Title: Noob!!! Post by: cerberusugh on November 19, 2007, 02:49:33 PM
Hi All
I'm trying to get started in Ethical Hacking/forensics, and wondered that burning question....... how, what and where do I get started???? I have downloaded quite a bit of literature and am after a good starting point. Please help (and be gentle!)
Cerberus

Title: Re: Noob!!! Post by: crate on November 19, 2007, 09:38:38 PM
Well, you've come to the right place. If you wanna get started, get reading, since you said you downloaded literature.
The best advice I can give you, since you said you wondered about the burning question... Find out: What is Ethical Hacking? What is Forensics, and how does it encompass IT? Ponder on the result. Then after careful consideration (more than five minutes) ask yourself if you think this is gonna be the path that you will follow for the rest of your life. It does sound like forever, and well, yes it is. Both these branches involve daily research, and cannot be learned by just studying a manual; you'll learn as you go, that's how I do it. Many people think security is all fun and games; believe me it is, that is if you are cut out for it. If your passion is here, then despite the hours studying/researching, besides the deadlines which may somehow manage to be completed in the nick of time, and of course the higher-ups breathing down your neck, it will never seem boring and frustrating. I may not have the certs but I have the heart, and this is what has kept me in IT security for so long. I think I'm straying, but to make a long story short, the questions above are the most important thing to do if you want a good starting point. If after careful consideration this is the place for you, start reading the manuals, then come back and let the community know your progress and problems. This is one of the forums where beginners to elites feel comfortable, so let your questions rip (with hard research done before though). And welcome to the fold.

Title: Re: Noob!!! Post by: Kev on November 20, 2007, 02:17:40 AM
There is so much on this forum! Have people that ask this really spent time reading here?
Title: Re: Noob!!! Post by: dean on November 20, 2007, 01:48:45 PM
TCP/IP Illustrated Vol 1 by Richard W. Stevens. If this is not on your bookshelf it should be.
Remember that pentesting is about gaining access to critical data, not critical systems. Getting a shell on a box is cool, but that's not the goal. If an attacker can sniff network traffic to get what he needs, why bother to try for access to the server? Far easier to intercept traffic to the printer and recreate the files. So that is why I strongly recommend the above book. The better you understand the underlying protocols, the easier everything else becomes. The same applies to forensics. File system forensics is getting harder and harder, and so the network is where your forensic data is being gathered more and more often. Know your protocols. :)
dean

Title: Re: Noob!!! Post by: crate on November 21, 2007, 08:04:11 AM
I agree with Dean. Both TCP/IP Illustrated and Internet Core Fundamentals are good books for noobs, since they provide an understanding of protocols.
Title: Re: Noob!!! Post by: LSOChris on November 21, 2007, 08:38:01 AM
This is one of the first networking books I bought and it really helped me out a lot:
Network Intrusion Detection (3rd Edition) by Northcutt

Title: Re: Noob!!! Post by: nicky.coder on November 21, 2007, 12:46:04 PM
If you are really motivated to be in the security field, then I suggest you read Fyodor's interview published on Slashdot. Refer to the 4th question and his answer to it. If his answer really motivates you to be "THE ONE", then no one can stop you.
http://interviews.slashdot.org/article.pl?sid=03/05/30/1148235&startat=&threshold=4&mode=nocomment&commentsort=3&op=Change
Happy Reading!!!

Title: Re: Noob!!! Post by: EmanoN on November 21, 2007, 08:12:15 PM
Why is it when someone asks where to get started they are always given the same BS answer of "learn your TCP/IP protocols"? Sorry, but it's just not true and I see it as a smoke screen. It reminds me of the Karate Kid that has to do wax on, wax off before really learning karate. Give me one real example of how simply knowing that or the OSI model teaches you how to hack. The reality is you can do some very effective hacking without understanding much theory at all, and it's done every single day on the net. People can run programs without understanding programming.
If you want to get a good start, download some of the common tools and start working with them. Start with nmap and scan your own network, or DL some VMware and install a free Linux distro and scan it. Get a sniffer and see if you capture data on your network. Work with the tools on your own network and that's your first start. Or you can just eat up time reading about what the layer 2 protocol is supposed to do.

Title: Re: Noob!!! Post by: LSOChris on November 21, 2007, 11:27:22 PM
Quote: Why is it when someone asks where to get started they are always given the same BS answer of learn your TCP/IP protocols. ...
I started to give my long answer to this question, but it's just not worth it. If you think running nmap, nessus and metasploit and even getting a shell makes someone a hacker or even a shitty network admin, you've got a long way to go... Ironically, you tell them in your first steps "anyone can do it" stuff, to get a sniffer and capture data and run nmap; if you don't know TCP/IP, what good is that going to do? How do you understand why a SYN scan may return different results than a CONNECT scan, or even what the differences between the two are? How do they understand what an open or closed port on 21, 23, 80, 443, etc. means? As for layer 2, explain to them why an ARP ping won't work outside of their network without them understanding the differences between layers 2-4. How do they set up the little VMware network if they don't know networking? In fact, all the stuff you listed REQUIRES TCP/IP knowledge, except for maybe just randomly running tools at IPs.

Title: Re: Noob!!! Post by: dean on November 22, 2007, 09:18:21 AM
Here is another scenario for you, EmanoN. The original poster mentioned forensics; you had better know your protocols damn well today if you want to do forensics for a living. If you think that using Wireshark to do all your protocol decodes for you is going to be sufficient, you really need to buy that book yourself.
It is trivially easy to script a telnet/ftp-like app for covert (not encrypted) communications and have the traffic 'encoded' so that when it displays in Wireshark it looks like garbage. Simply prepending a byte to the IP header will do this for you. Unless you know how to read the raw packet you will never figure that out.
Do you know what byte to look at to determine the IP version and header length? Do you know the byte to look at to determine the protocol in use? A simple shift of the byte locations will confuse Wireshark. From a pentesting perspective, knowing how to read a packet capture is essential: from simply looking for data in plain text protocols to traffic patterns for mapping the network and most used devices. I've said this before but it apparently requires repeating: pentesting is about gaining access to critical data, not dropping a shell on a box.
Quote: The reality is you can do some very effective hacking without understanding much theory at all and its done every single day on the net. People can run programs without understanding programing.
I see comments like these and my first thought is 'Job Security', but then I realize that I'm gonna have to do all the work myself for my clients, as it is doubtful that anyone who follows that advice will make it through the first questions in an interview with me. The reality is that I can train a chimp to click on a button, but I need people who can think and have a passion for what they do. One last thing: you might want to take some time and look up what the original meaning of the word "hacker" actually was. You will find that it was used to describe people with a desire and a passion to learn as much as possible about a given topic and to push the boundaries of their environments.
dean

Title: Re: Noob!!! Post by: EmanoN on November 22, 2007, 09:22:15 AM
That's really good. You made my point better than I could. What you are describing is the importance of understanding the output of tools, which really has more to do with understanding the particulars of that tool. While it may be interesting to understand that an nmap -sS doesn't complete the 3-way handshake in TCP/IP, what really matters is the results it gives me and what I do to that particular tool if I am not getting the results I seek. What options would I add?
Yes, it's true the tools I mentioned anyone can learn, just like anyone can learn TCP/IP. Not sure what that has to do with it. What takes time is learning all the aspects of a tool and how to customize it if need be. That translates into working with each tool as much as possible and in every possible situation. Understanding TCP/IP is more crucial if you are writing your own tools. About 30% of the tools and exploits I run were written by me, but could easily be used by anyone with a little instruction on the particulars of that tool, which has nothing to do with memorizing the 7 layers of the OSI model. If learning all the theory of every protocol makes hacking more interesting to you, that's fine. Just don't tell people that want to learn hacking it's the crucial place to start. It's just not true. Get going with the common tools and start getting experience. The more experience you get under your belt, the sooner you will no longer be a noob.
The original meaning of the term "hacker" has nothing to do with what you posted. It had to do with individuals that would "hack" hardware to change it to do something different from what it was intended. Later the press used it for people that would break into computers. Do you guys really understand what hacking is all about, or are you more just bogged-down theoretical security guys wearing your little suits and ties? Oh and Dean, I did go look up the term hacker and guess what? There was a picture of me there, Ha Ha!

Title: Re: Noob!!! Post by: LSOChris on November 22, 2007, 09:28:54 AM
All I can say to that is... I'm glad you don't work for me or with me with that attitude.
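dean's questions above about which bytes carry the IP version, header length and protocol, worked as an added example (not code from the thread): a minimal IPv4 header reader that checks the fields a decoder depends on and reports when they stop making sense, run once on a constructed packet and once on the same packet with a single stray byte in front, which is the shift he describes. The addresses and payload are made up.

```python
"""
Raw IPv4 header reader with the sanity checks a decoder needs.
Added illustration for this thread, not code from it; the packet is constructed.
"""
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 when a filled-in checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header fields from raw bytes.

    Byte 0      : high nibble = version, low nibble = IHL (header length in 32-bit words)
    Bytes 2-3   : total length          Byte 9      : protocol
    Bytes 10-11 : header checksum       Bytes 12-19 : source / destination address
    Raises ValueError when the bytes do not look like a well-formed IPv4 header,
    which is exactly what a header shifted by one byte looks like.
    """
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    version = packet[0] >> 4
    ihl = packet[0] & 0x0F
    if version != 4:
        raise ValueError("version nibble is %d, not 4" % version)
    if ihl < 5:
        raise ValueError("IHL %d is below the minimum of 5 words" % ihl)
    header_len = ihl * 4
    if len(packet) < header_len:
        raise ValueError("packet shorter than the header length it claims")
    if ipv4_checksum(packet[:header_len]) != 0:
        raise ValueError("header checksum does not verify")
    total_len, = struct.unpack("!H", packet[2:4])
    proto = packet[9]
    return {
        "version": version,
        "header_len": header_len,
        "total_len": total_len,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "other"),
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "payload": packet[header_len:total_len],
    }


def build_sample_packet() -> bytes:
    """Constructed IPv4/TCP packet: 20-byte header, no options, 4-byte dummy payload."""
    payload = b"abcd"
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                    # version 4, IHL 5 (20 bytes)
        0x00,                    # DSCP/ECN
        20 + len(payload),       # total length
        0x1234,                  # identification (made up)
        0x4000,                  # flags: DF, fragment offset 0
        64,                      # TTL
        6,                       # protocol: TCP
        0,                       # checksum placeholder, filled in below
        bytes([192, 0, 2, 10]),  # documentation-range addresses
        bytes([192, 0, 2, 20]),
    )
    csum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload


def classify(packet: bytes) -> str:
    """Short verdict string: 'ok: ...' or 'malformed: <reason>'."""
    try:
        fields = parse_ipv4(packet)
    except ValueError as exc:
        return "malformed: %s" % exc
    return "ok: %s %s -> %s" % (fields["protocol_name"], fields["src"], fields["dst"])


if __name__ == "__main__":
    good = build_sample_packet()
    print(classify(good))
    # One stray byte in front moves every field: the version nibble no longer reads 4.
    print(classify(b"\x00" + good))
```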
Title: Re: Noob!!! Post by: EmanoN on November 22, 2007, 09:34:03 AM
Agreed! I am glad I don't either.
Title: Re: Noob!!! Post by: Kev on November 22, 2007, 10:18:16 AM
Damn Emanon, and here the entire time I thought you were applying for one! LOL, just kidding.
Title: Re: Noob!!! Post by: dean on November 22, 2007, 11:22:45 AM
Quote: The original meaning of the term "hacker" has nothing to do with what you posted. It had to do with individuals that would "hack" hardware to change it to do something different from what it was intended.
Quote: it was used to describe people with a desire and a passion to learn as much as possible about a given topic and to push the boundaries of their environments.
Seems to make the same point, doesn't it? Also, if you are going to troll the forums and try to elicit responses from everyone, you might want to make the attempt, when picking your viewpoint, to at least back it up with some facts. This goes for the other threads too.
Quote: Oh and Dean, I did go look up the term hacker and guess what? There was a picture of me there, Ha Ha!
Idiot.

Title: Re: Noob!!! Post by: sedated on November 22, 2007, 07:20:31 PM
To me hacking is more about the pursuit of knowledge. While I am not in the information security field yet, I am pretty sure employers, when they hire someone to pen test them, expect that person to be knowledgeable about protocols and many other aspects of computing. While maybe TCP/IP might not be the best route to start, it is absolutely needed in my opinion. Maybe the best thing to recommend to newcomers is books on computer ethics; that's what everyone needs before they start playing with tools they do not understand. 8)

Title: Re: Noob!!! Post by: EmanoN on November 23, 2007, 07:58:04 PM
Quote: I've said this before but it apparently requires repeating, pentesting is about gaining access to critical data, not dropping a shell on a box
And so spoke the god of hacking! Actually you don't need to repeat it again, and in fact you would do everyone a favor not to, because it's not true. How much bad information can one person give in a single thread? Accessing critical data might be the end result of a pentest, but not always. Many times just gaining a foothold on the network and planting a flag is all a company may allow in a blackbox test. That alone should not have happened, and it's enough to display vulnerability. If doing a pentest from inside the network, collecting critical data might be part of the information gathering process before the hack, like sniffing out a password, that is if you consider a password sensitive or critical data. But neither are the hack itself. Not even in a BlackHat hack is it always the objective. Sometimes the hack is done just to snoop around out of curiosity. Sometimes the hack is done to do something malicious like wipe out a hard drive. With your narrow definition I could say any time I turn on my computer and access critical data I just hacked it! If I go in and put a gun to the head of the Admin and force him to turn on his box and access data, I guess I just hacked it? Hacking as defined by the majority is gaining unauthorized access to a computer or network via another computer.

Title: Re: Noob!!! Post by: don on November 23, 2007, 09:46:56 PM
The most telling part of this thread is that Cerberus has never posted again.
Maybe that should be the lesson here.
Cerberus, is there anything I can do to help answer your question or anything else that you feel you maybe didn't get thus far?
Don

Title: Re: Noob!!! Post by: pseud0 on November 24, 2007, 08:14:17 AM
You have got to be kidding me. This thread has turned into the geek version of "Tastes great! Less filling!" and Ginger versus Mary Ann. Cerberus, the straight answer is that the information security field is still really young, and there is no standard way that folks tend to get involved. Some people are going to start from the OSI model approach and move into the tools; some folks are going to start from the tools and move into the OSI model. To be worthwhile you are going to have to be able to do both. If you get stuck on the OSI side of the house then you are probably not going to understand how to actually carry out or defend against an attack. If you get stuck using just the tools then you are a scriptkiddie who is completely dependent on other people to make your tools, and if you can't find the perfect tool for a situation then you're stuck. Try this approach: If you are already in the OSI mindset (like most students, sysadmins, etc.) then go on Bugtraq and look up the most common attacks against the systems you are familiar with. Since you are already familiar with your systems, you should be able to understand what the exploit is doing to break your stuff. The next step is to research the tools that use that exploit in order to attack your system. Keep doing that and you'll start to pick up a good understanding of the exploits and the tools. If you are already on the tools side of the house, then just go the opposite direction. If you're using Nessus, take the time to actually read the reports, follow the links, and understand what the vulnerabilities are that it is finding. If you're throwing around nmap then read the man page, and every time you see a networking/protocol term that you're not familiar with, go research it.
If you're into Metasploit then take 10 minutes to bring up the code of the exploit you are about to fire off. You're probably not going to be able to make heads or tails of it, so take a couple of days to familiarize yourself with some coding. You'll eventually have to get to this point if you are going to want to write some of your own toys, which is starting to become necessary to avoid mature IDS/IPS systems. By the time you work through these steps you'll start to be able to figure out where you want to go next. Before long you'll realize that each of these areas is an enormous field of study by itself, which is why most "super hackers" actually focus in one area at a time.
Title: Re: Noob!!! Post by: Kev on November 24, 2007, 09:29:12 AM
Well said Sedated and Pseud0! Does seem like much ado about nothing. One person says you should go right into tools, and later, if you want to go deeper and write your own tools and exploits, you should know TCP/IP. Others here seem to feel you should have a good understanding of TCP/IP before working with tools. At least that is what I gathered from the discussion. Really not that big a deal and not worth arguing, and certainly not worth lowering a thread with name calling someone an "idiot".
I would recommend that when someone asks where to start in computer security, they give a little background information about themselves and also state what their objectives are. For instance, if someone were to come on this board and state they have a Masters in computer science and would just like to learn a few basic tools to evaluate their network, they will get a different response from me than someone that says they have just a little knowledge of even their own favorite OS, but one day they desire to be one of the hacking greats. As far as anyone knows in this thread, Cerberusugh may already have an awesome background in networking, programming and TCP/IP. If that were the case it would have made this thread take a different direction. Cerberusugh, if you are still reading this thread, please feel free to post a comment and we can get back on track to better help you!

Title: Re: Noob!!! Post by: matthiasfan on November 24, 2007, 09:32:32 AM
Gotta throw in my two cents. If you want to learn how to be the best at something, start with the BASICS. If you want to know how to drive a car, you need to know how to start it first. This is not to say that you need to know every detail at first, but to actually drive the car, you need to know some basic things. When you start learning about how cars drive and how the engine works and all, you can actually drive better because you have studied it. This is with ANY FIELD!
If you don't start with the basics, you won't be very good in the long run. My suggestion: take a networking class at a local community college. Read about how to make virtual machines so that you can practice.

Title: Re: Noob!!! Post by: dean on November 24, 2007, 10:03:15 AM
Fine, the thread did take a turn for the worse, but at least EmanoN took an opposing viewpoint and was willing to defend it instead of just going along with the previous posts. As much as I disagree with his viewpoint, I have to respect that.
EmanoN, if you really want to continue this discussion, you can find me in LSO's IRC. pseud0, Kev, all really good points those; perhaps posting them earlier would have helped keep the thread on track. :)
dean

Title: Re: Noob!!! Post by: pseud0 on November 24, 2007, 10:23:54 AM
I thought the proper use of all threads was to troll and flame. On that note:
You all suck. If it was physically possible you would suck and blow at the same time. I'm pretty cool. In fact, one time I got two gold stars on my drawing of Elmo. Since don has the power to kill my account, he's tolerable... but just barely I guess.

Title: Re: Noob!!! Post by: LSOChris on November 24, 2007, 06:32:41 PM
Those of you that just decided, obviously without actually reading the posts, that it was a "great taste vs. less filling" debate really ought to be ashamed of yourselves. Especially Mr. Badass Big 4 Pentester, you especially should know better.
Title: Re: Noob!!! Post by: Kev on November 24, 2007, 06:54:06 PM
Quote: especially mr badass big 4 pentester, you especially should know better.
???

Title: Re: Noob!!! Post by: LSOChris on November 24, 2007, 06:58:28 PM
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,1812.msg7124/#msg7124

Title: Re: Noob!!! Post by: Kev on November 24, 2007, 07:15:38 PM
Quote: pseud0, Kev, all really good points those, perhaps posting them earlier would have helped keep the thread on track. :)
Thanks. Hey, but don't blame me for how this thread went, LOL! Just kidding. Eh-net is a small community, or family if you like, of contributors. Just like in any family there is going to be some butting of heads now and again. Not really a bad thing once in a while to stir up some passionate debate. Hey, it's all good.

Title: Re: Noob!!! Post by: pseud0 on November 24, 2007, 07:28:41 PM
Did I miss something? I thought it was pretty clear my last post was a joke?
Title: Re: Noob!!! Post by: pseud0 on November 24, 2007, 07:33:01 PM
Ok, I'm trying to figure out where this thread went off the rails, and I just can't. From my point of view I saw people getting very heated over the "OSI to tools" versus "tools to OSI" model, and both are perfectly valid paths to take. That is why I made my "tastes great, less filling" comment. Did I touch a nerve somewhere?
Title: Re: Noob!!! Post by: nebu10uz on November 24, 2007, 07:41:40 PM
This has been an interesting thread. I guess we can stop here and just respect other members' opinions and not have a big fuss about it. Agreed? :)

Title: Re: Noob!!! Post by: Kev on November 24, 2007, 07:49:34 PM
I think the problem with internet forums is semantics. Sometimes people read things differently than what a poster might mean. I know I am guilty of doing that. I agree with your comment, pseud0, that both are valid as long as at some point TCP/IP is fully understood. I made a post a year ago recommending someone learn TCP/IP as a foundation. But not just memorize it; actually try and visualize it in their head. In fact, why not learn both tools and TCP/IP at the same time if you are lacking in that understanding? Even Emanon seemed to state that if you want to get good you need it. To be honest I didn't understand what you meant by "tastes great, less filling", but I am sure that is due to my dense head. One thing I have learned is saying things like that can be open to all kinds of interpretations in a "heated" thread.
Title: Re: Noob!!! Post by: Kev on November 24, 2007, 07:52:45 PM
Hey, we are on page 3 now, lol! Not to change the subject, but has any topic here made it to 4 pages? Just curious.
Title: Re: Noob!!! Post by: sedated on November 24, 2007, 07:58:57 PM
So the moral of the thread was: learning everything is important, it's all needed, but reading books on TCP/IP is so boring. 8)
Title: Re: Noob!!! Post by: nebu10uz on November 24, 2007, 08:06:13 PM
Hey Kev, to answer your question, my review on OSCP made it to 4 pages: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,1152.0/

Title: Re: Noob!!! Post by: pseud0 on November 24, 2007, 08:08:35 PM
The "tastes great, less filling" was the old Miller Lite advertisement...
http://video.google.com/videoplay?docid=-6857860323414691675&q=tastes+great+less+filling&total=21&start=0&num=10&so=0&type=search&plindex=3

Title: Re: Noob!!! Post by: nebu10uz on November 24, 2007, 08:15:44 PM
There's something I still want to add to this thread. The book "Programming Linux Hacker Tools Uncovered" by Ivan Sklyarov is a good example of why you need to know TCP/IP. By having a strong foundation in TCP/IP you can write code to exploit, backdoor a system, scan your brains out, etc. By having a little knowledge of TCP/IP, I fully enjoyed this book. It was the first time that I saw TCP/IP in a programmatic way. All code is written in C, plus all the source code comes on a CD. I highly recommend it.

Title: Re: Noob!!! Post by: Kev on November 24, 2007, 08:32:46 PM
Quote: the "tastes great, less filling" was the old Miller Lite advertisement... http://video.google.com/videoplay?docid=-6857860323414691675&q=tastes+great+less+filling&total=21&start=0&num=10&so=0&type=search&plindex=3
Actually I found the commercial a little more intriguing than this thread, LOL. Hey, I am a guy, give me a break! I am not familiar with that book, Blackazarro; sounds good and I will check it out. Maybe we should stop this thread so it doesn't take away from Blackazarro's 4 page record, lol! 4 pages is a record, right?

Title: Re: Noob!!! Post by: sedated on November 24, 2007, 08:34:35 PM
You know, it might be a good idea to have a sticky post for newcomers interested in the field of information security on what they should probably learn, with links to some books for them, and maybe have a short tutorial of what the jobs entail and certs to get there. I would write one out, but as I am currently in the learning process myself it might not be best. If there is already a thread like this I apologize, I didn't see one.

Title: Re: Noob!!! Post by: dean on November 24, 2007, 08:58:36 PM
Heh, seems the thread is not dead, but perhaps it should be. Good point on knowing TCP/IP for socket programming, etc... blackazarro.
Anyway, glad to see the thread sparked some interest. But the thread did also start to get into the differences between hacking and pentesting. I don't see the point in posting about that now, but seeing as how the importance of TCP/IP and knowing how to read packets, etc... came up again, here is a little quiz. It's pretty simple if you can read hex. :) From a pentester's perspective, knowing what the payload of an exploit looks like and why the IDS alerts on it is important, as this can help when trying to bypass IDSes, etc... I just pulled this out of my IDS logs. The destination IP is my Windows 2003 IIS server.

alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:5;)

It contained the following payload:

--snip--
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
31 db 31 c9 31 c0 b0 46 cd 80 89 e5 31 d2 b2 66
89 d0 31 c9 89 cb 43 89 5d f8 43 89 5d f4 4b 89
4d fc 8d 4d f4 cd 80 31 c9 89 45 f4 43 66 89 5d
ec 66 c7 45 ee 0f 27 89 4d f0 8d 45 ec 89 45 f8
c6 45 fc 10 89 d0 8d 4d f4 cd 80 89 d0 43 43 cd
80 89 d0 43 cd 80 89 c3 31 c9 b2 3f 89 d0 cd 80
89 d0 41 cd 80 eb 18 5e 89 75 08 31 c0 88 46 07
89 45 0c b0 0b 89 f3 8d 4d 08 8d 55 0c cd 80 e8
e3 ff ff ff 2f 62 69 6e 2f 73
--snip--

What does the hex 0x90 represent? What is the purpose of the 0x90 in the content? Based on the information available, would you classify this alert as an event to log and ignore, or something to be concerned about and to dig into further?
dean

Title: Re: Noob!!! Post by: don on November 24, 2007, 09:36:35 PM
Not only does that sound like a great new thread (hint hint), but how about a new board for security quizzes?
Or maybe just post quizzes on the topic you like in a board that already exists? They can be anything you want... associated with a job desc or a specific cert.
So should I lock this topic?
Don

Title: Re: Noob!!! Post by: pseud0 on November 24, 2007, 09:41:22 PM
0x90s are NOOPs on x86 systems. Basically you use them to move your point of reference in a selected area of memory to a place of your choosing, then you dump in the selected payload (the rest of the code that isn't 0x90). This is a normal approach for buffer overflows.
Title: Re: Noob!!! Post by: Kev on November 24, 2007, 10:48:38 PM
Hmm, good post Dean. I like the idea of a challenge or testing part of the forum. It would be good for those new to this. Just simple things like what you posted. Simple Snort logs, etc... Not full-out challenges.
Title: Re: Noob!!! Post by: nicky.coder on November 24, 2007, 11:15:04 PM
Quote:
I just pulled this out my IDS logs: The destination IP is my Windows 2003 IIS server.
alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:5;)
it contained the following payload:
--snip--
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
31 db 31 c9 31 c0 b0 46 cd 80 89 e5 31 d2 b2 66
89 d0 31 c9 89 cb 43 89 5d f8 43 89 5d f4 4b 89
4d fc 8d 4d f4 cd 80 31 c9 89 45 f4 43 66 89 5d
ec 66 c7 45 ee 0f 27 89 4d f0 8d 45 ec 89 45 f8
c6 45 fc 10 89 d0 8d 4d f4 cd 80 89 d0 43 43 cd
80 89 d0 43 cd 80 89 c3 31 c9 b2 3f 89 d0 cd 80
89 d0 41 cd 80 eb 18 5e 89 75 08 31 c0 88 46 07
89 45 0c b0 0b 89 f3 8d 4d 08 8d 55 0c cd 80 e8
e3 ff ff ff 2f 62 69 6e 2f 73
--snip--
What does the hex 0x90 represent? What is the purpose of the 0x90 in the content? Based on the information available would you classify this alert as an event to log and ignore or something to be concerned about and to dig into further? dean

The above hex encoded string is the normal "shellcode" to get a shell. The initial part is filled with "nops", so even if the EIP falls anywhere near, it should reach the shellcode. The behaviour of this "sc" is to first set a group id "setgid", then to set session id "setsid". Towards the end it tries to call "execve" to execute /bin/sh. Anyway, this was the postmortem report of the small snippet you posted.
The last hex byte was missing, which should be "68". This is not a good shellcode. It needs some minor tweakings for successful exploitation, and it does not affect a Windows machine [because it is a Linux shellcode]. Had some fun in reverse engineering that stuff!!!

Title: Re: Noob!!! Post by: Kev on November 24, 2007, 11:25:17 PM
I guess the responses are proving my point as far as interest. But how can we keep it for newbs for a little while before others more experienced respond? I mean, this would work well if we gave people new to this a little time to respond before more advanced jumped all over it? I mean if we had an area for this, dedicated to those trying to learn basics. Or maybe everyone jumping on it is a good exposure for even those just beginning? Hey, I might be way off the target, but this thread did start off as "how can a newbie get started", right?
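nicky.coder's walk-through of dean's quiz, turned into an added triage script (not code from the thread or from Snort): it re-applies the sid:648 content/depth test to the payload dean posted, measures the NOP sled, counts the int 0x80 instructions and pulls out printable strings, so the answer to dean's third question rests on stated evidence rather than on the alert name. Only the bytes shown between the --snip-- markers are used; the byte nicky.coder notes as missing is not added.

```python
"""
Triage helper for the "SHELLCODE x86 NOOP" alert quoted in this thread.
Added example for the thread, not code from the forum or from Snort.
"""
import re

# Payload exactly as posted between the --snip-- markers.
PAYLOAD_HEX = """
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
31 db 31 c9 31 c0 b0 46 cd 80 89 e5 31 d2 b2 66
89 d0 31 c9 89 cb 43 89 5d f8 43 89 5d f4 4b 89
4d fc 8d 4d f4 cd 80 31 c9 89 45 f4 43 66 89 5d
ec 66 c7 45 ee 0f 27 89 4d f0 8d 45 ec 89 45 f8
c6 45 fc 10 89 d0 8d 4d f4 cd 80 89 d0 43 43 cd
80 89 d0 43 cd 80 89 c3 31 c9 b2 3f 89 d0 cd 80
89 d0 41 cd 80 eb 18 5e 89 75 08 31 c0 88 46 07
89 45 0c b0 0b 89 f3 8d 4d 08 8d 55 0c cd 80 e8
e3 ff ff ff 2f 62 69 6e 2f 73
"""

# The two pieces of the posted rule that matter here:
# content:"|90 x 14|" and depth:128 (sid:648, rev:5).
SNORT_CONTENT = bytes([0x90] * 14)
SNORT_DEPTH = 128


def hex_dump_to_bytes(dump: str) -> bytes:
    """Convert a whitespace-separated hex dump into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def longest_run(data: bytes, value: int) -> tuple:
    """(offset, length) of the longest run of `value` in data; (0, 0) if absent."""
    best = (0, 0)
    i = 0
    while i < len(data):
        if data[i] != value:
            i += 1
            continue
        j = i
        while j < len(data) and data[j] == value:
            j += 1
        if j - i > best[1]:
            best = (i, j - i)
        i = j
    return best


def rule_matches(payload: bytes) -> bool:
    """Snort content+depth semantics: the pattern must lie within the first `depth` bytes."""
    return SNORT_CONTENT in payload[:SNORT_DEPTH]


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII runs of at least min_len characters, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(payload: bytes) -> dict:
    """Collect the indicators a responder would cite and derive a verdict from them."""
    sled_offset, sled_len = longest_run(payload, 0x90)
    code = payload[sled_offset + sled_len:]      # whatever follows the sled
    int80_count = code.count(b"\xcd\x80")        # 'int 0x80': Linux/x86 system-call trap
    strings = printable_strings(payload)
    shell_refs = [s for s in strings if "/bin/" in s]

    reasons = []
    if sled_len >= len(SNORT_CONTENT):
        reasons.append("NOP sled of %d bytes at offset %d" % (sled_len, sled_offset))
    if int80_count:
        # The destination here is a Windows host; int 0x80 is the Linux convention,
        # which is worth stating in the ticket either way.
        reasons.append("%d x int 0x80 (Linux/x86 system-call convention)" % int80_count)
    if shell_refs:
        reasons.append("shell path fragment(s): " + ", ".join(shell_refs))

    # A lone run of 0x90 can occur in ordinary binary data; sled plus code plus
    # a shell path is what makes this worth an analyst's time.
    verdict = "investigate" if len(reasons) >= 2 else "log"
    return {
        "rule_matches": rule_matches(payload),
        "sled_offset": sled_offset,
        "sled_len": sled_len,
        "first_code_byte": code[:1].hex(),
        "int80_count": int80_count,
        "strings": strings,
        "reasons": reasons,
        "verdict": verdict,
    }


def triage_posted_payload() -> dict:
    """Run the triage over the bytes dean posted."""
    return triage(hex_dump_to_bytes(PAYLOAD_HEX))


if __name__ == "__main__":
    for key, value in triage_posted_payload().items():
        print("%-16s %s" % (key, value))
```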
Title: Re: Noob!!! Post by: dean on November 25, 2007, 08:37:36 AM
Nice, nicky.coder. That is pretty much it.
The exploit would actually work though. It was an old OpenSSH exploit. I only copied the part that was valid to the questions. Nice catch on the /bin/sh as well. That is the telling part as to whether to treat this as an event or an incident. Just to add a few definitions to nicky.coder's response.
1. EIP – INSTRUCTION POINTER REGISTER – controls program execution by pointing to the address of the next instruction to be executed. The instruction is executed and the instruction pointer is incremented. When a jump is encountered, the instruction pointer's value is altered to point to a new location in memory.
2. NOOP. A "NOP" or "NOOP" sled is, as inferred, a lot of NO Operations. The reason for the sled is that an attacker does not know the memory location where the executable code is, and it is difficult to guess the location of the shellcode (your exploit payload) in memory, and so it is difficult to set the return pointer. An easier and more reliable method is to create a NOOP sled. Include NOOPs in advance of the executable code, and if the pointer goes into the NOOP sled nothing will happen and execution will continue down the stack until executable instructions are reached.
dean
Quote: But how can we keep it for newbs for a little while before others more experienced respond? I mean, this would work well if we gave people new to this a little time to respond before more advanced jumped all over it?
Kev, as for keeping it for people learning or starting out, don't you think they'll learn just as much from seeing other people posting? Honestly, I expected more than one person to answer it too.

Title: Re: Noob!!! Post by: Kev on November 25, 2007, 11:01:30 AM
Quote: Kev, as for keeping it for people learning or starting out, don't you think they'll learn just as much from see other people posting? Honestly, I expected more than one person to answer it too.
Yes, I agree. Any response, good or bad, will be a great learning experience for those interested.
Speaking as a long time poster, I would say if you get 1 or 2 responses you are doing good here. We need to figure out how to get more people to feel comfortable to post, but that's a topic for another thread.

Title: Re: Noob!!! Post by: Archeron on November 26, 2007, 09:51:12 PM
Quote: Kev, as for keeping it for people learning or starting out, don't you think they'll learn just as much from see other people posting? Honestly, I expected more than one person to answer it too.
Quote: Yes I agree. Any response good or bad will be a great learning experience for those interested. Speaking as a long time poster, I would say if you get 1 or 2 responses you are doing good here. We need to figure out how to get more people to feel comfortable to post, but thats a topic for another thread.
Exactly. I'm one of those guys who likes to see more than one solution and more than one answer. Of course, trying something for yourself is the best solution, but you can always learn something new, even when people are trying to defend their view.

Title: Re: Noob!!! Post by: EmanoN on November 27, 2007, 07:01:17 AM
Yes Archeron, you are right, and welcome to the few that have some balls to post. I see over 1000 page views on this topic and only a few make posts. How gay. Why is it so scary to the gutless wonders that lurk here? So damn scary to post something like "good post, bad post", whatever. I like this forum. I have been watching forums for a long time. If you don't make even a small post it will die. Show you have some balls. Christ, no one knows who you are, and why are you still scared? WEAK!
I got a PM from an important person on this site telling me my posts are close to being a dick. Nice political way of telling me I am a dick! REALLY? I never resorted to name calling like calling someone an idiot. Hey, that's fine. I see this thread went to 4 pages. Whatever. I will make one more post after this and I am done.

Title: Re: Noob!!! Post by: LSOChris on November 27, 2007, 07:46:29 AM
Quote: Whatever. I will make one more post after this and I am done.
good post

Title: Re: Noob!!! Post by: slimjim100 on November 27, 2007, 01:08:40 PM
There is posting and there is flaming and trolling.... I prefer posting and discussing things on a professional level. I feel when someone is constantly negative to others and very sarcastic, it does nothing to help others want to post in the forum. This community is built on supporting others and sharing knowledge.
My 2 cents… Brian Title: Re: Noob!!! Post by: pseud0 on November 27, 2007, 01:48:10 PM good post
Title: Re: Noob!!! Post by: Kev on November 27, 2007, 01:49:32 PM Emanon, I don't think you should leave. You have made a number of posts and thats better than 90% of the people that just lurk out there. Perhaps a little style change might be helpful when you are making your point?
Title: Re: Noob!!! Post by: dean on November 27, 2007, 04:11:23 PM So like I said, I give EmanoN credit for sticking to his viewpoint. As for his method of delivery, well that leaves a lot to be desired and silly comments will get the 'idiot' response from me regardless.
But all that aside he does have a point in that people should post more. You are pretty much anonymous on the forum. If you're wrong, you're wrong. at least you learned something.
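dean's post earlier in this thread explains what a NOP sled is and points out that the /bin/sh string is the "telling part" when deciding whether a captured buffer is an event or an incident. The following is an added example, not code from the thread or from any of its posters: it turns both observations into a small triage heuristic over a raw byte buffer, of the kind an analyst might run on a captured request or a memory dump. The 32-byte run threshold, the default NOP byte set (0x90 only, with the option to pass a wider set), the marker strings, and the sample buffer are all constructed assumptions; the sample contains no real payload, only a placeholder string.

```python
"""Heuristic NOP-sled detection and event/incident triage over a byte buffer.

Added example (not from the forum thread). A NOP sled is a long run of
no-operation bytes placed in front of a payload so that an imprecise return
address still lands on executable filler. The same property makes sleds
easy to spot defensively: look for unusually long runs of NOP-equivalent
bytes, then check whether a shell string follows, which is the detail the
thread calls the "telling part" for triage.
"""

from typing import Dict, FrozenSet, List, Tuple

# Assumption: 0x90 (x86 NOP) is the only NOP-like byte checked by default.
# A caller can pass a wider set, at the cost of more false positives on
# legitimate data such as long runs of a single ASCII character.
DEFAULT_NOP_BYTES: FrozenSet[int] = frozenset({0x90})

# Assumption: strings whose presence next to a sled turns an event into an
# incident for this heuristic (the thread names /bin/sh specifically).
SHELL_MARKERS: Tuple[bytes, ...] = (b"/bin/sh", b"/bin/bash")


def find_nop_sleds(
    buf: bytes,
    min_len: int = 32,
    nop_bytes: FrozenSet[int] = DEFAULT_NOP_BYTES,
) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of NOP-like bytes of at least min_len."""
    sleds: List[Tuple[int, int]] = []
    i, n = 0, len(buf)
    while i < n:
        if buf[i] in nop_bytes:
            start = i
            while i < n and buf[i] in nop_bytes:  # consume the whole run
                i += 1
            if i - start >= min_len:
                sleds.append((start, i - start))
        else:
            i += 1
    return sleds


def assess(buf: bytes, min_len: int = 32) -> Dict[str, object]:
    """Classify a buffer as benign, event (sled only) or incident (sled + shell marker)."""
    sleds = find_nop_sleds(buf, min_len)
    markers = [m for m in SHELL_MARKERS if m in buf]
    if sleds and markers:
        verdict = "incident"  # sled followed by a shell string: treat as an attack
    elif sleds:
        verdict = "event"  # sled alone: suspicious, hand to an analyst
    else:
        verdict = "benign"
    return {"sleds": sleds, "shell_markers": markers, "verdict": verdict}


# Constructed sample: a benign-looking request prefix (46 bytes), a 64-byte
# 0x90 sled, then a placeholder where a payload would sit and a shell string.
SAMPLE = (
    b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n"
    + b"\x90" * 64
    + b"<payload-placeholder>/bin/sh"
)

if __name__ == "__main__":
    print(assess(SAMPLE))
    print(assess(b"A" * 40))  # plain text, benign with the default byte set
    # The same run becomes a sled if 0x41 ('A', x86 inc ecx) is counted as NOP-like,
    # which is the false-positive trade-off of widening the byte set.
    print(find_nop_sleds(b"A" * 40, nop_bytes=frozenset({0x41})))
```

The threshold is deliberately a parameter: real sleds are usually far longer than 32 bytes, but legitimate binary data (padding, zero-filled structures, repeated fill bytes) can produce short runs, so an analyst tunes `min_len` and the byte set to the data source rather than trusting a single fixed value.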