Tips for a noob in the field of ethical hacking

By Illidan1371

So as the subject title suggests, I am a beginner when it comes to cyber security, hacking and pentesting. My goal is to learn ethical hacking. I understand that the term "hacking" cannot be defined properly as it includes many subjects. I don't necessarily want to earn money through this as I already have a job which pays well, so I don't care about what companies want. I want to one day be able to hack into remote machines and find my own vulnerabilities. Now, before you tell me that it is illegal: I know. I'm not trying to do anything illegal, I just want to have the knowledge, out of curiosity.

Having said all that, I have gone through two Udemy courses on this subject. They gave me valuable knowledge about tools like Kali Linux, cracking passwords using dictionaries, Nmap, Nessus port scanning etc. But they teach how to use them, never how they work and why they work. All of them involved hacking into intentionally vulnerable systems like Metasploit and old versions of Windows 7 and 10 with known vulnerabilities.

They never satisfied me. I know that if a vulnerability is taught online it means it's known and patched, and in order to actually hack I need to find my own vulnerabilities.

I have watched many YouTube videos; they all say that programming is a bonus but not necessary for ethical hackers? How though? How can you find holes in code if you don't know how to understand it? I know C (I guess intermediate level; I know structs, pointers and how to access peripheral and CPU registers).

So I decided that I want to build a super simple OS for a microcontroller unit just to see how an OS works behind the scenes, so that hopefully I can break other OSes in the future. Do you guys think it is a good idea?
I am also studying the CCNA official cert guide to learn networking. I already know the basics, and everyone says that hackers only need to know the basics of networking? But again, why?

Do you guys think I need to learn CCNA networking before moving to Pentest+? I just don't understand how I'm supposed to break a network if I don't understand how exactly they work.

As you can see, I'm so confused and need help to come up with a road map. I'm learning so many things in parallel and am confused.
Thanks in advance

All Answers

This is more than one thing. (or question.)

by rproffitt Moderator In reply to Tips for a noob in the fi ...

There are a few things going on here.

1. Your quest for knowledge.
2. Your quest to be certified for said skills and knowledge.
3. Employers that want said things.
4. The SALE of said training.

That's a lot to break down, so it's all up to you to determine if you are doing this for your own edification, you are seeking a job, and the final thing (item 4) where you are being inundated with the sale of training.

Just like other educational systems in the news, there are high-pressure sales going on here, so you will get confusing advice from almost everywhere.

Turn down the input from the sellers of training courses.

If you are seeking work in this field, look at what they are asking for.
If you are doing this for your own education, you do what you want.

Regarding certificates

by Illidan1371 In reply to This is more than one thi ...

Thanks for your answer. When I say I'm learning through the CCNA cert guide, I'm not doing so to get the cert, although maybe I will do so one day; rather, I want to know networking itself.

You are right, I guess I must stop listening to these YouTubers so much.

A quick look at networking.

by rproffitt Moderator In reply to Regarding certificates

My work in networking has been almost exclusively in fixing down networks, followed by protocol work (that is, new design and re-design).

In the design phase we do give some thought to penetration and I won't tell all here. For example, you mention password cracking. In the systems I've worked on that fails, since we usually implement an hour to many-day lockout if the password is wrong a few times in a row. This neatly plugs the hole where the user tries their list of passwords over and over.

Also, since the attacker does not have the system's ONE WAY ENCRYPTED password, those password crackers are ineffective.

I'm going to be short: black box penetration is usually too hard for it to be profitable. What you hear about most of the time is where it's been a white box situation, or companies that leave the default passwords in place such as "solarwinds123", which was in the news.

Read https://www.explainxkcd.com/wiki/index.php/538:_Security about how it usually happens if you need access to something.
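The two defences mentioned in the post above (lockout after a few wrong passwords in a row, and storing only a one-way transformed password) sketched as an added example; it is not part of the original thread or any poster's system. The `LoginGuard` name, the three-failure threshold, the lockout steps and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3                          # assumed: "a few times in a row"
LOCKOUT_STEPS = [3600, 86400, 3 * 86400]  # assumed: 1 hour, 1 day, 3 days

def hash_password(password, salt=None):
    """One-way, salted, deliberately slow derivation; only this is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

class LoginGuard:
    def __init__(self):
        self.users = {}   # name -> (salt, digest), never the password itself
        self.state = {}   # name -> [failures_in_a_row, lockouts_so_far, locked_until]

    def add_user(self, name, password):
        self.users[name] = hash_password(password)
        self.state[name] = [0, 0, 0.0]

    def login(self, name, password, now):
        """Return 'ok', 'denied' or 'locked'. `now` is seconds, passed in for testability."""
        if name not in self.users:
            return "denied"
        st = self.state[name]
        if now < st[2]:
            return "locked"               # no password check at all while locked
        salt, stored = self.users[name]
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):   # constant-time comparison
            st[0] = 0
            return "ok"
        st[0] += 1
        if st[0] >= MAX_FAILURES:
            # Each new lockout is longer than the last, capped at the final step.
            step = LOCKOUT_STEPS[min(st[1], len(LOCKOUT_STEPS) - 1)]
            st[0], st[1], st[2] = 0, st[1] + 1, now + step
        return "denied"

if __name__ == "__main__":
    guard = LoginGuard()
    guard.add_user("alice", "correct horse")          # constructed sample account
    for guess in ["123456", "password", "letmein"]:   # constructed wrong guesses
        print(guess, guard.login("alice", guess, now=0))
    print("right password during lockout:", guard.login("alice", "correct horse", now=60))
```

With three guesses per lockout and lockouts that grow to days, working through a dictionary online stops being practical, and the right password is also rejected until the lockout expires.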

One more thing.

by rproffitt Moderator In reply to Tips for a noob in the fi ...

If you don't code, your stature as a pen-tester is diminished since you won't know what you are looking at.

But then again, I always thought the old shirt "Coredata Systems" and a clipboard plus a little company knowledge always worked to get you past the front security (if they have any) to the company's server area at odd times.

Penetration testing is not always about remote access or code.
