Welcome back, my greenhorn hackers, and happy New Year!
Now that your heads have recovered from your New Year’s Eve regaling, I’d like to grab your attention for just a moment to preview 2015 here at Null Byte. I hope you will add your comments as to what you would like to see, and I’ll try to honor as many requests as I can.
This year, I will attempt to balance advanced and beginner tutorials. In that way, I hope that those of you who have been faithful readers and contributors here will stay to learn more, and that those of you who are new will have new beginner material and something to work towards. I will continue to expand the Linux series for the novices and work our way through exploit development for the more advanced.
In the last year, Null Byte has grown dramatically! At one time, I could answer all your personal messages. If I did that now, I would never have time to get any work done. I’d like to request that you ask your questions in the comment section of an appropriate article and I, or someone else in our community, will try to help. In that way, everyone gets involved in the diagnostic process and the solutions are available to everyone in our community, rather than just a single person.
Members of our community such as ghost_, CyberHitchhiker, Ciuffy, and others offer significant insights and wisdom into the hacking process. Utilize them; they love the questions and the challenge of helping you solve your hacking problems.
Exploit development will probably be the most important addition to Null Byte in 2015. The idea here is that we will develop our own exploits through numerous steps. I began this new series with an introduction to buffer overflows.
Developing a new exploit requires significant background and knowledge in coding, operating systems, vulnerabilities, memory structures, and more. I will try to impart that knowledge in byte-sized pieces over the course of this year. This should be an exciting new endeavor for Null Byte!
I just published the first article in my series on Python scripting. As Python is the most popular scripting language for hacking, I’ll spend a lot more time with it than I have with the other scripting languages such as Perl, BASH, and PowerShell.
I want to begin a whole new series in 2015 on the multiple ways to execute a denial of service (DoS). Although in many ways this is the simplest type of attack to execute, there are innumerable ways to do it. In addition, we will look at the various methods that are unique to each operating system and application.
So many of you have been asking for Facebook hacking that I am finally going to concede and start a new series on this subject. Expect the first entry in this series within the next week or so.
Last year at this time, I promised a series on mobile hacking, but unfortunately, I never got to it in 2014. I promise you that this year we will start a series on mobile hacking, including Bluetooth. Since Android is the most widely used mobile platform, we will start with it and then progress to iOS as time allows.
Surprisingly, no one has requested articles on hacking VoIP. I’m not sure what to make of that as VoIP is rather easy to hack and is growing dramatically. The possibilities are nearly endless for eavesdropping on conversations for cyber espionage and other things. I will start a series on VoIP hacking in 2015.
I did a single tutorial on using THC Hydra with Tamper Data and it proved wildly popular. We really need to explore this powerful application further to effectively hack the multiple types of online accounts.
I’ll be expanding those tutorials this year, showing you some new exploits and exploring some of Metasploit’s other modules such as post-exploitation and auxiliary modules.
We began with some web app hacking in 2014, including using Nikto and Wikto for recon, using Dirbuster to find directories behind websites, how to clone websites, and how to extract metadata from websites using Foca.
This year we will look at more ways to hack web applications, including using Metasploit, Burp Suite, Paros Proxy, BeEF, and others to do so.
One of my most popular series has been the “Linux Basics for the Aspiring Hacker.” The more you know about Linux, the better hacker you will be, as Linux is really the only hacking platform. In addition, since nearly two-thirds of all web servers run Linux, it is essential to understand this operating system in order to hack those servers.
I will expand this series with tutorials on Linux email clients and servers, Apache, and SQUID, among many others.
I’ve written a number of tutorials on Wi-Fi hacking and they have been among the most popular articles here on Null Byte. I’ll add a few more guides this year including using Airsnarf to harvest Wi-Fi credentials and using a Yagi antenna to crack Wi-Fi access points (APs) miles away.
We looked at the basic principles of SQL injection in 2014 and used sqlmap to hack a simple web-based database. This year we will use more advanced SQL injection tools, such as Havij, that will help us get behind the websites to the database, the hacker’s pot of gold.
I’d like to do a few tutorials on building a rootkit. This is pretty advanced material and I’m not sure how far we can get this year, but I’ll give it a try to give the more advanced hackers here something to look forward to.
I’ve developed a number of tutorials on digital forensics and I hope to expand your knowledge in this area. I believe that digital forensics complements hacking. If you want to be a good (and free) hacker, you had better know what the forensic investigator knows and can do and, if you want to be a forensic investigator, you had better know what the hacker knows and can do.
IDA Pro is an amazing tool that every advanced hacker and forensic analyst should be conversant in. It allows us to disassemble code for forensic analysis or disassemble code to build a better piece of malware. Either way, it is indispensable.
I have a couple of tutorials here on evading AV software. Like everything in our discipline, it is rapidly becoming outdated. As soon as we develop a method to evade the AV, the AV developers find ways to detect it, as the arms race continues.
I’ll be offering some new tools to alter exploits and payloads to evade AV and intrusion detection systems. Ultimately, the way to evade all of these, including law enforcement, is to develop your own exploits, and that will be our key task for 2015.
Sometimes all we want is privacy. Part of my intention and goals here at Null Byte is to help people maintain their privacy from the overarching and overreaching hand of Big Brother. We all know that NSA is watching everything we say and do on the Internet, even the most trivial communication. (You know that pic or text your girlfriend or boyfriend sent you that you like so much? Someone at NSA may be “enjoying” it right now.)
We know from Edward Snowden’s leaked documents what the NSA can crack and what they can’t. (I have to confess here that I do have inside knowledge on this subject as I have trained many at NSA. That’s one of the reasons I must maintain my anonymity.)
I’ll start a series in 2015 on how you can keep your communication private from NSA. I’ll warn you now, it’s not easy.
I find that many newbie hackers are unfamiliar with the Windows registry. They know it exists, but are unfamiliar with what it does and how they can manipulate it as a hacker.
I’ll do a few tutorials giving our community the basics on the Windows registry and how to manipulate it.
Apache is the most widely used web server in the world. Roughly, two out of every three web servers on this planet are using Apache. Although I introduced Apache in the Linux series, I’ll go into greater depth in the inner workings of Apache that will help you understand its weaknesses and vulnerabilities.
I started a series on password cracking to explore the multitude of ways to crack passwords and some of the fundamental concepts of doing the same. I will continue this series with new tools and new technologies in 2015. Two of the areas I would like to cover are using a multi-machine (botnet and others) configuration and GPUs to crack passwords.
I started a new series in 2014 titled “How to Hack a Computer & Spy on Anyone.” This year, I’d like to add a few more tutorials to this series especially on how to spy using a webcam, grabbing screenshots, and keylogging. I’ll also try to do at least one tutorial on hacking phones to gain root and use it as a spying device.
Like any software developer, hackers are reluctant to reinvent the wheel. Why not simply use existing malware and re-engineer it for a new purpose? That’s exactly what most malware is, reverse-engineered and re-purposed software.
We will look at ways to reverse-engineer some malware and then edit it for a new purpose and to get past security devices such as an IDS or a piece of AV software.
I’m excited about what we will be covering in 2015, so stick around and invite your friends and neighbors as we are in for an incredible ride this year!