Here’s what we’ll cover:

• What is Cybersecurity?

• Cybersecurity: A World of Opportunities

• Emerging Trends and Threats in Cybersecurity

• Understanding Cyber Risk

• Common Cyber Threats

• The CIA Triad and IAAA

• People, Processes, and Technology

• Domains of Cybersecurity

• Operating Systems: The Foundation

• Security Controls: Your First Line of Defense

• Cryptography Basics

• Advanced Terminology and Concepts

• Conclusion

What is Cybersecurity?

Cybersecurity is the practice of protecting computer systems, networks, and data from unauthorized access, use, disclosure, disruption, modification, or destruction. It's like a digital shield, safeguarding our valuable information and ensuring that systems run smoothly.

In today's interconnected world, where we rely on technology for everything from banking and shopping to communication and healthcare, cybersecurity is more critical than ever.

Fundamental Security Concepts

• Software: Software refers to the set of instructions that tell a computer what to do. It's the brain behind everything computers do, from browsing the web and playing games to controlling complex machinery and enabling critical infrastructure.

• Software Flaws and Vulnerabilities: Software is written by humans, and humans make mistakes. These mistakes in code can lead to software flaws or bugs, creating vulnerabilities that attackers can exploit.

• Exploits: Exploits are the tools and techniques attackers use to take advantage of vulnerabilities. They can be a piece of software, a command, or a sequence of actions that exploit a weakness to compromise a system.

Cybersecurity: A World of Opportunities

The field of cybersecurity is vast and dynamic, offering a variety of career paths for diverse skill sets. Here are a few examples of the many roles in this exciting field:

• Governance, Risk, and Compliance (GRC) are the architects of an organization's security framework. They focus on developing and implementing security policies, managing risks, and ensuring compliance with industry standards and government regulations.

• Penetration Testers are often called "ethical hackers," and they use their skills to identify vulnerabilities and improve security systems before malicious actors can exploit them. They conduct authorized, simulated attacks to test an organization's defenses and identify weaknesses.

• Security Analysts are the front-line soldiers in the fight against cyber threats. They monitor networks for suspicious activity, analyze security breaches to identify causes and vulnerabilities, and implement security measures to prevent future attacks.

This is just a small sample of the diverse opportunities within cybersecurity. Now, let's look at some emerging trends and threats, then explore the concept of cyber risk.

Emerging Trends and Threats in Cybersecurity

The cybersecurity landscape is constantly evolving, with new threats and technologies emerging at a rapid pace.

As we navigate the digital world in 2024, several key trends and threats are shaping the field:

• AI-Powered Attacks: Cybercriminals are increasingly leveraging artificial intelligence to create more sophisticated and targeted attacks. AI-generated phishing emails and deepfakes are becoming harder to detect, posing new challenges for security professionals

• Ransomware Evolution: Ransomware attacks continue to evolve, with attackers now employing double extortion tactics. They not only encrypt data but also threaten to leak sensitive information (double extortion), putting additional pressure on victims

• IoT Vulnerabilities: The sharp increase in of Internet of Things (IoT) devices (think smart thermostats, refrigerators, door locks) has expanded the attack surface for cybercriminals. Securing these interconnected devices remains a significant challenge

• Supply Chain Attacks: Threat actors are increasingly targeting software supply chains to compromise multiple organizations simultaneously. These attacks can have far-reaching consequences and are particularly difficult to detect

• State-Sponsored Cyber Warfare: The rise of state-sponsored cyber attacks is blurring the lines between traditional warfare and cybercrime. These sophisticated attacks often target critical infrastructure and can have geopolitical implications

• Cloud Security Challenges: As more organizations migrate to the cloud, securing cloud environments has become a top priority. Misconfigurations and inadequate access controls in cloud services are common vulnerabilities exploited by attackers

Understanding Cyber Risk

In the context of cybersecurity, risk is the potential for loss or damage resulting from a cyberattack or security breach. My favorite way to explain is it to think of it like a boxer with a "glass jaw" – a known weakness that an opponent can exploit.

To understand cyber risk better, let's break it down:

• Vulnerabilities: These are weaknesses in systems or processes that can be exploited by attackers. In our boxing analogy, this is the boxer's "glass jaw" – a vulnerability that makes them susceptible to a knockout.

• Exploits: The act of actually punching the person with the glass jaw is the exploit. It's the action taken to leverage the vulnerability and cause harm. Similarly, in cybersecurity, an exploit is a specific technique or code used to take advantage of a vulnerability.

• Threats: The possibility of someone throwing a punch at the person with the glass jaw is a threat. It's a potential danger that could exploit the vulnerability. In the digital world, threats are malicious actors or events like viruses, hackers, or even natural disasters that can harm systems or data.

• Threat Actor: The person throwing the punch is the threat actor. They are the specific entity with the intent and capability to exploit the vulnerability. In cybersecurity, threat actors can be individuals, groups, or even nation-states that seek to compromise systems or steal data.

• Impact: The injury from the punch represents the impact. It is the damage caused by the successful exploitation of the vulnerability. In a cyber attack, the impact could be the data loss, financial damage, or disruption of operations.

• Risk: The overall risk is the combination of the vulnerability (the glass jaw), the threat (the potential punch), the threat actor (the person punching), and the potential impact (serious injury). In cybersecurity, risk is the likelihood that a threat will exploit a vulnerability and the resulting damage to the organization.

• Risk Appetite: The person's willingness to step into the boxing ring despite their glass jaw represents their risk appetite. It's the level of risk they are willing to accept. In cybersecurity, risk appetite is the amount of risk an organization is willing to take in pursuit of its objectives.

The relationship between these concepts is crucial: a threat exploits a vulnerability using an exploit to create risk. The greater the vulnerability and the more determined the threat, the higher the risk.

Common Cyber Threats

The digital world is full of threats, just like the physical world. Here are some common types of cyber threats:

• Viruses: A computer virus is a malicious program that self-replicates and spreads from one computer to another, like a biological virus. They can corrupt files, steal data, and disrupt system operations.

• Trojans: A Trojan horse disguises itself as legitimate software to trick users into installing it. Once inside, it can steal data, damage files, or take control of the system.

• Ransomware: Ransomware encrypts a victim's files, making them inaccessible. Attackers then demand a ransom to decrypt the files.

• Malware: Malware is a broad term encompassing any malicious software, including viruses, Trojans, ransomware, and spyware. Spyware secretly monitors user activity and steals sensitive information.

• Phishing: Phishing attacks use deceptive emails, messages, or websites to trick individuals into revealing sensitive information, such as passwords or credit card numbers. These often appear to come from a trusted source, like a bank or online retailer.

• Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks: These attacks aim to disrupt a service or network by overwhelming it with traffic from multiple sources. This makes the service unavailable to legitimate users. Imagine a website being flooded with so many requests that it crashes and can't be accessed by anyone.

The CIA Triad and IAAA

The CIA triad is a core principle in cybersecurity and one that I constantly preach and bring my work back to. It stands for Confidentiality, Integrity, and Availability.

Confidentiality

Confidentiality is all about keeping things protected. It’s like having a secret diary with an unbreakable lock, or sending a coded message that only your best friend can crack.

In cybersecurity, we use fancy tools like encryption and access controls to make sure only the right people can see sensitive information. When I say confidentiality, I generally want the association to be encryption.

Integrity

Integrity is like a superhero protecting your data from sneaky villains who want to mess with it. It’s about making sure your information stays accurate and trustworthy. Think of your bank statement — you’d be pretty upset if someone changed the numbers, right?

We use things like checksums and version control to keep our data safe and sound. Think of a hash or checksum as a unique fingerprint for a file or piece of data. If even a tiny bit of the data changes, the fingerprint will completely change, allowing you to easily verify if something has been tampered with. When I say integrity, I generally want the association to be hashes or checksums.

Availability

Imagine trying to get into your favorite coffee shop, but the door is locked! Availability makes sure that the good actors (aka authorized users) can always access the data and systems they need, when they need them — and the bad actors can’t. It’s like having a friendly doorman who knows your face and lets you right in. Redundancy, backups, and disaster recovery plans (more on this later) are some of the tools we use to keep those digital doors open.

IAAA builds upon the CIA triad by focusing on how access to information and systems is managed:

• Identification: The process of claiming an identity, like providing a username.

• Authentication: Verifying the claimed identity, like entering a password.

• Authorization: Granting appropriate access levels based on the verified identity.

• Accountability: Tracking and recording user actions to ensure they are responsible for their activities.

People, Processes, and Technology

Cybersecurity is not just about technology – it's also about people and processes. These three elements work together to create a strong security posture.

People and Security

We are both the strongest and weakest link in the cybersecurity chain. We can create strong passwords, be vigilant against phishing attacks, and follow security best practices. But we can also fall victim to social engineering, click on malicious links, or inadvertently introduce vulnerabilities into our systems.

That's why security awareness training is so important – it helps us become more resilient and less likely to be tricked by attackers.

Implementing Secure Processes

Processes are the policies, procedures, and guidelines that govern how we do things. They provide a framework for security, ensuring that everyone knows what to do and how to do it securely.

For example, a strong password policy might require users to create complex passwords and change them regularly.

Using Technology Securely

Technology provides the tools and solutions we need to implement and enforce security measures. This includes everything from firewalls and antivirus software to encryption and intrusion detection systems.

But technology alone is not enough. It needs to be combined with effective processes and user awareness to create a truly secure environment.

Domains of Cybersecurity

Cybersecurity is a vast field with many different domains, each focusing on a specific aspect of digital security. Some of the major domains include:

• Network Security: Protecting computer networks from unauthorized access and attacks. This involves implementing devices like firewalls, intrusion detection systems, and other security measures to safeguard network infrastructure.

• Data Security: Safeguarding data from unauthorized access, use, disclosure, disruption, modification, or destruction. This includes data encryption, access controls, and data loss prevention techniques.

• Application Security: Securing software applications from vulnerabilities and attacks. This involves secure coding practices, vulnerability assessments, and penetration testing.

• Cloud Security: Protecting data and applications stored in the cloud. This includes understanding cloud security architectures, implementing access controls, and securing cloud storage.

• Cryptography: Using codes and ciphers to protect information from unauthorized access. This includes encryption techniques, digital signatures, and key management.

Operating Systems: The Foundation

An Operating System (OS) is the software that manages all the hardware and software on a computer.

In the context of cybersecurity, understanding operating systems is crucial because they are often the primary target for cyberattacks and the first line of defense against threats. It's like the conductor of an orchestra, making sure everything works together in harmony.

Popular examples include:

• Windows: Developed by Microsoft, it's the most widely used OS for personal computers. Its popularity makes it a frequent target for malware, necessitating regular security updates and patches

• macOS: Developed by Apple, it powers Apple's Mac computers. While generally considered more secure due to its Unix-based architecture, it’s not immune to threats and requires ongoing security maintenance.

• Linux: An open-source OS known for its stability and flexibility, often used in servers and embedded systems. Its open-source nature allows for community driven security improvements, but also means vulnerabilities can be publicly exposed.

Each OS has its own security features, vulnerabilities, and patching processes. Cybersecurity professionals need to understand these differences to effectively secure systems, implement appropriate security measures, and respond to OS specific threats.

Also, many cyberattacks exploit OS level vulnerabilities, making OS security a critical component of overall cybersecurity strategy.

Security Controls: Your First Line of Defense

Let's imagine your digital life as a castle. You've got valuable treasures inside, like your personal information, photos, and financial data. Naturally, you want to protect those treasures from any thieves or invaders. Security controls are the various defenses you put in place to keep your castle safe.

Technical Controls: The Castle Walls and Moat

Technical controls are like the sturdy walls and the deep moat surrounding your castle. They are the hardware and software solutions that act as barriers, filters, and alarms to keep the bad guys out.

• A firewall is like a drawbridge, carefully controlling who and what can enter your network.

• Antivirus software is like a vigilant guard patrolling your castle grounds, searching for and eliminating any malicious intruders (like viruses or malware) that manage to slip past the walls.

• Encryption is like a secret code that scrambles your data, making it unreadable to anyone who doesn't have the key.

These technical defenses work together to create a strong perimeter around your digital castle, making it much harder for attackers to break in.

Administrative Controls: The Castle Rules and Regulations

Even with the strongest walls and moat, a castle is vulnerable if the people inside are careless or untrained. Administrative controls are the rules and regulations that govern how people and systems operate within your castle.

• Security awareness training is like educating your castle staff on how to recognize and respond to potential threats.

• Password policies are like requiring strong, unique passwords for every door and gate in your castle.

• Access control procedures are like assigning different levels of access to different areas of the castle, ensuring that only authorized personnel can enter sensitive areas.

These administrative measures help to create a culture of security within your organization, ensuring that everyone is aware of their role in protecting the castle.

Physical Controls: The Guards and Locks

Of course, even the most sophisticated digital defenses can be bypassed if someone gains physical access to your castle. Physical controls are the measures you take to protect your physical assets, such as servers, computers, and other equipment.

• Locks on doors and server racks are like the heavy bolts on your castle gates, preventing unauthorized entry.

• Security cameras are like the watchful eyes of your guards, monitoring for any suspicious activity.

• Security guards themselves are the ultimate physical control, providing a human presence to deter and respond to potential threats.

These physical measures work in conjunction with your technical and administrative controls to create a comprehensive security strategy.

Cryptography Basics

Remember those secret decoder rings you might have used as a kid? Cryptography is the adult, high-tech version of that, but instead of just scrambling letters, we're protecting sensitive information like your credit card details, medical records, and even classified government communications.

At its core, cryptography is the practice of securing communication and data through the use of codes and ciphers. It's like having a secret language that only you and your intended recipient can understand. This helps ensure that even if someone intercepts your message, they won't be able to read it without the key to decode it.

Encryption is a crucial tool in cryptography. It takes your readable data (plaintext) and transforms it into an unreadable format (ciphertext) using a complex algorithm and a secret key. Only someone with the correct decryption key can reverse the process and turn the ciphertext back into plaintext.

Think of it like putting your valuables in a locked safe. The safe is the encryption, and the key is the decryption key. Without the key, no one can access your valuables without a ton of work.

Common encryption algorithms you might hear about include AES (Advanced Encryption Standard) and RSA (Rivest-Shamir-Adleman). These algorithms are used in a wide range of applications, from securing online banking transactions to protecting sensitive government data.

• Cryptographic Hashing: A technique used to verify the integrity of data. It takes an input (like a file or message) and generates a unique "fingerprint" called a hash. Even a tiny change in the input results in a completely different hash, helping detect if data has been tampered with.

• Symmetric Cryptography: Uses the same key for encryption and decryption. It's fast and efficient but requires a secure way to share the key between parties.

• Asymmetric Cryptography: Uses two different keys: a public key for encryption and a private key for decryption. It's more secure for key exchange but can be slower.

Advanced Terminology and Concepts

• Advanced Persistent Threats (APTs): Stealthy and continuous computer hacking processes, often orchestrated by skilled hackers targeting specific organizations or individuals. They often employ sophisticated techniques and remain undetected for extended periods.

• Threat Actors: Individuals or groups who intentionally try to exploit vulnerabilities for malicious purposes. They can range from individual hackers to organized crime groups and state-sponsored actors.

• Zero-Day Exploits: Exploits that take advantage of vulnerabilities unknown to the software vendor or security community. They are particularly dangerous because there is no known defense against them.

• Social Engineering: Manipulating individuals into divulging confidential information or performing actions that compromise security. This can include phishing attacks, pretexting, and baiting.

Conclusion

You've now completed a journey through the fundamentals of cybersecurity! You've learned about various career opportunities, the concept of cyber risk, common cyber threats, the CIA triad, essential security domains, operating systems, and cryptography basics. You've even touched on more advanced concepts like APTs and social engineering.

Remember, this is just the beginning of your cybersecurity adventure. Dive in deeper to learn more about each of these key concepts.

This post relies on basic knowledge of computer networks. Be sure to check my previous post about the five layers model if you need a refresher.

What is Wireshark?

Wireshark is a sniffer, as well as a packet analyzer.

What does that mean?

You can think of a sniffer as a measuring device. We use it to examine what’s going on inside a network cable, or in the air if we are dealing with a wireless network. A sniffer shows us the data that passes through our network card.

But Wireshark does more than that. A sniffer could just display a stream of bits - ones and zeroes, that the network card sees. Wireshark is also a packer analyzer that displays lots of meaningful data about the frames that it sees.

Wireshark is an open-source and free tool, and is widely used to analyze network traffic.

Wireshark can be helpful in many cases. It might be helpful for debugging problems in your network, for instance – if you can’t connect from one computer to another, and want to understand what’s going on.

It can also help programmers. For example, imagine that you were implementing a chat program between two clients, and something was not working. In order to understand what exactly is being sent, you may use Wireshark to see the data transmitted over the wire.

So, let’s get to know Wireshark.

How to Download and Install Wireshark

Start by downloading Wireshark from its official website:

https://www.wireshark.org/#download

Follow the instructions on the installer and you should be good to go.

How to Sniff Traffic with Wireshark

Launch Wireshark, and start by sniffing some data. For that, you can hit Ctrl+K (PC) or Cmd+K (Mac) to get the Capture Options window. Notice that you can reach this window in other ways. You can go to Capture->Options. Alternatively, you can click the Capture Options icon.

I encourage you to use keyboard shortcuts and get comfortable with them right from the start, as they'll allow you to save time and work more efficiently.

So, again, I’ve used Ctrl+K (or Cmd+K) and got this screen:

The Capture Options window in Wireshark (Source: Brief)

Here we can see a list of interfaces, and I happen to have quite a few. Which one is relevant? If you’re not sure at this point, you can look at the Traffic column, and see which interfaces currently have traffic.

Here we can see that Wi-Fi 3 has got traffic going through it, as the line is high. Select the relevant network interface, and then hit Enter, or click the button Start.

Let Wireshark sniff the network for a bit, and then stop the sniff using Ctrl+E / Cmd+E. Again, this can be achieved in other ways – such as going to Capture->Stop or clicking the Stop icon.

Consider the different sections:

Wireshark's sections (Source: Brief)

The section marked in red includes Wireshark’s menu, with all kinds of interesting options.

The main toolbar is marked in blue, providing quick access to some items from the menu.

Next, marked in green, is the display filter. We will get back to it shortly, as this is one of the most important features of Wireshark.

Then follows:

The Packet List Pane

The packet list pane is marked in orange. It displays a short summary of each packet captured.

(Note: the term Frame belongs to a sequence of bytes in the Data Link layer, while a Packet is a sequence of bytes from the Network layer. In this post I will use the terms interchangeably, though to be accurate, every packet is a frame, but not every frame is a packet, as there are frames that don't hold network layer data.)

As you can see in the image above, we have a few columns here:

NUMBER (No.) – The number of the packet in the capture file. This number won’t change, even if we use filters. This is just a sequential number – the first frame that you have sniffed gets the number 1, the second frame gets the number 2, and so on.

Time – The timestamp of the packet. It shows how much time has passed from the very first packet we have sniffed until we sniffed the packet in question. Therefore, the time for packet number 1 is always 0.

Source – The address where this packet is coming from. Don’t worry if you don’t understand the format of the addresses just yet, we will cover different addresses in future tutorials.

Destination – The address where this packet is going.

Protocol – The protocol name in a short version. This will be the top protocol – that is, the protocol of the highest layer.

Length – The length of each packet, in bytes.

Info – Additional information about the packet content. This changes according to the protocol.

By clicking on packets in this pane, you control what is displayed in the other two panes which I will now describe.

The Packet Details Pane

Click on one of the captured packets. In the example below I clicked on packet number 147:

Selecting a specific packet changes the packet details pane (Source: Brief)

Now, the packet details pane displays the packet selected in the packet list pane in more detail. You can see the layers here.

In the example above, we have Ethernet II as the second layer, IPv4 as the third layer, UDP as the fourth layer, and some data as a payload.

When we click on a specific layer, we actually see the header of that layer.

Notice that we don’t see the first layer on its own. As a reminder, the first layer is responsible for transmitting a single bit – 0 or 1 – over the network (if you need a refresher about the different layers, check out this post).

The packet bytes pane in Wireshark (Source: Brief)

Below the packet details pane, we have the packet bytes pane. It displays the data from the packet selected in the packet list pane. This is the actual data being sent over the wire. We can see the data in hexadecimal base, as well as ASCII form.

How to Use the Display Filter

Wireshark has many different functions, and today we will focus on one thing – the display filter.

As you can see, once you start sniffing data, you get a LOT of traffic. But you definitely don’t want to look at everything.

Recall the example from before – using Wireshark in order to debug a chat program that you’ve implemented. In that case, you would like to see the traffic related to the chat program only.

Let’s say I want to filter only messages sent by the source address of frame number 149 ( 192.168.1.3 ). I will cover IP addresses in future posts, but for now you can see that it consists four numbers, delimited by a dot:

The display filter in Wireshark (Source: Brief)

Now, even if you don’t know how to filter only packets sent from this IP address, you can use Wireshark to show you how it’s done.

For that, go to the right field we would like to filter – in this case, the source IP address. Then right click -> and choose filter -> Apply as Filter.

Applying a display filter (Source: Brief)

After applying the filter, you only see packets that have been sent from this address. Also, you can look at the display filter line and see the command used. In this way, you can learn about the display filter syntax (in this example, it is ip.src for the IP source address field):

Applying a display filter (Source: Brief)

Now, try to filter only packets that have been sent from this address, and to the address 172.217.16.142 (as in Frame 130 in the image above). How would you do that?

Well, you could go to the relevant field – in this case, the IP destination address. Now, right click -> Apply as Filter -> and select ...and Selected:

Applying a display filter (Source: Brief)

If you look at the display filter line after applying this filter:

Applying a display filter (Source: Brief)

You can also learn that you can use the && operand in order to perform and. You could also write the word and, instead, and get the same result.

Applying multiple conditions using && or and (Source: Brief)

How to Use Wireshark to Research the Ping Utility

Ping is a useful utility to check for remote servers’ connectivity.

This page explains how to use ping in Windows, and this page explains how to do that in OSX.

Now, we can try to ping <address> using the command line. By default, ping sends 4 requests and waits for a pong answer. If we want it to send a single request, we could use -n 1:

Using the command line to ping Google (Source: Brief)

You can see that Google has responded. The time it took for the message to return was 92 milliseconds. We will learn about the meaning of TTL in future posts.

Ping is useful to determine whether a remote service is available, and how fast it is to reach that service. If it takes a very long time to reach a reliable server such as google.com, we might have a connectivity problem.

Try it yourself

Now, try to use Wireshark to answer the following questions:

1) What protocol does the ping utility use?

2) Using only Wireshark, compute the RTT (Round Trip Time) – how long it took since your ping request was sent and until the ping reply was received?

Next, run the following command:

ping -n 1 -l 342 www.google.com

3) What is the main difference between the packet sent by this command, and the packet sent by the previous command? Where in Wireshark can you see this difference, inspecting the packets?

4) What is the content (data) provided in the ping request packet? What is the content provided in the ping response packet?

Let's solve it together

So the first question is:

What protocol does the ping utility use?

To answer that question, start sniffing in Wireshark, and simply run the ping command. Stop the sniff, and consider the packets pane:

Sniffing while running ping (source: Brief)

Wireshark marks the packets as Echo (ping) request and Echo (ping) reply.

Considering these packets, we can see they consist of Ethernet for the Data Link layer (though that may differ from one network to another), IPv4 as the Network layer, and then ICMP as the protocol for Ping itself. So the answer we found is: ICMP.

Next question:

Using only Wireshark, compute the Round Trip Time

Looking at the captured packets, we can see the Time column, and subtract the time of the Pong packet ( 7.888... ) from the time of the Ping packet ( 7.796...).

So in this case the RTT was: 92 ms. Of course, the value can be different when you run the ping utility.

What is the main difference between the packet sent by this command, and the packet sent by the previous command?

For question number 3, we are asked to run the following command:

ping -n 1 -l 342 www.google.com

Looking at the first run of ping, we can see the length of the packets are 74 bytes:

Sniffing while running ping (source: Brief)

Observing the packets sent after running ping with the -l 342 argument, we can see that the value is bigger:

Sniffing while running ping (source: Brief)

So the main difference is the amount of bytes sent as the data.

Question number four:

What is the content (data) provided in the ping request packet?

What is the content provided in the ping response packet?

Click on the request packet to observe the data sent:

Observing the data sent by the ping utility (source: Brief)

The answer for the ping request is a through w, over and over again.

Regarding the ping response – it is the same as the request.

Summary

Wireshark is a wonderful tool for anyone working with Computer Networks. It can help you understand how protocols work and also help you debug applications or network issues.

As you have seen, you can learn how things work by simply running Wireshark in the background while using them and then inspect the traffic. With this tool under your belt, the sky is the limit.

In future tutorials, we will also rely on our knowledge of Wireshark and use it to further understand various concepts in computer networks.

About the Author

Omer Rosenbaum is Swimm’s Chief Technology Officer. He's the author of the Brief YouTube Channel. He's also a cyber training expert and founder of Checkpoint Security Academy. He's the author of Computer Networks (in Hebrew). You can find him on Twitter.

Additional References

• Computer Networks Playlist - on my Brief channel.
• Wireshark's website.

Ethical hacking is also known as “white hat” hacking or pentesting. It is the practice of using hacking techniques and tools to test the security of a computer system.

The goal of an ethical hacker is to improve the security of the system. This involves identifying and addressing weaknesses that can be exploited by malicious hackers.

Ethical hacking involves simulating the types of attacks a malicious hacker might use. This helps us find the vulnerabilities in a system and apply fixes to prevent or reduce them.

Recent reports say that the demand for Cybersecurity engineers is at an all-time high. If you are thinking of a career in cybersecurity, this is a perfect time.

Whether you are new to the field or have some experience under your belt, this guide will help you get started on your ethical hacking journey. So let’s dive in!

Learn the Different Types of Cyber Attacks.

The first thing you have to do is understand the different types of attacks. This will help give you an idea about what you will be dealing with as a cybersecurity engineer.

Here are some common types of cyber attacks.

1. Malware attacks: These attacks involve the use of malicious software. This includes viruses or ransomware that lock the system and ask for payment. You might remember the Wannacry ransomware that ravaged businesses in 2017.

2. Phishing attacks: These attacks use fake emails, websites, and social media messages. This attack tricks users into giving out their private information like logins, credit card details, and so on.

3. Denial of service (DoS) attacks: These attacks try to crash a target system using too much traffic. A server can only handle a specific number of requests. If the server exceeds its capacity due to a DoS attack, it will become unavailable to other users.

4. SQL injection attacks: These attacks involve injecting malicious code into a database. This happens due to poor security practices in building a web application. If successful, hackers can take over and even destroy an entire database.

5. Cross-site scripting (XSS) attacks: These attacks involve injecting malicious code into a website. For example, if your website has a comments section without proper checks, malicious scripts can be injected into it. This script can then get saved into your database and also run on your customer’s browsers.

6. Password attacks: These attacks involve attempting to guess or crack passwords. There are many tools available like John the Ripper and Hashcat.

7. Wireless attacks: These attacks involve targeting wireless networks like cracking a company’s WiFi. Once a hacker gains access to the WiFi, they can listen to every computer that connects to that WiFi.

These are a few examples of the many types of cyber attacks that exist in today’s world. It is important that you understand different types of attacks and their impact. This will help you plan your training as well as choose a sub-category to specialize in.

Develop Your Skillset

Now that you know the different types of cyber attacks, how do you develop your skillset? Here are five steps that will help you move from beginner to professional.

Learn Linux Fundamentals

Most servers run on Linux operating systems. Though most users use Windows, Linux is still the dominant server operating system in use. From AWS to Azure, most cloud servers are also deployed using Linux.

You can opt-in for Linux certifications like the Red Hat Certification or Linux essentials. You can also play Wargames in OverTheWire to learn some practical Linux commands.

Also, here's a beginner-friendly course that teaches you the basics of Linux for ethical hacking.

Learn Networking Fundamentals

Learning networking is essential for cybersecurity. It helps you understand how computers talk to each other. Understanding protocols, architecture, and topology also help in building effective security measures against attackers.

A solid understanding of networking also helps with incident response and forensics. A strong networking background will get you from beginner to intermediate in a shorter time frame.

I would recommend this Youtube playlist from Neso Academy. They have done a great job in putting all the Networking concepts together.

Learn Basic Programming

There is no alternative to learning to code. Tools like ChatGPT only enhance the way you work, they don't do it for you. So you need some programming basics. Or you will run into the risk of remaining a Script Kiddie.

Programming knowledge helps you understand how computer systems work. Knowing programming also helps you to create secure software and systems. Programming skills are also needed to analyze and reverse-engineer malicious code. This is a crucial skillset for both offensive and defensive Pentesters.

Try these two resources:

• Learn basic Bash scripting

• Learn basic Python programming

TryHackme Pathways

TryHackMe is a platform that provides virtual rooms for learning cybersecurity skills. These rooms are interactive and they help you learn the method of finding and exploiting vulnerabilities. This is all done in a simulated network, so you will get some real-world practice without causing any damage.

They have also grouped rooms together to create pathways. These pathways help you to focus on a single topic, for example offensive security, defensive security, web app security, and so on.

Here are two pathways you can start with:

• Introduction to Cyber Security

• Junior Penetration Tester

Labs / Certifications / Community

Once you have completed the above steps, you can call yourself a mid-level ethical hacker. The next step is to get proficient by gaining some real-world hacking skills.

Here are the things you can do:

• Join HackTheBox and start cracking some virtual machines.

• Prepare for a certification like Pentest+ or OSCP

• Join a community like Stealth Security to keep learning about new tools and techniques.

By doing these steps and continuing to learn and practice, you can build a strong skillset. Do note that ethical hacking requires a strong foundation in Linux and networking, so don’t skip those steps.

Pentesting Tools to Learn

There are a few tools you should learn if you want to be an effective and skilled ethical hacker. These tools are industry-standard and will most likely be used in the company you are looking to get into. Let’s look at each one of them.

• Nmap: Nmap is a popular scanning and enumeration tool. Nmap helps us to find open ports, services, and vulnerabilities in a system. This is usually the first tool you will learn as an ethical hacker. You can read more about it here.

• Wireshark: Wireshark helps us to analyze networks. When you connect to a network, you can use Wireshark to see the packets of data in real-time. As an offensive tool, Wireshark also helps to perform man-in-the-middle attacks. You can read more about it here.

• Burpsuite: Burpsuite is an all-in-one web application auditing tool. Burpsuite helps us to debug issues in web apps, capture requests and responses, and even brute-force login attempts. Burpsuite is also popular among bug-bounty hunters.

• Metasploit: Once you have found a way to get into a system, Metasploit will help you generate the payload. Metasploit is a powerful tool that comes with a lot of scanners, payloads, and exploits. You can also import results from other tools like Nmap into Metasploit. You can read more about it here.

• Nessus: Nessus is an all-in-one scanner that helps us find vulnerabilities. It also provides recommendations on how to resolve those vulnerabilities. Nessus is a paid tool with a limited free option but is commonly used in enterprises.

I have also recently written a blog post on the top ten tools you need to know as an ethical hacker, so you can check it out if you are interested.

Conclusion

In conclusion, ethical hacking is a valuable and rewarding career choice. Given the gap in demand and available security engineers, this is the perfect time to start a cybersecurity career.

Just remember that ethical hacking requires a strong foundation in networking and Linux, so don’t skip those lessons before you start working with a pentesting tool.

Hope you enjoyed this article. You can find more about my articles and videos on my website.

Getting your first job in information security (infosec, or cybersecurity) can be tough.

It's (still) a relatively new industry, and job roles and descriptions aren't always consistent. Plus, it can be hard to figure out where to get started, what skills you need, and how you can acquire them.

What's more, there are a lot of statistics that talk about how many jobs there are in cyber security. This makes it sound as though it should be very easy to get a job without any experience.

The issue is that many of these statistics don't account for the fact that a lot of those open jobs are for more senior roles. And it can be quite difficult to find a junior role, especially for someone who doesn't have any experience.

So, where do you get started, and how can you show that you have the experience to be great at the job?

Figure Out What Part of Cyber You'd Like to Work In

Contrary to what movies usually show, cyber is a big field and encompasses a lot of jobs other than actively hacking into a mainframe.

Jobs span from risk management, to security awareness, to penetration testing (red teaming – this is the hacking most people think of, but it's actually a pretty small percentage of jobs), to security operations center (SOC) analysts (blue teaming), to security architecture (and a lot more).

This is a great place to start exploring different career paths, as is this resource. There's a lot of overlap in the types of skills you need to develop for most entry level jobs, but it can be helpful to figure out which skills to prioritize, based on what you're interested in.

Here's an overview of common paths from non-technical backgrounds into jobs in cyber.

Decide What Makes You Interested in Cyber

In many ways, information security can be a tough industry. The hours are often long, and it's frequently expected that you will spend time outside of work continuing to study and work on projects (like blogs, podcasts, or labs) throughout your career.

The most successful folks I know at every level are constantly learning. That's the case for a lot of fields, but it's worth noting for security.

This is particularly because I often hear people tell me that they're interested in getting into security because they think it will pay well or because they think it sounds sexy or cool.

Those things can be true, but it often comes with long hours and long stretches of very dull tasks, which can be somewhat disillusioning for people who expect the type of hacking you see in movies. It's worth determining if you're committed or passionate enough on the topic to want to keep studying throughout your career.

Start Studying

Since we're assuming you don't have any experience (or formal education) in security, we'll start there. Ideally you need to gain some knowledge and experience in these technical areas:

• Networking (protocols like DNS, TCP/IP, and so on)
• Programming (concepts, scripting, and so on)
• System administration (Windows/Linux/AD/and so on)
• Applications (programs which run on servers)

Before you learn how to break something, or to secure it, you need to understand how it works. Plus, as a security professional, you'll have to work closely with network/infrastructure engineers, developers, and sys admins. The more you understand of their jobs, the better you'll able to work with them.

There are a number of different ways to get that knowledge:

University degree program

First, if a degree-granting program is an option for you (without being too expensive), it can be beneficial. Many employers and government agencies (at least in the United States) still require a degree in order to consider a job applicant.

Though 4-year college degrees can be cost-prohibitive, community colleges can be a more cost effective option, and freeCodeCamp is working on an affordable degree program.

Additionally, university reduces the need for self motivation, since someone else is setting your curriculum and testing you on it (which can be very helpful!).

That's not to say that you can't get a job (or an education) without a degree – but it does make it a little harder, and there's a less straightforward path.

One of the biggest advantages of universities is that you have built-in mentors in the form of your professors and teaching assistants and study groups in the form of your peers. Also, employers will try to directly recruit candidates from the university (often via job fairs dedicated to the university, or to university students more generally and hosted by third parties) and are prepared to hire for entry level roles.

If you're pursuing a self-study plan, you have to go find those opportunities yourself. On the other hand, degrees are expensive and can be time intensive!

If you opt for the degree route, I typically recommend a computer science degree. Computer science is a fairly well understood discipline and teaches skills which are easy for interviewers to test (it also offers you a wide range of career options).

Cybersecurity majors are relatively new, and vary in curricula. Some are essentially computer science degrees with a couple security classes tacked on, and some are primarily risk-based degrees, with a relatively small technical component (which is great if you're looking for a role in risk, but not if you're looking for a job as a SOC analyst or penetration tester).

Given the relative newness of these degrees, and most hiring managers' (un)familiarity with them, I typically recommend opting for a better understood and more standardized computer science degree.

Cybersecurity certifications

A second option is certifications. They can also show that you have some basic skills, though how important they are and how well they're regarded depends on the hiring manager and the certification. I typically advise Security+ for folks just getting started in cyber.

I also recommend that folks usually avoid EC-Council certifications. The one you're most likely to see referenced is the CEH (Certified Ethical Hacker). But I don't recommend it, because it isn't a well-respected technical certification for penetration testing, and because in recent years there have been some concerns about how EC-Council (the organization which administers the exam) approaches sexism and racism within cyber. There's also concern about how often they update the technical information in their exams.

I'm not a big fan of any of their certifications. You can read my full guide to information security certifications here.

Bootcamps

Alternatively, there are boot camps specifically targeted at helping people get cybersecurity jobs. They typically provide flexible options for attendance, and a structure/curriculum for learning.

These have the advantage of usually being much cheaper and shorter than a 4 year degree, but aren't usually as comprehensive, and vary significantly in quality.

Universities typically have to be accredited by a governing body, and there's no similar governance for boot camps. I don't recommend (or recommend avoiding) any specific bootcamps, but I do advise doing careful research before committing to one (reading reviews, talking to past students, asking what the rate of job placement is, and so on). This will help you make sure you end up with a return on your investment.

Typically bootcamps work best for folks who are self-motivated and eager to learn. They provide the structure, and they depend upon the students to do a lot of studying and work outside of the class structure.

Self-study

Finally, there's self-study! The benefit of self-study is that it's free and you can set your own schedule. The downside is that it can be hard to both set your curriculum and teach yourself without knowing if you're missing key pieces. Determining how to set a curriculum is hard.

Also, there are a TON of cybersecurity learning resources out there and it can be hard to figure out which ones are high quality, and which ones you should skip.

Finally, self study requires a lot of dedication and self-accountability. It can be very easy to put your studies on a pause or for life to get in the way.

If you opt for self-study, here are a couple resources to get you started:

I would recommend freeCodeCamp as the first stop - it's well structured, clearly laid out, and there's lots of support along the way.

Past this, there's much less structure, and the best way to learn is to pick something that you find interesting, dig into it, and when you get stuck, start googling.

Some of the smartest people I've met in security are folks who followed that template: they read something, or heard something in a meeting that they didn't understand, and they googled it. That led them to something else they didn't understand, so they googled that, and so on, all the way down the rabbit hole.

This can be a frustrating process, but it's also an effective one over the long term, and one which will mean you have in-depth knowledge over a range of domains.

Here are some links to some helpful resources:

• freeCodeCamp is a great place to learn how to code (and to join a very supportive community to help you on your journey!)
• Cybrary offers a number of free and paid courses, though they are very certification-focused. I used their CISSP class as one of my studying resources for that exam and found it very helpful. This can be helpful if you have a specific certification in mind (like Sec+).
• Daniel Miessler has a list of suggested projects to complete here (it serves as a nice mini curriculum for building an at-home lab for any security professional)
• A free web security course (penetration testing)

The most important part here is not so much that you study specific things. It's rather that you set goals (here's how to do so effectively), and that you stick to them.

You'll need to learn how to keep learning sustainably, without burning out, because learning all of the above takes time. And even once you have a job in security, you'll constantly be learning. Any new vulnerability, exploit, or technology will mean that you have to learn something new in order to effectively protect your assets and networks.

Get Involved with Your Local Community

Getting to know people in your area who already work in cyber can be hugely beneficial. It's a great way to learn new skills, find out who is hiring, find a study buddy, and make professional connections.

Meetup is a great place to get started, as are international groups which have local affiliates like BSides, DefCon, OWASP, WiCyS (Women in Cybersecurity), WoSEC (Women of Security), Cyversity, WISP (Women in Security and Privacy), Blacks in Cybersecurity, and Women's Cyber Jutsu.

Many of these groups also offer free webinars and training options for folks (even if you don't identify with the affinity group which they represent).

Once you've started going to events (and introducing yourself to the folks who are running the event), try volunteering for one! Community groups are almost always looking for more volunteers. If you are dedicated, show up on time, and help out, they're likely to be thrilled to have you.

After you've shown that you're a reliable volunteer who isn't afraid to jump in and help out, see if you can join a committee or the board of a group (this may take a few months). This will help you make friends, and it's a great thing to talk about in a job interview (especially if you don't have much on the job experience to talk about).

Start checking out conferences, as they're another great way to meet people in cybersecurity and pick up some additional skills.

CFP Time and Cybersecurity Conferences list security conferences across the globe and are a good place to get started looking for events in your area. You don't have to go to expensive ones (though some of the affiliate groups I listed above offer scholarships to conferences, as well as their own conferences, which is a great way to attend for free or a low cost). Many local ones are fairly cheap, or have a free/cheap virtual option.

Go and treat it as a learning opportunity (not a partying one). Take notes and strike up a conversation with the people who attend the same talks (that's a great ice breaker!).

If you really liked a talk, reach out to the speaker on LinkedIn or Twitter and tell them what you liked about the talk – be specific. Now you have topics to talk about in a job interview!

Get Involved with the Global Cyber Community

A lot of the security community is on Twitter, LinkedIn, or Mastodon, and joining these sites is a great way to get connected with them.

Following people and groups who work in cybersecurity can be very helpful because they will often post about jobs they're hiring for, free classes, trainings, webinars, and conferences, among other things. It can also be helpful to start engaging in the conversation and treating it like an opportunity to network.

Looking at the authors of freeCodeCamp's cyber articles is a great place to start. From there, check out the authors of the blogs listed in the resources section below, as well as their followers and the folks they follow. This is a great way to find jobs to apply to, as well as interviewing advice, or to stay up to date with the latest cybersecurity vulnerabilities and news (a popular job interview question).

Start Producing Content

Once you've started learning, it's time to start creating content to show what you've learned. You can start a podcast, give a conference talk, write a blog, create projects on GitHub, or stand up a home lab.

The goal is really just that you have something to show for the learning that you're doing – that you can demonstrate what you've learned to a hiring manager.

Also, it doesn't have to be ground-breaking. Often I see folks get stumped. They think that they're not the foremost expert on C++, for example, and so they're hesitant to create any content on the topic at all.

However, often just having a unique perspective can be helpful. You can (for example) write (or give a talk on) 'An introduction to C++' and chances are you can reach someone who isn't quite as far along on their coding journey as you are who can benefit from your experience.

This is a great way to add content to your résumé, to help out the community, and to give you a chance to practice skills like writing, communicating with different audiences, and presenting (all of which are incredibly important in information security).

Write a Great Résumé

Now that you've gained some experience, it's time to put together a résumé. You'll want to include all the projects you've built, the groups you've joined (and are now on the board of!), and the things you've produced. You should also include past jobs with transferrable skills.

If you're applying for a job in security awareness, do you have any experience creating trainings which aren't related to security? If you're applying for a job as a SOC analyst, can you highlight past experience writing daily reports?

Even if none of your past jobs were in technology roles, you can probably identify skills or responsibilities you had which are similar to those in the job posting. Those can be valuable skills to highlight on a résumé when applying for jobs.

You can find my full guide to writing a résumé and cover letter here, as well as my tips on job hunting.

Finally, Start Applying for Jobs

Leverage your connections from in-person groups and conferences, any volunteering you've done, and your online connections.

Tell people that you're looking for entry level roles doing X, and ask them to think of you if they hear of any similar opportunities.

Often recruiters go to local tech events, and you can connect with them about potential job opportunities there. Use those leads, in addition to online job boards and in person job fairs at conferences, and start applying!

Some other advice on breaking into security from some very smart folks:

• Starting an InfoSec Career - Lesley Carhart
• Building a Successful InfoSec Career - Daniel Miessler
• Thinking of a Cybersecurity Career? Krebs on Security
• How to Break into Security - Charlie Miller
• How to Break into Security - Richard Bejtlich
• How to Break into Security - Jeremiah Grossman
• How to Break into Security - Bruce Schneier
• How to Break into Security - Thomas Ptacek

Thank you for reading – and good luck!

From small businesses to large-scale enterprises, databases play a critical role in keeping the systems up and running. Malicious actors always look to gain control of databases during cyberattacks.

In this article, you'll learn how attackers can gain control of databases and what you can do about it.

Note that this article is for educational purposes only. If you do anything illegal and get in trouble, I'm not responsible. Always get permission from the site/system owner before scanning / brute-forcing / exploiting a system.

What is SQL Injection?

SQL injection is a type of cyber attack in which an attacker inserts malicious code into an SQL statement. If successful, it will help the attacker gain access to sensitive data in a database.

Once the attacker takes control of the database, they can steal, modify or even delete the data.

Here are a few scenarios of SQL Injection.

• An attacker might insert a malicious piece of code into a login form. For example, if the login form expects the user to enter their username and password, the attacker might enter a username like admin’ OR ‘1’=’1. This will always evaluate to true and will allow the attacker to log in without knowing the actual password.
• An attacker might insert a malicious piece of code into a search form. For example, if the search form expects the user to enter a keyword, the attacker can enter a keyword like ‘ OR ‘1’=’1. This will return all the records from the database, rather than the ones that match the keyword.
• An attacker can insert a malicious piece of code into a form that allows users to update their information. For example, if the form expects the user to enter their phone number, the attacker might enter a phone number like ‘; DROP TABLE users; — ,. This will delete the entire users table from the database.

These are just a few examples of SQL injection attacks. There are many other ways that attackers can use these techniques to gain access to a database. Databases that are not updated/maintained regularly will often be vulnerable to SQL injection attacks.

What is SQL Map?

SQLmap is an open-source tool that automatically finds and exploits SQL injection vulnerabilities. We can use it to test web applications for SQL injection vulnerabilities and gain access to a vulnerable database.

SQLmap is a favorite tool among pen-testers for its ease of use and flexibility. It is written in Python and runs on Windows, Linux, and MacOS.

We can use SQLmap to perform a wide range of attacks. This includes database fingerprinting, data extraction, and even taking over an entire database. We can also use it to bypass login forms and execute arbitrary commands on the underlying operating system.

How to Install SQLMap

SQLMap comes pre-installed in Kali Linux and Parrot OS. To install SQLMap in Ubuntu / Debian-based systems, use the apt package manager.

apt install sqlmap

To install SQLMap on Mac, we can use Homebrew.

brew install sqlmap

If you are using other platforms, you can find the installation instructions here.

Once installation is complete, we can check the help menu using the -h command. This will also be a handy reference when working with SQLMap.

sqlmap -h

SQLMap help menu

SQLMap also provides a detailed help menu. We can access it using the -hh command.

sqlmap -hh

SQLMap advanced help menu

Now that we have installed SQLMap, let's look at how to work with it.

How to Use SQL Map

SQLMap is a tool used for the automated exploitation of SQL injection vulnerabilities. We can use SQLMap to test websites and databases for vulnerabilities and exploit those vulnerabilities to take over the database.

To use SQLMap, we first need to identify a website or database that is vulnerable to SQL injection. We can either do it manually or use SQLMap to scan the website. Once we have identified a vulnerable website or database, we can use SQLMap to exploit it.

Here is the basic SQLMap command:

$ sqlmap -u [URL] -p [parameter] --dbs

This command will tell SQLMap to scan the specified URL and parameter for vulnerabilities. This includes exposing data, updating data, or even dumping the entire database.

The simplest way to check if a website is vulnerable to SQL injection is via query parameters. Let's assume a website lists user information using an id parameter – for example, testsite.com/page.php?id=1.

This can be passed as input to SQLMap and SQLMap will automatically scan the site to see if the database is vulnerable. Here is the command:

sqlmap -u http://testsite.com/page.php?id=1 --dbs

The -u flag is used to specify an URL and the --dbs command tells SQLMap to try to enumerate the database.

If the attack is successful, SQLMap will list the database used along with the list of tables.

SQLMap output

Once we have gained an initial foothold, we can now work with the database. Here is the command to list the tables in a database.

sqlmap -u https://testsite.com/page.php?id=1 -D <db_name> --tables

To list the column in a table, we can use this command:

sqlmap -u https://testsite.com/page.php?id=7 -D <database_name> -T <table_name> --columns

To dump an entire database, this is the command:

sqlmap -u https://testsite.com/page.php?id=7 -D <database_name> --dump-all

SQLMap provides many other useful commands like setting cookies, cycling user agents, and many others. For more information and a complete list of options, you can refer to the SQLMap documentation.

How to Defend Against SQL Injection Attacks

To prevent SQL injection attacks, we should follow these steps:

Use parameterized queries

Always use parameterized queries when interacting with a database. This means that we should use placeholders in our SQL statements for any user input. We can then supply the input as a separate parameter when the query is executed.

This will prevent an attacker from being able to inject arbitrary SQL into our SQL statements.

Never trust user input

We should always check and sanitize any user input to ensure that it is safe. We must make sure the input does not contain any dangerous characters or malicious code.

This will help prevent an attacker from being able to inject SQL queries even if they are able to find a way to bypass our use of parameterized queries.

Use prepared statements

If the database supports prepared statements, we should use them instead of parameterized queries.

Prepared statements are pre-compiled SQL statements. We can execute these statements multiple times with different parameters.

This will make it more difficult for an attacker to inject malicious code since the prepared statements are pre-compiled.

Authentication and access controls

We should have strong authentication and access controls to our database. This will ensure that only authorized users are able to access our database and protects it from malicious actors.

Monitoring and alerts

Always watch your database for suspicious activity and set alerts. This includes failed login attempts or high numbers of SQL queries.

This can help us detect an SQL injection attack early on, and take appropriate action to stop it.

Summary

Databases are the backbone of every business. Updating, maintaining, and securing databases is essential to protect them from malicious actors.

SQLmap is a powerful tool that helps us audit database vulnerabilities. It is important for developers and security professionals to be familiar with SQLMap for defending against SQL injection attacks.

Loved this article? Join Stealth Security Weekly Newsletter and get articles delivered to your inbox every Friday. You can also connect with me on Linkedin.

Certifications aren't strictly necessary in order to get hired as a cybersecurity analyst (with the notable exception of many government jobs). But they can help you demonstrate to an HR recruiter or hiring manager that you have a specific skillset via a third party's assessment of your skills.

The process of studying for an exam can also help you to gain additional skills. I know that I find the prospect of an exam at the end of my studying to be an effective motivator!

Certifications can't take the place of on-the-job experience (and shouldn't). But they may be particularly helpful for folks coming into the field with a non-traditional background to demonstrate skills.

It can be overwhelming to sort your way through all of the possible certifications, so here's my suggestion for how to progress.*

Certifications if you're just getting started in cybersecurity:

Security+

This is the best certification if you're new to cyber. It's an overview of a number of topics (almost like a shorter, simpler version of the CISSP) and studying for it will probably help you figure out what parts of cyber interest you.

• Pre-requisites: None
• Cost: ~$400
• Organization: CompTIA

CEH

I'm including a note about the CEH (Certified Ethical Hacker) exam here because I see it referenced pretty regularly.

Still, I don't recommend it because it isn't a well-respected technical certification for penetration testing. Also, in recent years there have been some concerns about how EC-Council (the organization which administers the exam) approaches sexism and racism within cyber, and about how often they update the technical information in their exams. I'm not a big fan of any of their certifications.

I'd advise Security+ for folks just getting started in cyber, and advise more specific penetration testing certs for folks more interested in that area.

Certifications if you're a few years into your career...

Certified Information Systems Security Professional (CISSP)

This is generally the most widely-recognized, broad certification within information security. If you're only going to get one certification, this is the one.

It's not particularly technical (it's technical for a management certification), but it's widely recognized by HR teams. It's an inch deep and a mile wide – a HUGE amount of information grouped into 8 domains:

• Domain 1. Security and Risk Management (15%)
• Domain 2. Asset Security (10%)
• Domain 3. Security Architecture and Engineering (13%)
• Domain 4. Communication and Network Security (14%)
• Domain 5. Identity and Access Management (IAM) (13%)
• Domain 6. Security Assessment and Testing (12%)
• Domain 7. Security Operations (13%)
• Domain 8. Software Development Security (10%)

It's tough, but do-able. How long it takes to study will likely depend on how long you've worked in information security.

• Pre-requisites: 5 years of work experience in two or more of the domains listed below (though if you don't have that, you can still pass the exam and have an 'Associate of ISC^2', giving you 6 years to gain the required 5 years of work experience. You can also substitute some other certifications or a 4 year degree for a year of required work experience.)
• Cost: ~$750
• Organization: ISC^2

For more details on this exam, I wrote a post on my experience taking it here.

Next Steps for Security Certifications

Once you have the two certs above, it's typically time to think about where in security you'd like to specialize, or what you'd like to focus on.

Which certifications you pursue past this point depends heavily on where you'd like your career to go.

CISA: Certified Information Systems Auditor

If you're looking to move into auditing work, this is the certification to take (after your CISSP). It's tough, but not a particularly technical certification. This seems to be slightly less difficult than the CISSP exam.

• Pre-requisites: 5 years of work experience in systems auditing, control or security work (though if you don't have that, you can still pass the exam and have 5 years to gain the required work experience. You can also substitute a 2 or 4 year bachelor's degree for 1-2 years of experience, and a master's degree for a year of required work experience.)
• Cost: ~$760
• Organization: ISACA

CISM: Certified Information Security Manager

If you're interested in being a manager, this is a widely recognized certification, and a good follow up to the CISSP. It's tough, but not particularly technical. This seems to be slightly less difficult than the CISSP exam.

• Pre-requisites: 5 years of work experience in professional information security management (though if you don't have that, you can still pass the exam and have 5 years to gain the required work experience. You can also substitute several other certifications for a year or two of required work experience.)
• Cost: ~$760
• Organization: ISACA

GIAC Certifications

GIAC certifications are extremely well-regarded in the cyber security field, but they're also pretty expensive (not including the SANS course that often accompanies the exam).

Typically folks acquire them when their employer is willing to pay for the course + cert attempt. All of their courses are well regarded, but I'd advise starting with GSEC (Security Essentials) or GCIH (Certified Incident Handler).

There are GIAC certifications for pretty much any topic from Security Architecture to Forensics to Network Security. So depending on where you'd like your career to go, or which areas you're looking to upskill in, you can find a GIAC course/cert for that skill.

They vary in difficulty, but are generally regarded as pretty tough, technical certifications.

• Requirements: Most have no requirements
• Cost: ~$2000
• Organization: GIAC

OSCP

This is the certification if you're looking to do penetration testing (though some folks start with the GIAC pen testing cert - GPEN - and then move onto OSCP).

It's tough, it's extremely technical, and it's the gold standard for getting into penetration testing. It is an entry level cert for highly skilled penetration testers, but it's a great place to start.

• Requirements: You have to take their penetration testing course before sitting for the exam
• Cost: ~$1400
• Organization: Offensive Security

**The CRT is a roughly equivalent cert outside of the United States. If you've passed both the OSCP and the CREST Practitioner Security Analyst (CPSA) exam, you can apply for 'CRT equivalency'.

Cloud Certifications

Cloud knowledge (and certifications) are in extremely high demand. They're a particular subset of vendor certifications which are becoming increasingly popular.

I'll cover AWS certs here, as they are the among most commonly requested certifications (as they're currently the most used cloud platform, followed by Azure, and then GCP).

There's also a large amount of overlap between the cloud platforms, as all three major providers have similar offerings and services and if you can build services on one, it's easier to do so on another.

AWS

None of AWS' certifications have any pre-requisites and all certifications are good for three years before requiring re-certification (re-taking the test, or taking a more advanced certification test).

That's different than the rest of the certs on this list which are typically good forever as long as you pay the maintenance fees and complete some continuing professional education credits (CPEs).

The cost is $100 for the Cloud Practitioner exam, $150 for Associate level exams, and $300 for Professional or Specialty exams.

Cloud Practitioner - This is a good cert if you're working in a non-technical field, but work with technical folks often and you'd like to better understand what they're talking about! I don't recommend it for technical folks, as it's a relatively easy certification and won't demonstrate many technical skills.

While it's no longer a requirement to take one of the associate exams before pursuing a professional level certification, I'd still recommend doing so.

Solutions Architect Associate - Designed for folks who want to understand how applications are structured in AWS and how various services work together. A solid all-around cert for folks in security.

Developer Associate - Tests understanding of how a developer leverages AWS, with a heavy focus on their code pipeline and developer tools. Requires both conceptual knowledge and hands on knowledge of how to write code with AWS. A solid all-around cert for folks in security.

SysOps Administrator Associate - Designed to focus on how a system administrator would use AWS - both a conceptual knowledge of the tools, and some understanding of the exact steps someone would take to carry out to administer servers in AWS. A solid all-around cert for folks in security.

Solutions Architect Professional - A far more in-depth look at how various services work together and how you should architect infrastructure. It's a pretty tough, relatively technical exam. A solid all-around certification for folks in security.

DevOps Engineer Professional - A combination of the knowledge required for both the SysOps Administrator and Developer Associate exams, but far more in depth. A useful cert for folks who need a pretty in-depth understanding of DevOps, but not strictly necessary for many security roles.

Specialty: Advanced Networking, Data Analytics, Database, Machine Learning, Security, SAP on AWS

These can be useful to demonstrate specific expertise with AWS services - the Security specialty cert is particularly useful in nearly any cybersecurity role.

Vendor Certifications

Many vendors carry their own certifications, and they can be useful if they're a product you're likely to use often in your role (Splunk certifications, for example).

But you're probably already aware if you fall into this category, and they're generally less broadly applicable than the rest of the certifications on this list.

Conclusion

Before I close out, a brief note: while certifications can be useful, by the time you reach a certain point in your career, you'll see significantly diminishing returns from certifications (with a caveat that this may not apply to specific fields, like government agencies). This is largely because most of your demonstrated value will come with your on-the-job experience.

While certifications are designed to show that someone has a specific skill set, nothing shows that better than someone who can demonstrate they've actually leveraged that skill set/done the thing in the past.

*Of the certs on this list, I currently hold the CISSP and GPEN certs, as well as 4 AWS certifications and a few other third party certifications.

The first step an attacker uses when attacking a website is to find the list of URLs and sub-domains. Web developers often expose sensitive files, URL paths, or even sub-domains while building or maintaining a site.

This is a great attack vector for malicious actors.

For example, if you have an e-commerce website, you might have a sub-domain called “admin”. This might not be linked anywhere on the site but since the keyword “admin” is common, the URL is very easy to find. This is why you must often scan your websites to check for unprotected assets.

The usual approach is to rely on passive enumeration sites like crt.sh to find sub-domains. But these passive approaches are very limited and can often miss critical attack vectors.

Gobuster is a tool that helps you perform active scanning on web sites and applications. Attackers use it to find attack vectors and we can use it to defend ourselves.

In this article, we’ll learn to install and work with Gobuster. We will also look at the options provided by Gobuster in detail. Finally, we will learn how to defend against these types of brute-force attacks.

Note: All my articles are for educational purposes. If you use this information illegally and get into trouble, I am not responsible. Always get permission from the owner before scanning / brute-forcing / exploiting a system.

What is Gobuster?

Written in the Go language, Gobuster is an aggressive scanner that helps you find hidden Directories, URLs, Sub-Domains, and S3 Buckets seamlessly.

This is where people ask: What about Ffuf?

Ffuf is a wonderful web fuzzer, but Gobuster is a faster and more flexible alternative. Gobuster also has support for extensions with which we can amplify its capabilities. Gobuster also can scale using multiple threads and perform parallel scans to speed up results.

How to Install Gobuster

Let’s see how to install Gobuster. If you are using Kali or Parrot OS, Gobuster will be pre-installed.

If you are using Ubuntu or Debian-based OS, you can use apt to install Gobuster.

$ apt install gobuster

To install Gobuster on Mac, you can use Homebrew.

$ brew install gobuster

To install Gobuster on Windows and other versions of Linux, you can find the installation instructions here.

Once you have finished installing, you can check your installation using the help command.

$ gobuster -h

Gobuster help command

What are Wordlists?

If you are new to wordlists, a wordlist is a list of commonly used terms. This can be a password wordlist, username wordlist, subdomain wordlist, and so on. You can find a lot of useful wordlists here.

I would recommend downloading Seclists. Seclists is a collection of multiple types of lists used during security assessments. This includes usernames, passwords, URLs, etc. If you are using Kali Linux, you can find seclists under /usr/share/wordlists.

To try Gobuster in real-time, you can either use your own website or use a practice web app like the Damn Vulnerable Web app (DVWA). DVWA is an intentionally misconfigured vulnerable web application that is used by pen testers for practicing web application attacks.

How to Work with Gobuster

Now that we have installed Gobuster and the required wordlists, let’s start busting with Gobuster.

Note: I have DWVA running at 10.10.171.247 at port 80, so I ll be using that for the examples. Just replace that with your website URL or IP address. I'll also be using Kali linux as the attacking machine.

If you look at the help command, we can see that Gobuster has a few modes.

1. dir — Directory enumeration mode.
2. dns — Subdomain enumeration mode.
3. fuzz — Fuzzing mode.
4. s3 — S3 enumeration mode.
5. vhost — Vhost enumeration mode.

In this article, we will look at three modes: dir, dns, and s3 modes.

Each mode serves a unique purpose and helps us to brute force and find what we are looking for. Let's look at the three modes in detail.

How to use directory mode (dir)

Gobuster's directory mode helps us to look for hidden files and URL paths. This can include images, script files, and almost any file that is exposed to the internet.

Here is the command to run the dir mode:

$ gobuster dir -u <url> -w <wordlist>

We can also use the help mode to find the additional flags that Gobuster provides with the dir mode.

$ gobuster dir -h

Gobuster dir mode help

Now let’s try the dir mode. Here is the command to look for URLs with the common wordlist.

$ gobuster dir -u 10.10.171.247:80 -w /usr/share/wordlists/dirb/common.txt

And here is the result. We can see that there are some exposed files in the DVWA website.

dir enumeration results

If we want to look just for specific file extensions, we can use the -x flag. Here is a sample command to filter images:

$ gobuster dir -u 10.10.171.247:80 -w /usr/share/wordlists/dirb/common.txt -x jpg,png,jpeg

How to use DNS mode (dns)

You can use DNS mode to find hidden subdomains in a target domain. For example, if you have a domain named mydomain.com, sub-domains like admin.mydomain.com, support.mydomain.com, and so on can be found using Gobuster.

Let’s start by looking at the help command for dns mode.

$ gobuster dns -h

Gobuster dns help

To execute a dns enumeration, we can use the following command:

$ gobuster dns -d mydomain.com -w /usr/share/wordlists/dirb/common.txt

Since we can't enumerate IP addresses for sub-domains, we have to run this scan only on websites we own or the ones we have permission to scan.

$gobuster s3 -h

Gobuster S3 mode help

S3 mode was recently added to Gobuster and is a great tool to discover public S3 buckets. Since S3 buckets have unique names, they can be enumerated by using a specific wordlist.

For example, if we have a company named Acme, we can use a wordlist with acme-admin, acme-user, acme-images, and so on. This wordlist can then be fed into Gobuster to find if there are public buckets matching the bucket names in the wordlist.

Here is the command to execute an S3 enumeration using Gobuster:

$gobuster s3 -w bucket_list.txt

How to Defend Against Gobuster

Gobuster is a remarkable tool that you can use to find hidden directories, URLs, sub-domains, and S3 Buckets.

But this enables malicious hackers to use it and attack your web application assets as well. So how do we defend against Gobuster?

You can use the following steps to prevent and stop brute-force attacks on your web application.

1. Audit yourself: Use Gobuster on your own applications and perform an audit. This will help you find the information that will be visible to the attackers.
2. Apply security policies: To prevent resources like S3 from being exposed on the internet, use AWS bucket policies to prevent unauthorized access.
3. Use bot protection solutions: Bot protection services like Cloudflare will stop any brute-force attacks making it incredibly difficult to attack your web application.

Conclusion

Gobuster is a fast brute-force tool to discover hidden URLs, files, and directories within websites. This will help us to remove/secure hidden files and sensitive data.

Gobuster also helps in securing sub-domains and virtual hosts from being exposed to the internet. Overall, Gobsuter is a fantastic tool to help you reduce your application’s attack surface.

Loved this article? Join Stealth Security Weekly Newsletter and get articles delivered to your inbox every Friday. You can also connect with me _on Linked_In.

Hydra can perform rapid dictionary attacks against more than 50 protocols. This includes telnet, FTP, HTTP, HTTPS, SMB, databases, and several other services.

Hydra was developed by the hacker group “The Hacker’s Choice”. Hydra was first released in 2000 as a proof of concept tool that demonstrated how you can perform attacks on network logon services.

Hydra is also a parallelized login cracker. This means you can have more than one connection in parallel. Unlike in sequential brute-forcing, this reduces the time required to crack a password.

In my last article, I explained another brute-force tool called John the Ripper. Though John and Hydra are brute-force tools, John works offline while Hydra works online.

In this article, we will look at how Hydra works followed by a few real-world use cases.

Note: All my articles are for educational purposes. If you use it illegally and get into trouble, I am not responsible. Always get permission from the owner before scanning / brute-forcing / exploiting a system.

How to Install Hydra

Hydra comes pre-installed with Kali Linux and Parrot OS. So if you are using one of them, you can start working with Hydra right away.

On Ubuntu, you can use the apt package manager to install it:

$ apt install hydra

In Mac, you can find Hydra under Homebrew:

$ brew install hydra

If you are using Windows, I would recommend using a virtual box and installing Linux. Personally, I don't recommend using Windows if you want to be a professional penetration tester.

How to Work with Hydra

Let’s look at how to work with Hydra. We will go through the common formats and options that Hydra provides for brute-forcing usernames and passwords. This includes single username/password attacks, password spraying, and dictionary attacks.

If you have installed Hydra, you can start with the help command like this:

$ hydra -h

This will give you the list of flags and options that you can use as a reference when working with Hydra.

Hydra help command

How to Perform a Single Username/Password Attack with Hydra

Let’s start with a simple attack. If we have the username and password that we expect a system to have, we can use Hydra to test it.

Here is the syntax:

$ hydra -l <username> -p <password> <server> <service>

Let’s assume we have a user named “molly” with a password of “butterfly” hosted at 10.10.137.76. Here is how we can use Hydra to test the credentials for SSH:

$ hydra -l molly -p butterfly 10.10.137.76 ssh

If it works, here is what the result will look like:

Hydra single username and password

How to Perform a Password Spraying Attack with Hydra

What if we know a password that someone is using, but we are not sure who it is? We can use a password spray attack to determine the username.

A password spray attack is where we use a single password and run it against a number of users. If someone is using the password, Hydra will find the match for us.

This attack assumes we know a list of users in the system. For this example, we will create a file called users.txt with the following users:

root
admin
user
molly
steve
richard

Now we are going to test who has the password “butterfly”. Here is how we can run a password spray attack using Hydra.

$ hydra -L users.txt -p butterfly 10.10.137.76 ssh

We will get a similar result to the following output if any of the users match with the given password. You should also notice that we have used the flag -L instead of -l. -l is for a single username and -L is for a list of usernames.

Hydra password spraying

How to Perform a Dictionary Attack with Hydra

Let’s look at how to perform a dictionary attack. In real-world scenarios, this is what we will be using Hydra regularly for.

A dictionary attack is where we have single/multiple usernames and we provide a password wordlist to Hydra. Hydra then tests all these passwords against every user in the list.

I am going to use the Rockyou wordlist for this example along with the users.txt file we created in the previous attack. If you are using Kali Linux, you can find the RockYou wordlist under /usr/share/wordlists/rockyou.txt.

Here is the command for a dictionary attack:

$ hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 1010.137.76 ssh

If this attack is successful, we will see a similar result to the other two commands. Hydra will highlight the successful username/password combinations in green for all the matches.

How to Use the Verbosity and Debugging Flags in Hydra

Hydra can be awfully quiet when running large brute-force attacks. If we have to make sure Hydra is doing what it is expected to do, there are two flags we can use.

The verbosity (-v) flag will show us the login attempt for each username/password combination. This can be a bit much when there are a lot of combinations to go through, but if it is something you need, we can use the verbosity flag.

Here is a sample result. We can see that Hydra prints information about failed attempts in addition to the successful matches.

Hydra verbose mode

We can also use the debug (-d) flag to gather even more information. Here is the same result when using the debug flag:

Hydra debug mode

We can see that Hydra prints way more information than we need. We will only use debug mode rarely, but it is good to know that we have the option to watch every action Hydra takes when brute-forcing a service.

How to Save Your Results in Hydra

Let's look at how to save results. There is no point in spending hours cracking a password and losing it due to a system crash.

We can use the -o flag and specify a file name to save the result. Here is the syntax.

$ hydra -l <username> -p <password> <ip> <service> -o <file.txt>

More flags and formats

Hydra also offers a few additional flags and formats that will be useful for us as pen testers. Here are a few:

Service specification

Instead of specifying the service separately, we can use it with the IP address. For example, to brute force SSH, we can use the following command:

$ hydra -l <username> -p <password> ssh://<ip>

How to resume attacks

If Hydra’s session exits when an attack is in progress, we can resume the attack using the -R flag instead of starting from scratch.

$ hydra -R

How to use custom ports

Sometimes system administrators will change the default ports for service. For example, FTP can run in port 3000 instead of its default port 21. In those cases, we can specify ports using the -s flag.

$ hydra -l <username> -p <password> <ip> <service> -s <port>

How to attack multiple hosts

What if we have multiple hosts to attack? Easy, we can use the -M flag. The files.txt will contain a list of IP addresses or hosts instead of a single IP address.

$ hydra -l <username> -p <password> -M <host_file.txt> <service>

Targeted combinations

If we have a list of usernames and passwords, we can implement a dictionary attack. But if we have more information on which usernames are likely to have a set of passwords, we can prepare a custom list for Hydra.

For example, we can create a list of usernames and passwords separated by semicolons like the one below.

username1:password1
username2:password2
username3:password3

We can then use the -C flag to tell Hydra to run these specific combinations instead of looping through all the users and passwords. This drastically reduces the time taken to complete a brute-force attack.

Here is the syntax.

$ hydra -C <combinations.txt> <ip> <service>

We have seen how to work with Hydra in detail. Now you should be ready to perform real-world audits of network services like FTP, SSH, and Telnet.

But as a pen-tester, it is important to understand how to defend against these attacks. Remember, we are the good actors 😎.

How to Defend Against Hydra

The clear solution to help you defend against brute-force attacks is to set strong passwords. The stronger a password is, the harder it is to apply brute-force techniques.

We can also enforce password policies to change passwords every few weeks. Unfortunately, many individuals and businesses use the same passwords for years. This makes them easy targets for brute-force attacks.

Another way to prevent network-based brute-forcing is to limit authorization attempts. Brute-force attacks do not work if we lock accounts after a few failed login attempts. This is common in apps like Google and Facebook that lock your account if you fail a few login attempts.

Finally, tools like re-captcha can be a great way to prevent brute-force attacks. Automation tools like Hydra cannot solve captchas like a real human being.

Summary

Hydra is a fast and flexible network brute-forcing tool to attack services like SSH, and FTP. With a modular architecture and support for parallelization, Hydra can be extended to include new protocols and services easily.

Hydra is undoubtedly a powerful tool to have in your pen-testing toolkit.

Hope this article helped you to understand how Hydra works. If you have any questions, let me know in the comments.

You can connect with me or signup for the Stealth Security Newsletter. If you really enjoyed the article, you can buy me a coffee here.

John the Ripper (JtR) is a popular password-cracking tool. John supports many encryption technologies for Windows and Unix systems (Mac included).

One remarkable feature of John is that it can autodetect the encryption for common formats. This will save you a lot of time in researching the hash formats and finding the correct tool to crack them.

John is also a dictionary-based tool. This means that it works with a dictionary of common passwords to compare it with the hash in hand. Here is a common password list called rockyou.txt.

While you can use popular wordlists like RockYou, John also has its own set of wordlists with thousands of common passwords. This makes John very effective when cracking systems with weak passwords.

This is how John works by default:

• recognize the hash type of the current hash
• generate hashes on the fly for all the passwords in the dictionary
• stop when a generated hash matches the current hash.

This is not the only way John finds a password. You can also customize John based on your requirements. For example, you can specify the password format using the — — format flag.

In this article, we will first install John followed by a walkthrough of the different modes you can use. We will then use John to crack passwords for three different use cases — a Windows password, a Linux password, and a zip file password.

A quick disclaimer before we get started: do not use this tool for nefarious purposes. This is meant to be an educational tutorial to help you protect yourself and your clients or team from password attacks. Use this information responsibly and safely!

Let's get cracking.

How to Install John the Ripper

If you are using Kali Linux, John is pre-installed. You can use John by typing the following command:

$ john

For Ubuntu/Debian, you can get John from the apt source. Here is the command to install John in Ubuntu:

$ apt install John

In Mac, you can find John in Homebrew:

$ brew install john

For windows and other operating systems, you can find the binaries here.

Once you have installed John, try the help command to make sure your installation is working. The help command can also be used as a reference when working with John.

$ john -h

Here is the output of the help command:

John help command

How to Use John the Ripper

Now that we know what John is, let's look at the three modes it offers you. You will be using one of these three for most of your use cases.

• Single crack mode
• Wordlist mode
• Incremental mode

Let’s look at each one of them in detail.

What is Single Crack Mode?

In single-crack mode, John takes a string and generates variations of that string in order to generate a set of passwords.

For example, if our username is “stealth” and the password is “StEaLtH”, we can use the single mode of John to generate password variations (STEALTH, Stealth, STealth, and so on).

We use the “format” flag to specify the hash type and the “single” flag to let John know we want to use the single crack mode. We will also create a crack.txt file which will contain the username and the hash value of the password.

stealth:d776dd32d662b8efbdf853837269bd725203c579

Now we can use the following command to use John’s single crack mode:

$ john --single --format=raw-sha1 crack.txt

And here is the result. You can see that John has successfully found the correct password “StEaLtH”.

John single crack mode

That was fun, wasn't it? Now let’s look at the dictionary mode to crack more complicated passwords.

What is Dictionary Mode?

In dictionary mode, we will provide John with a list of passwords. John will generate hashes for these on the fly and compare them with our password hash.

For this example, we will use the RockYou wordlist. If you are using Kali, you can find it at /usr/share/wordlists/rockyou.txt. We will also have a crack.txt file with just the password hash.

edba955d0ea15fdef4f61726ef97e5af507430c0

Here is the command to run John in dictionary mode using the wordlist.

$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha1 crack.txt

And John finds the password pretty quickly.

John wordlist mode

The weaker the password is, the quicker John can figure it out. This is why it is always recommended to have strong passwords.

What is Incremental Mode?

Incremental mode is the most powerful mode provided by John. It tries all possible character combinations as passwords.

This sounds great, but there is a problem. The cracking can go on for a long time if the password is too long or if it's a combination of alphanumeric characters and symbols.

You will rarely use this mode unless you have no other option. In typical cases, a combination of Social Engineering attacks and wordlist mode will help you crack most of the hashes.

If you would like to try the incremental mode, here is the syntax.

$ john -i:digits passwordfile.txt

Here, the -i flag tells John that we want to use the increment mode. The “digits” placeholder can be used to set the maximum number of digits in the password.

You can also add the “format” option to make it easier for John to start cracking.

Use Cases for John the Ripper

Now that you understand the different modes of John, let’s look at a few use cases.

We will use John to crack three types of hashes: a windows NTLM password, a Linux shadow password, and the password for a zip file.

How to Crack a Windows Password

Let's start with Windows. In Windows, the password hashes are stored in the SAM database. SAM uses the LM/NTLM hash format for passwords, so we will be using John to crack one.

Getting passwords from the SAM database is out of scope for this article, but let's assume you have acquired a password hash for a Windows user.

Here is the command to crack it:

$ john --format=lm crack.txt

The crack.txt will contain the password hash. If John is unable to crack the password using its default wordlist, you can use the RockYou wordlist using the — — wordlist flag.

How to Crack a Linux Password

Now, let's crack a Linux password. In Linux, there are two important files saved in the /etc folder: passwd and shadow.

• /etc/passwd -> stores information like username, user id, login shell, and so on.
• /etc/shadow -> contains password hash, password expiry, and so on.

In addition to the “john” command, John comes with a few other utilities. One of them is called “unshadow”.

The unshadow command combines the passwd and shadow files together into a single file. This can then be used by John to crack passwords.

Here is how we use the unshadow command:

$ unshadow /etc/passwd /etc/shadow > output.db

This command will combine the files together and create an output.db file. We can now crack the output.db file using John.

$ john output.db

John tries to find the password for all the users in the passwd file and generates the output with the list of cracked passwords. Again, you can use custom wordlists via the  — — wordlist flag.

How to Crack a Zip File Password

Finally, let's crack a zip file password. To do that, we first have to get the hash of the zip file’s password.

Like unshadow, John has another utility called zip2john. zip2john helps us to get the hash from zip files. If you are cracking a .rar file, you can use the rar2john utility.

Here is the syntax to get the password hash of a zip file:

$ zip2john file.zip > zip.hashes

The above command will get the hash from the zip file and store it in the zip.hashes file. You can then use John to crack the hash.

$john zip.hashes

John also has several other functionalities that will help you crack a variety of passwords. You can find the complete documentation for John here.

How to Defend Against Password Attacks

So far we have seen how to crack passwords with John the Ripper. But how do we defend against these types of brute-force attacks?

The simplest way to defend against password attacks is to set a strong password. The stronger the password is, the harder it is to crack.

The second step is to stop using the same passwords for multiple sites. If one site gets hacked, your password will be exposed to the internet. A hacker can then use the email/password combination to test your credentials across other sites. You can check if your password is on the internet here.

The final step would be to generate random passwords and use a password manager. There are a variety of options including the Chrome built-in Google password manager. If you use a strong password for each site you use, it becomes extremely hard to crack your password.

Summary

John is a popular and powerful password-cracking tool. It is often used by both penetration testers and black hat hackers for its versatility and ease of use.

From automated hash discovery to dictionary-based attacks, John is a great tool to have in your pentesting toolkit.

Hope this article helped you to understand John the Ripper in detail. You can connect with me here or visit my blog here.

In this article, we will learn how to use Ffuf, a fast web fuzzer written in Go. You will learn how to fuzz your way to find directories and files and bypass the authentication of a website using ffuf. Then you'll learn how to defend against these types of attacks.

Remember – to protect yourself and your websites, it helps to know how an attacker would try to get in. That way, you can more effectively keep them out.

Note: Before we dive into using ffuf, I would like to emphasize that this tutorial is only meant to help you defend yourself against fuzzing attacks. If you use this material for malicious purposes, I am not responsible.

What is FFuf?

Ffuf is a fuzzer written in the Go programming language.

Ffuf belongs to the exploitation phase in the pentesting lifecycle. It is also the fastest open-source fuzzing tool available in the market.

But before we start using Ffuf, let's understand what fuzzing is.

What is Fuzzing?

Fuzzing is a method of sending malformed or abnormal data to a system in order to get it to misbehave in some way, which could lead to the discovery of vulnerabilities.

Finding hidden files, sending random data to forms, or even login attempts to web applications can be considered fuzzing.

Then you might be wondering “How is it different from Brute forcing?”.

Brute forcing can be considered a part of fuzzing. In brute force, the attacker uses valid data, for example, to check if a login attempt works. But with Fuzzing, they can send random data to break the expected behavior of a system.

For example, if you use a tool like Ffuf and load it with hundreds of username-password combinations to try on a website, it is fuzzing. And that’s exactly what we will do using Ffuf.

Make sure you have written permission if you are going to try this tool on a third-party website.

How to Install Ffuf and Wordlists

Ffuf comes pre-packaged with the Kali Linux distribution. If you want to install Ffuf on your personal computer, here are the instructions.

Since Ffuf is written in the Go programming language, make sure you have the Go compiler installed in your system before trying to install Ffuf.

If you are new to wordlists, a wordlist is a list of commonly used terms. This can be a password wordlist, username wordlist, subdomain wordlist, and so on. You can find a lot of useful wordlists here.

I would recommend downloading Seclists. Seclists is a collection of multiple types of lists used during security assessments. This includes usernames, passwords, URLs, etc. If you are using Kali Linux, you can find seclists under /usr/share/wordlists.

To try this tool in real-time, you can either use your own website or use a practice web app like the Damn Vulnerable Web app (DVWA). DVWA is an intentionally misconfigured vulnerable web application that is used by pen testers for practicing web application attacks.

Fuzzing with Ffuf

Now that you understand what Fuzzing and Wordlists are, let's start using Ffuf.

We will use ffuf to fuzz the web application to discover directories, find usernames, enumerate virtual hosts, and even brute-force email/password combinations.

You can use the help command (-h) if you want to quickly look at the options provided by Ffuf. This is useful since you don't have to memorize all the options provided by Ffuf.

ffuf -h

Do remember that the URL (-u) and wordlist (-w) parameters are always required.

Note that I'll be using http://localhost:3000 for my examples. If you setup your own web app or use an existing website, you have to replace “localhost:3000” with the ip address or the domain name of the website.

How to Enumerate URLs with Ffuf

Let's see how to find some URL paths.

Finding URLs is useful, especially if they are being hidden from being publicly indexed. We will use the web content wordlist from seclists to fuzz the web app for hidden URLs.

You can use the following command to look for URLs:

ffuf -u http://localhost:3000/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt

Here, the “FUZZ” keyword is used as a placeholder. Ffuf will try to hit the URL by replacing the word “FUZZ” with every word in the wordlist.

Here is what I found from the DVWA:

Result of looking for URLs

Interesting. You can see that we have found a few (possibly important) locations like /config, /docs, and /server-status.

If a real-world web app had pages that were not linked anywhere but used standard names, Ffuf would easily spot them.

How to Enumerate Files with Ffuf

What if you want to look for specific files? Thankfully, Ffuf provides us with the extension option (-e) that we can use. We can tell Ffuf to look only for files that have certain extensions – in our case, .html,.php, and .txt.

We will be using the raft-medium-words wordlist for this. Here is the command to look for specific files:

ffuf -u http://localhost:3000/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.html,.txt

This command looks for all the files at the root of the domain with an extension of .html, .php, and .txt. Here is the result from DVWA:

Result of looking for specific files

We have found a long list of files. Even if some files are not served on the web app (403 status), we can learn that there are files, just that we cannot access them yet.

Let’s run the same command, but now, we will only look for files that are accessible to the public. We will use the match code (-mc) flag to only look for files with a status of 200.

Here is the command:

ffuf -u http://localhost:3000/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.html,.txt -mc 200

And here is the result.

Files accessible to the public

You can see that we have found a few files that we can access. The login.php looks interesting, and we will use it for bypassing authentication in the following sections.

How to Enumerate Sub Domains using Ffuf

You can also look for sub-domains in a web app using Ffuf.

You might have guessed the approach that we are going to use. We will replace the subdomain of the URL with the word “FUZZ” and try looking for URLs that are up.

Since my web app is hosted on my local system, it does not contain any subdomains. But in the real world, if you want to enumerate subdomains, here is the command. You can use the sub domains wordlist from seclists.

ffuf -u http://FUZZ.mydomain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

How to Find Usernames with Ffuf

Have you been annoyed when web applications don’t tell you whether you have the wrong username or password? They just tell you “This combination doesn’t work”.

This is to protect the web app from username/email fuzzing attacks. If authentication systems give you specific information about your login attempt, it gets easier for attackers to brute force and discover a list of usernames or emails.

Let’s assume that our web application tells you that you have the wrong username with the message “username does not exist”. We can use this error message to find valid usernames with the following command:

ffuf -w /usr/share/SecLists/Usernames/top-usernames-shortlist.txt -X POST -d "username=FUZZ&&password=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://mydomain.com/login -mr "username already exists"

Here, we are sending POST requests to the login page, with the fuzzed usernames and a dummy password to check if the expected error message is returned. You can use a username wordlist from seclists for fuzzing.

The -mr flag is used to match a regular expression. You can have complicated regular expressions or a simple string message to validate the requests.

Here is a sample response.

Brute Forcing using Ffuf

Now, let's do some brute forcing with Ffuf. We will try a bunch of common username/password combinations and see if anything works.

If the web application you are testing uses a combination of email and password, you can replace the username wordlist with a email wordlist.

So for this attack, we need two parameters: username and password. Also, we will be using two-word lists: as you guessed, a username wordlist and a password wordlist.

In addition the default placeholder FUZZ, Ffuf supports the use of variables. So we will use W1 for our username wordlist and W2 for the password wordlist.

Here is the command:

ffuf -w usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://localhost:3000/login -fc 200

If Ffuf finds any valid combinations, you will see the combination in the results. You can also filter by status codes (for examle filter 400 or look for 200) using the -fc or -mc flags to reduce the noise.

Here is a sample response.

That was fun, wasn’t it? We can find a lot of interesting information about a web app without using a complicated tool like Burpsuite.

How to Protect Your Site from Fuzzing

But since we are not the malicious attackers, let’s look at how to defend against fuzzing.

The easiest way to protect your website from fuzzing attacks is to be careful about the type of files on the web server. If you don't want something to be found, don't put it on the web server.

To prevent authentication bypass, it is important not to allow multiple attempts to log in. Most modern websites don't allow more than 5 consecutive login attempts. It is more secure to ask your users to reset their passwords via email instead of letting them try multiple combinations.

You should also be careful about the error messages returned on failed attempts. Displaying that “Email does not exist” or “Password not correct” will let the hacker know that an email or username exists. This just makes their job easier.

Finally, you can use Web Application Firewalls (WAF) to monitor traffic and block suspicious IP addresses. WAFs also have options to set alerts if it comes across brute forcing attempts on your authentication methods.

Summary

Ffuf is a great tool to have in your pentesting toolkit. It is a simple yet fast fuzzer that makes it easy to enumerate directories, discover virtual hosts, and brute-force web applications.

Ffuf also has more options that will help you to look for specific information. It has support for regular expressions, rate limiting of requests, and saving your results to a file.

Hope you enjoyed this article. You can connect with me on Linkedin or read more articles on my blog. I’ll see you soon with another article.

What is a cybersecurity tabletop exercise (TTX)?

Cybersecurity breaches are resulting in an increasing number of losses ($4.2 million in 2021). So it's important to do as much as possible to prepare and train before experiencing a potential incident yourself.

A cybersecurity tabletop exercise (TTX) is one of the best methods that you can use to exercise your incident response plan – short of experiencing a real incident.

In short, the TTX is designed to help assess the preparedness of your company to handle an incident. The exercise should reinforce a culture of learning and training – there are no failures during an exercise, just opportunities to iterate and refine processes.

Main Benefits of a Cybersecurity Tabletop Exercise

• Develop a better understanding of the impact of a breach in a cost-efficient manner
• Maintain a positive reputation through transparency and communication
• Solidify roles and responsibilities and explore decision making processes
• Assess the capabilities of your existing resources
• Identify and address deficiencies in planning

What Makes a Tabletop Exercise Effective?

Given that this exercise is a critical component of testing how prepared your company is to handle an incident, it is important to go into the exercise with clear objectives.

The following components will help ensure that your exercise is as efficient as possible.

1. Have an incident response plan. Without an incident response plan, the exercise will likely be extremely chaotic, as you will be figuring out roles and responsibilities on the fly, without defined processes to follow. The goal is to test your plan, not create a new one!
2. Perform risk analysis ahead of time. Unless the goal of the tabletop is to reinforce that a formal risk analysis is needed, it is important to have performed at least a cursory analysis to understand the key risks to the business. Why do they care about funding the security program? What do they care about protecting? What is the potential harm to the company if an adverse event occurs?
3. Have clear objectives. Think of what you want to accomplish with this exercise – what outcomes are you looking for? You may have numerous scenarios testing various components of the business you want to run, but you might also have limited time with senior executives. Make sure you don't throw too many objectives into the exercise. Keep focused. Develop the scenario only after you've decided what you want to get out of the exercise.
4. Get stakeholder/executive buy-in. To be successful, the exercise needs to be performed willingly with the intent to learn, not just to tick a checkbox for compliance. Executive leadership needs to be involved and willing to learn from the results, transforming the lessons learned into actionable changes within the company where appropriate.
5. Strong facilitator. The facilitator needs to keep everyone on track, ensuring that all important points during each inject are covered. While open discussion is great, the facilitator needs to ensure that the conversation stays on point rather than going down various rabbit holes and tangents.

How Does a TTX Generally Flow?

The general flow of a cybersecurity tabletop exercise will walk participants through the process of an incident from inception until conclusion. There will be a focus on exploring the various decision points that come up during the process, ensuring that all participants understand who the key decision makers and stakeholders are in an incident.

The below diagram illustrates the various key components of the exercise itself, from planning to execution:

Exercise Flow:

Typical flow for a cybersecurity TTX

Let's go through each element in this flow:

Building valuable objectives

It is important to identify key learning opportunities that stakeholders can take from the exercise (for example, "Does leadership know who is responsible for deciding whether to halt trading activity of our company's stock on the exchange?" or "Who makes the call to unplug a critical, revenue generating system.").

Once these objectives are identified, it will be possible to inform the scenario's design. Example objectives could include:

• Test efficacy of out of band communication processes
• Assess training gaps
• Determine inconsistencies between the incident response plan and implemented processes
• Evaluate current decision making processes

Who needs to be involved in the exercise?

Participants should be actively involved in the exercise, taking part in the discussion and decision making process. It is important to involve a variety of stakeholders as appropriate for the scenario.

Typically, representatives of the following groups will be present:

• C-suite: CEO, CFO, COO, CIO, CTO, and so on.
• Human Resources
• Legal/CLO
• Compliance and Privacy
• Business unit leadership

A facilitator is an internal or external resource who will walk participants through the scenario, the various injects, and control the flow of conversation.

It is critical to keep everyone focused on the scenario and to ensure that participants don't fall down rabbit holes poking holes in the scenario or addressing unnecessary elements.

Note: Consider having a third party, such as an incident response forensics firm, take on this role as a primary or supporting facilitator. They can provide broader background information on attacks they have observed and answer macro-level questions posed by executives.

Outside agencies can include law enforcement, outside counsel, security forensics firms, or regulators.

Finally, you'll need a scribe to take notes of participant's reactions and decisions, lessons learned, what went well, and what did not.

What types of exercise formats are there?

There are generally two main forms an exercise can take: a discussion or live-fire/wargame. There is no right or wrong format. The type of exercise selected should match the participants and desired outcomes and objectives of the exercise itself.

A live-fire exercise, sometimes known as a wargame, is when an incident is simulated in real-time, requiring swift action by teams that may or may not be aware the event is taking place.

This type of exercise is typically performed for the incident response team and the "boots on the ground" responders - for example, network, firewall, application, and database teams.

This exercise is designed to measure how efficiently the company's people, process, and technologies will operate in an environment as close to a real incident as possible.

A discussion-based exercise will typically feature a presentation where general, high-level information is provided to the participants, who are typically a cross section of senior leaders across various business functions in the company.

Periodically, an inject will be used throughout the presentation. These are often meant to provide some new information or other type of curveball to the participants. Examples of an inject can be an internal memo, a media report, a phone call, or even a slide with further information.

You should perform the following after each inject:

• Assess situation
• Revalidate assumptions
• Identify security and organizational implications
• Develop a course of action
• Review resources
• Develop recommendations
• Take actions to implement changes
• Outputs – document the discussion, lessons learned, and so on.

How do I design a relevant scenario?

When building your scenarios, here are some example questions you can use to help structure your exercise:

• Who is the threat actor?
• What is the threat actor's intent?
• What threats are occurring against your industry? This can inform your scenario or various decision points.
• How will the team handle and respond to the attack?
• What external entities should be involved?
• Will employees, customers, or regulators need to be informed?

Make sure that each slide that conveys information has a timestamp to let the participants know how much time has elapsed between events. The scenario should not include too many slides or injects – typically 2-4 injects and some for of media content should be sufficient, alongside the general information slides.

Logistics

Discussion-based exercises work best when performed for approximately 3-4 hours, with the majority of participants physically located in the same room.

Prior to the exercise, the facilitator should have a list of key topics that should be explored for each slide and ensure that these are discussed throughout the exercise. Make sure to have coffee and snacks too 😊.

The rules

Make sure everyone understands the "rules" of the event. Suspend disbelief, no enemies, work together.

Provide rules both several days before as well as during the event. Include the IR plan. Do not fight the scenario!

How to leverage the "hot wash" and lessons learned

A short review (the "hot wash") should occur immediately after the exercise (optionally with or without any third parties that may have been present) to review what went well and what could be improved while information is still fresh.

Close out the session by asking each participant to name one takeaway they have from the event.

Over the next couple of weeks, review all notes and observations from the exercise and compile a list of lessons learned. Distill these into several themes that you can share with leadership, after which you can construct a plan to address these items.

Some example lessons can include:

• Create a "pocket runbook" so that individuals "on the ground" have a clear and concise set of instructions on what to do / not do during an incident
• Establish authority for the incident commander
• Implement an asset inventory system that takes into account systems, applications, critical suppliers, and critical personnel
• Onboard an alternate communication system to allow for communicating with staff if core systems such as email and chat are inaccessible
• Retain a crisis PR firm on retainer in the event of an incident and ensure executives undergo media communication training

Conclusion

Well, that was a LOT of information. Hopefully you've learned quite a bit about how a tabletop exercise works, and how to build a valuable exercise.

Here are some key takeaways to help ensure that you are building an effective tabletop:

• Establish clear objectives – what is the desired outcome after running this exercise? Use that to identify valuable objectives to achieve throughout the exercise.
• Be engaging – slides can be dull. Never just read off the slides. Try to add some form of multimedia (like a fake news report about leaked data causing stock price to decline, a phone call from a journalist, and so on.) to break up the flow.
• Action the lessons learned – Once you have consensus on the lessons learned, put together a roadmap and project plan for each item, along with an owner. The goal of the exercise is to produce actionable tasks that will improve the readiness of the company when responding to an incident while also mitigating the impact of any future incidents.

Last, if you are looking for inspiration, be sure to check out CISA's Tabletop Exercise Packages for some ready to go templates!

There’s no doubt that DevSecOps is on the rise, as the need for fast but highly secure application delivery increases.

A report by Emergen Research shows that the DevSecOps market is set to reach a $23.42 billion value in 2028 with a CAGR of 32.2 percent over the forecast period 2020-2028.

Notably, this growth does not only address the growing importance of security in rapid application development and delivery. It also has a significant positive impact on cloud security.

As organizations see increased use of cloud computing and SaaS applications, the adoption of DevSecOps is also becoming more appealing.

The Current Cloud Security Situation

A survey on the state of cloud data security in 2022 conducted in partnership with Gartner shows that an overwhelming majority of organizations (over 90 percent) say they struggle with the enforcement of security policies around their data. This is because of various reasons, which add to cloud security difficulties.

Conventional solutions no longer cut it, and cloud security needs to level up to match the different challenges brought about by growing cloud adoption and the complexities that come with it.

These challenges include the following:

Visibility and tracking inadequacies

As organizations embrace Software-as-a-Service (SaaS) apps and the Infrastructure-as-a-Service (IaaS) model, they face the challenge of protecting data and assets that are usually beyond their control.

Typically, cloud service providers do not provide customers full control over the infrastructure layer. This produces a lack of visibility and control in the context of security.

Broader attack surfaces

Threat actors are particularly attracted to organizations that use the public cloud environment. It is relatively easy to attack with zero-day, malware, account takeover, and other attacks in the absence of reliable security solutions.

Workload changes

The dynamic nature of cloud asset provisioning and decommissioning makes it difficult to protect them, especially when scaling and agility are involved.

Complex environments

Hybrid and multi-cloud environments appear to be preferred by many organizations at present because of various advantages. But this results in security management complexities and the need for security tools and solutions that seamlessly work with each other.

The need for granular privilege and key management

Because of the number of users that access cloud assets, it is not uncommon for access or privileges to be granted loosely. Extensive privileges are usually provided to avoid having to implement specific configurations for different users or user groups.

This can be problematic for security. With the use of SaaS apps, for example, when keys and privileges are given carelessly, sessions can be exposed to various security risks.

Weakening of cloud standards compliance benefits

The top cloud service providers notably advertise their compliance with various security accreditations or standards such as the NIST 800-53, PCI 3.2, and GDPR. But the benefits of compliance are diluted or almost entirely eroded because workload and data process management is usually relegated to customers (organizations).

Since most organizations have visibility and tracking difficulties, poor attack surface management capabilities, and the lack of granular privilege management, the security compliance of cloud providers do not necessarily benefit their customers.

The rise of DevOps

Many organizations have shifted to DevOps as they seek to shorten the lifecycle of systems development and promote rapid and continuous app delivery.

This can impact cloud security, though, especially when there are security-related changes implemented post workload deployment.

How DevSecOps Can Help

As I explained above, it is not only the expansion of attack surfaces and security management complexities that come with cloud adoption that make cloud security more challenging. The increased adoption of DevOps practices also adds to the problem. This is where DevSecOps comes into play.

DevSecOps adds the crucial security component to DevOps and guides developers to embrace “security by design.”

It is a step-up from the previous shift-and-adopt strategy used in incremental cloud re-platforming. It involves an integrated team of multi-skilled specialists in the field of cloud and cybersecurity working together under a common operating paradigm.

Teams can establish a center of excellence (usually helmed by the organization's digital transformation point person) to take charge of the coordination of the cloud and cybersecurity specialists working together in the new development operating model.

DevSecOps ensures that flexible and agile practices do not disregard security, allowing development processes to proceed at the same pace an organization wants its business to move.

Teams can achieve this with an emphasis on shared responsibilities. Organizations nurture collaboration, cross-skilling, and cross-teaming to attain better outcomes.

Diana Kearns-Manolatos, Senior Manager in Deloitte’s Center for Integrated Research, characterizes DevSecOps as “more than moving existing security processes earlier into the development process.”

DevSecOps entails the rethinking and rearchitecting of the way app design processes work. "It is about elevating, embedding, and evolving (your) organization’s risk response," Kearns-Manolatos adds.

To answer the question "What is DevSecOps’ role in cloud security?", teams need to incorporate security into the efficiency, rapidness, and continuousness thrust of DevOps.

Simply put, it is about quickly rolling out apps or software products that are already secure to help better manage the expansion of cyber attack surfaces.

Instead of having another team (the security team) undertake rigorous app security review, the apps can be deployed immediately. Tweaks and patching will still be needed eventually, but they will no longer be as exhausting as compared to deploying apps developed conventionally.

DevSecOps in Practice – Not Easy but Very Doable

Embracing DevSecOps to achieve the quick, secure, and efficient rollout of applications or software products is not going to be a walk in the park. But it is not overly tricky to be restrictively achievable.

Organizations will face the need for process innovation and they'll need to rethink their cloud security and development operations.

One crucial factor in successfully adopting DevSecOps practices to improve development outcomes (especially in terms of security) is communication.

Teams need to properly communicate with each other to ascertain that everyone is on the same page during the development process. Real-time knowledge sharing is important and it may also be necessary to integrate ChatOps, automation, as well as artificial intelligence in the process.

Final Thoughts

DevSecOps and cloud security may appear unrelated or remotely connected concepts. But the former does have an impact on the latter.

DevSecOps will not address all cloud security issues or threats. But it can make DevOps-driven apps used on the cloud or in hybrid environments less vulnerable, and can limit means for threat actors to penetrate cyber defenses.

If you want to learn more about DevSecOps in depth, check out this free article and course from freeCodeCamp.

Image via Murrstock / Adobe Stock

In my previous article, we talked about some basic Linux skills and tricks. In this article you are going to learn a basic Wi-Fi hacking procedure using those skills.

You'll learn things such as how to:

1. Monitor Wi-Fi networks around you
2. Perform a DOS attack
3. Protect yourself against Wi-Fi attacks

Disclaimer: This is strictly for educational purposes only (and, of course, for a little fun). Do not under any circumstances, conditions, or influence of unwise friends use the hacks you learn here on organisations, individuals, or your probably annoying neighbour. You would be committing a crime and you'll either be fined, sent to jail, or just get your parents embarrassed.

And now that we have that lovely introduction out of the way, let’s proceed.🙃

What We'll Cover:

Here's a basic rundown of what this tutorial contains:

1. Introduction
2. What is a Packet?
3. How to Crack WPA2
   • Prerequisites
   • How to put the network card into monitor mode
   • How to look for the target
   • How to capture the handshake packets
   • How to perform a DOS attack
   • How to obtain the password (hopefully)
4. Mitigations Against WiFi Attacks
5. Conclusion

Introduction

A router ¦ Credit: Unsplash.com

Wireless Fidelity (Wi-Fi) is a common technology many of us use in our daily lives. Wether it's at school, home, or simply bingeing Netflix, it’s increasingly rare to see anyone carry out Internet related activities without it.

But have you ever tried to hack Wi-Fi? 🤔 (I’m sure you’ve been tempted 😏).

In order to hack something, you need to know how it works. This means you need to understand how the tech works in the first place. So let’s start from the basics: The Packet.

What is a Packet?

A Basic Packet. Credit: ResearchGate.com

A Packet is the basic unit/building block of data in a computer network. When data is transferred from one computer to another, it is broken down and sent in packets.

Think of packets like Lego building blocks. You (the computer) receive the complete set (the complete data) in pieces (packets) from the seller (another computer). You will then assemble the blocks together to build up the figure based on the instructions given in order to enjoy it (or in this case, for the whole data to make sense).

A packet, also known as a datagram, is made up of two basic parts:

1. A Header
2. The Payload/Data

The Header contains information about the packet. This helps the network and the receiving computer know what to do with it, such as the source and destination IP addresses.

The Payload is the main content the packet contains. It’s also worth mentioning that packets can be encrypted so that their data can't be read if gotten by an attacker.

In a network, packets are a requirement for packet switching. Packet switching means breaking down data into packets and sending them to various computers using different routes. When received, the computers can then assemble these packets to make sense of it all. The Internet is the largest known packet switching network on earth.

Now let's see how we can apply this knowledge to wireless networks.

How to Crack WPA2

A bunch of random code. Credit: Unsplash.com

Wi-Fi can use a number of various protocols to give you a secure internet connection. From the least to most secure, they are:

1. Open
2. WEP (Wired Equivalent Privacy)
3. WPA2 (Wi-Fi Protected Access 2)
4. WPA3 (Wi-Fi Protected Access 3)

An open network is pretty much as the name implies – open. It has no password and practically anyone can connect to it.

WEP is an old protocol, rarely in use and requires a password like its successors.

WPA2 is the most commonly used protocol around the world. WPA3 is a newest and the most secure protocol known till date. But it is rarely used and only available on newer devices.

Prerequisites

Wi-Fi works by constantly sending packets of data to your authenticated device. In order to hack it, you’ll need:

1. A Linux machine (Preferably Kali Linux)
2. A wireless adapter

To install Kali from scratch, you can follow this tutorial.

If you haven’t already, you’ll need to install a tool called Aircrack-ng on your machine. To install it, just type in the command below.

sudo apt install aircrack-ng

How to Put the Network Card into Monitor Mode

You first want to get information about the target. This is what hackers call reconnaissance.

In order to do that you need to first change your wireless card from ‘managed’ mode to ‘monitor’ mode. This will turn it from a mere network card to a wireless network reader.

First you need to find out the name of your wireless card. Plug in your adapter and run the iwconfig command to find out. It’s usually the last one on the list.

iwconfig. Credit: Daniel Iwugo

As you can see, mine is wlan1. Now run the following commands:

sudo airmon-ng check rfkillsudo
airmon-ng start <network interface>

sudo indicates the need for root privileges, check rfkill stops processes that could hinder the card from going into monitor mode, and start tells airmon-ng which network card to execute on. Replace the <network interface> with the name of your wireless card.

airmon-ng is a script that instantly changes your card to monitor mode. You actually can do this manually or make a script of your own but I personally prefer something rather simple.

How to Look for the Target

To see what networks are around you, run the following command:

sudo airodump-ng <network interface>

Airodump. Credit: Daniel Iwugo

airodump-ng is a part of the aircrack-ng suite that allows a network card to view the wireless traffic around it.

As you can see we get a lot of information. But let's take a quick look at the ESSID (Extended Service Set Identifier) column. Also known as the AP (Access Point) name, this column shows the name of the target network, which in my case will be ‘Asteroid’.

You want to concentrate on the target AP and ignore the rest. To do this, press Ctrl+C to cancel the current scan and this time, append the bssid of the network with the bssid flag as shown below.

sudo airodump-ng <network interface> --bssid <AP>

Airodump in action. Credit: Daniel Iwugo

The BSSID stands for Basic Service Set Identifier, a fancy name for the MAC address of the device. You use it to identify the device on a network, along with the ESSID (Name of the AP). Technically, you could just use the ESSID flag instead but different APs could have the same name. However, no two APs can ever have the same BSSID.

Below is a code snippet of what you would type to get info about the AP using the ESSID only.

sudo airodump-ng <network interface> --bssid <AP ESSID>

Note: If the name has a space, enclose it with quotes. For example, --bssid “Asteroid 1” .

You’ll notice I highlighted the MAC address of a client connected to the AP under the ‘Station’ column. To its left is the MAC address of the AP it is connected to.

How to Capture the Handshake Packets

The next step is to capture the handshake packets (Remember packets? 👀). Handshake packets are the first four packets sent from the AP when an authenticated device connects to an AP.

This means we have two options:

1. Wait for a device to connect to the AP
2. De-authenticate the device and then let it connect to the AP

The second one sounds a lot more fun so let’s go for it.

An LED keyboard. Credit: Unsplash.com

How to Perform a DOS Attack

You can use aireplay-ng or mdk4 to disconnect devices from APs for a time. This is called a de-authentication attack or a wireless DOS (Denial-Of-Service) attack.

Now here’s the game plan:

1. Setup airodump-ng to capture packets and save them
2. De-authenticate the device for some time while airodump-ng is running
3. Capture the handshake

Got all that? Good. Let’s roll. 👨‍💻👩‍💻

First, run the command to capture and save packets:

sudo airodump-ng -c <channel number> --bssid <AP BSSID> <network interface> -w <path for saved packets file>

Airodump capturing packets. Credit: Daniel Iwugo

Here, we're using the -c flag to specify the channel to search, the --bssid flag for the MAC address of the AP, and the -w flag to give a path you want to save the captured packets to.

Quick lesson: Channels reduce the chances of APs interfering with each other. When running airodump-ng, you can identify the channel number under the CH column.

While that is running, you’re going to run your de-authentication attack against the device connected to it using the command:

sudo aireplay-ng -a <BSSID of the AP> --deauth <time> <network interface>

The -a flag specifies the MAC address of the AP, --deauth specifies how long you want the attack to run in seconds, followed up by the network card.

A de-authentication attack involves using your own network card to send packets to interrupt communication between the AP and the client. It’s not perfect and sometimes the client may connect back, but only for a short time.

If your Wi-Fi is acting crazy and you seem to be disconnecting and connecting randomly back to it, you may be experiencing a de-authentication attack.

In the command above, you’re targeting the AP and running the attack. Note that you can instead attack any device connected to the AP and you should get the same result. All you need to do is to change the -a flag to the MAC address of any device connected.

While the DOS attack is underway, check on your airodump scan. You should see at the right top : WPA handshake: <mac address>. Once you have verified that, you can stop the replay attack and the airodump-ng scan.

Carrying out the replay attack to get the handshake. Credit: Daniel Iwugo

How to Obtain the Password (Hopefully)

In the final steps, you are going to run a bunch of generated Pairwise Master Keys (PMKs) against the captured packets to get the password. Let me break it down.

A PMK is basically an algorithmic combination of a word and the APs name. Our intention is to continuously generate PMKs using a wordlist against the handshake. If the PMK is valid, the word used to generate it is the password. If the PMK is not valid, it skips to the next word on the list.

I’m going to use the rockyou wordlist located in the /usr/share/wordlists directory. I think this is only found in Kali so if you have a different OS, you might make one of your own manually or generate one using crunch.

If it isn’t already extracted, just run the command:

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

Quick history lesson: The rockyou wordlist is a bunch of passwords gotten from one of the most infamous cybersecurity data breaches that affected a company of the same name. It contains approximately 14 million unique passwords that were used in over 32 million accounts and as such, is one of the most dependable wordlists on the planet.

Now run the command:

sudo aircrack-ng <captured file with .cap> -w <path to wordlist>

Password cracking. Credit: Mercury

Alright, everyone – mission accomplished 😎.

The password was, well… ‘password’. Pretty disappointing from a security perspective, but I set this network up just for fun for the purposes of this tutorial. In reality, this could take minutes to hours depending on the length and strength of the password.

To clean up, simply remove the file captures, close your terminals, and run the command service NetworkManager restart to change your network card back to managed mode so you can connect to the Wi-Fi.

Mitigations Against WiFi Attacks

A basic personal workspace setup ¦ Credit: Wallpaperflare.com

Basic Wi-Fi security should cover this attack from a defensive perspective. Using WPA3 which is a newer protocol is your best bet against such an attack. To mitigate against de-authentication attacks, use an ethernet connection if possible.

Assuming that option is not on the table, you can use a strong passphrase (not a password) to minimise the attackers chances of getting it. A passphrase is a string of words simply used as a password. Passphrases tend to be longer than passwords, easier to remember, and are a rarer practice. Therefore, they will hardly be found in wordlists.

For example, ‘mercury’ is more likely to be found in a wordlist than ‘mercurylovespluto’. The later is a 15-character passphrase and as simple as it is, it would be hard for an attacker to find, guess, or generate.

Another mitigation would be to disable WPS (Wi-Fi Protected Setup) and avoid under any circumstance using a router that uses the WEP protocol. You’d just be asking for unwanted attention as it’s a lot easier to hack both of these than WPA2.

Conclusion

Let’s summarise what you’ve learned:

1. Change the wireless adaptor to monitor mode using airmon-ng
2. Scan for the target AP using airodump-ng and capture the packets
3. Perform a DOS attack on the AP to get the handshake packets
4. End the DOS once you have verified you captured the necessary packet
5. Use aircrack-ng to generate PMKs to run against the handshake packets

Sometimes, the password may not be in the wordlist. In that case, there are many other ways to get the password such as an Evil Twin Attack or variations of what you have learned here. I also encourage you to practice this and many other attacks you discover out there, as this helps make you a master hacker.

Remember, this is strictly for educational purposes. Only perform this on others with their consent, or on your own devices.

And with that, we have come to the end of this article. Hope you enjoyed it. And as I always say, Happy hacking! 🙃

Resources

1. A little more explanation on the handshake theory
2. More details on packets
3. WPA2 vs WPA3

Acknowledgements

Thanks to Anuoluwapo Victor, Chinaza Nwukwa, Holumidey Mercy, Favour Ojo, Georgina Awani, and my family for the inspiration, support and knowledge used to put this post together. You’re my unsung heroes.

Cover photo credit: Lego Gentlemen working on a router from Wallpaperflare.com

All it takes is a single click, and you're in trouble.

This kind of email has a very clear definition:

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

In this article, I'll explain what phishing is and how to recognize the signs that an email may not be legit. For that, we will learn to do the following:

• Recognize some obvious flags of a phishing email

• Use some command tools on Linux to carefully inspect suspicious links

• Analyze the suspicious emails with several free online tools

All this while having some fun.

Example of a Phishing Email

Let me share a quite clever example email (some details have been changed to protect the innocent):

Phishing email pretending to be GoDaddy

Let me show you how you can quickly spot scammers, without using a single line of code

You will need the following to go through some of the steps of this tutorial:

• A Linux installation, with curl installed.

• A Web browser (Brave or Firefox are good choices)

• Curiosity

Now let's move on and see what we've got in our mailbox...

Common Sense Phishing Red Flags

Right out of the box, this email violates two simple rules, despite having proper grammar and nice presentation:

First, of all, it forces you to act immediately to fix an issue (Urgent action required), no questions asked (Click the nice button).

To make it worse, there's no way to verify that the person contacting you really works for the company. Reputable companies ask you to log into their website and offer a case # so you can track the issue. Neither of those are here.

Second, despite their best efforts, scammers make qualitative mistakes. Do you see that customer # on the upper right part of the screenshot? I compared it to mine on the real website and guess what? It's a different number.

But where is the fun of analyzing this if we cannot do even a little bit of poking? Well, when I moved my mouse over the button image I could see the link and it was pointing to tiny URL (an URL shortening service):

https://tinyurl.com/xszszasxdxdxdxdxdxdxdzs?a=xxx@xxxx.com

So whoever is doing this is trying to conceal the real URL. No problem, copy the URL address (never click it), change the email part of the GET request to some garbage (?a=xxx@xxx.com)) and then run it through curl. I got this:

<table width="75%" bgcolor="#FFFFFF" align="center" cellpadding="10">
        <tr>
            <td>
                <h2>URL Terminated</h2>
                <p>
                    The TinyURL (xszszasxdxdxdxdxdxdxdzs) you visited was used by its creator in violation of our terms of use.
                    TinyURL has a strict no abuse policy and we apologize for the intrusion this user has caused you.
                    Such violations of our terms of use include:
                </p>
                <ul>
                    <li>Spam - Unsolicited Bulk E-mail</li>
                    <li>Fraud or Money Making scams</li>
                    <li>Malware</li>
                    <li>or any other use that is illegal.</li>
                </ul>
                <p>

So the good people from Tiny URL noticed this too and terminated the URL. Nice work!

Let's use other tools to confirm what we know already.

Online Tools You Can Use to Analyze Suspicious URLs

Tiny URL was nice enough to tell us about the original URL:

https://parasolhealth.org/resources/sass/hgjhgbgb/%20hxghxhgcgzvzvhgxvgzhxgvvgvcgvhgvjhvxhgvzhgvshgvhgvhgvhgwvhgwvhgwvhgwvhgvhgvdshvshgvhgvhgdvhgdsvhgdvhjgdvjhdgdvhgfvhgvf/vhgvjhgvghgvghvhgvghvhgvjlnkjndkjdkjdhbgytdvghdvhvshgvshgvjsvhvahgvhvwgvhwvhvajgvsgshgvhsgvjhsvgavjgvsgvahgvahgvhgsvjgavhgsvhgsvhjvshgvahgvsjvshgvajvshvhgwvhgvehgvehgvehjvegvejhgvhgavhavhs/dhbjhjfhjfkbkjfhbjkbfjbjdbkjbsjhbdjbjkdbhbdjkbjdbjdbjhbdkjbsjbjkdbjkdhbjdbjbsjhbsjbjdkbjhdbkjhbdkjbsbdjbjdbkjhbjhbsjkhbdjbjdbjdbjhsbjhbejhbejhbjwhbjhwbjkwhbjbhbs/jdbhdhdbkjbsjbsjbwjbjwbjkbwhbehbjhbejbebebjebjbejbjhbsjhbshbahbjhsbshbjkhdbjhbjhbdbdjkbdhbjhsbjhbajhbsjbkjshbhbdjhbjdhbjkbshbsjhbsjbdbdhbdhbjehbjhebjhbrrhbjbjekhbjhbjsbjhsbjhbdjhd/jbdjhbdkjbdjhbkjabjhbsjbdjbksjbhsbjhdbjhbjkbdjhbjhbkjbejhbwkhbjkwhbjhwbjkwhbjhwbjhbwhbwkjhbwjhbjhbajhbajhbsjhbsjhbdjkhbdjhbdjhbjdhbjshbjhsbjhbjhsbkjhbdjhbsjbjabjhabjkbs/redirect.php

If you go to the Virus Total website and search for the URL you will see that this was also reported here:

Interestingly enough, only a single vendor reported the URL as malicious. That will do it for me :-)

Also Abuse IP DB doesn't know anything about the offending website. However keep this tool around as it is known to reports multiple other actors.

There is anything else we can learn from the original message? Most email readers allow you to copy and paste the email headers. I'm sharing mine here (with a few changes):

Received: from MN2PR19MB4030.namprd19.prod.outlook.com (2603:10b6:208:1e8::11)
 by MW3PR19MB4204.namprd19.prod.outlook.com with HTTPS; Tue, 4 Oct 2022
 16:35:05 +0000
Received: from BN9PR03CA0959.namprd03.prod.outlook.com (2603:10b6:408:108::34)
 by MN2PR19MB4030.namprd19.prod.outlook.com (2603:10b6:208:1e8::11) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5676.31; Tue, 4 Oct
 2022 16:35:01 +0000
Received: from BN7NAM10FT104.eop-nam10.prod.protection.outlook.com
 (2603:10b6:408:108:cafe::cc) by BN9PR03CA0959.outlook.office365.com
 (2603:10b6:408:108::34) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5676.24 via Frontend
 Transport; Tue, 4 Oct 2022 16:34:59 +0000
Authentication-Results: spf=softfail (sender IP is 170.10.162.128)
 smtp.mailfrom=bounce.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=godaddy.com;compauth=fail
 reason=000
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
 bounce.com discourages use of 170.10.162.128 as permitted sender)
Received: from host.solutiononellc.com (170.10.162.128) by
 BN7NAM10FT104.mail.protection.outlook.com (10.13.157.118) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5676.17 via Frontend Transport; Tue, 4 Oct 2022 16:34:59 +0000
Received: from ip250.ip-37-187-205.eu ([37.187.205.250]:38823)
    by altar47.supremepanel47.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.95)
    (envelope-from <postmaster@bounce.com>)
    id 1ofksk-0005Zd-LV
    for xxx@xxxx.com;
    Tue, 04 Oct 2022 16:34:58 +0000

Using [MXToolbox](https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=4205dc8f-5147-4da5-a448-d633f2bbca61) shows that 2 of the email addresses used in the chain are **blacklisted**, another red flag.

![Image](https://www.freecodecamp.org/news/content/images/2022/10/godaddy_scammer_mxtoolbox.png)
_2 blocked emails from this list. Another read flag_

I think that's good enough. Delete the email and move on with your life, and be sure a new email is coming your way (hopefully landing in the SPAM folder automatically).

## What's Next?

There are many tools on the Internet you can use to identify phishing emails, but there is no substitute for common sense. It if looks too good to be true then it probably is.

As usual, do not click the link right away! Do a little investigating first, just to be safe.

In this article, you will learn what the hacking process really looks like. And hopefully one day, you'll get to say those famous words: “I’m in”.

Disclaimer: This is for educational purposes only. Please (with a cherry on top), do not use this knowledge to perform illegal activities. I might be one of the white hats to put you in jail someday 🙃. Thank you.

How do Hackers Hack?

Tony Stark attempting to hack S.H.E.I.L.D | Credit: animatedtimes.com

Since you are reading this article, I’ll assume that you already know the basics of what hacking is, so let's jump right in.

There really is no general agreed upon process of hacking, in part because there are a few different types of hackers. But, I will tell you the steps the majority of hackers (and I myself) follow.

They are:

1. Reconnaissance
2. Enumeration
3. Exploitation
4. Privilege Escalation
5. Post Exploitation
6. Covering Tracks
7. Report Writing

We'll go through each one in detail so you get a good feel for the process.

If you want to dive deeper and learn more about what white hat (ethical) hackers do, check out this course.

Reconnaissance

A neon themed hollywood hacker | Credit: Wallpaperflare.com

Recon (aka footprinting) is the first, longest, and most important step. This entails getting as much information as you can about the target without interacting directly with the target.

Basic OSINT (Open Source Intelligence) skills are a hacker's best friend here.

Quick lesson: OSINT is the collection and analysis of information from public sources in order to gain actionable intelligence. National security agencies, investigative journalists, and hackers legally gather such information in order to create measures, stories, and dossiers, respectively, about targets.

You can find the OSINT framework guide here.

The greatest resource for recon is the Internet, and the greatest tool is the search engine, Google. To make this a lot easier, Google dorking would be a good place to start. Dorking in this sense means the use of advanced search techniques to find out more information about a target that you normally wouldn’t be able to find using normal methods.

Other resources for recon include:

1. Wikipedia (The biggest encyclopedia to this date)
2. Social Media such as Instagram, Twitter, and Facebook (Best resource for social engineers)
3. who.is (To get information about a website)
4. sublist3r (Lists subdomains publicly available)
5. Media such as newspapers, radio, and television

Enumeration

Magnifying glass over binary ID fingerprint | Credit: Wallpaperflare.com

This is like reconnaissance, except you gain information about the target by interacting with it for the purpose of looking for a vulnerability.

Do note, though, that things can get a lot riskier as the target could discover that you are trying to find out information about them, and could put countermeasures in place to hinder you.

Network enumeration involves port scanning and network mapping. This helps you learn about the target’s operating system, open ports, and services being run, along with their version. Nmap (network mapper), burp suite, and exploit-db/searchsploit are common tools you can use for network enumeration.

Tip: Knowing the version of services is a great way to find a vulnerability. Old versions of software may have a known vulnerability which could be on the exploit-db site. You could then use this to perform an exploit.

Physical enumeration involves gaining information through physical means. This could be done via dumpster diving (getting credentials and confidential information from the trash) and social engineering.

Social engineering is quite a broad topic and will get an article of its own later. However, in simple terms, it means hacking humans using manipulative social skills.

Exploitation

A fake terminal access | Credit: Wallpaperflare.com

Exploitation involves gaining access to the target successfully using a vulnerability discovered during enumeration.

A common technique for exploitation is to deliver a payload after taking advantage of the vulnerability. In simple terms, this is finding a hole in the target, and then running code or software that lets you manipulate the system, such as a bash shell.

Infamous vulnerabilities that are commonly exploited are EternalBlue (Windows) and the Apache log4j (web servers) vulnerabilities.

Common tools you can use for exploitation include:

1. Metasploit (The big gun 🔫)
2. Burpsuite (For web applications)
3. Sqlmap (For databases)
4. Msfvenom (Used to create custom payloads)

Quick lesson: A payload is software run after a vulnerability has been exploited. Once exploited, the target computer doesn’t have anything to give you access with. And so you need a payload to give you access and allow you to manipulate the target.

A very common payload many hackers use is meterpreter. It is a payload by metasploit that allows you to easily transverse the hacked computer.

Privilege Escalation

Random Text with “Administrator” | Credit: Wallpaperflare.com

In order to understand privilege escalation, you need to grasp two concepts:

1. User Accounts
2. Privileges

A User Account is a profile on a computer or network that contains information that's accessed via a username and password.

There are two kinds of user accounts: Administrator account and Standard account. Home computer users usually only have one user account, which is the administrator. In contrast, organisations have multiple accounts on a network or computer, with a system administrator having the administrator account and the basic employees having various standard accounts.

Privileges are the permissions that let you write, read and execute files and applications. A standard user doesn’t have privileges (permissions) to critical files and applications which we want. However, an administrative account will have privileges for everything.

Escalation is the movement from one user account to another. This could either be vertical or horizontal.

Vertical escalation is when a hacker moves from an account with fewer privileges (standard account) to an account with more privileges (administrative account).

Horizontal escalation is when a hacker moves from one user account to a similar account of the same privilege level in hopes of performing vertical escalation with the new compromised account (standard account to standard account).

The administrative user accounts you would want to target are root (Linux) or Administrator/System (Windows). These accounts have all the privileges and are practically a goldmine if you get access to them, as you can take absolute control of the computer.

Techniques to perform privilege escalation include:

1. Password spraying (Reusing passwords)
2. Cracking password hashes (Finding passwords of other users)
3. Finding ssh keys (Used for horizontal escalation)
4. Abusing SUID binaries (Taking advantage of misconfigured privileges in Linux)
5. Running tools scripts to look for escalation routes (enum4linux is nice and PEASS-ng has a great suite)

Post-Exploitation

Code with text “malicious virus” | Credit: Wallpaperflare.com

Usually, white hats skip over to the very last step. But I will include this and the next for the sake of knowledge.

Post exploitation is the use of tools with the aim of gaining persistence and obtaining sensitive information from the target computer.

This could be done in a number of ways including:

1. Installing a permanent backdoor, listener, or rootkit
2. Installing malware such as viruses and trojans
3. Downloading intellectual property, sensitive information, and Personal Identifiable Information (PII)

Covering Tracks

An Anonymous themed background | Credit: Wallpaperflare.com

This is as simple as it gets, but can be incriminating if there is even a slight mistake. A malicious hacker has to be careful to not leave behind files, scripts, or anything that can be used by a digital forensics expert to track the hacking back to them.

Some basic things to do would be to delete log files and the history file in Linux. The meterpreter payload even has a feature to delete all logs on the Windows Event Manager.

Reporting

Digital report writing | Credit: Wallpaperflare.com

This is the final step of the hacker methodology. It involves writing down a basic rundown of the entire process you went through above.

There are various formats, but a basic one will include:

1. Vulnerabilities found and their risk level
2. A brief description of how the vulnerabilities were discovered
3. Recommendations on how to remediate the vulnerabilities

Tip: Note taking when hacking is very important. I personally learned this the hard way when doing CTFs (Capture The Flag).

Not only does it make it easier when writing reports, but they also allow you to avoid repeating failed attempts and sort through information easily. They also let you look back on what you’ve done later on. Taking screenshots is also a great idea.

Conclusion

Alright so let's do a quick recap of the hacker methodology:

1. Reconnaissance
2. Enumeration
3. Exploitation
4. Privilege Escalation
5. Post-Exploitation
6. Covering Tracks
7. Report Writing

Resources to help you practice:

1. Test your knowledge on the hacker methodology
2. Tips on how to protect yourself from hackers
3. More information about OSINT

Acknowledgements

Thanks to Chinaza Nwukwa, Holumidey Mercy, Georgina Awani, and my family for the inspiration, support, and knowledge used put this post together. You guys are the best.