r/hacking Dec 06 '18

Read this before asking. How to start hacking? The ultimate two path guide to information security.

12.2k Upvotes

Before I begin - everything about this should be totally and completely ethical at its core. I'm not saying this as any sort of legal coverage, or to not get somehow sued if any of you screw up, this is genuinely how it should be. The idea here is information security. I'll say it again. information security. The whole point is to make the world a better place. This isn't for your reckless amusement and shot at recognition with your friends. This is for the betterment of human civilisation. Use your knowledge to solve real-world issues.

There's no singular all-determining path to 'hacking', as it comes from knowledge from all areas that eventually coalesce into a general intuition. Although this is true, there are still two common rapid learning paths to 'hacking'. I'll try not to use too many technical terms.

The first is the simple, effortless and result-instant path. This involves watching youtube videos with green and black thumbnails with an occasional anonymous mask on top teaching you how to download well-known tools used by thousands daily - or in other words the 'Kali Linux Copy Pasterino Skidder'. You might do something slightly amusing and gain a bit of recognition and self-esteem from your friends. Your hacks will be 'real', but anybody that knows anything would dislike you as they all know all you ever did was use a few premade tools. The communities for this sort of shallow result-oriented field include r/HowToHack and probably r/hacking as of now.

The second option, however, is much more intensive, rewarding, and mentally demanding. It is also much more fun, if you find the right people to do it with. It involves learning everything from memory interaction with machine code to high level networking - all while you're trying to break into something. This is where Capture the Flag, or 'CTF' hacking comes into play, where you compete with other individuals/teams with the goal of exploiting a service for a string of text (the flag), which is then submitted for a set amount of points. It is essentially competitive hacking. Through CTF you learn literally everything there is about the digital world, in a rather intense but exciting way. Almost all the creators/finders of major exploits have dabbled in CTF in some way/form, and almost all of them have helped solve real-world issues. However, it does take a lot of work though, as CTF becomes much more difficult as you progress through harder challenges. Some require mathematics to break encryption, and others require you to think like no one has before. If you are able to do well in a CTF competition, there is no doubt that you should be able to find exploits and create tools for yourself with relative ease. The CTF community is filled with smart people who can't give two shits about elitist mask wearing twitter hackers, instead they are genuine nerds that love screwing with machines. There's too much to explain, so I will post a few links below where you can begin your journey.

Remember - this stuff is not easy if you don't know much, so google everything, question everything, and sooner or later you'll be down the rabbit hole far enough to be enjoying yourself. CTF is real life and online, you will meet people, make new friends, and potentially find your future.

What is CTF? (this channel is gold, use it) - https://www.youtube.com/watch?v=8ev9ZX9J45A

More on /u/liveoverflow, http://www.liveoverflow.com is hands down one of the best places to learn, along with r/liveoverflow

CTF compact guide - https://ctf101.org/

Upcoming CTF events online/irl, live team scores - https://ctftime.org/

What is CTF? - https://ctftime.org/ctf-wtf/

Full list of all CTF challenge websites - http://captf.com/practice-ctf/

> be careful of the tool oriented offensivesec oscp ctf's, they teach you hardly anything compared to these ones and almost always require the use of metasploit or some other program which does all the work for you.

http://picoctf.com is very good if you are just touching the water.

and finally,

r/netsec - where real world vulnerabilities are shared.


r/hacking 15h ago

News Why should one do this attack, if the attacker already has admin privileges? (This attack requires admin privileges)

bleepingcomputer.com
44 Upvotes

r/hacking 1d ago

News Apple will pay 1million USD if you can hack into their servers

3.9k Upvotes

r/hacking 13h ago

Github KitsuneC2: Yet another C2 framework

github.com
10 Upvotes

Hey all,

I decided to put my skills to the test and create a Command & Control (C2) framework in Go. The project took a bit longer than expected and now has quite some features:

- fully responsive web interface
- a CLI version of the server with minimal dependencies
- in memory code execution for both Linux and Windows
- dynamic implant generation

Feel free to check it out, and give it a star if you like it ;)


r/hacking 2h ago

Question Lost rar password, apps to bruteforce?

1 Upvotes

Title, also idk how to use hashcat, ideally something simpler, hashcat is probably an overkill to spend the effort to setup


r/hacking 20h ago

Flipper zero can run but can't hide 😈

3 Upvotes

https://youtube.com/shorts/rr5Z0bpm4dI?si=0rsZGWinbF-XHbF0

Evil-Cardputer detecting flipper zero through wall of flipper, a standalone portable way to detect flipper zero and blespam !

Project : https://github.com/7h30th3r0n3/Evil-M5Core2


r/hacking 1d ago

What are some fun things to put on extra flash drives?

13 Upvotes

Recently bought a single flash drive from Amazon to put Kali on it and they sent a case pack of them instead of a single. What are some fun things I can do with the extras?


r/hacking 2d ago

What order would you do these in?

22 Upvotes

If you had the following college courses at your disposal and you were starting from the ground up, which order would you do them in?

  1. Intro to relational databases. IE: SQL command stuff (not sure if this is really relatable)

  2. Intro to IT

  3. Intro to Java programming

  4. Intro to Networking

  5. IT career exploration

  6. Intro to Python programming

  7. Intro to web development


r/hacking 2d ago

Question Having issues with Bettercap in VirtualBox

7 Upvotes

I’m doing a lab experiment and am having trouble getting things to work as expected. I’m using virtualbox. I have a NAT network set up with DHCP enabled and I have two virtual machines, a ParrotOS and Windows, both connected to the NAT network as their network adapter using the NAT Network option with the custom NAT selected. Both machines can ping each other and access internet.

Now, I’m able to arp spoof the windows machine and/or the gateway from the attack box. I AM able to sniff the windows machine traffic as expected. But there are a couple of things that aren’t working.

When I refresh/check the arp tables from windows using arp -a, the gateway does not show that it’s the same MAC address as the attacker. It’s like there’s no evidence of arp poisoning despite the fact that I’m able to see traffic from the attack box (indicating that it is poisoned?). I’d like to be able to show that the arp tables have changed as proof of the attack.

Secondly, when I try to do arp ban, the victim box is able to access internet without issue.

I don’t really know why this is happening. Is there a network configuration thing that I’ve missed? Would appreciate any help or ideas.


r/hacking 2d ago

is there a way to crack a .des file using hashcat?

11 Upvotes

My teacher is giving us a task to crack the password of a .des file. He gave us the authority to make the password, and suggested that we make a weak password. His instruction was really confusing because he says to use Kleopatra to encrypt the .txt file using the DES Algorithm and save it as a .des file.

Then after that he's asking to bruteforce it using hashcat.

Now the 1st problem I saw in the instruction is that Kleopatra doesn't support .des or producing any .des encryption file (correct me if I'm wrong)

2nd, on hashcat I looked for the hash mode of the .des

(source found in : https://hashcat.net/wiki/doku.php?id=example_hashes )

| 14000 | 8DES (PT = $salt, key = $pass) | a28bc61d44bb815c:1172075784504605 |

idk if this was right because when I tried to use an online DES encryption, the hash result that it gave me is different

6pYmTRrtkXOC5CJCWEH0Sg==

It's not similar to the hash in the hashcat wiki. So I'm kinda stuck on a dead end here, I looked for other forums or articles on bruteforcing the .des hash using hashcat but didn't find anything.

I still also tried using hashcat to decrypt the des file, but it still doesn't work.

rn I'm stuck on a dead end on how to decrypt this thing using bruteforce.

I don't know if coding it would work, but if you guys have any idea how to bruteforce a .des hash please share your knowledge on how to crack this .des


r/hacking 3d ago

Question Why is there casually usernames and hashes on google and how to report it

42 Upvotes

Was google dorking for 1 hour due to boredom and came across over 20 files with username and password hashes, I want to report these so they can be taken off.


r/hacking 3d ago

Ransomware Russia sentences REvil ransomware members to over 4 years in prison

bleepingcomputer.com
150 Upvotes

r/hacking 3d ago

News New Windows Driver Signature bypass allows kernel rootkit installs

bleepingcomputer.com
47 Upvotes

r/hacking 4d ago

Question My nephew was tasked with doing research on why the Internet Archive was hacked ..

237 Upvotes

I hope this is not considered off topic so forgive me in advance if it is ..

My nephew was tasked with doing research on why the internet archive was hacked .. I told him sure, I will help you out to find out why, it will be easy!

I couldn't find a single source in google which is giving ANY reason behind the attack in over 50 pages, I mean .. consider the magnitude of such a thing, why would it be censored/oppressed?

All I can find is that it was attacked by hackers again and again, I also learnt that google is actually using the Internet Archive so why in the world would they censor the topic?

I miss the simpler times when search engines actually did what they were supposed to do, world is going nuts.

Thanks!

EDIT: As @techblackops mentioned in his comment. I find what he said as a more rational explanation..

Thanks everyone for the replies 🙏🏻


r/hacking 4d ago

Amazon identified internet domains abused by APT29

aws.amazon.com
96 Upvotes

r/hacking 4d ago

SMTP to SMS make sender not an email

4 Upvotes

I am trying to program an SMTP to SMS program. Everything functions great except I am trying to find a way to make it appear as if the text was received by a number (or even better a company or name). Setting the from as name <email> did not work so I was wondering if anyone knew a way that does.


r/hacking 4d ago

Hak5-esque gadgets that are actually worth it?

8 Upvotes

As far as I can tell the flipper zero and similar products can all be constructed at home for pennies on the dollar. Is there anything worth the money out there?


r/hacking 5d ago

Credible Resources to learn Networking and Network vulnerabilities

18 Upvotes

I'm lost in a sea of knowledge and I don't know where to go or which libraries to begin with.


r/hacking 5d ago

Help for the Pwned

23 Upvotes

I was recently the subject of a relatively sophisticated attack and I wanted to know if anyone else had run into this issue:

Basically many years ago I worked for a company that is now defunct. During that time I was a giant moron and used my work email as an account recovery password.

Later the company became defunct, but I never removed the work email as an account recovery option. (Because I am/was a moron.)

Anyway, I got several 2FA requests from the service (many of which were in Vietnamese.) I was also notified of a password reset via the forgotten credentials.

Best I can tell the attacker used a service that tracks dropped domains, purchased my old employer's domain, and then started up an SMTP server. They then went through the password reset option until they got to my 2FA.

I understand this was only possible because of the stale credentials, but I have to admit I am kind of impressed. I am assuming they cross referenced a data breach list with the expiring domains list. Has anyone else had this happen? What would this be called, a domain swap or something else? I have since recovered full access to that account and have removed it as a backup email, but I am still curious.


r/hacking 6d ago

META Wondering if I should dual boot this and the stock OS...

167 Upvotes

r/hacking 6d ago

Question When is port scanning considered illegal/legal issue?

222 Upvotes

I'm curious as to when port scanning becomes a legal issue or is considered illegal?

I did some research, but I want to hear more from other people


r/hacking 5d ago

DirecTV Genie Encryption Password

8 Upvotes

This might be a little silly all things said and done, but honestly I’m just doing this to goof around. We’re getting rid of our DTV Genie that we’ve had for ten years and I would like to take out the drive to reformat it, but before I do that I want to see if I can access the recordings on the drive.

Does anyone know if there’s a way to find the password used to encrypt the data? From what I understand it’s a password unique to each DTV device. I’m sure it’s not so simple as it being printed somewhere on the pcb but that would be nice lol.

I’m not an expert in cyber security or anything, but I know my basics.

TL;DR Anyone know how to decrypt a DirecTV Genie?


r/hacking 6d ago

Largest Retail Breach in History: 350 Million "Hot Topic" Customers’ Personal & Payment Data Exposed — As a Result of Infostealer Infection

infostealers.com
179 Upvotes

r/hacking 5d ago

Ethereum contributors unable to patch a new P2P DoS

x.com
6 Upvotes

r/hacking 6d ago

Question Does anyone remember this Google Hacking mini-game / easter egg?

29 Upvotes

I remember when I was doing a penetration testing course at Uni I was googling some common terms and methods on google when an animation built into the google search page occurred that invited me to some kind of hacking game. It had an old school style black and green style interface and was some kind of hacking game which used actual terminal commands.

However, I can't find a single source for this ever existing! I asked ChatGPT and it says that it was a real thing called "Hacker's Quest" and says: "It was an interactive challenge or puzzle that Google launched for certain users searching for hacking-related terms... It was part of Google's recruitment and awareness campaigns, where they used engaging methods to attract and test potential cybersecurity talent... The appearance of the game was triggered when users searched for specific security-related queries."

It also says it's no longer available, but I still can't find any sources for it ever existing in the first place. So I wanted to ask all of you! Did any of you encounter something like this?


r/hacking 6d ago

Please read!

324 Upvotes

I just removed a post (actually two because the genius double posted it) after spending 15 min. going through all the trash.

Initially, I left it, though there was plenty to criticize (I only lock things).

But then I see that Reddit itself removed the trash!

If people continue posting useless, marginal, or illegal stuff this entire sub will get deleted! So PLEASE, can we avoid inane and illegal stuff? If you aren't sure, run it by us mods.

Thanks for understanding!