Tips on Harnessing the Hacker Mindset

00:01

tips on harnessing the hacker mindset

00:04

are learning objective is to understand the best practices when it comes to harnessing the hacker mindset.

00:10

So enumeration, you will hear that so many times in guides and manuals and everything that oh SCP, everyone will say it's all about enumeration and they're, they're so right and it's so easy to say that right, it's so easy to say just enumerate more

00:25

and and there's a strategy to that and the strategy is to keep doing things labs over and over again. So you understand the infrastructure

00:34

of Lennox and and Windows um

00:38

and maybe they'll throw in an operating system you've never seen before and then you have to think, you know what, what should I do here? Because I've never seen this, this operating system before,

00:48

so that's to say that um enumeration is important. Google is your friend uh just a funny story is I worked with some FBI computer scientists when I was an agent

00:59

and I would say, hey you get a lot of your answers by Googling. You know, you have, you have a Bachelor's in computer science, but you're Googling this. Well it's true, right? I mean if if you've been in this space at any time, you know that googling is your best friend and stack overflow is also a great friend as well,

01:15

but also the community helps each other. I I mean there have been very, very, very few times where people are unwilling to help me. Um and even in the forums, the offset forums, people seem more than willing to help and and they do this really great because

01:32

they don't want to give you the exact answer, they're not going to give you that instruction manual, they're going to give you nudges

01:38

and help you and people, that's how I've made friends on hack the box.

01:42

Um and I still have friends that have had friendships with for years because we've helped each other and it's again it's not like it if you're a hacker and someone gives you the answer it kind of is a gut punch. Like I wanted to figure that out and I think you've been been doing this for long to you know the feeling when you figure something out on your own is so much better than when someone gives you a nudge. Of course it's great when your shell

02:07

it gets there and and you've got a nudge for it. But when you figured out yourself like that feeling is is great.

02:15

Yeah

02:15

so definitely embrace the community because there are so many people out there that want to help you.

02:23

Practice is so important. Um I hate when people say I'm an expert in this uh in I. T. Or pen testing because everything changes right. You know, um servers used to be on premises servers and now we have the cloud and now

02:38

you need to learn the cloud and what if people go from a W S two G C P or is or like,

02:46

you know that the environment is constantly constantly changing. So something that you knew one day could be completely different tomorrow.

02:53

Also, this is probably a very great time to get into pen testing because there are so many websites out there

03:00

like this one that want to train you in how to become a pen tester and a hacker. And it's just when I was interested in this stuff, I think there was one book and the guy wrote under a pseudonym, so it wasn't even very helpful. So getting into this type of work now is great. There's just so many resources out there.

03:22

Okay,

03:23

so there's a different mindset, you know, I, I talked about mindset a little in the last lesson, but

03:28

if you're a bug bounty hunter or web pen tester, uh and do application security,

03:34

um you have to kind of think differently because I remember when I got to the company I'm working in now and I've been doing things like O. S, E. P. And C. T. S. And the objective was always too

03:46

get root on the box. Whereas in the bug bounty world it's, hey, I found this vulnerability in your web app, you know, pay me for it. So if you do bug bounty, you know, the goal now is to get a shell and get, you know, route or system on a box.

04:00

So that's a big tweak that you have to make. Um if you come from the bug bounty world or web web at pen testing is getting into C. T. S. Are different and that's vice versa, Right? If if you get your own SCP and you go into bug bounty or you join, you become a web app. Pen tester. Your mindset has to shift.

04:24

I always love taking classes on the basics. Some people will say I am bored, I've already learned this, I'm taking G pen right now and someone said clinton, are you taking G pen? You have like 20 certifications? I don't have 20 certifications, first of all

04:39

and second of all is I always learn something. I always learn something in sands courses. Even you know basic ones, quote unquote basic ones. Um but I always learn things in sands classes. I always learn things new when I take basic classes and I think the basics are important um to understand

04:56

the basics, the base of your pyramid is just so important. So, you know, it's never, it's never below me too.

05:03

Take a basic course. I want to say. I get bored on some of the modules, but I will say, I always try to come in with an open mind set.

05:14

Yeah.

05:15

So don't go down rabbit holes. You'll hear that as well. Uh, no SCP. It's so easy to go down rabbit holes. And sometimes you do something so complex. You might, you know, set up your own VM and, you know, try to emulate the environment of oh, SCP or create some kind of new code.

05:35

You know, maybe you're just over thinking it.

05:38

That happens to me a lot happens to a lot of people that do This is sometimes the simplest path is the right one. Maybe you just need to put a space here or a period there or you'll see I spelled misspelling wrong. Right? So

05:53

maybe you just misspelled something and that's why it's not working. So always triple check your work and make sure you're doing it correctly or

06:00

change your payload up a little bit because that might be the key to getting that shell.

06:03

Yeah,

06:04

the six hour buffer overflow. Let's just say I was taking a test. I'm not gonna name it because I want to give anything away.

06:10

But it took me six hours to do a buffer overflow because I was overthinking it when all I needed to do was go back and check bad characters

06:18

if you've taken this course, you know that I told you to check for bad characters right over and over again.

06:25

So something that could have taken me an hour took me six times as long because I didn't go back to the basics and check things that were very simple. And I should have seen.

06:34

Yeah.

06:35

So in summary, we should now understand the best practices when it comes to harnessing the hacker mindset.