Hacking for Beginners: From Novice to Ethical Hacker Overnight
Updated: May 17
I’m a complete novice when it comes to penetration testing and/or security research, and I have no technical experience. All I have is an unprecedented desire to break into systems and devices, so why not document my journey on how I do this?
To manage expectations of any proficient pen testers/hackers, this article is a very layman approach towards hacking. Hopefully, as my expertise develop over the coming weeks/months, the level of expertise in these articles will improve significantly.
So, where did this burning desire to break into things come from? A little project called Iotabl.
Having launched our cybersecurity startup, Iotabl, earlier this year, it became quickly apparent that my hacking knowledge was limited. Going into an industry like cybersecurity, there is a ridiculous amount of information to digest over a very short period of time. So, to improve my domain knowledge, and to give me a better handle on what it means to drive the commercial leg of a cybersecurity startup, it was about time I tried my hand at becoming a red-hat.
My journey started as most learning journeys do in this day and age... YouTube. ‘How to hack’ to be specific. This definitely wasn’t going to cut it. I landed on an overwhelming page of technical jargon and 12-hour tutorials on how to ethically hack a system. Not ideal for a beginner, so I decided to scale it back.
My next step was to google ‘commonly used hacking tools’, which (perhaps unsurprisingly to cyber geeks), prompted me to look into Kali Linux. Now, for those who don’t know and are reading this thinking ‘I’m also an amateur, where do I begin?’, Kali Linux has everything you need. Kali Linux is a Debian-derived Linux operating system designed for digital forensics and penetration testing. Essentially, Kali Linux has a wide suite of tools that any security professional would be happy with. So, that’s where I started.
Step 1: Dual Booting Kali Linux with MacOS X.
I’m a Mac user. So, again, as a non-technical person, this was perhaps a lot harder than it should have been to dual boot Kali. Of course, I consulted my tech friends and mentors, all of whom gave me conflicting advice. Not ideal. So, instead of spending too long investigating the different methods, I jumped into these methods head first.
Firstly, partitioning my hard drive to run 2 different operating systems. In theory, this is a very simple process to execute. In practice, it's also quite simple. However, functionally, it was a disaster. My computer was running at a speed of 0 x Windows XP. Back to the drawing board.
Method number 2 - booting Kali onto a removeable disk. Again, extremely straightforward in theory and practice. Again, it runs Kali like a potato. Back to the drawing board again.
Third time lucky? Let’s hope so. My next approach was to download Virtual Box and try to virtualise Kali Linux this way. It worked! After a few tweaks and consultation with my tech friends, I got Kali up and running. Now what?
Step 2: Getting Started
As I’ve already mentioned, Kali Linux comes built in with a whole suite of tools that make it incredibly easy for penetration testers and/or security experts to use. I am not one of these experts. So, my experience was a learning curve to say the least.
Back to Google. I search ‘first steps when pen testing a network using Kali’. The overwhelming response was NMAP, which is an abbreviation for Network Mapping. Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses. NMAP also facilitates the use of the NMAP Scripting Engine (NSE) which is essentially a database of scripts that the user can run with NMAP to perform specific security practices e.g., brute force, cross-site scripting etc.
To use NMAP, the user needs to be aware of the local IP addresses they’re trying to scan. Local IP addresses are typically structured something like 192.168.X.X. To run a scan on the entire network, simply add /24 at the end of the IP.
So, I run a simple network scan with the command:
The output from that command will look something like this for every device that NMAP is able to scan:
PORT STATE SERVICE
80/tcp open http
443/tcp open https
554/tcp open rtsp
8000/tcp open http-alt
8443/tcp open https-alt
This is where it gets interesting.
Step 3: Finding Access
At this stage, the typical practice for a security professional would be to target the open ports as a means of exploiting the device. I don’t know how to do that, so I go back to Google. A port is a virtual point where network connections start and end. Ports are software-based and managed by a computer's operating system. Each port is associated with a specific process or service.
Google tells me that the next stage is to perform a version scan on the devices in question using:
Nmap –A 192.168.0.1/24
This returns a lot of technical jargon, most of which I do not understand. However, one thing that was very clear to me is which IP address is associated with the office cameras. Bingo.
By default, certain ports have to remain open to communicate through various protocols. Ports 80 and 443 are good examples of this. However, port 554, which is the Real Time Streaming Protocol (rtsp), is not supposed to be open by default. RTSP is a network control protocol designed for use in entertainment and communication systems to control streaming media servers e.g., security cameras.
So, given that this port shouldn’t be open, it triggers the assumption that there must be a relatively simple way to run an exploit. Time for the hacker hood to go up. Let’s exploit it.
Step 4: Gaining Access
I head back to Google - ‘how to exploit the rtsp port’. Nothing conclusive that my non-techie brain can understand as quickly as I’d like, so I give the NMAP Scripting Engine a look. NSE has a huge bank of scripts that you can run against a network to test the security. One of these scripts being the rtsp-url-brute. This script allows the user to enumerate RTSP media URLS by testing for common paths on devices such as surveillance IP cameras.
Having found a potential script to use, I run the command:
nmap --script rtsp-url-brute -p 554 192.168.0.5
Again, the output is incredibly complex to understand for my layman brain. However, one line of the output that is crystal clear is the user=admin, password=xxxxxx line. Hardly surprising for an IoT device.
So, the final step of my extremely complex hacking adventure is to enter the username and password to gain access. In the search bar on my browser, I type:
Which brings me to the login screen of the security camera in question. I type in the username and password which I now have access to, and voila... access to the office security cameras.
Now, admittedly this is a very basic exercise in hacking and arguably not complex enough to excite the minds of proficient security researchers/hackers. However, this is my first attempt. As my expertise improve over the coming weeks and months, the complexity of my projects will also improve.
I’ll be documenting my journey every step of the way, so if there are any hackers who see themselves as a good Samaritan and want to support a complete hacking noob in their journey, I’m all ears!
At Iotabl, a community of hackers and security researchers is at the forefront of the business. We’re building a platform to make the industry more inclusive and accessible. If you’re an ethical hacker, security researcher, or IoT hobbyist, sign up for early access to the platform at www.iotabl.com.