How to Become a Professional Hacker & Penetration Tester? Part 2

R_Alex

Nov 11, 2018
I Have the Core Knowledge, Now What?


Congratulations, if you attained all the core knowledge listed above, you are no longer a noob. That is a lot of knowledge to have about technology and with it you can probably get a decent entry level tech job. Now it is time, if you haven't already, to get a job. Most pentesters come from varying backgrounds such as Network Admin, I.T Helpdesk, Security Analyst, Web Development, Programmers, and more. The point is, get a job in technology, doesn't need to be security related immediately though that is a bonus. At this point you should also look at getting a few certs, Network+ and CCNA would be great for getting into a networking job. MCSA is good for getting into a System Admin role. If you mastered the core knowledge then you should have no issues getting a few of the entry level certs.

You may be asking, why wasn't programming listed as core knowledge? There is a good argument that it should be but I think programming should be part of the next step. Mastering everything in the first section will take at least a year or two depending on how fast you can learn, your current background in technology, etc. Adding programming on top of that immediately will take up even more time, and if you don't have a reason to learn coding yet then you are likely to forget a lot.

Ok so now you have a job in I.T, it pays shit but it looks good on the resume. Every job you have from now on will be a stepping stone. Don't expect to remain at any one job for more than two years because the way to the top is a ladder and getting complacent will get you stuck on a lower rung. Of course if you do find that you really enjoy being a Network Admin, System Admin, Security Analyst and don't feel like pursuing Penetration Testing, that is perfectly fine. Those jobs are great and will provide you with a good future.

Now though, for those who want to keep climbing the ladder, we start to dig deep into security.
How to Become a Hacker?



1. Learn Defensive Security

Probably one of the most asked questions on HF is how to become a hacker. Well to start off if you mastered those core topics you are well on your way. Now we can apply security to each of those core topics. I find it best to learn Blue Team (Defensive Security) before jumping into Red Team (Offensive Security). Because while studying defensive security first you will also learn about offensive security. And any pentester should know what kind of defenses may be in place to prevent a reverse shell, code execution, logging, standard AV behavior and more. Also going down this route can lead to a security analyst position which is a great lead into penetration testing. Of course you can skip this step if you want, learn the advanced subjects listed later, and you probably can still get into penetration testing. This is only my recommendation.

How to Prepare:

* Study: Security+ and CISSP (don't have to get cert but at least study).
* Understand common defense techniques such as how Anti-Virus works, how Web Application Firewalls work, how Firewalls/IDS/IPS work and where they are installed in networks.
* Create your own lab setup, play with setting up Splunk and other free security tools.
* Study compliance such as HIPAA, PCI DSS, and FedRAMP. Study standards such as ISO 9000 and NIST.

At this point you should be able to design, at least on paper, a fully secured network and understand each type of security device you put in place for the layered security. You also should be able to write a Security Policy and understand different security controls based on the compliance or security standard any company may want to utilize.

If you are not a Security Analyst or on an I.T Security team at this point, start applying. You now have the knowledge to get at least a level 1 security position.

2. Can I Start Coding Yet?

Yes, now it is time to learn how to write programs. One thing to keep in mind is that you don't need to be a programmer to be a penetration tester. In fact, unless you already are a programmer, studying to become one would be a waste of time. What you should know though is the basics of computer science and how to write at least basic scripts/programs for security testing. We want to know how to test applications, find insecure code and exploit it, but we don't need to be devops to do that. Of course the more you know about programming the better you will be at testing it, but that is only one of many areas a pentester needs to know. If programming is your thing then you should start that much earlier in the training, add it to your core knowledge set, go to school for it, and make that your job. You can later move to penetration testing if you want but there are better jobs in my opinion, such as Malware Analyst (reverse engineer) or Security Researcher (finding and creating zero-day exploits). Both of which rely heavily on being an expert at programming and are also awesome jobs.

For penetration testers though we want to keep it simple. Python is a great language to learn and master. You can learn about computer science with Python, write custom security tools etc. Python runs natively on Linux and Mac and soon Microsoft will be adding it natively on Windows. I recommend learning Python 2.x first but also know how to write in Python 3.x. There are a ton of great free resources for learning Python but the one I found most useful for starting out is "Learning Python the Hard Way". After that you can move to books like "Black Hat Python" and "Violent Python".

While I recommend sticking with one language until you truly mastered it, there are other languages that will be valuable to learn, at least to the point where you can read source code and understand it.

* C and ASM for exploit development.
* PHP for server side.
* HTML for web development.
* JavaScript for client side.

By no means is this a complete list of languages to be familiar with but it is a great start. Once you understand programming basics it really comes down to learning different syntaxes. Of course there are many differences between Python and C (not to mention ASM) but you should be able to jump into C and be able to apply some previous knowledge to it. Once you know the basics, one of the best ways to learn coding is to review source code found on github and other places.
 
