I create highly technical videos about various topics of IT security. Many of my videos are walk-throughs of CTF challenges explaining my thought process. I think this playlist could be interesting: https://www.youtube.com/playlist?list=PLhixgUqwRTjywPzsTYz28...
Besides that, I can also really recommend livestreams/screenshares from the following creators. To me, seeing how somebody really does it and where they struggle, really really helped me break through a wall I was hitting:
I really appreciate your videos.. I'm an early early beginner, regardless though the videos and how you construct them is really entertaining and informative.
Keep it up. <3
The entry level cert in this area is the CEH. It's kind of looked down upon, like a lot of entry level certs are, but studying/working towards that isn't a bad thing.
Books:
- Practical:
The Web Application Hacker's Handbook 2nd Edition - Gives a very good overview and is a good place to start.
The Hacker Playbook 3: Practical Guide To Penetration Testing - #3 just came out. Haven't gone through my copy yet, but I've heard good things.
RTFM - Red Team Field Manual - Nice to have, quick reference guide
BTFM - Blue Team Field Manual - Like the above, but for the good guys ;)
- Covering the bigger picture, if you're curious (geopolitical):
The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age
The Red Web: The Struggle Between Russia's Digital Dictators and the New Online Revolutionaries
Dark Territory: The Secret History of Cyber War
Cyberspies: The Secret History of Surveillance, Hacking, and Digital Espionage
CEH is a fucking joke created by a former marketing professional and it shows. It's always been a ho-hum cert that attests to the fact that you once heard about this nmap thing, but it was cheap resume fodder for someone looking for their first industry position.
They successfully lobbied the DoD to make it an option for 8570 compliance and, after becoming a government contractor, doubled the price immediately afterward.
CEH never taught anything useful or lasting even at its former price point, and it only exists now to soak up mandatory spending of government cheddar. (The cynic in me speculates that this was their intention all along.)
Don't bother with it unless someone else is footing the bill.
But still gets looked down on. It's a running joke in pretty much everywhere I've worked that if you see someone with CEH and/or CISSP in their email signature - like a badge of honour - that you know you're going to be in for a real tough time.
There's no standard path in information security, most schools don't offer information security degrees and many extremely successful people in security didn't come from a CS background at all.
Some general recommendations:
- follow smart security people on Twitter, which is the defacto medium for information security discussion
- read publicly disclosed bug bounty reports on Hackerone and Bugcrowd
How about for proxy servers in headless browsers; what do you recommend? Any experience with how public and premium proxies vis-a-vis uptime and reliability compare?
Plenty of good suggestions here already. Some I've not seen mentioned yet:
Books:
Hacking, 2nd edition (some specifics are out of date, but it teaches hacking by teaching how the relevant pieces of a computer work which is still valuable)
WeChall: https://www.wechall.net/ (challenge site directory that'll help you pick challenge sites based on your topic of interest)
+Ma's Reversing: http://3564020356.org/ (old reverse engineering site/community - mostly dead as far as I know but the puzzles will still challenge you and the old articles you can unlock make it a bit of a hacking museum)
CTF Time: https://ctftime.org/ (A directory/calendar of tons of CTFs you can play in)
Pwn Adventure: http://www.pwnadventure.com/ (A vulnerable MMO server/client designed to demonstrate common game vulnerabilities)
VulnHub: https://www.vulnhub.com/ (A repository of deliberately vulnerable VMs you can host and attack in your security lab)
I find that talking to folks in the trenches is incredibly useful. If you’re already at a company that has a security team, or even a small company that has folks that deal with infra/app security and/or incidents, you can learn a boatload directly the practitioners on the line. Even better if there’s a chat room that you can be a fly on the wall in.
When I worked at Mashery (a SaaS API management company) we were the front end for the APIs of hundreds of companies around the world, handling billions of API calls for the likes of Comcast, Best Buy, Starbucks, Macy’s, etc. During my time there, I learned a god awful amount about ops, scaling, amd security, simply by sticking my head in whenever I detected chaos going down.
Some comments mentioned tools like Metasploit, or reading up on the OWASP 10. Yup and yup. Plus, there are other tools to add to your belt that I find indispensable: Charles Proxy (install a MITM to watch web traffic), nmap (discover all the services running on a network)
I highly recommend pentesterlab.com.
The Web for Pentester course is a great intro for first timers if you read the PDF and play with the VM
When training newbies I will start with this and get them to play around with google-gruyere.appspot.com.
These are only relevant for web app testing, I haven't been able to find a suitable free resource for network testing but for paid resources OSCP is a great practice course if not pretty challenging for first timers
The project ZAP is a really great tool to help you in the process.
(https://www.zaproxy.org)
Outside the web sphere, exploit database is a great site with a bunch of exploit code, explanation and papers.
(https://www.exploit-db.com)
The tool suite in Kali Linux is also very good if you don't mind read the documentation and try understanding the goal of the tools.
(https://www.kali.org)
Security is such a wide domain that you can quickly get flood.
I don't think the ultimate step-by-step learning guide exists.
Once you've learned and practiced a bit, if you don't give up too soon, you will get the point and understand how deep you need to go into a protocol or a system to actually do something yourself (then this not about security documentation anymore, but about understanding how the target works, and how you can make it work the way you want).
I would say that you need to focus on some targets first, and expand the scope over time depending on your needs/interests.
I would also like to highlight the following other creators. For me seeing the process of others has been a lot more fruitful then just following text tutorials:
Wow, thanks for sharing and for your hard work on your channel!
I recommend it to everyone who is even remotely interested in security as your videos provide really valuable knowledge which is very easy to digest in the same time.
If your goal is to land a job with the skills you acquire, you'll need more than just solid basic skills. It would be helpful to keep abreast of new developments, where there might not necessarily be a lot of training material yet.
One way to keep up on what's new, is to watch the talks posted by security conferences. Speakers generally submit their freshest work, and are often playing their own game of resume-enhancement by getting their name associated with hot topics. So pay attention to not just the topics, but also the vocabulary around them...
A lot of the newest-fanciest research won't necessarily be within your grasp as a neophyte, but some of it will, and some of it will inform your direction and focus as you work your way up.
And some of it will suggest entirely new avenues, disciplines, and modes of thinking.
This often goes overlooked on a forum full of coders, but not everyone who reads HN or wants into infosec is proficient with a major scripting language.
I'd bet being solid in python/bash/powershell would come in handy, and that having no skills in any of them may be a dealbreaker.
Highly recommend python or perl myself - and obviously know how to use bash as well.
One related suggestion: Do not become reliant on third party modules/add-ins (other than the standard library stuff) - at least when learning. Really learn how it works.
The university of NSW (respected Australian uni) is putting up a bunch of materials from their Masters in Cyber Security. It's going up slower than expected but the lecturer is engaging and the first subject to roll out covers a lot of good philosophy of security type subjects.
For getting started in web security, the Hacker101 series by HackerOne is a great — and free — place to start. And I believe they are currently adding new content every month.
recommended way,
1. learn operating system internals, start using Linux
2. learn computer networking. TCP/IP, OSI layer and network protocols like TCP, UDP, HTTP
3. learn about software programs and Web application architecture
4. start following up security related resource like books, videos, courses (OSCP is great).
- Pick one programming language along the way and try scripting programs while learning.
- you need not master every topic but knowledge of how and why everything works the way it works increases you expertise as security practitioner
- since there are many public bug bounty programs these days, legally testing out stuffs to hone your knowledge has never been easy. plus you get paid.
I have also recently started a series on Pwn Adventure 3, where we are hacking a game and I explain my process: https://www.youtube.com/playlist?list=PLhixgUqwRTjzzBeFSHXrw...
Besides that, I can also really recommend livestreams/screenshares from the following creators. To me, seeing how somebody really does it and where they struggle, really really helped me break through a wall I was hitting:
+ ippsec: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
+ John Hammond: https://www.youtube.com/user/RootOfTheNull
+ Gynvael EN: https://www.youtube.com/user/GynvaelEN
+ Derek Rook: https://www.youtube.com/channel/UCMACXuWd2w6_IEGog744UaA
+ ...
Free: https://www.cybrary.it/
Cheap: https://www.pluralsight.com/
The entry level cert in this area is the CEH. It's kind of looked down upon, like a lot of entry level certs are, but studying/working towards that isn't a bad thing.
Books:
- Practical:
The Web Application Hacker's Handbook 2nd Edition - Gives a very good overview and is a good place to start.
The Hacker Playbook 3: Practical Guide To Penetration Testing - #3 just came out. Haven't gone through my copy yet, but I've heard good things.
RTFM - Red Team Field Manual - Nice to have, quick reference guide
BTFM - Blue Team Field Manual - Like the above, but for the good guys ;)
- Covering the bigger picture, if you're curious (geopolitical):
The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age
The Red Web: The Struggle Between Russia's Digital Dictators and the New Online Revolutionaries
Dark Territory: The Secret History of Cyber War
Cyberspies: The Secret History of Surveillance, Hacking, and Digital Espionage
They successfully lobbied the DoD to make it an option for 8570 compliance and, after becoming a government contractor, doubled the price immediately afterward.
CEH never taught anything useful or lasting even at its former price point, and it only exists now to soak up mandatory spending of government cheddar. (The cynic in me speculates that this was their intention all along.)
Don't bother with it unless someone else is footing the bill.
Well, it's an entry level cert, as you say. Passing CEH doesn't mean someone knows what they're doing.
Is there an alternative entry-level qualification that evokes fewer frowns?
That's not a problem with the certificate, it's a problem with people confusing it for an advanced qualification.
Some general recommendations:
- follow smart security people on Twitter, which is the defacto medium for information security discussion
- read publicly disclosed bug bounty reports on Hackerone and Bugcrowd
- read The Tangled Web by Michal Zalewski
- learn to use Burp Suite
Burp Suite is an awesome tool for devs as well. The Repeater tool is better for messing with API calls than any of the browser dev tools, imo.
For people finding the proxy setup stuff annoying: install Foxyproxy in Firefox and it makes your life really simple.
Books:
Hacking, 2nd edition (some specifics are out of date, but it teaches hacking by teaching how the relevant pieces of a computer work which is still valuable)
Anything else from https://nostarch.com/catalog/security that looks relevant to your specific interests
Hands-on practice:
OverTheWire: http://overthewire.org/wargames/ (wargames to ease you into things)
WeChall: https://www.wechall.net/ (challenge site directory that'll help you pick challenge sites based on your topic of interest)
+Ma's Reversing: http://3564020356.org/ (old reverse engineering site/community - mostly dead as far as I know but the puzzles will still challenge you and the old articles you can unlock make it a bit of a hacking museum)
CTF Time: https://ctftime.org/ (A directory/calendar of tons of CTFs you can play in)
Pwn Adventure: http://www.pwnadventure.com/ (A vulnerable MMO server/client designed to demonstrate common game vulnerabilities)
VulnHub: https://www.vulnhub.com/ (A repository of deliberately vulnerable VMs you can host and attack in your security lab)
When I worked at Mashery (a SaaS API management company) we were the front end for the APIs of hundreds of companies around the world, handling billions of API calls for the likes of Comcast, Best Buy, Starbucks, Macy’s, etc. During my time there, I learned a god awful amount about ops, scaling, amd security, simply by sticking my head in whenever I detected chaos going down.
Some comments mentioned tools like Metasploit, or reading up on the OWASP 10. Yup and yup. Plus, there are other tools to add to your belt that I find indispensable: Charles Proxy (install a MITM to watch web traffic), nmap (discover all the services running on a network)
When training newbies I will start with this and get them to play around with google-gruyere.appspot.com.
These are only relevant for web app testing, I haven't been able to find a suitable free resource for network testing but for paid resources OSCP is a great practice course if not pretty challenging for first timers
WebGoat is a good way to put things in practice locally. (https://github.com/WebGoat/WebGoat)
The project ZAP is a really great tool to help you in the process. (https://www.zaproxy.org)
Outside the web sphere, exploit database is a great site with a bunch of exploit code, explanation and papers. (https://www.exploit-db.com)
The tool suite in Kali Linux is also very good if you don't mind read the documentation and try understanding the goal of the tools. (https://www.kali.org)
Kali NetHunter lets you practice from Android. (https://github.com/offensive-security/kali-nethunter)
Security is such a wide domain that you can quickly get flood. I don't think the ultimate step-by-step learning guide exists.
Once you've learned and practiced a bit, if you don't give up too soon, you will get the point and understand how deep you need to go into a protocol or a system to actually do something yourself (then this not about security documentation anymore, but about understanding how the target works, and how you can make it work the way you want).
I would say that you need to focus on some targets first, and expand the scope over time depending on your needs/interests.
In case you want cert: skip CEH, get some basic knowledge and go OSCP
Daily resources:
* https://www.reddit.com/r/netsec/
* https://www.hackerone.com/zerodaily
* https://hackerone.com/hacktivity
For lightweight learning by watching after work, check out LiveOverflow: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w
I would also like to highlight the following other creators. For me seeing the process of others has been a lot more fruitful then just following text tutorials:
+ ippsec: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
+ John Hammond: https://www.youtube.com/user/RootOfTheNull
+ Gynvael EN: https://www.youtube.com/user/GynvaelEN
+ Derek Rook: https://www.youtube.com/channel/UCMACXuWd2w6_IEGog744UaA
+ ...
I recommend it to everyone who is even remotely interested in security as your videos provide really valuable knowledge which is very easy to digest in the same time.
Thank you and keep it up please!:)
One way to keep up on what's new, is to watch the talks posted by security conferences. Speakers generally submit their freshest work, and are often playing their own game of resume-enhancement by getting their name associated with hot topics. So pay attention to not just the topics, but also the vocabulary around them...
A lot of the newest-fanciest research won't necessarily be within your grasp as a neophyte, but some of it will, and some of it will inform your direction and focus as you work your way up.
And some of it will suggest entirely new avenues, disciplines, and modes of thinking.
https://www.offensive-security.com/information-security-trai...
The price isn't bad, either.
DDoS BootCamp: https://www.ddosbootcamp.com/
InfoSec Industry: https://www.infosecinstitute.com/topics/information-security...
Learning Tree (might have free access through your local library): https://www.learningtree.com/training-directory/cyber-securi...
and several courses available on Coursera: https://www.coursera.org/learn/it-security
I'd bet being solid in python/bash/powershell would come in handy, and that having no skills in any of them may be a dealbreaker.
One related suggestion: Do not become reliant on third party modules/add-ins (other than the standard library stuff) - at least when learning. Really learn how it works.
Offensive Computer Security (used to be a class at FSU): http://hackallthethings.com/ocs.php
https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/le... (2014 version)
Opensecuritytraining (various stuff on different topics): http://opensecuritytraining.info/Welcome.html
https://nostarch.com/pentesting
/r/netsec
netsecfocus.com - chat community, super active
Books
I've only done the foundation so far, but as a long time developer I've already learnt a few things
OWASP find your local chapter and go to meetings.
YouTube, and pentesterlab (even the free ones are better than most (even all) other paid resources).
Use vulnerable VM's and practice like Metasploitable and https://github.com/SecGen/SecGen
Get the OSCP
I also highly recommend being good at some programming. This is for source code review and quick scripts/exploit development.
I mean, sure, yeah, that's great, but that's not an easy task.
Find it at sec.edu.au/moocs
https://www.hacker101.com/
- Pick one programming language along the way and try scripting programs while learning. - you need not master every topic but knowledge of how and why everything works the way it works increases you expertise as security practitioner - since there are many public bug bounty programs these days, legally testing out stuffs to hone your knowledge has never been easy. plus you get paid.
https://cryptopals.com/
Security Engineering — The Book https://www.cl.cam.ac.uk/~rja14/book.html