I'm sure most people of this generation have at least contemplated "hacking" or having someone "hack" something for them. There are many misconceptions about hacking largely due to the film industry's romanticized and fantasized depiction of it. If you're looking for a tutorial on "How to Hack X" or "How to Crack Y", this article is not for you. However, if you're genuinely intrigued by how computers and the internet work, I welcome you to a hacker's roadmap. This article attempts to give you a good head start, clear up your doubts and prevent you from burning in tutorial hell forever.
Let's get this out of the way: a hacker is not someone who you can pay to get you free V-Bucks or Robux. A hacker is someone who is trained in a variety of skills and has the wisdom, curiosity and playfulness to apply those skills to find unconventional solutions to problems. Whether or not the problem is how to subvert the law depends on the colour of their proverbial hat. Hat colours is how we can categorize hackers by their actions. There is no real hat involved and I won't waste much of the readers time obsessing over such mediocrity. There are three universally accepted hat colours: white, gray and black—though there exist other unofficial hat colors. As fast as possible: white hats are the certified ethical penetration testers; gray hats are otherwise white hats who sometimes engage in unethical activities (like a red teamer); and black hats are malicious hackers.
If you thought that penetration testing is some sort of prostitution quality control; you're wrong and get your mind out of the gutter. Penetration testing is when a company hires you to see if you can "penetrate" their network security. These jobs pay a lot of money, sometimes $20k to $50k per contract.
If you want to make an honest living with a solid $100,000+ yearly salary, you must be a skilled white hat or gray hat. There is almost never a good reason to don a black hat since the activities you'll be participating in are probably not even close to as profitable as being an ethical hacker and won't help you sleep at night. Unless you have nothing and have no hope of getting an honest job, just stay away from being a black hat.
Becoming a hacktivist is also not a good idea. You'll be constantly surrounded by either radical left-wingers, radical right-wingers or other extremists. It's just not good for your physical, mental, financial nor social health. You stain the media perception of your cause and could be more successful in peaceful protest. Having your name attached to an act of terrorism isn't great for your future.
Stop associating hacking with Guy Fawkes masks. Anonymous is not a hacker group per se. They are a movement for cyber-anarchists. Most self-proclaimed members of Anonymous are not hackers but either activists or kids. Anonymous does not deserve to be the poster child of the entire hacker community. There is not much to gain from being involved with them since there is no money to be made and the days of taking to the streets seem to have ended.
With that out of the way, we're going to focus on you becoming either a white or gray hat hacker. Everything can be applied to becoming a black hat if you feel so inclined—I just saved you a google search and an ISP log of you asking "how to become a black hat hacker".
Get this through your head, learning hacking takes time. One 15 hour video is not going to transform you from noob to a pro. An unnamed wise man on a TOR site once said: "If you want to learn to hack to make sure your girlfriend isn't cheating on you; she'll have left you by time you learn." This statement is the most honest answer I can give you to question "how long does it take to become a hacker?". Good things come with time and the number one thing you must teach yourself is patience. It takes an unspecified number of years to gain proficiency in hacking. The act of successfully hacking something can also take a long time. Standard annual penetration tests usually take 2-3 months, if not longer.
I hope this crushes your expectations of what I can do to make you l33t. Fortunately, not depending on others makes you depend on yourself, and this article is about enlightening you as to what you can do for yourself.
Let me tell you, the golden age of hacking has been over for more than 10 years. If you think you'll be hacking things in the real world left and right; you're wrong. Companies of all sizes take their security very seriously so you'll have an exceedingly hard time trying to make money by stealing from them. Everyone is aware of how important their personal security is these days. It's more than likely you'll have to be very advanced as a hacker to get a job or to screw someone or something.
A lot of teaching media, be it courses or articles or books, teach a rather watered-down approach to cybersecurity—usually so you don't get sued using black hat methodologies. You are taught techniques, tools and tips but may not have any idea of how to apply what you've learned when it comes time to test your skills. You can't learn to hack overnight—let alone be a hacker. I'm going to give you a set of steps that will help you fill any hat, not just white. I will not hold back any "secret evil hacker knowledge".
It is very difficult to list an order of subjects to learn in cybersecurity since they tend to be large and interwoven. So, I'll break down each subject into it's most possible independently digestible stop in the roadmap. Let's go!
Learn the basics of programming.
If you're new to programming, you might be drowning in the vast amount of options of where to start. There really is no wrong way to start, but you should take steps in the direction that is most convenient and least painful to you. You may have asked someone or watched a video and been recommended Python. Python tends to be presented as a be-all-end-all solution when it comes to cyber security. Don't think this way. Hackers utilize any technology necessary to accomplish their goals. Hacking requires both a breadth and depth of knowledge since you often need to know how many or all components in a system work in order to exploit it. You'll need to at least be able to read multiple programming languages.
Looking back on my life choices, I wish I would've learned C first (I learned C# and Python first). C gives you a stripped down view of what your computer can do. You don't have to worry about object oriented programming, functional programming nor any advanced theoretical concepts. You also don't have much abstracted away, so you learn a hell of a lot about your computer by just learning the language. C has aged remarkably well and is still in widespread usage, despite turning 50 soon.
Most operating systems have a huge amount of code written in C and/or C++ and even some of the libraries in Python are written in C. This is due to C being a compiled language, rather than an interpreted language like Python. In C programs, all code is turned into a machine code executable, called a program binary. In Python and other interpreted languages, each line is read and executed line by line. This makes Python scripts much, much slower than compiled programs.
You may have already heard of C++. C++ is a superset of C, it contains almost all the features of C plus Classes, Polymorphism, and other abstrations. Please learn C before C++ or you will probably have a hard time. Most of the C++ programmers I know personally and have seen say the exact same thing.
Please be aware...I'm not saying one language is better than the next. You should know both C/C++ and Python as a hacker and also other languages such as:
- HTML, CSS
- Java or C#
I grew up loving Perl as a scripting language but have recently found out that Ruby is much more enjoyable to script with—even overshadowing my 5 years of Python love. In the end, it really doesn't matter which scripting language you choose for your personal needs, as long as it makes your work easier. Perl has been the scripting language of hackers for decades but the code looks like shit. Python has been the language that tries to do everything and enforces readability but is really only an average language—let's be real here... Ruby has been the language to make the internet boom with it's web framework Ruby on Rails, though can sometimes be hard to read.
PHP is also considered a scripting language among some and is still a good language to learn, despite losing popularity for newer, shinier languages. A huge part of the sites on the internet are running PHP, and you know from earlier that to a hacker...anything is open season.
Learn UNIX AND Windows
Guides before this one often tell you to learn some form of UNIX, often implying the abandonment of Windows. As a hacker, you should be well versed in all popular computing technologies, which includes Microsoft Windows and maybe even Mac OS X! Criminals always target the largest number of people to gain the largest amount of profit. Windows being the most popular consumer operating system is the prime target. Most servers you'll be hacking will be running some form of UNIX, while most users you'll be targeting will be running Microsoft Windows. Get familiar with the inner workings of both to a system administrator level.
For UNIX, I don't mean grab the true UNIX operating system from 1970. I mean grab yourself a modern UNIX-like operation system such as GNU/Linux. GNU/Linux—or just Linux, as people who aren't unwashed hippies call it—is a free, open-source and community driven family of operating systems.
The GNU part in GNU/Linux refers to the software used by the Linux kernel in order to be a usable operating system. The GNU Project was publicly announced by Richard Stallman in 1983. Stallman could not write a kernel for his operating system as promised, but all the core utilities had be written. In 1992, Linus Torvalds wrote his own kernel and used the GNU software to build the GNU/Linux operating system. Calling the operating system Linux instead is proper but will send Stallman into an incredible fit of rage. When I say Linux, I'm referring to GNU/Linux. So, continue to call it Linux and tell Stallman to shower once in a while.
There are many "flavours" of Linux and you should choose the one that helps suit your needs best. Many guides push something like Kali Linux or ParrotOS in your face but I advise against using these.
Kali Linux and ParrotOS are just standard Debian Linux installs (with a few tweaks) with a couple hundred pre-installed tools. You probably won't use all the tools provided since many serve the same purpose and you'll favour one over the other. I'd say grab yourself Debian or Ubuntu (Debian's flamboyant son) and install the tools you need. Getting used to Linux in this fashion is more healthy in my opinion since you're not focussed on being the l33t3st hacker. You'll be more focussed on building skills needed for your future job. Be serious and you'll get serious results. You can still use Kali or Parrot if you still want to, it's up to you.
Networking is one of the most crucial skills to master if you want to become a cyber security professional—you can't put it off for long. Whether you are trying to access another machine you own remotely, have a some malicious code "call home" and give you a command prompt, search for exploitable services on a machine; or extend your foothold on a network, at least a basic understanding of TCP/IP and other protocols is required. Some protocols you'll need to be familiar with are: TCP/IP, UDP, SSH, FTP, VNC, OpenVPN, LDAP and Active Directory. You don't need to know what this alphabet soup stands for while you're reading this article but you will learn about them in books or a course. You should learn more than tool usage for these protocols and actually take the time to understand why they work and why a tool may not work in certain cases. Trust me.
Learn classical computer science
Learning a programming language is one thing and writing useful programs is another. Efficiency and usability are king and you really ought to learn to understand and write good code. You'll need to learn algorithms, data structures, design patterns, concurrency, logic, and software architecture. All of these topics are taught in any university computer science degree. Your financial situation might prevent you from enrolling in university courses which affects your chances of obtaining this information. However, everything you can learn at a university in computer science can be learned online, in books and in other mediums where you can teach yourself. I'm publishing an article on a self-taught computer science master's degree soon. Please subscribe to The Daily Shitter so you won't miss it.
Get good at math if you aren't already. Math is the language of science, including computer science. Practicing mathematics also enhances your reasoning and problem-solving skills—crucial traits of an effective hacker. Understanding of elementary Calculus, Probability, Discrete Math, and Linear Algebra will take you a long way. If you don't like math very much, maybe just stick to being a web developer and be very ashamed (I'm joking, I'm also a web dev. Do what pays.).
Your performance in these topics really define you as a programmer and mirror your level of proficiency. Thinking algorithmically will help your critical thinking and beat some discipline into you. Most of your software development career will be creating and implementing efficient algorithms for the data structures of your program. Yes, it is hard at first if you don't know much math but it does get easier.
Learn computer architecture
There is no way around learning how your computer works for a hacker. Exploitation of computer systems is reliant on understanding of how they work. If you want to learn how to crack and patch programs, everything you need is right here. You'll need to learn the x86 instruction set and architecture, C, maybe Rust, sometimes Verilog, operating systems and reverse engineering.
Knowing how programs operate as close to the metal as possible gives you a significant advantage when it comes to finding exploitable bugs. Developing exploits depends on the understanding of especially the processor and memory. Reverse engineering a program allows you to find stack overflows, heap overflows and other forms of memory corruption to exploit. You'll also learn how files, program binaries (executables), and network sockets work more in depth. With all of this knowledge, you'll be able to: crack and patch software, develop exploits, develop malware and maybe someday write your own operating system.
Now that you've learned programming, computer science, networking and computer architecture; you'll now be able to write some efficient, sophisticated and complicated programs to tackle problems you'll encounter in your day-to-day life. At this point you should realize that you're not just training to be a hacker, you're training to make a 6-figure job in general software development. A whole world just opened for you.
Learn how to use databases
In 2017, the Economist reported that data had surpassed oil in value. Data is the reason we have the internet in the first place and great effort is taken to preserve its integrity. The understanding of databases is crucial to the hacker since compromise of data is most likely your end goal. Carrying out SQL injections requires knowledge of how the database systems you're attacking work and common failures in security safeguard implementation. The most popular and used database solutions of all time have been Oracle's MySQL and PostgreSQL. Newer solutions such as MongoDB have been gaining a lot of popularity in recent years, please educate yourself.
You'll need to learn the Structured Query Language or SQL for database solutions; how to build tables and relations in databases; and how to protect and break them. I recommend starting with MySQL as the first database system you learn. MySQL is ubiquitous thanks to its seamless integration into PHP and speed for web-based applications. When you install try to install MySQL—especially on UNIX—you'll get MariaDB instead, which is a drop-in, free, open-source, not Oracle, fork of MySQL. Usually, when someone says "MySQL", they are referring to MariaDB. Just sparing you some confusion.
Cryptography and encryption is essential to keep your data safe. Encrypting your network activity, encrypting your harddrive, breaking ciphers, verifying public key signatures, and cracking password hashes all depend on an understanding of cryptography. Some basic to intermediate number theory and information theory is required to fully grasp what is going on in encryption algorithms, though for everyday usage you probably won't need to know how 256-bit AES is implemented.
Embrace Hacker Culture.
If you've ever had a job, it is often hard to be accepted by your coworkers without participating in their work culture. The same goes for becoming a hacker. Watch movies, read books, learn history in your field. Although the standard hacker-flick makes me cringe and want to fly to my keyboard to debunk everything they got wrong, movies are a part of the culture.
Some movies, documentaries and TV series you definitely should watch are: Who am I (2014), The Internet's Own Boy, The Hacker Wars, and Mr. Robot. In my opinion, the TV series Mr. Robot portrays hacking best—minus the Fight Club rip-off they call the plot. All of this media is available online on YouTube or....other means...
Learn the history of hacking from the days of the MIT railroad club—who coined the term "hacking"—to the modern ransomware crisis. Doing this not just gaining an appreciation for our art but also educates you on how the hackers of the past pulled off their exploits. Some people you might be interested in learning about are: Linus Torvalds, Richard Stallman, Eric Raymond, Dennis Ritchie, Ken Thompson, Brian Kernighan, Kevin Mitnick, Mark Abene, Max Butler, and Alfred Gonzalez, to name a few.
I might just post an article to serve as a crash course on hacker culture.
Learn how to keep your activities private.
Especially when hacking, you need to stay anonymous and protect your identity. You'll need to learn about VPNs, Proxies, darknets and other various ways to help maintain your privacy. I posted an article a few days ago called "Anonymous Online, Top 10 Steps". I encourage you to check it out and learn from it.
VPNs are nice for everyday users but may not be the best option for hackers. Very often, hackers will use computers they compromise as proxies for them. Doing this requires knowledge of how to use SOCKS proxies, which is not hard.
Believe it or not, collaborating with people on the dark web is actually quite pleasant. You can meet a lot of very smart people on TOR's IRC networks.
Surround yourself with good people.
There is no reason for you to learn and work by yourself. If you want to learn, get in touch with people more experienced than you. These people can greatly help you understand concepts and demonstrate applications. If possible, get involved in a mentorship or hackerspace. Both of these will provide you with a good experience (in most cases) and someone or some people to keep you motivated on the long road ahead.
Don't ask people to hack for you. Asking people to hack for you makes you look like an idiot. No one is going to help you even if you had the money for it. Most people you meet in the hacker community either won't help you because it violates their moral code or are trying to scam you into paying them for "hacks".
Though you could download or pay for known exploits and exploitation tools, most have already been analyzed by the InfoSec community and have their signature added to antivirus databases. Building your own tools allows you to stay completely undetected you if you do it right. Personal experience and pride are other good reasons for why you should write your own tools and exploits. Every program you write, the better you are getting.
Practice better communication skills
Learn to collaborate with others better by improving your communication skills. If you ever join a hacker group or a hackerspace, you need to be able to express your ideas in a way that everyone is on the same page. Take time to understand the views and perspectives that your teammates have to offer and allow them to help you. Make sure not to "go maverick" and leave your teammates in the dark as to what you're doing. Always brief your collaborators on what needs to be done and what you'll be doing—don't step on any toes.
Learn the popular collaboration software such as Git and Mercurial. These programs will greatly accelerate your development and project management but also serve as a way for multiple people to work with you on a project in an organized way. Having an account on GitHub or GitLab is very important these days. When you want someone to hire you for a remote or local programming job, you show them your GitHub page so they can see the quality and quantity of your past projects. Make sure to impress people by putting a lot of effort into striving for quality.
GitHub — https://github.com
GitLab — https://about.gitlab.com
When do you know you're a hacker?
Being a hacker is a state of mind, it doesn't just apply to computers. If you have the curious nature to explore and solve problems in interesting and creative ways, you might already be a hacker ready to bloom into your career. Don't be a script kiddie. There is more to life than just popping boxes. There is a joy to finding a solution to a complicated problem or optimizing a program to be just perfect. The script kiddie will never feel these joys and is missing out on the bigger picture of what they're trying to do.
You will have to put your skills to the test chugging through CTFs and eventually getting certified as an ethical pentester. CTFs (short for Capture The Flag) are simulations in which you are tasked with hacking a known vulnerable machine either on your computer or in a game network to test your skills as a hacker. There are many sites with these kind of games available, I'll list a few.
OverTheWire — http://overthewire.org/wargames/
HackTheBox — https://www.hackthebox.eu
VulnHub — https://www.vulnhub.com
WeChall — https://www.wechall.net
If you want to get certified to work for companies and be well off for the rest of your life, please consider taking OSCP. OSCP stands for Offensive Security Certified Pentester and is the most widely recognized certification a cybersecurity professional can get.
Do well. Learn. Figure things out. Invent new things. Break things. All of these things are part of being a hacker. Persevere and you will eventually make it as a master hacker. I wish you safe travels. Happy hacking and have fun in cyberspace and meatspace.