Getting into the hacker mindset

[seci]

Yes, this is a how-to-start-hacking topic. Yet another one.. I hope this topic will guide new hackers out there in the right direction. Or the direction which I see as right anyway.

Getting into the hacker mindset
By Seci of Evilzone.org

I have seen this board(Evilzone), and IRC- having a lot of people asking; Where to start? But there are few real good answers. There has been answers, but I can understand the issues surrounding answering, making none of the answers complete. And to be honest, there is no answer. Only guidence. Where to begin is not one fixed point. It will totally depend on what aspects of hacking you want to learn(first?). As well as your definitions of a hacker or and hacking.

Lets start off by getting some definitions straight. These are not facts, but rather how I like to see things. And how most other experienced hackers like myself views things. There are no right or wrong. But my understanding is that Evilzone got many of the same point of views as me, therefore I believe the coming definitions will fit smoothly for anyone browsing Evilzone and are willing to learn. If you disagree with my definitions you better have a good reason why. Or not. Who am I to judge.

<definitions>

A hacker is a knowledgeable person with a mindset fit to crack any challenge. He or she might even enjoy the challenge more than the end product. In general a hacker is creative, not destructive. But destruction will most likely happen at some point. A hacker will never let his challange go without a real fight. A hacker will act professional in all situations, speak properly and remain calm in any situation. And last but not least, a hacker has a lot of fun.

Hacking is in very broad words; Fixing, modifying or make something do something it was not designed to do. This is the stereotypical definition of hacking. Hacking is not limited to computer related stuff. This is an important note. However, the word hacking is today mostly used for the idea of computer-hacking.
Software exploitation is hacking because you are making the software do something it was not designed for.
Web-application exploitation is hacking because you are making the software run in a way the designer did not intend.
Reverse engineering is hacking because programs was not designed to be decompilable.
Social engineering is hacking because you are making people do something they would not have done without modification of the situation.
And so on.

</definitions>


Now we have laid down some ground rules for the coming words. Many of you probably already knew this. But this is a beginner topic. So we have to start with the basics.

Lets jump back to the question; Where to start?
Again, you have to pick a more narrow topic within the bounds of hacking. But then again, how can you do that when you do not know its aspects. I will try to list most of the aspects of hacking, but this is no way a complete list;



The stereotypical computer-hacker topics:

Software exploitation
- Exploiting user-input vulnerabilities like bufferoverflow to gain control over programs that was not intended to be controlled.
Will require a in-depth understanding of computer logics and programming. C/++, ASM, Perl or and Python are key languages that should be learned. In order to perform software exploitation you will need to know how to code vulnerable code, how to spot it and how to NOT code vulnerable code.
Can be used to hack almost any system, locally and remotely.

How to start:
- C# / VB
- Perl / Python
- C / C++
- Assembly
- Hacking theory ( Bufferoverflows )



Web-application exploitation
By far the most used method to get publicity now-days. Exploitation of server-side scripts and programs running web interfaces. Typical topics: Remote File Inclusion(RFI), Local File Inclusion(LFI), SQL injection, Cross Site Scripting(XSS) and Cross Site Request Forgery(CSRF). There will be other topics to, either mix-ups of the ones above, similar ones or completely different ones.
Must-know languages: PHP, HTML, Javascript, SQL and one of the following Perl, Python, C/++
You should also have good knowledge on TCP/IP stuff.

How to start:
- HTML
- Javascript
- PHP
- SQL (MySQL)
- Perl / Python
- C / C++
- Hacking Theory ( RFI, LFI, XSS, SQLi and SCRF )



Software modification
Changing software to do as you want it to. Typically called cracking, reversing or patching. This will allow you to remove or add things like license, mods, hacks to all sorts of applications.
To do this, you need an in-depth understanding of programming languages, compilers, linkers and IDE's. As well as understanding computer logic and machine code translated to Assembly. You will need to know how to work with a debugger and decompilers and disassemblers.
You probably need to know Assembly, C/++, Perl/Python and more wont hurt.

How to start:
- C# / VB
- Perl / Python
- C / C++
- Assembly
- Hacking theory ( Debugging, patching and mods )




Less computer related hacking:
Social Engineering
The ability to manipulate people into doing things they would not normally do in the given situation. Straight up tricking people.
To do this, you simply need to Practice. Don't force it, just act natural. Understand concepts of trust and so forth.
Many major hacks have been pulled off like this.

How to start:
- Chat around
- Chat some more
- Body language
- Facial expressions
- Trust concepts
- Psychology
- Start doing small scale engineerings
- Have fun






In addition, maybe except Social Engineering. In-depth computer logics, concepts and understanding are a must. But you don't really need to think about it that much, as you will gain that by learning to code, using your computer and so forth.





I will end this text here for the moment. This tutorial is not complete, maybe it will. Some time. There about a million more words that could be written. More to come later.






Notes:
- Hacker behavior
- Maturity
- Proper writing
- Coding is the key to all success
- How to start coding
- Coding project
- Make projects
- Make plans
- Write down ideas
- Follow your ideas
- Share your ideas
- Use Google
- Set goals
- Follow your goals
- Hacker mind set in every day life
- Good jobs
- Lots of money to be made
- Most importantly, have fun

[Teh-J0k3r]

Nice tutorial so far...as I know you want to add onto it, I think it would be useful to go a little bit more in depth. Like you say learn these languages, but how do I go about learning these languages. Should I read a book? What book? Should I look at code? Where do I find it? That kind of stuff...that's something I would like to see

Thanks!

[Huntondoom]

this looks like a really nice tutorial/how to start up
great job!

[Z3R0]

My favorite groups of people to social engineer are night club bouncers, and women. Otherwise I don't use it that much.

Being a good liar, and thinking quickly is mandatory for being a good social engineer.

[noob]

http://www.wikihow.com/Become-a-Hacker

[seci]

http://www.wikihow.com/Become-a-Hacker

Oh hello there thread pooper.

You clearly fail to see the value of Evilzone content and a guy who post links. Anyway, I might add some words from that article nonetheless. You probably want to read the entire post and realize its not even quarter done aswell.

[noob]

I posted link about hacker mindest,not cracker mindest

[seci]

I posted link about hacker mindest,not cracker mindest

Makes no sense.

Are you suggesting this topic is about a crackers mindset?

[noob]

Makes no sense.

Are you suggesting this topic is about a crackers mindset?

Yep,learning programing with goal to exploit things is cracker mindset,thats my opinion, not sure if others share same thoughts

[Kulverstukas]

A cracker is a person that uses his knowledge and brakes stuff and brakes into stuff. Nothing more to do for him.
A hacker is a person that uses his knowledge to brake stuff to fix it or to make it better, or make something better than already existing thing or something like that. Hacker mainly is a builder. To be a hacker does not mean that you have to break everything. Being a hacker means that you can hack up some wicked stuff, make something cool. In general "hack" in modern understanding means "trick". So "hacking" does not necessarily mean "tricking"

To sum it up, in my understanding, hacking means creating, or to be more precise, hacking means breaking stuff to make it better.

Script kiddies always mix stuff up and believes what the media tells them, therefore the media and script kiddies are fools.

[Stackprotector]

A cracker is a person that uses his knowledge and brakes stuff and brakes into stuff. Nothing more to do for him.
A hacker is a person that uses his knowledge to brake stuff to fix it or to make it better, or make something better than already existing thing or something like that. Hacker mainly is a builder. To be a hacker does not mean that you have to break everything. Being a hacker means that you can hack up some wicked stuff, make something cool. In general "hack" in modern understanding means "trick". So "hacking" does not necessarily mean "tricking"

To sum it up, in my understanding, hacking means creating, or to be more precise, hacking means breaking stuff to make it better.

Script kiddies always mix stuff up and believes what the media tells them, therefore the media and script kiddies are fools.

That ^ also known as an blackhat.

[mendaxhaxx2011]

Thanks seci for a great intro. Looks like this is on its way to being a good tutorial. Couple of things :

a. I like the way the suggested languages were outlined bec that gives someone a list to choose from and where to start. If you go in depth, maybe it would help if you could give a list of topics per language which you think are specifically important to learn (ex. PHP - file inclusions, C++ - memory alloc) or something similar

b. I also notice that bulk of the skills mentioned are programming related. Anything you suggest for sysadmin stuff? (Unix tools, Windows tools, networking tools)

c. You could also include tips on tools and what you think is the ideal setup for a hacker to have to make his hacking more efficient (C++ IDEs, HTTrack for web exploitation, etc)

Just some suggestions. Kudos for a good tut.

Thanks

[neusbeer]

I just started with pentesting/hacking..
In my opinion,
get the basics of Linux (or Cygwin in Windows)
know the terms and possibilities..
https://www.owasp.org/index.php/Category:Vulnerability
is a big list with things to do.. things to learn..
(and that's only for web servers, sites and networks, that's just a small grab in the things to 'hack'.. you've got bluetooth, 3g, wifi/hotspots, cpi's (stuxnet/duqu), pacemakers , cellphones, car's even.. ahh well.. to much! )


.. and I have to disagree a little bit about that Hackers
try to fix stuff by breaking it..
I never broke anything (except a few admins mentally health and their pride )


In my opinion you have
whitehatters - people who don't break anything, but stops just in time and informs the right person who has to now it at that moment..
(I received actualy some payments of websites for helping them after I e-mailed them with my foundings *most of the time sql injection..)
grayhatters - can go both ways, but won't harm other people by getting juicy private info on the net.
blackhatters - ah you now.. creditcard theft, anonymous/lulzsec who jeopardize other people's safety by sharing everything for a profit.  (few weeks ago I found the SQL database from hackforums.net with my name in it rofl
(But had a vBulletin salted md5 (md5(md5($pass).$salt) so slow slow slow not a big  change that a lot of people could have found a lot (I found of the 200.000 hashes about 70.000 in 2 days -- no cude/opencl, together I have about 50 gig dic's)

oh pentesters are the same as whitehackers only with no guts..
and Crackers arefor adult porn sites userlogins .. like this http://pastebin.com/H3BzH9sy       (I found a convenient way to get a big list within a hour or so I post them because I'm little bored lately.. )

I also found out that programming skills can be handy.
Perl/Ruby - for scripting network things (portscans, enumeration, web bruteforcing, metasploit, ect)
c/c++ - for buffer overflows, binding shells, metasploit , bruteforcing
python - al of the above
bash - making everything easier :-) grinn
asm/shellcode/slq/asp/html/java/flash

Too bad I program about 15 years now.. but in pascal/delphi 

and then epic question: where to start..
I see this question a lot.. hard to tell..
what is it what you want to do!!

if you want to hack programs then you have to take another road to follow then if you want to get some juicy info from websites or defacing them.
disassembler, debugging is something completely different then SQL injections, XSS, CSRF, bof's, fuzzing, ect :-)

I was a fool thinking I could learn me all this in a few months.
So after 2 months gathering all the info I could find I was lost in the possibilities.
(On of the reasons I don't use BT5 or other distro's)

I found that SQL injection was a piece of cake and lots of possibilities,
then needed some things on the way.  like scripting (bash, perl, python), automation  (Havij, sqlmap, sqlninja, pangolin, ect), evasions (url, or in cookie sqli base64)
After that I expand..    XSS, CSRF, clickjacking, bof and after that it went in a fast train..

My advice is don't try to learn hacking but focus on one thing first and expand..
The biggest problem is by having so much possibilities is that you become a skriptkiddy who does know most of the things but not enough to exploit.

and for 'starting programs', same thing.. wadda ya wan't to 'hack' :-)
and program's/tools/frameworks can be different in use for others..
Like some people love burpsuite or BeeF and other metasploit en nessus.

the TOP-125 from http://sectools.org/ is a good start to get known with
all the given software.

For scanning I do w3af, nessus, nikto2, nmap
msf4, core impact and canvas for making it happen; the actual exploits
havij, sqlmap, sqlninja en pangolin for sql tricks
but most of the time I use my good old browser for finding things.
and some have a section of keyloggers, fuds, binders, RAT's, trojans/virussen/scripts/evil pdf/ect .. But I self is not busy with that..

[Dameon]

will there be anymore updates to this?

[lucid]

I just started with pentesting/hacking..
In my opinion,
get the basics of Linux (or Cygwin in Windows)
know the terms and possibilities..
https://www.owasp.org/index.php/Category:Vulnerability
is a big list with things to do.. things to learn..
(and that's only for web servers, sites and networks, that's just a small grab in the things to 'hack'.. you've got bluetooth, 3g, wifi/hotspots, cpi's (stuxnet/duqu), pacemakers , cellphones, car's even.. ahh well.. to much! )


.. and I have to disagree a little bit about that Hackers
try to fix stuff by breaking it..
I never broke anything (except a few admins mentally health and their pride )


In my opinion you have
whitehatters - people who don't break anything, but stops just in time and informs the right person who has to now it at that moment..
(I received actualy some payments of websites for helping them after I e-mailed them with my foundings *most of the time sql injection..)
grayhatters - can go both ways, but won't harm other people by getting juicy private info on the net.
blackhatters - ah you now.. creditcard theft, anonymous/lulzsec who jeopardize other people's safety by sharing everything for a profit.  (few weeks ago I found the SQL database from hackforums.net with my name in it rofl
(But had a vBulletin salted md5 (md5(md5($pass).$salt) so slow slow slow not a big  change that a lot of people could have found a lot (I found of the 200.000 hashes about 70.000 in 2 days -- no cude/opencl, together I have about 50 gig dic's)

oh pentesters are the same as whitehackers only with no guts..
and Crackers arefor adult porn sites userlogins .. like this http://pastebin.com/H3BzH9sy       (I found a convenient way to get a big list within a hour or so I post them because I'm little bored lately.. )

I also found out that programming skills can be handy.
Perl/Ruby - for scripting network things (portscans, enumeration, web bruteforcing, metasploit, ect)
c/c++ - for buffer overflows, binding shells, metasploit , bruteforcing
python - al of the above
bash - making everything easier :-) grinn
asm/shellcode/slq/asp/html/java/flash

Too bad I program about 15 years now.. but in pascal/delphi 

and then epic question: where to start..
I see this question a lot.. hard to tell..
what is it what you want to do!!

if you want to hack programs then you have to take another road to follow then if you want to get some juicy info from websites or defacing them.
disassembler, debugging is something completely different then SQL injections, XSS, CSRF, bof's, fuzzing, ect :-)

I was a fool thinking I could learn me all this in a few months.
So after 2 months gathering all the info I could find I was lost in the possibilities.
(On of the reasons I don't use BT5 or other distro's)

I found that SQL injection was a piece of cake and lots of possibilities,
then needed some things on the way.  like scripting (bash, perl, python), automation  (Havij, sqlmap, sqlninja, pangolin, ect), evasions (url, or in cookie sqli base64)
After that I expand..    XSS, CSRF, clickjacking, bof and after that it went in a fast train..

My advice is don't try to learn hacking but focus on one thing first and expand..
The biggest problem is by having so much possibilities is that you become a skriptkiddy who does know most of the things but not enough to exploit.

and for 'starting programs', same thing.. wadda ya wan't to 'hack' :-)
and program's/tools/frameworks can be different in use for others..
Like some people love burpsuite or BeeF and other metasploit en nessus.

the TOP-125 from http://sectools.org/ is a good start to get known with
all the given software.

For scanning I do w3af, nessus, nikto2, nmap
msf4, core impact and canvas for making it happen; the actual exploits
havij, sqlmap, sqlninja en pangolin for sql tricks
but most of the time I use my good old browser for finding things.
and some have a section of keyloggers, fuds, binders, RAT's, trojans/virussen/scripts/evil pdf/ect .. But I self is not busy with that..

Lol pacemakers?


Thanks for the links btw