This had been a long gig, with many long nights just crawling through logs, or reconnaissance data but as I sipped from my cold cup of coffee, it clicked. I had access. Finally, all my effort paid off. I spent what seemed to be endless days trying to worm my way into my targets systems. There were days I wanted to just bang my head on the table from the frustration of it, I needed to get in, and failure was not an option.
I started by foot-printing my target so that I knew as much as I could about them. I even set up social media accounts and scrapped all the information I could to generate a list of accounts and passwords that might get me on to their network. I needed to know everything about anyone who worked for the company, how many children or pets they had, their names and ages. What they like to do, what they like, even what they eat.
With my new-found knowledge I poked and prodded the organisation's protections trying to find my way in, that crack in the armour that would be their downfall, but I couldn’t find any. I had to be careful not to do something that would alert them of my approach, soft touches so the firewall or IDS wouldn’t see me as a threat and alert the IT team that the defences were being tested. If they caught me it was all over.
Every touch I made left a trace. Yes, I cloaked my systems with several layers of anonymisation, but one mistake could be enough to get me caught. I was getting closer, I could feel it. Just another couple of hours and I would have the access I needed to own my targets systems. They would be mine.
In the end, it was social engineering that got me access. I had sent phishing emails to all the staff to try and get one of them to click on my link and allow me onto their system. I had to refine my efforts and sent four different versions to different targets, Specific employees who I thought would be my way in for one reason or another, sometimes just a hunch on someone that I get from their social is enough to put a target on their back.
The victim that got me in, was chosen because they would give me the access I needed and allow me to work unabated. Their social media had told me they were leaving in two days and would be out of the office for two weeks why they were in Bali, soaking up the sun. Perfect target for me to work my magic. I sent them a nicely crafted email from the IT department asking them to reset their password due to suspicious activity on their account via my conveniently added link that would take them to the reset page, once they gave me the details it redirected them to a "failed to change" page and asked them to press ctrl-alt-delete on their systems and click the reset password option then re-enter the new password info to ensure that it takes effect.
Password changed, they gave me a copy before they actually changed it and they think everything is now all safe (they were wrong). Now I could have gone crazy and accessed the systems right then and there but that would have given me away. I waited until they went on leave (they told me for certain via their social pages – People share way too much on there).
I was in the network and no one was any wiser, I had valid credentials and there were no red flags being raised. IT probably didn’t even know the user was on leave, so why would they even look at the account access twice. I dug through the systems and took notes on what I found for future reference. I had access to everything, once past the outer wall protections nothing had been implemented to restrict my access. A mistake on their behalf.
Now it was time for the boring part, writing my report on what had occurred and outlining the weaknesses that had led to me gaining access to their systems. Yes, you have probably now guessed it I am a Pentester. I had been paid to break into the organisation's systems in secret, to break what is not supposed to be able to be broken. To then help them fix what I was able to break in the first place. In some people's eyes that would make me a hacker. Which I guess in a way it does but in today's society the word hacker has been made out to be a hooded figure hunched over a keyboard with some weird matrix code running down the screen while they steal all your secrets or drain the money from your bank accounts...
That is not what a hacker is, hackers are normal people who in most cases are the ones who are actually defending your networks, not cybercriminals who are the ones that have been wrongly defined as hackers for too many years now. Now to be clear, even the malicious actors and cybercriminals or even the state-sponsored hackers don't hang around in dark rooms with dark hoodies on while hacking your systems (okay, so there is a slim chance that one or two might do this but very unlikely).
Walk through any public place and you will probably see a hacker. Maybe on your way to work on the bus or train, in the car that was stopped at the lights next to you when you turned into your suburb or dropping off your kids at school. We are everywhere. Now let’s clear something up, I am a hacker and I barely ever wear a dark hoodie or hang out in dark rooms unless I am watching the latest movie at a cinema or sleeping (something we all need to do occasionally).
So how about we all start thinking a little different about who or what makes a hacker. Secondly let's start calling cyber criminals exactly that cybercriminals, not hackers. Yes, I know it's not as dramatic or sexy as calling them all hackers and yes, I know the media has already made everyone believe that stereotype hacker in a hoodie scenario but let’s do one thing to make our society better and tell the world we are hackers and remove the stigma that comes with the name.
Apologies for going all Hollywood at the start of this article but I thought it would be the best way to draw readers in and maybe drive home the message, I AM A HACKER (not necessarily a very good one but I am) and that’s okay, I am one of the good guys. I would love it if the worlds security folk stood up and said it for all to see that we are hackers and we are here to help, not all of us are bad guys you need to fear. You have probably even met some of us and didn’t think twice about it. We may even be your neighbour or a part of your family. We are not the bad guys.
Hacker is just a name, don’t judge to fast.