I receive a lot of messages from people who are just starting out on their hacking journey. One of the most common questions that gets asked is “what prerequisite knowledge is required to start learning hacking?”. This question comes in many forms, but a few examples are below:
- Do I need to know how to code before I start hacking?
- Should I do OSCP or CCNA?
- Do I need to learn Linux or can I hack from Windows?
- Do I need to learn networking before I start hacking?
The answer is not so straightforward.
I remember my first “hack”. I figured out that I could use “File -> Save As” in my web browser to download a web page, edit it in notepad.exe, then open the edited local version. I did this on google.com and legitimately thought that I had hacked Google’s homepage.
It’s funny looking back but also understandable. At that time my perception of the Internet was more equivalent to my understanding of a dictionary. I would enter a few words in the browser address bar and it would give me a web page with information. Also it made weird noises and stopped our home phone from working (I’m talking about dialup modems, for those of you who were born this millennium).
I later learned why the “hack” didn’t change the actual Google homepage, of course, it was because when someone enters “google.com” into their browser address bar it retrieves the page from Google’s servers, not my computer.
Reflecting on this now, I know that the prerequisite knowledge to get to this point of understanding is actually quite significant.
To understand why this wasn’t hacking, my knowledge of the Internet needed to expand to include the idea that this document was being retrieved from a remote source that I can’t edit. That brings us to the level of understanding that I think most people have of the Internet now.
We’re talking about hacking here though. We aren’t just using the Internet normally, so we could add a bit more depth to the knowledge by asking questions such as:
- What exactly is that remote source?
- What’s the process of retrieving that source?
To understand the process at this level requires a whole other level of knowledge, including concepts like web applications, web servers, HTTP, SSL, TCP/IP and DNS.
How much of this do we actually need to know as hackers?
Considerations
First, let’s start with some things to consider.
- You will never know everything.
- We can’t be expected to know everything before we start hacking, because we will never start.
- What is considered to be “foundational knowledge” will change depending on who you ask.
- What are you hacking? Your sphere of knowledge will need to be drastically different if you’re hacking web apps vs. IoT fridges vs. compiled binaries.
Know it Exists
When hacking, the most important thing is to know that the thing you’re hacking actually exists. For example, if I want to start hacking a web application it’s good to know that web frameworks exist. Without that knowledge I might not know to enumerate the framework that is being used which opens up a whole new attack surface.
That’s not to say that I need to have an in-depth knowledge of every framework in existence. It just means I need to know about frameworks as a concept. For this reason I think it is usually better to begin with broad shallow knowledge of everything and explore different topics more deeply as you encounter them.
Once I figure out which specific framework is in use I can research that framework in more depth in order to gain a deeper understanding of the application while I’m hacking it. This brings me to the next concept, Just-In-Time Learning.
Just-In-Time (JIT) Learning
JIT learning is an approach to education where you learn new skills or concepts as the need arises to know them. A great example of this is when I started exploiting Route53 DNS takeovers. I knew these were possible but at the time there weren’t really any guides on exactly how to exploit them so I had to figure it out myself. Prior to diving into this I had a limited understanding of how DNS actually worked. My mental model of DNS was roughly equivalent to:
- DNS translates hostnames into IP addresses
- In order to get an IP address, you send the hostname to a DNS server and it sends back the IP address
I’d never had to set up my own custom DNS beyond basic A records, I didn’t fully understand the different types of DNS lookups (A, AAAA, CNAME, TXT, MX, PTR, NS, etc.) or how DNS records were stored or edited. I didn’t understand what a recursive lookup was, and I had no idea how to use the AWS console to add/edit Route53 zones. Suddenly I had a requirement to learn this information so I did, just in time!
This is a very effective way of learning because you won’t waste time learning things that will never be useful to you and your motivation will be soaring to learn something that you can put to immediate use.
Many educational institutions attempt to accelerate a student’s learning by simulating JIT learning. They do this by setting exams, assessments and assignments that test the student’s knowledge directly after they learn that topic. It works! Are you more motivated to learn a concept that will be in an exam, or one that won’t?
The Tree of Knowledge
A common analogy for knowledge is a tree. The absolute foundational knowledge is pictured as the roots of the tree. Without the roots (foundational knowledge) the rest of the tree can not exist.
Beyond the roots are the trunk and main branches which are quite important but still require the roots to survive. Next comes smaller branches and finally leaves, the smaller, less foundational knowledge that relies on the foundational knowledge to exist at all.
The point is, you can not have an understanding of the leaves if you don’t understand the roots. Foundational knowledge is exactly that, it is the foundation that other knowledge can be built on.
Process-Based Learning vs. Deep Understanding
It is absolutely possible to find some vulnerabilities without having deep understanding or foundational knowledge. There’s probably a better name for this, but I’ll call it process-based knowledge. Some examples of process-based knowledge are:
- Finding XSS by opening every web application and putting <script>alert(1)</script> into every text field until an alert box fires.
- Finding bugs by running an automated scanner that you found on Github.
Process based knowledge is when you know how to go through the motions of performing an action without actually knowing how it works. It is enough knowledge to allow you to discover some bugs, but it will ultimately hinder you.
In bug bounties you are competing against a lot of other hackers. The majority of these hackers have at least this shallow process-based knowledge, or better. If your knowledge is at a shallow process-based level, you are competing with – at a minimum – absolutely everyone.
The opposite is also true – there are fewer people who have deep understanding and strong foundational knowledge. This deeper understanding allows them to recognise dangerous edge cases, opportunities to chain vulnerabilities together, new novel attacks, etc. and ultimately uncover more bugs, often with higher severities.
Having strong foundational knowledge is the base that allows your creativity to shine through. Given that the whole essence of hacking is discovering ways to use things that are not intended, creativity is the key.
Conclusion
You don’t need foundational knowledge to start bashing away at some webapps and finding some basic bugs, but gaining foundational knowledge should be part of your hacking journey. The sooner you build your foundations, the more quickly you will be able to move into a realm of heightened creativity and success.