Photograph via snooOG

Welcome! r/HowToHack is an open hacker community designed to help those on their journey from neophyte to veteran in the world of underground skillsets. Ask, Answer, Learn.

Visit us on discord


HowToHack Community

3rd Party Links

3rd Party Challenges

Related Subreddits:

Security Advisories


Download Linux


We teach you how to do it, use it at your own risk.


417,528 Subscribers


Need constructive advice

TL;DR I’ve screwed myself and not sure where to really start learning hacking

I know this has probably been asked to death, however, I feel like my situation is a bit different from most. This will possibly be long, and for those that read it all, thank you. Before I begin, I know this post will color me as lazy. I know full well I screwed myself in some ways.

I am currently a Linux SysAdmin. On paper, I look like I really have a lot of knowledge and experience. I have my Sec+, Linux+, and even CEH (more on that in a bit). However, in reality I know just enough to do my job. I have not kept up with new technology, new software, because I honestly did not have to. Hence where the lazy plays an important part. My work environment does not really have the need for me to alter it in order to learn things, and some things need internet which my environment does not have.

I had to have my Sec+ and Linux+ for my job. Linux, I knew ok already, but I had to study for Sec+ and ended up failing my first exam. I studied what was on my first test to pass my second exam, and in all honesty learned nothing. It’s not that I didn’t try to learn, it’s I had no real world frame of reference, nor really anyone to ask questions to or bounce ideas off of. This wasn’t so much lazy at the time, but more desperation since I did not want to lose the job. However, I will admit not following up afterwards and trying to really learn things was out of laziness.

I learned my job well. I can pretty much take care of any issue that happens at work. I will admit there is nothing fancy as far as programs or configurations go. I work in an airgapped environment, so I have also used that as a security posture thinking I’m safe from really 99% of threats minus the possibility of an inside threat. It may be naïve of me, but I don’t see that being an issue given my knowledge of my coworkers.

Last year, I decided to start learning something and hacking was something I had always been interested in. I got work to pay for a CEH bootcamp. I attended classes, asked questions, really tried to learn things. However, I soon realized it was a waste of my time. The class was mainly the instructor telling us how great of a hacker he was, showing us advanced things we couldn’t try to do, and not really explaining what he was doing or why it worked. The “labs” were basically follow the directions, and check the box. Everything was created to be easily exploited using Metasploit. They had “practice exams” which we were even told, memorize the questions and answers and you’ll pass the test. Sure enough, I passed with flying colors, but still not feeling like I really learned anything.

So now I have all these certifications but have no knowledge. I don’t really know much in the way of actual cybersecurity. I have forgotten almost all of my Windows knowledge since I don’t ever use it. I know only the most basic of networking, because again, I never had to and I would not have anyone to mentor me. I have tried several times to honestly learn hacking. I have tried different sites with different degrees of success. I’ve only been a script kiddie with the few successes I have had. I genuinely want to learn this.

So, my question to you all is where should I really start? I know I'm the type to need not only hands on training, but someone I can ask questions to, a mentor of sorts. I’ve heard mixed reviews about using Kali or Parrot. Some saying use the tools they have, while others say those OS’s are overkill and most tools will never be used. I know Linux, so should I start with Kali and learn what I really need and use, or should I start with a basic distro and add to my collection as needed? AFAIK, there are no local groups in my area to join to aid in my learning.

Again, I know my laziness has been an issue for me on most likely some core skills. Part of me feels too old (48) to go back to learn those and then in a few years try hacking. So I’d appreciate any constructive advice as to where to really start. For those that read this all, again, thank you. I know what my flaws have been and I want to start correcting them.

17:06 UTC


Am I a script kiddie?

Hello all,

I am 14 and i am learning ethical hacking through TCM security. I find it so fun and so interesting. However, now and then, i would question if i am a script kiddie. I heard people are script kiddies if they don't code their own tools, exploits and all of that. I can understand python scripts but I can't code them, i just don't know how to start. I am planning to do lots of courses related to python for hackers and more. Am I a script kiddie if I can't code well but i can understand scripts, understand techniques (Like IPv6 DNS takeover attacks, LLMNR poisoning, mainly AD attacks) and tools and how they work? I am determined to be a very good ethical hacker, I have like 20 over courses all related to ethical hacking, i want to be sort of all-rounded at this.

I am very sorry, I am just a bit scared and I don't want to become a script kiddie when i am older. (I want to pursue ethical hacking as a job)

04:56 UTC


Packet Capture tool that can carve packets from Memory dump

Looking for a packet capture tool that can Carve packets from memory dumps - COmmercial or free is fine

1 Comment
13:41 UTC


Apple Notes password help

I created a password to lock my apple notes on my iphone, but forgot the password. it is 37 characters long, with mostly dictionary words, symbols, and one number. i know many of the words in this password but just can't remember the order/capitalization of some of the words. I know for sure the last 11 characters. If i get the hash of this password, is there anyway to figure out the password in a reasonable amount of time? Thank you in advance.

12:44 UTC


Jamming bluetooth network (for school project)

Hey guys lately I'm looking into trying to jam a Bluetooth connection as a school assignment, but I can't really find a good way to do it.

For information I'm using a raspberry pi 3b+ with a TP link wifi antenne, will it be possible to do it with this hardware?

17:38 UTC



I am learning hacking and it really amazes me at how much things you can do. But i have a few questions about IPs: what is a list of things you can do with an ip? can you flood even if there are no ports open ?

20:12 UTC


How does one come to terms with the fact that every pentesting distro(be it Kali, Parrot, Black Arch, Back box etc) come with hundreds of tools that you would probably NEVER use.

I mean imagine all the bandwidth that gets wasted each time you install, update or upgrade your pen-testing distro of choice. It's just annoying(for the lack of better words).

I have my 15-20 tools that I use, of which there are 7 or so I frequently use(or frequently enough). The remaining 120 or so tools I never use.

Edit: Because I ended up listing the tools that I use(because someone asked) I am posting them here as well. I use more then 7 tools(I also said I use 15-25 tools before I said I use 7 most frequently). I use Burpsuite, NMAP, OwaspZap, Wireshark, SQLmap and various other "maps" like LFI map, RFI map etc, WFUZZ AND FUFF, Greenbone, Metasploit and probably a few others. I use NMAP and Burpsuite the most perhaps. 90 percent of the time I am pentesting, I am using NMAP or Burpsuite.

Edit2: OwaspZap, not OpenVas.

09:27 UTC


Edit a Windows Registry Editor key without admin privileges

Hi, I own a business PC and need to modify a registry key. I would like to know how I could do it, in the PC I have at least one local account with administrator privileges whose password the ICT technicians of the company have.

I know that with Kali or maybe even Hiren's I could reset the password but that is not what I need, in my case I would have to find out the password in question.

This is not an invasive change, it is a way to allow me to use 4K resolution on my external monitor, a feature that DELL has disabled with the new drivers but it seems reactivatable by going to enable DSC via registry editor.

Alternative: find a way to edit that registry key without using administrator accounts.
I should add that: I have the BitLocker unlock key so, even after booting any live USB, I have a way to unlock the PC.

09:06 UTC


Learning Aggressor Script

Going to give a quick synopsis on my history with pentesting before posing my question.

I've been pentesting for about a year. I've gone through the joint cyber analysis course, and my understanding of the way exploits work is pretty surface level, but I'm working to improve it. I'm fairly familiar with cobalt strike. I'm currently working to develop a script for it but I'll be honest my knowledge of scripting is the most basic of surface level (basic python and Powershell).

I want to learn Aggressor script but I'm not entirely sure where to start. I have cobalt strike's official documentation, sleep's official documentation, and a video by cobalt strike's creator. But tutorials outside of that are very sparse, and I don't really have anyone to teach me where I work.

03:25 UTC


JTR not coming back with password

So I’m trying a crack me but I can’t even get the password into the zip file. I can get the hash with John the ripper but it doesn’t come back with a password after using the default and rockyou wordlist. Is it because it’s not in there? How can I go about this. I would use hashcat but my pc just won’t let me do that

22:46 UTC


Nmap Issues

Whenever I attempt to scan a certain network or box I am always forced to use the -Pn flag, futhermore I am not getting the same results as others when running the commands, am I missing something?

22:45 UTC


SQLi and String Concatination

I am going through Portswiggers SQLi course and I am understanding all of it beside one very small part that I can seem to understand, and I don't recall there being an explination in the course. An example I can use is when I am doing time delay. The lab is to delay the response by 10 seconds. you are using a PostgreSQL data base so I have to use pg_sleep(10). So I write the command

' AND pg_sleep(10)-- or ' AND (SELECT pg_sleep(10))--

In my head the backend query is something like

SELECT user WHERE trackingID='sdgjnef' AND (SELECT pg_sleep(10))--

The actual solution is

' || pg_sleep(10)--

So I imagine the backend being

SELECT user WHERE trackingID='duonbgfe' || pg_sleep(10)-- which when executed would look like

... duonbgfepg_sleep(10)--???

I am confused by this because when I google what string concatination does it says it puts two strings together, which I understand, but pg_sleep(10) is not a string because it is not in quotes, it is a command that I want to execute. So why is || the correct way to inject the payload? and why is the way I did it not correct.

Thanks for any input

21:37 UTC


Need help cracking these NTLM hashes

I am trying to use John the Ripper to try and crack these hashes but have no luck. Whenever I run the main password part of the hash, for ex: (14E2D0639CC19212EE7A1F2EE95B2304), I am met with no results when I put it through JTR. I am using the command (john --format=nt --wordlist=/usr/share/wordlist/rockyou.txt pass.txt). Please let me know if you require more information. Any advice and help would be greatly appreciated.

06:53 UTC


Reverse tcp shell

If you think you are friendly just jump directly to ,, Problem ,,

I don’t know if this question is getting asked often or not, and if so I don’t care and please don’t tell me how often you already had to answer it, thank you.

Problem: I want to access a computer outside of my network ( public ) to test and learn about reverse tcp shell ( I am allowed to test it with a friends computer ). So I made a payload with msfvenom then put it through scarecrow to make it evade the windows defender ( yes I know chimera exists but I don’t know how to use it yet ) and then I started the exploit/multi/handler with the same payload and then put a random port ( 443 ) and my ip address into it ( kali Linux vm ware machine ). But after I started it I couldn’t start anything, the only thing that displayed was ,, couldn’t bind with ( ip address ) ,, and I tried my best to solve the problem. After some trying and etc. I found out that I couldn’t use public ip addresses with the multi handler it only accepted local ip addresses

Question: What do you think is the problem that my multi handler doesnt work with public ip addresses, only with locals and how can I solve it? And what do I need to do with the ports, should I open them in my router ? Because I already did and it didn’t work? And how would I do it with ( multihop ) VPN, which port would I need to use?

And for both scenarios, what LHOST and LPORT would I have to put in my payload then ?

It would be nice if someone is up for an 1 to 1 talk with me or smth like that ( in a chat or smth like that ). And thanks to everyone who tries to help me.

Best regards

01:19 UTC


Hydra question

When using hydra for a form brute force my question is when getting the request body for the form it has " in it. Do I need to escape these somehow? I.e. request body looks like "{"method":"login","user_login":"^USER^","password":"^PASS^"}" I did google search and all tuts I found have the generic username=^USER^&password=^PASS^ examples. Tried some different variations and got some false positives which I read could be due to bad syntaxes. Any help appreciated. Thanks

19:08 UTC


How do hackers bypass account lock after too many failed login attempts?

im a newbie and i would like to know how hackers bypass account lock while using bruteforce password guess tools?

13:09 UTC


What language are .bin's written in?

I understand this is a basic question, so thank you for your patience.

I'm learning Python, and it's great, but I have to type "python3" anytime I want to run a script - and what if I'm ethically hacking a network, and I get a shell, but the server doesn't have Python installed? Am I just supposed to do everything manually like a caveman? So, here's my question:

Is it fair to say that anything I can do in Python I can do in c? And wouldn't I be able to compile a c script on pretty much any Linux server using the 'gcc' command? And if that's the case, why would I prefer Python to c, if I'm already proficient in c?

(To be clear: I'm not proficient in c... yet... but I am proficient in c++/C#, and c seems like a more appealing target than Python. For context, my primary objective is pentesting and CTFs.)

Any input is appreciated - thanks again.

00:15 UTC


Learning with Portswigger Academy

Hi, so I'm starting to learn web app hacking and currently working through Portswigger Academy. The Apprentice labs haven't been too bad so far, but I'm working on one of the Practitioner level authentication labs. Specifically brute forcing a username/password, but having to bypass an IP based restriction that times out after too many failed attempts.

I'm not asking for an answer, but I am wondering how I should be approaching the solution. Right now I'm trying to do research outside of Portswigger in an effort to work my Google-fu muscles, but it seems like overkill since the solution is there on the lab page.

I'm a sysadmin and have been in IT for a little over 6 years now, but have been given the opportunity at work to practice defense and offense and am trying to make the best of it. The defense part comes a lot more naturally, but I'm brand new to the offensive side of things and having imposter syndrome set in.

In summary: is researching for solutions outside of Portswigger overkill? Should I just accept the resources on the lab page when I get stuck (which is frequently so far)?

16:35 UTC


Unlocking a 7Z file

I have a 7Z file that is password protected, and I know what the password is, but the password probably contains a typo since I can’t get into it with said password. Is there any safe software or program that can unlock the file without the password?

13:31 UTC


Inserting mail ware and back doors thru a two step combination

I am always on the lookout for new projects and also inventing my own projects and theories.
My latest “theory “ is on how to insert a back door thru the use of a IR or laser insertion through a closed loop security cameras.
Feel free to correct me at any time. This is just an idea that’s been percolating for a few days. So most big companies have active malware and other virus protection running 24/7 and it’s very hard to insert a program that has malicious intent already written into it. Even physically infecting the targeted system can lead to whatever software running flagging it and bringing it up to the IT department.
But what if a program was inserted that had no malicious code? Would it be flagged? My working theory is that with the right code set up purely benign will be able to sit in the system undiscovered for a short length of time anyway. That’s step one. Physical access to plug in a sub to the local area network. Whether it’s done by Bluetooth connection or usb connection that’s the first thing.
From there I want to be able to use either an IR light or some other light in order to send in the real code through the cctv network.
The first program will take the code sent in thru a Morse code or other similar system through the closed loop cameras and take the info being sent in and convert it to a more substantial back door , access control ect. Now the second set of info being pumped in won’t be an entirely new program , it will just add a little code here and there to the original program (1st insertion) to create the vulnerability needed. We can even make it a 3 step process where instead of the second set of code making a back door , it just opens a small window of vulnerability that will allow access to the local area networks wifi and or Bluetooth. From there the real attack can be commenced.
Now this sounds like a lot todo in order to get that window of opportunity and I’d agree. The point of this is to have everything set up so the actual attack can be timed and orchestrated to have the most success ( ie. When the techs are done for the day, new information has been added to the system, or just a sleeper program for when and if it’s even used.
Ok everyone can now poop on my idea.

15:39 UTC


SQLi Question

I am going through the PortSwigger web courses. Although I just started it seems like a lot of the solutions that I need to complete the labs are not taught in the course leading me to have questions. If there is something I am missing like if there is a subscription to unlock the full course, please lmk, but my questions are


What is the purpose of NULL in this statement? And, what is the purpose of testing for 2 columns using


If the answer to the second question is simple to run the first command that makes sense, but still leaves me with the question of why I need NULL and can't run


Thanks for any input

03:46 UTC


Hashcat mask

Hi guys, i'm using hashcat to broke a 10 digit password, i know the first 6 carecters are upper-case letter or numbers and know the last 4 carecters either, anyone know what mask should i use?

23:42 UTC


What do i need to learn to use ollyDBG

If i knew what c++ was, would everything in the pogram make sense to me because im a complete noob and i wanted to crack this software that was made for cracking practices and i opened x64 dbg and knew nothing. everything looked confusing to me and i was wondering if i needed to know more than just programming. Please tell me anything useful to know.

1 Comment
09:27 UTC


What is the best kali tool to downgrade https to http??

Ive been using hstshijack on bettercap but it isnt really that effective on chrome.

06:02 UTC


One Time Password Bots

Yea.. A dumb question that will make the whole reddit hate me.. So i became interested after a word came from my friends about OTPBots. I google it and looked everywhere to find out how it works and how can i make one by myself. Well my first solution was to find sorce code in GitHub but boy was i wrong. 95% of them were people advertising OPTbots made by themselves, and other 5% was cheap, outdated, full of bugs and errors. I technically know how they work but no, the bots that were advertised were "SPOOFER, CUSTOM VOICES AND TEXT LINES". Like this is so annoying to find 100's of people having the same titles but no way to find one by myself. Any ideas or tips that would MAYBE help me???

20:10 UTC


bWAPP missing the folder "logs"

I've been setting up bWAPP and have gotten to the step where I have to enable admin permissions to the folders "passwords" "documents" "images" and "logs". however, there is no "logs" folder in the directory (/var/www/html/bWAPP/bWAPP). I've also downloaded older versions to see if it was present in them however it was still not there. Am I doing something wrong?

any help is appreciated and got it from https://sourceforge.net/projects/bwapp/files/bWAPP just to make sure I've downloaded it from the correct source

02:42 UTC


Hilook Security Cameras

Greetings everyone, is there a way to hack into the hilook security camera which is connecting to a 4G Wifi Router?! Is it possible for me to deauthenticate the cameras from the network?

18:16 UTC


Why do we need extra software, like PyPhisher, to do what Social-Engineer-Toolkit (SET) does?

I am new into the area and learning about security and network, then came across this doubt. SET already offers a way to clone sites and serve it into a IP, which I personally used only localhost, so why there are so many tools that does it from scratch, without SET. There have been Black-Eye, PyPhisher, Zphisher and some others.

Is it because these tools offer a more direct way to approach the objective? Is it because they already compile several templates together? Is it because they already offer ways to create public URLs to be sent to other people? Or is there something I am totally unaware of?

Personally I don't see the fact of compiling several site templates in one place a reason strong enough to justify building a tool from scratch.

I would very much appreciate if anyone could explain it to me.

Also, I view this type of question as simple curiosity and learning, but if my question violates some rules of the sub, please let me know. I apologize in advance.

18:49 UTC


How do I diy an omg cable?

Couldn't find this anywhere, i don't care if diy-ing it costs more than its actual price or if it's much more work. Is there a way to diy an omg cable? I've already made a rubber ducky diy using attiny85

07:49 UTC


Is recovering EFS encrypted files on a newly built computer possible?

I made huge mistake. I built a new computer a couple weeks ago and moved my m.2 from my old build to my new build. I had to do a fresh install of windows due to driver issues. Wiping out my old data. After installing, everything seemed fine until I plugged in one of my portable thumb drive. I come to find out that one hard drive was EFS encrypted and not bitlocker encrypted. And now I can't access my data due to missing certs and keys that my old build had. I contacted Microsoft about the issue but they told me that I would have to use a third party tool to unlock my drive. They didn't specify a tool due to it going against policy mentioning it. I've searched and found 3 tools that might work but looking at the guides, they all seem to rely on my old system's certs and keys to unlock my drive. So is it even possible to recover my hard drive?

06:01 UTC

Back To Top