The most comprehensive and useful network security learning route on the entire network! It took all night to sort it out!


Without further ado, let's start with an overview picture to see what directions network security has, how they relate to and differ from each other, and what each of them requires you to learn.

Within the technical side of this field, jobs fall mainly into the following three directions:

Security R&D
Security research: binary direction
Security research: network penetration direction

Let's explain them one by one.

The first direction: security research and development


You can think of network security the way you think of the e-commerce industry, the education industry and so on. Every industry has its own software R&D, and network security as an industry is no exception. The difference is that R&D in this industry builds software related to the network security business.

That being the case, the security industry has the same common positions as other industries, such as front-end, back-end, big data analysis, etc., but beyond such general development positions there are also R&D positions closely tied to the security business.

This category can be further divided into two subtypes:

Security product development (the defensive side)
Security tool development (the offensive side)

The products developed by the security industry mainly (but not only) include the following:

Firewall
IDS
IPS
WAF (Web Application Firewall)
Database gateway
NTA (Network Traffic Analysis)
SIEM (security event analysis center, situational awareness)
Big data security analysis
EDR (security software on endpoint devices)
DLP (Data Leakage Prevention)
Anti-virus software
Security detection sandbox

To sum up, most security R&D products are used to detect and defend against security attacks, covering both the endpoint side (PCs, mobile phones, network equipment, etc.) and the network side.

The technologies used to develop these products are mainly the three major stacks of C/C++, Java and Python, with a smaller amount of Go and Rust.

Compared with the other two directions, security R&D positions have lower requirements for network security technology (only relatively; the R&D of some products demands quite strong security skills), and I have even seen many R&D staff who know nothing about security. In that situation, if you understand network security technology in addition to basic development skills, it will naturally be a bonus when you interview for these positions.

Second Direction: Binary Security


Binary security is one of the two major technical directions in the security field.

This direction mainly involves software vulnerability mining, reverse engineering, virus and Trojan analysis, etc., and touches on operating system kernel analysis, debugging and anti-debugging, anti-virus and other technologies. Because the work constantly deals with binary data, "binary security" has over time become the collective name for this direction.

The defining characteristic of this direction is that you need to endure loneliness.

It does not have the tangible product output of security R&D, nor the coolness of network penetration; this direction spends more of its time in silent analysis and research.

Take vulnerability mining as an example: just learning the various attack techniques takes a lot of time. In this field, studying a single problem may take months or even years, which is certainly not something ordinary people can persist in. Not only that, success does not come from hard work alone but depends more on talent.

People like the heads of Tencent's major security laboratories, industry-famous figures such as TK and Wu Shi, have grasped the mysteries of vulnerability mining and truly mastered this craft; they can come up with new tricks even in their dreams. But geniuses like this are truly rare, and most people cannot match them.

If programmers are hard-working, then binary security research is hard-working Plus.

The third direction: network penetration


This direction matches most people's image of "hackers": hacking mobile phones, computers, websites, servers and intranets, with everything fair game.

Compared with binary security, this direction is easier to get started in. After mastering some basic techniques, you can carry out attacks with various ready-made tools.

However, if you want to go from script kiddie to master hacker, the further you go in this direction, the more you need to learn and master.

Network penetration leans toward "practical combat", so it demands greater breadth of technology: from network hardware devices, network communication protocols and network services (web, email, file, database, etc.) to operating systems, attack methods and so on, all of which you need to know. It leans toward being an all-round computer generalist who can integrate various technologies for "actual combat".

Now let's talk about the learning route. The content is a bit long, so you may want to like, favorite and share it first so that you can find it again later and not lose track of it.

Learning path


Let's take network penetration as an example and see what a novice with zero foundation needs to learn, and what the specific learning route is.

First, here is a big picture to grasp the whole:

This roadmap has six stages in total, but that does not mean you must finish all of them before you can start working. For some junior positions, completing the third and fourth stages is enough.

The following content must be combined with the picture above to see the best effect. It is recommended to create a new tab page in the browser, open the picture, and look at it together.


The first stage: the Stone Age

The Stone Age is aimed at pure novices who have just entered the field. At this stage the goal is mainly to lay the foundation, and there are five parts to learn:

Windows basics

Some basic commands on Windows, the use of PowerShell and simple scripting, and the use of several important components you will often deal with on Windows later: the registry, the Group Policy editor, Task Manager, Event Viewer, etc.

In addition, learn to set up a virtual machine on Windows and install an operating system in it, in preparation for learning Linux next.

Linux

In network security it is necessary to deal with Linux frequently. I have seen many newcomers follow training courses and jump straight to Kali, eager to learn it without even establishing basic Linux concepts. This is learning to run before learning to walk, putting the cart before the horse.

At the basic stage the focus is on usage: learn the commands related to text editing, files, networking, permissions, disks, users, etc., and gain a basic understanding of Linux.

Computer Network

In network security, computer networking is certainly a very important subject. As a basic stage, this section studies computer networks from a macro perspective, rather than fixating on the meaning of particular fields in a particular protocol.

First, start from the local area network and understand the basic network of computer communication, Ethernet: how do hosts communicate within a LAN? What is the difference between a hub and a switch? What are the MAC address, IP address, subnet and subnet mask used for?

Then move on to the larger wide area network, the Internet: what a network communication protocol is, and the layering of communication protocols. Through the seven-layer and four-layer models, quickly establish the basic concepts of computer networks: the function of each layer, which protocols live at each layer, and how those protocols are applied on today's Internet.
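The subnet mask question above is easiest to understand by doing the bit arithmetic yourself. The following Python example is added here and is not from the original article; the three host addresses and the mask are constructed sample values. It computes the network and broadcast addresses with a bitwise AND/OR, decides whether two hosts are on the same subnet (and so can reach each other directly over Ethernet rather than via the gateway), derives the prefix length from a mask, and cross-checks the hand-rolled result against the standard library's `ipaddress` module.

```python
import ipaddress

# Constructed example addresses and mask (not taken from the article).
HOST_A = "192.168.1.10"
HOST_B = "192.168.1.200"
HOST_C = "192.168.2.5"
MASK = "255.255.255.0"


def to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Inverse of to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(ip: str, mask: str) -> str:
    """Network part of an address: IP AND mask, bit by bit."""
    return to_dotted(to_int(ip) & to_int(mask))


def broadcast_address(ip: str, mask: str) -> str:
    """Broadcast address: network part plus all host bits set to 1."""
    return to_dotted(to_int(ip) | (~to_int(mask) & 0xFFFFFFFF))


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Two hosts talk directly on the LAN only if their masked parts match;
    otherwise the sender hands the packet to its gateway (router)."""
    return network_address(ip_a, mask) == network_address(ip_b, mask)


def prefix_length(mask: str) -> int:
    """Count the leading 1 bits of a mask, e.g. 255.255.255.0 -> 24.
    A valid mask is a contiguous run of 1s followed by 0s."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if (m | ((1 << (32 - ones)) - 1)) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def matches_stdlib(ip: str, mask: str) -> bool:
    """Cross-check the hand computation against Python's ipaddress module."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return (str(net.network_address) == network_address(ip, mask)
            and str(net.broadcast_address) == broadcast_address(ip, mask)
            and net.prefixlen == prefix_length(mask))


if __name__ == "__main__":
    print(HOST_A, "and", HOST_B, "same subnet:", same_subnet(HOST_A, HOST_B, MASK))
    print(HOST_A, "and", HOST_C, "same subnet:", same_subnet(HOST_A, HOST_C, MASK))
    print("network:", network_address(HOST_A, MASK), "broadcast:", broadcast_address(HOST_A, MASK))
```

Running it shows that 192.168.1.10 and 192.168.1.200 share the network 192.168.1.0/24 while 192.168.2.5 does not, which is exactly the decision a host makes before choosing between ARP-ing for the neighbour directly and sending to the default gateway.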

Web Basics

A very important part of network penetration is Web security. To learn Web security, you must first start with the basics of the Web front-end.

This section is very simple: learn the three most basic Web front-end technologies, HTML+CSS+JS, and how to develop with them, which lays the foundation for learning Web-related security knowledge later.

This section is quite hands-on and requires plenty of Web programming practice, especially familiarity with JavaScript, understanding what Ajax is, and learning the commonly used jQuery library, all of which are basic, important and frequently used content in the Web front-end.

Database Basics

For the last part of the basic stage, you can pick up some basic database knowledge.

At this stage, mainly learn some theoretical knowledge, focusing on concepts such as databases, tables and indexes, then learn to write SQL for adding, deleting, modifying and querying data. For now, do not operate the database through program code.

The second stage: the Bronze Age

Having passed through the Stone Age, you have accumulated some basic computer knowledge: use of operating systems, network protocols, front-end basics and initial database knowledge, but this is not yet enough to do network security. In the second stage, the Bronze Age, you need to learn the fundamentals further. After the first stage, the difficulty starts to rise slowly.

The knowledge to be learned at this stage is:

Advanced Web

In the Stone Age we had a preliminary contact with Web programming and understood the basic principles of web pages. But that was purely front-end, purely static pages, without touching the back-end. At this advanced stage, you start to get into the Web back-end.

First, starting from the two commonly used mainstream web servers, learn the basics of Apache and Linux, then move on to the basic principles of dynamic web pages, from CGI/Fast-CGI to the later dynamic page technologies such as ASP/PHP/ASPX/JSP, and understand their history, evolution and basic working principles.

Finally, learn some basic knowledge in web development: form operations, Session/Cookie, JWT, LocalStorage, etc., to understand what these basic terms mean, what they are used for, and what they solve.

PHP programming

To learn Web back-end development, you have to learn a back-end language. In this section we choose to start with PHP.

But remember, choosing PHP here is not meant to push you into PHP back-end development later, nor is it a statement about how popular PHP is now. Rather, against a specific historical background, PHP-related website security issues are very representative, so this language makes it more convenient for us to study security issues.

Because the purpose is different, the way of learning differs from ordinary back-end development. Here we learn basic syntax, basic back-end request handling and database access, and then get in touch with the commonly used ThinkPHP framework. Of course, if you are interested, learning more is all the better.

Advanced computer network

In the second stage you need to enrich your study of computer networks. This time, focus on HTTP/HTTPS and packet capture analysis.

You must master tcpdump on Linux, including its common parameters. Then focus on learning Wireshark for analysing packets, and use Fiddler to capture and analyse encrypted HTTPS traffic.

By viewing the communication flow under the packet capture software, the understanding of the computer network changes from abstract to concrete.

Encryption and decryption technology

Next, learn about the encoding/decoding and encryption/decryption technologies that the field of network security deals with constantly, including base64 encoding, symmetric encryption, asymmetric encryption, hashing techniques, and more.

Understand their basic concepts, what they are used for, what problems they solve, and finally understand how they work.

Recommended book: "Encryption and Decryption"
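The JWT mentioned in the Advanced Web section and the base64 and hashing techniques mentioned just above come together in one small piece of code. The following Python example is added here and is not from the original article; the secret key and the token payloads are constructed for the demonstration. It builds and verifies an HS256 JWT using only the standard library (`base64`, `hmac`, `hashlib`, `json`) and makes three points concrete: base64url is reversible encoding, so anyone can read a token's payload without the key; the HMAC-SHA256 signature is what ties the payload to the key; and a verifier must check the signature with a constant-time comparison and only accept the algorithm it expects.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret only; a real key must be long, random and kept server-side.
SECRET = b"demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without '=' padding. Encoding is reversible, not secret."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sha256_hex(data: bytes) -> str:
    """Plain hashing: fixed-length, one-way digest (no key involved)."""
    return hashlib.sha256(data).hexdigest()


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_jwt(payload: dict, secret: bytes) -> str:
    """header.payload.signature, with signature = HMAC-SHA256(secret, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_payload_unverified(token: str) -> dict:
    """Anyone holding the token can do this: base64 hides nothing."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the signature is valid; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return None
    # Accept only the algorithm we expect; never let the token choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def tamper_payload(token: str, new_payload: dict) -> str:
    """Rewrite the payload but keep the old signature: what someone without the key can do."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + b64url_encode(_json_bytes(new_payload)) + "." + sig_b64


if __name__ == "__main__":
    token = sign_jwt({"sub": "alice", "admin": False}, SECRET)
    print("token:", token)
    print("readable without key:", read_payload_unverified(token))
    forged = tamper_payload(token, {"sub": "alice", "admin": True})
    print("forged verifies:", verify_jwt(forged, SECRET) is not None)
    print("sha256 of payload:", sha256_hex(_json_bytes({"sub": "alice"})))
```

The contrast to keep in mind: `read_payload_unverified` succeeds on the forged token just as on the genuine one, because decoding needs no key, while `verify_jwt` rejects it because the HMAC no longer matches. That is the practical difference between an encoding, a hash and a keyed signature.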

The third stage: the Silver Age

Now we enter the third stage, the Silver Age, and an exciting moment is coming. At this stage we begin to learn real network security technology in earnest, and the foundation laid in the previous two stages will come in handy.

The knowledge to be learned at this stage is:

Getting Started with Web Security

With the foundation of Web front-end and PHP programming, you can formally study Web security. The typical attack methods in Web security are SQL injection, XSS, CSRF, other kinds of injection, SSRF, file upload vulnerabilities, etc.; each needs to be studied in detail, combining theory with hands-on practice.

Be careful not to use websites on the Internet as practice targets; that is illegal. You can build deliberately vulnerable websites in a virtual machine (many are available for download) and practice on the sites you built yourself.

Network Scanning and Injection

We have learned some Web attack methods, but these are not enough. When facing a target, knowing how to find the attack point and obtain information about the target is very important.

This information includes: what operating system the target runs, which ports are open, which services are running, what kind of back-end service it is and which version, and what vulnerabilities can be exploited. Only with this information can we formulate attack methods in a targeted way and take down the target.

Common network information scanning includes port scanning, website back-end scanning, vulnerability scanning and so on. You need to learn the common scanning tools and how they work.

Information Collection & Social Engineering

Beyond the information obtained by scanning, network security often requires investigating a lot of other information, such as website registration details, associated persons, content retrieval within the website, and so on. This requires learning and mastering the techniques of information gathering and social engineering.

Whois is used to query domain name information; cyberspace search engines such as Shodan, ZoomEye and FOFA retrieve information behind IPs, domain names, URLs, etc.; Google Hacking uses search engines to retrieve a website's internal information. These are commonly used skills in network information collection.

Brute Force Cracking

In a network attack, once the target's open services have been scanned, the most direct thing to try is logging in. Common services are SSH, RDP, MySQL, Redis, web forms, and more.

This is where brute force cracking usually comes in handy: using dictionaries of common usernames and passwords for each service and trying them automatically with a program.

Commonly used cracking tools include hydra and Super Weak Password, as well as mimikatz, which is often used to obtain Windows system passwords.

The fourth stage: the Golden Age


In the previous stage you learned some security attack techniques. At this stage you need to learn security defense and detection techniques. Security has both offensive and defensive sides, and neither can be omitted.

WAF technology

The first thing to learn is the WAF, the Web Application Firewall.

Web security studies how to attack computer systems through Web technology, and the WAF is what detects and defends against those attacks. As the saying goes, know yourself and know your enemy and you will win every battle. As an attacker, you must understand how a WAF works and find its weaknesses to bypass detection; as a defender, you need to keep strengthening detection and defense capabilities to effectively discover and block Web attacks.

You need to learn the architectures used by today's mainstream WAF software, such as OpenResty and ModSecurity, and the main detection algorithms: signature (feature)-based, behavior-based, machine-learning-based, etc.
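The signature-based detection algorithm mentioned above can be illustrated in a few dozen lines. The following Python example is added here; it is not from the article and does not reproduce ModSecurity's real rule set. It uses a constructed rule set of four regular expressions and shows the step that matters most for a signature engine: normalising the request (URL-decoding, including double encoding, then lowercasing) before matching, since a signature applied to the raw bytes misses the encoded variants of the same input.

```python
import re
from urllib.parse import unquote_plus

# Constructed mini rule set (rule id, pattern) in the spirit of a signature-based WAF.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b")),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("xss-script-tag", re.compile(r"<\s*script\b")),
    ("path-traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),
]


def normalize(value: str) -> str:
    """Decode URL encoding twice (catches double encoding) and lowercase.
    Signatures are matched against this canonical form, not the raw bytes."""
    return unquote_plus(unquote_plus(value)).lower()


def inspect_request(path: str, query: dict) -> list:
    """Return the ids of every rule that fires on the path or any query value.
    `query` maps parameter name -> list of values, like a parsed query string."""
    hits = []
    fields = [path] + [v for values in query.values() for v in values]
    for field in fields:
        canonical = normalize(field)
        for rule_id, pattern in RULES:
            if rule_id not in hits and pattern.search(canonical):
                hits.append(rule_id)
    return hits


def decide(path: str, query: dict) -> str:
    """Simple policy: block if any signature matched, else allow."""
    return "block" if inspect_request(path, query) else "allow"


if __name__ == "__main__":
    # Constructed requests: one benign, one raw, one double-URL-encoded.
    print(decide("/search", {"q": ["hello world"]}))
    print(inspect_request("/item", {"id": ["1 UNION SELECT a, b FROM t"]}))
    print(inspect_request("/item", {"id": ["%2527%2520OR%2520%25271%2527%253D%25271"]}))
    print(inspect_request("/static/../../etc/passwd", {}))
```

The third call is the instructive one: the double-encoded value contains no quote or `OR` as received, so a rule run over the raw string finds nothing, yet after normalisation it is the same tautology as the plain form and fires the same rule. Real WAFs apply many more transformations (case folding, comment stripping, Unicode normalisation) for the same reason, and complement signatures with the behaviour-based and machine-learning detection the text lists.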

Network Protocol Attacks & Intrusion Detection

A WAF mainly targets Web-related attacks. In this section we widen the view to the entire network protocol stack, including TCP hijacking, DNS hijacking, DDoS, DNS tunnelling, ARP spoofing, ARP flooding and so on. You need to master the principles of these classic attack methods, build an environment to practise them, and lay the foundation for intranet penetration later.

In addition, on the defensive side, you also need to learn security detection through network traffic analysis: the commonly used analysis techniques, detection frameworks and rule syntax, in preparation for future security-related development or defense work.

Log technology

Discovering attack behavior through logs is the most common approach. An attacker's Web requests, system logins, brute-force attempts and so on are recorded by the various software in the system, and attackers often try to erase the related log records, so learning to master these logs is a skill that both the offensive and defensive sides need.

Common logs include system login logs (Windows, Linux), Web server logs, database logs, and so on.
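The brute-force section earlier and the log section here meet on the defender's side: a password-guessing run against SSH leaves a very recognisable trail in the system login log. The following Python example is added here and is not from the article; the eight log lines are constructed in the style of Linux `sshd` entries in `auth.log` and are not real traffic. It parses failed and accepted logins, counts failures per source address, flags sources over a threshold, and, most importantly, flags a successful login from a source that had already failed many times, which is the event an analyst would escalate first.

```python
import re
from collections import Counter

# Constructed sample lines in the style of sshd auth.log entries (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  3 10:01:04 web1 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Mar  3 10:01:05 web1 sshd[2233]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  3 10:01:07 web1 sshd[2235]: Failed password for root from 198.51.100.23 port 51032 ssh2
Mar  3 10:01:09 web1 sshd[2237]: Failed password for root from 198.51.100.23 port 51034 ssh2
Mar  3 10:01:12 web1 sshd[2239]: Accepted password for root from 198.51.100.23 port 51036 ssh2
Mar  3 10:05:40 web1 sshd[2301]: Failed password for alice from 203.0.113.9 port 40100 ssh2
Mar  3 10:05:50 web1 sshd[2303]: Accepted publickey for alice from 203.0.113.9 port 40102 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port")


def parse_events(text: str) -> list:
    """Turn raw lines into (kind, user, ip) tuples, in log order; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            events.append(("failed", m["user"], m["ip"]))
            continue
        m = ACCEPTED.search(line)
        if m:
            events.append(("accepted", m["user"], m["ip"]))
    return events


def failed_counts(events: list) -> Counter:
    """Number of failed logins per source address."""
    return Counter(ip for kind, _, ip in events if kind == "failed")


def brute_force_sources(events: list, threshold: int = 5) -> list:
    """Sources with at least `threshold` failures (the threshold is a tuning choice)."""
    return sorted(ip for ip, n in failed_counts(events).items() if n >= threshold)


def successes_after_failures(events: list, threshold: int = 5) -> list:
    """(user, ip) for every accepted login that follows `threshold` or more
    failures from the same source: the strongest indicator of a guessed password."""
    running = Counter()
    findings = []
    for kind, user, ip in events:
        if kind == "failed":
            running[ip] += 1
        elif running[ip] >= threshold:
            findings.append((user, ip))
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("failures per source:", dict(failed_counts(events)))
    print("brute-force sources:", brute_force_sources(events))
    print("logins after many failures:", successes_after_failures(events))
```

Note what the ordering check buys you: alice's single typo followed by a key-based login is noise, while root's login after five failures from the same address in ten seconds is a finding. The same structure (parse, aggregate per source, correlate a success with preceding failures) carries over to Windows logon events and web server logs; only the regular expressions change.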

Python programming

At this stage it is time to learn some Python programming. Although network security does not often call for a lot of engineering development, mastering basic programming is very useful: it lets you write crawlers, data processing, network scanning tools, vulnerability POCs, etc., and among the many programming languages, Python is undoubtedly the most suitable.

Browser Security

The last part of this stage is to learn some browser-side security knowledge and consolidate the browser-related vulnerability attacks in Web security.

Focus on the two most mainstream browsers, IE and Chrome: the browser's sandbox mechanism, the same-origin policy and cross-domain techniques, and so on.

The fifth stage: the Platinum Age


Third-party component vulnerabilities

The Web security attacks covered earlier are classic methods that have existed for many years and, after years of development, have become quite mature; today much of the action is in the vulnerabilities of third-party components. Studying and researching the vulnerabilities of these common third-party components lets you, on the one hand, master these attack methods for use in practice and, on the other hand, reason by analogy, which is also very helpful for vulnerability mining work.

The research objects mainly cover engineering components actually used in today's Internet services, such as the Java stack (the Spring "family bucket" ecosystem, SSM), Redis, MySQL, Nginx, Tomcat, Docker, etc.

Intranet penetration

In network penetration, capturing one point is only the beginning. How to move on from that foothold and control more nodes is the subject of intranet penetration. A typical example is the EternalBlue outbreak of that year, which spread rapidly through SMB protocol vulnerabilities and infected a huge number of machines.

There is a lot to learn in intranet penetration, and it is complicated; the difficulty rises considerably. But it is a very important part of network penetration and you must work through it thoroughly. This part has less theory and more practice, and requires building many environments to simulate and learn from.

Operating system security & privilege escalation & virtualization

After penetrating a computer through the Web or other means, various restrictions often create a need for privilege escalation, which involves many topics closely tied to operating system security mechanisms. Therefore, you also need to learn some operating system security knowledge.

For example the permission management mechanisms on Windows and Linux, privilege escalation methods, commonly used vulnerabilities and tools, and so on.

Finally, learn some virtualization technology to handle scenarios where you may need to escape from a virtual machine.

The sixth stage: the Age of Kings


Cobalt Strike & Metasploit

For network penetration, these two tools are absolutely indispensable. The information scanning, vulnerability exploitation, intranet penetration, Trojan implantation, reverse shells (port bounce) and other techniques learned earlier can all be combined and integrated through these two tools. They are also used constantly by the major hacker teams.

Learning to use these two tools will greatly improve attack efficiency; they are a must-have for network penetration testers at home and on the road!

Other security technologies

Broadening into other areas comes at the late stage of network penetration. If you want to become a security expert, you must not rest in your own area of expertise; you need to learn about other fields of network security to expand your knowledge.

For example binary vulnerability attacks, reverse engineering, Trojan technology, kernel security, mobile security, side-channel attacks, etc. Of course, you do not need to go as deep as someone specialising in those directions, but you do need to dabble and understand them, enrich your knowledge, and build a comprehensive network security knowledge and skill stack.

The above is the network security learning route I wanted to share. I hope it can inspire and help those of you who are self-studying.
 

Origin blog.csdn.net/2301_77732591/article/details/130869702