Most upvoted comment
ELI5: How do hackers … hack?(r/explainlikeimfive)
Edit: Because of how popular this is getting I wanted to make a couple of points clear. First, I am not nor will I ever claim to be a hacker or even a script kiddie. I’m just a first year computer science student and these are the best examples I could come up with on short notice.None of it is real. Second, Yes I know a lot of this is outdated. It was written to be an example of how hacking works, not a technical manual. Third, I know that hacking doesn’t explicitly, or even implicitly, mean breaking into a system. A hacker is more like someone who isn’t satisfied until he learns exactly how a certain technology or system works and is constantly trying to learn more. Finally thanks for the Karma and I hope reddit enjoys my explanation.
Edit: Where I learned the little I know – [Exam cram] (www.amazon.com/CompTIA-220-801-220-802-Exam-Cram/d…) – www.enigmagroup.org/
That is a very complicated question but, I’ll see if I can hit some of the basics for you.
First you need to know what hacking is
- Hacking is using or accessing a technology in a way that is contrary to the intentions of, or permissions given by, the owner, operator, or creator of said technology.
So in layman’s terms, Hacking is using flaws in technology to gain access to, or change, information on a computer system.What are these “flaws”? Well, that is when it starts to get complicated. Just know that these flaws can usually be narrowed down to three categories: human, hardware, and software. I’ll try to give a decent example of each.
Human: One of the easiest things to protect yourself from, and one of the most common techniques, is tricking people into giving you access to their systems. This can easily be done on people who have a limited understanding of computer security or people who don’t practice proper security measures. This kind of hacking is commonly referred to as “social engineering”. It is also the kind most often used by famous computer hacker and security expert Kevin Mitnick. If you want to know more about the life of a hacker then google him and read his books.
Now an example, Let’s say I work for company XYZ and my manager is Mr Man. Well, Mr Man is a douche and I am planning on quitting soon but, before I leave I want to get some revenge on him by hacking his account. So here is what I do. I wait till Mr Man leaves for lunch then sneak into his office and get on his computer. I could access his account from my computer but the tech department would be able to see where I logged in from and realize that it wasn’t logged in from his office computer. They would soon know something is wrong, and I don’t want to get caught. So, there I am at his computer when suddenly my luck runs out, Mr Man had logged out and I don’t know his password to get back in! That’s when I remember, the new IT guy started today and they always make the new guys deal with simple or common problems at first. Since this is a new guy I am confident that he won’t know best security practices and, I’m certain I can trick him into getting me logged in. So I call the company tech department and say that I forgot my password and can’t login. I’m in luck, they hand the phone to some guy and he sounds very nervous. This has to be him, I’m sure of it. So, I tell him that I’m Mr Man and that I seem to have forgotten my password. He is about to ask me what I assume would be a security question when I yell “Shit, It’s almost 3:00. Listen man, I have a very important client that will be here in a matter of minutes and I NEED to get back on my computer. I don’t have time for the normal speel. Just get me a new password and let me get back to work or I swear you will lose your job faster than I can say ‘you’re fired’, you understand me?” Now a normal worker wouldn’t fall for this but this guy was new and got scared. He fell for my act completely. Now with the new password in hand, I login to his account and get to work. Let’s see… deleting all his documents? Sounds like fun! Download gay porn? Why not! After, a few minutes of this I leave and get back to my station. Now, because they don’t have cameras inside they have no way to pin it on me and I quit work the next day and get away free. Mission accomplished!
Hacking lesson – 1) Normal people are ignorant of computer security, take advantage of them.
Hardware:
I want access to somebody’s documents on their computer. If I had another computer I could use, I would simply remove the hard drive from this computer and connect it as a secondary drive on mine. I don’t though, so instead I have to use my trusty flashdrive with a boot-able version of linux installed on it. However in order to use that I have to change the boot order, which is determined by the bios. I restart their computer and enter the bios setup… or try to anyways. It turns out that they have a password on their bios.Now what? Because of my knowledge of computer hardware, I know that the bios password is saved on the motherboard in the cmos, which has volatile memory. This means that if the cmos loses power, everything resets back to its default state and all passwords and other information (like time, date and boot order) are lost. So I simply open up the computer, find the lithium battery that powers the cmos and remove it. After waiting a minute to insure all the data is lost I put the battery back in and close up the computer. Turning on the computer, I try to enter the bios again. Success! It is no longer password protected. I then go into the section where you determine the boot order and change it so that the usb ports boot before the hardrive. Now I restart the computer again and wait. It worked! The linux login screen is now showing. I login to my account on the flashdrive and get to work. From the linux operating system I can access the info on the other hard drive. So, I grab all the files I want and copy them to my flash drive. I then log out, restart the computer and change the boot order back to normal. If somebody enters the bios they will know something happened when it doesn’t ask for a password but, let’s be honest. How often do normal people enter the bios on their computers? Mission accomplished!
Hacking lesson – 2) Software security is useless without hardware security. Lock that shit up!
Software:
Software is much more complicated to explain. If you want know more about this start googling “sql injection”, “Javascript Injection”, “DDOS”, “bruteforce hacking”, “URL Manipulation” and any other term you come across while doing so. Just realize, these concepts maybe be hard to understand if you don’t have a basic understanding of programming or how the internet works. I’ll try to give a brief example though.
I was playing an MMO the other day and was just about to finish defeating a boss character when some asshole came by and stole my kill. Now, were it a normal monster I would just shrug it off and move on but, I had been trying to defeat this monster forever and was just about to win. I was pissed! So before the guy leaves, I pretend to thank him because “I was about to die”. I then friend him so I can keep track of when he is online and remember his username. Later that day I get back on the game and check to see if he is on. He’s not! I logout of my character and type his username in to the login screen. Using some online bruteforce hacking tools and a little coding of my own I put together a program that continuously tries to login to his account changing the password every time it fails. This program will cycle through all the upper case and lower case letters and all numbers, hitting every combination possible until it succeeds. With people who have long passwords or passwords with special characters this could take a long time, maybe even years. However most people don’t use complicated passwords, especially on online games. If this website followed good security practices they would limit the amount of login attempts possible from a certain IP address in a certain period of time or lock an account with to many incorrect login attempts. Unfortunately the creators of this game did no such thing. I head to the kitchen to fix myself some french bread pizza and wait. In a little over an hour I hear a beeping noise, the sound I programmed it to make when it succeeded. I head back to my computer and there it is. I’m logged in to his account! First things first, I open up another tab in my browser and log in to my account on the game. I then trade all of his best items over to my character, along with all his gold and anything else that looks useful. I could have deleted his character but I decided that him seeing the character without all of the items and money he had collected would be much more entertaining. Finishing up, I log out and continue on about my day with a smile on my face. Mission accomplished!
Hacking lesson – 3) Read this
TL;DR- They take advantage of stupid people, bad security and their own knowledge of computers and programming.
Edit: fixed a few grammatical errors