Private DM on Learning Hardware/Hacking

This post is in response to a private DM I received about where to begin with learning the insane amount of things we hackers have to know just to be competent. It’s not exhaustive, because nothing we ever talk about is ever going to be; there truly is TOO MUCH TO LEARN. But you all asked me to delve a little more deeply into my methodologies and thinking, so here goes.

——————————————
Hi there!

First, I want to thank you for reaching out to me and trusting me with giving you a response. I hope my answer is satisfactory.

I don’t want you to overwhelm yourself to the point where you feel discouraged and possibly walk away, because the sheer amount of information out there can be smothering at times. Please remember this for the road ahead. There are going to be days where you try so hard to nail a technique and fail more than you succeed.

Before you proceed further, you must understand that failing is a great sign, not a bad one. It means you’re not giving up, and it also means that’s one less thing you have to try, because that didn’t work.

What I did (and currently do!) was keep a list of all the things I wanted to learn, writing down the questions I had under each topic, such as this example:

Hacking Embedded Devices

1. How would I determine if the device had a serial/debug port to connect to and then how do I actually connect to this device?
2. What kind of hardware tools will I need?
3. How do I measure the header pins? Where can I buy the header pins? What if I can’t get pins, what else can I use?
4. How do I desolder the populated pads on the PCB? Do I need flux? I don’t have a wick, can I use a solder pump?
5. How do I determine which is TX, RX and GND?
6. How do I determine the proper baud rate?
7. What software can I use to connect?
8. Once I get it all connected, how do I drop to a root shell? What if there isn’t a root shell? Can I flash another firmware?
9. Will the password persist on reboot?
10. What if the bootargs command with /bin/sh doesn’t work, what are my options?

This is how I tackle any new thing I want to learn and stay organized and focused. In the future, once you master a topic and feel like you want to share your own experiences in learning it, you can refer back to your notes and your questions, because guess what? Others will be asking the same questions at the same stage you did when they are learning it and will find your insight very helpful!

The good news is you have some of the foundation you need already learned so now you need to fill in the gaps. I’m not going to lie to you. This is a significant investment of TIME.

You’re not going to learn this overnight.

You’re not going to master this in a year.

My total hacking years are in excess of a decade, but I have twenty-five IT years under my belt and I still don’t know it all and never will. In fact I often tell people: if I ever get to the point where I DO know everything? Kill me with fire, because I’m a Pod Person and you don’t want me hanging around!

I dedicate my time to building my own skillset and helping others but I’m never where I want to be and probably will die never being where I want to be.

I am OK with that. You need to be OK with that too.

You asked me how you get better at computer hardware. When I started out, computers weighed more than I did, and I actually had to move into a two bedroom apartment at one point to fit all of them. Every night, after working a full day, I sat down at whatever server I had lugged home and figured it out, going to bed at three am and up again at 7 to start another day. For my entire twenties, if I got more than 5 hours of sleep a night it was a lot. I was on FIRE. You need to be too.

I am more willing to help someone who shows me what steps they took and that they are desperate to learn something the right way than someone who expects me to do the work for them or hand them every answer. Others will see your commitment and want to help you for these same reasons. Represent yourself as an avid learner and others will jump at the chance to assist you. It’s the Rocky Syndrome, as I call it. The underdog that we want to see rise above and win.

These days you can fit a computer in your pocket so I advise those weak in this area to ask their local computer or electronics repair store if they would be willing to hire you so you can learn. Don’t have one of those? See if you can find a local ham radio club or a train club.

Why trains? Because humans who collect trains are ridiculously serious about them and they tend to construct large electronic networks in their basement complete with PCBs they had silkscreened on their own.

They know electronics and hardware like no one else.

I know five individuals who have train networks which are so complex yet so beautiful I am actually jealous. Seek these people out. They will help you.

Now if you do have a computer repair store, you walk into that store with your CV and a technical skillset in hand. You sell your strengths AND your weaknesses but you come across eager to learn and ready to get to work. If they can’t hire you for money, ask if you can volunteer one day a week so you can learn.

If they say no, go find another repair shop. Don’t give up. Or see if the library will let you volunteer, or go to your local hobby store, which may have private LAN parties. Mine does. The owners are in their twenties. They’ve never heard the term LAN party, but they have them.

No hobby store? Game Stop. Or those pop-up phone repair shops. You won’t believe what they can teach you. A few years back I volunteered to fix the systems of one I knew about, in return for the owner teaching me how to replace LCD screens and do other common fixes.

Now I don’t pay $200 to fix a broken screen; I do it myself for virtually nothing, because I also know a guy who buys parts in bulk from China.

My point is: sit there and think of who you can reach out to to teach you what you want to know. It can be done. I’ve lived this, trust me. I begged and borrowed and traded and did everything I could to learn what I know. I will never stop.

If they hire you, make sure you do all the grunt work, learning the same thing repeatedly until you master it. Learn what the tools are called, what they can do, how much they cost, and begin making a list.

I had my toolkit fully built by the time I was seventeen. It cost me a fortune. These days you can assemble a great toolkit for under two hundred dollars and that’s if you aren’t dumpster diving or getting them free from friends and whatnot.

Pick up a book on electronics from the local library for free so you can learn how circuits and such work. Watch YouTube videos. ASK questions of every single person you can, just like you did me. I didn’t have YouTube. I had to watch it happen in real life and learn it on the fly sometimes. I still do.

My point is: if it plugs in, lights up and can calculate, you are interested in it. Even if you never work with the technology, you learn about it, because it may come in handy one day.

The harder the task, the more reason to take it on. So you fail the first time: get upset, pick yourself up, do it again, and keep failing until you get comfortable with failing so you don’t beat yourself up.

Now, for hacking.

Look up the Pentest Standard. I’m not linking to it, go find it on your own and get used to researching because you’re going to be doing a lot of it.

It is a LOT of information, but it is THE guideline for how we do an assessment. Hacking borrows from the Standard and breaks it down into five key categories or stages. They are:

Recon/Enumeration
Privilege Escalation
Post-Exploitation
Maintaining Access
Cleaning Up Tracks

Let me break this down for you in simpler terms:

Recon/Enumeration –

This is the phase where we gather information on our target, not assuming anything and not taking ANY piece of info for granted. Everything is up for grabs, everything is open season. One time I did a hack where I was viewing a pcap (packet capture, also called a packet trace), which is essentially a recording of what actually transpired “on the wire”, meaning over the physical Ethernet cable: the traffic in and out. These days wifi traffic is included in this, but initially there was no such thing, hence the term “wire”. We hackers refer to it as “packet sniffing”. As I was reviewing the data I came across something that looked like this:

8dh23y:J(hnvy

At first glance it appears to be garbled text or even encrypted text (the portion of traffic I was viewing was not encrypted but in plaintext, but I didn’t rule that out; remember, no assumptions!). Then it dawned on me that it was, in fact, a username and password combination separated by the “:” colon character. From experience I know this is how we sometimes write out usernames and passwords. The person whose traffic I was viewing, as it turned out, also knew this and deliberately wrote it that way so I’d see it and know to use it to log in.

The goal of the Enumeration phase is to gather creds, or credentials, or some other piece of information which will allow us to leapfrog to a place where we can either gather credentials or input any we might have found.

Our secondary goal is to avoid rabbit holes (wasters of time and dead ends which will lead us nowhere). You might be asking, “But how do I know it’s a dead end before I actually find out it’s a dead end?” There could be signs.

One of my friends trolls corporations’ hiring pages and help wanted ads (shout out to @bl4de) to see what kind of software they have at their org by reading what software they mention in their ads.

So let’s apply some logic here. Let’s say our target company has mentioned they need coders experienced in GoLang and Lua, and I come across a Ruby app. I’m NOT going to assume it’s NOT important, but I am also NOT going to waste time on it right now, because if they’re hiring people for langs other than Ruby, this indicates the really important info is going to be in the systems built by the people they are hiring. I will make a notation on my worksheet (yes, I have a worksheet when I hack) and focus on the low-hanging fruit I can find instead.

Bear Grylls, survivalist, warns that when foraging for food in a survival situation you should never expend MORE energy than the food you’re going to acquire will give you in return. I apply this to hacking/pentesting.

If I’m working four hours on something and all I’m getting in return is a crummy email addy? I’m not approaching the problem the right way and I need to regroup and get on the right track again.

My hard and fast rule is if I haven’t gotten anything which moves me closer to my goal of an entry-point or what we term a “foothold”, in the first two hours, I walk away for a bit and clear my head.

Every hacking challenge I do, every box I root, everything I compromise is in its own folder on my private database with every step I took, every exploit I edited/created myself, so that I can refer back to them in the future.

My notes have saved me more times than I can count and even got me a raise one time. Don’t ever lose those notes. And if you aren’t great at report writing, then learning how to be great at it now becomes a top priority for you. Take a creative writing class. Download reports on the web. See how they are structured. Do what you need to do to convey your thoughts in formats that can be read by both technical and non-technical audiences.

Privilege Escalation –

This phase entails increasing your level of access to the point where you gain admin/system or root credentials on the server you’re attacking and can manipulate it into doing what you want it to do. In order to be successful here we either have to find a vulnerability in some hardware/software which lets us do this, or we have to find a set of creds which has higher access than we, as a guest, do. Sometimes there are PrivEsc vulnerabilities which get you from guest access to root, and sometimes you have to chain vulnerabilities/exploits, gradually increasing your access, to get to root.

I like to think of this phase like a slow dance. And it is one where you are ALWAYS getting your feet stepped on.

It’s also the most stressful. It involves a ridiculous amount of research into software we may not be familiar with and then once we find the way in we often have to make our own exploit or edit existing exploits to fit the environment we’re faced with.

Once we’re at this stage we are typically VERY INTERESTED and invested and won’t give up until we have “popped the box” meaning we have gained administrative rights and have full control over it.

At this stage, it doesn’t matter how long it takes (sometimes minutes, sometimes hours, mostly days and sometimes WEEKS or MONTHS even!) we’re going to completely own our target, come what may.

My motto is “What can I see, what can’t I see? What can I do, what can’t I do?” Remember my example where my target has Go and Lua but weirdly has a Ruby app? Yeah, this is where I come back to that now and look at it further. Suddenly I’m ALL ABOUT that Ruby app.

Let’s apply some logic. Why would a company that is advertising it needs Lua and Go programmers have a Ruby app public-facing like this? Is it possible it was an abandoned project and someone didn’t uninstall it? Is it possible it contains information which may help me p0wn the living daylights out of them and they don’t realize this?

I often say that with hackers you want to come across as boring. If we get interested in you or we see things which at first glance might not make anyone else pay attention but are curious to us such as the analogy I just described? We’re not going to leave it alone and will dig until we find something.

So the moral here is if it’s truly an abandoned app it should’ve been uninstalled. Because even if it doesn’t have any loot in it for me, you know what this tells me about the individuals in charge of their public website presence?

They are at worst lazy and don’t remove unused software (which, if not properly patched, will eventually have vulns I or someone else can leverage), and at best they are SO busy they forgot about it or didn’t have time to remove it, in which case there’s probably lots more to find that they haven’t had time to update/fix/tweak if I keep poking around.

And I’m going to keep poking around. Your goal as defender is to keep me the hell out!

Post-Exploitation

This phase comes directly after gaining access to the server; now we start gathering information to increase our access if we’re not already root/admin. If we’re root on Linux, this phase is skipped because we’re in the End Game Scenario. Your server is our mindless puppet which we now own. We will jump to Maintaining Access directly from PrivEsc. If we aren’t at the highest level we can be, we start to look at configuration files, anything which will give us the holy grail of creds: System/Root.

We also pay attention to what kinds of files are stored, are they maintained (this goes to the psychology of who the admin is – are they lazy or astute?), what kinds of permissions are there and do they indicate more laziness?

Are there indications of pivot points to other networks with more goods for us to gather? An example of this is a dual-homed system (a server that has multiple NICs with static routes to other servers not directly accessible from the outside, but which, now that we’re inside, we can jump to from systems which DO have access to them), or software which is configured to access these other systems.

We look at the whole picture and make notes as to the kinds of things we’re coming across and finding.

This is where we get into the admin’s head.

If names are listed, I go find them on social media and start building dossiers on them. I stalk the hell out of my target until I know more about my target than they know about themselves.

It’s also the phase where we start making modifications like changing passwords and understanding our playground a little more.

Maintaining Access

During this phase we are looking for places where we can store a shell that is bound to a port, a permanent door into your system from which we can come in and out, at our leisure, to do further damage when it’s comfortable for us to do so.

Rootkits and Trojans fit into this category. They are what we also refer to as Backdoor Shells.

We are also making sure at this phase that our payloads and efforts are hidden in such a way as to evade your AntiVirus and your monitoring systems. The last thing we need is for you to discover us and undo all our hard work!

Cleaning up Tracks

Finally we have the phase where we delete logs and erase as much of our presence as humanly possible. If we are lucky enough to land on an admin’s terminal with access to every system in the network which contains logs, etc. (like firewall access! woot!), we make notes and go about deleting ourselves from it.

This is why the principle of Least Privilege is so very important because it can help minimize the damage done in the event of a breach.

By this phase we have acquired what we came for, we know enough about you to make educated guesses as to how long it will take you to find out you were compromised, and we have enough information on you stored so that should you make any changes, we can account for them should we decide to circle back around to you one day and try to p0wn you again.

Now, all I’ve done is talk about stages. Your job is to start researching what each stage is, in depth, the hardware/software tools employed at each step, and how we’re able to accomplish all this sorcery.

I wish you the best of luck and as many failures as your ego can stand so you can become the hacker you want to be.
