Table of contents
Recently, I was able to advise a few people on how they can start to learn cybersecurity through offensive security and pentesting. I realized that instead of repeating myself, I can write that down in an article, so it can be shared with anyone interested in expanding their itsec skills. I'll keep this article updated.
⚠ 1. Understand what it means to hack ethically.
This is crucial to understand that without a purpose, tools are neutral. They are neither bad nor good - with a kitchen knife one can slice an onion, or wound somebody. The same rule applies to every pentesting tool that you are going to use. You must have that in mind, that only you are responsible for the consequences of your actions.
Read the disclaimer here: Disclaimer
Fortunately, any of the courses I spotlight here starts with ethical hacking concept explanation.
To be clear if your purpose is to conduct mallicious activity - stay away from this site. I will never consciously help in performing such activities.
🔧 2. Hand-on experience, AKA keep your hands dirty.
✔ For a starter, take the free courses on TryHackMe and HackTheBox Academy - both are the first places I would learn from. THM have Complete Beginner Path and HTB Academy starts with Introduction Module. I haven't completed all available modules yet, but I feel like I know so much more and have that knowledge structuralized.
👉 My TryHackMe referral link ($5 discount with this link🤘 )
On July 2021 TryHackMe released a Pre Security Learning Path. It's a good way to start, but remember that on THM you almost always need a subscription to complete whole modules - for free are the first couple of rooms from a module.
💡 3. When hands are tired - watch meaty online courses.
✔ As for video lessons, I would recommend joining Dev Essential program from Microsoft. You should have found there time-limited access to the Pluralsight - if so, take the [Ethical Hacking CEH Preparation](app.pluralsight.com/paths/certificate/ethic.. path).
✔ Sometimes you can also acquire the 3 months of LinkedIn Learning access - for example, I found mine voucher on the Visual Studio Subscription associated with my company account. From this site I recommend both Learning Kali Linux and Become an Ethical Hacker.
All these materials are the top-notch theoretical ones in my opinion.
If you can spend a few bucks (or wait for the occasional discounts) this is a well put course on OWASP Top10 made by The XSS Rat.
🌋 4. Use vulnerables to practice live example scenarios.
Vulnerables are purposely crafted vulnerable applications or even whole operating systems like Metasploitable that you can use in your isolated internal network or play with them on a Docker.
👉 Look at my Damn Vulnerable Web Application on Docker Container article for example of set up.
🎩 5. See how the pros do it.
Are you a sports fan? Do you like watching online tournaments? Even if not, trust me in this one. I can't count how many times I have eagle-eyed something that get me that one level higher in my proficiency. Things like stabilizing shell, multitasking terminals or just overall approach in documenting my findings.
👉 Amazing David Bombal and Neal Bridges YouTube playlist - talks about starting ethical hacking, red/blue teaming, certificates and pentester software.
🔊 6. Subscribe and watch others that are on the similar level.
Have a look at these:
And, because the best way to learn is to get engaged with others - I recommend you to join the Hashnode yourself and share with others as you learn.
🎯 7. Think bigger. Set your goals and stand your ground.
Remember that to learn and improve you must stay out of your comfort zone. Keep challenging yourself, but also take care of yourself. Find other activities that relax you, that help you relieve the stress. For me, it is playing simulation/creation games like Farming Simulators or Minecraft. It is going to kitchen and prepare some food. I have my lovely Celestron Skymaster 15x70 and I tend to look at the stars, the Moon.
As for setting the goals, a recently OSCP certified Prateek Srivastava published two articles about his path and first-hand experience with Offensive Security labs and more. Read those, save them for later because it will come useful.
🚸 8. Join forces.
Look for healthy communities that will help you with your struggles. Did you get blocked on the hacking box? Couldn't get the reverse shell, although you are doing everything correctly? We all are facing these problems and sometimes just a little nudge or sanity check from the other person is what makes you understand your mistake - or simply realize you are doing everything alright, just have to restart that server.
🍦 9. Bonus: other aggregates.
Great Hakluke's huge list of resources for beginner hackers containing some resources already mentioned by me and much more!
MyCyberResources created and maintained by Robert Furr. It's a collection of sources not only about hacking but scoping the content across the whole Information Security domain. All materials are thoroughly reviewed before being added, giving you more details and context on particular resources.
And what do you think about it? Would you add something to the list? Please share your experience in the comments 👇!
- Added Discord Servers links
- Hakluke's huge list of resources for beginner hackers added.
Added THM Pre Security Learning Path
Added The OWASP top 10 demystified by The XSS Rat
- Added David Bombal and Neal Bridges discussions