learn to HACK (the best way) // ft. John Hammond
Based on NetworkChuck's video on YouTube.
Hacking skills grow fastest through hands-on practice: Linux command-line basics, then scripting for automation, then repeated CTF exploitation.
Briefing
Hacking is best learned as a hands-on discipline—especially through capture-the-flag (CTF) competitions—then reinforced with practical Linux and scripting skills, rather than through buzzword-heavy theory. John Hammond, a security researcher at Huntress and a long-time CTF and penetration-testing educator, framed hacking as something that gets harder over time but becomes manageable when learners keep their curiosity alive and practice in real environments.
Hammond’s core learning path starts with getting comfortable at the keyboard: explore, tinker, and “get in the weeds” by writing code and probing real vulnerabilities. He recommends beginning with Linux fundamentals and command-line navigation, pointing learners to OverTheWire’s war games as a structured way to build those basics. From there, he pushes learners toward a scripting language—Python as a common “hacker’s language” due to readability and extensive libraries—then into CTFs as the fastest route to practical experience.
CTFs aren’t treated as “toy hacking.” Hammond argues they closely mirror real-world techniques because they expose competitors to the same kinds of vulnerabilities, exploitation patterns, and sometimes even zero-day-like surprises. For finding competitions and events, he highlights ctftime.org and encourages learners to play online when in-person options are limited. He also praises TryHackMe for being beginner-friendly, including guided hints and write-ups when learners get stuck for too long.
A key theme was how much programming is actually required. Hammond said learners don’t need to become full software architects, but they do need programming logic: understanding variables, functions, and control flow well enough to reason about how inputs change outcomes. He used blind SQL injection as an example of where logic and scripting matter—when an application doesn’t return full results, code can automate inference character-by-character by interpreting true/false responses.
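The true/false inference described above, shown from the defender's side as an added example that is not from the video or its creators: a constructed in-memory SQLite table, a deliberately vulnerable lookup next to a parameterized one, and a check showing that only the concatenated query lets a yes/no answer reveal a character of a stored value. All function, table and column names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed sample data: in-memory database, nothing touches disk or network.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cr3t')")
    return conn


def exists_vulnerable(conn, name):
    # Deliberately vulnerable: the input is concatenated into the SQL text,
    # so a caller who only ever sees True/False still controls the WHERE clause.
    sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


def exists_hardened(conn, name):
    # Hardened: the value is bound as a parameter and is never parsed as SQL.
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def oracle_leaks(check, conn):
    # Two constructed inputs that differ only in the guessed first character
    # of the stored value. If the answers differ, the yes/no response is
    # acting as a data oracle, which is what blind SQL injection relies on.
    probe = "alice' AND substr(secret, 1, 1) = '{}"
    return check(conn, probe.format("s")) != check(conn, probe.format("x"))


if __name__ == "__main__":
    print("concatenated query leaks:", oracle_leaks(exists_vulnerable, make_db()))
    print("parameterized query leaks:", oracle_leaks(exists_hardened, make_db()))
```

With the parameterized lookup both probes are treated as literal names that match no row, so the response carries no information about the stored value.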
On certifications, Hammond emphasized that practical, hands-on exams tend to validate skills better than rote multiple-choice tests. He described his own progression: Security+ as a high-level requirement for DoD contracting, then OSCP as the “crown jewel” offensive-security rite of passage, followed by additional offensive-focused training such as OSWE and eLearnSecurity options (including eJPT and later OSCE/OSCE3-style material). He also warned against becoming a “script kiddie,” arguing that tool use is fine only when paired with understanding and adaptation: reading code, tweaking it for the environment, and building intuition about why an exploit works.
The conversation also pivoted to the SolarWinds Orion supply-chain compromise, using it as a real-time example of why defensive hygiene and deep analysis still matter. Hammond described how attackers used a seemingly legitimate Orion update containing a malicious backdoor DLL, blending into normal network activity and leveraging operational security. He noted that at least initially, detection could fail even across major scanning engines—illustrating how signature-based defenses can miss novel payloads—before more engines began flagging it.
Finally, Hammond connected the dots between learning, careers, and the modern security landscape: DevOps and CI/CD increase deployment speed but also expand the surface area for mistakes, while automation can reduce some manual work yet can’t eliminate the need for human judgment due to false negatives. His advice to beginners was blunt but encouraging: keep trying, expect failure, and switch from “try harder” to “try again,” using persistence and curiosity as the real differentiators.
Cornell Notes
John Hammond argues that hacking skills come from disciplined practice on real systems, not from buzzwords or passive study. He recommends starting with Linux command-line fundamentals, then learning a scripting language (often Python) to automate testing and exploitation logic, and finally using CTFs to get repeated, hands-on exposure to vulnerabilities. He distinguishes “script kiddie” behavior from real capability by emphasizing understanding and adaptation—reading and modifying code rather than just running tools. He also treats CTFs as legitimate training for real-world techniques and highlights how supply-chain attacks like SolarWinds Orion demonstrate why defenses must go beyond signatures and rely on strong security hygiene plus analyst judgment. Certifications can help, but practical exams and lab work matter most.
What is Hammond’s recommended path for learning hacking from zero to practical skills?
Why does Hammond treat CTFs as “real” hacking rather than practice games?
How much programming does a budding hacker actually need?
What separates a “script kiddie” from a capable attacker in Hammond’s view?
What does Hammond say about defensive detection during the SolarWinds Orion incident?
How does Hammond connect automation and DevOps to security jobs and risk?
Review Questions
- What specific learning sequence does Hammond recommend (Linux → scripting → CTFs), and what purpose does each step serve?
- Explain Hammond’s definition of the difference between a script kiddie and someone who can genuinely exploit vulnerabilities.
- In the SolarWinds Orion discussion, what factors made detection difficult early on, and why does that matter for defensive strategy?
Key Points
1. Hacking skills grow fastest through hands-on practice: Linux command-line basics, then scripting for automation, then repeated CTF exploitation.
2. CTFs are legitimate training because they teach vulnerability discovery, exploitation chaining, and real adversarial workflows, even when the target is constrained.
3. Learners don’t need to become full software architects, but they do need programming logic to interpret outcomes and automate inference attacks (e.g., blind SQL injection).
4. Avoid “script kiddie” mode by understanding and adapting code and tools: reading and modifying implementations rather than only running one-click exploits.
5. Practical certifications and lab-based exams validate skills better than rote memorization, and OSCP is positioned as a major offensive-security milestone.
6. Supply-chain attacks like SolarWinds Orion can bypass defenses by blending into trusted update mechanisms and using novel payloads that may initially evade signature-based detection.
7. Automation and DevOps increase both speed and risk; security teams still need human judgment because false negatives remain a serious threat.