A blueprint: Brand new pen tester, what I've learned in three months.

pezdispenser

1. Learn opsec (operational security) and develop good habits first. The DNB darknet bible is a great resource to learn about opsec regardless of who or what you are.

2. Learn passive reconnaissance/OSINT.
This is a great starting point because it's perfectly legal to do, especially on oneself. This will help identify your own vulnerabilities and develop the primary skills involved in an exploit. And it helps to find holes or limitations within your own opsec measures.

3. Learn to cover your tracks. CYA/CYT. Before you do any "hacking" it's a pretty good idea to have contingency plans. Most pen testers on YouTube do not cover much about this part of things because many of them do penetration tests in a professional/white hat capacity, and this is a good thing! But even for them, these skills and habits are important for many different reasons.

4. Learn active recon. But only after mastery of the first three things, and create private home labs to practice on.

5. Learn post-exploit first. Seems backwards, but the end goal determines what exploit is used and how the exploit itself is performed. (From my limited understanding.)

6. Learn the tools needed to perform the exploit, and if needed, create a lab on a private network that mimics the target network and its topology as closely as possible.

7. Develop cloud computing skills and take full advantage of AI post haste.

So to sum it up, the hat you wear really decides much of what you do and how you do it, although I think everyone could benefit from this blueprint.

A black hat, as an example, would need to place much more emphasis on not getting caught; that would be the primary goal, and time wouldn't be too much of a factor.

For a pentester though, having the ability to quickly identify vulnerabilities and get paid for their findings and fixes is the goal. For them, a bare metal install of Kali is the only way to go, because reliability of the system can't get in the way.

However, they don't need to worry about data forensics etc. because they are not actually committing any crime. But a bare metal install of Kali is probably not needed in the case of a hobbyist-beginner, and is probably detrimental in the case of a full-fledged black hat, data forensics and CYT skills being what they are.

I'd love to hear what I missed and what I was wrong about, and why, for my own knowledge, and am looking forward to those critiques...
Thanks!

Edit: Spelling and grammar. Probably still not great.
 


The word 'allot' doesn't mean what you think it means. The word 'alot' isn't a word, just so you know. The word is two words, they are 'a lot'. You're welcome. Many people make this mistake, along with typing stuff like 'noone'.

Anyhow, there's nothing (yet) wrong with this thread.

I will point out that Linux.org does not condone illegal activities. They are not to be discussed under any circumstances. There are, shall we say, better places than this to learn about and freely discuss things that are on the wrong side of the law.

As for which laws apply, given where the server is and where the admin is, you can safely assume that United States laws are those that apply.
 
I was pointing out that it doesn't matter what color hat, these are all useful skills for everyone. Was I incorrect? I certainly wasn't implying that individuals should behave in any criminal way; what I am saying is certain things are mentioned and some are not. I think many beginners don't see a big difference between penetration testing and hacking when there definitely is. But I take it from the correction of my spelling or grammar that I am on the right track. So thanks.
 
Was I incorrect?

Oh, you're fine. It's just a preemptive response to what others may respond with. It's a warning to those who comment to ensure they remember what rules are in place.
 
For a pentester though, having the ability to quickly identify vulnerabilities and get paid for their findings and fixes is the goal. For them, a bare metal install of Kali is the only way to go, because reliability of the system can't get in the way.
Not sure what you mean by this; Kali is not needed for any kind of hacking.

I personally find Kali useful to explore and test new tools; most of those tools can then be installed on any other distro if needed for daily usage.

I'm also sure a lot of white hats don't use Kali because they need a daily driver and their setup to be present all the time for work.
Not sure about black hats, but I think they're even more likely to have a daily driver because they can't afford getting exposed like you said, and Kali is an insecure distro so it wouldn't help them much with that.

Other than exploring and testing, Kali is useful for temporary usage to solve some task, but it's not suited as a daily driver unless you'll be learning for hours every day or something like that.
 
Not sure what you mean by this; Kali is not needed for any kind of hacking.

I personally find Kali useful to explore and test new tools; most of those tools can then be installed on any other distro if needed for daily usage.

I'm also sure a lot of white hats don't use Kali because they need a daily driver and their setup to be present all the time for work.
Not sure about black hats, but I think they're even more likely to have a daily driver because they can't afford getting exposed like you said, and Kali is an insecure distro so it wouldn't help them much with that.

Other than exploring and testing, Kali is useful for temporary usage to solve some task, but it's not suited as a daily driver unless you'll be learning for hours every day or something like that.
I may be wrong, but many pentesters I have read about or reviewed the content of do use Kali Linux. And most of them use a bare metal install, from what I've seen or heard them say.

As far as "black hats" go, I have read the book "How to Hack Like a Ghost" by Sparc Flow. If your live USB fails, does it leak a bunch of your metadata? I don't think so. You may fail what you are trying to do, but as an attacker you can always try again later. Professional pen testers don't have that luxury/it's not worth the hassle. So I disagree with you, but I'd be happy to know where I went wrong.

Anyway, many of us know by now that any of the tools one would like to use are fairly easy to install and use on other Linux environments besides Kali or other pen testing distros, sure. But it seems that the hacker who wrote the book was most focused on cloud environments, and on using live environments on any computers he could gain physical access to.

In most cases, a live USB will not leave any logs that it was used, and it will probably have everything needed right away; it is easy and small to carry practically anywhere.

The premise of several of his talks was cloud environments: scaling vertically for cracking hashes, or horizontally for things like DDoS attacks. In this case, a bare metal install isn't required, but being able to quickly scale to one hundred cloud machines might be, depending on the task.

Kali is used by lots of people; this reduces your signature to some degree. Making something custom instead is like signing your name, from what I gathered.

Is Kali super secure? No, it isn't. And that's why running a live environment on someone else's machine, or war driving for access on someone else's network, is most beneficial.

But what about being linked to the cloud services you are using to do it? The author goes into the various cloud providers that accept cryptocurrency.
 
As far as "black hats" go, I have read the book "How to Hack Like a Ghost" by Sparc Flow. If your live USB fails, does it leak a bunch of your metadata? I don't think so. You may fail what you are trying to do, but as an attacker you can always try again later. Professional pen testers don't have that luxury/it's not worth the hassle. So I disagree with you, but I'd be happy to know where I went wrong.
All that hackers care about are zombies, because that's what makes their botnet bigger, and that (the numbers) is all that matters.

They really don't hack machines the way one might think they do, e.g. using Kali or whatever tools to hack a server here or there to raise their numbers; it would be painfully slow and would take too much effort.

They use social engineering, e.g. a Trojan horse to trick regular users into installing their malware, normally through torrents but also by hosting software that claims X but does Y that is otherwise desired by a wide group, e.g. registry cleaners, optimizers, driver installers etc.

Using this method one can build their botnet relatively huge in a short time and without much extra effort beyond the initial programming, which is much easier than active hacking (e.g. using tools or stale exploits).

It's one well known reason why Windows is more targeted than Linux.

In most cases, a live USB will not leave any logs that it was used, and it will probably have everything needed right away; it is easy and small to carry practically anywhere.
A haxor doesn't care so much about logs on their PC because they could simply encrypt their disk, and if anyone knocks on their door they'll simply shut down their PC and nobody will be able to read anything; all that could be done is seize their hardware, and not much more after that.

What a haxor will be more concerned about is the trace they leave online, such as IPs and the traffic they generate etc., and the answer is very simple: they'll use their botnet and their victims' machines to do what they plan to do and stay anonymous on the internet.

In the case of RATs (used to control their botnet) they'll use either VPNs, a VPS, Tor or similar to isolate their machine from their traffic and hide the trail.

Kali is used by lots of people; this reduces your signature to some degree. Making something custom instead is like signing your name, from what I gathered.
Sounds to me like confusing Kali with Tails Linux, but for the above reasons this makes no sense to me, because nobody will go hack them back or trace them back, and even if somebody does it will not lead to their machine for the above reasons.

Ofc. exceptions exist and hackers get caught; there are numerous examples online.

But what about being linked to the cloud services you are using to do it? The author goes into the various cloud providers that accept cryptocurrency.
IDK, using cloud services means agreeing to their terms of service, so it's useful only if you can stay anonymous while using their services.
 
Thanks for the reply and explanation! Except, couldn't the uber l33t get caught setting up their botnet to begin with? That's definitely the issue I see. Sure, the FBI would investigate and say, oh, all these are botnet zombies, but digging deeper they might see that everyone whose computer was involved also liked to download torrents, and lo and behold, they all downloaded one torrent in particular.

I wasn't confusing Tails with Kali, only pointing out that they both can be useful for different things out of the box with no/very little configuration. Sure, if you use Kali on a server with a verbose logging policy they will definitely know you used Kali.

Next, staying anonymous while using cloud services...
Would their terms matter if you used a stolen identity from the dark web? No, probably not.
Would their terms matter if you connected over Tor and paid with tumbled or mixed Bitcoin? Also, probably not.

Sure, the FBI would investigate and say, oh, all these are botnet zombies, but digging deeper they might see that everyone whose computer was involved also liked to download torrents, and lo and behold, they all downloaded one torrent in particular.
There are thousands of torrents from thousands of sources; this trick is so old everyone knows it, and I doubt it could lead to any one particular person.
Also, when MS started letting users download Windows for free and use it "free of charge", that damaged a lot of potential; I think games are now the major route and this isn't going to change anytime soon.

Would their terms matter if you used a stolen identity from the dark web? No, probably not.
Would their terms matter if you connected over Tor and paid with tumbled or mixed Bitcoin? Also, probably not.
I'm sure they wouldn't use their own info for payment, but I'm not sure if cloud services accept crypto.
I don't think cloud providers accept anonymous crypto payment, but I could be wrong; I don't use cloud.

---

Back on topic about Kali, I think Kali is a great OS and I'd like to have it installed as a daily driver; I think you're right many pentesters use it, but unless you're all in on hacking and don't do anything else in your life, then no.

But unlike you, I don't recall seeing anyone saying they're using Kali; most people, even administrators on Kali forums, say it's not an OS to be used as a daily driver.
 
There are thousands of torrents from thousands of sources; this trick is so old everyone knows it, and I doubt it could lead to any one particular person.
Also, when MS started letting users download Windows for free and use it "free of charge", that damaged a lot of potential; I think games are now the major route and this isn't going to change anytime soon.

I'm sure they wouldn't use their own info for payment, but I'm not sure if cloud services accept crypto.
I don't think cloud providers accept anonymous crypto payment, but I could be wrong; I don't use cloud.

---

Back on topic about Kali, I think Kali is a great OS and I'd like to have it installed as a daily driver; I think you're right many pentesters use it, but unless you're all in on hacking and don't do anything else in your life, then no.

But unlike you, I don't recall seeing anyone saying they're using Kali; most people, even administrators on Kali forums, say it's not an OS to be used as a daily driver.
I agree, it's definitely not a daily driver. That doesn't mean some pen testers don't run bare metal installs or dual boot. Some have mentioned they have separate laptops with Kali and use them for those types of things exclusively.

As far as running it reliably to use all the time, a dual-boot setup might be the best option. And yes, there are several cloud hosting services that accept crypto payment, but buying an identity is a possibility also for the evil ones.

Botnets are fascinating, and that was one of the reasons I mentioned developing infrastructure, which is part of that.
 
There are thousands of torrents from thousands of sources; this trick is so old everyone knows it, and I doubt it could lead to any one particular person.
Also, when MS started letting users download Windows for free and use it "free of charge", that damaged a lot of potential; I think games are now the major route and this isn't going to change anytime soon.

I'm sure they wouldn't use their own info for payment, but I'm not sure if cloud services accept crypto.
I don't think cloud providers accept anonymous crypto payment, but I could be wrong; I don't use cloud.

---

Back on topic about Kali, I think Kali is a great OS and I'd like to have it installed as a daily driver; I think you're right many pentesters use it, but unless you're all in on hacking and don't do anything else in your life, then no.

But unlike you, I don't recall seeing anyone saying they're using Kali; most people, even administrators on Kali forums, say it's not an OS to be used as a daily driver.
Hackers definitely do get caught sometimes, and they are able to link certain individuals to certain activities; some people develop a taste for a certain OS and use certain tools they are familiar with all the time, and that metadata is used to link crimes. Some use similar or the same usernames for GitHub and so on. This is how they are getting caught (allegedly). I follow "OTW" Occupy the Web; I read his books and watch his content, so that is one of a few of my sources for this information.

I think you may have misunderstood me when I say many pen testers, as far as I'm aware, do use bare metal installations; that doesn't mean that is what they use as a daily driver, although I can see where I might have implied that.
 
Black hat hackers are primarily interested in making money or causing harm. Such people need to get caught and locked away. A white hat needs to be able to complete their assignment within the time allotted by the client, so they will certainly need to be able to move quickly and carefully without unduly burdening the client's computers or networks.

It is generally safe to attack your own stuff on your own private network, provided doing so does not violate any software licenses, like Microsoft Windows. That license specifically forbids exploiting any of their security weaknesses. Perhaps they just don't want pentesters checking Microsoft systems to see if they are secure, or perhaps exposing how insecure they really are. Perhaps people should use something better than MS Windows, like Linux.

The legitimate purpose of hacking is summed up in this statement: hacking is only to be done for the benefit of the client and only with the client's permission. Obviously a would-be hacker will need training, so they'll need targets to attack and defend. This is when they use their own stuff or any of the hacking training web sites that exist for this purpose. They give people permission to attack intentionally vulnerable systems running on virtual machines. Someone could try using something like Metasploitable and Metasploitable 2 for practice at home to help them get started.

Hacking is more about knowing how stuff works and looking for bugs to exploit, including writing your own tools rather than being totally dependent on tools written by others. Being a script kid does not make someone a knowledgeable hacker. A good hacker can find weaknesses and write their own tools, but it isn't necessary to reinvent the wheel either. Knowing how to develop and use exploits can put power in your hands, but with power comes responsibility. It takes someone with real integrity to be able to handle that power without being corrupted by it.

Pentesting, from a cybersecurity perspective, is like looking over the lock on the door to see if it looks durable and secure, but is not like kicking in a locked door just to get in. The whole point is to check out the system and the network to see if the defenses are up to the task. Not being able to get in is a good thing, but it can also mean that the pentester wasn't up to the challenge. There is never such a thing as perfect security. It can be very good, but never perfect. People continue to find bugs. Such bugs could not be found unless they exist.

Working as a pentester is never about exposing the ignorance or incompetence of the client's IT department. One person may see what another person misses. This is a two way street. This is why pentesters are brought in. It can help to look over a system with an extra set of eyes. A pentester must work in harmony with the IT department in a professional manner and as a friend, not as a correctional agent to criticize mistakes. A pentester should help to provide a positive experience for the client to help empower them with the knowledge they need to better secure their equipment. It is not the pentester's job to fix the mistakes or misconfigurations they find, but only to report them and suggest appropriate remedies. A pentester NEVER touches the client's sensitive data and only uses tools approved by the client and only attacks the systems or networks the client provides permission to attack.

It can be very helpful for a new pentester to work on a team of more experienced pentesters so they can learn from the experience of their team members. It can also be very helpful to be able to ask such team members questions and receive guidance from them about how to solve a particular problem or how to proceed in a certain situation. A pentester should provide the client with the IP address they will be attacking from before the pentest begins.

A white hat doesn't need to hide, but should try to avoid being detected by the client's blue team.

Signed,

Matthew Campbell
 
The thing that really bothers me is the opposition to people learning anything at all about cybersecurity. Big tech companies have been working to censor or hide such knowledge regardless of the apparent goal. I personally believe that people should be allowed to learn about cybersecurity so they can gain the knowledge they need to defend their own stuff rather than being low-hanging fruit for any two-bit criminal to come by and pick. It should be possible for people to learn how to become a good pentester, a white hat, for free so they don't have to shell out thousands of dollars to take classes. Search engines and AIs have been trained to filter out such requests to keep people from learning about cybersecurity or finding out about vulnerabilities or exploits. This can make it more difficult for legitimate pentesters to learn about such things. Ignorance is never an acceptable security policy. There are plenty of bad guys out there with plenty of knowledge. Hoping someone simply won't be able to hurt you because of their own ignorance offers a false sense of security. Sure, people don't want bad people learning about how to cause harm, but good people need useful skills, so there must be an effective balance between the two. The intent of the student needs to be considered.

Signed,

Matthew Campbell
 
The thing that really bothers me is the opposition to people learning anything at all about cybersecurity. Big tech companies have been working to censor or hide such knowledge regardless of the apparent goal. I personally believe that people should be allowed to learn about cybersecurity so they can gain the knowledge they need to defend their own stuff rather than being low-hanging fruit for any two-bit criminal to come by and pick. It should be possible for people to learn how to become a good pentester, a white hat, for free so they don't have to shell out thousands of dollars to take classes. Search engines and AIs have been trained to filter out such requests to keep people from learning about cybersecurity or finding out about vulnerabilities or exploits. This can make it more difficult for legitimate pentesters to learn about such things. Ignorance is never an acceptable security policy. There are plenty of bad guys out there with plenty of knowledge. Hoping someone simply won't be able to hurt you because of their own ignorance offers a false sense of security. Sure, people don't want bad people learning about how to cause harm, but good people need useful skills, so there must be an effective balance between the two. The intent of the student needs to be considered.

Signed,

Matthew Campbell
All great responses and posts as always, and thanks. Admittedly I am extremely new. My opinions and perspectives may not be totally accurate; the purpose of the post was to clear up any of the things I've missed in terms of a holistic strategy for learning about offsec.

I think there are way too many gatekeepers that know exactly what a good hacker should do to be successful, but they don't advertise that information for a variety of reasons.

You are right that some AI models have higher moderation or censorship, but not all do.

I can run Alpaca and download some very good unmoderated models to run on my system locally. At this point I don't require a subscription or permission from anyone, and I can train the models as I see fit, downloading guides, books, and tons of other documentation for it to scan and use to provide answers to any questions I may have, regardless of their moral or legal implications.

As a test I asked one to create a bot to scrape/scan GitHub for visible API keys; it said "sure, no problem".

I have had it read guides and create fixes where it modified my kernel... That's pretty cool. (I did delete everything and reinstall my system afterwards though.)

And on others I've cracked handwritten coded messages from images.

I won't mention exactly what models, and how this is done for ethical reasons, but I will say it can be done, and if I was doing this a month or so into my offsec journey, anyone willing to devote the time to it definitely could figure it out.

The issue I had when getting started, and the reason it has taken this long to give this area of computing a more serious look, was because people were and still are very tight-lipped. If anyone had offered me any help or useful information in the days of BackTrack, I may have a completely different career now. That's the second reason for my original post.
 
Big tech companies have been working to censor or hide such knowledge regardless of the apparent goal.
I know Google publicly allows people to attack them and offers hefty payment for success.

Here is one example for Chrome:

I think you may have misunderstood me when I say many pen testers, as far as I'm aware, do use bare metal installations; that doesn't mean that is what they use as a daily driver, although I can see where I might have implied that.
I apologize.

Yes, bare metal and daily driver are a big difference; I was referring to people who, like most people, have only one PC which they use for normal needs like browsing, playing games etc.

In this sense Kali isn't a wise option, that is, to mix hacking and normal tasks.
But having a secondary PC or laptop with bare metal Kali installed on it that's used to learn hacking or to do hacking is perfectly fine; I personally use a VM instance which runs as fine as if it were a secondary PC.

Also, I'm really not against using Kali as the main and only OS on the single PC I have or anyone else has; I see this as no different than using Arch or any other rolling release distro. You gotta be ready to fix things with the distro itself and the packages it provides since it's bleeding edge; that's the first step and requirement for a Kali user: a user has to be skilled with Linux without dealing with the pentesting tools at all.

The truth however is the opposite: most people who install Kali to drive have issues unrelated to pentesting; the internet forums are full of such issues and users, and I think that's one of the reasons why everybody says you should not use Kali, be it as main OS or in general, and many folks ignore this.

Rarely does anyone (or nobody) tell you all the reasons why not, however.
 
I know Google publicly allows people to attack them and offers hefty payment for success.

Here is one example for Chrome:

I apologize.

Yes, bare metal and daily driver are a big difference; I was referring to people who, like most people, have only one PC which they use for normal needs like browsing, playing games etc.

In this sense Kali isn't a wise option, that is, to mix hacking and normal tasks.
But having a secondary PC or laptop with bare metal Kali installed on it that's used to learn hacking or to do hacking is perfectly fine; I personally use a VM instance which runs as fine as if it were a secondary PC.

Also, I'm really not against using Kali as the main and only OS on the single PC I have or anyone else has; I see this as no different than using Arch or any other rolling release distro. You gotta be ready to fix things with the distro itself and the packages it provides since it's bleeding edge; that's the first step and requirement for a Kali user: a user has to be skilled with Linux without dealing with the pentesting tools at all.

The truth however is the opposite: most people who install Kali to drive have issues unrelated to pentesting; the internet forums are full of such issues and users, and I think that's one of the reasons why everybody says you should not use Kali, be it as main OS or in general, and many folks ignore this.

Rarely does anyone (or nobody) tell you all the reasons why not, however.
Oh, you are right about that! I agree with everything you said. For some reason it took me too long to find where the misunderstanding was.

I tried it also (bare metal and daily driver), to devote my time to learning and using it. But I decided to go back to Mint for all the reasons mentioned earlier. I didn't completely trust the VM configurations either. (Is it really using my VPN? What happens when I use Tor on my VM but my host machine is using a VPN over NAT, etc.?)

Some tools on Kali are extremely easy to use, meaning it's easy to commit some type of crime and potentially get in trouble by not knowing what I'm doing. So I decided I probably shouldn't use Kali as a daily driver or bare metal in any capacity. VM, like you, definitely. Live USB, sure; it's handy and makes a lot of sense for me, and beyond that I think it makes good sense from an OPSEC standpoint for OFFSEC purposes. I still have a ton more to learn, and I always will have a ton to learn. There's no end. And because of that I think good opsec practices are important for everyone.
 
I still have a ton more to learn, and I always will have a ton to learn. There's no end.
Sure! One needs an Intel CPU in their head to process all the info and learn; it's too much out there, you need to be a youngster, like 10 y.o., willing to learn only IT your whole life.

I'm slowly giving up on learning anything; grasping Linux is probably my last journey, and only because I'm using it, otherwise nothing regarding computers is interesting to me any more. (Maybe things will change with a small pause, IDK lol)
 
Sure! One needs an Intel CPU in their head to process all the info and learn; it's too much out there, you need to be a youngster, like 10 y.o., willing to learn only IT your whole life.

I'm slowly giving up on learning anything; grasping Linux is probably my last journey, and only because I'm using it, otherwise nothing regarding computers is interesting to me any more. (Maybe things will change with a small pause, IDK lol)
Definitely. In my case I decided that to understand it and get anywhere it was going to be like learning a new language; I am bilingual and it has taken hours per day for years to get where I am at in terms of speaking a new language. My breakthrough came when I learned that language and culture aren't separate; they are more or less one thing. It's nearly impossible to fully understand one without the other.

I've always had an interest in tech, but this part of it is for me in its honeymoon stages still. I devote practically all of my free time to learning it because it is new and interesting, and have decided to apply myself to learning about it in the way I've learned a second language.

There are a lot of similarities I've encountered between linguistics/culture and tech/culture, and it's fascinating for me... for now.
 
Definitely. In my case I decided that to understand it and get anywhere it was going to be like learning a new language; I am bilingual and it has taken hours per day for years to get where I am at in terms of speaking a new language. My breakthrough came when I learned that language and culture aren't separate; they are more or less one thing. It's nearly impossible to fully understand one without the other.

I've always had an interest in tech, but this part of it is for me in its honeymoon stages still. I devote practically all of my free time to learning it because it is new and interesting, and have decided to apply myself to learning about it in the way I've learned a second language.

There are a lot of similarities I've encountered between linguistics/culture and tech/culture, and it's fascinating for me... for now.
There are well over 100 programming languages: https://en.wikipedia.org/wiki/List_of_programming_languages

To learn just one takes at least a year of hard work, e.g. 8h a day. ;)
And that's only about programming lol.

Knowing upfront what one wants to deal with in the future can help save a lot of time, unless one is going to live more than one life, heh.
 