[ How to Teach Hacker Highschool: Unit 3 ]

This entry is part 3 of 3 in the series How to Teach Hacker Highschool

This is the third unit of my course for teachers, which brings together a lot of material I generated while working as Project Manager for the Hacker Highschool v2 Rewrite Project, 2012-2016. This session offers some hints on conducting classes, and help for you to be a great teacher of hacking. Polish your Google Hacking skills, learn to search more safely, show your students easy ways to start coding and start getting familiar with your eyes and ears on the network: Nmap and Wireshark.

Here’s the video of Unit 3, with the links it mentions below. Tell me what you think in the Comments, and thanks for taking a look.

Powerpoint: http://gnorman.org/HHS/Teacher_Training_Unit_2_GN_017-11-20.pdf

Uncut Lessons: http://gnorman.org/2017/05/16/hacker-highschool-download-uncut-lessons/

School for Hackers: https://schoolforhackers.com for Hacker Night School and Hacking 101

Hacker Highschool (http://www.hackerhighschool.org/) is a free, open curriculum from ISECOM (http://www.isecom.org/). Uncut lessons are available at http://gnorman.org/2017/05/16/hacker-highschool-download-uncut-lessons/.

Google Advanced Search Operators: http://www.googleguide.com/advanced_operators_reference.html

DuckDuckGo Search Engine: http://DuckDuckGo.com

–Musical Credits–
Opening and Closing: Loops by Mark D’Angelo, copyright 2017
Cold Funk – Funkorama by Kevin MacLeod is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/…)
Source: http://incompetech.com/music/royalty-…
Artist: http://incompetech.com/
Music promoted by Audio Library https://youtu.be/Vhd6Kc4TZls

[ How to Teach Hacker Highschool: Unit 2 ]

This entry is part 2 of 3 in the series How to Teach Hacker Highschool

This is the second unit of my course for teachers, which brings together a lot of material I generated while working as Project Manager for the Hacker Highschool v2 Rewrite Project, 2012-2016. This session is about building a classroom laboratory for security training.

So here’s the video of Unit 2, with the links it mentions below. Tell me what you think in the Comments, and thanks for taking a look.

POWERPOINT: http://gnorman.org/HHS/Teacher_Training_Unit_3_GN_2017-12-12.pdf

Uncut Lessons: http://gnorman.org/2017/05/16/hacker-highschool-download-uncut-lessons/

School for Hackers: https://schoolforhackers.com for Hacker Nightschool and Hacking 101

Hacker Highschool (http://www.hackerhighschool.org/) is a free, open curriculum from ISECOM (http://www.isecom.org/). Uncut lessons are available at http://gnorman.org/2017/05/16/hacker-highschool-download-uncut-lessons/.

–Musical Credits–
Cold Funk – Funkorama by Kevin MacLeod is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/…)
Source: http://incompetech.com/music/royalty-…
Artist: http://incompetech.com/
Music promoted by Audio Library https://youtu.be/Vhd6Kc4TZls

Online victim resources:



Equifax Did Three Simple Things Wrong and Hacked Us All

Glenn Norman hacking

So Equifax was hacked not once, but twice? No way. I don’t believe it. If you’ve been hacked twice, you’ve been hacked at least 3.6 million times (or pick any other really big number you like). And notification of this new hack, like the last one, came at a languid pace. I’ve gotta give it to Equifax: if I did something like this, anything like this in my own business, I’d quickly go to prison. Their people are just walking out the door.

What irritates the devil out of me is that Equifax took an equally languid attitude toward the security of my personal information by violating three simple tenets of security. I know it’s not easy to manage a corporate network; I’ve been there. But there are fundamental measures anyone with a brain or responsibility has to take in this field, and Equifax outright failed to do these obvious things.

Principle One: Isolation

Not every system needs to touch the internet. Of those that do, none of them should have access to anything but the absolute minimal resources (meaning other systems) they need to do their job. Production networks should always be totally isolated: human resources, accounts payable, management, customer service and every other production operation should be utterly isolated from each other. Even if systems within them are compromised via email or the internet, they should provide no ingress – absolutely none – across functions. Your deepest assets (consumer records would qualify) should be deeply isolated.

“But customer service needs access to records, and so do the customers!”

Yes, and that functionality is still available. You’ll do it via strongly encrypted, strongly authenticated, highly secured connections. In other words, the segregation cannot be simply VLANs on a switch or even casually configured internal routers. No. Every production network should be encapsulated, firewalled, filtered and logged as an independent unit, one that considers itself surrounded by hostile would-be intruders. If I can walk through your DMZ to your online-data network, that’s a problem. But if I can then pivot to other production networks, it’s time for a firing squad.

Principle Two: Patch Management

All the mainstream security firms will hound you about this: stay patched right up to the minute! There is a tiny minority who would dispute this, arguing that proper isolation makes urgent patch management a useless exercise in anxiety. For my money, I’m going to do both (and a lot more).

The likely culprit here was an unpatched Apache Struts installation. Frameworks like Struts are popular with developers but eventually have to be managed by sysadmins, who may not love or follow them as closely. This is where tight collaboration between these teams has to ensure things that need to be patched (which includes practically everything that’s installed) are included in patch management lists and applications. I shouldn’t have to say it but those lists and apps must be intensively managed. That’s a pain, but lawsuits are a bigger pain, and really big lawsuits can be fatally painful for organizations.

Principle Three: Competent Management

Repeat after me: a degree in music does not qualify you to be CSO. (A degree in music does not qualify ….) Experian did not get this memo, and hired as Chief Security Officer one Susan Mauldin, music major, whose LinkedIn profile was edited and made private shortly after the hack was revealed, likely because she listed no relevant qualifications whatsoever.

I have been working, studying and teaching in this field for some 20 years, and I consider myself hardly qualified for a job like CSO. You’re playing with blood and money in that job. Even if you’re a brilliant poker player, this is 3D chess played with lions. If you can only play Whack-a-Mole on the computer, you should not be managing computer security for a major corporation. You’ll need to be a fanatical, deeply involved security fiend to play cop or Batman for a company like Experian.

This whole question of qualifications goes far beyond this field. A Chief Scientist should, for instance, be a scientist. This quickly gets political (at least for me), so I’ll stop now. But what Experian has done is not political, and not forgivable. They’re doing something that affects far too many people to approach it lackadaisically.

Now, the kernel: if you’re a malicious hacker, you’re going to be looking for exactly these weaknesses. During the Reconnaissance stage, finding a weak CIO or CSO would be a whiff of blood in the water. If a simple scan reveals unpatched vulns, bingo. And if weak or nonexistent network segmentation lets me go bounding through the corporate cyberverse, oh joy, oh glad (assuming I’m that malicious hacker). If I’m NOT a cracker, I’d be testing exactly these same limits because I’d be a pen tester or researcher or bounty hunter or whatever. Right?

[ CEH Training ] :: [ Day 1 ]

This entry is part 3 of 10 in the series [ Certified Ethical Hacker Training ]


Short bios and description of experience

Assessment test

Some discussion of the CEH:

Chapter 1

Hacking in theory and practice

  1. Origins and definitions
  2. “Hacking as it was done in 1998”
  3. Deeper hacking methodology
  4. EC-Council’s definitions
  5. The role of contracts

Colors of Hats

Colors of Boxes

Scope, Terms of Engagement, etc.

Hackable Websites

Hackthissite.org: Take them up on this offer! A great learning site. https://www.hackthissite.org/

Root-me.org: There are challenges in several categories, and they’re quite good. There is no clear pathway through, though, so it’s up to your hackerly curiosity to explore your interests.

Shellterlabs: Work through a series of lessons to gain competencies in one area after another. The challenges are truly challenging. https://shellterlabs.com/en/

Chapter 2

TCP/IP models, important ports, proxies and firewalls

Chapter 3


In-Class Exercise:

Maltego: activation and configuration

Official training videos: https://www.youtube.com/watch?v=sP-Pl_SRQVo&list=PLC9DB3E7C258CD215


  1. Begin a Maltego investigation (graph) of yourself. Start with the Person object and expand outward to work information, email addresses etc. Every single particle of information you can gather about yourself, anyone else can too. While this kind of scanning is perfectly legal in many parts of the world (think about what ad agencies know about you), remember this critical hacker principle: Don’t attract unneeded attention.
  2. Take your first reading pass through Chapters 1, 2 and 3. Highlight liberally. Plan for using special markers in locations that directly discuss test topics (i.e. questions).

[ Certified Ethical Hacker Training ] :: [ Syllabus ]

This entry is part 2 of 10 in the series [ Certified Ethical Hacker Training ]



Certified Ethical Hacker Exam Guide, Third Edition, by Matt Walker

CEH v9: Certified Ethical Hacker Version 9 Study Guide 3rd Edition, by Sean-Philip Oriyano

Learning Objectives

Successful preparation to pass the EC-Council Certified Ethical Hacker exam.

Gaining a thorough familiarity with hacking tools and techniques.

Day 1

Hacking in theory and practice

Open-source intelligence research with Maltego




Command line


Day 2

Stage 1 of a hack: Footprinting

Google Hacking and Google Dorking

Open Source Intelligence: OSINT

Stage 2 of a hack: Scanning




Banner grabbing

Vulnerability scanning

Network mapping

Day 3

Stage 3 of a hack: Enumeration


Command line in Windows and Linux




Day 4

Stage 4 of a hack: System Hacking

Password cracking

Cracking cryptography


HashCat and sample hash dumps

Day 5


Constructing trojans

Covert channels

Sniffing on the wire

Social engineering




Sample VOIP capture



Day 6

Session hijacking

Cain & Abel

OWASP suite

Burp Suite

Day 7

SQL injection

Wifi cracking

Firewall running

[ Hacking 101 ] :: [ Lesson 1 ]

This entry is part 2 of 2 in the series [ Hacking 101 ]

Lesson 1: Do You Need A Handle?

Yeah breaker one nine this here’s the Rubber Duck
Uh, you got a copy on me Pig Pen C’mon
Uh yeah Ten-Four Pig Pen fer sure fer sure.
-C.W. McCall, “Convoy”

Long before there were hackers, there were truckers. Truckers understand the need for handles in the Citizens’ Band (CB) radio world. People are coming and going, real names are useless or dangerous, and descriptive terms are a lot easier to remember.

Hackers use handles for some of the same reasons. One legendary hacker promoted the fun fact that a whistle packaged in boxes of Cap’n Crunch cereal emitted exactly the right tone to initiate a free long-distance phone call (phreaking). He will be Captain Crunch essentially forever in the hacker universe. Others created handles by playing with spelling (Phiber Optik, Dzen Hacks), referencing antique space opera (Mentor) or thumping their chest (MafiaBoy). Gigabyte earned her rep over a decade ago; St. Jude died deeply beloved; Susy Thunder was just being kooky (and kicked ass all over DEC).

Do you need a handle? Seriously, what’s the point anymore? Do any of us kid ourselves that we have a secret super-hero identity? Probably not … depending on our reasons for hacking. In the US, most people take privacy and confidentiality and safety for granted. In Europe, the data privacy laws could legitimately be called “ominous,” at least for organizations that had better comply with them. But there are plenty of countries and regions where revealing your identity might be highly dangerous, depending on your politics or religion. So in some cases, an online handle might not be just a good idea, it might be mandatory.

Even in cases where your life isn’t at stake, using a handle is awfully smart. Did you find a vulnerability in your school’s network? Reporting it might be an unpopular move. Found a problem with a vendor’s software? You might be in trouble from the instant you admit you were testing it. You could just report things anonymously (which is harder than you think), but that has one major problem: you don’t establish a reliable communication channel, and you may need one. If authorities know they are at least dealing with a single individual, for instance, any dialog that’s necessary can happen more safely.

Do you believe in free speech? Does your government? You can’t take this for granted, because there are so many shades of “free.” For instance, if you have free speech (in theory), is it safe to exercise it? Why do we have all these whistleblower-protection laws; in fact, why should we even need them?

We need them because free speech often challenges those in power, or those who have an interest in preserving the status quo, or those who have done things they don’t want made public. Any of these situations can be dangerous, or even outright deadly, depending on where you are. A handle lets you establish a consistent character online, and say your piece to your heart’s content. People will come to recognize your positions on issues – or at least the positions your handle (your alter ego) espouses. Speaking from behind a mask also protects you from those who mean well but misunderstand you, or those who flatly mean you ill.

One of the things you’re going to do at the end of this lesson is choose a handle. It should mean something to you, even if it’s a misleading meaning (sometimes those are the most clever handles). Tempting as it may be to want to be The Flash, you’re likely to be competing with thousands of 11-year-olds who like that name too. But if you’re interested in anime too, which for a long time came almost exclusively in Flash format, Flash Gundam might have some appeal.

Should you be Deadly Ninja or Silent_Avenger? Uh, are you really a deadly ninja? Because pretending to be one invites the real ninjas to show you the ropes, and the chains and the knives too. I once thought along this line and decided, Okay, I’ll be Fluffy-Bunny, until a friend pointed out that the handle made me sound like a cousin of PedoBear. Thanks, never mind.

Should you make up a name in leet speak (1337)? Like Haxor75 because you’re a hacker born in 1975? Or Sh@d0w? There are about nine hundred “Shadows” out there using different characters for the letters. They end up just sounding pretentious, and ironically those unique spellings help researchers pin handles to individuals.

You can try for something more directly relevant, if that’s safe. Do you teach for a living? How about Professor Thwackum? Do you run a bookstore? How about ExLibris? Just remember to avoid giving away too much. Don’t use the real name of your bookstore, unless you’re deliberately being provocative. In many cases, it’s not going to be safe to provide the least hint who you are.

Should your handle be your email address?

Good God, no. Not unless you have a separate, private, confidential, protected email account just for that identity.

In a larger sense, your various identifiers and names should have one, and only one, function apiece. The login name you use at your company or school should never be the same name as your company email address. (That’s a serious rookie administrator mistake, one you may capitalize on later in your hacking career.) If your login name is Costanza, your email address had better not be costanza@vandelayindustries.com. Unless you really, really want us to come read your email.

Do remember, though: if one of the reasons you’re creating a handle is to report something, you likely need to establish a persistent communication channel with the people you’re reporting the problem to. Anonymous complaints or reports get a lot less credence than reports that are clearly backed up by someone who can be contacted again. At some point, depending on circumstances, you may need to come forward to identify yourself. Normally you’d want to keep private forever, but if the situation warrants it, you might prove you’re the person who made the report by proving you can access the email account used by the whistle-blower.

What you can do with your handle

By now you should be realizing that a handle amounts to an identity. A handle is ideal for the kind of research and communication hackers need. Want to visit that IRC channel where the double-top-secret hacking tools are shared? Or that forum where the seasoned hackers actually answer questions? Will you eventually become an information source yourself? You need a handle for that facet of your life.

Consider the opportunities: you can start a blog or bulletin board of your own. This calls for commitment; you’re going to spend a lot of time on either of these, but they’re also excellent vehicles for enhancing your fame, assuming you give a damn about fame. You could do these to enhance your infamy, too, if that gives you a bigger kick.

You got to keep ‘em separated

Once you’ve established a separate identity, or handle, play this game seriously. When you’re “in character” with your handle, never mention your real self, real job, real school, real employer, real partner – nothing. Get paranoid about this, for reasons you’ll see as you take this course.

This is particularly critical when you’re using your handle to report a vulnerable web site, a leaky server or an exploitable application – especially to your employer, your parent or your teacher.

It’s critical to understand what you’re protecting here. Security training often focuses on the Magical Triad: Confidentiality, Integrity and Availability.

Confidentiality, in our world, means people can’t read your stuff. In the world of cyber security, it means encryption: your data is literally unreadable. In the context of handles, it means communicating via confidential (encrypted) means when you’re using a handle.

Integrity means your data hasn’t been altered, which is awfully important when you are negotiating immunity or proving a point. In our world, we use hashing to prove that data hasn’t been altered.

Availability means your goodies aren’t being blocked by a Denial of Service (DoS) attack, or being kept from you by some other means. Ensuring things are available keeps system admins paying weekly fees to ulcer doctors.
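The Integrity paragraph above says hackers use hashing to prove a report hasn’t been altered. Here is an added worked example of that idea (written for this page; it is not part of the original lesson or of any Hacker Highschool material). It fingerprints a constructed sample report with SHA-256, shows that flipping a single bit changes the digest completely, and includes a keyed variant (HMAC) for the case where both sides share a secret and want to detect substitution as well as corruption. The report text, the key and the function names are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample: the text of a vulnerability report exactly as the
# whistle-blower sent it. Any real report would be hashed the same way.
ORIGINAL_REPORT = (
    b"Report #1 (constructed sample): the staff portal accepts logins over plain HTTP.\n"
)


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of data: the fingerprint you keep or publish
    alongside the report so anyone can later check it wasn't edited."""
    return hashlib.sha256(data).hexdigest()


def keyed_fingerprint(key: bytes, data: bytes) -> str:
    """HMAC-SHA-256 over data with a shared secret. Unlike a plain hash, an
    attacker who can rewrite the report cannot also recompute this tag
    without the key, so it proves origin as well as integrity."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, expected_hex: str) -> bool:
    """Compare data against a previously recorded fingerprint.
    hmac.compare_digest runs in constant time, so a mismatch does not leak
    how many leading characters happened to match."""
    return hmac.compare_digest(fingerprint(data), expected_hex)


def flip_one_bit(data: bytes, byte_index: int = 0) -> bytes:
    """Tamper with exactly one bit to show how sensitive the digest is."""
    mutated = bytearray(data)
    mutated[byte_index] ^= 0x01
    return bytes(mutated)


def demo() -> dict:
    """Record a fingerprint, then check the untouched and the tampered copy."""
    published = fingerprint(ORIGINAL_REPORT)
    tampered = flip_one_bit(ORIGINAL_REPORT)
    return {
        "original_ok": verify(ORIGINAL_REPORT, published),  # True
        "tampered_ok": verify(tampered, published),         # False
        "digest_len": len(published),                       # 64 hex chars
    }


if __name__ == "__main__":
    print(demo())
```

The plain digest only proves integrity if the digest itself reaches the other party over a channel the adversary cannot rewrite (for instance, posted under your handle before the report is delivered). If you and the recipient have already exchanged a secret, `keyed_fingerprint` is the stronger choice, since a forged report would also need a forged tag.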

Notice that there’s no mention of Privacy there? Privacy is what you have when nobody knows who you are or what you’re doing. Corporations and governments don’t actually value privacy, at least for you; they want to know everything they can about you. You, on the other hand, may not have been taught sharing as a child, and might not want to be so friendly. Privacy is your friend. Your best friend. Don’t share.

Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world.
-Eric Hughes, “A Cypherpunk’s Manifesto”

Using your handle for fun and reputation

Okay, you may want a sexy handle that’ll attract attention as you gain fame and respect for your hacking activities. Giant-Panda may not strike quite the note that Poltergeist666 might, assuming that your main qualities are persistence and noisiness. The bigger issue is that you’re bragging, though as a certain person once said, “It ain’t bragging if you can do it.” You may find it wiser to conceal exactly what you can do.

Or go ahead and be DeathAdder or whatever you like at the moment, and burn through handles like TV spies burn cell phones. Just remember that some day when you’re the author of some magnificent cyber-universe-shaking exploit that saves the free world you’re going to be stuck with HoseWrangler or whatever you’re using at the moment.

In any case, you may eventually attain the degree of respect that you can safely come out from behind your handle and reveal who you really are. This is actually quite an achievement, one not many hackers actually see.

Do you need multiple handles?

So should you have more than one handle? Depending on your main activities, or the various private activities you engage in, this may be mandatory.

If you’re an uber-geek you’re familiar with Jung’s shadow or shadow aspect, the hidden form(s) of your personality. If you read popular soft porn you’re familiar with Fifty Shades of Gray, with “shades” meaning the different layers of personality of one Mr. Gray. Either way, it’s no surprise we’re all composed of multiple sides, like the facets of a jewel. You may not want to reveal all your shades to everyone.

Depending on the areas you’re working in, you may want multiple handles. You might use some, or all, only once. Just remember: unless you take additional precautions, you might make things easier for someone who’s trying to hunt you down. For instance, many bulletin boards show each user’s IP address; one IP used by many different “users” is a pretty obvious clue that someone’s playing games.

But you may want to segregate your identities in a different way, namely:

Using multiple identities

You could consider each distinct handle you use an identity, but remember: the real purpose of a real handle is to remain anonymous. What I’m talking about here is creating an entire background identity for the handle to point to, openly or secretly.

This technique involves creating email accounts and possibly social media presences. If you’re a genuine spy this is probably worth the time. For us mere mortals, it may be too much work to keep up. It is useful, though, to have a “spam address” for pure junk, and another false identity for all those sites you have to sign up for, and maybe another one for sharing files and other private collaboration. In this scenario these identities are Mike and Joe and Greg, not Dark_Knight.

The point is still this: don’t allow any connection between these accounts. This can be almost supernaturally difficult, so in the real world do the best you can. When you realize your mistakes, you become better at the privacy game for the next round.

Being a ghost

There’s a breed of hacker who doesn’t want fame and will never willingly out themselves. If you’re going to be one of these, you may not have a real handle per se, but you may use handles as layers of curtains between you and the world.

You’re going to have to be a master of secrecy to pull this off. Don’t hang around any venue for long. Don’t use any handle for long. Use technology like VPNs to hide your real IP address, and change servers often.

Even more important is varying your language, style and personality in print. Take it from me: any good English teacher learns to recognize a particular writer very quickly. Use one or two unique words, or the same pattern of misspelling, under more than one handle, and you’ll raise suspicions faster than you’d think.

Being nobody

There’s a cost in privacy every time you post. If you don’t consider every word carefully, you’ll reveal details that can be traced back to you. If you expose the same detail under two different handles, a determined researcher will connect them and potentially build a connection to you.

Kiddies want to brag about what they’ve done. Mafioso don’t know nothin’ and don’t say nothin’. You can decide to be either or neither, though it’s hard to be both. If you’re a true genius you may manage to keep two identities like this separated, but the talkative handle can never brag about the most stunning exploits of the silent persona.


101.1     Do you have a secret hacker identity you conceal from the whole rest of the world? One way or another, you do. So, what is your handle? (Don’t tell me or anyone the answer to this question.)

101.2     Who said “It ain’t bragging if you can do it”? Is that actually exactly what they said? What is this person’s real name? What is their handle?

101.3     Find “A Cypherpunk’s Manifesto”. Read it. Save a copy of it. Think about it for the next 20 years.

101.4     Read this article from the very excellent null-byte, including the comments:


Choose the one single most important sentence in the article.

101.5     Some of the most important stuff you’ll find on the Internet comes in the form of Word docs, Excel spreadsheets and PDFs left laying around on websites. This is a great place to introduce Google Advanced Search Operators, if you’re not using them already. First, see this page:


Next, go to the Wikipedia entry for “List of hackers”. Note that some handles on the list are matched to a real name, while other people listed don’t use a handle, or their handle isn’t known. Pick one of these handles (which in this list, obviously, already has a name associated with it).

Create and run a Google search that finds Word docs for your chosen handle. Try it again for docx files, xls and xlsx files, and pdf files. Do you find anything that connects your chosen handle to a person? Get used to looking beyond the first page of results.

101.6     There actually is a hacker out there who uses the handle nobody. Identify this person. There’s a sort of Unix joke here: who is the “nobody” user on a Unix/Linux/Mac system?

[ Hacking 101 :: Introduction ]

Glenn Norman
This entry is part 1 of 2 in the series [ Hacking 101 ]

Yet Another Explanation of What “Hacking” Really Means

If you’ve read a book or two about networking or security (and if you’re here I’ll bet you have), you’ve already had to read some version of where the word “hacker” comes from and what “hacking” really means. But what began as a title of honor has been corrupted by the media into a synonym for “criminal.” That’s a shame, because criminalizing curiosity and solution-finding steers both students and professionals away from a critical awareness we all need.

People use the term “hacking” in a whole range of ways, aside from the “sociopath computer geek” meaning. “Life hacking” is finding clever solutions to life’s challenges; “Ikea hacking” is building something original from the stuff you find at Ikea, like, say, a go-kart. I’ll bet Ikea never had go-karts in mind, but would you be a criminal if you built one using furniture components? In theory, no; but try the same test with your cell phone (or don’t because “hacking” it might in fact be a criminal act).

But we’re not talking about life hacking or Ikea hacking here. We’re talking about hacking in its original sense: exploring the world of systems and networks in which we all live, cobbling things together, testing things, breaking stuff, fixing it. We’re talking about computer hacking.

Most cyber-security material, even if it uses the word “hacker,” is about regulatory compliance, or security awareness, or protecting corporate systems. That’s not us, at least not in these courses. These courses are about how to hack.

[ Hacking 101 ] is the introductory freshman course: learning the basics, and making some decisions about, hacking. It covers some of the basics of research, exploring with your digital senses, mapping and understanding the world’s digital terrain. We’ll give you a huge amount of information, but you’ll also do a lot of homework. The biggest part of being a hacker, after all, is learning to do it yourself.

We’ll help you stretch your new abilities and introduce you to the vast array of tools and resources available to the budding hacker. We’ll explain the footprinting > scanning > enumerating > exploiting process, and look at the kinds of things you can do once you’ve successfully exploited a system.

One of our main priorities is giving you the information you need to hack safely, which is to say invisibly. The heavy thud of boots in the hall and that pounding on the door are sure signs of unsuccessful hacking. That’s why we’ll talk about how to preserve your privacy and confidentiality, which are two very different things. As you begin the lessons for these freshman courses, remember that one of the most critical things is to hack safely. But another is to have fun. So do both.

-Glenn Norman

Copyright 2017 Glenn Norman. All rights reserved.