Takes a Hacker to Catch a Hacker

My computer was hacked.

All the work I’ve ever had, all those hours sitting in front the computer to work. Articles that I wrote, personal contacts, my notes from college, almost lost, and for not taking security seriously. Everything was saved by transferring the hard drive to another computer, the last measure.

This has to change. Now I am taking security seriously and start gathering knowledge and learning on information security to prevent any hacking. True, I already had a database holding a lot of information (from investigative research I did from time to time for journalism), but now I pretend to learn.

I am no computer wizard, even less a hacking wizard, and probably wouldn’t even get near to be accepted in the hacker’s version of Hogwarts. But thankfully, there is internet.

Regarding hacking there is one advice running across many websites. If one pretends to stop attacks from ever to happen again one has to enter the mind of the attacker, and must try to become a hacker.

It all starts, at least for me, with articles to gain inspiration from, like the tale from a chef. She changed her career, be inspired by her achievement:

Now, how would look the activity of hacking? Would it be like in the movies where everything happens in a few strokes? Is that even possible for a professional? I certainly don’t know if a professional can do what the movies pretend, but most probably I’m right in something that hacking is not, and is not just the looks, even if it “looks cool” thou:

Is not necessary to give up fascination in the quest for learning, but the visualization part is not very common, although some fascinating representations do exists. At the left is the good guy, protecting the blue bubbles that are innocent accounts, at the right there is the hacker, launching red “evil” bubbles:

But what in the world would guide me to the “hacker mentality”? And yes, many hackers require one to have certain mentality to even think of trying (no pun intended). Well, it might be brought by instances of determination and interest, like trying to catch one’s own attacker. Sure it is what got me interested in the first place:
http://www.webtorials.com/content/2012/07/tracking-hackers-down---then-striking-back.html

But it takes more than a weekend hobby to get in the shoes of someone with enormous resources, with years of practice on its back. It takes dedication to get into this, it takes a personal decision, it takes…time. Time, a lot of patience and stubbornness to be into something one is awfully bad at, to get to the level of understanding and working on stuff that requires a lot of knowledge:

In the next episode, your favorite angry beaver (me) attempts to decipher more on this mindset, and perhaps building up skills himself.

PD: Don’t blame me if I am bad at this, but I’ll stick to it (rule number #1, determination).

This is all quite interesting and inspiring. But I think the main focus should be prevention and recovery: Prevent that someone hacks you and have backup systems in place for the case that you got hacked anyway.

Trying to track down hackers and get revenge sounds cool and stuff, but first of all it’s really hard if the hacker is really good and second, it won’t increase your security by much.

Yes.

Yes.

No.

Prevention methods are among those articles, its just that I don’t get to point what they are because I am not there yet. Prevention is my mayor concern as I did said, but I’ll post what paths are taken for that the next week.

One week has pass. To continue with the previously said, we are not heading to think different.

Diving into the hacker culture I came to know that the very definition of “hacker” has another connotation than that given by the mainstream. And one particular resource pointed that:
http://catb.org/~esr/faqs/hacker-howto.html

The previous link is a step further into a world that can be quite complicated. Because as it point out, there is a lot requested to become a hacker, and is not just knowledge. On the other hand, is refreshing to know that “hacking” has another meaning, a meaning that implies good attitudes, and solving skills and initiatives, not destructive. Hacker, now we understand, means a problem solver, and as we will find out, this skill is crucial.

There is still the need for security, but that now we find it reinforced by the need of self improvement:

And in the security arena, there are many actors:

White hats, black hats, even grey hat hackers. Many flavors. But why we should concern on this if we are just looking for security? If you ask this, is because you haven’t seen the video in the link above ;). But ok, lets give more depth into what is this field about:

One can be a lot of fields, but to prevent a security breach, one needs to first know how such a breach is done. Here enters the ethical hacker. Ethical hacking is a concept that invokes the fact that bad guys are out there to get your computer no matter what you think, and to prevent this is to take the lead in any hole in the security, discover those and give a solution. And meanwhile. they actually get paid for that.

If by now I have made the point to distinguish between “black hat” and “white hat”, is time to move on to what’s next- And, how to gather the skills?

A few concepts to start with: system administration, networking, scripting… These fundamental skills are the base, and one presumes to go deeper from here on, one must start somewhere. But never forgetting one key fact: There are no easy ways.

And its ok to be at the bottom, we must start somewhere.

In the next week, there will be a lot of hands on. Finally some actual building blocks and some action.

And here again after anoher week. Before starting is necessary to say my duties avoid me from doing much publications but as my practice on hacking/programming has been steady, so would be my recommendations.

Now, this is probably the most hands on publication thus far on what means to get the skills previously mentioned, you are warned.

We have to be clear that reading (or at least skimming) trhough the links should now guide anyone to some certain facts about what to do, as also understanding the true nature on what one wants with all this. This is now going to contain some exercises.

We first need to get an entire environment dealing with both, programming and system administration, on which Linux is the best shot.
http://www.linfo.org/newbies.html

Why Linux? Is filled with the best tools and than this operative system itself is the test bed for improving all skills makes this a requirement.

It would be a good idea to mention that we have a lot of choices for installing Linux, among which we have the option to install it on a virtual machine, but I strongly recommend to ditch your current operative system and go with one of these:

Linux Mint: The best way to start in the Linux culture is to do it with fashion, and Mint is the best good looking “distro” (that, and “flavor” is how they call a Linux version).

Kubuntu: Well perhaps this looks better that the previous, but its highly configurable options makes it more for people who have spent already some time in Linux.
http://www.kubuntu.org/getkubuntu

Lubuntu: Do you want a lightweight and fast distribution? You can find it in Lubuntu, a very sober and light option for old computers or people who wants the performance plus.
https://help.ubuntu.com/community/Lubuntu/GetLubuntu

Kali Linux: Not your first distro in Linux I hope, but is the main choice when someone wants to start out as “penetration testers” (jargon for what is commonly known as “hacker”).

For the installation you need first to know if your machine is 32 or 64 bit, and download the appropriate link. Here is more on how to know what type your PC is:

When on the installation, you better know some details. First, you can d other things than replacing your current OS permanently, but I will not cover it unless I am asked. What I will say is that you can just burn one of the “.iso” files downloaded on a cd and reboot your computer with the cd inside and follow one of these instruction:

In the case you want to do a full installation, you don’t need to worry on partitioning, that is automatic (and one more reason to consider the permanent passage to this world). Oh yes, don’t forget to BACKUP EVERYTHING and you’ll be fine.

Are you following me so far? Good, because you are going to have some serious business here on. And here is a funny guide through Linux for start:

Here is a short guide:
http://freeengineer.org/learnUNIXin10minutes.html

To take it real easy you might want to “play” this game:
http://www.mprat.org/Terminus/

After testing the waters, you might want to try out more interesting tutorials:

And then, you can join the more serious path of inscribing in the online free course made by the Linux Foundation:

Since moving around and testing all the options is a very long job, I better stop here. You have now all the tools for starting with the most basic of skills required, the “system administration” (or at least a basic version).

Wow, that looks like an awesome tutorial. You seem like you are getting really serious about this and I’m loving it!

Personally, I have been using Kubuntu for years, but I haven’t become a real hacker regardless, because I mostly use web apps for everything. During the last months I’ve learned a bit more, because I had to set up some virtual private servers remotely. I’m also currently writing a blog post about how I moved my radivis.com blog to a VPS.

What Linux distribution are you currently using, Maximo? And why haven’t you listed ordinary Ubuntu as option? Anyway, I know that Mint is also a good option. I have used Linux Mint during an internship in a web programming company. Lubuntu and Kali seem to be rather esoteric suggestions. I don’t think these distributions are really popular. Kali seems to be a Linux distribution that has been made by hackers for hackers!

Some people might suggest Debian (version 8 has been released quite recently) or Arch Linux (seems to be popular among some programmers).

Thanks.
I am serious on this for many reasons, obviously for security but now seems like a hobby. It might take me a couple years of practice to make it a true job alternative but I guess my improving in system administration and web design would help me in the short term.

You have an edge with your blog experience. I still need to mount a real web to take care and practice, thus far virtual servers are my only experiences. So, if you ever consider take the risk of inviting some rookie sysadmin into home server, go ahead and give me a tour, could be fun.

Currently i am on Lubuntu, is pretty lightweight and suits on my ram consumption, thus is why I recommend it. Pretty austere too but I like it. Here is my wallpaper btw:

“Main” Ubuntu has deviate from mainstream a bit too much, their experiment is not yet clear or likeable, and is adware, and that is the reason i like to ignore it. Kali Linux, well, is “for hackers by hackers”, but someone who is more advanced than me would demand me to put it on the list. Debian is relegated, it offers thinks that other distributions forked and made it better, not even the base installation is exemplary.

Now, Arch Linux is a beast of its own, and I was about to mention it. I leave it for another week, I have special plans for working with Arch, and its feature of “lecturing installation” is one reason why.

Again, all this experience requires time from me, and I am very loaded of work but my commitment remains.

Blogging indeed helped me to express myself more clearly in the English language, which is always a challenging task for non-native English speakers. Also, using popular shared hosting providers is a rather soft introduction to system administration. With shared hosts you have to use FTP and set up a database, and of course use the WordPress administration panel, or the administration panels of the host itself. Now with a virtual servers you need to use SSH and SFTP to communicate with the server and install all the software you need on it – without the guarantee that it will actually work.

Anyway, here’s the blog post I was talking about: How I migrated my WordPress blog to Digital Ocean in about 6 steps. I hope it can be a useful resource for you and others. Digital Ocean is a really good place for experimenting with virtual servers. They charge per used hour, so you can basically start with 1 hour of low end VPS time for about $0.007 which is close to nothing. And please use my referral code if you do. I’ve used the referral code from a prominent Zero State member, so it all stays “in the family” ^^

As to the tour for rookie sysadmins: I would be glad to do that soon, but I think I need to prepare myself a little bit better before I do that. Otherwise I would probably look like a rookie, too, which unfortunately I still am to a large degree.

I love your wallpaper! The Lovecraft quote is awesome and the use of complementary colours is brilliant!

Yeah, I hope the Fractal Future Network can attract more serious “hackers”. It would be awesome to learn from them

Cool, I’m looking forward to it

Yeah, I’m actually very positively surprised that you find the time and energy for learning all of this and also for presenting your findings on the forum, too! Your engagement is very much appreciated!

Here again after another week of hard work.

Hopefully after installing Linux on the machine you like the process, because you will do a lot of this. An important task is installing a lot of things and become proficient with it. And we need practice. I’ve found that my lack of knowledge on system administration came from having a fully graphical Linux, but my skill was improved by installing a virtual machine with a Linux server and operating everything from the command line.

As a hands on in our distribution we need to install Virtualbox. Probably you have chosen a distribution based on Debian, one of the *ubuntu’s, here is a quick guide to install virtualbox in it:

Then you need an operative system, and Ubuntu server is the easiest as it can get. You probably should download the one that says 14.04 LTS (Long Term Support), if you have a machine of 64 bits of course. Remember that if you have a machine of 64 bits you can use anything that comes from either 64 or 32 bits, but if you have a 32 bit machine you can’t use anything of 64 bits. If you have a 32 bit machine, you better look for a 32 version server:

Now we are closing to the fun part. Be ready to set up your virtualbox to install the server, follow these steps until the boot up of the machine:

After that, go to Settings >> Network >> Attached to and choose Bridged Adapter

When you boot your server for the first time, you need to follow really easy steps:

But when you come to this screen:

Press space over “OpenSSH Server” and “LAMP Server” and then press enter, as these will give you an edge later. If you do this, you will be required to insert a “root password” for MysSQL WHICH IS NOT the same root as the server but for the database. The two are different and if you use two different passwords you get two different passwords.

If you dare to not listening me (how dare you!), here is a quick guide on installing the AMP stack (Apache, MySQL, PHP, yada yada):
https://help.ubuntu.com/community/ApacheMySQLPHP

You then enter the name of the user and the password (you better remember those!).

As the final step for now, you must login to your server on the virtual machine via the terminal on your real machine. First run in the virtual machine:

ifconfig

then look at the second line where it says inet addr, there is a number there, copy that number

Now, without closing the virtual machine (the guest) login from you real machine (the host) open a terminal (you should know what is by now, don’t be lazy, look at the links from a week ago) and follow these steps:

Ok, you ask what is this for? Well, I needed a profound knowledge of the system and a way to play with remote servers, moreover, to become familiar with the “filesystem”. You too need to learn how to move on this environment from the command line:

Know that I did all these steps only recently, and I am still learning. What are the next steps for me in future? I don’t know much, but have some clear goals to get, and my database of knowledge links indeed helps me a lot.

I will probably keep doing some installations of servers because I need to understand the filesystem, but also might start learning more on web development because it seems like a quick second job on my country (still, it requires months to be learnt).

This time lets something different, lets try web development.

It seems that this field very broad, one need to know first how the web works. This is what I mean: https://coggle.it/diagram/52e97f8c5a143de239005d1b/56212c4e4c505e0045c0d3bda59b77e5977c2c9bd40f3fd0b451bdcf8da4aa52

First, we need to know what is back-end development and front-end development. Obviously the first thing people learn is HTML and CSS, but that is front-end, which is the part of viewing the website in our browser, and being back-end the part of the server we almost cover that in the last week, but just almost. The back-end, also called “server side”, is often composed of a database which is the MySQL, and being that one of the complex issues, we leave the entire back-end to another time.

To get an idea of where to go, here is an brief introduction of the field:

So, where to start? With HTML of course. The concept of tags, knowing than we need to close tags (almost always), and knowing to differentiate the “head” from the “body” would help you. The best and most common place to go for learning HTML is W3Schools, and this particular link is the most recommended for people starting in the field, not just for HTML:

Of course, there are other places like:
http://learn.shayhowe.com/html-css/

and:
https://en.wikibooks.org/wiki/HyperText_Markup_Language

For CSS we have Mozzilla’s page:

and another wikibook:
https://en.wikibooks.org/wiki/Cascading_Style_Sheets

In general, to guide us on what to do we have Mozzilla:

Is a pretty straightforward path, and this is almost all that is necessary to start.

At first, I was a bit confused about this post, because it felt a bit off-topic. Why suddenly web development? But it actually makes sense: Hackers use the internet, and the world wide web is a prominent part of the internet. It’s also a part of the internet that most often acts as primary gateway, and is thus often the primary target for hackers. If you want to hack something, you better know how it actually works.

The front-end of web development is of course only the surface of what’s going on, but it’s a good idea to start learning there, because the basic principles of the front-end are relatively easy. HTML is much easier than a real programming language.

Much of the topics here covered enter in the realm of information security, and by that I almost forgot than the hacker’s first entry is HTML, scripting and such.

Is only logical to dedicate a few entries to understanding a bit about the web because is the gateway for the hackers. Is not my favourite area thou, because I am more into this for the “server” side security, but I guess this can be useful for many other purposes.

Thus far we only dedicated to mention the areas to investigate for diving into the shallow waters of computers, not in any deep waters so far. It will stay this way because this could get complex, and probably the next week is going to be a final view and from that on there is going to be a change.

The part I’ve started these days is from programming. What is this about? Is it related to hacking? Of course it is. Aside from scripting (which would be the next week), is one of the things that power the hacker. It is a difficult subject and despite having many references it is difficult to grasp.

Any malware comes from someone writing that software for malicious purposes. And if we get serious, one area in charge of stopping malware is called reverse engineering, where to take a virus for example and putting it on some software to see how it was built, and how to stop it.

I clarify that this is the edge of my knowledge, and being a difficult subject, I can only provide subjects to focus on to develop further. But then again, all previous subjects were the same.

First things first, as this field is very broad. we need to see what path to take by answering the most common question: “which language should I learn?”

To be honest, I would advice to the total rookie to briefly “play” with Scratch just to understand base terminology and some common stuff ( Programming with Scratch | Linux Journal). But this requires a lot of terminology that Scratch is short to provide. So is probably better to understand the areas in which the programming language operate:
How to Pick a Language

And here:

In the case you are curious, here is an interesting roadmap to help you decide:
http://choosing-a-language.techboss.co/

After you decide on which programming language to use, you need a place to look for lessons. And you are lucky because there are a lot of places to look for:

From Nand to Tetris / Part I

Learn to Program: The Fundamentals

Introduction to Computer Programming, Part 1

And those are just a reference on coursera and edx, which is by no means the only ones in there.

After that, do not stop there. I am currently engaging in a couple of exercises to put hands on, because (it seems) one can’t learn programming just by looking videos. Where to look for good exercises?

Project Euler is a place of a series of mathematical challenges that require programming for solving the exercises:

And another source to learn is reading a lot of source code. One that is particularly interesting to read are simple programs named “keyloggers”. Apparently these are good to understanding not only input/output operations but also to understand some operating system functions. Here is an example:

And we are done. This is as far as I’ve been. Not done much programming, but from the next week I will start trying some exercises and to read some keyloggers. It will be fun.

I can say that Project Euler is definitely a good place to start learning new programming languages. There’s a huge problem about Project Euler though: The exercises are becoming crazily difficult after the initial stages. At the higher stages it becomes more an issue of solving mathematical problems than actual programming practice.

Welcome to the beginning of the end. Actually is only the beginning, but lets explain that later.

In this week we will focus on developing skills that will make us something more than a rookie, the passage to being the ones that answer questions in the forums instead of asking the questions, which comes only by a profound understanding of what we operate in an “Operative System”. And here is where Arch Linux comes into action.

Being the beast that it is, Arch Linux comes as a bare bones linux but what makes it powerful is the way it provides and encourage total user control over it. Of course first is not easy, but the need to understand everything that happens inside linux, and the need of understanding how to install and what to install, is particularly lecturing.

I found it very intriguing all the talk on Arch over the internet, and much of how to approach the forums as also other useful non-installation hints are covered here:

One needs to understand the principles on which Arch is based first, as to avoid a harsh welcome with the command prompt without understanding why is all made this way. So first, it is important to read “The Arch Way” carefully:
https://wiki.archlinux.org/index.php/The_Arch_Way

Then we should read the FAQ:
https://wiki.archlinux.org/index.php/FAQ
and this
https://wiki.archlinux.org/index.php/Arch_Linux

Before any installation, is good to know what a partition is and how to do them:

and this other reference:
https://help.ubuntu.com/community/PartitioningSchemes

The best and quickest way to do a partition is with GParted Live, which is a live distribution that boot from a cd, usb or an iso in virtualbox:
http://gparted.org/download.php

Of course the main source of information over anything Arch is the wiki, but we can use this other installation guide, up until the part of the drivers:

One quick installation guide from the Arch wiki is:
https://wiki.archlinux.org/index.php/Installation_guide

And here we have the “Beginners’ guide”:
https://wiki.archlinux.org/index.php/Beginners’_guide

Why I mention the drivers? Because if we install Arch inside VirtualBox we need to follow other steps for the part of the drivers:
https://wiki.archlinux.org/index.php/VirtualBox#Installation_steps_for_Arch_Linux_guests

Some problems I’ve encountered thus far is that with a different configuration of network access from inside virtualbox makes it difficult to download packages from internet. Not being able to solve it all, a temporary solution was to input:
dhcpcd

Other problems may come with that, but for installing Alsa this one helped:
https://bbs.archlinux.org/viewtopic.php?id=166363

Beyond a basic installation we are offered the “general recommendations” for further advance:
https://wiki.archlinux.org/index.php/General_recommendations

And a list of applications to install after the base install:
https://wiki.archlinux.org/index.php/list_of_applications

Will this be the end? No, it is only the beginning. Our aim in installing Arch is to meet all configuration files, how they interact in the environment, how to tweak and reconfigure. The goal of installing Arch is to know what’s inside our computer, and how it moves.

When first started these publications I mentioned how time and dedication was necessary, and this is all necessary within Arch. Because while Arch might be a rolling release, meaning that we always have the latest from the latest without reinstalling anything, my personal goal is to install it a couple of times. This way I can remember what needs to be done from the ground up.

And that is perhaps my last publication, at least until new notice. All the skills mentioned require time and practice, and they are sometimes repetitive tasks, but important to practice. One needs to give time to re-learning and practice in way to get the most out of a skill. I encourage anyone who follows these guides to do all the mentioned steps across these publications once and again, in this way we grasp more understanding and we really go from easy things to a more advanced understanding.

And as tweaking is synonym for the original concept of “hacking”, this is indeed only the beginning. Practice will make us masters.

I just had the idea that your guides would be quite nice as WordPress posts on the Fractal Future Blog. If you are interested in publishing them that way, whether as blog post series, or as single blog post, please register on the blog and go ahead copying and perhaps editing your guides. That would be quite appreciated.

I also wanted to ask you why you’ve chosen to focus on Arch Linux in your guides. Is it for didactic purposes, meaning that it’s the best to learn how Linux really works by using Arch Linux? Or do you need Arch for specific purposes, for example some very specific configuration?

Perhaps in the future, I certainly have a lot of work before getting a blog.

I’ve chosen Arch Linux because makes necessary getting involved with the hidden parts of Linux. This Linux is very didactic, but certainly could fit specific purposes, as the wiki says it can fit the personal preferences someone could look for. I am not proficient enough to use it at is fullest myself, but I would like to. Perhaps with practice I could make most of it, but I am just starting.

There are other Linux distributions that go deeper, but I won’t risk to try them yet. Things like Slackware, or the monstrous LFS (which is not even a distribution, but guides on how to compile Linux from source). I decided for Arch Linux first because I saw information that lead me to think this can be easier to grasp if done correctly, with the proper information at hand.

The Fractal Future Blog is just a community blog for the Fractal Future Network. The articles there don’t have to be super professional, but if they are interesting, that’s enough. You also need to consider that there are two types of blogs:

1. Blogs by experts on a topic. Experts write with authority and deep knowledge about certain topics.
2. Blogs by people who are on a journey. Whether that’s actual travel between countries, or exploring certain topics as learner. This is where your guides would fit into. You just report about your journey to become a hacker. There are certainly many people who would like to read about it. Especially if you come with the angle that the future is maybe becoming increasingly insecure and especially futurists should be able to protect themselves against cyber-attacks.

Your choice of Arch Linux sounds quite plausible. There may still be many people who ask about the necessity to learn Arch Linux. After all, they might argue that any Linux distribution is relatively secure and that you can do most things with most distributions.

At the moment it’s not clear to me how deep you want to go and what you want to be able to do finally. Do you have some kind of core mission or core goal?

There are some articles for Transpolitica that I need to attend, and with the passage of time it seems crucial to spent time and effort. That alone takes a lot of time, and it is by no means the only thing.

I am particularly bad at math and my college depends on me practising, so guess on what I will spent any spare time I could have.

But as stated, Arch Linux offers a unique blend of active involvement that seems ideal to understand some stuff beneath the normal use. With that said, is only what appears to me, and I am not an expert, there can be other distributions with better educational resources (Kali Linux?).

I just thought about your comments. Am I missing something? You seem to have an idea “at the tip of your tongue” so to speak.

If you indeed have an idea or an observation please don’t hesitate on telling it, there is
still a lot I don’t know and my informal training is by no means perfect, so you could easily show me things I don’t realize.