
what direction to go...

YuckTheFankees Member Posts: 1,281
Within the past 2 weeks I have subscribed to safari books (unlimited) and The Hacker Academy. Safari books gives me an unlimited amount of resources to learn and THA is showing me some basic pentesting tools, ideas, and concepts. I've started messing with nmap, nessus, metasploit, and really learning how to use everything through command lines.

When I'm using metasploit, I usually watch a video and read about a section of it, then try it. But I feel like I'm just typing exploits and payloads in the command line, but not really understanding what it's actually doing. So I want to learn ASM, but you need to know C to do that (from what I hear). Also THA has a module about web app security, but I didn't get too far because I don't know HTML, CSS, Javascript, PHP, MySQL... so much to learn. Where should I start?

Things I need to learn..
C, python, perl, ruby ( from what I hear you should know at least one of the 4 pretty well)
HTML
Javascript
CSS
PHP (from what I read it seems to be HTML -> javascript -> PHP?)
MySQL (How much should I know about SQL? It's one of my weak areas)
Linux command line (I try to study and practice everyday with the command line)
ASM

I have a pretty solid background in networking and TCP/IP, but I don't know where to start from the list I just mentioned.

I need guidance or ideas... thanks everybody

Comments

    nicklauscombs Member Posts: 885
    Things I need to learn..
    C, python, perl, ruby ( from what I hear you should know at least one of the 4 pretty well)
    HTML
    Javascript
    CSS
    PHP (from what I read it seems to be HTML -> javascript -> PHP?)
    MySQL (How much should I know about SQL? It's one of my weak areas)
    Linux command line (I try to study and practice everyday with the command line)
    ASM

    The topics you have listed can fill books upon books and will overwhelm you if you try to tackle all of them at once. Since you said you have a good networking/TCP/IP background, I would focus your efforts on really learning a programming language (Python would be my suggestion) and getting comfortable with Linux administration.
    WIP: IPS exam
    the_Grinch Member Posts: 4,165
    I will start this by saying I do not work in a security-based position (I do some security work from time to time, but it is not part of my daily duties). If I was in your position, I would look to see what exactly I wanted to pen test. Given your current certifications, I'd assume that you are looking at the networking side of the house. So here is what I would do in your position:

    1. Find what you want to focus on. I've come to this realization finally: it is very hard to pen test a device if you don't know the process of how it works.

    2. Get very familiar with the tools used for pen testing. I realize that you are currently doing this, but we want to focus on the exact operations of these tools (switches, etc.); the how/why of it working will come from point 1 and further research.

    3. Learn Linux (very well). I see that you want to learn Python, Ruby, PHP. Stick to the basics and get the solid Linux skills. Those languages are weapons in your arsenal to be used with solid Linux skills.

    Obviously, someone like JD is going to be the person to hear from on things like this (and other board members), but I will throw my opinion in the mix. I think you might be spreading yourself too thin. No pen testing team is going to expect you to know everything. They will expect you to be strong with something, good with a lot of things, and even possibly weak on some things. That is why it is a team, so that you can have the best possible person in each spot with a specific skill set.

    Best example I can give you is the Army Green Berets. Green Berets are a team of 12 men made up of the following:

    CO, XO
    2 Weapons SGTs
    2 Communications SGTs
    2 Engineering SGTs
    2 Medical SGTs
    Operations SGT
    Asst. Operations/Intelligence SGT

    The theory behind this is twofold:

    1. If you lose one guy, you have his replacement
    2. You can break into two teams, and all your bases are covered

    Now, for even more redundancy, each of the SGTs will cross-train into a field other than their main field. Are they expected to know everything they cross-trained into? No, but if the crap hits the fan and you lose both Comm SGTs, or the team splits and you lose the Comm SGT on your team, you want someone to have the basic knowledge needed to get the job done.

    This is the same in a pen testing team. They want you to know what is needed for each position on the team, but excel at your specialization. If you're the networking guy, they want you to break through that firewall so that the Server guy can do his thing. If you can do what the server guy does with a quick tool scan, awesome, but if it needs something further that is what he's there for. This is why these positions want so much experience. Is it necessarily pen testing experience? Sometimes, but I think you'll find that they want experience with the product they plan to break into. I think once you get that solid experience in whatever you want to secure, it will make understanding how to break into it very easy.

    So in this very long winded post I am basically saying: build that foundation. Learn the l33t h@xzor(sp?) skills along with those basic skills for operating and securing your product. I can offer one last example of something I had to do at work. They know I like security so when a customer failed PCI Compliance they gave it to me. Had I done a PCI Compliance audit before? Nope, so I read everything I needed to in that respect (how to figure out what forms were needed based on how credit cards were accepted, then reading through each survey question, etc).

    The first thing I was told to do was confirm the findings of this company. One person here at my company knew how to use SAINT (which we own) to check PCI compliance. We sat for two hours and ran through all the options needed to successfully run the test. Ran the test and they failed our scan for the same reasons the other company found. The person who showed me how to use SAINT is the network guy; he has limited server knowledge. For the server that failed, I had our server engineers and my knowledge. Now, here is the part that you don't see in movies: what does this report mean and how do I fix it? Nice, you figured out you might be able to get in (obviously, this was just a compliance scan so no actual pen testing took place). We're their IT company, so there was no "yup, xxx findings were correct, you'll have to have it fixed"; we had to fix it. Thankfully, I am a semi-Windows Server pro; I work with it every day. I knew enough to know or find what changes I needed to make to get them compliant. Next scan they passed and have been compliant since, minus the firewall doing its job and blocking the scan (how you fail for the firewall blocking the scan, I will never know).

    So get the foundation, keep learning the security tools, and you'll start learning the ins/outs of the exploits you're running. Takes time, good luck!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
    onesaint Member Posts: 801
    Things I need to learn..
    C, python, perl, ruby ( from what I hear you should know at least one of the 4 pretty well)
    HTML
    Javascript
    CSS
    PHP (from what I read it seems to be HTML -> javascript -> PHP?)
    MySQL (How much should I know about SQL? It's one of my weak areas)
    Linux command line (I try to study and practice everyday with the command line)
    ASM

    To know that list well, I think you'll have your hands full for the next 10+ years. Maybe select one or two aspects (say, web technologies, DBA, or Linux) and learn it till you can rattle off details in your sleep (like needs to be done for Cisco). What is your eventual goal, pen testing?

    You've got networking. Have you tried playing with ARP vulnerabilities, spoofing, MITM, and the like? I might focus on getting a strong foundation and understanding the exploits of the area you understand before moving on to the others. As you understand networking, try exploiting network technologies. Start constructing your own IP packets, building and monitoring IDS, monitoring SNMP & syslogs, etc. Get good at network admin and security and then figure out how to circumvent the security.

    If you feel like you need to move in another direction now, maybe pick up Linux, shell scripting, & Python (or Perl). You'll find those handy and they tie in well with the rest. Then move to building LAMPs and picking up web technologies (HTML, Apache, IIS, CSS, JS, etc.) or DBA (oh, and do you want Windows, Linux or both?). Bear in mind that knowing these technologies well and then knowing how to break them can take a good deal of time.
    Work in progress: picking up Postgres, Elasticsearch, Redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
    demonfurbie Member Posts: 1,819
    If you're interested in pen testing, I'd say download BackTrack 5 with GNOME and make it your primary OS so you have to learn Linux, and all the tools are built into it.
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
    YuckTheFankees Member Posts: 1,281
    demonfurbie: I have Backtrack 5 R1 on my 2nd laptop and I use it about 4-5 times a week while I'm trying to learn Linux and the tools.

    onesaint: From what I've read and from what people are telling me, I should pick an area and be an expert in that area... I think I'm going to pick wireless networking as my expertise. I really think that wireless will take off in the next 5 years and I want to have the knowledge before the boom happens. But I really want to try OSCP... but you need to have so much knowledge for that... that's why I want to learn all the things I mentioned.

    Everyone says you don't start in security/pentesting, so my plan is to get into networking (hopefully a wireless role, even though I know there aren't many of them). Once I gain experience, I'll start moving towards my pentesting/security role. I would really like to work for the government but we'll see how that goes.

    The certs I'm thinking about getting now are: CWNA, CWSP, CWAP, CWDP, CCNA: wireless and maybe CCNP/ CCIE wireless.
    onesaint Member Posts: 801
    demonfurbie: I have Backtrack 5 R1 on my 2nd laptop and I use it about 4-5 times a week while I'm trying to learn Linux and the tools.

    onesaint: From what I've read and from what people are telling me, I should pick an area and be an expert in that area... I think I'm going to pick wireless networking as my expertise. I really think that wireless will take off in the next 5 years and I want to have the knowledge before the boom happens. But I really want to try OSCP... but you need to have so much knowledge for that... that's why I want to learn all the things I mentioned.

    Everyone says you don't start in security/pentesting, so my plan is to get into networking (hopefully a wireless role, even though I know there aren't many of them). Once I gain experience, I'll start moving towards my pentesting/security role. I would really like to work for the government but we'll see how that goes.

    The certs I'm thinking about getting now are: CWNA, CWSP, CWAP, CWDP, CCNA: wireless and maybe CCNP/ CCIE wireless.

    I think going down that CCNP path might be good; then you can grab your CCNP:W as well as the CSSP. Maybe try to get in with a WiMAX provider or an Ent. with wireless all over the place. I've been in some hospitals that have wireless everywhere.

    With security, I think learning the foundation and then how to break it is the best way. Also, Infosec is still finding its place in the corp. world. Or at least this is what I've been reading recently. With that said, I think the next 20+ years will be wrought with cyber-leaks, hacks, wars, and the like. With networking you have hardware you can fall back on if security goes to the Devs.

    As for picking an area, that's the right idea. Eventually, you need to refine your skills (while retaining knowledge of the big picture) in order to not get stuck in a dead end role.

    ETA: Linux is an ocean. I took my current position to learn under a guy who is a Sr. Unix dev and codes in Lisp for pleasure. It's been a great experience. First thing to do is learn Emacs or VI (vim) and pick a distro like Slackware to learn.
    YuckTheFankees Member Posts: 1,281
    Like you said, if I can't get a security role or if it isn't for me, I can always fall back on my networking knowledge. I'm going to research some wi-fi companies and start seeing what kind of positions are out there and their requirements. Thanks for the advice.
    the_Grinch Member Posts: 4,165
    If you don't already have a degree, I'd look at Electrical Engineering. Might be a little deep, but you will definitely get an understanding of wireless that way. The local college here combines electrical and computer engineering, which you can then concentrate in Telecommunications or Wireless. If you're aiming for a government job, you'll find way more if you have a bachelor's. Good luck!
    YuckTheFankees Member Posts: 1,281
    Thanks for the information Grinch, I'm about 6 months away from my B.S. in Network Admin from WGU. After my bachelors I was thinking about the Info Assurance masters from WGU but now I'm questioning if I should do that or find a different subject for my masters.
    the_Grinch Member Posts: 4,165
    Ah, ok. I don't see a reason not to do the Master's in Information Assurance. Most people do a general IT degree for their undergrad work and then move into information security at the graduate level. I'd just make sure they were on the NSA's CAE list prior to putting any money into it. I believe they are working on getting CAE certified, but haven't as of yet.
    YuckTheFankees Member Posts: 1,281
    That's the biggest reason I'm second-guessing it. It seems like for the past two years it's been the same answer from WGU: "we're still waiting, maybe next time". Can't beat the price of WGU. I looked at the University of Denver's program... pssh, I could buy a pretty BMW for what they are charging plus WGU's master's.
    the_Grinch Member Posts: 4,165
    Yeah, their prices are pretty good. I'd wonder how it works if you already hold the certifications they expect you to get when you complete it. I know they waive it for the BS, but would they waive those courses for the Master's? I don't, for some reason, for Master's work I lean toward a brick-and-mortar school, especially since I hope to teach at some point.