Virtual attack boxes meet hacktivism


Over a decade ago, whenever I wanted to test new malware or explore a new attack vector, I always executed them in the wild. I searched for vulnerable computer networks by exploiting weaknesses in remote desktop protocols and then executed. I didn’t consider the maliciousness of my research methods until it all caught up with me.

As most nights went in my early 20s, I sat in my dark living room at my bank of computer monitors, listening to The Prodigy or Pendulum, which thumped out war beats through my headphones. I was whacked out on caffeine but fueled by bad ideas.

Even while my neurons were firing like racing pistons over the excitement of exploring a new technological landscape, I had no foresight into what I was doing or whether or not my experiments would have any real, lasting negative impact on the victims. I didn’t see people or think of them as victims because I could only perceive the machine itself, the goal, the target, and the reward of gaining knowledge.

I didn’t mean anything malicious by it. I just wanted to know. I thrived on intrusions and relished gaining understanding during my work as a blackhat. This is why I saw computer systems as puzzles to solve, even during malware research when I executed nasty executables and sometimes even crashed systems.

I didn’t create any system restore points for them. I just double-clicked and released the payloads while observing from the safety of my home base as it unleashed, satisfied that the malware was working and that their antivirus program hadn’t detected it.

Virtualizing attack labs

After I had served a lengthy prison sentence, I had ample time to reflect on these things and the dark path I had traveled on for so long. Simultaneously, it changed my perspective on how I would experiment and explore systems in the future.

Well, not illegally this time.

This often puts me in an interesting juxtaposition. Whenever someone asks for remote systems to test their malware on, this is when I bring up the importance of using VMs. That’s because they’re ideal attack boxes, which provide the most optimal environment for exploring and testing new attack vectors – without the consequences or the possibility of causing damage for no justifiable reason.

Moreover, back in the day when I was at the pinnacle of my skills and hacktivities, we didn’t really have any educational and training resources outside of our own hacking communities. I mean, don’t get me wrong, to this day we still have HackThisSite, which was, and still is, an excellent training platform, but the point I am trying to make is that it was a different era.

Nowadays, online training sites such as HackTheBox and TryHackMe are but a couple of educational platforms amid a sea of training services to help set people on the right career path. They provide preconfigured deployable virtual machines straight from the web browser, allowing instant access to labs. Another great feature they offer is Capture The Flag (CTF). If you’re competitive and enjoy a little tournament, then this is right up your alley.

While I advocate for aspiring hackers to use these services to insulate themselves from the possibility of getting caught doing something illegal while learning or exploring, I prefer something a little more rugged, organic, and familiar.

VulnHub

Welcome to VulnHub. The site reads Vulnerable By Design. As soon as I stumbled up it, I knew I’d found my vice. The website features a library of vulnerable virtual machines, each with its own unique environment, while simultaneously existing as CTFs. These VMs are like games, while not being games in the conventional sense.

The old me would have popped open Metasploit framework and scanned an external IP range, or an entire country’s IP netblock for that matter, and possibly spent days trying to uncover a machine I could take over.

If being a former blackhat hacker could be the equivalent of being a recovering alcoholic, VulnHub is equal to non-alcoholic beer. It meant that all I had to do was download VirtualBox, select the type of vulnerability environment I wanted, and then go to work using my scanning, enumeration, and network penetration testing tools. That’s just a fancy phrase for hacking tools.

#OpNewBlood training modules for hacktivism

Vulnerable VMs are ideal training modules, especially for hacking groups involved in #OpNewBlood, an initiative for training and educating newcomers who want to adopt hacktivism ideologies and learn hacking techniques so they can participate alongside others in live operations.

However, there’s a critical issue with #OpNewBlood which fatally poisons the movement. Most of the teachers within the Anonymous Collective do not spend enough time helping eager minds how to differentiate between targets and victims. The need to prove one’s worth and impress their companions while making a name for oneself seems to override the ability to reason.

Therefore, fledgling hackers end up using the internet in the same way I once did. They learn how to attack anything, even if it has nothing to do with the goals of the operation they’re participating in. So, while they are supposedly fighting to liberate others, they’re attacking businesses, bank accounts, and other online assets, which is contrary to any just cause.

That is why cybersecurity and hacker training websites agree that using virtual attack boxes is critical. With virtualization, we can minimize the potential of causing unnecessary damage to computer systems caught in the “proverbial blast radius” of unskilled and easily impressionable upcoming “hacktivists,” who get their hands on powerful tools but don’t know how to use them skillfully.

The urge to hack is like a reflex, especially when I see injustice in the world. Even after spending over a decade in federal prison for hacking. I can’t help what I am or why it is a fundamental part of who I am.

However, I can control what I do while practicing and training within these virtual machines. I can learn new techniques and pick up new skills along the way. More importantly, I can still be the hacktivist that I am while not abusing the public.