How to become a white hat hacker (network security engineer) through self-study

After so many years in network security, I still get asked all kinds of odd questions:

"Uncle, my Steam account was stolen, can you help me get it back? I'll send you a red envelope."

"My phone is being monitored and it's seriously affecting my life and work. How do I fix it?"

"My Xiaohongshu account was stolen and I can't get it back. What do I do if the thief keeps scamming my followers?"

"Can you find where my phone is?"

I do understand where this comes from. "Network security" is a mysterious, distant idea to most people; who really knows what it is?

What I understand least, though, is when people ask me: is the bar for network security so high that it simply cannot be self-taught, and ordinary people cannot get into the industry?

For a moment I didn't know whether they were praising me or putting themselves down~

In a world where the Internet is this developed, anyone willing to make the effort can find plenty of tutorials online and learn however they like, openly and transparently.

Don't be intimidated by the words "network security", and don't assume it is hard to teach yourself!

1. Misunderstandings and pitfalls of self-studying network security

1.1. Don't start by learning programming

In previous articles I have stressed repeatedly: do not begin network security by learning programming first. Learning programming takes a long time, and much of what you learn turns out not to be the key knowledge you need once you actually move into security.

If an ordinary person tries to master programming before starting on network security, it usually takes a very long time, and it is easy to give up halfway. Programming is only a tool, not the goal; we are not trying to become programmers. My suggestion is to fill in whatever you are missing as you work through the security material itself, which is more purposeful and far less time-consuming.

1.2. Don't make in-depth study your first lesson

Many people want to learn network security thoroughly and solidly, so they push too hard and fall into a trap: trying to learn everything in depth from the very start. Making in-depth study the first lesson of network security is not a good idea, for the following reasons:

[1] Going deep too early means a lot of black-box material you cannot yet see into, and you end up swallowing it whole without digesting it

[2] In-depth study demands a lot from you; it is poorly suited to self-study and easily leads into a dead end

1.3. Don't collect too many materials

There is an enormous amount of network security material online, and several gigabytes of downloads or videos are available at every turn. Many people have a "collecting addiction", buying a dozen books at once or saving dozens of videos.

Much of the material online is highly repetitive, and most of it has not been updated in years. For the introductory stage I recommend choosing "small but refined" materials. Below I recommend some learning resources that I think are good for beginners; read on patiently.


2. Some preparation before learning network security

2.1. Hardware selection

I am often asked, "Do I need a high-spec computer to learn network security?" The answer is no. A hacker's computer does not need a high configuration, only stability: the programs involved run fine on a low-end CPU and do not take much memory. Besides, most of the work is done on the command line, so even a modest computer can be pushed to its best.

So don't buy a new machine in the name of learning...

Computer configuration for learning penetration testing:
1. Hard disk: at least 1 TB; recommended 256 GB SSD + 1 TB HDD (two drive bays).
2. Memory: at least 16 GB, since several virtual machines may run at the same time.
3. CPU: at least an i5, i7 recommended.
4. If you only work in one place a desktop is fine; otherwise a laptop is more convenient.


2.2. Software selection

Many people agonize over whether to use Linux, Windows or macOS for learning hacking. Linux looks cool but is not beginner-friendly. Windows can run the target machines in a virtual machine for practice. If you have a Mac, you can set up a dual-boot system.

As for the programming language, Python is the most recommended because of its excellent library support. Many websites are developed in PHP, so PHP is also a reasonable choice. Other languages include C++, Java...

Many people ask whether they need to learn every language. The answer is no! To repeat what I said above: learning programming is just a tool, not the goal; we are not trying to become programmers.

(One more thing: although programming is not what gets you started, it does determine how far you can go in network security, so I recommend learning some basic programming on your own.)

2.3. Language ability

Computers were invented in the West, and much of the terminology and code is in English. Even many existing tutorials were originally translated from English, and a vulnerability write-up usually takes about a week to be translated into Chinese; in that gap the vulnerability may already have been patched. If you don't understand the professional terms, you will also struggle to exchange techniques and experience with other hackers. So you need a certain amount of English and hacker jargon (not fluency, but enough to understand the basics).

For example: "broiler" (肉鸡, a compromised machine), "hanging a horse" (挂马, planting malware on a web page), shell, WebShell, etc.

3. Self-study network security learning route


3.1. Getting started with basic operations and learning the fundamentals

The first step is to take a course on the current mainstream security tools, together with a companion book on the basic principles. This usually takes about a month.

At this point you have a basic picture of cybersecurity. After the first step you should understand, in theory, what SQL injection is and what an XSS attack is, and you should have the basic operation of tools such as Burp, msf and CS down. The most important thing now is to lay the foundation!

The "foundation" is a systematic study of computer fundamentals. To learn network security well you need five basic knowledge modules:

1. Operating systems

2. Computer networks and protocols

3. Databases

4. Development languages

5. Principles of common vulnerabilities

What is the use of these fundamentals?

Your level in each area of computing sets the ceiling of your penetration level.

[1] For example: if your programming is strong, you will be better than others at code auditing, and the exploit tools you write will be easier to use than theirs;

[2] For example: if your database knowledge is strong, then when carrying out SQL injection you can write more and better injection statements, and bypass WAFs that others cannot;

[3] For example: if your networking is strong, then when you move into an internal network you will understand the target's network structure more easily than others; you can get hold of a network topology and know where you are, or read a router's configuration file and know what routes it has;

[4] For another example, if you know operating systems well, your privilege escalation will be stronger, your information gathering will be more efficient, and you can filter out the information you want quickly.

3.2. Network security practice

1. Hunting on SRC platforms

The point of hunting on SRC (security response center) platforms is to put your skills into practice. The biggest illusion in learning network security is feeling that you know everything, until you try to find a real vulnerability and cannot do anything. SRC platforms are a very good opportunity to apply what you have learned.

2. Learn from technical write-ups (vulnerability hunting)

Read and study the 0day hunting posts of the past ten years, then build an environment to reproduce the vulnerabilities, think through the author's approach to finding them, and develop your own penetration mindset.

3. Lab practice

Build a practice lab (靶场) yourself or use a free online lab site. If you can afford it, buy one or sign up with a reliable training institution; these usually come with accompanying lab exercises.


3.3. Take part in CTF competitions or HVV exercises

Recommended: CTF competitions

CTF has three advantages:

[1] It is the closest thing to real practice. The cybersecurity law is very strict now, unlike before, when everyone could poke around freely

[2] The challenges keep up with the technical frontier, whereas many books lag behind

[3] If you are a college student, it will help a lot when looking for a job later

If you want to play CTF, go straight to the competition challenges; whenever you don't understand a challenge, look up exactly what you don't understand.

CTF reproduction platforms

  • BUUCTF
  1. Reproduces the environments of a large number of past competitions
  2. One of the earlier Chinese CTF reproduction platforms to use dynamic target machines; regularly holds open competitions
  3. Provides the open-source platform environment and complete competition write-ups
  • CTFHub
  1. Challenges from all kinds of competitions over the years
  2. A more systematic skill tree
  3. A fairly complete set of CTF tools
  4. A comprehensive event calendar
  5. More complete competition write-ups
  • Bugku
  1. An earlier domestic CTF reproduction platform (Bugku was well known before BUU and CTFHub became popular); relatively basic challenges
  2. More complete write-ups
  • Pwnable
  1. Suited to Pwn beginners; the challenges are friendlier

Recommended: HVV (网络护网, network protection exercises)

HVV has four advantages:

[1] It also trains you hard and improves your skills; it is best to take part in the HVV exercise held every year

[2] You meet many big names in the field and expand your network

[3] HVV pays very well, so you can earn a lot by taking part

[4] Like CTF, if you are a college student it will help a lot when looking for a job later


4. Network security resource recommendations

4.1. Recommended book list

Computer operating systems:

[1] Code: The Hidden Language of Computer Hardware and Software

[2] In-Depth Understanding of the Operating System

[3] Windows Internals

[4] Linux Kernel Development

Programming and development:

[1] Programming Windows

[2] Windows via C/C++ (Windows核心编程)

[3] Linux Programming

[4] Advanced Programming in the UNIX Environment

[5] iOS Programming

[6] First Line of Code: Android

[7] The C Programming Language

[8] C Primer Plus

[9] Pointers on C

[10] Expert C Programming

[11] C Traps and Pitfalls

[12] Assembly Language (Wang Shuang)

[13] Core Java

[14] Thinking in Java

[15] Core Python Programming

[16] Linux Shell Scripting Cookbook

[17] Introduction to Algorithms

[18] Compilers: Principles, Techniques, and Tools (编译原理)

[19] Compilation and Decompilation Technology in Practice

[20] Clean Code

[21] Code Complete

[22] TCP/IP Illustrated

[23] Rootkits: Subverting the Windows Kernel (Rootkit：系统灰色地带的潜伏者)

[24] Hacking Attack and Defense Technology Collection (黑客攻防技术宝典)

[25] Encryption and Decryption (加密与解密)

[26] C++ Disassembly and Reverse Analysis Techniques Revealed

[27] Web Security Testing

[28] White Hat Talks About Web Security (白帽子讲Web安全)

[29] Mastering Script Hacking

[30] Web Front-End Hacking Techniques Revealed

[31] The Programmer's Self-Cultivation (程序员的自我修养)

[32] The Elements of Style

4.2. Common network security websites and forums

  • Kanxue Forum (看雪)
  • Anquanke (安全客)
  • Aqniu (安全牛)
  • Anquan Neican (安全内参)
  • NSFOCUS (绿盟)
  • Xianzhi Community (先知社区)
  • XCTF Alliance

5. Network security interview questions

1. What is the principle of SQL injection?

SQL injection is an attack in which maliciously constructed SQL fragments are inserted into an application's input parameters, passed on to the backend SQL server, and parsed and executed there.

2. What causes SQL injection?

During development, SQL statements were not written in a standard way and input parameters were not filtered.

3. In a MySQL injection, what conditions are needed to write a one-line web shell (一句话木马)?

Writing the shell into the web directory with INTO OUTFILE and obtaining a webshell requires the following:

1. The MySQL user obtained has the FILE privilege (file_priv), and secure_file_priv does not forbid the target directory (check with show global variables like '%secure%')

2. Write permission on the web directory

3. The absolute path of the web directory is known, since INTO OUTFILE needs a full path

4. What is the process of SQL injection?

1. Find the injection point (with a scanner, single quotes, special characters, etc.)

2. Determine the injection type (character, numeric, error-based, etc.)

3. Identify the database type

4. Enumerate database name -> table names -> column names -> data, in turn

5. Extract useful data for further use

5. What are the common web middleware?

1. IIS

2. Apache

3. Nginx

4. Tomcat

5. JBoss

6. What is the difference between MySQL injection above and below version 5.0?

From MySQL 5.0 on, an information_schema database is present by default. Its tables are read-only (no delete, update or insert), but it records all the important metadata of the server: database names, table names and column names.

information_schema.schemata: stores the names of all databases on the server

information_schema.tables: stores the names of all tables

information_schema.columns: stores the names of all columns

7. What are the types of SQL injection?

1. By the data type of the injection point:

  • numeric
  • character (string)

2. By the way the data is transmitted:

  • GET
  • POST
  • header injection (User-Agent, Cookie, etc.)

3. By injection technique:

  • union-based injection
  • Boolean-based blind injection
  • time-based blind injection
  • error-based injection
  • second-order (secondary) injection
  • wide byte injection

8. What is wide byte injection?

It relies on MySQL treating two bytes as one Chinese character when the connection uses GBK encoding. When a single quote (0x27) is escaped by inserting a backslash (0x5c) in front of it, an input that places 0xdf (or another byte that can serve as the lead byte of a Chinese character) before the quote makes GBK combine 0xdf and 0x5c into one Chinese character (df5c), so the single quote escapes the escaping.

9. How to defend against wide byte injection?

1. Use utf-8 encoding for the database

2. If GBK has to be used, apply the patched scheme:

  • Use mysql_set_charset('gbk') to specify the character set
  • Escape with mysql_real_escape_string

Principle: unlike addslashes, mysql_real_escape_string takes the currently set character set into account, so 0xdf and 0x5c are never joined into a wide character. The current character set must be set with mysql_set_charset; the two parts are both indispensable.
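To make the difference between the two escaping strategies concrete, here is an added Python illustration (my own code, not part of the original article and not the implementation of mysql_real_escape_string). It contrasts a byte-level addslashes-style escaper with a charset-aware one that decodes the input as GBK before touching it, and checks the result the way the server would read it. The probe bytes and the sample input are constructed for the demo. The charset-aware function is a simplified model: it rejects byte sequences that are not valid GBK instead of escaping them, a stricter policy than libmysqlclient's, and in practice prepared statements (Q12 below) remain the preferred fix.

```python
# Character set used on the database connection; the flaw only exists for
# multi-byte sets such as GBK, which is why the article recommends UTF-8.
CHARSET = "gbk"


def naive_escape_bytes(data: bytes) -> bytes:
    # addslashes-style escaping on raw bytes: inserts 0x5c before every 0x27
    # without knowing where multi-byte characters begin and end.
    return data.replace(b"'", b"\\'")


def charset_aware_escape(data: bytes, charset: str = CHARSET) -> bytes:
    # What a charset-aware escaper does conceptually (simplified model, not
    # MySQL's code): decode with the connection's charset first, escape at the
    # character level, then re-encode. A 0x5c that is the trail byte of a CJK
    # character is never treated as a backslash, and byte sequences that are
    # not valid GBK are rejected outright.
    try:
        text = data.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}") from exc
    escaped = text.replace("\\", "\\\\").replace("'", "\\'")
    return escaped.encode(charset)


def has_unescaped_quote(escaped: bytes, charset: str = CHARSET) -> bool:
    # Check the result the way the server reads it: decode with the
    # connection charset, then look for a quote whose preceding backslashes
    # do not cancel out. True means the quote would terminate the literal.
    pending_backslashes = 0
    for ch in escaped.decode(charset):
        if ch == "\\":
            pending_backslashes += 1
            continue
        if ch == "'" and pending_backslashes % 2 == 0:
            return True
        pending_backslashes = 0
    return False


# Constructed probe matching the article's description: a lead byte 0xdf
# followed by a quote, so an inserted 0x5c would form the GBK character df5c.
PROBE = b"\xdf'"
# Constructed legitimate input: a real Chinese character followed by a quote.
LEGIT = "中'".encode(CHARSET)


if __name__ == "__main__":
    print(has_unescaped_quote(naive_escape_bytes(PROBE)))    # True: quote survives
    print(has_unescaped_quote(naive_escape_bytes(LEGIT)))    # False
    print(has_unescaped_quote(charset_aware_escape(LEGIT)))  # False
```

The byte-level escaper turns the probe into df 5c 27, which GBK reads as one character plus a bare quote; the charset-aware escaper handles the genuine character correctly and refuses the malformed probe. This is the same check you would run against any sanitizer before trusting it on a multi-byte connection.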

10. What is second-order (secondary) injection?

Input is filtered when it is stored in the database but not when it is later read back and used in another query, which yields an injection.

11. How can SQL injection be used to write a shell?

1. Use MySQL's INTO OUTFILE to write a webshell

2. Use sqlmap's --os-shell option to write a webshell

12. How to defend against SQL injection?

1. Prepared (precompiled) statements

2. Strictly restrict parameter types, e.g. numbers only

3. Add whitelists and blacklists

4. Escape special characters

5. Use a WAF
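The following Python example is added here by me and is not from the original article; it shows the first three defences side by side with the flawed pattern from Q1 and Q2. An in-memory SQLite database with constructed rows stands in for the real backend (the assumption is that the query shape, not the engine, is what matters), so it runs offline.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed demo table standing in for the application's backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # The flawed pattern from Q1/Q2: the parameter is spliced into the SQL
    # text, so whatever the client sends becomes part of the statement.
    sql = f"SELECT name FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, user_id: str) -> list:
    # Defence 1, precompiled statement: the SQL text is fixed and the value
    # travels as a bound parameter. The whole string is compared as one
    # value, so it can never change the statement's structure.
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def lookup_typed(conn: sqlite3.Connection, user_id: str) -> list:
    # Defence 2, strict parameter type: an id must be a short string of
    # digits; anything else is rejected before it reaches the database.
    if not re.fullmatch(r"[0-9]{1,10}", user_id):
        raise ValueError("user_id must be a positive integer")
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]


ALLOWED_SORT_COLUMNS = {"id", "name"}


def list_sorted(conn: sqlite3.Connection, column: str) -> list:
    # Defence 3, whitelist: identifiers such as column names cannot be bound
    # as parameters, so a client-chosen column is checked against a fixed
    # allow-list before it is placed in the statement.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    sql = f"SELECT name FROM users ORDER BY {column}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1 OR 1=1"))  # every row leaks
    print(lookup_bound(db, "1 OR 1=1"))       # []
    print(lookup_typed(db, "1"))              # ['alice']
```

Binding alone already defeats the classic `1 OR 1=1` probe; the type check and the whitelist are what let you reject bad input early and handle the cases, like ORDER BY column names, that parameters cannot cover.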

13. How does SQL injection bypass a WAF?

1. Case variation and double writing of keywords

2. Keyword substitution

3. Encoding

4. Comments

5. Equivalent functions and commands

6. Special symbols

7. Padding with junk data

14. What is the principle of XSS?

The attacker embeds a malicious script (usually JavaScript) in a web page, so that when a user browses the page the script runs in the user's browser and the attacker can control what that browser does.

15. What are the classifications of XSS? Introduce each.

1. Reflected

Malicious JavaScript is usually built into a URL, and the link is sent to the target user. When the user opens the link, the browser sends a GET request to the server carrying the malicious code, which the server reflects back into the page.

2. DOM-based

Script on the page dynamically modifies the page content through the DOM, so the malicious input never needs to pass through the server.

3. Persistent (stored)

Common on blog message boards, feedback forms and forum comments: the malicious code is stored in the server's database along with the text, and is triggered every time a user views the page.
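Output encoding at render time is the defence that covers all three types above, because the stored or reflected value is encoded for the exact place it lands in. This Python example is added by me and is not from the original article; the comment body and profile link are constructed sample input, and the render function is a hypothetical one written for the demo.

```python
import html
from urllib.parse import urlsplit


def safe_href(url: str) -> str:
    # A URL attribute is its own context: only http(s) links are allowed, so
    # a value carrying any other scheme is replaced by a harmless anchor, and
    # the survivor is still HTML-escaped for the attribute.
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return "#"
    return html.escape(cleaned, quote=True)


def render_comment(author: str, body: str, profile_url: str) -> str:
    # Each untrusted value is encoded for the context it lands in: text nodes
    # and quoted attribute values get HTML escaping (& < > " '), the href
    # gets the scheme check. The encoding happens at output time, so it works
    # whether the value was reflected or had been stored for months.
    return (
        f'<div class="comment">'
        f'<a href="{safe_href(profile_url)}">{html.escape(author, quote=True)}</a>'
        f'<p>{html.escape(body, quote=True)}</p>'
        f'</div>'
    )


def contains_raw_tag(rendered: str, tag: str = "script") -> bool:
    # Self-check a reviewer can run on rendered output: no untrusted value
    # should have produced a real opening tag.
    return f"<{tag}" in rendered.lower()


# Constructed sample submission, the kind a persistent XSS relies on.
SAMPLE_BODY = "<script>alert(1)</script> nice post"
SAMPLE_LINK = "javascript:void(0)"


if __name__ == "__main__":
    out = render_comment('bob "the" builder', SAMPLE_BODY, SAMPLE_LINK)
    print(out)
    print(contains_raw_tag(out))  # False
```

Note that the escaping is chosen per context: `html.escape` is right for text and quoted attributes, but it would not make a `javascript:` link safe, which is why the href goes through a scheme whitelist instead.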

16. How to write XSS injection statement?

17. What is XSS blind typing and how to use it?

18. How to defend against XSS?

19. What is the principle of CSRF vulnerability?

20. How to defend against CSRF (say three methods)?

21. What is the difference between CSRF and XSS?

22. What is the harm of SSRF vulnerability?

23. Which protocols can be used to exploit SSRF vulnerabilities?

24. What dangerous functions are involved in SSRF?

25. How to bypass the SSRF hole with defense?

26. How to judge whether there is an SSRF vulnerability?

27. How to defend against SSRF vulnerabilities?

28. In which functions may SSRF vulnerabilities exist?

29. What is the principle of XML injection?

30. How to fix the XML injection vulnerability?

31. What is the principle of the file upload vulnerability?

32. What are the hazards of file upload vulnerabilities?

33. What are the common bypass methods for file upload vulnerabilities?

34. Describe the principle of the Nginx parsing vulnerability

35. Describe the principle of the Apache parsing vulnerability

36. Describe the principle of the IIS parsing vulnerability

37. How to defend against file upload vulnerabilities?

38. What is the principle of file inclusion vulnerabilities?

39. Which functions can be used for file inclusion?

40. How is file inclusion exploited?

41. What are the common command execution functions?

42. What methods can be used to bypass command execution when there is a blacklist?

43. How to defend against command execution?

44. What is a broken access control (越权) vulnerability?

45. How to fix a broken access control vulnerability?

46. What vulnerabilities usually exist when sending verification codes, and how to defend against them?

47. What vulnerabilities can be involved in payment flows?

48. What vulnerabilities exist in login functions, and how to defend against them?

49. Describe the principle of deserialization vulnerabilities

50. Name five Google hacking search operators

51. What is the same-origin policy?

52. Introduce sessions and cookies, and the relationship between the two

53. How to bypass a CDN to obtain a website's real IP?

54. What tools can be used to collect subdomains?

55. Briefly describe the four attack modes of the Burp Suite Intruder module

56. What are the ways to obtain a webshell?

57. How do you do code audit? How do you ensure a code audit is comprehensive?

I have put together a summary of the learning route, the books, the HW/SRC hunting notes and the interview questions mentioned in this article. If you need it, you can refer to it:

Cyber Security Documentation Notes

Cyber Security Video Tutorials

If you need a customized learning route or materials, leave a message in the comments.


Origin blog.csdn.net/m0_74131821/article/details/130949927