.

I Need Money And Experience

<<

hitmen

Newbie
Newbie

Posts: 5

Joined: Mon Mar 22, 2010 6:17 am

Post Wed May 18, 2011 4:22 am

I Need Money And Experience

Not sure if this is supposed to go here but anyway..

I just got my CCNA Cisco Certified Network Associate and I want to be a hacker at least part time. I wish to earn some side income. What should I do next.

Are there any site where one can hack for profit legally? 
<<

millwalll

Post Wed May 18, 2011 7:51 am

Re: I Need Money And Experience

Hi hitmen,

First of all welcome to the site. I would say please you the search function on the site as this question has been asked many times and there are many good answer to it.

Well done on passing the CCNA this is a good start to learning to become a Ethical Hacker. However your journey has only started I am afraid to say working as Penetration tester is not a easy task and takes many years to be at a level where you can be self employed.

The best way to get experience is set up your own Lab where you can try news tools and practice then maybe try get a job as Junior Penetration tester where a company will be willing to train you more.

If you have money there are lots security courses online that will help your get expierence OSWP,OSCP and Hackingdojo to name a few.

I would also say being a Ethical hacker is a full time job there is so much to learn and in order to get work you have to try keep ahead of the game. If you only trying to do it for bit extra cash I would not recommended wasting your time and stick to setting up networks. 
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed May 18, 2011 2:19 pm

Re: I Need Money And Experience

  Code:
links -dump "http://blog.tsa.gov/2008/10/zero-tolerance.html" | awk 'NR==2026 {print $5}'
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Wed May 18, 2011 3:05 pm

Re: I Need Money And Experience

sil wrote:

  Code:
links -dump "http://blog.tsa.gov/2008/10/zero-tolerance.html" | awk 'NR==2026 {print $5}'





lol Nice.  Totally saving that.
GSEC, eCPPT, Sec+
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu May 19, 2011 7:45 am

Re: I Need Money And Experience

Thanks for the laugh Sil. Gave me an excuse to play with awk a bit this morning. I really need to learn awk a bit better. Had not used NR before but I'm sure I will now.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu May 19, 2011 10:44 am

Re: I Need Money And Experience

Pays to know variations of commands. Never know when you may be stuck and unable to use a specific command. This is very true if you ever run into something like Tru64, TrustedSol, SunOS and Solaris pre 8.

Also helps to understand as many commands as possible and the chaining of those commands in the event you're in a situation where you don't have a tool or the ability to install a tool (perhaps HIDS is in place).

E.g., let's assume I needed to do some recon/fingerprinting/bruteforce guessing to check hostnames in a domain. I have zero tools to work with other than whatever commands are available to me on a Linux system. What would I use?

Well, I could use the dictionary file, perhaps try something like:

  Code:
grep [a-z] /usr/share/dict/words |\

while read words

do echo $words.hostname.com

done


So I'd have a pretty long list of potential hostnames to check against. t would be pretty ugly and long not to mention noisy. But in practice, I could make:

  Code:
grep [a-z] /usr/share/dict/words |\

while read words

do echo "ping -c 1 $words.hostname.com | grep -vi unknown" | sh

done


And there you have it, an instamagic bruteforce hostname finder from scratch. So another practical use for one liners in a McGuyver like environment? How about: GoogleSets + Links + awk

  Code:
links -dump "http://labs.google.com/sets?hl=en&q1=alpha&q2=omega&q3=&q4=&q5=&btn=Large+Set" |\
awk '!/[A-Z]/,!/\ /{print "ping -c 1 "$2".domain.com"}'|\
grep -vi "1 \." | sh


Same applies for scanning when a scanner is not an option:

$BSDs (free/open/etc)

  Code:
jot - 1 10 | sort -u | sed 's:^:ping -c 1 192.168.1.:g' | sh


$Linux

  Code:
seq 1 10 | sed 's:^:ping -c 1 192.168.1.:g' | sh


For kicks and giggles, you could hide a vast majority of crap in plain sight as an SSL cert ;)
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu May 19, 2011 11:13 am

Re: I Need Money And Experience

wget -qO - www.infiltrated.net/scripts/bogusethicalhackercert.txt

....

wget -qO - www.infiltrated.net/scripts/bogusethicalhackercert.txt | sed -n '8,11p' | python -c "import sys; print sys.stdin.read().decode('base64')"

Hiding in plain site ;) Most admins would ignore this file if it were named something like /etc/ssl/domain.pem

  Code:
$ more /etc/ssl/domain.pem
-----BEGIN CERTIFICATE-----
CzAJBgNVBAgTAlRYMRAwDgYDVQQHEwdIb3VzdG9uMQ8wDQYDVQQKEwZGc2NrZXIxFDASBgNVBAsT
bTEkMCIGCSqGSIb3DQEJARYVcG9zdG1hc3RlckBmc2NrZXIuY29tMIGfMA0GCSqGMIICvzCCAiig
VQQGEwJVUzELMAkGA1UECBMCVFgxEDAOBgNVBAcTB0hvdXN0b24xDzANBgNVBAoTBkZzY2tlcjEU
c2NrZXIuY29tMSQwIgYJKoZIhvcNAQkBFhVwb3N0bWFzdGVyQGZzY2tlci5jb20wHhcNMTAwMzA2
imwLmQIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEEBQADgYEACa1BoZTm
EoUkocRo6DfWFn43bNzoqaHF1a7QC72wxAnsnKIxc4g38TXjd9t/bM/zey/9yLBnEoUkocRo6DfW
CmxpbmtzIC1kdW1wICJodHRwOi8vbGFicy5nb29nbGUuY29tL3NldHM/aGw9ZW4mcTE9YWxwaGEm
cTI9b21lZ2EmcTM9JnE0PSZxNT0mYnRuPUxhcmdlK1NldCIgfGF3ayAnIS9bQS1aXS8sIS9cIC97
cHJpbnQgInBpbmcgLWMgMSAiIi5kb21haW4uY29tIn0nfGdyZXAgLXZpICIxIFwuIiB8IHNoIAo=

-----END CERTIFICATE-----


When needed, parse out the lines you want: sed -n '8,11p' /path/to/certs decode it and you're good to go
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Thu May 19, 2011 11:17 am

Re: I Need Money And Experience

Stringing commands together like this is something that was just brought to light for me during a recent HackingDojo class.  Once you start diving into it, it's really amazing what you can do.

Thanks for those examples, sil.  Some more commands for me to analyze and learn :)
GSEC, eCPPT, Sec+
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu May 19, 2011 11:25 am

Re: I Need Money And Experience

Also (and I'm sorry for sniper like posting... actually working while I post), these examples work when you need to bypass DLP. In order to understand why, you need to understand the *gist* of 99% of DLP systems.

DLP focuses on the following:
Data in Motion (monitors data being sent in and out)
Data at Rest (data being stored)
Data in Use (agents prevent printing and transferring)

Data in Motion - Fail. Guess what, I don't need to send data out using more. I can copy and paste it from the terminal.

Data at Rest - Fine. I set off a trigger. What did I do with the data though? Most systems won't understand what occurred in the event of copying from my terminal to a file on my machine. "ALERT, ALERT, someone accessed a file!!!" So what. There would never be a file created while I copy over the data. Incident Responders (most) would think of it as an anomaly. TRUST ME, I've had to explain this to a few now.

DiU - I don't need to print or transfer it off of the machine. All I need is to pipe it to more.

For those doing some metasploiting, try it next time. Makes for fun anti-incident response WTF Happened?! I think Crapafee has their DLP as a beta. Install an agent on a Windows machine and watch it fail miserably ;)
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu May 19, 2011 11:37 am

Re: I Need Money And Experience

hitmen wrote:
Not sure if this is supposed to go here but anyway..

I just got my CCNA Cisco Certified Network Associate and I want to be a hacker at least part time. I wish to earn some side income. What should I do next.

Are there any site where one can hack for profit legally?



To bring us back to the original question, I could use a little clarification. What do you mean by "site where one can hack for profit legally?"

There are plenty on which to practice, but the profit part throws me. Makes me think we're getting close to the unEthical Hacker side of things.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Thu May 19, 2011 3:55 pm

Re: I Need Money And Experience

I think the OP is looking for a legitimate, hacker-for-hire type of website.
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu May 19, 2011 11:50 pm

Re: I Need Money And Experience

BillV wrote:I think the OP is looking for a legitimate, hacker-for-hire type of website.


I was thinking the same thing. Something like a Hacker version of Rent a Coder
OSWP, Sec+
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Sun Jun 19, 2011 10:01 pm

Re: I Need Money And Experience

For the OP (who probably went on his merry way after not getting the "easy money" answer)... Might want to focus on getting a networking gig, you got your CCNA so put that to use.  Work your way up the ladder.  Network Engineers make decent coin eventually and if you make you way further into the Cisco realm and obtain higher certs you may be making more than the pen testers. 

If you want the six figures well get the experience and shoot for that CISO spot.  If you seriously want to get into full time hacking, well get yourself a lab and start where you might be strongest, networking.  Plenty of exploits out there that attack networking equipment.  Be aware of those, learn how to thwart them and in turn you learn how to execute them as well.  Then move onto trying other tools.
Certs: GCWN
(@)Dewser
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sun Jun 19, 2011 10:48 pm

Re: I Need Money And Experience

Triban wrote:For the OP (who probably went on his merry way after not getting the "easy money" answer)... Might want to focus on getting a networking gig, you got your CCNA so put that to use.  Work your way up the ladder.  Network Engineers make decent coin eventually and if you make you way further into the Cisco realm and obtain higher certs you may be making more than the pen testers. 



I'm working as a Network Engineer. It's paying me good too. 75% of my time is spent configuring VPN tunnels via the CLI and making ACL changes the same way. I'm supposed to take on some web app scanning in the future, after we get the new server built. Not sure why us, but we're the ones that do it.

Anyway, that's with an expired CCNA and no need to get any more Cisco Certs. Not that I don't plan on studying. I also want to get some firewalls for my lab to practice the IPSEC VPN tunnel configs for other devices.

My point is: Don't have to hack to be involved in security.
OSWP, Sec+
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Sun Jul 10, 2011 12:09 pm

Re: I Need Money And Experience

Very true, the day I decided to focus on security was the day I realized that I was doing it part time as a system admin and consultant.  But now I have a reason to make it my full time job.  We all practiced security 101 during our early careers, that is if we were doing our jobs right.  But in the case of certain Sys Admin jobs or consulting gigs, the clients just want you to make sure things stay running, and sadly that is all the client wants to pay for no matter how much you push for better security and such.  At least now, when I am asked my opinion on something, as a security consultant, people will listen and usually do.  Then again it has become easier to push security focused projects due to the ever growing breaches being caused by groups such as Anonymous and Lulzsec. 

Security as a profession is certainly not an entry level area, if you want to be good at it, you need to have some experience in those areas you want to protect.  Like building a web server and securing a web server are two different things.  Think about it :D
Certs: GCWN
(@)Dewser
Next

Return to Other

Who is online

Users browsing this forum: No registered users and 3 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software