Testing Your l337 h4x0r skillz Safely and Legally
by Br@d
O.K., so you are a 1337 h4x0r, or you at least think that you are, but how do you test your ability?
Sure, you could use Shodan to find exposed targets to hack, but that is not really safe nor legal, not to mention there are enough jerks already out there doing this and giving hackers a bad name.
So if you are looking for the thrill of the hunt and want that euphoric high that only gaining root can provide, what can you do?
The good news is that there are many safe havens available.
You are probably aware of the term CTF or Capture the Flag, and have seen or hear of the groups of highly skilled hackers taking part in CTF competitions online or at conferences like DEFCON, but do you really know what it is? CTFs tend to come in two main flavors: Jeopardy and Attack and Defense (Red versus Blue).
Jeopardy, which is much like the TV game show, is comprised of categories (Forensic, Sysadmin, Reverse-Engineering, Crypto, etc.) and, as you progress though the challenges in each category, their degree of difficulty increases.
Attack and Defense, on the other hand, pits you directly against another team. In this CTF-style of competition, each team is presented with a network/host that contains multiple vulnerabilities. The teams are then given a predetermined period to find and patch their weaknesses (Blue Team). Once the time has expired to set up defenses, the CTF then transitions to the offense phase where the teams start attacking their opponents' network, exploiting vulnerabilities that they might have missed (Red Team).
If you want the same challenges of a CTF without the direct competition, or you just prefer to go the lone wolf route, there are options for you too.
A quick (insert your favorite search engine) search of either "hacking CTF" or "hacking wargames" will return many free sites that have safe, legal CTF-style networks/systems and challenges for you to hone your skills on.
Here are a few of the noteworthy results that you will come across (at the time of writing this article):
ringzer0team.com - This was my first encounter with a CTF site and I was introduced to it via my local security group meetups. Ring Zero has over 270 challenges spanning 13 categories. This CTF is ideal for a team, as the categories are diverse enough that very few humans should/can complete every challenge solo. There is also enough low-hanging fruit to not crush the spirits of the novice while still presenting many challenges to the experienced hacker.
www.hackthebox.eu - Hack the Box is another site, but this one is not for the noobs, since the very first task is to hack the invite system to gain access to the actual site.
If you are a noob (and I consider myself to be), fear not. There are some great sites for beginners too.
overthewire.org - The very first wargame called "Bandit" is the perfect place to start. The challenges here get you further by searching and filtering information on a Linux system. Each level is only a small increase in difficulty than the previous, giving you both valuable knowledge and a sense of accomplishment too.
Remember, as you go through these challenges, many of them are designed to test an experienced hacker. You will win some and lose many.
Don't give up or get frustrated; the whole idea of these sites is to test and challenge you. If you do hit a road block, that means you are about to learn something new.
Happy hacking!