My new career path..tell me what you think?

[YuckTheFankees]

I’m really interested in linux/wireless/wireless security/ and pentesting.

Currently I work as NOC/ linux support, so I’m gaining networking and linux experience. I just obtained my Linux+ this week and I want to learn more about linux but  would the RHCSA/RHCE be useful for pentesting or is that just overkill?

For the wireless portion; I would like to get all 4 of the CWNP’s certs and maybe the cisco wireless certs but most people say to focus on the CWNP certs.

After I get the CWNA, that’s when I’ll start studying for the pentesting certs. I would really like to get the GPEN and GAWN certs first then maybe OSCP or GWAPT. But then again, maybe start with eCPPT/OSWP/ security tube wireless cert than SANS?

Tell me what you think?

[impelse]

You just said the everybody dilema. ” I want to be this and this and this” after that I want to be a pentest, etc, etc. The problem is that only those fields cover a lot/time/knowledge.

This is my way, maybe I am wrong but I’ve been moving around and I never get anything done. So I did my plan in writing:

1. Linux Skills (selfstudy) – Done – Took 1 month and 20 days (10/20/11)
2. Python skills (selfstudy) – Process
3. Wireshark skills (monitoring) (selfstudy)
4. Wireless certification from Offensive Security (Online training)
5. Web pen tester certification from Elearnsecurity (online training)
6. OSCP certification from Offensive Security (online training)
7. CEH (selfstudy)
8. GPEN (selfstudy)

I am working on that plan and sometimes I want to change it. Yes I will do it (the order) but no the subjects. When I begin to read specially this forum I want to begin to do this and that again, then I open my plan and see where I am and keep going.

[YuckTheFankees]

Yeah I almost had the same plan but my python and wireshark study is up in the air. But I should probably learn python before I try GPEN.

[hurtl0cker]

I am more interested in Network part of Security. For now most of my learning part is going on self pace, thanks to my college library for having awesome books.
One major reason that I aint going for any certs now is not having $$  😛
I can be pretty stingy on things  ;D but I really don’t mind spending money on two things:
– Hardware
– Good Documentation

My path is some thing like:
– Linux Skills (Self pace) – there is a huge amount of material online.
– Protocols (TCP/IP…) – some good books like TCP/IP Illustrated
– nmap – lucky to have Fyodor’s book at library
– Wireshark Skills – Wireshark has really nice user guide and wiki.(and lots n lots of practice)
– Higher concepts like Firewall’s and IDS
– Python Skills – there are plenty of good books(some are free), this is something I have been focusing mostly on because at some point you feel like you can’t turn your ideas into code. So my focus is more on coding.

This list and some others  will keep me busy for quite some time.

My certification path would be something like:
CWNA – To get started with wireless things.
OSWP – getting deeper into wireless security
OSCP  – Once I am comfortable with the above skill (and some other skills) I am going for OSCP. I am not in for eCPPT, as it covers almost the same stuff like OSCP except it focuses more on Web App’s security.

Coming to your point,
“Linux +” skills will be pretty much fine for going further into security. if you have time & bucks, you can consider RH certs.

In the wireless portion, I would rather suggest to focus on CWNP certs because they are vendor neutral certifications.
After CWNP certs, as your focus is wireless you can go for OSWP, that course is pretty nicely laid out. SANS certs are good but they come with a big $$, I feel like Offensive Security certs come with a good learning curve and are not too pricey for what they offer. GPEN would be a nice place to start with.

eCPPT is good with the Web Apps security modules and you can also take a look at “So You Want To Be A Web App Pentester” by Joe McCray.

[YuckTheFankees]

hurtl0cker thanks for the input. So now I’ll probably put the RH certs on hold if they wont benefit me that much for security.

[n3r]

Hi !
here is my way :

Right now i’m passing my degree in networking so i have started with TCP/IP Protocol, Linux skills, C Language, SQL, Java.
In my free times i study on Python skills and wireless. I plan to go to OSWP when i’ll be comfortable and have the money.

After i’ll probably go to OCSP and CEH as CEH is most important for the french companies…

[YuckTheFankees]

How often will pentesters use SQL and Java?

[n3r]

i don’t know  ;D
but in my degree we have a C course and introduction to others languages, so SQL and Java. I didn’t choose  ::)

[YuckTheFankees]

oh lol. Well it’s good you’re learning those languages..only if I had enoug time in the day. When do you think youll start your 1st pentesting cert?

[n3r]

I don t know. I have been working hard on wireless pentest and my virtual wireless lab.
But I have no idea if I m ready for OSWP.

[YuckTheFankees]

My goal is to have 2-4 pentesting certs before next DefCon. I really want to try the challenges against other professionals and see how I compare.

[impelse]

Great. Remember one thing, it is not the certification when you compare with other people, it is skills and knowledge

[idr0p]

One thing to remember is to expect to be derailed. My path has changed sooo much since i started, for example i expected to do the OSCP and CISA among other things by now. Like the greats you must be able to adapt.

My path was the following.

Linux (When i was in H.S.)
Network Security (College Degree)
Learned Python (In College)
I got a Info Sec Analyst Job (which I am now.)
Took GCIA
Took GCIH
Took GPEN
Taking GWAPT exam – err… thursday *crosses fingers*
Going Back to School for M.S. CIS
Looking to take EnCe
Then GCFA and CCE
Then GSEC, CISSP
Finally GSE

I really want to throw the OSCP in there somewhere. it may have to wait until i complete school.

As for impulses path i would change it to the following.
1.  Linux Skills (selfstudy) – Done – Took 1 month and 20 days (10/20/11)
2.  Python skills (selfstudy) – Process (this will be a never ending step. push to background look at ‘gray hat hacking with python’) &
3.  CEH (do this earlier it will set a good foundation)
4.  tcpdump / Wireshark skills (monitoring) (selfstudy) (first understand tcp dump and packet analysis, you will get wireshark better.)
5.  Wireless certification from Offensive Security (Online training)
6.  Metaploit / Nessus Skills (self study) (understand how exploits and payloads work. pre and post exploitation)
7.  OSCP certification from Offensive Security (online training)
8.  GPEN (selfstudy) (the business side of pen testing)
9.  Web pen tester certification from Elearnsecurity (online training)
10. GWAPT?

[YuckTheFankees]

impelse,

In no way do I think certs will put me in elite status, but they do help my learning and hopefully point me in the right direction.

idr0p,

Thanks for the input. Right now I’m hoping to take a SANS course next april/may with my tax returns =) lol but then again..maybe I should hold off until I actually get a security job (since you have to renew them every 4 years).

I have a few questions for you…
How long after college did it take for you to land a info sec job?
Which of the SANS courses did you like the most so far?

thanks

[impelse]

Those are good ideas.

When i said learn Python is only read two books, I am reading Python® Programming for the Absolute Beginner, Third Edition and then Hacking: The Art of Exploitation, Second Edition

For wireshark I am watching Laura Chapell videos (going deep to tcp).

I will stuck there until I complete and keep according the plan with some modifications.

[idr0p]

YuckTheFankees,

If you want to take a SAN course, GSEC or GCIH would be good to start out and get your foot in the SEC door.

[YuckTheFankees]

I would really prefer to start with GPEN/GWAPT/ GAWN but when I look up jobs..GSEC comes up with the most jobs..but I feel like if I get the sec+, CEH, CPTE..then GSEC wouldnt do that much for me

[idr0p]

GSEC, even though i havent taken it… yet, looks like it has some good stuff in it. I think it is a step up from the Sec+ and the main thing about SANs tests is you want to get a feel for them it is a good cert to start with in general.

On a side note the GPEN does cover python, but no too deep. OSCP is where you will need the py skills more.

[p0et]

I took and passed the GCIH.  It was an awesome course and loved the CTF event at the end.  Since I won the CTF contest, they gave me the GSEC course materials for free.  I had a look at these and yes, it has a ton of valuable info but I never wrote the exam.  Just my opinion but if you already have your Sec+, CEH and CPTE, I would think you’re beyond GSEC.  I must admit that I’ve seen job ad’s with GSEC in there too.  I’d hope if they see you have a more advanced cert then GSEC, that would be sufficient.

[Author]

Posts