The Path to Hacker Mastery

[MaXe]

How many years of experience do you need in an IT job before you can land an infosec one?

Thanks for the remaining answer and those links too   

I'm still improving slowly, but it seems that Web Security turns up everywhere I turn....guess I will have to sharpen my skills on that?

Is it possible to just stick to systems, networks etc?

Or not?

Zero years, you could get directly into a junior position, but having worked in another IT-job such as sys admin or tech support increases your chances.

With a sys admin job you'll hopefully learn how to set up systems correctly (  ) and with tech support, you'll learn great patience, soft skills and what customer satisfaction is really about 

Well, Web App Sec, has become bigger over the last couple of years. Mostly because of Anonymous & LulzSec primarily, because before them, /i/, Internet Hate Machine, and so forth, before all these, we had script kiddies, and of course the well known zf0, r3m and other black hat groups just having fun or making profit in the dark, but even the script kiddies weren't as aggressive as they are nowadays. and it seems like there has been an extreme growth of these after all the media coverage about Anonymous and other hacking incidents.

So naturally, we need more people able to protect against the most common types of attacks (that are also more advanced now when you take a look at the highly targeted and not random attacks) and of course we also need to reconfigure the servers properly. This evolutionary problem has two sides. On one of the sides, Pentesting gets bigger, more companies that previously never wanted a pentest or vulnerability assessment, are suddenly willing to spend money on pentests, and on the other side, we have the massive influx of script kiddies that are often easy to defeat. (Nothing is 100% secure though.)

It's amazing though, that some companies still don't want their security assessed, and within 1 month to ~2 years, they will experience a breach in their security. The companies that gets a pentest done, may not know, that security is also about the users, so they end up getting compromised by a user getting phished or infected. (In fact, this has happened quite a lot recently, because the spammers, scammers, phishers, etc., are getting smarter in tricking users, some of their e-mails looks more and more legit, as they are not only spoofing the e-mail too, they are also writing more correct english, and they use the target sites design as well.

Some even takes it a step further, and calls random users in selected areas, the so called Microsoft Tech Support scam, that e.g., seems to originate from somewhere in India. (This actually compromised a rather large company not long ago, and some, if not all of the users even had training on what social engineering is. Amazing.)

Sooner or later you'll have to get to know about web app sec, but you can let it wait for now of course, and focus on systems, networks, etc., which are important to know about too, if you want to get a good understanding of web app sec as well 

[ZeroOne]

wow some great informations here, you guys should team up and write a book titled: The Path to Hacker Mastery

[MaXe]

wow some great informations here, you guys should team up and write a book titled: The Path to Hacker Mastery

The subtitle should then be: "A realistic and logical approach to becoming a hacker", or something like that so people don't think they can become one in 24 hours xD

After all, being a hacker isn't just the skills, it's the mindset that makes the hacker 

[ajohnson]

The subtitle should then be: "A realistic and logical approach to becoming a hacker", or something like that so people don't think they can become one in 24 hours xD

Only because "How To Become The Worlds No. 1 Hacker" was already taken...


Regarding web app testing, and media attention aside, it's only going to become increasingly more important as more applications are created and/or migrated to a web-based format. Even now, most penetration testing positions I see advertised desire that the candidate have elementary web app testing skills, at the very least.

Imagine the scenario where a fully-patched web server only has port 80 accessible. What are your attack vectors from the network/system side? Unless you have a zero-day, or the administrators have grossly misconfigured something, there aren't a lot of options. However, if the web application that is present on the web server comes into play, that opens the door for a wealth of attack vectors. 

As organizations figure out network security (at least on the perimeter), attacking web applications, wireless, client-side, mobile, etc. become much more viable. Why directly assault a fortified barrier when you can potentially circumvent it altogether with minimal effort?

Considering how much this trend will likely continue over the next 5+ years, I think you'd really be limiting yourself if you didn't expand beyond networking and systems.

[Novice hacker]

@ MaXe

Sorry for the late reply....got bogged down with work....

Zero years

That's very encouraging to hear but I know that I have to be very skilled to land a junior pen-testing position so I assure you I will be working hard      

From all these posts I have come to recognize the importance of Web App Security skills. Actually, I really kind of wanted to learn how to hack websites but why I avoided it and kind of disliked it was because:

1) I already know some basic programming in C,C++ so learning further programming kind of excites me . but the stuff that you need to know for web applications (e.g. Javascript, PHP etc.)
I don't really have a clue about them. In the web app field all I know is basic HTML. This is what was kind of discouraging me from expanding my knowledge in this domain.
But thanks for opening my eyes on the matter. I will try to improve in this aspect in the future  
(After all I don’t want to get owned by some script kiddie!! )
About getting a sys admin job, could you please mention the skills a sys admin has? I saw the Wikipedia page but ‘maintain and operate the system’ doesn’t seem to provide a good insight into what it actually is.
And I must say that your examples are highly instructive.
I forgot to add that I found the bread analogy educational as well       (Those links you provided were pretty cool including intern0t.org. Reading about your CTF experiences were cool but I will leave that to the ‘big boys’ for now.

Pentesting gets bigger, more companies that previously never wanted a pentest or vulnerability assessment, are suddenly willing to spend money on pentests

Yay        

Thanks for informing me about the scam too. I will keep my eyes peeled. (Ever since I started reading about E-mail hacking I’ve been pretty careful in checking for phishing pages. )
(I think you’re supposed to check the URL to  make sure it’s the Google Gmail page and not someone’s phishing page, right?)
@ZeroOne   
I agree that the people who have contributed to this thread are very knowledgeable and have posted many useful posts for beginners like me.  I’m sure the book would sell like hotcakes since it’s not just the title that’s catchy but the content is valuable too.

@MaXe

it's the mindset that makes the hacker

@ajohnson

Only because "How To Become The Worlds No. 1 Hacker" was already taken...

I read the reviews for that book and  ouch......it could never compete with the content offered by you guys      

Regarding web app testing, and media attention aside, it's only going to become increasingly more important as more applications are created and/or migrated to a web-based format. Even now, most penetration testing positions I see advertised desire that the candidate have elementary web app testing skills, at the very least.

Thanks for helping me to realize its importance and helping to overcome my initial fear. Now, I feel a lot more warm to web app stuff. I still don't know anything about improving my current position.(I only know HTML) but I will get to web app after I finish the basics or side by side with networking(this combination looks kind of good)

Imagine the scenario where a fully-patched web server only has port 80 accessible. What are your attack vectors from the network/system side? Unless you have a zero-day, or the administrators have grossly misconfigured something, there aren't a lot of options. However, if the web application that is present on the web server comes into play, that opens the door for a wealth of attack vectors.

Thank you very much for these examples too    

I love it when you guys give real life scenarios.   It makes it so much easier to grasp the concept and fun too. Like I said, I'm seeing web app with new eyes now. Do you know how to improve in this field and what I should know? (Don't worry I won't do learn it until I complete the basics, I'm just gathering info.)

Why directly assault a fortified barrier when you can potentially circumvent it altogether with minimal effort?

Sounds cool!

Considering how much this trend will likely continue over the next 5+ years, I think you'd really be limiting yourself if you didn't expand beyond networking and systems.

Once again thanks for making me aware of these issues  

[Novice hacker]

I researched some of the skills for System administrator and it seems like I should have a good knowledge of some OS for that. So, I will leave that be for right now and continue with my current development.

I've completed 1/3rd of the hardware book though I'm lagging a bit in learning programming.

Regarding web app, I once heard that I needed to know one web-designing language and one server side scripting language though I'm not exactly sure about what is. (Something like Javascript?)
I have a few questions that I would be grateful to have answered:


1)Could someone give me a complete list of stuff a pen-tester has to know about web app stuff? ( I may integrate learning that with networking, not now)

2) Could you also give me advice on learning programming with relation to hacking? (Should I read coding for pen-testers?)

I also received recent advice that I should not focus too much on one language and should learn several languages at an intermediate level to become versatile. Here's my list:

Python, Perl, C, C++                (Do you think this is OK or should I expand on this list?)

Thanks     

                                                                            -NH
   

[MaXe]

A web-designing language is HTML, so is CSS. Learning these are fairly simple, as HTML is the framework, the building blocks (and windows), while CSS, is the paint / design. Most HTML tags has a start and an end, e.g., <b>Hello World</b>. (Bold text.)

There isn't much to know / learn about HTML, except if you want to follow coding standards which has pretty much nothing to do with web app pentesting, besides you can look at code and think it looks horrible. So all you need to know is how to create a simple HTML page, and how the tags, attributes, values, and such work. (A good thing to know, is what you can use in specific tags, such as eventhandlers. You don't need to memorize this, you can just use w3schools.com for starters and lookup tags there most of the time.)

A simple HTML page is this:

Code:

<html>
<head>
<title>Hello World</title>
</head>
<body>
<h1>Hello World!</h1>
</body>
</html>

As you can see, it's fairly basic. Knowing why it's built like that, and what the difference is between putting a <script> tag in the <head></head> or <body></body> section, is useful for conducting e.g., XSS attacks which in essence, are fairly simple too. (I won't describe that now.) As I already mentioned, eventhandlers such as <body onload="alert('Hello World')" > is useful to know, as the "onload" eventhandler will execute the javascript that is within it, and it will execute when the page is loads aka "on loading".


JavaScript, are the mechanics behind. It's anything from popup boxes, to icons / buttons you click in e.g., the editor you use to reply on Ethical Hacker that inserts a smiley or makes the text bold, etc., to facebook and twitter dynamically loading new tweets or wallposts. The last feature is generally called ajax, which you don't need to know a lot about, except what it is and generally how it works. (If you're pentesting an ajax application it's often fairly simple, as you would focus on XML vulnerabilities quite often, which you'll get to, in time.)

XML, yet another language. What is it? Generally, it's just information stored in a simple language format, that can be parsed by a lot of programs, and websites. Of course, each program or website has its own way of creating these files (the content within which can be read with a text editor), but in essence XML is cross-compatible with anything that can read XML. (It may not work as intended from a website to a program, but it should be possible to do in most cases.)

So XML can be information shared dynamically in an open format.

A database, is what makes up most websites. The type is quite often MySQL or MSSQL where the latter is made by Microsoft. Both has their own features / potential vulnerabilities caused by e.g., misconfigurations, but the database is of course used to hold the data for the website as you're probably aware of. The SQL language is also, in most cases a "Cross-compatible language", or a universal language meaning it looks the same when used with various SQL databases. While it is possible to use JavaScript and websockets to connect to a database, often it is the backend language used.


The backend language, is often PHP, ASP (or for that sake JSP, RoR or .NET). This language is not necessary for a website to function, but it can be used to control sessions properly, and add extra functionality which e.g., JavaScript isn't as effective with, as the backend language uses the server-resources, while all the others (except the database of course), uses client-resources.

I should of course note, that with HTML5 it is possible to store files on the client system. This is called "HTML5 Storage" and if you open this on your computer, you will see that quite a few websites without you knowing it, already uses this feature to store e.g., their large JavaScript files to ensure faster loading and less waiting time 


It may seem like a lot, but most of it is really not. The biggest areas that may seem advanced or like a lot, are:
- Advanced SQL queries (Using CAST(), Encoding Schemes, CASE, etc.)
- PHP (Source code review where e.g., preg_replace() is used, or even htmlentities() is used properly but not implemented correct)
- HTML5 and CSS3, both has a lot of new features that even I haven't fully looked into.
- Advanced XSS Injections using JavaScript DOM.

You should try to get the basics first before learning about those in depth.


1) There's a lot to know about web app sec, but for starters and up to intermediate level, look at the Owasp Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project and the Testing Project: https://www.owasp.org/index.php/OWASP_Testing_Project

2) Learn how to make basic applications in the languages you want to know, and of course more importantly know how to read the syntax. If you can read the syntax and generally know how a language is built, then you only need to find out what specific functions do. Using the "xxxxx for pentesters" books can be good, but keep in mind some of them may be quite advanced and discuss topics like buffer overflows which may seem hard to grasp at some points. You can check out "Gray Hat Python", but take a look at the contents first.

About your list, I think you should remove Python or Perl and add PHP instead. It's good to know how both are "built", but generally people use either Perl or Python. A long time ago, it was as if all hackers only used Perl, but now it seems like more has gone over to using Python, and well, I prefer Python too 

So learn Perl or Python, and PHP, instead of learning both scripting languages which you don't really need to, except the syntax and how they function.

[ajohnson]

I researched some of the skills for System administrator and it seems like I should have a good knowledge of some OS for that. So, I will leave that be for right now and continue with my current development.

Look at MCITP: Server Administrator / Enterprise Administrator and/or RHCE resources. You don't have to get the certs, but those will give you a solid understanding of systems administration.

O'Reilly's Essential System Administration is great too. It's focused on *nix, but many of the concepts are applicable to any OS.

1)Could someone give me a complete list of stuff a pen-tester has to know about web app stuff? ( I may integrate learning that with networking, not now)

I put a fairly comprehensive list together for my GWAPT challenge here: https://www.infosiege.net/2012/04/gwapt-challenge-review/ There is obviously always more to learn, so that isn't a "complete list." However, it's certainly more than enough to get you started.

2) Could you also give me advice on learning programming with relation to hacking? (Should I read coding for pen-testers?)

I also received recent advice that I should not focus too much on one language and should learn several languages at an intermediate level to become versatile. Here's my list:

Python, Perl, C, C++                (Do you think this is OK or should I expand on this list?)

That's a great book. The best thing about it is how it demystifies common security tasks and demonstrates how writing your own code isn't as difficult as you would expect.

You might want to start with just Python and C. That will give you a couple different perspectives on programming, and you should be able to transition to most other languages after that (with the notable exception of assembly). As MaXe mentioned for web programming, you'd want to look at PHP, as well as others such as ASP.NET/C#/VB.NET and Java.

If you want to get into exploit development or reverse engineering, you'd want to add assembly to your to-do list as well.

[3xban]

The subtitle should then be: "A realistic and logical approach to becoming a hacker", or something like that so people don't think they can become one in 24 hours xD

O'Reilly doesn't have "Learn Hacking in 24 hours"?  I thought it was right next to the SQL one

[Novice hacker]

Hi   
I haven’t been able to access the internet all this time due to a cable fault( I had to complain twice before they fixed it) But, I’m finally back on track!   
@MaXe
Thanks for getting me started in the web app direction         

“A web-designing language is HTML, so is CSS”

Would you recommend learning both or do you think that HTML is enough? It’s very useful when you mention how much you have to learn too. Like I already said, I already know basic HTML and I will try completing all of the w3school material when I reach that stage.
I’m not that sure about what an event handler is but I will make sure to know how it works. Thanks for all the info on the other languages but could you mention which one’s I actually need? (All of them?)
And I’m getting confused….should I learn Java or Javascript?
Please mention the languages that I should learn. (the one’s I need) and also mention how I could learn the basics of those languages. (I’m thinking w3schools and the local library, do you know any other good websites or resources for learning, if so please share them)
As for the OWASP top ten, I was already aware of the list but I never really got into learning the techniques, though I will as soon as I master the basics.

“Learn how to make basic applications in the languages you want to know”

What I want to know? I don’t know much about the field or the languages so I don’t think I can be trusted to pick any. But, with what I know I would probably choose HTML, Javascript, PHP.
As for Coding for pen-testers, do you think a basic/intermediate knowledge of programming skills is enough to follow those concepts? I also checked out the Table of contents in Gray hat python and it is WAY over my head but I will be sure to turn to it after getting the hand of programming.
Thanks for revising my list, would you add any programming languages to it?
@ajohnson
Nice profile pic     
Thanks for the wonderful resources that you gave on system administration. I will turn to those when I reach that stage.
As for your link, I really wanted to reach it, but I can’t reach the link.   
I tried to go to the main webpage but I couldn’t reach that either…..?
And I once again like your combination which suits me very well   (Python&C)
Do you recommend any other languages to add to my list? I will add assembly last.

“ASP.NET/C#/VB.NET and Java.”

Which of these are necessary to know? (all?) And do I have to learn Java or Javascript? And isn’t ASP different from .NET?
As you can see I’m clueless in this field……so do you have any resources as in websites or books to learn the basics of this field?(other than w3schools?)

Thanks again           

[ajohnson]

On the client-side, you need to know HTML, CSS, and JavaScript. Those are all complimentary technologies; it's not an either-or type of scenario. Java is entirely different and used for applets and server-side programming.

I've personally had good luck with the O'Reilly books on those topics, but there are many other quality books written for them as well. Just check out the Amazon reviews and try something you think will be a good fit. Perhaps buy a month of O'Reilly's Safari service, so you can check everything out before making any purchases. You can do the same with Wrox and Books24x7: http://www.wrox.com/WileyCDA/Section/Get-the-Wrox-Library-for-One-Low-Subscription-Rate-.id-130024.html I also like a lot of the Wrox books.

If you want a good starting point for moving into server-side programming and databases, try this: http://www.amazon.com/PHP-MySQL-Web-Development-Edition/dp/0672329166/ref=sr_1_1?ie=UTF8&qid=1336999776&sr=8-1

Coding for Penetration Testers is much more accessible than Gray Hat Python (it's a great book, just not for novices). Check out Google's two-day Python course and/or Learn Python the Hard Way first. Coding for Penetration Testers does a pretty good job at covering the basics, but I think you'll get more out of it if you establish a foundation first. I'll have a review out for that shortly, so keep an eye out for that.

I'm not sure why you're having problems accessing my website. It's fine on my home, work, and iPhone connections, and others can access it. Try again and send me a PM if you still have problems.

[Novice hacker]

@ajohnson

Thanks for clarifying that issue....

I don't have any doubts on the client-side but regarding the server side could you tell me whether Java is used only for web applications or can it be used to write programs as well? (just curious)

As for the remaining part of the message I've sent you a p.m.

   

[ajohnson]

You can use Java for anything from "traditional" applications to mobile development, such as Android. It'll run on anything that has a Java interpreter.

Edit: Wow, I just realized W3Schools is kind of a garbage resource: http://w3fools.com/ I've only referenced it sporadically and never noticed. The resources under the "What Should Be Done" section seem like they would be great starting points.

[Novice hacker]

Thanks!   

For informing me about that update on the site. You're right the section has some great info which I'm sure will keep me busy