Thursday, May 19, 2016

A Hacker's Digest about Criticizing, Condemning and Complaining

For the next few professional development related posts, I am going to be giving my commentary on Dale Carnegie's book, How to Win Friends & Influence People.

In my mind, this book is a must read for every human being because no matter what job you're doing or with whom you're working, you will have to deal with another human being. This book describes many different ways about how to work with, deal with, and even succeed with people (see here), and I am going to give you my digest of the first chapter and the first chapter's principle: "Don't criticize, condemn, or complain."

So what does that principle mean in the real world? Essentially, it means learn to keep your mouth shut about other PEOPLE. I emphasize the world people because you can still completely disagree, reject, or criticize an idea without criticizing or condemning the person who proposed the idea. That is a skill that takes many, many years to learn and master but it's the difference between a good and great employee or a highly technical employee and the Technical Director of a company. So what does criticizing a person look like? "You're late", "You missed another meeting", "How could you say something like that?", "Who do you think you are?" and so on. Criticism of a person really comes down to making them the subject of the criticism rather than the direct or indirect object of the criticism. For example, what's the difference between, "You missed another meeting" and "Meetings in the future will benefit from your attendance." A couple things are different: one, the subject changed from 'you' to 'the meeting', two, the tone of the sentence switched from negative to positive. Instead of talking about a person's faults, why don't you recognize the improvement and positive impact that person could have on the meeting when they attend. This will make them feel welcomed and like they belong at that meeting; ultimately, people just want to belong.

I am grouping criticism and condemnation into the same group because I believe that condemnation is qualitatively the same as criticism and you can use whatever scaling factor or words to make their definitions equal. However, complaining can be very different. First off, no one likes people who complain constantly about their life, their kids, their spouse, their job, their knees, etc. however, complaining can be very cathartic for those who have the aforementioned afflictions and tend to process their emotional, mental, and physical pain verbally, thus, we have complainers. I don't believe complaining will get you anywhere professionally, especially in the hacking community, because our merit and community worth is rooted our desire to learn, struggle, and conquer challenging tasks, technologies, and processes in order to more completely understand the way somethings works and exploit it's design for our own use. So, how do we combat complaining especially when "my boss sucks", "I can't get a job", or "I'm not about that corporate life, man." The answer is hack yourself.

Yes, hack yourself. Find out how you work. Find out what makes you tick, get up in the morning, why you don't like certain foods, why you prefer the weather or climate that you do, why you're reading this blog, why you're living where you are, why you're with whomever you're with (friends, spouses, girlfriends/boyfriends). Fair warning: This takes work. This takes dedication and work. The results are all on you and how much you truly, truly want to know who you are. This is the only time you should run an Nmap scan with every option set so you can learn the most about the human box you're going to hack. Once you know yourself and know exactly how you work then, you can exploit buffer overflows in your psyche and take advantage of who you are rather than excusing who you are. For example, if you're a night owl, then do your best work at night when your mind is the most sharp. If you don't like the way you feel after eating take out chinese food, then stand up for yourself and suggest an alternative when your office or group of friends decides to go there. If you really feel energized by taking a bath after dinner, then plan to take a bath after dinner so you can be the optimal you that day.

Once you figure out how everything affects you, you can minimize the complaining in your life and start looking for exploits in yourself and your environment to improve yourself.

Work on recognizing when you criticize others, when others criticize others, and when others criticize you. Once you notice it, make a choice to not criticize or condemn others and include them in your professional life. You never know when someone might surprise you, and supporting them when they need it most will help everyone involved.

Saturday, May 7, 2016

Password Cracking: Hashcat

For hackers and security analysts that crack passwords, make sure you learn to use hashcat too! I normally use JTR (John the Ripper aka John) but, a friend of mine pointed out that hashcat is also a very viable tool. He insists that it's better than john but, I have not tested them nor am I saying one is better than the other. They are both password cracking tools and any great hacker/security analyst should be able to use either proficiently.

To get a basic understanding of how hashcat works, check out these posts*:
Now, for both my and my readers' benefit, I am going to walk through using this tool to crack passwords.

First, I am going to create a new user so I can crack the password. 

Now, I am going to follow the instructions of the previous articles to crack this password (it's fairly simple to start ;) )

I put my hashcat1 user line from /etc/shadow into the hash.lst file. I checked the hash function and it is SHA512.

Now, I will run the same commands to crack this password.

It worked in THREE seconds. Now, to be fair, it was a dictionary word and I used the rockyou dictionary to crack it. Let's make it a little more difficult for hashcat. I created a password that uses uppercase and lowercase. Let's see how hashcat does.

Hashcat allows for 'masks' which allow you to specify which types of characters will be where in the password. As we can see, I have an upper case letter, followed by 4 lower case letters, an upper case letter, followed by 5 lower case letters. Two words, put together, first letter capitalized. These masks allow for very specific guessing of passwords and drastically reduces the keyspace that hashcat needs to guess. For example, if you knew that I only used upper and lower case and that it was 11 characters long, the keyspace is 52^11 ~ 7.5*10^18. By specifying a mask, we reduce the keyspace to 26^11 ~ 3.6*10^15. The keyspace becomes approximately 2000 times smaller. So if we go by hashcat's output, 10 years would become 20,000 years. This is a great example at how computationally expensive cracking passwords can get just by adding one more letter or one more set of characters (numbers, upper case, lower case, special).

Hashcat allows for masks, dictionary files, combinations of dictionary words from files, permutations of words from a dictionary, hybrid attacks, table-lookups, and rule-based attacks. I recommend looking at hashcat's wiki to understand the more complex attacks but they can get pretty specific and the more you know about the potential password, the easier it will be to crack.  

Lastly, if anyone is looking for unsolicited advice, I always recommend using a passphrase rather than a password. 'ILoveMyCatSoMuch!0906' which could be a true statement (easy to remember), punctuation that emphasizes your true statement, and your cat's birthday (in this case) makes a very secure password that incorporates all four categories of characters, 21 character length, and it's easy to remember because it's a true statement about yourself. Now, like everything else, this is exploitable. Specifically, this is subject to Social Engineering. This password could be guessed however, the attacker would have to know you love your cat, know which letters you capitalized, which order each word goes in, and which order the sentence, punctuation, and birthday go in (for example, !0906ILoveMyCatALot, MyCatFluffyWasBorn0906, 123MyCatIsSoAwesome?!?! are all great passwords that revolve around an important part of your life.

There is no silver bullet to password cracking but hashcat is a very powerful password cracking tool and I'm very happy I decided to add it to my arsenal of hacking tools. Look it up, learn it, be great!

*These posts are not in any particular order, I am not receiving any compensation from anyone to post these sites, and these sites do not necessarily reflect my opinion, my employer's opinion, nor any certification bodies' opinions of which I hold one or more of their certificates. 

Friday, May 6, 2016

Professional Development Methodology

Most hackers/security analysts have been exposed to the 'Hacking Methodology.' In general, it is as follows:
  1. Perform Recon
    1. Passive
    2. Active
  2. Enumeration
  3. Exploitation
  4. Privilege Escalation
  5. Exfiltration
  6. Persistence
You can argue semantics all you like but, skilled hackers/penetration testers/security analysts will follow these steps and the more determined the attacker is...the more time they will spend in recon and enumeration. This is where most of hacking is done and to create an analogy to professional development, it is where you should spend most of your time hacking (read developing) yourself. In addition, your professional development results are directly correlated to how much time and effort you put into yourself; just like spending time researching your target before you exploit.

So, you're here, reading this post. What is it that you want to improve? Where do you envision yourself in 1, 5, 10 years? How do you do that? Recon!

Passive recon for professional development, especially when it comes to the computer security industry, is very useful. Reading blogs, reading books, listening to podcasts, and learn about the industry. Who are the big names? Why are they the big names? what are the basics of the industry? This extends outside of hacking or computer security! If you want to be a musician, you start learning how to read music. If you want to be a doctor, you start learning biology.

Active recon for professional development would be more participatory. So, in the computer security industry, it would be participating in CTFs, it would be downloading metasploitable and running some exploits. You are still honing your skills and solidifying your baseline understanding. Extending this to other industries and professional development in general it becomes the Nike slogan: Just do it. If you want to be an artist, just paint. If you want to break into the finance industry, start by budgeting your own finances.

Active and passive recon will be a permanent part of hacking and professional development and no matter what, you should always spend SOME time in this area so you can continue to learn and improve upon new skills.

Enumeration, in terms of professional development, will be listing out what you want to/need to work on in order to become a professional, IN YOUR TERMS. That's the most important part. What do YOU believe, based on your passive and active recon, that you need to accomplish to push yourself forward. Only you can make you a professional and only you can push yourself to accomplish what you want and only you know where you stand on any individual skill. So enumerate them and then perform more passive and active recon if necessary.

Now, it's time for everyone's favorite part of the hacking methodology: Exploitation. What is exploitation when it comes to professional development?? It's your first shot. Your big break. Your first painting sold. Your first taxes filed as a CPA. Your first patient as a doctor. Your first computer exploited with MS08-067 (if you don't know which exploit that is, add it to your passive and active recon). This is a very important step and also where a lot of people fail. Lots of people can't take rejection of their ideas, business plans, or pieces of art. You MUST be able to take this rejection. Something that helped me deal with rejection is understanding that I am as much of the product as what I do, which includes this blog! I am confident in my knowledge and what I've learned and I believe it is worthwhile to spread my knowledge. My first post on this blog got 10 views. Only 10, but, there were people from three different countries that viewed it! I choose to focus on those individuals across the world that may or may not have been influenced by my first post rather than the fact that only 10 people saw it. Your rejections makes excellent stepping stones to your ultimate success.

Lastly, privilege escalation, exfiltration, and persistence can all be combined, when it comes to professional development, as professional maintenance. You are the best you in the world. So be the best you and continue to be the best you the world has ever seen. Continue to do recon, continue to actively enumerate future steps in your journey, continue to step outside of your comfort zone and show the world what you can do. Every failure is something to learn from and every success is something to celebrate but, you are never done. Use the Navy SEAL 40% rule: when you think you're done, you're only 40% done.

So all you hackers out there that want to become more professional or develop yourselves, keep this analogy in mind and as Offensive Security says about their OSCP certification, Try Harder.

Tuesday, May 3, 2016


As an aspiring security expert, there are many blogs, podcasts, articles, and tutorials for learning anything and everything from a technical perspective on security.

There are also many professional development resources that might be ignored by the security community or simply not relevant to our field.

I am going to combine our desire for highly technical learning and help us conquer one of our biggest problems: professional development. In my experience this is also phrased as, "helping management understand", "convincing C-level execs to spend money on security", "Ugh, my boss is such an idiot he doesn't understand how security works."

So for my first post, I'm going to give you three professional development tips and three technical bits of information.

Professional Development:
  1. 95% of the time it's better to hold your tongue and say nothing. The other 5% of the time it's best to hold your tongue, sleep on your response, and form your response in a constructive, supportive, problem-solving manner. If you want to convince managers to like you, support you, and provide you with what you need then you need to help them to help you. You don't have to be best friends with your management but, having a positive working relationship will make every one's life easier.
  2. Invest in yourself. Whether this means training on a new technology, a vacation to reduce stress, or going back to school to advance your current skills and/or gain new ones. Most companies offer opportunities to do this. Go for it! Take advantage of these opportunities to become the best incident handler, technical manager, penetration tester, security engineer, etc that your company has. Professional development is not all about improving your soft skills.
  3. I know I just said it's not all about improving your soft skills but, it is ALWAYS beneficial to work on your soft skills. Always. Better writing, better speaking, better conflict resolution, better change management, etc. Any highly respected individual has a great aptitude in these areas and knows how to use them to solve problems. Business is all about solving problems and if you can't communicate your solutions, no matter how great they are, they will never be implemented. 
Technical Bits:
  1. If you're sick of seeing tons of errors while typing commands on the linux command line redirect STDERR to a file or my favorite, /dev/null. So after you type your command: ping -c 3 777.777.777.777, append 2> /dev/null if you never want to see or recover your errors. Otherwise, write 2>error.txt. It will look like this: ping -c 3 777.777.777.777 2>/dev/null or ping -c 3 777.777.777.777 2>errors.txt. If you chose to redirect STDERR to errors.txt, you can cat errors.txt and you will see the following error message, ping: unknown host 777.777.777.777. I often use this to eliminate errors while I am grep-ing for a file in a file system so I only see my findings and not all the errors about directories I cannot access. 
  2. In my opinion, there is one best way of listing files in a directory on linux: ls -halt <directory> (If no directory is specified then it will list the current directory you are in. If you don't know where you are run pwd). Each of these flags has an important use but it's also very easy to remember 'halt'. -h renders the sizes of the files in a human readable format, such as 23KB or 4GB instead of 2342523 Bytes. -a lists all the files including the current directory . and the next level up directory .. (you can use -A to not show those but I never remember that when i'm actually running the command). -l prints the results in the 'long listing' format. The difference is quite dramatic so I recommend the reader run both ls -hat and ls -halt to see the differences but in short, one shows you all the files and one shows you all the files with all of their metadata. Lastly, the -t command orders the files by modification time with newest first. This can be really helpful from an incident handling perspective to see which files have been modified recently by malware, a malicious user, or a guilty employee trying to cover their tracks. 
  3. The most simple way to make a backdoor in any system is using netcat! This tool is invaluable for security experts and whether you believe you know it well or not, go read about it again. In fact, I am as soon as I finish writing this post. nc -nvlp <port> . That is how you make a backdoor in any system. -n removes dns lookups so you just need the ip address to reconnect. -v is verbose, depending on the security posture and what your intentions are for setting up the back door use this flag to fit your needs. -l is to listen (which is why you don't specificy an IP address in this command). -p is for the port. Now, the downside is that anyone who finds this port can simply connect and will have a shell as whatever user ran the 'nc' command. On the upside, this tool is very versatile and you will use it for the rest of your security career so you might as well get really, really comfortable with it. 
I hope you guys enjoyed my first post, I will be making them as often as I can and feel free to reach out to me with suggestions or comments on my blog. I make no guarantees to anything but, I consider myself a reasonable person. I also should mention that my thoughts, comments, opinions are my own and do not represent any companies I work for, associate with, or are certified by. We are starting a new era of highly professional, highly technical security experts.