The Frugal Hacker: Hacking on a Shoestring Budget

z3roTrust
z3roTrust
Nov 18, 2019 · 12 min read
Image (left) credit

So, you want to learn how to hack or get into the information security field, but you are a little short on personal funds? I get it, trust me when I say I come from humble beginnings. Not to worry, friend. I’ve got you covered. I am a frugal person by nature, which is to say that I don’t like wasting money when I can get something for free or at a discounted price. I draw the line though on certain gross factors, but you can bet if I can find something for free or for less than that’s the option I will usually choose. There are certain instances where it pays dividends, in the long run, to pay the extra money for quality, but with information and computer hardware or software, rest assured there will be an unending litany of new information and products that will appear in the future. You’ve got to be smart with your money and save wherever you can. There is actually a ton of information and tools you can get for free and there are many, many hackers who’ve done a lot with very little resources.

Being frugal pretty much comes with the territory as hackers.

Even once you’ve established yourself within the field and you’ve landed your dream InfoSec job, you may find that your employer isn’t going to cough up the necessary funding you need to start or even maintain an existing cybersecurity program. It’s pathetic after all the examples of what can happen with shoddy cybersecurity, but many companies still consider cybersecurity to be an afterthought and hire a token “cyber” employee just to cover their bases. Often they’ll just double-tap the IT employee with the added responsibility for implementing a strong cybersecurity posture and depending on the size of the organization this may work for a while. Eventually, though, it will become necessary to hire a cybersecurity professional or three. If you belong to an organization like this, you may find that you have to submit justification for any budget expenditures for the next fiscal year because the organization doesn’t have a budget for cybersecurity.

Hacking Tools

Here’s a basic list of free resources and tools you can use to learn or even start a career in infosec. There’s a lot more available than just this, but this isn’t meant to be an exhaustive list. It’s just enough to whet your appetite.

If you’re running a Windows box (i.e., another name for a computer), download VirtualBox to be able to run Virtual Machines (VM) such as the famed Kali Linux or BlackArch Linux distros. Linux is the language of hackers, period. If you’re serious about learning how to hack, you should make an effort to learn Linux. I recommend that you just start tinkering around with one of these Linux Operating Systems (OS) and become familiar with the many different applications included within. Simply Googling a particular tool will point you to tutorials and write-ups on how to use them most effectively or in a particular type of hack. Remember though, there is usually a lot of information tucked into ReadMe files when you install applications and built-in tutorials like you might find in an MS Office application. Or, just type “help” at the command prompt.

Kali Linux run as VM via VirtualBox

Nmap is king as far as free port scanners go. Download it and play around with this tool. There are so many different types of scans you can do and flags you can set. Hey! We’re coming up to Christmas soon so try some Christmas Tree scans! Take Google, for example, Google’s Domain Name Service (DNS) resolves to 172.217.11.164. Plug that IP address into Nmap and set what you get.

Regular Nmap scan of Google’s IP address

Shodan is another fun website you can test out. It’s amazing to see just how many devices are connected to the Internet that are unpatched against published vulnerabilities. You can still get to some juicy stuff without being a paying member, who knows for how much longer though... Sometimes you can find some decent unprotected IP addresses that are vulnerable to certain types of exploits.

“Yes Alex, mmmm I’ll try Cams for Free- Admin/Admin coming right up”

Oh have a look here, merely logging onto one of these cameras (I won’t say which) with the default “admin/admin” credentials yielded usernames and passwords that are listed in plaintext. Interesting… If I weren’t an ethical hacker, I might do something with these credentials. As it is, this is a camera listed as default credentials on Shodan which means hundreds if not thousands of other hackers have already looked at it. Move along…

Snapshot of a Shodan “admin/admin” camera — This is why you never use default usernames & passwords!!

Hack-The-Box (HTB) is another useful resource that allows hackers to practice their skills in a safe environment. It should go without saying hacking real targets could land you in prison, so best not to go that route.

Hack This Site is another free practice site, there are others as well but I just want to give you a couple to start off with.

HackerOne is a good place to cut your teeth if you’re interested in the Bug Bounty game. You can earn money to find vulnerabilities in websites and it is all done legally, HackerOne has graciously played the middle man for you as the hacker. The best part about this site is that you can actually earn a nice chunk of money as you hone your skills if you’ve got what it takes.

HackerOne is a great place for Bug Bounty hunters

Beginner-Level IT Security Certifications

Many seasoned InfoSec workers often get asked by n00bs (newbie’s) how they can break into the industry or where to go for a particular type of information. I think one of the best certifications you can start off in your career is CompTIA’s Security+ce certification. It’s hard to go wrong with this cert, but it will require some work on your part to learn the material. If the study material seems too daunting for you to tackle then I suggest going back and tackling some basic IT foundational courses on networking and basic IT security concepts. CompTIA also offers other entry-level certifications such as A+ and Network+ if you’re brand new to the IT field they may be useful for you to break into IT and then you can re-attack entering the InfoSec later on. Many folks who’ve worked in IT as Help Desk technicians or system administrators have moved into the InfoSec field after they’ve developed a foundational understanding of how IT and IT security work.

CompTIA’s Security+ce certification
CompTIA’s Security+ce Exam Details

To prepare for such an exam, I and many others have also recommended using free resources available on sites such as Cybrary.it. I used Cybrary’s Kelly Handerhan CISSP course videos to help prepare myself for the daunting 6-hour, 250 questions ISC² Certified Information Systems Security Professional (CISSP) certification back before they switched to the newer adaptive exam version which is now a 3-hour, 125 question exam. I passed on the first attempt, but I believe that is owed to my work ethic and the fact that I studied intensely for about a year before I attempted the exam and I had at that time many years of experience in InfoSec under my belt. The CISSP requires a minimum of 5 years of experience in at least two of the domains of the ISC² Common Body of Knowledge (CBK), or 4 years with a 4-year degree. Successful completion of the CISSP exam is only part of the certification process, another CISSP certification holder must endorse the new candidate and fees must be paid before the conferral of the certification is bestowed.

Cybrary.it Catalog Menu is a very useful information resource for any practitioner level

Attaining the CISSP certification is a much more involved process and that is why you should not start out in your quest to break into the InfoSec field aiming for the CISSP certification, you should start low and small, and chunk it up so that over time you can accomplish what you want to. With the CISSP, however, many more doors to jobs will open for you. Because employers have set these two certifications as a minimum standard for many jobs in the InfoSec industry across all job sectors, they’ve become targets of criticism by seasoned InfoSec professionals and for good reason. Listen, just because you passed a certification exam at one time in your life doesn’t make you an expert in this field. That’s why there are continuing professional education (CPE) requirements to maintain these certifications. Stay humble and keep learning, there’s so much more out there.

ISC².org certifications are highly respected & valued in the industry

Certification bodies push their agendas to employers like the government who set employment requirements and then you end up with certifications that have become de facto gatekeepers keeping many otherwise worthy, knowledgeable, skilled professionals out of a job. So, certifications are a double-edged sword. I posit that they are necessary to ensure a foundational level of knowledge, but many folks don’t put too much stock in them for the reasons I’ve previously mentioned. There will always be those in the industry who are what I call unicorns, no, not that type of startup company unicorns that managed to become wildly successful, but those working in the industry who are fundamentally against certifications and college degrees holding that they are both a waste of time and money. Good luck to those who attempt to go this route because though they may be correct if someone is skilled and experienced enough to not need them, those people are very rare and most employers require them on principle to demonstrate basic mastery of knowledge and skills or for contractual reasons like government contracts.


Become a Code Monkey

credit

You don’t have to be a fricking genius to program computers. I’m not saying anyone can do it either, though. It takes a special kind of person who is able to think logically, in terms of how computers read code that makes them perform certain functions. Understanding how programming works is a major advantage in the InfoSec industry, but it’s not a requirement either for many InfoSec jobs. So, if coding is not your thing then don’t be discouraged. There are plenty of other jobs you can do besides reverse engineer malware.

python.org

Thankfully, you can learn how to code for very cheap. Python is free, open-source software (FOSS) that you can download off the Internet. You can learn how to code by reading books or taking inexpensive courses online on sites such as Udemy (snapshot below- left image) or one of the many other sites like Udemy (snapshot below- right image).

Udemy.com offers a plethora of IT training courses that won’t break the bank (left); Top 10 websites like Udemy for eLearning (right)

Python is a popular language to learn, but there are several other languages that are also useful such as C, C++, JavaScript, PHP, Ruby, and SQL.


Plenty of Free Information to Read in this Space

Quite frankly, there’s more information to read than you could possibly imagine that is related to information security and hacking. So, many people including myself, have written very useful write-ups and blogs that you can read for next to nothing or totally for free. I post on Medium.com which I believe only allows for 3 free articles to be read by non-members before they block your IP, but if you’ve got a VPN you can just switch your VPN location and use a different IP address to get around that. Either that or just pay the $5/month to get access to tons of great articles which I think is the wiser option. Sometimes, we writers will also give out friend links to our published works that allow for free access to the article for non-members to read.

OccupytheWeb, or <@three_cube> is his Twitter handle has a wealth of knowledge and information that you can use to get as technical as you want. If you’ve decided you want to break into this field, I highly recommend checking out his material.

There are also excellent resources like Peerlyst.com that host volumes of incredibly useful information about information security, hacking, digital forensics, and much, much more. It’s worth a look and it costs nothing to sign up for an account. As a bonus, there are a lot of great folks to network with and learn from in the Peerlyst community.

Peerlyst.com

eBooks are another excellent tool for the beginning InfoSec professional. There are literally thousands to choose from, so I suggest that you narrow your focus to one or two areas that interest you the most and delve into the knowledge. Check out these links which offer a lot of free IT eBooks but ensure you virus scan whatever you download before opening the file.


Save the [InfoSec] Drama for Your Mama

Kenan Thompson of Saturday Night Live (SNL); credit

Last but not least, if you’re active on Twitter, there’s a sizeable InfoSec community that occasionally gets into some important yet highly dramatic debates that play out over social media. I am not active on Facebook (because I hate FB) or Reddit, but there are other forums and social networking sites like Slack (communication tool) that InfoSec pro’s collaborating on share information. I’d caution you against throwing your hat into the ring whenever there’s trending drama tweet going around for a couple of reasons. 1) If you’re a n00b and haven’t worked in the industry (or even if you’re an old hat), it’s best to exercise you’re right to remain quiet. Just sit back, heat up some popcorn, and watch the fireworks. You can thank yourself later, it’s best to stay out of the drama if it doesn’t involve you directly. 2) Some folks hold grudges, imagine that! I know, they’re human just like the rest of us. They might even sit on a hiring team or serve as the hiring manager for a company that you’ve applied to. It’s best not to taint those waters ahead of time if you follow what I am saying and maintain a low profile.

There’s nothing wrong with asking people questions or for career advice, don’t be intimidated by large follower counts. Heck, I’ve seen people DM resumes to InfoSec pros to get their advice. It happens quite often. Just don’t expect your questions to always be answered, because some people are super busy, get tons of DMs, or are just dicks and won’t respond because they consider themselves above that (let’s hope it’s not the latter). Forget them, just do your thing and don’t involve yourself in their drama. Find a mentor, someone nice that you aren’t intimidated by that you can ask career advice of. This will help you out quite a bit and give a sounding board to ask questions and get advice in a safe way. It’s a win-win situation because chances are the mentor will get something out of giving back to the community as well.

This is the Part Where I Bid You All Adieu

I hope that this short compilation of free resource information will be enough to pique your interest and that you’ll be able to better decide if a career in InfoSec (a.k.a., cybersecurity) is something you are interested in. Try not to ever let money stand in the way of your life ambitions. I’ll leave you with a couple of links to other potentially useful information. Happy hacking!

z3roTrust

Written by

z3roTrust

1-part infosec engineer, 2-parts independent PrivSec researcher/writer, 3-scoops of cyberpunk hacker/tinkerer & a big cup o’ dystopian Marine curmudgeon coffee.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade