/ devops

Top Tips For Getting Hacked

Here is a step-by-step tutorial for anyone who would like to get hacked.

  • When you install OSMC on your Raspberry Pi, be sure to leave the default user as osmc and the password for that account as osmc
  • To make sure that hackers can gain access to your Pi, make sure that you don’t configure password logons (and certainly don’t enforce them)
  • To save hackers having to scan all of your ports, be sure to leave SSH running on port 22
  • Remember: unless you set up port forwarding on your router, your Pi will only be accessible from your home network. Configure port forwarding to make sure that anyone trying to access your Pi remotely can do so
  • Wait until you log in via SSH yourself to see whether anyone has accessed your Pi. You’ll know when you log in and your Pi says that the last log in was from Italy
  • For bonus points, make sure to keep a bitcoin wallet somewhere on the Pi. Make sure it’s called ‘wallet.dat’, otherwise the hackers might not find it
  • If you are super eager to get started, why don’t you try to find an IRC bot written in Perl. Maybe it could be base 64 encoded and wrapped in an eval statement just to obfuscate it.
  • If you can’t find one, you could pop over into a quiet IRC channel where all the members are named Hack-1234 and see if anyone with a real handle can help you.
  • Don’t have any form of login monitoring set up on your servers.

Clearly, I would never be so stupid as to try any of the above, but theoretically, if I had, I would perhaps have changed ports, passwords, enabled (and enforced) key-based SSH sign on, and maybe I’d have set up the following in /etc/ssh/sshrc

ip=\`echo $SSH_CONNECTION | cut -d “ “ -f 1\`  
host=\`hostname\`  
ifttt= #IFTTT Maker key  
curl -i -s \  
-H “Accept: application/json” \  
-H “Content-Type:application/json” \  
-X POST — data ‘{“value1”:”’”$host”’”,”value2":”’”$USER”’”,”value3":”’”$ip”’”}’ \  
https://maker.ifttt.com/trigger/login/with/key/$ifttt > /dev/null