EH-Net

..Whats your opinion?

<-- Complete n00b to the ethical hacking community and I've been on a windows computer all my life.  I'm in IT and I want to be more learned on security and everything that is involved.

So far I know that you need 

-->

Basic/Advanced Linux Knowledge



Add to my list!

Why not start out reading a book on hacking, like Hacking for Dummies, Hacking Exposed, any Kevin Mitnick book?  This could give you an overview of the fundamentals of hacking, and the Mitnick books have good stories, and history on hacking.

There are too many elements to consider on where to start.

Welcome by the way.

Thanks,

I've read Mitnik's art of deception... Really cool what you can do with social engineering.

I'll check out the two other books you mentioned.

Welcome to the forum! There are lots of nice people here.  ;D

I agree with Dengar13 about starting with a couple of books.

I also agree with you about basic Linux knowledge. But, I would not start right off with a hacking distribution, I would get to know the basics. Start with something like Ubuntu. Learn how to use the terminal, install programs, etc.

Since you are already in IT... If you don't already know, I would suggest learning about the TCP/IP protocol, and learn the differences between a hubbed network and a switched network.

There are a lot of aspects to learn about, but those are good to start with.

I'm completing my MCSA at the moment for my position here and theN i'm going to go into CCNA training, get some switches/routers and set up a virtual network.  In the meantime, work with linux at home and get a handle on the OS and go from there I think.

Always feel free to ask questions here.

A lot of the people here really know their stuff, and they are always helpful.

Necessary ethical hacker skills, the starter edition:
TCP/IP
OS basics for M$ and the *IX distro of your choice
Internal network basics (switches, hubs, firewalls)
A sense of humor (preferably dirty but manic is also acceptable)
External network basics (routing, IP, interaction with internal networks, etc)
Relationship between services, ports, and how exploits work
Washboard abs
Some familiarity with coding (not expert, but can muddle through)
Understanding of general web application construction (front/back end, etc)
A WOW account (maybe EverQuest if you roll like that)
Some level of business sense (need to explain business impact of your findings)
A comfort level with your skin tone being 3 shades more pasty than your racial peers

Well put, pseud0.

I think that is an excellent start for a new ethical hacker. ;D

lol, I've got a lot of that on the list.... Working on the distro basics and washboard abs atm....

The coding part is what scares me... I took a weed out java class in college and I think that scarred me for life regarding programming... I've been thinking of picking up C Primer Plus and working through that...


Oh if I only had 40 hour days it would be so much easier to go through everything I want to learn.

As far as programming goes, you should really just learn scripting for now. Not even writing scripts, yet, but just be able to read a bash script, VBScript, etc. and have a general idea of what it does.

Later, it will become very useful to be able to write scripts, and programs, or at least be able to modify source code.

pretty good replies

where the F were you guys when this was going on

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,1821.0/

as far as programming. if you are new, start incorporating it into your learning plan NOW, if you stick with this field and you cant code or script you will hit a point where you cant put your ideas into code (or not easily) and that just sux

Chris,

It seems like the one guy on that post was more of a fan of tools than actual knowledge. Being new and having sat through various exams, I agree that you need knowledge of TCP/IP and how it works. Any one can run a tool and get a shell. Even I have done that. And I got a thrill from that. I also recognize that I still have a lot to learn. That being said, I also think that you need to understand the output a tool gives you. Thanks for posting that thread.

BigTone82,

first off welcome to the forum.

Only thing I'd add to the list is that before you get any of the things previously listed you need one thing, patience.

From my experience it take a lot of time and a lot more work to be an 'ethical hacker'. I've been around IT and security for a while and don't come close to what I'd class as a hacker (leaving the holy-wars out of it  ;) ) but I'm learning fast, have the ethical part and I'm still here wanting to improve.

As others have said learning the basics first helps (TCP/IP etc.) but don't expect to learn everything instantly. Most importantly though if you want to remain interested in the field for the long game, ignore all the advice here and study whatever makes you go 'ooooh, hows that work?' be it IDS, shellcode, scanning, etc. I found this has helped keep up motivation to learn through the 'do I really need this?' moments.

If you dive in wherever you're most motivated you'll find the basics come through time as and when you need them. (at least I'm finding that).

Good luck, and don't be afraid to ask the questions when necessary (just ask google first  ;D )

Thanks guys,

Yes I'm a smart guy so the n00b questions shouldn't slip out into here.  I'm so tired of reading cert forums and seeing "OMG CAN I UZE A+ FOR A MCSA ELECTIVE"



Thanks for all your help.  I'm going through the Redhat Linux CBT's right now.  The power of the shell compels me :)

Plus I see videos later on with nmap and snort and thats something I really want to get into so I'm excited.

The Penetration field is quite deep and wide, you can specialize in Windows pentesting, or databases, or web application security, what ever floats your boat. if you are very comfertable with Windows and know how to secure it well and have read the hacking exposed books or similar and would like to know more about Linux I would reccomend that you check the Linux documentaion project, and howtos, try to setup a server and secure it, and pen test it, scripting in Linux/Unix world is a must to understand the start/stop scripts, and to automate most of your work, In brief use what you already got, and develop yourself in the areas you enjoy most

here read this

http://seclists.org/pen-test/2008/Mar/0029.html

Chris,
Well done, I will capture some of them in here
That's what i like about security it consolidates the above knowledge together or it makes you think out of the box if i can use this words in here. that is think differently about the systems/networks/applications you are trying to run/manage. In brief it is approcable from all different angles, just work your way through from the angle you love most

ChrisG,

thanks for the link, nice to know the time I've spent as an admin, writing wobbly little apps isn't going to waste ;)

Washboard abs?!  Well, that disqualifies almost everyone I know in IT.  :)  The skin complexion though?  Got that one nailed...

I'm probably a bad hacker because I don't have a WoW account or an EverQuest account. lol

glad you like it, that post was by the founder of LearnSecurityOnline.com Joe McCray

Does CS Count?

=/

ahahahahaaaa

nice :)

Thanks for making my day....  ;D

Bit of late input here and you may already know of this, but check out GNS3 - http://www.gns3.net/ . As the site says, it's a graphical network simulator. There's a few of these floating around and they're excellent for practising your network skills without shelling out for actual physical kit. Hope this is helpful.

Rob

Rob,

cheers for the link. Haven't come across this in the past, I've used (and paid for) Boson Netsim which is decent. I'm downloading now, hopefully should be good (and hopefully the Win Binaries will run under Vista ;) ).

RR

well just like him i my self am in IT and i just started messing with the security part of it. I have been hacking for about a week now im not too good yet but i hope to get more knowledge and then be EHC.

All of the suggestions have been great. Best suggestions i have seen is to read books and maybe get yourself a free distro of slackware or ubuntu. Learn the linux terminal and network configurations. Best way to learn linux is to ins the prog and use it. rid yourself of microsoft products as much as possible.

gentereign

can u tell me how to hack the wireless network?????and how can i enter the server computer computer with out the knowledge of the server admin?????

I'm hoping so. I dumped WoW for EVE.

Welcome to the forum, I would say an Ethical Hacker / InfoSec Professional really needs to have passion.

By this I mean is a general interest for IT Security and all that it encompases. The Security field is very varied with so many subject domains, but dont worry about becoming the guru of everything security. Personally I feel its important to have a high level understanding of all of these domains, but by no means be the master of all.

As you start looking at InfoSec you will find what it is that floats your boat, these maybe technical or soft related skill sets, but as long as you enjoy it and you have passion you can succed.

All the best on the journey.

  Hi Guys!

  Im bruha666v from the philippines..im a computer science graduate and was exposed to "vb6" for four years. :-[

  I decided to take this course because i wanted to learn how make viruses and stufss but later found out that its wrong. so here i am trying to learn how to hack.

  But im really confused where to start and what to do.  Then a guy i met in a chat room who is also from the philippines challenged me to hack his site and would give me 20k if i do so.
 
  What i need to do is login as admin and just get 20 customer accounts and passwords from his customers database and send it to his email. The site is using php and the URL is:tipidweb.com.

  I believe this could help me start out.Hope you guys could help me out. Im not in for the money, i just wanna learn.

  Thanks!


 
 
 

You serious? Is that a closed offer or can anyone play? ;)

Any chance this guy is actually any way responsibl for the site in question?

First phase of any penentration engagement is to get a formal contract in place providing full authorisation for you to carry out the work, that way you don't get sued/imprisoned when someone changes their mind. Otherwise known as a CYA document.

I'd be very inclined to take this 'offer' with a pinch of salt...

(P.S. I've got $20million stuck in an offshore account, I could give you 10% if you help me transfer it into your country....)

As RoleReversal says, I think you are buying into this to much.

One its in a chat room, and as on the Internet you can be anybody, I would ignore this guy.

If someone was to REALLY offer you work, it should be via more official means. Just because someone owns a website, its probably hosted by someone else and they would be responsible for authorising any Pen Testing, etc.

If you want to learn / practice pen testing, then have a search on this great forum for information on setting up a virtual lab, using live cds etc.

Thansk for the reply RR and DP..

Well the guy actually owns the site and he brags about it being "unhackable" and he is manila right now maintaining the site. So im pretty sure its not a scam or watever. Anyway ill try to contact him again and get the "letter" as you told me RR.
 
Anyway, its been nice knowing you guys are out here helping other pipol out.

Ill update you guys as soon as i get in touch with him again.

Bruha666v

Btw, have you guys checked the site?

I did a little research on the site and found that it is hosted by GoDaddy.com. Now that mean that you bruha would need not only authorization form the site owner, but also from GoDaddy. I did my research at dnsstuff.com. Further research shows that this is a Philippine web service provider. Chances are that you are getting in over your head. I would say stay away.

By the way, what was this chat room contacts name?

Critical Reasoning Skills.
Developed sense of paranoia.

exactly
 
I find myself researching emails from people I don't know just to figure out if they are legit or not. the spammers are getting better by having names on the emails, but they don't often match the name on the email. It cracks me up.

Thanks jm..

btw, he's in irc. Channel: bacolod | nick: panulay

anyway, this site has really opened me to new ideas and concepts that could help start.

Im backed out already knowing that this could get me into trouble. Thanks guys!

Hope you could help me out. I really want to know how to "hack". Not because i want to get into other peoples files o computers but i want to learn how to protect myself too knowing the vulnerabilities.

Thanks for the replies guys!


Bruha666v

Back to the original topic;

I agree with one of the other posters in this thread...You have to start with the basics and work up if you ever intend to be proficient in your profession, in this case, working as an Ethical Hacker (Network Security).

My recommendations would be:

A++, Network+ - You don't necessarily have to have these certs, but having the knowledge that these certs test you on is essential to even start understanding how to hack.

Linux Is Your Friend - A basic understanding of Linux is pretty much essential in my opinion.  How can you hack something you don't understand anything about.  At least know the basic commands: rm, ps, top, cd, ls, chown, su, sudo, etc.  Staring at a Telnet/SSH prompt and not knowing what to type is hell...(Been there done that)  Plus, several great tools are only available in Linux.

Programming - At least some type of basic programming understanding...I started out back in the QBasic days...telling my age now...Anybody else remember that or am I the oldest fart on the board?  lol  Unless you want to be labeled that dirty word, "script kiddie", you best be able to write some of your own stuff or at least be able to modify others to suit your purpose.

Social Engineering - Yes, I would label this as a requirement for the ethical hacker and even a black hat hacker. (I know some will disagree)  There will be times when you are just not going to get in...the IT Department has done their job and done it well.  You must be able to go to the weakest link, the employee, vendor, etc. and be able to get the information you need to compromise their security.  You can't be just an all geek and number cruncher..you must have some social skills too.

This is just my opinion and we all know what opinions are like.  But, I honestly couldn't see someone succeeding as a hacker without these basic skills.  You might be able to run a script against a web site or company with very poor security, but when you come up against a company/web site that has done their homework, that is where it will take skill and patience when the pre-written scripts fail.

In this high speed internet / fast food society we live in, we always want the quickest way and take all the shortcuts we can.  But we must remember we are only cheating ourselves if we skip the basics.  Take your time and build a good foundation, then the advanced skills come a lot easier.

Guys!

   Remember the guys i told you that owns the site > Tipidweb.com ?? well he told me that godaddy.com doesnt host his site...He has his own dedicated server in the us. and he's really bragging about it. He also told me that he uses the combination of different sql and php code and API combinations. I stopped messing with his site coz u guys told me to back off. Well thanks anyway...



 

This is a great thread to look at, when you hit your first plateau.
Some great information :)
And unlike some of the others here, I wanna know how to get into others systems without a proggy(I dont buy the ole "I wanna learn to protect myself"  jazz!! lol.), I wanna know how to bounce off nodes to make detection that little more difficult, I wanna know how to mass inject a server, and tell Frank he'll be alright once he gives my favourite Milli Vanilli single back!! I wanna know what the heck Im talking about when Im talking it!! lol

Im not gonna try and mask what I want to learn, as it only hinders my own learning, and there's nothing better than learning something you wanna learn ;)
But I can say out of all honesty..  Its out of curiosity and fun that I have been interested.
I dont wanna be the next Phantom Menace online.
But would like to be able to know, what Im looking at, when its right infront of me.

Freedom of information, and Common sense, are 2 necessities greatly under utilised when starting off.
Understand these, and patience will be your virtue ;)

My 2 shillings worth ;D

The only thing worse than training good employees and losing them
is NOT training your employees and keeping them
                                                           - Zig Ziglar   
this make sense:P

Sup yaa,

TruckputerX in the house. Here to make new friends and learn as much as I can to increase my knowledge of Computer Security.

Welcome aboard buddy, you'll definitely going to learn a thing or two on this site.

Thanks for the welcome. Going to start reading the books recommended and configure a vmware lan with different OS's.

Hi Champions,

Please help,

This is Sathish Kumar, I work as ISMS Guys offlate i am interested to learn and enhance my skills onto the field of Ethical Hacking.

My BackGround is that i worked as Windows Administartor for almost 8 years and 4 years into the ISMS, I have very good exposure of Using VA tools like Nessus,ISS and Foundstone tools, however i want to learn and enhance my skills in exploiting the reported vulnerabilities.however i have already dowloaded Metasploit 3, but i don't have a hacking exposure, Can anyone of u please do let me know is there is any step by step guide how to use the Metasploit  framework to exploit the known Vulnerabilities that exist or any other tools which can used for these activities.

Please suggest.


Regards,
Sathish Kumar.S

A few videos on metasploit:

http://video.google.com/videosearch?q=metasploit+tutorial

You can start by getting a basic understanding of metasploit by reading the user guide that comes along with it.
www.metasploit.com/documents/users_guide.pdf

After this you can proceed to other books.
http://books.google.com/books?q=metasploit

I'm currently reading Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability research and am happy with it.

In addition to Xen-'s reply, if you have the finances and time, look into the OSCP training, at Offensive Security's site.  muts has done an excellent job of putting together information about how to work with buffer overflows, exploit compilation, etc.  While they don't explain EVERY exploit (I don't think anyone has that much free time on their hands, it does give good information to work from, in utilizing metasploiit framework, and its toolsets.

Good Evening All~

Im new to the site and new to the IT security world... IT world in general so I'm really just here to get a grasp on things. As an ex-west pointer (left prior to graduation) I've been struggling over the past 4 1/2 years on what to really do with my life and it seems that I have finally found some insight. I started dabbling with the idea of "something IT related" about a year and a half ago.
   I decided that if im going to do something, I'm going to do something that interests me and I'm going to do it right. Granted I've been playing around with computers my whole life (Back to the mechwarrior days and 14.4k modems were the newest thing) but I never really gained a deeper level understanding. With that being said... Last week I kicked Microsoft to the curb, Installed Ubuntu as my sole OS and then started reading about this ethical hacking and IT security. I AM HOOKED. Been an athlete my whole life and these days I can do nothing but think about getting back to my computer to learn more. I'd just like to say thanks ahead of time to all of you guys (maybe a gal or two) who have contributed already and who will help me along on my journey.

L2R