About
By MattI’ve been involved in the network security arena for about 15 years now and I wear many hats. My day to day operations include network security, programming (C, Perl, PHP primarily – occasionally others), troubleshooting, network diagnostics, packet analysing, penetration testing, and pretty much anything else that gets thrown my way.
My passion has been, and continues to be, network security and exploitation. I got my start on IRC in the early 90′s, which at that time was a lot like the wild west. If you didn’t know what you were doing and how to protect yourself, as well as attack back, you weren’t going to be on IRC for long. I was immediately intrigued by how easy it was to use simple packets to knock people off IRC. Not to mention all the fun to be had with clones, spoofing, and general IRC abuse. I began researching and writing code. I was really disappointed when the scene changed from, “I’m going to knock you off line” to “I’m going to take down your internet provider, and your providers provider”. This, to me, was not elite. Anyone can knock someone out with a club.. but it takes special knowledge to down an opponent with just your pinky.
Beyond packet exploitation, I dove head first into Linux. My first distro was Slackware with the 0.0.9 kernel, I believe. It must have been 92 or 93.. I don’t really remember. I was about 13 years old. My interest in Linux came from the fact that I had someone that I idolized, who I could never knock off line. He always seemed to have some kind of linux-fu that protected him from what I was doing. He gave me a shell on his box and I was hooked. I remember forcing myself to use strictly Linux for a month. No gui, no point and click, simply a terminal. I loved it.. everyone else thought I was nuts.
By the end of the month, I knew that I wanted to run Linux full time.. so he helped me install it to a zipdisk and do a dual-boot so that I could run Linux without removing Winblows, because I was using my moms computer. She, unlike me, did not appreciate a black and white terminal. 
As I grew older, I began to really hack. I would spend hours digging through code looking for things like, strcpy(), gets(), etc. I knew that 99% of the time any program that accepted input from a user using those methods were vulnerable. Occasionally I’d run across a program written by someone who knew to do bounds checking, but not very often. And even more rarely was it ever done correctly.
I was involved in a few different hacking groups and, eventually, we got in serious trouble. Apparently when you deface the Whitehouse website, the CIA, the FBI, etc., they take it personally. But, we were kids.. we thought we were invincible. Negative.
Thankfully, I had befriended people who, again, kind of took me under their wing and I was able to avoid fines, prison, etc. I was tasked with finding pedophiles on the internet. This was probably the most fun I’d had on the internet up until that point. I was able to experiment, hack, etc., legally, for the most part, and rid the internet of trash. It was wonderful! I was also involved in InfraGard, which had its ups and downs, but I became pretty popular, because an 18 year old hacker-type in a room full of NSA/CIA spooks stands out like a neon light. They’d often pick my brain for hours. Ironically, though, half of the people that they used as examples of hackers in their Power Point presentations were friends of mine. Some of them had been caught, others not. I decided to stay firm and not give up any information to either side regarding my close friends. Because, honestly, I didn’t want to piss off either side.
Anyway! Unfortunately, volunteering for the government does not pay very well and I had finally hit the age at which my mom said that I needed to get a job and do adult stuff. Argh. No more hacking the planet and hunting pedophiles, I actually had to be “a productive member of society”. I thought I was already doing that… who knew?
I started at RadioShack.. which didn’t last long. I then was hired as “tech level 1″ at an ISP. Within 3 months, I had a new title.. “Systems Administrator”. I learned all about telecom equipment, DSL, routers, had a few crash courses in Cisco programming and IOS, etc. Then, I helped get DSL to a person who was told over and over by every other ISP that he was too far away. We did some hackery (I forget exactly what it was.. something having to do with a frame. I think it was eventually called iDSL). He happened to run a computer consulting company and decided that I would be an asset to his company.
I was like, 19 and getting paid $125/hour to do computer stuff. Good times. I had, what seemed to be, endless amounts of money. I was living the dream, kind of. He ended up making me a partner in the firm, which sounds cooler than it was. He liked books, and liked to do things by the book. I liked computers, and knew what worked in the real world, which often differed from what his books said. This caused major, major problems.
To quickly summarize the next 3 years.. fight, fight, fight, non-compete clause, lawsuit, counter suit, termination, firm dissolved.
I wound up being hired by two of our clients (he had been hired by one of our other ones). We parted ways and I’ve now been here for 6 years.
If you’ve made it this far, I’m impressed.. I would have probably moved on by now.
Anyway, all that being said, I’ve been a blackhat; I’ve been a whitehat. Now I like to use blackhat techniques to accomplish my whitehat goals. The network security world has coined a phrase that describes us.. we call ourselves “penetration testers”. Essentially, we’ve all gotten to the age where if we were to continue with our blackhat ways, we’d go to prison for a long, long time, but we don’t want to give up hacking. So, we find companies who will hire us to hack them and provide them with a report that shows their vulnerabilities and offer advice and solutions to help secure them. It works out well for all parties involved. We still get to hack, they wind up more secure. And, the best part.. no prison!
Ok, I’ve run out of stuff to tell you about me. If you have any questions, feel free to ask and I’ll probably answer you.
I really appreciate your site.
It is very helpful.
I am wondering what it takes to become a professional pen tester.
I have seen many so called “pen-tester” relying on Nessus and Metasploit (gui version) tools and calling themselves “pen-tester”.
I have done my homework, so far I know what a fake pen-tester looks like.
However, I am wondering what it take to become a good pen-tester.
What kind of “fu” I good pen-tester should have?
I’ve been learning tools, and sometime I am tired of learning about tools.
I like to learn the concept about the tools before using it.
That’s why I am diving into assembly to understand in and out of a program.
I would like that hear your opinion.
Thanks for sharing your knowledge with the community,
Humble-Desser
Thanks for the kind words..
I think that what it takes to be a professional/really good pen tester is the desire to learn, think outside of the box, and not always rely upon the technical side of things. It’s rather easy to build a network that will thwart off every kind of attack thrown at it.. and it’s at this point that your average tester will fail. You really need to rely upon other methods to gain access to networks like these. You need to look at what services, procedures, etc. that a company relies on in order to operate (email, web browsing, et. al.) and get creative in how you exploit them.
It’s a well known fact that the weakest link in the chain is the human. Through manipulation, coercion, and, well, “social engineering”, you can take down this element quite easily, and also reliably. This is generally what separates a good pen tester from a great one.
If you sit in front of your computer, day after day, programming, learning code, learning tools and techniques, you’re going to lose your ability to socialize and, like I’ve shown a couple times on my blog, this is the best and most important tool that you have access to. You might as well throw Nessus and Metasploit out the window if you can’t walk up to someone and engage in conversation confidently.
I used to have a sales job where I was forced to walk up to people and just start talking to them. My job, essentially, was to manipulate and coerce them into buying… whatever. This was, by far, the best training possible to become a really good social engineer.
It really seems that the most difficult thing for a computer guy to learn is the social aspect. We tend to hold up in small dark places staring at screens for absurd amounts of time.
Beyond the social aspect, however, yes.. learning all the tools available is a good place to start. And yes, definitely understanding the magic behind the tool is critical. Anyone who picks up a tool and just starts using it is a script kiddy.. they’re basically the ankle biters of the world.
But once you understand how the tool works, you can then get it to work to it’s fullest potential. You can also take the tool and add to it, modify it, or whatever, to accomplish your end goal. But, I’ve seen a lot of people rewrite perfectly good tools because they thought it would be more “leet”. Well, sure.. you wrote a tool.. congrats.. but while you were busy writing this thing, I was busy hacking the planet.
The lesson here is.. don’t reinvent the wheel.. make a better wheel.
Assembly is good to know, no doubt.. but I’ve found that it’s becoming less and less important because of all of the tools that are out there these days. Without knowing it, you’ll never really develop any 0day.. but rarely, if ever, do I need 0day to break into something. Companies generally try to avoid being on the bleeding edge of technology.. so they’re usually using software that’s a bit old.
That said, I do know assembly and was, at one point, semi decent at writing it.. but I’d never really call myself proficient at writing assembly.. lol
Anyway, this response has gotten longer than I intended.. it gives me an idea for a post, though. So, thanks for that!
I was introduced to your site just last week and I have to admit that I look forward to reading your posts. I like your writing style and I find your posts very informative and helpful. I am currently working on web application pen testing so any info that you can pass on related to that will be appreciated. Oh, just for the record, you do have at least one female reader
lol.. good to know that there’s at least one of you!
There are SO many good tools out there right now for testing web apps that it’s almost ridiculous. There was one released like, 3 weeks ago that I haven’t played with much yet called Skipfish. There’s also uh.. the Samurai framework. I think the biggest thing to know/learn when focusing on the web aspect is just knowing SQL/MySQL.. simple injections seem to be the most effective. Then XSS/clickjacking/blah blah blah.
I should probably do a post at some point about targeting websites. Most of my clients don’t host their own, though, so the information I get from them resides on some database well outside of their LAN, so it doesn’t really provide me with what I’m looking for (most of the time).
Oh, also.. this just popped up in my reader..
http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
Your story is interesting and I always like reading bios of people who have “been there.” I really enjoy sites like this because the wealth of info I find here. To me, this site is worth more than gold! The only people that say such things are other geeks. I hope you post on a regular basis. Thanks for sharing!!!
i admire you so much. your knowledge and abilities are exceedingly impressive. i wish i was capable of half of what you are able to accomplish. my computer has been hacked several times, despite my attempts to protect it, including constant monitoring to ensure my anti-virus program is up to date, downloading security updates from Microsoft, etc., avoiding downloading torrents or “pirate bay” style files and making sure all sharing options are turned off in my settings. It is very frustrating. It must be a great feeling to know the ins and outs of black hat and white hat and therefore be able to protect your machine and defend yourself again having your data compromised. I am very glad to have found your site tonight. Hopefully I will not be too dense to understand the subject matter and will be able to learn a few things that I can use to assist me in self-defense. xo
I got linked to you from Lifehacker about two days ago. I’ve since read through *most* (I’ll be honest) of your posts, and I’m hooked. Very rarely can I find someone who not only has a vast array of technical knowledge to pull from, but also has the ability to write in an engaging, and, thank heavens, accessible way. Out of curiosity, if one wanted to foster a solid understanding of Linux, what would you recommend? I’ve always been a little leery of switching over, mostly because I have absolutely no idea where to start.
@Cole: I think probably the safest and easiest route to get started with Linux is the Ubuntu Live CD. You can throw it in, play around with it, do whatever you want, and not have to worry about breaking anything. It’ll give you a good starting point and you’ll be able to determine if you like Linux or not… you’ll like Linux, though. Promise.
@kittygirl: Thanks for the kind words..
Yeah, I can honestly say that I’ve never had a virus or been hacked.. so I must be doing something right. To be entirely honest, the #1 thing that you can do as an end user to protect yourself is to NOT run Internet Explorer. Like, if you chose to do only one thing to protect yourself from threats on the internet, this would be the one you should choose.
My current suggestion is Google Chrome. Firefox is being heavily targeted now and it’s proving to be a little weak.. but still 1000% better than IE.
Keep reading.. I do my best to make my articles understandable by most. Some of them, though.. not so much.
A very nice read. The only difference between your life and my life is that I never got anywhere with my knowledge, because people now-a-days seem to not really care that I am a self-taught security enthusiast.
I love going deep, deep deep into the underlying mechanics if even the simplest of things. Why does this do that, what was done to do that, what controls that which does that, what is that which that made that made of? etc.
I’m only 20 years old, but I get abit depressed from reading your self-biography, as i’ve probably assembled *alot* of the same knowledge you have… Still nobody wants me
But it was a great read bro… Now back to programming the WinAPI
@Volatile: This is probably going to come across a bit harsh, but I want you to interpret it as constructive criticism. I received a lot of that while I was going through the ranks and it’s something you have to kind of suck up and force yourself to listen to and benefit from. So, please take it as such.
1) Based on your “tone of text”, it kind of sounds like you’re throwing yourself a pitty party. This is essentially accepting defeat, which is not good. You may have to suck it up and do some jobs that you may perceive as being beneath you (which they probably are), but if you are as good as you think you are, they will turn into opportunities because others will notice your talents
2) Continuing on the same point as above, it’s somewhat arrogant to think a company would hire some no-name (no offense) off the street to come secure their networks, especially if their networks hold proprietary information, trade secrets, financial information, etc. Unfortunately, this is one of those things that a degree helps with. A company views a degree as something that makes the person who holds it trust worthy, experienced, dedicated, blah blah blah. Now, granted, it’s usually this mentality that gets them pwned, but I can understand where they’re coming from.
3) Dude, you’re only 20 years old. My whole career and experience changed between 20-26, but you have to be proactive about it.
4) There’s a backdoor to the whole degree thing. Companies trust other companies more than they trust degrees. For a number of logical reasons. So, if you don’t have a degree, but you have a company, you can circumvent a lot of the hiring requirements a company has. I started my first business when was uh.. 19 or 20.. something like that.. and it cost me $125 to incorporate and I was on my way. I sent out mailings, visited networking groups (business networking, not computer networking), and anything else I could think of to help build a client base. The one major thing that I had going for me, was that I was young, and owned a business, which made other business owners think I must be some kind of genius. Well, I was (ha!), but I was never, not once, asked what kind of credentials I have, or what degrees I have, etc. I had a few certs, and that was it.
5) You’ve chosen a tough road, no doubt. It’s definitely much easier to go to school, get dumbed down, and wind up with a piece of paper saying that you know about technology that’s already obsolete.. but, if you have a passion for it and are enthusiastic about it enough to learn the ins and outs of it, your talent will be discovered if you don’t let self pitty get in your way.
And, last but not least, how do you ever expect to get anywhere using Windows??? *zing*
Seriously, though.. dont get down on yourself when you get turned down, or no one shows real interest. You kind of have to make your own path and be a little more creative than others when you’re just starting. But, if you figure that most people your age are just starting college, in 4 years you could be 10x more advanced than they are when they graduate.
- matt
What are we having for dinner?
@wifey: Beef. It’s whats for dinner.
@Matt, I really appriciate you taking your time to write me back bro.
One thing that I learned from researching information security, is that every criticism should be considered constructive. So there was no need to warn me there
Now, let me respond to every part of your post in order:
1) Well, I was actually feeling abit of pity when I wrote the above text, you got that right. Obviously I never thought about having pity for oneself as being defeated, so this part really inspired me to move forward. Currently, i’m working as a washboy for my brother’s construction company. I basicly wash machinery, clean up the offices, sort the workshop, etc… Nothing to do with information technology, i’m afraid… So I might have to find something else like you said.
2) It’s pretty logical to assume that no company would ever hire me, because I have no record of credibility. I already knew, so in retrospect, the above post was actually a complete pity party (lol,
). I do understand and agree with companies choosing people based on their degree or certifications, to account for some sort of credibility in the employee. One question; would it be an (can’t be considered good nor bad) idea to start out by doing some illegal penetration-testing, and slowly crafting a name for myself? Because i’m unemployed at the moment, so I have all the time in the world (except when working for my brother) to do security research and audit code… I’m too broke to pay for certifications, but I thought another approach would be to just establish some fame for myself instead… What do you think Matt?
3) My problem is, that i’m not much of a “do’er”, but i’m more of a “planner”. I read countless articles on the Internet, and know alot about the theory and crafting of any sort of attack. I love when people ask a question on a forum which I know nothing about, then google the information, learn it myself, then write back the answer. But because of this, I have never gotten much into the practical aspect of computer security… What tools to use, and so on. Also, I have two weakness’, and one is that I do tend to have a “oldschool” mentality (sorry, if this offends you, since you are older than me
), meaning I won’t use metasploit to penetration test, and would rather use a stand-alone craft exploit and launch that through a terminal… To me, frameworks seem to automate shit too much.
The second would be, that i’m very impatient. I would much rather audit code manually by hand, in a disassembler, but obviously I have no patience for spending a month looking over, and deciphering, chunks of opcodes to see if theres a stack-based overflow, or if the code has any dangling pointers. Might have to use the same approach as you did, when you “forced” yourself to use Linux
4) I have no intention of making my own company mate. Of course it would be awesome, but i’m too careful with this sort of thing… I already know how business’ work, because I researched into this myself a long time ago when I suddenly went on a “project-frenzy” and chose a random subject to learn.
Also, i’m kinda scared of getting clients, if I did manage to make a business (this problem also applies to jobs). In the back of my head is this nagging question; “What if I can’t do the required penetration-test. And what if everything I researched on my own is actually just bullshit, and i’m walking in here like the cock-of-the-walk, saying I know how security works… But in reality don’t know anything.”, this really gets me.
5) I have a question, bro: Do you think that information security is one of the toughest fields in computer science? Job-wise and research-wise?
I might have to tell you that I never got to finish high school. I failed just about all my exams, and ended up going to web-development school which I never really intend to work as. I did pass web-development school, but not (probably the most socially mandatory degrees) high school, which lets you into university… So i’m not able to go to university for a computer science degree.
So you could say, i’m one of those classic hacker types that don’t have a job, no education (because I basicly thought everything was too easy, so I ended up just sleeping my way through high school, which was a mistake), but with a very analytic and, arrogantly, smart brain. I’m not a logical thinker, but my weakness for logic is compensated with my creativity… Even though it might sound cliché, I always thought that hacking was an artform, so that’s primarily why I stuck with it for so long(I do love hacking obviously
).
Haha Matt, my main computer runs Win7 and my laptop has Backtrack on it. I wanted to put Archlinux up on my laptop, but I couldn’t get the wireless connection to work, so I just used a live-cd instead… I have used Linux many times, so it’s not like i’m one of those guys who just use Windows
. The main reason i’m learning the WinAPI is really to understand how Windows programs work… That’s basicly it… I might as well have told you “back to programming my kernel 
”.
Very inspiring comment Matt. I ate every word, and try to follow these guidelines. Who knows? Maybe you might’ve been my savior
@Volatile: I’m glad you’re mature enough to accept criticism.. I think thats the biggest fault of a lot of people out there (especially in the tech field).. they view criticism as a blow to their ego.. lol
1) Yeah, when I said finding something beneath you, I definitely meant something in the tech field.. lol.
2) That USED to work.. but today it requires a bit more finesse. There have been a number of times that I have been poking around and have come across something on a website, or network, or.. whatever.. that is an enormous gaping hole and I will email the owners and inform them of it. This has, more than once, resulted in them asking me for assistance. You kind of have to walk softly, though, when doing this.. there are a lot of people out there that will view you as malicious for simply poking around. Also, as soon as you discover something, that’s the point at which you should stop. Crossing a boundary can wind up being expensive for you.
3 & 4) Being successful in penetration testing and security requires being able to plan and execute. When I first meet a client, I document everything they tell me. They often times don’t realize the information that they’re giving up. From that, I plan my attack, which route I’m going to take, what seems the most logical, etc. Then, I begin the actual testing. I do my passive/non intrusive tests first, just to see what information I can obtain, then I begin going into my more intrusive tests. But the whole thing is a plan, from A to B to C. There’s an old adage.. those who can, do.. those who can’t, teach. Whether you do, or teach, is up to you.
Nothing wrong with oldschool, but hubris is painful. Metasploit is just a tool, really. Could some kid pick it up and use it to exploit a network? Sure.. but he will be lost if he has to come up with a more creative approach, or has to make changes to code, or disassemble something. Prior to Metasploit, I’d have a million tiny pieces of code, all which I wrote on the fly, to do something based on whatever network I was attacking. Very little was universal, none of it was pretty. It was very utilitarian. Thats the primary difference between a hacker and a programmer. A programmer programs because he enjoys programming.. a hacker programs out of necessity to reach his objective. I’ve seen programmers who hack, and it’s kind of hilarious. They’ll spend hours working on making a piece of code as efficient as possible, when it’s really a one-time use type of thing. Meanwhile, I took a piece of code from this program, some from that one, implemented some of my own, and it compiled with only 384 warnings, but nothing fatal. Score! *pwned*. You don’t want to hire me to write accounting software for your business, obviously.
Metasploit basically makes my job easier and more efficient.. I can write the exploit without having to worry about writing a reverse shell, or handler, or blah blah blah.
Also, you mention having to go through and audit code, disassemble it, etc. Ask me how many times I’ve had to write 0day, or disassemble code to attack the network of a client. … Once. And it wasn’t even really necessary, to be honest. Companies generally don’t run bleeding edge software.. they run older, “stable”, stuff.
And, to be TOTALLY honest, any kid with a laptop, an energy drink, and a car (or bike) can penetrate most commercial networks these days. Drive to company building. Break WEP (or WPA, whatever). Poison ARP. Sniff. Use credentials to penetrate deeper. It’s sad, but thats generally the first point of entry for me. The client doesn’t care HOW you get in, the client cares about whether or not you CAN get in. Once you’ve accomplished that, you can get them to do just about anything when it comes to securing themselves. Granted, when doing anything for a client, you want to be thorough.. so you use more than one entry point, but so long as you’ve accomplished one, the client will feel that the expense was justified. But, yeah, it does suck when you can’t find a way in to a network.. it’s happened to me twice. It’s frustrating, and you hate having to tell the client that you weren’t able to do it.. but, they take satisfaction in that as well, because they feel more secure. So.
5) I don’t think so.. personally, I think programming would be the most difficult. Because, in order to write secure code, you have to keep up with the same stuff I do, but on top of that, you also have to write it in an efficient way, with a boss breathing down your neck to meet a deadline, who doesn’t care if the code is secure or not. I mean, sure, what I do requires a lot of research, reading, testing, blah blah blah.. but it IS my job.. where as with a programmer, it would just be a part of his job.
Yeah, I never finished highschool either. I dropped out on my 16th birthday because school was interfering with hacking.. lol. My mom was *pissed*. She’s less pissed now, because her nightmares of having a 30 year old son living with her never materialized.
To be honest.. I don’t know too many in my line of work that have CS degrees.. most of them have certs, experience, and passion.
Yeah, it’s probably good to understand how windows programs work.. most work something like this:
main() {
while() {
memoryleak();
exception();
bluescreen();
}
}
It’s frightening to think of myself as a savior. ‘Course, maybe I could make some bumperstickers to sell on here.. “WWMD?”
@Matt, haha…
Well, now that you mention it, I am currently in the process of writting a book. However, I will not accept, at any cost, to just be a teacher… I want to be at the cutting edge, etc etc etc… You know what I mean Matt, obviously.
One thing that you need to understand when I say audit code, is that i’m not *exactly* looking for the commercial pentest side of the scene. I have a special passion about finding vulnerabilities, because it just looks so beautiful (lol, don’t know how else to describe it), so it really speaks to me… The 0day doesn’t even have to be for actual exploitation, just to find it is a powertrip in itself for me.
So yeah… I don’t know what to do but you did give me alot of insight into the world of security, bro. So maybe all is not lost… Conclusion; Just keep trying harder, and harder
I’ll be sure to follow your awesome site. Take care Matt, be safe.
Oh I forgot to mention; In my country, going as far as portscanning is an illegal act, and will be considered malicious. So if I was going to go along with my plan, it would be illegal the second I start portscanning, or validate input fields.
Matt,
I’ve recently stumbled upon your blog and have just finished reading your self-biography. It has motivated me to delve deeper into the computer field than from I already have. I don’t expect you to take me under your wing, but I was wondering on how one starts to get proficient in the hacking field.
Just read your bio and the whole comment section, it’s very kind of you to answer and advise on those comments, esp Volatile’s.
Like your site, keep it up, I wish you would write on regular basis but I know it’s almost impossible, still have plenty materials to read from your previous posts.
Best regards,
Gaspar.
@Gaspar: Thanks man. Yeah, I’m kind of in the “epic fail” department when it comes to the regular writing. I keep promising myself (and others) that I’ll begin writing regularly again soon, but I fear that I keep letting people down, so I’m not going to make promises that I can’t keep at this point. Though, I will try to write when something moves me enough to do so.
If you find yourself needing a reason to write what you already know, drop us a line. We’re looking for security minded writers.
Our website provides in-depth coverage of Information Security through deep analysis of vulnerabilities, reverse engineering and exploit development.
Hope to hear from you.
Hey Matt,
Loved the post on Corporate info discovery (part2) you wrote in May of 2010. Would it be OK with you if I used a portion of it and cited back? My writing team should be completing a new blog post on a similar topic in the near future.
Thanks
–
Sabrina K. Carliss
The secret to creativity is knowing how to hide your sources
a really good website,i learn a lot from ur experience,thks a lot! matt