I noticed there seems to be a number of people recently that have been asking how to get started in ethical hacking. I thought I would throw my 2 cents in as someone that has been hacking for sometime now.

To be really a high level hacker requires a vast amount of knowledge and it can easily put someone new to the subject into a state of overwhelm. You will hear you should learn networking, a number of operating systems inside and out, programming, various tools, etc…, the list goes on.

As that old dumb joke goes, “how do you eat an elephant?” well that’s really the perfect approach and I recommend tackling it “one bite at a time”.

I really recommend starting off with the study of TCP/IP, in fact I made that recommendation over a year ago on this forum.  Why TCP/IP?  Because this is “language” that computers use to speak to each other. Without a protocol to communicate, there is no hacking in the remote sense. At one time in the past computers didn’t need to communicate to each other, but now networking has made it a must and TCP/IP is the adopted protocol. 

I am not trying to say hacking is just accessing a remote machine, but it certainly is a very important aspect of it and as hackers we should understand how that works inside and out.

One really good book that I recommend for a good basic understanding is TCP/IP jumpstart, by Andrew Blank. It’s a Sybex book and really puts the protocol in easy to understand analogies and is perfect for the beginner.

Once that book has been started I really recommend starting to play with a tool.  The best tool to start with is Nmap.  Nmap is the perfect example of how a tool can play with and alter normal TCP/IP transmissions.  Knowing how to play and change normal transmissions with this protocol is a must for seeing through today’s firewall and IDSs.  Nmap is also the number one hacker tool and its mastery is a fundamental skill so the sooner one gets it under their belt the better.  When I say number one, I state that because I just about never find a hacker that doesn’t use it. Once in a while a hacker might say they don’t use it because they have written their own tool, but once I see that tool, its usually a watered down version of Nmap, lol.

That’s my recommendation for what its worth. Start off with a good study TCP/IP and start playing with Nmap.  Don’t rush through this. Spend sometime and really get the feeling you have a good understanding of both. I can assure you it will pay off huge dividends as you go deeper into this subject.

Hey, thanks for the input.

Step 0.1 in becoming a h4x0rzzz... practice your google-fu!   

You know.. I remember a time when google wasn't even conceived... and there were miriads of underground search engines and whatnot.  Now, it's rare to need anything but google (and knowledge of how to customize searches in it) to find just about anything.  Really kind of mind boggling, and so much less malware.  

Yeah, I would totally agree with your post on where to begin.  I don't think I would enjoy or understand what I do (which is quite small) if not for my having taken time to learn tcp/ip (and all the other things in my CCNA courses), and played around with Wireshark and Nmap.  I actually started out first with Wireshark, it was like a kid in a candy shop discovering what was happening over those wires connected to my computer.  I moved to Nmap only after I got the itch to actually start learning ethical hacking and work toward a career in it.  Up till recently I was just focusing on network administration.  I've found though, I enjoy far more than just networking.

I think Rance really hit the nail on the head with his mention of wanting ot know everything IT.  A thirst for knowledge has always been a driving force I think with anyone serious about hacking.  Well... at least traditionally, now it's becoming more of a career path (both white and black).  But I suppose that the general saying still aplies to those who actually become the 'l33t' hackers.  They all really have a thirst to learn. 

Oh.  Really?  Errr... I  have to, uhh... leave the country for a while! 

Seriously though, even though InfoSec has become a "career path" and you can study at the university level for it, the classroom environment is so totally different from the real world environment.  Of course, maybe I'm biased, I barely squeaked through high school and never did the college thing, but I've worked with a lot of "just out of college" people (in many different IT areas), and when it came to real-world scenarios, they just seemed to be lost.  I even had one guy I was training get in my face and tell me, "that's not how they showed us in school!"  So, his lesson for the day was to try to fix it himself.

Now don't get me wrong, I'm not against the whole higher education thing, any knowledge is good knowledge (unless it's incorrect knowledge), but I still believe that there's no substitute for good `ol fashioned experience.  I think the fact that I started as a third shift button pusher and learned everything along the way is much more valuable that a degree that costs $120k or whatever college is going for these days.

Alright, done ranting... for now.

But you need a job (fresh out of college ) to get the experience that then makes you better! The catch 22 of all new entrants to the workplace.

Im starting my masters in Ethical Hacking in September and I realise that when I get a job after completing it (and the EHC Im going to do as well) that the learning curve will be vertical. But thats where "drive" comes in. My course doesnt have work placement so Im making one for myself and going to get some experience from Cisco Systems (who I intend to work for after Graduation). We all have to start somewhere, though I agree that experience counts for a great deal.
 

Excellent advice.  I had 2 guys go over my resume, about 3 times each before they and I were all satisfied with it.  It helped since I landed the job I was after right away, and am enjoying it well enough.  There is nothing like experience it is true.  It's the difference between people who push through and get their CCNA really quick, and those who actually work with networking equipment in a day to day basis... one will know theory, one will know actuality.  I'm working on gathering both, in both the network and security fields.  I do think it is a bit of a sad thing that hacking has gravitated from a curiosity and thirst for knowledge pursuit, to a money driven one. 

For my own path, I'm trying to season my college, with both certs and real world experience.  I figure a nice three legged approach like that will be helpful in landing the job I want in the future.