[BinarOper]

Forgive me if i am asking too many silly questions as of late, but i am really curious. I mean, the reason why i joined this forum is so i could ask questions.

I haven't really introduced myself but all you need to know is that i am a simple programmer interested to learn more. I like to read about security a lot, but i have never done anything in real life (aside from simple CTF challenges).

It has come to my awareness, from searching deeply and conversing with many people that what i know as "hacking" is very different from reality. In this era that we live in there are many ways someone, a company for example, can fortify their networks, servers etc. to prevent such attacks.
Thus i really doubt that in the real world it is possible to actually gain access to pretty much anything. I don't believe it is impossible, but rather very rare for such thing to happen. Maybe you could do something if you target Mr. Georgie from next door who knows nothing about security, but i think that you would't be able to do much to anyone who has at least basic knowledge.

Since this is a forum about hacking, what do you think? Can a hacker do anything remotely (by that i mean from another network and maybe without physical access) in this age? Can someone who is experienced gain unauthorized access if he really wanted to? How dangerous, or rather how much power does a hacker have?

Thank you very much in advance, and sorry for my spelling.

[Blink]

It is completely possible, although it usually involves social engineering (the real kind, not the bullshit in the section here). You overestimate companies quite a bit too. You'll also have better luck if you write your own exploits.

[mothered]

Provided your questions are on-topic and In compliance with forum rules, there's absolutely nothing wrong with asking for assistance.

I've taken the a key element from your post as follows.

a company for example, can fortify their networks, servers etc. to prevent such attacks

In response to your question, anyone and any entity can be compromised via a combination of technical and social engineering attacks. I've come across (and still do), countless users who focus on having the very best network security systems In place (IDS/IPS, WAFs, 2FA, OTP etc) and believe they're secure from all attack vectors. What about the user operating a given system? How well Is he/she trained In Identifying malicious links via email transmission? All It takes Is a click of the mouse to execute a payload.

How well Is the user trained against social engineering? For example, there's no point In having password policies Implemented (must be changed every 45 days, cannot reuse old passwords, cannot be based on anything that's commonly-used, easy to guess, familiarization, must contain an uppercase, lowercase, special character, minimum length of 10 chars etc) when the user simply hands the password over to (seemingly) a person on the other end of the phone assuming the role of an employee In the HR department.

There's no point In having security cameras In place, when the company's carrier (example UPS) Is not authenticated entry ( building entry code or otherwise) Into the complex. Anyone can slip on a UPS uniform with a UPS parcel, arrive 30 minutes earlier than the real guy and simply walk In- all because the "camera" (seemingly) Identified the carrier.

I've always applied my motto pertaining to social engineering as follows:

T.A.S.K
* Training.
* Awareness.
* Skill Set.
* Know-how.

In closing, from a security standpoint you need to Identify every possible flaw, loophole, misconfiguration, vulnerability and so forth and exhaust all avenues In securing both the technical side of It, and the human firewall (social engineering). From an attacker's perspective, you only need ONE gateway and you're In.

[MrSecurity]

00000000000000000000000000000000=
-

[phyrrus9]

Forgive me if i am asking too many silly questions as of late, but i am really curious. I mean, the reason why i joined this forum is so i could ask questions.

I haven't really introduced myself but all you need to know is that i am a simple programmer interested to learn more. I like to read about security a lot, but i have never done anything in real life (aside from simple CTF challenges).

It has come to my awareness, from searching deeply and conversing with many people that what i know as "hacking" is very different from reality. In this era that we live in there are many ways someone, a company for example, can fortify their networks, servers etc. to prevent such attacks.
Thus i really doubt that in the real world it is possible to actually gain access to pretty much anything. I don't believe it is impossible, but rather very rare for such thing to happen. Maybe you could do something if you target Mr. Georgie from next door who knows nothing about security, but i think that you would't be able to do much to anyone who has at least basic knowledge.

Since this is a forum about hacking, what do you think? Can a hacker do anything remotely (by that i mean from another network and maybe without physical access) in this age? Can someone who is experienced gain unauthorized access if he really wanted to? How dangerous, or rather how much power does a hacker have?

Thank you very much in advance, and sorry for my spelling.

It's awesome that you are here asking questions, for that's the first step you need to take to be able to learn. Thankfully, there are dozens of us here to help you. @"Ender" and I write quite a few good tutorials on the obscure things that are required when you're "hacking", and I suggest you read them. Here's a selection of Ender's:
Mobile Privacy and Security
Rapid Learning
Demistifying the Bitcoin Blockchain
Implementing BrainFuck Data Instructions
and the list goes on. He tends to write about the theory of things you will want to learn, wheras I write about the process and the mindset. I've too many tutorials to link you here, but take a look at my list of them (hosted elsewhere)
Tutorial List


Now, if you want to test your hacking abilities on something that's in the real world, I have a thread just for you: Read this

Good luck

[x n]

Yes, hacking without some sort of physical access or social engineering is still a very real possibility. Things are hacked and exploits are written every day, whether you hear about it or not. Vulnerabilities in huge websites are found constantly (https://hackerone.com/hacktivity), and the ones I'm mentioning only include the ones that people are willing to disclose. Imagine how many private 0days exist compared to the vulnerabilities that white hats inform the companies about.

"Hacking" in terms of unauthorized access of a computer or data isn't so much difficult as it is time consuming. It's pretty comparable to brute forcing, you try dozens of different things until finally something yields an error of some sort, or whatever you were testing returns something it wasn't supposed to. Some people hit the jackpot early with what they happen to choose to test and what they happen to input, and some people spend hours on end trying to find some sign of a vulnerability.

That isn't to say though that anyone can try a bunch of different shit and expect to find a vulnerability, it obviously requires knowledge and experience to know how many and what different vectors/payloads you can use to yield results and to know what to look for that might give off the scent of vulnerability. Different people have different processes that they go through when trying to hack something and some are more successful than others.

[phyrrus9]

That isn't to say though that anyone can try a bunch of different shit and expect to find a vulnerability, it obviously requires knowledge and experience to know how many and what different vectors/payloads you can use to yield results and to know what to look for that might give off the scent of vulnerability. Different people have different processes that they go through when trying to hack something and some are more successful than others.

This is called fuzzing, and it is quite literally just trying a bunch of shit until something interesting happens.

[x n]

It is completely possible, although it usually involves social engineering (the real kind, not the bullshit in the section here).  You overestimate companies quite a bit too.  You'll also have better luck if you write your own exploits.

This post doesn't make any sense. You write exploits after already finding a vulnerability, I don't see how writing an exploit would better your luck or why you'd need luck after already finding a vulnerability.

[Blink]

It is completely possible, although it usually involves social engineering (the real kind, not the bullshit in the section here).  You overestimate companies quite a bit too.  You'll also have better luck if you write your own exploits.

This post doesn't make any sense. You write exploits after already finding a vulnerability, I don't see how writing an exploit would better your luck or why you'd need luck after already finding a vulnerability.

The implication was that you also find the vulnerability, although even with existing vulnerabilities, it can be easier to notice if you use a common payload or exploit.

[phyrrus9]

It is completely possible, although it usually involves social engineering (the real kind, not the bullshit in the section here).  You overestimate companies quite a bit too.  You'll also have better luck if you write your own exploits.

This post doesn't make any sense. You write exploits after already finding a vulnerability, I don't see how writing an exploit would better your luck or why you'd need luck after already finding a vulnerability.

This isn't necessarily true. Almost every piece of code ever written is vulnerable in some way. In that case, vulnerabilities don't really mean a whole lot, since you can always exploit something. The term itself is really just a buzzword for a bug. All code has bugs, some bugs are more useful than others. You write code or input or etc that leverages a given bug to find out if it is useful. This is called a proof of concept, and although it would be an "exploit", it's usually far from the final package you use.