I want to be a hacker [need help with certs]

I will start off by saying I have no working experience and very little with exploiting etc on my own system, so I am starting from the ground up.

So I want to be a ethical hacker, and I was looking into ceh from eccouncil but I have been reading that isn't the best route, also I don't just want a cert I want knowledge, and would love to go for the OSCP(?) Eventually.

So to the question. What would be a good alternative to ceh, not just for the cert but for getting a good baseline in pen testing/ethical hacking field.

If the ceh is a good choice I'll happily get that and plan on doing outside research as well as courseware.

Also as a FYI I am not totally lost when it comes to computers, I have kali set up on a VM as well as metasploitable and can navigate Linux decently. Just need help with a starting point. Thanks!

Find more posts tagged with

Comments

TacoRocket

No certification is going to make you a hacker. The ones that I would even come close won't make you a hacker. They are good for learning the concepts of penetration testing and types of vulnerabilities.

If you want to be a hacker you need to learn to program. Not Python either. Assembly, C++, and how machine architecture works.

Kali Linux is a start and better than nothing. Starts to penetration testing that people like are OSCP and eLearnSecurity.

Surrealalucard

Thanks for the quick reply, the reason I was looking for certs for hacking was so I could get a career as a pen tester.

So to get that career would I be better off not getting certs and just learning on my own/the two certs you specified?

Luckily I already know a bit of c++ syntax and am learning c from edx's cs50 program.

adrenaline19

Certs don't make you a hacker, the desire does.

Playing video games and watching Mr.Robot isn't going to cut it.

TacoRocket

Surrealalucard wrote: »

Thanks for the quick reply, the reason I was looking for certs for hacking was so I could get a career as a pen tester.

So to get that career would I be better off not getting certs and just learning on my own/the two certs you specified?

Luckily I already know a bit of c++ syntax and am learning c from edx's cs50 program.

I would look into the certifications for a baseline. Take the knowledge from them to formulate your own methodologies.

When you're getting into programming look for concepts like data structures and algorithms. I would say most pick me up programming courses are just for basic syntax. Yes it gets the job right, but as you deal with larger data sets and different scenarios your program isn't as flexible.

If you're new to computing I always recommend the basics. The CompTIA trifecta: A+, Network+, and Security+
At my current employer where I do information security (including penetration testing), I only had one security certificate and that was Security+

I find employers and people in that field are looking for technical knowledge. I was hired because of what I knew on Windows Servers and Linux Bash Scripting.

When it comes to Linux forget the GUI. CLI is your best bang for buck.

Final note, don't take my word alone. Let others chime in on the forums and make your own deductions. The best part is that you asked. Penetration Testing is an exciting field to be in. There are many ways to break it into the field.

Surrealalucard

TacoRocket wrote: »

I would look into the certifications for a baseline. Take the knowledge from them to formulate your own methodologies.

When you're getting into programming look for concepts like data structures and algorithms. I would say most pick me up programming courses are just for basic syntax. Yes it gets the job right, but as you deal with larger data sets and different scenarios your program isn't as flexible.

If you're new to computing I always recommend the basics. The CompTIA trifecta: A+, Network+, and Security+
At my current employer where I do information security (including penetration testing), I only had one security certificate and that was Security+

I find employers and people in that field are looking for technical knowledge. I was hired because of what I knew on Windows Servers and Linux Bash Scripting.

When it comes to Linux forget the GUI. CLI is your best bang for buck.

Final note, don't take my word alone. Let others chime in on the forums and make your own deductions. The best part is that you asked. Penetration Testing is an exciting field to be in. There are many ways to break it into the field.

I'm currently listening to the audio book for a+ and am finding it a little I formative but most of it I know because I have been on a computer sense I was 9 and I'm 26 now.
As for the GUI in Linux I do find it rather annoying, and prefer the terminal to most of the GUI.
I was looking at the offensive security training for kalito prep for oscp and was wondering if that would be a decent starting point.

Mike7

You did not mention where you are based or your background, so some of the info may not apply to you.

All the certs provide knowledge.
CEH is considered entry level and is a requirement for US DOD 8570. EC Council have higher level certs.
GIAC certs such as GPEN, GWAPT are quite well known. However, the SANS courses can be expensive.
eLearnSecurity has online courses that are targetted more at beginner to intermediate level penetration testers. The training material is good and exam is practical based. As they are fairly new, their certs are not as well recognized.
OSCP is considered advanced level.
If you are in UK, there is CREST

Some pen testers have a good mix of the above certs while others may not have any certs but are highly respected in the community due to their contributions. You can also look at penetration testers job listings in your area to get a feel of what the companies are looking for.

Surrealalucard

Mike7 wrote: »

You did not mention where you are based or your background, so some of the info may not apply to you.

All the certs provide knowledge.
CEH is considered entry level and is a requirement for US DOD 8750. EC Council have higher level certs.
GIAC certs such as GPEN, GWAPT are quite well known. However, the SANS courses can be expensive.
eLearnSecurity has online courses that are targetted more at beginner to intermediate level penetration testers. The training material is good and exam is practical based. As they are fairly new, their certs are not as well recognized.
OSCP is considered advanced level.
If you are in UK, there is CREST

Some pen testers have a good mix of the above certs while others may not have any certs but are highly respected in the community due to their contributions. You can also look at penetration testers job listings in your area to get a feel of what the companies are looking for.

Background: no experience in the field, just knowledge on computers and a little c/c++ knowledge.

I'm currently deciding between pwk with offensive security, elearn, and ceh. Mostly leaning toward the first two because currently do not need DoD or anything.

snowchick7669

Being a pen tester is like being a surgeon in the medical world. You need those years of training as a doctor etc and then you specialise and it can take quite a while. I know these days this is somewhat changing and people are taking on 'junior penetration testers', but the job descriptions over here in the UK still ask for 3-5 years working in info sec. Have a read of the blog post below. I found it quite interesting and gives you a general idea of what you need to be aiming for knowledge wise. I know the big certificate in the UK is the Crest one, but I'm not sure how successful you'd be in getting a job if you had that and no experience. Have a look on the forum here because there are a lot of posts about what paths to take and recommended certificates.

https://danielmiessler.com/blog/build-successful-infosec-career/

Mike7

Thanks for the link. It was informative.

I am curious about CREST as some of the exams include MCQ, labs and even essay writing. To me, anything that has a practical exam component is probably more difficult than a pure MCQ exam. As I understand, CREST is also accepting OSCP as a credit for some of their certification.

dustervoice

Certifications tells you what "hackers" do. Like others have mentioned, its more about desire. A thief becomes better at his/her craft by feeding the desire by continuous stealing not by reading a book or certs. Certifications are for HR bots.

JoJoCal19

There IS a difference between a hacker and a pentester. TacoRocket is absolutely correct in that to meet the classical definition of a hacker, you need to know how to program, and preferably C/C++ and assembly language.

We assume you want to move into pentesting. I would recommend getting one of the books for the CEH and starting there. It will give you a nice overview of the basic steps, and an intro to some of the tools. Feel free to skip the actual cert if you want to, but having the cert will hit some HR filters and at least give you an "in". From there, I would pursue GPEN or eCPPT, and then move into the OSCP, and OSCE realm. And of course along the way setting up your own lab and practicing is mandatory. For me personally I'd go CEH>GPEN/eCPPT>OSCP>OSCE. Also make sure you get well versed with C/C++, ASM, and Python.

Cyberscum

Download KALI and have fun. So many recourses it will numb your mind.

DistroWatch.com: Kali Linux

https://www.offensive-security.com/metasploit-unleashed/

http://www.amazon.com/Metasploit-The-Penetration-Testers-Guide/dp/159327288X/ref=pd_sim_14_6?ie=UTF8&dpID=51P3X7neRbL&dpSrc=sims&preST=_AC_UL160_SR121%2C160_&refRID=11G0QV9VE8SRRYD4CNS7

http://www.amazon.com/Basic-Security-Testing-Kali-Linux/dp/1494861275

NetworkNewb

Definitely some good advice above... but don't forget to rent the movies "Hackers" and "Swordfish". Great references!

adrenaline19

I've seen the Matrix like 20 times, and I own the special edition box set of Mr. Robot. I'm a hacker all the way!

I really hate the word "hacker" now days.

E Double U

adrenaline19 wrote: »

Playing video games and watching Mr.Robot isn't going to cut it.

Now you tell me!!!

Mike7

NetworkNewb wrote: »

Definitely some good advice above... but don't forget to rent the movies "Hackers" and "Swordfish". Great references!

I want to be a wizard. I will watch all the Harry Potter movies at least 20 times.

fuz1on

Being a hacker is a mindset and something you're probably born with...

danny069

Hackers are everywhere, beware.

hacker.jpg

Surrealalucard

Update:
So I read through comptia a+ and net+ books and watched YouTube videos and after feeling comfortable with protocols and basics of networking went for the eJPT. Currently working through the pentest modules and have to say that they do a good job for introducing you to the world of pentesting.
Granted it seems like most of the material is probably fixed on most systems today, the basics of learning scripting/programming and how networks transfer data are really easy to comprehend, and they offer a lot of extra reading outside of just learning what they have.
The labs are interesting and they don't hold your hand too much, although they do have the manual that will tell you how to do everything step by step. I highly recommend not looking at the solution until you have completed the lab yourself, even if it takes you a long time to figure it out. The knowledge you gain from reading through things not so relevant now is just as important in my opinion.
I'll keep updating as I continue to work through and up until I finish.

So I took one of the practice exams for A+ on this site, and got a 50% on 10 questions....I think im going to read some A+ sec+ and net+ books and get a good baseline. It wasn't that I didn't know the material, just don't know all the acronyms and names for windows programs specifically to pass the test. My networking is a bit rusty so might as well study Net+ while im in the studying mood.

fuz1on wrote: »

Being a hacker is a mindset and something you're probably born with...

I don't believe its something you have to be born with, although I think you are correct. It is a mindset.

snowchick7669 wrote: »

Being a pen tester is like being a surgeon in the medical world. You need those years of training as a doctor etc and then you specialise and it can take quite a while. I know these days this is somewhat changing and people are taking on 'junior penetration testers', but the job descriptions over here in the UK still ask for 3-5 years working in info sec. Have a read of the blog post below. I found it quite interesting and gives you a general idea of what you need to be aiming for knowledge wise. I know the big certificate in the UK is the Crest one, but I'm not sure how successful you'd be in getting a job if you had that and no experience. Have a look on the forum here because there are a lot of posts about what paths to take and recommended certificates.

https://danielmiessler.com/blog/build-successful-infosec-career/

Thank you very much for the link.

Cyberscum wrote: »

Download KALI and have fun. So many recourses it will numb your mind.

DistroWatch.com: Kali Linux

https://www.offensive-security.com/metasploit-unleashed/

http://www.amazon.com/Metasploit-The-Penetration-Testers-Guide/dp/159327288X/ref=pd_sim_14_6?ie=UTF8&dpID=51P3X7neRbL&dpSrc=sims&preST=_AC_UL160_SR121%2C160_&refRID=11G0QV9VE8SRRYD4CNS7

http://www.amazon.com/Basic-Security-Testing-Kali-Linux/dp/1494861275

and you as well.