
How can you learn to hack — without breaking the rules?

You might be an expert at learning new skills. But how do you learn to hack real-world vulnerabilities without landing in trouble?



Skanda Vivek

a year ago | 5 min read

There are 3 reasons why I think learning how to hack is an important skill:

1. Explosive growth in connected systems and vulnerabilities

It’s no surprise that the pace of data generation continues to accelerate — it is estimated that in the financial services sector alone, the data generated per second will grow over 700% in 2021. But along with this increased pace of data generation and the growing number of connected surfaces come more vulnerabilities. Recent events illustrate how hackers take advantage of every available weakness, including supply chain vulnerabilities — taking down multiple organizations at the same time by attacking a common trusted vendor. This is what happened in the Dec 2020 discovery of the SolarWinds Orion breach that impacted multiple Fortune 500 companies and governmental organizations. A basic knowledge of the vulnerabilities between networked systems, and of how hackers take advantage of them, could help those in charge of generating and using data be better prepared to reduce the risk of cyber-attacks.

2. A great way to learn networking fundamentals

Pablo Picasso once said:

“Learn the rules like a pro, so you can break them like an artist”

Learning to hack teaches you solid Linux, networking, and Internet fundamentals — all of which are important data science fundamentals as well. During the process of hacking you also learn how various protocols are built, and you gain a deeper understanding of them by enumerating and exploiting their vulnerabilities.

3. Jobs, Jobs, Jobs!

All of this sounds interesting, but where’s the money?

There is a growing job market in cybersecurity, and a shortage of people to fill it. A recent study predicts a $15,000 salary boost for employees with cloud security skills. Companies are expected to use AI based technologies to complement existing cybersecurity approaches, which could create new demand for skilled employees at the interface of fields like data science, machine learning, and cybersecurity.

OK, now that you are convinced that hacking is worth putting some effort into, let’s begin!

Getting started with TryHackMe

TryHackMe is a website created by 2 cybersecurity students who found learning cybersecurity to be a fragmented and frustrating experience due to the lack of hands-on resources.

tryhackme.com

TryHackMe has rooms dedicated to learning concepts in cybersecurity. Each room contains multiple questions that you need to answer in order to complete the room. This requires accessing (and attacking) the TryHackMe machines dedicated to the room through their IP addresses.

These machines can be attacked from another computer (the attacking machine) that is provided by TryHackMe. An alternative is to attack the target machine over a VPN connection through OpenVPN. Typically the lessons are not very straightforward, and passing them requires a combination of knowledge, persistence, and creativity (and of course — googling).

I prefer using the OpenVPN method, as I can have dedicated access to a Virtual Machine which I can then use to practice without necessarily connecting to TryHackMe. Also attacking a machine over VPN is much quicker than using TryHackMe’s attack machine — which for some reason is extremely slow.

TryHackMe remote access

Installing a Kali Linux Virtual Machine

Kali Linux is the hacker’s go-to operating system. It comes with most hacking programs pre-installed: Nmap, Metasploit, Hydra, and much more are a single command away. It is quite easy to install Kali Linux as a VMware virtual machine.

First you need to download VMware for your operating system.

VMware download

Next, download the Kali Linux virtual machine for VMware. That’s it, you are all set!

Kali Linux running on VMware | Skanda Vivek

Exploiting common vulnerabilities

The Complete Beginner learning path on TryHackMe has a room on network services that introduces some common vulnerabilities.

TryHackMe room on network services

The first service covered is SMB; let’s use it to demonstrate the process of hacking. SMB, the Server Message Block protocol, is a communication protocol for sharing access to files, printers, serial ports, etc. on a network. SMB vulnerabilities have featured in prominent cybersecurity incidents.

For example, the 2017 WannaCry ransomware, which targeted and encrypted data on computers running Windows (and demanded a ransom in return for decryption), exploited a vulnerability in Microsoft’s implementation of SMB.

This room is built around finding the SSH credentials of a particular user, which are stored on an SMB file share that is not properly configured.

Connecting to TryHackMe and the target machine

First, download the TryHackMe OpenVPN configuration pack for Linux.

https://tryhackme.com/access

Next, connect to the TryHackMe servers through OpenVPN.

If you are successfully connected, you should see a tick next to the Connected button.

Successful connection to TryHackMe server through OpenVPN

Next, go ahead and open the TryHackMe room on network services. Click on start the machine, and you should see the IP address.

https://tryhackme.com/room/networkservices

Now you are all set to start the hacking process and exploit the SMB vulnerability!

Enumeration

The first part of the process is enumeration: once you know the target IP address, finding out as much information as possible about the services, applications, and operating system running on it. A great tool for this is Nmap, an open source network scanner that reveals open ports and the services listening on them. Running:

nmap [IP address]

gives a list of the open ports among the 1000 ports Nmap scans by default. As you can see below, 3 ports are open.

nmap scan on TryHackMe machine with SMB vulnerability
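Reading a screenshot is fine for one host, but on your own network you will want to process scan results programmatically. The following is an added example (not code from the tutorial, the TryHackMe room, or Nmap itself) that parses Nmap’s “grepable” output format (`nmap -oG scan.gnmap <target>`) and attaches defender-side review notes to the open ports. The scan output embedded below is constructed to mirror the three open ports described in the text; the host address and the review notes are assumptions for illustration.

```python
"""Parse Nmap 'grepable' (-oG) output and flag services worth a closer look.

Added example for this tutorial, not part of the TryHackMe room or Nmap.
The scan text below is constructed (not a real scan); produce real input
with `nmap -oG scan.gnmap <target>` on a host you are authorised to scan.
"""
import re

# Constructed sample of nmap -oG output; the address is a placeholder.
SAMPLE_GNMAP = """\
# Nmap 7.91 scan initiated as: nmap -oG scan.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
# Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
"""

# Assumed review notes for the services the room revolves around:
# SMB (139/445) exposing a share that holds an SSH (22) key.
REVIEW_NOTES = {
    22: "ssh: confirm key-only auth and that private keys are not stored on shares",
    139: "smb/netbios: review share ACLs and disable guest access",
    445: "smb: review share ACLs and disable guest access",
}

# One -oG port entry looks like: 445/open/tcp//microsoft-ds///
PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        # Only 'Host:' lines carrying a 'Ports:' field hold scan results.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Fields are tab-separated; drop the trailing 'Ignored State' field.
        ports_blob = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = []
        for match in PORT_FIELD.finditer(ports_blob):
            port, state, proto, service = match.groups()
            entries.append((int(port), state, proto, service))
        hosts[host] = entries
    return hosts


def open_ports(parsed, host):
    """Sorted list of open port numbers for one host."""
    return sorted(p for p, state, _, _ in parsed.get(host, []) if state == "open")


def review_findings(parsed):
    """Map each host to the review notes for its open ports of interest."""
    findings = {}
    for host, entries in parsed.items():
        notes = [REVIEW_NOTES[p] for p, state, _, _ in entries
                 if state == "open" and p in REVIEW_NOTES]
        if notes:
            findings[host] = notes
    return findings


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for host in parsed:
        print(host, "open:", open_ports(parsed, host))
    for host, notes in review_findings(parsed).items():
        for note in notes:
            print(f"{host}: {note}")
```

Feed the output of a real scan into `parse_gnmap` and the same review notes apply to every host in the file; the point is that an open 139/445 next to an open 22 is exactly the combination this room turns into a foothold, and it is cheap to spot on your own hosts before anyone else does.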

Enum4Linux, pre-installed on Kali Linux, is a great tool for enumerating SMB hosts: it lists users, groups, and shares. Running it against the target reveals a file share named “profiles” that sticks out because it seems to contain user profile information.

The “profiles” share sticks out as it might contain sensitive user information

Exploitation

The next step is exploitation — checking whether the information we got from enumeration can be used to gain access to the machine. We use smbclient to see if we can access the SMB share with an anonymous login.

Exploitation through misconfigured SMB share

In this case, the profiles share has been improperly configured to let an anonymous user (username: Anonymous, blank password) access it.

You get lucky and find the user’s .ssh directory within the share.

SMB share contents

As you might suspect, the .ssh folder contains an RSA key pair (public and private keys).

RSA keys for SSH

From the smbclient prompt, you can download the keys to your local computer using:

mget rsa*

On your local computer, from the comment at the end of the id_rsa.pub file, you see that the username is cactus.

RSA public keys and username from id_rsa.pub file

Next, copy both keys into the ~/.ssh directory and restrict the permissions of the id_rsa file (chmod 600 ~/.ssh/id_rsa), so that only you have read and write access to it; ssh refuses to use a private key that other users can read. And now you can ssh into the compromised machine!
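The two small steps above, reading the username from the public key’s comment and fixing the private key’s permissions, are the kind of thing worth automating when you handle keys regularly, and the permission check is also what ssh itself enforces. The following is an added example (not code from the tutorial, the room, or OpenSSH) that does both. The key material in it is a constructed placeholder, not a real key, and the `user@host` comment is an assumed value in the format ssh-keygen writes by default.

```python
"""Read the user hint from an id_rsa.pub comment and make id_rsa private.

Added example for this tutorial; not part of OpenSSH or the TryHackMe room.
OpenSSH refuses a private key readable by group or others ("UNPROTECTED
PRIVATE KEY FILE"), which is why the text runs chmod 600 on id_rsa.  The key
material below is a constructed placeholder, not a real key.
"""
import os
import stat
import tempfile

# Constructed placeholders; the comment follows ssh-keygen's user@host form.
PLACEHOLDER_PUBKEY = "ssh-rsa PLACEHOLDER-NOT-A-REAL-KEY cactus@example-host\n"
PLACEHOLDER_PRIVKEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "PLACEHOLDER-NOT-A-REAL-KEY\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def user_from_pubkey(line):
    """Return the user part of the trailing 'user@host' comment, or None.
    The comment is only a hint left by ssh-keygen; it is not authoritative."""
    parts = line.split()
    if len(parts) < 3:          # type, base64 blob, comment
        return None
    comment = parts[-1]
    return comment.split("@", 1)[0] if "@" in comment else None


def key_mode_is_safe(path):
    """True if no group/other permission bits are set (0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def restrict_key(path):
    """Apply the equivalent of `chmod 600 path` and return the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Write a placeholder key with loose permissions, then fix it.
    Returns (mode_before, safe_before, mode_after, safe_after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id_rsa")
        with open(path, "w") as f:
            f.write(PLACEHOLDER_PRIVKEY)
        # A file copied off a share typically lands world-readable.
        os.chmod(path, 0o644)
        before = stat.S_IMODE(os.stat(path).st_mode)
        safe_before = key_mode_is_safe(path)
        after = restrict_key(path)
        safe_after = key_mode_is_safe(path)
        return before, safe_before, after, safe_after


if __name__ == "__main__":
    print("user hint:", user_from_pubkey(PLACEHOLDER_PUBKEY))
    before, safe_before, after, safe_after = demo()
    print(f"mode {before:o} safe={safe_before} -> mode {after:o} safe={safe_after}")
```

`key_mode_is_safe` mirrors the test OpenSSH applies before loading a key (any group or other bit set is rejected), so you can run it over a whole `~/.ssh` directory to catch keys that ssh would refuse. The username check is a hint only; the comment field can say anything, so it tells you where to try first, not who the key belongs to.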

And Success! — You now have SSH access to the machine!

Congratulations, you have completed the room!

Apart from SMB, TryHackMe features numerous other communication protocols and vulnerabilities to exploit.

Conclusions

There’s currently a cybersecurity talent drought — by some estimates there is a gap of around 3 million qualified cybersecurity professionals. I’ve shown how to get started in learning how to enumerate and exploit a vulnerable IP address. However, cybersecurity is much more than just preventing individual exploits from occurring. Due to the complexity of connected interfaces, it is becoming harder and harder to secure systems against attackers.

This is why there are huge opportunities at the intersection of AI and cybersecurity. The UK company Darktrace, which recently went public, says it stops cyber disruptions through self-learning AI. Recently, Darktrace has partnered with Microsoft to protect organizations that use various Microsoft services.

I hope this tutorial motivates you towards your hacking journey! You may not end up becoming a penetration tester, but there is a lot you can learn during the process of gaining cybersecurity skills. And who knows, maybe you land an awesome career at the intersection of AI and cybersecurity!

Created by

Skanda Vivek

Senior Data Scientist in NLP. Creator of https://www.answerchatai.com/
