This isn't going to be a comprehensive guide on "how to hack" because, frankly, I don't know enough to be able to teach everything. Everything is *a lot* of things. I can, however, tell you what it is and what it isn't, and show you where you can start.
# What it is, and isn't
Hacking - usually called penetration testing or "pentesting" - is often thought of as, basically, this guy:

I'd love to tell you that this is something Hollywood decided hackers looked like back in the '80s but it's not that far from the truth in some respects.
Hacking culture started in the '70s with what we now call [phone phreaking](https://www.youtube.com/watch?v=wVyu7NB7W6Y) and [John "Captain Crunch" Draper](https://en.wikipedia.org/wiki/John_Draper). The term has expanded considerably since then to include everything from car hacking to lockpicking to social engineering. Hacking really just means making something do what it wasn't originally designed to do.
So, Hollywood aside, what can you *actually* do with hacking? What does it really look like?
# Learning the technical stuff
In order to make something do what it wasn't designed to do, you first need to learn how it works. You have to fully understand what you're about to break so that you can break it in just the right way to do what you want.
A blacksmith, for example, needs to learn how metal works. Not just the different kinds of metals, but also the ratios involved with different types of steel and how those work when put to heat or after quenching. They need to know exactly how the metal is going to behave when they work it, what the grain structure will look like when it's cooled, and what kind of cooling and treatment the metal will need after shaping in order to get the desired result.
Much like any trade that creates things, hacking requires an intimate understanding of the thing you're working with (and lots of practice) in order to be successful. The wood didn't fall off the tree into a pile of two-by-fours in exactly the right length for your house frame. Similarly, the Flipper sitting in someone's hand didn't magic anything from thin air in order to open your garage door or [change the numbers on the gas station sign](https://www.youtube.com/watch?v=wtHr7x_wT40).

Hacking seems a lot like magic when you don't have an understanding of the principles behind what you're seeing.
> [!quote]
> "Any sufficiently advanced technology is indistinguishable from magic."
> \- Arthur C. Clarke
What all this means is that hacking is bound by the same principles as any other thing in this universe. It *isn't* magic. It's *understanding something well enough to be able to do something cool with it*. You can hack anything if you have a good enough grasp of how it works. There are no wizards, just people curious about what makes things tick.
# Getting started
This is often the question people start with: "How do I hack X?"
The answer, ultimately, lies in **learning the technical stuff**. But, while true, it's not a satisfying answer. That road requires watching hundreds of hours of YouTube, reading many books, and developing a deep understanding of the technology you want to change over the course of years.
So, in the interest of saving you some time, I'll boil down the most-asked question here. I'll be making the assumption that you would like to "hack Google" or "hack Twitter" or Discord or whatever platform is current today. Usually, this is with the intent of stalking someone (no matter how you justify it, it's still stalking) but for the sake of argument we'll provide the following scenario:
Your friend has asked you to try to hack their account to see if it's secure. You're the "bad guy" in this instance, trying to gain access to any - or all - of their online accounts.
## Step 0: Understanding your limits
We're back at "understanding things" already, but this is important. You must know **your own limitations**, as well as **limitations imposed by the universe** (those pesky laws of physics), **limitations in law** (hacking is usually illegal just about everywhere), and **limitations imposed by companies such as Google and your local internet provider**.
The laws of physics and nature, I hope, should be obvious. If you have a way around them then you're already a hacker and you've also got a Nobel prize waiting for you.
Human laws are a little more subtle, but they can become very real very quickly. Just ask [Kevin Mitnick](https://en.wikipedia.org/wiki/Kevin_Mitnick). While I am not a lawyer and you should absolutely look at any laws you may possibly be about to break, here's my understanding of US laws around this kind of subject:
- Hacking is [pretty much universally illegal](https://www.justice.gov/jm/jm-9-48000-computer-fraud), except for the following:
  - When you own the network that people connect to, you are free to change the network in any way you see fit
    - This does **not** cover trying to access the person's machine if they're on your network
  - If you can see it, you're free to look at it
    - But unless you own the network the machine is communicating on, you are **not** free to change it
    - You also can't connect to password-protected wifi without permission
  - If you have permission from the owner of the device, you can also do whatever, as long as it's covered in the **written** contract
This leaves some interesting holes where you can legally do things like [Evil Twin attacks](<https://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)>) or snoop on unencrypted traffic (or decrypt the traffic) in your local coffee shop as long as you don't change it. Unless you're the owner of the network, of course.
Again, remember, I'm not a lawyer. Don't go to jail for doing stupid things.
Finally, there are limits imposed by companies, e.g. Instagram/Facebook, your Internet Service Provider (ISP), etc. Almost always these limits are technical in nature. For example, Google definitely will *not* allow you to keep guessing someone's password on their platform. Not for long, anyway. There are many anti-bot measures such as CAPTCHAs and browser integrity checks to prevent automated software from using their login forms, and it'll definitely lock you out after a few wrong guesses and will probably alert the account owner.
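To show what that "lock you out after a few wrong guesses and alert the owner" behaviour looks like from the platform's side, here is an added example (not code from the original post or from any of the services named): a small monitor replayed over constructed login records. The five-failures-in-ten-minutes policy, the thirty-minute lock and the record format are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Assumed policy (not from the post): lock after 5 failures within 10 minutes,
# keep the lock for 30 minutes, and raise an alert both times it matters.
MAX_FAILURES, WINDOW, LOCKOUT = 5, timedelta(minutes=10), timedelta(minutes=30)

# Constructed sample records (not real data): timestamp account source result
SAMPLE_LOG = """\
2024-05-01T10:00:01 roy.williams@example.com 198.51.100.7 FAIL
2024-05-01T10:00:04 roy.williams@example.com 198.51.100.7 FAIL
2024-05-01T10:00:09 roy.williams@example.com 198.51.100.7 FAIL
2024-05-01T10:00:15 roy.williams@example.com 198.51.100.7 FAIL
2024-05-01T10:00:22 roy.williams@example.com 198.51.100.7 FAIL
2024-05-01T10:00:31 roy.williams@example.com 198.51.100.7 OK
2024-05-01T10:05:00 alice@example.com 203.0.113.9 FAIL
2024-05-01T10:05:30 alice@example.com 203.0.113.9 OK
"""
def parse(line):
    ts, account, src, result = line.split()
    return datetime.fromisoformat(ts), account, src, result

class LoginMonitor:
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure timestamps
        self.locked_until = {}              # account -> lockout expiry
        self.alerts = []                    # (ts, account, src, reason)

    def observe(self, ts, account, src, result):
        until = self.locked_until.get(account)
        if until and ts < until:
            # Even a correct password is refused while the lock is active.
            self.alerts.append((ts, account, src, "attempt during lockout"))
            return "LOCKED"
        if result == "OK":
            self.failures[account].clear()
            return "OK"
        recent = self.failures[account]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = ts + LOCKOUT
            self.alerts.append((ts, account, src, "locked after repeated failures"))
            recent.clear()
            return "LOCKED"
        return "FAIL"

def run(log_text):
    """Replay the records; return (decision per record, alerts raised)."""
    monitor = LoginMonitor()
    decisions = [monitor.observe(*parse(l)) for l in log_text.splitlines() if l.strip()]
    return decisions, monitor.alerts
```

Note that the sixth record, a correct password arriving while the lock is active, is still refused and produces a second alert, which is exactly why guessing against a live service stops working after a handful of attempts.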
Your ISP will likely be oblivious or turn a blind eye until someone like Facebook or Google tells the FBI about your activity, and then it becomes their problem. ISPs really don't like your problems being their problems, and they will absolutely terminate your account with them if the FBI comes asking about you.
So, know your limits. What can you safely get away with? If you don't know and still decide to go for it, this will very likely come back to haunt you in a really bad way. Some people get lucky and get away with it for a while, but luck will always run out eventually. You need skill, which comes from knowledge, if you want to do this kind of thing and stay in everyone's good books.
## Step 1: Know your target
> [!quote]
> "Give me six hours to chop down a tree and I will spend the first four sharpening the axe."
> \- Abraham Lincoln
This, once again, falls under the "hacking is understanding" category. Research is hard, but it's important.
Remember that, in this scenario, your friend has essentially asked you to try to hack them. Anything you can get. So, the first question you should be asking is: what *can* you get? What accounts do they even have? What services do they use? What do they log into? The internet is a big place, and you could spend your entire life trying every combination of username, email, and password on every website that exists and get nowhere.
Let's break this down step-by-step. What we need, first, is information about the target. We'll say that your friend's first and last name is Roy Williams, and that you know he's around 35 years old and that he lives somewhere in California. You also know that he has a dog named Spot, which may come in handy later.
Next, we need to be able to find any potential email accounts, Facebook profiles, etc. associated with the target. Knowing the name, age, and location will help us significantly here, since we can use the US's public records to our advantage. You can use any online "people search" website to find out more information on your friend, like exactly where he lives, his relatives, and maybe even some online accounts and phone numbers to start.
Most people don't know these services exist, and it's expensive and/or time-consuming to constantly remove yourself from them. All of these websites use the same sets of data, so it's mostly just a matter of which one you like the best. Google "people search" and find one you like. They'll all likely require a few dollars for the information, so get your credit card ready as well.
We'll say that with his name and approximate age and location you found what looks to be his exact address, several phone numbers that might or might not belong to him (and you may be able to confirm this yourself since he's presumably your friend), a few email addresses that also might or might not belong to him, and his Facebook profile.
## Step 2: Find services
Now, you can make use of these email addresses. You can search all sorts of websites using them to see if he used them to register anything. Additionally, it's a safe assumption that, if it's a Gmail address, he also has a Google account that he's actively using. You can make use of plenty of tools for this kind of broad search. Beware, though, that a lot of these will very much be an "install/run it yourself" type of thing and that very many of them will only work on a Linux system.
The biggest thing to know here is [how to effectively use Google](https://www.youtube.com/watch?v=cEBkvm0-rg0) and, likely, [how to use Linux](https://www.youtube.com/watch?v=lmeDvSgN6zY). There are a lot of projects on GitHub which help you with this exact problem, but over the years the most popular or updated ones change significantly, so if you're just Googling for "how to find accounts for X person" you're going to hit a wall of outdated recommendations really quickly, if you even find anything legitimate at all.
Here's the kind of Google searches I would perform to find these kinds of tools:
- account finder github
- username search github
Currently, the most common tool is [Sherlock](https://github.com/sherlock-project/sherlock) but this can (and probably will) change in the future.
I would append "github" to the end of the search because otherwise you'll get all sorts of fun websites that either find the accounts that you already found in your people search or are just outright scams or worse. This is a dangerous area for people who aren't familiar with how the internet works.
If you don't have a username to search for, you can try another tool or extrapolate and assume that the first part of the email would be a likely username or, more commonly, first letter plus last name (e.g. rwilliams) would be a good one. It's uncommon to be able to get that kind of name, though, so people usually put numbers in their usernames. Normally, that's an important date to them like their birthday. Check their email address again for confirmation or look at their profile that you pulled up on the "people search" website that you picked. Try a few different usernames and see what comes up with the most hits.
## Step 3: Passwords
We'll assume you found a few services that look like they might be valid and some usernames and/or email addresses to try. The problem, now, is that it requires more than a valid email address to log into most of these. Well, most of the time, anyway.
The holy grail, here - the thing you're really looking for - is access to the email itself. Let's take a moment to understand why:
When you ask Facebook to reset your password, what happens? Where does it send that password reset link to? Same with Google. Same with Amazon, your local library, and pretty much every other service under the sun. They ask for your email address and, when you "forgot" your password and need to reset it, they'll send all the info to your email that you registered with. If you can access someone's email address, you will own everything they care about.
This is why most of the popular email providers will have two-factor authentication, although most people won't enable it because it's effort to set up. If you're targeting someone tech or security-minded you'll be in for a rougher time, here, but nobody's perfect.
Speaking of, how are we going to get passwords? Well, we have a few options here, and some are sketchier than others. We'll start with the least sketchy and the most effort. When people create passwords, they will usually do something like `<pet's name><birthday>`; in our example, it would be something like `Spot89`. Often, password fields will require a special character, so most people will use `!` or a substitution, e.g. `Spot89!` or `Sp@t89`. There are quite a few passwords to try, so we'll get some help with a program.
Again, Google will be your friend:
- wordlist password generator github
Currently, tools like [bopscrk](https://github.com/r3nt0n/bopscrk), [cracken](https://github.com/shmuelamar/cracken), and [wgen](https://wgen.io/) show up. This is where you put in every detail you can think of about the person. Where they work, pets' names, birthdays, family names, hobbies, favorite music, favorite colors, etc. You'll get a wordlist where something resembling at least one of their passwords will almost certainly show up. Password re-use (using the same password across different services) is very common, but most people will use a couple of different passwords and forget that some of their accounts exist, so you're pretty likely to hit at least one.
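The defender-side counterpart to the `<pet's name><birthday>` pattern and the profile-fed wordlists above, as an added example that is not code from the post or from the tools it names: a check a signup form or password manager could run that rejects any password assembled from facts an outsider can look up, tolerating the symbol and digit stand-ins mentioned (`Sp@t89`). The fact list for "Roy Williams" and the four-letter threshold are assumptions.

```python
# Added example (not from the post or the tools named above): reject passwords
# assembled from facts an outsider can look up, which is what those wordlists
# exploit. Digits and symbols never count as "random" here, so appending a
# birth year or "!" does not rescue a password built on a pet's name.
BLANK = "\0"  # marks characters already matched to a profile fact

def find_fact(pw, fact):
    """Index of `fact` inside `pw`, allowing roughly one symbol/digit stand-in
    per three letters (covers Sp@t, sp0t, 5pot); -1 when absent."""
    n, allowed = len(fact), len(fact) // 3
    for i in range(len(pw) - n + 1):
        subs = 0
        for a, b in zip(pw[i:i + n], fact):
            if a == b:
                continue
            if a.isalpha() or a == BLANK:  # a different letter: not this fact
                subs = allowed + 1
                break
            subs += 1                      # '@' for 'o', '0' for 'o', etc.
        if subs <= allowed:
            return i
    return -1

def profile_derived(password, facts, min_letters=4):
    """True when, after blanking every profile fact, fewer than `min_letters`
    letters remain; facts shorter than three characters are ignored."""
    pw = password.lower()
    for fact in sorted({f.lower() for f in facts if len(f) >= 3}, key=len, reverse=True):
        while (i := find_fact(pw, fact)) != -1:
            pw = pw[:i] + BLANK * len(fact) + pw[i + len(fact):]
    return sum(c.isalpha() for c in pw) < min_letters

# Constructed profile for the post's "Roy Williams" scenario (assumed facts).
ROY_FACTS = ["Roy", "Williams", "Spot", "California"]

def check(password, facts=ROY_FACTS):
    return "reject: derived from profile" if profile_derived(password, facts) else "ok"
```

The check flags `Spot89!`, `Sp@t89`, `5p0tRoy!` and `Wi11iams1989!` alike, while a long passphrase with no profile tokens passes; it is the same reasoning as a generated wordlist, applied before the password is ever stored.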
The sketchier but possibly easier method is to look around for people selling leaked and/or cracked password databases. Websites get attacked all the time, and someone else has probably done the hard work of figuring out people's passwords, so you can take advantage of that and buy a couple of data dumps if you know where to look online. This isn't something you should Google, more of a "if you know then you know" kind of thing. You're very likely to fall victim to something nefarious here if you don't know what you're doing, but it **is** an option.
## Step 4: Putting it all together
Now, you can use a service like [haveibeenpwned](https://haveibeenpwned.com/) to find out which breaches an email address appears in, and then try out your passwords against those dumps. Really, you should be trying your generated password lists against an offline copy of the dump stored on your own computer, because, as I mentioned earlier, most online services don't like you guessing passwords for their users.
So, you can use haveibeenpwned to look at the email addresses you found and see if there's any compromised database dumps that you can check. If you've been on the internet for any length of time, you'll be in one of these dumps, so you'll definitely find something. The problem with these dumps is:
1. You have to find the actual dumped data - this can be a little tricky, but most of the time you'll get them via some clever Googling
2. The passwords will almost certainly be [hashed](https://en.wikipedia.org/wiki/Hash_function), which is a one-way operation. You'll need to guess passwords until you get it right. That's how "password cracking" works
3. The data is usually in a format that you'll need to convert in order to do said password guessing
[hashcat](https://hashcat.net/hashcat/) is one of the few constants, here. It specializes in taking your password guesses, transforming them (which will be very helpful with things like character substitutions), and trying a lot of guesses per second - mostly using your GPU. Once you have a password dump (and have it converted into a format that hashcat understands) you'll need to [learn how to use hashcat](https://www.youtube.com/watch?v=6mEk84n8zg0) and then try it against your friend's password.
Assuming you're successful on at least one of the services, you can manually try this password, or variations of it that you think are likely, on other services. You might get lucky and get in, and, well, then you're in!
# Alternative: Social engineering
Alternatively, you can try social engineering your friend (or, more likely, their friends, family, and co-workers) into giving you access to their accounts. Don't underestimate the power of a [well-crafted phishing email](https://www.youtube.com/watch?v=TemZcHSvTFE) or a [microphone and camera in someone's face](https://www.youtube.com/watch?v=opRMrEfAIiI)!
Unfortunately, I'm not well-versed in this subject, but the [SE Village at DEF CON](https://www.youtube.com/watch?v=4LdwU71Gpi4&list=PL9fPq3eQfaaA_Wd3dSrA8WWdUrQm3k2Ix) is a great place to start learning. It's very much a people-focused thing, so if you're better at getting people to do or say things than you are at getting computers to do or say things, then this approach might be for you. It's often more effective than the purely technical approach I detailed above.