Hacking is bad. This idea is deeply rooted among a lot of people. And many journalists only seem to make this notion stronger.
But it is, in fact, false. Hacking – in and of itself – is not bad. And people using it are not all criminals. In this aspect, hacking is similar to lock picking – the ability itself is not harmful and in the hands of a locksmith or a firefighter saving people from fire in a locked apartment, it’s actually very helpful. Only in the wrong hands can this ability do harm.
Hacking is just a tool; a skill that can be used ethically. And there are hundreds of people in the world doing just that, every day. Thanks to hacking, they can reveal security holes and vulnerabilities of various applications, they document them thoroughly and then pass them on to the app’s developers. In short, they help to improve the world of cyber security. Almost every university in the world has its own team of such specialists.
And you can use hacking to make your servers more secure as well. By getting into the role of an attacker, you will start to see your infrastructure and data in a different way. Where are the vulnerabilities, how can you get behind the usual defence lines? Finding holes in your security this manner allows you to improve your system in a myriad of ways. Maybe you will even find out about processes you did not know could endanger your data.
But how can you learn to think like a hacker? I will show you three ways that you can use to learn the basic abilities of a hacker, practice them safely and use them to your benefit.
1) Wargames. Practice hacking on real servers
Hacking requires a particular set of abilities. You need to know how programs, CPUs, networks, privileges and other important things work, and a knowledge of a few programming languages will come in handy as well. But that is not much of a problem. All the information is easily accessible on the Internet.
The most common types of attacks and exploits can be studied online as well. Most of them are carefully documented. You can use the well-known database OWASP (Open Web Application Security Project). It is highly regarded by a lot of security experts worldwide, so you should at least quickly browse through it when you can.
But once you have mastered the theory, where can you practice your newfound hacking skills safely and without breaking the law?
In so-called wargames. They consist of sets of hacker challenges that use real servers belonging to the community. The most well-known are Over The Wire, Hack This Site, Smash The Stack a We Chall. The last one mentioned serves as a gateway of sorts, so there are many links to other wargames on the We Chall. There are many to choose from.
Wargames let you practice hacking using real tools and processes that real-world hackers could use. Because the servers are intended to be hacked, you can practice your hacker-like thinking in a safe and legal environment.
The task in wargames is usually to get an access password for the next level or some other sensitive (and protected) information that is saved on the server.
The ‘levels’ or challenges are parts of sets of increasing difficulties. So while the first ones only require you to be able to access a server through SSH and open a text file, the later challenges need you to actively look for possible security holes or even errors in code and to overcome basic security features as well.
Wargames are an excellent gateway to the world of internet security even for those who don’t yet have a lot of experience in the field – it is possible to finish the easier challenges without any knowledge of programming languages.
2) Is freedom what you are looking for? These web apps don’t do handholding
If you are put off of wargames by the structure divided into levels, you will be glad to hear that there are more free form hacking training tools available. There are several ways to learn hacking without any handholding. This is important, as it teaches you the reality of looking for errors without any outside help.
This approach can be practiced with, for example, Damn Vulnerable Web Application (DVWA). All you need to do is download an archive containing the web app and after a quick setup you can go ahead and look for security holes.
A similar service is even provided by Google. Feel free to try and hack its application called aptly Gruyere – it is indeed full of holes, just like the famous cheese.