- This topic has 74 replies, 1 voice, and was last updated 2 months, 1 week ago by
.
-
Posts
-
-
-
Why not start out reading a book on hacking, like Hacking for Dummies, Hacking Exposed, any Kevin Mitnick book? This could give you an overview of the fundamentals of hacking, and the Mitnick books have good stories, and history on hacking.
There are too many elements to consider on where to start.
Welcome by the way.
-
-
Welcome to the forum! There are lots of nice people here. ;D
I agree with Dengar13 about starting with a couple of books.
I also agree with you about basic Linux knowledge. But, I would not start right off with a hacking distribution, I would get to know the basics. Start with something like Ubuntu. Learn how to use the terminal, install programs, etc.
Since you are already in IT… If you don’t already know, I would suggest learning about the TCP/IP protocol, and learn the differences between a hubbed network and a switched network.
There are a lot of aspects to learn about, but those are good to start with.
-
-
-
Necessary ethical hacker skills, the starter edition:
TCP/IP
OS basics for M$ and the *IX distro of your choice
Internal network basics (switches, hubs, firewalls)
A sense of humor (preferably dirty but manic is also acceptable)
External network basics (routing, IP, interaction with internal networks, etc)
Relationship between services, ports, and how exploits work
Washboard abs
Some familiarity with coding (not expert, but can muddle through)
Understanding of general web application construction (front/back end, etc)
A WOW account (maybe EverQuest if you roll like that)
Some level of business sense (need to explain business impact of your findings)
A comfort level with your skin tone being 3 shades more pasty than your racial peers -
@pseud0 wrote:
Necessary ethical hacker skills, the starter edition:
TCP/IP
OS basics for M$ and the *IX distro of your choice
Internal network basics (switches, hubs, firewalls)
A sense of humor (preferably dirty but manic is also acceptable)
External network basics (routing, IP, interaction with internal networks, etc)
Relationship between services, ports, and how exploits work
Washboard abs
Some familiarity with coding (not expert, but can muddle through)
Understanding of general web application construction (front/back end, etc)
A WOW account (maybe EverQuest if you roll like that)
Some level of business sense (need to explain business impact of your findings)
A comfort level with your skin tone being 3 shades more pasty than your racial peersWell put, pseud0.
I think that is an excellent start for a new ethical hacker. ;D
-
lol, I’ve got a lot of that on the list…. Working on the distro basics and washboard abs atm….
The coding part is what scares me… I took a weed out java class in college and I think that scarred me for life regarding programming… I’ve been thinking of picking up C Primer Plus and working through that…
Oh if I only had 40 hour days it would be so much easier to go through everything I want to learn.
-
As far as programming goes, you should really just learn scripting for now. Not even writing scripts, yet, but just be able to read a bash script, VBScript, etc. and have a general idea of what it does.
Later, it will become very useful to be able to write scripts, and programs, or at least be able to modify source code.
-
pretty good replies
where the F were you guys when this was going on
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,1821.0/
as far as programming. if you are new, start incorporating it into your learning plan NOW, if you stick with this field and you cant code or script you will hit a point where you cant put your ideas into code (or not easily) and that just sux
-
Chris,
It seems like the one guy on that post was more of a fan of tools than actual knowledge. Being new and having sat through various exams, I agree that you need knowledge of TCP/IP and how it works. Any one can run a tool and get a shell. Even I have done that. And I got a thrill from that. I also recognize that I still have a lot to learn. That being said, I also think that you need to understand the output a tool gives you. Thanks for posting that thread.
-
BigTone82,
first off welcome to the forum.
Only thing I’d add to the list is that before you get any of the things previously listed you need one thing, patience.
From my experience it take a lot of time and a lot more work to be an ‘ethical hacker’. I’ve been around IT and security for a while and don’t come close to what I’d class as a hacker (leaving the holy-wars out of it 😉 ) but I’m learning fast, have the ethical part and I’m still here wanting to improve.
As others have said learning the basics first helps (TCP/IP etc.) but don’t expect to learn everything instantly. Most importantly though if you want to remain interested in the field for the long game, ignore all the advice here and study whatever makes you go ‘ooooh, hows that work?’ be it IDS, shellcode, scanning, etc. I found this has helped keep up motivation to learn through the ‘do I really need this?’ moments.
If you dive in wherever you’re most motivated you’ll find the basics come through time as and when you need them. (at least I’m finding that).
Good luck, and don’t be afraid to ask the questions when necessary (just ask google first ;D )
-
Thanks guys,
Yes I’m a smart guy so the n00b questions shouldn’t slip out into here. I’m so tired of reading cert forums and seeing “OMG CAN I UZE A+ FOR A MCSA ELECTIVE”
Thanks for all your help. I’m going through the Redhat Linux CBT’s right now. The power of the shell compels me 🙂
Plus I see videos later on with nmap and snort and thats something I really want to get into so I’m excited.
-
The Penetration field is quite deep and wide, you can specialize in Windows pentesting, or databases, or web application security, what ever floats your boat. if you are very comfertable with Windows and know how to secure it well and have read the hacking exposed books or similar and would like to know more about Linux I would reccomend that you check the Linux documentaion project, and howtos, try to setup a server and secure it, and pen test it, scripting in Linux/Unix world is a must to understand the start/stop scripts, and to automate most of your work, In brief use what you already got, and develop yourself in the areas you enjoy most
-
here read this
-
Chris,
Well done, I will capture some of them in here1. Solid background in Operating Systems (Admin level experience in
Windows/*nix – preferably with some certs in this area such as an MCSE,
RHCE, SCSA, etc)
2. Solid background in Networking (Admin level experience – preferably
with some certs in this area such as a CCNA/CCNP)
3. Solid background in Programming (comfortable with languages like C,
Perl, Python, Ruby, SQL, etc – some documented work on an open source project might be a good resume stuffer for this)That’s what i like about security it consolidates the above knowledge together or it makes you think out of the box if i can use this words in here. that is think differently about the systems/networks/applications you are trying to run/manage. In brief it is approcable from all different angles, just work your way through from the angle you love most
-
-
@pseud0 wrote:
Necessary ethical hacker skills, the starter edition:
TCP/IP
OS basics for M$ and the *IX distro of your choice
Internal network basics (switches, hubs, firewalls)
A sense of humor (preferably dirty but manic is also acceptable)
External network basics (routing, IP, interaction with internal networks, etc)
Relationship between services, ports, and how exploits work
Washboard abs
Some familiarity with coding (not expert, but can muddle through)
Understanding of general web application construction (front/back end, etc)
A WOW account (maybe EverQuest if you roll like that)
Some level of business sense (need to explain business impact of your findings)
A comfort level with your skin tone being 3 shades more pasty than your racial peersWashboard abs?! Well, that disqualifies almost everyone I know in IT. 🙂 The skin complexion though? Got that one nailed…
-
@rance wrote:
Washboard abs?! Well, that disqualifies almost everyone I know in IT. 🙂 The skin complexion though? Got that one nailed…
I’m probably a bad hacker because I don’t have a WoW account or an EverQuest account. lol
-
@shawal wrote:
Chris,
Well done, I will capture some of them in here1. Solid background in Operating Systems (Admin level experience in
Windows/*nix – preferably with some certs in this area such as an MCSE,
RHCE, SCSA, etc)
2. Solid background in Networking (Admin level experience – preferably
with some certs in this area such as a CCNA/CCNP)
3. Solid background in Programming (comfortable with languages like C,
Perl, Python, Ruby, SQL, etc – some documented work on an open source project might be a good resume stuffer for this)That’s what i like about security it consolidates the above knowledge together or it makes you think out of the box if i can use this words in here. that is think differently about the systems/networks/applications you are trying to run/manage. In brief it is approcable from all different angles, just work your way through from the angle you love most
glad you like it, that post was by the founder of LearnSecurityOnline.com Joe McCray
-
-
@pseud0 wrote:
A sense of humor (preferably dirty but manic is also acceptable)
Washboard abs
A WOW account (maybe EverQuest if you roll like that)
A comfort level with your skin tone being 3 shades more pasty than your racial peersahahahahaaaa
nice 🙂
-
-
@bigtone82 wrote:
I’m completing my MCSA at the moment for my position here and theN i’m going to go into CCNA training, get some switches/routers and set up a virtual network. In the meantime, work with linux at home and get a handle on the OS and go from there I think.
Bit of late input here and you may already know of this, but check out GNS3 – http://www.gns3.net/ . As the site says, it’s a graphical network simulator. There’s a few of these floating around and they’re excellent for practising your network skills without shelling out for actual physical kit. Hope this is helpful.
Rob
-
@RobMongoose wrote:
check out GNS3 – http://www.gns3.net/
Rob,
cheers for the link. Haven’t come across this in the past, I’ve used (and paid for) Boson Netsim which is decent. I’m downloading now, hopefully should be good (and hopefully the Win Binaries will run under Vista 😉 ).
RR
-
-
All of the suggestions have been great. Best suggestions i have seen is to read books and maybe get yourself a free distro of slackware or ubuntu. Learn the linux terminal and network configurations. Best way to learn linux is to ins the prog and use it. rid yourself of microsoft products as much as possible.
gentereign
-
@bigtone82 wrote:
..Whats your opinion?
<– Complete n00b to the ethical hacking community and I've been on a windows computer all my life. I'm in IT and I want to be more learned on security and everything that is involved.
So far I know that you need
–>
Basic/Advanced Linux Knowledge
Add to my list!
can u tell me how to hack the wireless network?????and how can i enter the server computer computer with out the knowledge of the server admin?????
-
-
Welcome to the forum, I would say an Ethical Hacker / InfoSec Professional really needs to have passion.
By this I mean is a general interest for IT Security and all that it encompases. The Security field is very varied with so many subject domains, but dont worry about becoming the guru of everything security. Personally I feel its important to have a high level understanding of all of these domains, but by no means be the master of all.
As you start looking at InfoSec you will find what it is that floats your boat, these maybe technical or soft related skill sets, but as long as you enjoy it and you have passion you can succed.
All the best on the journey.
-
Hi Guys!
Im bruha666v from the philippines..im a computer science graduate and was exposed to “vb6” for four years. :-[
I decided to take this course because i wanted to learn how make viruses and stufss but later found out that its wrong. so here i am trying to learn how to hack.
But im really confused where to start and what to do. Then a guy i met in a chat room who is also from the philippines challenged me to hack his site and would give me 20k if i do so.
What i need to do is login as admin and just get 20 customer accounts and passwords from his customers database and send it to his email. The site is using php and the URL is:tipidweb.com.
I believe this could help me start out.Hope you guys could help me out. Im not in for the money, i just wanna learn.
Thanks!
-
@bruha666v wrote:
But im really confused where to start and what to do. Then a guy i met in a chat room who is also from the philippines challenged me to hack his site and would give me 20k if i do so.
You serious? Is that a closed offer or can anyone play? 😉
Any chance this guy is actually any way responsibl for the site in question?
First phase of any penentration engagement is to get a formal contract in place providing full authorisation for you to carry out the work, that way you don’t get sued/imprisoned when someone changes their mind. Otherwise known as a CYA document.
I’d be very inclined to take this ‘offer’ with a pinch of salt…
(P.S. I’ve got $20million stuck in an offshore account, I could give you 10% if you help me transfer it into your country….)
-
As RoleReversal says, I think you are buying into this to much.
One its in a chat room, and as on the Internet you can be anybody, I would ignore this guy.
If someone was to REALLY offer you work, it should be via more official means. Just because someone owns a website, its probably hosted by someone else and they would be responsible for authorising any Pen Testing, etc.
If you want to learn / practice pen testing, then have a search on this great forum for information on setting up a virtual lab, using live cds etc.
-
Thansk for the reply RR and DP..
Well the guy actually owns the site and he brags about it being “unhackable” and he is manila right now maintaining the site. So im pretty sure its not a scam or watever. Anyway ill try to contact him again and get the “letter” as you told me RR.
Anyway, its been nice knowing you guys are out here helping other pipol out.
Ill update you guys as soon as i get in touch with him again.
Bruha666v
-
-
I did a little research on the site and found that it is hosted by GoDaddy.com. Now that mean that you bruha would need not only authorization form the site owner, but also from GoDaddy. I did my research at dnsstuff.com. Further research shows that this is a Philippine web service provider. Chances are that you are getting in over your head. I would say stay away.
By the way, what was this chat room contacts name?
-
-
-
Thanks jm..
btw, he’s in irc. Channel: bacolod | nick: panulay
anyway, this site has really opened me to new ideas and concepts that could help start.
Im backed out already knowing that this could get me into trouble. Thanks guys!
Hope you could help me out. I really want to know how to “hack”. Not because i want to get into other peoples files o computers but i want to learn how to protect myself too knowing the vulnerabilities.
Thanks for the replies guys!
Bruha666v
-
Back to the original topic;
I agree with one of the other posters in this thread…You have to start with the basics and work up if you ever intend to be proficient in your profession, in this case, working as an Ethical Hacker (Network Security).
My recommendations would be:
A++, Network+ – You don’t necessarily have to have these certs, but having the knowledge that these certs test you on is essential to even start understanding how to hack.
Linux Is Your Friend – A basic understanding of Linux is pretty much essential in my opinion. How can you hack something you don’t understand anything about. At least know the basic commands: rm, ps, top, cd, ls, chown, su, sudo, etc. Staring at a Telnet/SSH prompt and not knowing what to type is hell…(Been there done that) Plus, several great tools are only available in Linux.
Programming – At least some type of basic programming understanding…I started out back in the QBasic days…telling my age now…Anybody else remember that or am I the oldest fart on the board? lol Unless you want to be labeled that dirty word, “script kiddie”, you best be able to write some of your own stuff or at least be able to modify others to suit your purpose.
Social Engineering – Yes, I would label this as a requirement for the ethical hacker and even a black hat hacker. (I know some will disagree) There will be times when you are just not going to get in…the IT Department has done their job and done it well. You must be able to go to the weakest link, the employee, vendor, etc. and be able to get the information you need to compromise their security. You can’t be just an all geek and number cruncher..you must have some social skills too.
This is just my opinion and we all know what opinions are like. But, I honestly couldn’t see someone succeeding as a hacker without these basic skills. You might be able to run a script against a web site or company with very poor security, but when you come up against a company/web site that has done their homework, that is where it will take skill and patience when the pre-written scripts fail.
In this high speed internet / fast food society we live in, we always want the quickest way and take all the shortcuts we can. But we must remember we are only cheating ourselves if we skip the basics. Take your time and build a good foundation, then the advanced skills come a lot easier.
-
Guys!
Remember the guys i told you that owns the site > Tipidweb.com ?? well he told me that godaddy.com doesnt host his site…He has his own dedicated server in the us. and he’s really bragging about it. He also told me that he uses the combination of different sql and php code and API combinations. I stopped messing with his site coz u guys told me to back off. Well thanks anyway…
-
This is a great thread to look at, when you hit your first plateau.
Some great information 🙂
And unlike some of the others here, I wanna know how to get into others systems without a proggy(I dont buy the ole “I wanna learn to protect myself” jazz!! lol.), I wanna know how to bounce off nodes to make detection that little more difficult, I wanna know how to mass inject a server, and tell Frank he’ll be alright once he gives my favourite Milli Vanilli single back!! I wanna know what the heck Im talking about when Im talking it!! lolIm not gonna try and mask what I want to learn, as it only hinders my own learning, and there’s nothing better than learning something you wanna learn 😉
But I can say out of all honesty.. Its out of curiosity and fun that I have been interested.
I dont wanna be the next Phantom Menace online.
But would like to be able to know, what Im looking at, when its right infront of me.Freedom of information, and Common sense, are 2 necessities greatly under utilised when starting off.
Understand these, and patience will be your virtue 😉My 2 shillings worth ;D
-
@Dengar13 wrote:
Why not start out reading a book on hacking, like Hacking for Dummies, Hacking Exposed, any Kevin Mitnick book? This could give you an overview of the fundamentals of hacking, and the Mitnick books have good stories, and history on hacking.
There are too many elements to consider on where to start.
Welcome by the way.
[move:2gp8riig]I am a newbie in hacking. I want you to be my mentor. Though much depends on me, I will be glad if you can help me through.
:)[/move:2gp8riig] -
@ChrisG wrote:
here read this
The only thing worse than training good employees and losing them
is NOT training your employees and keeping them
– Zig Ziglar
this make sense:P -
-
-
-
Hi Champions,
Please help,
This is Sathish Kumar, I work as ISMS Guys offlate i am interested to learn and enhance my skills onto the field of Ethical Hacking.
My BackGround is that i worked as Windows Administartor for almost 8 years and 4 years into the ISMS, I have very good exposure of Using VA tools like Nessus,ISS and Foundstone tools, however i want to learn and enhance my skills in exploiting the reported vulnerabilities.however i have already dowloaded Metasploit 3, but i don’t have a hacking exposure, Can anyone of u please do let me know is there is any step by step guide how to use the Metasploit framework to exploit the known Vulnerabilities that exist or any other tools which can used for these activities.
Please suggest.
Regards,
Sathish Kumar.S -
A few videos on metasploit:
-
You can start by getting a basic understanding of metasploit by reading the user guide that comes along with it.
http://www.metasploit.com/documents/users_guide.pdfAfter this you can proceed to other books.
http://books.google.com/books?q=metasploitI’m currently reading Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability research and am happy with it.
-
In addition to Xen-‘s reply, if you have the finances and time, look into the OSCP training, at Offensive Security’s site. muts has done an excellent job of putting together information about how to work with buffer overflows, exploit compilation, etc. While they don’t explain EVERY exploit (I don’t think anyone has that much free time on their hands, it does give good information to work from, in utilizing metasploiit framework, and its toolsets.
-
Good Evening All~
Im new to the site and new to the IT security world… IT world in general so I’m really just here to get a grasp on things. As an ex-west pointer (left prior to graduation) I’ve been struggling over the past 4 1/2 years on what to really do with my life and it seems that I have finally found some insight. I started dabbling with the idea of “something IT related” about a year and a half ago.
I decided that if im going to do something, I’m going to do something that interests me and I’m going to do it right. Granted I’ve been playing around with computers my whole life (Back to the mechwarrior days and 14.4k modems were the newest thing) but I never really gained a deeper level understanding. With that being said… Last week I kicked Microsoft to the curb, Installed Ubuntu as my sole OS and then started reading about this ethical hacking and IT security. I AM HOOKED. Been an athlete my whole life and these days I can do nothing but think about getting back to my computer to learn more. I’d just like to say thanks ahead of time to all of you guys (maybe a gal or two) who have contributed already and who will help me along on my journey.L2R
-
This my fist post on this site so yes I’m new, and yes I’m probably gonna be asking something you guys are tired of reading and I’m sorry in advance.
I’m not new to computers I’ve had them sense I was a kid, I’m 25 now, but for most of my life I didn’t care about anything, anyone, or really advancing in life. That was till I met my wife, but long story short my heads screwed on straight now and I know what I want. I desperately want to learn about computers at this time I do not have the money to pay for school or anything like that but when I do I plan to go for networking security.
Over all though I wanna learn everything I can bout computers, which yes includes hacking, have no interest in being a “black hat hacker” as I’ve head them called. I just wanna be able to mess around with my friends who are out of state learning computers and are hackers them selves. So now as I go around my ass to get to my elbow but I was wandering if you guys had ideas on books, sites or even classes I could get or take to get my foot in the door and start learning on my own?
-
Greetings Dtag. You are a man after my own heart….welcome to this forum by the way. I did the military route; and that as well as my wife did the trick to get my head on straight. What knowledge do you have as of now? That is a good barometer as to where and point you to. What is your educational background. How much experience/knowledge do you have in IT, and what does it consist of? Your answers will help us help you.
Again, welcome to this forum.
-
-
Welcome to the forums.
If money is too short then use the free resources available – there are tons of them. Especially if you are very new to everything and need the basics you should be able to find some great websites, whitepapers and even free books.
Think about which topics interest you most and search for those through google. Also browsing through this forum may answer a few more questions you might have.
-
In addition to what awesec has advised, I also suggest going to a library and getting some A+ and Network+ books from your local library. This will give you a foundation in IT, and from there you can decide whether you want to learn programming, networking, server administration, etc. Security should be considered after you get a solid understanding of the former as it is not an entry-level thing to get into.
-
Yeah I had a feeling secrity wasn’t entry level but I’m deffently hitting the library before the wifes derby practise today. Secrity is more of something I want in the long run don’t want it right off cause I do wannna learn programming as well. Thanks for the help guys and I think I may of found this to be one of my new fave sites. 🙂
-
I would recommend reading as much as possible. When I was first getting into security I found a lot of material available on the web, but the best was getting a good grounding in TCP/IP through books like the CCNA book, then building up through Hacking Exposed and then on to Web App hacking books. Setting up a small lab at home was my next step. Of course now there are also a lot of good videos that illustrate pen test techniques.
-
thank you all for the post it has been educating and at the same time confusing, i really need a mentor and someone to guide me, i am a student studing computer science, this is just me 2nd year but have a dream of becoming a CEH the big question is where do i start from which knowledge do i need before enbarking for the course. I will appretiate ur advice and thanks in advance.
-
It would help if we knew what you already had good grounding in. Also what besides or why do you want a CEH? Do you want it just to have it? Do you want it as a stepping stone to something else?
How are you at Networking, System Administration and programming? What hacking have you looked at or tried? Do you know Virtualization yet?
Couple of things to look into:
The rest of this site. Including the Features tabs where things get reviewed.
Hacking For Dummies (it’s a good start).
Hacking Dojo
Infosec Mentors (not a bad program. I have or had a mentor, but we didn’t really click).
Offensive Security’s WiFu course.
The Security + cert (Appears to give a broad overview of all aspects of security). -
Hi, I frame my learning process into 3 main parts:
1. Host
Learn to be comfortable using and configuring both Windows based and Linux based OSes.
I have a laptop that I dual boot to have both windows and Backtrack. By forcing myself to use Backtrack(linux) I was able to learn many linux commands fast.2. Applications
Learn to built your own website with any language E.g. PHP
Learn to configure web application servers E.g. Apache or IIS
Learn to configure databases E.g. MySQL3. Networks
Read up on TCP/IP and understand how packets flow and formed in the networks.
A very good book to start reading is TCP/IP Illustrated. However, do note that it is very dry.
Make use of wireshark to collect network traffic while you start surfing the web. By looking at the packets collected and cross reference to TCP/IP Illustrated book you can learn alot about networks.
Last but not least google is your friend. God Bless. 😉 -
I would say able to read and spend many hours reading about this stuff. I find myself going online and watching tutorials , reading forums and websites like ethicalhacker.net, going to the local book store reading hacking books and hacking mags like hakin9. The more I read the more I learn and can add to my ethical hacking skills.
-
-
I think it all depends on what area you want to work in. Most of what I have learned has been from doing tutorials and watching video and mostly network stuff. I landed a job a fews months ago that required me to test web apps so now in process trying learn as much as I can about web apps.
It might also be useful to stick with what you know to start off with if you good network then try learn as much as you can about them.
-
@rance wrote:
@pseud0 wrote:
Necessary ethical hacker skills, the starter edition:
TCP/IP
OS basics for M$ and the *IX distro of your choice
Internal network basics (switches, hubs, firewalls)
A sense of humor (preferably dirty but manic is also acceptable)
External network basics (routing, IP, interaction with internal networks, etc)
Relationship between services, ports, and how exploits work
Washboard abs
Some familiarity with coding (not expert, but can muddle through)
Understanding of general web application construction (front/back end, etc)
A WOW account (maybe EverQuest if you roll like that)
Some level of business sense (need to explain business impact of your findings)
A comfort level with your skin tone being 3 shades more pasty than your racial peersWashboard abs?! Well, that disqualifies almost everyone I know in IT. 🙂 The skin complexion though? Got that one nailed…
Am with you on the skin tone but Abs??? try AB! lol
-
-
Hi Guys
verry soon i will be writing my CEH and am shit scared in going because i do understand the concepts and the phaxes and all of that
The only part is when it comes to actually doing and implementing it
Ive brokeinto a few of my wifi AP to try out aircrack and played with DVWA but the thing is i keep hitting a brick wall
I scan a victim then see the open ports and google up the vulns but there after ??? clueless
Ive also tried the metasploit and understand but only thing that worked was the MS068 smb vulns thereafter zip …and i dont think its verry practical in running the automation tools (as the ceh instructor said)I just need someone to help me in setting an enviroment and breaking into there to uinderstand what happens etc
If some one would be willing to help please
I pretty much feel useless
My biggest dream is to get really good so to build a name for myself and i keep getting this wall -
CEH is a generalization, an intro into ethical hacking. It will not make you a pro overnight. If you hit a wall, make a list of what you know about the network, if you have open ports, note them. They may not have any known vulnerability surrounding the service in particular, but they can be used later to get data in or out depending on something internal. For instance, you hit a firewall that has say port 25/80/21/22/443 open. Hopefully the engineer did not filter what internal clients can go out through those (proxy only or other filtering systems). So you scan the firewall, check to see if you can enumerate the services and see if any are vulnerable to exploits that may allow you through the firewall. Well the web servers may have some clues. The FTP and SSH ports may be susceptible to brute-forcing, but you will need accounts to use. 443 may be worth a look, they may have a “secure” web site that has some nice information they believe is protected. You will need to do some recon from data you have access to. If all attempts to gain access from the outside fail, well now you need to look at gaining it from the inside. You will need to exercise some social engineering skills. For lab purposes you are looking at exploiting a flaw in a 3rd party app such as flash, adobe reader or Internet Explorer. You can use metasploit to create the payload and the listener (remember those open ports on the firewall).
Good luck oh and if you decide to pursue OSCP, don’t forget to try harder 😀
-
@tamato wrote:
I just need someone to help me in setting an enviroment and breaking into there to uinderstand what happens etc
Easiest way to start a test environment is to get a virtualisation playground (either dedicated box, or just from your main machine) and attack some vulnerable virtual systems.
Depending on your needs Samurai WTF contains some vulnerable web applications (including DVWA which you mention), and all the tools needed to attack them, all in one handy package.
For more information, take a look at section 2 of Metasploit Unleased (and Metasploit Unleashed in it’s entirety) and/or Rapid7’s article on how to setup a test lab. Both of which also link to some good additional resources for acquiring and setting up intentionally vulnerable targets.
HTH, happy hacking 🙂
-
-
I consider myself a very creative (out of the box thinker), would programming (specifically PYTHON) allow me to use that?
Another question….
I almost have my CCNA, also have my A+ (which means nothing since everyone has it), I was thinking about:
Linux Certs
Windows Certs
Net +
Security +useful or redundant?
Was also thinking of a
Win 7 and server 2012 certification as well. I find jobs to be a bit difficult, so far to get. I want something stable/steady with good $ (50k +) so that I can focus on more than this.Curious again if these will help or some are redundant?
I also (surprisingly) dont hear alot of people using Kali-Linux. Is this something that everyone uses and thus so, nobody seems to mention… or… is using this considered being a “Script Kiddie?”
-
Python is a great language to use for pentesting, so having familiarity with it early in the security field is great!
As far as certs go, it really depends on what you want to do. Information Security is a wide spanning field and can be applied to all aspects of computer science and beyond. Though, getting both the ccna and net+ is unnecessary. Ccna covers all the same material as the net+ and beyond. Everyone has their won path and own opinion, but here is one recommendation.
If you want to do server administration pick either Linux or Windows to start with to get a job, then learn both.
If you want to do network administration finish the ccna, get the security+, get a job in networking then move towards ccna security.
If you want to do specifically security look in “certifications” section on the forum and poke around. There are a wide variety of certs out there and a lot of opinions so ask questions and do what makes sense to you.
-
Hi all,
I am new here, wanted to introduce myself. But first some comedy, I couldn’t resist :+D
Regarding the washboard abs: I only seem to have 1 ab; Am thinking about getting a Wok to help me iron my shirt; I should stop having multiple Lite’n’Easy meals in one sitting !
With pale skin colour: Capre Nicht !
I first encountered Unix in 1988 with a Sparcstation 1, and taught myself C from K&R book. Also did some Fortran77 at uni, but mostly forgotten that now. I fooled around with the shell and some awk scripts, but the operative word is fooled. I guess it was hard with no mentors or help from anyone, nor internet back then :+)
Have dabbled with a bunch of other languages since then, most recently C++ which I have been doing for a few years now. Also some SQL & RDBMS design, Postgres and a bit of Pascal, assembler (DOS 16 bit API). I have so much to learn, not only languages like Ruby & Python, but plenty of tech like TCP and others things already mentioned.
At the moment my targets are scammers. So far I have installed Kali, a Win10 VM, and have been experimenting with wireshark, msfconsole and nmap.
I have had an interaction with a Nigerian scammer on the phone. I went through all the usual crap until I let him log on with Teamviewer, then closed the VM, telling him my machine had crashed – was in safe mode. Ended call. Retrieved IP address from wireshark, then did some nmap scans. It turns out that his machine was running Linux and all the ports 1-65535 were closed. So this is where I reach the end of my knowledge. I am guessing I might be better to get the target to download a RAT while in my teamviewer. I was looking at msvenom to do this, but am unsure how to proceed with that. I would like the shortcut to first run the RAT, then show a bank website, or maybe a fake bank website that I could make. With the RAT, where to look at the code for that?
Some other problems I am having:
proxychains seems to work 1 minute and not the next. I have 10 ip addresses in the config file, some http, some SOCKS5. Seems unusual that all of them fail at once.
The scammers seem relatively smart these days. Here in Australia we seem to have a lot of robo calls with spoofed numbers, some of the the same number as Australian Federal Police. Any call back numbers seem to be shutdown quickly. We don’t seem to have much of the Technical Support scammers. We do have Energy scammers that seem to go through a reasonable but unprofessional procedure, but they don’t ask for any money or to connect to my machine. I guess the scam is in the first bill they send in the mail.
I would like to have some phone software that will allow me to dial any number. Had a look at LinPhone, but that doesn’t seem to work unless the other party also has SIP. Now I am looking at Google Voice, does anyone have any other ideas, possibly free ?
Finally how to start a new Topic here?
I look forward to any replies, and thanks in advance.
-
- You must be logged in to reply to this topic.
