So, some of my friends, in the past, have asked me to teach them how to hack. I normally agree, depending on who it is, to give them the tools. Teach them UNIX, show them how to find stuff online, etc. What I can't teach, however, is the mentality. I had some fun last night, and I figured I'd share it with you, give you a feel for how a hacker thinks.

First, I have to tell you a little bit about myself.

See, hacking, in its purest form, is not what the government, Hollywood, or the media want you to believe. Hacking is merely finding a creative solution to a problem. You might remember my post about Hacking Your GPA. I never once talk about actually cracking a system, except to say it's illegal; instead I focus on how an individual can get the GPA they want with a whole lot less work. I want to make a clear difference right now between "hacking" meaning a creative solution and the "media hacking" meaning click a button, and make a botnet (we call them script kiddies).

I'm a big fan of 2600, the hacker magazine (side note, I love the Google impersonation they have up right now) and buy every new issue when it comes out. I do, however, pay cash, just in case it is tracked. Every time I buy it, I end up in the same conversation with the cashier.

"So, this is a hacking magazine?"
"Yea."
"So, you're a hacker?"
"Yea."
"Isn't that illegal?"
"Nope, I hack my own systems, do security audits, anything when I have permission beforehand."
"Oh."
"Why are you a hacker?"
"Because it's how I think. I like information, knowing how things work, and it drives me crazy if I can't figure it out. Have a nice day."

Some things change, others remain the same. There's always an incredulity to their voice when I admit I'm a hacker, as if I should be scared. At first this scared me. What if they recorded who buys this? What if the media gets the government to go on a hacker witch hunt? Then it pissed me off. These people judge what I do. Assume I'm a no-talent script-kiddie, and that I only look to hurt people. Now, I enjoy it. Every conversation I get to enlighten one more person that hackers aren't evil. We're normal people, blessed with an inquiring mind. So, after my last conversation, no one was in line, and I opened up to the cashier. Told her about hacking. Pretty much all of the above. Her response?

"Oh, I never knew that's what hacking was. Thanks for telling me."

It was a good feeling, standing up for a whole culture that gets a bad rap. So, that's what I think of when I say "hacker". I know people assume we're script-kiddies, just looking to hurt people. Dirty guys sitting in dark rooms laughing as they take down government systems. But I have to say I'm a hacker because I have the questioning mentality of needing to know how stuff works, and I'm proud of it.

Background aside, yesterday in my phishing class a guy stood up, and told us of a phishing email his sister got. How he'd now have to talk to his family about phishing, and all that. I decided to check out this company (name not mentioned to protect them, and me). Here's how I was thinking.


Reasons
The entire reason I did this was to find out if my classmate's sister was in trouble from these

Recon
First I did a dig on the domain name. Found who it was registered to, and where it was located. Turns out, it was offshore. Later I found an IP on one of their pages, did both a dig, as well as a traceroute on it, to find out where it was located, and how it got into the country.

Next I visited the website, and found it was a gambling site. Interesting.

Cracking
While I was trying to get into the page, I ran into the problem that they actually verified credit card info. Since falsifying that is a crime in this country, I had to find a workaround. First thing I did was check the source of the page. It normally yields at least the next place to check, if not the answer. Sure enough they had a poor coding scheme, intro page was 1.asp... I was on 3.asp... so I tried 4.asp. Bingo, it welcomed me, and sent me to their main page. This yielded the IP I tracked down later.
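The skip described above works when the page after the card check is served without the server confirming that the check passed. As an added example (not part of the original post), here is a log review that flags sessions reaching a numbered step before completing the previous one; the log format, the session IDs and the "302 on successful submit" convention are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log: "<session> <method> <path> <status>" (format is an assumption).
SAMPLE_LOG = """\
sessA GET /1.asp 200
sessA POST /1.asp 302
sessA GET /2.asp 200
sessA POST /2.asp 302
sessA GET /3.asp 200
sessA POST /3.asp 302
sessA GET /4.asp 200
sessB GET /1.asp 200
sessB POST /1.asp 302
sessB GET /2.asp 200
sessB POST /2.asp 302
sessB GET /3.asp 200
sessB POST /3.asp 200
sessB GET /4.asp 200
sessC GET /4.asp 200
"""

LINE = re.compile(r"^(\S+) (GET|POST) /(\d+)\.asp (\d{3})$")

def find_step_skips(log_text):
    """Return (session, requested_step, highest_completed_step) for every
    served request that reaches a step without completing the one before it."""
    completed = defaultdict(int)  # session -> highest step submitted successfully
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not part of the numbered flow
        session, method, step, status = m[1], m[2], int(m[3]), int(m[4])
        if step > completed[session] + 1 and status < 400:
            # The server answered a step it should have refused.
            findings.append((session, step, completed[session]))
        elif method == "POST" and status == 302 and step == completed[session] + 1:
            # Assumption: a successful submit is answered with a redirect.
            completed[session] = step
    return findings

if __name__ == "__main__":
    for session, step, done in find_step_skips(SAMPLE_LOG):
        print(f"{session}: served step {step} with only step {done} completed")
```

The same per-session "highest completed step" value, kept server-side and checked before rendering each page, is what closes the gap rather than only detecting it.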

Where to go?
So, you're into the site, where do I go from here? So far everything's looked like it's legit, and I wasn't sure if I needed to poke around more. But, all their gambling programs were flash programs. I like messing with that, so I grepped the source again, and found the name of the files. They were fairly decent in security, in the fact that I couldn't use wget to traverse their file structure. Kinda a setback, but I got around it. The goal here was to prove the flash files were fakes. Turns out, after decompiling, they weren't. This was a legit site.

So what?
Well, I got out of the site, and thought about what I'd learned. As an aside, every hacker should learn something from everything. If it's the millionth time you've played this game, look at the one spot you never look at. Analyze your own game play. You'll find something to learn. Anyways, I came to the conclusion that this site had some tricks to it... they made it look like it was secure when it wasn't, and had some nasty stuff in the EULA but was legit. So, it wasn't a phishing scam, the guy's sister and family had no reason to worry, but regular users, if they didn't read the EULA, would get screwed out of a ton of money. Well, if you're frequenting offshore gambling sites, you're probably already losing money.


I realize I mention a lot of UNIX command tools, and general network stuff, so if you're unsure of something, feel free to ask. If anyone wants to learn how to hack, feel free to ask, but I can't teach the thought process, so if you're not naturally inquisitive, forget about it. I feel I should say I didn't break any laws doing the above, and I don't support illegal actions (gotta say that to not get sued/arrested).
