Hands on Hacking training: Hacker House

By | August 21, 2017

4 days learning from industry leaders:

I recently attended a four-day intense Hands on Hacking course in Manchester, hosted by Hacker House. If you’ve not heard of the company, chances are you’ve heard of the founders: Jennifer Arcuri and Matthew Hickey, both of whom are respected InfoSec professionals who not only have many years’ hacking experience under their belts, but also promote the hacker spirit of learning and sharing.

It was an intense 4 days!  The pace was just about right; certainly not too slow but at times, mainly when discussing a tool or technique that I’d never encountered before, there was frantic scribbling of notes whilst keeping one eye on the screen and one ear on our tutors.  Saying that, we were reminded constantly that if we had questions or weren’t sure about a topic we were covering, we should ask.  It’s not a course that’s full of unnecessary padding and reviewing bloated slides – everything that we covered was relevant, on topic, and essential to our learning.  I’ve been on numerous courses over the years that could have been delivered more efficiently by cutting out meaningless slides and diagrams, the sort of content that bores delegates.  The Hands on Hacking course provided by Hacker House doesn’t need any padding because they’ve included so much.

Course materials

Every delegate receives the following:

  • Printed course slides (it’s huge!)
  • Reference guide
  • Notepad
  • Virtual Machines

I’m not going to drill down into the specifics of each module (no spoilers 🙂 ), but they cover the following topics:

  • Legal
  • DNS
  • Mail
  • Web fundamentals
  • VPN
  • NAS
  • UNIX
  • Database
  • Web applications
  • Windows
  • Passwords

A quick note about the reference guide: it’s applicable to all the labs that we participated in, but it’s something that will sit next to me for all InfoSec engagements, as it’s got plenty of useful pointers and reminders in the same way that the Red Team Field Manual does, but with a few extra bits in there. Some of them are definite epiphany moments that solve in one line what I’ve previously spent ages swearing at 🙂 The inside cover of the notepad also has useful content that you’ll turn to at some point during an engagement.

Each module would begin with Matthew reviewing the slides and adding a ton of extra information about the subject matter, before running a demonstration of the lab that we would undertake.  This demonstration was a really good addition, as it highlighted any areas that you were already familiar with, and gave a good indication as to where you might have knowledge gaps, so you could prepare accordingly.

This usefully leads me to talk about the practical labs.  Each module finished with delegates running their own simulated attack against a virtual machine that we’d each installed on our laptops.  I have to highlight here just how much work the Hacker House team have put into these virtual machines.  I’ve attended other courses where the practical lab section was a case of “here’s an old version of software, see what you can do”.  The Hacker House labs have a back story built in, every VM is configured with the software that we’ve covered in the module, and is designed with varying levels of vulnerability, so that you start off easy (and hence you will have success in your attack) which is ideal for increasing your confidence as you progress.  It would have been easy for Hacker House to throw us into the deep end, but this structured and measured approach means that you saw immediate progression and a real feeling of achievement.  It also meant that as you made your way through the module lab, vulnerabilities and exploits became progressively harder – a great way to remind attendees that InfoSec engagements are never going to be plain sailing.

Another really great feature of the labs is that the vulnerabilities and exploits cover a wide range of time.  We had exploits that were a few years old but are still out there in the public domain (people who don’t patch are the people that keep us busy 🙂 ) through to exploiting a VM using the latest tools; anyone who followed Matthew’s weekend of manic tweeting when the NSA tools were leaked will love this feature of the course.

During the practical labs Matthew and his fellow course tutor Dragos Donici (Lead hacker at Hacker House) were on hand to help out when we ran into a problem, answer all our questions, and provide extra information and anecdotal responses to everything we threw at them.  I can’t stress enough how their knowledge of the course material and the InfoSec industry helped us all through each module.

The best thing about the labs?  Every attendee takes all the VMs home with them, so you get to continue practicing and learning afterwards.  All too often course VMs are restricted to use only in the labs of the course provider, which is incredibly frustrating when you’ve completed a course and want to revisit an area of study. It’s also clear to see that the VMs and labs have been thoroughly tested, meaning that attendees didn’t have to worry about labs not working, or further configuration being required before starting the labs.  I recently attended and paid a lot of money for some training with another training company where the VMs used in the labs were under-tested, poorly configured, or just plain didn’t work.  Hacker House have set the bar high now; their model could be used to show other educational companies how to put a course together.

So, now you’re hopefully interested in attending one of the Hacker House courses, but maybe wondering at what level of hacking, penetration testing and InfoSec you’ll need to attend.  I think if you had a rough idea what the industry was about and wanted a good way to quickly get a solid introduction to it all, then you should attend, but the people who will really benefit are those with some experience of the tools and methods – you’ll certainly complete the course in a position that will put you above a junior penetration tester.  If you’re familiar with the core hacking tools and have a solid understanding of network, web, database and IT infrastructure, you’ll find that this course will change how you look at and approach your hacking engagements; I’ve found that after this course my approach has changed and is now more efficient, logical and effective.

Finally, the course venue is ideal; we spent 4 days at Mad Labs Manchester, a great location, really helpful staff, plenty of space, and amazing lunches! Hot and cold drinks throughout the day, pastries in the morning and cakes in the afternoon meant that we were never hungry or flagging.  If that wasn’t enough, we all received a Hacker House t-shirt, and a few of us also bought the infamous Hacker House Hoodie. I can confirm that it’s very comfy, my cats can confirm that too 🙂

I can see this course being in high demand very soon; it’s great value for money both during the course and with the materials you’ll take home, and you’re being taught by a team that are incredibly enthusiastic about teaching hacking tools and methods, and growing the InfoSec community.  You have access to a team with a great hacking heritage who are at the cutting edge of what they do.  I suspect you’d be hard pressed to find a better course, so if you have the chance of attending, you should.