[Nulled] » Programming » Ethical hacking
February 24 2022

Ethical hacking

coder 24-02-2022, 12:09 Programming»,Hacking 337

Ethical hacking: how to hack systems and at the same time earn legally

Who is a hacker? Most people who are far from programming are a malicious criminal who breaks into the security systems of banks to steal money. Something like Hugh Jackman's character from the movie "Password is a Swordfish", who breaks the Vernam cipher to steal $9.5 billion from the government fund. Here we will focus on the legal side of hacking, and if your ideas are inspired by films, we have prepared for you a detailed overview of the profession of a cybersecurity specialist.


You can be a hacker legally. Legal hackers are called pentesters, or "ethical hackers". That's just you need to know well what you can do while testing the system for penetration, and what you can't. Otherwise, you can get very real problems with the law. Most recently, we launched the course "Ethical Hacker", and in this article we will talk about how to engage in hacking, earn good money from it and at the same time not have problems with the law. Go.

Pentester: Differences from hacker

A pentester is a hacker who works completely legally and within the law. The essence of his work is the search for vulnerabilities in security systems.
But there are some serious differences:

The developers are aware of the actions of the pentester. All actions to search for vulnerabilities are carried out either under a special agreement or with the help of Bug Bounty programs. We'll talk about them a little later.
The pentester is only looking for vulnerabilities, and is not going to use them. There is a subtle point here. To detect a hole in the data storage system — everything is OK with this. But trying to download confidential data by testing this hole is already a deadline. The pentester should point out the hole to the developers and point out the possibility of how to use it, but not try to do it yourself.
The earnings of a pentester are completely white. Bug Bounty payments or contract payments are absolutely legal. So you don't have to be afraid of visits from the tax service.

In fact, a pentester is distinguished from a hacker by a set of rules that he is guided by.

The pentester works exclusively under Bug Bounty programs or after signing a contract with the company. Due to the fact that the process of pentesting itself is associated with hacking protection, the procedure is very formalized.


Bug Bounty: how to participate correctly

Most large companies run Bug Bounty - special programs in which software or website developers offer rewards for vulnerabilities found. It is more profitable for companies to pay for the errors found than to deal with the consequences that exploits and vulnerabilities can lead to.

Most of these programs are hosted on HackerOne and BugCrowd websites. 

For example, here are the Bug Bounty programs from Google API, Nginx, PayPal, GitHub, Valve. The average premium for each bug found in these programs is $ 1,000. There are a huge number of smaller companies that offer $50-100 per mistake. 

Even the Pentagon launched Bug Bounty! It's just a dream for a hacker to hack the Pentagon's security system, and even get money for it from the US government. 

But even the published Bug Bounty does not mean that you can break and look for holes anywhere. In the description of the program, the owners prescribe which vulnerabilities will be considered. 

For example, Uber gives a very detailed explanation of what is included in their Bug Bounty program and what is not.

The company wants to find vulnerabilities in data access and storage systems, phishing opportunities, payments and invoices, unauthorized actions on the part of the user and company employees. But the program does not include general application bugs, fraud reports, bugs in working with social networks and email newsletters. 

However, their sense of humor is fine. Because among the unpaid actions there are the following:

Entering the Uber offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted

Enter the Uber office, scattering chips everywhere, releasing a bunch of hungry raccoons and seizing an empty terminal or workplace while employees are confused.

The more detailed Bug bounty is described, the easier it is for the pentester to understand what can be "tried by the tooth" and what should not be done.

At the same time, there are general rules that cannot be violated. For example, if vulnerabilities are detected in user databases, you should not try to download any personal data. Even with participation in the program, this may be regarded as a violation of the law. Because here the rights of users are violated, to which Bug bounty has nothing to do.

Therefore, there are several possibilities for a pentester:

Join one of such large companies. The main plus is a stable salary and the absence of even hypothetical problems with the law. But at the same time, it will not work to earn a lot of money, as many pentesters strive to do. 
Open an individual entrepreneur or work under a contract. The main plus is that the specialist sets the price himself. But at the same time, you will have to work closely with lawyers within the framework of labor relations in order to insure yourself from the legal side. And competitors are not asleep.
Work exclusively on Bug Bounty. The main plus is the freedom of the schedule and the opportunity to earn a lot. But there is always a risk that a specialist simply will not be paid for detecting a bug. However, no one forbids working under a contract, and in Bug Bounty programs.

It's easy to participate in Bug Bounty. After all, in fact, the message about the start of the program is an open offer that any user can accept. You can start working immediately — no additional consent is required for your participation. 

To protect yourself from dishonest companies, we recommend working through the HackerOne and BugCrowd sites. Just register and submit applications with detected bugs through them. 

The only rule is to read the description of the program in great detail. If a company writes that it pays for database vulnerabilities, then you need to look only there. Even if you find a bug somewhere else, they won't pay for it. On the contrary, problems may begin. 

Wesley Weinberg found one of the most serious gaps in the protection of Instagram in 2015. During the pentesting, he discovered a Ruby vulnerability that allowed him to start remote playback of arbitrary code. 

This allowed him to read configuration files that contained PostgreSQL database accesses. Facebook Instagram and 60 employee accounts were there. According to Weinberg, it was not difficult to crack them — most of the passwords were extremely weak - like "password" or "instagram".    

Then he got access to several Amazon Web Services keys, which were associated with 82 S3 buckets. And in these buckets there was a real treasure for a hacker: Instagram source codes, SSL certificates, API keys, email server data, signature keys for iOS and Android applications. We can say that the pentester has received full access to all the secret materials of Instagram. 

He honestly reported this finding to Facebook representatives. He was actually paid $2,500 for one bug. But he also received charges of unauthorized access to employee accounts, a ban on the Bug bounty program from Facebook and a threat of criminal prosecution. Although no criminal case was initiated, Pentester's nerves were pretty battered.


So following the prescribed Bug bounty points is just a must. Otherwise, you can get not a bonus, but an accusation.

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

Comments:

This publication has no comments yet. You can be the first!

Information the publication:

  • Author of the publication: coder
  • Date of publication: 24 February 2022 12:09
  • Publication category(s): Programming»,Hacking
  • Number of views of the publication: 337
  • Number of comments to the publication: 0

Related News

24 February 2022
Programming»,Hacking
How to become a hacker

So let's start with me (sorry for my vanity).This is a translation of a very interesting foreign article.About the

Read more
24 February 2022
Programming»,Hacking
How to become a hacker:

Hacking is the search for vulnerabilities in a network or computer in order to gain access. Becoming a hacker is

Read more
11 February 2022
Cryptocurrency Blogs»,Bitcoin Blog
How Blockchain

"Chancellor on brink of second bailout for banks”" this message was written in the first block of

Read more
19 February 2022
Cryptocurrency Blogs»,Altcoins Blog
Legal Notes Prove that

Two Ripple legal briefs are now available to the public. The defense attorney, former federal prosecutor James K.

Read more
19 February 2022
Cryptocurrency Blogs»,Bitcoin Blog
The FBI is launching a

The FBI Is Launching a "Virtual Asset Exploitation Unit" with a Specialized Team of Cryptography Experts

Read more

Information

Users of 🆅🅸🆂🅸🆃🅾🆁 are not allowed to comment this publication.

Site Search

Site Menu


☑ Websites Scripts

Calendar

«    December 2024    »
MonTueWedThuFriSatSun
 1
2345678
9101112131415
16171819202122
23242526272829
3031 

Advertisement

Survey on the website

Evaluate the work of the site
 

Statistics

  • +6 Total articles 6749
  • +16 Comments 4218
  • +23 Users : 6011