people who weren’t hired to find it. We need reformed black/grey hats who know all the tricks of the trade. We need tinkerers and explorers of technology who occasionally break things so they can figure out how the technology works. Anyone who has ever used a computer will know that those impish little boxes do weird things just to savor our frustrations and confusion. These explorers strike fear into computers. It’s why a bad computer suddenly behaves when such a person threatens to fix it. I feel confident of this!

Bottom line is that technology is becoming more complex. Complexity introduces chances for exploits. We can’t just sit back and let men in white labcoats…or hats… protect us. We need to be proactive in defending ourselves from cyber attacks. And if I may quote one of my favorite books:

Know the enemy,
Know yourself,
And victory
Is never in doubt,
Not in a hundred battles.

He who knows self
But not the enemy
Will suffer one defeat
For every victory.

He who knows
Neither self
Nor enemy
Will fail
In every battle.

–Sun Tzu, The Art of War