Open source software security

Madirish Tutorial 01

30 November -0001
After reading the 'Happy Hacker' and having learned a thing or two in the following years I decided to troop back to www.happyhacker.org to check and see if anything new had shown up. It looked like Meinel had published her new book Uberhacker. After skimming the table of contents that she posted online I realized that much of what she discusses is really newbie stuff. So I figured it was a waste of money to pay for the book. After thinking about that for a while I realized it was a waste of money for ANYONE to buy the book. After all, all the information she has in the book is freely available on the internet. Why should anyone shell out money for a book unless they're going to use it as a technical manual or reference guide (Uberhacker looks like neither). So in the spirit of good netiquitte and all I decided to compile what I know on the subjects covered in her book. I'll wager the content will vary a great deal, but the technical information should be the same. I'm surprised the boys over at Attrition.org haven't begun a project like this already given their dubious history with Ms. Meinel, but somebody really should (namely me). So here goes, here's my guide to becoming a hacker. Make that Madirish's Guide to Hacking. You'll get what you pay for out of my guide, but hopefully it will be helpful.

Forward
Nobody ever seems to read the forward in books, and my forward will likely be no different. Given this assumption I will use this area for my own personal rant. If you don't feel like hearing what I have to say, well skip this section. First off, let me make it abundantly clear that hackers are neither pimply 16 year olds who stay up all night and sleep all day, nor are they mysterious super cyber criminals. Hackers are people, like anyone else. The only real defining characteristic among hackers is a desire to learn (computers specifically). Hacking is a lifestyle in a way, to be more precise it is a mindset. I knew I was a hacker when I started to pull apart everything electronic to see how it would work. When I programmed battleship onto my graphing calculator, it was only further evidence. Being a hacker drives me to learn everything and anything about how computers work. This ranges from programming to hardware configuration. From basic networking to advanced database design. All these topics are a hacker's bread and butter.

Hacking is NOT cracking. If you want to learn how to crack systems, good luck. It either takes incredible intelligence or a rare stroke of luck to be able to hack a system. All those 'out of the can' systems the media likes to portray as floating all over the internet that supposedly allow you to crack systems with a point and a click -- they don't exist. So forget whatever myths you may have heard or believed. Cracking a system takes incredible patience and a very good understanding of how networking functions. Yes, there are prewritten scripts out there that you can run to exploit systems. Most of these, however, require a local user account on the system you wish to exploit and getting an account is a hurdle all its own. In addition most of these scripts will require at least a little knowledge of the language they are written in so you can compile them if necessary and run them. If you've never heard of C, Perl, or shell scripting you've got a LONG way to go. I'll try to get you up to speed, but its still going to take a lot of work on your part.

Chapter 1 - Setting up your own computer
I once heard it said that a truly great hacker doesn't need any particular operating system, he can use whatever tools are handy and make the most out of them. I will agree with this completely. You can hack just as well from Windows 95 as you can from FreeBSD. The choice of operating system (especially Linux distribution) is an entirely personal one. I feel that certain operating systems make it easier to hack, and others are a bit more obfuscated. I would recommend any budding hacker to get into Linux (see later), but Windows 95 will work just fine. The problem with Windows 95, 98, and Me is that they are personal operating systems, rather than network operating systems, and will not have many of the tools you will need for network operations. Windows NT and 2000 are the best 'hacker' OS's made my Microsoft because they are designed as network operating systems. That said, they are also more difficult to learn because they are designed for professionals rather than grandmothers at home who only use their computers for AOL and storing their cookie recipes. My personal favorite operating system for hacking is Linux. The reason I favor Linux is because in addition to being a network operating system, most distributions provide (for free) web servers, e-mail servers, programming language compilers, network security and monitoring software and many other packages. The argument that Linux is more difficult to use than Windows is as dead as the dodo these days because so many popular releases include Graphical User Interfaces (GUI's - pronounce 'gooeys') and easy to use installer/uninstallers. For the beginner I would recommend Linux Mandrake or Caldera OpenLinux. Mandrake is a streamlined release of Red Hat which is advantageous since the most copiously written about Linux distribution is Red Hat. You can also install multiple operating systems on your hacking computer if you like (which offers all sorts of versatility) very easily if you are using (to my knowledge) any of the popular Linux releases. I would recommend purchasing a distribution that is packaged with a "How To" or "Learning X Linux" type book. This way you'll have a manual to assist you with install and getting familiar with Linux. O'Rielly publishes a great "Learning Red Hat Linux" that comes with a CD of Red Hat, the most popular Linux distribution. To install dual operating systems you're going to need a lot of room on your hard drive (I would estimate a Gig at least) so make sure you can spare the room. Installing a second operating system SHOULDN'T mess up your original OS, but you can never be sure. Make sure you back up anything critical before installing a new operating system on an existing machine.

If you're not sure what sort of computer to get, rest assured that almost any will do. I have an old Pentium 133 with 56k of ram and a 2 gig hard drive and it works great for pretty much everything I need to do with it. Don't get sucked into the "YOU NEED A 1 GIG PROCESSOR!" marketing hype. The reason for this is because a processor only really handles calculations. Its like the big number cruncher in your computer. RAM (Random Access Memory) is much more important in having a fast computer. RAM handles the stuff your computer has to hold in memory (such as what you just cut out of your word document, or where certain pieces are located on the board in a computer game). These sorts of processes will slow your computer down a lot more noticeably than your processor. If you put a 1 Gig processor in a machine with only 16 megs of RAM it will run slow as shit (if at all) regardless of the processor. I would recommend (these days (early 2001)) at least a 400 Mhz processor (yup, that's right, that's all I think you need) and I'd make sure to grab a Pentium for software compatibility reasons (trust me, it may happen once in a blue moon, but it sucks to have an install interrupted because the software can't run on whatever crappy knock off processor you've gotten to save money). Once you've decided on a processor spend as much money as possible on RAM. I would say you need at LEAST 64 Megs, and 128 Megs would be much better. I have 192 Megs of RAM in my work computer and it smokes. The problem with RAM is that its expensive. You'll be lucky if you can find RAM for only $1 a Meg. Most people are also going to want a computer with a fast download time. Don't listen to the hype that a good processor or RAM will speed up your download time, because IT WON'T. It may speed up display time but that's it. Download is completely dependant on your connection. It used to be that a 56k Modem was great, but dial-ups are becoming obsolete in the United States. In addition most DSL accounts are getting pretty cheap. I would recommend a cable modem or ISDN if you can afford it, after that DSL. Make sure your provider throws in a free modem when you sign up or you could be in for some hefty costs at sign up.

Ok, so once you've decided on an operating system, computer and internet connection you're on your way. If you really want to get a great hacking experience try setting up a home network (this may run into money though so you may want to forgo a LAN). If you think you'd be interested check out the 'Setting up a Home LAN' in the computers section.