This is going to be a series of events around cybersecurity. If you are lucky enough, try to witness it live on our GDSC chapter.
Link to today's event: https://gdsc.community.dev/events/details/developer-student-clubs-indian-institute-of-technology-varanasi-presents-introduction-to-cybersecurity-learn-to-hack-series/
Socials :
Website: https://copsiitbhu.co.in
LinkedIn : https://linkedin.com/company/cops-iitbhu
Instagram : https://instagram/cops.iitbhu/
Facebook : https://facebook.com/cops.iitbhu/
GitHub : https://github.com/COPS-IITBHU
2. About the speakers
Hello everyone!
We are Yuval, Arnav and Abhinav from CSE second year and are core members of the
IIT(BHU)Cybersec team.
We regularly play CTFs (basically cybersecurity contests but we’ll talk about them in
detail later in this session) and these are some of our performances this year:
1. PearlCTF - Globally 5th
2. BITSCTF - Globally 12th
3. VishwaCTF - Globally 14th
4. CodefestCTF - Nationally 2nd
#
3. Before we begin
Above all, this workshop series has been designed to get you interested and give you
an overview of how interesting the world of security is!
By the end of this series, you will have a good understanding of all the basic concepts you
need to know. The topics covered in this series are just the tip of the iceberg, but they will give
you a strong foundation for more advanced concepts.
To make things more interesting, tasks will be given after every workshop and a
leaderboard will be maintained. The workshop series will conclude with an exciting
event, which will be launched on 4th of April as part of COPS Week. Concepts
covered in the series with some creativity of yours will be enough to top the
leaderboard.
#
4. What is Security?
Security (cybersecurity) refers to any technology, measure or practice for preventing
cyber attacks or mitigating their impact.
It aims to protect individuals’ and organizations’ systems, applications, computing
devices, sensitive data and financial assets against computer viruses, sophisticated and
costly ransomware attacks, and more.
#
5. Why Security?
Cyberattacks have the power to disrupt, damage or destroy businesses, and the cost to
victims keeps rising. For example, according to IBM's Cost of a Data Breach 2023
report,
➔ The average cost of a data breach in 2023 was USD 4.45 million, up 15% over the
last three years;
➔ The average cost of a ransomware-related data breach in 2023 was even higher,
at USD 5.13 million. This number does not include the cost of the ransom
payment, which averaged an extra USD 1,542,333, up 89% from the previous
year.
By one estimate, cybercrime might cost the world economy USD 10.5 trillion per year
by 2025.
#
6. Why should you care?
According to a study by IBM, human error is the main cause of 95% of cyber security
breaches. In other words, if human error was somehow eliminated entirely, 19 out of 20
cyber breaches may not have taken place at all!
Moreover, cybercrime is not limited to organizations only. Phishing, identity theft,
ransomware, malware, cyberstalking, social media stalking, web jacking and much
more are increasing against individuals every day.
Basically, not being aware of cybersecurity makes YOU susceptible to cyberattacks,
causing damage to your organization or, even worse, your personal life!
#
7. Other Incentives?
First of all, security gives you some exciting career paths to explore - Penetration
Tester, Ethical Hacker, SOC analyst, Security Consultant, Security Auditor, Security
Researcher, Security Engineer, IR analyst and so on.
However, apart from this, it also gives you an opportunity to be better at whatever role
you want to pursue. Security is required in every tech product, be it a web-based or
mobile-based app, an LLM, a CV model or even a modern-day car.
More and more companies are trying to incorporate security in their products from the
very beginning of the development phase (called the ‘left shift development’) - an extra
edge for your internships and placements if you have knowledge of security!
#
8. More?
With appropriate knowledge, you can start earning a side income in college through Bug
Bounty Programs (which reward you $100-$10M based on the criticality of the bug found).
You can win cash and other rewards by winning CTFs, which keep on going literally
every week!
Be “cool” and show off in front of others :)
#
9. Capture the Flags (CTFs)
All hackers and security researchers need a place to practice their craft. However,
attacking real targets is not always feasible or legal. So CTFs provide a platform for
them to practice, learn and showcase their skills.
CTFs consist of various challenges with points. Each challenge is uniquely designed
for the participants to get creative and use their skills to find the “flag”, a secret
string. Getting the correct flag gives you points, giving you a position on the leaderboard.
Top leaderboard scorers get exciting awards and sometimes even job offers!
#
10. Categories
CTFs comprise various domains so that you learn different aspects of a
cyberattack. Broadly speaking, these are:
➔ Web exploitation
➔ Open Source Intelligence (OSINT)
➔ Cryptography
➔ Forensics
➔ Mobile exploitation
➔ Reverse engineering
➔ Binary exploitation
➔ Web3 exploitation
The topics marked in bold are the ones you will see most often, and the ones we will be
covering in the series and the CTF.
#
11. Web Exploitation
Websites all around the world are programmed using various programming languages.
While there are specific vulnerabilities in each programming language that the
developer should be aware of, there are issues fundamental to the internet that can
show up regardless of the chosen language or framework.
These vulnerabilities often show up in CTFs as web security challenges where the user
needs to exploit a bug to gain some kind of higher level privilege or sometimes directly
the flag.
#
12. Open Source Intelligence (OSINT)
OSINT is the collection and analysis of data gathered from open sources (overt
sources and publicly available information) to produce actionable intelligence.
Although this may seem useless in practical life, it is in fact the most fundamental
skill for getting information on the target before an attack can be performed.
This involves gathering information about previous data leaks, employee history, leaked
emails/passwords, doxing individuals etc.
#
13. Cryptography
The word “cryptography” technically means the art of writing codes.
Cryptography is the reason we can use banking apps, transmit sensitive information
over the web, and in general protect our privacy. It is used everywhere and thus a flaw
in its implementation can cause serious issues.
A large part of CTFs is breaking such improper implementations of widely used
encryption schemes. The math may seem daunting, but more often than not, a simple
understanding of the underlying principles will allow you to find flaws and crack the
code.
#
14. Forensics
Forensics is the art of recovering the digital trail left on a computer. There are plenty of
methods to find data which is seemingly deleted, not stored, or worse, covertly
recorded.
Digital Forensics is usually connected with Incident Response and together called
DFIR. This covers gathering information about a system that has been attacked by
malware, tracing the origin of the malware, dissecting the malware to understand how it
works etc. These challenges usually contain real malware samples, and it's advised to
use them carefully in an isolated environment.
Another domain, “Steganography”, is usually seen together with Forensics.
Steganography is hiding and recovering hidden messages in plain sight (usually
images/audio/text).
#
15. Challenge 1.1
A message was hidden in plain sight in the poster for this workshop also. Did
you see it?
The answer to the challenge can be submitted at https://ctf.copsiitbhu.co.in/ after the
workshop ends.
Register with your institute email address, and an alias you would like. The scoreboard
first sorts on the basis of score (highest first) and then same score users are sorted
with time of last submission (lowest first).
*Although this is not exactly steganography, you can see how easy it is to miss
things that are in front of you. This will happen a lot in CTFs and you will develop a
lot of presence of mind while tackling challenges (another incentive xD)
#
16. Reverse Engineering
Reverse Engineering is typically the process of taking a compiled program and
converting it back into a more human readable format.
Very often the goal of Reverse Engineering is to understand the functionality of a given
program and get desired functionality.
The most relatable real-world application of Reverse Engineering can be seen in
cracked software and games. The keygen programs are built by reverse engineering
the authentication systems of these paid products.
#
17. Binary Exploitation
Binary Exploitation is the process of finding a vulnerability in the program and exploiting
it to gain control of a shell or modify the program's functions. This usually happens
by passing inputs that the program cannot handle.
This domain requires a good understanding of assembly language and the function
stack. “Big words” hehe. Don’t worry, we’ll cover everything in detail :)
#
18. Do I need programming?
The answer to this question is debated in the security industry, even at the professional
level!
The reason is you can do a lot of stuff by using appropriate tools, trial and error and
manual work. However, in our experience, having knowledge of basic programming will
give you a much better experience of hacking. Being able to read and understand code
is an essential skill required many times. You can also use LLMs like ChatGPT and
Bard to assist you in this.
If you have zero knowledge of coding, don’t worry as there are categories like OSINT
and Forensics, that would need programming skills only at a much later stage.
However, there are also other categories which do require programming. So, you can
start from here:
Python (MOOC, FreeCodeCamp), C (Jacob Sorber, Beej’s Guide) OR any other language
#
19. What do you need?
Although all you actually need is enthusiasm and interest, some things would make it
much smoother to sail ahead.
➔ A Laptop
➔ Internet Connection
➔ Linux (in detail later)
◆ VM/Dual Boot/WSL/Docker container all suffice
➔ Hacker Mindset (more on this later)
➔ Loads of enthusiasm!
#
20. Hacker Mindset
Undoubtedly, the most demanded skill is that of having the right attitude and mindset
while you learn and apply your skills.
➔ Be curious
◆ Always try to play with apps/devices you use in everyday life
➔ Be creative
◆ Think of different ways to solve the problem
➔ Don’t be too rigid in your approach
◆ Always welcome new ideas
➔ Have Patience and don’t give up
◆ Good things take time :)
#
21. Linux
As a tech student, you will use Linux on a daily basis in your career.
You don’t need to be a pro, but being comfortable with using a command line is very
important (increases efficiency).
First and foremost, Linux is a kernel and not an operating system (you don’t need to
understand this). There are many different distros available for Linux. The choice of
which distro to use depends entirely on you. The answer to which is best is different for
everyone. You can try them all and settle for the one that suits you best.
#
22. Distros
Ubuntu is one of the most used Linux distros and has large community support
available on the internet. Kali is another distro specially suited for hacking due to
pre-installed tools, although it doesn’t provide anything you can’t install on your own
in other distros. Other options worth having a look at are Debian, Mint, Pop OS, Fedora
and Arch.
#
23. Why Linux?
➔ Lightweight and fast
➔ Privacy focused
➔ Less prone to malware
➔ Portable
➔ Compatible with a lot of tools
Linus Torvalds (creator of Linux)
#
24. Trivia 1.1
Just a few days ago, a backdoor was discovered in one of the core Linux utils packaged
with almost all major distributions. It created havoc in the tech industry due to its large
supply chain effect. Can you name the utils package?
#
xz utils v5.6.0-5.6.1
Many of you who have Linux installed may have got this backdoor in your system. It is
advised to downgrade the package to v5.4.6. Anyway, an important thing to
remember is that nothing is completely safe from malicious actors. One benefit of
being aware of the latest security news is that you remain safe, unlike an average
user who would get the news much later, probably after the damage is done.
Constantly following security researchers on Twitter, reading blogs etc. will keep
you in the loop.
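To see whether a machine carries one of the versions named on the slide, you can parse the output of `xz --version`. The script below is an added example, not part of the original slides; its function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the xz versions named on the slide (5.6.0 and 5.6.1).
# Function names and sample outputs below are constructed for illustration.

# Pull the version out of the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1" (last field of line 1).
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Succeeds (exit status 0) only for the two backdoored releases.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print a one-line verdict for a given `xz --version` output.
xz_verdict() {
    ver=$(xz_version_from_output "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif is_backdoored_xz_version "$ver"; then
        echo "AFFECTED $ver"
    else
        echo "OK $ver"
    fi
}

# Constructed sample outputs, not captured from a real machine.
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_GOOD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

xz_verdict "$SAMPLE_BAD"
xz_verdict "$SAMPLE_GOOD"

# On your own machine: check the installed xz, if there is one.
if command -v xz >/dev/null 2>&1; then
    xz_verdict "$(xz --version 2>/dev/null)"
fi
```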
25. How to install?
You can install Linux in any way you like:
➔ Virtual Machine (NetworkChuck, David Bombal)
◆ Runs on top of your existing OS. You can use both at the same time.
Performance may slightly be reduced on a low spec machine.
➔ Dual Boot (DorianDotSlash, David Bombal)
◆ Runs one OS at a time. Best performance with graphical interface.
➔ WSL (Fireship, TechHut)
◆ Runs linux terminal on Windows. Very fast and good integration but no
graphical interface by default.
➔ Docker (NetworkChuck)
◆ Runs a “container” on your host OS. Similar idea to WSL but for mac and
linux also.
#
26. Basic Commands
➔ pwd : Print current working directory (path)
➔ man <name> : Open man page for the command
➔ ls [-l] [-a] : List files
➔ cat <path> : Print the contents of a file
➔ cd <path> : Change current location to the path
➔ mkdir <path> : Make a new directory at the given path
➔ touch <path> : Make a new file at the given path
➔ rm [-r] <path> : Remove a file
➔ echo <text> : Print the text
#
27. Other useful commands
➔ grep
◆ Search for matching patterns in a file
➔ find
◆ Find files matching the given parameters
➔ ln
◆ Create a link to a file (ln -s for a symbolic link)
To learn and practice Linux commands - Linux Journey, Over The Wire Bandit
The only way to get good at something is to do it! So start using Linux from the
command line and you will be comfortable within days. You can always take help from
ChatGPT among other things, as it's good at stuff like helping with docs and standard
commands.
#
28. STDIN, STDOUT and Pipe
By default, all Linux commands take input from STDIN, which is your terminal screen,
and show output on STDOUT, which is also your terminal screen (buffer to be exact).
However, many times you would wish this to be a file. This is where file redirectors
come into play.
Output to a file: command > file
Take input from a file: command < file
Now what if you want the input of one command to be the output of another? This is
where pipe comes into play. It makes the STDOUT of the first command the STDIN
of the second. Using this, you can chain multiple commands.
Chaining commands using pipe: command_1 | command_2 | command_3
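The redirectors and the pipe working together, as an added example that is not part of the original slides: it counts failed SSH logins per source IP. The log lines are constructed (documentation-range IP addresses) and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: '>', '<' and '|' on a constructed SSH log.

# '>' sends cat's STDOUT into the file named by $1 instead of the terminal.
make_sample_log() {
    cat > "$1" <<'EOF'
Apr  1 10:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 4242 ssh2
Apr  1 10:00:03 host sshd[101]: Failed password for admin from 203.0.113.7 port 4243 ssh2
Apr  1 10:00:09 host sshd[102]: Accepted password for alice from 198.51.100.20 port 5000 ssh2
Apr  1 10:01:15 host sshd[103]: Failed password for root from 198.51.100.99 port 6000 ssh2
Apr  1 10:01:17 host sshd[101]: Failed password for root from 203.0.113.7 port 4244 ssh2
EOF
}

# '<' feeds the file to grep's STDIN; every '|' hands one command's STDOUT
# to the next command's STDIN.
failed_logins_by_ip() {
    grep 'Failed password' < "$1" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

LOG="${TMPDIR:-/tmp}/sample_auth.$$.log"
make_sample_log "$LOG"

# Redirect the whole pipeline's output into a report file, then print it.
failed_logins_by_ip "$LOG" > "$LOG.report"
cat "$LOG.report"

rm -f "$LOG" "$LOG.report"
```

Each output line is a count followed by the IP address, with the noisiest source first.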
#
29. Hands on Demos
The website we’ll be using for today’s demos is picoCTF. It has a really good
collection of beginner problems, and the community recommends solving them.
If you don’t have an account, it is recommended that you make one right now, so you
can follow along as well.
Problems we will solve:
1. Magikarp Ground Mission
2. First Grep
#
31. Before we come to doubts
1. Are all years eligible to participate in COPS week?
a. Yes
2. Will there be selections in the club based on this?
a. Yes
3. Does attending sessions matter?
a. Your presence in the sessions is the only way for us to know how dedicated you
are. So yes, we are recording attendance.
4. Is this going to be tough?
a. We wouldn’t say that it will be smooth, but it is too interesting and exciting to
be abandoned due to some obstacles. Some things might seem more difficult than
others, but with time everything will become natural. Just don’t lose
enthusiasm or patience; remember, Rome wasn’t built in a day :)
#
33. That’s all for today!
In the next session we will be starting with actual stuff and deep dive into the world of
OSINT and Forensics.
It will be good if you set up Linux on your laptop before the next session.
If you have zero programming experience, it is recommended you start learning today
itself. One dedicated week is more than enough for learning things in depth!
Hope to see you in the next session! Bye :)
#