EH-Net
May 19, 2013, 09:50:56 PM
Show Posts

78
Ethical Hacking Discussions and Related Certifications / Programming / Re: Need help on Linux
on: April 29, 2012, 02:35:16 PM

Virtualization software consists of programs that pretend to be computers so that you can run another operating system inside of them. So, you can have a desktop PC running Windows, install VMware, and then run Linux inside VMware without affecting Windows. For a user with a single PC, this means you can run two OSes side by side and that you don't have to partition your hard drive and dual-boot in order to use a second OS.

79
EH-Net / Greetings / Re: The Path to Hacker Mastery
on: April 25, 2012, 03:07:19 PM

Which volumes of TCP/IP should I read? (Is the I vol. enough?)
Vol I is enough. After that, you should read books that focus on other networking topics; either Cisco books or network security books. TCP/IP Illustrated Vol. II is the source code for an actual TCP/IP stack implementation and is only useful if you are doing very low-level work and need to test or develop a custom TCP/IP stack. Very few people have ever read it. Vol III is mostly obsolete.
If you think your family will chafe at a career in "Ethical Hacking", just tell them you're getting into "Network Security" or "Information Security". If they are hell bent on you being a doctor/lawyer/ballet dancer, they'll just have to be disappointed.

80
EH-Net / Greetings / Re: The Path to Hacker Mastery
on: April 24, 2012, 10:28:47 AM

And I think that a six dollar sum comes only with 10 years in pen-testing......Sad
What if I become really good at it but my starting salary is still like only 50,000, right? Is it possible to land a six dollar starting salary?
With no experience, you just can't give a company the value they need to justify paying you a six figure salary. By the time benefits, hiring costs, training, etc. are factored in, the company is spending twice as much on you as they actually pay you in salary. If you want to make $100k a year, you need to be able to justify the company spending that money. A typical first IT job is probably close to $40k (depending on location). The people who make over $100k are mostly top technical people, managers, and consultants. You're not going to fill any of these roles fresh out of school or self-taught with a couple of certs.

83
EH-Net / Greetings / Re: The Path to Hacker Mastery
on: April 22, 2012, 11:09:42 AM

Knowing basic SQL is the bare minimum; it would help if you had some familiarity with MySQL or MS-SQL.
You don't really read shellcode. Shellcode is just the hex representation of actual executable code. When you make shellcode, you write it in assembly, build (assemble) it, and then do some by-hand modification to remove null bytes. It's a very low priority; just worry about the other stuff for now.

84
EH-Net / Greetings / Re: The Path to Hacker Mastery
on: April 21, 2012, 11:10:19 AM

I think the Security+ is a fine way to start. It won't get you a job but it will help you to learn the basic concepts and terms.
Purchase "Operating System Concepts, Seventh Edition" (Why is this more than 3 times cheaper than its successor?)
Older editions drop in price because schools use the newest edition for their texts.
(Should I read the other Cisco books on routers and stuff now) 5) Start gaining knowledge of specific OS. Preferably Linux, Windows server, XP, 7)
If you're already through the CCNA books, I'd suggest focusing on Linux/Windows before doing more Cisco.
Which programming language?
Python.
Before you said to learn web-app stuff too.
You can leave the web app stuff until after you've gotten the IT basics down and started learning about hacking/pen-testing specifically. Since it's not your particular interest, learn about pen-testing systems/networks first, then web apps.
The pay (when you start out) (and as you gain experience)
The pay is going to vary a lot by company and location as well as experience/skill. Location matters a lot both for job availability and for the value of your dollar. Your money will go a lot farther in Boise than San Francisco or New York, but there are definitely more security jobs in SF/NY. I'm not advocating for or against living in any of those places btw, they are just examples. If you're willing to start your own company, the pay is potentially higher but with more risk (i.e. your business could fail). To get to the higher salaries ($100k) within a company, you'll probably have to get into a role where you are supervising other people. And, depending on where you are, the senior roles may not pay that much. You don't have to be a manager, but you will be a "Senior" whatever and have to provide supervision to junior staff on technical matters. You need to be the guy that other people go to when they have questions.

85
EH-Net / Greetings / Re: The Path to Hacker Mastery
on: April 19, 2012, 09:43:02 AM

I left one thing out though. Where does learning shellcode come in this list?
When you've learned how to program in C and want to learn to write your own exploits from scratch.
Oh and please also mention if this list consists of a pen-tester's knowledge.....if the list is not complete please edit, or add items to the list.
I gave you the IT basics that you need to get started in security. You also need to learn security concepts and pen testing itself. Go to Amazon.com and look at the table of contents of a couple of Security+ guides and some hacking books. You need to learn about all the areas listed.
Ok, thanks. Do you know any good books on databases which will teach me enough?
No; it's been years since I read a book on databases. Now I just Google when I have a question.
Yay! Smiley Please mention some of those companies.
Look at job listings. Try Microsoft or Google. You're still going to need a CS degree, and a cert or two wouldn't hurt either.
Good college? Followed by? A master's degree in Ethical hacking?
By a good school I mean MIT, Berkeley, etc. The better the school, the more likely you can get in without experience. If you go to an unknown local university or state school, your odds go down. It doesn't mean you can't still do it jumping from a local U; it's just harder. It's not an exact science; plan to do non-security work first, and if you do manage to get a security job straight away, well...good for you.
I think I've heard of this before. Payload refers to the transfer of the buffer overflow program, right?
Yeah.
Don't web app security testers have to learn all that stuff?
Yes.
As a pen-tester, won't I only be asked to hack into computers, and stuff like that? Do I also have to hack into web applications? Is it essential I have to learn that too? (My hands already seem kind of full........)
You'll have to do web-app stuff too. It's too big of an area to ignore. So, yes. If you want to be a pen tester, you'll have to learn web-app stuff too.
That doesn't mean you have to be an expert to get your first job. But, you're going to have to have some knowledge of each area (web, networking, Windows, Unix) with stronger/in-depth knowledge in one or more of those areas. You'll continue to build your skills as you go. At this point, you really need to just jump in and start learning. More of your questions will be answered as you learn. If you want to do this, it's going to take you a few years. If you're going to go to college, major in CS or IT and learn additional things or experiment in your free time. If not, start learning the basics and once you have some basic networking/OS knowledge, apply for a help desk job. Build your skills as you go and apply for better jobs when you are ready for them.

86
EH-Net / Greetings / Re: The Path to Hacker Mastery
on: April 18, 2012, 10:46:33 AM

Novice: OSI is a conceptual model for computer networking. When you study networking, OSI will be one of the first steps. You should understand the OSI model before jumping into TCP/IP. If you want to see how the layers match up between the two, just Google "OSI vs TCP/IP" and you'll find plenty. Learn networking and the basics of Windows and/or Linux before jumping into programming. Learn databases after that. If you don't understand basic programming, you can't do anything with databases.
If you're going to be a pen tester, you're going to hack databases. You don't have to be an expert DBA, but SQL is how you query (look at) what's in the database. You'll need to know the syntax well enough to do SQL injection, query/modify tables, and execute procedures.
Some big companies will hire people directly into a junior infosec role. The best way to get into one of these is probably to get a CS degree from a good school. Most companies have limited if any security staff, so they can't afford to train you from the bottom.
I don't know anything about the CEH requirements.
Other than Python...most buffer overflow exploits are a combination of C and assembly language. The program itself is written in C, but the shellcode (payload) requires assembly language to build. Most of the programs vulnerable to buffer overflows are written in C and/or C++. For web app security, you need to learn basic HTML and JavaScript to be able to do anything. If you want to understand what is actually happening on the server side, you also need to learn one or more of Java, PHP, or ASP.NET (using VB, C#, etc). I don't know what the minimum is, but my feeling is that you should be good/competent with at least one language that you can use for automation/tool building/parsing and that you should have some familiarity with several others. By familiarity, I mean you can read code in that language and make minor changes to it.
Web application security is huge right now. For the most part, I don't think you can be a pen tester and avoid it. That doesn't mean you have to be a web app security tester specifically, but it's going to come up.
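The post above says a pen tester needs enough SQL to understand SQL injection. The following is an added example, not code from unicityd's post or from the thread: it shows, on a constructed in-memory SQLite table, why a login query built by string concatenation can be rewritten by its input, and why the same query with bound parameters cannot. The `users` table, the sample rows and the `login_*` function names are all assumptions made for this example; the parameterized form is the fix a defender would apply.

```python
"""
Added example (not from the original forum post): a login query built by
string concatenation beside its parameterized replacement, run against an
in-memory SQLite database seeded with constructed sample rows.
"""
import sqlite3

# Constructed sample data; the table and rows are assumptions for this example.
SAMPLE_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the SQL text from user input. A quote character in the input
    ends the string literal, so the rest of the input becomes SQL syntax and
    the WHERE clause is restructured by whoever supplied the value."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters. The SQL text is fixed; the driver
    hands the values to the engine separately, so they are only ever compared
    as data and can never change the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run both forms with a normal login and with a tautology input, and
    return the rows each form matched so the difference can be checked."""
    conn = make_db()
    # Constructed tautology input: closes the literal and appends OR '1'='1'.
    tautology = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret-alice"),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret-alice"),
        # Concatenation: the WHERE clause ends in ... OR '1'='1', so every row matches.
        "tautology_vulnerable": sorted(login_vulnerable(conn, tautology, tautology)),
        # Parameters: the engine looks for a user literally named "' OR '1'='1" and finds none.
        "tautology_parameterized": login_parameterized(conn, tautology, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Both functions match `alice` on a genuine login. With the tautology input, the concatenated query returns every user while the parameterized query returns nothing, which is the behaviour a code reviewer or a database-side query log should expect to see when checking whether an application's queries are built safely.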

88
EH-Net / Greetings / Re: The Path to Hacker Mastery
on: April 17, 2012, 11:02:19 AM

Novice, Wendell Odom's CCNA books are here (it's a 2 book set): http://www.amazon.com/640-802-Official-Library-Updated-Edition/dp/158720438X/ref=sr_1_1?ie=UTF8&qid=1334677358&sr=8-1
Don't worry about the other Cisco books right now; you can chase after those once you've covered the basics. Since you're not in IT now, I'll mention that there would be a lot of value to you personally to get CCNA certified and try to use that to get into a networking position so that you can start building your skills on the job. You can move into security from there; most companies will want you to have a networking/sysadmin background if you don't already have security experience; they don't typically hire straight into a security role.
TCP/IP Illustrated Vol I. does not cover pen testing. It covers a little bit of security (in the second edition) but only as it relates to protocols like IPsec. It does cover traffic analysis and will give you most of the background you need to develop that skill. Some of the other things I mentioned (e.g. OS Identification) are covered in pentesting books, but others aren't. There are several articles about port scanning and OS Identification in Phrack magazine (www.phrack.com). The classic paper on IDS evasion is here (http://insecure.org/stf/secnet_ids/secnet_ids.html) but it's dated. I don't know of an up-to-date paper on the topic.
With regards to exploits: you need to be able to modify tools and exploits for various reasons. Sometimes a tool won't compile, other times you want it to do something slightly different. You also need to be able to write small programs/scripts to automate tasks, parse logs, etc. For web applications, you need to be able to exploit vulnerabilities for cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection without a canned exploit. You have to understand those exploits and while you may have some cut-and-paste code snippets that you use, you'll modify them and create your own variations as well. For other types of vulnerabilities such as buffer overflows, you don't need to be able to write your own exploits; those take time to create and I can't imagine your clients will want to pay you for that.
Regards,
unicityd

89
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Address Space Layout Randomization
on: April 16, 2012, 05:10:52 PM

TheXero,
I think the article gives a good overview of ASLR on Windows.
In the introduction, you describe a basic overflow as overwriting EIP with a return address to a JMP instruction. I'm not sure what the current state of the art is, but the old technique was to overwrite EIP with an address that pointed inside of a NOP sled that leads to the shellcode. You could also create a sled out of a series of relative JMP instructions. Unless something has changed, you would not (in ordinary circumstances) return to an absolute JMP.
Your paper has no references but you've obviously pulled information from several sources. Ideally, you would cite these throughout the paper, but you should at least have a bibliography at the end. Not only does this provide credit where appropriate, but it tells readers where they can go to get more information. There are several published papers on ASLR that readers could use to learn more about various aspects.
You mention Linux in passing, but there are some differences on Linux (and OpenBSD) as opposed to Windows. In particular, I think OpenBSD and some Linux distributions have full ASLR, which would prevent your method #2 from working. I can't say that with full confidence since I haven't studied their implementations recently, but it would be worth looking into.
I thank you for writing and distributing this paper. Too few people take the time to share their knowledge and discoveries with the community.