START THINKING LIKE A CRIMINAL
You heard it right! Thinking like a criminal is one of the important ingredients for security testing aspirants or enthusiasts who want to reach the next level of hacking. I quote this always in my talk – To become a better hacker, think like a criminal while you have self-control to not commit the crimes. Some of the examples that I would like to share with the audience of my thinking experience as a hacker,
• I have tried to break-in my school when I was 8 years young and stole the question papers for the exam. I used a duplicate key to open the lock.
• I have hacked some of the dial-up networks and used the dial-up package of someone else when I was 16. I did this with the help of “iOpus Password Recovery”.
• I have hacked some of the yahoo accounts as I wanted to know if my girl was reading my e-mails or not. I did this using “Keylogger” installed in my college cyber café.
Sometimes I think that, security testing was in my blood since my childhood days. If I were running a school of hacking, then I would build an infrastructure and give the practical exercises to the kids where they can bypass the security, break open the doors and lot many things. That’s kind of nutrients that I want to give for kids to become hackers. That’s what I call as “Nurturing” the growth of a hacker or a security tester or a penetration tester.
“Start thinking like a criminal now”
HACK YOUR FRIENDS ACCOUNT
I started hacking a girl’s account and she was my crush. This was long back in the year 2001 when I was schooling. I also tried hacking my best friend’s account. I do not know why I chose them, but I felt they can understand my intention behind it instead of doing it for someone unknown. So, it was like practice session for me hacking my friends account. After I hacked them, I was happy about my skills however; I returned the account to my friend whenever I hacked. I did not look into the data after hacking, but just logged out and that was a billion dollar feeling for me.
INTERACT WITH UNETHICAL HACKERS
Since childhood, kids are taught not to play with some other kids because they think their kids would get spoiled. Well, I have something different to say here when they grow up; let them go out and learn things so that they can become better and live their life in much better fashion.
Likewise, if you are an ethical hacker and want to learn more; it might be one of the important attribute to mix with unethical (Black-hat) folks and learn from them. However, it is not as easy as getting chocolate from a shop. Blackhat folks will not agree if someone ethical wants to meet them or talk to them. For those things, one needs to build the trust and yet it is not guaranteed that blackhat folks would agree to talk to you.
I can only say, give your best to interact with unethical hackers.
BYPASS THE INFRASTRUCTURE SECURITY
To become a better hacker, it is blend of technical skills as well as social engineering skills. Most of them do not understand the importance of social engineering. Let me give you an example: If you want to hack the data which is in a different building, one of the easy way could be do get there and get the hard disc while technical skills might take a bit longer. However, there is a risk involved with it. It’s a matter of, “Whether you are game for it or not”.
In my experience, I have bypassed several organizations security checks by social engineering. One of the example is, I built a great rapport with the security guard at the entrance and was speaking his language and agreeing to whatever he was saying. That made him closer to me and he started liking me just because I was agreeing to whatever he was saying and was speaking to him whatever he likes. Finally he said, “Sir, you seem to be a very good person and I will let you in without the access card as you are visitor. There is no need of approval or calling the escort”.
Wow! That was a cakewalk.
Start practicing these exercises in shopping malls, hotels, supermarkets, hypermarkets, organizations and anywhere which has security checks. You will see that getting access to physical infrastructure is a cakewalk in India at least.
MANIPULATE MINDS OF PEOPLE AROUND YOU
Remember this very well, “Humans are the weakest links” in the “Security World”. Let me give you a better example,
Let us say someone kidnaps your loved ones and later the kidnappers call you and ask you to reveal your password to some account which has sensitive data. At that time, you would be emotional and you just give away the password. However, computers cannot be asked to reveal password by just kidnapping something which is related to computers; they do not have emotions while humans have.
Another example could be, “Someone points gun on your head and asks you to reveal password and you will”. However, doesn’t work the same when someone points gun to computer and demands to share the password.
If you learn to manipulate the minds of people, then you have cracked some layer of hacking to reach to sensitive data. And I bet that it is so not so easy! After lot of practice, I could social engineer at least 6 people out of 10 with whom I converse. Well, not for evil purpose, but educational.
I consult for free for, (Feel free to write to me)
• Security Testing Aspirants
• Wannabe hackers
• Security Testing Projects