
Not all hackers are criminals. But when so much of our life exists online, the ones that commit crimes become serious threats. That’s why it’s so important for us all to understand them. So, while we do not condone criminal hacking under any circumstances, let’s take a walk through the dark side to see what we can learn.
What type of hacker would you be?
To understand what kinds of hackers there can be, let’s define hacking. The most common definition is that hacking is gaining unauthorized access to a computer system. There are other definitions out there, but it’s easiest to work with this one.
The unauthorized access at the heart of hacking can be used in different ways. White-hats will use it to help shore up vulnerabilities in the system they’ve just penetrated. Black-hats will abuse that access to the detriment of their victims. For more about the other “hats,” check out our post on different types of hackers.
The kind of hacker we really want to stay safe from is the black-hat hacker, so let’s walk a mile or two in their shoes.
How would you become a black-hat hacker?
The most direct way to become a black-hat hacker is to perform nefarious hacks for personal gain, so let’s get started! First, you’ll need to decide how to hack…
What hacking methods would you use?
- Social engineering: Social engineering attacks hinge primarily on fooling a human victim into granting the hacker privileged access. Attacks like this can be almost entirely scam-based – using an email or SMS to fool the target into telling you their password – or they can involve technical elements as well, like malicious documents or fake links. We’ve got a more detailed breakdown of social engineering attacks here.
- Exploits: An exploit is when an attacker takes advantage of a technical vulnerability to gain unauthorized access. Code-based exploits are the most common, but there can be other types as well. Hackers can take advantage of exploits using custom code or by downloading pre-made scripts (attackers who rely exclusively on pre-written code are called “script kiddies”). One of the most dangerous types of exploits is a zero-day – an exploit that the security community is not aware of yet. If a hacker discovers a zero-day before researchers do, they’ll be free to attack indiscriminately until they are detected and the vulnerability is fixed. We have a more comprehensive list of the most common hacks and exploits here.
Less commonly, exploits can include a mix of code- and device-based vulnerabilities. Hackers can employ Wi-Fi scanners or cell phone tower spoofers to find and attack their victims.
Whatever method you’d choose to use as a hacker, the gold standard is the same – gaining root access. Root access grants complete access to all of a device’s software and even hardware resources. If that’s not available, however, there are lots of lesser forms of access that will let hackers do tons of damage.
Last but not least, we need to mention the hacker’s most important tool – the internet. This is where most hackers will:
- Discover their hacking method of choice;
- Find information about their victims;
- Access their victims.
Who would you hack?
That depends on what you want to achieve. Different hackers want different things, but since we’re pretending to be black-hats, let’s say we just want to hack anyone whose money we can get our hands on.
The question still remains – how will you choose your targets?
- Individuals: There are lots of reasons why a hacker could be interested in one specific target. Maybe they know the target is wealthy, unsecured, or they have a personal interest in the target. There are pros and cons to targeting individuals, as their habits and vulnerabilities will determine what kinds of attacks are and aren’t viable. You’ll have to do a lot of research and work and you may not wind up getting what you want.
- Groups: One of the most common fallacies in cybersecurity is safety through obscurity – the idea that you’re safe because you’re not interesting or important or wealthy enough for hackers to target you. However, lots of hackers have found efficient ways to launch attacks against large groups of people – thousands or even millions at a time. An automated attack with a small success rate can still bring in a significant profit.
If you think a hacker would never be interested in you personally, well, maybe you’re right. But that doesn’t mean they won’t still have ways to hack you without having any idea who you are. There are tons of tools and techniques available to target groups. Hackers can use massive data breach dumps with millions of people’s personal data or login credentials to look for recycled passwords on other sites. They can use that data to launch broad phishing scams with thousands of targets.
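From the defender's side, recycled-password attacks against a login page leave a recognizable trace: one source trying many different accounts, with almost every attempt failing. The sketch below is an added example, not part of the original post; the log format, thresholds and sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5   # assumed threshold; tune to your own traffic
MIN_FAILURE_RATIO = 0.8  # assumed threshold

# Constructed sample auth log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:03 203.0.113.7 carol FAIL
2024-05-01T10:00:04 203.0.113.7 dave OK
2024-05-01T10:00:05 203.0.113.7 erin FAIL
2024-05-01T10:00:06 203.0.113.7 frank FAIL
2024-05-01T10:00:10 198.51.100.4 grace FAIL
2024-05-01T10:00:20 198.51.100.4 grace FAIL
2024-05-01T10:00:30 198.51.100.4 grace OK
2024-05-01T10:01:00 192.0.2.9 heidi OK
"""

def parse(log):
    """Group (time, user, succeeded) events by source IP."""
    events = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, user, outcome = parts
        events[ip].append((datetime.fromisoformat(ts), user, outcome == "OK"))
    return events

def find_stuffing_sources(log):
    """Flag IPs that try many distinct accounts and mostly fail."""
    flagged = {}
    for ip, evs in parse(log).items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than WINDOW.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            failures = sum(1 for _, _, ok in window if not ok)
            if (len(users) >= MIN_DISTINCT_USERS
                    and failures / len(window) >= MIN_FAILURE_RATIO):
                # Logins that succeeded mid-burst likely used a reused password.
                hits = sorted(u for _, u, ok in window if ok)
                flagged[ip] = {"users": len(users), "compromised": hits}
    return flagged
```

A user mistyping their own password (the `grace` lines) is not flagged, because the failures all hit one account; the accounts listed under `compromised` are the ones to force a password reset on.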
Real-world examples
What you’ve just read through are the key building blocks behind most of the hacks we’ve seen in the cyber era. Here are a few real-world examples of famous hacks and how they used these building blocks to succeed.
Robert Tappan Morris and the Morris Worm
Robert Tappan Morris wasn’t what we’d consider a black hat when he launched the Morris Worm virus, but it was still able to cripple the internet (such as it was in 1988).
Morris’ goal with the worm was to measure the size of the internet. He intended to do that by coding a virus that would infect every computer connected to the internet. It spread as an exploit by using known vulnerabilities in popular operating systems at the time, but it also took advantage of what Morris knew about poor security habits – that people rarely change default passwords.
Kevin Mitnick
Kevin Mitnick is a famous hacker who was caught, served time in US federal prison, and is now a cybersecurity consultant who works with both businesses and the government. Fortunately, he has spoken in great detail about his hacks. In US Senate committee testimony, he said the following about his activities:
“…most of my hacking involved the social engineering exploitations. But I think that most of the hacking out there is really the weaknesses that are exploited in the operating systems and the software applications. Because if you go on the internet, you can simply connect to computer sites that basically have scripts of the exploit codes so anybody that has access to a computer and modem can download these exploits and exploit these vulnerabilities that are in the operating systems developed by the software manufacturers.”
Albert Gonzalez
The truest black hat on this list is Albert Gonzalez. He led a team of hackers who used SQL injection, packet sniffing and other exploits to steal more than 170 million sets of credit card numbers and ATM credentials that they then sold to other hackers online. Even after being apprehended and working for the government, he continued to launch hack and scam attacks. He is currently a bit more than halfway through a 20-year prison sentence.
Conclusion
We don’t want you to become a hacker. But hopefully, by understanding how they work, you can develop a stronger understanding of how to stay safe. Knowing is half the battle, but the other half is having the right tools ready.