Anyone in InfoSec gets asked these questions all the time: “How do I become a hacker?” and “Where do I start?” I’ve been getting them an abnormal amount as of late, so I figured I would put up a post to save some time.
Simply put, the only thing you need in order to become a hacker is time, patience, and a willingness to learn. I’m a firm believer that some people are just naturally born to be hackers as they have a thirst for knowledge, continually push the envelope, and constantly ask themselves “I wonder what would happen if I were to do this…”.
What is a hacker?
There are millions of definitions and viewpoints on the topic, but I feel that it can be summed up in one sentence. Hackers have a passion for technological security and act on it by attempting to find vulnerabilities and exploit them, thus causing an asset to behave in a way in which it was not intended to. It’s certainly more of a mind-set than an actual title, as there isn’t just one thing you can do to make yourself a hacker. For instance, slapping a stick on ice does not necessarily make you a hockey player. Participating in games, practicing, studying, and having a general passion for hockey is what makes you a hockey player.
Where to start
Join like-minded people
- Look around for security-focused groups in your area. You can find tons of information and job opportunities through networking and just hanging out with people. A good example of one in my area is RichSec. It’s informal, has super nice people, and the fact that you get to drink beer while you do it doesn’t hurt either.
- Go to every security-related conference that you can. You’ll get to be fully immersed in the security realm and meet some really great people. Can’t recommend this enough!
- There are a plethora of forums and online groups to join, so that’s always an option too.
Basic computer/networking skills and security concepts
- Build a computer, break it, fix it, break it again, rinse, and repeat
- Use different operating systems to understand how they work
- Understand various protocols and how they work, OSI model, how devices communicate with each other, etc.
- Set up some VMs so you can host your own lab and explore different configurations and vulnerabilities
- Familiarize yourself with various established security standards and concepts such as PKI, SSL, IDS, Firewalls, WPA2, etc.
This is where I hear a lot of misinformation. You DO NOT have to be a programmer in order to be a successful hacker. It goes without saying that the more you know about technology, the better the hacker you can be, but programming is not a requirement; it’s merely a suggestion. Start off with some minor scripting and work your way up, pushing the boundaries of your comfort level. You don’t have to program, but you should WANT to just for the sake of knowledge. I would suggest starting out with Python and working your way to other languages such as Java, C, etc.
Aspiring Hacker Series
Black Hat Python Programming
Gray Hat Python
Keep up with recent news
You should be naturally keeping up with security news and recent trends. I won’t belabor this with a list of links, as you have Google. But I will list one, and that is HackerOne’s list of recent hacker activity. This is a good place to see examples of recent exploits posted and disclosed on their website.
It’s great to read and study, but if you really want to take it to the next level then you’ll have to actually practice. If you see a great article on a security topic that interests you, go out and recreate it and actually perform the exploit. Create your own hacking lab through virtualization or hardware if you have the resources. Enter into various capture the flag (CTF) events to get exposed to even further scenarios. Join a bug bounty program so that you can get live experience against a real organization and maybe even make a little money along the way. No one started out great; we all had to work towards it, so don’t worry about being embarrassed or not knowing something. Most of the hackers I’ve talked to are more than willing to help you any way they can and not talk down to you. Naturally there are bad apples in every bunch, but you don’t want to be their friend or take habits from them anyway. :)
You should strive for a degree in a field related to the one in which you hope to be employed; we’ve all seen exceptions, but it certainly doesn’t hurt. There are numerous training courses and certifications that you can obtain, and you should explore them on your own to see what your take on them is. To get you started, here are a few: Security+, CISSP, SANS certs, OSCP, etc. I don’t want to get into the whole certification debate, but I will say that in my opinion there are two types of certifications: the ones that land you a job and the ones that actually teach you something. I’ll let you be the judge of which certifications are which and how you should go about applying that to your career path.
This is in no way an exhaustive list of resources, as that’s what you should be researching on your own; this is just to get you started.
- OWASP Top Ten Project
- The Web Application Hacker’s Handbook
- Metasploit Unleashed
- Hacker Playbook
- Penetration Testing Introduction
- Red Team Field Manual
- Practical Malware Analysis
- The Shellcoder’s Handbook
- Fuzzy Security
- Corelan Team
- Metasploit: The Penetration Tester’s Guide
- The Basics of Hacking and Penetration Testing
All in all, I don’t think anyone can explicitly give you instructions on how to be a hacker, but we can provide blueprints. My aim is to encourage you to go out there and learn as much as you possibly can and contribute to the community. From talking with hackers, everyone seems to have their own journey, and I don’t know how to say this any other way, but things just work out the way they work out. There is no right or wrong way, but as long as you are learning something then I would lump it up to a success. Go out there and be bold, learn as much as you can, connect with as many people as you can, and hack everything you get your hands on; the rest will come out in the wash.