I guess everyone that works in Infosec world has heard these words: “How can I learn to hack?” or “What I need to learn to be a hacker?”. There are a lot of people that are curious and wants to learn about hacking, but they don’t know how to start. Also, sometimes it comes from people with not good knowledge of IT world, so it makes the answer to these questions a bit more difficult.
First of all, what do you want and why you want to learn to hack? Do you want to start doing Capture The Flags for fun, or do you want to start a professional career? The main difference is that if you want to work in Infosec you may need some certifications. You need to think about what job do you want to get, in this article I will cover what to learn to start working an ethical hacker/pentester.
From my point of view, there are some knowledge that you need if you want to start being a professional. There are more things that you should know. But in this post I will only cover the basics. You will need to know some important things related with Linux, networking, programming and of course about application security.
You need to learn about system architecture, structure of files, users, permissions, services, processes and commands. It can be a good exercise to install a Linux distribution like Arch o Gentoo, and start learning how this operating system works. After that, you may like to start playing around with Windows and understand the same topics.
Once you have a solid knowledge of Linux you can start learning Bash and begin doing your own scripts. Once this is completed, you can focus in learning some Python. You can do some developments to try to automate HTTP requests or DNS requests for example and after you can try to focus in more complex things.
It’s really important to have at least a solid knowledge of these protocols: TCP/IP and HTTP. It’s important to understand how these protocols works and be able to understand a simple traffic capture. There are a lot of concepts that are important here, from my point of view it is also important to learn concepts about IPS/IDS, firewalls and SIEM.
Once you have all the knowledge listed above, let’s start hacking! You can start doing some Boot2Root machines. I would recommend you 5 boxes:
– Kioptrix 1 to 4.
The first 4 are great boxes for beginners focused in infrastructure hacking (thank you and rest in peace LoneFerret). The last one is focused on Web Application hacking and it may not be so fun, but I think it’s a good resource to learn about web application security.
Finally, it’s sad but sometimes to get the first job in this sector, at least in my country, you may need some certifications, I would recommend you to start with CEH (Certified Ethical Hacker) from EC-Council. I didn’t do it myself but I have good references about this course.
Certified Ethical Hacker
Last thing I want to tell you, that to “be a hacker” is just be a person ho has a lot of knowledge about IT but also that has the right mindset. You have to learn by yourself, do not expect that someone will guide you, make your own road map and try to achieve your objectives. It may take years to accumulate the knowledge and the experience needed to have a good level in these topics. Try to learn whatever you want that make you think that it may help you, you are never losing your time if you are learning new things.