In the comments to an earlier article, Ideal Skill Set For the Penetration Testing, a reader, Nicole, asked, “Does anyone have any suggestions on where I should start building practical skills?” I originally wrote this as an answer to her comment, but it’s a question I get a lot in the classes I teach, so I’m reposting my answer here.
There are two general routes to gaining this knowledge. Some people do better if they take some classes to get started. Others just Google what they want to learn and teach themselves. When I was coming up in security, most of my best learning came from studying on my own in my free time. That approach takes much longer, but it works for some people. Most do a combination of taking classes and self-teaching via Google and articles like this.
Gaining technical skills really boils down to a few questions:
- How much time do you have to invest in learning this?
- How much money do you have to invest?
- How much money will your future/current employer be willing to invest? (People are surprised at how often employers are actually willing to pay for this type of training. You have to ask, and ask even in your interviews when you are talking to prospective employers.)
- How serious are you about security and how much do you like security?
Answer these questions and you should be able to come up with your plan of attack. One place to start your education is here! I would suggest reading through as many of the articles as possible and watching the videos on InfoSec Resources. Don’t be overwhelmed by the fact that you won’t understand it all. Just stay plugged in. Jot down the terms and ideas that really confuse you for later study.
When you’re ready to get hands-on, ideally you’ll have a spare computer or laptop to practice on. That machine needs as much RAM and as fast a CPU as you can get in it, because it will be running several virtual machines at once; RAM is usually the first limit you hit. If you don’t have a dedicated machine, then at least set up a virtual machine to work in.
Now that you have the machine — or your virtual machine — set up, download BackTrack 4, or another Linux distro of your choice. First, read some tutorials on using BackTrack to do basic things. If you have no technical skills, start with the basics. For example, learn how to find out what IP address your Linux/BackTrack 4 machine has and how it got it (usually DHCP). Then learn how to set a static IP address (one you assign yourself), along with the netmask, gateway and DNS server it needs in order to work.
Next, get yourself VMware or some other virtualization solution. Install Windows Server 2003, Server 2008, XP and 7. Just installing these will teach you some things, and you’ll start to get more comfortable simply from doing it. As a matter of fact, install them all two or three times.
Learn how to do basic things in each OS: create user accounts, grant and revoke permissions, lock user accounts, and change IP addresses and other network settings.
Next, learn how to network your Windows machines to each other. Create some file shares, store data there, and move data from one machine to the other. Then move on to networking your Linux machines with your Windows machines. After you’ve got this all working, start reading up on how and why it works. Once you’ve got some good theoretical knowledge of how it works, download Wireshark and tcpdump (or its Windows port, WinDump) for both Windows and Linux, and start studying the traffic between all the machines. First study the traffic from transferring files and other deliberate activity. Then study the traffic that is generated even when the machines are not actually transferring data: ARP requests, NetBIOS name broadcasts, DHCP renewals and the like. Being able to tell that background chatter from real data transfer is what lets you spot the unusual later.
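To see what Wireshark and tcpdump are actually doing when you “study the traffic”, here is an added example (not from the original article) that builds a small, constructed capture of two lab VMs and decodes it with nothing but Python’s struct module. The MAC and IP addresses, the frames and the file itself are made up for illustration, and the chatter/transfer split is my own heuristic; the point is walking the same 14-byte Ethernet, 20-byte IPv4 and 8/20-byte UDP/TCP headers that Wireshark’s packet-details pane walks for you, and separating background noise (ARP, NetBIOS name broadcasts, bare TCP handshakes) from frames that carry data.

```python
"""Decode a small Ethernet/IPv4 capture by hand to see what tcpdump and Wireshark are showing you."""
import struct
from collections import namedtuple

# ---- builders for a CONSTRUCTED sample capture (not a real capture) ----
def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip4(s): return bytes(int(o) for o in s.split("."))

def ethernet(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):
    # version 4, IHL 5, TTL 64; checksum left at 0 because the decoder below does not verify it
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, ip4(src), ip4(dst))
    return hdr + payload

def arp_request(sender_mac, sender_ip, target_ip):
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac(sender_mac) + ip4(sender_ip) + bytes(6) + ip4(target_ip)
    return ethernet("ff:ff:ff:ff:ff:ff", sender_mac, 0x0806, arp)

def udp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ethernet(dst_mac, src_mac, 0x0800, ipv4(src_ip, dst_ip, 17, seg))

def tcp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0) + payload
    return ethernet(dst_mac, src_mac, 0x0800, ipv4(src_ip, dst_ip, 6, seg))

def pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_300_000_000 + i, 0, len(f), len(f)) + f
    return out

# ---- decoder ----
CHATTER_UDP = {67, 68, 137, 138, 1900, 5353}  # DHCP, NetBIOS NS/datagram, SSDP, mDNS
TCP_FLAGS = ((0x02, "S"), (0x10, "A"), (0x08, "P"), (0x01, "F"), (0x04, "R"))
SERVICES = {445: "SMB", 139: "NetBIOS-SSN", 80: "HTTP", 443: "HTTPS"}
# kind is "chatter" (background noise) or "transfer" (application data actually moving)
Frame = namedtuple("Frame", "proto src dst detail payload_len kind")

def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def decode_frame(frame):
    dst, src, etype = fmt_mac(frame[:6]), fmt_mac(frame[6:12]), struct.unpack_from("!H", frame, 12)[0]
    body = frame[14:]
    if etype == 0x0806:                                   # ARP: 8-byte fixed header, then sha/spa/tha/tpa
        oper = struct.unpack_from("!H", body, 6)[0]
        spa, tpa = fmt_ip(body[14:18]), fmt_ip(body[24:28])
        detail = f"who-has {tpa} tell {spa}" if oper == 1 else f"{spa} is-at {fmt_mac(body[8:14])}"
        return Frame("ARP", src, dst, detail, 0, "chatter")
    if etype == 0x0800:                                   # IPv4: header length is IHL * 4 bytes
        ihl, proto = (body[0] & 0x0F) * 4, body[9]
        sip, dip = fmt_ip(body[12:16]), fmt_ip(body[16:20])
        l4 = body[ihl:]
        if proto == 17:
            sport, dport, ulen = struct.unpack_from("!HHH", l4, 0)
            kind = "chatter" if {sport, dport} & CHATTER_UDP else "transfer"
            name = "NBNS" if 137 in (sport, dport) else "UDP"
            return Frame(name, f"{sip}:{sport}", f"{dip}:{dport}", f"{ulen - 8} bytes", ulen - 8, kind)
        if proto == 6:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            payload = l4[(l4[12] >> 4) * 4:]              # data offset lives in the high nibble of byte 12
            flags = "".join(n for bit, n in TCP_FLAGS if l4[13] & bit)
            name = SERVICES.get(dport, SERVICES.get(sport, "TCP"))
            kind = "transfer" if payload else "chatter"   # handshake and ACK-only segments carry no data
            return Frame(name, f"{sip}:{sport}", f"{dip}:{dport}", f"[{flags}] {len(payload)} bytes", len(payload), kind)
    return Frame(f"ethertype 0x{etype:04x}", src, dst, "", 0, "chatter")

def parse_pcap(data):
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap (not pcapng)")
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        frames.append(decode_frame(data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return frames

def summarize(frames):
    return {"chatter": sum(f.kind == "chatter" for f in frames), "transfer": sum(f.kind == "transfer" for f in frames)}

# ---- constructed sample: two lab VMs idling, then one opens an SMB session to the other ----
A_MAC, B_MAC = "08:00:27:aa:bb:cc", "08:00:27:dd:ee:ff"
A_IP, B_IP = "192.168.56.101", "192.168.56.102"
SAMPLE_PCAP = pcap([
    arp_request(A_MAC, A_IP, B_IP),                                                  # idle: ARP resolving a neighbour
    udp(B_MAC, "ff:ff:ff:ff:ff:ff", B_IP, "192.168.56.255", 137, 137, bytes(50)),    # idle: NetBIOS name broadcast
    tcp(A_MAC, B_MAC, A_IP, B_IP, 49152, 445, 0x02),                                 # SMB connect: SYN
    tcp(B_MAC, A_MAC, B_IP, A_IP, 445, 49152, 0x12),                                 # SYN/ACK
    tcp(A_MAC, B_MAC, A_IP, B_IP, 49152, 445, 0x18, b"\x00\x00\x00\x2f\xffSMB" + bytes(43)),  # PSH/ACK carrying SMB
])

if __name__ == "__main__":
    for f in parse_pcap(SAMPLE_PCAP):
        print(f"{f.proto:12} {f.src:>22} -> {f.dst:<22} {f.detail:16} {f.kind}")
    print(summarize(parse_pcap(SAMPLE_PCAP)))
```

Run it, then open a real capture of your own lab in Wireshark and match the rows up: the first four frames are the kind of thing you will see with nobody touching the keyboard, and only the last one is a file actually moving. Point the same decoder at a real .pcap saved by tcpdump (`tcpdump -w lab.pcap`) to check your understanding; it only handles Ethernet, ARP, IPv4, UDP and TCP, so anything else comes back as a raw ethertype.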
Once you’ve done all the above and understand most of what you’ve done, you should feel comfortable with networking in general and have working knowledge of the operating systems from the perspective of at least a power user, if not a desktop administrator.
After this you’re ready to start delving into security. Go back to where you started with BackTrack 4. By now you should be a lot more comfortable with it. Start learning how to use things like Nmap and other scanners, against your own lab machines only. For example, if you set up a web server (and if you didn’t, go ahead and set one up), scan it and prove it’s a web server. From Linux, type the command ‘man nmap’. Read the ENTIRE man page. After reading it, make yourself some notes of the things that really interest you. Now run nmap using EVERY option listed in the man page. Study its output, and revisit the man page to remind yourself of what a particular scan type is doing and what certain options are.
Next, start reading about vulnerabilities. Some of it won’t make sense yet, but that’s OK. After spending no less than 20 hours total reading about vulnerabilities (doesn’t matter how you stretch the 20 hours out), go back to Backtrack and learn how to exploit one of your unpatched Windows machines until you can get a shell. Pat yourself on the back, and then ask yourself “Now that I have a shell, what can I do with it?” Stop where you are and spend about 20 more hours learning how to do everything you’ve learned about Windows from the command line. Once you’ve done that, come back and exploit that target again. You should now be able to do some pretty decent stuff with that shell you’ve gained.
The next move is to find a rootkit and a Trojan. You just need one of each that you can spend some time mastering. Once you know how to use them, start planting them, via your exploited command shell only, on the compromised targets you’re practicing with. Keep that lab network isolated from everything else; live malware samples do not belong on a network you care about.
At this point, start playing with Perl, Python and Bash scripting to automate all the great stuff you’ve learned how to do from the command line. This part will be painful at first, but it’ll get easier. Trust me.
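The following is an added example, not part of the original article, that ties the Nmap step above to this scripting step: it does by hand what `nmap -sT` (a TCP connect scan) and a service probe do, then automates both against a constructed lab target. The target is a stdlib HTTP server bound to an ephemeral port on localhost, so the whole thing runs offline against your own box; the host, port list and function names are my own. Point it only at machines you own.

```python
"""Connect-scan a host, then prove an open port really is a web server: the hand-rolled version of `nmap -sT -sV`.
The lab target below is constructed (a stdlib HTTP server on localhost) so the script runs offline."""
import http.server
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5):
    """Return the ports where a full TCP handshake completes (what nmap's -sT connect scan does)."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return port if s.connect_ex((host, port)) == 0 else None   # 0 = connected, otherwise an errno
    with ThreadPoolExecutor(max_workers=32) as pool:
        return sorted(p for p in pool.map(probe, list(ports)) if p is not None)


def http_banner(host, port, timeout=2.0):
    """Speak HTTP to an open port and report whether a real HTTP status line came back (the -sV idea)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        buf = b""
        while b"\r\n\r\n" not in buf:                 # read until the end of the response headers
            try:
                chunk = s.recv(4096)
            except OSError:                            # timed out: a non-HTTP service may never answer
                break
            if not chunk:
                break
            buf += chunk
    head = buf.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return {"is_http": False, "raw": buf[:64]}     # keep the first bytes; they fingerprint other services
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"is_http": True, "status": lines[0], "server": headers.get("server", "")}


def scan_and_fingerprint(host, ports):
    """The automation: find the open ports, then fingerprint each one."""
    return {p: http_banner(host, p) for p in connect_scan(host, ports)}


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):                      # keep the lab server from spamming stderr
        pass


def start_lab_server():
    """Constructed lab target: a stdlib HTTP server on an ephemeral localhost port. Returns (server, port)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_lab_server()
    try:
        # scan a small window around the lab port; only the lab port should come back open
        for p, info in scan_and_fingerprint("127.0.0.1", range(port - 3, port + 4)).items():
            print(p, info)
    finally:
        srv.shutdown()
        srv.server_close()
```

Compare the output with `nmap -sT -sV -p <port> 127.0.0.1` against the same running server: the status line and the Server header are exactly what a service probe keys on, and the connect scan is why `-sT` shows up in the target’s logs while a SYN scan usually does not.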
Now you should be ready to start researching evasion techniques for anti-virus, IDS and firewalls.
Apply everything else you’ve learned together with these evasion techniques. Don’t worry about paying too much attention to “thinking like a hacker”; as you progress through the things I’m outlining, that will come naturally. You’ll find that part of thinking like a hacker is being able to think like the victim whose system you just compromised (which means you’ll know said victim’s every move before they make it).
After that, you will be ready to move on to learning how to cover your tracks: clearing logs, skewing timestamps, modifying log entries, and so on. Then you’ll need to learn how to do it elegantly and non-destructively.
Eventually move to more advanced things like:
- Learning some coding
- Discovering your own vulnerabilities
- Writing your own exploits.
Now let me say this. You can devote most of your free time for the next couple of years to doing these things, and you can pretty much Google “how to [whatever I said to learn above]” and find references for it all.
We can teach it all to you. Here’s a class path I recommend for you.
- A+ Class
- Network+ class
- MCITP track for Server Admin
- Ethical Hacking
- Advanced Ethical Hacking
- Computer Forensics (you need to know what they’ll look for and how they are going to look for it to truly understand covering your tracks)
- Coding for IT Security Professionals
- Intro to Reverse Engineering
- Reverse Engineering
- Advanced Reverse Engineering
- Malware Analysis
Understand that our classes are EXTREMELY hands-on and lab based. You’ll be led by me or another seasoned instructor who practices security for a living. I think our testimonials and evaluations speak to that.
Hope this article helps start you down the road to where you want to go, in a field I have spent most of my adult life learning and continue to learn more about every day. I’ll close by re-stating one of my themes: love what you do, and understand that you should always have your foot in the door of some education/training conduit. To me, mastery of anything requires one to NEVER stop learning.