Getting Started in Ethical Hacking
There is a Catch-22 problem in the Cyber Security industry here in the UK. On the one hand, the government and media are saying that Cyber Security threats are a major concern, that there are not enough Cyber Security professionals to meet the demand, and that more must be done to combat this problem. Yet we are making it so difficult for people to get into the industry. For example, a Cyber Security degree will set you back £27-£40k and it’s considered to be a mere stepping-stone. In addition, the current strategy appears to mainly target those aged 16-19. Very little is being done to persuade those already working in the IT profession with transferable skills to switch to Cyber. Industry certifications are exorbitantly expensive and employers won’t even consider you without years of experience in the field.
I’ve been working in the IT industry for over 25 years and I found myself in the same boat as everyone else wanting to switch to Cyber but facing many hurdles. The courses and certifications are prohibitively expensive and some aren’t even worth the paper they are written on. Employers and clients won’t even consider you for a junior role unless you have certificates X, Y and Z as well as at least four years in the industry. Seriously, go look at the job boards: it’s becoming a joke, but not a funny one.
After completing one of those expensive certifications I realised that I was no nearer my goal of entering the industry. I didn’t fancy becoming an intern at my age and I wasn’t about to spend more money on further certifications with no guarantee of work.
The weekend after completing the certification I booted my laptop with my Kali virtual machine and started playing with nmap. I scanned my home network and then, once it was mapped out, I probed all the connected devices and ended up finding security weaknesses within two of them. The whole activity was a lot of fun and entirely legal as it was my own home network. It also cost me nothing other than time and effort.
This got me thinking back to my own career in Quality Assurance (QA). I only have one certification and that’s only because one particular employer early on in my career offered to pay for the exam (not the training). My skills in QA were acquired through a combination of hands-on experience and autodidacticism. Constantly striving to improve my craft, I would devour every book and article on testing and play with every new tool, framework and methodology I could get my hands on. So why not apply this process to Cyber, or in my case, Ethical Hacking?
This article aims to give the reader some ideas of how they too can start their own journey towards becoming an ethical hacker without spending any money on courses or certifications. Standard disclaimer: I’m not a trainer or certified expert in all things Cyber and don’t play one on the internet ;) so please do your own research. Everything in this article is my own opinion based on my own experiences and is written down for reference only.
Definitions used in this article:
Free - By free I mean in terms of money. You still have to invest time and effort in order to acquire the skills and experience.
Ethical Hacking or Hacker - The techniques and tools used by the Cyber Security profession including Penetration Testing can be used for both good and bad. In this article all references to hacking relate to the good. You should only practice hacking against targets that you own or have permission to attack. Consult the laws and regulations in your own country.
The rest of this article follows the learning process I have followed and the tools, techniques and resources that have helped me. My own Cyber Security path is ongoing but I wanted to take the time to write up the following in the hope that it may help others on a similar path.
YouTube and your home network
In order to practice Ethical Hacking you need a target and there is none better (both legally and in terms of cost) than your own home network. These days the average home network consists of a network router (broadband modem) with a myriad of devices attached, ranging from home computers, tablets, smartphones, smart TVs, printers and set-top boxes to other smart devices. With the help of Ethical Hacking follow-along videos on YouTube you can map out your home network using a tool like nmap and then probe each device further, scanning for weaknesses. It’s a great way of learning how scanning tools work as well as learning more about how your home network is structured and what each device is actually doing. You may even find some security holes that you can patch!
OWASP (the Open Web Application Security Project) offers some free tools that can help you learn about attacking (and defending) web sites. Juice Shop is an intentionally vulnerable e-commerce website that is easy to install and run. Employing gamification, Juice Shop acts as both a web application that you can legally attack (when installed on equipment you own or have permission to attack) and as a scoreboard.
Once installed, you can play with Juice Shop, navigating its functionality as if it were a real e-commerce site. Once you have found the (slightly) hidden scoreboard you can score points for each challenge you complete. The hacking challenges range from easy (1-star) to very hard (6-stars). There are 100 challenges in all and the scoreboard tracks your progress, auto-saving completed challenges.
You can also use Juice Shop as a target against which to test hacking tools. For example, OWASP ZAP allows you to scan web sites for vulnerabilities. Pointing ZAP at your instance of Juice Shop will allow you to become familiar with ZAP’s features and controls without fear of doing any harm to a website in the real world. If you accidentally mess up your copy of Juice Shop you can just reinstall it. Don’t forget to back up your scoreboard beforehand!
Learning Ethical Hacking can be fun, but there are quirks and nuances that mean playing with the tools and techniques on your own computer may not be best practice. For example, just the action of keeping notes in a text file can trigger your antivirus to quarantine them if they contain example injection code or reverse shells. I was forever telling Windows Defender to ignore this file or that before I switched to storing my notes in the cloud. Best practice is to use a virtual machine (VM) for learning hacking. The majority of hacking tools appear to be Linux-based, so in my opinion a Linux distro is ideal as your operating system of choice for learning ethical hacking. Having a Windows operating system at hand is also useful to round out your knowledge.
Over the years I’ve played with a selection of Linux distros. When deciding on a distro to be my pen-testing rig I used both Kali and Parrot for a while, but my preference is Kali as it’s the most widely supported of the distros aimed at ethical hackers, and most how-to articles and videos use Kali.
CTF (HTB and THM)
At this point you are probably eager to learn more. I know I was. After mastering tools like nmap and OWASP ZAP and learning about the OWASP Top Ten with the help of Juice Shop, you probably want to know how to attack different types of targets and to use even more tools. A great way to do this is to try online learning sites that employ gamification and Capture The Flag (CTF) learning methodologies. My personal favourite is Hack The Box (HTB). I started with the HTB Academy as you can do a bunch of free modules that, when completed, yield 40 cubes (the HTB currency). You can then attempt more free modules that cost 10 cubes each and yield 10 cubes when completed. You can pay for more cubes if you want, but if you put in the effort you can actually learn a lot with no money spent (only time and effort). You are constantly spending the same cubes over and over again and earning them back by putting in the effort. At the time of writing I have 37 cubes as I have two active modules that are proving difficult to complete. I won't give up though as I want those three cubes back!
Once you feel confident enough you can register with HTB itself. Registration is in itself a challenge, one that is more complex than finding the scoreboard on Juice Shop and a lot more fun! HTB offers virtual machines that you can attack in a CTF manner with two flags to capture: user and root. There are also challenges that you can complete that will teach you web hacking techniques, steganography, OSINT, hardware hacking and so on.
Another popular site is Try Hack Me (THM), which is similar to HTB and which I dip into on occasion. That said, I’m not as big a fan of THM as I am of HTB, as you cannot seem to complete a module without paying a fee, so the free content is just bits of modules here and there. Plus the lessons are very, very basic, aimed at the complete beginner with little to no IT experience. That said, if that is you then I suggest consuming all you can of THM first before switching to Juice Shop and then HTB. I still recommend learning nmap and scanning your home network and attached devices first.
Cheating is not cheating
Cheating is not cheating. Let me explain. Ethical Hacking is actually hard to learn and even harder to master, and therefore cheating is encouraged. To clarify, by cheating I mean reading a walk-through or write-up or watching a YouTube video on how to solve a challenge such as an HTB machine. This is not cheating if you learn from the process. If you cheat just to get a better score but don’t actually learn anything from the experience then you are only cheating yourself. However, if you learn a new technique, tool, methodology, framework etc. and it allows you to progress, avoiding getting stuck and giving up, then great.
As an example, let’s say I’m attempting a machine on HTB and I get stuck. I’ve tried everything I can think of in my playbook (a set of Ethical Hacking notes I keep on tools and techniques I’ve learned so far). So I’ll fire up Google, find a write-up or YouTube video, and follow it up to and including the solution for the part I’m stuck at. I’ll bookmark the info and go back to hacking until I get stuck again. Once I’ve completed the challenge I’ll go look for as many write-ups or videos on the challenge as I can find to see if everyone else solved it the same way. Usually I find that people have come at the challenge from different angles with different tools, and I’ll try them all to see if I like them. If I do, I’ll add the tools and tips to my own notes and playbook. I’ve learned a lot this way, especially from watching videos by people like Ippsec and John Hammond and write-ups by people like Samantha.
Compare yourself to yourself yesterday
You’ll find as you progress that you are constantly learning, and as the learning process employs gamification you are having fun while doing it. I know I am. My knowledge of Linux and Windows has improved. I’ve written shell scripts from scratch to automate tasks I perform a lot. I’ve learned Python by hacking other people’s code and playing with exploit scripts. I wrote a Python program that brute-forces LDAP logins by hacking a bunch of pre-existing Python scripts together that I downloaded from GitHub combined with some code I wrote after Googling the syntax I needed. I haven’t followed any Python training videos (yet). I just needed to automate a process and cobbled something together out of what was available. You’ll find that you do that a lot in hacking.
One tip I’ll give you is to not compare yourself to others. Don’t look at Hacker X on YouTube/Discord/Twitch and think you’ll never be as good as them. Instead, compare yourself to yourself yesterday. How much more do you know today over what you knew yesterday? I am constantly learning and hardly a day goes by where I haven’t learned something new, whether it’s a useful tool like tmux or some Linux commands that can be piped together to do something that would take you a while to develop as a script. Each day you put in adds something to your skills and experience. The more you practice, the more it becomes second nature.
It’s like going back to University, only deeper
Sometimes I feel like I’m back at University learning IT all over again, only this time I’m more focused and I’m going deeper. This time around I don’t need to just know the basics of HTTP. I’ve got a print-out of all the official (and unofficial) response codes by my desk, as well as the known issues with the standards, the methods, headers etc. Whereas previously, working in QA, I’d be using a GUI tool like SoapUI, Postman or JMeter, today I spend a lot more time on the command line, so I use curl (a lot) and I’m piping like there’s no tomorrow. I also have a print-out of the OSI model, common port numbers and their assignments, and other charts at hand. I’ve also written my own cheat sheets. No one is expected to remember everything, so learn to love cheat sheets!
You’ll find yourself delving deep into protocols, Operating Systems, popular application documentation and other reference material just so you can learn more about something that may help you get a foothold or root on a machine that you are attacking. And the weird thing is that it won’t feel like learning. Not like the boring lecture or textbook formula that most education establishments I’ve frequented over the years employ. No, this is gamified learning. You are learning to get better at capturing those flags and to increase your hacker rank on sites like HTB.
Competitions, battles and speed-runs
You’ll get to a point where you start to feel that you are getting pretty good at this. You could even call yourself an expert if you want, as the definition of expert is "Someone that knows more about a particular subject than the average person". You may be able to hack Medium-level machines on HTB and fly through the challenges without the aid of a write-up. Then you try something like HTB Battlegrounds and you think WTF?
Battlegrounds is where you go up against another random hacker located somewhere in the world. The goal is to own the box first. The first time I tried this I was owned in no time. By the third attempt I realised that the trick is to take all that you have learned to date and to apply some thinking. For example, in my playbook I had a set of tools that I would try against a box running a web server, in this order: nmap, whatweb, nikto, gobuster (dir then vhost) and Firefox with Burp/ZAP. When I learned about tmux I switched to running some of these tools in parallel as they can take time to complete. The problem is that battles have more in common with speed-running than linear hacking. You only have minutes to capture the flags, so the fastest hacker wins. So sure, fire off an nmap scan (a simple, fast one), but don’t run whatweb; instead assume that there is a web server running and try accessing it with your browser or even curl (faster). Don’t bother with nikto unless you want to fire and forget it in another shell window, only referring to it if none of the usual go-tos work.
Speed hacking can be a lot of fun as it takes what you’ve already learned, all those tools and techniques, and forces you to apply exploratory testing techniques to the hack in progress. Your thinking switches from probing and following steps to logical thinking. If the target is running A and B then attacks X and Y are more likely to work, forcing you to place your effort where it is more likely to yield results rather than relying on the run-time and findings of automated tools. Plus you will learn how to craft tools to work faster in a more targeted way, and you will get better at automating your playbook.
Hacker battles are just another step in your learning journey. Take what you’ve learned so far and make it second nature, memorising your favourite tools and arguments that can be employed at every point you pivot.
Being part of the community
Ethical Hacking does not have to be a solitary activity. You don’t have to learn on your own all the time. There are communities of like-minded individuals out there that want to share their knowledge and experiences with you as well as to make new friends. Sites like HTB and organisations like OWASP offer communities where you can make new friends and share knowledge while having fun along the way. Plus, with the worldwide pandemic, more of these communities are online, as are their events. Taking OWASP as an example, I have found that there are so many chapters worldwide offering free events (via Meetup) that I can attend 1-10 events a month depending on how early I am willing to get up or how late I am willing to stay awake. On one particular day I was attending OWASP Sydney’s Fight Club at 7am, then attending various worldwide chapter meetings throughout the day, followed by OWASP Seattle’s lunchtime event at 8pm.
Cyber Security is not just about hacking, so it pays to round out your knowledge by learning more about the industry. There is so much content on the internet and not enough time in the day, so I find that absorbing content via passive learning is a great way to round out my knowledge. When driving, walking, doing jobs around the house or just resting I find that podcasts are a great way to passively absorb content. Even if you only take in a small percentage of what you hear, it’s more than you knew previously. My favourite go-to podcast is Security Now.
My current computer setup utilises multiple screens. While hacking on one screen I’m often on Discord, Twitch or YouTube on another screen off to one side. I passively listen to videos from the likes of Stok, InsiderPhD, Nahamsec and LiveOverflow. I have Notepad++ open in the background with several tabs open, labelled "To learn" and "Acronyms". In the first I just paste in the names of tools, techniques, frameworks etc. that I heard mentioned, that sounded interesting and that I intend to check out later. I’ll return to this list when I want to learn something new. Once I’ve learned something I delete it from the list. The second is a list of acronyms that I’ve heard mentioned (every profession has its own techno-speak) and that I don’t know the meaning of. I’ll add the acronym, then look up its meaning, type it out and go read up on it. This text file then also serves as a reference if I hear someone throwing out an acronym in future that I’m not sure about.
Learning via gamification and CTFs is a great way to start your Ethical Hacking journey. You will learn the tools and techniques employed by Ethical Hackers and how to make use of them in a fun way. The next logical step is to start applying your new skills in the real world. Real targets are not gamified. They are employed to carry out functions and provide services for their owners and their customers. They will (hopefully) employ Cyber Security systems designed to keep hackers and malicious software out. Using automated tools is going to trip those defences, locking you out and possibly even blocking your IP from further access. You will need to learn stealth techniques (read up on the methodology around the OSCP certification as an example). For me, the next steps are signing up to Bug Bounty programs, CTF competitions and learning defensive techniques (the Blue part in Red v Blue).
Before I sign-off I’d like to leave you with this analogy:
There are two people, both millionaires, who both find themselves bankrupt. The first built their fortune by building a business from nothing into a profitable enterprise but lost it all due to changes in the market. The second won the lottery and promptly spent it all. Which of the two is more likely to become a millionaire once again? In building their business, the first person learned all about setting up a company, sales and marketing, finances, investors and a lot more. Those skills and experiences don’t just go away. If anything, the path to being a millionaire once again will be faster the second time around for the first person, whereas the second was just handed their fortune on a plate and has no skills and experience to fall back on to get them back to being a millionaire, other than buying more lottery tickets and hoping the odds are in their favour.
The point I’m making here is that every day that you apply to learning your craft is not wasted. With each new skill you learn your knowledge increases, and pretty much everything you learn in Cyber is transferable to other fields in IT. Even if I myself don’t become a Penetration Tester, my skill-set as a QA will have massively increased. The security testing services I provided previously pale in comparison to the skills I have today. And besides, Cyber is such a big industry with many opportunities.
The best of luck on your journey!
If you have any issues, suggestions or feedback for this article please email me.
Last updated: 3rd March 2022