Reddit makes me sad

All I want to do in life is browse r/hacking and r/howtohack without seeing threads every five seconds like “pls hax0r my school” and “h0w do i h4ck??!”. Although that’s probably not going to change anytime soon, these subreddits (all subreddits) lack an introduction, or a “get started” section. This field isn’t something which is taught at every school, and it’s important we work together as a community to responsibly introduce people to the ever-growing world of cybersecurity. So, grab your notepad, pull up a chair, and damn it Jerry quit falling asleep in my lecture, because Professor Nautilus is about to start class.

FUNdametnals

So, you want to be the cool kid in school, have a cool name, and make the girls and boys faint when you whip out your raspberry pi? Well, you have to learn the fundamentals first. Yes, this means reading books, watching YouTube tutorials, and reading strange forum posts.

Learn Networking (what is TCP/IP, which ports do what, etc.)

Learn how to work in a Linux environment comfortably

Read cybersecurity interview questions, these will provide you with basics to look into.

Look into what tools attackers are using (burp, w3af, SQLmap, beef)

Look into the OWASP Top 10 (critical web application security risks)

Interact with the community (twitter, reddit, forums)

Practice in a safe environment (Vulnhub boxes, DVWA, OverTheWire)

Read and understand the CFAA (I cannot stress this enough, you need to understand the laws, and what’s wrong with them)

Obviously this isn’t all there is to cover, but it’s a start. Different paths work for different people. There’s no right or wrong path but it’s important to cover the fundamentals at some point. Otherwise you end up with someone who can do “the thing” and not understand “the thing”. Sadly. I am one of those people, and I’ve spent the last few months going back and relearning my fundamentals.

It may suck, but learning the fundamentals will improve your offense and defense.

Resources

Okay. I constantly see people complaining that they don’t know where to get started in InfoSec. There are TONS of free resources available, but they’re not easy to find if you don’t know what you’re looking for.

OverTheWire Bandit: OverTheWire is awesome. Bandit will teach you the basics for working in a Linux terminal. Bandit does get tougher, and there are over 30 levels. Take your time working on it and take a break when you get frustrated. I run an Information Security club and a large percentage of the club left after the first week because they were frustrated/tired of trying.

OverTheWire Natas: Natas will teach you some of the basics to thinking like a hacker. Natas also introduces Burpsuite, as well as some concepts such as Reverse Engineering. I would recommend working up to level 4 by yourself and then looking into a tutorial on Burpsuite. If you’ve never worked with Burp before then look into a YouTube crash course.

Metasploitable 2: This may be a little trickier for starting off with, but Metasploitable 2 provides you with web based apps to attack. DVWA for example allows you to practice SQLi, XSS, BruteForce, and File Upload vulnerabilities.

VulnHub: Boxes that are vulnerable by design. VulnHub boxes challenge you to get (g)root. I recommend watching a tutorial for a beginner box, and then trying one by yourself. These boxes combine being familiar and comfortable with both Linux and tools.

Attack-Defense Online Labs: I just found out about this site the other day, and it’s great. For now, this site is free and it provides you with a wide variety of challenges. However, I wouldn’t recommend starting off with this website because the hints provided aren’t always the greatest.

Hack The Box: Pretty much the same as VulnHub. Watch a tutorial and then try some out.

Null Byte: There are some great tutorials on this site. Look around and read some articles. There’s a tutorial for pretty much any tool you’re trying to use.

Offensive Security: Offensive Security has some paid trainings/certifications, as well as some free resources. I’d recommend reading the Metasploit tutorial as well as Kali Linux Revealed.

Capture The Flag: There’s a ton of resources available for CTF. So here’s some | CTF365, CTFtime, and GiraffeCTF.

End

Thanks for reading. If you have any questions then shoot me a DM on Twitter. I’m always happy to provide you with more resources, or answer a question if you’re stuck on a challenge. Nautilus out.