The original intention of writing this article is that many friends want to know how to get started/change careers in network security and realize their "hacker dreams". The purpose of the article is to:
1. Point out some misunderstandings in self-study
2. Provide an objective and feasible study table
3. Recommend resources that I think are suitable for Xiaobai to learn. The big guy detours!
Phase 1: Getting Started with Basic Operations
The first step to getting started is to learn some current mainstream security tool courses and supporting books on basic principles. Generally speaking, this process takes about 1 month.
Phase Two: Learning the Basics
At this stage, you already have a basic understanding of cybersecurity. If you have finished the first step, I believe you have theoretically understood the above is sql injection, what is xss attack, and you have also mastered the basic operations of security tools such as burp, msf, and cs. The most important thing at this time is to start laying the foundation!
The so-called "foundation" is actually a systematic study of basic computer knowledge. If you want to learn network security well, you must first have 5 basic knowledge modules:
1. Operating system
2. Protocol/Network
3. Database
4. Development language
5. Principles of Common Vulnerabilities
https://mp.weixin.qq.com/s?__biz=MzkwNDI0MDc2Ng==&mid=2247483680&idx=1&sn=e1666c9a4a67f1222d90780a0ed619b8&chksm=c08b4a31f7fcc327deef435a30bf c550b33b5975f2bcc18dfb2ee20683da66025c68253a4c79&token=1423804057&lang=zh_CN#rdWhat is the use of learning these basics?
The level of knowledge in various fields of computer determines the upper limit of your penetration level.
[1] For example: if you have a high level of programming, you will be better than others in code auditing, and the exploit tools you write will be easier to use than others;
[2] For example: if you have a high level of database knowledge, then you are conducting SQL injection attacks
, you can write more and better SQL injection statements, which can bypass WAF that others cannot bypass;
【3】For example: if your network level is high, then you can understand the network structure of the target more easily than others when you infiltrate the internal network. You can get a network topology to know where you are, and get the configuration of a router. file, you will know what routes they have made;
【4】For another example, if your operating system is good, your privilege will be enhanced, your information collection efficiency will be higher, and you can efficiently filter out the information you want.
The third stage: actual combat operation
1. Mining SRC
The purpose of digging SRC is mainly to put the skills into practice. The biggest illusion of learning network security is to feel that you know everything, but when it comes to digging holes, you can’t do anything. SRC is a very good opportunity to apply skills.
2. Learn from technical sharing posts (vulnerability mining type)
Watch and learn all the 0day mining posts in the past ten years, and then build an environment to reproduce the loopholes, think and learn the author's digging thinking, and cultivate your own penetrating thinking
3. Watch some useful videos from station b
There are still some videos on station b that are helpful for your actual combat and improving your skills. You can also go to station b to chat up privately to receive actual combat courseware
4. Range practice
Build a shooting range by yourself or go to a free shooting range website to practice. If you have the conditions, you can buy it or apply to a reliable training institution. Generally, there are supporting shooting range exercises.
Stage 4: Participate in CTF competitions or HVV operations
Recommendation: CTF CTF has three points:
[1] The opportunity to be close to actual combat, now the network security law is very strict, unlike before, everyone can mess around
[2] Topics keep up with the frontiers of technology, but many books lag behind
[3] If you are a college student, it will be very helpful for finding a job in the future.
If you want to play a CTF competition, go directly to the competition questions. If you don’t understand the competition questions, go to the information based on what you don’t understand
Recommendation: HVV (network protection) has four points:
[1] It can also greatly exercise you and improve your own skills. It is best to participate in the HVV action held every year
【2】Be able to meet many bigwigs in the circle and expand your network
【3】The salary of HVV is also very high, so you can earn a lot of money if you participate
[4] Like the CTF competition, if you are a college student, it will also be very helpful for finding a job in the future
Relevant learning website recommendation
1、FreeBuf
The most concerned global Internet security media platform in China, a community for enthusiasts to exchange and share security technologies, and a network security industry portal.
2. Watch the snow
Kanxue Forum is a software security technology exchange place, providing a technology exchange platform and resources for security technology enthusiasts.
3. My Love Cracked
Wuai Crack Forum is a non-profit technical forum dedicated to software security and virus analysis.
4. Alibaba Cloud Prophet Community
An open technology platform.
5. Tencent Xuanwu Security Lab
Various CVE vulnerabilities.
Getting Started with Recommended Books
- "White Hats Talk about Web Security" 2012
- "In-depth Analysis of Web Security" 2015
- "Web Security Attack and Defense Penetration Testing Practical Guide" 2018 Advanced
- "WEB Difficulty - Modern WEB Application Security Guide" 2013
- "Security Guide for Intranet Security Attack and Defense Penetration Testing" 2020
- "Metasploit Penetration Testing Demon Training Camp" 2013
- "SQL Injection Attack and Defense" 2010
- "Hacking Attack and Defense Technology Collection - Web Combat (Second Edition)"
- The Definitive Guide to Log Management and Analysis
- "kali Linux Advanced Penetration Testing"
- "Hacker Social Engineering Attack and Defense Exercise"
- "XSS cross-site scripting attack analysis and defense"
- "Introduction to Mastery of Hacker Attack and Defense Combat"
2023 most comprehensive network security learning route
