How are hackers able to find such complicated exploits?

In: Technology

44 Answers

Anonymous 0 Comments

Most exploits are based on social engineering, not some clever hack, although weak passwords make it easier.

Anonymous 0 Comments

Hello, entry level cyber security person here. Most of the exploits that are found are a result of people throwing everything they can think of at the wall and seeing what sticks.

Many of these exploits are recorded and kept in public databases and websites. A vulnerability is found, patched by the publisher, reported in the patch notes, and recorded by these sites. Then a lazy (or cheap) system admin somewhere neglects to patch his systems and a hacker might stumble across it. It’s actually very easy to scan ports on public web services and see what’s open. It’s kinda like checking a building for what doors are locked.

If you know anything about setting up virtual machines, it’s relatively simple to set up a pre-configured OS like Metasploitable that has a ton of known vulnerabilities to practice hacking on. The purpose of this is an educational tool to help people learn how to protect their data, and maybe make a career in cyber security.

The best thing you can ever do to keep your system safe is keep it updated. Microsoft, Apple, and Google spend billions a year to keep their products as secure as possible.

Edit: Extra note just because I get asked this a lot: Anti-virus software does not work like people think it does. In general I recommend removing it. It is another attack vector to be infected or exploited and anti-virus loves to take system level privileges and break built in defenses for otherwise secure services.

Edit 2: 99% of all hacks are through social engineering. Phishing emails, infected USB drives, fake web links, or even just literally calling a company and making up a story to get access to their systems… these are your bread and butter as a hacker.

Anonymous 0 Comments

Vulnerabilities can be broken down into several categories, most of which come from certain security measures being outdated.

* The password protection (hashing) is outdated and easy to crack
* The website doesn’t support encryption (HTTPS)
* The website is vulnerable to code injection – tricking the computer into executing code when it’s supposed to be storing data (like if your username contains a piece of code.)

Hackers test for common problems and when they find one, they use it to expose more issues. You work on a website bit by bit, exploit what you can, and run into a lot of dead ends. This is an example of how you might break into a database and then how you would crack the passwords in it:

[https://www.youtube.com/watch?v=ciNHn38EyRc](https://www.youtube.com/watch?v=ciNHn38EyRc)
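To make the first and third bullets concrete, here is an added example in Python (not from the post, and not from the linked video) using only the standard library's sqlite3, hashlib and hmac modules. It puts a lookup that pastes the username into the SQL text next to a parameterised lookup, and an unsalted MD5 password column next to a salted PBKDF2 one. The accounts, e-mail addresses and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; the passwords exist only to seed the table.
SAMPLE_USERS = [
    ("alice", "alice@example.org", "correct horse"),
    ("bob", "bob@example.org", "hunter2"),
    ("carol", "carol@example.org", "hunter2"),  # same password as bob, on purpose
]


def legacy_hash(password):
    """Outdated scheme: unsalted MD5. Equal passwords give equal hashes, so a
    leaked table reveals password reuse and precomputed tables apply directly."""
    return hashlib.md5(password.encode()).hexdigest()


def modern_hash(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The per-user salt makes equal passwords hash
    differently, and the iteration count slows down every guess an attacker makes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_modern(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = modern_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_db():
    """In-memory SQLite table holding both hash formats side by side."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, email TEXT, legacy_hash TEXT, salt BLOB, pbkdf2 BLOB)"
    )
    for name, email, password in SAMPLE_USERS:
        salt, digest = modern_hash(password)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
            (name, email, legacy_hash(password), salt, digest),
        )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string formatting, so the username is parsed as SQL.
    A username such as  ' OR '1'='1  turns the WHERE clause into a tautology and
    the query returns every row instead of one."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised statement: the driver binds the username as data, so the
    same input is compared literally and matches no account."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def password_reuse_visible(conn):
    """True if the legacy column exposes that bob and carol share a password
    while the salted PBKDF2 column does not."""
    rows = conn.execute(
        "SELECT legacy_hash, pbkdf2 FROM users WHERE username IN ('bob', 'carol')"
    ).fetchall()
    legacy_equal = rows[0][0] == rows[1][0]
    modern_equal = rows[0][1] == rows[1][1]
    return legacy_equal and not modern_equal


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, probe)))  # 3
    print("safe lookup rows:", len(lookup_safe(db, probe)))  # 0
    print("reuse visible only in legacy column:", password_reuse_visible(db))  # True
```

The two lookups run the same SQL text against the same table; the only difference is whether the username travels inside the statement or as a bound parameter, which is the whole fix. Likewise the two hash columns store the same passwords, but only the salted one hides that two users chose the same string.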

Anonymous 0 Comments

Systems are like a house. They all look different but they have things in common.

For instance if I wanted to mess with someone’s plumbing, I don’t know where exactly it is, but I know what it looks like, where it is in other houses, and most importantly what it needs to function (ie a toilet or drain). At that point it’s a mix of trial and error/“I wonder if…” until I find it.

Anonymous 0 Comments

Like graphing calculators and math you don’t actually have to know how things work to get the answer.

Once a math equation is solved (vulnerability is discovered) that equation is added to a calculator (automation tools).

Bad actors (script kiddies) can use calculators (automation tools), to find math answers (vulnerable software).

ELI15:
Once an exploit has been identified it’s added to a public list of common vulnerabilities and exposures (CVE). That CVE list is maintained and used to identify other instances of that vulnerability in different programs.

As a known CVE ages, that additional time allows bad actors to create more automation tools that can exploit the vulnerability. Those automation tools are then distributed. That’s how you get script kiddies: bad actors without the actual knowledge of the exploit but using automation tools that allow them to exploit without knowing how it works.

This is why older systems missing older patches are more susceptible to hacking. Nowadays any program that can be reached by the internet can be crawled by automation tools (bots) and tested for the presence of known CVEs.

We use Enterprise tools to discover them, determine the risk score (chance of being exploited x damage if exploited), and patch/remediate before the bad actors do.
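The discover, score and prioritise loop described in the last paragraph, as an added example in Python that is not the post's own or any vendor's tooling: a small advisory list is matched against a software inventory, each hit is scored as chance of exploitation times damage if exploited, and the findings come back sorted so the worst goes to the top of the patch queue. The CVE identifiers here are placeholders of the form CVE-0000-000N, and the products, versions and scores are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve_id: str        # placeholder identifier, constructed for this example
    product: str
    fixed_in: str      # first version that carries the patch
    likelihood: float  # 0..1 chance of exploitation (public exploit tooling = high)
    impact: float      # 0..10 damage if exploited


# Constructed advisory feed standing in for the public CVE list.
ADVISORIES = [
    Advisory("CVE-0000-0001", "webserver", "2.4.10", 0.9, 9.0),
    Advisory("CVE-0000-0002", "webserver", "2.4.30", 0.3, 5.0),
    Advisory("CVE-0000-0003", "dbengine", "10.5.0", 0.6, 8.0),
]

# Constructed inventory: what each host reports as installed.
INVENTORY = {
    "host-a": {"webserver": "2.4.7", "dbengine": "10.6.1"},
    "host-b": {"webserver": "2.4.12", "dbengine": "10.4.2"},
}


def parse_version(version):
    """Turn '2.4.10' into (2, 4, 10) so that tuple comparison orders versions
    numerically rather than as strings ('2.4.10' > '2.4.7' as numbers)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed, fixed_in):
    """A host is exposed if its version predates the first patched release."""
    return parse_version(installed) < parse_version(fixed_in)


def risk_score(advisory):
    """Chance of being exploited times damage if exploited, as in the post."""
    return round(advisory.likelihood * advisory.impact, 2)


def find_exposures(inventory, advisories):
    """Return (host, cve_id, installed, fixed_in, score), highest score first."""
    findings = []
    for host, software in inventory.items():
        for advisory in advisories:
            installed = software.get(advisory.product)
            if installed is not None and is_affected(installed, advisory.fixed_in):
                findings.append(
                    (host, advisory.cve_id, installed, advisory.fixed_in, risk_score(advisory))
                )
    findings.sort(key=lambda finding: finding[4], reverse=True)
    return findings


if __name__ == "__main__":
    for host, cve_id, installed, fixed_in, score in find_exposures(INVENTORY, ADVISORIES):
        print(f"{score:5.2f}  {host:8}  {cve_id}  installed {installed}, fixed in {fixed_in}")
```

The version parser only handles dotted integers, which is enough for the constructed data; a real inventory needs a scheme-aware comparison (distribution epochs, pre-release tags) and the likelihood field would come from an exploit-availability feed rather than a constant.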

Anonymous 0 Comments

Application security is like physical security of a building. If you leave a window open bad actors can get in easily.

Instead of open windows, software developers frequently code software in ways that can be easily manipulated, or that introduce easily exploitable vulnerabilities.

Companies hire security guards to go looking for open windows and hope they discover them before bad actors do.

Anonymous 0 Comments

ELI5 Edition: Protecting a computer/network is like building a brick wall around your castle. You need to have all of the bricks secure and stacked properly so your wall will be strong and keep out intruders. Intruders (hackers) only need to find one weak brick out of the thousands of bricks that you put in the wall, break that brick, and it all comes crumbling down. Now they’re in your castle.

ELI10 Additional information: There’s TONS of ways to break a brick. Maybe a hammer, sure! Maybe you need to freeze a brick with liquid nitrogen, then hit it with a hammer and it breaks. Maybe the brick is strong, but can be dissolved in water. Or acid.

Hackers have giant toolboxes they use that have all the equipment they need to test for what types of bricks are in the wall, and then they’ll know if they have any ways to break any of these bricks. Some toolboxes you can find laying around for free (metasploit). Others might be super secret that no intruder wants to ever let their secret get out. Sometimes intruders even steal tools from other intruders!

Now to be smart and sneaky, they don’t go around banging on all the bricks and throwing acid everywhere just to see what sticks. That would be too noisy and you, the person in the castle, would probably hear them and try to fight them off. Instead, they’ll very methodically run some tests on all the bricks and see if anything comes up. It could take lots of time to run all these tests, but if the jewels in the castle are really pretty, it’s worth the wait. Finally, if/when just ONE of their tests comes back with a known way to break it, that’s all they need, and they’re in your castle. (This is penetration testing)

And now for how they actually come up with these ways to break a brick? Patience, knowledge, creativity, and more patience. Some mad scientist, who has studied bricks very heavily, sat in a lab with a brick and tried every way he possibly could to come up with new ways to break a brick. He’ll try to heat it up, sing to it at just the right pitch, turn it upside down three times under a full moon. Maybe he even tried to go to the brick maker and blackmail him. “Put this secret powder in your brick batter or I tell your wife about your ‘poker night’. Don’t ask any questions!” Then the mad scientist has a special chemical that reacts with the secret powder and blows up!

Sometimes the mad scientist has a particular castle in mind when he’s working with these bricks, other times he just went to the brick store and bought their 100 most popular bricks, just to see what he could do. If he’s a “good” mad scientist, he’ll tell the people in the castle that their bricks are weak and they should fix them. But if he’s not, he might try to break in himself, or sell his new brick breaking method to someone else, or maybe he just tells everyone about it on Reddit because he likes to see the world in chaos!

Anonymous 0 Comments

My background: A guy who has worked with computers for about 27 years and in the computer industry for nearly 15, with an interest in video game speedrunning and console hacking.

A lot of exploits are found through understanding how technology works, previous experience, and trying a few different things to see what sticks. A recent example I saw was how to hack a Nintendo Wii Mini. They were able to exploit the console via the Bluetooth stack (software which handles the controllers).

They did this by looking at the Wii (which has been hacked for more than a decade) and realizing that the Bluetooth stack for the Wii / Mini was also the same one used by Android phones. So they got the source code (which Google published, because open source), and went through it, looking for code that, if sent something unexpected, would act strange.

Once they found some code that acted strange when fed unexpected data, they sent it carefully crafted data and a carefully written program so that when the Wii Mini crashed over the data, it would run the program it was sent, which was just a program designed to run another program on the inserted USB stick.

So most exploits follow this method. People (researchers, malicious people, curious people) send unexpected data to something (a website, a computer program, a phone, a video game console) and see if the thing trips up. If it does, they send different data and see if it trips differently, and they then try and make it trip up in a specific way so that it’ll get confused and run whatever you tell it to run.

The really, really advanced hacks (such as breaking encryption) can be done using really cool methods, like timing how long it takes to encrypt / decrypt something and finding weaknesses in how those things are encrypted / decrypted.

But don’t forget, if you want to hack into a system, the best way is usually the most low-tech way. People will write their passwords on post-it notes (or tell you in the middle of a packed room) or a cleaner will let you into a room if you pretend you’re a contractor, or you can just [buy a wrench](https://xkcd.com/538/).
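The "send unexpected data and see if the thing trips up" loop from this post, as an added example in Python that is not the post's own code and has nothing to do with the actual Wii Mini research: a toy length-prefixed message parser that copies however many bytes the header declares into a fixed 16-byte buffer without checking (the Python stand-in for an unchecked copy that crashes), a hardened parser that validates the length first, and a small seeded mutation fuzzer that feeds both of them variations of one valid message and records which inputs cause an uncontrolled failure. The message format, seed message and mutation strategy are constructed for the demo.

```python
import random

MAGIC = 0x42      # first byte of every valid message (constructed format)
BUF_CAP = 16      # the fixed-size buffer a careless parser copies into
SEED_MSG = bytes([MAGIC, 5]) + b"hello"   # valid message: magic, length, payload


def parse_unchecked(data):
    """Trusts the length byte: copies that many bytes into a 16-byte buffer.
    A length above 16, or longer than the input, walks off the end (IndexError),
    the Python analogue of the crash the post describes."""
    if len(data) < 2 or data[0] != MAGIC:
        raise ValueError("bad magic")          # controlled rejection
    length = data[1]
    buf = bytearray(BUF_CAP)
    for i in range(length):
        buf[i] = data[2 + i]                   # no bounds check on either side
    return bytes(buf[:length])


def parse_hardened(data):
    """Same format, but the declared length is checked against both the buffer
    capacity and the bytes actually present before anything is copied."""
    if len(data) < 2 or data[0] != MAGIC:
        raise ValueError("bad magic")
    length = data[1]
    if length > BUF_CAP or 2 + length > len(data):
        raise ValueError("length out of range")  # controlled rejection
    return bytes(data[2:2 + length])


def outcome(parser, data):
    """'ok', or the name of the exception the parser raised."""
    try:
        parser(data)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


def mutate(seed_msg, rng):
    """Apply one to three random edits to a valid message; keeps at least two bytes."""
    m = bytearray(seed_msg)
    for _ in range(rng.randint(1, 3)):
        roll = rng.random()
        if roll < 0.4:                                   # overwrite one byte anywhere
            m[rng.randrange(len(m))] = rng.randrange(256)
        elif roll < 0.7:                                 # aim at the length field
            m[1] = rng.randrange(256)
        elif roll < 0.85 and len(m) > 2:                 # truncate below the declared length
            del m[rng.randrange(2, len(m)):]
        else:                                            # append junk
            m.extend(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(m)


def fuzz(parser, seed_msg, iterations=500, seed=1):
    """Feed mutated messages to a parser; return inputs that failed in an
    uncontrolled way (anything other than the parser's own ValueError)."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed_msg, rng)
        result = outcome(parser, case)
        if result not in ("ok", "ValueError"):
            crashes.append((case, result))
    return crashes


if __name__ == "__main__":
    unchecked = fuzz(parse_unchecked, SEED_MSG)
    hardened = fuzz(parse_hardened, SEED_MSG)
    print(f"unchecked parser: {len(unchecked)} crashing inputs, first: {unchecked[0]}")
    print(f"hardened parser: {len(hardened)} crashing inputs")
```

The fuzzer treats the parser's own ValueError as a correct rejection and only counts surprises, which is the distinction a researcher is looking for: the hardened parser still says no to garbage, it just never does so by falling over. In a native codebase the equivalent crash would be a memory-safety fault rather than an IndexError, which is why the post's "crashed over the data" step is the interesting one.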

Anonymous 0 Comments

Play around with the code or website until you find cool stuff.

Simple example – search the source code for Steam and you’ll find a list of banned words…

Anonymous 0 Comments

Hacking basically requires a lot of Research on the targeted system, Reconnaissance of the target, and trial and error.

If somebody wants to hack Kanye’s Twitter password, they could google if somebody happens to know Kanye’s password (research), look over Kanye’s shoulder when they type it in (reconnaissance, “shoulder surfing”), or create a password cracker that runs through all of the possible passwords (trial and error). They can research and develop malware that can control Kanye’s device and then you can look up where the passwords are stored, all of which requires research into what kind of phone Kanye has.
Fact is, a lot of basic hacking tools are readily available from reputable companies as penetration tools.
Hackers good and bad are motivated to find vulnerabilities in just about every computer system on the planet (research and trial & error). They poke at a given system, seeing what inputs give what outputs, and see if any of them can give higher privileges. When a vulnerability is first discovered, that’s called a “zero-day” hack. Developers need time to patch these and some consumers may not update their systems when the patch is published.
Fact is, just about every computer, language, networking protocol, etc. was built with security as an afterthought, and as a result most security measures are built on top of these insecure systems.