Older, with no background, and wanting to switch into the network security industry: what is the most feasible path?

Clarify your approach to learning web penetration, sort out your own learning plan and the points you need to cover, and you will find that penetration suddenly becomes a little clearer.

There is a popular saying among programmers called the "35-year-old crisis", meaning that 35 is a threshold beyond which one is easily pushed out.

So is there such a hurdle in the security industry? I don't think so, because security is different from those positions: the older a person is, the more experience they have, and the more sought-after they are. In particular, the recruitment requirements of many large companies call for 5-10 years of experience, so isn't a 30- or 40-year-old with 10 years of experience exactly what they are looking for?

It is easy to get into network security, but not easy to do well in it. In fact, this is true of any industry: if you want to do well, you must keep learning and improving.

So which areas of learning should we focus on to improve our own penetration level? A detailed description follows.

The above is the mind map of the route from 0 to 1. The penetration improvement stage discussed here belongs to the second stage and later; the first stage of learning was explained in the previous article, so it will not be repeated here.

Web Vulnerability Exploitation Capabilities

The ability to exploit web vulnerabilities refers to the ability to use security flaws in web systems or programs to carry out network attacks. Since web systems are the form in which most institutions build their business systems or external-facing services, exploiting web vulnerabilities is also one of the most common and basic forms of network attack.

In actual attack-and-defense drills, the common forms of web vulnerability used by the blue team (in Chinese attack-and-defense drills the "blue team" is the attacking side) include command execution, code execution, parsing vulnerabilities, XSS, weak passwords, file upload, SQL injection, logic vulnerabilities, information leakage, configuration errors, deserialization, permission bypass, and so on.

The materials probably include these:

① Network security learning route
② 20 penetration testing e-books
③ 357 pages of notes on security attack and defense
④ 50 interview guides on security attack and defense, plus CTF capture-the-flag problem analyses

Ability to use basic security tools

This mainly covers the ability to use basic security tools such as Burp Suite, sqlmap, AppScan, AWVS, Nmap, Wireshark, MSF (Metasploit Framework), and Cobalt Strike. Proficiency with these tools is what guarantees efficient penetration work.

Then there are advanced capabilities, which mainly fall into four categories: web vulnerability mining, web development and programming, writing PoCs or EXPs, and social engineering phishing.

(1) Web vulnerability mining

Web vulnerability mining capability is mainly the ability to discover vulnerabilities in web systems or software. Among the web application vulnerabilities discovered by the blue team, the more common forms include command execution, code execution, parsing vulnerabilities, XSS, weak passwords, file upload, SQL injection, logic vulnerabilities, information leakage, configuration errors, deserialization, permission bypass, and so on.

(2) Web development and programming

Mastering one or more programming languages is an important basic skill for blue team personnel to dig deep into web application vulnerabilities and analyze how websites and business systems work. In actual attack-and-defense drills, the programming languages the blue team most often encounters and needs to master are Java, PHP, Python, C/C++, and Go.

(3) Writing PoCs, EXPs and other exploit code

PoC is the abbreviation of Proof of Concept, meaning specifically code written to verify that a vulnerability exists. It is also sometimes used loosely as a synonym for 0day and Exploit.

EXP is the abbreviation of Exploit, that is, exploit code. In general, a vulnerability does not necessarily have an EXP, but where there is an EXP there must be a vulnerability.

The concepts of PoC and EXP differ only slightly: the former is used for verification, the latter for direct use. Writing a PoC or EXP independently is much harder than directly using exploit tools or mature exploit code written by a third party. But for the many vulnerabilities, including 0day vulnerabilities, that have no known exploit code, the ability to write a PoC or EXP independently is very important.

In addition, the difficulty of writing a PoC or EXP varies with the target and the system environment. For web applications, smart hardware/IoT devices and the like, writing a PoC or EXP is relatively easy and counts as an advanced ability; writing a PoC or EXP for operating systems or security devices is more difficult and counts as a higher-level advanced ability.

(4) Social engineering phishing

Social engineering phishing is not only a method often used in real attack-and-defense drills, but also the attack method most commonly used by criminal groups and hacker organizations. In many cases it is much easier to attack a person than a system. Social engineering phishing takes many forms.

In actual attack-and-defense drills, the four most commonly used and practical skills are open source intelligence collection, social engineering database collection, spear-phishing emails, and social phishing. The first two are intelligence-gathering capabilities, while the latter two are offensive-and-defensive interaction capabilities.

  • 1) Open source intelligence collection.

Open source intelligence collection capability refers to the ability to legally collect key intelligence about target organizations from open Internet information platforms. For example, public information-sharing platforms such as news media, technical communities, corporate official websites, and customer resource platforms are all important channels for open source intelligence collection.

Through open source intelligence collection, the blue team can gather key information such as employees' internal mailboxes, contact details, corporate structure, supply chain directories, product code, and so on. All of this information can support further attacks.

Open source intelligence collection is the blue team's primary intelligence-gathering method, and the key lies in finding and filtering out valuable combinations of intelligence from massive amounts of network information.

Under normal circumstances, most of the institutional information disclosed through a single channel is neither sensitive nor confidential and has limited value. However, when multi-source information from different channels is combined, very valuable intelligence can be formed.

Of course, it cannot be ruled out that some organizations inadvertently leak internal sensitive information on Internet platforms. It is not uncommon for the blue team to find an organization's internal development code directly on an Internet platform, and even to find account and password lists.

  • 2) Social engineering database collection.

The ability to collect social engineering databases refers to the ability to gather social engineering database information about a specific target organization.

The so-called social engineering database usually refers to a database or data package containing a large amount of sensitive user information. Sensitive user information includes, but is not limited to, account numbers, passwords, names, ID numbers, phone numbers, face data, fingerprint data, behavioral data, and so on.

Because this information is very helpful to attackers designing targeted social engineering traps for specific targets, a data package or database that gathers such information is called a social engineering database (or "SE database" for short).

Social engineering databases are an important commodity in underground black markets and dark web transactions. However, in actual attack-and-defense drills, the social engineering database resources used by the blue team must take legality into account, which makes obtaining them much harder than it is for criminal gangs to build such databases.

  • 3) Spear-phishing email.

Spear-phishing email ability refers to the social engineering ability to effectively deceive specific personnel within an organization by crafting and delivering spear-phishing emails.

Spear-phishing emails are targeted email scams aimed at specific individuals within a specific organization, with the goal of stealing confidential data or system privileges. They take many forms: Trojan programs can be sent to specific targets as email attachments, or specially crafted, targeted email content can be used to lure the target into replying or clicking on a phishing website.

Spear-phishing emails are mainly aimed at internal employees with insufficient security awareness or skills. However, some well-crafted spear-phishing emails are difficult even for experienced security personnel to identify.

  • 4) Social phishing.

Social phishing generally works by inducing cognitive biases in people's decision-making. It is also the main method used in online fraud, but it was rarely used in earlier attack-and-defense drills.

As defenders' capabilities keep improving, direct technical breakthroughs are becoming harder and harder, and there are many effective ways to monitor for phishing emails. Therefore, social phishing has been used more and more over the past two years.

Advanced Penetration Techniques

Then there are the advanced abilities.

Advanced capabilities mainly include system-level vulnerability exploitation and protection, system-level vulnerability mining, identity concealment, intranet penetration, mastery of CPU instruction sets, advanced security tools, advanced exploitation such as writing PoCs or EXPs, and teamwork.

  • Penetration frameworks
  • Privilege escalation
  • Persistence (maintaining access)
  • Tunneling techniques
  • Intranet penetration
  • Tracing and evidence collection
  • Wireless security
  • DDoS attack and defense

Finally

To help you learn network security better, the editor has prepared a set of beginner/advanced network security learning materials for you. The contents are all notes and materials suitable for beginners with zero foundation, totalling 282G. If you need the full beginner + advanced network security resource pack, you can click to get it for free (if you have problems scanning the code, leave a message in the comments to get it)~

CSDN spree: "Introduction to Network Security & Advanced Learning Resource Pack" for free sharing


Origin blog.csdn.net/Y525698136/article/details/131570419