Novice hacker wrote:@MaXe
Woah, that's the longest post I've ever seen in my life :)
It's one of my standard post lengths when I have time and there's a good reason to do so
Novice hacker wrote:
Thank you very very very much for posting all that info :)
But, before I address it, I would like to make my position a bit more clear. You have misunderstood me.
I plan to come to the Infosec field purely because of my great interest and passion for hacking and security. I'm not doing it for the money but the reason why I posted those question was because
1) I feel that "rewards stimulate me a great deal".
2) There will probably be pressure from my family to earn a lot when I choose an 'unconventional' field like ethical hacking. I feel as if i have to prove myself. But other than that, I joined this field ONLY because of the burning desire in my heart to learn hacking and my ULTIMATE dream is to become THE BEST or ONE OF THE BEST.....
I assure you that I am not doing it for the money alone
No problem, and no I wasn't judging you
Just wondering because you mentioned the salary in a few posts. But 1) Most ethical hacking jobs pays better than other non-management IT-jobs, plus it's a lot more fun imho, 2) You're going to have one of the coolest jobs in the world and the salary is often higher than other jobs in the IT-sector? If you want to use nice words, say IT-Security Consultant, as they may not understand at the moment that professional & legit hackers exist. (At least, some of my family denied that for several years, and some of them still do. Including friends requesting illegal services I of course deny, because they think all hackers are bad somewhere, but I don't think they would ask a cop to shoot someone just because they carry a gun. In this case, the mind of the hacker, is the gun.)
But IT-Security (or ICT-Security depending on where you are in the world), often pays quite good, especially if you're not a junior but on the "normal" or senior stage. Anything +50k is considered good, as you will earn more than most people. Tech Support, such as some of my previous dayjobs, has paid as low as 25k $USD per year, _before_ tax. It's one of the biggest IT-companies in the world and it was in a capital city in EU where they speak English, in fact, the company is IBM. It's not minimum wage salary, but it's close to, and there is a lot of tech support jobs, that are minimum wage, and getting any increases per year, is very hard, no matter how good you are at your job. So even 40k$ a year is nice. At another job I recently had they paid roughly 20% more, and this company is not very well known, it's still tech support, but the location is also in the middle of nowhere!
So just because a company is big, isn't equal to good salary, good work environment, or for that sake, many other things you will experience on your own perhaps. (I wish all the best for you of course.)
Novice hacker wrote:
On a happier mood,
I know a few hackers who began with A+ and Security+ material, they turned out to be great.
Thanks! That is very encouraging
There's a book by Thomas Wilhelm on that. (Publisher: Syngress, they publish a lot of good books on hacking.)
I read the table of contents and it looks great but there were a couple of negative reviews saying "Unfortunately, PPT should be called "Professional Pen Testing Project Management." Have you personally read the book? Would you give it the thumbs up?( because it looks good to me)
I haven't read it, but I've participated in his classes at the Hacking Dojo, and he has quite a lot of experience with pentesting, plus I know that he's particularly good at putting on focus on the things people don't tend to attack in labs. He made an article on this website recently about this issue, that people would often target servers, etc., instead of routers too. (Meaning you should eventually try to hack routers and switches too, it's an important skill. Especially to know what you can do, and what you should avoid.)
Novice hacker wrote:
Learning how TCP/IP functions first is a good idea, as learning about Operating Systems in depth, can be a bit boring.
I went through(skimmed through ) MOS by Andrew Tannenbaum in the library today and it was kind of outdated, but I will talk more about that when I get to that step. :)
Which volumes of TCP/IP should I read? (Is the I vol. enough?)
Haven't read that book, but TCP/IP hasn't generally been updated afaik (as far as I know), so even an old book, can be just as up2date as a new book about TCP/IP. The TCP/IP Illustrated book could be a good read, even though I've never read it. If you don't like "dry reading", avoid RFC's for now, but don't avoid them forever
(Check one out a day for e.g., a protocol you really like and want to know more about.)
Novice hacker wrote:
pays good enough to have an acceptable living where you can eat properly
And I plan to go for 'corporate hacking' because as you already stated I get to work with it DAILY
No matter how "good" you are, you have to be able to justify what you're worth, by knowledge but also in many cases proven experience. If you can't prove your knowledge besides saying you're really good, the company won't be able to know whether it is true or not. (If you on the other hand, have written several tools, advisories / pocs (0days), and much more, they can at least have some sort of picture even if you have no experience.)
I will try to do atleast one of these before I apply for a job......
Do you have anymore suggestions to prove my worth? (It would be very useful for me, thanks)
The more you learn, the bigger the picture will be
I like that the infosec field is a broad one too
Oh and I will be ready for all things coming
And I have to thank you a ton for that mini-SQL lesson. I found that highly instructive as well as interesting to learn. (It was a great analogy, though it took me a few seconds to grasp what it meant)
For the moment no, you have much to learn and reflect about, and I don't want to overwhelm you with too much information at once. I've given my best advice for now.
It's great to hear you learned something from the mini-SQL lesson, in fact it may make it easier for you to understand how SQL works in the future then.
Novice hacker wrote:
Dream companies, are those that perform real penetration testing, hires the good hackers, and knows what they're talking about. One of them could be: Rapid7 (they're sometimes hiring, mostly developer positions), but there's a lot of companies I can't remember the names of, that I know from friends' experience are more than great. Some of them have awesome bonuses and encourages research, others have crazy parties, some almost always go to the big conferences (Black Hat LV and Defcon, but also Derbycon too), and some will let you travel around the world.
WOW! That's my idea of a DREAM company! What you described is almost exactly what I want to do!! PLEASE tell me if you can remember the names of those companies and if you can contact your friends for the names. They seem to fit into my interests a lot.....
(Do you work for a similar company?)
Thanks for sharing your interests, it has kind of stimulated me to be more interested in Web App Security...its ok if I learn that last right?
As for correct info, I try to get my info from two sources or so.
What I described were several different companies, where most of them are located in the UK. This doesn't mean they exist in other countries though, as some of them were from USA, Australia, Denmark, etc., so the best way to find out, is when the time comes, read about the company and the job on their website, and perhaps during a phone interview if you get to this phase, ask about the benefits of working there, but not in a greedy way of course
Currently I work in Tech Support, while I've done some freelancing (mostly voluntary), but I've also done some lighter research, and many other interesting things which I'm sure you'll discover, however I am actually going to relocate to another country soon to work with ethical hacking (including penetration testing) plus a few other things for a living. I honestly can't wait to get started
I'm glad to hear you've developed a deeper interest for Web App Security, but yes, you can learn it last if that is what you want. When I "talk" with new hackers, I ask them whether they want to become a hacker who specializes in web applications, or programs, and from there, perhaps sub-specializations like reverse engineering, malware analysis / research, 0days / zero days (reverse engineering comes into place here), vulnerability research (can be applied to web app sec too), and so forth.
When you learn how to specialize in web apps, you need to learn the appropriate protocols that serves a website, from HTTP (including some basic SSL), to DNS, routing, TCP, UDP, IP, ICMP, ARP (even FTP and some SSH too), and different physical and virtual topologies. (Such as a star-shaped ethernet network. It's not that important to know, but learning how the ethernet protocols functions, at least some point during your self-taught education, is very good to do.)
If you are going to learn vulnerability research and / or exploit development of programs, you need to learn things like reverse engineering (at least somewhat), basic assembly (the programming language), debugging, but also how to analyze protocols and e.g., build your own protocol fuzzer, which in some cases is not as hard as it may sound. (Building a basic fuzzer for the TFTP or HTTP protocol isn't that hard.) You will need to know about TCP, UDP, IP, ICMP, ARP, etc., here too, along with other protocols including routing.
Otherwise, how will you be able to know when looking at a traffic dump in Wireshark if you've done something horribly wrong?
Of course you will probably be using "canned exploits" for both, so that's why both of these areas covers the same protocols, and just because I said HTTP in the first, doesn't mean you shouldn't learn it in the second. It's just a requirement in the first, if you want to be effective and know what's really going on when you send an exploit.
So take it in the order you find most interesting, that is what matters when you're learning on your own
But keep in mind, that for some topics, you should learn the basics / foundation first, before attempting fly without wings that haven't fully grown out yet
I'm glad to hear you're using at least two sources, but keep in mind that two sources can be incorrect too, even professionals who has worked with IT for 10 or 20 years.
PS: Long replies are my speciality in some cases hehe