-4

I saw the post "How to learn penetration testing at home?" and I decided to ask about myself. I want to get into cyber security. The post I sent is about web security, which I'm not interested in. I have covered these topics: basic programming in C; intermediate Python (I can write a few helpful tools, for example a brute-force script); I can read assembly code and write basic programs, and I'm familiar with most structures in assembly language, I mean the stack, heap and global variables. I know how to use Wireshark and the different kinds of flags (SYN, ACK, etc.), but I'm not very good at analyzing them; for example, if the FTP connection isn't on port 23 it will be hard for me to understand that this connection is FTP. I can also understand most of the banners.

I have more experience with Linux than Windows, but I can administer a simple server on Windows. I have also exploited more Windows than Linux; actually, the only Linux machine I have exploited is Metasploitable. I have exploited Windows XP and 7 with different exploits. I can use Nessus and OpenVAS; I can't get Nexpose. I'm familiar with the Metasploit Framework and can use most of the modules.

I'm also familiar with cryptography: I can recognize a few hash algorithms, and I'm familiar with the most used techniques to exchange keys, for example the Diffie–Hellman methodology, the public key infrastructure, etc. I'm also familiar with the DOD and OSI models, but not very deeply; I understand how they work. I also learned electronics in school, so I'm familiar with analog circuits, I can solder and use a multimeter, and I'm familiar with most of the elements (I mean transistors, diodes, etc.) and I know what they are used for and how they are used. From C and ASM I'm familiar with stack and heap overflows, and I know a little about integer overflow and format string exploitation. So tell me how to continue. I'm really unfamiliar with web exploitation; I can use a few automated tools, but I can't find XSS on my own (I have tried a few times: one success and a lot of fails =D).

Also, I have never practiced in a real environment, I mean I haven't pen tested a real company. I'm kind of afraid that I may do something wrong and the company loses money which I would have to recover. So please give me a hint about what to learn. I can't pay for an expensive course, and I don't think that CEH will give me skills; I mean, they don't have any prerequisites for their students, and it is kind of stupid to teach overflows to people who write Python and have never touched C.

user43463

2 Answers

2

If you have the motivation and perseverance, you don't need any expensive course at all. The only thing courses will give you which you cannot gain any other way is certificates. Now, if you're wanting to get into a corporate business of some kind, these will be vital to you securing a role most of the time. My perception is that experience and understanding are much more valuable than a piece of paper, but the problem is how you show that.

I can help you out with a few resources that have helped me a lot learning about infosec:

VulnHub is not only an extensive resource for links to great sites, but it also hosts a wide variety of virtual machines you can let loose on to gain/improve your skills.

Pentesterlab is similar to VulnHub but offers more in-depth information and VMs. This site also has a nice tab called bootcamp, which can be useful as a guide to what to learn each week.

SecurityTube is one of the most extensive infosec video sites out there. The owner of this site is a great mentor and offers great tutorials from basic to advanced. There is a LOT out there on the internet and you can use Google to your advantage. Hope this helps you a little.

Sighbah
1

You (and others are invited too) could try and start web hacking here @ fump.8ack.org, which is a service that has some intentionally vulnerable apps available:

  • Damn Vulnerable WebApp
  • Exploit-KB
  • Mutillidae
  • SQLOL
  • WackoPicko