Getting Started With Hacking
If you have stumbled across this GitBook and are at the start of your hacking journey, this may be useful for you.
There is a very prevalent myth within the industry that you need a computer science degree or you need to have some crazy 0-days or you need to have prior experience as a system admin, dev, techie etc.
You need none of those things!!! I know this because I have none of those things and yet am a professional pentester.
The most important thing is dedication and passion. I have a master's in Forensic Chemistry. My university degree had nothing to do with my job now, but I built these skills in my own time. It takes time, and it can be daunting starting out with so much information and no direction. I had no mentors or guides or friends that taught me; I just used YouTube and Google and had many, many frustrating nights / weekends.
If you have literally done nothing with security before and would like to get into it, these are my suggestions:
- Read a guide on installing a Kali VM and follow it. This may require following a guide first on setting up VMware or VirtualBox to launch the VM.
- Get to grips with using a Linux terminal. I did this by playing the wargame Bandit (https://overthewire.org/wargames/bandit/). Watch a YouTube series or read walkthroughs on this to get started and just follow along. There is no shame in just reading a walkthrough and doing it yourself at the same time.
- Other wargames on the site can be used too if they interest you. Some get hard very fast, so I think it is better to come back to these when you have other core skills.
- Find some vulnerable VMs to download and hack. https://www.vulnhub.com/ has several and a lot of them are beginner level. Find a beginner one that has several walkthroughs available, download it, read the walkthrough and follow the steps. If you get stuck, read other walkthroughs and see if one of them helps you. Once you 'complete' the VM, read other walkthroughs and use their methods as well. There is always more than one way of doing things in hacking and it's important to get a range of skills.
- Keep notes of useful things you learn like commands and what they do so you can refer to them later.
- Get a VIP membership on https://www.hackthebox.eu/ (read a guide on signing up first as the registration itself is a little hacking challenge). The VIP membership gives you access to retired boxes. You won't find walkthroughs for the active boxes, so leave them for now. Do the retired boxes, working from easiest to hardest, and use walkthroughs. Do it alongside them and keep learning. The YouTube channel IppSec is amazing for walking through all the challenges; do it alongside him and keep notes!
- Learn about hacking web apps. This is a crucial skill to learn to get a job as a pentester as a lot of it is web based, especially for juniors. Use https://www.hackthissite.org/ in a similar way to before, using a walkthrough. Also https://www.enigmagroup.org/. This will cover the very basics of various attacks.
- OWASP are an industry leader in application security and they develop several projects to help people learn web app hacking. The best of these (in my opinion) is https://www2.owasp.org/www-project-juice-shop/. I got absolutely sick of using dull applications with only one input field for testing web app hacking. Juice Shop also has an extremely useful guide, https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/, to help out. Follow along and work your way up. It's very, very useful for real life!!!
- Watch conference talks. Things like DEF CON, Black Hat, BSides, SteelCon etc. The talks are usually uploaded. Find some you're interested in and watch. Even if you don't understand it all yet, it will help conjure an interest and at some point will make sense.
- Use books like "Hacking: The Art of Exploitation", "The Hacker Playbook" (1, 2 and 3. Don't just get 3, they all cover different things) and "The Web App Hacker's Handbook".
- A less sexy point to finish on, but equally crucial. Learn the fundamentals. Learning to hack is all good and will help a lot, but you also need to understand what you are hacking and why it works. Use books like "Network Security Assessment 3rd Edition" and courses such as "CompTIA Network+" on https://www.cybrary.it/course/comptia-network-plus/. Cybrary has other free courses to watch as well, which help build the fundamental understanding.
With the points above, you will have gained a very wide and useful skillset for getting into pentesting. One recommendation I have is to contact the people recruiting for pentesting positions early. I sent out several emails essentially saying "I don't have the skills yet, but I would like to in a couple of years so when I leave uni I can get this job. What do you recommend learning?" I got several helpful responses giving me great ideas and great resources.