
Well done. All right, ladies and gentlemen, hi, welcome to seabase. Now, I'm very excited to be here on stage, and I would like to first of all thank the organizer for putting up this amazing event. Of course, I would like to thank you, ladies and gentlemen, for being here today. Nevertheless, I would like to thank the people behind the screen that are watching us, whether it's live or recorded. And just because you're here today, I would like to share with you a story. Now, don't get me wrong, this story is not unique or individual to me; probably every self-taught cyber security practitioner can tell you the same thing. You know, although our job as cyber
security practitioners is usually to read between the lines, to connect dots that no one had connected before, to make something new, but as we all know, two websites that can look completely identical would have completely different code, and not to mention completely different logic. But right now nobody is at work, you're not supposed to work out, so sit back, relax, enjoy, let me do the hard work for you. So, this is me. If you'll Google me, hi, you find out that besides giving your name tags in the entrance, I'm also named juliel. I'm 34 years young, and for the last eight years I've been a self-employed massage therapist. I also won two medals from the
International Massage Association. Wait a second, a massage therapist on a stage of a cyber security event? Is this a runtime or a logic error? Well, none of the above. The reasons why I'm standing here today cannot be found online. Luckily, for many years I spent more time with technology than sleeping. Of course I assembled my own computer for my own workstation from spare parts my brother used to bring from work. Even more, I experienced the best time of technology: LAN, LAN parties. Who has been through a LAN party in his life? There we go. Fun, ain't it? The biggest problem in my time, it wasn't the huge cathode ray tube monitors; even as a kid, carrying those 10 kilogram
things was not a problem. The biggest problem was to find enough tables and cables that can contain all the guys around. Of course, when I got my internet, when my mom connected our home to the World Wide Web, two days afterwards, you know what I got? Virus. Makes sense, that was the time. Of course, all of my cool friends had those hidden directories which are "do not open". Well, I can assure you, also the content of those directories wasn't from the cool type. Later on I realized that I am just too much of a hyper person, and I couldn't sleep and I couldn't sit in a chair for more than a few hours, so I had to look
for different directions. Many years have passed; the passion for technology still remains. The good news is I'm not fixing my mom's printer anymore. Now I teach her how to Google, you know, email, sharing screen with Zoom. The funny thing is that I noticed that writing code and explaining things to my mom is quite familiar, because both of them need their own information written down in their own words; if not, there will be a problem. And you can definitely see that even more when it comes to a lot of thinking and very, very deep understanding of the subject: they both tend to overheat. However, the biggest difference is that my mom is not able to repeat the same action
twice.
True sentence, literally a true sentence my mom told me. Well, as I mentioned and as Natalie mentioned, I want to be a cyber security practitioner, and what can I tell you, folks, that is the nut that is hard to crack. How would you even start? What makes a good hacker good? How do you earn a living from being a hacker? Of course you can go rogue and go to Google and start searching for vulnerabilities. You know, you find one, amazing. You succeeded to exploit it, even better. And now what? You're gonna put on your gray hat and say: here I come to save the day, I found a problem in your system, now would you
like to pay? Well, find it a bit skittish. You know, you can always go darker, you know, be the best world from West Wall black hacker, one which all everyone is afraid of you, and top secret agencies come and beg you for your help solving those cases. Well, those things happen only in the, on the movies, just like you see viruses that have a GUI. Oh, so if you want to be a black hacker, you should always remember the consequences. Kevin Mitnick, for example, is known to be the world's best hacker. He spent two, in two different occasions he spent about six years in prison. Now, besides the time that he spent in prison, he was also avoiding the law and
literally isolated himself from the environment. Nowadays he is the perfect example for a white hacker: he helps companies to make their security better. If it was worth it, surviving through jail, because he also didn't get phone calls because the judge was afraid that he would launch nuclear missiles, regardless if it's true or not, this is a life story that you should think about if you want to go black. If you want to go legal, it might be a bit problematic, because there are a few ways in which you can show the world and prove you know what you're doing. The first option is bug bounty. A bug bounty is a platform, a community that
connects companies that want to test their code or digital products with hackers which want to hack things. Now, the subject is very, very complex, since you need to know which kind of attacks you should do; you also need to be aware of which attacks you are prohibited; and not to mention, if you found something, you need to provide a proof of concept which would be legally submitted. To explain to you how much I find this topic very complicated, I found this anecdote: what is the difference between a hacker and an ethical hacker? Bureaucracy.
A second way to actually get acknowledged, in a lot funner event, is a CTF, capture the flag: basically a game in a digital environment where you will receive a link if it is a web, you would receive a file if it's a reverse engineering, and a hint with a text that can help you understand where you need to go. This is a picture from the set, from the second CTF 2022. This is a Jeopardy style, in which you have a lot of questions and you should answer them. The flag, by the way, is a set of characters. If you do want to try this, I would totally recommend going to ctftime.org. This website updates on a regular basis,
and practically every weekend you can find yourself in a competition. Two biggest advantages: that most of the competitions are actually free, and if you're in the same age as me, so without an age limit. The problem with those CTFs is they are ridiculously hard. As a beginner, I participated in approximately six and I solved six percent. Yeah, helpful, isn't it? And thank you for supporting. And it just means that you need to learn. If you want to prove to the world that you've learned something, then society's standard to show you know something, it is a certification. Now, a certification, a human certification, is very similar to a machine certification, because eventually someone just designs and prints a paper,
and just like a machine certification, this will not get you anywhere. You need to make sure that society will acknowledge and will be familiar with the certification, so you have to choose correctly which kind of school you will learn. Although two of those certifications which are involving pen testing are quite advanced, so they require two years of experience. To learn to those certifications you have a few ways. The conventional way is with a school or boot camp, which in boot camp you will just cram a lot of information in your brain for a very short time. If your brain can actually understand, organize and remember all of the information, I say go for it. If you can
go to school and have time and financial resources, it can be also a good example, because someone can teach you and lead you the way, and you will not end up three days in a row bugging a problem which is not involving the hack itself. If you don't have those options, I found out that if you go online you can actually categorize the options into three. A learning platform is very general; it provides a lot of information, from infos to walkthroughs, that you can simply walk through the state, walk through the room and exploit the machine, or you can fight with other people on the same machine, you can build rooms, and you can also
enjoy the time over there. I would recommend TryHackMe. TryHackMe is perfect for beginners because it provides all of the information needed; please check it out. Second option is the website: it's literally someone that built a website that you will be able to hack and penetrate. Most of the attacks that you should know are actually web related, just like the XSS. The third option is the loading hack. Now, load and hack are standalone applications that you can download and simply load on your VM, on your localhost. It is very useful because you can hack the machine when you're offline. I would recommend the following: the Juice Shop, which is a JavaScript based,
it has a list that you can actually see which kind of attacks you should use. Every attack is categorized into a few difficulties, and every difficulty has its own scoreboard, so you can follow up and see what is going to be, how good you became. The second option is the Metasploitable, which is very good for beginners. It's a Linux base that you can also root, and it contains funny vulnerabilities, like an anonymous login from an FTP, or you can even open up a back door. In the same way that we will talk about the load and hack, there is something that you have to know: VulnHub, as you can see, is telling in its website that
most of the content that is being uploaded hasn't been scanned. That means you might download something which is not safe, because we all know that freeware is something which can be very dangerous, because someone needs to make money in this world, and in this case people are uploading their machines that they will be able to hack, and it's not everything being tested. So keep in mind, when you download stuff online you need to pay attention to what you're downloading, especially when it's involving hackers. One of the most important skills that hackers should use is the ability to search, because we search everything: we search targets, exploits, information, anything. And it is very important to be able to
locate the needle in the haystack. A skill which is less talked about is to make the haystack as small as possible, and this is why we have search operators, because search operators will help Google understand exactly what you want. Maybe you want Berlin the city, or you want Berlin the name from the House of Cards; it all depends what you want to get, because if you will tell Google exactly what you want to get, you will receive what you need. Now, in the same verse that we are talking about those search operators, I want to open up the door to make people realize how a hacker thinks, because if you would search in Google for a path
of a familiar, sorry, a familiar path in the Linux system, for example, you know, a directory that contains passwords, so eventually if you would write down this in the search engine, eventually you will get a massive scan of a local file inclusion. And this is how a hacker thinks: they take functions that everybody uses on a regular basis, but the actions that they will do with this information afterwards is completely not normal.
Along with the search operators you can also solve one of the problems with the online platforms or any kind of online exercise: you can actually exclude an option, so you can be a little bit more of a live hack, a real life scenario.
Now, if you come to think about it, there are two entities that use code. One of them are machines, like computers, wash machine, the arcade machine we all know. The second one are humans, like us and people like my mom. Of course the best documentation in the world can be an IKEA manual, where you can just look at everything and understand where what nitgo goes where. Sadly, our profession is a lot more technical orientated and is a lot more difficult, so we need a lot more information; just to print pictures is not enough. In any case, you would find out the documentation, the explanation to people what they're supposed to do with the code, it is everywhere. The smallest type
is a comment, where you simply describe what's going to be the next paragraph of code. Now, we all know that those comments are there just to help people, other people, understand what our code does, because we know exactly what our code is doing; even if you wake us up in the middle of the night, you know, we know it.
Now, the documentation can be very hard and very technical, that they contain a lot of information. It can be very frustrating to not find your answer directly and directly go to Stack Overflow, but keep in mind that the best minds that made this app or hacking tool or programming language, you name it, they wrote the documentation to help you understand how to handle with their own baby, you can say it, how to handle with it, how to make the best out of it. a few lines of code in your life, you probably know also the code's ugly sister, the debugging. This can be also a very, very annoying process, but it works eventually,
because you understand that the problem was not in the computer. In any case, if you are in a special scenario that you haven't found your information in the documentation, you would probably go to Stack Overflow. One of the biggest problems that you see in Stack Overflow, especially for beginners, is that there is a lot of content and a lot of information is missing. Because we want to help the other people, this is the concept of a community, but what happens if the information being given is not enough? So when you write down, and you do decide to post something online, make sure you write down all of the important details. You know,
if it is a code situation, you should probably write down all of the code that's related. You should also add the error log, and please read it before you even post it. It is kind of like, imagine yourself when you're going to eat a burger. You like burgers, right? Yes? Good. Imagine yourself, you're going to get yourself your burger, you made a reservation online, you're going to pick it up because you want it warm, you want it nice. How would the guy in front of you know which hamburger is yours? You cannot just go inside into the shop and say, I ordered a burger. You need to give details, you need to be
precise, you need to be accurate. You can imagine yourself, if you can't figure out what you want to write and what you need to explain, go through other questions, see what are the other questions, why the other questions are not related to your topic, why this second question cannot answer your problem. You can even start writing down with a draft, you know, put some information, edit it. If you have a problem talking, you can always go for the second option; it's called the rubber ducky. Now I know, you are not talking about the normal rubber ducky, we're talking about rubber ducky: you just have to explain to the rubber ducky, which is not so
technologically competent, what is the problem. He can help you to understand exactly how you should say it. Thank you. And now it is the time to be a person. Forget all the technology, forget all the technicalities; we're going to talk about motivation and what keeps you motivated, because it is a hard profession. You will find out that you will stick your head inside the wall many times without even knowing if you are on the right path to hacking a system. So have a look: these are possibilities to get a job as a cyber security practitioner. Go to Google, see what you need to learn, because even if you want to learn a
programming language, which you should, you should know how to read, write and explain basic code syntax, but every profession has its own specialty. A malware analyst will probably need a lot more C language; a web penetration will probably need a little more JavaScript. If we do talk about programming language, I will tell you this, the best tip that I can give you: if you are talking with other developers or programmers, unless you know the opinion of the other side, never say HTML is a programming language. So, to finish this, again I would like to thank all of you that you are here. Don't hesitate, develop, advance, and you have to keep it in mind and try to be
like the internet from the 90s. You remember that? It doesn't matter how long, it doesn't matter how stressful, it doesn't matter how slow the process would be, eventually you would have done it. Just like the internet: again, the internet back in the days used to transfer bit by bit, a little bit, a little bit, eventually it got the entire file transferred. So you should have that as well: have a bit of motivation, a bit of motivation, and another bit of motivation; eventually you will have a terabyte of motivation. And I tell you, you can do this. Okay.