The Path to Hacker Mastery

[unicityd]

Novice,

Wendell Odom's CCNA books are here (it's a 2 book set):

http://www.amazon.com/640-802-Official-Library-Updated-Edition/dp/158720438X/ref=sr_1_1?ie=UTF8&qid=1334677358&sr=8-1

Don't worry about the other Cisco books right now; you can chase after those once you've covered the basics.  Since you're not in IT now, I'll mention that there would be a lot of value to you personally to get CCNA certified and try to use that to get into a networking position so that you can start building your skills on the job.  You can move into security from there; most companies will want you to have a networking/sysadmin background if you don't already have security experience; they don't typically hire straight into a security role.

TCP/IP Illustrated Vol I. does not cover pen testing.  It covers a little bit of security (in the second edition) but only as it relates to protocols like IPsec.  It does cover traffic analysis and will give you most of the background you need to develop that skill.  Some of the other things I mentioned  (e.g. OS Identification) are covered in pentesting books, but others aren't.  There are several articles about port scanning and OS Identification in Phrack magazine (www.phrack.com).  The classic paper on IDS evasion is here (http://insecure.org/stf/secnet_ids/secnet_ids.html) but it's dated.  I don't know of an up-to-date paper on the topic.

With regards to exploits: you need to be able to modify tools and exploits for various reasons.  Sometimes a tool won't compile, other times you want it to do something slightly different.  You also need to be able to write small programs/scripts to automate tasks, parse logs, etc.  For web applications, you need to be able to exploit vulnerabilities for cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection without a canned exploit.  You have to understand those exploits and while you may have some cut-and-paste code snippets that you use, you'll modify them and create your own variations as well.  For other types of vulnerabilities such as buffer overflows, you don't need to be able to write your own exploits; those take time to create and I can't imagine your clients will want to pay you for that.   

Regards,

unicityd

[Novice hacker]

Thanks everybody, I feel that with every post I'm closer to my dream..

I just have a few doubts to clear:


@ajohnson

Thanks, I will look into that. Do you know any sites where I can buy cheap books without a credit card?

@ziggy

Sorry, for the confusion created....From the posts, I'm guessing that the Operating systems that you mentioned are the MOST common ones I will be encountering as a pen-tester. So, I'm guessing that I will be attacking Server operating systems, not individual workstations/desktops? I know this will probably sound dumb but can Linux be used as a server OS?

Additionally, it seems as if I may have to keep up to date and I will probably have to learn Windows 8 when it comes out(If it becomes popular)

Oh and one more doubt: Can I access a workstation after gaining access into the server OS?

Thanks for sharing your wisdom   

@unicityd

I have a 2 questions regarding study of contents:

Which is the best chronological order for learning about the following:

I) OSI and its working, Programming, networking, database management?

II) Why do I have to learn database management? I think you recommended that I have to learn basic SQL commands?

I'll mention that there would be a lot of value to you personally to get CCNA certified and try to use that to get into a networking position so that you can start building your skills on the job.  You can move into security from there; most companies will want you to have a networking/sysadmin background if you don't already have security experience; they don't typically hire straight into a security role.

Ouch, so, there's no way to go into the Infosec field directly?
I also read that the C|EH requires 2 yrs minimum experience in Information Security....Is there no way to write it directly? And if there's no way to do that what networking position would you recommend?

Thanks for mentioning those references:

Could you please also mention an additional reference for network mapping?

As for writing exploits, which programming languages would you recommend? Please give a list. I know you recommended starting with Python and then proceeding. But, could you give me a list of all the programming languages  a good pen-tester should know?

For web applications, you need to be able to exploit vulnerabilities for cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection without a canned exploit.

I'm not interested in web application related attacks that much....I wanted to learn those too but I don't know anything except for HTML and it looks like I have already loads to do at the moment.....(But, I can bear that cause I'm pretty interested in those stuff like networking)

Thanks yet again     

[ziggy_567]

Much of what you're asking about gaining access to multiple systems depends heavily on how a system or environment is configured. If you gain access to a system (server or workstation), you might have access to more systems if say the entire environment is configured with the same username/password. It's pretty common to find that the admins use the same password for local administrator accounts, so many times if you can gain that level of access to one system you will have administrative access to pretty much any workstation and possibly server in the environment.

To answer your question about what you'll be targeting, the answer is also "it depends." When you start professionally pentesting, you will have a rules of engagement that is determined in the pre-engagement phase. If workstations are included in the scope, you can certainly attack workstations. If you're focused solely on a few systems, those will be what you focus on. Period.

About Linux:

99 out of 100 times on an engagement, if you see Linux it will be on a server. In fact, I can only remember one time when I found a workstation with Linux installed.

The bottom line is that every environment is different. Even if they're using the same technology as a previous client, it will be configured differently. That's why its so important to know the technology so well or at least be able to research and learn the technology. You have to be able to learn quickly and adapt what you know to each individual environment.

[ajohnson]

@ajohnson
Thanks, I will look into that. Do you know any sites where I can buy cheap books without a credit card?

You could always buy a pre-paid card to use if you don't have a credit card. Otherwise. half.com is an eBay company, so they may accept PayPal (and any of the payment methods they support).

[unicityd]

Novice: OSI is a conceptual model for computer networking.  When you study networking, OSI will be one of the first steps.  You should understand the OSI model before jumping into TCP/IP.  If you want to see how the layers match up between the two, just Google "OSI vs TCP/IP" and you'll find plenty.  Learning networking and the basics of Windows and/or Linux before jumping into programming.  Learn databases that.  If you don't understand basic programming, you can't do anything with databases.

If you're going to be a pen tester, you're going to hack databases.  You don't have to be an expert DBA, but SQL is how you query (look at) what's in the database.  You'll need to know the syntax well enough to do SQL injection, query/modify tables, and execute procedures.

Some big companies will hire people directly into a junior infosec role.  The best way to get into one of these is probably to get a CS degree from a good school.  Most companies have limited if any security staff so they can't afford to train you from the bottom.

I don't know anything about the CEH requirements.

Other than Python...most buffer overflow exploits are a combination of C and assembly language.  The program itself is written in C, but the shellcode (payload) requires assembly language to build.  Most of the programs vulnerable to buffer overflows are written in C and/or C++. For web app security, you need to learn basic HTML and Javascript to be able to do anything.  If you want to understand what is actually happening on the server side, you also need to learn one or more of Java, PHP, or ASP .Net (using VB, C#, etc).  I don't know what the minimum is, but my feeling is that you should be good/competent with at least one language that you can use for automation/tool building/parsing and that you should have some familiarity with several others.  By familiarity, I mean you can read code in that language and make minor changes to it.

Web application security is huge right now.  For the most part, I don't think you can be a pen tester and avoid it.  That doesn't mean you have to be a web app security tester specifically, but it's going to come up.

[Novice hacker]

@ajohnson

                   Thanks. I checked out half.com and it looks pretty good.
Which do you think would be cheaper? Half.com or the used books on Amazon? (No, I don't mean the one's in really bad condition)

@ziggy

Much of what you're asking about gaining access to multiple systems depends heavily on how a system or environment is configured.

So, it depends on HOW the network is configured?

If you gain access to a system (server or workstation), you might have access to more systems if say the entire environment is configured with the same username/password.

If I gain access to a server then don't I automatically gain access to all its clients?   

It's pretty common to find that the admins use the same password for local administrator accounts,

If they don't do I have to hack individually?

 Thanks for the rest of the info too   

Oh and could you please tell me a bit about the life of a pen-tester,

The pay(when you start out) (and as you gain experience)

 Every pen-tester's dream (like to get employed in _______________ company(please fill the dash))

And also working hours

Please also mention how(or where)(like which institutes)  to pick up pen-testing skills.

Thanks once again for your help   

@ unicityd

Thanks a lot for the order. I think I've got it figured out.....
OSI, networking, TCP/IP, Specific OS (Windows server, Linux, Windows XP and Windows 7), Programming and then databases.
I left one thing out though. Where does learning shellcode come in this list?

Oh and please also mention if this list consists of a pen-tester's knowledge.....if the list is not complete please edit, or add items to the list.

If you're going to be a pen tester, you're going to hack databases.  You don't have to be an expert DBA, but SQL is how you query (look at) what's in the database.  You'll need to know the syntax well enough to do SQL injection, query/modify tables, and execute procedures.

Ok, thanks. Do you know any good books on databases which will teach me enough?

Some big companies will hire people directly into a junior infosec role.

Yay!  Please mention some of those companies.

The best way to get into one of these is probably to get a CS degree from a good school.

Good college? Followed by? A master's degree in Ethical hacking?

The program itself is written in C, but the shellcode (payload) requires assembly language to build

I think I've heard of this before. Payload refers to the transfer of the buffer overflow program, right?

Web application security is huge right now.  For the most part, I don't think you can be a pen tester and avoid it.  That doesn't mean you have to be a web app security tester specifically, but it's going to come up.

Don't web app security testers have to learn all that stuff?
As a pen-tester, won't I only be asked to hack into computers, and stuff like that? Do I also have to hack into web applications? Is it essential I have to learn that too? (My hands already seem kind of full........)

Anyhow, thanks for providing the information in a detailed and clear manner 

[Novice hacker]

@ the ethical hacker community

Does anybody know about the requirements of C| EH?

Please also tell me about learning metasploit and how it works.

Also mention the other certification likely to land one as a junior pen-tester....

Thanks everyone for your help   

[ziggy_567]

I appreciate your enthusiasm and wanting to know more about pentesting and ethical hacking, but ALL of your questions can be found in other threads and/or Google.

Does anybody know about the requirements of C| EH?

http://www.eccouncil.org/courses/certified_ethical_hacker.aspx

Please also tell me about learning metasploit and how it works.

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,6158.0/

Also mention the other certification likely to land one as a junior pen-tester....

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/board,23.0/

[ajohnson]

http://www.securitytube.net/ is another fantastic resource for Metasploit and numerous other topics.

Please don't take this the wrong way, but you really seem to be putting the cart before the horse here. Metasploit shouldn't even be on your radar when the difference between the OSI and TCP models is still a mystery.

I agree with the path that has been laid out by sil (infiltrated.net), but realistically, I think 52 weeks is an extremely aggressive timeline for someone who has yet to obtain basic networking knowledge. With where you are now, it will literally take years to obtain a solid understanding of networking, Linux, Windows, etc.

I'm not trying to be rude; I just want you to really consider the massive amount of information you need to absorb and develop a realistic timeline for your goals. If you cut corners, you're going to end up as someone who is mindlessly dependent on tools other people have written.

However, everyone has been in the exact same position as you are right now, so you shouldn't feel discouraged either. You've received a lot of really good advice in this thread. If I were you, I'd look at a pentesting position as a 5-10 year goal, and then break that down into realistic steps for getting there. You're going to overwhelm yourself if you try to do everything at once.

For example, you could set obtaining your CCNA as your first short-term goal, focus exclusively on that until it's achieved, and then reevaluate where you are and determine your next feasible step. It may sound like a long time to work for something, but it will go faster than you think. The key is to stick with it and make continual progress over time.

[ziggy_567]

+1 for ajohnson!!!

[unicityd]

I left one thing out though. Where does learning shellcode come in this list?

When you've learned how to program in C and want to learn to write your own exploits from scratch.

Oh and please also mention if this list consists of a pen-tester's knowledge.....if the list is not complete please edit, or add items to the list.

I gave you the IT basics that you need to get started in security.  You also need to learn security concepts and pen testing itself.  Go to Amazon.com and look at the table of contents of a couple of Security+ guides and some hacking books.  You need to know learn about all the areas listed.

Ok, thanks. Do you know any good books on databases which will teach me enough?

No; it's been years since I read a book on databases.  Now I just Google when I have a question.

Yay!  Smiley Please mention some of those companies.

Look at job listings.  Try Microsoft or Google.  You're still going to need a CS degree and a cert or two wouldn't hurt either.

Good college? Followed by? A master's degree in Ethical hacking?

By a good school I mean MIT, Berkeley, etc.  The better the school, the more likely you can get in without experience.  If you go to an unknown local university or state school, your odds go down.  It doesn't mean you can't still do it jumping from a local U; it's just harder.  It's not an science; plan to do non-security work first and if you do manage to get a security job straight away, well...good for you.

I think I've heard of this before. Payload refers to the transfer of the buffer overflow program, right?

Yeah.

Don't web app security testers have to learn all that stuff?

Yes.

As a pen-tester, won't I only be asked to hack into computers, and stuff like that? Do I also have to hack into web applications? Is it essential I have to learn that too? (My hands already seem kind of full........)

You'll have to do web-app stuff too.  It's too big of an area to ignore.  So, yes.  If you want to be a pen tester, you'll have to learn web-app stuff too.  That' doesn't mean you have to be an expert to get your first job.  But, you're going to have to have some knowledge of each area (web, networking, windows, unix) with stronger/in-depth knowledge in one or more of those areas.  You'll continue to build your skills as you go.

At this point, you really need to just jump in and start learning.  More of your questions will be answered as you learn.  If you want to do this, it's going to take you a few years.  If you're going to go to college, major in CS or IT and learn additional things or experiment in your free time.  If not, start learning the basics and once you have some basic networking/OS knowledge, apply for a help desk job.  Build your skills as you go and apply for better jobs when you are ready for them.

[DragonGorge]

Novice, I've got to echo some of the last few sentiments expressed here: What you're asking is equivalent to "Please tell me how to be a nuclear engineer/doctor/pilot". You're not going to learn pentesting on a forum. You can use it to augment your knowledge but not create it from the ground up.

There are a ton of books on pentesting. If you go to Amazon's site and do a search you'll find enough to keep you busy for a few months. Start with a one that gives you the basics of pentesting and introduces you to all the different areas - if it's got upwards of 3 stars as an average rating it will likely be pretty good. Once you've gotten the basics down, you can delve into the specifics from there. I don't think you need to be an expert in all areas, similar to a doctor, you can specialize (social engineering, web app, wifi, etc) but you need to know the basics of the different areas.

The CEH is a decent "Intro to pentesting" cert but you won't learn how to penetrate a system from it. It's too high level and covers somewhat antiquated methods. Plus, if you've got $500 - $1000 to spend on the CEH, you should be able to invest in a few pentesting books that'll give you as much if not more (minus the cert).

[Novice hacker]

Hi guys.......

I just nearly finished my reply to this when I experienced a power cut.........................

Unfortunately, I lost ALL my data once again. I thought I saw the worst when I lost my data the last time...

Anyways, thanks for the advice everyone 

I appreciate constructive criticism so you don't have to worry about me taking it the wrong way or anything   

I don't have the time to type up my reply again today so I will post tomorrow.

Once again, thanks everyone for caring for my development as a hacker.     

[Novice hacker]

Hi! This message has been typed in MS-word and then edited. (The auto save feature comes in use some times)


Anyways, like I said I appreciate constructive criticism, so thanks for the suggestions 

@ziggy

I appreciate your enthusiasm and wanting to know more about pentesting and ethical hacking, but ALL of your questions can be found in other threads and/or Google.

Thanks, and I will try to post questions only after searching using Google and the search box in this forum.  If I can’t find an answer or I don’t understand anything, then I will post it here   
(Can you just answer the pen-tester’s dream question? I want an inside view of a pen-testing job, thanks )
@ajohnson

Please don't take this the wrong way, but you really seem to be putting the cart before the horse here. Metasploit shouldn't even be on your radar when the difference between the OSI and TCP models is still a mystery.”

I don’t mean to actually learn Metasploit right now. I set up this thread with an idea of making a plan to become a pen-tester. Right now I’m just collecting details to construct the plan. i.e. I wanted to construct the overall plan and then jump into it. But, do you recommend coming up with the next steps of the plan after completing the initial steps? If so, then I will follow that idea    

I just want you to really consider the massive amount of information you need to absorb and develop a realistic timeline for your goals. ”

Don’t worry; I don’t plan on finishing all of the things on my plan in one year or so. I am perfectly OK with the 10 year plan. Here’s my scenario:
I am currently about to turn 17.
I will not be able to properly study the hacking techniques for the next 1 year approx. (I have important exams that I am pressurized to do well at.) (That leaves me with approx. 9 years to learn hacking before I go into a pen-testing position. I am confident of my learning abilities and I will work hard, so I’m pretty sure that I can achieve all my goals in this gap.

For example, you could set obtaining your CCNA as your first short-term goal,

Ok, but I did some research of my own and CCNA cert is not even mentioned here:
http://infiltrated.net/TechnicalSecurityRoadmap.html#   (I still plan on getting it, I just would like your opinion on this)
@unicityd
 

look at the table of contents of a couple of Security+ guides and some hacking books.  You need to know learn about all the areas listed.

I’ve done what you said and I would like to know if you would recommend getting Comp TIA or Microsoft certified in Security +.  Oh and someone once told me that self-study was the best way to become a hacker by researching on the hacking topics…can all the info about hacking topics be found using Google?
Thanks for all the other information posted in your last post too.

Finally, here’s a bit of my plan everyone:   (Master 1 step and then proceed to the next)
1)   Read A+ material.  (To capture the grains of knowledge that have thus escaped my grasp.
Read up on the OSI and its working. Purchase “Operating System Concepts, Seventh Edition” (Why is this more than 3 times cheaper than its successor?)
     
2)   Read up on networking. Master content in Odom’s books.
3)   Proceed to TCP/IP Volume Illustrated, learn as much as I can
4)   ? (Should I read the other Cisco books on routers and stuff now)
5)   Start gaining knowledge of specific OS. Preferably Linux, Windows server, XP, 7)
6)   Learn programming. (I already know the basics of C and C++ and I plan to promote this step up the order, is that ok? And one more q: Which programming language would you recommend for writing tools….I’m thinking Python is the easiest for this purpose.
7& Start learning database management (Is knowing basic SQL commands enough?) and assembler(knowing to read shellcode is enough or do I have to be able to write it too?


Well, this WAS my plan before you said to learn web-app stuff too….Hmmm,

Where do I fit in learning that?

Note: I plan to complete what unicityd said before proceeding to the content included in Sil’s link

So...... any changes to the plan(its not finished)? Or is it OK?

Awaiting your wisdom.........

[Novice hacker]

@dragongorge

                     Thanks for sharing your wisdom. I found your post pretty useful

And I don't mean to learn actual pen-testing on the forum but the path  to go about it AKA "The path to hacker mastery"
can hopefully be learned.