Programming for Hackers
Learn Python by breaking and defending: encoding, crypto, forensics, and capture-the-flag.
10 projects, 250 hands-on levels, run in your browser.
Syllabus
- Encoding & Data Representation: Every hack starts with reading data the way a machine does. Master bytes, hex, base64, bitwise XOR, and byte surgery, then peel apart a multi-layer encoded flag.
- Classical Cryptography: The ciphers that ran for two thousand years, and how they fall. Build Caesar, Vigenère, and transposition ciphers, then break them with brute force and frequency analysis.
- Hashing & Integrity: One-way functions that fingerprint data without hiding it. Use hashlib for checksums and HMAC, salt and stretch passwords, and build a tamper-evident hash chain.
- Password Cracking: Think like the attacker hammering a stolen hash dump. Run dictionary attacks, brute force, and rule-based mangling, measure password strength, then crack a full leaked database.
- Modern Cryptography: Build the math that secures the internet, from scratch. Master modular arithmetic and primes, implement RSA and Diffie-Hellman with plain Python integers, then break weak RSA by factoring.
- Log Analysis & Forensics: Hunt attackers in the evidence they leave behind. Load logs with pandas, extract indicators with regex, spot anomalies and brute-force attacks, then run a full incident investigation.
- Network Analysis: Read the wire. Parse raw binary packets with struct, decode TCP flags, reassemble flows, detect a port scan, and reconstruct a full network intrusion from the bytes alone.
- Web Security: Attack and defend web apps in Python. Parse HTTP, exploit SQL injection and XSS, forge and verify JWTs, then chain it all to pwn a vulnerable app, using only provided, simulated data.
- Reverse Engineering: Take apart a program you cannot read the source of. Read raw bytes and bit fields, disassemble a custom bytecode, build the virtual machine that runs it, follow its control flow, and crack a VM-based license check.
- Capture The Flag: The finale. Five challenges, one per category, that chain every skill in this track: peel an encoding stack, drag a crib through a cipher, trace an intrusion, crack a salted hash, and defeat a multi-layer final boss to claim grandmaster.
Key concepts
- Base64: An encoding that represents binary data in 64 printable ASCII characters, used to carry bytes through text channels. Reversible, not secret.
- Cross-site scripting (XSS): Injecting script into a page that runs in other users' browsers; mitigated by escaping output for its context.
- Diffie-Hellman: A protocol letting two parties derive a shared secret over a public channel, relying on the hardness of the discrete logarithm.
- Encoding vs encryption: Encoding (base64, hex) reversibly reformats data with no secret; encryption hides data using a key. Encoding is not security.
- Frequency analysis: Breaking a substitution cipher by matching the frequency of symbols to the known letter frequencies of the language (e.g., via chi-squared).
- Hashing: A one-way function mapping data to a fixed-size digest (e.g., SHA-256). Used for integrity and password storage; you cannot reverse it, only test candidates.
- HMAC: A keyed hash that authenticates a message: only someone with the secret key can produce or verify the tag. Compare tags in constant time.
- RSA: A public-key cryptosystem based on the hardness of factoring large semiprimes; encrypt with the public key, decrypt with the private key.
- Salt: Random data added before hashing a password so identical passwords hash differently, defeating precomputed (rainbow) tables.
- SQL injection: Injecting crafted input that alters a SQL query's logic (e.g., a tautology that bypasses login). Prevented by parameterized queries.
- Symmetric vs asymmetric: Symmetric crypto uses one shared secret key (fast); asymmetric uses a public/private key pair (enables key exchange and signatures), e.g., RSA.
- XOR cipher: Encrypting by XOR-ing plaintext with a key; self-inverse (XOR again to decrypt). A single-byte key is trivially broken by frequency analysis.