
Yes. [Music] Okay, folks. We're going to get started with our last talk of the day. The name of the talk is "What I Learned in Hacking in High School," and here's our speaker, Loesh. [Applause]

Thanks. Thanks, guys. And thanks for saving the best for the last. Let's begin. So let me tell you what I'm going to tell you during the talk. We'll start with why I learned this. This 20-minute talk is more or less a journey of how I started hacking and how I learned all these things, and I'll cruise you through how I created the lab environment, what I learned, how you can learn, some of the opportunities we can talk about, and finally we'll end this with a conclusion.

Something about me: currently I'm working as a security engineer at Cisco; I recently graduated from Northeastern University, Boston. Sometimes I blog, and this is my handle, and if you have any questions you can reach me at my email address as well. So, a customary disclaimer: all the things that I'm going to show are illegal, so please don't try them without permission. This is strictly a violation of federal and sometimes state laws, to try out these tools and techniques on resources where you don't have permission. So please get written permission for that, and I will not assume any responsibility for anything, neither me nor my mentor nor this conference.

So let's start with why learn this, why hacking. Before I begin talking about hacking, let's delve into something called pentesting. This is a cool definition from NIST. I like it because they say that we mimic real-world attackers when we try to assess the features in terms of infrastructure, systems, your network, web applications, and even people. So pentesting is testing everything before attackers find out holes. Why is pentesting required? It's always good to find out holes before attackers find them; it saves you money and effort, both. One more thing is VAs are not enough; you know, that gives you tons of false positives, as well as it's not a foolproof thing. And sometimes it's a requirement from a compliance standard; say, for example, PCI DSS has a specific requirement for pentesting. So that's where pentesting comes into the picture.

Now let's begin with my journey: how did I start? I started with the same philosophy every kid has, that there is an alien in space (that's the cartoon), and so I started with my curiosity, like how things work. I started reading blogs like how this web is working, or how this tool is working, how this toy is working, and then I started working on old software, practicing those techniques which bloggers used to write in their blogs. And finally, I used to attend a lot of meetups, a lot of group gatherings where people used to just brainstorm about things that they are trying at their home, something new, something old, and that's where it started for me.

Why? The main reason for starting this is they don't teach everything in class, you know, but when you move from school to your corporate environment, your employer expects you'll be able to protect from advanced persistent threats and everything, but they don't teach these things in classes. One more thing which is important here is when you go through all these tools you will be cruising through your interviews; you'll be able to develop pentesting skills easily.

So, let's begin with the show. What do you need to start hacking? You need some kind of lab environment, because remember our premise was to learn things legally. For that you will need some virtualization platform, some software that can be used for attacking, some software that is vulnerable so that you can practice your attacks, and last but not least, your brain and the technique.

The infrastructure: I started with my old PC, and it's surprising to know that my PC had 256 MB of RAM whereas my phone has 2 GB of RAM. So I started with some old hardware, but virtualization software came to my rescue. I started with free virtualization software such as VirtualBox, but when I joined Northeastern one good thing happened: they give out free tools, so I got a free license for VMware Workstation, and that really worked wonders. That's where I got into VMs.

Now the next thing was to install an attacking operating system. The go-to tool is Kali Linux. Kali is an operating system that combines various attacking tools. You name it, you have the tool in that operating system. So if you want to do information gathering, vulnerability assessment, exploitation, forensics, memory corruption, or password testing or anything, it's a good tool to have in your armory. But there are other operating systems available that one can use. Last year, when I was interning at Cigital, I started delving deeper into Samurai because my job pertained more to web application exploitation, and that's where I came to know about Samurai. But at the same time we have OSes like [inaudible]; so when I took a forensics class this operating system helped me a lot because it has a bunch of tools for forensics, so you don't have to install all the tools one by one, but you have got everything. So there are a bunch of other tools that you can use. Also, recently there are frameworks that have come into existence like PentestBox, App, or pentest frameworks that you can install on top of your Windows. I have installed PentestBox and App. App is specifically for mobile application pentesting, and that's one of the coolest tools; you know, you can just run it on your Windows box.

Now you have installed attacking software; what next? Now we have to install vulnerable platforms as well. I started with Metasploit, but it has got upgrades to Metasploitable 2. So, correction: Metasploitable. It's a good offering from Offensive Security. It has a bunch of vulnerable services, web applications, everything you name it, so that you can try your attacks. You can read on how to exploit things, and here is an operating system full of vulnerable software; you can just launch your attacks on this operating system. There are specific images for vulnerabilities from PentesterLab or VulnHub. So I wanted to try Heartbleed, but I cannot just attack any server in the wild; it's illegal. But how will a curious student like me try those things? That's where specific images come into the picture. I downloaded a Heartbleed-specific image to test the Heartbleed attack, and a SQL injection-specific image for trying out more SQL injection. There are web applications available: WebGoat, which I love myself because it has a lesson format, so I get to know injection attacks, then a solution, then cross-site scripting, then a solution. And now that we are moving towards the mobile application age, we have a bunch of applications which are vulnerable to all sorts of mobile vulnerabilities: GoatDroid, InsecureBank v2, and DVIA on the iOS platform, an application written by one of my friends. So these are the things that you can install on your machines. Some of the things I have already installed on my machine I test day in, day out. But there are cloud-specific images like hack.me that you can use; I have used it myself.

Now coming to the hardest part: how to learn. Software will not teach you hacking, because it's not point-and-shoot where you install Metasploit, you install Metasploitable, and start hacking. No, it doesn't happen like that. You need to know the fundamentals, and where do you get all these fundamentals? OWASP is a great resource. I refer to OWASP a lot; I started my journey in web application security with OWASP, so even now, whenever I get a doubt, I just go back to their site. They have good resources on how to find a particular vulnerability, how to resolve that vulnerability, and what the mitigations are.

Then come the blogs. I mentioned earlier that I used to read a lot of blogs. Now security researchers have started putting up specific blogs on vulnerabilities. I have mentioned Project Zero as one example because they have specific things on system security. System security is not one of my areas of expertise, but I try to read those things just to get a small understanding of those kinds of things; you know, that keeps your juices flowing in your mind. And then conference talks, talks like this. Earlier in the day I was in a talk where someone was describing Wi-Fi pentesting; that's where I got to learn more about Wi-Fi. So attending these kinds of talks helped me a lot in learning. And finally, online courses. Even if you are not able to get into a school or college for a specific course, there are websites available that target only software security, or Udemy has courses on SQL injection and cross-site scripting, so you can attend those kinds of courses to get more information.

But this is not enough. Again, once you get into this field, once you get into learning, you need to practice a lot: SQL injection, cross-site scripting. It's not enough to find out a payload which works on a certain vulnerable web application, because you have to get creative with it. You know, just by script alert script, although it can pop an alert box, again you can get into new vectors to find out that vulnerability. That's where practice will come into the picture.

So till now we are just talking about how to do it, why to do it. But what kind of opportunities do we get? I am one of the examples of opportunities. What I have gained from my experience is there are tons of opportunities available for security analyst folks, you know, people who are working in security, in terms of jobs. Here is something from a recent survey from CNN: it's one of the good-paying jobs in the US. But the recruitment is trickier. So if you are going through the path where you are learning the concepts, building a fundamental from sites like OWASP, trying out things on your own, then you are on the right track. But if you think you are just going to hack a company to get into that as a security analyst, that's not the right way; that will put you behind bars. Nowadays companies are getting more hands-on. Last year when I was giving my interviews, most of the companies had put up a vulnerable website. What they wanted from the candidates is to attack that site and get as many vulnerabilities as possible and report them in a format that a pentester will report in. Those kinds of things are getting into the industry, more hands-on. It's not about theory, and that's where all the learning will help you.

So what else can we do, and what else do I rely on to learn my skills? The next thing is wargames and capture-the-flag competitions. As you can see outside this room we have a capture-the-flag competition going on. There are new techniques, new vulnerabilities that the participants will be exposed to. One of the things that I'm mentioning here is OverTheWire. It's good that you are able to attend the conference and participate in the CTF, but if you are not able to attend the conference, what will you do? OverTheWire has a bunch of challenges based on web applications, SSH, or other things; you can just try out those things and learn. I personally like OverTheWire because I have tried their web app challenge and they have good levels, like 1, 2, 3, where you start from basic and then go to an advanced stage.

The other thing I do a lot is online challenges. With the exposure that web application security is getting in the industry, most of the companies are putting up challenges. Last year Google put up this cross-site scripting challenge, and there were five levels. The moment they made it live, I tried this, and I was able to do all five levels. I tried to blog it on my blog and wrote all the walkthroughs. So walkthroughs are important. The way I do it is I try my best to get the vulnerability, get the exploit working, but sometimes I'm not able to get success. So what I do is I go back to walkthroughs. Cure53 is one of the resources that I go back to for getting to know what kind of payloads they are using for passing different challenges. So consider if a challenge is to do a cross-site scripting with just 11 characters or 15 characters. I don't know a payload of 15 characters which will give an alert box, but when I go back to Cure53, I get to know those kinds of things. That's where your walkthroughs come into the picture.

Now shifting gears again. You have gained a lot of knowledge if you are following with me. I am cruising from the start: I started with my curiosity, then I created a lab, and I practiced challenges in open environments in the cloud. But now what? I stumble upon zero-days. I stumble upon web application vulnerabilities. How to deal with that? One of the things that I do myself is responsible disclosure. That's the reason I'm wearing a white t-shirt here, because yes, we are white hats. We are not black hats, where, you know, I'll sell the vulnerability on the black market. I responsibly disclose the vulnerabilities to the vendor. I have disclosed critical vulnerabilities to vendors in the past and do it on a regular basis. This builds trust between the vendor and the security researcher, as well as it gives you name and fame, and sometimes money as well.

So, just because a few months ago I was a student: how to make money when you are a student? With responsible disclosure: bug bounties. CTFs are cool, but they don't pay you money, and that's where bug bounty comes into the picture. Your responsible disclosure will not only give you name and fame but also money. I started my stint in bug bounty more than a year ago, and I responsibly disclosed vulnerabilities to sites like Sony, Prezi, Eventbrite, and recently, two days ago, I disclosed a vulnerability to United, although they are still in the phase of triaging it. I'm hoping to get more miles as part of their bounty program. But yes, I practice my skills on platforms such as Bugcrowd, HackerOne, etc. I have participated in various bug bounty programs on their platforms, where they give an opportunity to researchers like me to try out real attacks on Google web applications.

Now it is important to know a few things, and I'll talk about this. It does not give you the luxury to try out anything. So just because a program or a vendor has put up a bug bounty challenge, it doesn't mean you can just scan them left and right. You know, again, go back to the slide that we started with on pentesting. The more important thing was scope. You always have to have permission, and scoping is really important. Sometimes, in my experience, what vendors do is they put very specific things for testing. Like Google: initially they started with google.com and then they integrated more services into the bug bounty program, and recently, with all the crazy things happening around the Android world, they have put Android into their vulnerability disclosure program. So that's one of the things that I personally think you need to follow: scope.

The other thing is, always respect the vendor. Another example that I want to share is LastPass. LastPass started their bug bounty last year. I reported a few bugs to them and I totally forgot that I had reported, but they actually fixed those vulnerabilities last month. So they took almost a year to fix those vulnerabilities that I reported to them. I did not take any offense at that, because I respect completely; you know, I've seen developers making a lot of effort in fixing those vulnerabilities. So I respect them a lot. The other thing that I really vote for, I really recommend, is don't copy-paste another researcher's report. It's their work; always give credit. And there are a lot of cool bugs to find. Get creative and find new things. That's one of the recommendations that I always give, and I try to find out new vectors to do something crazy. Various business logic bugs are still out there to find.

So coming to the conclusion. I ran very fast; I don't know if I'm like just 15 minutes in and I've covered everything. But coming to the conclusion, one of the things that I noted from my experience as a student and now as an employee is rapid skill development is a key to success in security. The landscape is changing in security. Every day we are facing new vulnerabilities; last week we had a big Android bug. So you have to be hands-on with most of the vulnerabilities. If you don't know how to exploit a bug, you might not be able to put the right defense in order to protect your employees from that. That's where these kinds of hacking things come into the picture. The other thing is courses: security courses are great, but they don't teach everything in class, and that's not feasible. Also, my professor told me how to do a SQL injection, but he just showed me one way; that's fine because he did not have time, but as a student it's my responsibility to try out different SQL injections and try out how I can extract more data, how I can do it differently, and that's more important here. You don't have to restrict yourself to the class. The other thing is it's always good to gain real experience exploiting vulnerabilities instead of just writing theoretically that yes, there is a side-channel attack and that can extract my passwords and everything in 2 million years. It's always good to have a rationale behind whatever you are recommending. That's where all these skills come into the picture, and everything has helped me a lot in my journey from a student at Northeastern to my internship at Cigital and right now at Cisco.

So that's it from my side. These are the references. I'll put all these slides on SlideShare so that anybody can look into it. Any questions?

[inaudible question]

Okay. First off, I'm sorry. Yes, I'll put this up; as of now, it's not online.
So short answer: I don't know. Yeah.

So yeah, short answer, I don't know how to stop a kid, you know. I can talk to, you know, my mentors here; they are more experienced. I'm still in the learning phase. But something that I have learned from my professors is always be on the right side, like be responsible in whatever you are doing. And you'll be surprised to know that we have a course, Network Security Practices. We had a course, and we had a specific question: what will you attack? And four answers; one: you have specific permission from the responsible party. So people are putting effort into teaching in classes that please do not attack in the wild.

Yeah, because, yeah, I was reading a story I think two weeks back that some intern got fired, and some crazy things happened in an internship. So yes, internships are dicey, but it's security; there's a very thin line between right and wrong, black and white. So you know what

Maybe I should bring you longm. That's not

I want to remind you we have a few younger folks here that fight in front of us.

be a good question. Yeah. Thanks. Yeah.
Yeah. Any other questions? So yeah, I want to say a big thanks to my mentor Ming for being with me for all this time and putting this talk up, and thanks to BSides for having me here. Enjoy.