would this be a good way to start web hacking?
#11
(03-27-2020, 08:58 PM)MuddyBucket Wrote:
(03-27-2020, 06:14 PM)QMark Wrote: Would building networks help? What is a good way of learning computer networking fundamentals? I get that it doesn't help just to earn a bunch of certs is why I ask.

Learning by doing is a my go to way. Back in the day when I first started it was by getting 3-4 old shitty computers, and some simple routers/switches/hubs. But this was ~20 years ago. About 8 years ago when I wanted to update my skills and knowledge, I built a solid PC with 64gb ram, lots of diskspace, and ran virtual operating systems and virtual networks.

These days, and in the fact the future - software defined networking a thing. As is cloud-based stuff. I actually need to update my skillset again - and this time it will be Google and AWS that I focus on. Their networking capabilities and systems are soooo extensive. I have a basic understanding of some things through my day to day work - but I have barely scratched the surface. 

If you're just learning the basics of networking and routing and you want to physically see the design and handle stuff, the first route is still fine today. It's just potentially costly/resource intensive. If you are alright operating on virtual routing and what not, option 2 is also fine. It's probably what i'd recommend. Doesn't need to be a beast of a computer. though at least 8GB of ram, and preferably at least 16. The more you have the more you can run at a time. Stick to shit like CLI only Linux to reduce the resource requirements for each VM.

Will working with packet tracer help? I mean like configuring networls? What about working in the networking lan at my school (that also told me just to learn by playing around)?
Reply
#12
(03-27-2020, 09:12 AM)MuddyBucket Wrote:
(03-27-2020, 06:13 AM)QMark Wrote: So why did Insider recommend the easy way? Why do people at my school on the cybersecurity team say "some networking and some linux basics and you can start." On the other hand, people that are a part of the alt.2600 hacking community say I need far more programming skills. So on one hand I even hear some professional hackers tell me to learn much more advanced programming in order to get good. But then when I contact the elearn security team they say "to take our web hacking course just know basic networking and linux and take our intro course first" and I think "well, but if I do that, how will I be as effective as someone who knows enough web development that they could have invented SQLi?"

Thanks for the answer by the way. I really appreciate it. I'm gonna spend several months learning web development while I work on Sec+ and CCNA over the summer. In fact, I am gonna be working on web development as of today and I already started again on code academy. I made a decision to do both: learn the programming and web development and get good at that, as well as learn the Linux and networking knowledge. I think its better to go overkill than underkill when it comes to learning, and as well as in life in general.

But right now I'm focused on computer networking and web dev and I'm aiming to practice a little more Linux skills maybe in Fall, while still learning web development. By that point, I think I am gonna end up learning some of my web penetration testing through the unlimited elearn security courses my school's cybersecurity club gave me access to. That is, if I'm ready by then. I think I probably will be ready though because I'm a fast learner when I put my mind to something.

I have just been very scattered about everything, but now I am more focused and persistent the past few months.

Based on what I've read, I'm not certain that Insider necessarily recommended the easy way. I'm not a full-on developer. I don't like coding (anymore at least). But I have a solid understanding of programming concepts. I can look at source code and completely understand what it's doing. I can see security mistakes and oversights that have been made. If I need to write code I can write code in about a dozen languages. But the last time I actually worked on an actual programming project/application was probably 5 years ago. But that's the thing. If you can't look at code, understand what it's doing, then how are you going to even begin to break it?? This is the key. You don't need to be the world's best programmer. You need to be a solid programmer. To be good.

However, maybe I wasn't particularly clear. When you're learning programming, you should absolutely be learning secure programming practices as well. Security isn't an addon, it's integrated. Or at least it should be. Same goes with networking. Learn networking, but you should be learning about best practices as well, which includes security. Security should never be an afterthought. 

Security isn't really something you should 'go back and learn'. It should be part of the learning process. This learning process is more or less what makes you a good hacker. You begin to fully understand how things work. Once you've gotten to a point where you fully understand how things work, you begin to understand how you can break them. It's a natural progression. Once you get to this point, you may do more research on new ways people have come up to break systems - that you may not have found. And while this is similar to X action, Y condition, Z result - understanding how everything works allows you to change X actions depending on how Y condition changes to get the same or similar results.

So what would be a good rule of thumb before learning web hacking?
Reply
#13
(03-29-2020, 02:21 AM)QMark Wrote: So what would be a good rule of thumb before learning web hacking?

[Image: 90949992_10158196704423524_6470506314622...e=5EA43092]

Saw this "meme" today on facebook. Definitely relevant.

As for your question, once again, the fundamentals. solid programming skills for starters. then a solid understanding of the underlying technology used. Websites run on web servers like Apache, Nginx, etc. Do you understand the HTTP and HTTPS protocols? How about DNS? Understanding Linux when attacking a webserver running Linux for example. back in the day you could put something like ../../../etc/password in your browser bar on certain versions of apache and you'd get the password file for all the users on the system. or any other accessible file on the system. This is called directory traversal, and if you had no idea how linux systems worked, you'd probably not have much luck. Especially if say the passwd file was locked down, but you could still access things like config files in the current account. If you don't understand where or how those config files are - you're never going to get anywhere.

I'm starting to ramble... 

But i guess the point is, the more you understand about the systems you're trying to exploit, the more you'll be able to exploit. That's not to say you need to learn *everything* before you start hacking - but you need to have a solid understanding of the technology you're trying to exploit. And web hacking is too general of a term for me to specify what specifically you need to learn. 

You want to exploit SQL driven php websites? a solid understanding of HTTP/S, PHP, and SQL will be necessary.

You want to exploit a NoSQL driven NodeJS application? a solid understanding of NoSQL and NodeJS will be necessary.

You want to exploit a Java driven website? You'll probably need a solid understanding of Tomcat, Java, and Servlets.

Knowing PHP and SQL probably won't directly help you exploit a NodeJS or Java website. Understanding a programming language would of course help... but each language and technology has its own weaknesses and security considerations.

So the only rule of thumb I have for you - and this applies to any kind of hacking - no matter what you're trying to exploit - is learn the fundamentals of the technology running the system you're trying to exploit.
Reply
#14
(03-29-2020, 04:15 AM)MuddyBucket Wrote:
(03-29-2020, 02:21 AM)QMark Wrote: So what would be a good rule of thumb before learning web hacking?

[Image: 90949992_10158196704423524_6470506314622...e=5EA43092]

Saw this "meme" today on facebook. Definitely relevant.

As for your question, once again, the fundamentals. solid programming skills for starters. then a solid understanding of the underlying technology used. Websites run on web servers like Apache, Nginx, etc. Do you understand the HTTP and HTTPS protocols? How about DNS? Understanding Linux when attacking a webserver running Linux for example. back in the day you could put something like ../../../etc/password in your browser bar on certain versions of apache and you'd get the password file for all the users on the system. or any other accessible file on the system. This is called directory traversal, and if you had no idea how linux systems worked, you'd probably not have much luck. Especially if say the passwd file was locked down, but you could still access things like config files in the current account. If you don't understand where or how those config files are - you're never going to get anywhere.

I'm starting to ramble... 

But i guess the point is, the more you understand about the systems you're trying to exploit, the more you'll be able to exploit. That's not to say you need to learn *everything* before you start hacking - but you need to have a solid understanding of the technology you're trying to exploit. And web hacking is too general of a term for me to specify what specifically you need to learn. 

You want to exploit SQL driven php websites? a solid understanding of HTTP/S, PHP, and SQL will be necessary.

You want to exploit a NoSQL driven NodeJS application? a solid understanding of NoSQL and NodeJS will be necessary.

You want to exploit a Java driven website? You'll probably need a solid understanding of Tomcat, Java, and Servlets.

Knowing PHP and SQL probably won't directly help you exploit a NodeJS or Java website. Understanding a programming language would of course help... but each language and technology has its own weaknesses and security considerations.

So the only rule of thumb I have for you - and this applies to any kind of hacking - no matter what you're trying to exploit - is learn the fundamentals of the technology running the system you're trying to exploit.

Ok, what if I had specific books or courses in mind that I wanted to be optimally beneficial when I finally take them? Let's say I want to know all of the prerequisite concepts necessary in order to understand everything in elearn security's courses but I want to first learn every prerequisite I need to do the web hacking track which is PTS > WAPT > WAPTX so that I get the maximum possible benefit out of the course and not just the minimum.

How much networking, linux, and web development should I learn to do that as a start?

My short term goal is to get enough to gain the most out of the web hacking track, but I eventually want to be well-rounded and know all of elearn security's penetration testing courses plus know OSINT plus know social engineering and maybe earn OSCP afterwards. Let's say that's my long term goal, but in the short run I want to know the amount of networking, programming, and operating systems just to get the most out of the web hacking track. Obviously, I want to also be a programmer with a primary language of python for everything.

What would you recommend before starting on that?

I figured if I was more specific that maybe I would get a little bit further in terms of what I need to do to achieve this.
Reply
#15
(03-29-2020, 04:32 AM)QMark Wrote: Ok, what if I had specific books or courses in mind that I wanted to be optimally beneficial when I finally take them? Let's say I want to know all of the prerequisite concepts necessary in order to understand everything in elearn security's courses but I want to first learn every prerequisite I need to do the web hacking track which is PTS > WAPT > WAPTX so that I get the maximum possible benefit out of the course and not just the minimum.

How much networking, linux, and web development should I learn to do that as a start?

My short term goal is to get enough to gain the most out of the web hacking track, but I eventually want to be well-rounded and know all of elearn security's penetration testing courses plus know OSINT plus know social engineering and maybe earn OSCP afterwards. Let's say that's my long term goal, but in the short run I want to know the amount of networking, programming, and operating systems just to get the most out of the web hacking track. Obviously, I want to also be a programmer with a primary language of python for everything.

What would you recommend before starting on that?

I figured if I was more specific that maybe I would get a little bit further in terms of what I need to do to achieve this.

I have never looked at elearn security let alone done their courses. So I can't really tell you what you need to know. I don't know what level they start at, so I can't tell you their pre-requisites. That's something you should probably ask them.
Reply
#16
(03-29-2020, 04:48 AM)MuddyBucket Wrote:
(03-29-2020, 04:32 AM)QMark Wrote: Ok, what if I had specific books or courses in mind that I wanted to be optimally beneficial when I finally take them? Let's say I want to know all of the prerequisite concepts necessary in order to understand everything in elearn security's courses but I want to first learn every prerequisite I need to do the web hacking track which is PTS > WAPT > WAPTX so that I get the maximum possible benefit out of the course and not just the minimum.

How much networking, linux, and web development should I learn to do that as a start?

My short term goal is to get enough to gain the most out of the web hacking track, but I eventually want to be well-rounded and know all of elearn security's penetration testing courses plus know OSINT plus know social engineering and maybe earn OSCP afterwards. Let's say that's my long term goal, but in the short run I want to know the amount of networking, programming, and operating systems just to get the most out of the web hacking track. Obviously, I want to also be a programmer with a primary language of python for everything.

What would you recommend before starting on that?

I figured if I was more specific that maybe I would get a little bit further in terms of what I need to do to achieve this.

I have never looked at elearn security let alone done their courses. So I can't really tell you what you need to know. I don't know what level they start at, so I can't tell you their pre-requisites. That's something you should probably ask them.

They start at beginner level and go throughmore advanced material as the student progresses through more advanced courses.

I think I may merely follow Insiders advice when taking the courses and your advice as well since the people at eearm security said I needed networking and Linux primarily to do the courses but I think building a few websites won’t hurt me if nothing else. So I will just take both your advice because I think what Insider is saying works as an explanation for prerequisites so long as I comtinue to learn to code and get the right projects done in time I should be fine.

But yeah I think I need to get trough lots of cody academy if possible and build websites with what I learn. Because otherwise elearn won’t be as effective.
Reply
#17
A lot of gold nuggets of wisdom from Muddbucket here Big Grin Agree 100%. I used to be that noob hacker. I was SQL-injecting random google-dork sites. Following a tutorial from point A to B. But to be honest, I did not understand much of what I was doing. And following basic tutorials was all that I was limited too.

But once I got down the fundementals of SQL, you actually started to understand why and how things worked. You have to know the systems to break them to a certain extent.

Not saying to become a backend engineer. But maybe try making a simple PHP+SQL project? And then break it.
Reply
#18
(04-03-2020, 08:58 PM)Insider Wrote: A lot of gold nuggets of wisdom from Muddbucket here Big Grin Agree 100%. I used to be that noob hacker. I was SQL-injecting random google-dork sites. Following a tutorial from point A to B. But to be honest, I did not understand much of what I was doing. And following basic tutorials was all that I was limited too.

But once I got down the fundementals of SQL, you actually started to understand why and how things worked. You have to know the systems to break them to a certain extent.

Not saying to become a backend engineer. But maybe try making a simple PHP+SQL project? And then break it.

Ok that makes sense to me. So if I continue to practice web development on code academy then I can build a project the regular web dev track way, then after a few of those maybe start the PHP track? Then build a project on my own that incorporates all of that into one long project and that could take me a few months, then break that project, then start hacking?

Ok I see where your going with this. I am gonna follow your advice.

While I am doing that I obviously need to learn computer networking and gain some networking skills. I have an online course on computer networking that’s like over 70 hours long that might help. It comes with loads of packet tracer projects lol.

It looks like a combination of networking and web development is what I need for this. So those will be the two things I start to focus on now through the summer + building my own projects.

Good advice.

Thanks.
Reply
#19
Just keep in mind... dont try to learn too much at once. A lot of learning comes from practice. That's how it solidifies in your brain. If you're trying to learn 4 completely different technologies at the same time, you're probably not going to be too successful at learning any of them. 

I've noticed that you in particular have trouble focusing. Real talk: It doesnt look to me like you're accomplishing your goals. Pretty sure you were making these same posts 18 months ago.i have a feeling in 18 months we may be in the same situation. You should probably pick one thing to focus on, and really focus on it. Forget about where you want to be for the time being, pick one thing, and get really solid at it.

That's just mybadvice though. Take it or leave it.
Reply
#20
(04-04-2020, 05:12 AM)MuddyBucket Wrote: Just keep in mind... dont try to learn too much at once. A lot of learning comes from practice. That's how it solidifies in your brain. If you're trying to learn 4 completely different technologies at the same time, you're probably not going to be too successful at learning any of them. 

I've noticed that you in particular have trouble focusing. Real talk: It doesnt look to me like you're accomplishing your goals. Pretty sure you were making these same posts 18 months ago.i have a feeling in 18 months we may be in the same situation. You should probably pick one thing to focus on, and really focus on it. Forget about where you want to be for the time being, pick one thing, and get really solid at it.

That's just my advice though. Take it or leave it.

I agree. That's why recently I have been getting my game together. I am becoming more focused.

I'm working mainly on web development and also IT certs on the side just so I can gain some basic knowledge in a few areas. But 100% I'm not gonna do 4 different things anymore. Recently, I have been much more focused on one thing at a time rather than four different things.

But yeah I agree, I have issues with becoming scattered if I let myself. You know, that's what it is but I figure I can't change the past, only the future.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Coldfusion hacking Insider 0 2,709 08-14-2020, 01:55 AM
Last Post: Insider
  Basics of website and server hacking Insider 0 3,836 03-26-2020, 09:34 PM
Last Post: Insider
  is my site secure from common hacking? mhiats37 1 4,602 05-11-2019, 03:03 AM
Last Post: misfit
  WebDAV Hacking [Detect & Exploit] Insider 1 18,252 04-24-2019, 09:03 PM
Last Post: thunder