Recently I’ve been reading a ton of questions, posts and general discussion about getting into the ‘Information Security’ game, and in my opinion at least it’s typically followed up by a fair amount of misleading information. That might be a little harsh considering I’m sure it’s good intentioned, it’s also even possible that the advice worked for them (there is no one size fits all advice) but I thought I’d lay my thoughts out here in the hope of helping a new budding hacker or infosec enthusiast move forward.
I want to play sport, where should I start?
This vague, open ended and very ambiguous question is very similar to someone asking how they should go about getting into information security. The first thing to realize is, there is a huge range of information security fields, and within each of those huge fields, is a lifetime’s worth of learning content. Just like picking a sport there is no ‘best’, it’s simply sometimes area’s you may enjoy more than others. Off the top of my head here are some example area’s that is by no means exhaustive:
How to be a Hacker
- Web Application Security
- Mobile Application Security
- Reverse Engineering
- Malware Reverse Engineering
- Cloud Security
- Network Security
- Incident Response
- Hardware Hacking
- IoT Hacking
- Risks, Governance and Compliance
- Programming / Creating Tools for Others
- Exploit Development
Some of these are more of a technical nature while others are more of a theoretical focus. I guarantee that whatever you like there are others out there who will find it boring, just as you will with what others are interested in sometimes. Right now it’s expected that if you’re reading this you may know very little about any of these area’s but what’s important is your willingness to learn and what type of motivation you have.
The Hacking Type
One trademark that is almost universal of people throughout those fields is their focus on independent, self directed learning. Unfortunately in some ways security is still considered a ‘dark art’, I mean why would anyone want to know how to break into a computer system unless they were going to do so? As a result plenty of people will show disdain to outright hostility when asking about security related questions under the false (perhaps sometimes true) assumption it’s merely a ‘script kiddie’ looking to learn to hack systems instead of wanting to learn and use that knowledge for a good purpose. It’s also a fact that the ‘learning’ resources of information security are quite disjointed with no real central repository of learning material.
The point of highlighting this is that if you wish to prosper and successfully enter into the information security field you should be prepared to jump in and find your way without waiting for someone to hold your hand and lead you down the right path. Google some of the above terms and see what sounds like fun. Despite what sometimes seems like a constant battle to find the ‘best’ field to learn, or the ‘best’ resource, or the ‘best’ way to learn often more time is spent procrastinating wondering these questions rather than dedicating the time to actually learning. Look up video’s on youtube for hacking examples – it’s ok if you don’t know what a lot of it means, but write down a list then google those terms. Use points of interest to spawn out with an ever increasing web of knowledge around topics you’re interested in.
Do I need to learn X first?
Of course you need to have a full knowledge of the OSI layer before you begin. Yes you need to read that 1000 page book on the TCP protocol. Yes you need to be proficient in 5 programming languages (at least!) before you consider hacking. Can you compile your own Linux kernel from source code? No? Don’t bother learning hacking. Actually…. all that is full of rubbish, yet it’s one of the most common responses given to people looking to learn information security. There is one requirement to becoming a decent hacker – interest. The difference between a future hacker and a script kiddie isn’t knowledge, it’s the willingness to learn.
“Ok, I get the hint – I need to learn things myself, but can you at least give me a starting point?”
Sure, there are a ton of great free or cheap resources out there to get started depending on what topic appeals to you. Here are some examples.
Web Application Security
- HackThisSite – Good for some basic web based challenges (link)
- Enigma Group – Similar to Hack this site (link)
- Hack The Box – A massive, online cybersecurity training platform (link)
- OWASP Top 10 – Idea of what are the most common vulnerabilities (link)
- TryHackMe – a free online platform for learning cyber security (link)
- OWASP Broken Wep Apps – A virtual computer you can load up to practice hacking skills on your network (link)
- Pentesting Lab – Another web focused virtual machine (link)
- In fact anything from vulnhub that interested you is good (link)
- The Web Application Hackers Handbook – The book on web hacking and vulnerabilities (link)
Reverse Engineering / Malware Reversing
- Lena’s Tutorials – Known as pretty much one of the best introductions to reverse engineering (link)
- The Legends of Random – Again another solid set of tutorials for reverse engineering (link)
- Reversing: Secrets of Reverse Engineering – A good book on the foundation’s of reverse engineering (link)
- Practical Malware Analysis – A great book focusing on reversing malware (link)
- Malware Analysts Cookbook – Another book focusing on reversing malware (link)
- Virtual Machines dominate this category as they allow you to practice against real machines. Head to vulnhub and download any VM that looks interesting (link)
- Metasploit Unleashed – A solid run through of the metasploit testing framework to be used in conjunction against VM’s. (link)
- The Basics of Hacking and Penetration Testing – A very basic look at penetration testing useful for those completely new to the field. (link)
- Metasploit – The Penetration Testers Guide – Another book focusing around the use of metasploit in penetration testing (link)
- Because this is such a huge field often it’s breaking it down into one aspect, then researching that aspect specifically. Blogs are your best friend here. (link)
- Corelan – This is by far the best resource out there for learning about exploit development. (link)
- FuzzySecurity – Another good learning resource with some tutorials available (link)
- Exploit-DB – One of the best things you can do is find examples of exploits (often with apps attached) and try and replicate the exploit independently (link)
- Hacking – The Art of Exploitation – A fantastic book that covers ton’s of different exploitation techniques (link)
- The Shellcoders Handbook – Another fantastic book on exploit development and shellcoding (link)
Other than that, Google, Google, and some more Google. I’ve left off some area’s such as forensics and compliance because personally I’m not interested in them so I haven’t gone looking for resources, I’m sure there are some fantastic ones out there.
Outside of the free resources you can also begin to get certificates to make yourself more appealing to employers if you wish to transition into the field as more of a career path. Some certification’s I’d highly recommend would be the “Penetration Testing with Kali Linux” course from Offensive Security (link) if you’re interested in network security. It’s easily one of the best learning experiences I’ve ever had in the field and taught me more in 60 days than I’d learnt in a year on my own. Their “Cracking the Perimeter” is also a great course, focusing a little more on exploit development (link).
If you’re looking at developing your programming skills things like SecurityTube’s “Python for Pentesters and Hackers” (link) is a great foundation that will teach you how to do plenty of nifty things like building your own port scanners, password crackers etc. I don’t place a huge value into their certification’s that they offer from an employment perspective, but I’d look at it more as a consolidated lump of knowledge and examples for sale which can still be valuable.
The “Certified Ethical Hacker” course is another commonly mentioned. Honestly it’s typically looked down upon so I don’t think it’s necessarily worth the money – but if you need a formal course to learn things then it might be worth the money to you. A lot of these certifications and their value are discussed over at TheEthicalHacker.net’s forums located here.
“Just seeing if you can”
Hacking is all about gaining access to things that we’re not meant to. Creating an exploit, finding a SQL injection, Password Cracking it’s all designed to put us towards the goal of taking control of the box we’re attacking. I guarantee almost every new hacker has started dreaming about “Just seeing if they can” get access to that school website. “Just seeing if they can” gain access to the neighbors WiFi network. Sending their friend a trojan virus “just to see if they can” take control. Worse still you might end up visiting places like HackForums.net and seeing a lot of people trying to infect others with RATs, build botnet’s etc under the impression this is hacking, or sadly that this is the only way you can learn.
I need to emphasize that this is not the case. Any type of “just seeing if you can” type exercises can be replicated through the use of virtual machines, your own routers or even capture the flag / wargame competitions out there. Being realistic even if you can access another person’s machine, what are you going to do with it? Are you really going to try and steal credit card details and make fraudulent transactions? Are you really going to steal passwords and be paranoid that your activity is going to be traced back to you for the sake of peeking at someone’s emails? There have been plenty of examples of newbies being charged, not realizing the seriousness of the crimes they are committing. If you went for a job with the FBI and they had a look through your post history would you like them to read that post about you asking how to host a botnet? It’s a classic example of what’s on the internet is forever, and if you really want a career in information security you need that clean record to obtain any security clearances you’re going to need to do your job. Getting caught for stupid stuff just isn’t worth it.
So after a long ramble, what’s the key points?
- A hacker will actively seek out information, not wait for others to give it to him
- The difference between a script kiddie and a new hacker is the desire to learn
- You need to experiment with a wide range of information security fields to find what interests you
- Don’t let anyone tell you that there are prerequisites for learning information security, there isn’t.
- It’s not worth “just seeing if you can” do anything that isn’t legal, the risk vs reward makes no sense for doing so
- With courses, wargames, capture the flags and more importantly virtual machines there is no hacking scenario that can’t be replicated legally
Have fun, sorry if it got preachy towards the end and enjoy pwning boxes! Information security is an awesome field and you’ll be learning something new every day that you’re involved in it. There is no right answer for getting into the field apart from jumping into it with both feet. Get wet, learn to tread water and stay afloat, one day you might even be able to swim a little!
Find me on twitter @jimmwayans