Learning to hack at the RSA Conference

Here at the RSA Conference, Grant Hatchimonji take his first steps into the world of hacking

This is a side note story from the second day of the RSA Conference. While Salted Hash is roaming the halls, Grant Hatchimonji , Senior Editor for CSO Online, is here making friends in the security space and learning. He is a newbie, like all of us were at one point in time, so on Monday he attended a Hacking 101 event hosted by Rapid7. He's offered his thoughts from the class below.

For me, my sense of pride comes from the fact that Grant put himself out there, took the initiative, and wanted to learn. We've all got a story about learning something new, and I'm sure many of us can vividly remember the rush that came with it. Needless to say, Grant thought the Hacking 101 class was just awesome.  -Steve

Before today, it is not an exaggeration to say that I knew absolutely nothing about the process – or, as some would argue, art – of hacking. So when I went into Rapid7's "Hacking 101" event here in San Francisco during RSA week, I was truly flying blind. While it goes without saying that I didn't leave the event today ready to take over the world, it gave me a better idea of what goes on in terms of the hands-on, nitty gritty aspects of hacking.

Michael Belton, a professional pen tester and the leader of Rapid7's assessment team, kicked off the lesson with a brief history of hacking dating back to the 1980s. While hacking initially began as a means of exploration as opposed to anything particularly harmful, it eventually led to more sophisticated tools and a shift in motivation towards fortune and glory.

Belton's point in drawing up the landscape of hacking as it has developed over time was that while the motivations of adversaries have changed, the attack vectors have remained static. With that said, he began the more hands-on aspect of the event, where he provided us with machines booted to Kali Linux with which to hack another machine.

As someone who was brand new to the world of hacking, one of the more surprising aspects of Kali Linux to me was how heavily it's equipped with tools from the start. A successor to Backtrack, Kali Linux comes absolutely loaded with a suite of open source hacking tools that can carry out any number of tasks, including info gathering, vulnerability analysis, sniffing, spoofing, and a lot – no, really, a LOT – more.

But while it may seem like having such an expansive arsenal at your fingertips would make it easy for a newbie to understand the process of hacking, I quickly learned that this is far from the case. The operative word here is "understand," because yes, having so many intelligent processes and commands makes it easy to just punch in commands from a cheat sheet – which is precisely what we did – and hack into a network. But at no point did I fully understand what I was doing with each line of code I typed in until I asked for a full explanation (and even then, my grasp on the concepts were sometimes tenuous at best).

What I mean to say here is that the process is not as intuitive as the seemingly user-friendly suite of built-in tools would imply. Perhaps the most important thing that I learned at "Hacking 101" is that there is a wealth of background knowledge that is absolutely imperative in order to actually hack. That may seem obvious to just about everybody on the outside looking in, but the extent to which this holds true is arguably greater than most people would think.

For example, when you're first learning to code – let's say HTML – there are basics that can be easily picked up right off the bat without any prior knowledge. You want the typeface to show up bold? You learn that you need to type "<b>" tags and that's it. There's no further explanation necessary. That's all you need to know in order to accomplish what you want to do, and there's no big picture for anybody to worry about.

With hacking, there are much larger (and at times, more abstract) concepts at play that you need to understand before you can understand why you're typing in that particular line of code and what exactly it will accomplish.

During the discovery phase, for instance, we conducted an NBTScan with a line of code that read, "nbtscan -r 10.0.100.0/24". Had I not asked, I would have had no idea why I needed to insert the "/24" at the end of that IP address; it was, I now know, to identify all of addresses of the systems participating in that particular Windows domain between 100.0 and 100.255 (and yet I would not have known to use "/24" as opposed to other numbers like "/8" had I not been directly told that that was the appropriate number for this particular size of network).

Admittedly, there were some intuitive aspects. Once we had moved on to using Rapid7's Metasploit tool to gain access to and attack a Windows host, we created an active Meterpreter shell on the exploited host. Once the shell was active, an extremely straightforward list of commands -- complete with explanations of what each of them did -- were spit out onto the screen.

It was so straightforward that I perused the list and was able to shut down the host we had hacked by simply typing, "shutdown." It effectively put a halt to the remainder of the hands-on presentation so I'm not particularly proud of what I did, but I did it simply because I didn't expect it to be so easy to do on my own when everything else had required so many additional layers of knowledge.

On the whole, there were no corners to be cut. We actually had to skip over part of the guided hands-on process given time constraints, and this, of course, caused me to be confused later over why we were typing a particular line of code containing a specific IP address. Belton had to explain that the only way we could have known what address to type there was to determine it in one of the steps we glossed over.

I think the moral of the story that I learned today is that when it comes to hacking, it's all about the why. There is so much background knowledge that you need to be armed with, and there's no easy way to figure it out on the fly. There's a whole process you have to go through ahead of time to get that crucial information; namely, learning the different commands, knowing when to use them and, most importantly, why.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies