My friends have expressed an interest in hacking, but we don't want to do anything illegal, and considered CTF365, but it was WAY to expensive. Is it possible/legal for one of us to create a private website for us to hack, or play attack/defend with two websites of our own?
-
4Have you considered the many hack-able VMs? – schroeder Mar 12 '15 at 04:41
-
21[Damn Vulnerable Web App](http://www.dvwa.co.uk/) A PHP website with intentional security vulnerabilities you can install on your webserver to practice hacking. – Philipp Mar 12 '15 at 09:18
-
23You should seriously consider setting up a private VPN as a secure environment for your webservers. When they are public, they will also get attacked by other people, will get compromised, and used to spread spam and malware. – Philipp Mar 12 '15 at 09:22
-
6Related website: [Hack Yourself First by Troy Hunt](http://hackyourselffirst.troyhunt.com/) – LoveFortyDown Mar 12 '15 at 11:25
-
5This site also comes to mind: https://www.hackthissite.org/ – beattyac Mar 12 '15 at 12:57
-
11Questions relating to legality and use of tools will vary by jurisdiction and this is generally off-topic. – Eric G Mar 12 '15 at 13:28
-
@EricG I completely agree about legal questions, but I don't think there is really a legal question here. I think that there is a more basic question being asked in the context of "legality". – schroeder Mar 12 '15 at 17:44
-
2@schroeder I had this in mind: https://www.schneier.com/blog/archives/2007/08/new_german_hack.html I thought this was more recent, I am not sure on the current situation in regards to this. There may be jurisdictions with similar or more oppressive laws. Otherwise, its a question of whether or not its illegal to setup a purposely buggy website - which could potentially be illegal or made illegal in the future, etc. – Eric G Mar 12 '15 at 18:26
-
1Here in the UK this would be legal, I believe, because it wouldn't be 'unauthorised access' (you'd be a legally authorised user) - but I'm sure in other jurisdictions the answer will vary. You need to say what country you (or the attacker) are in and what country the server is in. – A E Mar 12 '15 at 19:08
-
1Make sure you own the whole server of your site, to not cause collateral damage to other sites. – Paŭlo Ebermann Mar 12 '15 at 21:17
-
As well as the free level of CTF365, you could try https://microcorruption.com/about (and/or forthcoming http://www.kalzumeus.com/2015/03/09/announcing-starfighter/) – armb Mar 13 '15 at 16:56
-
As a side note, there are hundred of companies that do such run tests, eventually very advanced ones, to verify that your server can't be hacked (at least not easily). So if it were 100% illegal, none of these companies would exist. So it's possible to do, it's just that you may need to use some caution on how you do it. – Alexis Wilke Jul 19 '19 at 04:40
8 Answers
To the best of my knowledge, yes, it's legal. Every anti-hacking law I'm aware of refers to unauthorized access, and if you've got permission to hack it, it's not unauthorized, is it?
Note that there are some things you'll need to watch out for. Some jurisdictions prohibit the possession of "hacking tools" (akin to prohibiting possession of lockpicks, but less well-defined), and some techniques, such as packet spoofing or (D)DoS, can have collateral damage that would fall afoul of the law.
You'll also want to check your webhost's opinion of what you're doing. They may not permit this because of possible effects on other customers; if you're hosting the website on your home connection, you might be violating your ISP's terms of service.
If you want to be completely safe, do this on a dedicated network that is isolated from the Internet entirely. A cheap Ethernet switch and a Raspberry Pi or two can get you a setup you can play with for under $100.
- 34,390
- 9
- 85
- 134
-
1The LAN approach only works if they are physically together. And an ISP might freak own and shut down their brain and "just say no, in doubt", as soon as you pronounce the word "hack". – o0'. Mar 12 '15 at 09:43
-
34@Lohoris then don't use the word and instead use "extended penetration tests". – ratchet freak Mar 12 '15 at 10:24
-
24@ratchetfreak Perhaps you should go for "advanced IP layer tests" before they bring out the no-porn clause. – Lilienthal Mar 12 '15 at 15:10
-
2
-
2Most ISPs I've dealt with are so dumb that they might never even notice. – curious_cat Mar 13 '15 at 12:14
As Mark states, it more or less has to be legal to do this, since it's effectively authorized access, although perhaps by unconventional routes.
Also consider the many hacking contests where the prize is the hacked machine (or whatever). Some (if not many) of these contests are not on a private network, but are conducted over the public Internet. Search for "pwn to own" and similar "leetspellings" of that phrase, and I'm sure you'll find sites for such events -- and their terms and conditions ought to be of interest to you.
Here in Denmark, Henrik Kramshøj is quite an authority on all things related to IT (and especially network) security, and he frequently states that one may (attempt to!) hack his website as long as he's notified in advance. And that's over the public Internet, although in this case, he actually owns his Internet provider, so that's less of a risk factor.
Have a look at Rory's answer to a similar question, which includes a link to a list of hacker-welcome sites.
First of all: No one can answer this question because we don't know what country you are talking about. Even if we would know we are not lawyers and can not answer this. I guess in most countries the legal situation about this would not be clear anyway. It would probably be in a grey area.
In reality it does not matter if is legal because your server will get hacked and your hoster/ISP will take it offline anyway.
Make the system non public (VPN or similar) and you will have no problems.
- 5,394
- 4
- 19
- 36
-
4_"we are not lawyers and can not answer this"_ - You don't have to be a lawyer to answer the question. Conversely, and this may be a shock to some, **lawyers are sometimes wrong**. – Bennett McElwee Mar 12 '15 at 21:05
-
@BennettMcElwee In my country it is illegal to give legal advice without been a lawyer. I am forced to mention that I am not a lawyer. – PiTheNumber Mar 13 '15 at 09:41
-
-
1@BennettMcElwee Germany. See http://security.stackexchange.com/a/83664/5518 Also free wifi is illegal here. But otherwise it's a nice country ;) – PiTheNumber Mar 16 '15 at 08:24
In a nutshell, regardless of what country you are in, 'Hacking' is defined as unauthorised access to a system. You are not necessarily 'hacking' so much as 'testing a system for vulnerability'
- 41
- 1
-
Do keep in mind that "testing a system for vulnerability," when you do not own the system, or are not allowed to access it, is probably very illegal in your country. – sleblanc Mar 12 '15 at 17:04
-
@sebleblanc Yes, but by the very definition in this question, it is their *own* site or sites. – David Conrad Mar 12 '15 at 20:11
You need to be a little more lateral in your thinking. To practice hacking on a web site, you don't need a public web site - in fact, you don't want a public web site because once it is public, you no longer have control over who can try to hack it. I would also suggest, without wanting to be rude, that based on your question, you and your friends are unlikely to have the skills necessary to setup a public web site in such a way to allow hacking, but control/manage who can hack it.
The big problem with a public web site for hacking is that not many hosting organisations will be willing to do this. For them, it is too high a risk as anyone who can successfully hack the site could very well end up getting sufficient access to be a threat to the other customaers/sites they are hosting. Most hosting companies will have the sites they host build on top of their own infrastructure, which is designed to make their job of hosting as easy as possible and there is no guarantee that a successful hack won't be at the level of their infrastructure i.e. your exposing them to the hacking, not just your site. This doesn't mean you won't find a hosting company who would be willing to allow this as it could be viewed as a type of pen test for them, but it is unlikely.
The best solution is to setup a site using a VM. Even if your not all on the same local network, you can have each person run their own VM. You could use one of the many 'hacking' VMs which have been designed specifically for this sort of thing, or you could role your own, create a snapshot and then give a snapshot to each person to run. This will then allow everyone to hack away on their own site without interferring with each other.
Often when your trying to hack things, you can do things which either make the site/host unstable or even render it unable to run. When learning how to hack, you regularly need to restore everything to a known state so that you can confirm that a successful hack works and you fully understand how it works. Once you think you have found a 'recipe' which works, you can restore your VM to a known state and attempt to repeat the process. If you succeed, then you hve more confidence you know exactly how to do it. On the other hand, if you fail, then you know that your recipe is missing something - probably a side effect caused by a previous attempt.
The other benefit of using the VM approach is that you avoid any possible legal issues. Your doing it all on a private host and in an environment you control. It is also relatively cheap to do. All you need is a PC with sufficient memory to run one or more virtual box or vmware images. I use a Linux box running virtuabox with 16Gb of RAM. I can run multiple VMs at once - simulating a netowrk etc.
For an idea of how you can do this, see Set up your Pen Testing/Hacking Lab Network using a Single System.
- 3,242
- 13
- 13
-
I've only read English translations, but section 202c (the prohibition on possessing or manufacturing hacking tools) only appears to apply if those tools are used to violate sections 202a or 202b (both of which have "without authorization" clauses). The problem isn't that possession of `nmap` and the like is illegal, it's that if `nmap` is used to commit a computer crime, the *author* of `nmap` is in violation of the law. – Mark Mar 12 '15 at 21:06
-
@Mark: I read legal discussions about that back then and everyone was quite annoyed by the law as was not clear. A friend of mine worked at a security company doing research and they requested an interpretation (cannot remember exactly what it was called, a constitutionality question I think) but they did not get any. Since there are still pentesting companies in Germany they must have let go. – WoJ Mar 12 '15 at 21:11
-
@Mark : your comment on the author being at fault for the usage of its product is also true, I forgot that (but as I mentioned, they users were also targeted) – WoJ Mar 12 '15 at 21:13
In most website hostings, the part that is "your website" is very thin, and there is not much to hack except php/asp input sanitization. The bigger, hackable part is not actually yours - it is provider's infrastructure shared among your website and many others.
You need to consider this: unless you run the website on your own computer, your friends are not hacking your website. They're hacking hosting provider's computers.
This is one of the reason why CTF has to be expensive: one needs to dedicate up-to-date set of commercial infrastructure to create a playground that accurately represents commercial environment - without compromising an actual commercial environment.
You should set up a dedicated computer for this task, possibly in local network and inaccessible from the internet. It has it's benefits: no one will ever know it was hacked, except you and your friends.
- 1,921
- 14
- 13
Is it legal? In most jurisdictions, yes, but read up on local law first. A few answers above highlight jurisdictions where hacking is illegal even when authorized, but for the most part, the kinds of exercises you're talking about are authorized, since the owner of the machine is setting it up this way deliberately and expressly for the purpose of security testing.
Is it a good idea? Only if you are very careful. Remember that if you can hack it, so can someone else. Keep the vulnerable machines well away from the open Internet: this means you'll need to get at the machines through a LAN or VPN, but this is still better than having it get hijacked by someone or something you didn't expect.
- 1,637
- 9
- 10